MantisBT - NetSurf
View Issue Details
Id: 0002428
Project: NetSurf
Category: RISC OS-specific
View Status: public
Date Submitted: 2016-02-20 19:10
Last Update: 2016-03-07 12:59
Reporter: Richard Porter
Assigned To:
Priority: normal
Severity: crash
Reproducibility: unable to reproduce
Status: confirmed
Resolution: open
Platform: RiscPC
OS: RISC OS
OS Version: 6.16
Product Version: 3.5
Target Version:
Fixed in Version:
Fixed in CI build #:
Reported in CI build #: 3416
URL of problem page: http://www.minimarcos.org.uk/cgi-bin/forum/Blah.pl?,b=MJ,v=display,m=1454193515,s=1,highlight=#num1
Summary: 0002428: Segfault on saving image
Description: Trying to save third picture of the green car having already saved the first two.
Steps To Reproduce: Go to problem page (actually I did a 'top ten' search but that may be completely different when you investigate this), save photos to local directory.
Additional Information: I then updated NetSurf to CI #3420 and downloaded the photo successfully.
You don't need to be registered on the forum to read it.
Tags: No tags attached.
Attached Files: nslog324.zip (zip, 210,717) 2016-02-20 19:10
https://bugs.netsurf-browser.org/mantis/file_download.php?file_id=413&type=bug

Notes
(0001344) Vincent Sanders, 2016-03-07 12:42

Segmentation fault during saving element in content__get_source_data().

Use after free?

There was a cache clear just before:

(33274.940000) render/html.c:1513 html_destroy: content 0x3a255518

...

(33274.980000) render/html_object.c:636 html_object_free_objects: object 0x3ac457d8
(33274.980000) content/content.c:693 content_remove_user: content http://www.minimarcos.org.uk/BlahImages/logo.gif (0x3a7820a8), user 0xd0c68 0x3ac457d8

backtrace:

  ( 728bf4) pc: c5ac0 lr: c5b58 sp: 728bf8 content__get_source_data()
  ( 728c08) pc: c5b40 lr: 1980dc sp: 728c0c content_get_source_data()
  ( 728c40) pc: 197fd0 lr: 199fec sp: 728c44 ro_gui_save_content()
  ( 728c64) pc: 199f6c lr: 18803c sp: 728c68 ro_gui_save_datasave_ack()
  ( 728c7c) pc: 187fb0 lr: 193b9c sp: 728c80 ro_msg_datasave_ack()
  ( 728ca0) pc: 193ab4 lr: 9e7c sp: 728ca4 ro_message_handle_message()
  ( 728fe8) pc: 9750 lr: 4f7f70 sp: 728fec main()
(0001345) Vincent Sanders, 2016-03-07 12:59

This is actually a lifetime issue within riscos/save.c.

This front end saves the hlcache handle in ro_gui_save_set_state() without incrementing its reference count, so when a cache clear throws away the "unused" object there is still a reference in the gui_save_content variable which is no longer viable, and this immediately leads to using freed memory and a crash.
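The lifetime bug described in the second note, as an added example that is not NetSurf's code: a toy reference-counted cache (cache_get, cache_retain, cache_release, cache_clear, save_set_state_buggy, save_set_state_fixed and save_datasave_ack are assumed names, not hlcache's API) in which a handle stashed without taking a reference is destroyed by a cache clear before the save completes, while the variant that retains the handle survives. The destroyed state is modelled with a flag rather than free() so the stale use is detectable instead of undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>

/* Toy reference-counted cache entry standing in for an hlcache handle
 * (constructed for this example, not NetSurf's real hlcache). The destroyed
 * state is a flag instead of free() so a stale use is detectable, not UB. */
typedef struct { int refcount; bool live; const char *data; } cache_entry;
static cache_entry g_entry;        /* the single constructed image entry */
static cache_entry *saved_handle;  /* plays the role of gui_save_content */

static cache_entry *cache_get(const char *data)
{
    g_entry.refcount = 0;          /* fetched, but nobody holds a reference yet */
    g_entry.live = true;
    g_entry.data = data;
    return &g_entry;
}
static void cache_retain(cache_entry *e) { e->refcount++; }
static void cache_release(cache_entry *e) { if (e->refcount > 0) e->refcount--; }

/* Cache clear: destroys every entry with no outstanding reference. */
static void cache_clear(void)
{
    if (g_entry.refcount == 0) { g_entry.live = false; g_entry.data = NULL; }
}
/* Buggy pattern from the note: stash the handle without taking a reference. */
static void save_set_state_buggy(cache_entry *h) { saved_handle = h; }
/* Fixed pattern: hold a reference for as long as the save is pending. */
static void save_set_state_fixed(cache_entry *h) { cache_retain(h); saved_handle = h; }

/* DataSaveAck side: fetch the source data. Returns NULL if the handle was
 * destroyed meanwhile, which is where the real code touched freed memory. */
static const char *save_datasave_ack(void)
{
    cache_entry *h = saved_handle;
    saved_handle = NULL;
    if (h == NULL || !h->live)
        return NULL;
    const char *src = h->data;
    cache_release(h);              /* drop the reference taken in set_state */
    return src;
}

/* Set save state, let a cache clear run, then complete the save. */
static bool save_survives_cache_clear(bool fixed)
{
    cache_entry *h = cache_get("image bytes");
    if (fixed) save_set_state_fixed(h); else save_set_state_buggy(h);
    cache_clear();
    return save_datasave_ack() != NULL;
}
```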

Issue History
2016-02-20 19:10 | Richard Porter | New Issue
2016-02-20 19:10 | Richard Porter | File Added: nslog324.zip
2016-03-07 12:42 | Vincent Sanders | Note Added: 0001344
2016-03-07 12:42 | Vincent Sanders | Status: new => acknowledged
2016-03-07 12:42 | Vincent Sanders | Product Version: => 3.5
2016-03-07 12:42 | Vincent Sanders | Additional Information Updated (bug_revision_view_page.php?rev_id=1828#r1828)
2016-03-07 12:59 | Vincent Sanders | Note Added: 0001345
2016-03-07 12:59 | Vincent Sanders | Status: acknowledged => confirmed
2016-03-07 12:59 | Vincent Sanders | Category: ABEND => RISC OS-specific