Re: [xml] an xpath segfault reproducible with xmllint



On Wed, Apr 04, 2007 at 03:00:23PM +0200, Petr Pajas wrote:
valgrind output is below; it's not built with -g so this doesn't say 
that much. I'll try to install the -debuginfo packages or recompile 
and come back with a more detailed one later:

$ valgrind xmllint --shell test.xml
...
/ > xpath *[ a=name(concat(""))]
XPath error : Invalid number of arguments
XPath error : Invalid type
==16758== Invalid read of size 4
==16758==    at 0x414DE11: xmlXPathFreeObject (in /usr/lib/libxml2.so.2.6.27)
==16758==    by 0x414E45B: xmlXPathReleaseObject (in /usr/lib/libxml2.so.2.6.27)
==16758==    by 0x415C1AE: xmlXPathEval (in /usr/lib/libxml2.so.2.6.27)
==16758==    by 0x414B846: xmlShell (in /usr/lib/libxml2.so.2.6.27)
==16758==    by 0x804DB5C: parseAndPrintFile (in /usr/bin/xmllint)
==16758==    by 0x8050003: main (in /usr/bin/xmllint)
==16758==  Address 0x43C03A8 is 0 bytes inside a block of size 40 free'd
==16758==    at 0x402300A: free (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==16758==    by 0x414DE31: xmlXPathFreeObject (in /usr/lib/libxml2.so.2.6.27)
==16758==    by 0x414E45B: xmlXPathReleaseObject (in /usr/lib/libxml2.so.2.6.27)
==16758==    by 0x415C74A: xmlXPathCompOpEvalPredicate (in /usr/lib/libxml2.so.2.6.27)
==16758==    by 0x415D6B8: xmlXPathNodeCollectAndTest (in /usr/lib/libxml2.so.2.6.27)
==16758==    by 0x415A2F8: xmlXPathCompOpEval (in /usr/lib/libxml2.so.2.6.27)
==16758==    by 0x4159FEA: xmlXPathCompOpEval (in /usr/lib/libxml2.so.2.6.27)
==16758==    by 0x415BDCF: xmlXPathRunEval (in /usr/lib/libxml2.so.2.6.27)
==16758==    by 0x415C16E: xmlXPathEval (in /usr/lib/libxml2.so.2.6.27)
==16758==    by 0x414B846: xmlShell (in /usr/lib/libxml2.so.2.6.27)
==16758==    by 0x804DB5C: parseAndPrintFile (in /usr/bin/xmllint)
==16758==    by 0x8050003: main (in /usr/bin/xmllint)
==16758==
==16758== Invalid read of size 4
==16758==    at 0x414DE40: xmlXPathFreeObject 

  Please try to reproduce the crash under gdb with code compiled with memory
debug. I would also raise a bug on the SuSE side; they should be able to identify
where the problem is coming from exactly. Without line numbers it's really
shooting at a target in the dark.
  Can you make sure no patch was applied to the SuSE rpms? I doubt it, but
that may happen. Maybe someone from SuSE is monitoring this list and can
act on this problem (thanks in advance!)

Daniel

-- 
Red Hat Virtualization group http://redhat.com/virtualization/
Daniel Veillard      | virtualization library  http://libvirt.org/
veillard redhat com  | libxml GNOME XML XSLT toolkit  http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine  http://rpmfind.net/


