Opened 12 years ago
Closed 12 years ago
#864 closed defect/bug (fixed)
[valgrind] "invalid read" detected in gui_internal_html
| Reported by: | pini | Owned by: | cp15 |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | gui/internal | Version: | git master |
| Severity: | | Keywords: | |
| Cc: | | | |
Description
Hi,
Steps to reproduce under Linux:
- compile navit with debug flags
- run under valgrind with gui_internal enabled:
  `valgrind --suppressions=$HOME/.navit/navit.supp --gen-suppressions=yes --db-attach=yes --num-callers=30 navit`
- (you may have to iterate a couple of times to suppress non-significant valgrind errors using the .supp file)
- navigate to the bookmarks menu (click map / Action / Bookmarks)
=> The following valgrind error is triggered:
```
==14938== Invalid read of size 1
==14938==    at 0x8093FAB: get_op (command.c:90)
==14938==    by 0x8094D34: eval_postfix (command.c:426)
==14938==    by 0x8094F75: eval_unary (command.c:462)
==14938==    by 0x8094FA3: eval_multiplicative (command.c:471)
==14938==    by 0x809521C: eval_additive (command.c:504)
==14938==    by 0x809540E: eval_equality (command.c:531)
==14938==    by 0x80956E2: eval_bitwise_and (command.c:572)
==14938==    by 0x80957E9: eval_bitwise_xor (command.c:589)
==14938==    by 0x80958C0: eval_bitwise_or (command.c:605)
==14938==    by 0x80959C6: eval_logical_and (command.c:622)
==14938==    by 0x8095AAB: eval_logical_or (command.c:638)
==14938==    by 0x8095B90: eval_conditional (command.c:655)
==14938==    by 0x8095D1C: eval_assignment (command.c:680)
==14938==    by 0x8095DF4: eval_comma (command.c:697)
==14938==    by 0x80963A4: command_evaluate (command.c:862)
==14938==    by 0x582340D: gui_internal_evaluate (gui_internal.c:4500)
==14938==    by 0x582342E: gui_internal_html_command (gui_internal.c:4507)
==14938==    by 0x5816773: gui_internal_call_highlighted (gui_internal.c:1423)
==14938==    by 0x5825785: gui_internal_button (gui_internal.c:5207)
==14938==    by 0x805FB3A: callback_call (callback.c:172)
==14938==    by 0x805FCF9: callback_list_call_attr (callback.c:219)
==14938==    by 0x805FDBC: callback_list_call_attr_args (callback.c:235)
==14938==    by 0x4BBE281: button_release (graphics_gtk_drawing_area.c:804)
==14938==    by 0x4E04983: ??? (in /usr/lib/libgtk-x11-2.0.so.0.2400.4)
==14938==    by 0x4C469F1: g_closure_invoke (in /usr/lib/libgobject-2.0.so.0.2800.6)
==14938==    by 0x4C59987: ??? (in /usr/lib/libgobject-2.0.so.0.2800.6)
==14938==    by 0x4C6217A: g_signal_emit_valist (in /usr/lib/libgobject-2.0.so.0.2800.6)
==14938==    by 0x4C625A1: g_signal_emit (in /usr/lib/libgobject-2.0.so.0.2800.6)
==14938==    by 0x4F395A5: ??? (in /usr/lib/libgtk-x11-2.0.so.0.2400.4)
==14938==    by 0x4E02B0C: gtk_propagate_event (in /usr/lib/libgtk-x11-2.0.so.0.2400.4)
==14938==  Address 0x5bb2fc3 is 11 bytes inside a block of size 12 free'd
==14938==    at 0x4023B6A: free (vg_replace_malloc.c:366)
==14938==    by 0x40AC3A5: g_free (in /lib/libglib-2.0.so.0.2800.6)
==14938==    by 0x5816511: gui_internal_widget_destroy (gui_internal.c:1353)
==14938==    by 0x581649F: gui_internal_widget_children_destroy (gui_internal.c:1343)
==14938==    by 0x5816503: gui_internal_widget_destroy (gui_internal.c:1352)
==14938==    by 0x581649F: gui_internal_widget_children_destroy (gui_internal.c:1343)
==14938==    by 0x5816503: gui_internal_widget_destroy (gui_internal.c:1352)
==14938==    by 0x581649F: gui_internal_widget_children_destroy (gui_internal.c:1343)
==14938==    by 0x5816503: gui_internal_widget_destroy (gui_internal.c:1352)
==14938==    by 0x581649F: gui_internal_widget_children_destroy (gui_internal.c:1343)
==14938==    by 0x5816503: gui_internal_widget_destroy (gui_internal.c:1352)
==14938==    by 0x58168C7: gui_internal_menu_destroy (gui_internal.c:1460)
==14938==    by 0x5816A38: gui_internal_prune_menu_do (gui_internal.c:1494)
==14938==    by 0x5816B02: gui_internal_prune_menu_count (gui_internal.c:1513)
==14938==    by 0x581B74D: gui_internal_cmd_bookmarks (gui_internal.c:3008)
==14938==    by 0x581BCB6: gui_internal_cmd2_bookmarks (gui_internal.c:3110)
==14938==    by 0x8096468: command_table_call (command.c:897)
==14938==    by 0x805FAA2: callback_call (callback.c:163)
==14938==    by 0x805FCF9: callback_list_call_attr (callback.c:219)
==14938==    by 0x805FDBC: callback_list_call_attr_args (callback.c:235)
==14938==    by 0x8094C4E: command_call_function (command.c:402)
==14938==    by 0x8094E7C: eval_postfix (command.c:444)
==14938==    by 0x8094F75: eval_unary (command.c:462)
==14938==    by 0x8094FA3: eval_multiplicative (command.c:471)
==14938==    by 0x809521C: eval_additive (command.c:504)
==14938==    by 0x809540E: eval_equality (command.c:531)
==14938==    by 0x80956E2: eval_bitwise_and (command.c:572)
==14938==    by 0x80957E9: eval_bitwise_xor (command.c:589)
==14938==    by 0x80958C0: eval_bitwise_or (command.c:605)
==14938==    by 0x80959C6: eval_logical_and (command.c:622)
```
What happens is that the string holding the command from html is freed by gui_internal_prune_menu_count (from command_call_function) while still being parsed by command_evaluate. The two callstack parts above clearly show that.
One sure way to fix that is to g_strdup the string at the beginning of command_evaluate, and release it at the end. A big fat comment should state not to rely on the command parameter once the evaluation has started.
Attaching a patch.
Thanks.
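The pattern the report describes, reduced to a stand-alone C program (an added illustration, not code from the ticket, the attached patch or navit itself): a toy evaluator walks a ';'-separated command string, one of the commands tears down the widget that owns that string, and the evaluator keeps reading. `struct widget`, `destroy_menu`, `run_words` and the command words are constructed stand-ins for the gui_internal widget, `gui_internal_prune_menu_count` and the html command; `strdup`/`free` stand in for `g_strdup`/`g_free` so the example builds without glib. The unsafe variant keeps the bug for comparison and is never executed; the safe variant applies the copy-first fix the report proposes.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the gui_internal widget that owns the html
 * command string; in the report it is freed by gui_internal_widget_destroy. */
struct widget {
    char *command;            /* heap string owned by the widget */
};

/* Constructed stand-in for gui_internal_prune_menu_count: a command callback
 * that tears the menu down and thereby frees the very string the evaluator
 * is still reading. */
static void destroy_menu(struct widget *w)
{
    free(w->command);
    w->command = NULL;
}

/* Toy command evaluator: words separated by ';'. The word "prune" invokes
 * destroy_menu(); every word counts as one executed command. */
static int run_words(const char *cmd, struct widget *owner)
{
    int executed = 0;
    const char *p = cmd;

    while (*p) {
        const char *end = strchr(p, ';');
        size_t len = end ? (size_t)(end - p) : strlen(p);

        if (len == 5 && strncmp(p, "prune", 5) == 0)
            destroy_menu(owner);      /* may free the buffer behind cmd */
        executed++;
        if (!end)
            break;
        p = end + 1;                  /* *p is read again on the next loop */
    }
    return executed;
}

/* Vulnerable shape from the ticket: parses the widget's own buffer, so once
 * destroy_menu() has run, every further read of *p is a use-after-free.
 * Valgrind reports it as "Invalid read of size 1" inside a freed block.
 * Kept only for comparison; never called below. */
int command_evaluate_unsafe(struct widget *owner)
{
    return run_words(owner->command, owner);
}

/* Hardened shape the ticket proposes: copy first, evaluate the copy, free it
 * at the end. Callers must not assume the original command string survives
 * evaluation, because a callback may have destroyed its owner. */
int command_evaluate_safe(struct widget *owner)
{
    char *copy;
    int executed;

    if (!owner->command)
        return -1;
    copy = strdup(owner->command);    /* g_strdup in navit */
    if (!copy)
        return -1;
    executed = run_words(copy, owner);
    free(copy);                       /* g_free in navit */
    return executed;
}

/* Helpers that wrap constructed command text in a widget, evaluate it safely
 * and report the result; used by main() below. */
int evaluate_text(const char *text)
{
    struct widget w = { strdup(text) };
    int executed = command_evaluate_safe(&w);
    free(w.command);                  /* already NULL if "prune" ran */
    return executed;
}

int evaluate_text_destroyed(const char *text)
{
    struct widget w = { strdup(text) };
    int destroyed;
    command_evaluate_safe(&w);
    destroyed = (w.command == NULL);
    free(w.command);
    return destroyed;
}

int main(void)
{
    /* Constructed command mirroring the bookmarks menu: it prunes the menu
     * part-way through and then keeps executing. */
    const char *cmd = "open_bookmarks;prune;refresh;back";
    printf("executed %d words, menu destroyed: %d\n",
           evaluate_text(cmd), evaluate_text_destroyed(cmd));
    return 0;
}
```

With the copy in place all four words of the constructed command run even though the owning widget is gone by the second one; running the unsafe variant under valgrind with `--num-callers` raised, as the report does, would instead show the read of the freed block at the `while (*p)` check.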
Attachments (1)
Change History (2)
Changed 12 years ago by pini
comment:1 Changed 12 years ago by woglinde
- Resolution set to fixed
- Status changed from new to closed
Hi,
thanks for the patch. It was committed with revision http://navit.svn.sourceforge.net/viewvc/navit?view=revision&revision=4500
Comments were changed from C++ style to C style.