segfault when calling classObj::updateFromString() with SYMBOL

[bishopb]

<?php
// create a map with a layer and get that layer
$map =<<<EOTXT
MAP
    NAME 'test'
    SIZE 400 400
    EXTENT 0 0 100 100

    SYMBOL
      NAME 'POINT'
      TYPE ELLIPSE
      POINTS
        1 1
      END
      FILLED TRUE
    END

    LAYER
        NAME 'Airports'
        STATUS ON
        TYPE point
        FEATURE POINTS 10 10 50 50 1 50 70 10 END END
    END
END
EOTXT;
$oMap = ms_newMapObjFromString($map);
$oLayer = $oMap->getLayerByName('Airports');

// add a class to that layer
$class =<<<EOTXT
        CLASS
            STYLE
                COLOR 128 0 0
                SYMBOL 'POINT'
                SIZE 10
                OUTLINECOLOR 0 0 0
                WIDTH 5
            END
        END
EOTXT;
$oClass = new classObj($oLayer);
$oClass->updateFromString($class); // segfaults

$oMap->selectOutputFormat('png');
$oMap->draw()->saveImage('output.png');
?>

On:

AERES2-dev aeres # uname -a
Linux AERES2-dev 2.6.35-gentoo-r12 #1 Fri Dec 3 07:06:35 EST 2010 i686 AMD Athlon(tm) 64 Processor 3000+ AuthenticAMD GNU/Linux

AERES2-dev aeres # php -v
PHP 5.3.6-pl0-gentoo (cli) (built: Jul 24 2011 17:21:31)
Copyright (c) 1997-2011 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2011 Zend Technologies
    with Xdebug v2.1.0, Copyright (c) 2002-2010, by Derick Rethans
    with test_helpers v1.0.1-dev, Copyright (c) 2009-2010, by Johannes Schlueter, Scott MacVicar, Sebastian Bergmann

AERES2-dev aeres # php -r 'echo ms_GetVersion();'
MapServer version 6.0.0 OUTPUT=GIF OUTPUT=PNG OUTPUT=JPEG SUPPORTS=PROJ SUPPORTS=AGG SUPPORTS=FREETYPE SUPPORTS=ICONV SUPPORTS=WMS_SERVER SUPPORTS=WMS_CLIENT SUPPORTS=WFS_SERVER SUPPORTS=WFS_CLIENT SUPPORTS=WCS_SERVER SUPPORTS=GEOS INPUT=OGR INPUT=GDAL INPUT=SHAPEFILEAERES2-d

Last few bits of strace:

AERES2-dev aeres # strace php try.php 2>&1 | tail -20
munmap(0xb7213000, 888)                 = 0
close(3)                                = 0
munmap(0xb78b5000, 4096)                = 0
gettimeofday({1319662528, 909732}, NULL) = 0
gettimeofday({1319662528, 910644}, NULL) = 0
open("/usr/share/proj/proj_def.dat", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=261, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb78b5000
read(3, "# Projection library defaults fi"..., 4096) = 261
_llseek(3, 0, [0], SEEK_SET)            = 0
read(3, "# Projection library defaults fi"..., 4096) = 261
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0xb78b5000, 4096)                = 0
getcwd("/opt/aeres", 1024)              = 11
gettimeofday({1319662528, 922518}, NULL) = 0
gettimeofday({1319662528, 923561}, NULL) = 0
gettimeofday({1319662528, 924505}, NULL) = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++

The segfault occurs regardless of whether the class is instantiated by "new classObj($oLayer)" or "$oLayer->getClass(0)".

If the CLASS definition is moved into the LAYER in $map, and the updateFromString() business is skipped, the expected output is rendered.

See also Bug 3273 and Bug 2219.

[aboudreault]

I'm not able to reproduce the bug using $oLayer->getclass(0), how did you get it to segfault?

[bishopb]

For me, this segfaults (reliably) when calling classObj::updateFromString() with a valid string of the form "CLASS ... END".

I have not observed a problem with layerObj::getClass().

[aboudreault]

The segfault occurs regardless of whether the class is instantiated by "new classObj($oLayer)" or "$oLayer->getClass(0)". 

I'm relying on this.

[bishopb]

Ah, ok. In my original sample code, I created the classObj with: $oClass = new classObj($oLayer);

I then proceeded to call updateFromString() on $oClass, at which point I got a segfault.

If, instead of using new classObj to get the class object, I do: $oClass = $oLayer->getClass(0);

then proceed with the call to updateFromString(), the segfault still occurs.

So the point of that comment was, regardless of the means by which I got the class object, the subsequent call to updateFromString() segfaults.

[aboudreault]

Right, that's what I had understood. The question was, can you retest it to be sure... because I'm not able to reproduce it when getting the class with getClass(0).

[bishopb]

Sorry, three different projects going on now, a bit scatterbrained. I'm on the same page now.

I must have done something wrong originally, as I cannot reproduce the segfault when the class is instantiated with $oLayer->getClass(0). This sample code works as expected:

<?php
// create a map with a layer and get that layer
$map =<<<EOTXT
MAP
    NAME 'test'
    SIZE 400 400
    EXTENT 0 0 100 100

    SYMBOL
      NAME 'POINT'
      TYPE ELLIPSE
      POINTS
        1 1
      END
      FILLED TRUE
    END

    LAYER
        NAME 'Airports'
        STATUS ON
        TYPE point
        FEATURE POINTS 10 10 50 50 1 50 70 10 END END
        CLASS
            STYLE
                COLOR 0 255 0
                SYMBOL 'POINT'
                SIZE 10
                OUTLINECOLOR 255 0 0
                WIDTH 5
            END
        END
    END
END
EOTXT;
$oMap = ms_newMapObjFromString($map);
$oLayer = $oMap->getLayerByName('Airports');

// get the class that's there, then update it
$class =<<<EOTXT
        CLASS
            STYLE
                COLOR 255 0 0
                SYMBOL 'POINT'
                SIZE 10
                OUTLINECOLOR 0 0 255
                WIDTH 5
            END
        END
EOTXT;
$oClass = $oLayer->getClass(0);
$oClass->updateFromString($class);

$oMap->selectOutputFormat('png');
$oMap->draw()->saveImage('output.png');
?>

So this appears to only segfault when the class is created fresh with new classObj($oLayer). Perhaps I am missing an initialization step in my original code?

[aboudreault]

Thanks for the confirmation. No, you are not missing anything... I'm going to fix that issue today and also backport it in 6.0 branch.

[aboudreault]

Fixed and committed in trunk in r12785 and backported in branch 6-0 in r12786.