2024-12-12 13:30 UTC

View Issue Details
ID: 0002228
Project: NetSurf
Category: [All Projects] General
View Status: public
Last Update: 2016-04-12 10:50
Reporter: Chris Young
Assigned To:
Severity: crash
Reproducibility: always
Status: acknowledged
Resolution: open
Platform: Amiga
OS: AmigaOS
OS Version: 4.1
Product Version: 3.3
Target Version: 3.6
Fixed in Version:
Summary: 0002228: Possible race condition with scheduler
Description: When NetSurf deletes a scheduled event, there is the possibility that it is already "in transit" to be triggered before the delete takes effect.

This will occur in the following circumstance:
* The triggered event is sent to the main NetSurf loop using an external (e.g. OS) timer, which includes details of the callback.
* The event is deleted before NetSurf returns to the main loop to pick up messages from the timer.
* The callback is then called but the pointer passed may no longer be valid = crash.
Steps To Reproduce: I can reproduce this on recent AmigaOS builds as the callback is now passed back to NetSurf rather than NetSurf picking the events off the list itself. I've only seen problems with nsgif_animate.
Additional Information: I'm not sure much can be done about this except to mitigate any problems (or insist events are always picked off a shared list). I've attached a possible fix for nsgif_animate but it may not be a full solution if the content object itself has been freed too.
This also ties into bug#2227, as if nsgif_animate stops running long before the object is destroyed this issue would not have arisen.
Tags: No tags attached.
Fixed in CI build #
Reported in CI build #2383
URL of problem page
Attached Files
  • gif.diff (555 bytes) 2014-11-23 20:01
    diff --git a/image/gif.c b/image/gif.c
    index c2f0ae4..31c0c62 100644
    --- a/image/gif.c
    +++ b/image/gif.c
    @@ -142,6 +142,8 @@ static void nsgif_animate(void *p)
     	int delay;
     	int f;
     
    +	if(gif->gif == NULL) return;
    +
     	/* Advance by a frame, updating the loop count accordingly */
     	gif->current_frame++;
     	if (gif->current_frame == (int)gif->gif->frame_count_partial) {
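Review bot: The new `gif->gif == NULL` test at the top of nsgif_animate still dereferences the pointer passed in as `p`, so it only protects a late callback while the content structure itself is still allocated; if that structure has been freed as well, the test is itself a read of freed memory. The guard is reasonable as a stopgap, but the stale callback needs to be rejected before nsgif_animate is entered, for example by having the frontend confirm the event is still on the schedule list before calling it. Style: the surrounding code writes `if (` with a space and puts the body on its own line.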
    @@ -360,6 +362,7 @@ static void nsgif_destroy(struct content *c)
     	guit->browser->schedule(-1, nsgif_animate, c);
     	gif_finalise(gif->gif);
     	free(gif->gif);
    +	gif->gif = NULL;
     }
     
     
    
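Review bot: The `gif->gif = NULL;` store after `free(gif->gif)` in nsgif_destroy has no visible reader in this function, so without a comment it looks like a dead store and could be dropped in a later cleanup. Add a comment saying it exists for an nsgif_animate callback that arrives after `schedule(-1, nsgif_animate, c)` has run, and note that it only helps if `c` outlives this call.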

Relationships
related to 0002227 (closed, Chris Young): nsgif_animate runs when gif not displayed

Notes
~0000557 Chris Young (developer)

There's a better fix in branch chris/stop-gif-anim which ensures if nsgif_animate gets called when it shouldn't, it won't continue to repeat (the animation callback now stops when there are no more users).
Branch will need checking/merging.
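
The "shared list" mitigation mentioned under Additional Information, as an added example (not NetSurf code and not part of the issue or its notes): the timer message carries a slot index and generation number instead of the callback and its pointer, and the main loop checks them against the live table before calling out. All names here (sched_add, sched_remove, sched_dispatch, timer_msg, count_cb) are hypothetical.

```c
/* Added illustration; every name is hypothetical, not NetSurf's scheduler API. */
#define MAX_EVENTS 8
typedef void (*sched_cb)(void *p);
struct sched_slot { sched_cb cb; void *p; unsigned gen; int live; };
struct timer_msg { int slot; unsigned gen; };	/* what the timer posts */
static struct sched_slot table[MAX_EVENTS];

/* Register an event; returns the message the timer will post (slot -1 if full). */
struct timer_msg sched_add(sched_cb cb, void *p)
{
	struct timer_msg m = { -1, 0 };
	for (int i = 0; i < MAX_EVENTS && m.slot < 0; i++) {
		if (table[i].live)
			continue;
		table[i].cb = cb;
		table[i].p = p;
		table[i].live = 1;
		m.slot = i;
		m.gen = table[i].gen;
	}
	return m;
}

/* Cancel all events matching (cb, p); bumping gen invalidates in-flight messages. */
void sched_remove(sched_cb cb, void *p)
{
	for (int i = 0; i < MAX_EVENTS; i++) {
		if (table[i].live && table[i].cb == cb && table[i].p == p) {
			table[i].live = 0;
			table[i].gen++;
		}
	}
}

/* Main-loop side: 1 if the callback ran, 0 if the message was stale and dropped. */
int sched_dispatch(struct timer_msg m)
{
	if (m.slot < 0 || m.slot >= MAX_EVENTS)
		return 0;
	struct sched_slot *s = &table[m.slot];
	if (!s->live || s->gen != m.gen)
		return 0;	/* deleted (or slot reused) while in transit */
	s->live = 0;		/* one-shot: consume before calling out */
	s->gen++;
	s->cb(s->p);
	return 1;
}

void count_cb(void *p) { ++*(int *)p; }	/* constructed sample callback */
```

Because the message never carries the object pointer, a delete that lands while the message is queued leaves nothing for the main loop to dereference.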

Issue History
Date Modified | Username | Field | Change
2014-11-23 20:01 | Chris Young | New Issue |
2014-11-23 20:01 | Chris Young | File Added: gif.diff |
2014-11-23 20:01 | Chris Young | Additional Information Updated |
2014-12-01 14:15 | Vincent Sanders | Status | new => acknowledged
2014-12-01 14:15 | Vincent Sanders | Description Updated |
2014-12-01 14:15 | Vincent Sanders | Additional Information Updated |
2014-12-09 15:21 | Chris Young | Relationship added | related to 0002227
2014-12-09 15:24 | Chris Young | Severity | minor => crash
2014-12-09 15:24 | Chris Young | Target Version | => 3.3
2014-12-12 17:17 | Chris Young | Note Added: 0000557 |
2015-02-28 16:03 | Vincent Sanders | Target Version | 3.3 => 3.4
2016-02-16 13:46 | Vincent Sanders | Target Version | 3.4 => 3.5
2016-04-12 10:50 | Vincent Sanders | Target Version | 3.5 => 3.6