Details
-
Bug
-
Status: Open
-
Critical
-
Resolution: Unresolved
-
3.0.1
-
None
-
None
-
All.
Description
Problem:
If you enable grammar caching and:
- DTD validate a valid document
- DTD validate an invalid document
- DTD validate an valid document
a segmentation fault, etc. occurs inside Xerces.
Apparent cause:
When parsing a document in DTD mode, the parser always creates a temporary
grammar called "[dtd]". If the parser successully parses the document,
it puts the parsed DTD in "[dtd]" and then renames "[dtd]" to the real
name of the DTD.
However, if the parse does not succeed, the parser (erroneously?)
just leaves "[dtd]" in the grammer cache. This means that "[dtd]"
exists in the grammar cache when a new document is parsed later that
uses a novel DTD, then the presence of "[dtd]" in the grammar cache
will eventually cause a memory leak and double free, ultimately
causing a crash (see attached dbx or gdb output).
This affects users of the DGXMLScanner and the IGXMLScanner.
A fix for the problem is to make sure that before "[dtd]" is placed
in the grammar cache any existing "[dtd]" is removed.
The attached test case failed under both Solaris and Linux.
Under Solaris, depending on where the files were located, environment, etc.
it would sometimes crash, and sometimes not. However, even when it did not
crash, it was still double freeing, etc; this can be seen by running
"bcheck test-12907" (output attached).
Under linux, it always seems to crash with:
-
-
- glibc detected *** free(): invalid pointer: 0x000000000050ed18 ***
However, even if the erroneous code does not trigger a crash,
valgrind should show the problem.
- glibc detected *** free(): invalid pointer: 0x000000000050ed18 ***
-
We have developed a kludgy workaround, but I do not think
that it is a "good" fix. See the attached diffs against 2.7.0.