[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: [xml] stack corruption (2.5.4)

From: Gary Pennington sun com
To: Petr Pajas <pajas ufal ms mff cuni cz>
Cc: Daniel Veillard <veillard redhat com>, xml gnome org
Subject: Re: [xml] stack corruption (2.5.4)
Date: Wed, 30 Apr 2003 17:11:33 +0100

On Wed, Apr 30, 2003 at 05:23:18PM +0200, Petr Pajas wrote:
> Ok, the problem seems to be in your code now, not libxml2 (assuming
> you are still using the code you've posted earlier today).
> 
> info.ktx_doc = xmlNewDoc(BAD_CAST "1.0");
> xmlCreateIntSubset(info.ktx_doc, BAD_CAST "system",
>     BAD_CAST "-//Sun Microsystems Inc//DTD Resource "
>     "Management All//EN",
>     BAD_CAST dtd_location);
> /*
>  * This hack is required to force libxml to recognize the
>  * document structure without having to validate. This is
>  * achieved by forcing external DTD parsing.
>  */
> xmlFreeDtd(info.ktx_doc->extSubset);
> info.ktx_doc->extSubset =
>     xmlParseDTD(info.ktx_doc->intSubset->ExternalID,
> 	info.ktx_doc->intSubset->SystemID);
> 

I'm not using this code in the reproducible case. In the reproducible
case, the code is simply calling xmlValidateDocument() and then saving
the document and later closing it.

Apologies for not making that clear.

> After doing the last assignment, why do you expect libxml2 would
> associate the DTD with the document? xmlParseDTD reads the DTD from
> the file and makes it a standalone node (with ->doc==NULL in the whole
> DTD subtree, which is perfectly ok). You make your document point to
> the DTD without making the DTD point back to the document. When
> freeing the document, xmlUnlinkNode() supposes that the node actually
> points to back the document which leads to the SIGSEGV.
> 

Which seems reasonable. However, I took the code which does this assignment
from xmlValidateDocument() and it doesn't set the doc pointer either (or
at least not as far as I can tell.).

Anyway, this can't be the problem as this isn't the code, so once again
apologies for not making that clear.

> After assigning to the extSubset you should do something like
> xmlSetTreeDoc(info.ktx_doc->extSubset,info.ktx_doc)
>   
> (Of course, checking that ->doc is non-NULL in xmlUnlinkNode() would
> IMHO make no harm.)
> 

Agreed.

Gary
> 
> Gary Pennington sun com writes:
> 
> > On Wed, Apr 30, 2003 at 03:55:43PM +0100, Gary Pennington sun com wrote:
> >> Ok, we've got a reproducible test case and I have some information.
> >> 
> >> If we apply the patch you sent out, then the stack corruption problem
> >> disappears but we get a core dump when the document is freed.
> >> 
> >> This problem is caused by the following line in the patch:
> >> 
> >> 	ret->doc = NULL;
> >> 
> >> This will set the external subset of the document to have a null pointer.
> >> 
> >> In xmlUnlinkNode(), the following line causes the SIGSEGV:
> >> 
> >>     if (cur->type == XML_DTD_NODE) {
> >> 	xmlDocPtr doc;
> >> 	doc = cur->doc;
> >> 	if (doc->intSubset == (xmlDtdPtr) cur)
> >>             doc->intSubset = NULL;
> >> 	 if (doc->extSubset == (xmlDtdPtr) cur) <== SIGSEGV HERE
> >
> > Oops, I of course meant SIGSEGV on the above line.
> >
> > Apologies,
> >
> > Gary
> >
> >> 	doc->extSubset = NULL;
> >>     }
> >> 
> >> The problem is that the document has an external subset associated with it
> >> but the external subset has had it's document reference removed.
> >> 
> >> My workaround is to take out the "ret->doc = NULL" line from the patch
> >> that Daniel submitted. This allows the application to complete normally.
> >> 
> >> However, I can't honestly say that this is the definitively correct answer,
> >> since I don't know why Daniel was setting this to NULL in his patch. It may
> >> be that it should be set to NULL and a check added to xmlUnlinkNode() to
> >> make sure that doc isn't NULL.
> >> 
> >> Is the above information enough to determine the correct answer?
> >> 
> >> Gary
> >> 
> >> On Wed, Apr 30, 2003 at 01:07:46PM +0100, Gary Pennington sun com wrote:
> >> > Thanks for the information. I'll try and identify a reproducible test case
> >> > and ensure that the patch fixes the problem.
> >> > 
> >> > It may take some time.
> >> > 
> >> > Gary
> >> > 
> >> > On Wed, Apr 30, 2003 at 06:49:42AM -0400, Daniel Veillard wrote:
> >> > > On Wed, Apr 30, 2003 at 12:47:40PM +0200, Petr Pajas wrote:
> >> > > > Gary Pennington sun com writes:
> >> > > > 
> >> > > > [snip]
> >> > > > > I am building a document in memory. Since I want to be able to access
> >> > > > > DTD information as I build my document, I do the following:
> >> > > > [snip]
> >> > > > > 		info.ktx_doc->extSubset =
> >> > > > > 		    xmlParseDTD(info.ktx_doc->intSubset->ExternalID,
> >> > > > > 			info.ktx_doc->intSubset->SystemID);
> >> > > > [snip]
> >> > > > > My questions are:
> >> > > > >
> >> > > > > 1. Is this a known problem in 2.5.4?
> >> > > > > 2. If so, will an upgrade to 2.5.7 fix it?
> >> > > > 
> >> > > > A bug in xmlParseDTD fixed by Daniel few days ago is very likely the
> >> > > > cause of the behavior you describe. Try upgrading from the CVS (or
> >> > > > wait for 2.5.8; 2.5.7 still contains the bug).
> >> > > 
> >> > >   Hum, right, I forgot about this, it's easy to check, the patch was
> >> > > enclosed in my answer.
> >> > > 
> >> > > Daniel
> >> > > 
> >> > > -- 
> >> > > Daniel Veillard      | Red Hat Network https://rhn.redhat.com/
> >> > > veillard redhat com  | libxml GNOME XML XSLT toolkit  http://xmlsoft.org/
> >> > > http://veillard.com/ | Rpmfind RPM search engine http://rpmfind.net/
> >> > _______________________________________________
> >> > xml mailing list, project page  http://xmlsoft.org/
> >> > xml gnome org
> >> > http://mail.gnome.org/mailman/listinfo/xml
> >> 
> >> -- 
> >> Gary Pennington
> >> Solaris Kernel Development,
> >> Sun Microsystems
> >> Gary Pennington sun com
> >> _______________________________________________
> >> xml mailing list, project page  http://xmlsoft.org/
> >> xml gnome org
> >> http://mail.gnome.org/mailman/listinfo/xml
> >
> > -- 
> > Gary Pennington
> > Solaris Kernel Development,
> > Sun Microsystems
> > Gary Pennington sun com
> > _______________________________________________
> > xml mailing list, project page  http://xmlsoft.org/
> > xml gnome org
> > http://mail.gnome.org/mailman/listinfo/xml
> 
> -- 

-- 
Gary Pennington
Solaris Kernel Development,
Sun Microsystems
Gary Pennington sun com

References:
- [xml] stack corruption (2.5.4)
  - From: Gary . Pennington
- Re: [xml] stack corruption (2.5.4)
  - From: Petr Pajas
- Re: [xml] stack corruption (2.5.4)
  - From: Daniel Veillard
- Re: [xml] stack corruption (2.5.4)
  - From: Gary . Pennington
- Re: [xml] stack corruption (2.5.4)
  - From: Gary . Pennington
- Re: [xml] stack corruption (2.5.4)
  - From: Gary . Pennington
- Re: [xml] stack corruption (2.5.4)
  - From: Petr Pajas

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]