Ok, this one is going to be a little hard to explain because I have been unable to come up with a simple test case.

xsltApplyOneTemplate was crashing (invalid pointer) around line 1837 ( xmlFreeDoc(tmp); ) where it is freeing up the tmpRVTs created in that template. xmlFreeDoc was eventually dying while freeing an xmlAttrPtr because the xmlAttrPtr->doc pointer was invalid on a . It actually died in xmlDictOwns, which accesses xmlAttrPtr->doc->dict, which was invalid.

I traced the problem down to xsltAttrListTemplateProcess. It creates an xmlAttrPtr by calling xsltAttrTemplateProcess. The new xmlAttrPtr (q) has its parent set to target but the doc set to ctxt->output, which may not be the same as the target->doc. As an attribute's document and the attribute's parent element's document would always be the same, the patch changes that. The ctxt->output document must not still exist when the tmpRVTs are destroyed in this case.

Sorry I couldn't come up with a regression test case, but it's a nasty stylesheet that causes this and any attempts to simplify eliminated the crash. Hopefully a good eyeballing will be enough to confirm the patch.
Attachment: templates.diff
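An added illustration, not part of the original message or the attached patch: a simplified C model of the invariant described above (an attribute's doc must equal its parent element's doc), with a checker that flags violations and a repair that rebinds them. Doc, Node, Attr, count_foreign_attrs, rebind_attrs and demo are hypothetical names, not libxml2 or libxslt API.

```c
#include <stddef.h>

/* Simplified stand-ins for libxml2's xmlDoc/xmlNode/xmlAttr: only the
 * fields involved in the ownership invariant are modelled (assumption). */
typedef struct Doc { const char *name; } Doc;
typedef struct Attr Attr;
typedef struct Node { Doc *doc; Attr *properties; struct Node *children, *next; } Node;
struct Attr { Doc *doc; Node *parent; Attr *next; };

/* Count attributes whose doc differs from their owning element's doc.
 * Non-zero means freeing this tree can touch another document's memory. */
static size_t count_foreign_attrs(const Node *n)
{
    size_t bad = 0;
    for (; n != NULL; n = n->next) {
        for (const Attr *a = n->properties; a != NULL; a = a->next)
            if (a->doc != a->parent->doc)
                bad++;
        bad += count_foreign_attrs(n->children);
    }
    return bad;
}

/* Repair: every attribute follows its parent element's document. */
static void rebind_attrs(Node *n)
{
    for (; n != NULL; n = n->next) {
        for (Attr *a = n->properties; a != NULL; a = a->next)
            a->doc = a->parent->doc;
        rebind_attrs(n->children);
    }
}

/* Constructed sample: an element in a temporary result tree carries an
 * attribute stamped with the main output document instead. */
static size_t demo(int repair)
{
    Doc output = { "output" }, rvt = { "tmpRVT" };
    Node child = { &rvt, NULL, NULL, NULL };
    Node root = { &rvt, NULL, &child, NULL };
    Attr ok = { &rvt, &root, NULL }, stray = { &output, &child, NULL };
    root.properties = &ok;
    child.properties = &stray;
    if (repair)
        rebind_attrs(&root);
    return count_foreign_attrs(&root);
}

int main(void) { return (demo(0) == 1 && demo(1) == 0) ? 0 : 1; }
```

A walk of this kind, run in a debug build before a tree is freed, surfaces a cross-document attribute at the point it exists rather than at the later crash in the free path.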