format-number can mess up the XPath stack
If the format-number XPath extension function receives invalid arguments, it doesn't push a result and messes up the XPath stack. libxml2's XPath engine should handle this gracefully, but the current behavior has uncovered some cases where a corrupted stack led to double frees, use-after-frees or null pointer dereferences. I think format-number should be fixed, but it might be useful to add an extension function that deliberately pops all elements off the stack, which can be enabled when fuzzing libxml2.