GNOME Bugzilla – Bug 521699
Python crashes when evaluating namespace-related query
Last modified: 2008-03-12 10:03:53 UTC
As reported on the mailing list http://mail.gnome.org/archives/xml/2008-March/msg00046.html.

The "XPath semantic" for namespace is somewhat different than libxml2, so there is some special treatment which is not currently catered for in the python bindings.

1) For an XPath query involving namespace, xpath.c creates a "duplicate" of the namespace definition (see xmlXPathNodeSetDupl).
2) Python bindings in libxml2-py.c (see libxml_xmlXPathEval) calls libxml_xmlXPathObjectPtrWrap to prepare to return data to user.
3) That routine (case XPATH_NODESET) sets up to return pointers without noticing this is an "xpath.c-created" node which will be deleted.

At the end of the routine, xmlXPathFreeObject is called, and the "duplicate" node is freed. Subsequent reference (within the user's Python program) to the node leads to the segfault reported.
If we add a return at line 387 in types.c (before break in case XPATH_NODESET), to avoid freeing of obj, the error vanishes. This proves the cause of the error, but introduces a memory leak. So to actually solve the fix, another approach is needed. I tried to simply copy the nodes in the nodeset (line 382) with xmlNodeCopy(x, 1), but no luck. There are still some references to the freed XPathObject. (I tried with svn:3702)
Analysis correct, I found a way to fix this in python/types.c, that's now fixed in SVN, thanks :-)
Daniel
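The ownership problem discussed in this thread, as an added example that is not code from libxml2 or from any commenter: a simplified model comparing the reported behaviour (borrowed pointers, then free), the "return before free" experiment (leak), and an ownership hand-off. All type and function names are hypothetical, and the hand-off strategy is an assumption shown for contrast; the thread does not describe the fix that was committed.

```c
#include <stdlib.h>

/* Simplified model with hypothetical names (not libxml2's types). */
typedef struct { int dummy; } Ns;                /* a duplicated namespace node */
typedef struct { Ns **tab; size_t n; } Result;   /* XPath result that owns them */
typedef struct { int dangling; int leaked; } Outcome;
enum Strategy { BORROW_THEN_FREE, BORROW_NO_FREE, TRANSFER };

static int live;   /* namespace copies currently allocated */

static void *xalloc(size_t sz) { void *p = malloc(sz ? sz : 1); if (!p) abort(); return p; }

/* Stand-in for the query step that duplicates namespace nodes into the result. */
static Result *eval_query(size_t n) {
    Result *r = xalloc(sizeof *r);
    r->tab = xalloc(n * sizeof *r->tab);
    r->n = n;
    for (size_t i = 0; i < n; i++) { r->tab[i] = xalloc(sizeof(Ns)); live++; }
    return r;
}

/* Stand-in for xmlXPathFreeObject: frees every copy the result still owns. */
static void free_result(Result *r) {
    for (size_t i = 0; i < r->n; i++)
        if (r->tab[i]) { free(r->tab[i]); live--; }
    free(r->tab);
    free(r);
}

/* Runs one wrapping strategy and reports dangling handles and leaked copies. */
static Outcome run(enum Strategy s, size_t n) {
    Outcome o = {0, 0};
    live = 0;
    Result *r = eval_query(n);
    Ns **handles = xalloc(n * sizeof *handles);  /* what the caller receives */
    for (size_t i = 0; i < n; i++) {
        handles[i] = r->tab[i];
        if (s == TRANSFER) r->tab[i] = NULL;     /* result gives up ownership */
    }
    if (s != BORROW_NO_FREE) { free_result(r); r = NULL; }
    o.dangling = (int)n - live;                  /* handles whose target is gone */
    if (s == TRANSFER)                           /* handle owner frees its node */
        for (size_t i = 0; i < n; i++) { free(handles[i]); live--; }
    o.leaked = live;                             /* copies nobody will free */
    if (r) free_result(r);                       /* demo cleanup only */
    free(handles);
    return o;
}
```

The model counts allocations instead of dereferencing freed memory, so it runs cleanly under a sanitizer while still showing which strategy leaves stale handles.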