Expat XML Parser

Tracker: Bugs

5 missing check of stopped parser in doContent() 'for' loop - ID: 1515266

Last Update: Comment added ( kwaclaw )

Details:

In Expat 2.0.0, in expat.c:doConvert() there is a 'for'
loop for the XML_TOK_DATA_CHARS case. There is
unfortunately no check in that loop whether the parser
was stopped during that call because of an error.

This was discovered in Python
(Lib/test/crashers/xml_parsers.py) because pyexpat,
upon error where there is no error return code like
with characterDataHandlers, sets all handlers to 0,
sets parsingStatus to XML_FINISHED, and sets errorCode.
This leads to a segfault if the 'for' loop goes around
again because parser->m_characterDataHandler is set to 0.

A simple check if the parser is stopped fixes the
problem. I have attached a simple patch that just
breaks out of the loop and lets execution fall through
to the bottom of the 'switch' statement. I don't know
if returning errorCode directly would be better or if
checking for XML_SUSPENDED is also desirable.

Submitted:

Brett Cannon ( bcannon ) - 2006-06-30 18:04

Priority:

Status:

Open

Resolution:

Fixed

Assigned:

Fred L. Drake, Jr.

Category:

None

Group:

Test Required

Visibility:

Public

Comments ( 18 )

Date: 2009-01-17 16:09 Sender: kwaclaw Comment for Fred: So, do we need to address this last comment - i.e. that Python is supposedly broken with release 2.0.1? Karl
Date: 2008-05-24 23:50 Sender: dleverton > Python compatibility still needs testing. This does indeed break Python: when it clears the handler, it sets the variable containing the Python-side handler to NULL, and then assumes that said variable is non-null when expat calls the old handler. (The vanilla Python distribution uses a bundled copy of expat from before this change was made, which is probably why no-one's complained until now, but some Linux distros like to use the system copy instead of the bundled one.)
Date: 2006-11-25 17:41 Sender: kwaclaw Is anyone testing CVS for this solution?
Date: 2006-07-10 19:02 Sender: kwaclaw Logged In: YES user_id=290026 Applied the patch preserving default handler failover. See xmlparse.c rev. 1.158. Docs updated as well. Python compatibility still needs testing.
Date: 2006-07-06 17:19 Sender: kwaclaw Logged In: YES user_id=290026 I am attaching a patch to current CVS that preserves the default handler failover logic by saving the character data handler to a local variable instead of moving the NULL check into the inner for loop (file "localCharDataHandlerPatch.diff"). The drawback: Even if the handler is cleared, it will be called back on as long as the inner for loop is active. Could be a problem for Python, if it cannot deal with a few more call-backs despite clearing the handlers.
Date: 2006-07-06 17:03 Sender: bcannon Logged In: YES user_id=357491 Yes, I'm listening, Fred. =) If you look at PEP 356 (http://www.python.org/dev/peps/pep-0356/) it seems like b2 is due on July 12 and rc1 August 1. So there is still time to get whatever change/fix needed to Python's wrapper before we hit final release.
Date: 2006-07-06 12:56 Sender: kwaclaw Logged In: YES user_id=290026 One way to preserver the old default handler logic would be this: Revert back to the original code, but save the character data handler into a local variable for the duration of the inner for loop. This would prevent the segfault, but would enforce the call-backs in the loop to go on until the loop terminates, even if the character data handler was cleared. I personally like this solution, but the question is how Python could handle it if there were more call-backs even after the handlers were cleared.
Date: 2006-07-06 05:15 Sender: fdrake Logged In: YES user_id=3066 Python (on the trunk) is no longer quite as sensitive to the Expat implementation for this, so that's not a source of time pressure to come up with the final fix for this. Reducing priority back to "Medium"
Date: 2006-07-06 03:23 Sender: fdrake Logged In: YES user_id=3066 The tests now pass, but agree that the lack of falling back to the default handler is undesirable. As noted, I'm not sure how much we want to worry about this in code, though, rather than through documentation.
Date: 2006-07-06 02:55 Sender: kwaclaw Logged In: YES user_id=290026 The bug is quite obvious when you look at it. When the character data handler is cleared, the for loop will do nothing forever. Please check again with xmlparse.c rev. 1.157. However this quick fix is not quite satisfying. There is one piece of logic that becomes ill-fitted now: the "fail-over" to the default handler does not work as expected anymore, so I'll have some more thinking to do.
Date: 2006-07-06 02:38 Sender: fdrake Logged In: YES user_id=3066 The tests no longer complete, but take up all the CPU the system will let them have. Hallmarks of an infinite loop, if you ask me. :-) Are you able to run the tests on Windows? I don't know if a MSVC++ target was ever built for them, and don't have access to a Windows development machine most of the time. One thing that can be done is to document that the character data handler can't be removed (though it can be replaced), during parsing, except from some non-character data (and non-decoding-related) handler. Then the Python bindings can use an alternate approach, replacing the character handler with a completely no-op handler until it can be safely removed completely. Brett, are you still paying attention? I can make the needed changes to the Python bindings to isolate those from some of the changes in Expat, hopefully no later than sometime this weekend. Not sure what the release schedule is, though. Karl, I'm generally inclined to make Expat as safe from segfaults as possible, so I'd like things to "just work" in even some of the oddball scenarios that exception-handling wrappers built to support scripting languages might present, though I don't object to making them go through a bit of extra work. I know our main audience is very performance-sensitive, so I don't want to pay too high a cost on that front. It might be worth taking the discussion of alternatives to the mailing list, but I vaguely recall that we've done that before.
Date: 2006-07-05 13:26 Sender: kwaclaw Logged In: YES user_id=290026 Corrected Summary.
Date: 2006-07-05 13:14 Sender: kwaclaw Logged In: YES user_id=290026 Applied the patch for bug # 1515600 which solves this issue as well. Removed the check for XML_FINISHED/XML_SUSPENDED. We could discuss special treatment of XML_FINISHED, but if one is clearing all handlers anyway, then special treatment of XML_FINISHED is not necessary. For Fred: I have not re-run the test cases. Please do so and close the issue if successful.
Date: 2006-07-04 13:37 Sender: kwaclaw Logged In: YES user_id=290026 I am re-opening this issue because in the case of a suspended parser, breaking out of the inner loop in XML_TOK_DATA_CHARS means that character call-backs are missed when resuming the parser. We should let the inner loop finish reporting all characters. The documentation already states that after calling XML_StopParser() there may still be a few call-backs that would otherwise be missed, so this would not be new behaviour, but consistent with existing behaviour. The solution to the problem described is the same as suggested for bug # 1515600 (Segfault after removing character data handler). Just put the NULL check for the character data handler inside the internal loop. Btw, the same problem exists in the doCdataSection() function. I'll attach a patch suggestion to bug # 1515600. We might decide to treat XML_FINISHED different from XML_SUSPENDED such that no other call-backs will happen, but in that case we need to review all the other places where this would need to be done as well (and update the documentation, of course).
Date: 2006-07-01 15:32 Sender: fdrake Logged In: YES user_id=3066 Confirmed that the suspend behavior parallels the abort behavior Brett's patch fixed; fixed and added a regression test in lib/xmlparse.c 1.155 and tests/runtests.c 1.66.
Date: 2006-07-01 15:02 Sender: fdrake Logged In: YES user_id=3066 Added a regression test in tests/runtests.c revision 1.65. Closing this report.
Date: 2006-07-01 04:00 Sender: fdrake Logged In: YES user_id=3066 That seems fine, but can be done faster within the Expat implementation. I've committed the simplified patch as lib/xmlparse.c revision 1.154. I'll have a test case committed tomorrow as well. Leaving this report open for now since I need to finish up the test case.
Date: 2006-06-30 18:40 Sender: fdrake Logged In: YES user_id=3066 The Python folks need this dealt with before Python 2.5, so I'll try and take a look at it this weekend if no one beats me to it.

Attached Files ( 2 )

Filename	Description	Download
localCharDataHandlerPatch.diff	Patch that preserves default handler logic	Download
expat_check_status.diff	Add check for stopped parser in 'for' loop in doConvert()	Download

Changes ( 14 )

Field	Old Value	Date	By
File Added	184081: localCharDataHandlerPatch.diff	2006-07-06 17:19	kwaclaw
priority	6	2006-07-06 05:15	fdrake
summary	missing check of stopped parser in doContext() 'for' loop	2006-07-05 13:26	kwaclaw
resolution_id	None	2006-07-05 13:14	kwaclaw
resolution_id	Accepted	2006-07-04 13:37	kwaclaw
status_id	Closed	2006-07-04 13:37	kwaclaw
close_date	2006-07-01 15:02	2006-07-04 13:37	kwaclaw
close_date	-	2006-07-01 15:02	fdrake
status_id	Open	2006-07-01 15:02	fdrake
artifact_group_id	None	2006-07-01 04:00	fdrake
resolution_id	None	2006-07-01 04:00	fdrake
assigned_to	nobody	2006-06-30 18:40	fdrake
priority	5	2006-06-30 18:40	fdrake
File Added	183470: expat_check_status.diff	2006-06-30 18:04	bcannon

Expat XML Parser

Tracker: Bugs

Comments ( 18 )

Attached Files ( 2 )

Changes ( 14 )

About SourceForge

Find Software

Develop Software

Community

Help