Re: [PATCH] contrib/xml2: backend crash in xpath_nodeset() on the namespace axis

On Thu, Jun 11, 2026 at 03:14:36AM +0300, Andrey Chernyy wrote:
> Reproduced on master; the same unguarded xmlNodeDump() call in
> pgxmlNodeSetToText() is present on every supported back-branch (REL_18
> through REL_14).
>
> Patch attached: render XML_NAMESPACE_DECL nodes with
> xmlXPathCastNodeToString() like xpath_table() does. The repro then
> returns the namespace text, ordinary node-set output is unchanged, and
> the xml2 regression test passes.

Thanks for the report, that looks about right to fix the way you are
doing in xml2. Some tests and we should be good.

Hmm. We have a second caller of xmlNodeDump() in the core backend
code in adt/xml.c, leading to a confusing error if I try to use a
namespace:
=# select xpath('//namespace::*', '<root xmlns:foo="http://example.com"/>'::xml);
ERROR: 53200: could not copy node
CONTEXT: SQL function "xpath" statement 1
LOCATION: xml_ereport, xml.c:2082

It looks to me that we should fallback to xmlXPathCastNodeToString()
when dealing with a NAMESPACE_DECL. The attached patch leads me to
the following result, that looks much better:
=# select xpath('//namespace::*', '<root xmlns:foo="http://example.com"/>'::xml);
xpath
-----------------------------------------------------------
{http://www.w3.org/XML/1998/namespace,http://example.com}
(1 row)

What do you think? That also deserves a backpatch to me, even if it
is less worse than the xml2 crash you have reported.

I have grouped this fix with your patch in the attached. Both still
need some tests. Each fix deserves its own commit, that's just a
quick FYI version.
--
Michael