segfault in modules/xml:parse()

Bug #1020953 reported by Dennis Knochenwefel
This bug affects 1 person
Affects: Zorba
Status: Fix Released
Importance: Undecided
Assigned to: Nicolae Brinza

Bug Description

The following tests crash on Windows in debug build (rev. 10908):

    test/rbkt/zorba/parsing_and_serializing/parse-fragment-skip-root-47 (SEGFAULT)
    test/rbkt/zorba/parsing_and_serializing/parse-fragment-skip-root-51 (SEGFAULT)
    test/rbkt/zorba/parsing_and_serializing/parse-xml-fragment-09 (SEGFAULT)
    test/rbkt/zorba/parsing_and_serializing/parse-xml-fragment-17 (SEGFAULT)

Valgrind reveals:

valgrind zorba/build/test/rbkt/testdriver "zorba/parsing_and_serializing/parse-fragment-skip-root-47.xq"
==31358== Memcheck, a memory error detector
==31358== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==31358== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==31358== Command: zorba/build/test/rbkt/testdriver zorba/parsing_and_serializing/parse-fragment-skip-root-47.xq
==31358==
test zorba/parsing_and_serializing/parse-fragment-skip-root-47
=== Query: ===
import module namespace z = "http://www.zorba-xquery.com/modules/xml";
import schema namespace opt = "http://www.zorba-xquery.com/modules/xml-options";

z:parse("<root>
  <test/>
  <test/>
  </bad>
</root>
",
  <opt:options>
    <opt:parse-external-parsed-entity opt:skip-root-nodes="0"/>
  </opt:options>
)

=== end of Query ===
save execution plan in 1.900000 sec
load execution plan in 0.630000 sec
==31358== Invalid read of size 8
==31358== at 0x5E4AB4A: zorba::simplestore::XmlTree::removeType(zorba::simplestore::XmlNode const*) (node_items.cpp:242)
==31358== by 0x5E4C91F: zorba::simplestore::XmlNode::destroyInternal(bool) (node_items.cpp:877)
==31358== by 0x5E4C882: zorba::simplestore::XmlNode::destroyInternal(bool) (node_items.cpp:860)
==31358== by 0x5E4C65E: zorba::simplestore::XmlNode::destroy(bool) (node_items.cpp:819)
==31358== by 0x5EE7290: zorba::simplestore::FastXmlLoader::abortload() (loader_fast.cpp:177)
==31358== by 0x5EEDD01: zorba::simplestore::FragmentXmlLoader::loadXml(zorba::rstring<zorba::rstring_classes::rep<zorba::atomic_int, std::char_traits<char>, std::allocator<char> > > const&, zorba::rstring<zorba::rstring_classes::rep<zorba::atomic_int, std::char_traits<char>, std::allocator<char> > > const&, std::istream&) (loader_dtd.cpp:322)
==31358== by 0x5F12F3F: zorba::simplestore::Store::loadDocument(zorba::rstring<zorba::rstring_classes::rep<zorba::atomic_int, std::char_traits<char>, std::allocator<char> > > const&, zorba::rstring<zorba::rstring_classes::rep<zorba::atomic_int, std::char_traits<char>, std::allocator<char> > > const&, std::istream&, zorba::store::LoadProperties const&) (store.cpp:1014)
==31358== by 0x5AA44C4: zorba::FnZorbaParseXmlFragmentIterator::nextImpl(zorba::store::ItemHandle<zorba::store::Item>&, zorba::PlanState&) const (parse_fragment_impl.cpp:230)
==31358== by 0x5892CD0: zorba::Batcher<zorba::FnZorbaParseXmlFragmentIterator>::produceNext(zorba::store::ItemHandle<zorba::store::Item>&, zorba::PlanState&) const (plan_iterator.h:535)
==31358== by 0x5B54712: zorba::PlanIterator::consumeNext(zorba::store::ItemHandle<zorba::store::Item>&, zorba::PlanIterator const*, zorba::PlanState&) (plan_iterator.cpp:109)
==31358== by 0x5B540A8: zorba::PlanWrapper::next(zorba::store::ItemHandle<zorba::store::Item>&) (plan_wrapper.cpp:151)
==31358== by 0x5481E54: zorba::serializer::serialize(zorba::rchandle<zorba::store::Iterator>, std::ostream&, zorba::SAX2_ContentHandler*) (serializer.cpp:2782)
==31358== Address 0xabc2c48 is 56 bytes inside a block of size 184 free'd
==31358== at 0x4C2A4BC: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31358== by 0x5EE7216: zorba::simplestore::FastXmlLoader::abortload() (loader_fast.cpp:165)
==31358== by 0x5EEDD01: zorba::simplestore::FragmentXmlLoader::loadXml(zorba::rstring<zorba::rstring_classes::rep<zorba::atomic_int, std::char_traits<char>, std::allocator<char> > > const&, zorba::rstring<zorba::rstring_classes::rep<zorba::atomic_int, std::char_traits<char>, std::allocator<char> > > const&, std::istream&) (loader_dtd.cpp:322)
==31358== by 0x5F12F3F: zorba::simplestore::Store::loadDocument(zorba::rstring<zorba::rstring_classes::rep<zorba::atomic_int, std::char_traits<char>, std::allocator<char> > > const&, zorba::rstring<zorba::rstring_classes::rep<zorba::atomic_int, std::char_traits<char>, std::allocator<char> > > const&, std::istream&, zorba::store::LoadProperties const&) (store.cpp:1014)
==31358== by 0x5AA44C4: zorba::FnZorbaParseXmlFragmentIterator::nextImpl(zorba::store::ItemHandle<zorba::store::Item>&, zorba::PlanState&) const (parse_fragment_impl.cpp:230)
==31358== by 0x5892CD0: zorba::Batcher<zorba::FnZorbaParseXmlFragmentIterator>::produceNext(zorba::store::ItemHandle<zorba::store::Item>&, zorba::PlanState&) const (plan_iterator.h:535)
==31358== by 0x5B54712: zorba::PlanIterator::consumeNext(zorba::store::ItemHandle<zorba::store::Item>&, zorba::PlanIterator const*, zorba::PlanState&) (plan_iterator.cpp:109)
==31358== by 0x5B540A8: zorba::PlanWrapper::next(zorba::store::ItemHandle<zorba::store::Item>&) (plan_wrapper.cpp:151)
==31358== by 0x5481E54: zorba::serializer::serialize(zorba::rchandle<zorba::store::Iterator>, std::ostream&, zorba::SAX2_ContentHandler*) (serializer.cpp:2782)
==31358== by 0x5481B58: zorba::serializer::serialize(zorba::rchandle<zorba::store::Iterator>, std::ostream&) (serializer.cpp:2734)
==31358== by 0x541FA38: zorba::XQueryImpl::serialize(std::ostream&, zorba::rchandle<zorba::PlanWrapper>&, Zorba_SerializerOptions const*) (xqueryimpl.cpp:1305)
==31358== by 0x541ECA5: zorba::XQueryImpl::execute(std::ostream&, Zorba_SerializerOptions const*) (xqueryimpl.cpp:1131)
==31358==
==31358== Invalid read of size 8
==31358== at 0x5E4AB76: zorba::simplestore::XmlTree::removeType(zorba::simplestore::XmlNode const*) (node_items.cpp:244)
==31358== by 0x5E4C91F: zorba::simplestore::XmlNode::destroyInternal(bool) (node_items.cpp:877)
==31358== by 0x5E4C882: zorba::simplestore::XmlNode::destroyInternal(bool) (node_items.cpp:860)
==31358== by 0x5E4C65E: zorba::simplestore::XmlNode::destroy(bool) (node_items.cpp:819)
==31358== by 0x5EE7290: zorba::simplestore::FastXmlLoader::abortload() (loader_fast.cpp:177)
==31358== by 0x5EEDD01: zorba::simplestore::FragmentXmlLoader::loadXml(zorba::rstring<zorba::rstring_classes::rep<zorba::atomic_int, std::char_traits<char>, std::allocator<char> > > const&, zorba::rstring<zorba::rstring_classes::rep<zorba::atomic_int, std::char_traits<char>, std::allocator<char> > > const&, std::istream&) (loader_dtd.cpp:322)
==31358== by 0x5F12F3F: zorba::simplestore::Store::loadDocument(zorba::rstring<zorba::rstring_classes::rep<zorba::atomic_int, std::char_traits<char>, std::allocator<char> > > const&, zorba::rstring<zorba::rstring_classes::rep<zorba::atomic_int, std::char_traits<char>, std::allocator<char> > > const&, std::istream&, zorba::store::LoadProperties const&) (store.cpp:1014)
==31358== by 0x5AA44C4: zorba::FnZorbaParseXmlFragmentIterator::nextImpl(zorba::store::ItemHandle<zorba::store::Item>&, zorba::PlanState&) const (parse_fragment_impl.cpp:230)
==31358== by 0x5892CD0: zorba::Batcher<zorba::FnZorbaParseXmlFragmentIterator>::produceNext(zorba::store::ItemHandle<zorba::store::Item>&, zorba::PlanState&) const (plan_iterator.h:535)
==31358== by 0x5B54712: zorba::PlanIterator::consumeNext(zorba::store::ItemHandle<zorba::store::Item>&, zorba::PlanIterator const*, zorba::PlanState&) (plan_iterator.cpp:109)
==31358== by 0x5B540A8: zorba::PlanWrapper::next(zorba::store::ItemHandle<zorba::store::Item>&) (plan_wrapper.cpp:151)
==31358== by 0x5481E54: zorba::serializer::serialize(zorba::rchandle<zorba::store::Iterator>, std::ostream&, zorba::SAX2_ContentHandler*) (serializer.cpp:2782)
==31358== Address 0xabc2c48 is 56 bytes inside a block of size 184 free'd
==31358== at 0x4C2A4BC: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31358== by 0x5EE7216: zorba::simplestore::FastXmlLoader::abortload() (loader_fast.cpp:165)
==31358== by 0x5EEDD01: zorba::simplestore::FragmentXmlLoader::loadXml(zorba::rstring<zorba::rstring_classes::rep<zorba::atomic_int, std::char_traits<char>, std::allocator<char> > > const&, zorba::rstring<zorba::rstring_classes::rep<zorba::atomic_int, std::char_traits<char>, std::allocator<char> > > const&, std::istream&) (loader_dtd.cpp:322)
==31358== by 0x5F12F3F: zorba::simplestore::Store::loadDocument(zorba::rstring<zorba::rstring_classes::rep<zorba::atomic_int, std::char_traits<char>, std::allocator<char> > > const&, zorba::rstring<zorba::rstring_classes::rep<zorba::atomic_int, std::char_traits<char>, std::allocator<char> > > const&, std::istream&, zorba::store::LoadProperties const&) (store.cpp:1014)
==31358== by 0x5AA44C4: zorba::FnZorbaParseXmlFragmentIterator::nextImpl(zorba::store::ItemHandle<zorba::store::Item>&, zorba::PlanState&) const (parse_fragment_impl.cpp:230)
==31358== by 0x5892CD0: zorba::Batcher<zorba::FnZorbaParseXmlFragmentIterator>::produceNext(zorba::store::ItemHandle<zorba::store::Item>&, zorba::PlanState&) const (plan_iterator.h:535)
==31358== by 0x5B54712: zorba::PlanIterator::consumeNext(zorba::store::ItemHandle<zorba::store::Item>&, zorba::PlanIterator const*, zorba::PlanState&) (plan_iterator.cpp:109)
==31358== by 0x5B540A8: zorba::PlanWrapper::next(zorba::store::ItemHandle<zorba::store::Item>&) (plan_wrapper.cpp:151)
==31358== by 0x5481E54: zorba::serializer::serialize(zorba::rchandle<zorba::store::Iterator>, std::ostream&, zorba::SAX2_ContentHandler*) (serializer.cpp:2782)
==31358== by 0x5481B58: zorba::serializer::serialize(zorba::rchandle<zorba::store::Iterator>, std::ostream&) (serializer.cpp:2734)
==31358== by 0x541FA38: zorba::XQueryImpl::serialize(std::ostream&, zorba::rchandle<zorba::PlanWrapper>&, Zorba_SerializerOptions const*) (xqueryimpl.cpp:1305)
==31358== by 0x541ECA5: zorba::XQueryImpl::execute(std::ostream&, Zorba_SerializerOptions const*) (xqueryimpl.cpp:1131)
==31358==
The following execution error occurred as expected:
http://www.w3.org/2005/xqt-errors:FODC0006: http://www.w3.org/2005/xqt-errors:FODC0006invalid content passed to parse-xml:parse(): loader parsing error: Opening and ending tag mismatch: root line 0 and bad
[line 4][column 1][file zorba/sandbox/test/rbkt/Queries/zorba/parsing_and_serializing/parse-fragment-skip-root-47.xq]
testdriver: test runtime was 9268363us
testdriver: success
==31358==
==31358== HEAP SUMMARY:
==31358== in use at exit: 2,368 bytes in 2 blocks
==31358== total heap usage: 26,474 allocs, 26,472 frees, 12,336,013 bytes allocated
==31358==
==31358== LEAK SUMMARY:
==31358== definitely lost: 128 bytes in 1 blocks
==31358== indirectly lost: 2,240 bytes in 1 blocks
==31358== possibly lost: 0 bytes in 0 blocks
==31358== still reachable: 0 bytes in 0 blocks
==31358== suppressed: 0 bytes in 0 blocks
==31358== Rerun with --leak-check=full to see details of leaked memory
==31358==
==31358== For counts of detected and suppressed errors, rerun with: -v
==31358== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 2 from 2)

Tags: crash
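
A triage helper for Memcheck output like the log in this report, as an added example that is not part of the original report or of Zorba: it pairs each invalid access with the stack that freed the block and reports the innermost function common to both stacks. The sample is constructed from the first error context above, truncated after `loadXml` and with template arguments shortened to `(...)`; `parse_memcheck` and `free_then_use` are names introduced here.

```python
import re

# Constructed sample: first error context of the report, outer frames cut, template args shortened.
SAMPLE = """\
==31358== Invalid read of size 8
==31358== at 0x5E4AB4A: zorba::simplestore::XmlTree::removeType(zorba::simplestore::XmlNode const*) (node_items.cpp:242)
==31358== by 0x5E4C91F: zorba::simplestore::XmlNode::destroyInternal(bool) (node_items.cpp:877)
==31358== by 0x5E4C882: zorba::simplestore::XmlNode::destroyInternal(bool) (node_items.cpp:860)
==31358== by 0x5E4C65E: zorba::simplestore::XmlNode::destroy(bool) (node_items.cpp:819)
==31358== by 0x5EE7290: zorba::simplestore::FastXmlLoader::abortload() (loader_fast.cpp:177)
==31358== by 0x5EEDD01: zorba::simplestore::FragmentXmlLoader::loadXml(...) (loader_dtd.cpp:322)
==31358== Address 0xabc2c48 is 56 bytes inside a block of size 184 free'd
==31358== at 0x4C2A4BC: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31358== by 0x5EE7216: zorba::simplestore::FastXmlLoader::abortload() (loader_fast.cpp:165)
==31358== by 0x5EEDD01: zorba::simplestore::FragmentXmlLoader::loadXml(...) (loader_dtd.cpp:322)
==31358==
"""

HEAD = re.compile(r"^==\d+==\s+Invalid (read|write) of size (\d+)$")
ADDR = re.compile(r"^==\d+==\s+Address 0x[0-9A-Fa-f]+ is (\d+) bytes inside a block of size (\d+) free'd$")
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (.+) \(([^()]+)\)$")

def parse_memcheck(text):
    """Return one dict per 'Invalid read/write' context that touches a freed block."""
    errors, cur, stack = [], None, None
    for line in text.splitlines():
        line = line.rstrip()
        if m := HEAD.match(line):
            cur = {"access": m[1], "size": int(m[2]), "use": [], "free": []}
            errors.append(cur)
            stack = cur["use"]            # frames that follow belong to the access
        elif cur is not None and (m := ADDR.match(line)):
            cur["offset"], cur["block"] = int(m[1]), int(m[2])
            stack = cur["free"]           # frames that follow belong to the free
        elif stack is not None and (m := FRAME.match(line)):
            stack.append((m[1].split("(")[0], m[2]))   # (function name, location)
        else:
            cur = stack = None            # bare "==pid==" or program output ends the context
    return [e for e in errors if e["free"]]

def free_then_use(err):
    """Innermost function present in both stacks: (name, free site, use site) or None."""
    freed = {fn: loc for fn, loc in reversed(err["free"])}
    for fn, loc in err["use"]:
        if fn in freed:
            return fn, freed[fn], loc
    return None
```

For this report both error contexts resolve to `FastXmlLoader::abortload()`, which frees the block at `loader_fast.cpp:165` and reaches it again through `XmlNode::destroy` at `loader_fast.cpp:177`.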

Changed in zorba:
status: New → Fix Committed
Changed in zorba:
status: Fix Committed → Fix Released