[valgrind] "invalid read" detected in gui_internal_html

[pini]

Hi,

Steps to reproduce under Linux:

• compile navit with debug flags
• run under valgrind with gui_internal enabled

  valgrind --suppressions=$HOME/.navit/navit.supp --gen-suppressions=yes --db-attach=yes --num-callers=30 navit
  

• (you may have to iterate a couple of times to suppress non significant valgind errors using the .supp file)
• navigated to the bookmarks menu (click map / Action / Bookmarks)

=> The following valgrind error is triggered:

==14938== Invalid read of size 1
==14938==    at 0x8093FAB: get_op (command.c:90)
==14938==    by 0x8094D34: eval_postfix (command.c:426)
==14938==    by 0x8094F75: eval_unary (command.c:462)
==14938==    by 0x8094FA3: eval_multiplicative (command.c:471)
==14938==    by 0x809521C: eval_additive (command.c:504)
==14938==    by 0x809540E: eval_equality (command.c:531)
==14938==    by 0x80956E2: eval_bitwise_and (command.c:572)
==14938==    by 0x80957E9: eval_bitwise_xor (command.c:589)
==14938==    by 0x80958C0: eval_bitwise_or (command.c:605)
==14938==    by 0x80959C6: eval_logical_and (command.c:622)
==14938==    by 0x8095AAB: eval_logical_or (command.c:638)
==14938==    by 0x8095B90: eval_conditional (command.c:655)
==14938==    by 0x8095D1C: eval_assignment (command.c:680)
==14938==    by 0x8095DF4: eval_comma (command.c:697)
==14938==    by 0x80963A4: command_evaluate (command.c:862)
==14938==    by 0x582340D: gui_internal_evaluate (gui_internal.c:4500)
==14938==    by 0x582342E: gui_internal_html_command (gui_internal.c:4507)
==14938==    by 0x5816773: gui_internal_call_highlighted (gui_internal.c:1423)
==14938==    by 0x5825785: gui_internal_button (gui_internal.c:5207)
==14938==    by 0x805FB3A: callback_call (callback.c:172)
==14938==    by 0x805FCF9: callback_list_call_attr (callback.c:219)
==14938==    by 0x805FDBC: callback_list_call_attr_args (callback.c:235)
==14938==    by 0x4BBE281: button_release (graphics_gtk_drawing_area.c:804)
==14938==    by 0x4E04983: ??? (in /usr/lib/libgtk-x11-2.0.so.0.2400.4)
==14938==    by 0x4C469F1: g_closure_invoke (in /usr/lib/libgobject-2.0.so.0.2800.6)
==14938==    by 0x4C59987: ??? (in /usr/lib/libgobject-2.0.so.0.2800.6)
==14938==    by 0x4C6217A: g_signal_emit_valist (in /usr/lib/libgobject-2.0.so.0.2800.6)
==14938==    by 0x4C625A1: g_signal_emit (in /usr/lib/libgobject-2.0.so.0.2800.6)
==14938==    by 0x4F395A5: ??? (in /usr/lib/libgtk-x11-2.0.so.0.2400.4)
==14938==    by 0x4E02B0C: gtk_propagate_event (in /usr/lib/libgtk-x11-2.0.so.0.2400.4)
==14938==  Address 0x5bb2fc3 is 11 bytes inside a block of size 12 free'd
==14938==    at 0x4023B6A: free (vg_replace_malloc.c:366)
==14938==    by 0x40AC3A5: g_free (in /lib/libglib-2.0.so.0.2800.6)
==14938==    by 0x5816511: gui_internal_widget_destroy (gui_internal.c:1353)
==14938==    by 0x581649F: gui_internal_widget_children_destroy (gui_internal.c:1343)
==14938==    by 0x5816503: gui_internal_widget_destroy (gui_internal.c:1352)
==14938==    by 0x581649F: gui_internal_widget_children_destroy (gui_internal.c:1343)
==14938==    by 0x5816503: gui_internal_widget_destroy (gui_internal.c:1352)
==14938==    by 0x581649F: gui_internal_widget_children_destroy (gui_internal.c:1343)
==14938==    by 0x5816503: gui_internal_widget_destroy (gui_internal.c:1352)
==14938==    by 0x581649F: gui_internal_widget_children_destroy (gui_internal.c:1343)
==14938==    by 0x5816503: gui_internal_widget_destroy (gui_internal.c:1352)
==14938==    by 0x58168C7: gui_internal_menu_destroy (gui_internal.c:1460)
==14938==    by 0x5816A38: gui_internal_prune_menu_do (gui_internal.c:1494)
==14938==    by 0x5816B02: gui_internal_prune_menu_count (gui_internal.c:1513)
==14938==    by 0x581B74D: gui_internal_cmd_bookmarks (gui_internal.c:3008)
==14938==    by 0x581BCB6: gui_internal_cmd2_bookmarks (gui_internal.c:3110)
==14938==    by 0x8096468: command_table_call (command.c:897)
==14938==    by 0x805FAA2: callback_call (callback.c:163)
==14938==    by 0x805FCF9: callback_list_call_attr (callback.c:219)
==14938==    by 0x805FDBC: callback_list_call_attr_args (callback.c:235)
==14938==    by 0x8094C4E: command_call_function (command.c:402)
==14938==    by 0x8094E7C: eval_postfix (command.c:444)
==14938==    by 0x8094F75: eval_unary (command.c:462)
==14938==    by 0x8094FA3: eval_multiplicative (command.c:471)
==14938==    by 0x809521C: eval_additive (command.c:504)
==14938==    by 0x809540E: eval_equality (command.c:531)
==14938==    by 0x80956E2: eval_bitwise_and (command.c:572)
==14938==    by 0x80957E9: eval_bitwise_xor (command.c:589)
==14938==    by 0x80958C0: eval_bitwise_or (command.c:605)
==14938==    by 0x80959C6: eval_logical_and (command.c:622)

What happens is that the string holding the command from html is freed by gui_internal_prune_menu_count (from command_call_function) while still being parsed by command_evaluate. The two callstack parts above clearly show that.

One sure way to fix that is to g_strdup the string at the beginning of command_evaluate, and release it on the end. A big fat comment should state not to rely on the command parameter once the evaluation has started.

Attaching a patch.

Thanks.

[woglinde]

Hi,

thanks for the patch. It was commited with revision ​http://navit.svn.sourceforge.net/viewvc/navit?view=revision&revision=4500

comments was changed from c++ style to c style