c_DOMDocument::sweep causes segfault in Joomla! JForm Test

[chalet16]

Code (extracted from joomlacms repository)

<?php
function load($data)
{
    $element     = new SimpleXMLElement($data);
    $fields = $element->xpath('descendant-or-self::field');
    foreach ($fields as $field) {
        $loadeddom = dom_import_simplexml($field);
        $current   = simplexml_load_string('<books></books>');
        $olddom    = dom_import_simplexml($current);
        $addeddom  = $olddom->ownerDocument->importNode($loadeddom);
        $olddom->parentNode->replaceChild($addeddom, $olddom);
   }
}

$loadMergeDocument = '
   <fields>
      <field name="published" type="list">
         <option value="1">JYES</option>
         <option value="0">JNO</option>
      </field>
      <field name="abstract" label="Abstract" />
      <fields label="A general group">
         <field name="access" />
         <field name="ordering" />
      </fields>
      <fields name="params">
         <field name="show_abstract" type="radio">
            <option value="1">JYes</option>
            <option value="0">JNo</option>
         </field>
      </fields>
      <fieldset>
         <field name="language" type="text" />
      </fieldset>
   </fields>
';

load($loadMergeDocument);

[alexmalyshev]

Thanks for opening this issue. Feel free (you, or anyone else) to dig deeper into this and stop it from crashing; we'd appreciate it.

[chalet16]

GDB Backtrace:

(gdb) run
Starting program: /home/chalet16/dev/hhvm/hphp/test/frameworks/../../hhvm/hhvm -v Eval.Jit=0 /home/chalet16/dev/hhvm/hphp/test/frameworks/vendor/bin/phpunit --filter JFormTest::testLoad\$ --debug -c /home/chalet16/dev/hhvm/hphp/test/frameworks/framework_downloads/joomla-cms/phpunit.xml.dist /home/chalet16/dev/hhvm/hphp/test/frameworks/framework_downloads/joomla-cms/tests/unit/suites/libraries/joomla/form/JFormTest.php
warning: no loadable sections found in added symbol-file system-supplied DSO at 0x7ffff7ffa000
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffe6fff700 (LWP 1689)]
[Thread 0x7fffe6fff700 (LWP 1689) exited]

PHPUnit 4.0.14 by Sebastian Bergmann.

Configuration read from /home/chalet16/dev/hhvm/hphp/test/frameworks/framework_downloads/joomla-cms/phpunit.xml.dist


Starting test 'JFormTest::testLoad'.
.

Time: 1.6 seconds, Memory: 6.49Mb

OK (1 test, 0 assertions)

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff3cd3f2f in xmlDictOwns () from /usr/lib/x86_64-linux-gnu/libxml2.so.2
(gdb) 
(gdb) bt
#0  0x00007ffff3cd3f2f in xmlDictOwns () from /usr/lib/x86_64-linux-gnu/libxml2.so.2
#1  0x00007ffff3c2c638 in xmlFreeNodeList () from /usr/lib/x86_64-linux-gnu/libxml2.so.2
#2  0x00007ffff3c2c750 in xmlFreeProp () from /usr/lib/x86_64-linux-gnu/libxml2.so.2
#3  0x00007ffff3c2ca34 in xmlFreeNode () from /usr/lib/x86_64-linux-gnu/libxml2.so.2
#4  0x0000000002eb67b1 in HPHP::php_libxml_node_free (node=0x7fffe0a29b00) at /home/chalet16/dev/hhvm/hphp/runtime/ext/ext_domdocument.cpp:962
#5  0x0000000002ebe06a in HPHP::c_DOMDocument::sweep (this=0x7fffdfd7f2f0) at /home/chalet16/dev/hhvm/hphp/runtime/ext/ext_domdocument.cpp:3068
#6  0x00000000020e9561 in HPHP::Sweepable::SweepAll () at /home/chalet16/dev/hhvm/hphp/runtime/base/sweepable.cpp:56
#7  0x000000000211fecc in HPHP::MemoryManager::sweep (this=0x7ffff7f3a860) at /home/chalet16/dev/hhvm/hphp/runtime/base/memory-manager.cpp:280
#8  0x00000000021c9702 in HPHP::hphp_session_exit () at /home/chalet16/dev/hhvm/hphp/runtime/base/program-functions.cpp:1766
#9  0x00000000021c377e in HPHP::execute_command_line_end (xhprof=0, coverage=true, program=0x7fffe21f9538 "/home/chalet16/dev/hhvm/hphp/test/frameworks/vendor/bin/phpunit")
    at /home/chalet16/dev/hhvm/hphp/runtime/base/program-functions.cpp:635
#10 0x00000000021c70c3 in HPHP::execute_program_impl (argc=10, argv=0x7fffffffe498) at /home/chalet16/dev/hhvm/hphp/runtime/base/program-functions.cpp:1412
#11 0x00000000021c454f in HPHP::execute_program (argc=10, argv=0x7fffffffe498) at /home/chalet16/dev/hhvm/hphp/runtime/base/program-functions.cpp:885
#12 0x0000000002031b1b in main (argc=10, argv=0x7fffffffe498) at /home/chalet16/dev/hhvm/hphp/hhvm/main.cpp:58

[LiraNuna]

I cannot reproduce this. Please try again with latest master and let us know if you still experience it.

[fredemmott]

This does crash in master with the jit on.

[fredemmott]

• Slightly simplified test case:

<?php
function load($data)
{
    $element     = new SimpleXMLElement($data);
    $fields = $element->xpath('descendant-or-self::field');
    foreach ($fields as $field) {
        $loadeddom = dom_import_simplexml($field);
        $current   = simplexml_load_string('<books></books>');
        $olddom    = dom_import_simplexml($current);
        $addeddom  = $olddom->ownerDocument->importNode($loadeddom);
        $olddom->parentNode->replaceChild($addeddom, $olddom);
   }
}

$loadMergeDocument = '
   <fields>
      <field name="abstract" label="Abstract" />
      <field name="abstract" label="Abstract" />
   </fields>
';

load($loadMergeDocument);

• I suspect it's an ownership issue - this is related:

<?php

$foo_sx = simplexml_load_string('<foo />');
$foo_dom = dom_import_simplexml($foo_sx);
$foo_dom->setAttribute('herp', 'derp');

// <foo herp="derp" /> - $foo_dom still uses the same xmlNodePtr as $foo_sx
var_dump($foo_sx->asXML());

[fredemmott]

Looks like a jit bug, not interp masking:

<?php

function derp() {
  $foo_sx = simplexml_load_string('<foo />');
  $foo_dom = dom_import_simplexml($foo_sx);
  $foo_dom->setAttribute('herp', 'derp');
  var_dump(gettype($foo_dom->ownerDocument)); // Has a dom document
  return $foo_dom;
}

var_dump(gettype(derp()->ownerDocument));

[fredemmott@devbig076 ~] hhvm -v Eval.Jit=1 test3.php
string(6) "object"

Warning: Unsupported node type: -858993460 in /home/fredemmott/test3.php on line 11

Warning: Cannot create required DOM object in /home/fredemmott/test3.php on line 11
string(4) "NULL"
[fredemmott@devbig076 ~] hhvm -v Eval.Jit=0 test3.php
string(6) "object"
string(6) "object"

[fredemmott]

Our libxml memory model is fundamentally broken.

We basically need an equivalent to php_libxml_node_object from php5, and both simplexml + domelement need to do their operations on this, and not own anything directly.

[paulbiss]

@fredemmott I'm no longer seeing the behavior in your repro, any idea if this is resolved?

[fredemmott]

My simplified example is now fine, however, the original example in the first post is still broken:

[fredemmott@devbig076 ~] hhvm -v Eval.Jit=1 test.php
BFD: Dwarf Error: mangled line number section (bad file number).
BFD: Dwarf Error: Offset (2969572511) greater than or equal to .debug_str size (149144599).
BFD: Dwarf Error: mangled line number section (bad file number).
BFD: Dwarf Error: Offset (2969568125) greater than or equal to .debug_str size (149144599).
hhvm: hphp/runtime/base/array-data.h:83: incRefCount: Assertion `!MemoryManager::sweeping()' failed.
hhvm: hphp/runtime/base/array-data.h:83: incRefCount: Assertion `!MemoryManager::sweeping()' failed.
Aborted

I expect we'll keep having similar bugs until DOMElement and libxml are rewritten to use a common refcounted internal libxml object (PHP5 does this), instead of the 'owner' concept

[fredemmott]

Symptom of #4108