| Summary: | tag small following iframe with google maps link cause khtml to crash | | |
|---|---|---|---|
| Product: | [Applications] konqueror | Reporter: | Tommi Mäkitalo <tommi> |
| Component: | khtml | Assignee: | Konqueror Developers <konq-bugs> |
| Status: | RESOLVED WORKSFORME | | |
| Severity: | crash | CC: | dominik.tritscher, frank78ac |
| Priority: | NOR | Keywords: | testcase, triaged |
| Version: | 4.2.0 | | |
| Target Milestone: | --- | | |
| Platform: | Ubuntu | | |
| OS: | Linux | | |
| Latest Commit: | | Version Fixed In: | |
Description
Tommi Mäkitalo
2009-03-01 16:20:29 UTC
Thanks for the bug report and the nice test case! It's not 100% reproducible, but both 4.2.0 and trunk rev. 933864 crash sometimes when opening the test case. Here's a more detailed backtrace:

```
Thread 1 (Thread 0xb5c186c0 (LWP 25478)):
[KCrash Handler]
#6  0xb3c72a58 in khtml::InlineFlowBox::deleteLine (this=0x9571c9c, arena=0x95483a8) at /home/kde-devel/kde/src/KDE/kdelibs/khtml/rendering/render_line.cpp:209
#7  0xb3bd4520 in khtml::RenderBlock::determineStartPosition (this=0x95719d4, fullLayout=true, start=@0xbfe0f340, bidi=@0xbfe0f2c0) at /home/kde-devel/kde/src/KDE/kdelibs/khtml/rendering/bidi.cpp:1742
#8  0xb3bd5a92 in khtml::RenderBlock::layoutInlineChildren (this=0x95719d4, relayoutChildren=true, breakBeforeLine=0) at /home/kde-devel/kde/src/KDE/kdelibs/khtml/rendering/bidi.cpp:1469
#9  0xb3be44f6 in khtml::RenderBlock::layoutBlock (this=0x95719d4, relayoutChildren=true) at /home/kde-devel/kde/src/KDE/kdelibs/khtml/rendering/render_block.cpp:780
#10 0xb3be4cef in khtml::RenderBlock::layout (this=0x95719d4) at /home/kde-devel/kde/src/KDE/kdelibs/khtml/rendering/render_block.cpp:683
#11 0xb3c6b398 in khtml::RenderBody::layout (this=0x95719d4) at /home/kde-devel/kde/src/KDE/kdelibs/khtml/rendering/render_body.cpp:91
#12 0xb3a7326d in khtml::RenderObject::layoutIfNeeded (this=0x95719d4) at /home/kde-devel/kde/src/KDE/kdelibs/khtml/rendering/render_object.h:477
#13 0xb3be3a3b in khtml::RenderBlock::layoutBlockChildren (this=0x95718e4, relayoutChildren=true) at /home/kde-devel/kde/src/KDE/kdelibs/khtml/rendering/render_block.cpp:1510
#14 0xb3be450b in khtml::RenderBlock::layoutBlock (this=0x95718e4, relayoutChildren=true) at /home/kde-devel/kde/src/KDE/kdelibs/khtml/rendering/render_block.cpp:782
#15 0xb3be4cef in khtml::RenderBlock::layout (this=0x95718e4) at /home/kde-devel/kde/src/KDE/kdelibs/khtml/rendering/render_block.cpp:683
#16 0xb3a7326d in khtml::RenderObject::layoutIfNeeded (this=0x95718e4) at /home/kde-devel/kde/src/KDE/kdelibs/khtml/rendering/render_object.h:477
#17 0xb3be3a3b in khtml::RenderBlock::layoutBlockChildren (this=0x95717a0, relayoutChildren=true) at /home/kde-devel/kde/src/KDE/kdelibs/khtml/rendering/render_block.cpp:1510
#18 0xb3be450b in khtml::RenderBlock::layoutBlock (this=0x95717a0, relayoutChildren=true) at /home/kde-devel/kde/src/KDE/kdelibs/khtml/rendering/render_block.cpp:782
#19 0xb3c65c4e in khtml::RenderCanvas::layout (this=0x95717a0) at /home/kde-devel/kde/src/KDE/kdelibs/khtml/rendering/render_canvas.cpp:187
#20 0xb3a6f802 in KHTMLView::layout (this=0x946cad0) at /home/kde-devel/kde/src/KDE/kdelibs/khtml/khtmlview.cpp:1052
#21 0xb3b11e78 in DOM::DocumentImpl::updateLayout (this=0x953e8f0) at /home/kde-devel/kde/src/KDE/kdelibs/khtml/xml/dom_docimpl.cpp:1510
#22 0xb3b11dd1 in DOM::DocumentImpl::updateLayout (this=0x95b6140) at /home/kde-devel/kde/src/KDE/kdelibs/khtml/xml/dom_docimpl.cpp:1497
#23 0xb3d3e84f in KJS::DOMNode::getValueProperty (this=0xb1c21ca0, exec=0xbfe10eac, token=62) at /home/kde-devel/kde/src/KDE/kdelibs/khtml/ecma/kjs_dom.cpp:365
#24 0xb3d4562d in KJS::staticValueGetter<KJS::DOMNode> (exec=0xbfe10eac, slot=@0xbfe0fa48) at /home/kde-devel/kde/src/KDE/kdelibs/kjs/lookup.h:147
#25 0xb390010f in KJS::PropertySlot::getValue (this=0xbfe0fa48, exec=0xbfe10eac, originalObject=0xb1c21ca0, propertyName=@0x975972c) at /home/kde-devel/kde/src/KDE/kdelibs/kjs/property_slot.h:46
#26 0xb38fe9d6 in KJS::JSObject::get (this=0xb1c21ca0, exec=0xbfe10eac, propertyName=@0x975972c) at /home/kde-devel/kde/src/KDE/kdelibs/kjs/object.cpp:132
#27 0xb391ae24 in KJS::Machine::runBlock (exec=0xbfe10eac, codeBlock=@0x97598e0, parentExec=0xbfe1240c) at codes.def:673
#28 0xb38fab6b in KJS::FunctionImp::callAsFunction (this=0xb1c21040, exec=0xbfe1240c, thisObj=0xb1c30000, args=@0xbfe12358) at /home/kde-devel/kde/src/KDE/kdelibs/kjs/function.cpp:144
#29 0xb38ffb77 in KJS::JSObject::call (this=0xb1c21040, exec=0xbfe1240c, thisObj=0xb1c30000, args=@0xbfe12358) at /home/kde-devel/kde/src/KDE/kdelibs/kjs/object.cpp:69
#30 0xb3923092 in KJS::Machine::runBlock (exec=0xbfe1240c, codeBlock=@0x975e0f8, parentExec=0xbfe13a20) at codes.def:1192
#31 0xb38fab6b in KJS::FunctionImp::callAsFunction (this=0xb1c211c0, exec=0xbfe13a20, thisObj=0xb1c30000, args=@0xbfe138b8) at /home/kde-devel/kde/src/KDE/kdelibs/kjs/function.cpp:144
#32 0xb38ffb77 in KJS::JSObject::call (this=0xb1c211c0, exec=0xbfe13a20, thisObj=0xb1c30000, args=@0xbfe138b8) at /home/kde-devel/kde/src/KDE/kdelibs/kjs/object.cpp:69
#33 0xb3923092 in KJS::Machine::runBlock (exec=0xbfe13a20, codeBlock=@0x98ce330, parentExec=0x0) at codes.def:1192
#34 0xb38c37a1 in KJS::FunctionBodyNode::execute (this=0x98ce2d8, exec=0xbfe13a20) at /home/kde-devel/kde/src/KDE/kdelibs/kjs/nodes.cpp:927
#35 0xb3901a3f in KJS::Interpreter::evaluate (this=0x9611328, sourceURL=@0xbfe13ba8, startingLineNumber=2, code=0x98a5fe0, codeLength=18233, thisV=0xb1c30000) at /home/kde-devel/kde/src/KDE/kdelibs/kjs/interpreter.cpp:553
#36 0xb3901ca1 in KJS::Interpreter::evaluate (this=0x9611328, sourceURL=@0xbfe13ba8, startingLineNumber=2, code=@0xbfe13bac, thisV=0xb1c30000) at /home/kde-devel/kde/src/KDE/kdelibs/kjs/interpreter.cpp:493
#37 0xb3d8f747 in KJS::KJSProxyImpl::evaluate (this=0x960aa20, filename={static null = {<No data fields>}, static shared_null = {ref = {_q_value = 11153}, alloc = 0, size = 0, data = 0xb73b4c3a, clean = 0, simpletext = 0, righttoleft = 0, asciiCache = 0, capacity = 0, reserved = 0, array = {0}}, static shared_empty = {ref = {_q_value = 176}, alloc = 0, size = 0, data = 0xb73b4c4e, clean = 0, simpletext = 0, righttoleft = 0, asciiCache = 0, capacity = 0, reserved = 0, array = {0}}, d = 0xbfe13c54, static codecForCStrings = 0x0}, baseLine=2, str=@0xbfe13e00, n=@0xbfe13ca8, completion=0xbfe13c2c) at /home/kde-devel/kde/src/KDE/kdelibs/khtml/ecma/kjs_proxy.cpp:158
#38 0xb3aa9640 in KHTMLPart::executeScript (this=0x93dcf00, filename=@0xbfe13cc4, baseLine=2, n=@0xbfe13ca8, script=@0xbfe13e00) at /home/kde-devel/kde/src/KDE/kdelibs/khtml/khtml_part.cpp:1320
(46 more frames follow...)
```

It's probably a duplicate of bug 182524 and the ones I listed in https://bugs.kde.org/show_bug.cgi?id=182524#c2, but maybe the test case actually makes it easier to find the root cause of the bug.

@ FrankR: could you please try getting a valgrind log of this? Isn't reproducible under it for me...

(In reply to comment #3)
> @ FrankR: could you please try getting a valgrind log of this? Isn't
> reproducible under it for me...

I have the same problem - "konqueror testcase.html" crashes more often than not, but "valgrind konqueror testcase.html" never crashes for me :-(

No crash inside vg:

```
==20050==
==20050== Invalid read of size 4
==20050==    at 0x1481E39E: void khtmlImLoad::scaleLoop<unsigned int>(QImage*, unsigned int*, int, QImage const&, int, int, int) (scaledimageplane.cpp:53)
==20050==    by 0x1481E884: khtmlImLoad::ScaledImagePlane::ensureUpToDate(unsigned int, unsigned int, khtmlImLoad::PixmapTile*) (scaledimageplane.cpp:97)
==20050==    by 0x1481F4DB: khtmlImLoad::PixmapPlane::paint(int, int, QPainter*, int, int, int, int) (pixmapplane.cpp:102)
==20050==    by 0x1481FB04: khtmlImLoad::ImagePainter::paint(int, int, QPainter*, int, int, int, int) (imagepainter.cpp:126)
==20050==    by 0x14639EF3: khtml::RenderImage::paint(khtml::RenderObject::PaintInfo&, int, int) (render_image.cpp:331)
==20050==    by 0x14634A00: khtml::RenderLayer::paintLayer(khtml::RenderLayer*, QPainter*, QRect const&, bool) (render_layer.cpp:1082)
==20050==    by 0x14634C8F: khtml::RenderLayer::paintLayer(khtml::RenderLayer*, QPainter*, QRect const&, bool) (render_layer.cpp:1107)
==20050==    by 0x14634C8F: khtml::RenderLayer::paintLayer(khtml::RenderLayer*, QPainter*, QRect const&, bool) (render_layer.cpp:1107)
==20050==    by 0x14634C8F: khtml::RenderLayer::paintLayer(khtml::RenderLayer*, QPainter*, QRect const&, bool) (render_layer.cpp:1107)
==20050==    by 0x14634C8F: khtml::RenderLayer::paintLayer(khtml::RenderLayer*, QPainter*, QRect const&, bool) (render_layer.cpp:1107)
==20050==    by 0x14634C8F: khtml::RenderLayer::paintLayer(khtml::RenderLayer*, QPainter*, QRect const&, bool) (render_layer.cpp:1107)
==20050==    by 0x14634C8F: khtml::RenderLayer::paintLayer(khtml::RenderLayer*, QPainter*, QRect const&, bool) (render_layer.cpp:1107)
==20050==    by 0x14634E00: khtml::RenderLayer::paint(QPainter*, QRect const&, bool) (render_layer.cpp:974)
==20050==    by 0x14457084: KHTMLView::render(QPainter*, QRect const&, QPoint const&) (khtmlview.cpp:3428)
==20050==    by 0x146551D6: khtml::RenderWidget::paintWidget(khtml::RenderObject::PaintInfo&, QWidget*, int, int, QPixmap**) (render_replaced.cpp:764)
==20050==    by 0x146564CD: khtml::RenderWidget::paint(khtml::RenderObject::PaintInfo&, int, int) (render_replaced.cpp:624)
==20050==    by 0x1467F771: khtml::InlineBox::paint(khtml::RenderObject::PaintInfo&, int, int) (render_line.cpp:141)
==20050==    by 0x1467E196: khtml::InlineFlowBox::paint(khtml::RenderObject::PaintInfo&, int, int) (render_line.cpp:826)
==20050==    by 0x1467E214: khtml::RootInlineBox::paint(khtml::RenderObject::PaintInfo&, int, int) (render_line.cpp:1134)
==20050==    by 0x14625B86: khtml::RenderFlow::paintLines(khtml::RenderObject::PaintInfo&, int, int) (render_flow.cpp:389)
==20050==    by 0x145EAFF9: khtml::RenderBlock::paintObject(khtml::RenderObject::PaintInfo&, int, int, bool) (render_block.cpp:1730)
==20050==    by 0x145EB46D: khtml::RenderBlock::paint(khtml::RenderObject::PaintInfo&, int, int) (render_block.cpp:1700)
==20050==    by 0x145EB07F: khtml::RenderBlock::paintObject(khtml::RenderObject::PaintInfo&, int, int, bool) (render_block.cpp:1734)
==20050==    by 0x145EB46D: khtml::RenderBlock::paint(khtml::RenderObject::PaintInfo&, int, int) (render_block.cpp:1700)
==20050==    by 0x14634A00: khtml::RenderLayer::paintLayer(khtml::RenderLayer*, QPainter*, QRect const&, bool) (render_layer.cpp:1082)
==20050==    by 0x14634C8F: khtml::RenderLayer::paintLayer(khtml::RenderLayer*, QPainter*, QRect const&, bool) (render_layer.cpp:1107)
==20050==    by 0x14634E00: khtml::RenderLayer::paint(QPainter*, QRect const&, bool) (render_layer.cpp:974)
==20050==    by 0x1446B6A4: KHTMLView::paintEvent(QPaintEvent*) (khtmlview.cpp:964)
==20050==    by 0x7D3B12E: QWidget::event(QEvent*) (qwidget.cpp:7649)
==20050==    by 0x8125C8A: QFrame::event(QEvent*) (qframe.cpp:554)
==20050==    by 0x1445D837: KHTMLView::widgetEvent(QEvent*) (khtmlview.cpp:2356)
==20050==    by 0x14461C4C: KHTMLView::eventFilter(QObject*, QEvent*) (khtmlview.cpp:2220)
==20050==    by 0x75B3766: QCoreApplicationPrivate::sendThroughObjectEventFilters(QObject*, QEvent*) (qcoreapplication.cpp:710)
==20050==    by 0x7CDE358: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:4047)
==20050==    by 0x7CE023C: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:4016)
==20050==    by 0x66A465C: KApplication::notify(QObject*, QEvent*) (kapplication.cpp:307)
==20050==    by 0x75B51A8: QCoreApplication::notifyInternal(QObject*, QEvent*) (qcoreapplication.cpp:590)
==20050==    by 0x7CEA0DC: QCoreApplication::sendSpontaneousEvent(QObject*, QEvent*) (qcoreapplication.h:211)
==20050==    by 0x7D389F9: QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) (qwidget.cpp:5041)
==20050==    by 0x7F0F4A5: QWidgetBackingStore::sync() (qbackingstore.cpp:1259)
==20050==    by 0x7D32CC1: QWidgetPrivate::syncBackingStore() (qwidget.cpp:1598)
==20050==    by 0x7D3B711: QWidget::event(QEvent*) (qwidget.cpp:7789)
==20050==    by 0x8142D56: QMainWindow::event(QEvent*) (qmainwindow.cpp:1391)
==20050==    by 0x67788A9: KMainWindow::event(QEvent*) (kmainwindow.cpp:1094)
==20050==    by 0x67B638E: KXmlGuiWindow::event(QEvent*) (kxmlguiwindow.cpp:131)
==20050==    by 0x4EA5ACD: KonqMainWindow::event(QEvent*) (konqmainwindow.cpp:5681)
==20050==    by 0x7CDE37A: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:4051)
==20050==    by 0x7CE023C: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:4016)
==20050==    by 0x66A465C: KApplication::notify(QObject*, QEvent*) (kapplication.cpp:307)
==20050==    by 0x75B51A8: QCoreApplication::notifyInternal(QObject*, QEvent*) (qcoreapplication.cpp:590)
==20050==  Address 0x1110419c is 0 bytes after a block of size 4 alloc'd
==20050==    at 0x4C2694E: malloc (vg_replace_malloc.c:207)
==20050==    by 0x7D93776: QImageData::create(QSize const&, QImage::Format, int) (qimage.cpp:241)
==20050==    by 0x7D954E9: QImage::QImage(int, int, QImage::Format) (qimage.cpp:826)
==20050==    by 0x1481EF2C: khtmlImLoad::ImageFormat::makeImage(int, int) const (imageformat.h:74)
==20050==    by 0x148219B7: khtmlImLoad::Image::notifyAppendFrame(int, int, khtmlImLoad::ImageFormat const&) (image.cpp:249)
==20050==    by 0x14826D3A: khtmlImLoad::ImageLoader::notifyAppendFrame(int, int, khtmlImLoad::ImageFormat const&) (imageloader.h:62)
==20050==    by 0x14826D75: khtmlImLoad::ImageLoader::notifySingleFrameImage(int, int, khtmlImLoad::ImageFormat const&) (imageloader.h:71)
==20050==    by 0x148275F8: khtmlImLoad::PNGLoader::haveInfo() (pngloader.cpp:186)
==20050==    by 0x14827679: khtmlImLoad::PNGLoader::dispHaveInfo(png_struct_def*, png_info_struct*) (pngloader.cpp:66)
==20050==    by 0xC0E260B: (within /usr/lib/libpng12.so.0.27.0)
==20050==    by 0xC0E2C7A: png_process_data (in /usr/lib/libpng12.so.0.27.0)
==20050==    by 0x148270E3: khtmlImLoad::PNGLoader::processData(unsigned char*, int) (pngloader.cpp:257)
==20050==    by 0x14821D3C: khtmlImLoad::Image::processData(unsigned char*, int) (image.cpp:151)
==20050==    by 0x146EFFA3: khtml::CachedImage::data(QBuffer&, bool) (loader.cpp:853)
==20050==    by 0x146EC713: khtml::Loader::slotData(KIO::Job*, QByteArray const&) (loader.cpp:1467)
==20050==    by 0x146EF13F: khtml::Loader::qt_metacall(QMetaObject::Call, int, void**) (loader.moc:133)
==20050==    by 0x75CB547: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3061)
==20050==    by 0x75CC89A: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qobject.cpp:3136)
==20050==    by 0x5B2C6A4: KIO::TransferJob::data(KIO::Job*, QByteArray const&) (jobclasses.moc:364)
==20050==    by 0x5B2CF85: KIO::TransferJob::slotData(QByteArray const&) (job.cpp:921)
==20050==    by 0x5B37254: KIO::TransferJob::qt_metacall(QMetaObject::Call, int, void**) (jobclasses.moc:344)
==20050==    by 0x75CB547: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3061)
==20050==    by 0x75CC89A: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qobject.cpp:3136)
==20050==    by 0x5BD588C: KIO::SlaveInterface::data(QByteArray const&) (slaveinterface.moc:140)
==20050==    by 0x5BD7206: KIO::SlaveInterface::dispatch(int, QByteArray const&) (slaveinterface.cpp:163)
==20050==    by 0x5BD7132: KIO::SlaveInterface::dispatch() (slaveinterface.cpp:91)
==20050==    by 0x5BCADDA: KIO::Slave::gotInput() (slave.cpp:322)
==20050==    by 0x5BCC03A: KIO::Slave::qt_metacall(QMetaObject::Call, int, void**) (slave.moc:76)
==20050==    by 0x75CB547: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3061)
==20050==    by 0x75CC89A: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qobject.cpp:3136)
==20050==    by 0x5B027ED: KIO::Connection::readyRead() (connection.moc:86)
==20050==    by 0x5B03665: KIO::ConnectionPrivate::dequeue() (connection.cpp:82)
==20050==    by 0x5B044F9: KIO::Connection::qt_metacall(QMetaObject::Call, int, void**) (connection.moc:73)
==20050==    by 0x75C4DB2: QMetaCallEvent::placeMetaCall(QObject*) (qobject.cpp:484)
==20050==    by 0x75C93E3: QObject::event(QEvent*) (qobject.cpp:1110)
==20050==    by 0x7CDE37A: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:4051)
==20050==    by 0x7CDE6C7: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:3598)
==20050==    by 0x66A465C: KApplication::notify(QObject*, QEvent*) (kapplication.cpp:307)
==20050==    by 0x75B51A8: QCoreApplication::notifyInternal(QObject*, QEvent*) (qcoreapplication.cpp:590)
==20050==    by 0x75B8C3C: QCoreApplication::sendEvent(QObject*, QEvent*) (qcoreapplication.h:208)
==20050==    by 0x75B56FA: QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qcoreapplication.cpp:1228)
==20050==    by 0x75B58D1: QCoreApplication::sendPostedEvents(QObject*, int) (qcoreapplication.cpp:1124)
==20050==    by 0x75E47F2: QCoreApplication::sendPostedEvents() (qcoreapplication.h:213)
==20050==    by 0x75E3A33: postEventSourceDispatch(_GSource*, int (*)(void*), void*) (qeventdispatcher_glib.cpp:204)
==20050==    by 0xB61FD3A: g_main_context_dispatch (in /usr/lib/libglib-2.0.so.0.1800.2)
==20050==    by 0xB62350C: (within /usr/lib/libglib-2.0.so.0.1800.2)
==20050==    by 0xB6236CA: g_main_context_iteration (in /usr/lib/libglib-2.0.so.0.1800.2)
==20050==    by 0x75E2D75: QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventdispatcher_glib.cpp:318)
==20050==    by 0x7D86212: QGuiEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qguieventdispatcher_glib.cpp:197)
==20050==    by 0x75B2456: QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventloop.cpp:144)
```

The provided testcase works fine for me with konqueror 4.2.90. I opened the html file about a dozen times from within dolphin and it never crashed. Can somebody else still reproduce that crash with a current version of konqueror?

Konqueror 4.2.2 does not crash any more.

Thanks for the quick reply. I close this report for now. Please feel free to reopen if anybody still experiences this issue with a recent kde version.