unsoundness from libxslt issue #14

[SamB]

See https://gitlab.gnome.org/GNOME/libxslt/-/issues/14 and the reproducer in https://gitlab.gnome.org/GNOME/libxslt/-/issues/14.
It turns out that libxslt mutates the input document as part of the implementation of whitespace stripping, which is under stylesheet control.

You call this from the function:

rust-libxslt/src/stylesheet.rs

Line 34 in 8cfe923

pub fn transform(&mut self, doc: &Document, params: Vec<(&str, &str)>) -> Result<Document, Box<dyn Error>> {

which takes a shared reference &Document and passes it straight to libxslt. If the caller passes in a stylesheet that enables whitespace stripping, this will mutate the document through a shared pointer,
violates Rust's prohibition against mutating immutable bytes, instantly causing undefined behavior.
Because this function can be called from safe code with such a stylesheet, it is unsound.

Now obviously this is not your fault: there does not appear to be any indication in the libxslt documentation that it can mutate the input document, certainly not in the documentation for this family of functions. Who would expect that?

But nevertheless, I think you need to copy the input document unless/until this gets fixed in libxslt.

[dginev]

Unfortunate and fascinating.

My first instinct to resolve is slightly different - to switch the argument reference &Document to receive an owned Document and consume (then free it) upon transforming it.

Whether the user is interested in making a copy can be an external question - no need to make transform any heavier.