GNOME Bugzilla – Bug 491651
xmlMemFree(NULL) crashes
Last modified: 2007-10-30 20:27:02 UTC
xmlMemFree is documented as "a free() equivalent, with error checking". AFAIK, at least C99 explicitly specifies that free(NULL) has no action.

    p = CLIENT_2_HDR(ptr);        // p is negative
    if (p->mh_tag != MEMTAG) {    // crashes

This problem makes Safari/WebKit crash on any XHTML file when running against a libxml2 built with memory debugging enabled. Production builds are of course OK, since xmlFree() maps to system free() there.
Hum, we could add a test of NULL in that function, that doesn't sound like a problem to me, but the libxml2 library is designed to never call xmlFree(NULL), which allows spotting more errors. Daniel
In WebKit, calling xmlFree(NULL) happens naturally, e.g.:

    xmlChar* base = xmlNodeGetBase(parentDoc, (xmlNodePtr)parentDoc);
    // ...
    xmlFree(base);

Adding null checks around xmlFree calls would be undesirable for us for performance reasons, and, perhaps more importantly, this is not a stable solution in the sense that missing checks won't be detected when using production libxml2 builds. Also, most of the code base uses versions of delete/free that work with null parameters, so it would be hard to remember about null checks around xmlFree.
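To make the failure mode concrete, here is an added, self-contained model of a tagged-header debug free() wrapper; it is example code written for this page, not libxml2's xmlmemory.c, and MEMTAG, mem_hdr, CLIENT_2_HDR, dbg_malloc, dbg_free and lookup_base are this example's own names (lookup_base stands in for a call like xmlNodeGetBase that may legitimately return NULL). header_address_of shows, with well-defined integer arithmetic, where the unguarded wrapper would read its header for a NULL client pointer: the subtraction wraps to the very top of the address space, the "negative" pointer the report describes, which no process can dereference. dbg_free is the guarded form, treating NULL as a no-op exactly as C99 specifies for free(NULL), while still counting such calls so a debug build can report them.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a debug free() wrapper that keeps a tagged header in
 * front of every block. Names and layout are this example's own assumptions,
 * not libxml2's definitions. */
#define MEMTAG 0x5aa5u

typedef struct {
    unsigned int mh_tag;   /* MEMTAG while the block is live */
    size_t       mh_size;  /* client-visible size */
} mem_hdr;

#define HDR_SIZE        sizeof(mem_hdr)
#define CLIENT_2_HDR(p) ((mem_hdr *)((char *)(p) - HDR_SIZE))
#define HDR_2_CLIENT(h) ((void *)((char *)(h) + HDR_SIZE))

static size_t live_bytes = 0;   /* bytes currently handed out */
static size_t null_frees = 0;   /* debug counter: how often free(NULL) was seen */

size_t dbg_live_bytes(void) { return live_bytes; }
size_t dbg_null_frees(void) { return null_frees; }

void *dbg_malloc(size_t n) {
    mem_hdr *h = malloc(HDR_SIZE + n);
    if (h == NULL) return NULL;
    h->mh_tag = MEMTAG;
    h->mh_size = n;
    live_bytes += n;
    return HDR_2_CLIENT(h);
}

/* Address the unguarded wrapper would read its header from, computed with
 * integer arithmetic so the NULL case is well defined in this example.
 * For NULL the subtraction wraps to UINTPTR_MAX - HDR_SIZE + 1: not a
 * mappable address, hence the crash in the report. */
uintptr_t header_address_of(const void *ptr) {
    return (uintptr_t)ptr - (uintptr_t)HDR_SIZE;
}

/* Guarded wrapper: NULL is a no-op, as C99 specifies for free(NULL).
 * Returns 0 for NULL, 1 for a block released, -1 for a foreign block. */
int dbg_free(void *ptr) {
    if (ptr == NULL) {          /* the check the unguarded version lacks */
        null_frees++;           /* keep NULL frees visible in debug statistics */
        return 0;
    }
    mem_hdr *h = CLIENT_2_HDR(ptr);
    if (h->mh_tag != MEMTAG)
        return -1;              /* header tag does not match: not one of ours */
    h->mh_tag = 0;              /* scrub the tag before handing the block back */
    live_bytes -= h->mh_size;
    free(h);
    return 1;
}

/* Stand-in for a lookup such as xmlNodeGetBase: may return NULL. */
char *lookup_base(int has_base) {
    if (!has_base) return NULL;
    const char *src = "http://example.invalid/base/";   /* constructed value */
    char *out = dbg_malloc(strlen(src) + 1);
    if (out != NULL) memcpy(out, src, strlen(src) + 1);
    return out;
}

/* The WebKit pattern from the report: lookup, then unconditional free. */
int caller_free_unconditionally(int has_base) {
    char *base = lookup_base(has_base);
    /* ... base would be used here ... */
    return dbg_free(base);      /* 1 when a block existed, 0 for the NULL case */
}

/* A block not produced by dbg_malloc (tag deliberately 0) must be rejected. */
int foreign_block_is_rejected(void) {
    struct { mem_hdr hdr; unsigned char payload[8]; } fake = { {0, 8}, {0} };
    return dbg_free(fake.payload);
}

int main(void) {
    printf("header address for NULL: 0x%lx\n",
           (unsigned long)header_address_of(NULL));
    printf("free after lookup (hit):  %d\n", caller_free_unconditionally(1));
    printf("free after lookup (miss): %d\n", caller_free_unconditionally(0));
    printf("foreign block: %d, live bytes: %zu, NULL frees: %zu\n",
           foreign_block_is_rejected(), dbg_live_bytes(), dbg_null_frees());
    return 0;
}
```

The counter is the compromise between the two positions in this thread: library-internal code can still be checked for stray xmlFree(NULL) calls by inspecting the debug statistics, while callers that rely on free(NULL) semantics no longer crash.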
Sure, I understand, I was speaking for libxml2 internal code. For the debug mode your problem should be trivially fixed by the following patch paphio:~/XML -> svn diff Index: xmlmemory.c =================================================================== --- xmlmemory.c (revision 3660) +++ xmlmemory.c (working copy) @@ -409,6 +409,9 @@ size_t size; #endif + if (ptr == NULL) + return; + if (ptr == (void *) -1) { xmlGenericError(xmlGenericErrorContext, "trying to free pointer from freed area\n"); paphio:~/XML -> which I committed to SVN head, Daniel
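Review bot: The early `if (ptr == NULL) return;` silently discards exactly the signal comment 2 says the library relies on (internal code never calling xmlFree(NULL)), so a debug build can no longer distinguish a deliberate free(NULL) from a stray one; consider emitting an xmlGenericError or bumping a debug counter before the return, so the behaviour is free()-compatible for callers like WebKit while internal misuse stays detectable. The function's documentation quoted in the report ("a free() equivalent, with error checking") should also state that NULL is accepted, matching free(NULL), now that the -1 sentinel check and the header tag check are skipped for it.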