Paul, did you already have the time to look into this bug? I tried to locate the issue but don't quite understand the implementation concepts of the zstring/rstring classes. Their memory management and those of the derived/specialized classes seems to cause the segfaults. Unfortunately, I don't have enough time to dig deeper into the code. 

Here is the crash report of the query file test/rbkt/Queries/zorba/schemas/val-bad-attr.xq.

==29261==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b00004dbf0 at pc 0x7fbc111aab8f bp 0x7fffe3b466b0 sp 0x7fffe3b466a0
READ of size 4 at 0x60b00004dbf0 thread T0
    #0 0x7fbc111aab8e in zorba::atomic_int::load_impl() const /builddir/build/BUILD/zorba-3.0/src/util/atomic_int.h:173
    #1 0x7fbc111aab8e in zorba::atomic_int::load() const /builddir/build/BUILD/zorba-3.0/src/util/atomic_int.h:100
    #2 0x7fbc111aab8e in zorba::rstring_classes::rep_base<zorba::atomic_int, std::char_traits<char>, std::allocator<char> >::is_sharable() /builddir/build/BUILD/zorba-3.0/src/util/string/rep_base.h:216
    #3 0x7fbc111aab8e in zorba::rstring_classes::rep_proxy<zorba::rstring_classes::rep<zorba::atomic_int, std::char_traits<char>, std::allocator<char> > >::share(zorba::rstring_classes::rep_proxy<zorba::rstring_classes::rep<zorba::atomic_int, std::char_traits<char>, std::allocator<char> > > const&, std::allocator<char> const&, std::allocator<char> const&) /builddir/build/BUILD/zorba-3.0/src/util/string/rep_proxy.h:120
    #4 0x7fbc111aab8e in zorba::rstring<zorba::rstring_classes::rep<zorba::atomic_int, std::char_traits<char>, std::allocator<char> > >::assign(zorba::rstring<zorba::rstring_classes::rep<zorba::atomic_int, std::char_traits<char>, std::allocator<char> > > const&) /builddir/build/BUILD/zorba-3.0/src/util/string/rstring.tcc:121
    #5 0x7fbc1242da8d in zorba::simplestore::XmlNode::getBaseURI(zorba::rstring<zorba::rstring_classes::rep<zorba::atomic_int, std::char_traits<char>, std::allocator<char> > >&) const /builddir/build/BUILD/zorba-3.0/src/store/naive/node_items.h:496
    #6 0x7fbc12193ea1 in zorba::Validator::realValidationValue(zorba::store::ItemHandle<zorba::store::Item>&, zorba::store::ItemHandle<zorba::store::Item> const&, zorba::store::ItemHandle<zorba::store::Item> const&, zorba::TypeManager*, zorba::ParseConstants::validation_mode_t, zorba::static_context const*, zorba::QueryLoc const&) /builddir/build/BUILD/zorba-3.0/src/types/schema/validate.cpp:230
    #7 0x7fbc121958a8 in zorba::Validator::effectiveValidationValue(zorba::store::ItemHandle<zorba::store::Item>&, zorba::store::ItemHandle<zorba::store::Item> const&, zorba::store::ItemHandle<zorba::store::Item> const&, zorba::TypeManager*, zorba::ParseConstants::validation_mode_t, zorba::static_context const*, zorba::QueryLoc const&) /builddir/build/BUILD/zorba-3.0/src/types/schema/validate.cpp:77
    #8 0x7fbc11c7b87f in zorba::ValidateIterator::nextImpl(zorba::store::ItemHandle<zorba::store::Item>&, zorba::PlanState&) const /builddir/build/BUILD/zorba-3.0/src/runtime/schema/schema_impl.cpp:63
    #9 0x7fbc11ea813b in zorba::PlanIterator::produceNext(zorba::store::ItemHandle<zorba::store::Item>&, zorba::PlanState&) const /builddir/build/BUILD/zorba-3.0/src/runtime/base/plan_iterator.h:433
    #10 0x7fbc11ea813b in zorba::PlanIterator::consumeNext(zorba::store::ItemHandle<zorba::store::Item>&, zorba::PlanIterator const*, zorba::PlanState&) /builddir/build/BUILD/zorba-3.0/src/runtime/base/plan_iterator.h:459
    #11 0x7fbc11ea813b in zorba::DescendantSelfAxisIterator::nextImpl(zorba::store::ItemHandle<zorba::store::Item>&, zorba::PlanState&) const /builddir/build/BUILD/zorba-3.0/src/runtime/core/path_iterators.cpp:1350
    #12 0x7fbc11ea36d9 in zorba::PlanIterator::produceNext(zorba::store::ItemHandle<zorba::store::Item>&, zorba::PlanState&) const /builddir/build/BUILD/zorba-3.0/src/runtime/base/plan_iterator.h:433
    #13 0x7fbc11ea36d9 in zorba::PlanIterator::consumeNext(zorba::store::ItemHandle<zorba::store::Item>&, zorba::PlanIterator const*, zorba::PlanState&) /builddir/build/BUILD/zorba-3.0/src/runtime/base/plan_iterator.h:459
    #14 0x7fbc11ea36d9 in zorba::AttributeAxisIterator::nextImpl(zorba::store::ItemHandle<zorba::store::Item>&, zorba::PlanState&) const /builddir/build/BUILD/zorba-3.0/src/runtime/core/path_iterators.cpp:505
    #15 0x7fbc12485e32 in zorba::simplestore::StoreNodeSortIterator::next(zorba::store::ItemHandle<zorba::store::Item>&) /builddir/build/BUILD/zorba-3.0/src/store/naive/node_iterators.cpp:265
    #16 0x7fbc11e5dc10 in zorba::PlanIterator::produceNext(zorba::store::ItemHandle<zorba::store::Item>&, zorba::PlanState&) const /builddir/build/BUILD/zorba-3.0/src/runtime/base/plan_iterator.h:433
    #17 0x7fbc11e5dc10 in zorba::PlanIterator::consumeNext(zorba::store::ItemHandle<zorba::store::Item>&, zorba::PlanIterator const*, zorba::PlanState&) /builddir/build/BUILD/zorba-3.0/src/runtime/base/plan_iterator.h:459
    #18 0x7fbc11e5dc10 in zorba::flwor::FLWORIterator::bindVariable(unsigned long, zorba::flwor::FlworState*, zorba::PlanState&) const /builddir/build/BUILD/zorba-3.0/src/runtime/core/flwor_iterator.cpp:1221
    #19 0x7fbc11e6863c in zorba::flwor::FLWORIterator::nextImpl(zorba::store::ItemHandle<zorba::store::Item>&, zorba::PlanState&) const /builddir/build/BUILD/zorba-3.0/src/runtime/core/flwor_iterator.cpp:970
    #20 0x7fbc11df93f7 in zorba::PlanIterator::produceNext(zorba::store::ItemHandle<zorba::store::Item>&, zorba::PlanState&) const /builddir/build/BUILD/zorba-3.0/src/runtime/base/plan_iterator.h:433
    #21 0x7fbc11df93f7 in zorba::PlanIterator::consumeNext(zorba::store::ItemHandle<zorba::store::Item>&, zorba::PlanIterator const*, zorba::PlanState&) /builddir/build/BUILD/zorba-3.0/src/runtime/base/plan_iterator.h:459
    #22 0x7fbc11df93f7 in zorba::PlanWrapper::next(zorba::store::ItemHandle<zorba::store::Item>&) /builddir/build/BUILD/zorba-3.0/src/runtime/api/plan_wrapper.cpp:151
    #23 0x7fbc1126533e in zorba::serializer::serialize(zorba::rchandle<zorba::store::Iterator>, std::ostream&, zorba::SAX2_ContentHandler*, bool) /builddir/build/BUILD/zorba-3.0/src/api/serialization/serializer.cpp:2696
    #24 0x7fbc11265e97 in zorba::serializer::serialize(zorba::rchandle<zorba::store::Iterator>, std::ostream&, bool) /builddir/build/BUILD/zorba-3.0/src/api/serialization/serializer.cpp:2647
    #25 0x7fbc111a86c4 in zorba::XQueryImpl::serialize(std::ostream&, zorba::rchandle<zorba::PlanWrapper>&, Zorba_SerializerOptions const*) /builddir/build/BUILD/zorba-3.0/src/api/xqueryimpl.cpp:1324
    #26 0x7fbc111a89ed in zorba::XQueryImpl::execute(std::ostream&, Zorba_SerializerOptions const*) /builddir/build/BUILD/zorba-3.0/src/api/xqueryimpl.cpp:1150
    #27 0x40f847 in compileAndExecute(zorba::Zorba*, zorba::XmlDataManager*, ZorbaCMDProperties const&, zorba::SmartPtr<zorba::StaticContext>&, std::string const&, std::istream&, std::ostream&, TimingInfo&) /builddir/build/BUILD/zorba-3.0/bin/zorbacmd.cpp:871
    #28 0x407805 in main /builddir/build/BUILD/zorba-3.0/bin/zorbacmd.cpp:1204
    #29 0x7fbc0d2a80bf in __libc_start_main (/lib64/libc.so.6+0x200bf)
    #30 0x409126 (/builddir/build/BUILD/zorba-3.0/build/bin/zorba+0x409126)

0x60b00004dbf0 is located 0 bytes inside of 105-byte region [0x60b00004dbf0,0x60b00004dc59)
freed by thread T0 here:
    #0 0x7fbc12edba1f in operator delete(void*) (/lib64/libasan.so.1+0x58a1f)
    #1 0x7fbc11cf8519 in zorba::rstring_classes::rep_proxy<zorba::rstring_classes::rep<zorba::atomic_int, std::char_traits<char>, std::allocator<char> > >::dispose(std::allocator<char> const&) /builddir/build/BUILD/zorba-3.0/src/util/string/rep_proxy.h:76
    #2 0x7fbc11cf8519 in ~rstring /builddir/build/BUILD/zorba-3.0/src/util/string/rstring.h:252
    #3 0x7fbc11cf8519 in loadDocument /builddir/build/BUILD/zorba-3.0/src/runtime/sequences/sequences_impl.cpp:1960
    #4 0x7fbc11cf96d8 in zorba::FnDocIterator::nextImpl(zorba::store::ItemHandle<zorba::store::Item>&, zorba::PlanState&) const /builddir/build/BUILD/zorba-3.0/src/runtime/sequences/sequences_impl.cpp:2026

previously allocated by thread T0 here:
    #0 0x7fbc12edb51f in operator new(unsigned long) (/lib64/libasan.so.1+0x5851f)
    #1 0x7fbc111b22ac in __gnu_cxx::new_allocator<char>::allocate(unsigned long, void const*) /usr/include/c++/4.9.0/ext/new_allocator.h:104
    #2 0x7fbc111b22ac in zorba::rstring_classes::rep<zorba::atomic_int, std::char_traits<char>, std::allocator<char> >::alloc(std::allocator<char> const&, unsigned long, unsigned long) /builddir/build/BUILD/zorba-3.0/src/util/string/default_rep.tcc:45

SUMMARY: AddressSanitizer: heap-use-after-free /builddir/build/BUILD/zorba-3.0/src/util/atomic_int.h:173 zorba::atomic_int::load_impl() const
Shadow bytes around the buggy address:
  0x0c1680001b20: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
  0x0c1680001b30: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd
  0x0c1680001b40: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x0c1680001b50: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1680001b60: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c1680001b70: fd fd fd fd fd fd fa fa fa fa fa fa fa fa[fd]fd
  0x0c1680001b80: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c1680001b90: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1680001ba0: fd fd fa fa fa fa fa fa fa fa fd fd fd fd fd fd
  0x0c1680001bb0: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
  0x0c1680001bc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==29261==ABORTING