View Issue Details

ID | Project | Category | View Status | Date Submitted | Last Update
---|---|---|---|---|---
0002667 | NetSurf | ABEND | public | 2019-06-07 13:28 | 2019-07-19 08:24

Field | Value
---|---
Reporter | Vincent Sanders
Assigned To | Vincent Sanders
Severity | crash
Reproducibility | always
Status | closed
Resolution | fixed
Product Version | 3.9
Target Version | 3.9
Fixed in Version | 3.9
Summary | 0002667: the popular sites test is asploding because of a double free
Description | After a great deal of messing about I have a full run performed under valgrind. At some point (the valgrind and test action output are not interleaved properly) the browser wanders off into the weeds, eventually double freeing.
Additional Information:

```text
==14020== Conditional jump or move depends on uninitialised value(s)
==14020==    at 0x2917C3: css__mq_cond_or_feature_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020==    by 0x291841: css__mq_cond_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020==    by 0x292E3B: css__mq_query_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020==    by 0x28B0C5: css__stylesheet_rule_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020==    by 0x28B17A: css_stylesheet_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020==    by 0x1CD670: nscss_destroy_css_data (css.c:365)
==14020==    by 0x1CD670: nscss_destroy (css.c:343)
==14020==    by 0x1C4D36: content_destroy (content.c:388)
==14020==    by 0x24018E: hlcache_clean (hlcache.c:140)
==14020==    by 0x27130E: monkey_schedule_run (schedule.c:159)
==14020==    by 0x13B17B: monkey_run (main.c:277)
==14020==    by 0x13B17B: main (main.c:408)
==14020==  Uninitialised value was created by a stack allocation
==14020==    at 0x292930: mq_parse_condition (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020==
==14020== Use of uninitialised value of size 8
==14020==    at 0x2917C6: css__mq_cond_or_feature_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020==    by 0x291841: css__mq_cond_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020==    by 0x292E3B: css__mq_query_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020==    by 0x28B0C5: css__stylesheet_rule_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020==    by 0x28B17A: css_stylesheet_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020==    by 0x1CD670: nscss_destroy_css_data (css.c:365)
==14020==    by 0x1CD670: nscss_destroy (css.c:343)
==14020==    by 0x1C4D36: content_destroy (content.c:388)
==14020==    by 0x24018E: hlcache_clean (hlcache.c:140)
==14020==    by 0x27130E: monkey_schedule_run (schedule.c:159)
==14020==    by 0x13B17B: monkey_run (main.c:277)
==14020==    by 0x13B17B: main (main.c:408)
==14020==  Uninitialised value was created by a stack allocation
==14020==    at 0x292930: mq_parse_condition (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020==
==14020== Use of uninitialised value of size 8
==14020==    at 0x2917F0: css__mq_cond_or_feature_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020==    by 0x291841: css__mq_cond_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020==    by 0x292E3B: css__mq_query_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020==    by 0x28B0C5: css__stylesheet_rule_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020==    by 0x28B17A: css_stylesheet_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020==    by 0x1CD670: nscss_destroy_css_data (css.c:365)
==14020==    by 0x1CD670: nscss_destroy (css.c:343)
==14020==    by 0x1C4D36: content_destroy (content.c:388)
==14020==    by 0x24018E: hlcache_clean (hlcache.c:140)
==14020==    by 0x27130E: monkey_schedule_run (schedule.c:159)
==14020==    by 0x13B17B: monkey_run (main.c:277)
==14020==    by 0x13B17B: main (main.c:408)
==14020==  Uninitialised value was created by a stack allocation
==14020==    at 0x292930: mq_parse_condition (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020==
==14020== Invalid free() / delete / delete[] / realloc()
==14020==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==14020==    by 0x292E46: css__mq_query_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020==    by 0x28B0C5: css__stylesheet_rule_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020==    by 0x28B17A: css_stylesheet_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020==    by 0x1CD670: nscss_destroy_css_data (css.c:365)
==14020==    by 0x1CD670: nscss_destroy (css.c:343)
==14020==    by 0x1C4D36: content_destroy (content.c:388)
==14020==    by 0x24018E: hlcache_clean (hlcache.c:140)
==14020==    by 0x27130E: monkey_schedule_run (schedule.c:159)
==14020==    by 0x13B17B: monkey_run (main.c:277)
==14020==    by 0x13B17B: main (main.c:408)
==14020==  Address 0xd5e1890 is 0 bytes inside a block of size 32 free'd
==14020==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==14020==    by 0x291841: css__mq_cond_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020==    by 0x292E3B: css__mq_query_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020==    by 0x28B0C5: css__stylesheet_rule_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020==    by 0x28B17A: css_stylesheet_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020==    by 0x1CD670: nscss_destroy_css_data (css.c:365)
==14020==    by 0x1CD670: nscss_destroy (css.c:343)
==14020==    by 0x1C4D36: content_destroy (content.c:388)
==14020==    by 0x24018E: hlcache_clean (hlcache.c:140)
==14020==    by 0x27130E: monkey_schedule_run (schedule.c:159)
==14020==    by 0x13B17B: monkey_run (main.c:277)
==14020==    by 0x13B17B: main (main.c:408)
==14020==  Block was alloc'd at
==14020==    at 0x4C2DBC5: calloc (vg_replace_malloc.c:711)
==14020==    by 0x292F9E: css__mq_parse_media_list (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020==    by 0x28FCEA: language_handle_event (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020==    by 0x28C2B7: parseAtRuleEnd (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020==    by 0x28DA79: css__parser_parse_chunk (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020==    by 0x1CD6A6: nscss_process_css_data (css.c:271)
==14020==    by 0x1CD6A6: nscss_process_data (css.c:252)
==14020==    by 0x1C4239: content_llcache_callback (content.c:150)
==14020==    by 0x2423B3: llcache_object_notify_users (llcache.c:3157)
==14020==    by 0x2425AF: llcache_catch_up_all_users (llcache.c:3617)
==14020==    by 0x27130E: monkey_schedule_run (schedule.c:159)
==14020==    by 0x13B17B: monkey_run (main.c:277)
==14020==    by 0x13B17B: main (main.c:408)
==14020==
==14020== Conditional jump or move depends on uninitialised value(s)
==14020==    at 0x27D3C9: idna__is_valid (idna.c:440)
==14020==    by 0x27D3C9: idna_encode (idna.c:640)
==14020==    by 0x282F29: nsurl__create_from_section (parse.c:923)
==14020==    by 0x284205: nsurl_join (parse.c:1449)
==14020==    by 0x1D51B1: node_is_visited (select.c:1634)
==14020==    by 0x2B2C3B: css_select_style (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020==    by 0x1D5FB4: nscss_get_style (select.c:266)
==14020==    by 0x1DA97A: box_get_style (box_construct.c:1376)
==14020==    by 0x1DA97A: box_construct_element (box_construct.c:763)
==14020==    by 0x1DA97A: convert_xml_to_box (box_construct.c:383)
==14020==    by 0x27130E: monkey_schedule_run (schedule.c:159)
==14020==    by 0x13B17B: monkey_run (main.c:277)
==14020==    by 0x13B17B: main (main.c:408)
==14020==  Uninitialised value was created by a heap allocation
==14020==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==14020==    by 0x27D2FE: idna__utf8_to_ucs4 (idna.c:245)
==14020==    by 0x27D2FE: idna_encode (idna.c:634)
==14020==    by 0x282F29: nsurl__create_from_section (parse.c:923)
==14020==    by 0x284205: nsurl_join (parse.c:1449)
==14020==    by 0x1D51B1: node_is_visited (select.c:1634)
==14020==    by 0x2B2C3B: css_select_style (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020==    by 0x1D5FB4: nscss_get_style (select.c:266)
==14020==    by 0x1DA97A: box_get_style (box_construct.c:1376)
==14020==    by 0x1DA97A: box_construct_element (box_construct.c:763)
==14020==    by 0x1DA97A: convert_xml_to_box (box_construct.c:383)
==14020==    by 0x27130E: monkey_schedule_run (schedule.c:159)
==14020==    by 0x13B17B: monkey_run (main.c:277)
==14020==    by 0x13B17B: main (main.c:408)
==14020==
==14020== Conditional jump or move depends on uninitialised value(s)
==14020==    at 0x27D3C9: idna__is_valid (idna.c:440)
==14020==    by 0x27D3C9: idna_encode (idna.c:640)
==14020==    by 0x282F29: nsurl__create_from_section (parse.c:923)
==14020==    by 0x284205: nsurl_join (parse.c:1449)
==14020==    by 0x1DB600: box_extract_link (box_construct.c:3136)
==14020==    by 0x1DD67C: box_a (box_construct.c:1494)
==14020==    by 0x1DB0EB: box_construct_element (box_construct.c:877)
==14020==    by 0x1DB0EB: convert_xml_to_box (box_construct.c:383)
==14020==    by 0x27130E: monkey_schedule_run (schedule.c:159)
==14020==    by 0x13B17B: monkey_run (main.c:277)
==14020==    by 0x13B17B: main (main.c:408)
==14020==  Uninitialised value was created by a heap allocation
==14020==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==14020==    by 0x27D2FE: idna__utf8_to_ucs4 (idna.c:245)
==14020==    by 0x27D2FE: idna_encode (idna.c:634)
==14020==    by 0x282F29: nsurl__create_from_section (parse.c:923)
==14020==    by 0x284205: nsurl_join (parse.c:1449)
==14020==    by 0x1DB600: box_extract_link (box_construct.c:3136)
==14020==    by 0x1DD67C: box_a (box_construct.c:1494)
==14020==    by 0x1DB0EB: box_construct_element (box_construct.c:877)
==14020==    by 0x1DB0EB: convert_xml_to_box (box_construct.c:383)
==14020==    by 0x27130E: monkey_schedule_run (schedule.c:159)
==14020==    by 0x13B17B: monkey_run (main.c:277)
==14020==    by 0x13B17B: main (main.c:408)
```
Field | Value
---|---
Tags | No tags attached.
Fixed in CI build # |
Reported in CI build # | 4660
URL of problem page | https://googleblog.com/
Vincent Sanders (administrator) 2019-06-09 13:32

Reading the double free more carefully, it appears that this occurs because content_destroy is being run a second time on already destroyed contents! Indeed the previous errors are use of uninitialised values in css__mq_cond_or_feature_destroy.
Vincent Sanders (administrator) 2019-06-10 22:00

From a clean valgrind run, now all other detected errors are fixed:

```text
==18082== Invalid free() / delete / delete[] / realloc()
==18082==    at 0x48369AB: free (vg_replace_malloc.c:530)
==18082==    by 0x293B7B: css__mq_query_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==18082==    by 0x28BD5D: css__stylesheet_rule_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==18082==    by 0x28BE1A: css_stylesheet_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==18082==    by 0x1C9FBF: nscss_destroy_css_data (css.c:365)
==18082==    by 0x1C9FBF: nscss_destroy (css.c:343)
==18082==    by 0x1C19A6: content_destroy (content.c:388)
==18082==    by 0x2398B6: hlcache_clean (hlcache.c:140)
==18082==    by 0x26A1E4: monkey_schedule_run (schedule.c:165)
==18082==    by 0x138393: monkey_run (main.c:277)
==18082==    by 0x138393: main (main.c:408)
==18082==  Address 0x7af97a0 is 0 bytes inside a block of size 32 free'd
==18082==    at 0x48369AB: free (vg_replace_malloc.c:530)
==18082==    by 0x2924A1: css__mq_cond_destroy.part.4 (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==18082==    by 0x293B70: css__mq_query_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==18082==    by 0x28BD5D: css__stylesheet_rule_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==18082==    by 0x28BE1A: css_stylesheet_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==18082==    by 0x1C9FBF: nscss_destroy_css_data (css.c:365)
==18082==    by 0x1C9FBF: nscss_destroy (css.c:343)
==18082==    by 0x1C19A6: content_destroy (content.c:388)
==18082==    by 0x2398B6: hlcache_clean (hlcache.c:140)
==18082==    by 0x26A1E4: monkey_schedule_run (schedule.c:165)
==18082==    by 0x138393: monkey_run (main.c:277)
==18082==    by 0x138393: main (main.c:408)
==18082==  Block was alloc'd at
==18082==    at 0x4837B65: calloc (vg_replace_malloc.c:752)
==18082==    by 0x294067: css__mq_parse_media_list (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==18082==    by 0x290936: language_handle_event (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==18082==    by 0x28CE77: parseAtRuleEnd (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==18082==    by 0x28E559: css__parser_parse_chunk (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==18082==    by 0x1C9FF6: nscss_process_css_data (css.c:271)
==18082==    by 0x1C9FF6: nscss_process_data (css.c:252)
==18082==    by 0x1C0EB9: content_llcache_callback (content.c:150)
==18082==    by 0x23B8FC: llcache_object_notify_users (llcache.c:3157)
==18082==    by 0x23BA5F: llcache_catch_up_all_users (llcache.c:3617)
==18082==    by 0x26A1E4: monkey_schedule_run (schedule.c:165)
==18082==    by 0x138393: monkey_run (main.c:277)
==18082==    by 0x138393: main (main.c:408)
```
Vincent Sanders (administrator) 2019-06-12 08:31

Memory corruption when content is destroyed.

```text
Thread 1 "nsmonkey" received signal SIGSEGV, Segmentation fault.
0x00005555556ddf99 in css__mq_feature_destroy ()
(gdb) w
Ambiguous command "w": watch, wh, whatis, where, while, while-stepping, winheight, ws.
(gdb) where
#0  0x00005555556ddf99 in css__mq_feature_destroy ()
#1  0x00005555556de049 in css__mq_cond_or_feature_destroy ()
#2  0x00005555556de092 in css__mq_cond_destroy ()
#3  0x00005555556df68c in css__mq_query_destroy ()
#4  0x00005555556d795e in css__stylesheet_rule_destroy ()
#5  0x00005555556d7a1b in css_stylesheet_destroy ()
#6  0x00005555556197c1 in nscss_destroy_css_data (c=0x55555602d550) at content/handlers/css/css.c:365
#7  nscss_destroy (c=0x55555602d170) at content/handlers/css/css.c:343
#8  0x0000555555610e87 in content_destroy (c=0x55555602d170) at content/content.c:388
#9  0x000055555568c2df in hlcache_clean (ignored=<optimized out>) at content/hlcache.c:140
#10 0x000055555568d12f in hlcache_finalise () at content/hlcache.c:576
#11 0x00005555556a7739 in netsurf_exit () at desktop/netsurf.c:455
#12 0x0000555555587334 in main (argc=<optimized out>, argv=<optimized out>) at frontends/monkey/main.c:413
(gdb) list
306                            &exc_fd_set,
307                            timeout);
308             if (rdy_fd < 0) {
309                     monkey_done = true;
310             } else if (rdy_fd > 0) {
311                     if (FD_ISSET(0, &read_fd_set)) {
312                             monkey_process_command();
313                     }
314             }
315     }
(gdb)
```
Vincent Sanders (administrator) 2019-06-12 08:36

```text
Thread 1 "nsmonkey" received signal SIGSEGV, Segmentation fault.
0x00005555556e3dc8 in css__mq_cond_or_feature_destroy (cond_or_feature=0x50) at src/parse/mq.c:65
65              switch (cond_or_feature->type) {
(gdb) where
#0  0x00005555556e3dc8 in css__mq_cond_or_feature_destroy (cond_or_feature=0x50) at src/parse/mq.c:65
#1  0x00005555556e3d51 in css__mq_cond_parts_destroy (cond_parts=0x5555560b9860) at src/parse/mq.c:46
#2  0x00005555556e3da2 in css__mq_cond_destroy (cond=0x5555560b9840) at src/parse/mq.c:56
#3  0x00005555556e3e30 in css__mq_query_destroy (media=0x5555560b9810) at src/parse/mq.c:82
#4  0x00005555556d8003 in css__stylesheet_rule_destroy (sheet=0x555555ff99d0, rule=0x5555560b98a0) at src/stylesheet.c:1169
#5  0x00005555556d66b0 in css_stylesheet_destroy (sheet=0x555555ff99d0) at src/stylesheet.c:273
#6  0x0000555555619041 in nscss_destroy_css_data (c=0x555555ff9990) at content/handlers/css/css.c:365
#7  nscss_destroy (c=0x555555ff95b0) at content/handlers/css/css.c:343
#8  0x0000555555610707 in content_destroy (c=0x555555ff95b0) at content/content.c:388
#9  0x000055555568bb5f in hlcache_clean (ignored=<optimized out>) at content/hlcache.c:140
#10 0x000055555568c9af in hlcache_finalise () at content/hlcache.c:576
#11 0x00005555556a6fb9 in netsurf_exit () at desktop/netsurf.c:455
#12 0x0000555555586bb4 in main (argc=<optimized out>, argv=<optimized out>) at frontends/monkey/main.c:413
(gdb) list
60
61      static void css__mq_cond_or_feature_destroy(
62                      css_mq_cond_or_feature *cond_or_feature)
63      {
64              if (cond_or_feature != NULL) {
65                      switch (cond_or_feature->type) {
66                      case CSS_MQ_FEATURE:
67                              css__mq_feature_destroy(cond_or_feature->data.feat);
68                              break;
69                      case CSS_MQ_COND:
(gdb) p cond_or_feature
$1 = (css_mq_cond_or_feature *) 0x50
(gdb)
```
Vincent Sanders (administrator) 2019-06-12 11:21

I think that in libcss/src/parse/mq.c mq_parse_condition() calls mq_parse_media_in_parens(). mq_parse_media_in_parens() can exit with error CSS_OK but with cond_or_feature unset?!? This can apparently happen if mq_parse_general_enclosed() in the default case returns CSS_OK. Note both callers assume cond_or_feature is useful. If mq_parse_condition() returns NULL in cond_or_feature when mq_parse_general_enclosed() returns CSS_OK, the memory corruption issues are resolved.
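The contract violation diagnosed in this note, modelled in C as an added example (not libcss code): a callee that reports CSS_OK without writing its out-parameter, next to the fix of defining it on every success path. The struct, the token matching and the STACK_GARBAGE sentinel standing in for the real uninitialised stack slot are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the libcss names in the traces; not libcss code. */
typedef enum { CSS_OK = 0, CSS_INVALID = 1 } css_error;
typedef struct { char name[32]; } css_mq_cond_or_feature;
/* Whatever happened to sit in the caller's stack slot (gdb above saw 0x50). */
#define STACK_GARBAGE ((css_mq_cond_or_feature *)0x50)

/* Model of mq_parse_media_in_parens(). With fixed == false the "general
 * enclosed" fallback reports CSS_OK without writing *out (the note's bug). */
static css_error parse_media_in_parens(const char *tok, bool fixed,
                                       css_mq_cond_or_feature **out)
{
    if (fixed)
        *out = NULL; /* fix: every CSS_OK path now defines the out-parameter */
    if (strncmp(tok, "(width", 6) == 0 || strncmp(tok, "(color", 6) == 0) {
        css_mq_cond_or_feature *f = calloc(1, sizeof *f);
        if (f == NULL)
            return CSS_INVALID;
        strncpy(f->name, tok, sizeof f->name - 1);
        *out = f;
        return CSS_OK;
    }
    return CSS_OK; /* default case: unknown query skipped, still "success" */
}

/* Model of the caller, mq_parse_condition(): the local is trusted as soon
 * as the callee reports CSS_OK. */
static css_mq_cond_or_feature *parse_condition(const char *tok, bool fixed)
{
    css_mq_cond_or_feature *cof = STACK_GARBAGE; /* "uninitialised" local */
    if (parse_media_in_parens(tok, fixed, &cof) != CSS_OK)
        return NULL;
    return cof; /* buggy variant: garbage flows on to the destructor */
}

/* NULL-safe like css__mq_cond_or_feature_destroy(), but it cannot tell a
 * stale stack value from a live allocation: that is how free() was reached. */
static void cond_or_feature_destroy(css_mq_cond_or_feature *cof)
{
    if (cof != NULL)
        free(cof);
}
int main(void)
{
    css_mq_cond_or_feature *b = parse_condition("(foo: bar)", false);
    css_mq_cond_or_feature *f = parse_condition("(foo: bar)", true);
    printf("buggy: %s, fixed: %s\n", b == STACK_GARBAGE ? "stale stack value" : "ok",
           f == NULL ? "NULL" : "ok");
    cond_or_feature_destroy(f); /* NULL-safe, nothing to free */
    return 0;
}
```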
Michael Drake (administrator) 2019-06-12 21:07

Fixed by Vince in http://git.netsurf-browser.org/libcss.git/commit/?id=f3b8e297d3af3817f83011b64cf2a389059115f3
Vincent Sanders (administrator) 2019-07-19 08:24

We believe this issue has been resolved in NetSurf 3.9.
Date Modified | Username | Field | Change
---|---|---|---
2019-06-07 13:28 | Vincent Sanders | New Issue |
2019-06-07 16:25 | Vincent Sanders | Additional Information Updated | View Revisions
2019-06-09 13:32 | Vincent Sanders | Note Added: 0001949 |
2019-06-10 22:00 | Vincent Sanders | Note Added: 0001957 |
2019-06-12 08:31 | Vincent Sanders | Status | new => confirmed
2019-06-12 08:31 | Vincent Sanders | URL of problem page | => https://googleblog.com/
2019-06-12 08:31 | Vincent Sanders | Note Added: 0001958 |
2019-06-12 08:36 | Vincent Sanders | Note Added: 0001959 |
2019-06-12 11:21 | Vincent Sanders | Note Added: 0001960 |
2019-06-12 21:07 | Michael Drake | Assigned To | => Vincent Sanders
2019-06-12 21:07 | Michael Drake | Status | confirmed => resolved
2019-06-12 21:07 | Michael Drake | Resolution | open => fixed
2019-06-12 21:07 | Michael Drake | Note Added: 0001961 |
2019-06-13 16:24 | Vincent Sanders | Fixed in Version | => 3.9
2019-07-19 08:24 | Vincent Sanders | Status | resolved => closed
2019-07-19 08:24 | Vincent Sanders | Note Added: 0001997 |