Version: (using KDE KDE 3.5.4) Installed from: Ubuntu Packages I get the following crash when using the magic wand/select contiguous tool on the roof part of the attached image. Sometimes one click is enough, sometimes more clicks are needed. #6 0xb5de1d09 in KisBasicU8HistogramProducer::addRegionToBin ( this=0x89860e8, pixels=0xa6fc2f10 "\024\021\023
Created an attachment (id=17878) [details] image with which I can crash Krita You may want to crop until just the building with the two towers is left.
Valgrind says: ==8467== ==8467== Syscall param writev(vector[...]) points to uninitialised byte(s) ==8467== at 0x4000772: (within /lib/ld-2.3.6.so) ==8467== by 0x56E14E2: (within /usr/lib/libX11.so.6.2.0) ==8467== by 0x56E1735: _X11TransWritev (in /usr/lib/libX11.so.6.2.0) ==8467== by 0x56E676E: _XSend (in /usr/lib/libX11.so.6.2.0) ==8467== by 0x56D6ED8: (within /usr/lib/libX11.so.6.2.0) ==8467== by 0x56D706D: XPutImage (in /usr/lib/libX11.so.6.2.0) ==8467== by 0x4F83922: QPixmap::convertFromImage(QImage const&, int) (in /usr/lib/libqt-mt.so.3.3.6) ==8467== by 0x504F5A9: QPixmap::convertFromImage(QImage const&, QPixmap::ColorMode) (in /usr/lib/libqt-mt.so.3.3.6) ==8467== by 0x4BA4C99: KIconLoader::loadIcon(QString const&, KIcon::Group, int, int, QString*, bool) const (in /usr/lib/libkdecore.so.4.2.0) ==8467== by 0x4BA6E0B: DesktopIcon(QString const&, int, int, KInstance*) (in /usr/lib/libkdecore.so.4.2.0) ==8467== by 0x4BA6F08: KApplication::icon() const (in /usr/lib/libkdecore.so.4.2.0) ==8467== by 0x4BA6FFE: KApplication::setTopWidget(QWidget*) (in /usr/lib/libkdecore.so.4.2.0) ==8467== Address 0x5A9CF0D is 253 bytes inside a block of size 16,384 alloc'd ==8467== at 0x401D7AA: calloc (vg_replace_malloc.c:279) ==8467== by 0x56D1F65: XOpenDisplay (in /usr/lib/libX11.so.6.2.0) ==8467== by 0x4F5F50F: qt_init_internal(int*, char**, _XDisplay*, unsigned long, unsigned long) (in /usr/lib/libqt-mt.so.3.3.6) ==8467== by 0x4F615F3: qt_init(int*, char**, QApplication::Type) (in /usr/lib/libqt-mt.so.3.3.6) ==8467== by 0x4FD62D1: QApplication::construct(int&, char**, QApplication::Type) (in /usr/lib/libqt-mt.so.3.3.6) ==8467== by 0x4FD6610: QApplication::QApplication(int&, char**, bool) (in /usr/lib/libqt-mt.so.3.3.6) ==8467== by 0x4BB56B7: KApplication::KApplication(bool, bool) (in /usr/lib/libkdecore.so.4.2.0) ==8467== by 0x40BBD12: KoApplication::KoApplication() (in /usr/lib/libkofficecore.so.3.0.0) ==8467== by 0x40212E9: kdemain (in /usr/lib/libkdeinit_krita.so) ==8467== 
by 0x80486E5: main (kdeinit_krita.cpp:2) ==8467== ==8467== Syscall param write(buf) points to uninitialised byte(s) ==8467== at 0x4000772: (within /lib/ld-2.3.6.so) ==8467== by 0x56E16F3: _X11TransWrite (in /usr/lib/libX11.so.6.2.0) ==8467== by 0x56E606A: (within /usr/lib/libX11.so.6.2.0) ==8467== by 0x56C3F10: XFlush (in /usr/lib/libX11.so.6.2.0) ==8467== by 0x4F9BD11: QWidget::setCursor(QCursor const&) (in /usr/lib/libqt-mt.so.3.3.6) ==8467== by 0x50F2FAD: QDockWindowResizeHandle::setOrientation(Qt::Orientation) (in /usr/lib/libqt-mt.so.3.3.6) ==8467== by 0x50F3140: QDockWindowResizeHandle::QDockWindowResizeHandle(Qt::Orientation, QWidget*, QDockWindow*, char const*) (in /usr/lib/libqt-mt.so.3.3.6) ==8467== by 0x50F996F: QDockWindow::init() (in /usr/lib/libqt-mt.so.3.3.6) ==8467== by 0x50FA331: QDockWindow::QDockWindow(QDockWindow::Place, QWidget*, char const*, unsigned, bool) (in /usr/lib/libqt-mt.so.3.3.6) ==8467== by 0x519262F: QToolBar::QToolBar(QString const&, QMainWindow*, QWidget*, bool, char const*, unsigned) (in /usr/lib/libqt-mt.so.3.3.6) ==8467== by 0x486DEFE: KToolBar::KToolBar(QWidget*, char const*, bool, bool) (in /usr/lib/libkdeui.so.4.2.0) ==8467== by 0x48AB7D6: KXMLGUIBuilder::createContainer(QWidget*, int, QDomElement const&, int&) (in /usr/lib/libkdeui.so.4.2.0) ==8467== Address 0x5A9CE3C is 44 bytes inside a block of size 16,384 alloc'd ==8467== at 0x401D7AA: calloc (vg_replace_malloc.c:279) ==8467== by 0x56D1F65: XOpenDisplay (in /usr/lib/libX11.so.6.2.0) ==8467== by 0x4F5F50F: qt_init_internal(int*, char**, _XDisplay*, unsigned long, unsigned long) (in /usr/lib/libqt-mt.so.3.3.6) ==8467== by 0x4F615F3: qt_init(int*, char**, QApplication::Type) (in /usr/lib/libqt-mt.so.3.3.6) ==8467== by 0x4FD62D1: QApplication::construct(int&, char**, QApplication::Type) (in /usr/lib/libqt-mt.so.3.3.6) ==8467== by 0x4FD6610: QApplication::QApplication(int&, char**, bool) (in /usr/lib/libqt-mt.so.3.3.6) ==8467== by 0x4BB56B7: KApplication::KApplication(bool, 
bool) (in /usr/lib/libkdecore.so.4.2.0) ==8467== by 0x40BBD12: KoApplication::KoApplication() (in /usr/lib/libkofficecore.so.3.0.0) ==8467== by 0x40212E9: kdemain (in /usr/lib/libkdeinit_krita.so) ==8467== by 0x80486E5: main (kdeinit_krita.cpp:2) ScimInputContextPlugin() ==8467== ==8467== Syscall param write(buf) points to uninitialised byte(s) ==8467== at 0x4000772: (within /lib/ld-2.3.6.so) ==8467== by 0x56E16F3: _X11TransWrite (in /usr/lib/libX11.so.6.2.0) ==8467== by 0x56E606A: (within /usr/lib/libX11.so.6.2.0) ==8467== by 0x56C1C69: XDrawLine (in /usr/lib/libX11.so.6.2.0) ==8467== by 0x4F8B7D9: QPainter::drawLine(int, int, int, int) (in /usr/lib/libqt-mt.so.3.3.6) ==8467== by 0x5D374A3: PlastikStyle::renderContour(QPainter*, QRect const&, QColor const&, QColor const&, unsigned) const (in /usr/lib/kde3/plugins/styles/plastik.so) ==8467== by 0x5D469C2: PlastikStyle::drawPrimitive(QStyle::PrimitiveElement, QPainter*, QRect const&, QColorGroup const&, unsigned, QStyleOption const&) const (in /usr/lib/kde3/plugins/styles/plastik.so) ==8467== by 0x4D2064E: KStyle::drawComplexControl(QStyle::ComplexControl, QPainter*, QWidget const*, QRect const&, QColorGroup const&, unsigned, unsigned, unsigned, QStyleOption const&) const (in /usr/lib/libkdefx.so.4.2.0) ==8467== by 0x5D3C94D: PlastikStyle::drawComplexControl(QStyle::ComplexControl, QPainter*, QWidget const*, QRect const&, QColorGroup const&, unsigned, unsigned, unsigned, QStyleOption const&) const (in /usr/lib/kde3/plugins/styles/plastik.so) ==8467== by 0x516CF1A: QScrollBar::drawControls(unsigned, unsigned, QPainter*) const (in /usr/lib/libqt-mt.so.3.3.6) ==8467== by 0x516CF7B: QScrollBar::drawControls(unsigned, unsigned) const (in /usr/lib/libqt-mt.so.3.3.6) ==8467== by 0x516D125: QScrollBar::rangeChange() (in /usr/lib/libqt-mt.so.3.3.6) ==8467== Address 0x5A9EC94 is 7,812 bytes inside a block of size 16,384 alloc'd ==8467== at 0x401D7AA: calloc (vg_replace_malloc.c:279) ==8467== by 0x56D1F65: XOpenDisplay (in 
/usr/lib/libX11.so.6.2.0) ==8467== by 0x4F5F50F: qt_init_internal(int*, char**, _XDisplay*, unsigned long, unsigned long) (in /usr/lib/libqt-mt.so.3.3.6) ==8467== by 0x4F615F3: qt_init(int*, char**, QApplication::Type) (in /usr/lib/libqt-mt.so.3.3.6) ==8467== by 0x4FD62D1: QApplication::construct(int&, char**, QApplication::Type) (in /usr/lib/libqt-mt.so.3.3.6) ==8467== by 0x4FD6610: QApplication::QApplication(int&, char**, bool) (in /usr/lib/libqt-mt.so.3.3.6) ==8467== by 0x4BB56B7: KApplication::KApplication(bool, bool) (in /usr/lib/libkdecore.so.4.2.0) ==8467== by 0x40BBD12: KoApplication::KoApplication() (in /usr/lib/libkofficecore.so.3.0.0) ==8467== by 0x40212E9: kdemain (in /usr/lib/libkdeinit_krita.so) ==8467== by 0x80486E5: main (kdeinit_krita.cpp:2) ==8467== ==8467== Syscall param write(buf) points to uninitialised byte(s) ==8467== at 0x4000772: (within /lib/ld-2.3.6.so) ==8467== by 0x56E16F3: _X11TransWrite (in /usr/lib/libX11.so.6.2.0) ==8467== by 0x56E606A: (within /usr/lib/libX11.so.6.2.0) ==8467== by 0x56BD95B: XCheckTypedWindowEvent (in /usr/lib/libX11.so.6.2.0) ==8467== by 0x4F52720: QETWidget::translateConfigEvent(_XEvent const*) (in /usr/lib/libqt-mt.so.3.3.6) ==8467== by 0x4F5CE0D: QApplication::x11ProcessEvent(_XEvent*) (in /usr/lib/libqt-mt.so.3.3.6) ==8467== by 0x4F764DA: QEventLoop::processEvents(unsigned) (in /usr/lib/libqt-mt.so.3.3.6) ==8467== by 0x4FEA946: QEventLoop::enterLoop() (in /usr/lib/libqt-mt.so.3.3.6) ==8467== by 0x4FEA869: QEventLoop::exec() (in /usr/lib/libqt-mt.so.3.3.6) ==8467== by 0x4FD0964: QApplication::exec() (in /usr/lib/libqt-mt.so.3.3.6) ==8467== by 0x4021302: kdemain (in /usr/lib/libkdeinit_krita.so) ==8467== by 0x80486E5: main (kdeinit_krita.cpp:2) ==8467== Address 0x5A9DBD0 is 3,520 bytes inside a block of size 16,384 alloc'd ==8467== at 0x401D7AA: calloc (vg_replace_malloc.c:279) ==8467== by 0x56D1F65: XOpenDisplay (in /usr/lib/libX11.so.6.2.0) ==8467== by 0x4F5F50F: qt_init_internal(int*, char**, _XDisplay*, 
unsigned long, unsigned long) (in /usr/lib/libqt-mt.so.3.3.6) ==8467== by 0x4F615F3: qt_init(int*, char**, QApplication::Type) (in /usr/lib/libqt-mt.so.3.3.6) ==8467== by 0x4FD62D1: QApplication::construct(int&, char**, QApplication::Type) (in /usr/lib/libqt-mt.so.3.3.6) ==8467== by 0x4FD6610: QApplication::QApplication(int&, char**, bool) (in /usr/lib/libqt-mt.so.3.3.6) ==8467== by 0x4BB56B7: KApplication::KApplication(bool, bool) (in /usr/lib/libkdecore.so.4.2.0) ==8467== by 0x40BBD12: KoApplication::KoApplication() (in /usr/lib/libkofficecore.so.3.0.0) ==8467== by 0x40212E9: kdemain (in /usr/lib/libkdeinit_krita.so) ==8467== by 0x80486E5: main (kdeinit_krita.cpp:2) ~ScimInputContextPlugin()
SVN commit 587382 by coppens: Fix a crash where the histogram docker would try to fetch selectedness outside of the consecutive area of the selection (but inside the consecutive area of the actual iterator). This shouldn't have happened because the comment of selectionMask() says it shouldn't: 'this is guaranteed to have the same number of consecutive pixels that the iterator has at a given point' BUG:134497 M +23 -2 kis_iterators_pixel.h --- branches/koffice/1.6/koffice/krita/core/kis_iterators_pixel.h #587381:587382 @@ -58,6 +58,16 @@ Q_INT32 y() const { return KisHLineIterator::y() + m_offsety; } + Q_INT32 nConseqHPixels() const { + if (m_selectionIterator) { + Q_INT32 parent = KisHLineIteratorPixel::nConseqHPixels(); + Q_INT32 selection = m_selectionIterator->nConseqHPixels(); + if (parent < selection) + return parent; + return selection; + } + return KisHLineIteratorPixel::nConseqHPixels(); + } protected: Q_INT32 m_offsetx, m_offsety; @@ -85,7 +95,7 @@ Q_INT32 x() const { return KisVLineIterator::x() + m_offsetx; } Q_INT32 y() const { return KisVLineIterator::y() + m_offsety; } - + protected: Q_INT32 m_offsetx, m_offsety; @@ -113,7 +123,18 @@ Q_INT32 x() const { return KisRectIterator::x() + m_offsetx; } Q_INT32 y() const { return KisRectIterator::y() + m_offsety; } - + + Q_INT32 nConseqPixels() const { + if (m_selectionIterator) { + Q_INT32 parent = KisRectIterator::nConseqPixels(); + Q_INT32 selection = m_selectionIterator->nConseqPixels(); + if (parent < selection) + return parent; + return selection; + } + return KisRectIterator::nConseqPixels(); + } + protected: Q_INT32 m_offsetx, m_offsety;
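Review bot: The new `nConseqHPixels()` in the first hunk calls `KisHLineIteratorPixel::nConseqHPixels()`, whereas the neighbouring `y()` delegates to `KisHLineIterator::y()`. If the enclosing class is KisHLineIteratorPixel, as that delegation and the file name suggest, both calls name the method being defined and recurse until the stack is exhausted. The third hunk shows the intended pattern by calling the base `KisRectIterator::nConseqPixels()`. The two lines should presumably read `Q_INT32 parent = KisHLineIterator::nConseqHPixels();` and `return KisHLineIterator::nConseqHPixels();`. The class header lies outside the hunk, so confirm the class name before changing it.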
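Review bot: `nConseqPixels()` in the third hunk returns the smaller of the parent's and the selection iterator's run lengths, but nothing at the definition says so, and callers index both `rawData()` and `selectionMask()` by this count. A comment such as `// Clamped to the selection iterator's run so rawData() and selectionMask() are both valid for this many pixels` would record the contract; the same applies to `nConseqHPixels()` in the first hunk. The manual comparison could be written `return QMIN(parent, selection);`. Whether code holding a plain KisRectIterator sees the clamped value depends on the base declaration, which is not visible here.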
SVN commit 587383 by coppens: Seems to be needed after the fix for the difference between selection and actual conseqpixels. Seems a bit weird but doesn't loop infinitely anymore. CCBUG:134497 M +2 -0 kis_cachedhistogram.cc
--- branches/koffice/1.6/koffice/krita/plugins/viewplugins/histogram_docker/kis_cachedhistogram.cc #587382:587383
@@ -31,5 +31,7 @@
 i = srcIt.nConseqPixels();
 m_producer->addRegionToBin(srcIt.rawData(), srcIt.selectionMask(), i, dev->colorSpace());
 srcIt += i;
+ if (i == 0)
+ ++srcIt;
 }
 }
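Review bot: When `i` is 0, the added lines step past one pixel only after `addRegionToBin` has already been called with a zero count, so that pixel never reaches the histogram. Because the count is now clamped against the selection iterator, a zero probably means the two iterators disagree about their position, and skipping silently hides that. At minimum, handle the zero case before the call and say why, e.g. `if (i == 0) { ++srcIt; continue; } // zero-length run: step one pixel to guarantee progress`. The loop header is outside the hunk, so check that `continue` is safe there and that the termination test is re-evaluated after the step.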