Re: XML::LibXML-1.53

Hi,

i just had some spare time and was able to confine the problem further to the 
PmmREFCNT_dec() function in perl-libxml-mm.c of XML-LibXML-1.56:

I have added some debug printf statements to demonstrate where it crashes

/* decrements the proxy counter. if the counter becomes zero or less,
   this method will free the proxy node. If the node is part of a
   subtree, PmmREFCNT_def will fix the reference counts and delete
   the subtree if it is not required any more.
 */
int
PmmREFCNT_dec( ProxyNodePtr node )
{
    xmlNodePtr libnode = NULL;
    ProxyNodePtr owner = NULL;
    int retval = 0;

    if ( node != NULL && node) {
        printf("## Before PmmREFCNT(node)\n");
        retval = PmmREFCNT(node)--;
        printf("## node->count=%d\n",node->count);
        printf("## PmmREFCNT(node)=%d\n",PmmREFCNT(node));
        printf("## retval=%d\n",retval);
        if ( PmmREFCNT(node) <= 0 ) {
            xs_warn( "NODE DELETATION\n" );
            libnode = PmmNODE( node );
            if ( libnode != NULL ) {
                if ( libnode->_private != node ) {
                    xs_warn( "lost node\n" );
                    libnode = NULL;
                }
                else {
                    libnode->_private = NULL;
                }
            }

            PmmNODE( node ) = NULL;
            if ( PmmOWNER(node) && PmmOWNERPO(node) ) {
                xs_warn( "DOC NODE!\n" );
                owner = PmmOWNERPO(node);
                PmmOWNER( node ) = NULL;
                if( libnode != NULL && libnode->parent == NULL ) {
                    /* this is required if the node does not directly
                     * belong to the document tree
                     */
                    xs_warn( "REAL DELETE" );
                    PmmFreeNode( libnode );
                }
                xs_warn( "decrease owner" );

                /*

At this point owner is a dangling pointer which will crash when dereferencing 
it in the next call to PmmREFCNT_dec( ) -> remember this func is recursive 
...
                */

                printf("## Before 1 PmmREFCNT_dec(owner)\n");
                PmmREFCNT_dec( owner );

                /* we won't get here */
                printf("## After 1 PmmREFCNT_dec()\n");
            }
            else if ( libnode != NULL ) {
                xs_warn( "STANDALONE REAL DELETE" );
                PmmFreeNode( libnode );
            }
            Safefree( node );
            /* free( node ); */
        }
    }
    else {
        xs_warn("lost node" );
    }
    printf ("Returning retval=%d\n",retval);
    return retval;
}


~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~

Having a quick look at the state of "owner" shows that it is probably not fit 
for being passwd around:

(gdb) p *node->owner
$10 = {_private = 0x30312f74, type = 1668183398, name = 0x6e6f6974 <Address 
0x6e6f6974 out of bounds>, children = 0x742e73, last = 0x4015a6e8, parent = 
0x41, next = 0x0,
  prev = 0x0, doc = 0x0, ns = 0x0, content = 0x0, properties = 0x0, nsDef = 
0x82eb5e8}

But where does owner get srewed up in the first place? I doubt that it's 
anywhere in perl-libxml-mm.c !!

I will try to look deeper into this when I have more time at hand, -> also I 
am not familiar with the code so the person who wrote this might be able to 
spot the problem faster than me ...

Note that you have to add the -g switch to CFLAGS in the XML-LibXML Makefile
to get any meaningful debugging with gdb.
 
Cheers,
~/joachim


On Tuesday 09 December 2003 08:55, Joachim Bauernberger wrote:
> Hi Grant,
>
> On Monday 08 December 2003 18:49, Grant McLean wrote:
> <snip/>
>
> > > [t][jmbdev]# perl ./10functions.t
> > > 1..14
> > > ok 1
> > > ok 2
> > > ok 3
> > > ok 4
> > > ok 5
> > > ok 6
> > > Segmentation fault
> >
> > One obvious difference between running 'make test' and running the test
> > directly is that make test uses the recently built version of LibXML
> > sitting in the blib directory whereas your simple perl command to run
> > the test script uses the version of LibXML installed on your system.
>
> That version of LibXML was already installed from before, so it should not
> make a difference (I also double checked by using the -Include switches as
> you did below but it's all the same...)
>
> cheers,
> ~/joachim
>
> > You could try editing the command line generated by 'make test':
> >
> > PERL_DL_NONLAZY=1 /usr/bin/perl -Iblib/arch -Iblib/lib \
> > -I/usr/lib/perl/5.6.1  -I/usr/share/perl/5.6.1 t/10functions.t
> >
> > or you could use the 'prove' script that comes with recent versions of
> > Test::Harness to achieve a similar thing.
> >
> > Of course if you've already run 'make install' then the files from blib
> > should have been copied to /usr/local/lib already.
> >
> > Cheers
> > Grant

-- 
Phone: +49 (0) 89 15883875
Fax: +49 (0) 89 15883874
Mobile: +49 (0) 179 674 3611         
Web: http://www.bauernberger.org/

_______________________________________________
Perl-XML mailing list
Perl-XML@xxxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe: http://listserv.ActiveState.com/mailman/mysubs