After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 469410 - Running this stylesheet causes xsltproc to crash
Running this stylesheet causes xsltproc to crash
Status: RESOLVED FIXED
Product: libxslt
Classification: Platform
Component: general
1.1.x
Other All
: Normal critical
: ---
Assigned To: Daniel Veillard
libxml QA maintainers
Depends on:
Blocks:
 
 
Reported: 2007-08-22 22:31 UTC by Mike Gorse
Modified: 2007-08-23 13:41 UTC
See Also:
GNOME target: ---
GNOME version: 2.17/2.18

Attachments
test case for reproducing. (5.33 KB, application/x-compressed-tar)
2007-08-22 22:38 UTC, Mike Gorse 		Details
This is a greatly simplified version of the test case that I uploaded earlier. (25 bytes, application/x-compressed-tar)
2007-08-23 00:17 UTC, Mike Gorse 		Details
This is what I meant to upload last time (a simplified test case)... (1.19 KB, application/x-compressed-tar)
2007-08-23 03:02 UTC, Mike Gorse 		Details

Description Mike Gorse 2007-08-22 22:31:38 UTC 
Steps to reproduce:
1. untar the attached xsltbug.tar.gz
2. cd xsltbug
3. xsltproc word2007.xsl document.xml (or run xsltbug.sh)

Stack trace:
 Invalid read of size 8
    at 0x518165C: xmlXPathCacheFreeObjectList (xpath.c:1824)
    by 0x5181766: xmlXPathFreeCache (xpath.c:1851)
    by 0x5187B82: xmlXPathFreeContext (xpath.c:6030)
    by 0x4B5307D: xsltFreeTransformContext (transform.c:578)
    by 0x40225F: xsltProcess (xsltproc.c:410)
    by 0x4049C3: main (xsltproc.c:853)
  Address 0x5BB2070 is 8 bytes inside a block of size 72 free'd
    at 0x4A206AA: free (vg_replace_malloc.c:233)
    by 0x5187131: xmlXPathReleaseObject (xpath.c:5518)
    by 0x519B187: xmlXPathCompiledEvalInternal (xpath.c:14701)
    by 0x519B259: xmlXPathCompiledEval (xpath.c:14741)
    by 0x4B58B6A: xsltValueOf (transform.c:4399)
    by 0x4B55769: xsltApplySequenceConstructor (transform.c:2582)
    by 0x4B565E5: xsltApplyOneTemplate (transform.c:3174)
    by 0x4B3E99B: xsltEvalTemplateString (templates.c:225)
    by 0x4B4E1BF: xsltAttributeInternal (attributes.c:985)
    by 0x4B4E254: xsltAttribute (attributes.c:1016)
    by 0x4B55769: xsltApplySequenceConstructor (transform.c:2582)
    by 0x4B59F4A: xsltChoose (transform.c:5229)

Other information:
I created the stack trace with valgrind on xsltproc 1.1.21, built against libxml2 2.6.29.  The .xsl file is buggy (it references pStyle rather than pstyle, so it produces an undefined variable error, for one thing), but it does bring out a bug in libxslt or libxml2 (an object being cleaned up twice?)
Comment 1 Mike Gorse 2007-08-22 22:38:07 UTC 
Created attachment 94152 [details]
test case for reproducing.
Comment 2 Mike Gorse 2007-08-23 00:17:46 UTC 
Created attachment 94159 [details]
This is a greatly simplified version of the test case that I uploaded earlier.
Comment 3 Mike Gorse 2007-08-23 03:02:40 UTC 
Created attachment 94166 [details]
This is what I meant to upload last time (a simplified test case)...
Comment 4 William M. Brack 2007-08-23 13:41:28 UTC 
I simplified your testcase a bit further :-) -

<?xml version="1.0" ?>
<xsl:stylesheet version="1.0"
  xmlns:xsl="http://www.w3.org/1999/XSL/Transform" >

<xsl:template match="p">
<xsl:value-of select="preceding-sibling::p[not(pPr/pStyle = $pStyle)][1]/preceding-sibling::p/pPr/pStyle"/>
</xsl:template>

</xsl:stylesheet>

and ran it with a copy of your data file with all namespaces removed.  I was able to trace through to find the root cause (which was actually in libxml2/xpath.c). The trouble was due to the undefined variable 'pStyle' in combination with the evaluation of a "positonal predicate" (the "[1]" term in the xpath expression). This caused some double-freeing of memory, resulting in the crash you experienced.

Fixed code (libxml2/xpath.c) is in svn, and will be included in the next release due out imminently.  I also put the modified testcase into the regression tests for libxslt.

Thanks for your work in putting together a test case for this problem!