Re: [xml] after xpath search, xmlXPathFreeObject() can generate segfault



On Thu, Jan 08, 2004 at 11:21:38PM -0800, Christopher J. Grayce wrote:
> Dear All,
> 
>    I have a program that uses xmlXPathEval() to produce a list of nodes in
> an xmlXPathObject.  Those nodes are then further processed, in the course
> of which they are all deleted.  Finally, on exit, I call

Rule 1: the objects returned from an XPath query are "live" objects
        so if you delete them you delete them from the document being
        queried.

> xmlXPathFreeObject() to clean up the xmlXPathObject -- but this generates
> a segfault, because of the following code in xpath.c:
> 
> --------------------------------------------------------------------------------
> xmlXPathFreeNodeSet(xmlNodeSetPtr obj) {
>     if (obj == NULL) return;
>     if (obj->nodeTab != NULL) {
>       int i;
> 
>       /* @@ with_ns to check whether namespace nodes should be looked at @@ */
>       for (i = 0;i < obj->nodeNr;i++)
>           if ((obj->nodeTab[i] != NULL) &&
>  -->          (obj->nodeTab[i]->type == XML_NAMESPACE_DECL))
>               xmlXPathNodeSetFreeNs((xmlNsPtr) obj->nodeTab[i]);
>       xmlFree(obj->nodeTab);
>     }
>     xmlFree(obj);
> }
> --------------------------------------------------------------------------------

   This is an exception to Rule 1: due to difference in the implementation of
     namespace nodes between libxml2 internal representation and the XPath
     data model, the namespace nodes returned from XPath queries are not
     coming from the document, but generated on the fly and destroyed
     when the node set is destroyed.

>    Right at the --> this code (from libxml2 2.6.4 CVS version of
> 1/6/04) dereferences a pointer which, since I have deleted the node, is
> no longer valid.

   Simply do not delete namespace nodes. They won't affect the tree anyway.

>    My point in mentioning this is: I haven't seen it mentioned before that
> if you free a node resulting from a call to xmlXPathEval(), you had better
> set the pointer in the xmlXPathObject nodeTab[] vector to zero before
> calling xmlXPathFreeObject().

   No, it's an artefact due to the special allocation of namespace nodes.
And anyway, what did you think removing namespace nodes meant?

Daniel

-- 
Daniel Veillard      | Red Hat Network https://rhn.redhat.com/
veillard redhat com  | libxml GNOME XML XSLT toolkit  http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine http://rpmfind.net/


