Re: [xml] an xpath segfault reproducible with xmllint




Daniel Veillard wrote:
> Can you find where obj->nodeNr is reset with that value? Here I get 0 as
> expected:

(gdb) r --shell test.xml
Starting program: /usr/bin/xmllint --shell test.xml
Breakpoint 2 at 0x2b4716766d23: file xpath.c, line 4058.
Pending breakpoint "xpath.c:4058" resolved
/ > xpath *[ a=name(concat(""))]

Breakpoint 2, xmlXPathFreeNodeSet (obj=0x6668d0) at xpath.c:4058
4058            for (i = 0;i < obj->nodeNr;i++)
(gdb) p obj->nodeNr
$1 = 1
(gdb) c
Continuing.
XPath error : Invalid number of arguments
XPath error : Invalid type

Breakpoint 2, xmlXPathFreeNodeSet (obj=0x6661d0) at xpath.c:4058
4058            for (i = 0;i < obj->nodeNr;i++)
(gdb) p obj->nodeNr
$2 = 1
(gdb) c
Continuing.

Breakpoint 2, xmlXPathFreeNodeSet (obj=0x6662c0) at xpath.c:4058
4058            for (i = 0;i < obj->nodeNr;i++)
(gdb) p obj->nodeNr
$3 = 1
(gdb) c
Continuing.

Breakpoint 2, xmlXPathFreeNodeSet (obj=0x6660f0) at xpath.c:4058
4058            for (i = 0;i < obj->nodeNr;i++)
(gdb) p obj->nodeNr
$4 = 0
(gdb) c
Continuing.
xmlXPathEval: 3 object left on the stack

Breakpoint 2, xmlXPathFreeNodeSet (obj=0x6660f0) at xpath.c:4058
4058            for (i = 0;i < obj->nodeNr;i++)
(gdb) p obj->nodeNr
$5 = 6711616
(gdb) p *obj
$6 = {nodeNr = 6711616, nodeMax = 0, nodeTab = 0x666110}
(gdb)

I'll try to investigate this further.

I also compiled the latest libxml2 from SVN trunk, and this modification:
http://svn.gnome.org/viewcvs/libxml2/trunk/xpath.c?r1=3575&r2=3584
changed the SIGSEGV into a SIGABRT:

(gdb) r --shell test.xml
Starting program: /usr/bin/xmllint --shell test.xml
Breakpoint 1 at 0x2ac6a8e4fd23: file xpath.c, line 4055.
/ > xpath *[ a=name(concat(""))]

Breakpoint 1, xmlXPathFreeNodeSet (obj=0x61c1f0) at xpath.c:4058
4058            for (i = 0;i < obj->nodeNr;i++)
(gdb) p i
$1 = <value optimized out>
(gdb) p obj->nodeNr
$2 = 1
(gdb) c
Continuing.
XPath error : Invalid number of arguments
XPath error : Invalid type

Breakpoint 1, xmlXPathFreeNodeSet (obj=0x61c110) at xpath.c:4058
4058            for (i = 0;i < obj->nodeNr;i++)
(gdb) p obj->nodeNr
$3 = 1
(gdb) c
Continuing.

Breakpoint 1, xmlXPathFreeNodeSet (obj=0x61a6c0) at xpath.c:4058
4058            for (i = 0;i < obj->nodeNr;i++)
(gdb) p obj->nodeNr
$4 = 1
(gdb) c
Continuing.

Program received signal SIGABRT, Aborted.
0x00002ac6a97b8395 in raise () from /lib64/libc.so.6
(gdb)

--
Best Regards / S pozdravom,

Pavol RUSNAK                                       SUSE LINUX, s.r.o
Package Maintainer                                Lihovarska 1060/12
PGP 0xA6917144                                     19000 Praha 9, CR
prusnak[at]suse.cz                                http://www.suse.cz
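An added example, not from this thread or from libxml2: a struct mirroring the three fields gdb printed for `*obj`, with a release routine that checks the header invariants before walking `nodeTab`, so a recycled object like the one above (`nodeNr = 6711616` with `nodeMax = 0`) is rejected instead of driving the loop at xpath.c:4058 over garbage. The struct layout, the function names and the caller-owned struct (kept so a repeated release stays detectable) are assumptions of this example, not libxml2's design.

```c
#include <stdio.h>
#include <stdlib.h>

/* Mirror of the three fields gdb printed for *obj. The real libxml2
 * xmlNodeSet uses the same field names; the layout here is a simplification. */
typedef struct {
    int nodeNr;      /* nodes in use */
    int nodeMax;     /* capacity of nodeTab */
    void **nodeTab;  /* node pointer array (void* stands in for xmlNodePtr) */
} node_set;

/* Allocate the table; returns 0 on success, -1 on allocation failure. */
int node_set_init(node_set *s, int capacity)
{
    s->nodeTab = calloc((size_t)capacity, sizeof(void *));
    if (s->nodeTab == NULL) return -1;
    s->nodeNr = 0;
    s->nodeMax = capacity;
    return 0;
}

/* Invariants a live node set must satisfy. The recycled object seen above
 * (nodeNr = 6711616, nodeMax = 0) fails the nodeNr <= nodeMax check. */
int node_set_is_sane(const node_set *s)
{
    if (s == NULL || s->nodeNr < 0 || s->nodeMax < 0) return 0;
    if (s->nodeNr > s->nodeMax) return 0;
    if (s->nodeMax > 0 && s->nodeTab == NULL) return 0;
    return 1;
}

/* Checked release of the table. The struct itself is caller-owned here
 * (an assumption made so a repeated release is detectable): after the first
 * release the header is poisoned, so a second call returns -1 instead of
 * iterating over whatever the allocator left in nodeNr. */
int node_set_release(node_set *s)
{
    if (!node_set_is_sane(s)) {
        fprintf(stderr, "node_set_release: corrupt or already-released header\n");
        return -1;
    }
    free(s->nodeTab);
    s->nodeTab = NULL;
    s->nodeNr = -1;   /* poison: fails node_set_is_sane on any later use */
    s->nodeMax = -1;
    return 0;
}
```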
