Stripping whitespace from an XSL transformation crashes in libxslt

Bug #583249 reported by Daniel Varela Santoalla on 2010-05-20
22
This bug affects 3 people
Affects Status Importance Assigned to Milestone
libxslt
Confirmed
Critical
lxml
High
scoder

Bug Description

pepe@celia:~$ python crash/crashme.py
lxml.etree: (2, 2, 6, u'crash')
libxml used: (2, 7, 6)
libxml compiled: (2, 7, 6)
libxslt used: (1, 1, 22)
libxslt compiled: (1, 1, 22)

Doing XSL from the TOP
Parsed form, got <lxml.etree._ElementTree object at 0x819828c>
........
........
........

Doing XSL from the TARGET
Segmentation fault (core dumped)
$

crash/crashme.py is:

import lxml
import lxml.etree
from lxml.etree import Element, ElementTree, tostring

def process(path, add=True, xslFromTop=False):

    doc = lxml.etree.parse("data/form.xml")
    target = doc.xpath(path)[0]

    xslt_doc = lxml.etree.parse(open("static/form.xsl"))
    transform = lxml.etree.XSLT(xslt_doc)
    if xslFromTop:
        xslresult = transform(doc,edit="'True'")
    else:
        xslresult = transform(target,edit="'True'")

    return xslresult, doc

if __name__ == "__main__":

    print "lxml.etree: ", lxml.etree.LXML_VERSION
    print "libxml used: ", lxml.etree.LIBXML_VERSION
    print "libxml compiled: ", lxml.etree.LIBXML_COMPILED_VERSION
    print "libxslt used: ", lxml.etree.LIBXSLT_VERSION
    print "libxslt compiled: ", lxml.etree.LIBXSLT_COMPILED_VERSION

    for i in range(0,10):
        doc = lxml.etree.parse("data/form.xml")
        print "Parsed form, got %s " % doc

    print "Doing XSL from the TOP"
    print process("/Application/Languages",xslFromTop=True)

    print "Doing XSL from the TARGET"
    print process("/Application/Languages")

    print "Finished"

pepe@celia:~$ uname -a
Linux celia 2.6.22.19-0.4-bigsmp #1 SMP 2009-08-14 02:09:16 +0200 i686 i686 i386 GNU/Linux
pepe@celia:~$ python --version
Python 2.5.4

> doc = lxml.etree.parse("data/form.xml")
> xslt_doc = lxml.etree.parse(open("static/form.xsl"))

Could you provide these two files so that I can test it here?

Thanks,

Stefan

Thanks Stefan.

Here are the files. You also need default.xsl because it is imported
from form.xsl.

Cheers
d

Daniel Varela Santoalla
European Centre for Medium-Range Weather Forecasts (ECMWF)
(http://www.ecmwf.int)
Email: <email address hidden> Telephone: (+44) 118 9499608

Stefan Behnel wrote:
>> doc = lxml.etree.parse("data/form.xml")
>> xslt_doc = lxml.etree.parse(open("static/form.xsl"))
>
> Could you provide these two files so that I can test it here?
>
> Thanks,
>
> Stefan
>

Crash confirmed, valgrind says it's accessing memory that's already been freed.

Changed in lxml:
assignee: nobody → Stefan Behnel (scoder)
importance: Undecided → High
status: New → Confirmed
scoder (scoder) wrote :

It seems like libxslt modifies the input document when stripping spaces. Removing the <xsl:strip-space> tag might provide a work-around. I've opened an upstream bug.

Changed in libxslt:
status: Unknown → New

Hi Stefan

You are right, removing the <xsl:strip-space elements="*" /> tag
prevents the application from crashing.

This may do it for us if we make sure that the initial XML data doesn't
have any whitespace within the tags, but I still have to check it
thoroughly.

Best regards
Daniel Varela Santoalla

Bug Watch Updater wrote:
> ** Changed in: libxslt
> Status: Unknown => New
>

scoder (scoder) on 2010-06-21
summary: - Applying an XSL transformation from a non-root XML element crashes
+ Stripping whitespace from an XSL transformation crashes in libxslt
Changed in libxslt:
importance: Unknown → Critical
Marek Sebera (marek-sebera) wrote :

This bug does affect my setup using python3 and lxml library, using Debian 9.0

If it will be of any help, I can provide sample XML and XSLT for debugging purposes.

Removing "<xsl:strip-space elements="*"/>" declaration will solve the problem.

Crash occurs in tree.c:3672 see>

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff5f0751a in xmlFreeNodeList__internal_alias (cur=0x555555e40af0) at ../../tree.c:3672
3672 ../../tree.c: No such file or directory.

system info>

$> apt-cache policy python3
python3:
  Installed: 3.5.3-1
  Candidate: 3.5.3-1
  Version table:
 *** 3.5.3-1 500
        500 http://ftp.debian.org/debian stretch/main amd64 Packages
        100 http://ftp.debian.org/debian sid/main amd64 Packages
        100 /var/lib/dpkg/status

$> apt-cache policy python3-lxml
python3-lxml:
  Installed: 3.7.3-1
  Candidate: 3.7.3-1
  Version table:
 *** 3.7.3-1 100
        100 http://ftp.debian.org/debian sid/main amd64 Packages
        100 /var/lib/dpkg/status
     3.7.1-1 500
        500 http://ftp.debian.org/debian stretch/main amd64 Packages

This bug (still unfixed) seems to be caused by lxml, not libxslt. Reproducing this crash using any other libxslt binding (Python, Perl, JavaScript) wasn't possible.

Changed in libxslt:
status: New → Confirmed
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.