We discussed this on #ELinks with Miciah Dashiel Butler Masters.
The bug is triggered by configure --enable-html-highlight, which
also enables the RSS renderer. configure --enable-debug can hide
the bug, at least in some circumstances. Here is a relevant part
of a valgrind log:
==25631== Invalid read of size 2
==25631==at 0x80B2438: call_dom_stack_callbacks (stack.c:145)
==25631==by 0x80B2822: pop_dom_node (stack.c:222)
==25631==by 0x8092E3A: render_dom_document (renderer.c:1078)
==25631==by 0x808AC6E: render_encoded_document (renderer.c:262)
==25631==by 0x808AEFE: render_document (renderer.c:345)
==25631==by 0x808B420: render_document_frames (renderer.c:472)
==25631==by 0x810D697: draw_formatted (draw.c:350)
==25631==by 0x80F57FE: display_timer (session.c:454)
==25631==by 0x80F8CF8: loading_callback (task.c:538)
==25631==by 0x80D105C: notify_connection_callbacks (connection.c:428)
==25631==by 0x80D0D93: set_connection_state (connection.c:367)
==25631==by 0x80D08CB: set_connection_socket_state (connection.c:234)
==25631== Address 0x4db1c78 is 0 bytes inside a block of size 32 free'd
==25631==at 0x4021B8A: free (vg_replace_malloc.c:323)
==25631==by 0x8106C53: mem_free (memory.c:96)
==25631==by 0x80AF858: done_dom_node_data (node.c:430)
==25631==by 0x80AF944: done_dom_node (node.c:461)
==25631==by 0x8092A55: dom_rss_pop_document (renderer.c:950)
==25631==by 0x80B2486: call_dom_stack_callbacks (stack.c:151)
==25631==by 0x80B2822: pop_dom_node (stack.c:222)
==25631==by 0x8092E3A: render_dom_document (renderer.c:1078)
==25631==by 0x808AC6E: render_encoded_document (renderer.c:262)
==25631==by 0x808AEFE: render_document (renderer.c:345)
==25631==by 0x808B420: render_document_frames (renderer.c:472)
==25631==by 0x810D697: draw_formatted (draw.c:350)
The struct dom_node was freed and then used during the same call
to call_dom_stack_callbacks. There were three contexts using the
DOM stack. The first one didn't have any callbacks. The second
one was dom_rss_renderer_context_info, whose dom_rss_pop_document
callback freed the document node. The third context was
dom_config_normalizer_context, whose dom_normalize_node_end
callback wouldn't have done anything to DOM_NODE_DOCUMENT.
When call_dom_stack_callbacks was examining the third context,
it read state-node-type, whose value was invalid because
state-node had already been freed. This then caused
call_dom_stack_callbacks to call an invalid function pointer.
The following patch attempts to fix this bug by keeping the node
in memory until call_dom_stack_callbacks has called the callbacks
of all contexts. This change removes the valgrind error report
and avoids the crash. However, I'm really unfamiliar with the
DOM code, so I cannot be sure this is the right solution.
--- src/document/dom/renderer.c.~1~ 2008-06-30 01:40:02.0 +0300
+++ src/document/dom/renderer.c 2009-02-09 02:57:09.0 +0200
@@ -947,9 +947,7 @@ dom_rss_pop_document(struct dom_stack *s
done_dom_string(renderer-text);
mem_free_if(renderer-items);
- done_dom_node(root);
-
- return DOM_CODE_OK;
+ return DOM_CODE_FREE_NODE;
}
pgpJDf2EaMY10.pgp
Description: PGP signature