Bug 723137 – Segfault when variable references self during definition

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 723137 - Segfault when variable references self during definition


Summary:	Segfault when variable references self during definition


Status:	RESOLVED FIXED

Product:	libxslt
Classification:	Platform
Component:	general
Version:	1.1.26
Hardware:	Other Linux

Importance:	Normal normal
Target Milestone:	---
Assigned To:	Daniel Veillard
QA Contact:	libxml QA maintainers

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2014-01-27 23:37 UTC by peterx14
Modified:	2014-02-25 13:49 UTC

See Also:
GNOME target:	---
GNOME version:	---

Attachments
example stylesheet (637 bytes, application/xslt+xml) 2014-01-27 23:37 UTC, peterx14	Details
example XML document (128 bytes, text/xml) 2014-01-27 23:38 UTC, peterx14	Details

Description peterx14 2014-01-27 23:37:17 UTC

Created attachment 267359 [details]
example stylesheet

The following causes a segfault:

  <xsl:variable name="newclass" select="
      concat(
          'x ',
          substring-after(@class, $newclass)
      )
  " />

Specifically, xsltproc says:

  Variable 'newclass' has not been declared.
  XPath error : Stack usage errror
  Segmentation fault (core dumped)

Obviously the XSLT is at fault by referencing a variable that hasn't been declared, but the segfault is unexpected.

Oddly, if the substring-after() function is the *first* argument to concat() then there is no segfault.

I original discovered this problem with PHP/Apache, but xsltproc also exhibits this issue.

$ xsltproc --version
Using libxml 20708, libxslt 10126 and libexslt 815
xsltproc was compiled against libxml 20708, libxslt 10126 and libexslt 815
libxslt 10126 was compiled against libxml 20708
libexslt 815 was compiled against libxml 20708

$ uname -srvmpio
Linux 3.8.0-35-generic #50~precise1-Ubuntu SMP Wed Dec 4 17:25:51 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

See attached XML and XSL.

Comment 1 peterx14 2014-01-27 23:38:08 UTC

Created attachment 267360 [details]
example XML document

Comment 2 Nick Wellnhofer 2014-02-25 13:49:10 UTC

I can confirm the segfault with libxml2 2.7.8 and libxslt 1.1.26 but it works for me with libxml2 2.9.1 and libxslt 1.1.28. I guess that one of the fixes to the XPath engine in libxml2 also fixed this segfault.