View Issue Details

| Field | Value |
|---|---|
| ID | 0002387 |
| Project | NetSurf |
| Category | Javascript |
| View Status | public |
| Date Submitted | 2015-11-11 01:16 |
| Last Update | 2016-02-16 14:14 |
| Reporter | Harriet Bazley |
| Assigned To | Daniel Silverstone |
| Severity | minor |
| Reproducibility | always |
| Status | closed |
| Resolution | fixed |
| Platform | ARM |
| OS | RISC OS |
| OS Version | 5.19 |
| Product Version | 3.4 |
| Target Version | 3.4 |
| Fixed in Version | 3.4 |
| Summary | 0002387: Segfault on NHS page |
| Description | Netsurf crashes with a segfault every time I attempt to view the page http://www.nhs.uk/conditions/peptic-ulcer/Pages/Introduction.aspx. With JavaScript disabled, the page loads without problems. Tried with the latest version of Netsurf, same issue. |
| Steps To Reproduce | Visit page. |
| Tags | No tags attached. |
| Fixed in CI build # | |
| Reported in CI build # | 3058 |
| URL of problem page | http://www.nhs.uk/conditions/peptic-ulcer/Pages/Introduction.aspx |
| Attached Files | Log.zip |
Notes

Michael Drake (administrator) 2015-11-11 17:50

```
(32.330000) javascript/duktape/dukky.c:655 dukky_register_event_listener_for: have registered listener for 0x710db2d0.click
(32.330000) javascript/duktape/dukky.c:407 js_exec: Returning false
Fatal signal received: Segmentation fault
Stack backtrace:
Running thread 0x701fd8
( 70aee0) pc: 4dcc7c lr: 185e78 sp: 70aee4 __write_backtrace()
( 70af08) pc: 185df8 lr: 4dd5a0 sp: 70af0c ro_gui_signal()
( 70af30) pc: 4dd588 lr: 4dd27c sp: 70af34 __unixlib_exec_sig()
( 70afa0) pc: 4dcd94 lr: 4ddb84 sp: 70afa4 __unixlib_raise_signal()
( 70afb0) pc: 4dda88 lr: 245504 sp: 70959c __h_cback()
Register dump at 0070afb4:
a1: 1        a2: 710babf8 a3: 7095a0   a4: b8e59ff2
v1: 709744   v2: 709744   v3: 71246690 v4: 7095a4
v5: 78c      v6: 710bbfe9 sl: 709208   fp: 7095c0
ip: 4b       sp: 70959c   lr: 245504   pc: 245508
cpsr: 60000010
002454f4 : .0\90\E5   : e5903000 : LDR R3,[R0,#0]
002454f8 : . \8D\E2   : e28d2004 : ADD R2,R13,#4
002454fc : .\E0\A0\E1 : e1a0e00f : MOV R14,PC
00245500 : \C0\F0\93\E5 : e593f0c0 : LDR PC,[R3,#192]
00245504 : ..P\E3     : e3500000 : CMP R0,#0
00245508 : ....       : 1a00000b : BNE &0024553C
0024550c : .0\9D\E5   : e59d3004 : LDR R3,[R13,#4]
00245510 : .0\85\E5   : e5853000 : STR R3,[R5,#0]
00245514 : ..\9D\E5   : e59d0008 : LDR R0,[R13,#8]
( 7095c0) pc: 245484 lr: 27d088 sp: 7095c4 create_text()
( 7095e4) pc: 27d050 lr: 27d218 sp: 7095e8 append_text()
( 70960c) pc: 27d17c lr: 27e808 sp: 709610 process_characters_expect_whitespace()
( 709648) pc: 27e6f4 lr: 27c7ac sp: 70964c handle_in_head()
( 709660) pc: 27c560 lr: 273344 sp: 709664 hubbub_treebuilder_token_handler()
( 709678) pc: 27331c lr: 278d60 sp: 70967c hubbub_tokeniser_emit_token()
( 7097cc) pc: 27899c lr: 2799c4 sp: 7097d0 hubbub_tokeniser_handle_data()
( 709a40) pc: 279490 lr: 27c4c0 sp: 709a44 hubbub_tokeniser_run()
( 709a50) pc: 27c45c lr: 271fdc sp: 709a54 hubbub_tokeniser_setopt()
( 709a68) pc: 271ec8 lr: 2461ac sp: 709a6c hubbub_parser_setopt()
( 709a80) pc: 24618c lr: 167ab8 sp: 709a84 dom_hubbub_parser_pause()
( 709ab4) pc: 1679dc lr: cf2e8 sp: 709ab8 convert_script_sync_cb()
( 709afc) pc: cf290 lr: c2a34 sp: 709b08 hlcache_content_callback()
( 709b4c) pc: c29c0 lr: c2e7c sp: 709b58 content_broadcast()
( 709bb4) pc: c2e20 lr: 111038 sp: 709bb8 content_set_done()
( 709bc8) pc: 111020 lr: c3120 sp: 709bcc javascript_convert()
( 709c30) pc: c2f54 lr: d1800 sp: 709c34 content_llcache_callback()
( 709c68) pc: d1670 lr: d18f8 sp: 709c6c llcache_object_notify_users()
( 709c80) pc: d18cc lr: 199aa4 sp: 709c84 llcache_catch_up_all_users()
( 709ca0) pc: 199a5c lr: 9fe0 sp: 709ca4 schedule_run()
( 709fe8) pc: 9740 lr: 4eb944 sp: 709fec main()
```
Michael Drake (administrator) 2015-11-11 18:11

```
valgrind ./nsfb http://www.nhs.uk/conditions/peptic-ulcer/Pages/Introduction.aspx
==18076== Memcheck, a memory error detector
==18076== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==18076== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==18076== Command: ./nsfb http://www.nhs.uk/conditions/peptic-ulcer/Pages/Introduction.aspx
==18076==
==18076== Use of uninitialised value of size 8
==18076==    at 0x58F6E4: dom_string_length (in /home/mdrake/dev-netsurf/workspace/netsurf/nsfb)
==18076==    by 0x4D2090: dukky_push_handler_code_ (dukky.c:475)
==18076==    by 0x4D2090: dukky_get_current_value_of_event_handler (dukky.c:496)
==18076==    by 0x41D83F: dukky_document_onreadystatechange_getter (Document.bnd:421)
==18076==    by 0x4DB4A1: duk_handle_call (duk_js_call.c:1390)
==18076==    by 0x4E8F79: duk_hobject_getprop (duk_hobject_props.c:2578)
==18076==    by 0x4D8FB5: duk__js_execute_bytecode_inner (duk_js_executor.c:2864)
==18076==    by 0x4DAA6B: duk_js_execute_bytecode (duk_js_executor.c:2045)
==18076==    by 0x4DB5BE: duk_handle_call (duk_js_call.c:1503)
==18076==    by 0x4FA29C: duk_eval_raw (duk_api_compile.c:46)
==18076==    by 0x4D13BE: eval_top_string (dukky.c:382)
==18076==    by 0x4DBEB9: duk_handle_safe_call (duk_js_call.c:1925)
==18076==    by 0x4D1CC0: js_exec (dukky.c:393)
==18076==
==18076== Use of uninitialised value of size 8
==18076==    at 0x58F710: dom_string_length (in /home/mdrake/dev-netsurf/workspace/netsurf/nsfb)
==18076==    by 0x4D2090: dukky_push_handler_code_ (dukky.c:475)
==18076==    by 0x4D2090: dukky_get_current_value_of_event_handler (dukky.c:496)
==18076==    by 0x41D83F: dukky_document_onreadystatechange_getter (Document.bnd:421)
==18076==    by 0x4DB4A1: duk_handle_call (duk_js_call.c:1390)
==18076==    by 0x4E8F79: duk_hobject_getprop (duk_hobject_props.c:2578)
==18076==    by 0x4D8FB5: duk__js_execute_bytecode_inner (duk_js_executor.c:2864)
==18076==    by 0x4DAA6B: duk_js_execute_bytecode (duk_js_executor.c:2045)
==18076==    by 0x4DB5BE: duk_handle_call (duk_js_call.c:1503)
==18076==    by 0x4FA29C: duk_eval_raw (duk_api_compile.c:46)
==18076==    by 0x4D13BE: eval_top_string (dukky.c:382)
==18076==    by 0x4DBEB9: duk_handle_safe_call (duk_js_call.c:1925)
==18076==    by 0x4D1CC0: js_exec (dukky.c:393)
==18076==
==18076== Invalid read of size 8
==18076==    at 0x58F718: dom_string_length (in /home/mdrake/dev-netsurf/workspace/netsurf/nsfb)
==18076==    by 0x4D2090: dukky_push_handler_code_ (dukky.c:475)
==18076==    by 0x4D2090: dukky_get_current_value_of_event_handler (dukky.c:496)
==18076==    by 0x41D83F: dukky_document_onreadystatechange_getter (Document.bnd:421)
==18076==    by 0x4DB4A1: duk_handle_call (duk_js_call.c:1390)
==18076==    by 0x4E8F79: duk_hobject_getprop (duk_hobject_props.c:2578)
==18076==    by 0x4D8FB5: duk__js_execute_bytecode_inner (duk_js_executor.c:2864)
==18076==    by 0x4DAA6B: duk_js_execute_bytecode (duk_js_executor.c:2045)
==18076==    by 0x4DB5BE: duk_handle_call (duk_js_call.c:1503)
==18076==    by 0x4FA29C: duk_eval_raw (duk_api_compile.c:46)
==18076==    by 0x4D13BE: eval_top_string (dukky.c:382)
==18076==    by 0x4DBEB9: duk_handle_safe_call (duk_js_call.c:1925)
==18076==    by 0x4D1CC0: js_exec (dukky.c:393)
==18076==  Address 0x2043c710 is not stack'd, malloc'd or (recently) free'd
==18076==
==18076==
==18076== HEAP SUMMARY:
==18076==     in use at exit: 4,721,998 bytes in 49,431 blocks
==18076==   total heap usage: 197,599 allocs, 148,168 frees, 37,039,346 bytes allocated
==18076==
==18076== LEAK SUMMARY:
==18076==    definitely lost: 42 bytes in 4 blocks
==18076==    indirectly lost: 352 bytes in 8 blocks
==18076==      possibly lost: 0 bytes in 0 blocks
==18076==    still reachable: 4,721,604 bytes in 49,419 blocks
==18076==         suppressed: 0 bytes in 0 blocks
==18076== Rerun with --leak-check=full to see details of leaked memory
==18076==
==18076== For counts of detected and suppressed errors, rerun with: -v
==18076== Use --track-origins=yes to see where uninitialised values come from
==18076== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)
Segmentation fault
```
Michael Drake (administrator) 2015-11-11 18:17

```c
static void
dukky_push_handler_code_(duk_context *ctx, dom_string *name,
			 dom_event_target *et)
{
	dom_string *onname, *val;
	/* The event target is cast to an element without checking its node type. */
	dom_element *ele = (dom_element *)et;
	dom_exception exc;

	/* Build the "on<name>" attribute name, e.g. "onreadystatechange". */
	exc = dom_string_concat(corestring_dom_on, name, &onname);
	if (exc != DOM_NO_ERR) {
		duk_push_lstring(ctx, "", 0);
		return;
	}

	exc = dom_element_get_attribute(ele, onname, &val);
	if ((exc != DOM_NO_ERR) || (val == NULL)) {
		dom_string_unref(onname);
		duk_push_lstring(ctx, "", 0);
		return;
	}

	dom_string_unref(onname);
	duk_push_lstring(ctx, dom_string_data(val), dom_string_length(val));
	dom_string_unref(val);
}
```
Michael Drake (administrator) 2015-11-11 18:18

Looks like we're getting a bad dom_string back from dom_element_get_attribute()

Michael Drake (administrator) 2015-11-19 22:01 (Last edited: 2015-11-19 22:07)

Actually I think we're passing the document node to dom_element_get_attribute(). So the event target isn't an element in that case, and the code currently assumes it is.
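Added example, not NetSurf or libdom code: a self-contained C model of the type confusion described in the note above, with the unchecked cast beside a hardened version that checks the node type before treating the event target as an element. The node layouts (`node`, `element`, `document`), the attribute table and every function name here are hypothetical simplifications invented for the example; libdom's real objects are laid out differently and expose the node type through its own node API. The sample nodes are constructed inline.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified DOM node layouts (NOT libdom's representation).
 * Every node starts with a common header; only elements carry attributes. */
typedef enum { NODE_ELEMENT = 1, NODE_DOCUMENT = 9 } node_type;

typedef struct { node_type type; const char *name; } node;
typedef struct { const char *name; const char *value; } attr;

/* Elements have an attribute table after the common header ... */
typedef struct { node base; size_t nattrs; attr attrs[4]; } element;
/* ... documents do not: whatever follows the header belongs to someone else. */
typedef struct { node base; } document;

/* Models dom_element_get_attribute(): trusts that its argument is an element. */
static const char *element_get_attribute(const element *ele, const char *attr_name)
{
	for (size_t i = 0; i < ele->nattrs; i++)
		if (strcmp(ele->attrs[i].name, attr_name) == 0)
			return ele->attrs[i].value;
	return NULL;
}

/* Builds "on" + event name ("onreadystatechange"), like the concat in the
 * original handler. Returns 0 if the name does not fit. */
static int on_attr_name(const char *event, char *buf, size_t buflen)
{
	int n = snprintf(buf, buflen, "on%s", event);
	return n > 0 && (size_t)n < buflen;
}

/* Shape of the bug: the event target is cast to an element unconditionally.
 * Called with a document node this reads past the end of the document object
 * (undefined behaviour; valgrind reports it as an invalid/uninitialised read).
 * It is shown for comparison and deliberately never called on a document. */
static const char *handler_code_unchecked(const node *et, const char *event)
{
	char onname[64];
	if (!on_attr_name(event, onname, sizeof onname))
		return "";
	const char *val = element_get_attribute((const element *)et, onname);
	return val ? val : "";
}

/* Hardened form: check the node type before treating the target as an element.
 * Non-element targets (the document, for instance) have no content attributes,
 * so the handler body is the empty string, matching the "no handler" path. */
static const char *handler_code_checked(const node *et, const char *event)
{
	char onname[64];
	if (et == NULL || et->type != NODE_ELEMENT)
		return "";
	if (!on_attr_name(event, onname, sizeof onname))
		return "";
	const char *val = element_get_attribute((const element *)et, onname);
	return val ? val : "";
}

/* Constructed sample nodes: a <body onclick="..."> and the document itself. */
static element sample_body = {
	{ NODE_ELEMENT, "body" }, 1, { { "onclick", "handleClick()" } }
};
static document sample_doc = { { NODE_DOCUMENT, "#document" } };

int main(void)
{
	printf("body.onclick           -> \"%s\"\n",
	       handler_code_checked(&sample_body.base, "click"));
	printf("document.onreadystatechange -> \"%s\"\n",
	       handler_code_checked(&sample_doc.base, "readystatechange"));
	/* handler_code_unchecked(&sample_doc.base, "readystatechange") is the
	 * crash path from the report: same cast, wrong node kind. */
	return 0;
}
```

The check has to be on the node's kind, not on whether an attribute lookup "seems to work": in the report the lookup returned without an error code but handed back a bad dom_string, and the crash only surfaced later in dom_string_length(). Rejecting non-element targets before the cast is what keeps the call from ever seeing memory of the wrong shape.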
Daniel Silverstone (administrator) 2015-11-22 13:44

This is fixed in Git. Sadly the CI system is currently down due to datacenter issues. Look for a CI#3177 or newer to validate the correction.

Vincent Sanders (administrator) 2016-02-16 14:14

Confirmed fixed in 3.4 release
Issue History

| Date Modified | Username | Field | Change |
|---|---|---|---|
2015-11-11 01:16 | Harriet Bazley | New Issue | |
2015-11-11 01:16 | Harriet Bazley | File Added: Log.zip | |
2015-11-11 17:50 | Michael Drake | Note Added: 0001067 | |
2015-11-11 18:11 | Michael Drake | Note Added: 0001069 | |
2015-11-11 18:17 | Michael Drake | Note Added: 0001070 | |
2015-11-11 18:18 | Michael Drake | Note Added: 0001072 | |
2015-11-17 16:34 | Vincent Sanders | Assigned To | => Daniel Silverstone |
2015-11-17 16:34 | Vincent Sanders | Status | new => confirmed |
2015-11-17 16:34 | Vincent Sanders | Product Version | => 3.4 |
2015-11-17 16:34 | Vincent Sanders | Description Updated | View Revisions |
2015-11-19 22:01 | Michael Drake | Note Added: 0001106 | |
2015-11-19 22:05 | Michael Drake | Note Edited: 0001106 | View Revisions |
2015-11-19 22:07 | Michael Drake | Note Edited: 0001106 | View Revisions |
2015-11-22 13:44 | Daniel Silverstone | Note Added: 0001111 | |
2015-11-22 13:44 | Daniel Silverstone | Status | confirmed => resolved |
2015-11-22 13:44 | Daniel Silverstone | Resolution | open => fixed |
2015-11-22 13:44 | Daniel Silverstone | Fixed in Version | => 3.4 |
2015-11-22 13:44 | Daniel Silverstone | Target Version | => 3.4 |
2016-02-16 14:14 | Vincent Sanders | Note Added: 0001252 | |
2016-02-16 14:14 | Vincent Sanders | Status | resolved => closed |