Notes |
|
|
(32.330000) javascript/duktape/dukky.c:655 dukky_register_event_listener_for: have registered listener for 0x710db2d0.click
(32.330000) javascript/duktape/dukky.c:407 js_exec: Returning false
Fatal signal received: Segmentation fault
Stack backtrace:
Running thread 0x701fd8
( 70aee0) pc: 4dcc7c lr: 185e78 sp: 70aee4 __write_backtrace()
( 70af08) pc: 185df8 lr: 4dd5a0 sp: 70af0c ro_gui_signal()
( 70af30) pc: 4dd588 lr: 4dd27c sp: 70af34 __unixlib_exec_sig()
( 70afa0) pc: 4dcd94 lr: 4ddb84 sp: 70afa4 __unixlib_raise_signal()
( 70afb0) pc: 4dda88 lr: 245504 sp: 70959c __h_cback()
Register dump at 0070afb4:
a1: 1 a2: 710babf8 a3: 7095a0 a4: b8e59ff2
v1: 709744 v2: 709744 v3: 71246690 v4: 7095a4
v5: 78c v6: 710bbfe9 sl: 709208 fp: 7095c0
ip: 4b sp: 70959c lr: 245504 pc: 245508
cpsr: 60000010
002454f4 : .0\90\E5 : e5903000 : LDR R3,[R0,#0]
002454f8 : . \8D\E2 : e28d2004 : ADD R2,R13,#4
002454fc : .\E0\A0\E1 : e1a0e00f : MOV R14,PC
00245500 : \C0\F0\93\E5 : e593f0c0 : LDR PC,[R3,#192]
00245504 : ..P\E3 : e3500000 : CMP R0,#0
00245508 : .... : 1a00000b : BNE &0024553C
0024550c : .0\9D\E5 : e59d3004 : LDR R3,[R13,#4]
00245510 : .0\85\E5 : e5853000 : STR R3,[R5,#0]
00245514 : ..\9D\E5 : e59d0008 : LDR R0,[R13,#8]
( 7095c0) pc: 245484 lr: 27d088 sp: 7095c4 create_text()
( 7095e4) pc: 27d050 lr: 27d218 sp: 7095e8 append_text()
( 70960c) pc: 27d17c lr: 27e808 sp: 709610 process_characters_expect_whitespace()
( 709648) pc: 27e6f4 lr: 27c7ac sp: 70964c handle_in_head()
( 709660) pc: 27c560 lr: 273344 sp: 709664 hubbub_treebuilder_token_handler()
( 709678) pc: 27331c lr: 278d60 sp: 70967c hubbub_tokeniser_emit_token()
( 7097cc) pc: 27899c lr: 2799c4 sp: 7097d0 hubbub_tokeniser_handle_data()
( 709a40) pc: 279490 lr: 27c4c0 sp: 709a44 hubbub_tokeniser_run()
( 709a50) pc: 27c45c lr: 271fdc sp: 709a54 hubbub_tokeniser_setopt()
( 709a68) pc: 271ec8 lr: 2461ac sp: 709a6c hubbub_parser_setopt()
( 709a80) pc: 24618c lr: 167ab8 sp: 709a84 dom_hubbub_parser_pause()
( 709ab4) pc: 1679dc lr: cf2e8 sp: 709ab8 convert_script_sync_cb()
( 709afc) pc: cf290 lr: c2a34 sp: 709b08 hlcache_content_callback()
( 709b4c) pc: c29c0 lr: c2e7c sp: 709b58 content_broadcast()
( 709bb4) pc: c2e20 lr: 111038 sp: 709bb8 content_set_done()
( 709bc8) pc: 111020 lr: c3120 sp: 709bcc javascript_convert()
( 709c30) pc: c2f54 lr: d1800 sp: 709c34 content_llcache_callback()
( 709c68) pc: d1670 lr: d18f8 sp: 709c6c llcache_object_notify_users()
( 709c80) pc: d18cc lr: 199aa4 sp: 709c84 llcache_catch_up_all_users()
( 709ca0) pc: 199a5c lr: 9fe0 sp: 709ca4 schedule_run()
( 709fe8) pc: 9740 lr: 4eb944 sp: 709fec main() |
|
|
|
valgrind ./nsfb http://www.nhs.uk/conditions/peptic-ulcer/Pages/Introduction.aspx
==18076== Memcheck, a memory error detector
==18076== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==18076== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==18076== Command: ./nsfb http://www.nhs.uk/conditions/peptic-ulcer/Pages/Introduction.aspx
==18076==
==18076== Use of uninitialised value of size 8
==18076== at 0x58F6E4: dom_string_length (in /home/mdrake/dev-netsurf/workspace/netsurf/nsfb)
==18076== by 0x4D2090: dukky_push_handler_code_ (dukky.c:475)
==18076== by 0x4D2090: dukky_get_current_value_of_event_handler (dukky.c:496)
==18076== by 0x41D83F: dukky_document_onreadystatechange_getter (Document.bnd:421)
==18076== by 0x4DB4A1: duk_handle_call (duk_js_call.c:1390)
==18076== by 0x4E8F79: duk_hobject_getprop (duk_hobject_props.c:2578)
==18076== by 0x4D8FB5: duk__js_execute_bytecode_inner (duk_js_executor.c:2864)
==18076== by 0x4DAA6B: duk_js_execute_bytecode (duk_js_executor.c:2045)
==18076== by 0x4DB5BE: duk_handle_call (duk_js_call.c:1503)
==18076== by 0x4FA29C: duk_eval_raw (duk_api_compile.c:46)
==18076== by 0x4D13BE: eval_top_string (dukky.c:382)
==18076== by 0x4DBEB9: duk_handle_safe_call (duk_js_call.c:1925)
==18076== by 0x4D1CC0: js_exec (dukky.c:393)
==18076==
==18076== Use of uninitialised value of size 8
==18076== at 0x58F710: dom_string_length (in /home/mdrake/dev-netsurf/workspace/netsurf/nsfb)
==18076== by 0x4D2090: dukky_push_handler_code_ (dukky.c:475)
==18076== by 0x4D2090: dukky_get_current_value_of_event_handler (dukky.c:496)
==18076== by 0x41D83F: dukky_document_onreadystatechange_getter (Document.bnd:421)
==18076== by 0x4DB4A1: duk_handle_call (duk_js_call.c:1390)
==18076== by 0x4E8F79: duk_hobject_getprop (duk_hobject_props.c:2578)
==18076== by 0x4D8FB5: duk__js_execute_bytecode_inner (duk_js_executor.c:2864)
==18076== by 0x4DAA6B: duk_js_execute_bytecode (duk_js_executor.c:2045)
==18076== by 0x4DB5BE: duk_handle_call (duk_js_call.c:1503)
==18076== by 0x4FA29C: duk_eval_raw (duk_api_compile.c:46)
==18076== by 0x4D13BE: eval_top_string (dukky.c:382)
==18076== by 0x4DBEB9: duk_handle_safe_call (duk_js_call.c:1925)
==18076== by 0x4D1CC0: js_exec (dukky.c:393)
==18076==
==18076== Invalid read of size 8
==18076== at 0x58F718: dom_string_length (in /home/mdrake/dev-netsurf/workspace/netsurf/nsfb)
==18076== by 0x4D2090: dukky_push_handler_code_ (dukky.c:475)
==18076== by 0x4D2090: dukky_get_current_value_of_event_handler (dukky.c:496)
==18076== by 0x41D83F: dukky_document_onreadystatechange_getter (Document.bnd:421)
==18076== by 0x4DB4A1: duk_handle_call (duk_js_call.c:1390)
==18076== by 0x4E8F79: duk_hobject_getprop (duk_hobject_props.c:2578)
==18076== by 0x4D8FB5: duk__js_execute_bytecode_inner (duk_js_executor.c:2864)
==18076== by 0x4DAA6B: duk_js_execute_bytecode (duk_js_executor.c:2045)
==18076== by 0x4DB5BE: duk_handle_call (duk_js_call.c:1503)
==18076== by 0x4FA29C: duk_eval_raw (duk_api_compile.c:46)
==18076== by 0x4D13BE: eval_top_string (dukky.c:382)
==18076== by 0x4DBEB9: duk_handle_safe_call (duk_js_call.c:1925)
==18076== by 0x4D1CC0: js_exec (dukky.c:393)
==18076== Address 0x2043c710 is not stack'd, malloc'd or (recently) free'd
==18076==
==18076==
==18076== HEAP SUMMARY:
==18076== in use at exit: 4,721,998 bytes in 49,431 blocks
==18076== total heap usage: 197,599 allocs, 148,168 frees, 37,039,346 bytes allocated
==18076==
==18076== LEAK SUMMARY:
==18076== definitely lost: 42 bytes in 4 blocks
==18076== indirectly lost: 352 bytes in 8 blocks
==18076== possibly lost: 0 bytes in 0 blocks
==18076== still reachable: 4,721,604 bytes in 49,419 blocks
==18076== suppressed: 0 bytes in 0 blocks
==18076== Rerun with --leak-check=full to see details of leaked memory
==18076==
==18076== For counts of detected and suppressed errors, rerun with: -v
==18076== Use --track-origins=yes to see where uninitialised values come from
==18076== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)
Segmentation fault |
|
|
|
static void dukky_push_handler_code_(duk_context *ctx, dom_string *name,
dom_event_target *et)
{
dom_string *onname, *val;
dom_element *ele = (dom_element *)et;
dom_exception exc;
exc = dom_string_concat(corestring_dom_on, name, &onname);
if (exc != DOM_NO_ERR) {
duk_push_lstring(ctx, "", 0);
return;
}
exc = dom_element_get_attribute(ele, onname, &val);
if ((exc != DOM_NO_ERR) || (val == NULL)) {
dom_string_unref(onname);
duk_push_lstring(ctx, "", 0);
return;
}
dom_string_unref(onname);
duk_push_lstring(ctx, dom_string_data(val), dom_string_length(val));
dom_string_unref(val);
} |
|
|
|
Looks like we're getting a bad dom_string back from dom_element_get_attribute() |
|
|
(0001106)
|
Michael Drake
|
2015-11-19 22:01
(Last edited: 2015-11-19 22:07) |
|
Actually I think we're passing the document node to dom_element_get_attribute().
So the event target isn't an element in that case, and the code currently assumes it is.
|
|
|
|
This is fixed in Git. Sadly the CI system is currently down due to datacenter issues. Look for a CI#3177 or newer to validate the correction. |
|
|
|
Confirmed fixed in 3.4 release |
|