Bug 127025 - Konqueror crashes on ratp.fr in 64bit
Status: RESOLVED WORKSFORME
Alias: None
Product: konqueror
Classification: Applications
Component: khtml ecma
Version: unspecified
Platform: Debian testing Linux
Importance: NOR crash
Target Milestone: ---
Assignee: Konqueror Developers
URL:
Keywords:
Duplicates: 136909
Depends on:
Blocks:
 
Reported: 2006-05-09 17:43 UTC by Gonéri Le Bouder
Modified: 2009-08-23 18:13 UTC

See Also:
Latest Commit:
Version Fixed In:


Attachments
konqueror backtrace (6.93 KB, text/plain)
2006-05-09 17:43 UTC, Gonéri Le Bouder
backtrace 4.0.3 (4.94 KB, text/plain)
2008-04-20 13:24 UTC, Nic Gould
"crash on exit on ratp.fr" backtrace with debug info (konqueror-4.0.74) (1.44 KB, text/plain)
2008-05-22 16:02 UTC, Thierry Vignaud
backtrace with debug info with konqueror-4.0.74 (7.56 KB, text/plain)
2008-05-22 16:10 UTC, Thierry Vignaud

Description Gonéri Le Bouder 2006-05-09 17:43:04 UTC
Version:           3.5.2 (using KDE KDE 3.5.2)
Installed from:    Debian testing/unstable Packages
OS:                Linux

If I select a station in departure and then another station in destination, Konqueror crashes.
To see the list you have to select "Station" and type characters in the text box.

If I select destination station first it doesn't crash.

Regards,
Comment 1 Gonéri Le Bouder 2006-05-09 17:43:51 UTC
Created attachment 15989
konqueror backtrace
Comment 2 Tommi Tervo 2006-05-09 21:15:22 UTC
#11 0x4060cb48 in KListBox::slotSettingsChanged (this=0x87fe1a0, category=0)
    at klistbox.cpp:80
#12 0x4060cc81 in KListBox (this=0x87fe1a0, parent=0x8619e80, 
    name=0x420a364c "__khtml", f=0) at klistbox.cpp:37
#13 0x41f43826 in khtml::RenderSelect::createListBox (this=0x880b85c)
    at render_form.cpp:1203
#14 0x41f4399c in RenderSelect (this=0x880b85c, element=0x87fa708)
    at render_form.cpp:924
#15 0x41ecaf75 in DOM::HTMLSelectElementImpl::attach (this=0x87fa708)
    at html_formimpl.cpp:2277
#16 0x41e7d9c3 in DOM::NodeBaseImpl::appendChild (this=0x874cb78, 
    newChild=0x8513620, exceptioncode=@0xbfa8955c) at dom_nodeimpl.cpp:1288
#17 0x41eb302d in DOM::HTMLElementImpl::setInnerHTML (this=0x874cb78, 
    html=@0xbfa8991c, exceptioncode=@0xbfa8955c) at html_elementimpl.cpp:576
#18 0x420693f5 in DOM::HTMLElement::setInnerHTML (this=0xbfa89908, 
    html=@0xbfa8991c) at html_element.cpp:145
#19 0x41fd6814 in KJS::HTMLElement::putValueProperty (this=0x87d5d48, 
    exec=0xbfa89f5c, token=352, value=@0xbfa89bb8) at kjs_html.cpp:3103
#20 0x41ff3486 in KJS::DOMObjectLookupPut<KJS::HTMLElement, KJS::DOMElement> (
    exec=0xbfa89f5c, propertyName=@0xbfa89bcc, value=@0xbfa89bb8, attr=0, 
    table=0x4210422c, thisObj=0x87d5d48) at kjs_binding.h:245
Comment 3 Allan Sandfeld 2006-05-13 14:33:24 UTC
Valgrind output. While it didn't crash this time. Lots of stuff happened:

==345== Invalid read of size 4
==345==    at 0x6FD8E39: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:36)
==345==    by 0x71D04A1: DOM::Node::~Node() (dom_node.cpp:173)
==345==    by 0x7145171: KJS::DOMNode::~DOMNode() (kjs_dom.cpp:91)
==345==    by 0x7155EE7: KJS::DOMElement::~DOMElement() (kjs_dom.h:132)
==345==    by 0x7178F57: KJS::HTMLElement::~HTMLElement() (kjs_html.h:56)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
==345==    by 0x72C3C5F: KJS::Collector::allocate(unsigned) (collector.cpp:85)
==345==    by 0x72FD5DC: KJS::ValueImp::operator new(unsigned) (value.cpp:84)
==345==    by 0x72FDDF8: KJS::String::String(KJS::UString const&) (value.cpp:335)
==345==    by 0x72E33D0: KJS::StringProtoFuncImp::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (string_object.cpp:209)
==345==    by 0x7300478: KJS::Object::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (object.cpp:73)
==345==    by 0x73005F7: KJS::ObjectImp::defaultValue(KJS::ExecState*, KJS::Type) const (object.cpp:320)
==345==  Address 0x5795924 is 4 bytes inside a block of size 84 free'd
==345==    at 0x401D304: operator delete(void*) (vg_replace_malloc.c:246)
==345==    by 0x70839CF: DOM::HTMLSelectElementImpl::~HTMLSelectElementImpl() (html_formimpl.cpp:1984)
==345==    by 0x6FD8E5D: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:38)
==345==    by 0x7057DC5: DOM::EventImpl::~EventImpl() (dom2_eventsimpl.cpp:79)
==345==    by 0x705966B: DOM::UIEventImpl::~UIEventImpl() (dom2_eventsimpl.cpp:315)
==345==    by 0x70598AE: DOM::MouseEventImpl::~MouseEventImpl() (dom2_eventsimpl.cpp:403)
==345==    by 0x6FDA4F6: khtml::Shared<DOM::EventImpl>::deref() (shared.h:16)
==345==    by 0x71F7AD1: DOM::Event::~Event() (dom2_events.cpp:68)
==345==    by 0x71A8311: KJS::DOMEvent::~DOMEvent() (kjs_events.cpp:308)
==345==    by 0x71A9167: KJS::DOMUIEvent::~DOMUIEvent() (kjs_events.cpp:494)
==345==    by 0x71A9B97: KJS::DOMMouseEvent::~DOMMouseEvent() (kjs_events.cpp:589)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
==345==
==345== Invalid read of size 4
==345==    at 0x6FD8E46: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:37)
==345==    by 0x71D04A1: DOM::Node::~Node() (dom_node.cpp:173)
==345==    by 0x7145171: KJS::DOMNode::~DOMNode() (kjs_dom.cpp:91)
==345==    by 0x7155EE7: KJS::DOMElement::~DOMElement() (kjs_dom.h:132)
==345==    by 0x7178F57: KJS::HTMLElement::~HTMLElement() (kjs_html.h:56)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
==345==    by 0x72C3C5F: KJS::Collector::allocate(unsigned) (collector.cpp:85)
==345==    by 0x72FD5DC: KJS::ValueImp::operator new(unsigned) (value.cpp:84)
==345==    by 0x72FDDF8: KJS::String::String(KJS::UString const&) (value.cpp:335)
==345==    by 0x72E33D0: KJS::StringProtoFuncImp::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (string_object.cpp:209)
==345==    by 0x7300478: KJS::Object::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (object.cpp:73)
==345==    by 0x73005F7: KJS::ObjectImp::defaultValue(KJS::ExecState*, KJS::Type) const (object.cpp:320)
==345==  Address 0x5795928 is 8 bytes inside a block of size 84 free'd
==345==    at 0x401D304: operator delete(void*) (vg_replace_malloc.c:246)
==345==    by 0x70839CF: DOM::HTMLSelectElementImpl::~HTMLSelectElementImpl() (html_formimpl.cpp:1984)
==345==    by 0x6FD8E5D: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:38)
==345==    by 0x7057DC5: DOM::EventImpl::~EventImpl() (dom2_eventsimpl.cpp:79)
==345==    by 0x705966B: DOM::UIEventImpl::~UIEventImpl() (dom2_eventsimpl.cpp:315)
==345==    by 0x70598AE: DOM::MouseEventImpl::~MouseEventImpl() (dom2_eventsimpl.cpp:403)
==345==    by 0x6FDA4F6: khtml::Shared<DOM::EventImpl>::deref() (shared.h:16)
==345==    by 0x71F7AD1: DOM::Event::~Event() (dom2_events.cpp:68)
==345==    by 0x71A8311: KJS::DOMEvent::~DOMEvent() (kjs_events.cpp:308)
==345==    by 0x71A9167: KJS::DOMUIEvent::~DOMUIEvent() (kjs_events.cpp:494)
==345==    by 0x71A9B97: KJS::DOMMouseEvent::~DOMMouseEvent() (kjs_events.cpp:589)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
==345==
==345== Invalid read of size 4
==345==    at 0x6FD8E55: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:38)
==345==    by 0x71D04A1: DOM::Node::~Node() (dom_node.cpp:173)
==345==    by 0x7145171: KJS::DOMNode::~DOMNode() (kjs_dom.cpp:91)
==345==    by 0x7155EE7: KJS::DOMElement::~DOMElement() (kjs_dom.h:132)
==345==    by 0x7178F57: KJS::HTMLElement::~HTMLElement() (kjs_html.h:56)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
==345==    by 0x72C3C5F: KJS::Collector::allocate(unsigned) (collector.cpp:85)
==345==    by 0x72FD5DC: KJS::ValueImp::operator new(unsigned) (value.cpp:84)
==345==    by 0x72FDDF8: KJS::String::String(KJS::UString const&) (value.cpp:335)
==345==    by 0x72E33D0: KJS::StringProtoFuncImp::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (string_object.cpp:209)
==345==    by 0x7300478: KJS::Object::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (object.cpp:73)
==345==    by 0x73005F7: KJS::ObjectImp::defaultValue(KJS::ExecState*, KJS::Type) const (object.cpp:320)
==345==  Address 0x5795920 is 0 bytes inside a block of size 84 free'd
==345==    at 0x401D304: operator delete(void*) (vg_replace_malloc.c:246)
==345==    by 0x70839CF: DOM::HTMLSelectElementImpl::~HTMLSelectElementImpl() (html_formimpl.cpp:1984)
==345==    by 0x6FD8E5D: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:38)
==345==    by 0x7057DC5: DOM::EventImpl::~EventImpl() (dom2_eventsimpl.cpp:79)
==345==    by 0x705966B: DOM::UIEventImpl::~UIEventImpl() (dom2_eventsimpl.cpp:315)
==345==    by 0x70598AE: DOM::MouseEventImpl::~MouseEventImpl() (dom2_eventsimpl.cpp:403)
==345==    by 0x6FDA4F6: khtml::Shared<DOM::EventImpl>::deref() (shared.h:16)
==345==    by 0x71F7AD1: DOM::Event::~Event() (dom2_events.cpp:68)
==345==    by 0x71A8311: KJS::DOMEvent::~DOMEvent() (kjs_events.cpp:308)
==345==    by 0x71A9167: KJS::DOMUIEvent::~DOMUIEvent() (kjs_events.cpp:494)
==345==    by 0x71A9B97: KJS::DOMMouseEvent::~DOMMouseEvent() (kjs_events.cpp:589)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
==345==
==345== Invalid write of size 4
==345==    at 0x704269F: DOM::NodeImpl::~NodeImpl() (dom_nodeimpl.cpp:84)
==345==    by 0x6FD8E5D: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:38)
==345==    by 0x71D04A1: DOM::Node::~Node() (dom_node.cpp:173)
==345==    by 0x7145171: KJS::DOMNode::~DOMNode() (kjs_dom.cpp:91)
==345==    by 0x7155EE7: KJS::DOMElement::~DOMElement() (kjs_dom.h:132)
==345==    by 0x7178F57: KJS::HTMLElement::~HTMLElement() (kjs_html.h:56)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
==345==    by 0x72C3C5F: KJS::Collector::allocate(unsigned) (collector.cpp:85)
==345==    by 0x72FD5DC: KJS::ValueImp::operator new(unsigned) (value.cpp:84)
==345==    by 0x72FDDF8: KJS::String::String(KJS::UString const&) (value.cpp:335)
==345==    by 0x72E33D0: KJS::StringProtoFuncImp::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (string_object.cpp:209)
==345==    by 0x7300478: KJS::Object::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (object.cpp:73)
==345==  Address 0x5795920 is 0 bytes inside a block of size 84 free'd
==345==    at 0x401D304: operator delete(void*) (vg_replace_malloc.c:246)
==345==    by 0x70839CF: DOM::HTMLSelectElementImpl::~HTMLSelectElementImpl() (html_formimpl.cpp:1984)
==345==    by 0x6FD8E5D: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:38)
==345==    by 0x7057DC5: DOM::EventImpl::~EventImpl() (dom2_eventsimpl.cpp:79)
==345==    by 0x705966B: DOM::UIEventImpl::~UIEventImpl() (dom2_eventsimpl.cpp:315)
==345==    by 0x70598AE: DOM::MouseEventImpl::~MouseEventImpl() (dom2_eventsimpl.cpp:403)
==345==    by 0x6FDA4F6: khtml::Shared<DOM::EventImpl>::deref() (shared.h:16)
==345==    by 0x71F7AD1: DOM::Event::~Event() (dom2_events.cpp:68)
==345==    by 0x71A8311: KJS::DOMEvent::~DOMEvent() (kjs_events.cpp:308)
==345==    by 0x71A9167: KJS::DOMUIEvent::~DOMUIEvent() (kjs_events.cpp:494)
==345==    by 0x71A9B97: KJS::DOMMouseEvent::~DOMMouseEvent() (kjs_events.cpp:589)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
==345==
==345== Invalid read of size 4
==345==    at 0x70426A1: DOM::NodeImpl::~NodeImpl() (dom_nodeimpl.cpp:86)
==345==    by 0x6FD8E5D: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:38)
==345==    by 0x71D04A1: DOM::Node::~Node() (dom_node.cpp:173)
==345==    by 0x7145171: KJS::DOMNode::~DOMNode() (kjs_dom.cpp:91)
==345==    by 0x7155EE7: KJS::DOMElement::~DOMElement() (kjs_dom.h:132)
==345==    by 0x7178F57: KJS::HTMLElement::~HTMLElement() (kjs_html.h:56)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
==345==    by 0x72C3C5F: KJS::Collector::allocate(unsigned) (collector.cpp:85)
==345==    by 0x72FD5DC: KJS::ValueImp::operator new(unsigned) (value.cpp:84)
==345==    by 0x72FDDF8: KJS::String::String(KJS::UString const&) (value.cpp:335)
==345==    by 0x72E33D0: KJS::StringProtoFuncImp::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (string_object.cpp:209)
==345==    by 0x7300478: KJS::Object::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (object.cpp:73)
==345==  Address 0x5795938 is 24 bytes inside a block of size 84 free'd
==345==    at 0x401D304: operator delete(void*) (vg_replace_malloc.c:246)
==345==    by 0x70839CF: DOM::HTMLSelectElementImpl::~HTMLSelectElementImpl() (html_formimpl.cpp:1984)
==345==    by 0x6FD8E5D: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:38)
==345==    by 0x7057DC5: DOM::EventImpl::~EventImpl() (dom2_eventsimpl.cpp:79)
==345==    by 0x705966B: DOM::UIEventImpl::~UIEventImpl() (dom2_eventsimpl.cpp:315)
==345==    by 0x70598AE: DOM::MouseEventImpl::~MouseEventImpl() (dom2_eventsimpl.cpp:403)
==345==    by 0x6FDA4F6: khtml::Shared<DOM::EventImpl>::deref() (shared.h:16)
==345==    by 0x71F7AD1: DOM::Event::~Event() (dom2_events.cpp:68)
==345==    by 0x71A8311: KJS::DOMEvent::~DOMEvent() (kjs_events.cpp:308)
==345==    by 0x71A9167: KJS::DOMUIEvent::~DOMUIEvent() (kjs_events.cpp:494)
==345==    by 0x71A9B97: KJS::DOMMouseEvent::~DOMMouseEvent() (kjs_events.cpp:589)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
==345==
==345== Invalid read of size 4
==345==    at 0x70426B0: DOM::NodeImpl::~NodeImpl() (dom_nodeimpl.cpp:88)
==345==    by 0x6FD8E5D: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:38)
==345==    by 0x71D04A1: DOM::Node::~Node() (dom_node.cpp:173)
==345==    by 0x7145171: KJS::DOMNode::~DOMNode() (kjs_dom.cpp:91)
==345==    by 0x7155EE7: KJS::DOMElement::~DOMElement() (kjs_dom.h:132)
==345==    by 0x7178F57: KJS::HTMLElement::~HTMLElement() (kjs_html.h:56)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
==345==    by 0x72C3C5F: KJS::Collector::allocate(unsigned) (collector.cpp:85)
==345==    by 0x72FD5DC: KJS::ValueImp::operator new(unsigned) (value.cpp:84)
==345==    by 0x72FDDF8: KJS::String::String(KJS::UString const&) (value.cpp:335)
==345==    by 0x72E33D0: KJS::StringProtoFuncImp::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (string_object.cpp:209)
==345==    by 0x7300478: KJS::Object::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (object.cpp:73)
==345==  Address 0x579592C is 12 bytes inside a block of size 84 free'd
==345==    at 0x401D304: operator delete(void*) (vg_replace_malloc.c:246)
==345==    by 0x70839CF: DOM::HTMLSelectElementImpl::~HTMLSelectElementImpl() (html_formimpl.cpp:1984)
==345==    by 0x6FD8E5D: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:38)
==345==    by 0x7057DC5: DOM::EventImpl::~EventImpl() (dom2_eventsimpl.cpp:79)
==345==    by 0x705966B: DOM::UIEventImpl::~UIEventImpl() (dom2_eventsimpl.cpp:315)
==345==    by 0x70598AE: DOM::MouseEventImpl::~MouseEventImpl() (dom2_eventsimpl.cpp:403)
==345==    by 0x6FDA4F6: khtml::Shared<DOM::EventImpl>::deref() (shared.h:16)
==345==    by 0x71F7AD1: DOM::Event::~Event() (dom2_events.cpp:68)
==345==    by 0x71A8311: KJS::DOMEvent::~DOMEvent() (kjs_events.cpp:308)
==345==    by 0x71A9167: KJS::DOMUIEvent::~DOMUIEvent() (kjs_events.cpp:494)
==345==    by 0x71A9B97: KJS::DOMMouseEvent::~DOMMouseEvent() (kjs_events.cpp:589)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
==345==
==345== Invalid read of size 4
==345==    at 0x70426BF: DOM::NodeImpl::~NodeImpl() (dom_nodeimpl.cpp:90)
==345==    by 0x6FD8E5D: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:38)
==345==    by 0x71D04A1: DOM::Node::~Node() (dom_node.cpp:173)
==345==    by 0x7145171: KJS::DOMNode::~DOMNode() (kjs_dom.cpp:91)
==345==    by 0x7155EE7: KJS::DOMElement::~DOMElement() (kjs_dom.h:132)
==345==    by 0x7178F57: KJS::HTMLElement::~HTMLElement() (kjs_html.h:56)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
==345==    by 0x72C3C5F: KJS::Collector::allocate(unsigned) (collector.cpp:85)
==345==    by 0x72FD5DC: KJS::ValueImp::operator new(unsigned) (value.cpp:84)
==345==    by 0x72FDDF8: KJS::String::String(KJS::UString const&) (value.cpp:335)
==345==    by 0x72E33D0: KJS::StringProtoFuncImp::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (string_object.cpp:209)
==345==    by 0x7300478: KJS::Object::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (object.cpp:73)
==345==  Address 0x5795930 is 16 bytes inside a block of size 84 free'd
==345==    at 0x401D304: operator delete(void*) (vg_replace_malloc.c:246)
==345==    by 0x70839CF: DOM::HTMLSelectElementImpl::~HTMLSelectElementImpl() (html_formimpl.cpp:1984)
==345==    by 0x6FD8E5D: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:38)
==345==    by 0x7057DC5: DOM::EventImpl::~EventImpl() (dom2_eventsimpl.cpp:79)
==345==    by 0x705966B: DOM::UIEventImpl::~UIEventImpl() (dom2_eventsimpl.cpp:315)
==345==    by 0x70598AE: DOM::MouseEventImpl::~MouseEventImpl() (dom2_eventsimpl.cpp:403)
==345==    by 0x6FDA4F6: khtml::Shared<DOM::EventImpl>::deref() (shared.h:16)
==345==    by 0x71F7AD1: DOM::Event::~Event() (dom2_events.cpp:68)
==345==    by 0x71A8311: KJS::DOMEvent::~DOMEvent() (kjs_events.cpp:308)
==345==    by 0x71A9167: KJS::DOMUIEvent::~DOMUIEvent() (kjs_events.cpp:494)
==345==    by 0x71A9B97: KJS::DOMMouseEvent::~DOMMouseEvent() (kjs_events.cpp:589)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
==345==
==345== More than 100 errors detected.  Subsequent errors
==345== will still be recorded, but in less detail than before.
==345==
==345== Invalid read of size 4
==345==    at 0x70426D6: DOM::NodeImpl::~NodeImpl() (dom_nodeimpl.cpp:92)
==345==    by 0x6FD8E5D: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:38)
==345==    by 0x71D04A1: DOM::Node::~Node() (dom_node.cpp:173)
==345==    by 0x7145171: KJS::DOMNode::~DOMNode() (kjs_dom.cpp:91)
==345==    by 0x7155EE7: KJS::DOMElement::~DOMElement() (kjs_dom.h:132)
==345==    by 0x7178F57: KJS::HTMLElement::~HTMLElement() (kjs_html.h:56)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
==345==    by 0x72C3C5F: KJS::Collector::allocate(unsigned) (collector.cpp:85)
==345==    by 0x72FD5DC: KJS::ValueImp::operator new(unsigned) (value.cpp:84)
==345==    by 0x72FDDF8: KJS::String::String(KJS::UString const&) (value.cpp:335)
==345==    by 0x72E33D0: KJS::StringProtoFuncImp::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (string_object.cpp:209)
==345==    by 0x7300478: KJS::Object::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (object.cpp:73)
==345==  Address 0x5795934 is 20 bytes inside a block of size 84 free'd
==345==    at 0x401D304: operator delete(void*) (vg_replace_malloc.c:246)
==345==    by 0x70839CF: DOM::HTMLSelectElementImpl::~HTMLSelectElementImpl() (html_formimpl.cpp:1984)
==345==    by 0x6FD8E5D: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:38)
==345==    by 0x7057DC5: DOM::EventImpl::~EventImpl() (dom2_eventsimpl.cpp:79)
==345==    by 0x705966B: DOM::UIEventImpl::~UIEventImpl() (dom2_eventsimpl.cpp:315)
==345==    by 0x70598AE: DOM::MouseEventImpl::~MouseEventImpl() (dom2_eventsimpl.cpp:403)
==345==    by 0x6FDA4F6: khtml::Shared<DOM::EventImpl>::deref() (shared.h:16)
==345==    by 0x71F7AD1: DOM::Event::~Event() (dom2_events.cpp:68)
==345==    by 0x71A8311: KJS::DOMEvent::~DOMEvent() (kjs_events.cpp:308)
==345==    by 0x71A9167: KJS::DOMUIEvent::~DOMUIEvent() (kjs_events.cpp:494)
==345==    by 0x71A9B97: KJS::DOMMouseEvent::~DOMMouseEvent() (kjs_events.cpp:589)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
==345==
==345== Invalid read of size 4
==345==    at 0x704264D: DOM::RegisteredListenerList::~RegisteredListenerList() (dom_nodeimpl.cpp:2031)
==345==    by 0x70426F7: DOM::NodeImpl::~NodeImpl() (dom_nodeimpl.cpp:94)
==345==    by 0x6FD8E5D: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:38)
==345==    by 0x71D04A1: DOM::Node::~Node() (dom_node.cpp:173)
==345==    by 0x7145171: KJS::DOMNode::~DOMNode() (kjs_dom.cpp:91)
==345==    by 0x7155EE7: KJS::DOMElement::~DOMElement() (kjs_dom.h:132)
==345==    by 0x7178F57: KJS::HTMLElement::~HTMLElement() (kjs_html.h:56)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
==345==    by 0x72C3C5F: KJS::Collector::allocate(unsigned) (collector.cpp:85)
==345==    by 0x72FD5DC: KJS::ValueImp::operator new(unsigned) (value.cpp:84)
==345==    by 0x72FDDF8: KJS::String::String(KJS::UString const&) (value.cpp:335)
==345==    by 0x72E33D0: KJS::StringProtoFuncImp::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (string_object.cpp:209)
==345==  Address 0x579593C is 28 bytes inside a block of size 84 free'd
==345==    at 0x401D304: operator delete(void*) (vg_replace_malloc.c:246)
==345==    by 0x70839CF: DOM::HTMLSelectElementImpl::~HTMLSelectElementImpl() (html_formimpl.cpp:1984)
==345==    by 0x6FD8E5D: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:38)
==345==    by 0x7057DC5: DOM::EventImpl::~EventImpl() (dom2_eventsimpl.cpp:79)
==345==    by 0x705966B: DOM::UIEventImpl::~UIEventImpl() (dom2_eventsimpl.cpp:315)
==345==    by 0x70598AE: DOM::MouseEventImpl::~MouseEventImpl() (dom2_eventsimpl.cpp:403)
==345==    by 0x6FDA4F6: khtml::Shared<DOM::EventImpl>::deref() (shared.h:16)
==345==    by 0x71F7AD1: DOM::Event::~Event() (dom2_events.cpp:68)
==345==    by 0x71A8311: KJS::DOMEvent::~DOMEvent() (kjs_events.cpp:308)
==345==    by 0x71A9167: KJS::DOMUIEvent::~DOMUIEvent() (kjs_events.cpp:494)
==345==    by 0x71A9B97: KJS::DOMMouseEvent::~DOMMouseEvent() (kjs_events.cpp:589)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
==345==
==345== Invalid write of size 4
==345==    at 0x7042663: DOM::RegisteredListenerList::~RegisteredListenerList() (dom_nodeimpl.cpp:2031)
==345==    by 0x70426F7: DOM::NodeImpl::~NodeImpl() (dom_nodeimpl.cpp:94)
==345==    by 0x6FD8E5D: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:38)
==345==    by 0x71D04A1: DOM::Node::~Node() (dom_node.cpp:173)
==345==    by 0x7145171: KJS::DOMNode::~DOMNode() (kjs_dom.cpp:91)
==345==    by 0x7155EE7: KJS::DOMElement::~DOMElement() (kjs_dom.h:132)
==345==    by 0x7178F57: KJS::HTMLElement::~HTMLElement() (kjs_html.h:56)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
==345==    by 0x72C3C5F: KJS::Collector::allocate(unsigned) (collector.cpp:85)
==345==    by 0x72FD5DC: KJS::ValueImp::operator new(unsigned) (value.cpp:84)
==345==    by 0x72FDDF8: KJS::String::String(KJS::UString const&) (value.cpp:335)
==345==    by 0x72E33D0: KJS::StringProtoFuncImp::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (string_object.cpp:209)
==345==  Address 0x579593C is 28 bytes inside a block of size 84 free'd
==345==    at 0x401D304: operator delete(void*) (vg_replace_malloc.c:246)
==345==    by 0x70839CF: DOM::HTMLSelectElementImpl::~HTMLSelectElementImpl() (html_formimpl.cpp:1984)
==345==    by 0x6FD8E5D: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:38)
==345==    by 0x7057DC5: DOM::EventImpl::~EventImpl() (dom2_eventsimpl.cpp:79)
==345==    by 0x705966B: DOM::UIEventImpl::~UIEventImpl() (dom2_eventsimpl.cpp:315)
==345==    by 0x70598AE: DOM::MouseEventImpl::~MouseEventImpl() (dom2_eventsimpl.cpp:403)
==345==    by 0x6FDA4F6: khtml::Shared<DOM::EventImpl>::deref() (shared.h:16)
==345==    by 0x71F7AD1: DOM::Event::~Event() (dom2_events.cpp:68)
==345==    by 0x71A8311: KJS::DOMEvent::~DOMEvent() (kjs_events.cpp:308)
==345==    by 0x71A9167: KJS::DOMUIEvent::~DOMUIEvent() (kjs_events.cpp:494)
==345==    by 0x71A9B97: KJS::DOMMouseEvent::~DOMMouseEvent() (kjs_events.cpp:589)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
==345==
==345== Invalid free() / delete / delete[]
==345==    at 0x401D304: operator delete(void*) (vg_replace_malloc.c:246)
==345==    by 0x704270A: DOM::NodeImpl::~NodeImpl() (dom_nodeimpl.cpp:94)
==345==    by 0x6FD8E5D: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:38)
==345==    by 0x71D04A1: DOM::Node::~Node() (dom_node.cpp:173)
==345==    by 0x7145171: KJS::DOMNode::~DOMNode() (kjs_dom.cpp:91)
==345==    by 0x7155EE7: KJS::DOMElement::~DOMElement() (kjs_dom.h:132)
==345==    by 0x7178F57: KJS::HTMLElement::~HTMLElement() (kjs_html.h:56)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
==345==    by 0x72C3C5F: KJS::Collector::allocate(unsigned) (collector.cpp:85)
==345==    by 0x72FD5DC: KJS::ValueImp::operator new(unsigned) (value.cpp:84)
==345==    by 0x72FDDF8: KJS::String::String(KJS::UString const&) (value.cpp:335)
==345==    by 0x72E33D0: KJS::StringProtoFuncImp::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (string_object.cpp:209)
==345==  Address 0x5795920 is 0 bytes inside a block of size 84 free'd
==345==    at 0x401D304: operator delete(void*) (vg_replace_malloc.c:246)
==345==    by 0x70839CF: DOM::HTMLSelectElementImpl::~HTMLSelectElementImpl() (html_formimpl.cpp:1984)
==345==    by 0x6FD8E5D: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:38)
==345==    by 0x7057DC5: DOM::EventImpl::~EventImpl() (dom2_eventsimpl.cpp:79)
==345==    by 0x705966B: DOM::UIEventImpl::~UIEventImpl() (dom2_eventsimpl.cpp:315)
==345==    by 0x70598AE: DOM::MouseEventImpl::~MouseEventImpl() (dom2_eventsimpl.cpp:403)
==345==    by 0x6FDA4F6: khtml::Shared<DOM::EventImpl>::deref() (shared.h:16)
==345==    by 0x71F7AD1: DOM::Event::~Event() (dom2_events.cpp:68)
==345==    by 0x71A8311: KJS::DOMEvent::~DOMEvent() (kjs_events.cpp:308)
==345==    by 0x71A9167: KJS::DOMUIEvent::~DOMUIEvent() (kjs_events.cpp:494)
==345==    by 0x71A9B97: KJS::DOMMouseEvent::~DOMMouseEvent() (kjs_events.cpp:589)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
Comment 4 Allan Sandfeld 2006-05-13 14:38:22 UTC
Seems it starts going wrong in the garbage collector each time.
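
Added example (not part of the original report or of KDE's code): a small memcheck triage script that groups the "Invalid read/write/free" records of a log like the one in comment 3 by the freed block they touch, so it is visible at a glance that every error hits the same 84-byte block, which code freed it, and that the late accesses come from the garbage collector. The sample input is trimmed from the log above (stacks cut to the relevant frames); the function and field names are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Sample trimmed from the memcheck log in comment 3; stacks shortened.
SAMPLE = """\
==345== Invalid read of size 4
==345==    at 0x6FD8E39: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:36)
==345==    by 0x71D04A1: DOM::Node::~Node() (dom_node.cpp:173)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
==345==  Address 0x5795924 is 4 bytes inside a block of size 84 free'd
==345==    at 0x401D304: operator delete(void*) (vg_replace_malloc.c:246)
==345==    by 0x70839CF: DOM::HTMLSelectElementImpl::~HTMLSelectElementImpl() (html_formimpl.cpp:1984)
==345==    by 0x6FD8E5D: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:38)
==345==
==345== Invalid write of size 4
==345==    at 0x704269F: DOM::NodeImpl::~NodeImpl() (dom_nodeimpl.cpp:84)
==345==    by 0x6FD8E5D: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:38)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
==345==  Address 0x5795920 is 0 bytes inside a block of size 84 free'd
==345==    at 0x401D304: operator delete(void*) (vg_replace_malloc.c:246)
==345==    by 0x70839CF: DOM::HTMLSelectElementImpl::~HTMLSelectElementImpl() (html_formimpl.cpp:1984)
==345==
==345== More than 100 errors detected.  Subsequent errors
==345== will still be recorded, but in less detail than before.
==345==
==345== Invalid free() / delete / delete[]
==345==    at 0x401D304: operator delete(void*) (vg_replace_malloc.c:246)
==345==    by 0x704270A: DOM::NodeImpl::~NodeImpl() (dom_nodeimpl.cpp:94)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
==345==  Address 0x5795920 is 0 bytes inside a block of size 84 free'd
==345==    at 0x401D304: operator delete(void*) (vg_replace_malloc.c:246)
==345==    by 0x70839CF: DOM::HTMLSelectElementImpl::~HTMLSelectElementImpl() (html_formimpl.cpp:1984)
"""

PREFIX = re.compile(r"^==\d+==\s?(.*)$")
FRAME = re.compile(r"^\s*(?:at|by) 0x[0-9A-Fa-f]+: (.+?) \(([^()]+)\)$")
ADDR = re.compile(r"^\s*Address 0x([0-9A-Fa-f]+) is (\d+) bytes inside "
                  r"a block of size (\d+) free'd$")


@dataclass
class MemError:
    kind: str
    access_stack: list = field(default_factory=list)  # where the bad access happened
    free_stack: list = field(default_factory=list)    # where the block was freed
    block_base: int = None
    offset: int = None
    block_size: int = None


def parse_memcheck(text):
    """Split memcheck output into one MemError per 'Invalid ...' record."""
    errors, cur = [], None
    for raw in text.splitlines():
        m = PREFIX.match(raw)
        if not m:
            continue
        line = m.group(1)
        if line.startswith("Invalid "):
            cur = MemError(kind=line.strip())
            errors.append(cur)
        elif not line.strip():
            cur = None                      # blank "==PID==" line ends a record
        elif cur is not None:
            a, f = ADDR.match(line), FRAME.match(line)
            if a:
                cur.offset, cur.block_size = int(a.group(2)), int(a.group(3))
                cur.block_base = int(a.group(1), 16) - cur.offset
            elif f:
                # Frames after the "Address ..." line belong to the free stack.
                stack = cur.free_stack if cur.block_base is not None else cur.access_stack
                stack.append((f.group(1), f.group(2)))
    return errors


def first_app_frame(stack):
    """First frame that is not valgrind's allocator shim."""
    for func, loc in stack:
        if not loc.startswith("vg_replace_malloc"):
            return func
    return None


def group_by_block(errors):
    """Collapse errors that touch the same freed block into one summary."""
    blocks = {}
    for e in errors:
        if e.block_base is None:
            continue
        b = blocks.setdefault(e.block_base, {
            "size": e.block_size, "kinds": Counter(), "offsets": set(),
            "freed_by": first_app_frame(e.free_stack),
            "double_free": False, "in_gc": False})
        b["kinds"][e.kind] += 1
        b["offsets"].add(e.offset)
        b["double_free"] |= e.kind.startswith("Invalid free")
        b["in_gc"] |= any(fn == "KJS::Collector::collect()" for fn, _ in e.access_stack)
    return blocks


if __name__ == "__main__":
    for base, b in group_by_block(parse_memcheck(SAMPLE)).items():
        print(hex(base), b["size"], sorted(b["offsets"]), b["freed_by"],
              "double free" if b["double_free"] else "", dict(b["kinds"]))
```
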
Comment 5 Tommi Tervo 2006-11-10 15:34:41 UTC
*** Bug 136909 has been marked as a duplicate of this bug. ***
Comment 6 Thierry Vignaud 2006-11-10 19:31:08 UTC
This may be related to focus issues. I've seen that with both firefox and konqueror, sometimes one may have to click quite a lot of times in order to get the focus in the right textbox.
Maybe some javascript is playing with the focus...
Comment 7 Nic Gould 2008-04-20 13:24:46 UTC
Created attachment 24439
backtrace 4.0.3

Tested in 4.0.3 and bug still exists, Konq crashed after selecting a departure
station then an arrival station.
Comment 8 Thierry Vignaud 2008-05-22 16:02:22 UTC
Created attachment 24890
"crash on exit on ratp.fr" backtrace with debug info (konqueror-4.0.74)

(real trace after at #5, after drKonki's "pollution")
Comment 9 Thierry Vignaud 2008-05-22 16:10:06 UTC
Created attachment 24891
backtrace with debug info with konqueror-4.0.74

Oops, the previous trace was a crash on exit on http://ratp.fr.
This one is the real backtrace with _debug_ info.
Comment 10 Thierry Vignaud 2008-05-22 16:27:45 UTC
This bug was reproduced with KDE 3.5.1, 3.5.5, 4.0.3 and 4.0.74.

Note that sometimes, it won't instantaneously crash in JS.
It will then crash on exiting konqueror (see Bug #162474).
Comment 11 Thierry Vignaud 2008-05-22 16:35:27 UTC
For the record, 3.5.9 is also affected.
Comment 12 A. Spehr 2008-05-23 09:46:20 UTC
 4.00.80 (KDE 4.0.80 >= (KDE 4.1 Beta1) or svn trunk r811446

seems to have finally fixed this problem, yay! 
Comment 13 Thierry Vignaud 2008-08-07 08:58:03 UTC
No it doesn't.
It still crashes as of kde-4.1.00.
See attached trace
Comment 14 Thierry Vignaud 2008-08-07 09:02:59 UTC
Please reopen this bug which was opened at kde-3.5.x time and
is still valid and don't close it until a commit fixes it.
Thanks.
Comment 15 Thierry Vignaud 2008-08-07 09:04:20 UTC
I got hit by bugs.kde.org showing another bug report after editing current one and so attachment got attached to the wrong bug report.
See attachment #26709:
https://bugs.kde.org/attachment.cgi?id=26709&action=edit
Comment 16 Thierry Vignaud 2008-08-07 09:05:22 UTC
Here's attachment's log:

GDB trace of konqueror-4.1.00 crashing on ratp.fr 
 
In order to reproduce, just: 
- start konqueror 
- open http://ratp.fr 
- type "chate" in first text zone & choose any of the 
  completion choices 
- type "cach" in the second text zone & the completion 
  will make konqueror crash 
Comment 17 A. Spehr 2008-08-07 13:00:51 UTC
Ok, this does crash, but only in 64bit. Not in 32bit. I'm running 4.1.60 atm, 32bit compiled, and no crash. Others running in 64bit report crashes. One of them kindly provided this bt:


Application: Konqueror (konqueror), signal SIGSEGV
[Thread debugging using libthread_db enabled]
0x0000003e450a63c1 in nanosleep () from /lib64/libc.so.6
[Current thread is 1 (Thread 0x7f9504c1a800 (LWP 13200))]
 
Thread 1 (Thread 0x7f9504c1a800 (LWP 13200)):
[KCrash Handler]
#5  0x00007f94fae14e22 in ~DOMNode (this=0x7f94f847d8c0) at /home/madcat/mandriva/sources/kdelibs/khtml/misc/shared.h:65
#6  0x00007f94fa7df86a in KJS::Collector::collect () at /home/madcat/mandriva/sources/kdelibs/kjs/collector.cpp:714
#7  0x00007f94fa7dfd3d in KJS::Collector::allocate (s=16) at /home/madcat/mandriva/sources/kdelibs/kjs/collector.cpp:326
#8  0x00007f94fa814ffe in KJS::jsOwnedString (s=@0x21cf690) at /home/madcat/mandriva/sources/kdelibs/kjs/value.cpp:197
#9  0x00007f94fa82de48 in KJS::Machine::runBlock (exec=0x7fff0e6bdcd0, codeBlock=<value optimized out>, parentExec=0x7fff0e6be5d0) at codes.def:833
#10 0x00007f94fa8103fa in KJS::FunctionImp::callAsFunction (this=0x7f94f85a8800, exec=0x7fff0e6be5d0, thisObj=<value optimized out>, args=@0x7fff0e6be550)
    at /home/madcat/mandriva/sources/kdelibs/kjs/function.cpp:143
#11 0x00007f94fa81754c in KJS::JSObject::call (this=0x7f94f85a8800, exec=0x7fff0e6be5d0, thisObj=0x7f94f85b0180, args=@0x7fff0e6be550) at /home/madcat/mandriva/sources/kdelibs/kjs/object.cpp:99
#12 0x00007f94fa8336f9 in KJS::Machine::runBlock (exec=0x7fff0e6be5d0, codeBlock=<value optimized out>, parentExec=0x183c500) at codes.def:1206
#13 0x00007f94fa8103fa in KJS::FunctionImp::callAsFunction (this=0x7f94f847d340, exec=0x183c500, thisObj=<value optimized out>, args=@0x7fff0e6be810)
    at /home/madcat/mandriva/sources/kdelibs/kjs/function.cpp:143
#14 0x00007f94fa81754c in KJS::JSObject::call (this=0x7f94f847d340, exec=0x183c500, thisObj=0x7f94f85aa880, args=@0x7fff0e6be810) at /home/madcat/mandriva/sources/kdelibs/kjs/object.cpp:99
#15 0x00007f94fae7d635 in KJS::JSEventListener::handleEvent (this=0x1ab9bb0, evt=@0x7fff0e6be890) at /home/madcat/mandriva/sources/kdelibs/khtml/ecma/kjs_events.cpp:106
#16 0x00007f94fac88cfb in DOM::NodeImpl::handleLocalEvents (this=<value optimized out>, evt=0x1af0050, useCapture=false) at /home/madcat/mandriva/sources/kdelibs/khtml/xml/dom_nodeimpl.cpp:727
#17 0x00007f94fac891d9 in DOM::NodeImpl::dispatchGenericEvent (this=0x1ab9ae0, evt=0x1af0050) at /home/madcat/mandriva/sources/kdelibs/khtml/xml/dom_nodeimpl.cpp:498
#18 0x00007f94fac8925e in DOM::NodeImpl::dispatchEvent (this=0x1ab9ae0, evt=0x1af0050, exceptioncode=@0x7fff0e6be994, tempEvent=true)
    at /home/madcat/mandriva/sources/kdelibs/khtml/xml/dom_nodeimpl.cpp:450
#19 0x00007f94fac89b90 in DOM::NodeImpl::dispatchKeyEvent (this=0x1ab9ae0, key=0x7fff0e6bf010, keypress=<value optimized out>) at /home/madcat/mandriva/sources/kdelibs/khtml/xml/dom_nodeimpl.cpp:703
#20 0x00007f94fabf03fd in KHTMLView::dispatchKeyEvent (this=0x1cc85e0, _ke=0x7fff0e6bf010) at /home/madcat/mandriva/sources/kdelibs/khtml/khtmlview.cpp:1606
#21 0x00007f94fabf4ebe in KHTMLView::keyReleaseEvent (this=0x1cc85e0, _ke=0x7fff0e6bf010) at /home/madcat/mandriva/sources/kdelibs/khtml/khtmlview.cpp:1958
#22 0x00007f94fabec306 in KHTMLView::eventFilter (this=0x2293d70, o=0x23738b0, e=0x7fff0e6bf010) at /home/madcat/mandriva/sources/kdelibs/khtml/khtmlview.cpp:2258
#23 0x000000345fb40ae8 in QCoreApplicationPrivate::sendThroughObjectEventFilters () from /usr/lib64/libQtCore.so.4
#24 0x000000346017fccc in QApplicationPrivate::notify_helper () from /usr/lib64/libQtGui.so.4
#25 0x00000034601887fa in QApplication::notify () from /usr/lib64/libQtGui.so.4
#26 0x00007f9505e2d31b in KApplication::notify (this=0x7fff0e6c02e0, receiver=0x23738b0, event=0x7fff0e6bf010) at /home/madcat/mandriva/sources/kdelibs/kdeui/kernel/kapplication.cpp:311
#27 0x000000345fb4180f in QCoreApplication::notifyInternal () from /usr/lib64/libQtCore.so.4
#28 0x000000346020c6a4 in ?? () from /usr/lib64/libQtGui.so.4
#29 0x000000346020e987 in ?? () from /usr/lib64/libQtGui.so.4
#30 0x00000034601e9bb0 in QApplication::x11ProcessEvent () from /usr/lib64/libQtGui.so.4
#31 0x00000034602103a4 in ?? () from /usr/lib64/libQtGui.so.4
#32 0x0000003e46c374db in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
#33 0x0000003e46c3acbd in ?? () from /lib64/libglib-2.0.so.0
#34 0x0000003e46c3ae7b in g_main_context_iteration () from /lib64/libglib-2.0.so.0
#35 0x000000345fb69b5f in QEventDispatcherGlib::processEvents () from /usr/lib64/libQtCore.so.4
#36 0x000000346020fb4f in ?? () from /usr/lib64/libQtGui.so.4
#37 0x000000345fb40132 in QEventLoop::processEvents () from /usr/lib64/libQtCore.so.4
#38 0x000000345fb402bd in QEventLoop::exec () from /usr/lib64/libQtCore.so.4
#39 0x000000345fb4276d in QCoreApplication::exec () from /usr/lib64/libQtCore.so.4
#40 0x00000000006cd701 in kdemain (argc=<value optimized out>, argv=<value optimized out>) at /home/madcat/mandriva/sources/kdebase/apps/konqueror/src/konqmain.cpp:227
#41 0x0000003e4501e32a in __libc_start_main () from /lib64/libc.so.6
#42 0x0000000000400769 in _start ()
Comment 18 FiNeX 2009-08-23 18:13:53 UTC
It doesn't crash anymore on current trunk and 64bit. Now it works :-)