Bug 338303 - passing a non-XML-Schema document to xmlSchemaParse interferes with xmlFreeDoc
Status: RESOLVED FIXED
Product: libxml2
Classification: Platform
Component: general
Version: 2.6.x
Hardware: Other
OS: All
Priority: Normal
Severity: critical
Target Milestone: ---
Assigned To: Daniel Veillard
QA Contact: libxml QA maintainers
Depends on:
Blocks:
 
 
Reported: 2006-04-13 06:23 UTC by Stefan Behnel
Modified: 2006-04-13 07:50 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description Stefan Behnel 2006-04-13 06:23:11 UTC
Steps to reproduce:
1. Pass a non-XML-Schema document to xmlSchemaParse (like "<test/>") using xmlSchemaNewDocParserCtxt
2. Have it fail (which is correct, it's not XML-Schema after all)
2.a. If that's not enough, free the XML document
3. You should get a memory error


Stack trace:
From Valgrind (trace from lxml; the __pyx_tp_dealloc_* functions basically call xmlFreeNode or xmlFreeDoc):

==20915== Invalid read of size 8
==20915==    at 0x59094F6: __pyx_tp_dealloc_5etree__NodeBase (in
/home/me/source/Python/lxml/lxml-HEAD/src/lxml/etree.so)
==20915==    by 0x58E2ED6: __pyx_tp_dealloc_5etree__ElementTree (in
/home/me/source/Python/lxml/lxml-HEAD/src/lxml/etree.so)
==20915==    by 0x4B6D9E9: (within /usr/lib64/libpython2.4.so.1.0)
==20915==    by 0x4B6DC79: PyDict_SetItem (in /usr/lib64/libpython2.4.so.1.0)
==20915==    by 0x56CD0C7: ???
==20915==  Address 0x5F6E038 is 0 bytes inside a block of size 120 free'd
==20915==    at 0x4A1A5E3: free (in
/usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==20915==    by 0x5BC39ED: xmlFreeNodeList (in /usr/lib64/libxml2.so.2.6.23)
==20915==    by 0x5BC3793: xmlFreeDoc (in /usr/lib64/libxml2.so.2.6.23)
==20915==    by 0x5C15CA1: (within /usr/lib64/libxml2.so.2.6.23)
==20915==    by 0x5C28D4A: xmlSchemaParse (in /usr/lib64/libxml2.so.2.6.23)
==20915==    by 0x59223CA: __pyx_f_5etree_9XMLSchema___init__ (in
/home/me/source/Python/lxml/lxml-HEAD/src/lxml/etree.so)
==20915==    by 0x4B7C67C: (within /usr/lib64/libpython2.4.so.1.0)
==20915==
==20915== Invalid write of size 8
==20915==    at 0x5909502: __pyx_tp_dealloc_5etree__NodeBase (in
/home/me/source/Python/lxml/lxml-HEAD/src/lxml/etree.so)
==20915==    by 0x58E2ED6: __pyx_tp_dealloc_5etree__ElementTree (in
/home/me/source/Python/lxml/lxml-HEAD/src/lxml/etree.so)
==20915==    by 0x4B6D9E9: (within /usr/lib64/libpython2.4.so.1.0)
==20915==    by 0x4B6DC79: PyDict_SetItem (in /usr/lib64/libpython2.4.so.1.0)
==20915==    by 0x56CD0C7: ???
==20915==  Address 0x5F6E038 is 0 bytes inside a block of size 120 free'd
==20915==    at 0x4A1A5E3: free (in
/usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==20915==    by 0x5BC39ED: xmlFreeNodeList (in /usr/lib64/libxml2.so.2.6.23)
==20915==    by 0x5BC3793: xmlFreeDoc (in /usr/lib64/libxml2.so.2.6.23)
==20915==    by 0x5C15CA1: (within /usr/lib64/libxml2.so.2.6.23)
==20915==    by 0x5C28D4A: xmlSchemaParse (in /usr/lib64/libxml2.so.2.6.23)
==20915==    by 0x59223CA: __pyx_f_5etree_9XMLSchema___init__ (in
/home/me/source/Python/lxml/lxml-HEAD/src/lxml/etree.so)
==20915==    by 0x4B7C67C: (within /usr/lib64/libpython2.4.so.1.0)
==20915==
==20915== Invalid read of size 8
==20915==    at 0x58E250F: __pyx_f_5etree_attemptDeallocation (in
/home/me/source/Python/lxml/lxml-HEAD/src/lxml/etree.so)
==20915==    by 0x5909585: __pyx_tp_dealloc_5etree__NodeBase (in
/home/me/source/Python/lxml/lxml-HEAD/src/lxml/etree.so)
==20915==    by 0x58E2ED6: __pyx_tp_dealloc_5etree__ElementTree (in
/home/me/source/Python/lxml/lxml-HEAD/src/lxml/etree.so)
==20915==    by 0x4B6D9E9: (within /usr/lib64/libpython2.4.so.1.0)
==20915==    by 0x4B6DC79: PyDict_SetItem (in /usr/lib64/libpython2.4.so.1.0)
==20915==    by 0x56CD0C7: ???
==20915==  Address 0x5F6E060 is 40 bytes inside a block of size 120 free'd
==20915==    at 0x4A1A5E3: free (in
/usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==20915==    by 0x5BC39ED: xmlFreeNodeList (in /usr/lib64/libxml2.so.2.6.23)
==20915==    by 0x5BC3793: xmlFreeDoc (in /usr/lib64/libxml2.so.2.6.23)
==20915==    by 0x5C15CA1: (within /usr/lib64/libxml2.so.2.6.23)
==20915==    by 0x5C28D4A: xmlSchemaParse (in /usr/lib64/libxml2.so.2.6.23)
==20915==    by 0x59223CA: __pyx_f_5etree_9XMLSchema___init__ (in
/home/me/source/Python/lxml/lxml-HEAD/src/lxml/etree.so)
==20915==    by 0x4B7C67C: (within /usr/lib64/libpython2.4.so.1.0)
==20915==
==20915== Invalid read of size 4
==20915==    at 0x58E2518: __pyx_f_5etree_attemptDeallocation (in
/home/me/source/Python/lxml/lxml-HEAD/src/lxml/etree.so)
==20915==    by 0x5909585: __pyx_tp_dealloc_5etree__NodeBase (in
/home/me/source/Python/lxml/lxml-HEAD/src/lxml/etree.so)
==20915==    by 0x58E2ED6: __pyx_tp_dealloc_5etree__ElementTree (in
/home/me/source/Python/lxml/lxml-HEAD/src/lxml/etree.so)
==20915==    by 0x4B6D9E9: (within /usr/lib64/libpython2.4.so.1.0)
==20915==    by 0x4B6DC79: PyDict_SetItem (in /usr/lib64/libpython2.4.so.1.0)
==20915==    by 0x56CD0C7: ???
==20915==  Address 0x5F6DF30 is 8 bytes inside a block of size 168 free'd
==20915==    at 0x4A1A5E3: free (in
/usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==20915==    by 0x5BC384F: xmlFreeDoc (in /usr/lib64/libxml2.so.2.6.23)
==20915==    by 0x5C15CA1: (within /usr/lib64/libxml2.so.2.6.23)
==20915==    by 0x5C28D4A: xmlSchemaParse (in /usr/lib64/libxml2.so.2.6.23)
==20915==    by 0x59223CA: __pyx_f_5etree_9XMLSchema___init__ (in
/home/me/source/Python/lxml/lxml-HEAD/src/lxml/etree.so)
==20915==    by 0x4B7C67C: (within /usr/lib64/libpython2.4.so.1.0)


Other information:
Parsing a non-XML-Schema document seems to (partially?) free the XML document
itself from within the xmlSchemaParse. This bug does not occur if the document
has an XML-Schema root node.
Comment 1 Daniel Veillard 2006-04-13 07:50:26 UTC
Same thing as 338306: the interface where the document is passed preparsed is not used commonly, as the compilation modifies it.

I reproduced the bug, it is fixed in CVS, thanks for the report!

paphio:~/XML -> cat tst.c
#include <stdio.h>
#include <stdlib.h>   /* exit() */
#include <libxml/parser.h>
#include <libxml/tree.h>
#include <libxml/xmlschemas.h>

int main(int argc, char **argv) {
    xmlDocPtr schemas;
    xmlSchemaParserCtxtPtr ctxt;
    xmlSchemaPtr res;

    if (argc != 2)
        return(1);

    LIBXML_TEST_VERSION

    /* Parse the input as a plain XML document first ... */
    schemas = xmlReadFile(argv[1], NULL, 0);
    if (schemas == NULL) {
        fprintf(stderr, "Failed to parse %s\n", argv[1]);
        exit(0);
    }
    /* ... then hand the preparsed tree to the schema compiler. */
    ctxt = xmlSchemaNewDocParserCtxt(schemas);
    if (ctxt == NULL) {
        fprintf(stderr, "Failed to build XSD parser from %s\n", argv[1]);
        exit(0);
    }
    res = xmlSchemaParse(ctxt);
    if (res != NULL) {
        fprintf(stderr, "%s is actually an XSD schemas\n", argv[1]);
        exit(0);
    } else {
        fprintf(stderr, "%s is not an XSD schemas, freeing\n", argv[1]);
    }
    xmlSchemaFreeParserCtxt(ctxt);
    /* The reported bug: the failed xmlSchemaParse had already freed the
     * document, so this second free is what Valgrind flags. */
    xmlFreeDoc(schemas);

    xmlCleanupParser();
    xmlMemoryDump();
    return(0);
}
paphio:~/XML -> valgrind --leak-check=full --leak-resolution=high ./tst test.xml
Schemas parser error : The XML document 'test.xml' is not a schema document.
test.xml is not an XSD schemas, freeing
paphio:~/XML ->

Daniel