Occasional crashes in hubbub parser bindings #146

Closed
burg opened this issue Oct 23, 2012 · 3 comments
@burg burg commented Oct 23, 2012

There are some bad pointers in the unsafe hubbub glue code. For me this crashes on Mac on first run; on Ubuntu in VMware, it crashes every run.

Valgrind has some useful hints:

==12043== Conditional jump or move depends on uninitialised value(s)
==12043==    at 0x25110: str::is_utf8::_2785596a8cd7c1d::_05 (in /usr/local/lib/rustc/x86_64-apple-darwin/lib/libcore-c3ca5d77d81b46c1-0.5.dylib)
==12043==    by 0xAA07BA: tree_callbacks::from_hubbub_attributes::_9fc9e67257796e8::_01 (in /Users/burg/repos/servo/build/src/rust-hubbub/libhubbub-68a2c114141ca-0.1.dylib)
==12043==    by 0xAA0F36: tree_callbacks::from_hubbub_tag::_fb1482d987a53189::_01 (in /Users/burg/repos/servo/build/src/rust-hubbub/libhubbub-68a2c114141ca-0.1.dylib)
==12043==    by 0xAA184F: tree_callbacks::create_element::__rust_stack_shim (in /Users/burg/repos/servo/build/src/rust-hubbub/libhubbub-68a2c114141ca-0.1.dylib)
==12043==    by 0xCC429D: __morestack (in /usr/local/lib/rustc/x86_64-apple-darwin/lib/librustrt.dylib)
==12043==    by 0x10053A10F: ???
==12043==    by 0x7FFF5FC04921: dyld::fastBindLazySymbol(ImageLoader**, unsigned long) (in /usr/lib/dyld)
==12043==    by 0x10053A12F: ???
==12043==    by 0xCB0414: rust_task::call_on_c_stack(void*, void*) (in /usr/local/lib/rustc/x86_64-apple-darwin/lib/librustrt.dylib)
==12043==    by 0xA9E8DF: hubbub_parser_setopt__c_stack_shim (in /Users/burg/repos/servo/build/src/rust-hubbub/libhubbub-68a2c114141ca-0.1.dylib)
==12043==    by 0x2: ???
==12043==    by 0x10053A1AF: ???
==12043== 

@burg burg commented Oct 23, 2012

Another trace:

==12072== Thread 11:
==12072== Conditional jump or move depends on uninitialised value(s)
==12072==    at 0x25110: str::is_utf8::_2785596a8cd7c1d::_05 (in /usr/local/lib/rustc/x86_64-apple-darwin/lib/libcore-c3ca5d77d81b46c1-0.5.dylib)
==12072==    by 0xAA0FC8: tree_callbacks::from_hubbub_doctype::_e31dc9821339113::_01 (in /Users/burg/repos/servo/build/src/rust-hubbub/libhubbub-68a2c114141ca-0.1.dylib)
==12072==    by 0xAA15FF: tree_callbacks::create_doctype::__rust_stack_shim (in /Users/burg/repos/servo/build/src/rust-hubbub/libhubbub-68a2c114141ca-0.1.dylib)
==12072==    by 0xCC429D: __morestack (in /usr/local/lib/rustc/x86_64-apple-darwin/lib/librustrt.dylib)
==12072==    by 0x100D0369F: ???
==12072==    by 0x7FFF5FC04921: dyld::fastBindLazySymbol(ImageLoader**, unsigned long) (in /usr/lib/dyld)
==12072==    by 0x100D036BF: ???
==12072==    by 0xCB0414: rust_task::call_on_c_stack(void*, void*) (in /usr/local/lib/rustc/x86_64-apple-darwin/lib/librustrt.dylib)
==12072==    by 0xA9E8DF: hubbub_parser_setopt__c_stack_shim (in /Users/burg/repos/servo/build/src/rust-hubbub/libhubbub-68a2c114141ca-0.1.dylib)
==12072==    by 0x2: ???
==12072==    by 0x100D0373F: ???
==12072==    by 0x100D012FF: ???
==12072==

@burg burg commented Oct 23, 2012

Possible cause: rust-lang/rust#3843

Interim solution: copy strings earlier into a ~str, instead of passing around a slice.


@burg burg commented Oct 24, 2012

IRC discussion

burg: heh.. so the parser valgrind reports seem to be that
[3:03pm] burg: we use str::buf_as_slice to view the cstring as a &str
[3:03pm] burg: the above code makes a slice with len = cstring_len+1 to account for the trailing nul
[3:04pm] burg: but there's not necessarily a trailing nul
[3:04pm] burg: so is_utf8() will march over the bytes and try to read the non-existent nul
[3:05pm] pcwalton: ah
[3:05pm] brson: burg: gross
[3:05pm] burg:
[3:05pm] burg: so we may be better off just atomizing/copying the str right during the tree_builder callbacks instead of later
[3:07pm] burg: thoughts?
[3:07pm] brson: buf_as_slice is broken
[3:07pm] brson: the situation with trailing nulls and slices is not good
[3:08pm] brson: even seems rife for rust vulnerabilities
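The defect described in the IRC log (a slice of `len + 1` bytes that assumes a trailing NUL the parser never wrote, which is_utf8 then walks past) and burg's interim fix (copy into an owned string during the tree-builder callback instead of keeping a borrowed slice), as an added example in current Rust. This is not the rust-hubbub binding's own code: `View`, `buggy_view`, `owned_copy`, `from_hubbub_string`, `ConvertError` and the `DOC` buffer are constructed for the example, and the pointer-plus-length layout of the C side is an assumption about hubbub, not something the page shows.

```rust
use std::str;

/// Failure modes of the conversion. (Constructed for this example.)
#[derive(Debug, PartialEq)]
pub enum ConvertError {
    OutOfBounds,
    InvalidUtf8,
    NullPointer,
}

/// A hubbub-style string: a window of `len` bytes into a document buffer
/// that the C parser owns. There is no trailing NUL; `len` is the whole
/// truth. Modelled as offsets so the bug can be shown in safe Rust.
#[derive(Clone, Copy, Debug)]
pub struct View {
    pub start: usize,
    pub len: usize,
}

/// The shape of the bug in the IRC log: the binding viewed `len + 1` bytes,
/// assuming a trailing NUL the parser never wrote. Safe slicing turns the
/// over-read into `None`; the unsafe FFI path read one byte past the string,
/// which is what Valgrind flagged inside is_utf8.
pub fn buggy_view(doc: &[u8], v: View) -> Option<&[u8]> {
    doc.get(v.start..v.start + v.len + 1)
}

/// Hardened form: take exactly `len` bytes, validate them as UTF-8, and copy
/// into an owned String inside the callback, so nothing borrowed outlives
/// the parser's buffer (burg's "copy earlier into an owned string").
pub fn owned_copy(doc: &[u8], v: View) -> Result<String, ConvertError> {
    let end = v.start.checked_add(v.len).ok_or(ConvertError::OutOfBounds)?;
    let bytes = doc.get(v.start..end).ok_or(ConvertError::OutOfBounds)?;
    let s = str::from_utf8(bytes).map_err(|_| ConvertError::InvalidUtf8)?;
    Ok(s.to_owned())
}

/// The same fix at the FFI boundary, as a tree-builder callback would apply
/// it to a (pointer, length) pair handed over by C.
///
/// # Safety
/// `ptr` must be null or point to at least `len` readable bytes that stay
/// valid for the duration of this call. Nothing is retained afterwards.
pub unsafe fn from_hubbub_string(ptr: *const u8, len: usize) -> Result<String, ConvertError> {
    if ptr.is_null() {
        // Assumption: the parser may hand over (NULL, 0) for an empty string.
        return if len == 0 { Ok(String::new()) } else { Err(ConvertError::NullPointer) };
    }
    // Exactly `len` bytes: no "+1 for the NUL", because there is none.
    let bytes = std::slice::from_raw_parts(ptr, len);
    let s = str::from_utf8(bytes).map_err(|_| ConvertError::InvalidUtf8)?;
    Ok(s.to_owned())
}

/// Constructed document buffer standing in for the parser's input.
pub const DOC: &[u8] = b"<p class=\"x\">hi</p>";

fn main() {
    // Tag name "p" at offset 1: the buggy view drags in the following space.
    println!("{:?}", buggy_view(DOC, View { start: 1, len: 1 })); // Some([112, 32])
    // The final byte of the buffer: the +1 falls off the end of the document.
    println!("{:?}", buggy_view(DOC, View { start: 18, len: 1 })); // None
    println!("{:?}", owned_copy(DOC, View { start: 3, len: 5 })); // Ok("class")
    let text = unsafe { from_hubbub_string(DOC.as_ptr().add(13), 2) };
    println!("{:?}", text); // Ok("hi")
}
```

In the safe model the over-long view fails loudly (`None`) at the end of the buffer, while everywhere else it silently returns one bogus byte (`"p "` instead of `"p"`); the unsafe binding had neither protection, so the same arithmetic became an out-of-bounds read that only Valgrind noticed. Validating with `from_utf8` instead of trusting the bytes also turns malformed input into an `Err` rather than a crash.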
@burg burg closed this Oct 24, 2012
ChrisParis pushed a commit to ChrisParis/servo that referenced this issue Sep 7, 2014
glennw added a commit to glennw/servo that referenced this issue Jan 16, 2017
Don't panic on nonzero inset border radii.