After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 521699 - Python crashes when evaluating namespace-related query
Python crashes when evaluating namespace-related query
Status: RESOLVED FIXED
Product: libxml2
Classification: Platform
Component: general
git master
Other Linux
: Normal normal
: ---
Assigned To: Daniel Veillard
libxml QA maintainers
Depends on:
Blocks:
 
 
Reported: 2008-03-11 01:35 UTC by William M. Brack
Modified: 2008-03-12 10:03 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description William M. Brack 2008-03-11 01:35:27 UTC
As reported on the mailing list http://mail.gnome.org/archives/xml/2008-March/msg00046.html.

The "XPath semantic" for namespace is somewhat different than libxml2, so there is some special treatment which is not currently catered for in the python bindings.

1) For an XPath query involving namespace, xpath.c creates a "duplicate" of the namespace definition (see xmlXPathNodeSetDupl).
2) Python bindings in libxml2-py.c (see libxml_xmlXPathEval) calls libxml_xmlXPathObjectPtrWrap to prepare to return data to user
3) that routine (case XPATH_NODESET) sets up to return pointers without noticing this is an "xpath.c-created" node which will be deleted.  At the end of the routine, xmlXPathFreeObject is called, and the "duplicate" node is freed. Subsequent reference (within the user's Python program) to the node leads to the segfault reported.
Comment 1 Andreas Stricker 2008-03-12 09:54:05 UTC
If we add a return at line 387 in types.c (before break in case XPATH_NODESET), to avoid freeing of obj, the error vanishes. This proves the cause of the error, but introduces a memory leak.

So to actually solve the fix, another approach is needed. I tried to simply copy the nodes in the nodeset (line 382) with xmlNodeCopy(x, 1), but no luck. There are still some references to the freed XPathObject.

(I tried with svn:3702)
Comment 2 Daniel Veillard 2008-03-12 10:03:53 UTC
Analysis correct, I found a way to fix this in python/types.c , that
now fixed in SVN, 

  thanks :-)

Daniel