MantisBT - LibCSS
View Issue Details
0002854LibCSSLibCSSpublic2023-03-31 00:552023-09-17 18:53
Reporterphoebos 
Assigned ToMichael Drake 
PrioritynormalSeveritycrashReproducibilityalways
StatusresolvedResolutionfixed 
Platformx86_64OSLinuxOS Version5.15.104
Fixed in CI build #
Reported in CI build #
Summary0002854: Netsurf segmentation fault in libcss
DescriptionViewing the page https://stackoverflow.com/questions/45981545/why-does-noreturn-function-return
causes a segfault.
Steps To Reproducerun "netsurf-gtk3 https://stackoverflow.com/questions/45981545/why-does-noreturn-function-return" for libcss and netsurf at latest git commit.
Additional Informationbacktrace:

#0 css__select_revert_property_to_origin
    (select_state=0x7fffffffa2a0, prop_state=0x7fffffffb418, origin=CSS_ORIGIN_USER, pseudo=CSS_PSEUDO_ELEMENT_NONE, property=CSS_PROP_OUTLINE_COLOR)
    at src/select/select.c:1168
#1 0x0000555555793bd4 in css__select_revert_property
    (select_state=select_state@entry=0x7fffffffa2a0, prop_state=prop_state@entry=0x7fffffffb418, pseudo=pseudo@entry=CSS_PSEUDO_ELEMENT_NONE, property=property@entry=CSS_PROP_OUTLINE_COLOR) at src/select/select.c:1193
0000002 0x00005555557961d1 in css_select_style
    (ctx=<optimized out>, node=node@entry=0x7ffff4334980, unit_ctx=unit_ctx@entry=0x7ffff4525cb0, media=media@entry=0x7ffff4525c50, inline_style=inline_style@entry=0x0, handler=handler@entry=0x555555a01d80 <selection_handler>, pw=0x7fffffffbf50, result=0x7fffffffbf00) at src/select/select.c:1406
#3 0x00005555556939ad in nscss_get_style
    (ctx=ctx@entry=0x7fffffffbf50, n=n@entry=0x7ffff4334980, media=media@entry=0x7ffff4525c50, unit_len_ctx=unit_len_ctx@entry=0x7ffff4525cb0, inline_style=inline_style@entry=0x0) at content/handlers/css/select.c:264
#4 0x0000555555693e66 in box_get_style
    (c=0x7ffff4525a40, parent_style=0x7ffff3d70ab0, root_style=0x7ffff42d7b10, n=0x7ffff4334980) at content/handlers/html/box_construct.c:286
#5 0x000055555569450c in box_construct_element
    (ctx=ctx@entry=0x7ffff3608fe0, convert_children=convert_children@entry=0x7fffffffc07b) at content/handlers/html/box_construct.c:495
#6 0x000055555569572f in convert_xml_to_box (ctx=0x7ffff3608fe0)
    at content/handlers/html/box_construct.c:1240
#7 0x0000555555742c5d in schedule_run () at frontends/gtk/schedule.c:148
#8 0x0000555555738908 in nsgtk_main () at frontends/gtk/gui.c:1072
#9 0x00005555555e721c in main (argc=<optimized out>, argv=<optimized out>)
    at frontends/gtk/gui.c:1231
TagsNo tags attached.
Attached Files? log (47,949) 2023-03-31 00:55
https://bugs.netsurf-browser.org/mantis/file_download.php?file_id=728&type=bug
patch 0001-src-stylesheet.h-set-uses_revert-flag-for-shorthand-.patch (2,207) 2023-08-13 00:27
https://bugs.netsurf-browser.org/mantis/file_download.php?file_id=731&type=bug

Notes
(0002412)
phoebos   
2023-03-31 09:57   
The null dereference in src/select/select.c:1168 causes this segfault, and has been detected by your static analysis CI system for at least 4 months:

https://ci.netsurf-browser.org/jenkins/job/scan-build-libcss/361/clangScanBuildBugs/
(0002413)
phoebos   
2023-03-31 16:30   
ASAN output:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==179658==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000026e8 (pc 0x55f51d0c51f3 bp 0x000000000000 sp 0x7ffe57f77c60 T0)
==179658==The signal is caused by a READ memory access.
    #0 0x55f51d0c51f3 in css__select_revert_property_to_origin /tmp/21803/build/libcss/src/select/select.c:1168:40
    #1 0x55f51cbe66a2 in __sanitizer::BufferedStackTrace::UnwindImpl(unsigned long, unsigned long, void*, bool, unsigned int) Scrt1.c
    0000002 0x55f51cc12e5b in __sanitizer::ReportDeadlySignal(__sanitizer::SignalContext const&, unsigned int, void (*)(__sanitizer::SignalContext const&, void const*, __sanitizer::BufferedStackTrace*), void const*) Scrt1.c
    #3 0x55f51cbe0d53 in __asan::ScopedInErrorReport::~ScopedInErrorReport() Scrt1.c
    #4 0x55f51cbe109d in __asan::ReportDeadlySignal(__sanitizer::SignalContext const&) Scrt1.c
    #5 0x55f51cbdf62d in __asan::AsanOnDeadlySignal(int, void*, void*) Scrt1.c
    #6 0x7f1aacb3e733 in _setjmp /tmp/852136/build/musl/src/signal/x86_64/restore.s:1

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/21803/build/libcss/src/select/select.c:1168:40 in css__select_revert_property_to_origin
==179658==ABORTING
(0002416)
Michael Orlitzky   
2023-08-12 19:09   
The "uses_revert" flag is not being set to true on stylesheets that obviously do contain a revert. That leads to uses_revert being false in the context, which leads to the "revert" pointer not being initialized. Then when we do finally encounter the revert, we try to dereference that (still NULL) pointer.

Here's a much simpler test case:

<html>
  <head>
    <title>hello</title>
    <style>
      body {
        outline: revert;
      }
    </style>
  </head>
  <body>
    


      hi
    


  </body>
</html>
(0002417)
Michael Orlitzky   
2023-08-12 19:10   
^ There's a missing paragraph tag that got absorbed by mantis, but you get the idea.
(0002418)
Michael Orlitzky   
2023-08-13 00:27   
Here's a patch to fix the issue. It was a problem with most shorthand properties (like "outline").
(0002419)
phoebos   
2023-08-13 01:47   
Thanks for your good work, the patch works for me too.
(0002420)
phoebos   
2023-08-13 01:54   
(In fact I now have a new segfault accessing the original page; it seems to be in libnsbmp, so I'll open a new issue).
(0002426)
Michael Drake   
2023-09-17 18:53   
Thanks both, for the report and the fix! Applied.

Issue History
2023-03-31 00:55phoebosNew Issue
2023-03-31 00:55phoebosFile Added: log
2023-03-31 09:57phoebosNote Added: 0002412
2023-03-31 16:30phoebosNote Added: 0002413
2023-08-12 19:09Michael OrlitzkyNote Added: 0002416
2023-08-12 19:10Michael OrlitzkyNote Added: 0002417
2023-08-13 00:27Michael OrlitzkyFile Added: 0001-src-stylesheet.h-set-uses_revert-flag-for-shorthand-.patch
2023-08-13 00:27Michael OrlitzkyNote Added: 0002418
2023-08-13 01:47phoebosNote Added: 0002419
2023-08-13 01:54phoebosNote Added: 0002420
2023-09-17 18:53Michael DrakeAssigned To => Michael Drake
2023-09-17 18:53Michael DrakeStatusnew => resolved
2023-09-17 18:53Michael DrakeResolutionopen => fixed
2023-09-17 18:53Michael DrakeDescription Updatedbug_revision_view_page.php?rev_id=2197#r2197
2023-09-17 18:53Michael DrakeAdditional Information Updatedbug_revision_view_page.php?rev_id=2199#r2199
2023-09-17 18:53Michael DrakeNote Added: 0002426