zorba-coders team mailing list archive

Thread
Date
[Bug 1024033] Re: segfault in parse-xml:parse()

To: zorba-coders@xxxxxxxxxxxxxxxxxxx
From: Chris Hillery <1024033@xxxxxxxxxxxxxxxxxx>
Date: Fri, 13 Jul 2012 00:08:54 -0000
Reply-to: Bug 1024033 <1024033@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
Nicolae - this is happening because of the following:

    if (result->isStreamable())
    {
      state->theFragmentStream.theStream = &result->getStream();
    }

(lines 195-198 of parse_fragment_impl.cpp). This code assigns the
istream to the state, but memory ownership of the stream is still
associated with the item (result). Later, this stream is passed to
Store.loadDocument() at line 230. So when that item goes out of scope,
the stream is freed, and the store is left pointing to a freed istream.

What needs to happen is that state->theFragmentStream needs to have a
StreamReleaser field as well. Then, when you assign the value of
result->getStream() to theFragmentStream.theStream, you need to also
assign the value of result->getStreamReleaser() to
theFragmentStream.theStreamReleaser. You also need to call
result->setStreamReleaser(nullptr) to complete the transference of
memory ownership to theFragmentStream. Finally, in ~FragmentIStream()
(or, apparently, actually in FragmentIStream::reset()), if
theStreamReleaser is non-null then call it, passing theStream as an
argument.

It's not super-clear, but this is how streaming in Zorba works, for
better or for worse...

** Changed in: zorba
     Assignee: Chris Hillery (ceejatec) => Nicolae Brinza (nbrinza)

-- 
You received this bug notification because you are a member of Zorba
Coders, which is the registrant for Zorba.
https://bugs.launchpad.net/bugs/1024033

Title:
  segfault in parse-xml:parse()

Status in Zorba - The XQuery Processor:
  Confirmed

Bug description:
  parse-xml:parse() results in a segfault when called with:

  <opt:options>
    <opt:parse-external-parsed-entity opt:skip-root-nodes="0" />
  </opt:options>

  or with

  <opt:options>
    <opt:parse-external-parsed-entity opt:skip-root-nodes="1" />
  </opt:options>

  for that matter.
  With only <opt:options /> it works.

  Reproduce:

  echo "<page />" > acc.xml
  zorba -f -q xmlparse.xq

  This was tested with the zorba build from revision 10923.

  $ gdb --args zorba -f -q xmlparse.xq
  [Thread debugging using libthread_db enabled]
  <?xml version="1.0" encoding="UTF-8"?>
  fetch [0]: xs:string(<page />
  )

  Program received signal SIGSEGV, Segmentation fault.
  0xb54e29de in std::basic_istream<char, std::char_traits<char> >::sentry::sentry(std::basic_istream<char, std::char_traits<char> >&, bool) () from /usr/lib/i386-linux-gnu/libstdc++.so.6


  also:

  $ valgrind install_dbg/bin/zorba -f -q zorba-files/xmlparse.xq
  ==21695== Memcheck, a memory error detector
  ==21695== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
  ==21695== Using Valgrind-3.6.1 and LibVEX; rerun with -h for copyright info
  ==21695== Command: /home/tillw/code/zorba/install_dbg/bin/zorba -f -q zorba-files/xmlparse.xq
  ==21695==
  <?xml version="1.0" encoding="UTF-8"?>
  fetch [0]: xs:string(<page />
  )
  ==21695== Invalid write of size 4
  ==21695==    at 0x6B0AFD3: std::istream::read(char*, int) (in /usr/lib/i386-linux-gnu/libstdc++.so.6.0.14)
  ==21695==    by 0x4EA5B70: zorba::simplestore::FastXmlLoader::readPacket(std::istream&, char*, long) (loader_fast.cpp:242)
  ==21695==    by 0x4EAAAC1: zorba::simplestore::FragmentXmlLoader::fillBuffer(zorba::FragmentIStream*) (loader_dtd.cpp:161)
  ==21695==    by 0x4EAB3E2: zorba::simplestore::FragmentXmlLoader::loadXml(zorba::rstring<zorba::rstring_classes::rep<zorba::atomic_int, 
  std::char_traits<char>, std::allocator<char> > > const&, zorba::rstring<zorba::rstring_classes::rep<zorba::atomic_int, std::char_traits<
  char>, std::allocator<char> > > const&, std::istream&) (loader_dtd.cpp:260)
  ==21695==    by 0x4ECD245: zorba::simplestore::Store::loadDocument(zorba::rstring<zorba::rstring_classes::rep<zorba::atomic_int, std::ch
  ar_traits<char>, std::allocator<char> > > const&, zorba::rstring<zorba::rstring_classes::rep<zorba::atomic_int, std::char_traits<char>, 
  std::allocator<char> > > const&, std::istream&, zorba::store::LoadProperties const&) (store.cpp:1030)
  ==21695==    by 0x4A96C87: zorba::FnZorbaParseXmlFragmentIterator::nextImpl(zorba::store::ItemHandle<zorba::store::Item>&, zorba::PlanSt
  ate&) const (parse_fragment_impl.cpp:230)
  ==21695==    by 0x489381C: zorba::Batcher<zorba::FnZorbaParseXmlFragmentIterator>::produceNext(zorba::store::ItemHandle<zorba::store::It
  em>&, zorba::PlanState&) const (plan_iterator.h:535)
  ==21695==    by 0x4B3D7BA: zorba::PlanIterator::consumeNext(zorba::store::ItemHandle<zorba::store::Item>&, zorba::PlanIterator const*, z
  orba::PlanState&) (plan_iterator.cpp:109)
  ==21695==    by 0x49FA142: zorba::TraceIterator::nextImpl(zorba::store::ItemHandle<zorba::store::Item>&, zorba::PlanState&) const (error
  s_and_diagnostics_impl.cpp:102)
  ==21695==    by 0x4969368: zorba::Batcher<zorba::TraceIterator>::produceNext(zorba::store::ItemHandle<zorba::store::Item>&, zorba::PlanS
  tate&) const (plan_iterator.h:535)
  ==21695==    by 0x4B3D7BA: zorba::PlanIterator::consumeNext(zorba::store::ItemHandle<zorba::store::Item>&, zorba::PlanIterator const*, z
  orba::PlanState&) (plan_iterator.cpp:109)
  ==21695==    by 0x4B823DA: zorba::flwor::FLWORIterator::bindVariable(unsigned long, zorba::flwor::FlworState*, zorba::PlanState&) const 
  (flwor_iterator.cpp:1216)
  ==21695==  Address 0x7406f1c is 4 bytes inside a block of size 280 free'd
  ==21695==    at 0x4025907: operator delete(void*) (vg_replace_malloc.c:387)
  ==21695==    by 0x6B0215F: std::basic_ifstream<char, std::char_traits<char> >::~basic_ifstream() (in /usr/lib/i386-linux-gnu/libstdc++.s
  o.6.0.14)
  ==21695==    by 0x4778C2C: zorba::internal::fileStreamReleaser(std::istream*) (default_url_resolvers.cpp:86)
  ==21695==    by 0x4E697E6: zorba::simplestore::StreamableStringItem::~StreamableStringItem() (atomic_items.h:919)
  ==21695==    by 0x4E69866: zorba::simplestore::StreamableStringItem::~StreamableStringItem() (atomic_items.h:921)
  ==21695==    by 0x4C775ED: zorba::store::Item::free() (in /home/tillw/code/zorba/install_dbg/lib/libzorba_simplestore.so.2.5.0)
  ==21695==    by 0x4E0AE39: zorba::store::Item::removeReference() (item.cpp:172)
  ==21695==    by 0x445768B: zorba::store::ItemHandle<zorba::store::Item>& zorba::store::ItemHandle<zorba::store::Item>::assign<zorba::sto
  re::Item>(zorba::store::ItemHandle<zorba::store::Item> const&) (item_handle.h:200)
  ==21695==    by 0x4456971: zorba::store::ItemHandle<zorba::store::Item>::operator=(zorba::store::ItemHandle<zorba::store::Item> const&) 
  (item_handle.h:143)
  ==21695==    by 0x4A96C9C: zorba::FnZorbaParseXmlFragmentIterator::nextImpl(zorba::store::ItemHandle<zorba::store::Item>&, zorba::PlanSt
  ate&) const (parse_fragment_impl.cpp:230)
  ==21695==    by 0x489381C: zorba::Batcher<zorba::FnZorbaParseXmlFragmentIterator>::produceNext(zorba::store::ItemHandle<zorba::store::It
  em>&, zorba::PlanState&) const (plan_iterator.h:535)
  ==21695==    by 0x4B3D7BA: zorba::PlanIterator::consumeNext(zorba::store::ItemHandle<zorba::store::Item>&, zorba::PlanIterator const*, z
  orba::PlanState&) (plan_iterator.cpp:109)
  ==21695==

To manage notifications about this bug go to:
https://bugs.launchpad.net/zorba/+bug/1024033/+subscriptions
References

[Bug 1024033] [NEW] segfault in parse-xml:parse()
From: mb21, 2012-07-12