segfault with XPath expression with unknown namespace and nested function calls

Bug #1009118 reported by Kovid Goyal
Affects   Status         Importance   Assigned to   Milestone
libxml2   Triaged        Critical     Unassigned
lxml      Fix Released   Critical     Unassigned

Bug Description

The following test snippet causes a segfault:
python -c "from lxml import etree; etree.fromstring('<r><a/></r>').xpath('''*[concat(' ', @xxx:zzz, ' ')='y']''')"

Removing either normalize-space or concat causes an XPathEvalError to be raised, which is much friendlier than a segfault. I guess that maybe the exception is not being handled properly in concat().

Python : sys.version_info(major=2, minor=7, micro=3, releaselevel='final', serial=0)
lxml.etree : (2, 3, 4, 0)
libxml used : (2, 8, 0)
libxml compiled : (2, 8, 0)
libxslt used : (1, 1, 26)

linux, 64-bit (gentoo)

Kovid Goyal (kovid) wrote :

Sorry, I pasted the wrong test case to reproduce the crash. The correct test case is:

python -c "from lxml import etree; etree.fromstring('<r><a/></r>').xpath('''*[concat(' ', normalize-space(@xxx:type), ' ')='y']''')"

scoder (scoder) wrote :

Thanks for the report, I can reproduce this. However, from the stack trace I get, it seems to be a bug in libxml2:

#0 xmlXPathNormalizeFunction__internal_alias (ctxt=0x929940, nargs=<optimized out>) at xpath.c:9252
#1 xmlXPathNormalizeFunction__internal_alias (ctxt=0x929940, nargs=<optimized out>) at xpath.c:9233
#2 0x00007ffff57c59e2 in xmlXPathCompOpEval (ctxt=0x929940, op=0xa93600) at xpath.c:13490
#3 0x00007ffff57c4dc2 in xmlXPathCompOpEval (op=<optimized out>, ctxt=0x929940) at xpath.c:13190
#4 xmlXPathCompOpEval (ctxt=0x929940, op=0xa93640) at xpath.c:13874
#5 0x00007ffff57c582f in xmlXPathCompOpEval (ctxt=0x929940, op=0xa93680) at xpath.c:13508
#6 0x00007ffff57c57dd in xmlXPathCompOpEval (op=<optimized out>, ctxt=0x929940) at xpath.c:13190
#7 xmlXPathCompOpEval (ctxt=0x929940, op=0xa93700) at xpath.c:13502
#8 0x00007ffff57c5950 in xmlXPathCompOpEval (op=<optimized out>, ctxt=0x929940) at xpath.c:13190
#9 xmlXPathCompOpEval (ctxt=0x929940, op=0xa93740) at xpath.c:13438
#10 0x00007ffff57c51ea in xmlXPathCompOpEval (op=<optimized out>, ctxt=<optimized out>) at xpath.c:13190
#11 xmlXPathCompOpEval (ctxt=0x929940, op=0xa937c0) at xpath.c:13252
#12 0x00007ffff57c6f5f in xmlXPathCompOpEval (op=0xa937c0, ctxt=0x929940) at xpath.c:13190
#13 xmlXPathCompOpEvalToBoolean (ctxt=0x929940, op=<optimized out>, isPredicate=1) at xpath.c:14108
#14 0x00007ffff57c79d1 in xmlXPathCompOpEvalPredicate (ctxt=0x929940, set=<optimized out>, contextSize=1, hasNsNodes=0, op=<optimized out>) at xpath.c:11664
#15 0x00007ffff57c8af5 in xmlXPathNodeCollectAndTest (ctxt=0x929940, op=<optimized out>, first=<optimized out>, last=<optimized out>, toBool=0) at xpath.c:12520
#16 0x00007ffff57c5698 in xmlXPathCompOpEval (ctxt=0x929940, op=0xa93840) at xpath.c:13387
#17 0x00007ffff57c4dc2 in xmlXPathCompOpEval (op=<optimized out>, ctxt=0x929940) at xpath.c:13190
#18 xmlXPathCompOpEval (ctxt=0x929940, op=0xa93880) at xpath.c:13874
#19 0x00007ffff57c70c8 in xmlXPathCompOpEval (op=<optimized out>, ctxt=0x929940) at xpath.c:13190
#20 xmlXPathRunEval (ctxt=0x929940, toBool=0) at xpath.c:14444
#21 0x00007ffff57ce674 in xmlXPathEvalExpression__internal_alias (str=<optimized out>, ctxt=0xa901a0) at xpath.c:15019
#22 0x00007ffff5fc6bb7 in __pyx_pw_4lxml_5etree_21XPathElementEvaluator_7__call__ () from /home/sbehnel/source/Python/lxml/lxml-hg/src/lxml/etree.so

I don't see how lxml can handle this.

Changed in lxml:
assignee: nobody → Stefan Behnel (scoder)
importance: Undecided → Critical
status: New → Triaged
affects: lxml → libxml2
Changed in libxml2:
assignee: Stefan Behnel (scoder) → nobody
Changed in lxml:
assignee: nobody → Stefan Behnel (scoder)
importance: Undecided → Critical
status: New → Confirmed
scoder (scoder) wrote :

This is fixed in libxml2 2.9.0.

Changed in lxml:
assignee: Stefan Behnel (scoder) → nobody
status: Confirmed → Fix Released
milestone: none → 3.0
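
An added example, not part of the report or of lxml: a pre-flight check that finds namespace prefixes an XPath expression uses without a binding, so an application that cannot yet move to libxml2 2.9.0 can reject such expressions before calling .xpath(). The function names and regular expressions are assumptions, as is treating every libxml2 older than 2.9.0 as affected (the report only confirms 2.8.0).

```python
import re

FIXED_IN = (2, 9, 0)  # the report states the crash is fixed in libxml2 2.9.0

# Quoted XPath literals are blanked first so a colon inside one is not a prefix.
_LITERAL = re.compile(r"'[^']*'|\"[^\"]*\"")
# A name followed by a single ':' (a double '::' is an axis, not a prefix).
_PREFIX = re.compile(r"(?<![\w.\-])([A-Za-z_][\w.\-]*):(?!:)")


def undeclared_prefixes(xpath, namespaces=None):
    """Return sorted prefixes used in `xpath` that `namespaces` does not bind."""
    # Assumption: 'xml' is treated as always bound, as the Namespaces spec defines.
    declared = set(namespaces or ()) | {"xml"}
    bare = _LITERAL.sub("''", xpath)
    return sorted(set(_PREFIX.findall(bare)) - declared)


def needs_upgrade(libxml2_version):
    """True when the linked libxml2 predates the fixed release."""
    return tuple(libxml2_version) < FIXED_IN


def linked_libxml2():
    """Version lxml is running against, or None if lxml is not installed."""
    try:
        from lxml import etree
    except ImportError:
        return None
    return etree.LIBXML_VERSION


def preflight(xpath, namespaces=None, libxml2_version=None):
    """Return (allowed, reason); call before handing `xpath` to .xpath()."""
    version = libxml2_version or linked_libxml2()
    missing = undeclared_prefixes(xpath, namespaces)
    if not missing:
        return True, "all prefixes declared"
    names = ", ".join(missing)
    if version is None or needs_upgrade(version):
        # Unknown version is handled conservatively, like an old one.
        return False, "undeclared prefix %s; libxml2 < 2.9.0 may crash" % names
    return True, "undeclared prefix %s; expect XPathEvalError" % names
```
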