MantisBT - NetSurf
View Issue Details
IDProjectCategoryView StatusDate SubmittedLast Update
0002667NetSurfABENDpublic2019-06-07 14:282019-07-19 09:24
ReporterVincent Sanders 
Assigned ToVincent Sanders 
PrioritynormalSeveritycrashReproducibilityalways
StatusclosedResolutionfixed 
PlatformOSOS Version
Product Version3.9 
Target Version3.9Fixed in Version3.9 
Fixed in CI build #
Reported in CI build #4660
URL of problem pagehttps://googleblog.com/
Summary0002667: the popular sites test is asploding because of a double free
Descriptionafter a great deal of messing about i have a full run performed under valgrind

at some point (the valgrind and test action output are not interleaved properly) the browser wanders off into the weeds eventually double freeing.
Additional Information==14020== Conditional jump or move depends on uninitialised value(s)
==14020== at 0x2917C3: css__mq_cond_or_feature_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x291841: css__mq_cond_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x292E3B: css__mq_query_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x28B0C5: css__stylesheet_rule_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x28B17A: css_stylesheet_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x1CD670: nscss_destroy_css_data (css.c:365)
==14020== by 0x1CD670: nscss_destroy (css.c:343)
==14020== by 0x1C4D36: content_destroy (content.c:388)
==14020== by 0x24018E: hlcache_clean (hlcache.c:140)
==14020== by 0x27130E: monkey_schedule_run (schedule.c:159)
==14020== by 0x13B17B: monkey_run (main.c:277)
==14020== by 0x13B17B: main (main.c:408)
==14020== Uninitialised value was created by a stack allocation
==14020== at 0x292930: mq_parse_condition (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== Use of uninitialised value of size 8
==14020== at 0x2917C6: css__mq_cond_or_feature_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x291841: css__mq_cond_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x292E3B: css__mq_query_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x28B0C5: css__stylesheet_rule_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x28B17A: css_stylesheet_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x1CD670: nscss_destroy_css_data (css.c:365)
==14020== by 0x1CD670: nscss_destroy (css.c:343)
==14020== by 0x1C4D36: content_destroy (content.c:388)
==14020== by 0x24018E: hlcache_clean (hlcache.c:140)
==14020== by 0x27130E: monkey_schedule_run (schedule.c:159)
==14020== by 0x13B17B: monkey_run (main.c:277)
==14020== by 0x13B17B: main (main.c:408)
==14020== Uninitialised value was created by a stack allocation
==14020== at 0x292930: mq_parse_condition (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020==
==14020== Use of uninitialised value of size 8
==14020== at 0x2917F0: css__mq_cond_or_feature_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x291841: css__mq_cond_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x292E3B: css__mq_query_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x28B0C5: css__stylesheet_rule_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x28B17A: css_stylesheet_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x1CD670: nscss_destroy_css_data (css.c:365)
==14020== by 0x1CD670: nscss_destroy (css.c:343)
==14020== by 0x1C4D36: content_destroy (content.c:388)
==14020== by 0x24018E: hlcache_clean (hlcache.c:140)
==14020== by 0x27130E: monkey_schedule_run (schedule.c:159)
==14020== by 0x13B17B: monkey_run (main.c:277)
==14020== by 0x13B17B: main (main.c:408)
==14020== Uninitialised value was created by a stack allocation
==14020== at 0x292930: mq_parse_condition (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020==
==14020== Invalid free() / delete / delete[] / realloc()
==14020== at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==14020== by 0x292E46: css__mq_query_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x28B0C5: css__stylesheet_rule_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x28B17A: css_stylesheet_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x1CD670: nscss_destroy_css_data (css.c:365)
==14020== by 0x1CD670: nscss_destroy (css.c:343)
==14020== by 0x1C4D36: content_destroy (content.c:388)
==14020== by 0x24018E: hlcache_clean (hlcache.c:140)
==14020== by 0x27130E: monkey_schedule_run (schedule.c:159)
==14020== by 0x13B17B: monkey_run (main.c:277)
==14020== by 0x13B17B: main (main.c:408)
==14020== Address 0xd5e1890 is 0 bytes inside a block of size 32 free'd
==14020== at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==14020== by 0x291841: css__mq_cond_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x292E3B: css__mq_query_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x28B0C5: css__stylesheet_rule_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x28B17A: css_stylesheet_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x1CD670: nscss_destroy_css_data (css.c:365)
==14020== by 0x1CD670: nscss_destroy (css.c:343)
==14020== by 0x1C4D36: content_destroy (content.c:388)
==14020== by 0x24018E: hlcache_clean (hlcache.c:140)
==14020== by 0x27130E: monkey_schedule_run (schedule.c:159)
==14020== by 0x13B17B: monkey_run (main.c:277)
==14020== by 0x13B17B: main (main.c:408)
==14020== Block was alloc'd at
==14020== at 0x4C2DBC5: calloc (vg_replace_malloc.c:711)
==14020== by 0x292F9E: css__mq_parse_media_list (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x28FCEA: language_handle_event (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x28C2B7: parseAtRuleEnd (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x28DA79: css__parser_parse_chunk (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x1CD6A6: nscss_process_css_data (css.c:271)
==14020== by 0x1CD6A6: nscss_process_data (css.c:252)
==14020== by 0x1C4239: content_llcache_callback (content.c:150)
==14020== by 0x2423B3: llcache_object_notify_users (llcache.c:3157)
==14020== by 0x2425AF: llcache_catch_up_all_users (llcache.c:3617)
==14020== by 0x27130E: monkey_schedule_run (schedule.c:159)
==14020== by 0x13B17B: monkey_run (main.c:277)
==14020== by 0x13B17B: main (main.c:408)
==14020==
==14020== Conditional jump or move depends on uninitialised value(s)
==14020== at 0x27D3C9: idna__is_valid (idna.c:440)
==14020== by 0x27D3C9: idna_encode (idna.c:640)
==14020== by 0x282F29: nsurl__create_from_section (parse.c:923)
==14020== by 0x284205: nsurl_join (parse.c:1449)
==14020== by 0x1D51B1: node_is_visited (select.c:1634)
==14020== by 0x2B2C3B: css_select_style (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x1D5FB4: nscss_get_style (select.c:266)
==14020== by 0x1DA97A: box_get_style (box_construct.c:1376)
==14020== by 0x1DA97A: box_construct_element (box_construct.c:763)
==14020== by 0x1DA97A: convert_xml_to_box (box_construct.c:383)
==14020== by 0x27130E: monkey_schedule_run (schedule.c:159)
==14020== by 0x13B17B: monkey_run (main.c:277)
==14020== by 0x13B17B: main (main.c:408)
==14020== Uninitialised value was created by a heap allocation
==14020== at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==14020== by 0x27D2FE: idna__utf8_to_ucs4 (idna.c:245)
==14020== by 0x27D2FE: idna_encode (idna.c:634)
==14020== by 0x282F29: nsurl__create_from_section (parse.c:923)
==14020== by 0x284205: nsurl_join (parse.c:1449)
==14020== by 0x1D51B1: node_is_visited (select.c:1634)
==14020== by 0x2B2C3B: css_select_style (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x1D5FB4: nscss_get_style (select.c:266)
==14020== by 0x1DA97A: box_get_style (box_construct.c:1376)
==14020== by 0x1DA97A: box_construct_element (box_construct.c:763)
==14020== by 0x1DA97A: convert_xml_to_box (box_construct.c:383)
==14020== by 0x27130E: monkey_schedule_run (schedule.c:159)
==14020== by 0x13B17B: monkey_run (main.c:277)
==14020== by 0x13B17B: main (main.c:408)
==14020==
==14020== Conditional jump or move depends on uninitialised value(s)
==14020== at 0x27D3C9: idna__is_valid (idna.c:440)
==14020== by 0x27D3C9: idna_encode (idna.c:640)
==14020== by 0x282F29: nsurl__create_from_section (parse.c:923)
==14020== by 0x284205: nsurl_join (parse.c:1449)
==14020== by 0x1DB600: box_extract_link (box_construct.c:3136)
==14020== by 0x1DD67C: box_a (box_construct.c:1494)
==14020== by 0x1DB0EB: box_construct_element (box_construct.c:877)
==14020== by 0x1DB0EB: convert_xml_to_box (box_construct.c:383)
==14020== by 0x27130E: monkey_schedule_run (schedule.c:159)
==14020== by 0x13B17B: monkey_run (main.c:277)
==14020== by 0x13B17B: main (main.c:408)
==14020== Uninitialised value was created by a heap allocation
==14020== at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==14020== by 0x27D2FE: idna__utf8_to_ucs4 (idna.c:245)
==14020== by 0x27D2FE: idna_encode (idna.c:634)
==14020== by 0x282F29: nsurl__create_from_section (parse.c:923)
==14020== by 0x284205: nsurl_join (parse.c:1449)
==14020== by 0x1DB600: box_extract_link (box_construct.c:3136)
==14020== by 0x1DD67C: box_a (box_construct.c:1494)
==14020== by 0x1DB0EB: box_construct_element (box_construct.c:877)
==14020== by 0x1DB0EB: convert_xml_to_box (box_construct.c:383)
==14020== by 0x27130E: monkey_schedule_run (schedule.c:159)
==14020== by 0x13B17B: monkey_run (main.c:277)
==14020== by 0x13B17B: main (main.c:408)
TagsNo tags attached.
Relationships
Attached Files

Notes
(0001949)
Vincent Sanders   
2019-06-09 14:32   
reading the double free more carefully, it appears like this occurs because content_destroy is being run a second time on already destroyed contents!

indeed the previous errors are use of uninitialised values in
css__mq_cond_or_feature_destroy
(0001957)
Vincent Sanders   
2019-06-10 23:00   
from a clean valgrind run now all other detected errors fixed

==18082== Invalid free() / delete / delete[] / realloc()
==18082== at 0x48369AB: free (vg_replace_malloc.c:530)
==18082== by 0x293B7B: css__mq_query_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==18082== by 0x28BD5D: css__stylesheet_rule_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==18082== by 0x28BE1A: css_stylesheet_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==18082== by 0x1C9FBF: nscss_destroy_css_data (css.c:365)
==18082== by 0x1C9FBF: nscss_destroy (css.c:343)
==18082== by 0x1C19A6: content_destroy (content.c:388)
==18082== by 0x2398B6: hlcache_clean (hlcache.c:140)
==18082== by 0x26A1E4: monkey_schedule_run (schedule.c:165)
==18082== by 0x138393: monkey_run (main.c:277)
==18082== by 0x138393: main (main.c:408)
==18082== Address 0x7af97a0 is 0 bytes inside a block of size 32 free'd
==18082== at 0x48369AB: free (vg_replace_malloc.c:530)
==18082== by 0x2924A1: css__mq_cond_destroy.part.4 (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==18082== by 0x293B70: css__mq_query_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==18082== by 0x28BD5D: css__stylesheet_rule_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==18082== by 0x28BE1A: css_stylesheet_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==18082== by 0x1C9FBF: nscss_destroy_css_data (css.c:365)
==18082== by 0x1C9FBF: nscss_destroy (css.c:343)
==18082== by 0x1C19A6: content_destroy (content.c:388)
==18082== by 0x2398B6: hlcache_clean (hlcache.c:140)
==18082== by 0x26A1E4: monkey_schedule_run (schedule.c:165)
==18082== by 0x138393: monkey_run (main.c:277)
==18082== by 0x138393: monkey_run (main.c:277)
==18082== by 0x138393: main (main.c:408)
==18082== Block was alloc'd at
==18082== at 0x4837B65: calloc (vg_replace_malloc.c:752)
==18082== by 0x294067: css__mq_parse_media_list (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==18082== by 0x290936: language_handle_event (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==18082== by 0x28CE77: parseAtRuleEnd (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==18082== by 0x28E559: css__parser_parse_chunk (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==18082== by 0x1C9FF6: nscss_process_css_data (css.c:271)
==18082== by 0x1C9FF6: nscss_process_data (css.c:252)
==18082== by 0x1C0EB9: content_llcache_callback (content.c:150)
==18082== by 0x23B8FC: llcache_object_notify_users (llcache.c:3157)
==18082== by 0x23BA5F: llcache_catch_up_all_users (llcache.c:3617)
==18082== by 0x26A1E4: monkey_schedule_run (schedule.c:165)
==18082== by 0x138393: monkey_run (main.c:277)
==18082== by 0x138393: main (main.c:408)
(0001958)
Vincent Sanders   
2019-06-12 09:31   
memory corruption when content is destroyed.

Thread 1 "nsmonkey" received signal SIGSEGV, Segmentation fault.
0x00005555556ddf99 in css.mq_feature_destroy ()
(gdb) w
Ambiguous command "w": watch, wh, whatis, where, while, while-stepping, winheight, ws.
(gdb) where
#0 0x00005555556ddf99 in css.mq_feature_destroy ()
#1 0x00005555556de049 in css.mq_cond_or_feature_destroy ()
0000002 0x00005555556de092 in css.mq_cond_destroy ()
#3 0x00005555556df68c in css.mq_query_destroy ()
#4 0x00005555556d795e in css.stylesheet_rule_destroy ()
#5 0x00005555556d7a1b in css_stylesheet_destroy ()
#6 0x00005555556197c1 in nscss_destroy_css_data (c=0x55555602d550) at content/handlers/css/css.c:365
#7 nscss_destroy (c=0x55555602d170) at content/handlers/css/css.c:343
#8 0x0000555555610e87 in content_destroy (c=0x55555602d170) at content/content.c:388
#9 0x000055555568c2df in hlcache_clean (ignored=<optimized out>) at content/hlcache.c:140
#10 0x000055555568d12f in hlcache_finalise () at content/hlcache.c:576
#11 0x00005555556a7739 in netsurf_exit () at desktop/netsurf.c:455
#12 0x0000555555587334 in main (argc=<optimized out>, argv=<optimized out>)
    at frontends/monkey/main.c:413
(gdb) list
306 &exc_fd_set,
307 timeout);
308 if (rdy_fd < 0) {
309 monkey_done = true;
310 } else if (rdy_fd > 0) {
311 if (FD_ISSET(0, &read_fd_set)) {
312 monkey_process_command();
313 }
314 }
315 }
(gdb)
(0001959)
Vincent Sanders   
2019-06-12 09:36   
Thread 1 "nsmonkey" received signal SIGSEGV, Segmentation fault.
0x00005555556e3dc8 in css__mq_cond_or_feature_destroy (cond_or_feature=0x50) at src/parse/mq.c:65
65 switch (cond_or_feature->type) {
(gdb) where
#0 0x00005555556e3dc8 in css__mq_cond_or_feature_destroy (cond_or_feature=0x50) at src/parse/mq.c:65
#1 0x00005555556e3d51 in css__mq_cond_parts_destroy (cond_parts=0x5555560b9860) at src/parse/mq.c:46
0000002 0x00005555556e3da2 in css__mq_cond_destroy (cond=0x5555560b9840) at src/parse/mq.c:56
#3 0x00005555556e3e30 in css__mq_query_destroy (media=0x5555560b9810) at src/parse/mq.c:82
#4 0x00005555556d8003 in css__stylesheet_rule_destroy (sheet=0x555555ff99d0, rule=0x5555560b98a0)
    at src/stylesheet.c:1169
#5 0x00005555556d66b0 in css_stylesheet_destroy (sheet=0x555555ff99d0) at src/stylesheet.c:273
#6 0x0000555555619041 in nscss_destroy_css_data (c=0x555555ff9990) at content/handlers/css/css.c:365
#7 nscss_destroy (c=0x555555ff95b0) at content/handlers/css/css.c:343
#8 0x0000555555610707 in content_destroy (c=0x555555ff95b0) at content/content.c:388
#9 0x000055555568bb5f in hlcache_clean (ignored=<optimized out>) at content/hlcache.c:140
#10 0x000055555568c9af in hlcache_finalise () at content/hlcache.c:576
#11 0x00005555556a6fb9 in netsurf_exit () at desktop/netsurf.c:455
#12 0x0000555555586bb4 in main (argc=<optimized out>, argv=<optimized out>)
    at frontends/monkey/main.c:413
(gdb) list
60
61 static void css__mq_cond_or_feature_destroy(
62 css_mq_cond_or_feature *cond_or_feature)
63 {
64 if (cond_or_feature != NULL) {
65 switch (cond_or_feature->type) {
66 case CSS_MQ_FEATURE:
67 css__mq_feature_destroy(cond_or_feature->data.feat);
68 break;
69 case CSS_MQ_COND:
(gdb) p cond_or_feature
$1 = (css_mq_cond_or_feature *) 0x50
(gdb)
(0001960)
Vincent Sanders   
2019-06-12 12:21   
I think that

in libcss/src/parse/mq.c

mq_parse_condition() calls mq_parse_media_in_parens()

mq_parse_media_in_parens() can exit with error CSS_OK but with cond_or_feature unset?!?

this can apparently happen if mq_parse_general_enclosed() in the default case returns CSS_OK note both callers assume cond_or_feature is useful

if mq_parse_condition() returns NULL in cond_or_feature if mq_parse_general_enclosed() returns CSS_OK the memory corruption issues are resolved.
(0001961)
Michael Drake   
2019-06-12 22:07   
Fixed by Vince in http://git.netsurf-browser.org/libcss.git/commit/?id=f3b8e297d3af3817f83011b64cf2a389059115f3
(0001997)
Vincent Sanders   
2019-07-19 09:24   
we believe this issue has been resolved in NetSurf 3.9

Issue History
Date ModifiedUsernameFieldChange
2019-06-07 14:28Vincent SandersNew Issue
2019-06-07 17:25Vincent SandersAdditional Information Updatedbug_revision_view_page.php?rev_id=2088#r2088
2019-06-09 14:32Vincent SandersNote Added: 0001949
2019-06-10 23:00Vincent SandersNote Added: 0001957
2019-06-12 09:31Vincent SandersStatusnew => confirmed
2019-06-12 09:31Vincent SandersURL of problem page => https://googleblog.com/
2019-06-12 09:31Vincent SandersNote Added: 0001958
2019-06-12 09:36Vincent SandersNote Added: 0001959
2019-06-12 12:21Vincent SandersNote Added: 0001960
2019-06-12 22:07Michael DrakeAssigned To => Vincent Sanders
2019-06-12 22:07Michael DrakeStatusconfirmed => resolved
2019-06-12 22:07Michael DrakeResolutionopen => fixed
2019-06-12 22:07Michael DrakeNote Added: 0001961
2019-06-13 17:24Vincent SandersFixed in Version => 3.9
2019-07-19 09:24Vincent SandersStatusresolved => closed
2019-07-19 09:24Vincent SandersNote Added: 0001997