Version: 3.4.1 (using KDE 3.4.1 Level "a", SUSE 9.3 UNSUPPORTED)
Compiler: gcc version 3.3.5 20050117 (prerelease) (SUSE Linux)
OS: Linux (i686) release 2.6.12-default

Removing child nodes from a div element in a loop causes konqueror to hang. This loop does not give an interrupt dialog. The javascript code is very simple:

onload = function(e) {
    var div = document.getElementById('output');
    var c = div.firstChild;
    while (c) {
        div.removeChild(c);
        c = div.firstChild;
    }
}
Created attachment 12091 [details] this file causes konqueror to hang and consume loads of memory. kill quickly or your os will hang
Do you have debugger support on as well? With it, I get this "beauty"; can't even get gdb to the base frame..

Exceeded maximum function call depth
Exceeded maximum function call depth
Exceeded maximum function call depth
Exceeded maximum function call depth

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1228757312 (LWP 13636)]
0xb6cd82a6 in malloc () from /lib/tls/libc.so.6
(gdb) Quit
(gdb) bt
#0  0xb6cd82a6 in malloc () from /lib/tls/libc.so.6
#1  0xb6e7e457 in operator new () from /usr/lib/libstdc++.so.6
#2  0xb646ba14 in List (this=0xbf80007c) at /home/maksim/kde3/kdelibs/kjs/list.cpp:108
#3  0xb646cb21 in KJS::Error::create (exec=0xbff2efcc, errtype=KJS::RangeError, message=0xb647c4f0 "Exceeded maximum function call depth.", lineno=-1, sourceId=-1) at /home/maksim/kde3/kdelibs/kjs/object.cpp:540
#4  0xb646ce0e in KJS::Object::call (this=0xb6482f98, exec=0xbff2efcc, thisObj=@0xbf800170, args=@0xb6483424) at /home/maksim/kde3/kdelibs/kjs/object.cpp:66
#5  0xb646d2f3 in KJS::ObjectImp::defaultValue (this=0x8798ce8, exec=0xbff2efcc, hint=KJS::StringType) at /home/maksim/kde3/kdelibs/kjs/object.cpp:320
#6  0xb646c1aa in KJS::ObjectImp::toPrimitive (this=0xb6482f98, exec=0xbff2efcc, preferredType=KJS::StringType) at /home/maksim/kde3/kdelibs/kjs/object.cpp:444
#7  0xb646c2a1 in KJS::ObjectImp::toString (this=0xb6482f98, exec=0xbff2efcc) at /home/maksim/kde3/kdelibs/kjs/object.cpp:462
#8  0xb646a360 in KJS::ValueImp::dispatchToString (this=0x8798ce8, exec=0xbff2efcc) at /home/maksim/kde3/kdelibs/kjs/value.cpp:200
#9  0xb6646d15 in KJS::Value::toString (this=0xb6482f98, exec=0xbff2efcc) at value.h:247
#10 0xb67cdd8a in KJS::KJSDebugWin::exception (this=0x849f8f0, exec=0xbff2efcc, value=@0xbf80046c, inTryCatch=false) at /home/maksim/kde3/kdelibs/khtml/ecma/kjs_debugwin.cpp:802
#11 0xb646dbdb in KJS::ExecState::setException (this=0xbff2efcc, e=@0xbf80046c) at /home/maksim/kde3/kdelibs/kjs/interpreter.cpp:364
#12 0xb646ce1a in KJS::Object::call (this=0xb6482f98, exec=0xbff2efcc, thisObj=@0xbf8004d0, args=@0xb6483424) at /home/maksim/kde3/kdelibs/kjs/object.cpp:67
#13 0xb646d2f3 in KJS::ObjectImp::defaultValue (this=0x8798ee0, exec=0xbff2efcc, hint=KJS::StringType) at /home/maksim/kde3/kdelibs/kjs/object.cpp:320
#14 0xb646c1aa in KJS::ObjectImp::toPrimitive (this=0xb6482f98, exec=0xbff2efcc, preferredType=KJS::StringType) at /home/maksim/kde3/kdelibs/kjs/object.cpp:444
#15 0xb646c2a1 in KJS::ObjectImp::toString (this=0xb6482f98, exec=0xbff2efcc) at /home/maksim/kde3/kdelibs/kjs/object.cpp:462
#16 0xb646a360 in KJS::ValueImp::dispatchToString (this=0x8798ee0, exec=0xbff2efcc) at /home/maksim/kde3/kdelibs/kjs/value.cpp:200
#17 0xb6646d15 in KJS::Value::toString (this=0xb6482f98, exec=0xbff2efcc) at value.h:247
#18 0xb67cdd8a in KJS::KJSDebugWin::exception (this=0x849f8f0, exec=0xbff2efcc, value=@0xbf8007cc, inTryCatch=false) at /home/maksim/kde3/kdelibs/khtml/ecma/kjs_debugwin.cpp:802
#19 0xb646dbdb in KJS::ExecState::setException (this=0xbff2efcc, e=@0xbf8007cc)
---Type <return> to continue, or q <return> to quit---
    at /home/maksim/kde3/kdelibs/kjs/interpreter.cpp:364
No, I don't. I'm using standard SuSE packages. Also, konqueror does not crash for me but goes into a resource hungry loop.
I meant as in "View->JavaScript Debugger", not a debug build
I can open the debugger, but the debugger is so buggy that it doesn't show the code for the page in question. Also, if I change the code to only hang after pressing a button, the page does not hang. So I think the bug is related to the fact that the code is run on init.
Created attachment 12104 [details] KDE 3.4.1 will hang if you type in the text box
After some more testing I found another case that triggers the bug. See the previous attachment for a demonstration. On typing in the text box, a javascript function is called that causes the same loop mentioned above.
Well, I think there are 2 bugs in your report:
1. There is some bug which causes some sort of an infinite recursion here.
2. When the debugger is on, the call depth guard manages to screw up and get into infinite recursion itself.
#2 is what causes the nasty memory usage spike, #1 is what causes problems with stuff not working.
My debugger does not go into infinite recursion, but that's probably because it does not pick up the javascript code. So the bug I am reporting here is #1: the loop without debugger. The code I've submitted does not contain an infinite loop. This is the code:

var c = div.firstChild;
while (c) {
    div.removeChild(c);
    c = div.firstChild;
}

If div has no children, c == null. If c != null, div has children and the first child is removed. This continues until no children are left, at which point the loop is exited. This is bona fide code that works in firefox and opera. So the infinite loop is caused by a bug in the javascript interpreter in KDE 3.4.1.
And after even more analysis, I've found that the cause of the bug is even simpler:

<input onkeyup="onkeyup()" type="text" size="50"/>

The fact that the function called has the same name as the event is the problem. This causes an infinite loop. The function does not have to be defined in the page. If you try this in Opera, you get:

Event thread: keyup
ECMAScript interpreter stack overflow. Script terminated.

Firefox does not complain, but ignores the problem.
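The comment above pins the hang on the inline attribute onkeyup="onkeyup()". An inline handler is compiled with the element itself at the front of its scope chain, so the bare name onkeyup resolves to the element's own onkeyup property, which is the handler, and the handler calls itself without bound; an interpreter without a working call-depth guard spins until it runs out of memory. The following is an added example, not code from the bug report or from KJS or khtml: it models that lookup with a `with` block, shows a depth guard that turns the recursion into a reported RangeError like Opera's "stack overflow" message, and contrasts it with a handler given a distinct global name. `installInlineHandler`, `dispatch`, `MAX_DEPTH` and the `input` object are assumptions of this example.

```javascript
// Added example (not bug-report, KJS or khtml code): simulate inline-handler
// compilation so the scope-chain collision behind onkeyup="onkeyup()" is visible.
const MAX_DEPTH = 100; // assumed guard, stands in for the interpreter's limit

// Compile attribute text into a function whose name lookup starts at the
// element, the way a browser compiles an on* attribute (`with` reproduces
// that lookup order here; the Function body is non-strict so `with` is legal).
function installInlineHandler(element, eventName, body, maxDepth = MAX_DEPTH) {
  const compiled = new Function('element', 'with (element) { ' + body + ' }');
  let depth = 0;
  element['on' + eventName] = function handler() {
    if (depth >= maxDepth) {
      throw new RangeError('Exceeded maximum function call depth.');
    }
    depth++;
    try {
      return compiled.call(element, element);
    } finally {
      depth--; // unwinds cleanly even when the RangeError propagates
    }
  };
}

// Fire the event and report whether the handler completed or was stopped.
function dispatch(element, eventName) {
  try {
    element['on' + eventName]();
    return { status: 'ok' };
  } catch (err) {
    return { status: 'error', name: err.name, message: err.message };
  }
}

// Case 1: the reported page, <input onkeyup="onkeyup()">. Inside the handler
// the bare name `onkeyup` resolves to the element's own onkeyup property,
// i.e. the handler itself, so the guard is what ends the recursion.
function reproduceShadowedHandler() {
  const input = { tagName: 'INPUT', type: 'text', handled: 0 }; // constructed
  installInlineHandler(input, 'keyup', 'onkeyup()');
  return dispatch(input, 'keyup');
}

// Case 2: same page with a distinct handler name defined on the global object
// (window in a browser): lookup passes the element and finds the page function.
function runRenamedHandler() {
  globalThis.handleKeyUp = function (el) { el.handled += 1; };
  const input = { tagName: 'INPUT', type: 'text', handled: 0 }; // constructed
  installInlineHandler(input, 'keyup', 'handleKeyUp(this)');
  const result = dispatch(input, 'keyup');
  return { ...result, handled: input.handled };
}
```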
My 3.5-branch konqi won't hang/leak memory. Tested all three test cases.
Can't reproduce in trunk (rev. 798035). Testcases in comments #1 and #6 don't make konqueror crash anymore nor hang. Also tested <input onkeyup="onkeyup()" type="text" size="50"/> : Konqueror doesn't seem to be affected.
All three bugs are not present in konqueror 3.5.7 anymore, so I'm closing this bug.