Re: [xml] memory problem with unknown XPath functions



Hi François,

François Delyon wrote:
> I try to evaluate a wrong XPath expression like
> "//command[start-with(@code,'XML')]"
> (start-with() is not an xpath function; the final "s" of "starts" is
> missing)
> Then I get the error:
>   malloc: ***  Deallocation of a pointer not malloced: 0x6d5b450;
> This could be a double free(), or free() called with the middle of an
> allocated block;

Yes, this is certainly caused by a double-free.

> I do the following:
> xmlXPathCompExprPtr exp=xmlXPathCtxtCompile(xpathCtx,s);// no error??
> xmlXPathObjectPtr xpathObj = xmlXPathCompiledEval(exp, xpathCtx);
>
> As expected, xmlXPathCompOpEval returns at the test
>     if (func == NULL) {
>         xmlGenericError(xmlGenericErrorContext,
>                         "xmlXPathCompOpEval: function %s not found\n",
>                         op->value4);
>         XP_ERROR0(XPATH_UNKNOWN_FUNC_ERROR);
>     }
>
> then in xmlXPathCompiledEvalInternal(), the following code:
>     /*
>      * Pop all remaining objects from the stack.
>      */
>     if (pctxt->valueNr > 0) {
>         xmlXPathObjectPtr tmp;
>         int stack = 0;
>
>         do {
>             tmp = valuePop(pctxt);
>             if (tmp != NULL) {
>                 if (tmp != NULL)
>                     stack++;
>                 xmlXPathReleaseObject(ctxt, tmp);
>             }
>         } while (tmp != NULL);
>
> generates the error at the third and last execution of
> xmlXPathReleaseObject.
> The double test "if (tmp != NULL)" seems suspect.
> The last temp->type has an unknown random value.
>
> François.

Although you are correct that the "double-test" is redundant, it is not
the cause of the problem (in fact, during "optimisation", the gcc
compiler gets rid of the redundancy).  I have made an enhancement to
xpath.c in SVN which fixes the problem - if you are interested in the
details, see
http://svn.gnome.org/viewcvs/libxml2/trunk/xpath.c?rev=3584&r1=3575&r2=3584
Note that I didn't remove the redundant line you mentioned (but I will
the next time I make any change to the module :-).

Regards,

Bill



