This queue is for tickets about the XML-LibXML CPAN distribution.

Report information
The Basics
Id: 94149
Status: resolved
Priority: 0/
Queue: XML-LibXML

People
Owner: Nobody in particular
Requestors: jeff [...] jefftrout.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: libxml2 optimization in xmlAddSibling leads to a double free in DESTROY.
Date: Mon, 24 Mar 2014 13:28:30 -0400
From: Jeff <jeff [...] jefftrout.com>
Been hitting a bug that randomly occurs, but always from the guts of XML::LibXML. However, I’ve never been able to reliably reproduce it until today.

After debugging I was able to get to the root of the problem:

In libxml2’s tree.c xmlAddSibling has an optimization where if the existing node is text and you are appendSibling a text node it will instead append the text onto the existing sibling then xmlFree the new sibling.

When done via XML::LibXML this effectively frees our xmlNode out from under us, then when DESTROY is run we end up with a double free, which can lead to all sorts of neat things. (In my case, it would sometimes lock up deep down in free())

Code to induce it is pretty simple:

    use strict;
    use XML::LibXML;

    my $orig = new XML::LibXML::Text("Double ");
    $orig->addSibling(new XML::LibXML::Text("Free"));

valgrind output confirms:

    jeff@debian:~/insiderscore/site$ valgrind perl doublefree.pl
    ==13673== Memcheck, a memory error detector
    ==13673== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
    ==13673== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
    ==13673== Command: perl doublefree.pl
    ==13673==
    ==13673== Invalid read of size 8
    ==13673==    at 0x6C798C8: PmmREFCNT_dec (perl-libxml-mm.c:448)
    ==13673==    by 0x6C5DB3E: XS_XML__LibXML__Node_DESTROY (LibXML.xs:4147)
    ==13673==    by 0x4EE764B: Perl_pp_entersub (in /usr/lib/libperl.so.5.14.2)
    ==13673==    by 0x4E7AAD0: Perl_call_sv (in /usr/lib/libperl.so.5.14.2)
    ==13673==    by 0x4EEDB18: Perl_sv_clear (in /usr/lib/libperl.so.5.14.2)
    ==13673==    by 0x4EEE1D1: Perl_sv_free2 (in /usr/lib/libperl.so.5.14.2)
    ==13673==    by 0x4F139BF: Perl_free_tmps (in /usr/lib/libperl.so.5.14.2)
    ==13673==    by 0x4E80633: perl_run (in /usr/lib/libperl.so.5.14.2)
    ==13673==    by 0x400F88: main (in /usr/bin/perl)
    ==13673==  Address 0x7701380 is 0 bytes inside a block of size 120 free'd
    ==13673==    at 0x4C27D4E: free (vg_replace_malloc.c:427)
    ==13673==    by 0x6EF0CC2: xmlAddSibling (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.8.0)
    ==13673==    by 0x6C5ACE5: XS_XML__LibXML__Node_addSibling (LibXML.xs:5041)
    ==13673==    by 0x4EE764B: Perl_pp_entersub (in /usr/lib/libperl.so.5.14.2)
    ==13673==    by 0x4EDEC25: Perl_runops_standard (in /usr/lib/libperl.so.5.14.2)
    ==13673==    by 0x4E80754: perl_run (in /usr/lib/libperl.so.5.14.2)
    ==13673==    by 0x400F88: main (in /usr/bin/perl)
    ==13673==

I’ve updated my application to detect this scenario and turn it into an append rather than addSibling, however XML::LibXML may want to add a check for that as well.

--
Jeff Trout <jeff@jefftrout.com>
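
The caller-side workaround the report describes (detect text onto text and append instead of calling addSibling), written out as an added example. It is not the reporter's code or part of XML::LibXML; `last_sibling` and `safe_add_sibling` are hypothetical helper names, and the document built at the end is constructed sample input.

```perl
#!/usr/bin/perl
# Added example: guard against the text-merge path in libxml2's xmlAddSibling.
# last_sibling() and safe_add_sibling() are hypothetical helpers.
use strict;
use warnings;
use XML::LibXML;    # exports XML_TEXT_NODE and the other node-type constants

# xmlAddSibling appends at the END of the sibling list, so the node that
# matters for the merge check is the last sibling, not the one passed in.
sub last_sibling {
    my ($node) = @_;
    while ( defined( my $next = $node->nextSibling ) ) {
        $node = $next;
    }
    return $node;
}

# Append $new after the last sibling of $cur. If both that sibling and $new
# are text nodes, libxml2 would merge the text and free $new's xmlNode while
# the Perl wrapper still points at it. Copy the text instead, so $new stays
# valid and is released exactly once when its wrapper is destroyed.
sub safe_add_sibling {
    my ( $cur, $new ) = @_;
    my $last = last_sibling($cur);
    if (   $last->nodeType == XML_TEXT_NODE
        && $new->nodeType == XML_TEXT_NODE )
    {
        $last->appendData( $new->data );
        return $last;
    }
    return $cur->addSibling($new);
}

# Constructed sample input: the text-onto-text case from the report, then
# two calls where no merge applies and the real addSibling is used.
my $doc  = XML::LibXML->createDocument( '1.0', 'UTF-8' );
my $root = $doc->createElement('root');
$doc->setDocumentElement($root);

my $first = $root->appendChild( $doc->createTextNode('Double ') );
safe_add_sibling( $first, $doc->createTextNode('Free') );    # merged by copy
safe_add_sibling( $first, $doc->createElement('b') );        # new node is an element
safe_add_sibling( $first, $doc->createTextNode('tail') );    # last sibling is <b>

print $root->toString, "\n";
```

Running the script under valgrind, as in the report, is the way to confirm that no invalid read is reported from `PmmREFCNT_dec` on an affected build.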
On Wed Mar 26 13:10:19 2014, NWELLNHOF wrote:
> Fixed in this pull request:
>
> https://bitbucket.org/shlomif/perl-xml-libxml/pull-request/30/fix-double-free-when-calling-node/diff
>
> Thanks for the report.
>
> Nick

Thanks for the report and the bug fix. I'm RESOLVED-ing this bug report.

Nick, I should note that seeing your recent pull requests were perfectly fine, I gave you a commit/"write" bit for the perl-xml-libxml repository:

https://bitbucket.org/shlomif/perl-xml-libxml

Enjoy!

Regards,

-- Shlomi Fish

