cicku / libproxy

Automatically exported from code.google.com/p/libproxy
GNU Lesser General Public License v2.1

Segfaults in pacrunner_webkit.c #153

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
My `gnome-panel` will crash if the system proxy is set to use a certain pac file with failed `dnsResolve()` queries, like when the network is down.

After more observation in gdb, I believe there are at least two problems here:
 * self->ctxs (ctxs) in _run() is freed on errors, but self->ctxs is not reset to null. This causes segfault on subsequent calls to _run(). _run() is called twice in gnome-panel, with segfault at the second time.
 * dnsResolve() returns something that makes webkit javascript interpreter segfault.

* Method to reproduce the first problem
Use `gnome-network-properties` to configure the system proxy to use a pac file that contains this:
<pre>
function FindProxyForURL(url, host)
{
dnsResolve("non.existence");
}
</pre>
Run `gnome-panel` and it crashes in `libc.so`. `gdb gnome-panel` produces this:
<pre>
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xad62bb70 (LWP 6986)]
strcmp () at ../sysdeps/i386/i686/strcmp.S:39
39  ../sysdeps/i386/i686/strcmp.S: No such file or directory.
    in ../sysdeps/i386/i686/strcmp.S
Current language:  auto
The current source language is "auto; currently asm".
(gdb) where
#0  strcmp () at ../sysdeps/i386/i686/strcmp.S:39
#1  0xb3767262 in _run (self=0x8257eb8, pac=0x8257ec8, url=0x828c6d0) at 
pacrunner_webkit.c:202
#2  0xb33c2fc2 in px_proxy_factory_get_proxies (self=0x826b6b0, url=0x8291cf0 
"http://weather.noaa.gov/cgi-bin/mgetmetar.pl?cccc=CYEG") at proxy.c:401
#3  0xb3437b71 in ?? () from /usr/lib/libsoup-gnome-2.4.so.1
...
</pre>

* Method to reproduce the second problem
Use `gnome-network-properties` to configure the system proxy to use a pac file that contains this:
<pre>
function FindProxyForURL(url, host)
{
dnsResolve("non.existence") + "";
}
</pre>
Run `gnome-panel` and it crashes in `libwebkit.so`. `gdb gnome-panel` produces this:
<pre>
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xafe30b70 (LWP 6920)]
0xb2c114e9 in JSC::JSValue::toString (callFrame=0xabffe0a8, v1=..., v2=...) at 
../JavaScriptCore/runtime/JSString.h:510
510         return asCell()->toString(exec);
Current language:  auto
The current source language is "auto; currently c++".
(gdb) where
#0  0xb2c114e9 in JSC::JSValue::toString (callFrame=0xabffe0a8, v1=..., v2=...) 
at ../JavaScriptCore/runtime/JSString.h:510
#1  JSC::jsAddSlowCase (callFrame=0xabffe0a8, v1=..., v2=...) at 
../JavaScriptCore/runtime/Operations.cpp:56
#2  0xb2b18c62 in cti_op_add (args=0xac40336c) at 
../JavaScriptCore/jit/JITStubs.cpp:1071
#3  0xad608a90 in ?? ()
#4  0xb2b23dae in JSC::JITCode::execute (this=0x200, program=0xac4173f0, 
callFrame=0xac412e24, scopeChain=0xac3fe270, thisObj=0xabf80000, 
exception=0xafe30004)
    at ../JavaScriptCore/jit/JITCode.h:77
#5  JSC::Interpreter::execute (this=0x200, program=0xac4173f0, 
callFrame=0xac412e24, scopeChain=0xac3fe270, thisObj=0xabf80000, 
exception=0xafe30004)
    at ../JavaScriptCore/interpreter/Interpreter.cpp:621
#6  0xb2bdecd6 in JSC::evaluate (exec=0xac412e24, scopeChain=..., source=..., 
thisValue=...) at ../JavaScriptCore/runtime/Completion.cpp:62
#7  0xb2ac54f9 in JSEvaluateScript (ctx=0xac412e24, script=0xac402170, 
thisObject=0x0, sourceURL=0x0, startingLineNumber=1, exception=0x0) at 
../JavaScriptCore/API/JSBase.cpp:54
#8  0xb376732b in _run (self=0xad501920, pac=0xad501568, url=0xad500cc0) at 
pacrunner_webkit.c:222
#9  0xb33c2fc2 in px_proxy_factory_get_proxies (self=0x8255a70, url=0xad500c68 
"http://weather.noaa.gov/cgi-bin/mgetmetar.pl?cccc=KPAO") at proxy.c:401
#10 0xb3437b71 in ?? () from /usr/lib/libsoup-gnome-2.4.so.1
...
</pre>

I tried to reproduce this with the provided `proxy` util, but the result is not as expected.

<pre>
$ cat /tmp/1.pac 
function FindProxyForURL(url, host)
{
dnsResolve("non.existence");
}
$ export PX_CONFIG_ORDER=config_envvar,USER,SESSION,SYSTEM,config_wpad,config_direct
$ export http_proxy=pac+file:///tmp/1.pac
$ proxy http://example.com
direct://
Segmentation fault
$ gdb --args proxy http://example.com
...
Program received signal SIGSEGV, Segmentation fault.
0xb7810132 in JSC::ExecState::globalData (ctx=0x804d140)
    at ../JavaScriptCore/interpreter/CallFrame.h:74
74              return *scopeChain()->globalData;
Current language:  auto
The current source language is "auto; currently c++".
(gdb) where
#0  0xb7810132 in JSC::ExecState::globalData (ctx=0x804d140)
    at ../JavaScriptCore/interpreter/CallFrame.h:74
#1  APIEntryShim (ctx=0x804d140) at ../JavaScriptCore/API/APIShims.h:61
#2  JSGarbageCollect (ctx=0x804d140) at ../JavaScriptCore/API/JSBase.cpp:96
#3  0xb7fd9146 in ctxs_free (self=0x8052668) at pacrunner_webkit.c:129
#4  0xb7fd9430 in _destructor (s=0x804d178) at pacrunner_webkit.c:182
#5  0xb7fc8f7e in regfree (self=0x80623d8) at module_manager.c:62
#6  0xb7fc83f4 in px_array_free (self=0x8063420) at array.c:139
#7  0xb7fcac5b in dict_free (item=0x80623f0) at strdict.c:48
#8  0xb7fc83f4 in px_array_free (self=0x804a068) at array.c:139
#9  0xb7fcaef1 in px_strdict_free (self=0x804a058) at strdict.c:124
#10 0xb7fc920e in px_module_manager_free (self=0x804a030)
    at module_manager.c:134
#11 0xb7fcab92 in px_proxy_factory_free (self=0x804a008) at proxy.c:435
#12 0x08048b86 in main (argc=2, argv=0xbffff4a4) at proxy.c:140
...
</pre>

Environment:
* Debian GNU/Linux testing (squeeze)
* libproxy0 0.3.1-2
* gnome-panel 2.30.2-2
* the `proxy` binary and libs are compiled with CFLAGS='-g -O0', installed following the Debian convention.
* Ask if you need any other information.

Though this version is outdated and has been rewritten in C++, I found that the related source in trunk (r777) is almost unchanged. The bugs can potentially remain. Please look into these.

Original issue reported on code.google.com by metacybernesis@gmail.com on 9 Jan 2011 at 7:41

GoogleCodeExporter commented 9 years ago
Oh no. The formatting becomes crap.

Original comment by metacybernesis@gmail.com on 9 Jan 2011 at 7:42

GoogleCodeExporter commented 9 years ago
What version of WebKit?

Original comment by nicolas.dufresne@gmail.com on 11 Jan 2011 at 8:02

GoogleCodeExporter commented 9 years ago
1.2.5-2.1
cf. http://packages.debian.org/squeeze/libwebkit-1.0-2

Original comment by metacybernesis@gmail.com on 11 Jan 2011 at 9:06

GoogleCodeExporter commented 9 years ago
Did you have the pac file locally and use it from a file:// URL? I just checked in a loading fix for pac+file:// based URIs, which resolved a crash of this type.

Can you verify if trunk r778 solves this for you please?

Original comment by dominiqu...@gmail.com on 6 Feb 2011 at 1:09

GoogleCodeExporter commented 9 years ago
r788 and a pac file like

   function FindProxyForURL(url, host) { dnsResolve("non.existence") + ""; }

still have similar segfaults. Please make sure this is some problem with the webkit javascript interpreter.

Original comment by metacybernesis@gmail.com on 13 Mar 2011 at 11:01

GoogleCodeExporter commented 9 years ago
Looks very similar to what we already had in issue 54.

Original comment by dominiqu...@gmail.com on 14 Mar 2011 at 4:54

GoogleCodeExporter commented 9 years ago
Looking at the crash I have here:

#0  __strcmp_ia32 () at ../sysdeps/i386/i686/multiarch/../strcmp.S:39
#1  0x018edf82 in _run (self=0x8189c00, pac=0x8189c10, url=0x81112d0)
    at pacrunner_webkit.c:197
#2  0x01867bfa in px_proxy_factory_get_proxies (self=0x816fb68, 
    url=0x81e8448 "http://weather.noaa.gov/cgi-bin/mgetmetar.pl?cccc=CYYZ")
    at proxy.c:401

It seems to be caused by:

(gdb) print *ctxs
$9 = {ctx = 0x8199920, pac = 0x0}

ctxs->pac is NULL when calling:

    if (ctxs && strcmp(ctxs->pac, px_pac_to_string(pac)))

at line 197 of src/modules/pacrunner_webkit.c

Not sure why ctxs->pac is NULL, however.  Any ideas?  FWIW, my PAC contains:

function FindProxyForURL(url, host) {
    if (isPlainHostName(host) ||
        isInNet(host, "10.0.0.0", "255.255.255.0") ||
        isInNet(host, "10.75.22.0", "255.255.254.0") ||
        isInNet(host, "10.23.104.0", "255.255.248.0") ||
        isInNet(host, "192.168.0.0", "255.255.255.0") ||
        isInNet(host, "192.168.1.0", "255.255.255.0") ||
        isInNet(host, "192.168.15.0", "255.255.255.0") ||
        isInNet(host, "127.0.0.0", "255.0.0.0") ||
        dnsDomainIs(host, "bar.foo.com") ||
        dnsDomainIs(host, "boo.foo.com") ||
        dnsDomainIs(host, ".example.com") ||
        dnsDomainIs(host, "apt.example.com"))
        return "DIRECT";
    else
        return "PROXY proxy.example.com.:3128";
}

Original comment by brianjmu...@gmail.com on 24 Jun 2011 at 3:40
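An added illustration, not libproxy's code, of the two observations in this thread: the first post's point that the cached context is freed on an evaluation error without resetting `self->ctxs`, so the second `_run()` dereferences freed memory, and the `print *ctxs` output above showing `strcmp()` being reached with `ctxs->pac == NULL`. Everything in this model is an assumption for illustration: `struct pacrunner`, `run_buggy`, `run_fixed`, `evaluate` and the `RUN_*` codes are invented names; `ctxs_free` marks the context instead of releasing it so that the dangling access is observable rather than undefined behaviour; and `evaluate` stands in for JSEvaluateScript by extracting the string literal after the first `return`, which is why the report's PAC (whose FindProxyForURL never returns a value) takes the error path.

```c
#include <stdlib.h>
#include <string.h>

enum run_status { RUN_OK = 0, RUN_NO_RESULT, RUN_LOAD_FAILED, RUN_DANGLING };

struct ctxs {
    char *pac;   /* text of the PAC this context was compiled from */
    int   freed; /* simulation only: set by ctxs_free instead of releasing memory */
};

struct pacrunner {
    struct ctxs *ctxs; /* cached context, NULL until a PAC has been compiled */
};

/* Stand-in for compiling the PAC into a JavaScript context. A NULL PAC text
   models a PAC that could not be loaded (for example a failed pac+file:// fetch). */
static struct ctxs *ctxs_new(const char *pac_text) {
    if (!pac_text) return NULL;
    struct ctxs *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    size_t n = strlen(pac_text) + 1;
    c->pac = malloc(n);
    if (!c->pac) { free(c); return NULL; }
    memcpy(c->pac, pac_text, n);
    return c;
}

/* Simulated ctxs_free: releases the PAC text and marks the context freed, but
   keeps (and leaks) the struct so a dangling pointer can be detected instead
   of being undefined behaviour. */
static void ctxs_free(struct ctxs *c) {
    if (!c) return;
    free(c->pac);
    c->pac = NULL;
    c->freed = 1;
}

/* Stand-in for JSEvaluateScript: "runs" FindProxyForURL by extracting the
   string literal after the first `return`. A PAC whose function falls off
   the end, as in the report, produces no result. */
static int evaluate(const struct ctxs *c, char *out, size_t outlen) {
    const char *r = c->pac ? strstr(c->pac, "return \"") : NULL;
    if (!r) return 0;
    r += strlen("return \"");
    const char *end = strchr(r, '"');
    if (!end) return 0;
    size_t n = (size_t)(end - r);
    if (n >= outlen) n = outlen - 1;
    memcpy(out, r, n);
    out[n] = '\0';
    return 1;
}

/* The pattern the report describes: the context is freed on an evaluation
   error but self->ctxs keeps pointing at it. */
static enum run_status run_buggy(struct pacrunner *self, const char *pac_text,
                                 char *out, size_t outlen) {
    /* Simulation sentinel: the real code would pass freed memory to strcmp
       here and crash; the simulation reports it instead. */
    if (self->ctxs && self->ctxs->freed) return RUN_DANGLING;
    if (self->ctxs && strcmp(self->ctxs->pac, pac_text) != 0) {
        ctxs_free(self->ctxs);
        self->ctxs = NULL;
    }
    if (!self->ctxs && !(self->ctxs = ctxs_new(pac_text)))
        return RUN_LOAD_FAILED;
    if (!evaluate(self->ctxs, out, outlen)) {
        ctxs_free(self->ctxs); /* BUG: self->ctxs is now dangling */
        return RUN_NO_RESULT;
    }
    return RUN_OK;
}

/* Hardened form: the cached pointer is cleared whenever the context goes away,
   and strcmp is never reached with a NULL PAC text. */
static enum run_status run_fixed(struct pacrunner *self, const char *pac_text,
                                 char *out, size_t outlen) {
    if (!pac_text) {            /* nothing to compile: drop any stale context */
        ctxs_free(self->ctxs);
        self->ctxs = NULL;
        return RUN_LOAD_FAILED;
    }
    if (self->ctxs && (!self->ctxs->pac || strcmp(self->ctxs->pac, pac_text) != 0)) {
        ctxs_free(self->ctxs);  /* PAC changed or context is stale: recompile */
        self->ctxs = NULL;
    }
    if (!self->ctxs && !(self->ctxs = ctxs_new(pac_text)))
        return RUN_LOAD_FAILED;
    if (!evaluate(self->ctxs, out, outlen)) {
        ctxs_free(self->ctxs);
        self->ctxs = NULL;      /* FIX: never leave a dangling cached pointer */
        return RUN_NO_RESULT;
    }
    return RUN_OK;
}
```

Called twice with the report's PAC, `run_buggy` returns RUN_NO_RESULT and then RUN_DANGLING, which is the point where the real `_run()` hands freed memory to `strcmp()`; `run_fixed` returns RUN_NO_RESULT both times and simply recompiles, and a context whose `pac` has gone NULL is discarded instead of compared. On the real library the first bug shows up directly as a heap-use-after-free if it is built with `-fsanitize=address` and `proxy` is run twice against the same failing PAC.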

GoogleCodeExporter commented 9 years ago
ctxs->pac is NULL when calling:

    if (ctxs && strcmp(ctxs->pac, px_pac_to_string(pac)))

at line 197 of src/modules/pacrunner_webkit.c

==> This is old code. Can you reproduce this on 0.4.7 please? (0.3.x tree is 
REALLY long ago)

Original comment by dominiqu...@gmail.com on 27 Jun 2011 at 11:16

GoogleCodeExporter commented 9 years ago
> Can you reproduce this on 0.4.7 please?

OK.  Per #libproxy, I have built 0.4.7 and as a quick and dirty hack, symlinked 
libproxy.so.1.0.0 to libproxy.so.0.0.0 since it was just a seldom used "free" 
function that was removed from the ABI.

That has allowed the gnome clock applet to finally work.

Original comment by brianjmu...@gmail.com on 29 Jun 2011 at 1:25

GoogleCodeExporter commented 9 years ago
As such I have to declare this bug as 'fixed in a more recent version'.

We do not maintain 0.3.x branch. 0.4.0 was released more than a year ago; I 
hope you understand our reasoning on this.

Original comment by dominiqu...@gmail.com on 29 Jun 2011 at 10:08