MantisBT - NetSurf
View Issue Details
ID: 0002529
Project: NetSurf
Category: RISC OS-specific
View Status: public
Date Submitted: 2017-03-08 22:22
Last Update: 2017-03-27 14:36
Reporter: Peter Young
Assigned To:
Priority: normal
Severity: crash
Reproducibility: random
Status: acknowledged
Resolution: open
Platform: RISC OS
OS: RISC OS
OS Version: 5.23 18 Mar 16
Product Version: 3.7
Target Version:
Fixed in Version:
Fixed in CI build #:
Reported in CI build #: 4018
URL of problem page: None
Summary: 0002529: Crash at shutdown
Description: At shutdown, NetSurf reports a fatal error. Logfile is saved, and is attached. I have no idea of any predictable way of reproducing this.
Steps To Reproduce: None known
Additional Information: None
Tags: No tags attached.
Attached Files: Logfile.zip (37,589) 2017-03-08 22:22
https://bugs.netsurf-browser.org/mantis/file_download.php?file_id=486&type=bug

Notes
(0001521)
Peter Young   
2017-03-12 22:02   
Still happening unpredictably
(0001530)
Vincent Sanders   
2017-03-27 12:11   
(20078.880000) content/fs_backing_store.c:1615 finalise: Cache total/hit/miss/fail (counts) 45/4/41/0 (100%/8%/91%/0%)
(20078.880000) content/llcache.c:3433 llcache_finalise: Backing store wrote 248406 bytes in 247 ms (average 1005692 bytes/second)
(20078.880000) desktop/netsurf.c:262 netsurf_exit: Closing fetches
(20078.880000) render/html_css_fetcher.c:70 html_css_fetcher_finalise: html_css_fetcher_finalise called for x-ns-css
(20078.880000) content/fetchers/curl.c:174 fetch_curl_finalise: Finalise cURL fetcher http
(20078.880000) content/fetchers/curl.c:174 fetch_curl_finalise: Finalise cURL fetcher https
(20078.880000) content/fetchers/curl.c:178 fetch_curl_finalise: All cURL fetchers finalised, closing down cURL
(20078.990000) content/fetchers/data.c:67 fetch_data_finalise: fetch_data_finalise called for data
(20078.990000) content/handlers/image/image_cache.c:439 image_cache_fini: Size at finish 0 (in 0)
(20078.990000) content/handlers/image/image_cache.c:449 image_cache_fini: Age 20060s
(20078.990000) content/handlers/image/image_cache.c:451 image_cache_fini: Peak size 1386740 (in 11)
(20078.990000) content/handlers/image/image_cache.c:453 image_cache_fini: Peak image count 61 (size 244028)
(20078.990000) content/handlers/image/image_cache.c:469 image_cache_fini: Cache total/hit/miss/fail (counts) 197/149/48/0 (100%/75%/24%/0%)
(20078.990000) content/handlers/image/image_cache.c:477 image_cache_fini: Cache total/hit/miss/fail (size) 8609760/5404368/3205392/0 (100%/62%/37%/0%)
(20078.990000) content/handlers/image/image_cache.c:482 image_cache_fini: Total images never rendered: 5 (includes 7 that were converted)
(20078.990000) content/handlers/image/image_cache.c:486 image_cache_fini: Total number of excessive conversions: 6 (from 6 images converted more than once)
(20078.990000) content/handlers/image/image_cache.c:490 image_cache_fini: Bitmap of size 820800 had most (2) conversions
(20078.990000) desktop/netsurf.c:273 netsurf_exit: Closing utf8
(20078.990000) desktop/netsurf.c:276 netsurf_exit: Destroying URLdb
(20078.1000000) desktop/netsurf.c:279 netsurf_exit: Destroying System colours
Fatal signal received: Illegal Instruction

Stack backtrace:

Running thread 0x74cb14 (Main Thread)
  ( 75dee0) pc: 50395c lr: 160b8c sp: 75dee4 __write_backtrace()
  ( 75df08) pc: 160b0c lr: 504288 sp: 75df0c ro_gui_signal()
  ( 75df30) pc: 504270 lr: 503f64 sp: 75df34 __unixlib_exec_sig()
  ( 75dfa0) pc: 503a7c lr: 504870 sp: 75dfa4 __unixlib_raise_signal()
  ( 75dfb0) pc: 504774 lr: 13d15c sp: 75cc88 __h_cback()

  Register dump at 0075dfb4:

    a1: a a2: 0 a3: 75cc09 a4: 5fb6d
    v1: 73d9d4 v2: 80144494 v3: 73d9dc v4: 74d128
    v5: 75cb04 v6: 12 sl: 75c208 fp: 75cc98
    ip: 1 sp: 75cc88 lr: 13d15c pc: 1445f4
    cpsr: 90000110

  001445e0 : .... : 00000000 : ANDEQ R0,R0,R0
  001445e4 : .... : 00000000 : ANDEQ R0,R0,R0
  001445e8 : .... : 00000000 : ANDEQ R0,R0,R0
  001445ec : 99.. : 02c53939 : SBCEQ R3,R5,#&000E4000
  001445f0 : .P.> : 3e9b50b0 : MRCCC CP0,4,R5,C11,C0,5
  001445f4 : ..<T : 543cacae : LDRPLT R10,[R12],#-3246
  001445f8 : .TT. : ad5454af : LDCGEL CP4,C5,[R4,#-700]
  001445fc : 9... : 00bed339 : ADCEQS R13,R14,R9,LSR R3
  00144600 : 9... : 01cd0a39 : BICEQ R0,R13,R9,LSR R10

  ( 75cc98) pc: 13d0b0 lr: aa48 sp: 75cc9c netsurf_exit()
  ( 75cfe8) pc: a288 lr: 5128b4 sp: 75cfec main()
(0001531)
Vincent Sanders   
2017-03-27 14:36   
This appears to be usage of freed memory when system_colour.c:ns_system_colour_finalize() removes lwc references from the system colour table.

I instrumented the lwc string unref to assert if the refcount is zero on entry and zeroed the memory in lwc_string_destroy but was unable to reproduce on Linux.

As the colour_list table is held within system_colour.c and is never exposed, I can only assume that one of the colour names (desktop/options.h) is being used elsewhere and the refcount went wrong.
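
The instrumentation described in note 0001531, sketched as an added example (not NetSurf's or libwapcaplet's code): a toy interned-string pool whose unref reports a zero refcount on entry and zeroes the object on destroy, run against a constructed over-unref by a second holder. The `istr_*` names, the static pool and the `example_colour` string are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

typedef struct { unsigned refcnt; char text[28]; } istr; /* hypothetical type, not libwapcaplet's */
enum { ISTR_OK = 0, ISTR_LIVE = 1, ISTR_UNDERFLOW = -1 };
static istr pool[4];   /* static pool, so "destroyed" slots stay addressable */

static istr *istr_intern(const char *s)
{
    for (size_t i = 0; i < 4; i++)         /* already interned: share it */
        if (pool[i].refcnt && strcmp(pool[i].text, s) == 0) {
            pool[i].refcnt++;
            return &pool[i];
        }
    for (size_t i = 0; i < 4; i++)         /* otherwise claim a free slot */
        if (pool[i].refcnt == 0) {
            snprintf(pool[i].text, sizeof pool[i].text, "%s", s);
            pool[i].refcnt = 1;
            return &pool[i];
        }
    return NULL;
}

/* Instrumented unref: flag refcount == 0 on entry, zero the object on destroy. */
static int istr_unref(istr *s)
{
    if (s->refcnt == 0)
        return ISTR_UNDERFLOW;             /* caller holds a dead reference */
    if (--s->refcnt > 0)
        return ISTR_LIVE;
    memset(s, 0, sizeof *s);               /* stale readers now see zeros */
    return ISTR_OK;
}

static int simulate_finalise(int extra_unrefs)   /* constructed scenario */
{
    memset(pool, 0, sizeof pool);
    istr *table_ref = istr_intern("example_colour");   /* the table's reference */
    istr *user_ref = istr_intern("example_colour");    /* a second holder elsewhere */
    istr_unref(user_ref);                  /* balanced release */
    for (int i = 0; i < extra_unrefs; i++)
        istr_unref(user_ref);              /* the refcount bug */
    return istr_unref(table_ref);          /* what finalisation would do */
}

int main(void)
{
    printf("balanced=%d over-unref=%d\n", simulate_finalise(0), simulate_finalise(1));
    return 0;
}
```

With balanced references the final unref destroys the string normally; with one extra unref elsewhere, the finalisation step is the call that trips the zero-refcount check.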

Issue History
2017-03-08 22:22 | Peter Young | New Issue
2017-03-08 22:22 | Peter Young | File Added: Logfile.zip
2017-03-12 22:02 | Peter Young | Note Added: 0001521
2017-03-27 12:11 | Vincent Sanders | Note Added: 0001530
2017-03-27 12:12 | Vincent Sanders | Severity: major => crash
2017-03-27 12:12 | Vincent Sanders | Status: new => acknowledged
2017-03-27 12:12 | Vincent Sanders | Product Version: => 3.7
2017-03-27 14:36 | Vincent Sanders | Note Added: 0001531