2019-01-22 02:58 UTC

ID: 0002387
Project: NetSurf
Category: Javascript
View Status: public
Last Update: 2016-02-16 14:14
Reporter: Harriet Bazley
Assigned To: Daniel Silverstone
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Platform: ARM
OS: RISC OS
OS Version: 5.19
Product Version: 3.4
Target Version: 3.4
Fixed in Version: 3.4
Summary: 0002387: Segfault on NHS page
Description: NetSurf crashes with a segfault every time I attempt to view the page http://www.nhs.uk/conditions/peptic-ulcer/Pages/Introduction.aspx
With JavaScript disabled, the page loads without problems. Tried with latest version of NetSurf, same issue.
Steps To Reproduce: Visit page.
Tags: No tags attached.
Fixed in CI build #
Reported in CI build #3058
URL of problem page: http://www.nhs.uk/conditions/peptic-ulcer/Pages/Introduction.aspx
Attached Files:
  • Log.zip (8,261 bytes) 2015-11-11 01:16

Notes

~0001067

Michael Drake (administrator)

(32.330000) javascript/duktape/dukky.c:655 dukky_register_event_listener_for: have registered listener for 0x710db2d0.click
(32.330000) javascript/duktape/dukky.c:407 js_exec: Returning false


Fatal signal received: Segmentation fault

Stack backtrace:

Running thread 0x701fd8
  ( 70aee0) pc: 4dcc7c lr: 185e78 sp: 70aee4 __write_backtrace()
  ( 70af08) pc: 185df8 lr: 4dd5a0 sp: 70af0c ro_gui_signal()
  ( 70af30) pc: 4dd588 lr: 4dd27c sp: 70af34 __unixlib_exec_sig()
  ( 70afa0) pc: 4dcd94 lr: 4ddb84 sp: 70afa4 __unixlib_raise_signal()
  ( 70afb0) pc: 4dda88 lr: 245504 sp: 70959c __h_cback()

  Register dump at 0070afb4:

    a1: 1 a2: 710babf8 a3: 7095a0 a4: b8e59ff2
    v1: 709744 v2: 709744 v3: 71246690 v4: 7095a4
    v5: 78c v6: 710bbfe9 sl: 709208 fp: 7095c0
    ip: 4b sp: 70959c lr: 245504 pc: 245508
    cpsr: 60000010

  002454f4 : .0\90\E5 : e5903000 : LDR R3,[R0,#0]
  002454f8 : . \8D\E2 : e28d2004 : ADD R2,R13,#4
  002454fc : .\E0\A0\E1 : e1a0e00f : MOV R14,PC
  00245500 : \C0\F0\93\E5 : e593f0c0 : LDR PC,[R3,#192]
  00245504 : ..P\E3 : e3500000 : CMP R0,#0
  00245508 : .... : 1a00000b : BNE &0024553C
  0024550c : .0\9D\E5 : e59d3004 : LDR R3,[R13,#4]
  00245510 : .0\85\E5 : e5853000 : STR R3,[R5,#0]
  00245514 : ..\9D\E5 : e59d0008 : LDR R0,[R13,#8]

  ( 7095c0) pc: 245484 lr: 27d088 sp: 7095c4 create_text()
  ( 7095e4) pc: 27d050 lr: 27d218 sp: 7095e8 append_text()
  ( 70960c) pc: 27d17c lr: 27e808 sp: 709610 process_characters_expect_whitespace()
  ( 709648) pc: 27e6f4 lr: 27c7ac sp: 70964c handle_in_head()
  ( 709660) pc: 27c560 lr: 273344 sp: 709664 hubbub_treebuilder_token_handler()
  ( 709678) pc: 27331c lr: 278d60 sp: 70967c hubbub_tokeniser_emit_token()
  ( 7097cc) pc: 27899c lr: 2799c4 sp: 7097d0 hubbub_tokeniser_handle_data()
  ( 709a40) pc: 279490 lr: 27c4c0 sp: 709a44 hubbub_tokeniser_run()
  ( 709a50) pc: 27c45c lr: 271fdc sp: 709a54 hubbub_tokeniser_setopt()
  ( 709a68) pc: 271ec8 lr: 2461ac sp: 709a6c hubbub_parser_setopt()
  ( 709a80) pc: 24618c lr: 167ab8 sp: 709a84 dom_hubbub_parser_pause()
  ( 709ab4) pc: 1679dc lr: cf2e8 sp: 709ab8 convert_script_sync_cb()
  ( 709afc) pc: cf290 lr: c2a34 sp: 709b08 hlcache_content_callback()
  ( 709b4c) pc: c29c0 lr: c2e7c sp: 709b58 content_broadcast()
  ( 709bb4) pc: c2e20 lr: 111038 sp: 709bb8 content_set_done()
  ( 709bc8) pc: 111020 lr: c3120 sp: 709bcc javascript_convert()
  ( 709c30) pc: c2f54 lr: d1800 sp: 709c34 content_llcache_callback()
  ( 709c68) pc: d1670 lr: d18f8 sp: 709c6c llcache_object_notify_users()
  ( 709c80) pc: d18cc lr: 199aa4 sp: 709c84 llcache_catch_up_all_users()
  ( 709ca0) pc: 199a5c lr: 9fe0 sp: 709ca4 schedule_run()
  ( 709fe8) pc: 9740 lr: 4eb944 sp: 709fec main()
~0001069

Michael Drake (administrator)

valgrind ./nsfb http://www.nhs.uk/conditions/peptic-ulcer/Pages/Introduction.aspx
==18076== Memcheck, a memory error detector
==18076== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==18076== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==18076== Command: ./nsfb http://www.nhs.uk/conditions/peptic-ulcer/Pages/Introduction.aspx
==18076==
==18076== Use of uninitialised value of size 8
==18076== at 0x58F6E4: dom_string_length (in /home/mdrake/dev-netsurf/workspace/netsurf/nsfb)
==18076== by 0x4D2090: dukky_push_handler_code_ (dukky.c:475)
==18076== by 0x4D2090: dukky_get_current_value_of_event_handler (dukky.c:496)
==18076== by 0x41D83F: dukky_document_onreadystatechange_getter (Document.bnd:421)
==18076== by 0x4DB4A1: duk_handle_call (duk_js_call.c:1390)
==18076== by 0x4E8F79: duk_hobject_getprop (duk_hobject_props.c:2578)
==18076== by 0x4D8FB5: duk__js_execute_bytecode_inner (duk_js_executor.c:2864)
==18076== by 0x4DAA6B: duk_js_execute_bytecode (duk_js_executor.c:2045)
==18076== by 0x4DB5BE: duk_handle_call (duk_js_call.c:1503)
==18076== by 0x4FA29C: duk_eval_raw (duk_api_compile.c:46)
==18076== by 0x4D13BE: eval_top_string (dukky.c:382)
==18076== by 0x4DBEB9: duk_handle_safe_call (duk_js_call.c:1925)
==18076== by 0x4D1CC0: js_exec (dukky.c:393)
==18076==
==18076== Use of uninitialised value of size 8
==18076== at 0x58F710: dom_string_length (in /home/mdrake/dev-netsurf/workspace/netsurf/nsfb)
==18076== by 0x4D2090: dukky_push_handler_code_ (dukky.c:475)
==18076== by 0x4D2090: dukky_get_current_value_of_event_handler (dukky.c:496)
==18076== by 0x41D83F: dukky_document_onreadystatechange_getter (Document.bnd:421)
==18076== by 0x4DB4A1: duk_handle_call (duk_js_call.c:1390)
==18076== by 0x4E8F79: duk_hobject_getprop (duk_hobject_props.c:2578)
==18076== by 0x4D8FB5: duk__js_execute_bytecode_inner (duk_js_executor.c:2864)
==18076== by 0x4DAA6B: duk_js_execute_bytecode (duk_js_executor.c:2045)
==18076== by 0x4DB5BE: duk_handle_call (duk_js_call.c:1503)
==18076== by 0x4FA29C: duk_eval_raw (duk_api_compile.c:46)
==18076== by 0x4D13BE: eval_top_string (dukky.c:382)
==18076== by 0x4DBEB9: duk_handle_safe_call (duk_js_call.c:1925)
==18076== by 0x4D1CC0: js_exec (dukky.c:393)
==18076==
==18076== Invalid read of size 8
==18076== at 0x58F718: dom_string_length (in /home/mdrake/dev-netsurf/workspace/netsurf/nsfb)
==18076== by 0x4D2090: dukky_push_handler_code_ (dukky.c:475)
==18076== by 0x4D2090: dukky_get_current_value_of_event_handler (dukky.c:496)
==18076== by 0x41D83F: dukky_document_onreadystatechange_getter (Document.bnd:421)
==18076== by 0x4DB4A1: duk_handle_call (duk_js_call.c:1390)
==18076== by 0x4E8F79: duk_hobject_getprop (duk_hobject_props.c:2578)
==18076== by 0x4D8FB5: duk__js_execute_bytecode_inner (duk_js_executor.c:2864)
==18076== by 0x4DAA6B: duk_js_execute_bytecode (duk_js_executor.c:2045)
==18076== by 0x4DB5BE: duk_handle_call (duk_js_call.c:1503)
==18076== by 0x4FA29C: duk_eval_raw (duk_api_compile.c:46)
==18076== by 0x4D13BE: eval_top_string (dukky.c:382)
==18076== by 0x4DBEB9: duk_handle_safe_call (duk_js_call.c:1925)
==18076== by 0x4D1CC0: js_exec (dukky.c:393)
==18076== Address 0x2043c710 is not stack'd, malloc'd or (recently) free'd
==18076==
==18076==
==18076== HEAP SUMMARY:
==18076== in use at exit: 4,721,998 bytes in 49,431 blocks
==18076== total heap usage: 197,599 allocs, 148,168 frees, 37,039,346 bytes allocated
==18076==
==18076== LEAK SUMMARY:
==18076== definitely lost: 42 bytes in 4 blocks
==18076== indirectly lost: 352 bytes in 8 blocks
==18076== possibly lost: 0 bytes in 0 blocks
==18076== still reachable: 4,721,604 bytes in 49,419 blocks
==18076== suppressed: 0 bytes in 0 blocks
==18076== Rerun with --leak-check=full to see details of leaked memory
==18076==
==18076== For counts of detected and suppressed errors, rerun with: -v
==18076== Use --track-origins=yes to see where uninitialised values come from
==18076== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)
Segmentation fault
~0001070

Michael Drake (administrator)

static void dukky_push_handler_code_(duk_context *ctx, dom_string *name,
                                     dom_event_target *et)
{
    dom_string *onname, *val;
    /* Unchecked downcast: the event target is assumed to be an element. */
    dom_element *ele = (dom_element *)et;
    dom_exception exc;

    /* Build the attribute name "on" + event name, e.g. "onreadystatechange". */
    exc = dom_string_concat(corestring_dom_on, name, &onname);
    if (exc != DOM_NO_ERR) {
        duk_push_lstring(ctx, "", 0);
        return;
    }

    /* Look the attribute up on the (assumed) element. */
    exc = dom_element_get_attribute(ele, onname, &val);
    if ((exc != DOM_NO_ERR) || (val == NULL)) {
        dom_string_unref(onname);
        duk_push_lstring(ctx, "", 0);
        return;
    }

    dom_string_unref(onname);
    /* Push the handler source as the property value. */
    duk_push_lstring(ctx, dom_string_data(val), dom_string_length(val));
    dom_string_unref(val);
}
~0001072

Michael Drake (administrator)

Looks like we're getting a bad dom_string back from dom_element_get_attribute().
~0001106

Michael Drake (administrator)

Last edited: 2015-11-19 22:07

Actually I think we're passing the document node to dom_element_get_attribute().

So the event target isn't an element in that case, and the code currently assumes it is.
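
Added example (not NetSurf or libdom code) of the check the diagnosis above calls for: test the event target's node type before treating it as an element, so a document node yields an empty handler instead of an out-of-bounds read. libdom is not available here, so the node and element types below are a constructed stand-in for dom_node/dom_element; in NetSurf the equivalent check is dom_node_get_node_type() against DOM_ELEMENT_NODE.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for libdom's node hierarchy (not the real types):
 * every node carries a type tag; only element nodes carry attributes. */
typedef enum { NODE_ELEMENT = 1, NODE_DOCUMENT = 9 } node_type;
typedef struct { node_type type; } node;                      /* dom_node / dom_event_target */
typedef struct { const char *name; const char *value; } attr;
typedef struct { node base; const attr *attrs; size_t nattrs; } element;  /* dom_element */

/* Hardened replacement for the lookup in dukky_push_handler_code_(): the
 * original cast the event target straight to an element, so a document node
 * (a one-word struct here) was read as if it had an attribute list, which is
 * the out-of-bounds read Valgrind flagged.  Here the type tag is checked
 * first; non-elements and missing attributes both yield "" as before. */
static const char *handler_code(const node *et, const char *event_name)
{
    char onname[64];

    if (et == NULL || et->type != NODE_ELEMENT)
        return "";                      /* document/text nodes have no on* attributes */
    if (strlen(event_name) + 3 > sizeof onname)
        return "";                      /* event name too long for the buffer */
    strcpy(onname, "on");               /* "on" + name, e.g. "onreadystatechange" */
    strcat(onname, event_name);

    const element *ele = (const element *)et;   /* downcast is now justified */
    for (size_t i = 0; i < ele->nattrs; i++)
        if (strcmp(ele->attrs[i].name, onname) == 0)
            return ele->attrs[i].value;
    return "";
}

/* Constructed inputs mirroring the crash: the document node that reached the
 * getter, and an element that does carry a handler attribute. */
static const node document_node = { NODE_DOCUMENT };
static const attr body_attrs[] = { { "class", "page" }, { "onreadystatechange", "init();" } };
static const element body_element = { { NODE_ELEMENT }, body_attrs, 2 };

int main(void)
{
    printf("document: \"%s\"\n", handler_code(&document_node, "readystatechange"));
    printf("element:  \"%s\"\n", handler_code(&body_element.base, "readystatechange"));
    return 0;
}
```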

~0001111

Daniel Silverstone (administrator)

This is fixed in Git. Sadly the CI system is currently down due to datacenter issues. Look for a CI#3177 or newer to validate the correction.
~0001252

Vincent Sanders (administrator)

Confirmed fixed in 3.4 release.

Issue History
Date Modified Username Field Change
2015-11-11 01:16 Harriet Bazley New Issue
2015-11-11 01:16 Harriet Bazley File Added: Log.zip
2015-11-11 17:50 Michael Drake Note Added: 0001067
2015-11-11 18:11 Michael Drake Note Added: 0001069
2015-11-11 18:17 Michael Drake Note Added: 0001070
2015-11-11 18:18 Michael Drake Note Added: 0001072
2015-11-17 16:34 Vincent Sanders Assigned To => Daniel Silverstone
2015-11-17 16:34 Vincent Sanders Status new => confirmed
2015-11-17 16:34 Vincent Sanders Product Version => 3.4
2015-11-17 16:34 Vincent Sanders Description Updated View Revisions
2015-11-19 22:01 Michael Drake Note Added: 0001106
2015-11-19 22:05 Michael Drake Note Edited: 0001106 View Revisions
2015-11-19 22:07 Michael Drake Note Edited: 0001106 View Revisions
2015-11-22 13:44 Daniel Silverstone Note Added: 0001111
2015-11-22 13:44 Daniel Silverstone Status confirmed => resolved
2015-11-22 13:44 Daniel Silverstone Resolution open => fixed
2015-11-22 13:44 Daniel Silverstone Fixed in Version => 3.4
2015-11-22 13:44 Daniel Silverstone Target Version => 3.4
2016-02-16 14:14 Vincent Sanders Note Added: 0001252
2016-02-16 14:14 Vincent Sanders Status resolved => closed