[elinks-users] Seg faults in elinks 0.11.3

Kalle Olavi Niemitalo kon at iki.fi
Sun Apr 13 11:36:40 PDT 2008


Roy Millar <awzg95 at dsl.pipex.com> writes:

> Now after entering my logon info (several items, for security), as
> soon as the new screen starts to appear, elinks seg faults in frames.c.

There have been many bugs in the frames support, but I think this
crash is not currently listed at bugzilla.elinks.cz.  Could you
post a self-contained test case?

Your crash was in format_frame():

	if (doc_view) {
		render_document(vs, doc_view, o);
		assert(doc_view->document);
		doc_view->document->frame = frame_desc;
	}

The assignment crashed because doc_view->document was not NULL
but pointed to freed memory.  render_document() calls
detach_formatted(), which sets doc_view->document = NULL; so the
dangling pointer must have been placed there after that.

I am not very familiar with this part of ELinks.
In 0.11, I think the way to debug this would be:

----------------------------------------------------------------------
Assert in done_document that no document_view points there.

This should help find the cause of the format_frame crash reported at
elinks-users.

---
commit 4ed1ea4b578fa145c3989c38ffc3e1e081195287
tree 7964249503382d465119634dc6857ad9463dadd2
parent 003d09ed781fb84fb711f42a82ddf89870ce10e4
author Kalle Olavi Niemitalo <kon at iki.fi> Sun, 13 Apr 2008 21:31:20 +0300
committer Kalle Olavi Niemitalo <Kalle at Astalo.kon.iki.fi> Sun, 13 Apr 2008 21:31:20 +0300

 src/document/document.c    |   19 +++++++++++++++++++
 src/document/html/frames.c |   11 +++++++++++
 src/document/view.h        |    9 +++++++++
 3 files changed, 39 insertions(+), 0 deletions(-)

diff --git a/src/document/document.c b/src/document/document.c
index 9765197..69d1a34 100644
--- a/src/document/document.c
+++ b/src/document/document.c
@@ -21,6 +21,7 @@
 #include "document/html/renderer.h"
 #include "document/options.h"
 #include "document/refresh.h"
+#include "document/view.h"
 #include "main/module.h"
 #include "main/object.h"
 #include "protocol/uri.h"
@@ -35,6 +36,10 @@
 
 static INIT_LIST_HEAD(format_cache);
 
+#ifdef CONFIG_DEBUG
+INIT_LIST_HEAD(debug_docview_refs);
+#endif
+
 struct document *
 init_document(struct cache_entry *cached, struct document_options *options)
 {
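Review bot: The new global `debug_docview_refs` on the `INIT_LIST_HEAD` line has no comment saying what the list holds or who is expected to read it, and the name alone does not say that entries are stack-allocated and short-lived. Since the list is exported through view.h and walked from done_document(), a one-line comment at the definition would save the next reader a trip through frames.c: `/* CONFIG_DEBUG only: document_views currently inside render_document(); done_document() asserts none of them still points at the document being freed. */`. init_document() begins at the end of the hunk and continues outside it.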
@@ -103,6 +108,18 @@ done_link_members(struct link *link)
 	mem_free_if(link->points);
 }
 
+#ifdef CONFIG_DEBUG
+void
+assert_document_not_in_any_view(struct document *document)
+{
+	struct debug_docview_ref *ref;
+	foreach (ref, debug_docview_refs)
+		assert(ref->doc_view->document != document);
+}
+#else
+# define assert_document_not_in_any_view (void)
+#endif
+
 void
 done_document(struct document *document)
 {
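Review bot: `assert_document_not_in_any_view` is defined with external linkage but no prototype is added to any header in this commit, and its only visible caller is done_document() in the same file; making it `static void` keeps it out of the global namespace and avoids a missing-prototype warning, assuming no other translation unit needs it. The `#else` fallback `# define assert_document_not_in_any_view (void)` turns the call into `(void)(document);`, which is fine, but a short comment on the `#else` line saying that the argument is intentionally evaluated and discarded would make the asymmetry obvious. The `foreach` body should also be braced, `foreach (ref, debug_docview_refs) { assert(ref->doc_view->document != document); }`, so a later second statement cannot silently fall outside the loop. done_document() starts at the end of the hunk and continues outside it.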
@@ -114,6 +131,8 @@ done_document(struct document *document)
 	assertm(!is_object_used(document), "Attempt to free locked formatted data.");
 	if_assert_failed return;
 
+	assert_document_not_in_any_view(document);
+
 	cached = find_in_cache(document->uri);
 	if (!cached)
 		INTERNAL("no cache entry for document");
diff --git a/src/document/html/frames.c b/src/document/html/frames.c
index d3d7134..03a4532 100644
--- a/src/document/html/frames.c
+++ b/src/document/html/frames.c
@@ -201,9 +201,20 @@ format_frame(struct session *ses, struct frame_desc *frame_desc,
 
 	doc_view = find_fd(ses, frame_desc->name, depth, o->box.x, o->box.y);
 	if (doc_view) {
+#ifdef CONFIG_DEBUG
+		struct debug_docview_ref ref;
+
+		ref.doc_view = doc_view;
+		add_to_list(debug_docview_refs, &ref);
+#endif
+
 		render_document(vs, doc_view, o);
 		assert(doc_view->document);
 		doc_view->document->frame = frame_desc;
+
+#ifdef CONFIG_DEBUG
+		del_from_list(&ref);
+#endif
 	}
 	o->plain = plain;
 
diff --git a/src/document/view.h b/src/document/view.h
index 931c1ca..d0179b6 100644
--- a/src/document/view.h
+++ b/src/document/view.h
@@ -47,4 +47,13 @@ struct document_view {
 	  && (doc_view)->vs->current_link < (doc_view)->document->nlinks) \
 	? &(doc_view)->document->links[(doc_view)->vs->current_link] : NULL)
 
+#ifdef CONFIG_DEBUG
+struct debug_docview_ref {
+	LIST_HEAD(struct debug_docview_ref);
+	struct document_view *doc_view;
+};
+
+extern struct list_head debug_docview_refs;
+#endif
+
 #endif
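Review bot: The new `struct debug_docview_ref` and the `extern struct list_head debug_docview_refs;` declaration have no comment explaining that the entries are transient records of views being rendered, which is what done_document() relies on when it walks the list. A short comment above the struct, `/* CONFIG_DEBUG: transient record that doc_view is inside render_document(); linked into debug_docview_refs by format_frame() and checked by done_document(). */`, would document the contract at the one place every user includes. The `LIST_HEAD` field and `struct list_head` type presumably come from the lists header; whether view.h already includes it is not visible in this hunk and is worth confirming.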


