
Phantomjs realloc overflow #31

Open timeisflowing opened 10 years ago

timeisflowing commented 10 years ago

bash cli/tpjs "http://marantz.co.uk/uk/Products/Pages/ProductDetails.aspx?CatId=Systems&ProductId=MER803MelodyMovie" -z 1 -d debug

[... earlier tpjs output elided ...]

Note on the trace below: the process dies on an explicit `assert(length <= item->num_glyphs)` in HarfBuzz's `HB_HeuristicSetGlyphAttributes` (SIGABRT via `__assert_fail`), reached from page JavaScript through `CanvasRenderingContext2D.fillText()`. The backtrace therefore shows a deliberate assertion abort, not a `realloc` failure; whether the same condition would write past the glyph-attribute buffer in a build compiled without assertions is not established by this trace and would need a separate check.

tphantomjs: ../3rdparty/harfbuzz/src/harfbuzz-shaper.cpp:466: void HB_HeuristicSetGlyphAttributes(HB_ShaperItem*): Assertion `length <= item->num_glyphs' failed. PhantomJS has crashed. Please read the crash reporting guide at https://github.com/ariya/phantomjs/wiki/Crash-Reporting and file a bug report at https://github.com/ariya/phantomjs/issues/new with the crash dump file attached: /tmp/3d3aaa3c-aa3d-7908-5df10369-7cb925f6.dmp cli/tpjs: line 170: 2279 Aborted (core dumped) ${TPJS_HOME}bin/tphantomjs $SCRIPT "${URL}" $COOKIE_FILE $TIMEOUT $FUZZ $RENDERING_PATH $VERBOSE

z00::k1ll3r { ~/Fuzzing/tpjs }-> gdb -c core /usr/local/bin/tphantomjs GNU gdb (Ubuntu 7.7-0ubuntu3.1) 7.7 Copyright (C) 2014 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "x86_64-linux-gnu". Type "show configuration" for configuration details. For bug reporting instructions, please see: http://www.gnu.org/software/gdb/bugs/. Find the GDB manual and other documentation resources online at: http://www.gnu.org/software/gdb/documentation/. For help, type "help". Type "apropos word" to search for commands related to "word"... Reading symbols from /usr/local/bin/tphantomjs...(no debugging symbols found)...done. [New LWP 2279] [New LWP 2287] [New LWP 2283] [New LWP 2282] [New LWP 2280] [New LWP 2281] [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". Core was generated by `/usr/local/bin/tphantomjs /usr/local/share/tpjs/domxss.js http://marantz.co.uk/'. Program terminated with signal SIGABRT, Aborted.

0 0x00007ffff6721f79 in __GI_raise (sig=sig@entry=0x6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56

56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory. gdb$ bt

0 0x00007ffff6721f79 in __GI_raise (sig=sig@entry=0x6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56

1 0x00007ffff6725388 in __GI_abort () at abort.c:89

2 0x00007ffff671ae36 in assert_fail_base (fmt=0x7ffff686c718 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x21e1d5a "length <= item->num_glyphs", file=file@entry=0x21e1f10 "../3rdparty/harfbuzz/src/harfbuzz-shaper.cpp", line=line@entry=0x1d2, function=function@entry=0x21e2a60 <HB_HeuristicSetGlyphAttributes::__PRETTY_FUNCTION> "void HB_HeuristicSetGlyphAttributes(HB_ShaperItem*)") at assert.c:92

3 0x00007ffff671aee2 in GI_assert_fail (assertion=0x21e1d5a "length <= item->num_glyphs", file=0x21e1f10 "../3rdparty/harfbuzz/src/harfbuzz-shaper.cpp", line=0x1d2, function=0x21e2a60 <HB_HeuristicSetGlyphAttributes::PRETTY_FUNCTION> "void HB_HeuristicSetGlyphAttributes(HB_ShaperItem*)") at assert.c:101

4 0x0000000001c18660 in HB_HeuristicSetGlyphAttributes ()

5 0x0000000001c19834 in HB_BasicShape ()

6 0x0000000001c1e423 in HB_ShapeItem ()

7 0x00000000017afa40 in QTextEngine::shapeTextWithHarfbuzz(int) const ()

8 0x00000000017b03b2 in QTextEngine::shapeText(int) const ()

9 0x00000000017b06d5 in QTextEngine::shape(int) const ()

10 0x00000000017b4175 in QTextEngine::shapeLine(QScriptLine const&) ()

11 0x0000000001714a26 in QPainter::drawText(QPointF const&, QString const&, int, int) ()

12 0x0000000000a2ddbe in WebCore::drawTextCommon(WebCore::GraphicsContext*, WebCore::TextRun const&, WebCore::FloatPoint const&, int, int, QFont const&, bool) ()

13 0x0000000000a2ec33 in WebCore::Font::drawComplexText(WebCore::GraphicsContext*, WebCore::TextRun const&, WebCore::FloatPoint const&, int, int) const ()

14 0x00000000008bce58 in WebCore::GraphicsContext::drawBidiText(WebCore::Font const&, WebCore::TextRun const&, WebCore::FloatPoint const&) ()

15 0x0000000000767a7b in WebCore::CanvasRenderingContext2D::drawTextInternal(WTF::String const&, float, float, bool, float, bool) ()

16 0x00000000014de3b2 in WebCore::JSCanvasRenderingContext2D::fillText(JSC::ExecState*) ()

17 0x00000000012eaf7b in WebCore::jsCanvasRenderingContext2DPrototypeFunctionFillText(JSC::ExecState*) ()

18 0x00007fffb00001e8 in ?? ()

19 0x00007fffafc00610 in ?? ()

20 0x00007fffb017ea7e in ?? ()

21 0x00007fff000000d3 in ?? ()

22 0x00007fffac4d0540 in ?? ()

23 0x00007fffacf86580 in ?? ()

24 0x00007fffac4dfcd0 in ?? ()

25 0x0000000000000000 in ?? ()

gdb$ i r rax 0x0 0x0 rbx 0x7ffff7dff000 0x7ffff7dff000 rcx 0xffffffffffffffff 0xffffffffffffffff rdx 0x6 0x6 rsi 0x8e7 0x8e7 rdi 0x8e7 0x8e7 rbp 0x7ffff686c718 0x7ffff686c718 rsp 0x7fffffff8788 0x7fffffff8788 r8 0xfefefefefefefeff 0xfefefefefefefeff r9 0xfefefefefeff092d 0xfefefefefeff092d r10 0x8 0x8 r11 0x206 0x206 r12 0x21e1d5a 0x21e1d5a r13 0x21e2a60 0x21e2a60 r14 0x7fffffff9668 0x7fffffff9668 r15 0x0 0x0 rip 0x7ffff6721f79 0x7ffff6721f79 <GI_raise+57> eflags 0x206 [ PF IF ] cs 0x33 0x33 ss 0x2b 0x2b ds 0x0 0x0 es 0x0 0x0 fs 0x0 0x0 gs 0x0 0x0 gdb$ x/100bx $rsp 0x7fffffff8788: 0x88 0x53 0x72 0xf6 0xff 0x7f 0x00 0x00 0x7fffffff8790: 0x20 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fffffff8798: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fffffff87a0: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fffffff87a8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fffffff87b0: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fffffff87b8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fffffff87c0: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fffffff87c8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fffffff87d0: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fffffff87d8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fffffff87e0: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fffffff87e8: 0x00 0x00 0x00 0x00 gdb$ x/100bx $rip 0x7ffff6721f79 <__GI_raise+57>: 0x48 0x3d 0x00 0xf0 0xff 0xff 0x77 0x19 0x7ffff6721f81 <GI_raise+65>: 0xf3 0xc3 0x0f 0x1f 0x44 0x00 0x00 0x85 0x7ffff6721f89 <GI_raise+73>: 0xc0 0x7f 0xdd 0x89 0xc1 0xf7 0xd9 0xa9 0x7ffff6721f91 <__GI_raise+81>: 0xff 0xff 0xff 0x7f 0x0f 0x44 0xce 0xeb 0x7ffff6721f99 <GI_raise+89>: 0xcf 0x48 0x8b 0x15 0xc7 0x7e 0x38 0x00 0x7ffff6721fa1 <__GI_raise+97>: 0xf7 0xd8 0x64 0x89 0x02 0x48 0x83 0xc8 0x7ffff6721fa9 <__GI_raise+105>: 0xff 0xc3 0x0f 0x1f 0x44 0x00 0x00 0x85 0x7ffff6721fb1 <killpg+1>: 0xff 0x78 0x0c 0xf7 0xdf 0xe9 0xa5 0x02 0x7ffff6721fb9 <killpg+9>: 0x00 0x00 0x0f 0x1f 0x44 0x00 0x00 0x48 0x7ffff6721fc1 <killpg+17>: 0x8b 0x05 0xa1 0x7e 0x38 0x00 0x64 0xc7 
0x7ffff6721fc9 <killpg+25>: 0x00 0x16 0x00 0x00 0x00 0xb8 0xff 0xff 0x7ffff6721fd1 <killpg+33>: 0xff 0xff 0xc3 0x66 0x2e 0x0f 0x1f 0x84 0x7ffff6721fd9: 0x00 0x00 0x00 0x00 gdb$ x/100bx $rsp 0x7fffffff8788: 0x88 0x53 0x72 0xf6 0xff 0x7f 0x00 0x00 0x7fffffff8790: 0x20 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fffffff8798: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fffffff87a0: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fffffff87a8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fffffff87b0: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fffffff87b8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fffffff87c0: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fffffff87c8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fffffff87d0: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fffffff87d8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fffffff87e0: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fffffff87e8: 0x00 0x00 0x00 0x00

gdb$ disassemble assert_fail_base Dump of assembler code for function assert_fail_base: 0x00007ffff671ad10 <+0>: push r12 0x00007ffff671ad12 <+2>: mov r9d,ecx 0x00007ffff671ad15 <+5>: mov r12,rsi 0x00007ffff671ad18 <+8>: push rbp 0x00007ffff671ad19 <+9>: mov rbp,rdi 0x00007ffff671ad1c <+12>: push rbx 0x00007ffff671ad1d <+13>: sub rsp,0x60 0x00007ffff671ad21 <+17>: mov eax,DWORD PTR [rip+0x395349] # 0x7ffff6ab0070 <__libc_pthread_functions_init> 0x00007ffff671ad27 <+23>: test eax,eax 0x00007ffff671ad29 <+25>: jne 0x7ffff671ae36 <assert_fail_base+294> 0x00007ffff671ad2f <+31>: test r8,r8 0x00007ffff671ad32 <+34>: mov r10,r8 0x00007ffff671ad35 <+37>: lea rbx,[rip+0x14deca] # 0x7ffff6868c06 0x00007ffff671ad3c <+44>: je 0x7ffff671ae8d <assert_fail_base+381> 0x00007ffff671ad42 <+50>: mov rax,QWORD PTR [rip+0x38f0a7] # 0x7ffff6aa9df0 0x00007ffff671ad49 <+57>: lea rcx,[rip+0x14dc18] # 0x7ffff6868968 0x00007ffff671ad50 <+64>: lea rdi,[rsp+0x50] 0x00007ffff671ad55 <+69>: mov r8,rdx 0x00007ffff671ad58 <+72>: mov rsi,rbp 0x00007ffff671ad5b <+75>: mov r11,QWORD PTR [rax] 0x00007ffff671ad5e <+78>: lea rax,[rip+0x14dea1] # 0x7ffff6868c06 0x00007ffff671ad65 <+85>: cmp BYTE PTR [r11],0x0 0x00007ffff671ad69 <+89>: mov rdx,r11 0x00007ffff671ad6c <+92>: mov QWORD PTR [rsp+0x10],r12 0x00007ffff671ad71 <+97>: mov QWORD PTR [rsp+0x8],rbx 0x00007ffff671ad76 <+102>: mov QWORD PTR [rsp],r10 0x00007ffff671ad7a <+106>: cmove rax,rcx 0x00007ffff671ad7e <+110>: lea rcx,[rsp+0x40] 0x00007ffff671ad83 <+115>: mov QWORD PTR [rsp+0x18],rcx 0x00007ffff671ad88 <+120>: mov rcx,rax 0x00007ffff671ad8b <+123>: xor eax,eax 0x00007ffff671ad8d <+125>: call 0x7ffff673f880 <___asprintf> 0x00007ffff671ad92 <+130>: test eax,eax 0x00007ffff671ad94 <+132>: js 0x7ffff671ae75 <assert_fail_base+357> 0x00007ffff671ad9a <+138>: mov rdx,QWORD PTR [rsp+0x50] 0x00007ffff671ad9f <+143>: lea rsi,[rip+0x1504ef] # 0x7ffff686b295 0x00007ffff671ada6 <+150>: xor edi,edi 0x00007ffff671ada8 <+152>: xor eax,eax 0x00007ffff671adaa 
<+154>: call 0x7ffff6758df0 <fxprintf> 0x00007ffff671adaf <+159>: mov rax,QWORD PTR [rip+0x38efea] # 0x7ffff6aa9da0 0x00007ffff671adb6 <+166>: mov rdi,QWORD PTR [rax] 0x00007ffff671adb9 <+169>: call 0x7ffff6759d20 <__GI__IO_fflush> 0x00007ffff671adbe <+174>: mov rax,QWORD PTR [rip+0x38f09b] # 0x7ffff6aa9e60 0x00007ffff671adc5 <+181>: xor r9d,r9d 0x00007ffff671adc8 <+184>: xor edi,edi 0x00007ffff671adca <+186>: mov r8d,0xffffffff 0x00007ffff671add0 <+192>: mov ecx,0x22 0x00007ffff671add5 <+197>: mov edx,0x3 0x00007ffff671adda <+202>: mov rax,QWORD PTR [rax+0x18] 0x00007ffff671adde <+206>: mov esi,eax 0x00007ffff671ade0 <+208>: add eax,DWORD PTR [rsp+0x40] 0x00007ffff671ade4 <+212>: neg esi 0x00007ffff671ade6 <+214>: and esi,eax 0x00007ffff671ade8 <+216>: mov DWORD PTR [rsp+0x40],esi 0x00007ffff671adec <+220>: movsxd rsi,esi 0x00007ffff671adef <+223>: call 0x7ffff67e0850 0x00007ffff671adf4 <+228>: cmp rax,0xffffffffffffffff 0x00007ffff671adf8 <+232>: mov rbx,rax 0x00007ffff671adfb <+235>: je 0x7ffff671ae27 <assert_fail_base+279> 0x00007ffff671adfd <+237>: mov eax,DWORD PTR [rsp+0x40] 0x00007ffff671ae01 <+241>: mov rsi,QWORD PTR [rsp+0x50] 0x00007ffff671ae06 <+246>: lea rdi,[rbx+0x4] 0x00007ffff671ae0a <+250>: mov DWORD PTR [rbx],eax 0x00007ffff671ae0c <+252>: call 0x7ffff6774380 <strcpy_sse2> 0x00007ffff671ae11 <+257>: mov rdi,rbx 0x00007ffff671ae14 <+260>: xchg QWORD PTR [rip+0x390fe5],rdi # 0x7ffff6aabe00 <__abort_msg> 0x00007ffff671ae1b <+267>: test rdi,rdi 0x00007ffff671ae1e <+270>: je 0x7ffff671ae27 <assert_fail_base+279> 0x00007ffff671ae20 <+272>: mov esi,DWORD PTR [rdi] 0x00007ffff671ae22 <+274>: call 0x7ffff67e0880 0x00007ffff671ae27 <+279>: mov rdi,QWORD PTR [rsp+0x50] 0x00007ffff671ae2c <+284>: call 0x7ffff670a470 free@plt+48 0x00007ffff671ae31 <+289>: call 0x7ffff6725240 <GI_abort> 0x00007ffff671ae36 <+294>: mov QWORD PTR [rsp+0x38],r8 0x00007ffff671ae3b <+299>: mov QWORD PTR [rsp+0x28],rdx 0x00007ffff671ae40 <+304>: xor esi,esi 0x00007ffff671ae42 <+306>: 
mov rax,QWORD PTR [rip+0x395197] # 0x7ffff6aaffe0 <libc_pthread_functions+288> 0x00007ffff671ae49 <+313>: mov DWORD PTR [rsp+0x34],ecx 0x00007ffff671ae4d <+317>: mov edi,0x1 0x00007ffff671ae52 <+322>: ror rax,0x11 0x00007ffff671ae56 <+326>: xor rax,QWORD PTR fs:0x30 0x00007ffff671ae5f <+335>: call rax 0x00007ffff671ae61 <+337>: mov r8,QWORD PTR [rsp+0x38] 0x00007ffff671ae66 <+342>: mov r9d,DWORD PTR [rsp+0x34] 0x00007ffff671ae6b <+347>: mov rdx,QWORD PTR [rsp+0x28] 0x00007ffff671ae70 <+352>: jmp 0x7ffff671ad2f <assert_fail_base+31> 0x00007ffff671ae75 <+357>: lea rsi,[rip+0x1562f4] # 0x7ffff6871170 0x00007ffff671ae7c <+364>: mov edx,0x12 0x00007ffff671ae81 <+369>: mov edi,0x2 0x00007ffff671ae86 <+374>: call 0x7ffff67d76f0 0x00007ffff671ae8b <+379>: jmp 0x7ffff671ae31 <assert_fail_base+289> 0x00007ffff671ae8d <+381>: lea rbx,[rip+0x14dad4] # 0x7ffff6868968 0x00007ffff671ae94 <+388>: mov r10,rbx 0x00007ffff671ae97 <+391>: jmp 0x7ffff671ad42 <assert_fail_base+50> End of assembler dump.

filipesam commented 9 years ago

I hit the same crash. Is this being tracked, or should I assume the problem is in the PhantomJS build itself?