[libxml-devel] [ libxml-Bugs-26863 ] Libxml::Node#children causes segfault

nor...@rubyforge.org

May 2, 2011, 2:26:56 AM5/2/11
to nor...@rubyforge.org
Bugs item #26863, was opened at 2009-08-04 22:27
You can respond by visiting:
http://rubyforge.org/tracker/?func=detail&atid=1971&aid=26863&group_id=494

Category: None
Group: None
>Status: Closed
Resolution: Accepted
Priority: 3
Submitted By: Nobody (None)
Assigned to: Charlie Savage (cfis)
Summary: Libxml::Node#children causes segfault

Initial Comment:

The following ruby snippet causes a segmentation fault with ruby 1.8.7 p160 and libxml-ruby 1.1.3.

###File: libxml_test.rb###
#! /usr/local/bin/ruby

require "rubygems"
require 'xml'
require 'xml/libxml'

def child(e)
  e.children.each do |n| # segfault
    child(n) # recurse into every descendant
  end
end

def make_text(txt)
  return
end

# "html": an HTML/XML file in the current directory
file = File.open("html")
regexp_result = file.read
file.close

regexp_rexml_result = XML::Parser.string(regexp_result)
doc = regexp_rexml_result.parse

# Walk every element of the document over and over; the iteration count is
# printed so it is visible after how many rounds the crash happens.
cnt = 1
loop do
  elem = doc.find("//*")
  elem.each { |e|
    child(e)
  }
  p cnt
  cnt += 1
end

###result###
1
2
3
4
./libxml_test.rb:8: [BUG] Segmentation fault
ruby 1.8.7 (2009-04-08 patchlevel 160) [x86_64-linux]


###trace###
gdb --args ruby ./libxml_test.rb

GNU gdb Fedora (6.8-27.el5)
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu"...
(gdb) run
Starting program: /usr/local/bin/ruby ./libxml_test.rb
[Thread debugging using libthread_db enabled]
[New Thread 0x2b59906fb1b0 (LWP 25792)]
1
2
3
4

Program received signal SIGSEGV, Segmentation fault.
0x0000000000472959 in st_lookup (table=0x2b599137c7e0, key=10937, value=0x7fffbc525290) at st.c:250
250 hash_val = do_hash(key, table);
(gdb) backtrace
#0 0x0000000000472959 in st_lookup (table=0x2b599137c7e0, key=10937, value=0x7fffbc525290) at st.c:250
#1 0x00000000004115e5 in search_method (klass=47663683986880, id=10937, origin=0x7fffbc5252c8) at eval.c:475
#2 0x0000000000411657 in rb_get_method_body (klassp=0x7fffbc525310, idp=0x7fffbc525318, noexp=0x7fffbc525324) at eval.c:496
#3 0x000000000041c215 in rb_call (klass=47663683986880, recv=47663683986080, mid=10937, argc=0, argv=0x0, scope=0, self=47663675716280) at eval.c:6128
#4 0x0000000000416ebb in rb_eval (self=47663675716280, n=<value optimized out>) at eval.c:3494
#5 0x0000000000416dc7 in rb_eval (self=47663675716280, n=<value optimized out>) at eval.c:3488
#6 0x0000000000418fcf in rb_eval (self=47663675716280, n=<value optimized out>) at eval.c:3224
#7 0x000000000041bda0 in rb_call0 (klass=47663675726440, recv=47663675716280, id=10921, oid=<value optimized out>, argc=11097, argv=0x7fffbc526048, body=0x2b5990739640, flags=<value optimized out>)
at eval.c:6057
#8 0x000000000041c258 in rb_call (klass=47663675726440, recv=47663675716280, mid=10921, argc=1, argv=0x7fffbc526040, scope=1, self=47663675716280) at eval.c:6153
#9 0x0000000000416ff3 in rb_eval (self=<value optimized out>, n=<value optimized out>) at eval.c:3509
#10 0x000000000041a2b5 in rb_yield_0 (val=47663683986080, self=47663675716280, klass=0, flags=<value optimized out>, avalue=0) at eval.c:5079
#11 0x0000000000486791 in rb_ary_each (ary=47663675330080) at array.c:1261
#12 0x000000000041b54a in rb_call0 (klass=47663675661400, recv=47663675330080, id=4001, oid=4001, argc=0, argv=0x0, body=0x2b599074d410, flags=<value optimized out>) at eval.c:5906
#13 0x000000000041c258 in rb_call (klass=47663675661400, recv=47663675330080, mid=4001, argc=0, argv=0x0, scope=0, self=47663675716280) at eval.c:6153
#14 0x0000000000416ebb in rb_eval (self=47663675716280, n=<value optimized out>) at eval.c:3494
#15 0x0000000000418fcf in rb_eval (self=47663675716280, n=<value optimized out>) at eval.c:3224
#16 0x000000000041bda0 in rb_call0 (klass=47663675726440, recv=47663675716280, id=10921, oid=<value optimized out>, argc=0, argv=0x7fffbc527218, body=0x2b5990739640, flags=<value optimized out>) at eval.c:6057
#17 0x000000000041c258 in rb_call (klass=47663675726440, recv=47663675716280, mid=10921, argc=1, argv=0x7fffbc527210, scope=1, self=47663675716280) at eval.c:6153
#18 0x0000000000416ff3 in rb_eval (self=<value optimized out>, n=<value optimized out>) at eval.c:3509
#19 0x000000000041a2b5 in rb_yield_0 (val=47663683988920, self=47663675716280, klass=0, flags=<value optimized out>, avalue=0) at eval.c:5079
#20 0x0000000000486791 in rb_ary_each (ary=47663675344200) at array.c:1261
#21 0x000000000041b54a in rb_call0 (klass=47663675661400, recv=47663675344200, id=4001, oid=4001, argc=0, argv=0x0, body=0x2b599074d410, flags=<value optimized out>) at eval.c:5906
#22 0x000000000041c258 in rb_call (klass=47663675661400, recv=47663675344200, mid=4001, argc=0, argv=0x0, scope=0, self=47663675716280) at eval.c:6153
#23 0x0000000000416ebb in rb_eval (self=47663675716280, n=<value optimized out>) at eval.c:3494
#24 0x0000000000418fcf in rb_eval (self=47663675716280, n=<value optimized out>) at eval.c:3224
#25 0x000000000041bda0 in rb_call0 (klass=47663675726440, recv=47663675716280, id=10921, oid=<value optimized out>, argc=32767, argv=0x7fffbc5283e8, body=0x2b5990739640, flags=<value optimized out>)
at eval.c:6057
#26 0x000000000041c258 in rb_call (klass=47663675726440, recv=47663675716280, mid=10921, argc=1, argv=0x7fffbc5283e0, scope=1, self=47663675716280) at eval.c:6153
#27 0x0000000000416ff3 in rb_eval (self=<value optimized out>, n=<value optimized out>) at eval.c:3509
#28 0x000000000041a2b5 in rb_yield_0 (val=47663684015880, self=47663675716280, klass=0, flags=<value optimized out>, avalue=0) at eval.c:5079
#29 0x00002b5991381066 in rxml_xpath_object_each (self=47663678310840) at ruby_xml_xpath_object.c:184
#30 0x000000000041b54a in rb_call0 (klass=47663682999600, recv=47663678310840, id=4001, oid=4001, argc=0, argv=0x0, body=0x2b5990e4d440, flags=<value optimized out>) at eval.c:5906
#31 0x000000000041c258 in rb_call (klass=47663682999600, recv=47663678310840, mid=4001, argc=0, argv=0x0, scope=0, self=47663675716280) at eval.c:6153
#32 0x0000000000416ebb in rb_eval (self=47663675716280, n=<value optimized out>) at eval.c:3494
#33 0x0000000000418fcf in rb_eval (self=47663675716280, n=<value optimized out>) at eval.c:3224
#34 0x000000000041a2b5 in rb_yield_0 (val=6, self=47663675716280, klass=0, flags=<value optimized out>, avalue=0) at eval.c:5079
#35 0x0000000000424e47 in loop_i () at eval.c:5211
#36 0x0000000000410704 in rb_rescue2 (b_proc=0x424e30 <loop_i>, data1=0, r_proc=0, data2=0) at eval.c:5475
#37 0x00000000004108e0 in rb_f_loop () at eval.c:5236
#38 0x000000000041b54a in rb_call0 (klass=47663675726160, recv=47663675716280, id=4121, oid=4121, argc=0, argv=0x0, body=0x2b5990759b98, flags=<value optimized out>) at eval.c:5906
#39 0x000000000041c258 in rb_call (klass=47663675726160, recv=47663675716280, mid=4121, argc=0, argv=0x0, scope=1, self=47663675716280) at eval.c:6153
#40 0x0000000000416ff3 in rb_eval (self=<value optimized out>, n=<value optimized out>) at eval.c:3509
#41 0x0000000000418fcf in rb_eval (self=47663675716280, n=<value optimized out>) at eval.c:3224
#42 0x00000000004279e9 in ruby_exec_internal () at eval.c:1643
#43 0x0000000000427a35 in ruby_exec () at eval.c:1663
#44 0x0000000000427a5f in ruby_run () at eval.c:1673
#45 0x000000000040ddc3 in main (argc=2, argv=0x7fffbc52a328, envp=<value optimized out>) at main.c:48


----------------------------------------------------------------------

>Comment By: Charlie Savage (cfis)
Date: 2011-05-02 00:26

Message:
Hi Josh,

I think this is now fixed. If not, let me know and reopen a ticket here (or better yet on GitHub at https://github.com/xml4r/libxml-ruby).

Charlie

----------------------------------------------------------------------

Comment By: Charlie Savage (cfis)
Date: 2011-04-22 23:45

Message:
Does the html file have specific content, or just any html file?

If I save this page to the file html, and run the script, all is well with the new release.

Could you retest with the new release?

Thanks - Charlie

----------------------------------------------------------------------

Comment By: Josh Glover (jmglov)
Date: 2011-03-04 07:58

Message:
Ah, but this can't be right:

(gdb) up 5
#5 0x0000000000491639 in st_lookup (table=0x7f2b21c20660, key=10985, value=0x7fffc02954d8) at st.c:250
250 hash_val = do_hash(key, table);

table is again WAAAAAY out there; no way that's going to be addressable. table comes from eval.c#L486 :

478 static NODE*
479 search_method(klass, id, origin)
480     VALUE klass, *origin;
481     ID id;
482 {
483     st_data_t body;
484
485     if (!klass) return 0;
486     while (!st_lookup(RCLASS(klass)->m_tbl, id, &body)) {
487         klass = RCLASS(klass)->super;
488         if (!klass) return 0;
489     }
490
491     if (origin) *origin = klass;
492     return (NODE *)body;
493 }

So some class has lost its pointer to its function pointer table. I don't think I have the time to take this much further, but hopefully this info is useful to someone. :-/

----------------------------------------------------------------------

Comment By: Josh Glover (jmglov)
Date: 2011-03-04 07:03

Message:
(gdb) info locals
hash_val = 0
bin_pos = 32122193
ptr = 0x7f2b21f2dd40
(gdb) l
245     st_data_t *value;
246 {
247     unsigned int hash_val, bin_pos;
248     register st_table_entry *ptr;
249
250     hash_val = do_hash(key, table);
251     FIND_ENTRY(table, ptr, hash_val, bin_pos);
252
253     if (ptr == 0) {
254         return 0;

Oops, ptr hasn't been assigned to yet at L250. I'll keep digging.

BTW, I compiled Ruby like this to get all of the debug symbols:

CFLAGS='-O0 -g -Wall' ./configure --disable-pthread && make

----------------------------------------------------------------------

Comment By: Josh Glover (jmglov)
Date: 2011-03-04 07:01

Message:
: josh@josh; gdb ~/tmp/ruby-1.8.7-p334/ruby core
GNU gdb (GDB) 7.2-ubuntu
[...]
Program terminated with signal 6, Aborted.
#0 0x00007f2b225c5ba5 in raise (sig=<value optimised out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
in ../nptl/sysdeps/unix/sysv/linux/raise.c
(gdb) bt
#0 0x00007f2b225c5ba5 in raise (sig=<value optimised out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1 0x00007f2b225c96b0 in abort () at abort.c:92
#2 0x00000000004c284e in rb_bug (fmt=0x4e1b13 "Segmentation fault") at error.c:213
#3 0x000000000048e1b9 in sigsegv (sig=11) at signal.c:634
#4 <signal handler called>
#5 0x0000000000491639 in st_lookup (table=0x7f2b21c20660, key=10985, value=0x7fffc02954d8) at st.c:250
#6 0x000000000040e861 in search_method (klass=139823229885920, id=10985, origin=0x7fffc0295528) at eval.c:486
[...]

(gdb) up 5
#5 0x0000000000491639 in st_lookup (table=0x7f2b21c20660, key=10985, value=0x7fffc02954d8) at st.c:250
250 hash_val = do_hash(key, table);
(gdb) info locals
hash_val = 0
bin_pos = 32122193
ptr = 0x7f2b21f2dd40

0x7f2b21f2dd40 is 139_823_229_885_760 in decimal, so unless my ThinkPad T510i has 139 terabytes of memory, this is a segmentation fault. :)

----------------------------------------------------------------------
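The comments above work through two gdb backtraces by hand: locating the faulting st_lookup frame behind Ruby's own SIGSEGV reporting, reading the argument values out of the frames, and judging whether a pointer value is plausible. The following Ruby script is an added example, not code from this ticket, from libxml-ruby or from the Ruby interpreter: it parses gdb "bt" output in the format quoted in this thread, re-joins the frame lines gdb wraps, picks out the crash frame, counts rb_call frames as a measure of interpreter call depth, and flags pointer arguments that lie outside the canonical x86_64 Linux user-space range (addresses must be below 2**47). The sample traces are abbreviated copies of the two backtraces above; the BAD_FRAME line, the HANDLER_FRAMES list and the POINTER_ARGS name list are constructed for this example.

```ruby
# Added example (not part of the ticket or of libxml-ruby): a parser for the
# gdb "bt" output quoted in this thread.

FRAME_RE = /\A\#(?<no>\d+)\s+
  (?:(?<addr>0x\h+)\s+in\s+)?              # pc; absent for "<signal handler called>"
  (?<func><[^>]+>|\S+)                     # function name or synthetic signal frame
  (?:\s*\((?<args>.*)\))?                  # "name=value, ..." argument list
  (?:\s+at\s+(?<file>\S+):(?<line>\d+))?   # source location when debug info exists
  \s*\z/x

# Frames that belong to Ruby's crash reporting (rb_bug -> abort -> raise), not to the fault.
HANDLER_FRAMES = ["raise", "abort", "rb_bug", "sigsegv", "<signal handler called>"]
POINTER_ARGS = %w[table ptr klass recv self body origin ary value]  # constructed list
USER_SPACE_LIMIT = 1 << 47  # x86_64 Linux user addresses lie below 0x0000800000000000

# gdb wraps long frames, leaving e.g. "    at eval.c:6057" on its own line.
def join_wrapped_lines(text)
  text.lines.map(&:strip).reject(&:empty?).each_with_object([]) do |line, out|
    if line.start_with?("#") || out.empty?
      out << line
    else
      out[-1] = "#{out[-1]} #{line}"
    end
  end
end

# Hex or decimal values become Integers; strings and "<value optimized out>" become nil.
def parse_value(token)
  return token.hex if token =~ /\A0x\h+\z/
  return token.to_i if token =~ /\A-?\d+\z/
  nil
end

def parse_args(args)
  return {} if args.nil? || args.strip.empty?
  args.split(/,\s*/).each_with_object({}) do |pair, h|
    name, value = pair.split("=", 2)
    h[name] = parse_value(value.strip[/\A\S+/]) if value
  end
end

def parse_backtrace(text)
  join_wrapped_lines(text).each_with_object([]) do |line, frames|
    m = FRAME_RE.match(line) or next
    frames << { no: m[:no].to_i, addr: m[:addr] && m[:addr].hex, func: m[:func],
                args: parse_args(m[:args]), file: m[:file],
                line: m[:line] && m[:line].to_i }
  end
end

# First frame that is not part of the signal-handling prelude.
def crash_site(frames)
  frames.find { |f| !HANDLER_FRAMES.include?(f[:func]) }
end

# Every Ruby-level method call passes through rb_call, so counting those frames
# gives the interpreter-visible call depth at the time of the crash.
def interpreter_call_depth(frames)
  frames.count { |f| f[:func] == "rb_call" }
end

# Pointer-named arguments that cannot be valid user-space addresses on x86_64.
def implausible_pointers(frame)
  frame[:args].select { |name, v| POINTER_ARGS.include?(name) && v && v >= USER_SPACE_LIMIT }
end

def report(text)
  frames = parse_backtrace(text)
  site = crash_site(frames)
  bad = frames.map { |f| [f[:no], implausible_pointers(f)] }.reject { |_, h| h.empty? }
  ["crash site: ##{site[:no]} #{site[:func]} at #{site[:file]}:#{site[:line]}",
   "rb_call frames: #{interpreter_call_depth(frames)}",
   "non-canonical pointers: #{bad.empty? ? 'none' : bad.inspect}"].join("\n")
end

# Sample input: frames from the two backtraces quoted in this ticket
# (abbreviated; frames #4-#6 of the first trace omitted, frame #7 shows gdb's wrapping).
TRACE_2009 = <<'BT'
#0 0x0000000000472959 in st_lookup (table=0x2b599137c7e0, key=10937, value=0x7fffbc525290) at st.c:250
#1 0x00000000004115e5 in search_method (klass=47663683986880, id=10937, origin=0x7fffbc5252c8) at eval.c:475
#2 0x0000000000411657 in rb_get_method_body (klassp=0x7fffbc525310, idp=0x7fffbc525318, noexp=0x7fffbc525324) at eval.c:496
#3 0x000000000041c215 in rb_call (klass=47663683986880, recv=47663683986080, mid=10937, argc=0, argv=0x0, scope=0, self=47663675716280) at eval.c:6128
#7 0x000000000041bda0 in rb_call0 (klass=47663675726440, recv=47663675716280, id=10921, oid=<value optimized out>, argc=11097, argv=0x7fffbc526048, body=0x2b5990739640, flags=<value optimized out>)
    at eval.c:6057
#8 0x000000000041c258 in rb_call (klass=47663675726440, recv=47663675716280, mid=10921, argc=1, argv=0x7fffbc526040, scope=1, self=47663675716280) at eval.c:6153
BT

TRACE_2011 = <<'BT'
#0 0x00007f2b225c5ba5 in raise (sig=<value optimised out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1 0x00007f2b225c96b0 in abort () at abort.c:92
#2 0x00000000004c284e in rb_bug (fmt=0x4e1b13 "Segmentation fault") at error.c:213
#3 0x000000000048e1b9 in sigsegv (sig=11) at signal.c:634
#4 <signal handler called>
#5 0x0000000000491639 in st_lookup (table=0x7f2b21c20660, key=10985, value=0x7fffc02954d8) at st.c:250
#6 0x000000000040e861 in search_method (klass=139823229885920, id=10985, origin=0x7fffc0295528) at eval.c:486
BT

# Constructed line (not from the ticket): a table pointer that cannot be a user-space address.
BAD_FRAME = '#0 0x0000000000491639 in st_lookup (table=0xdeadbeefdeadbeef, key=1, value=0x7fffc02954d8) at st.c:250'

puts report(TRACE_2011) if __FILE__ == $0
```

Run on the 2011 core-dump trace the report names frame #5 (st_lookup at st.c:250) as the crash site, since frames #0-#4 are only the interpreter reporting the fault; both quoted traces parse without any non-canonical pointer, whereas the constructed BAD_FRAME is flagged. A null or out-of-range pointer seen here is a property of the address value alone; a pointer that is in range but points at freed or reused memory, which is what a garbage m_tbl looks like, can only be established by inspecting the object it points to in the debugger.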

Comment By: Josh Glover (jmglov)
Date: 2011-03-04 06:55

Message:
Breaks in ruby-1.8.7-p334:

: josh@josh; ~/tmp/ruby-1.8.7-p334/ruby test/tc_node_child.rb >/dev/null
test/tc_node_child.rb:21: [BUG] Segmentation fault
ruby 1.8.7 (2011-02-18 patchlevel 334) [x86_64-linux]
Aborted (core dumped)


----------------------------------------------------------------------

Comment By: Josh Glover (jmglov)
Date: 2011-03-04 06:42

Message:
Interesting data point: it works on ruby 1.8.7_0 but not 1.8.7_299:

: josh@josh; /usr/bin/ruby -v
ruby 1.8.7 (2010-06-23 patchlevel 299) [x86_64-linux]
: josh@josh; /usr/bin/ruby test/tc_node_child.rb >/dev/null
test/tc_node_child.rb:21: [BUG] Segmentation fault
ruby 1.8.7 (2010-06-23 patchlevel 299) [x86_64-linux]
Aborted (core dumped)

: josh@josh; ~/tmp/ruby-1.8.7/ruby -v
ruby 1.8.7 (2008-05-31 patchlevel 0) [x86_64-linux]
: josh@josh; ~/tmp/ruby-1.8.7/ruby test/tc_node_child.rb >/dev/null
# Victory!

----------------------------------------------------------------------

_______________________________________________
libxml-devel mailing list
libxml...@rubyforge.org
http://rubyforge.org/mailman/listinfo/libxml-devel
