xmlFreeNodeList leads to segmentation fault

Bug #1330911 reported by Christopher Rabotin
Affects: lxml
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

A trivial XSL transformation will cause a segmentation fault if an Element instance is created from arbitrary HTML content, transformed, and converted back to string without associating the output of each function as a separate variable. However, if each function's output is saved to a distinct variable, all instructions succeed (cf. attachment).

This glitch is always reproducible (with the example data) on (at least) all of the three following configurations:

# System 1
Python : sys.version_info(major=2, minor=7, micro=6, releaselevel='final', serial=0)
lxml.etree : (3, 2, 4, 0)
libxml used : (2, 9, 1)
libxml compiled : (2, 9, 1)
libxslt used : (1, 1, 28)
libxslt compiled : (1, 1, 28)

# System 2
Python : sys.version_info(major=2, minor=7, micro=6, releaselevel='final', serial=0)
lxml.etree : (3, 3, 5, 0)
libxml used : (2, 9, 1)
libxml compiled : (2, 9, 1)
libxslt used : (1, 1, 28)
libxslt compiled : (1, 1, 28)

# System 3
Python : sys.version_info(major=2, minor=7, micro=6, releaselevel='final', serial=0)
lxml.etree : (3, 2, 4, 0)
libxml used : (2, 7, 6)
libxml compiled : (2, 7, 6)
libxslt used : (1, 1, 26)
libxslt compiled : (1, 1, 26)

Here's the backtrace for a crash on system 1 (the backtrace on system 2 has a bit more information):

Ready for a segmentation fault?
*** Error in `python': double free or corruption (fasttop): 0x0000000001c56a80 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x7410f)[0x7f61b538710f]
/lib64/libc.so.6(+0x7996e)[0x7f61b538c96e]
/lib64/libc.so.6(+0x7a647)[0x7f61b538d647]
/usr/lib64/libxml2.so.2(xmlFreeNodeList+0x232)[0x7f61b412e272]
/usr/lib64/libxml2.so.2(xmlFreeProp+0x50)[0x7f61b412e2e0]
/usr/lib64/libxml2.so.2(xmlFreePropList+0x1c)[0x7f61b412e3ac]
/usr/lib64/libxml2.so.2(xmlFreeNodeList+0x13e)[0x7f61b412e17e]
/usr/lib64/libxml2.so.2(xmlFreeDoc+0xb6)[0x7f61b412dec6]
/usr/lib64/python2.7/site-packages/lxml/etree.so(+0x2e53e)[0x7f61b48c253e]
/usr/lib64/python2.7/site-packages/lxml/etree.so(+0x4b057)[0x7f61b48df057]
/usr/lib64/libpython2.7.so.1.0(+0xbdefa)[0x7f61b599defa]
/usr/lib64/python2.7/site-packages/lxml/etree.so(+0x2c9ae)[0x7f61b48c09ae]
/usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x60b)[0x7f61b59a6f6b]
/usr/lib64/libpython2.7.so.1.0(PyEval_EvalCodeEx+0x4f6)[0x7f61b59adae6]
/usr/lib64/libpython2.7.so.1.0(PyEval_EvalCode+0x32)[0x7f61b59da802]
/usr/lib64/libpython2.7.so.1.0(+0x106f6d)[0x7f61b59e6f6d]
/usr/lib64/libpython2.7.so.1.0(PyRun_FileExFlags+0x92)[0x7f61b5975010]
/usr/lib64/libpython2.7.so.1.0(PyRun_SimpleFileExFlags+0x308)[0x7f61b5975bef]
/usr/lib64/libpython2.7.so.1.0(Py_Main+0xc60)[0x7f61b597d81e]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7f61b5334be5]
python[0x400791]
Aborted

Here's the backtrace for a crash on system 2:

Ready for a segmentation fault?
Traceback (most recent call last):
  File "/home/chris/lxml_segfault.py", line 61, in <module>
    toHTML(transform_to_HTML(fromHTML(html_data)))
  File "/home/chris/Workspace/Work/Sparrho/Web/venv/lib/python2.7/site-packages/lxml/html/__init__.py", line 1589, in tostring
    doctype=doctype)
  File "lxml.etree.pyx", line 3120, in lxml.etree.tostring (src/lxml/lxml.etree.c:64499)
  File "serializer.pxi", line 135, in lxml.etree._tostring (src/lxml/lxml.etree.c:101414)
  File "serializer.pxi", line 195, in lxml.etree._raiseSerialisationError (src/lxml/lxml.etree.c:102028)
lxml.etree.SerialisationError: IO_ENCODER
*** Error in `python': double free or corruption (!prev): 0x000000000277fa70 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x7410f)[0x7fe78867410f]
/lib64/libc.so.6(+0x7996e)[0x7fe78867996e]
/lib64/libc.so.6(+0x7a647)[0x7fe78867a647]
/usr/lib64/libxml2.so.2(xmlFreeNodeList+0x232)[0x7fe78743c272]
/usr/lib64/libxml2.so.2(xmlFreeProp+0x50)[0x7fe78743c2e0]
/usr/lib64/libxml2.so.2(xmlFreePropList+0x1c)[0x7fe78743c3ac]
/usr/lib64/libxml2.so.2(xmlFreeNodeList+0x13e)[0x7fe78743c17e]
/usr/lib64/libxml2.so.2(xmlFreeDoc+0xb6)[0x7fe78743bec6]
/home/chris/Workspace/Work/Sparrho/Web/venv/lib/python2.7/site-packages/lxml/etree.so(+0x2dc4e)[0x7fe787bcfc4e]
/home/chris/Workspace/Work/Sparrho/Web/venv/lib/python2.7/site-packages/lxml/etree.so(+0x4badf)[0x7fe787bedadf]
/usr/lib64/libpython2.7.so.1.0(+0xbdefa)[0x7fe788c8aefa]
/home/chris/Workspace/Work/Sparrho/Web/venv/lib/python2.7/site-packages/lxml/etree.so(+0x2ca8e)[0x7fe787bcea8e]
/usr/lib64/libpython2.7.so.1.0(+0xb1346)[0x7fe788c7e346]
/usr/lib64/libpython2.7.so.1.0(+0xd66bc)[0x7fe788ca36bc]
/usr/lib64/libpython2.7.so.1.0(+0xd6698)[0x7fe788ca3698]
/usr/lib64/libpython2.7.so.1.0(PyDict_SetItem+0x295)[0x7fe788c84845]
/usr/lib64/libpython2.7.so.1.0(PyDict_SetItemString+0x38)[0x7fe788c853b8]
/usr/lib64/libpython2.7.so.1.0(PyImport_Cleanup+0xfd)[0x7fe788ccee2d]
/usr/lib64/libpython2.7.so.1.0(Py_Finalize+0x12d)[0x7fe788c627be]
/usr/lib64/libpython2.7.so.1.0(Py_Main+0xd02)[0x7fe788c6a8c0]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7fe788621be5]
python[0x400791]
Aborted

I am of course willing to run additional tests if you'd like more information.
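
Added example, not part of the original report: a small triage helper that parses glibc abort output of the kind quoted above and reduces it to a crash signature (error kind plus the first symbolised frames outside libc), so that reports of the same double free can be bucketed together. The function names and the five-frame depth are assumptions; the sample lines are copied from the system 1 backtrace.

```python
import re

# Excerpt of the glibc abort output quoted in the report (system 1).
SAMPLE = """\
*** Error in `python': double free or corruption (fasttop): 0x0000000001c56a80 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x7410f)[0x7f61b538710f]
/lib64/libc.so.6(+0x7996e)[0x7f61b538c96e]
/lib64/libc.so.6(+0x7a647)[0x7f61b538d647]
/usr/lib64/libxml2.so.2(xmlFreeNodeList+0x232)[0x7f61b412e272]
/usr/lib64/libxml2.so.2(xmlFreeProp+0x50)[0x7f61b412e2e0]
/usr/lib64/libxml2.so.2(xmlFreePropList+0x1c)[0x7f61b412e3ac]
/usr/lib64/libxml2.so.2(xmlFreeNodeList+0x13e)[0x7f61b412e17e]
/usr/lib64/libxml2.so.2(xmlFreeDoc+0xb6)[0x7f61b412dec6]
/usr/lib64/python2.7/site-packages/lxml/etree.so(+0x2e53e)[0x7f61b48c253e]
======= Memory map: ========
00400000-00401000 r-xp 00000000 08:06 144902 /usr/bin/python2.7
"""

ERROR_RE = re.compile(r"^\*\*\* Error in `(?P<prog>[^']+)': (?P<kind>.+?): 0x(?P<ptr>[0-9a-f]+) \*\*\*$")
FRAME_RE = re.compile(r"^(?P<module>[^\s(\[]+)(?:\((?P<symbol>[^+)]*)"
                      r"(?:\+(?P<offset>0x[0-9a-f]+))?\))?\[(?P<addr>0x[0-9a-f]+)\]$")

def parse_abort(text):
    """Return (error dict or None, list of frame dicts) from glibc abort output."""
    error, frames, in_bt = None, [], False
    for line in text.splitlines():
        line = line.strip()
        m = ERROR_RE.match(line)
        if m:
            error = m.groupdict()
        elif line.startswith("======= Backtrace"):
            in_bt = True
        elif line.startswith("======= Memory map"):
            in_bt = False  # the address map that follows is not needed for triage
        elif in_bt:
            f = FRAME_RE.match(line)
            if f:
                frames.append(f.groupdict())
    return error, frames

def signature(text, skip=("libc.so",), depth=5):
    """Bucket key: error kind plus the first symbolised frames outside the allocator."""
    error, frames = parse_abort(text)
    named = [f["module"].rsplit("/", 1)[-1] + "!" + f["symbol"]
             for f in frames
             if f["symbol"] and not any(s in f["module"] for s in skip)]
    # Drop the "(fasttop)" / "(!prev)" qualifier: it names the glibc check that fired.
    kind = error["kind"].split(" (")[0] if error else None
    return kind, tuple(named[:depth])
```

Both backtraces in the report reduce to the same signature, `xmlFreeDoc` descending through `xmlFreePropList` and `xmlFreeProp` into `xmlFreeNodeList`, even though glibc reported different qualifiers and the crash fired at different points in the interpreter's lifetime.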
