[xsde-users] State stack: memory corruption for stacks >= 8, with patch
Klaus Kuehnhammer
klaus at bitstem.com
Thu Aug 26 08:09:49 EDT 2010
Hi,
I've run into memory corruption with XSD/E 3.1.0 on Linux, and have
found two issues with the way the state stack is handled.
For me this happens when the stack is grown beyond its default depth of
8 in a sequence, so to reproduce you need to use XML input that nests
the tags at least 8 levels deep.
- in stack.ixx (libxsde), push() grows the stack one call too late,
causing top() to point beyond the allocated region when the stack size
reaches the default of 8.
- in the generated _start_element_impl, top() is called once before the
recursive state machine calls. If the stack is grown during this, the
existing states are copied to a new memory location (grow() in
stack.cxx). The element-local reference vs is never updated and still
reads from the old, already delete[]'d stack buffer.
I'm attaching a patch against the 3.1.0+dep source distribution that
fixes these issues for my schema. I was reluctant to touch anything
beyond the choice/sequence validator code generation, so it's entirely
possible that the second situation (stale vs) can arise somewhere else
too.
I avoid the stale vs issue by updating it through a last() method I
added to the stack: it gets the element last pushed in, even if the
buffer has been grown and moved somewhere else. There might be a more
elegant solution.
The fix for the first issue simply makes sure grow() is called as soon
as the stack is full.
Hope that helps!
Klaus
--
Bitstem Software
Klaus Kuehnhammer
Wasnergasse 11/5
1200 Wien, Austria
+43 664 2133466
klaus at bitstem.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: xsde-3.1.0-state-stack.patch
Type: text/x-patch
Size: 3595 bytes
Desc: not available
Url : http://codesynthesis.com/pipermail/xsde-users/attachments/20100826/50426449/xsde-3.1.0-state-stack.bin
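The two defects described above (growing one push too late, and holding a pointer into the stack buffer across nested pushes that may reallocate it) are easy to reproduce and check in a minimal stack of your own. The following is an added illustration, not libxsde's stack.ixx/stack.cxx and not Klaus's patch: a hypothetical fixed-element-size stack with the initial capacity of 8 mentioned in the post, whose push() grows before writing the new slot, plus a simulated nested element handler that re-fetches the current state through top() after recursion instead of reusing a pointer taken earlier. The state struct, the descend() helper and the 8/16/32 capacity doubling are assumptions made for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Hypothetical state stack (assumed for this example; not libxsde's).
// Elements are opaque blobs of elem_size bytes, initial capacity 8.
class state_stack {
public:
  explicit state_stack(std::size_t elem_size, std::size_t initial = 8)
    : size_(elem_size), capacity_(initial), count_(0),
      data_(new unsigned char[elem_size * initial]) {}
  ~state_stack() { delete[] data_; }
  state_stack(const state_stack&) = delete;
  state_stack& operator=(const state_stack&) = delete;

  // Correct order: when the stack is full, grow *before* computing the slot.
  // Growing after the write is the off-by-one the post describes, and the
  // slot would then point one element past the allocated region.
  void* push() {
    if (count_ == capacity_) grow();
    void* slot = data_ + count_ * size_;
    ++count_;
    return slot;
  }
  void pop() { if (count_) --count_; }
  void* top() { return data_ + (count_ - 1) * size_; }

  std::size_t capacity() const { return capacity_; }
  std::size_t count() const { return count_; }
  const void* buffer() const { return data_; }

private:
  // grow() copies existing states to a new buffer and frees the old one,
  // so any pointer obtained from top()/push() before the call is now stale.
  void grow() {
    std::size_t new_cap = capacity_ * 2;
    unsigned char* n = new unsigned char[new_cap * size_];
    std::memcpy(n, data_, count_ * size_);
    delete[] data_;
    data_ = n;
    capacity_ = new_cap;
  }

  std::size_t size_, capacity_, count_;
  unsigned char* data_;
};

// Capacity reached after pushing n elements (8 -> 8, 9 -> 16, 17 -> 32).
std::size_t capacity_after(std::size_t n) {
  state_stack s(sizeof(int));
  for (std::size_t i = 0; i < n; ++i) s.push();
  return s.capacity();
}

// Does pushing n elements move the buffer away from its initial address?
// The address is recorded as an integer before the old buffer is freed.
bool buffer_moved_after(std::size_t n) {
  state_stack s(sizeof(int));
  std::uintptr_t before = reinterpret_cast<std::uintptr_t>(s.buffer());
  for (std::size_t i = 0; i < n; ++i) s.push();
  return reinterpret_cast<std::uintptr_t>(s.buffer()) != before;
}

// Per-level state for the simulated element handler (constructed example).
struct state { int level; int children; };

// Simulates a nested start-element handler: push our state, recurse one
// level deeper, then update our own state. Because the recursion may have
// grown the stack, the pointer from push() is discarded and the current
// element is re-fetched via top() (the child has popped itself by then).
static int descend(state_stack& s, int level, int max_depth) {
  state* st = static_cast<state*>(s.push());
  st->level = level;
  st->children = 0;
  int ok = 0;
  if (level < max_depth) {
    ok += descend(s, level + 1, max_depth);
    st = static_cast<state*>(s.top());  // re-fetch: buffer may have moved
    st->children = 1;
  }
  if (st->level == level && st->children == (level < max_depth ? 1 : 0)) ++ok;
  s.pop();
  return ok;
}

// Number of nesting levels whose state survived intact; equals max_depth
// when no stale pointer was used, including for depths past 8 and 16.
int nested_levels_verified(int max_depth) {
  state_stack s(sizeof(state));
  return descend(s, 1, max_depth);
}

int main() {
  return nested_levels_verified(20) == 20 && !buffer_moved_after(8) &&
         buffer_moved_after(9) ? 0 : 1;
}
```

Running this shows the boundary the post identifies: the 8th push fits in the initial buffer, the 9th triggers grow() and moves it, so any reference taken before a nested push is only safe if it is re-fetched afterwards.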