
segfault on MyHTML_TREE_PARSE_FLAGS_WITHOUT_PROCESS_TOKEN #62

Closed · kostya opened this issue Sep 6, 2016 · 13 comments

@kostya (Contributor) commented Sep 6, 2016

If in the example tokenizer_colorize_high_level.c I add the line:

    myhtml_tree_parse_flags_set(tree, MyHTML_TREE_PARSE_FLAGS_WITHOUT_PROCESS_TOKEN);

it segfaults on this page:

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html>
    <body></body>
    </html>
@lexborisov (Owner)

Works fine with Valgrind and the AddressSanitizer debugger.
MyHTML_TREE_PARSE_FLAGS_WITHOUT_PROCESS_TOKEN cannot influence this process.

@kostya (Contributor, Author) commented Sep 6, 2016

00000000  3c 21 44 4f 43 54 59 50  45 20 68 74 6d 6c 20 50  |<!DOCTYPE html P|
00000010  55 42 4c 49 43 20 22 2d  2f 2f 57 33 43 2f 2f 44  |UBLIC "-//W3C//D|
00000020  54 44 20 58 48 54 4d 4c  20 31 2e 30 20 54 72 61  |TD XHTML 1.0 Tra|
00000030  6e 73 69 74 69 6f 6e 61  6c 2f 2f 45 4e 22 20 22  |nsitional//EN" "|
00000040  68 74 74 70 3a 2f 2f 77  77 77 2e 77 33 2e 6f 72  |http://www.w3.or|
00000050  67 2f 54 52 2f 78 68 74  6d 6c 31 2f 44 54 44 2f  |g/TR/xhtml1/DTD/|
00000060  78 68 74 6d 6c 31 2d 74  72 61 6e 73 69 74 69 6f  |xhtml1-transitio|
00000070  6e 61 6c 2e 64 74 64 22  3e 0a 3c 68 74 6d 6c 3e  |nal.dtd">.<html>|
00000080  0a 3c 62 6f 64 79 3e 3c  2f 62 6f 64 79 3e 0a 3c  |.<body></body>.<|
00000090  2f 68 74 6d 6c 3e 0a                              |/html>.|
00000097
valgrind ./test 4.html
==88347== Memcheck, a memory error detector
==88347== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==88347== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==88347== Command: ./test 4.html
==88347==
--88347-- run: /usr/bin/dsymutil "./test"
warning: no debug symbols in executable (-arch x86_64)
==88347== Invalid write of size 1
==88347==    at 0x100006B50: myhtml_string_copy (in ./test)
==88347==    by 0x10000DFC0: myhtml_token_merged_two_token_string (in ./test)
==88347==    by 0x1000153C8: myhtml_tree_node_insert_text (in ./test)
==88347==    by 0x1000082D9: myhtml_insertion_mode_in_body (in ./test)
==88347==    by 0x10000B2C8: myhtml_insertion_mode_after_after_body (in ./test)
==88347==    by 0x10000B92B: myhtml_rules_tree_dispatcher (in ./test)
==88347==    by 0x1000057FA: myhtml_queue_add (in ./test)
==88347==    by 0x10000EA64: myhtml_tokenizer_queue_create_text_node_if_need (in ./test)
==88347==    by 0x100011ACB: myhtml_tokenizer_end_state_data (in ./test)
==88347==    by 0x10000E752: myhtml_tokenizer_end (in ./test)
==88347==    by 0x10000118C: main (in ./test)
==88347==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==88347==
==88347==
==88347== Process terminating with default action of signal 11 (SIGSEGV)
==88347==  Access not within mapped region at address 0x0
==88347==    at 0x100006B50: myhtml_string_copy (in ./test)
==88347==    by 0x10000DFC0: myhtml_token_merged_two_token_string (in ./test)
==88347==    by 0x1000153C8: myhtml_tree_node_insert_text (in ./test)
==88347==    by 0x1000082D9: myhtml_insertion_mode_in_body (in ./test)
==88347==    by 0x10000B2C8: myhtml_insertion_mode_after_after_body (in ./test)
==88347==    by 0x10000B92B: myhtml_rules_tree_dispatcher (in ./test)
==88347==    by 0x1000057FA: myhtml_queue_add (in ./test)
==88347==    by 0x10000EA64: myhtml_tokenizer_queue_create_text_node_if_need (in ./test)
==88347==    by 0x100011ACB: myhtml_tokenizer_end_state_data (in ./test)
==88347==    by 0x10000E752: myhtml_tokenizer_end (in ./test)
==88347==    by 0x10000118C: main (in ./test)
==88347==  If you believe this happened as a result of a stack
==88347==  overflow in your program's main thread (unlikely but
==88347==  possible), you can try to increase the size of the
==88347==  main thread stack using the --main-stacksize= flag.
==88347==  The main thread stack size used in this run was 8388608.
==88347==
==88347== HEAP SUMMARY:
==88347==     in use at exit: 3,518,847 bytes in 281 blocks
==88347==   total heap usage: 346 allocs, 65 frees, 3,528,631 bytes allocated
==88347==
==88347== LEAK SUMMARY:
==88347==    definitely lost: 0 bytes in 0 blocks
==88347==    indirectly lost: 0 bytes in 0 blocks
==88347==      possibly lost: 0 bytes in 0 blocks
==88347==    still reachable: 3,496,568 bytes in 85 blocks
==88347==         suppressed: 22,279 bytes in 196 blocks
==88347== Rerun with --leak-check=full to see details of leaked memory
==88347==
==88347== For counts of detected and suppressed errors, rerun with: -v
==88347== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault: 11

@horpto commented Sep 6, 2016

+1, appeared.

@lexborisov (Owner)

Full code, please.

@kostya (Contributor, Author) commented Sep 6, 2016

@lexborisov (Owner)

==24566== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

OS name and version, compiler?

@kostya (Contributor, Author) commented Sep 6, 2016

OS X 10.11.6, cc --version:

    Apple LLVM version 7.3.0 (clang-703.0.31)
    Target: x86_64-apple-darwin15.6.0
    Thread model: posix
    InstalledDir: /Library/Developer/CommandLineTools/usr/bin

A little later I'll try on Linux.

@lexborisov (Owner)

I'm confused.

My OS and compiler:

    Darwin Kernel Version 15.6.0 (10.11.6)

    Apple LLVM version 7.3.0 (clang-703.0.31)
    Target: x86_64-apple-darwin15.6.0
    Thread model: posix
    InstalledDir: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin

@horpto commented Sep 6, 2016

If I build myhtml with MyHTML_BUILD_WITHOUT_THREADS=YES then it crashes; otherwise it does not.

@lexborisov (Owner)

How do you build the example?

@horpto commented Sep 6, 2016

    make MyHTML_BUILD_WITHOUT_THREADS=YES clean all && ./bin/tokenizer_colorize_high_level test.html

@kostya (Contributor, Author) commented Sep 6, 2016

Yes, my build was:

    make MyHTML_BUILD_SHARED=OFF MyHTML_BUILD_WITHOUT_THREADS=YES MyHTML_OPTIMIZATION_LEVEL=-O3

If I change it to:

    make MyHTML_BUILD_SHARED=OFF MyHTML_BUILD_WITHOUT_THREADS=NO MyHTML_OPTIMIZATION_LEVEL=-O3

there is no crash.

lexborisov added a commit that referenced this issue Sep 6, 2016

@lexborisov (Owner)

Thanks!

Fixed!
