Crash when freeing sibling Elements
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| lxml |
Fix Released
|
High
|
scoder | ||
Bug Description
import lxml.etree
root = lxml.etree.
e1, e2 = root[0], root[1]
root.remove(e1)
root.remove(e2)
e1.addnext(e2)
del e1
print(e2.
Sometimes this simply prints None, sometimes it segfaults. The reason is obvious: the previous sibling of e2, namely e1, was garbage collected and free()'d, but we can still access it via e2.getprevious().
The bug seems to be in proxy.pxi:
Version info:
Python : sys.version_
lxml.etree : (3, 3, 5, 0)
libxml used : (2, 9, 0)
libxml compiled : (2, 9, 1)
libxslt used : (1, 1, 28)
libxslt compiled : (1, 1, 28)
| Olli Pottonen (olli-pottonen) wrote | #1 |
| scoder (scoder) wrote | #2 |
| Changed in lxml: | |
| assignee: | nobody → scoder (scoder) |
| importance: | Undecided → High |
| milestone: | none → 3.3 |
| status: | New → Fix Committed |
| summary: |
- Memory management failure, segfault + Crash when freeing sibling Elements |
| Olli Pottonen (olli-pottonen) wrote | #3 |
| scoder (scoder) wrote | #4 |
| Changed in lxml: | |
| status: | Fix Committed → Fix Released |
Another fun thing to try:
import lxml.etree
root = lxml.etree.
e1, e2= root[0], root[1]
e1.append(e2)
e2.addnext(e1)
Result: infinite loop.