Hi François,
François Delyon wrote:
> I try to evaluate a wrong XPath expression like
> "//command[start-with(@code,'XML')]"
> (start-with() is not an xpath function; the final "s" of "starts" is
> missing)
> Then I get the error:
> malloc: *** Deallocation of a pointer not malloced: 0x6d5b450;
> This could be a double free(), or free() called with the middle of an
> allocated block;
Yes, this is certainly caused by a double-free.
> I do the following:
> xmlXPathCompExprPtr exp=xmlXPathCtxtCompile(xpathCtx,s);// no error??
> xmlXPathObjectPtr xpathObj = xmlXPathCompiledEval(exp, xpathCtx);
>
> As expected, xmlXPathCompOpEval returns at the test
>     if (func == NULL) {
>         xmlGenericError(xmlGenericErrorContext,
>             "xmlXPathCompOpEval: function %s not found\n",
>             op->value4);
>         XP_ERROR0(XPATH_UNKNOWN_FUNC_ERROR);
>     }
>
> then in xmlXPathCompiledEvalInternal(), the following code:
>     /*
>      * Pop all remaining objects from the stack.
>      */
>     if (pctxt->valueNr > 0) {
>         xmlXPathObjectPtr tmp;
>         int stack = 0;
>
>         do {
>             tmp = valuePop(pctxt);
>             if (tmp != NULL) {
>                 if (tmp != NULL)
>                     stack++;
>                 xmlXPathReleaseObject(ctxt, tmp);
>             }
>         } while (tmp != NULL);
>
> generates the error at the third and last execution of
> xmlXPathReleaseObject.
> The double test "if (tmp != NULL)" seems suspect.
> The last temp->type has an unknown random value.
>
> François.
Although you are correct that the "double-test" is redundant, it is not
the cause of the problem (in fact, during "optimisation", the gcc
compiler gets rid of the redundancy). I have made an enhancement to
xpath.c in SVN which fixes the problem - if you are interested in the
details, see
http://svn.gnome.org/viewcvs/libxml2/trunk/xpath.c?rev=3584&r1=3575&r2=3584
Note that I didn't remove the redundant line you mentioned (but I will
the next time I make any change to the module :-).
Regards,
Bill