Bug #4445

Problem with validation [ArrayIndexOutOfBoundsException in TinyTree]

Added by Mathieu Bergonzini 7 months ago. Updated 5 months ago.

Schema conformance
Start date:
Due date:
% Done:


Estimated time:
Legacy ID:
Applies to branch:
9.8, 9.9, trunk
Fix Committed on Branch:
9.8, 9.9, trunk
Fixed in Maintenance Release:


Hello, I have a problem with xml validation by xsd schema. Some files crash validation and I get this error message:

java.lang.ArrayIndexOutOfBoundsException: 32008
	at net.sf.saxon.tree.tiny.TinyParentNodeImpl.getStringValueCS(
	at net.sf.saxon.tree.tiny.TinyParentNodeImpl.getStringValueCS(
	at net.sf.saxon.tree.tiny.TinyTree.getTypedValueOfElement(
	at net.sf.saxon.tree.tiny.TinyElementImpl.atomize(
	at net.sf.saxon.tree.wrapper.VirtualCopy.atomize(
	at net.sf.saxon.expr.OrExpression.effectiveBooleanValue(
	at net.sf.saxon.expr.instruct.Choose.choose(
	at net.sf.saxon.expr.instruct.Choose.iterate(
	at net.sf.saxon.expr.Expression.effectiveBooleanValue(
	at net.sf.saxon.functions.NotFn$1.effectiveBooleanValue(
	at net.sf.saxon.expr.FilterIterator$NonNumeric.matches(
	at net.sf.saxon.expr.FilterIterator.getNextMatchingItem(
	at net.sf.saxon.event.ProxyReceiver.endElement(
	at net.sf.saxon.event.StartTagBuffer.endElement(
	at net.sf.saxon.event.PathMaintainer.endElement(
	at net.sf.saxon.event.DocumentValidator.endElement(
	at net.sf.saxon.event.ReceivingContentHandler.endElement(
	at net.sf.saxon.event.Sender.sendSAXSource(
	at net.sf.saxon.event.Sender.send(
	at fr.insee.test.saxonee.util.SaxonUtilTest.validateTestBug(
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(
	at java.lang.reflect.Method.invoke(
	at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(
	at org.junit.runners.model.FrameworkMethod.invokeExplosively(
	at org.junit.internal.runners.statements.InvokeMethod.evaluate(
	at org.junit.runners.ParentRunner.runLeaf(
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(
	at org.junit.runners.ParentRunner$
	at org.junit.runners.ParentRunner$1.schedule(
	at org.junit.runners.ParentRunner.runChildren(
	at org.junit.runners.ParentRunner.access$000(
	at org.junit.runners.ParentRunner$2.evaluate(
	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(
	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(
	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(

Here is the code I use for validation:

        File schema = new File("./src/test/resources/shema.xsd");
        File file = new File("./src/test/resources/file-bug.xml");
        Processor proc = new Processor(true);
        proc.setConfigurationProperty(FeatureKeys.LICENSE_FILE_LOCATION, "./src/test/resources/saxon-license.lic");
        SchemaManager sm = proc.getSchemaManager();
        sm.load(new StreamSource(schema));
        SchemaValidator sv = sm.newSchemaValidator();
        sv.validate(new StreamSource(new FileInputStream(file)));

and the test files attached

file-bug.xml (1.07 MB) file-bug.xml file test Mathieu Bergonzini, 2020-01-29 10:02
schema.xsd (65 KB) schema.xsd schema xsd Mathieu Bergonzini, 2020-01-29 10:02
xhtml.xsd (63.9 KB) xhtml.xsd Mathieu Bergonzini, 2020-01-29 10:02
xml.xsd (5.57 KB) xml.xsd Mathieu Bergonzini, 2020-01-29 10:02


#1 Updated by Michael Kay 7 months ago

Thanks for reporting it. From the stack trace, I can make a guess: we're evaluating an assertion against a subtree of the document, and we've used the "fast copy" mechanism to create a copy of that subtree, and the fast copy mechanism is dodgy. In fact, in resolving bug #4433, I decided to scrap this optimisation because it had given too many reliability problems.

I'll look at the repro first, however, before jumping to conclusions.

#2 Updated by Michael Kay 7 months ago

  • Category set to Schema conformance
  • Status changed from New to In Progress
  • Assignee set to Michael Kay
  • Applies to branch 9.8 added

Reproduced on 9.8 (from the command line); runs without failure on 9.9

#3 Updated by Michael Kay 7 months ago

Seems to be in the same general area as bug #3665, though it's not the same because that involved construction of prior-pointers.

I'm not going to close it immediately as "fixed in 9.9" because I think the reason it's working in 9.9 might be coincidence (the TinyTree in 9.9 has been reduced in size by the introduction of TextualElement nodes, and that might mean the bug is still there on a particular boundary condition, but not activated by this test case). So I'm going to try and debug it on 9.8.

#4 Updated by Michael Kay 7 months ago

Stepping through what's happening in the debugger, it's evaluating the assertion on the Adresse element at line 24284, and while atomizing the LibellePays element (which is the last child of Adresse, and happens to be empty), it follows a "next" pointer which points off the end of the underlying TinyTree.

So I looked at how the construction of tree fragments for assertions works, and I noticed a relevant change between 9.8 and 9.9, which was made in response to the (apparently asymptomatic) bug #4124.

I tried experimentally to reverse that change in the 9.9 code, and it doesn't cause the validation to crash, so we have no evidence as to whether this code change is responsible for fixing the bug. In fact, looking at it more carefully, I think the patch only affects what happens when we finish tree construction for an assertion on the root element of the entire document, which suggests it's not relevant.

I do find the code a little puzzling, because we seem to do the testing of assertions before sending an endElement() event to the builder; what's more the intuitive code to send the endElement() event has been commented out suggesting a deliberate change.

#5 Updated by Michael Kay 7 months ago

  • Subject changed from Problem with validation to Problem with validation [ArrayIndexOutOfBoundsException in TinyTree]

Yes, it's a bug, and it's still there in 9.9; it's just very unlikely to be triggered.

When we get the string value of a node in the tinytree (TinyParentNodeImpl.getStringValueCS) we take a quick look to see if the depth of the next node is <= the current depth; if so, that implies that the node has no children, so the string value is a zero-length string. But on this occasion the "next node" is off the end of the TinyTree array.

This will never happen when accessing a normal tree, because we always add a "stopper" node at the end to guard against such things. And on this special path for assertion handling, where we're accessing a tree that's under construction, there will normally be a zero entry in the uninitialised part of the array, which happens to give the correct results. It's failed this time because of a rare combination of circumstances: the last child of the element containing the assertion is empty; we're accessing its string value; and the algorithm for allocating space in the TinyTree is such that there was exactly the right amount of room for this particular element; since we're typically allocating space in chunks of at least 4K bytes, this has a very low probability of happening.

#6 Updated by Michael Kay 7 months ago

  • Status changed from In Progress to Resolved
  • Applies to branch 9.9, trunk added
  • Fix Committed on Branch 9.8, 9.9, trunk added

Patch applied on 9.8, 9.9, and development branches; tested on 9.8, regression tested only on 9.9 and 10.0 as it is impossible to construct a test case for this unlikely event.

#7 Updated by O'Neil Delpratt 5 months ago

  • Status changed from Resolved to Closed
  • % Done changed from 0 to 100
  • Fixed in Maintenance Release added
  • Fixed in Maintenance Release deleted (

Patch applied in the maintenance release.

Please register to edit this issue

Also available in: Atom PDF