GNOME Bugzilla – Bug 114812
Memory corruption bug in libxslt CVS 20030906
Last modified: 2009-08-15 18:40:50 UTC
There is a memory corruption bug in libxslt 1.0.30 and the latest CVS version. It can be reproduced by downloading the test case http://www.philmann-dark.de/xslt-bug1.tar.gz
I don't understand teh probelm. What is it ? where ? what's the symptoms. You just can't drop an example at me without any explanation ! Daniel
[Note: This was posted about one month ago on the XSLT List. I repeat it here so its linked with the case.] I have the same problem as Mr. Tom Moertel. I've created a test-case which documents the behavior. The test case is 600KB and can be downloaded at http://www.philmann-dark.de/xslt-bug1.tar.gz (and yes, I stripped the test to the smallest possible size). Just get the file, unpack it (it creates a new directory), go into xslt-bug1 and run "./run". It will run two tests. The first one in test.xsl works. It says: ... exsltFuncRegisterFunc: register {my://own.uri}lookup-image-info Registered module http://exslt.org/functions ... xsltCopyOf: select my:lookup-image-info('animation/jei-ani.gif') Lookup function {my://own.uri}lookup-image-info found function lookup-image-info ... The second test prints the same but when I use the function, I suddenly get: ... Lookup function {my://own.uri}lookup-image-info xmlXPathCompOpEval: function lookup-image-info not found XPath error Unregistered function in my:lookup-image-info($path-key) runtime error: file image-common.xsl line 173 element variable Evaluating variable info failed call-template returned: name insert-img On a related note, global variables sometimes get lost (ie. I can see that the lookup of them works 20 times and then xsltproc crashes while trying to look it up once more). My guess is that there is a buggy pointer somewhere (memory overwritten, freed twice, etc). This is why the simple example works but the complex one fails and why I couldn't strip the test down further. I've submitted a bug report in bugzilla (#114812). Since this a pretty urgent issue for me, I'm willing to help to track this bug down if anyone can tell me what other things I should try. Note that this is not like Bug #114377! In my case, the function isn't even called!
Well the use of the exslt:function extension do give troubles ... I tried to check the memory accesses, nothing strange is reported by valgrind: ==25981== ==25981== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0) ==25981== malloc/free: in use at exit: 4096 bytes in 1 blocks. ==25981== malloc/free: 665119 allocs, 665118 frees, 46000894 bytes allocated. ==25981== For a detailed leak analysis, rerun with: --leak-check=yes ==25981== For counts of detected errors, rerun with: -v the differences between the test which works and the one which doesn't is quite significant: paphio:~/tmp/xslt-bug1 -> diff comic2html.xsl test.xsl | wc -l 305 paphio:~/tmp/xslt-bug1 -> diff dummy.xml tmp/data.xml | wc -l 31643 How I am supposed to analyze the difference which leads one to success and the other to failure ? If you want to help do the same as I would have to do: 1/ run xsltproc under a debugger 2/ breakpoint in the exslt extension function routine 3/ run the transformation 4/ check that the function is correctly registered 5/ continue until you breakpoint a the precise moment where the function is looked for 6/ check why the lookup fails you may have to find when in 5 the pointer got removed. This is extremeley time consuming especially since the transformation is large. Daniel
How do I do step 4? In which global data structure should the function appear? In which function does this happen? As I understand, all these things are stored in hashes which have the structure table->table[key]->next->next->...->NULL If I knew where my function is added, then I could add a watch for the next pointer pointing to the entry of my function: (gdb) p table->table[0]->next $45 = (struct _xmlHashEntry *) 0x804ee00 (gdb) watch *(int *)0x804ee00 Hardware watchpoint 9: *(int *) 134540800 (gdb) Then GDB will stop when this pointer is changed. I've found that exsltFuncFunctionComp() registers my function but it adds it only to a hash with one single entry. I guess that it is then copied to a global hash but I'm at a loss where that could be. Also, why is xmlXPathRegisterFuncNS() only called for lookup-char but not for lookup-image-info? Maybe the function is not registered globally?
I have no idea, I didn't wrote that code. I think this need to be posted on the mailing-list (not DocBook one, libxml one). Daniel
The problem concerning the exslt function was caused by a bug in the code handling importing stylesheets. I was able to produce test cases of a few tens of lines which demonstrated it (trying to debug a test case such as was initially submitted is completely impractical). The fixes are in CVS. Please check that they fix all of your problem.
Yep, now it works! Thanks a million for the quick fix! :-)