MantisBT - NetSurf
View Issue Details
Id: 0002367
Project: NetSurf
Category: Javascript
View Status: public
Date Submitted: 2015-10-20 09:05
Last Update: 2016-02-16 15:10
Reporter: Harriet Bazley
Assigned To: (none)
Priority: normal
Severity: crash
Reproducibility: always
Status: closed
Resolution: fixed
Platform: ARM
OS: RISC OS
OS Version: 5.19
Product Version: 3.4
Target Version: (none)
Fixed in Version: 3.4
Fixed in CI build #: 3005
Reported in CI build #: 3000
URL of problem page: http://www.wizards.com/default.asp?x=dnd%2Fdnd%2F20001222b
Summary: 0002367: JavaScript crash
Description: NetSurf crashes when visiting quiz page - I don't expect the quiz to work, but the entire browser falls over!
Steps To Reproduce: Visit http://www.wizards.com/default.asp?x=dnd%2Fdnd%2F20001222b
Additional Information: RISC OS 5.20, Iyonix Aria
Tags: No tags attached.
Attached Files:
  Log.zip (10,468) 2015-10-20 09:06
  https://bugs.netsurf-browser.org/mantis/file_download.php?file_id=332&type=bug
  APinder.zip (5,843) 2015-10-20 19:16
  https://bugs.netsurf-browser.org/mantis/file_download.php?file_id=334&type=bug

Notes
(0000968)
Dave Higton   
2015-10-20 19:19   
(Last edited: 2015-10-20 19:26)
Andrew Pinder also reported a crash when visiting http://www.lonelyplanet.com/jordan/shopping/souvenir-gifts with JS enabled but was unable to report the bug. I have reproduced his crash and attached the resulting log as APinder.zip

A null node is pushed. The next bit of code attempts to reference this node, which is presumably the point at which the crash occurs.

It seems to me that two things can be done:

1) Working forwards: Don't push null nodes; this should be enough to prevent the crash.

2) Working backwards: find out why there was an attempt to push a null node. This is not so easy!

(0000970)
Vincent Sanders   
2015-10-20 21:42   
(5.445954) javascript/duktape/dukky.c:69 dukky_populate_object: Call the init function
(5.445961) build-Linux-gtk/duktape/event_target.c:45 dukky_event_target___init: Initialise 0x1f8e450 (priv=0x1e46f50)
(5.445967) build-Linux-gtk/duktape/node.c:46 dukky_node___init: Initialise 0x1f8e450 (priv=0x1e46f50)
(5.445972) build-Linux-gtk/duktape/element.c:47 dukky_element___init: Initialise 0x1f8e450 (priv=0x1e46f50)
(5.445978) build-Linux-gtk/duktape/html_element.c:46 dukky_html_element___init: Initialise 0x1f8e450 (priv=0x1e46f50)
(5.445983) build-Linux-gtk/duktape/html_div_element.c:46 dukky_html_div_element___init: Initialise 0x1f8e450 (priv=0x1e46f50)
(5.445995) javascript/duktape/dukky.c:77 dukky_create_object: name=NETSURF_DUKTAPE_PROTOTYPE_NODELIST nargs=1
(5.446003) javascript/duktape/dukky.c:69 dukky_populate_object: Call the init function
(5.446015) build-Linux-gtk/duktape/node_list.c:45 dukky_node_list___init: Initialise 0x1f8cec0 (priv=0x1c15420)
(5.446021) javascript/duktape/dukky.c:90 dukky_create_object: created
(5.446028) NodeList.bnd:22 dukky_node_list___fini: Finalise 0x1f8cec0
(5.446043) javascript/duktape/dukky.c:219 dukky_push_node: Pushing node 0x1f938a0
(5.446054) javascript/duktape/dukky.c:69 dukky_populate_object: Call the init function
(5.446061) build-Linux-gtk/duktape/event_target.c:45 dukky_event_target___init: Initialise 0x1f93970 (priv=0x1c15420)
(5.446066) build-Linux-gtk/duktape/node.c:46 dukky_node___init: Initialise 0x1f93970 (priv=0x1c15420)
(5.446072) build-Linux-gtk/duktape/element.c:47 dukky_element___init: Initialise 0x1f93970 (priv=0x1c15420)
(5.446077) build-Linux-gtk/duktape/html_element.c:46 dukky_html_element___init: Initialise 0x1f93970 (priv=0x1c15420)
(5.446082) build-Linux-gtk/duktape/html_div_element.c:46 dukky_html_div_element___init: Initialise 0x1f93970 (priv=0x1c15420)
(5.446091) javascript/duktape/dukky.c:219 dukky_push_node: Pushing node (nil)
(0000971)
Vincent Sanders   
2015-10-20 21:48   
#0 dukky_push_node (ctx=ctx@entry=0x128ceb0, node=0x0) at javascript/duktape/dukky.c:245
#1 0x00000000004f7ddd in dukky_node_lastChild_getter (ctx=0x128ceb0) at Node.bnd:149
#2 0x0000000000593581 in duk_handle_call (thr=0x128ceb0, num_stack_args=1, call_flags=0) at duk_js_call.c:1364
#3 0x00000000005a48f4 in duk_hobject_getprop (thr=thr@entry=0x128ceb0, tv_obj=0x7fffffffb680,
    tv_key=0x7fffffffb690) at duk_hobject_props.c:2582
#4 0x000000000059130f in duk_js_execute_bytecode (exec_thr=exec_thr@entry=0x128ceb0) at duk_js_executor.c:2848
#5 0x0000000000593841 in duk_handle_call (thr=0x128ceb0, num_stack_args=0, call_flags=0) at duk_js_call.c:1471
#6 0x00000000005af269 in duk_eval_raw (ctx=ctx@entry=0x128ceb0, src_buffer=src_buffer@entry=0x0,
    src_length=src_length@entry=0, flags=flags@entry=1) at duk_api_compile.c:44
#7 0x000000000058a3bf in eval_top_string (ctx=0x128ceb0,
    ctx@entry=<error reading variable: Cannot access memory at address 0xa2>) at javascript/duktape/dukky.c:355
#8 0x0000000000597dc4 in duk_handle_safe_call (
    thr=<error reading variable: Cannot access memory at address 0xa2>,
    func=func@entry=0x58a3a0 <eval_top_string>, num_stack_args=num_stack_args@entry=1,
    num_stack_rets=num_stack_rets@entry=1) at duk_js_call.c:1876
#9 0x0000000000598064 in duk_safe_call (ctx=<optimized out>, func=func@entry=0x58a3a0 <eval_top_string>,
    nargs=nargs@entry=1, nrets=nrets@entry=1) at duk_api_call.c:221
#10 0x000000000058ad91 in js_exec (ctx=0xe31070,
    txt=0x7fffe42e4010 "/*! jQuery v1.9.1 | (c) 2005, 2012 jQuery Foundation, Inc. | jquery.org/license\r\n//@ sourceMappingURL=jquery.min.map\r\n*/\r\n(function (e, t) {\r\n\tvar n, r, i = typeof t, o = e.document, a = e.location"..., txtlen=<optimized out>) at javascript/duktape/dukky.c:366
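
The failure mode described in note 0000968 (a NULL node pushed and then dereferenced) and the lastChild getter frame in the backtrace above, modelled as an added C example that is not NetSurf or Duktape code. The structs and names (dom_node, js_ctx, push_node, last_child_getter) are hypothetical stand-ins for the real binding; the point shown is that the push step, not the getter, is where a NULL DOM pointer must become JS null.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for the DOM node and the JS value stack. */
typedef struct dom_node {
    struct dom_node *last_child;   /* NULL when the node has no children */
} dom_node;
typedef enum { JS_NULL, JS_OBJECT } js_tag;
typedef struct { js_tag tag; const dom_node *obj; } js_value;
typedef struct { js_value stack[8]; int top; } js_ctx;

/* Hardened push. Note 0000968 says the original read through the node
 * pointer unconditionally, so NULL segfaulted; map NULL to JS null instead. */
static js_tag push_node(js_ctx *ctx, const dom_node *n)
{
    js_value *slot = &ctx->stack[ctx->top++];
    if (n == NULL) {
        slot->tag = JS_NULL;
        slot->obj = NULL;
        return JS_NULL;
    }
    slot->tag = JS_OBJECT;
    slot->obj = n;   /* a real binding would wrap n in its JS object here */
    return JS_OBJECT;
}

/* Model of the Node.lastChild getter: fetch from the DOM, push as-is. */
static js_tag last_child_getter(js_ctx *ctx, const dom_node *self)
{
    return push_node(ctx, self->last_child);
}

/* Constructed tree <div><span></span></div>; leaf=1 queries the childless span. */
static js_tag sample_last_child(int leaf)
{
    dom_node span = { NULL };
    dom_node div  = { &span };
    js_ctx ctx = { .top = 0 };
    return last_child_getter(&ctx, leaf ? &span : &div);
}

int main(void)
{
    printf("div.lastChild  -> %s\n", sample_last_child(0) == JS_OBJECT ? "object" : "null");
    printf("span.lastChild -> %s\n", sample_last_child(1) == JS_NULL ? "null" : "object");
    return 0;
}
```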
(0000972)
Andrew Pinder   
2015-10-20 22:08   
I've been able to generate a crash just by trying to go straight to www.lonelyplanet.com
(0000973)
Vincent Sanders   
2015-10-21 19:56   
kinnison resolved our null node handling so the jquery no longer causes the segfault. lonely planet rendering is still utterly broken though.
(0001288)
Vincent Sanders   
2016-02-16 15:10   
Confirmed resolved in 3.4 release

Issue History
2015-10-20 09:05 | Harriet Bazley | New Issue
2015-10-20 09:06 | Harriet Bazley | File Added: Log.zip
2015-10-20 19:16 | Dave Higton | File Added: APinder.zip
2015-10-20 19:19 | Dave Higton | Note Added: 0000968
2015-10-20 19:26 | Dave Higton | Note Edited: 0000968
2015-10-20 20:38 | Vincent Sanders | Status: new => confirmed
2015-10-20 20:38 | Vincent Sanders | Product Version: => 3.4
2015-10-20 21:42 | Vincent Sanders | Note Added: 0000970
2015-10-20 21:48 | Vincent Sanders | Note Added: 0000971
2015-10-20 22:08 | Andrew Pinder | Note Added: 0000972
2015-10-21 19:56 | Vincent Sanders | Fixed in CI build #: => 3005
2015-10-21 19:56 | Vincent Sanders | Note Added: 0000973
2015-10-21 19:56 | Vincent Sanders | Status: confirmed => resolved
2015-10-21 19:56 | Vincent Sanders | Resolution: open => fixed
2015-10-21 19:56 | Vincent Sanders | Fixed in Version: => 3.4
2016-02-16 15:10 | Vincent Sanders | Note Added: 0001288
2016-02-16 15:10 | Vincent Sanders | Status: resolved => closed