0002667: the popular sites test is asploding because of a double free

View Issue Details [ Jump to Notes ]

[ Issue History ] [ Print ]

Project

Category

View Status

Date Submitted

Last Update

0002667

NetSurf

ABEND

public

2019-06-07 14:28

2019-07-19 09:24

Reporter

Vincent Sanders

Assigned To

Vincent Sanders

Severity

crash

Reproducibility

always

Status

closed

Resolution

fixed

Product Version

3.9

Target Version

3.9

Fixed in Version

3.9

Summary

0002667: the popular sites test is asploding because of a double free

Description

after a great deal of messing about i have a full run performed under valgrind

at some point (the valgrind and test action output are not interleaved properly) the browser wanders off into the weeds eventually double freeing.

Additional Information

==14020== Conditional jump or move depends on uninitialised value(s)
==14020== at 0x2917C3: css__mq_cond_or_feature_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x291841: css__mq_cond_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x292E3B: css__mq_query_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x28B0C5: css__stylesheet_rule_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x28B17A: css_stylesheet_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x1CD670: nscss_destroy_css_data (css.c:365)
==14020== by 0x1CD670: nscss_destroy (css.c:343)
==14020== by 0x1C4D36: content_destroy (content.c:388)
==14020== by 0x24018E: hlcache_clean (hlcache.c:140)
==14020== by 0x27130E: monkey_schedule_run (schedule.c:159)
==14020== by 0x13B17B: monkey_run (main.c:277)
==14020== by 0x13B17B: main (main.c:408)
==14020== Uninitialised value was created by a stack allocation
==14020== at 0x292930: mq_parse_condition (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== Use of uninitialised value of size 8
==14020== at 0x2917C6: css__mq_cond_or_feature_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x291841: css__mq_cond_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x292E3B: css__mq_query_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x28B0C5: css__stylesheet_rule_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x28B17A: css_stylesheet_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x1CD670: nscss_destroy_css_data (css.c:365)
==14020== by 0x1CD670: nscss_destroy (css.c:343)
==14020== by 0x1C4D36: content_destroy (content.c:388)
==14020== by 0x24018E: hlcache_clean (hlcache.c:140)
==14020== by 0x27130E: monkey_schedule_run (schedule.c:159)
==14020== by 0x13B17B: monkey_run (main.c:277)
==14020== by 0x13B17B: main (main.c:408)
==14020== Uninitialised value was created by a stack allocation
==14020== at 0x292930: mq_parse_condition (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020==
==14020== Use of uninitialised value of size 8
==14020== at 0x2917F0: css__mq_cond_or_feature_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x291841: css__mq_cond_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x292E3B: css__mq_query_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x28B0C5: css__stylesheet_rule_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x28B17A: css_stylesheet_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x1CD670: nscss_destroy_css_data (css.c:365)
==14020== by 0x1CD670: nscss_destroy (css.c:343)
==14020== by 0x1C4D36: content_destroy (content.c:388)
==14020== by 0x24018E: hlcache_clean (hlcache.c:140)
==14020== by 0x27130E: monkey_schedule_run (schedule.c:159)
==14020== by 0x13B17B: monkey_run (main.c:277)
==14020== by 0x13B17B: main (main.c:408)
==14020== Uninitialised value was created by a stack allocation
==14020== at 0x292930: mq_parse_condition (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020==
==14020== Invalid free() / delete / delete[] / realloc()
==14020== at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==14020== by 0x292E46: css__mq_query_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x28B0C5: css__stylesheet_rule_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x28B17A: css_stylesheet_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x1CD670: nscss_destroy_css_data (css.c:365)
==14020== by 0x1CD670: nscss_destroy (css.c:343)
==14020== by 0x1C4D36: content_destroy (content.c:388)
==14020== by 0x24018E: hlcache_clean (hlcache.c:140)
==14020== by 0x27130E: monkey_schedule_run (schedule.c:159)
==14020== by 0x13B17B: monkey_run (main.c:277)
==14020== by 0x13B17B: main (main.c:408)
==14020== Address 0xd5e1890 is 0 bytes inside a block of size 32 free'd
==14020== at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==14020== by 0x291841: css__mq_cond_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x292E3B: css__mq_query_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x28B0C5: css__stylesheet_rule_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x28B17A: css_stylesheet_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x1CD670: nscss_destroy_css_data (css.c:365)
==14020== by 0x1CD670: nscss_destroy (css.c:343)
==14020== by 0x1C4D36: content_destroy (content.c:388)
==14020== by 0x24018E: hlcache_clean (hlcache.c:140)
==14020== by 0x27130E: monkey_schedule_run (schedule.c:159)
==14020== by 0x13B17B: monkey_run (main.c:277)
==14020== by 0x13B17B: main (main.c:408)
==14020== Block was alloc'd at
==14020== at 0x4C2DBC5: calloc (vg_replace_malloc.c:711)
==14020== by 0x292F9E: css__mq_parse_media_list (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x28FCEA: language_handle_event (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x28C2B7: parseAtRuleEnd (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x28DA79: css__parser_parse_chunk (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x1CD6A6: nscss_process_css_data (css.c:271)
==14020== by 0x1CD6A6: nscss_process_data (css.c:252)
==14020== by 0x1C4239: content_llcache_callback (content.c:150)
==14020== by 0x2423B3: llcache_object_notify_users (llcache.c:3157)
==14020== by 0x2425AF: llcache_catch_up_all_users (llcache.c:3617)
==14020== by 0x27130E: monkey_schedule_run (schedule.c:159)
==14020== by 0x13B17B: monkey_run (main.c:277)
==14020== by 0x13B17B: main (main.c:408)
==14020==
==14020== Conditional jump or move depends on uninitialised value(s)
==14020== at 0x27D3C9: idna__is_valid (idna.c:440)
==14020== by 0x27D3C9: idna_encode (idna.c:640)
==14020== by 0x282F29: nsurl__create_from_section (parse.c:923)
==14020== by 0x284205: nsurl_join (parse.c:1449)
==14020== by 0x1D51B1: node_is_visited (select.c:1634)
==14020== by 0x2B2C3B: css_select_style (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x1D5FB4: nscss_get_style (select.c:266)
==14020== by 0x1DA97A: box_get_style (box_construct.c:1376)
==14020== by 0x1DA97A: box_construct_element (box_construct.c:763)
==14020== by 0x1DA97A: convert_xml_to_box (box_construct.c:383)
==14020== by 0x27130E: monkey_schedule_run (schedule.c:159)
==14020== by 0x13B17B: monkey_run (main.c:277)
==14020== by 0x13B17B: main (main.c:408)
==14020== Uninitialised value was created by a heap allocation
==14020== at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==14020== by 0x27D2FE: idna__utf8_to_ucs4 (idna.c:245)
==14020== by 0x27D2FE: idna_encode (idna.c:634)
==14020== by 0x282F29: nsurl__create_from_section (parse.c:923)
==14020== by 0x284205: nsurl_join (parse.c:1449)
==14020== by 0x1D51B1: node_is_visited (select.c:1634)
==14020== by 0x2B2C3B: css_select_style (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==14020== by 0x1D5FB4: nscss_get_style (select.c:266)
==14020== by 0x1DA97A: box_get_style (box_construct.c:1376)
==14020== by 0x1DA97A: box_construct_element (box_construct.c:763)
==14020== by 0x1DA97A: convert_xml_to_box (box_construct.c:383)
==14020== by 0x27130E: monkey_schedule_run (schedule.c:159)
==14020== by 0x13B17B: monkey_run (main.c:277)
==14020== by 0x13B17B: main (main.c:408)
==14020==
==14020== Conditional jump or move depends on uninitialised value(s)
==14020== at 0x27D3C9: idna__is_valid (idna.c:440)
==14020== by 0x27D3C9: idna_encode (idna.c:640)
==14020== by 0x282F29: nsurl__create_from_section (parse.c:923)
==14020== by 0x284205: nsurl_join (parse.c:1449)
==14020== by 0x1DB600: box_extract_link (box_construct.c:3136)
==14020== by 0x1DD67C: box_a (box_construct.c:1494)
==14020== by 0x1DB0EB: box_construct_element (box_construct.c:877)
==14020== by 0x1DB0EB: convert_xml_to_box (box_construct.c:383)
==14020== by 0x27130E: monkey_schedule_run (schedule.c:159)
==14020== by 0x13B17B: monkey_run (main.c:277)
==14020== by 0x13B17B: main (main.c:408)
==14020== Uninitialised value was created by a heap allocation
==14020== at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==14020== by 0x27D2FE: idna__utf8_to_ucs4 (idna.c:245)
==14020== by 0x27D2FE: idna_encode (idna.c:634)
==14020== by 0x282F29: nsurl__create_from_section (parse.c:923)
==14020== by 0x284205: nsurl_join (parse.c:1449)
==14020== by 0x1DB600: box_extract_link (box_construct.c:3136)
==14020== by 0x1DD67C: box_a (box_construct.c:1494)
==14020== by 0x1DB0EB: box_construct_element (box_construct.c:877)
==14020== by 0x1DB0EB: convert_xml_to_box (box_construct.c:383)
==14020== by 0x27130E: monkey_schedule_run (schedule.c:159)
==14020== by 0x13B17B: monkey_run (main.c:277)
==14020== by 0x13B17B: main (main.c:408)

Tags

No tags attached.

Fixed in CI build #

Reported in CI build #

4660

URL of problem page

https://googleblog.com/

Attached Files

Relationships

Relationships

Notes
~0001949 Vincent Sanders (administrator) 2019-06-09 14:32	reading the double free more carefully, it appears like this occurs because content_destroy is being run a second time on already destroyed contents! indeed the previous errors are use of uninitialised values in css__mq_cond_or_feature_destroy

~0001957 Vincent Sanders (administrator) 2019-06-10 23:00	from a clean valgrind run now all other detected errors fixed ==18082== Invalid free() / delete / delete[] / realloc() ==18082== at 0x48369AB: free (vg_replace_malloc.c:530) ==18082== by 0x293B7B: css__mq_query_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey) ==18082== by 0x28BD5D: css__stylesheet_rule_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey) ==18082== by 0x28BE1A: css_stylesheet_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey) ==18082== by 0x1C9FBF: nscss_destroy_css_data (css.c:365) ==18082== by 0x1C9FBF: nscss_destroy (css.c:343) ==18082== by 0x1C19A6: content_destroy (content.c:388) ==18082== by 0x2398B6: hlcache_clean (hlcache.c:140) ==18082== by 0x26A1E4: monkey_schedule_run (schedule.c:165) ==18082== by 0x138393: monkey_run (main.c:277) ==18082== by 0x138393: main (main.c:408) ==18082== Address 0x7af97a0 is 0 bytes inside a block of size 32 free'd ==18082== at 0x48369AB: free (vg_replace_malloc.c:530) ==18082== by 0x2924A1: css__mq_cond_destroy.part.4 (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey) ==18082== by 0x293B70: css__mq_query_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey) ==18082== by 0x28BD5D: css__stylesheet_rule_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey) ==18082== by 0x28BE1A: css_stylesheet_destroy (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey) ==18082== by 0x1C9FBF: nscss_destroy_css_data (css.c:365) ==18082== by 0x1C9FBF: nscss_destroy (css.c:343) ==18082== by 0x1C19A6: content_destroy (content.c:388) ==18082== by 0x2398B6: hlcache_clean (hlcache.c:140) ==18082== by 0x26A1E4: monkey_schedule_run (schedule.c:165) ==18082== by 0x138393: monkey_run (main.c:277) ==18082== by 0x138393: monkey_run (main.c:277) ==18082== by 0x138393: main (main.c:408) ==18082== Block was alloc'd at ==18082== at 0x4837B65: calloc (vg_replace_malloc.c:752) ==18082== by 0x294067: css__mq_parse_media_list (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey) ==18082== by 0x290936: language_handle_event (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey) ==18082== by 0x28CE77: parseAtRuleEnd (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey) ==18082== by 0x28E559: css__parser_parse_chunk (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey) ==18082== by 0x1C9FF6: nscss_process_css_data (css.c:271) ==18082== by 0x1C9FF6: nscss_process_data (css.c:252) ==18082== by 0x1C0EB9: content_llcache_callback (content.c:150) ==18082== by 0x23B8FC: llcache_object_notify_users (llcache.c:3157) ==18082== by 0x23BA5F: llcache_catch_up_all_users (llcache.c:3617) ==18082== by 0x26A1E4: monkey_schedule_run (schedule.c:165) ==18082== by 0x138393: monkey_run (main.c:277) ==18082== by 0x138393: main (main.c:408)

~0001958 Vincent Sanders (administrator) 2019-06-12 09:31	memory corruption when content is destroyed. Thread 1 "nsmonkey" received signal SIGSEGV, Segmentation fault. 0x00005555556ddf99 in css.mq_feature_destroy () (gdb) w Ambiguous command "w": watch, wh, whatis, where, while, while-stepping, winheight, ws. (gdb) where #0 0x00005555556ddf99 in css.mq_feature_destroy () #1 0x00005555556de049 in css.mq_cond_or_feature_destroy () 0000002 0x00005555556de092 in css.mq_cond_destroy () #3 0x00005555556df68c in css.mq_query_destroy () #4 0x00005555556d795e in css.stylesheet_rule_destroy () #5 0x00005555556d7a1b in css_stylesheet_destroy () #6 0x00005555556197c1 in nscss_destroy_css_data (c=0x55555602d550) at content/handlers/css/css.c:365 #7 nscss_destroy (c=0x55555602d170) at content/handlers/css/css.c:343 #8 0x0000555555610e87 in content_destroy (c=0x55555602d170) at content/content.c:388 #9 0x000055555568c2df in hlcache_clean (ignored=<optimized out>) at content/hlcache.c:140 #10 0x000055555568d12f in hlcache_finalise () at content/hlcache.c:576 #11 0x00005555556a7739 in netsurf_exit () at desktop/netsurf.c:455 #12 0x0000555555587334 in main (argc=<optimized out>, argv=<optimized out>) at frontends/monkey/main.c:413 (gdb) list 306 &exc_fd_set, 307 timeout); 308 if (rdy_fd < 0) { 309 monkey_done = true; 310 } else if (rdy_fd > 0) { 311 if (FD_ISSET(0, &read_fd_set)) { 312 monkey_process_command(); 313 } 314 } 315 } (gdb)

~0001959 Vincent Sanders (administrator) 2019-06-12 09:36	Thread 1 "nsmonkey" received signal SIGSEGV, Segmentation fault. 0x00005555556e3dc8 in css__mq_cond_or_feature_destroy (cond_or_feature=0x50) at src/parse/mq.c:65 65 switch (cond_or_feature->type) { (gdb) where #0 0x00005555556e3dc8 in css__mq_cond_or_feature_destroy (cond_or_feature=0x50) at src/parse/mq.c:65 #1 0x00005555556e3d51 in css__mq_cond_parts_destroy (cond_parts=0x5555560b9860) at src/parse/mq.c:46 0000002 0x00005555556e3da2 in css__mq_cond_destroy (cond=0x5555560b9840) at src/parse/mq.c:56 #3 0x00005555556e3e30 in css__mq_query_destroy (media=0x5555560b9810) at src/parse/mq.c:82 #4 0x00005555556d8003 in css__stylesheet_rule_destroy (sheet=0x555555ff99d0, rule=0x5555560b98a0) at src/stylesheet.c:1169 #5 0x00005555556d66b0 in css_stylesheet_destroy (sheet=0x555555ff99d0) at src/stylesheet.c:273 #6 0x0000555555619041 in nscss_destroy_css_data (c=0x555555ff9990) at content/handlers/css/css.c:365 #7 nscss_destroy (c=0x555555ff95b0) at content/handlers/css/css.c:343 #8 0x0000555555610707 in content_destroy (c=0x555555ff95b0) at content/content.c:388 #9 0x000055555568bb5f in hlcache_clean (ignored=<optimized out>) at content/hlcache.c:140 #10 0x000055555568c9af in hlcache_finalise () at content/hlcache.c:576 #11 0x00005555556a6fb9 in netsurf_exit () at desktop/netsurf.c:455 #12 0x0000555555586bb4 in main (argc=<optimized out>, argv=<optimized out>) at frontends/monkey/main.c:413 (gdb) list 60 61 static void css__mq_cond_or_feature_destroy( 62 css_mq_cond_or_feature cond_or_feature) 63 { 64 if (cond_or_feature != NULL) { 65 switch (cond_or_feature->type) { 66 case CSS_MQ_FEATURE: 67 css__mq_feature_destroy(cond_or_feature->data.feat); 68 break; 69 case CSS_MQ_COND: (gdb) p cond_or_feature $1 = (css_mq_cond_or_feature ) 0x50 (gdb)

~0001960 Vincent Sanders (administrator) 2019-06-12 12:21	I think that in libcss/src/parse/mq.c mq_parse_condition() calls mq_parse_media_in_parens() mq_parse_media_in_parens() can exit with error CSS_OK but with cond_or_feature unset?!? this can apparently happen if mq_parse_general_enclosed() in the default case returns CSS_OK note both callers assume cond_or_feature is useful if mq_parse_condition() returns NULL in cond_or_feature if mq_parse_general_enclosed() returns CSS_OK the memory corruption issues are resolved.

~0001961 Michael Drake (administrator) 2019-06-12 22:07	Fixed by Vince in http://git.netsurf-browser.org/libcss.git/commit/?id=f3b8e297d3af3817f83011b64cf2a389059115f3

~0001997 Vincent Sanders (administrator) 2019-07-19 09:24	we believe this issue has been resolved in NetSurf 3.9

Notes

Date Modified	Username	Field	Change
Issue History
2019-06-07 14:28	Vincent Sanders	New Issue
2019-06-07 17:25	Vincent Sanders	Additional Information Updated	View Revisions
2019-06-09 14:32	Vincent Sanders	Note Added: 0001949
2019-06-10 23:00	Vincent Sanders	Note Added: 0001957
2019-06-12 09:31	Vincent Sanders	Status	new => confirmed
2019-06-12 09:31	Vincent Sanders	URL of problem page	=> https://googleblog.com/
2019-06-12 09:31	Vincent Sanders	Note Added: 0001958
2019-06-12 09:36	Vincent Sanders	Note Added: 0001959
2019-06-12 12:21	Vincent Sanders	Note Added: 0001960
2019-06-12 22:07	Michael Drake	Assigned To	=> Vincent Sanders
2019-06-12 22:07	Michael Drake	Status	confirmed => resolved
2019-06-12 22:07	Michael Drake	Resolution	open => fixed
2019-06-12 22:07	Michael Drake	Note Added: 0001961
2019-06-13 17:24	Vincent Sanders	Fixed in Version	=> 3.9
2019-07-19 09:24	Vincent Sanders	Status	resolved => closed
2019-07-19 09:24	Vincent Sanders	Note Added: 0001997

Issue History