Version: 3.5.1 (using KDE KDE 3.5.1)
Installed from: Debian testing/unstable Packages
OS: Linux

Accessing an XMLHttpRequest's .responseXML when the response XML contains a script tag with a src attribute crashes Konqueror. Changing the tag or attribute name makes the crash go away. There is no difference between accessing the files locally or through a webserver.

To reproduce this, save crash.html and data.xml below in the same directory. Open crash.html and click on the link.
result: Konqueror crashes with SIGSEGV

Now rename the script tag in data.xml to scrript and click on the link.
result: Konqueror does not crash

--- start crash.html ---
<html>
<head>
<title>Konqueror Crash</title>
<script type="text/javascript">
<!--
function loadFile(url) {
    var connection = new XMLHttpRequest();
    // synchronous GET so responseXML is populated before the alert
    connection.open("GET", url, false);
    connection.setRequestHeader('Content-Type', 'text/xml');
    connection.send(null);
    // touching responseXML is what triggers the crash
    alert(connection.responseXML);
}
-->
</script>
</head>
<body>
<a href="javascript:loadFile('data.xml');">Crash Me</a>
</body>
</html>
--- end crash.html ---

--- start data.xml ---
<?xml version="1.0" encoding="UTF-8"?>
<result>
  <script src="Some_Random_Value" />
</result>
--- end data.xml ---

Backtrace:
(no debugging symbols found)
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(no debugging symbols found)
...
(no debugging symbols found)
[Thread debugging using libthread_db enabled]
[New Thread -1234483520 (LWP 13729)]
(no debugging symbols found)
...
(no debugging symbols found)
[KCrash handler]
#6  0xb5e509e9 in DOM::XMLAttributeReader::~XMLAttributeReader () from /usr/lib/libkhtml.so.4
#7  0xb5e54c3c in DOM::XMLAttributeReader::~XMLAttributeReader () from /usr/lib/libkhtml.so.4
#8  0xb5e36308 in KHTMLWalletQueue::~KHTMLWalletQueue () from /usr/lib/libkhtml.so.4
#9  0xb5fad059 in EmbedLiveConnect::call () from /usr/lib/libkhtml.so.4
#10 0xb5fad2ec in EmbedLiveConnect::call () from /usr/lib/libkhtml.so.4
#11 0xb5f742a6 in EmbedLiveConnect::EmbedLiveConnect () from /usr/lib/libkhtml.so.4
#12 0xb5cdf932 in KJS::Reference::getValue () from /usr/lib/libkjs.so.1
#13 0xb5cdfe82 in KJS::Reference::getValue () from /usr/lib/libkjs.so.1
#14 0xb5ce2c66 in KJS::FunctionImp::call () from /usr/lib/libkjs.so.1
#15 0xb5ce2d87 in KJS::FunctionImp::call () from /usr/lib/libkjs.so.1
#16 0xb5cf199a in KJS::UndefinedImp::toObject () from /usr/lib/libkjs.so.1
#17 0xb5cf3fff in KJS::UndefinedImp::toObject () from /usr/lib/libkjs.so.1
#18 0xb5cf8afd in KJS::UndefinedImp::toObject () from /usr/lib/libkjs.so.1
#19 0xb5cf3e5c in KJS::UndefinedImp::toObject () from /usr/lib/libkjs.so.1
#20 0xb5cf9b19 in KJS::DeclaredFunctionImp::execute () from /usr/lib/libkjs.so.1
#21 0xb5ce023d in KJS::FunctionImp::call () from /usr/lib/libkjs.so.1
#22 0xb5ce39a0 in KJS::Object::call () from /usr/lib/libkjs.so.1
#23 0xb5cf1cd2 in KJS::UndefinedImp::toObject () from /usr/lib/libkjs.so.1
#24 0xb5cf3fff in KJS::UndefinedImp::toObject () from /usr/lib/libkjs.so.1
#25 0xb5cf8a67 in KJS::UndefinedImp::toObject () from /usr/lib/libkjs.so.1
#26 0xb5cf3e5c in KJS::UndefinedImp::toObject () from /usr/lib/libkjs.so.1
#27 0xb5cf95b7 in KJS::UndefinedImp::toObject () from /usr/lib/libkjs.so.1
#28 0xb5cf9aca in KJS::Interpreter::evaluate () from /usr/lib/libkjs.so.1
#29 0xb5f968c9 in EmbedLiveConnect::toString () from /usr/lib/libkhtml.so.4
#30 0xb5e1ae3f in KHTMLPart::executeScript () from /usr/lib/libkhtml.so.4
#31 0xb5e1d86b in KHTMLPart::crossFrameExecuteScript () from /usr/lib/libkhtml.so.4
#32 0xb5e1fc6f in KHTMLPart::urlSelectedIntern () from /usr/lib/libkhtml.so.4
#33 0xb5e20a6d in KHTMLPart::urlSelected () from /usr/lib/libkhtml.so.4
#34 0xb5e7d860 in DOM::checkChild () from /usr/lib/libkhtml.so.4
#35 0xb5e5a457 in DOM::XMLAttributeReader::~XMLAttributeReader () from /usr/lib/libkhtml.so.4
#36 0xb5e5a862 in DOM::XMLAttributeReader::~XMLAttributeReader () from /usr/lib/libkhtml.so.4
#37 0xb5de48d8 in KHTMLView::dispatchMouseEvent () from /usr/lib/libkhtml.so.4
#38 0xb5dea10f in KHTMLView::viewportMouseReleaseEvent () from /usr/lib/libkhtml.so.4
#39 0xb6d921c5 in QScrollView::eventFilter () from /usr/lib/libqt-mt.so.3
#40 0xb5de2c79 in KHTMLView::eventFilter () from /usr/lib/libkhtml.so.4
#41 0xb6c55b52 in QObject::activate_filters () from /usr/lib/libqt-mt.so.3
#42 0xb6c55bdb in QObject::event () from /usr/lib/libqt-mt.so.3
#43 0xb6c93dcd in QWidget::event () from /usr/lib/libqt-mt.so.3
#44 0xb6bee698 in QApplication::internalNotify () from /usr/lib/libqt-mt.so.3
#45 0xb6beec6b in QApplication::notify () from /usr/lib/libqt-mt.so.3
#46 0xb7390d4e in KApplication::notify () from /usr/lib/libkdecore.so.4
#47 0xb6b7e653 in QApplication::sendSpontaneousEvent () from /usr/lib/libqt-mt.so.3
#48 0xb6b79ae4 in QETWidget::translateMouseEvent () from /usr/lib/libqt-mt.so.3
#49 0xb6b77dbe in QApplication::x11ProcessEvent () from /usr/lib/libqt-mt.so.3
#50 0xb6b918c0 in QEventLoop::processEvents () from /usr/lib/libqt-mt.so.3
#51 0xb6c06da2 in QEventLoop::enterLoop () from /usr/lib/libqt-mt.so.3
#52 0xb6c06ccb in QEventLoop::exec () from /usr/lib/libqt-mt.so.3
#53 0xb6bed225 in QApplication::exec () from /usr/lib/libqt-mt.so.3
#54 0xb7ecaf9c in kdemain () from /usr/lib/libkdeinit_konqueror.so
#55 0xb7bf1eb0 in __libc_start_main () from /lib/tls/i686/cmov/libc.so.6
#56 0x080483d1 in ?? ()
hmm, this suggests some bad stuff about namespace handling :-(
SVN commit 517910 by orlovich: Properly handle script namespace in XML parser BUG:123490 M +2 -2 xml_tokenizer.cpp --- branches/KDE/3.5/kdelibs/khtml/xml/xml_tokenizer.cpp #517909:517910 @@ -157,7 +157,7 @@ return false; } - if (newElement->id() == ID_SCRIPT) + if (newElement->id() == makeId(xhtmlNamespace, ID_SCRIPT)) static_cast<HTMLScriptElementImpl *>(newElement)->setCreatedByParser(true); //this is tricky. in general the node doesn't have to attach to the one it's in. as far @@ -491,7 +491,7 @@ // Recursively go through the entire document tree, looking for html <script> tags. For each of these // that is found, add it to the m_scripts list from which they will be executed - if (n->id() == ID_SCRIPT) { + if (n->id() == makeId(xhtmlNamespace, ID_SCRIPT)) { m_scripts.append(static_cast<HTMLScriptElementImpl*>(n)); }
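Review bot: in both hunks (the setCreatedByParser check near line 157 and the m_scripts collection near line 491) the comparison is tightened to makeId(xhtmlNamespace, ID_SCRIPT), but each is still followed by an unchecked static_cast<HTMLScriptElementImpl *>, so the fix only holds if the parser creates an HTMLScriptElementImpl for exactly the elements whose id now compares equal. The reproducer's data.xml declares no namespace at all, so which id its <script> receives decides the outcome: if it no longer matches, the element is simply skipped, but if a no-namespace <script> is built as a generic XML element while its id still compares equal, the cast is a type confusion and the segfault stays. Suggest guarding the cast on the node's concrete type (or deriving both the id and the element class from one namespace decision), and adding no-namespace and xmlns="" variants of the test page, since the commit message does not say which case was verified.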
hmm, wrong :-(. This sucks.
SVN commit 517915 by orlovich: Revert. Need to sort out the no namespace vs. xhtml namespace mess to fix this: CCBUG:123490 M +2 -2 xml_tokenizer.cpp --- branches/KDE/3.5/kdelibs/khtml/xml/xml_tokenizer.cpp #517914:517915 @@ -157,7 +157,7 @@ return false; } - if (newElement->id() == makeId(xhtmlNamespace, ID_SCRIPT)) + if (newElement->id() == ID_SCRIPT) static_cast<HTMLScriptElementImpl *>(newElement)->setCreatedByParser(true); //this is tricky. in general the node doesn't have to attach to the one it's in. as far @@ -491,7 +491,7 @@ // Recursively go through the entire document tree, looking for html <script> tags. For each of these // that is found, add it to the m_scripts list from which they will be executed - if (n->id() == makeId(xhtmlNamespace, ID_SCRIPT)) { + if (n->id() == ID_SCRIPT) { m_scripts.append(static_cast<HTMLScriptElementImpl*>(n)); }
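Review bot: restoring the bare ID_SCRIPT comparison in both hunks brings back the code the crash was reported against, an id-only match feeding static_cast<HTMLScriptElementImpl *>, so the reproducer is expected to segfault again until the no-namespace vs. xhtml-namespace question is settled. A narrow interim guard that verifies the node really is an HTMLScriptElementImpl before either cast would stop the crash without committing to a namespace policy; using CCBUG rather than BUG is correct here, since the report is not fixed by this revert.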
Konqueror 4.0.3 produces no crash. Bug appears to be fixed. I put an online copy of this for ease of testing: http://nixeagle.org/kdebugs/123490/crash.html - when the page opens, just click the link. You should get a popup, if not I presume you will get a lovely crash. Using Gentoo Linux ~x86 (testing in gentoo lingo). KDE 4.0.3 and the majority of packages compiled using gcc 4.3.0.
Cannot reproduce the crash on 3.5.9 AND konqueror trunk (revision 800924). The bug has been fixed :-)
No, it hasn't been. It just luckily doesn't crash.
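The previous comment separates "does not crash" from "is fixed": the question left open by the two commits above is whether an element named script that arrives with no namespace, as in the reporter's data.xml, should be identified with the XHTML script element at all. The following is an added example, not code from the bug report or from KDE/khtml. It models how an XML consumer should make that decision by comparing the (namespace URI, local name) pair, resolving xmlns scoping by hand on a constructed element tree (a real consumer would read namespaceURI and localName from the parsed DOM). The sample documents are constructed for the example; the XHTML and SVG namespace URIs are the standard ones. Beside the safe check it keeps the unsafe local-name-only check so the misclassified cases are visible: no namespace, a default namespace undeclared with xmlns="", and a prefixed SVG script.

```javascript
// Added example, not from the bug report or from khtml.
// Element identity in namespaced XML is (namespace URI, local name), not the
// bare tag name. The reporter's data.xml declares no namespace, so its <script>
// is not the XHTML script element and must not be treated (or cast) as one.

const XHTML_NS = 'http://www.w3.org/1999/xhtml';
const SVG_NS = 'http://www.w3.org/2000/svg';

// Minimal element model: { name, attrs, children }. 'name' may carry a prefix.
function el(name, attrs = {}, children = []) {
  return { name, attrs, children };
}

// Resolve an element's namespace from the xmlns declarations in scope.
// 'ancestors' runs from the root down to the parent. The innermost
// declaration wins, and xmlns="" puts unprefixed names back in no namespace.
function resolveName(element, ancestors) {
  const colon = element.name.indexOf(':');
  const prefix = colon === -1 ? null : element.name.slice(0, colon);
  const local = colon === -1 ? element.name : element.name.slice(colon + 1);
  const decl = prefix === null ? 'xmlns' : 'xmlns:' + prefix;
  const scope = ancestors.concat([element]);
  for (let i = scope.length - 1; i >= 0; i--) {
    if (Object.prototype.hasOwnProperty.call(scope[i].attrs, decl)) {
      const ns = scope[i].attrs[decl];
      return { ns: ns === '' ? null : ns, local };
    }
  }
  if (prefix !== null) {
    throw new Error('unbound namespace prefix: ' + prefix);
  }
  return { ns: null, local }; // unprefixed, no default namespace in scope
}

// Unsafe test, the shape of the original id-only comparison: local name alone.
function isScriptByTagName(element) {
  return element.name.slice(element.name.indexOf(':') + 1) === 'script';
}

// Safe test: namespace and local name together.
function isXhtmlScript(element, ancestors) {
  const { ns, local } = resolveName(element, ancestors);
  return ns === XHTML_NS && local === 'script';
}

// Walk a tree and report, per element in document order, what each test says
// and which namespace the element actually lives in.
function classify(root) {
  const out = [];
  const walk = (node, ancestors) => {
    const { ns } = resolveName(node, ancestors);
    out.push({
      name: node.name,
      ns,
      byTagName: isScriptByTagName(node),
      xhtmlScript: isXhtmlScript(node, ancestors),
    });
    for (const child of node.children) walk(child, ancestors.concat([node]));
  };
  walk(root, []);
  return out;
}

// Constructed sample documents (assumptions for this example, not from the page):
// 1. the reporter's data.xml shape: no namespace anywhere
const noNamespaceDoc = el('result', {}, [el('script', { src: 'Some_Random_Value' })]);
// 2. an XHTML document: here <script> really is the HTML script element
const xhtmlDoc = el('html', { xmlns: XHTML_NS }, [el('script', { src: 'x.js' })]);
// 3. default namespace undeclared on a child: the inner <script> is in no namespace again
const undeclaredDoc = el('html', { xmlns: XHTML_NS }, [
  el('data', { xmlns: '' }, [el('script')]),
]);
// 4. prefixed SVG script: local name 'script', but not XHTML
const svgDoc = el('root', { 'xmlns:s': SVG_NS }, [el('s:script')]);

for (const doc of [noNamespaceDoc, xhtmlDoc, undeclaredDoc, svgDoc]) {
  console.log(JSON.stringify(classify(doc)));
}
```

Run it with node; each line of output lists the elements of one document with both verdicts. Only the XHTML document's script element passes the safe test, while the local-name test flags all four. The lesson for the khtml code path is that whatever decides an element's id (and therefore whether it may be cast to HTMLScriptElementImpl) must come from the same namespace resolution that decides which concrete element class gets created; a generic no-namespace element must never reach the HTML script handling.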
Thank you for the report, Frederik. As it has been a while since this was reported, can you please test and confirm if this issue is still occurring or if this bug report can be marked as resolved. I have set the bug status to "needsinfo" pending your response, please change back to "reported" or "resolved/worksforme" when you respond, thank you.
Dear Bug Submitter, This bug has been in NEEDSINFO status with no change for at least 15 days. Please provide the requested information as soon as possible and set the bug status as REPORTED. Due to regular bug tracker maintenance, if the bug is still in NEEDSINFO status with no change in 30 days the bug will be closed as RESOLVED > WORKSFORME due to lack of needed information. For more information about our bug triaging procedures please read the wiki located here: https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging If you have already provided the requested information, please mark the bug as REPORTED so that the KDE team knows that the bug is ready to be confirmed. Thank you for helping us make KDE software even better for everyone!
This bug has been in NEEDSINFO status with no change for at least 30 days. The bug is now closed as RESOLVED > WORKSFORME due to lack of needed information. For more information about our bug triaging procedures please read the wiki located here: https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging Thank you for helping us make KDE software even better for everyone!