pg 8.3.7 libxml trying to free NULL pointer
This is CVS HEAD 8.3, Debian package 8.3.7 also affected.
libxml2: 2.7.3.dfsg-1 current version in debian testing.
postgres=# select version();
version
-----------------------------------------------------------------------------------
PostgreSQL 8.3.7 on i686-pc-linux-gnu, compiled by GCC gcc (Debian 4.3.3-3) 4.3.3
./configure --prefix=$HOME/inst/pg-dev --enable-nls --enable-debug --enable-depend --enable-cassert --enable-thread-safety --with-pgport=5433 --with-libxml --with-libxslt
postgres=# select xpath('count(//)', '<a></a>'::xml);
server closed the connection unexpectedly
This probably means the server terminated abnormally
before or while processing the request.
The connection to the server was lost. Attempting reset: Succeeded.
TRAP: FailedAssertion("!(pointer != ((void *)0))", File: "mcxt.c", Line: 580)
LOG: server process (PID 30335) was terminated by signal 6: Aborted
Program received signal SIGABRT, Aborted.
0xb7f90424 in __kernel_vsyscall ()
(gdb) bt
#0 0xb7f90424 in __kernel_vsyscall ()
#1 0xb7c59640 in *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2 0xb7c5b008 in *__GI_abort () at abort.c:88
#3 0x082efcae in ExceptionalCondition (conditionName=0x83d6832 "!(pointer != ((void *)0))",
errorType=0x83237a2 "FailedAssertion", fileName=0x83d682b "mcxt.c", lineNumber=580) at assert.c:57
#4 0x0830f1cc in pfree (pointer=0x0) at mcxt.c:580
#5 0xb7e6e5d2 in ?? () from /usr/lib/libxml2.so.2
#6 0x00000000 in ?? ()
--
Sergey Burladyan
I installed the libxml2-dbg 2.7.3.dfsg-1 package; this is the backtrace with it:
Program received signal SIGABRT, Aborted.
0xb7f17424 in __kernel_vsyscall ()
(gdb) bt
#0 0xb7f17424 in __kernel_vsyscall ()
#1 0xb7be0640 in *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2 0xb7be2008 in *__GI_abort () at abort.c:88
#3 0x082efcae in ExceptionalCondition (conditionName=0x83d6832 "!(pointer != ((void *)0))",
errorType=0x83237a2 "FailedAssertion", fileName=0x83d682b "mcxt.c", lineNumber=580) at assert.c:57
#4 0x0830f1cc in pfree (pointer=0x0) at mcxt.c:580
#5 0xb7df55d2 in xmlXPathCompPathExpr (ctxt=0x88a020c) at xpath.c:10312
#6 0xb7df58cd in xmlXPathCompUnaryExpr (ctxt=0x88a020c) at xpath.c:10616
#7 0xb7df5b0f in xmlXPathCompMultiplicativeExpr (ctxt=0x0) at xpath.c:10681
#8 0xb7df5cef in xmlXPathCompAdditiveExpr (ctxt=0x0) at xpath.c:10722
#9 0xb7df5e7f in xmlXPathCompRelationalExpr (ctxt=0x0) at xpath.c:10760
#10 0xb7df600f in xmlXPathCompEqualityExpr (ctxt=0x0) at xpath.c:10802
#11 0xb7df61cf in xmlXPathCompAndExpr (ctxt=0x0) at xpath.c:10833
#12 0xb7df6342 in xmlXPathCompileExpr (ctxt=0x0, sort=6) at xpath.c:10859
#13 0xb7dfd390 in xmlXPathCtxtCompile__internal_alias (ctxt=0x0, str=0x88b03d8 "count(//)") at xpath.c:14612
#14 0xb7dfd459 in xmlXPathCompile__internal_alias (str=0x88b03d8 "count(//)") at xpath.c:14663
#15 0x082da303 in xpath (fcinfo=0xbfe322a8) at xml.c:3465
#16 0x081975bb in ExecMakeFunctionResult (fcache=0x88ae670, econtext=0x88ae5d8,
isNull=0x88aec78 "\177~\177\177\177\177\177\177��\206\b@", isDone=0x88aecd8) at execQual.c:1351
#17 0x081951f5 in ExecProject (projInfo=0x88aec8c, isDone=0xbfe32558) at execQual.c:4610
#18 0x081a8614 in ExecResult (node=0x88ae54c) at nodeResult.c:155
#19 0x081943ed in ExecProcNode (node=0x88ae54c) at execProcnode.c:319
#20 0x08192153 in ExecutorRun (queryDesc=0x88adb00, direction=ForwardScanDirection, count=1) at execMain.c:1335
#21 0x0819e807 in postquel_getnext (es=0x88ada8c, fcache=0x88ad174) at functions.c:378
#22 0x0819ecc2 in fmgr_sql (fcinfo=0xbfe327f8) at functions.c:479
#23 0x081975bb in ExecMakeFunctionResult (fcache=0x88ac668, econtext=0x88ac5d0, isNull=0x88acd40 "", isDone=0x88acd54)
at execQual.c:1351
#24 0x081951f5 in ExecProject (projInfo=0x88acc48, isDone=0xbfe32aa8) at execQual.c:4610
#25 0x081a8614 in ExecResult (node=0x88ac544) at nodeResult.c:155
#26 0x081943ed in ExecProcNode (node=0x88ac544) at execProcnode.c:319
#27 0x08192153 in ExecutorRun (queryDesc=0x88abfd0, direction=ForwardScanDirection, count=0) at execMain.c:1335
#28 0x08241eab in PortalRunSelect (portal=0x88a31dc, forward=<value optimized out>, count=0, dest=0x889a274) at pquery.c:943
#29 0x082435cd in PortalRun (portal=0x88a31dc, count=2147483647, isTopLevel=1 '\001', dest=0x889a274, altdest=0x889a274,
completionTag=0xbfe32d0a "") at pquery.c:797
#30 0x0823df8e in exec_simple_query (query_string=0x88991bc "select xpath('count(//)', '<a></a>'::xml);") at postgres.c:1004
#31 0x0823f7fc in PostgresMain (argc=4, argv=0x8810cf4, username=0x8810cc4 "seb") at postgres.c:3631
#32 0x0820973f in ServerLoop () at postmaster.c:3207
#33 0x0820a6c3 in PostmasterMain (argc=4, argv=0x880ec88) at postmaster.c:1029
#34 0x081b8606 in main (argc=4, argv=0x880ec88) at main.c:188
--
Sergey Burladyan
Sergey Burladyan <eshkinkot@gmail.com> writes:
> postgres=# select xpath('count(//)', '<a></a>'::xml);
> server closed the connection unexpectedly
> This probably means the server terminated abnormally
> before or while processing the request.
Hmm. Looking at the libxml2 source code makes it clear that at least
this one function (xmlXPathCompFunctionCall) needs xmlFree(NULL) to be a
no-op, because it's not checking. I don't know whether the libxml guys
would consider that a bug or not. Their API specifications are so poor
that one can't really tell if an xmlFree callback is supposed to allow
NULL or not. The wording of
http://xmlsoft.org/html/libxml-xmlmemory.html#xmlFreeFunc suggests not,
and since we've not seen this before, there's at least fairly large
sections of libxml that do not assume they can free(NULL).
Anyway, I suppose the most prudent thing to do is assume that xml_pfree
had better act like POSIX free() and allow NULL, because it's unlikely
they test their code with any other implementation ...
regards, tom lane
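
The free-callback contract discussed in this thread, as an added C example that is not part of the original posts and is not PostgreSQL or libxml2 code. `strict_free`, `forwarding_free`, `null_safe_free` and `qname_local_len` are hypothetical stand-ins, and the strict allocator counts NULL frees instead of aborting so that both callbacks can be compared in one run.

```c
#include <stdlib.h>
#include <string.h>

typedef void (*free_fn)(void *);
static int null_free_violations = 0;

/* Stand-in for a free routine that rejects NULL, as pfree() does in the
 * report; it counts violations instead of aborting. */
static void strict_free(void *p)
{
    if (p == NULL) { null_free_violations++; return; }
    free(p);
}

/* Callback that forwards every pointer: inherits the NULL restriction. */
static void forwarding_free(void *p) { strict_free(p); }

/* Callback with POSIX free() semantics: NULL is a no-op. */
static void null_safe_free(void *p) { if (p != NULL) strict_free(p); }

static char *copy_n(const char *s, size_t n)
{
    char *out = malloc(n + 1);
    if (out != NULL) { memcpy(out, s, n); out[n] = '\0'; }
    return out;
}

/* Hypothetical library routine: splits "prefix:name" and releases both parts
 * through the caller's callback without a NULL check. Returns name length. */
static size_t qname_local_len(const char *qname, free_fn lib_free)
{
    const char *colon = strchr(qname, ':');
    char *prefix = colon ? copy_n(qname, (size_t)(colon - qname)) : NULL;
    const char *local = colon ? colon + 1 : qname;
    char *name = copy_n(local, strlen(local));
    size_t len = name ? strlen(name) : 0;
    lib_free(name);
    lib_free(prefix);   /* NULL whenever the name has no prefix */
    return len;
}

/* NULL frees the strict allocator saw during one call. */
static int violations_with(free_fn cb, const char *qname)
{
    null_free_violations = 0;
    (void)qname_local_len(qname, cb);
    return null_free_violations;
}

/* Exit status 0 means: null-safe callback clean, forwarding callback trips. */
int main(void) { return violations_with(null_safe_free, "count") != 0 || violations_with(forwarding_free, "count") != 1; }
```

Only the unprefixed name reaches the strict allocator with NULL, which is why a forwarding callback can run for a long time before an input like this one exposes it.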