Version: 3.5 (using KDE 3.5.0, Kubuntu Package 4:3.5.0-0ubuntu0breezy1 breezy)
Compiler:
Target: i486-linux-gnu
OS: Linux (i686) release 2.6.12-10-386

Konqueror crashes after you create a MutationEvent and check if it's really an event. Sometimes with a backtrace, but most of the time no backtrace, only the word "AlarmClock" on the command line. Including a backtrace and an XHTML test page; more info on how to reproduce is in the test page.

Regards
Fredrik Johansson
Created attachment 14178 [details] backtrace
Created attachment 14179 [details] Testpage with reproduce info
I couldn't get a valid backtrace, and konqueror won't crash under valgrind.
==9491== Invalid read of size 4
==9491==    at 0x6EA6964: khtml::Shared<DOM::DOMStringImpl>::deref() (shared.h:14)
==9491==    by 0x6EC300A: DOM::MutationEventImpl::~MutationEventImpl() (dom2_eventsimpl.cpp:811)
==9491==    by 0x6E4CCD6: khtml::Shared<DOM::EventImpl>::deref() (shared.h:16)
==9491==    by 0x7038401: DOM::Event::~Event() (dom2_events.cpp:68)
==9491==    by 0x6FF137B: KJS::DOMEvent::~DOMEvent() (kjs_events.cpp:308)
==9491==    by 0x6FF4766: KJS::DOMMutationEvent::~DOMMutationEvent() (kjs_events.cpp:846)
==9491==    by 0x7107B90: KJS::Collector::collect() (collector.cpp:222)
==9491==    by 0x7140A15: KJS::Interpreter::collect() (interpreter.cpp:336)
==9491==    by 0x6FDFB5B: KJS::KJSProxyImpl::clear() (kjs_proxy.cpp:225)
==9491==    by 0x6E6635E: KHTMLPart::clear() (khtml_part.cpp:1412)
==9491==    by 0x6E67FBD: KHTMLPart::~KHTMLPart() (khtml_part.cpp:506)
==9491==    by 0x407ED03: KonqView::~KonqView() (in /opt/kde3.4/lib/libkdeinit_konqueror.so)
==9491==  Address 0x6089B28 is 0 bytes inside a block of size 12 free'd
==9491==    at 0x401C1EB: operator delete(void*) (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==9491==    by 0x6EA6981: khtml::Shared<DOM::DOMStringImpl>::deref() (shared.h:16)
==9491==    by 0x70193FE: DOM::DOMString::~DOMString() (dom_string.cpp:71)
==9491==    by 0x6FF4FFC: KJS::DOMMutationEventProtoFunc::tryCall(KJS::ExecState*, KJS::Object&, KJS::List const&) (kjs_events.cpp:885)
==9491==    by 0x6F97230: KJS::DOMFunction::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (kjs_binding.cpp:114)
==9491==    by 0x713F9FD: KJS::Object::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (object.cpp:70)
==9491==    by 0x710ABBE: KJS::FunctionCallNode::evaluate(KJS::ExecState*) const (nodes.cpp:870)
==9491==    by 0x710F549: KJS::ExprStatementNode::execute(KJS::ExecState*) (nodes.cpp:1980)
==9491==    by 0x7114997: KJS::SourceElementsNode::execute(KJS::ExecState*) (nodes.cpp:3097)
==9491==    by 0x710F36E: KJS::BlockNode::execute(KJS::ExecState*) (nodes.cpp:1942)
==9491==    by 0x7139A5E: KJS::DeclaredFunctionImp::execute(KJS::ExecState*) (function.cpp:579)
==9491==    by 0x7138F65: KJS::FunctionImp::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (function.cpp:354)
SVN commit 495677 by orlovich: Fix obvious copy-paste error. Hmm, this file refs/derefs stuff in wrong order, so crashes are possible when init* is called twice. Fixes 119734, and near certainly 107686, but I don't have the time to test that one. BUG:119734 CCBUG:107686 M +2 -2 dom2_eventsimpl.cpp --- branches/KDE/3.5/kdelibs/khtml/xml/dom2_eventsimpl.cpp #495676:495677 @@ -794,8 +794,8 @@ if (m_newValue) m_newValue->ref(); m_attrName = attrNameArg.implementation(); - if (m_newValue) - m_newValue->ref(); + if (m_attrName) + m_attrName->ref(); m_attrChange = attrChangeArg; }
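Review bot: the removed lines ref m_newValue a second time and never ref m_attrName, so the DOMStringImpl stored in m_attrName is one ref short (freed when the caller's DOMString temporary in tryCall dies, then deref'd again in ~MutationEventImpl, which is exactly the invalid read valgrind reports above) while m_newValue is one ref over and leaks; the replacement lines are the right fix. What remains, as the commit message itself says, is the ordering: `m_attrName = attrNameArg.implementation();` overwrites whatever m_attrName already held without deref'ing it, so a second init* call leaks the previous string. The safe pattern is to ref the incoming implementation first, deref the old member, then assign, which also stays correct when the same string is passed twice.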
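To make the refcount arithmetic behind this thread concrete, here is an added illustration (not KDE code and not the committer's) that models khtml::Shared, DOMString and the two MutationEventImpl fields the hunk touches with an instrumented counter. The last deref() marks an object dead instead of deleting it, so the unbalanced extra deref() that valgrind reported as an invalid read is counted rather than executed. Class and function names (StringImpl, StringHandle, MutationEvent, simulate) and the "ref new, then deref old" ordering in init() are this model's assumptions; the KDE hunk only changes which field the second ref() applies to.

```cpp
// Added illustration (not KDE code): an instrumented refcount model of the
// init() copy-paste error fixed in r495677, with the corrected form beside it.
#include <cstdio>
#include <initializer_list>
#include <string>
#include <utility>

// Counters filled in by the model; the real code would crash instead of
// incrementing useAfterFree.
struct Stats { int freed = 0; int useAfterFree = 0; int leaked = 0; };
static Stats g_stats;

// Stand-in for khtml::Shared<DOMStringImpl>. On the last deref() the object
// is marked dead rather than deleted, so an unbalanced extra deref() (what
// valgrind reported as an invalid read in ~MutationEventImpl) is counted.
struct StringImpl {
    std::string text;
    int count = 0;
    bool dead = false;
    explicit StringImpl(std::string t) : text(std::move(t)) {}
    void ref() { ++count; }
    void deref() {
        if (dead) { ++g_stats.useAfterFree; return; }  // UB in the real code
        if (--count == 0) { dead = true; ++g_stats.freed; }
    }
};

// Stand-in for DOM::DOMString: an owning handle, like the temporaries that
// DOMMutationEventProtoFunc::tryCall builds from the JS arguments.
struct StringHandle {
    StringImpl* impl;
    explicit StringHandle(StringImpl* p) : impl(p) { if (impl) impl->ref(); }
    StringHandle(const StringHandle&) = delete;
    StringHandle& operator=(const StringHandle&) = delete;
    ~StringHandle() { if (impl) impl->deref(); }
    StringImpl* implementation() const { return impl; }
};

// Model of the two MutationEventImpl fields the hunk touches. The ordering
// (ref the new values, then deref the old ones) is this model's choice and
// is what makes a repeated init() safe; the KDE hunk only changes which
// field the second ref() applies to.
struct MutationEvent {
    StringImpl* m_newValue = nullptr;
    StringImpl* m_attrName = nullptr;
    bool fixed;
    explicit MutationEvent(bool useFixedInit) : fixed(useFixedInit) {}

    void init(const StringHandle& newValueArg, const StringHandle& attrNameArg) {
        StringImpl* newValue = newValueArg.implementation();
        StringImpl* attrName = attrNameArg.implementation();
        if (newValue) newValue->ref();
        if (fixed) { if (attrName) attrName->ref(); }      // r495677
        else       { if (newValue) newValue->ref(); }      // copy-paste bug
        if (m_newValue) m_newValue->deref();
        if (m_attrName) m_attrName->deref();
        m_newValue = newValue;
        m_attrName = attrName;
    }
    ~MutationEvent() {
        if (m_newValue) m_newValue->deref();
        if (m_attrName) m_attrName->deref();
    }
};

// Drives one event: caller-owned handles are created, init() is called
// initCalls times, the handles go out of scope (end of tryCall), and finally
// the event is destroyed (the JS collector). Returns the observed counters.
Stats simulate(bool fixedInit, int initCalls) {
    g_stats = Stats{};
    // Constructed sample strings; never deleted, since dead objects must stay
    // addressable for the counting to be safe.
    StringImpl* newValue = new StringImpl("new value");
    StringImpl* attrName = new StringImpl("class");
    {
        MutationEvent ev(fixedInit);
        {
            StringHandle nv(newValue), an(attrName);
            for (int i = 0; i < initCalls; ++i) ev.init(nv, an);
        }   // ~StringHandle: the frees valgrind attributed to ~DOMString
    }       // ~MutationEvent: the derefs valgrind flagged as invalid reads
    g_stats.leaked = (newValue->dead ? 0 : 1) + (attrName->dead ? 0 : 1);
    return g_stats;
}

int main() {
    for (bool fixed : {false, true}) {
        Stats s = simulate(fixed, 1);
        std::printf("%s: freed=%d useAfterFree=%d leaked=%d\n",
                    fixed ? "fixed" : "buggy", s.freed, s.useAfterFree, s.leaked);
    }
    return 0;
}
```

With a single init(), the buggy variant reproduces the shape of the valgrind report: the attribute-name string is freed when the caller's handle dies and deref'd once more from the event destructor, while the new-value string is never freed. The fixed variant frees both exactly once, and stays balanced when init() runs twice on the same strings.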