[xsde-users] State stack: memory corruption for stacks >= 8, with patch

Boris Kolpackov boris at codesynthesis.com
Fri Aug 27 14:07:22 EDT 2010


Hi Klaus,

I have CC'ed xsde-users to my reply.

Klaus Kuehnhammer <klaus at bitstem.com> writes:

> I still get the memory issues I described in the second point using your
> patch.

Yes, you are right. I was concentrating on the code after the loop
while it is the code in the loop that has the problem.

My solution is to re-implement the stack so that it doesn't move
elements:

http://scm.codesynthesis.com/?p=xsde/xsde.git;a=commit;h=14b909b25dec8e68f7bcb35e89ce503c5f12967c

It will probably be easier to just copy the whole stack.?xx files
than apply the patch.

Let me know if you get any problems with this.

Boris


[The rest of the original email follows for context.]

> 
> Putting some printfs in the stack push and start_element code shows that
> the stack is definitely grown by something (the (this->*vd->func)
> calls? ) before vs is read back:
> 
> push ()
>     {
>       if (size_ > capacity_)
>       {
> printf("%p: growing stack, old buffer at %p, top %p\n", this, data_, top());
> #ifdef XSDE_EXCEPTIONS
>         grow ();
> #else
>         if (error e = grow ())
>           return e;
> #endif
> 
> printf("%p: new buffer at %p, top %p\n", this, data_, top() );
>       }
> 
> -------------------------------------------------------------------------------
> 
> _start_element_impl (const ::xsde::cxx::ro_string& ns,
>                      const ::xsde::cxx::ro_string& n)
> {
>   ::xsde::cxx::parser::context& ctx = this->_context ();
> 
>   v_state_& vs = *static_cast< v_state_* > (this->v_state_stack_.top ());
>   v_state_descr_* vd = vs.data + (vs.size - 1);
>   printf("set vs\n");
> 
>   if (vd->func == 0 && vd->state == 0)
>   {
>     typedef ::xsde::cxx::parser::validating::complex_content base;
>     if (base::_start_element_impl (ns, n))
>       return true;
>     else
>       vd->state = 1;
>   }
> 
>   while (vd->func != 0)
>   {
>     (this->*vd->func) (vd->state, vd->count, ns, n, true);
> 
>   printf("read vs\n");
>     vd = vs.data + (vs.size - 1);
> 
>     if (vd->state == ~0UL && !ctx.error_type ())
>       vd = vs.data + (--vs.size - 1);
>     else
>       break;
>   }
> 
> -------------------------------------------------------------------------------
> 
> log:
> 
> read vs
> set vs
> set vs
> 0x7feffc5a0: growing stack, old buffer at 0x8511660, top 0x85116d0
> 0x7feffc5a0: new buffer at 0x8513f70, top 0x8513fe0
> 0x7feffc468: growing stack, old buffer at 0x8511720, top 0x85117c8
> 0x7feffc468: new buffer at 0x85140b0, top 0x8514158
> 0x7feffc568: growing stack, old buffer at 0x8511820, top 0x8511827
> 0x7feffc568: new buffer at 0x8514270, top 0x8514277
> 0x7feffc538: growing stack, old buffer at 0x8511870, top 0x8511b48
> 0x7feffc538: new buffer at 0x85142c0, top 0x8514598
> read vs
> 
> after this, valgrind reports reads from the old buffer that has just
> been deleted.
> 
> The XML input that triggers this is structured like this:
> <a>
> <b/>
> <a>
> <b/>
> <a>
> <b/>
> <a>
> <b/>
> <a>
> <b/>
> <a>
> <b/>
> <a>
> <b/>
> <a>
> <b/>
> <a>
> <b/>
> </a>
> </a>
> </a>
> </a>
> </a>
> </a>
> </a>
> </a>
> </a>
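
Added illustration, not code from xsde or from either poster: a minimal stack of the shape that fails in the thread (growth copies the buffer and frees the old one, so the `vs` reference held across the nested push in `_start_element_impl` dangles) beside a stack of the shape Boris's fix uses (elements never move). The class names `moving_stack`, `stable_stack`, the `at()` accessor and the block size are assumptions of this example, not xsde's actual implementation; `top_survives_growth` re-creates the hold-pointer-then-push pattern and compares addresses as integers so nothing freed is ever dereferenced.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>
// Moving stack (the buggy shape): grow() copies elements into a fresh buffer and
// frees the old one, so a pointer taken before a push() may dangle afterwards.
class moving_stack {
public:
  explicit moving_stack(std::size_t cap = 4) : data_(new int[cap]), size_(0), capacity_(cap) {}
  ~moving_stack() { delete[] data_; }
  moving_stack(const moving_stack&) = delete;
  void push(int v) { if (size_ == capacity_) grow(); data_[size_++] = v; }
  int* top() { return data_ + size_ - 1; }
  int* at(std::size_t i) { return data_ + i; }
  std::size_t size() const { return size_; }
private:
  void grow() {
    capacity_ *= 2; int* n = new int[capacity_];
    for (std::size_t i = 0; i < size_; ++i) n[i] = data_[i];
    delete[] data_; data_ = n;  // every earlier top()/at() result now points into freed memory
  }
  int* data_; std::size_t size_, capacity_;
};
// Non-moving stack (the fix's shape): elements live in fixed-size blocks that are
// allocated on demand and never relocated, so an address stays valid until popped.
class stable_stack {
public:
  static const std::size_t block = 4;  // hypothetical block size chosen for this example
  stable_stack() : size_(0) {}
  ~stable_stack() { for (std::size_t i = 0; i < blocks_.size(); ++i) delete[] blocks_[i]; }
  stable_stack(const stable_stack&) = delete;
  void push(int v) {
    if (size_ % block == 0) blocks_.push_back(new int[block]);  // new block, nothing moves
    blocks_[size_ / block][size_ % block] = v; ++size_;
  }
  int* top() { return at(size_ - 1); }
  int* at(std::size_t i) { return blocks_[i / block] + i % block; }
  std::size_t size() const { return size_; }
private:
  std::vector<int*> blocks_; std::size_t size_;
};
// Mirrors _start_element_impl: remember the top element's address, let a nested
// push force growth, then check whether the element still lives at that address.
template <class Stack>
bool top_survives_growth(Stack& s) {
  for (int i = 0; i < 4; ++i) s.push(i);  // fill the initial capacity / first block
  std::uintptr_t vs = reinterpret_cast<std::uintptr_t>(s.top());  // like v_state_& vs
  std::size_t idx = s.size() - 1;
  s.push(99);  // the nested push that triggers grow()
  return vs == reinterpret_cast<std::uintptr_t>(s.at(idx));  // integer compare, no deref
}
```

Under Valgrind or AddressSanitizer, dereferencing the saved pointer after growth in `moving_stack` is reported as a read from freed memory, which is exactly the report in the log above; `stable_stack` produces no such report because the old block is still the live home of that element.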


