Version: (using KDE KDE 3.5.3)
Installed from: Slackware Packages
Compiler: gcc 3.4.6
OS: Linux

Hello,

I currently must work on an ugly Dreamweaver-generated website, and a form with some crufty content managed to crash Konqueror. I trimmed down the problem to the following example:

crashme.php
------------------------8<--------------------------
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>CRASHME</title>
</head>
<body>
<form action="#" method="post" enctype="multipart/form-data">
<input name="img" type="file" />
<input name="link" type="text" class="online_main_copy" size="40" />
<a href="#" onclick=submit()> </a>
<a href="#" onclick=submit()>
<img src="" width="50" height="50" alt="crashme" onclick=submit() name="image" id="image" />
</a>
</form>
</body>
</html>
------------------------8<--------------------------

As you can see, there are three onclick="submit()" in this insane piece of code, and when the form is filled and the user clicks on the 'crashme' image, Konqueror asks if this is OK to send the file *twice*, then segfaults. 100% reproducible.
Here is the backtrace:

[KCrash handler]
#5 0xb5717aba in KHTMLView::nonPasswordStorableSite () from /opt/kde/lib/libkhtml.so.4
#6 0xb57e32ff in QPtrList<DOM::HTMLGenericFormElementImpl>::deleteItem () from /opt/kde/lib/libkhtml.so.4
#7 0xb57e3f18 in QPtrList<DOM::HTMLGenericFormElementImpl>::deleteItem () from /opt/kde/lib/libkhtml.so.4
#8 0xb5959918 in DOM::HTMLFormElement::submit () from /opt/kde/lib/libkhtml.so.4
#9 0xb58ba1f1 in QValueListPrivate<DOM::Node>::~QValueListPrivate () from /opt/kde/lib/libkhtml.so.4
#10 0xb589d8d4 in QValueList<khtml::TokenizerSubstring>::detachInternal () from /opt/kde/lib/libkhtml.so.4
#11 0xb56347a0 in KJS::Object::call () from /opt/kde/lib/libkjs.so.1
#12 0xb55fb00d in KJS::DateObjectFuncImp::~DateObjectFuncImp () from /opt/kde/lib/libkjs.so.1
#13 0xb55ffd45 in KJS::DateObjectFuncImp::~DateObjectFuncImp () from /opt/kde/lib/libkjs.so.1
#14 0xb56069ae in KJS::DateObjectFuncImp::~DateObjectFuncImp () from /opt/kde/lib/libkjs.so.1
#15 0xb55ffb4f in KJS::DateObjectFuncImp::~DateObjectFuncImp () from /opt/kde/lib/libkjs.so.1
#16 0xb562ddec in KJS::DeclaredFunctionImp::execute () from /opt/kde/lib/libkjs.so.1
#17 0xb562d2e0 in KJS::FunctionImp::call () from /opt/kde/lib/libkjs.so.1
#18 0xb56347a0 in KJS::Object::call () from /opt/kde/lib/libkjs.so.1
#19 0xb5917620 in TestFunctionImp::~TestFunctionImp () from /opt/kde/lib/libkhtml.so.4
#20 0xb59178b2 in TestFunctionImp::~TestFunctionImp () from /opt/kde/lib/libkhtml.so.4
#21 0xb5793645 in DOM::RegisteredListenerList::getHTMLEventListener () from /opt/kde/lib/libkhtml.so.4
#22 0xb579385b in DOM::RegisteredListenerList::getHTMLEventListener () from /opt/kde/lib/libkhtml.so.4
#23 0xb5793c52 in DOM::RegisteredListenerList::getHTMLEventListener () from /opt/kde/lib/libkhtml.so.4
#24 0xb570f133 in KHTMLView::dispatchMouseEvent () from /opt/kde/lib/libkhtml.so.4
#25 0xb570f6cf in KHTMLView::viewportMouseReleaseEvent () from /opt/kde/lib/libkhtml.so.4
#26 0xb72503e1 in QScrollView::eventFilter () from /usr/lib/qt/lib/libqt-mt.so.3
#27 0xb5715f59 in KHTMLView::eventFilter () from /opt/kde/lib/libkhtml.so.4
#28 0xb712c0bf in QObject::activate_filters () from /usr/lib/qt/lib/libqt-mt.so.3
#29 0xb712c194 in QObject::event () from /usr/lib/qt/lib/libqt-mt.so.3
#30 0xb716850f in QWidget::event () from /usr/lib/qt/lib/libqt-mt.so.3
#31 0xb70ca22f in QApplication::internalNotify () from /usr/lib/qt/lib/libqt-mt.so.3
#32 0xb70ca486 in QApplication::notify () from /usr/lib/qt/lib/libqt-mt.so.3
#33 0xb77309f5 in KApplication::notify () from /opt/kde/lib/libkdecore.so.4
#34 0xb706439b in QETWidget::translateMouseEvent () from /usr/lib/qt/lib/libqt-mt.so.3
#35 0xb7062821 in QApplication::x11ProcessEvent () from /usr/lib/qt/lib/libqt-mt.so.3
#36 0xb7075f25 in QEventLoop::processEvents () from /usr/lib/qt/lib/libqt-mt.so.3
#37 0xb70e0951 in QEventLoop::enterLoop () from /usr/lib/qt/lib/libqt-mt.so.3
#38 0xb70e08a6 in QEventLoop::exec () from /usr/lib/qt/lib/libqt-mt.so.3
#39 0xb70c938f in QApplication::exec () from /usr/lib/qt/lib/libqt-mt.so.3
#40 0xb66ea9fc in kdemain () from /opt/kde/lib/libkdeinit_konqueror.so
#41 0xb762e7d4 in kdeinitmain () from /opt/kde/lib/kde3/konqueror.so
#42 0x0804e4b4 in ?? ()
#43 0x00000002 in ?? ()
#44 0x080ea490 in ?? ()
#45 0x00000001 in ?? ()
#46 0x00000000 in ?? ()

Have a nice day :)
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1235495232 (LWP 3173)]
0xb5e87be8 in KHTMLView::nonPasswordStorableSite (this=0x0, host=@0xbfe26d30) at khtmlview.cpp:3072
3072 if (!d->formCompletions) {
(gdb) bt
#0 0xb5e87be8 in KHTMLView::nonPasswordStorableSite (this=0x0, host=@0xbfe26d30) at khtmlview.cpp:3072
#1 0xb5f614cb in DOM::HTMLFormElementImpl::gatherWalletData (this=0x8525a08) at html_formimpl.cpp:515
#2 0xb5f61825 in DOM::HTMLFormElementImpl::submit (this=0x8525a08) at html_formimpl.cpp:578
#3 0xb6118a5a in DOM::HTMLFormElement::submit (this=0xbfe2702c) at html_form.cpp:290
#4 0xb6063a4e in KJS::HTMLElementFunction::tryCall (this=0x84df4f0, exec=0xbfe2761c, thisObj=@0xbfe273f8, args=@0xbfe27408) at kjs_html.cpp:2143
#5 0xb603fa42 in KJS::DOMFunction::call (this=0x84df4f0, exec=0xbfe2761c, thisObj=@0xbfe273f8, args=@0xbfe27408) at kjs_binding.cpp:114
#6 0xb5cc6729 in KJS::Object::call (this=0xbfe27400, exec=0xbfe2761c, thisObj=@0xbfe273f8, args=@0xbfe27408) at object.cpp:73
#7 0xb5c85e28 in KJS::FunctionCallNode::evaluate (this=0x8591590, exec=0xbfe2761c) at nodes.cpp:870
#8 0xb5c8ba69 in KJS::ExprStatementNode::execute (this=0x8587628, exec=0xbfe2761c) at nodes.cpp:1980
#9 0xb5c924f9 in KJS::SourceElementsNode::execute (this=0x858fb20, exec=0xbfe2761c) at nodes.cpp:3091
#10 0xb5c8b864 in KJS::BlockNode::execute (this=0x85862d8, exec=0xbfe2761c) at nodes.cpp:1942
#11 0xb5cbf80f in KJS::DeclaredFunctionImp::execute (this=0x8586830,
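An added triage example, not part of the original report or of KDE's code: it parses symbolized gdb `bt` frames like those above and reports every member function entered with `this=0x0`, paired with its calling frame, which is where the null pointer came from. The sample input is the first frames of the trace above plus its truncated last frame; `parse_frames` and `null_this_frames` are names chosen here.

```python
import re

# Constructed sample: frames #0-#3 and the truncated frame #11 from the gdb trace above.
SAMPLE_BT = """\
#0 0xb5e87be8 in KHTMLView::nonPasswordStorableSite (this=0x0, host=@0xbfe26d30) at khtmlview.cpp:3072
#1 0xb5f614cb in DOM::HTMLFormElementImpl::gatherWalletData (this=0x8525a08) at html_formimpl.cpp:515
#2 0xb5f61825 in DOM::HTMLFormElementImpl::submit (this=0x8525a08) at html_formimpl.cpp:578
#3 0xb6118a5a in DOM::HTMLFormElement::submit (this=0xbfe2702c) at html_form.cpp:290
#11 0xb5cbf80f in KJS::DeclaredFunctionImp::execute (this=0x8586830,
"""

# "#N [0xADDR in] FUNC (ARGS) [at FILE:LINE]" as printed by gdb with debug symbols.
FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+(?:0x[0-9a-f]+\s+in\s+)?(?P<func>\S+)\s+"
    r"\((?P<args>.*?)\)(?:\s+at\s+(?P<file>\S+):(?P<line>\d+))?\s*$"
)

def parse_frames(text):
    """Parse gdb 'bt' output into frame dicts; truncated or symbol-less lines are skipped."""
    frames = []
    for raw in text.splitlines():
        m = FRAME_RE.match(raw.strip())
        if not m:
            continue
        args = {}
        for pair in m.group("args").split(", "):
            if "=" in pair:
                name, value = pair.split("=", 1)
                args[name.strip()] = value.strip()
        frames.append({"num": int(m.group("num")), "func": m.group("func"),
                       "args": args, "file": m.group("file"),
                       "line": int(m.group("line")) if m.group("line") else None})
    return frames

def null_this_frames(frames):
    """Return (callee, caller) pairs where a member function was entered with a null 'this'."""
    by_num = {f["num"]: f for f in frames}
    return [(f, by_num.get(f["num"] + 1)) for f in frames
            if f["args"].get("this") in ("0x0", "0")]

if __name__ == "__main__":
    for callee, caller in null_this_frames(parse_frames(SAMPLE_BT)):
        where = f'{caller["func"]} at {caller["file"]}:{caller["line"]}' if caller else "unknown caller"
        print(f'null this in {callee["func"]} ({callee["file"]}:{callee["line"]}), called from {where}')
```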
*** Bug 144034 has been marked as a duplicate of this bug. ***
Cannot reproduce using current trunk (r887467).