Bug 112329 - Konqueror can be crashed with JavaScript and CSS
Status: RESOLVED DUPLICATE of bug 84173
Product: konqueror
Classification: Applications
Component: general
Version: unspecified
Platform: openSUSE Linux
Importance: NOR crash
Target Milestone: ---
Assignee: Konqueror Developers
Reported: 2005-09-09 21:43 UTC by Christian Kern
Modified: 2005-09-09 22:42 UTC

Description Christian Kern 2005-09-09 21:43:42 UTC
Version:           3.3.2 (as well as 3.2.3) (using KDE 3.3.2)
Installed from:    SuSE RPMs
Compiler:          gcc, I guess ... 
OS:                Linux

I have two images in a web page and have a JavaScript function to hide and show them
via CSS: document.getElementById(...).style.display='none'
Hiding the first one is fine. Then hiding the second one and then asking for the
width of the second image will crash Konqueror.

I've tried this on i686 Linux machines. One of them was SuSE 9.0/KDE 3.3.2
(crash handler report below is from this machine), the other was RedHat 8.0/KDE 3.2.3.
I don't have a newer version of KDE.

Here's the HTML code:

<?xml version='1.0' encoding='ISO-8859-1'?>
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml'>
<head><title>Crashing Konqueror with JavaScript and CSS</title></head>
<body>
<h1>Crashing Konqueror with JavaScript and CSS</h1>
<p>How to do it: First click "no One", then "no Two"!</p>
<hr />

<!-- ========== Configuration ============================================= -->
<p>
  <b>Configuration:</b> Show
  (<a href='javascript:hide("one")' id='hide_one'>no One</a> |
   <a href='javascript:show("one")' id='show_one'>   One</a>) &middot;
  (<a href='javascript:hide("two")' id='hide_two'>no Two</a> |
   <a href='javascript:show("two")' id='show_two'>   Two</a>)
</p>
<hr />

<!-- ========== Two pictures ============================================== -->

  <img id='id_one' src='1.png' name='img_one' alt='?' width='32' height='32' />
  <img id='id_two' src='2.png' name='img_two' alt='?' width='32' height='32' />

<!-- ========== Script ==================================================== -->

<script type='text/javascript'>
   //--- Set basic parameters ---------------------------------------------
   // These hold the information which picture should be shown
   can_be_seen=new Array();
   can_be_seen['one']=1;
   can_be_seen['two']=1;

   // --- Functions for showing and hiding pictures -----------------------
   function show(id)
     {
      // show picture
      document.getElementById('id_'+id).style.display='block';
      // update configuration
      can_be_seen[id]=1;
      // special: get information about second picture and reload it
      picturewidth=document.getElementsByName('img_two')[0]['width'];
     };
   function hide(id)
     {
      // hide picture
      document.getElementById('id_'+id).style.display='none';
      // update configuration
      can_be_seen[id]=0;
      // if no picture is left, show all three
      if (can_be_seen['one']+can_be_seen['two']==0)
        {
         show('one');
         show('two');
        };
     };

   // --- At the beginning, initialize pictures once ----------------------
   show('one');
   show('two');
   // if you'd write "hide" here, Konqueror would crash immediately!

   // --- End of scripting ------------------------------------------------
</script>

<!-- ========== Page footer =============================================== -->
<hr />
</body>
</html>

Pictures were normal small 32x32 PNG pictures created with kiconedit,
any other pictures are fine too.

Here's what Konqueror says on the console:

konqueror: ERROR: Error in BrowserExtension::actionSlotMap(), unknown action : searchProvider
konqueror: ERROR: Error in BrowserExtension::actionSlotMap(), unknown action : searchProvider
KCrash: Application 'konqueror' crashing...

And here's what the KDE crash handler delivers:
(it was a SIGSEGV, signal 11)

Using host libthread_db library "/lib/libthread_db.so.1".
[Thread debugging using libthread_db enabled]
[New Thread 16384 (LWP 3898)]
[KCrash handler]
#4  0x419897e1 in DOM::HTMLImageElementImpl::width ()
   from /usr/local/kde/3.3.2/lib/libkhtml.so.4
#5  0x41adad7f in DOM::HTMLImageElement::width ()
   from /usr/local/kde/3.3.2/lib/libkhtml.so.4
#6  0x41a4bee3 in KJS::HTMLElement::getValueProperty ()
   from /usr/local/kde/3.3.2/lib/libkhtml.so.4
#7  0x41a44921 in KJS::HTMLElement::tryGet ()
   from /usr/local/kde/3.3.2/lib/libkhtml.so.4
#8  0x41a2d510 in KJS::DOMObject::get ()
   from /usr/local/kde/3.3.2/lib/libkhtml.so.4
#9  0x41bc0c30 in KJS::Reference::getValue ()
   from /usr/local/kde/3.3.2/lib/libkjs.so.1
#10 0x41b85d62 in KJS::Node::evaluate ()
   from /usr/local/kde/3.3.2/lib/libkjs.so.1
#11 0x41b8b26e in KJS::AssignNode::evaluate ()
   from /usr/local/kde/3.3.2/lib/libkjs.so.1
#12 0x41b8ce7a in KJS::ExprStatementNode::execute ()
   from /usr/local/kde/3.3.2/lib/libkjs.so.1
#13 0x41b9380c in KJS::SourceElementsNode::execute ()
   from /usr/local/kde/3.3.2/lib/libkjs.so.1
#14 0x41b8cc8f in KJS::BlockNode::execute ()
   from /usr/local/kde/3.3.2/lib/libkjs.so.1
#15 0x41b92ce3 in KJS::FunctionBodyNode::execute ()
   from /usr/local/kde/3.3.2/lib/libkjs.so.1
#16 0x41bb54bc in KJS::DeclaredFunctionImp::execute ()
   from /usr/local/kde/3.3.2/lib/libkjs.so.1
#17 0x41bb4892 in KJS::FunctionImp::call ()
   from /usr/local/kde/3.3.2/lib/libkjs.so.1
#18 0x41bb9d80 in KJS::Object::call ()
   from /usr/local/kde/3.3.2/lib/libkjs.so.1
#19 0x41b88813 in KJS::FunctionCallNode::evaluate ()
   from /usr/local/kde/3.3.2/lib/libkjs.so.1
#20 0x41b8ce7a in KJS::ExprStatementNode::execute ()
   from /usr/local/kde/3.3.2/lib/libkjs.so.1
#21 0x41b93796 in KJS::SourceElementsNode::execute ()
   from /usr/local/kde/3.3.2/lib/libkjs.so.1
#22 0x41b8cc8f in KJS::BlockNode::execute ()
   from /usr/local/kde/3.3.2/lib/libkjs.so.1
#23 0x41b8d21e in KJS::IfNode::execute ()
   from /usr/local/kde/3.3.2/lib/libkjs.so.1
#24 0x41b9380c in KJS::SourceElementsNode::execute ()
   from /usr/local/kde/3.3.2/lib/libkjs.so.1
#25 0x41b8cc8f in KJS::BlockNode::execute ()
   from /usr/local/kde/3.3.2/lib/libkjs.so.1
#26 0x41b92ce3 in KJS::FunctionBodyNode::execute ()
   from /usr/local/kde/3.3.2/lib/libkjs.so.1
#27 0x41bb54bc in KJS::DeclaredFunctionImp::execute ()
   from /usr/local/kde/3.3.2/lib/libkjs.so.1
#28 0x41bb4892 in KJS::FunctionImp::call ()
   from /usr/local/kde/3.3.2/lib/libkjs.so.1
#29 0x41bb9d80 in KJS::Object::call ()
   from /usr/local/kde/3.3.2/lib/libkjs.so.1
#30 0x41b88813 in KJS::FunctionCallNode::evaluate ()
   from /usr/local/kde/3.3.2/lib/libkjs.so.1
#31 0x41b8ce7a in KJS::ExprStatementNode::execute ()
   from /usr/local/kde/3.3.2/lib/libkjs.so.1
#32 0x41b93796 in KJS::SourceElementsNode::execute ()
   from /usr/local/kde/3.3.2/lib/libkjs.so.1
#33 0x41b8cc8f in KJS::BlockNode::execute ()
   from /usr/local/kde/3.3.2/lib/libkjs.so.1
#34 0x41b92ce3 in KJS::FunctionBodyNode::execute ()
   from /usr/local/kde/3.3.2/lib/libkjs.so.1
#35 0x41baa183 in KJS::InterpreterImp::evaluate ()
   from /usr/local/kde/3.3.2/lib/libkjs.so.1
#36 0x41bbbcda in KJS::Interpreter::evaluate ()
   from /usr/local/kde/3.3.2/lib/libkjs.so.1
#37 0x41a7b743 in KJS::KJSProxyImpl::evaluate ()
   from /usr/local/kde/3.3.2/lib/libkhtml.so.4
#38 0x41909bd8 in KHTMLPart::executeScript ()
   from /usr/local/kde/3.3.2/lib/libkhtml.so.4
#39 0x41908dc4 in KHTMLPart::crossFrameExecuteScript ()
   from /usr/local/kde/3.3.2/lib/libkhtml.so.4
#40 0x419157d3 in KHTMLPart::urlSelected ()
   from /usr/local/kde/3.3.2/lib/libkhtml.so.4
#41 0x419822fb in DOM::HTMLAnchorElementImpl::defaultEventHandler ()
   from /usr/local/kde/3.3.2/lib/libkhtml.so.4
#42 0x4195912f in DOM::NodeImpl::dispatchGenericEvent ()
   from /usr/local/kde/3.3.2/lib/libkhtml.so.4
#43 0x41958eb2 in DOM::NodeImpl::dispatchEvent ()
   from /usr/local/kde/3.3.2/lib/libkhtml.so.4
#44 0x418f6910 in KHTMLView::dispatchMouseEvent ()
   from /usr/local/kde/3.3.2/lib/libkhtml.so.4
#45 0x418f0ba6 in KHTMLView::viewportMouseReleaseEvent ()
   from /usr/local/kde/3.3.2/lib/libkhtml.so.4
#46 0x40eaae59 in QScrollView::eventFilter ()
   from /usr/local/kde/3.3.2/lib/libqt-mt.so.3
#47 0x418f2689 in KHTMLView::eventFilter ()
   from /usr/local/kde/3.3.2/lib/libkhtml.so.4
#48 0x40d9731e in QObject::activate_filters ()
   from /usr/local/kde/3.3.2/lib/libqt-mt.so.3
#49 0x40d9724c in QObject::event () from /usr/local/kde/3.3.2/lib/libqt-mt.so.3
#50 0x40dcf1ef in QWidget::event () from /usr/local/kde/3.3.2/lib/libqt-mt.so.3
#51 0x40d3dbef in QApplication::internalNotify ()
   from /usr/local/kde/3.3.2/lib/libqt-mt.so.3
#52 0x40d3d2f1 in QApplication::notify ()
   from /usr/local/kde/3.3.2/lib/libqt-mt.so.3
#53 0x4084adb7 in KApplication::notify ()
   from /usr/local/kde/3.3.2/lib/libkdecore.so.4
#54 0x40cd49c8 in QETWidget::translateMouseEvent ()
   from /usr/local/kde/3.3.2/lib/libqt-mt.so.3
#55 0x40cd267b in QApplication::x11ProcessEvent ()
   from /usr/local/kde/3.3.2/lib/libqt-mt.so.3
#56 0x40ce8fd1 in QEventLoop::processEvents ()
   from /usr/local/kde/3.3.2/lib/libqt-mt.so.3
#57 0x40d4fdc8 in QEventLoop::enterLoop ()
   from /usr/local/kde/3.3.2/lib/libqt-mt.so.3
#58 0x40d4fc78 in QEventLoop::exec ()
   from /usr/local/kde/3.3.2/lib/libqt-mt.so.3
#59 0x40d3de41 in QApplication::exec ()
   from /usr/local/kde/3.3.2/lib/libqt-mt.so.3
#60 0x4005ef6c in kdemain ()
   from /usr/local/kde/3.3.2/lib/libkdeinit_konqueror.so
#61 0x080486eb in ?? ()
#62 0x00000002 in ?? ()
#63 0xbffff6d4 in ?? ()
#64 0xbffff6a8 in ?? ()
#65 0x414d4d17 in __libc_start_main () from /lib/i686/libc.so.6

Comment 1 Maksim Orlovich 2005-09-09 22:42:11 UTC
Works fine for me, 3.5 development branch, looks like #84173

*** This bug has been marked as a duplicate of 84173 ***
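
Added example, not part of the original report or of any KDE tooling: a small Python triage helper that reduces a KCrash/gdb backtrace like the one above to an address-independent signature, so it can be compared with the backtrace of a suspected duplicate. The function names `parse_frames` and `signature` are hypothetical; the sample frames are copied from the report.

```python
import re

# A selection of frames copied from the backtrace in the report above.
SAMPLE = """\
[New Thread 16384 (LWP 3898)]
[KCrash handler]
#4  0x419897e1 in DOM::HTMLImageElementImpl::width ()
   from /usr/local/kde/3.3.2/lib/libkhtml.so.4
#5  0x41adad7f in DOM::HTMLImageElement::width ()
   from /usr/local/kde/3.3.2/lib/libkhtml.so.4
#6  0x41a4bee3 in KJS::HTMLElement::getValueProperty ()
   from /usr/local/kde/3.3.2/lib/libkhtml.so.4
#49 0x40d9724c in QObject::event () from /usr/local/kde/3.3.2/lib/libqt-mt.so.3
#61 0x080486eb in ?? ()
"""

FRAME = re.compile(r"^#(\d+)\s+(?:0x[0-9a-fA-F]+\s+in\s+)?(\S+)\s*\(")
LIB = re.compile(r"from\s+(\S+)")

def parse_frames(text):
    """Return [(index, function, library-or-None)] for the crashing thread."""
    # Frames above the "[KCrash handler]" marker belong to the crash handler
    # itself; if the marker is absent, every frame is kept.
    start = text.find("[KCrash handler]")
    body = text[start:] if start >= 0 else text
    frames = []
    for line in body.splitlines():
        m = FRAME.match(line)
        lib = LIB.search(line)
        if m:
            frames.append([int(m.group(1)), m.group(2),
                           lib.group(1) if lib else None])
        elif lib and frames and frames[-1][2] is None:
            # gdb wraps "from <library>" onto the following line
            frames[-1][2] = lib.group(1)
    return [tuple(f) for f in frames]

def signature(text, depth=3):
    """Bucket key: the top `depth` symbolized function names, no addresses."""
    names = [fn for _, fn, _ in parse_frames(text) if fn != "??"]
    return " <- ".join(names[:depth])

if __name__ == "__main__":
    print(signature(SAMPLE))
```

Load addresses differ between builds and runs, so only the function names are compared; unsymbolized `??` frames are skipped for the same reason.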