Re: [xml] an xpath segfault reproducible with xmllint
- From: Daniel Veillard <veillard redhat com>
- To: Pavol Rusnak <prusnak suse cz>
- Cc: xml gnome org
- Subject: Re: [xml] an xpath segfault reproducible with xmllint
- Date: Wed, 4 Apr 2007 10:54:33 -0400
On Wed, Apr 04, 2007 at 04:42:27PM +0200, Pavol Rusnak wrote:
Daniel Veillard wrote:
What is the stack like, and what are the values of i and obj->nodeNr?
As stated I tested with latest SVN version on 2 machines without seeing the
problem myself.
(gdb) r --shell test.xml
Starting program: /usr/bin/xmllint --shell test.xml
/ > xpath *[ a=name(concat(""))]
XPath error : Invalid number of arguments
XPath error : Invalid type
xmlXPathEval: 3 object left on the stack
Program received signal SIGSEGV, Segmentation fault.
0x00002b9636a24d4b in xmlXPathFreeNodeSet (obj=0x6660f0) at xpath.c:4059
4059 if ((obj->nodeTab[i] != NULL) &&
(gdb) bt
#0 0x00002b9636a24d4b in xmlXPathFreeNodeSet (obj=0x6660f0) at xpath.c:4059
#1 0x00002b9636a2552e in xmlXPathFreeObject (obj=0x666170) at xpath.c:5344
#2 0x00002b9636a32c1d in xmlXPathEval (str=0x2b96369df5c0
"UH\211ïSH\201ïï", ctx=0x61b7c0)
at xpath.c:14832
#3 0x00002b9636a233db in xmlShell (doc=<value optimized out>,
filename=0x7fff749b23f9 "test.xml", input=<value optimized out>,
output=<value optimized out>) at debugXML.c:2989
#4 0x0000000000406b42 in parseAndPrintFile (filename=0x7fff749b23f9
"test.xml", rectxt=0x0)
at xmllint.c:2310
#5 0x0000000000408e13 in main (argc=3, argv=0x7fff749b09e8) at
xmllint.c:3499
#6 0x00002b9637165944 in __libc_start_main () from /lib64/libc.so.6
#7 0x00000000004044a9 in _start ()
(gdb) p i
$1 = 10
(gdb) p obj->nodeTab[i]
$2 = (xmlNodePtr) 0x60
(gdb) p obj->nodeNr
$3 = 6711616
-> that value is clearly corrupted
(gdb)
File test.xml contains only "<aaa />"
Can you find where obj->nodeNr is reset with that value? Here I get 0 as
expected:
Starting program: /u/veillard/XML/xmllint --shell test.xml
/ > xpath *[ a=name(concat(""))]
Breakpoint 1, xmlXPathFreeNodeSet (obj=0xa498e38) at xpath.c:4055
4055 xmlXPathFreeNodeSet(xmlNodeSetPtr obj) {
(gdb) c
Continuing.
XPath error : Invalid number of arguments
XPath error : Invalid type
Breakpoint 1, xmlXPathFreeNodeSet (obj=0xa4985c8) at xpath.c:4055
4055 xmlXPathFreeNodeSet(xmlNodeSetPtr obj) {
(gdb) c
Continuing.
Breakpoint 1, xmlXPathFreeNodeSet (obj=0xa498f18) at xpath.c:4055
4055 xmlXPathFreeNodeSet(xmlNodeSetPtr obj) {
(gdb) c
Continuing.
Breakpoint 1, xmlXPathFreeNodeSet (obj=0xa498cc8) at xpath.c:4055
4055 xmlXPathFreeNodeSet(xmlNodeSetPtr obj) {
(gdb) c
Continuing.
xmlXPathEval: 3 object left on the stack
Breakpoint 1, xmlXPathFreeNodeSet (obj=0xa4983c8) at xpath.c:4055
4055 xmlXPathFreeNodeSet(xmlNodeSetPtr obj) {
(gdb) p *obj
$5 = {nodeNr = 0, nodeMax = 10, nodeTab = 0xa498418}
(gdb) c
Continuing.
Object is empty (NULL)
/ >
When allocating a node set, nodeNr and nodeMax are always initialized to 0
(see xmlXPathNewNodeSet).
Daniel
--
Red Hat Virtualization group http://redhat.com/virtualization/
Daniel Veillard | virtualization library http://libvirt.org/
veillard redhat com | libxml GNOME XML XSLT toolkit http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine http://rpmfind.net/
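
A triage check on the values printed in the two gdb sessions above, as an added example that is not part of the original message or of libxml2: the struct, the enum and the `nodeset_triage` helper are hypothetical, and the 64 KiB window is an assumed threshold. It shows that the crashing `nodeNr` (6711616, which is 0x666940) lies 0x850 bytes from `obj`, so it reads like a heap address rather than a node count.

```c
#include <stdint.h>
#include <stdio.h>

/* Local model of the fields gdb printed for the node set; this is not
 * libxml2's own xmlNodeSet definition. */
struct nodeset_dump {
    uintptr_t obj;      /* address of the node set (gdb: obj=...) */
    long nodeNr;        /* number of nodes in use */
    long nodeMax;       /* allocated slots, -1 if gdb did not print it */
    uintptr_t nodeTab;  /* slot array address, 0 if gdb did not print it */
};

enum verdict { NS_OK = 0, NS_BAD_COUNT = 1, NS_COUNT_LOOKS_LIKE_POINTER = 2 };

/* Hypothetical helper: checks the invariant 0 <= nodeNr <= nodeMax and
 * flags a count that lands within `window` bytes of the object's own
 * address, which suggests a pointer was read where an int was expected. */
static enum verdict nodeset_triage(const struct nodeset_dump *d, uintptr_t window)
{
    if (d->nodeNr > 0) {
        uintptr_t n = (uintptr_t)d->nodeNr;
        uintptr_t dist = n > d->obj ? n - d->obj : d->obj - n;
        if (dist <= window)
            return NS_COUNT_LOOKS_LIKE_POINTER;
    }
    if (d->nodeNr < 0)
        return NS_BAD_COUNT;
    if (d->nodeMax >= 0 && d->nodeNr > d->nodeMax)
        return NS_BAD_COUNT;
    return NS_OK;
}

/* Values copied from the two gdb sessions in this message. */
static const struct nodeset_dump crash_dump = { 0x6660f0, 6711616, -1, 0 };
static const struct nodeset_dump good_dump  = { 0xa4983c8, 0, 10, 0xa498418 };

int main(void)
{
    printf("crashing session: verdict %d\n", nodeset_triage(&crash_dump, 0x10000));
    printf("working session:  verdict %d\n", nodeset_triage(&good_dump, 0x10000));
    return 0;
}
```

The pointer-like verdict is a heuristic for where to look next (for example a watchpoint on `obj->nodeNr`), not a statement of the root cause.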