Re: [xml] an xpath segfault reproducible with xmllint

[Daniel Veillard <veillard redhat com>]

On Tue, Apr 03, 2007 at 06:04:54PM +0200, Petr Pajas wrote:
> Hi Daniel, All,
>
> I have experienced segfaults where just an error should be issued. After 
> playing with the xpath for a while, I have narrowed it to the following test 
> case:
>
> xmllint --shell test.xml
> / > xpath *[ a=name(concat(""))]
> XPath error : Invalid number of arguments
> XPath error : Invalid type
> xmlXPathEval: 3 object left on the stack
> Object is empty (NULL)
> / > xpath *[ a=name(concat(""))]
> XPath error : Invalid number of arguments
> Segmentation fault (SIGSEGV)
>
> Notes:
> 1) test.xml can by any XML file
>
> 2) you may need to repeat the xpath query two or more times before it actually 
> segfaults, but valgrind indicates a problem already during the first run
>
> 3) with just *[name("")] I have to repeat 3 times before it segfaults, but it 
> does; valgrind shows a problem only on 1st run, though
>
> 4) name("") alone is ok (invalid type error is reported)
>
> 5) I'm running libxml2-2.6.27, openSuSE 10.2

  I can't reproduce it with CVS head nor the default binary installed on
RHEL5 x86_64 nor i386, please provide more informations about the crash because
here it is really behaving as it should:

paphio:~/XML -> valgrind xmllint --shell test.xml
/ > xpath *[ a=name(concat(""))]
XPath error : Invalid number of arguments
XPath error : Invalid type
xmlXPathEval: 3 object left on the stack
Object is empty (NULL)
/ > xpath *[ a=name(concat(""))]
XPath error : Invalid number of arguments
XPath error : Invalid type
xmlXPathEval: 3 object left on the stack
Object is empty (NULL)
/ > xpath *[ a=name(concat(""))]
XPath error : Invalid number of arguments
XPath error : Invalid type
xmlXPathEval: 3 object left on the stack
Object is empty (NULL)
/ > quit
paphio:~/XML -> rpm -qf /usr/bin/xmllint
libxml2-2.6.26-2.1.2
libxml2-2.6.26-2.1.2
paphio:~/XML -> valgrind /usr/bin/xmllint --shell test.xml
/ > xpath *[ a=name(concat(""))]
==21965== Conditional jump or move depends on uninitialised value(s)
==21965==    at 0x39BE684DA4: (within /usr/lib64/libxml2.so.2.6.26)
==21965==    by 0x39BE6837F5: (within /usr/lib64/libxml2.so.2.6.26)
==21965==    by 0x39BE6831CD: (within /usr/lib64/libxml2.so.2.6.26)
==21965==    by 0x39BE6883E5: xmlXPathEval (in /usr/lib64/libxml2.so.2.6.26)
==21965==    by 0x39BE675156: xmlShell (in /usr/lib64/libxml2.so.2.6.26)
==21965==    by 0x4066A6: (within /usr/bin/xmllint)
==21965==    by 0x408A38: (within /usr/bin/xmllint)
==21965==    by 0x39B9A1D8A3: (below main) (in /lib64/libc-2.5.so)
XPath error : Invalid number of arguments
XPath error : Invalid type
XPath error : Invalid type
xmlXPathEval: 2 object left on the stack
Object is empty (NULL)
/ > xpath *[ a=name(concat(""))]
XPath error : Invalid number of arguments
XPath error : Invalid type
XPath error : Invalid type
xmlXPathEval: 2 object left on the stack
Object is empty (NULL)
/ > xpath *[ a=name(concat(""))]
XPath error : Invalid number of arguments
XPath error : Invalid type
XPath error : Invalid type
xmlXPathEval: 2 object left on the stack
Object is empty (NULL)
/ > quit
paphio:~/XML -> 

  The first run conditional jump is IMHO unrelated, it seems to be an
optimization by gcc that valgrind misunderstand or something of this kind,
it does not show up in non-optimized code and this has been that way for years
as far as I can tell.

  Please provide the traceback for the crash because here everything seems
to behave normally (considering that the XPath evaluation failed but that's
normal). I have tried on 2 different architectures with 2 kind of different
compiles and it all seems mormal on my systems.

Daniel



-- 
Red Hat Virtualization group http://redhat.com/virtualization/
Daniel Veillard      | virtualization library  http://libvirt.org/
veillard redhat com  | libxml GNOME XML XSLT toolkit  http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine  http://rpmfind.net/