Thread: pg 8.3.7 libxml trying to free NULL pointer

pg 8.3.7 libxml trying to free NULL pointer

From
Sergey Burladyan
Date:
This is CVS HEAD 8.3, Debian package 8.3.7 also affected.

libxml2: 2.7.3.dfsg-1 current version in debian testing.

postgres=# select version();
                                      version
-----------------------------------------------------------------------------------
 PostgreSQL 8.3.7 on i686-pc-linux-gnu, compiled by GCC gcc (Debian 4.3.3-3) 4.3.3

./configure --prefix=$HOME/inst/pg-dev --enable-nls --enable-debug --enable-depend --enable-cassert
--enable-thread-safety --with-pgport=5433 --with-libxml --with-libxslt

postgres=# select xpath('count(//)', '<a></a>'::xml);
server closed the connection unexpectedly
        This probably means the server terminated abnormally
        before or while processing the request.
The connection to the server was lost. Attempting reset: Succeeded.

TRAP: FailedAssertion("!(pointer != ((void *)0))", File: "mcxt.c", Line: 580)
LOG:  server process (PID 30335) was terminated by signal 6: Aborted

Program received signal SIGABRT, Aborted.
0xb7f90424 in __kernel_vsyscall ()
(gdb) bt
#0  0xb7f90424 in __kernel_vsyscall ()
#1  0xb7c59640 in *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2  0xb7c5b008 in *__GI_abort () at abort.c:88
#3  0x082efcae in ExceptionalCondition (conditionName=0x83d6832 "!(pointer != ((void *)0))",
    errorType=0x83237a2 "FailedAssertion", fileName=0x83d682b "mcxt.c", lineNumber=580) at assert.c:57
#4  0x0830f1cc in pfree (pointer=0x0) at mcxt.c:580
#5  0xb7e6e5d2 in ?? () from /usr/lib/libxml2.so.2
#6  0x00000000 in ?? ()


--
Sergey Burladyan

Re: pg 8.3.7 libxml trying to free NULL pointer

From
Sergey Burladyan
Date:
I installed the libxml2-dbg 2.7.3.dfsg-1 package; this is the backtrace with it:

Program received signal SIGABRT, Aborted.
0xb7f17424 in __kernel_vsyscall ()
(gdb) bt
#0  0xb7f17424 in __kernel_vsyscall ()
#1  0xb7be0640 in *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2  0xb7be2008 in *__GI_abort () at abort.c:88
#3  0x082efcae in ExceptionalCondition (conditionName=0x83d6832 "!(pointer != ((void *)0))",
    errorType=0x83237a2 "FailedAssertion", fileName=0x83d682b "mcxt.c", lineNumber=580) at assert.c:57
#4  0x0830f1cc in pfree (pointer=0x0) at mcxt.c:580
#5  0xb7df55d2 in xmlXPathCompPathExpr (ctxt=0x88a020c) at xpath.c:10312
#6  0xb7df58cd in xmlXPathCompUnaryExpr (ctxt=0x88a020c) at xpath.c:10616
#7  0xb7df5b0f in xmlXPathCompMultiplicativeExpr (ctxt=0x0) at xpath.c:10681
#8  0xb7df5cef in xmlXPathCompAdditiveExpr (ctxt=0x0) at xpath.c:10722
#9  0xb7df5e7f in xmlXPathCompRelationalExpr (ctxt=0x0) at xpath.c:10760
#10 0xb7df600f in xmlXPathCompEqualityExpr (ctxt=0x0) at xpath.c:10802
#11 0xb7df61cf in xmlXPathCompAndExpr (ctxt=0x0) at xpath.c:10833
#12 0xb7df6342 in xmlXPathCompileExpr (ctxt=0x0, sort=6) at xpath.c:10859
#13 0xb7dfd390 in xmlXPathCtxtCompile__internal_alias (ctxt=0x0, str=0x88b03d8 "count(//)") at xpath.c:14612
#14 0xb7dfd459 in xmlXPathCompile__internal_alias (str=0x88b03d8 "count(//)") at xpath.c:14663
#15 0x082da303 in xpath (fcinfo=0xbfe322a8) at xml.c:3465
#16 0x081975bb in ExecMakeFunctionResult (fcache=0x88ae670, econtext=0x88ae5d8,
    isNull=0x88aec78 "\177~\177\177\177\177\177\177��\206\b@", isDone=0x88aecd8) at execQual.c:1351
#17 0x081951f5 in ExecProject (projInfo=0x88aec8c, isDone=0xbfe32558) at execQual.c:4610
#18 0x081a8614 in ExecResult (node=0x88ae54c) at nodeResult.c:155
#19 0x081943ed in ExecProcNode (node=0x88ae54c) at execProcnode.c:319
#20 0x08192153 in ExecutorRun (queryDesc=0x88adb00, direction=ForwardScanDirection, count=1) at execMain.c:1335
#21 0x0819e807 in postquel_getnext (es=0x88ada8c, fcache=0x88ad174) at functions.c:378
#22 0x0819ecc2 in fmgr_sql (fcinfo=0xbfe327f8) at functions.c:479
#23 0x081975bb in ExecMakeFunctionResult (fcache=0x88ac668, econtext=0x88ac5d0, isNull=0x88acd40 "", isDone=0x88acd54)
    at execQual.c:1351
#24 0x081951f5 in ExecProject (projInfo=0x88acc48, isDone=0xbfe32aa8) at execQual.c:4610
#25 0x081a8614 in ExecResult (node=0x88ac544) at nodeResult.c:155
#26 0x081943ed in ExecProcNode (node=0x88ac544) at execProcnode.c:319
#27 0x08192153 in ExecutorRun (queryDesc=0x88abfd0, direction=ForwardScanDirection, count=0) at execMain.c:1335
#28 0x08241eab in PortalRunSelect (portal=0x88a31dc, forward=<value optimized out>, count=0, dest=0x889a274) at pquery.c:943
#29 0x082435cd in PortalRun (portal=0x88a31dc, count=2147483647, isTopLevel=1 '\001', dest=0x889a274, altdest=0x889a274,
    completionTag=0xbfe32d0a "") at pquery.c:797
#30 0x0823df8e in exec_simple_query (query_string=0x88991bc "select xpath('count(//)', '<a></a>'::xml);") at postgres.c:1004
#31 0x0823f7fc in PostgresMain (argc=4, argv=0x8810cf4, username=0x8810cc4 "seb") at postgres.c:3631
#32 0x0820973f in ServerLoop () at postmaster.c:3207
#33 0x0820a6c3 in PostmasterMain (argc=4, argv=0x880ec88) at postmaster.c:1029
#34 0x081b8606 in main (argc=4, argv=0x880ec88) at main.c:188


--
Sergey Burladyan

Re: pg 8.3.7 libxml trying to free NULL pointer

From
Tom Lane
Date:
Sergey Burladyan <eshkinkot@gmail.com> writes:
> postgres=# select xpath('count(//)', '<a></a>'::xml);
> server closed the connection unexpectedly
>         This probably means the server terminated abnormally
>         before or while processing the request.

Hmm.  Looking at the libxml2 source code makes it clear that at least
this one function (xmlXPathCompFunctionCall) needs xmlFree(NULL) to be a
no-op, because it's not checking.  I don't know whether the libxml guys
would consider that a bug or not.  Their API specifications are so poor
that one can't really tell if an xmlFree callback is supposed to allow
NULL or not.  The wording of
http://xmlsoft.org/html/libxml-xmlmemory.html#xmlFreeFunc suggests not,
and since we've not seen this before, there's at least fairly large
sections of libxml that do not assume they can free(NULL).

Anyway, I suppose the most prudent thing to do is assume that xml_pfree
had better act like POSIX free() and allow NULL, because it's unlikely
they test their code with any other implementation ...

            regards, tom lane
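The mechanism the thread settles on, as an added example that is not code from PostgreSQL or libxml2: libxml2 lets an embedder replace its allocator through xmlMemSetup(), PostgreSQL plugs its memory-context pfree() into the free slot, and at least one libxml2 code path hands that hook a NULL pointer, so the hook inherits whatever pfree() does with NULL. Any role that can run the SELECT in the report can take the backend down with it, and since the backend aborts, the postmaster treats it as a crash and resets every other session (the "Attempting reset" line in the first message). The model below keeps the shape of that contract: `pfree_model` stands in for pfree() and counts the failed assertion instead of calling abort() so a test can observe it; `scan_name` and `compile_step` are constructed stand-ins for the libxml2 path, not its actual XPath compiler; `xml_pfree_strict` is the pass-through hook and `xml_pfree_tolerant` the POSIX-free()-like one the message proposes. The step strings are constructed inputs.

```c
/* Added example, not PostgreSQL's or libxml2's code.  Models the free-hook
 * contract mismatch from the thread: a hook registered with xmlMemSetup()
 * must accept NULL like POSIX free(), because libxml2 calls it that way. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same shape as libxml2's xmlFreeFunc, the type xmlMemSetup() takes. */
typedef void (*free_hook_t)(void *mem);

/* Counters so a test can observe the outcome without the process dying. */
static int failed_assertions;
static int freed_blocks;

/* Stand-in for pfree() from mcxt.c.  In a --enable-cassert build the real
 * function does Assert(pointer != NULL) and the backend aborts (the TRAP in
 * the report); this model counts the violation instead of calling abort(). */
static void pfree_model(void *pointer)
{
    if (pointer == NULL) {
        failed_assertions++;
        return;
    }
    free(pointer);
    freed_blocks++;
}

/* The hook as a straight pass-through: inherits pfree()'s NULL intolerance. */
void xml_pfree_strict(void *ptr)
{
    pfree_model(ptr);
}

/* The hook the thread's conclusion calls for: behave like POSIX free(NULL). */
void xml_pfree_tolerant(void *ptr)
{
    if (ptr != NULL)
        pfree_model(ptr);
}

/* The free slot that xmlMemSetup() would fill in. */
static free_hook_t free_hook = NULL;

/* Constructed stand-in for libxml2's name scanning: copy a leading run of
 * letters, or return NULL when the step starts with something else, as a
 * bare "//" does in the reported expression.  Not libxml2's code. */
static char *scan_name(const char *step)
{
    size_t n = 0;
    while (isalpha((unsigned char) step[n]))
        n++;
    if (n == 0)
        return NULL;
    char *name = malloc(n + 1);
    if (name == NULL)
        return NULL;
    memcpy(name, step, n);
    name[n] = '\0';
    return name;
}

/* Constructed stand-in for a libxml2 compile function: scan a name, note
 * whether one was found, then release it through the registered hook
 * without checking for NULL, the pattern Tom Lane describes. */
static int compile_step(const char *step)
{
    char *name = scan_name(step);
    int named = (name != NULL);
    free_hook(name);            /* unconditional, exactly the risky call */
    return named;
}

/* Installs the hook, compiles one step, and returns how many assertion
 * failures it caused: 0 means the backend would have survived. */
int assertions_for(const char *step, free_hook_t hook)
{
    failed_assertions = 0;
    freed_blocks = 0;
    free_hook = hook;
    compile_step(step);
    return failed_assertions;
}

int main(void)
{
    static const char *const steps[] = { "a", "//" };   /* constructed inputs */
    for (size_t i = 0; i < sizeof steps / sizeof steps[0]; i++) {
        printf("%-3s strict: %d assertion(s)   tolerant: %d assertion(s)\n",
               steps[i],
               assertions_for(steps[i], xml_pfree_strict),
               assertions_for(steps[i], xml_pfree_tolerant));
    }
    return 0;
}
```

The check a practitioner wants from this is the pair of runs on "//": the pass-through hook trips the assertion, the tolerant one does not, and both free a real name correctly. The assertion is only how a cassert build reports the problem; without assertions the same pfree(NULL) would still go wrong, since pfree() locates the owning context from a chunk header stored just before the pointer. Treat any allocator hook you hand to a third-party library the same way: match the semantics of the C function it replaces, NULL included, rather than the stricter contract of your own allocator.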