Lxml segfault
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
lxml |
Won't Fix
|
Medium
|
Unassigned |
Bug Description
We are building a Zope3 application that uses lxml for XSLT transformations.
Recently we discovered a weird bug, which we haven't been able to isolate. The server
segfaults on a specific page we use for diagnostics. On this page the following trivial
XSLT transformation is used to convert a label with markup into plain text:
_flatten_sheet = e.XSLT(
<xsl:stylesheet version="1.0"
xmlns:xsl="http://
><xsl:output method="text" encoding="UTF-8" /></xsl:stylesheet>
'''))
Not very efficient, but it was a work in progress. This sheet is called many times (about 1000)
for all labels that are matched in an XML file. If a label is matched, the corresponding node
is passed through this style sheet. One node can be transformed multiple times.
If we run this code, the process segfaults. If we make a deepcopy() of each node before passing
it for transformation, no segfault occurs.
We ran the Zope process through valgrind and received the following interesting output:
==31919== Invalid read of size 4
==31919== at 0x74B29A4: xmlFreeNodeList (in /data/usr/
==31919== by 0x74B29E5: xmlFreeNodeList (in /data/usr/
==31919== by 0x74B29E5: xmlFreeNodeList (in /data/usr/
==31919== by 0x74B280D: xmlFreeDoc (in /data/usr/
==31919== by 0x73CE79C: __pyx_tp_
==31919== by 0x73D3450: __pyx_tp_
==31919== by 0x80F337E: (within /data/usr/
==31919== by 0x80F3838: _PyObject_GC_Malloc (in /data/usr/
==31919== by 0x809B55C: PyType_GenericAlloc (in /data/usr/
==31919== by 0x73933B5: __pyx_tp_
==31919== by 0x73AFDFB: __pyx_f_
==31919== by 0x73D4969: __pyx_f_
==31919== Address 0x702F73BE is not stack'd, malloc'd or (recently) free'd
==31919==
==31919== Process terminating with default action of signal 11 (SIGSEGV)
==31919== Access not within mapped region at address 0x702F73BE
==31919== at 0x74B29A4: xmlFreeNodeList (in /data/usr/
==31919== by 0x74B29E5: xmlFreeNodeList (in /data/usr/
==31919== by 0x74B29E5: xmlFreeNodeList (in /data/usr/
==31919== by 0x74B280D: xmlFreeDoc (in /data/usr/
==31919== by 0x73CE79C: __pyx_tp_
==31919== by 0x73D3450: __pyx_tp_
==31919== by 0x80F337E: (within /data/usr/
==31919== by 0x80F3838: _PyObject_GC_Malloc (in /data/usr/
==31919== by 0x809B55C: PyType_GenericAlloc (in /data/usr/
==31919== by 0x73933B5: __pyx_tp_
==31919== by 0x73AFDFB: __pyx_f_
==31919== by 0x73D4969: __pyx_f_
We weren't able to reproduce this outside of Zope, but valgrind still gives some output about
lxml which I'm not really able to interpret. It's attached to this message.
This behaviour has been seen on 32bit Ubuntu, 64bit Ubuntu and OSX, so it seems to be platform
independent. The output is from lxml 1.3.6 + python 2.5 on Ubuntu, installed from an egg.
Any clue? Any suggestions as to how to isolate this problem? We can work around it, but it's
nasty.
Changed in lxml: | |
milestone: | none → 1.3.7 |
which version of lxml are you using?
http:// codespeak. net/lxml/ dev/FAQ. html#i- think-i- have-found- a-bug-in- lxml-what- should- i-do