Sanitizing libnsbmp
by Francis Ricci
I've been running libnsbmp under the LLVM sanitizers (particularly
UBSan), and I've found quite a few errors. Are you guys open to taking
patches to fix these issues (things like undefined shift overflows,
etc)? I didn't see much about the contribution process on the website.
5 years, 9 months
OpenSSL
by Vincent Sanders
I have recently completed updating all the toolchains/SDK [1] to use
OpenSSL 1.1 instead of 1.0. This is prudent because OpenSSL 1.0 is
reaching the end of its life [2] and it is advisable to use an
actively supported version of such a sensitive library in a web
browser.
There may be some issues with the new library build on some
platforms. To date the only one which has been reported as problematic
is the m68k Amiga os3 build which Chris Young is aware of and looking
to resolve.
To assist in this I have extended the CI system to build Amiga os3
packages and publish the results [3]. I have no way to test these
packages so their usefulness may be limited but they do now exist,
perhaps Chris can comment on their status.
I have failed to update the atari toolchains once again. They remain
badly broken in that they:
1. cannot generate a working cross compiler on a modern Debian OS
2. compiled on an old OS they produce a broken SDK with OpenSSL 1.1
3. Are very old compilers which generate poor code, especially for m68k
I have been trying to use the patches provided by Thorsten Otto [4] to
fix these toolchains but any assistance would be gratefully received.
[1] http://source.netsurf-browser.org/toolchains.git/
[2] https://www.openssl.org/policies/releasestrat.html
[3] http://ci.netsurf-browser.org/builds/amigaos3/
[4] http://tho-otto.de/crossmint.php
--
Regards Vincent
http://www.kyllikki.org/
5 years, 9 months
Re: German Messages for NetSurf - updated
by Rob Kendrick
On Wed, Dec 06, 2017 at 12:06:39PM +0100, Sebastian Barthel wrote:
> Hello all.
>
> I've tried to send an eMail to Michael Drake directly but without success
> - so I'm testing to reach somebody else by using this address.
Can I ask which address you tried?
> Since some years passed by and something changed in !NetSurf I thought
> it might be a good idea to add some entries to the messages
> file. I hope I've done this in the correct manner and didn't introduce
> new errors.
>
> If You are in the mode which allows You to add some data into the GitHub
> - I would ask and please You to introduce into the sourcetree the
> FatMessages file which I add to this mail.
We don't use GitHub. Can you provide your changes to FatMessages as a
patch/diff to the current git master at this repository?
http://git.netsurf-browser.org/netsurf.git/
Many thanks!
B.
5 years, 9 months
Re: netsurf-dev Digest, Vol 134, Issue 3
by no pls
Err, most crypto wallets I know are based off of *-core forks, and that's
all written in C++. I'm not sure of anything that _does_ use electron.
On Mon, Dec 4, 2017 at 7:00 AM, <netsurf-dev-request(a)netsurf-browser.org>
wrote:
> Message: 1
> Date: Sun, 3 Dec 2017 19:29:36 +0700
> From: Erik Poupaert <erik(a)sankuru.biz>
> Subject: Re: netsurf-dev Digest, Vol 134, Issue 2
> To: netsurf-dev(a)netsurf-browser.org
> Message-ID:
> <CAFqk0_KCRByzG_YFYvT3QW5OA2BHfX2pk_miORWoQw+
> TBGOaJw(a)mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> >> The http://www.netsurf-browser.org gives the impression of offering
> >> all the same building bricks, and also that it could possibly be a
> >> much smaller alternative.
> > Except that we lack 90% (or more) of the bindings, rendering, etc, right
> now :(
> > 1. Help with the CSS engine
> > 2. Help with the dynamic layout engine
> > 3. Help integrate that into NS
> > 4. Assist with the JavaScript bindings
>
> On the one side, there is the interesting goal of being able to
> compete with the existing browser oligopoly and offer an extra, less
> bloated alternative, which is indeed a commendable endeavour. That
> would indeed allow users to surf the existing web without having to
> trust the existing cartel.
>
> On the other side, for a desktop application, the existing netsurf
> capabilities are already way more than "good enough". Lacking more
> than 90% of the bindings, rendering, etc is quite immaterial in that
> context. A desktop application has no need to be compatible with
> existing websites.
>
> Still, I concede that your goal -- no matter how different from mine
> -- is certainly commendable.
>
> > 5. Worry about whether or not it's a good plan to promulgate the idea
> that
> > desktop applications built out of web browsers isn't the work of an evil
> > mind aiming to destroy all semblance of reliable and uniform user
> interfaces.
>
> Yes, but -- except for the original, universal evil -- it is always
> possible to find situations for every given evil in which it is the
> lesser evil. That is why I reject the belief in absolute evil.
> Seriously, I am not a follower of absolute evil or its principle.
>
> Even chopping off someone's limbs is not necessarily an absolute evil.
> A doctor calls that an "amputation". That is also why pharmacies are
> allowed and even encouraged to sell their dangerous poisons.
> Furthermore -- except for the original, universal good -- there are
> always situations, for every given good, in which it is actually an
> evil. Pure water may be good, but not when you try to swallow an
> entire tropical river. That is called "drowning".
>
> I originally looked into doing a desktop application with lua + lgi
> (gtk bindings), but unfortunately, I cannot find
> sufficiently-effective cryptocurrency-related source code in lua,
> while this is way less of a problem in javascript. Maintaining a lua
> port would end up burning a lot of energy just to allow a few people
> to have their way, especially, since not everybody is a fan of small,
> embeddable scripting engines.
>
> At the moment, pretty much everybody else uses a 100+ MB web-runtime
> to create even the simplest crypto-wallet on the desktop. It allows
> for deploying an almost unmodified app to the mobile phone too. So,
> they are doing some kind of understandable trade-off engineering with
> lots of advantages and disadvantages.
>
> I am certainly not trying to push anybody to go off on a tangent that
> does not serve their own goals. I was just trying to find people who
> would have similar goals already.
>
5 years, 9 months
Re: netsurf-dev Digest, Vol 134, Issue 2
by Erik Poupaert
>> The http://www.netsurf-browser.org gives the impression of offering
>> all the same building bricks, and also that it could possibly be a
>> much smaller alternative.
> Except that we lack 90% (or more) of the bindings, rendering, etc, right now :(
> 1. Help with the CSS engine
> 2. Help with the dynamic layout engine
> 3. Help integrate that into NS
> 4. Assist with the JavaScript bindings
On the one side, there is the interesting goal of being able to
compete with the existing browser oligopoly and offer an extra, less
bloated alternative, which is indeed a commendable endeavour. That
would indeed allow users to surf the existing web without having to
trust the existing cartel.
On the other side, for a desktop application, the existing netsurf
capabilities are already way more than "good enough". Lacking more
than 90% of the bindings, rendering, etc is quite immaterial in that
context. A desktop application has no need to be compatible with
existing websites.
Still, I concede that your goal -- no matter how different from mine
-- is certainly commendable.
> 5. Worry about whether or not it's a good plan to promulgate the idea that
> desktop applications built out of web browsers isn't the work of an evil
> mind aiming to destroy all semblance of reliable and uniform user interfaces.
Yes, but -- except for the original, universal evil -- it is always
possible to find situations for every given evil in which it is the
lesser evil. That is why I reject the belief in absolute evil.
Seriously, I am not a follower of absolute evil or its principle.
Even chopping off someone's limbs is not necessarily an absolute evil.
A doctor calls that an "amputation". That is also why pharmacies are
allowed and even encouraged to sell their dangerous poisons.
Furthermore -- except for the original, universal good -- there are
always situations, for every given good, in which it is actually an
evil. Pure water may be good, but not when you try to swallow an
entire tropical river. That is called "drowning".
I originally looked into doing a desktop application with lua + lgi
(gtk bindings), but unfortunately, I cannot find
sufficiently-effective cryptocurrency-related source code in lua,
while this is way less of a problem in javascript. Maintaining a lua
port would end up burning a lot of energy just to allow a few people
to have their way, especially, since not everybody is a fan of small,
embeddable scripting engines.
At the moment, pretty much everybody else uses a 100+ MB web-runtime
to create even the simplest crypto-wallet on the desktop. It allows
for deploying an almost unmodified app to the mobile phone too. So,
they are doing some kind of understandable trade-off engineering with
lots of advantages and disadvantages.
I am certainly not trying to push anybody to go off on a tangent that
does not serve their own goals. I was just trying to find people who
would have similar goals already.
5 years, 9 months
Re: Thanks for Netsurf and few comments
by Chris Young
Forwarded to dev list.
Mathias please join the netsurf-dev list and continue discussion there.
Thanks
Chris
On 1 December 2017 22:06:58 GMT+00:00, Mathias Parnaudeau <mathias.p(a)wanadoo.fr> wrote:
>Hi Chris
>
>First, I would like to thank you because I installed Netsurf on my
>Amiga
>machines and I think it's a smart application. I like to use it, it is
>improved at each new release and is quite fast browsing.
>
>Then, you know, I am a developer and I like quality software, including
>
>things like continuous integration, static code analyzers, ... and I
>have to say I am impressed by Netsurf for all what is done in this
>area.
>That's not common.
>
>About that, I like to use the compiler sanitizers that really help to
>find problems / bugs at execution.
>
>So I compiled Netsurf on Linux with:
>
>make CC="gcc -fsanitize=undefined,address"
>
>I have to say I did not find easily where to modify CFLAGS and if I was
>
>forced or not to modify one or several makefiles.
>
>Anyway, compiling like that provides instrumented code that checks some
>
>errors. If I run Netsurf and then I quit it, I get:
>
>
>content/handlers/javascript/duktape/duktape.c:52791:6: runtime error:
>load of misaligned address 0x61400000b7cf for type 'duk_uint32_t',
>which
>requires 4 byte alignment
>0x61400000b7cf: note: pointer points here
> 02 00 00 00 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>
>00 00 00 00 00 00 00 00 00
> ^
>src/libnsbmp.c:287:43: runtime error: shift exponent 32 is too large
>for
>32-bit type 'int'
>src/libnsbmp.c:569:64: runtime error: left shift of 150 by 24 places
>cannot be represented in type 'int'
>src/libnsbmp.c:71:88: runtime error: left shift of 150 by 24 places
>cannot be represented in type 'int'
>src/parse/properties/utils.c:889:15: runtime error: left shift of 255
>by
>24 places cannot be represented in type 'int'
>/home/mathias/Sources/netsurf-all-3.7/libcss/src/select/bloom.h:63:21:
>runtime error: left shift of 1 by 31 places cannot be represented in
>type 'int'
>
>=================================================================
>==22287==ERROR: LeakSanitizer: detected memory leaks
>
>Direct leak of 3145728 byte(s) in 1 object(s) allocated from:
> #0 0x7fc36b8c1ed0 in calloc
>(/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1ed0)
> #1 0x55a757175395 in read_entries content/fs_backing_store.c:1229
> #2 0x55a757175395 in initialise content/fs_backing_store.c:1556
> #3 0x55a75787f977
>(/home/mathias/Sources/netsurf-all-3.7/netsurf/nsgtk+0x13a2977)
>
>...
>
>SUMMARY: AddressSanitizer: 5300121 byte(s) leaked in 1958
>allocation(s).
>
>Leaks could also certainly be found by valgrind (not used looking at
>Jenkins jobs).
>
>
>If I start and click on the CNN link and then I quit, I get (as part
>of
>the output):
>
>src/libnsbmp.c:287:43: runtime error: shift exponent 32 is too large
>for
>32-bit type 'int'
>src/libnsbmp.c:569:64: runtime error: left shift of 150 by 24 places
>cannot be represented in type 'int'
>src/libnsbmp.c:71:88: runtime error: left shift of 150 by 24 places
>cannot be represented in type 'int'
>src/parse/properties/utils.c:889:15: runtime error: left shift of 255
>by
>24 places cannot be represented in type 'int'
>/home/mathias/Sources/netsurf-all-3.7/libcss/src/select/bloom.h:63:21:
>runtime error: left shift of 1 by 31 places cannot be represented in
>type 'int'
>src/utils/utils.c:130:18: runtime error: left shift of negative value
>-1
>/home/mathias/Sources/netsurf-all-3.7/libcss/src/select/bloom.h:63:21:
>runtime error: left shift of 1 by 31 places cannot be represented in
>type 'int'
>src/parse/properties/utils.c:655:16: runtime error: left shift of 191
>by
>24 places cannot be represented in type 'int'
>src/libnsbmp.c:848:54: runtime error: left shift of 255 by 24 places
>cannot be represented in type 'int'
>render/layout.c:1343:32: runtime error: negation of -2147483648 cannot
>be represented in type 'int [4]'; cast to an unsigned type to negate
>this value to itself
>
>
>So maybe you (or the team) could use these useful sanitizers to help
>finding bugs.
>
>Let me know if you prefer me to create a ticket in the bugtracker.
>
>
>A last comment: looking for your email in os4depot, I've just noticed
>that the latest version there is 3.6.
>
>
>Regards,
>
>Mathias
5 years, 9 months
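The UBSan report classes quoted in the message above (and the "undefined shift overflows" mentioned in the libnsbmp thread) all have well-defined unsigned equivalents. The following is an added example, not code from NetSurf or libnsbmp; the function names and the sample bytes are hypothetical, and a 32-bit `int` is assumed.

```c
#include <stdint.h>

/* Constructed sample: four little-endian bytes whose top byte is 150 (0x96),
 * the operand UBSan reported as "left shift of 150 by 24 places". */
static const uint8_t sample_le[4] = { 0x01, 0x02, 0x03, 0x96 };

/* Unsafe shape (comment only, not compiled):
 *   p[0] | (p[1] << 8) | (p[2] << 16) | (p[3] << 24)
 * p[3] is promoted to signed int; 150 << 24 exceeds INT_MAX, which is UB. */

/* Widen each byte to uint32_t before shifting so every shift happens in an
 * unsigned 32-bit type, where the result is well defined. */
uint32_t read_u32_le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Mask of the low `bits` bits. A shift count equal to the type width
 * ("shift exponent 32 is too large") is UB, so 32 never reaches the shift. */
uint32_t low_mask(unsigned bits)
{
    if (bits == 0)
        return 0;
    if (bits >= 32)
        return UINT32_MAX;
    return (UINT32_C(1) << bits) - 1;
}

/* Single-bit flag for index 0..31: 1 << 31 on int is UB, 1u << 31 is not. */
uint32_t bit_flag(unsigned idx)
{
    return UINT32_C(1) << (idx & 31u);
}

/* Magnitude of a signed value without negating INT32_MIN in signed
 * arithmetic ("negation of -2147483648 cannot be represented"). */
uint32_t magnitude(int32_t v)
{
    return v < 0 ? (uint32_t)0 - (uint32_t)v : (uint32_t)v;
}

int main(void)
{
    /* Exit status 0 when the hardened helpers give the expected values. */
    return (read_u32_le(sample_le) == 0x96030201u &&
            low_mask(32) == UINT32_MAX) ? 0 : 1;
}
```

Building this with `-fsanitize=undefined` produces no runtime errors, whereas the unsafe shape shown in the comment triggers the same message class as the quoted log.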
Fwd: A nw.js-like use of netsurf
by Erik Poupaert
The http://nw.js project reuses webkit and node.js in order to offer
an interesting alternative to build desktop applications in html, css,
and javascript. The http://electronjs.org project does something quite
similar.
The http://www.netsurf-browser.org gives the impression of offering
all the same building bricks, and also that it could possibly be a
much smaller alternative.
Does anybody feel like offering remarks on what would be a reasonable
starting point to massage the netsurf source code in that general
direction? Would a plan like that actually be viable?
Better yet, is anybody possibly already working on a similar idea? If
you are interested in this subject, I would be more than happy to have
a chat about it, and explore the possibilities.
5 years, 9 months