| View Issue Details [ Jump to Notes ] | [ Issue History ] [ Print ] | ||||||||||||
| ID | Project | Category | View Status | Date Submitted | Last Update | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0002428 | NetSurf | RISC OS-specific | public | 2016-02-20 19:10 | 2016-03-07 12:59 | ||||||||
| Reporter | Richard Porter | ||||||||||||
| Assigned To | |||||||||||||
| Severity | crash | Reproducibility | unable to reproduce | ||||||||||
| Status | confirmed | Resolution | open | ||||||||||
| Platform | RiscPC | OS | RISC OS | OS Version | 6.16 | ||||||||
| Product Version | 3.5 | ||||||||||||
| Target Version | Fixed in Version | ||||||||||||
| Summary | 0002428: Segfault on saving image | ||||||||||||
| Description | Trying to save third picture of the green car having already saved the first two. | ||||||||||||
| Steps To Reproduce | Go to problem page (actually I did a 'top ten' search but that may be completey different when you investigate this) save photos to local directory. | ||||||||||||
| Additional Information | I then updated NetSurf to CI #3420 and downloaded the photo successfully. You don't need to be registered on the forum to read it. | ||||||||||||
| Tags | No tags attached. | ||||||||||||
| Fixed in CI build # | |||||||||||||
| Reported in CI build # | 3416 | ||||||||||||
| URL of problem page | http://www.minimarcos.org.uk/cgi-bin/forum/Blah.pl?,b=MJ,v=display,m=1454193515,s=1,highlight=#num1 | ||||||||||||
| Attached Files |
| ||||||||||||
 Relationships |
|
 Relationships |
| Notes |
|
Vincent Sanders (administrator) 2016-03-07 12:42 |
segmentation fault during saving element in content__get_source_data() use after free? There was a cache clear just before: (33274.940000) render/html.c:1513 html_destroy: content 0x3a255518 ... (33274.980000) render/html_object.c:636 html_object_free_objects: object 0x3ac457d8 (33274.980000) content/content.c:693 content_remove_user: content http://www.minimarcos.org.uk/BlahImages/logo.gif (0x3a7820a8), user 0xd0c68 0x3ac457d8 backtrace: ( 728bf4) pc: c5ac0 lr: c5b58 sp: 728bf8 content__get_source_data() ( 728c08) pc: c5b40 lr: 1980dc sp: 728c0c content_get_source_data() ( 728c40) pc: 197fd0 lr: 199fec sp: 728c44 ro_gui_save_content() ( 728c64) pc: 199f6c lr: 18803c sp: 728c68 ro_gui_save_datasave_ack() ( 728c7c) pc: 187fb0 lr: 193b9c sp: 728c80 ro_msg_datasave_ack() ( 728ca0) pc: 193ab4 lr: 9e7c sp: 728ca4 ro_message_handle_message() ( 728fe8) pc: 9750 lr: 4f7f70 sp: 728fec main() |
|
Vincent Sanders (administrator) 2016-03-07 12:59 |
This is actually a lifetime issue within riscos/save.c this front end saves the hlcache handle in ro_gui_save_set_state() without incrementing its reference count so when a cache clear throws away the "unused" object there is still a reference in the gui_save_content variable which is no longer viable and immediately leads to using freed memory and a crash |
| Notes |
| Issue History |
|||
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2016-02-20 19:10 | Richard Porter | New Issue | |
| 2016-02-20 19:10 | Richard Porter | File Added: nslog324.zip | |
| 2016-03-07 12:42 | Vincent Sanders | Note Added: 0001344 | |
| 2016-03-07 12:42 | Vincent Sanders | Status | new => acknowledged |
| 2016-03-07 12:42 | Vincent Sanders | Product Version | => 3.5 |
| 2016-03-07 12:42 | Vincent Sanders | Additional Information Updated | View Revisions |
| 2016-03-07 12:59 | Vincent Sanders | Note Added: 0001345 | |
| 2016-03-07 12:59 | Vincent Sanders | Status | acknowledged => confirmed |
| 2016-03-07 12:59 | Vincent Sanders | Category | ABEND => RISC OS-specific |
| Issue History |