Re: [xml] xml freeing the same string twice
- From: Wolfgang Rohdewald <wolfgang rohdewald de>
- To: Nikolay Sivov <bunglehead gmail com>
- Cc: xml gnome org
- Subject: Re: [xml] xml freeing the same string twice
- Date: Tue, 5 Apr 2011 15:26:07 +0200
On Tuesday 05 April 2011, Wolfgang Rohdewald wrote:
> On Tuesday 05 April 2011, Nikolay Sivov wrote:
> > DICT_FREE() already checks if string is owned by a dictionary
> > or not. If it's owned it's freed with a dictionary in
> > xmlDictFree(), otherwise it's freed as is with xmlFree.
>
> DICT_FREE fails because cur->doc is NULL, so there is no dict.
> Do you have an idea how that could happen?

I believe this is what happens:

1. SAX2TextNode() sets content using ctxt->dict but it does
   not copy ctxt->myDoc to the new node. So this is inconsistent
   at the end of SAX2TextNode(): content points to a dict entry
   but ->doc is NULL and so ->doc->dict cannot be reached.
   Maybe SAX2TextNode() is relying on later code to fill in
   ->doc.

2. xmlAddChild does
   "If parent->last is nbktext and we're not, merge with current
   node"
   and then it frees the current node which still has doc==NULL,
   so DICT_FREE does not know content is a dict entry and frees
   it wrongly.

With this patch I can generate KDE4 HTML manuals on Windows,
but I did not investigate why this problem does not happen
on Linux. It seems this code path is not taken very often,
however.

This is the KDE bug I want to fix:
https://bugs.kde.org/show_bug.cgi?id=263828
--- SAX2.c 2010-03-15 16:06:22.000000000 +0100
+++ n 2011-04-05 15:17:18.031908992 +0200
@@ -1832,6 +1832,7 @@
if (ctxt->dictNames) {
xmlChar cur = str[len];
+ ret->doc = ctxt->myDoc;
if ((len < (int) (2 * sizeof(void *))) &&
(ctxt->options & XML_PARSE_COMPACT)) {
/* store the string in the node overrithing
properties and nsDef */
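Review bot: The added `ret->doc = ctxt->myDoc;` sits inside the `if (ctxt->dictNames)` branch, so as far as this hunk shows a text node built with dictNames off still leaves with doc unset, and the node's doc state now depends on a parser option. Consider doing the assignment where ret is initialized, outside the conditional, and adding a one-line comment saying why it is needed (the free path has to reach doc->dict to tell that content is a dictionary entry). The line also carries no indentation in the posted diff, so please check it against the surrounding code style before committing.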
--
Wolfgang
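
An added example, not part of the original message and not libxml2 code: a simplified C model of the ownership decision described in points 1 and 2 above, showing that the same dict-interned content is routed to a plain free when the node's doc is NULL. All types and function names (Dict, Node, content_free_action and so on) are hypothetical, and the sample string is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, NOT libxml2 code: every name below is hypothetical. */
typedef struct { char pool[64]; size_t used; } Dict;  /* interned strings */
typedef struct { Dict *dict; } Doc;
typedef struct { Doc *doc; const char *content; } Node;
typedef enum { LEFT_TO_DICT, PLAIN_FREE } FreeAction;

/* Intern s: the returned pointer lives inside the pool, not on the heap. */
static const char *dict_intern(Dict *d, const char *s) {
    size_t n = strlen(s) + 1;
    if (n > sizeof d->pool - d->used) return NULL;
    memcpy(d->pool + d->used, s, n);
    d->used += n;
    return d->pool + d->used - n;
}

/* Ownership test by address range. */
static int dict_owns(const Dict *d, const char *s) {
    uintptr_t p = (uintptr_t)s, lo = (uintptr_t)d->pool;
    return p >= lo && p < lo + d->used;
}

/* The decision from the thread: the dict is reachable only through doc. */
static FreeAction content_free_action(const Node *n) {
    const Dict *d = n->doc ? n->doc->dict : NULL;
    if (d != NULL && dict_owns(d, n->content)) return LEFT_TO_DICT;
    return PLAIN_FREE;  /* wrong for a pool pointer: the dict frees it again */
}

/* Text node with dict-interned content; set_doc = 0 models the node as the
   message describes it, set_doc = 1 models it with doc filled in. */
static FreeAction text_node_action(int set_doc) {
    static Dict dict;
    static Doc doc;
    dict.used = 0;
    doc.dict = &dict;
    Node n = { set_doc ? &doc : NULL, dict_intern(&dict, "constructed text") };
    return content_free_action(&n);
}

int main(void) {
    printf("doc == NULL: %s\n", text_node_action(0) == PLAIN_FREE ? "plain free (bug)" : "left to dict");
    printf("doc set:     %s\n", text_node_action(1) == PLAIN_FREE ? "plain free" : "left to dict");
    return 0;
}
```

The model only reports which path would be taken; it never calls free() on a pool pointer.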