My gnome-panel will crash if system proxy is set to use certain pac file with failed dnsResolve() queries, like when the network is down.

With more observation with gdb, I believe at least two problems are here: * self->ctxs (ctxs) in _run() is freed on errors, but self->ctxs is not reset to null. This causes segfault on subsequent calls to _run(). _run() is called twice in gnome-panel, with segfault at the second time. * dnsResolve() returns something that makes webkit javascript interpreter segfault.

• Method to reproduce the first problem Use gnome-network-properties to configure system proxy to use a pac file contains this: <pre> function FindProxyForURL(url, host) { dnsResolve("non.existence"); } </pre> Run gnome-panel and it crashes in libc.so. gdb gnome-panel produces this: <pre> Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0xad62bb70 (LWP 6986)] strcmp () at ../sysdeps/i386/i686/strcmp.S:39 39 ../sysdeps/i386/i686/strcmp.S: No such file or directory. in ../sysdeps/i386/i686/strcmp.S Current language: auto The current source language is "auto; currently asm". (gdb) where

  0 strcmp () at ../sysdeps/i386/i686/strcmp.S:39

1 0xb3767262 in _run (self=0x8257eb8, pac=0x8257ec8, url=0x828c6d0) at pacrunner_webkit.c:202

2 0xb33c2fc2 in px_proxy_factory_get_proxies (self=0x826b6b0, url=0x8291cf0 "http://weather.noaa.gov/cgi-bin/mgetmetar.pl?cccc=CYEG&quot;) at proxy.c:401

3 0xb3437b71 in ?? () from /usr/lib/libsoup-gnome-2.4.so.1

... </pre>

• Method to reproduce the second problem Use gnome-network-properties to configure system proxy to use a pac file contains this: <pre> function FindProxyForURL(url, host) { dnsResolve("non.existence") + ""; } </pre> Run gnome-panel and it crashes in libwebkit.so. gdb gnome-panel produces this: <pre> Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0xafe30b70 (LWP 6920)] 0xb2c114e9 in JSC::JSValue::toString (callFrame=0xabffe0a8, v1=..., v2=...) at ../JavaScriptCore/runtime/JSString.h:510 510 return asCell()->toString(exec); Current language: auto The current source language is "auto; currently c++". (gdb) where

  0 0xb2c114e9 in JSC::JSValue::toString (callFrame=0xabffe0a8, v1=..., v2=...) at ../JavaScriptCore/runtime/JSString.h:510

1 JSC::jsAddSlowCase (callFrame=0xabffe0a8, v1=..., v2=...) at ../JavaScriptCore/runtime/Operations.cpp:56

2 0xb2b18c62 in cti_op_add (args=0xac40336c) at ../JavaScriptCore/jit/JITStubs.cpp:1071

3 0xad608a90 in ?? ()

4 0xb2b23dae in JSC::JITCode::execute (this=0x200, program=0xac4173f0, callFrame=0xac412e24, scopeChain=0xac3fe270, thisObj=0xabf80000, exception=0xafe30004)

at ../JavaScriptCore/jit/JITCode.h:77

5 JSC::Interpreter::execute (this=0x200, program=0xac4173f0, callFrame=0xac412e24, scopeChain=0xac3fe270, thisObj=0xabf80000, exception=0xafe30004)

at ../JavaScriptCore/interpreter/Interpreter.cpp:621

6 0xb2bdecd6 in JSC::evaluate (exec=0xac412e24, scopeChain=..., source=..., thisValue=...) at ../JavaScriptCore/runtime/Completion.cpp:62

7 0xb2ac54f9 in JSEvaluateScript (ctx=0xac412e24, script=0xac402170, thisObject=0x0, sourceURL=0x0, startingLineNumber=1, exception=0x0) at ../JavaScriptCore/API/JSBase.cpp:54

8 0xb376732b in _run (self=0xad501920, pac=0xad501568, url=0xad500cc0) at pacrunner_webkit.c:222

9 0xb33c2fc2 in px_proxy_factory_get_proxies (self=0x8255a70, url=0xad500c68 "http://weather.noaa.gov/cgi-bin/mgetmetar.pl?cccc=KPAO&quot;) at proxy.c:401

10 0xb3437b71 in ?? () from /usr/lib/libsoup-gnome-2.4.so.1

... </pre>

I tried to reproduce this with the provided proxy util, but the result is not as expected.

{{{ $ cat /tmp/1.pac function FindProxyForURL(url, host) { dnsResolve("non.existence"); } $ export PX_CONFIG_ORDER=config_envvar,USER,SESSION,SYSTEM,config_wpad,config_direct $ export http_proxy=pac+file:///tmp/1.pac $ proxy http://example.com direct:// Segmentation fault $ gdb --args proxy http://example.com ... Program received signal SIGSEGV, Segmentation fault. 0xb7810132 in JSC::ExecState::globalData (ctx=0x804d140) at ../JavaScriptCore/interpreter/CallFrame.h:74 74 return *scopeChain()->globalData; Current language: auto The current source language is "auto; currently c++". (gdb) where

0 0xb7810132 in JSC::ExecState::globalData (ctx=0x804d140)

at ../JavaScriptCore/interpreter/CallFrame.h:74

1 APIEntryShim (ctx=0x804d140) at ../JavaScriptCore/API/APIShims.h:61

2 JSGarbageCollect (ctx=0x804d140) at ../JavaScriptCore/API/JSBase.cpp:96

3 0xb7fd9146 in ctxs_free (self=0x8052668) at pacrunner_webkit.c:129

4 0xb7fd9430 in _destructor (s=0x804d178) at pacrunner_webkit.c:182

5 0xb7fc8f7e in regfree (self=0x80623d8) at module_manager.c:62

6 0xb7fc83f4 in px_array_free (self=0x8063420) at array.c:139

7 0xb7fcac5b in dict_free (item=0x80623f0) at strdict.c:48

8 0xb7fc83f4 in px_array_free (self=0x804a068) at array.c:139

9 0xb7fcaef1 in px_strdict_free (self=0x804a058) at strdict.c:124

10 0xb7fc920e in px_module_manager_free (self=0x804a030)

at module_manager.c:134

11 0xb7fcab92 in px_proxy_factory_free (self=0x804a008) at proxy.c:435

12 0x08048b86 in main (argc=2, argv=0xbffff4a4) at proxy.c:140

... }}}

Environment: * Debian GNU/Linux testing (squeeze) * libproxy0 0.3.1-2 * gnome-panel 2.30.2-2 * the proxy binary and libs are compiled with CFLAGS='-g -O0', installed as the convention of Debian. * If you need any other information?

Though this version is outdated and has been rewritten with c++, I found the related source in trunk (r777) is almost unchanged. Bugs can potentially remain. Please look into these.

Oh no. The formatting becomes crap.

What version of WebKit ?

1.2.5-2.1 cf. http://packages.debian.org/squeeze/libwebkit-1.0-2

did you have the pac file local and use it from a file:// url? I just checked in a loading fix for pac+file:// based uri,s which resolved a crash of this type.

Can you verify if trunk r778 solves this for you please?

r788 and a pac file like

function FindProxyForURL(url, host) { dnsResolve("non.existence") + ""; }

still have similar segfaults. Please make sure this is some problem with webkit javascript interpreter.

Looks very similar to what we already had in issue 54

Looking at the crash I have here:

0 __strcmp_ia32 () at ../sysdeps/i386/i686/multiarch/../strcmp.S:39

1 0x018edf82 in _run (self=0x8189c00, pac=0x8189c10, url=0x81112d0)

at pacrunner_webkit.c:197

2 0x01867bfa in px_proxy_factory_get_proxies (self=0x816fb68,

url=0x81e8448 "http://weather.noaa.gov/cgi-bin/mgetmetar.pl?cccc=CYYZ")
at proxy.c:401

It seems to be caused by:

(gdb) print *ctxs $9 = {ctx = 0x8199920, pac = 0x0}

ctxs->pac is NULL when calling:

if (ctxs && strcmp(ctxs->pac, px_pac_to_string(pac)))

at line 197 of src/modules/pacrunner_webkit.c

Not sure what ctxs->pac is NULL however. Any ideas? FWIW, my PAC contains:

function FindProxyForURL(url, host) { if (isPlainHostName(host) || isInNet(host, "10.0.0.0", "255.255.255.0") || isInNet(host, "10.75.22.0", "255.255.254.0") || isInNet(host, "10.23.104.0", "255.255.248.0") || isInNet(host, "192.168.0.0", "255.255.255.0") || isInNet(host, "192.168.1.0", "255.255.255.0") || isInNet(host, "192.168.15.0", "255.255.255.0") || isInNet(host, "127.0.0.0", "255.0.0.0") || dnsDomainIs(host, "bar.foo.com") || dnsDomainIs(host, "boo.foo.com") || dnsDomainIs(host, ".example.com") || dnsDomainIs(host, "apt.example.com")) return "DIRECT"; else return "PROXY proxy.example.com.:3128"; }

ctxs->pac is NULL when calling:

if (ctxs && strcmp(ctxs->pac, px_pac_to_string(pac)))

at line 197 of src/modules/pacrunner_webkit.c

==> This is old code. Can you reproduce this on 0.4.7 please? (0.3.x tree is REALLY long ago)

Can you reproduce this on 0.4.7 please?

OK. Per #libproxy, I have built 0.4.7 and as a quick and dirty hack, symlinked libproxy.so.1.0.0 to libproxy.so.0.0.0 since it was just a seldom used "free" function that was removed from the ABI.

That has allowed the gnome clock applet to finally work.

As such I have to declare this bug as 'fixed in a more recent version'.

We do not maintain 0.3.x branch. 0.4.0 was released more than a year ago; I hope you understand our reasoning on this.