Re: [xml] memory problem with unknown XPath functions

Hi François,

François Delyon wrote:
> I try to evaluate a wrong XPath expression like "//command[start-with
> (start-with() is not an xpath function; the final "s" of "starts" is
> Then I get the error:
>   malloc: ***  Deallocation of a pointer not malloced: 0x6d5b450;
> This could be a double free(), or free() called with the middle of an
> allocated block;
Yes, this is certainly caused by a double-free.

> I do the following:
> xmlXPathCompExprPtr exp=xmlXPathCtxtCompile(xpathCtx,s);// no error??
> xmlXPathObjectPtr xpathObj = xmlXPathCompiledEval(exp, xpathCtx);
>
> As expected, xmlXPathCompOpEval returns at the test
>                      if (func == NULL) {
> function %s not found\n",
>
> then in xmlXPathCompiledEvalInternal(), the following code:
>      * Pop all remaining objects from the stack.
>      if (pctxt->valueNr > 0) {
>       xmlXPathObjectPtr tmp;
>       int stack = 0;
>
>       do {
>           tmp = valuePop(pctxt);
>           if (tmp != NULL) {
>               if (tmp != NULL)
>               xmlXPathReleaseObject(ctxt, tmp);
>       } while (tmp != NULL);
>
> generates the error at the third and last execution of
> The double test "if (tmp != NULL)" seems suspect.
> The last temp->type has an unknown random value.


Although you are correct that the "double-test" is redundant, it is not
the cause of the problem (in fact, during "optimisation", the gcc
compiler gets rid of the redundancy).  I have made an enhancement to
xpath.c in SVN which fixes the problem - if you are interested in the
details, see
Note that I didn't remove the redundant line you mentioned (but I will
the next time I make any change to the module :-).


