Bug 131411 - Konqueror segfault on crufty onclick=submit()
Summary: Konqueror segfault on crufty onclick=submit()
Status: RESOLVED WORKSFORME
Alias: None
Product: konqueror
Classification: Applications
Component: khtml
Version: unspecified
Platform: Slackware Linux
Importance: NOR crash
Target Milestone: ---
Assignee: Konqueror Developers
URL:
Keywords:
Duplicates: 144034
Depends on:
Blocks:
 
Reported: 2006-07-26 19:28 UTC by jaguarwan
Modified: 2008-11-22 02:24 UTC
CC List: 3 users

See Also:
Latest Commit:
Version Fixed In:


Description jaguarwan 2006-07-26 19:28:57 UTC
Version:            (using KDE 3.5.3)
Installed from:    Slackware Packages
Compiler:          gcc 3.4.6
OS:                Linux

Hello,

I currently must work on an ugly Dreamweaver-generated website, and a form with some crufty content managed to crash Konqueror. I trimmed down the problem to the following example:

crashme.php
------------------------8<--------------------------
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
        <title>CRASHME</title>
    </head>
    <body>
        <form action="#" method="post" enctype="multipart/form-data">
            <input name="img" type="file" />
            <input name="link" type="text" class="online_main_copy" size="40" />
            <a href="#" onclick=submit()>
            </a>
            <a href="#" onclick=submit()>
                <img
                src=""
                width="50"
                height="50"
                alt="crashme"
                onclick=submit()
                name="image"
                id="image"
                />
            </a>
        </form>
    </body>
</html>
------------------------8<--------------------------

As you can see, there are three onclick="submit()" in this insane piece of code, and when the form is filled and the user clicks on the 'crashme' image, Konqueror asks if this is OK to send the file *twice*, then segfaults. 100% reproducible.

Here is the backtrace:
[KCrash handler]
#5  0xb5717aba in KHTMLView::nonPasswordStorableSite ()
   from /opt/kde/lib/libkhtml.so.4
#6  0xb57e32ff in QPtrList<DOM::HTMLGenericFormElementImpl>::deleteItem ()
   from /opt/kde/lib/libkhtml.so.4
#7  0xb57e3f18 in QPtrList<DOM::HTMLGenericFormElementImpl>::deleteItem ()
   from /opt/kde/lib/libkhtml.so.4
#8  0xb5959918 in DOM::HTMLFormElement::submit ()
   from /opt/kde/lib/libkhtml.so.4
#9  0xb58ba1f1 in QValueListPrivate<DOM::Node>::~QValueListPrivate ()
   from /opt/kde/lib/libkhtml.so.4
#10 0xb589d8d4 in QValueList<khtml::TokenizerSubstring>::detachInternal ()
   from /opt/kde/lib/libkhtml.so.4
#11 0xb56347a0 in KJS::Object::call () from /opt/kde/lib/libkjs.so.1
#12 0xb55fb00d in KJS::DateObjectFuncImp::~DateObjectFuncImp ()
   from /opt/kde/lib/libkjs.so.1
#13 0xb55ffd45 in KJS::DateObjectFuncImp::~DateObjectFuncImp ()
   from /opt/kde/lib/libkjs.so.1
#14 0xb56069ae in KJS::DateObjectFuncImp::~DateObjectFuncImp ()
   from /opt/kde/lib/libkjs.so.1
#15 0xb55ffb4f in KJS::DateObjectFuncImp::~DateObjectFuncImp ()
   from /opt/kde/lib/libkjs.so.1
#16 0xb562ddec in KJS::DeclaredFunctionImp::execute ()
   from /opt/kde/lib/libkjs.so.1
#17 0xb562d2e0 in KJS::FunctionImp::call () from /opt/kde/lib/libkjs.so.1
#18 0xb56347a0 in KJS::Object::call () from /opt/kde/lib/libkjs.so.1
#19 0xb5917620 in TestFunctionImp::~TestFunctionImp ()
   from /opt/kde/lib/libkhtml.so.4
#20 0xb59178b2 in TestFunctionImp::~TestFunctionImp ()
   from /opt/kde/lib/libkhtml.so.4
#21 0xb5793645 in DOM::RegisteredListenerList::getHTMLEventListener ()
   from /opt/kde/lib/libkhtml.so.4
#22 0xb579385b in DOM::RegisteredListenerList::getHTMLEventListener ()
   from /opt/kde/lib/libkhtml.so.4
#23 0xb5793c52 in DOM::RegisteredListenerList::getHTMLEventListener ()
   from /opt/kde/lib/libkhtml.so.4
#24 0xb570f133 in KHTMLView::dispatchMouseEvent ()
   from /opt/kde/lib/libkhtml.so.4
#25 0xb570f6cf in KHTMLView::viewportMouseReleaseEvent ()
   from /opt/kde/lib/libkhtml.so.4
#26 0xb72503e1 in QScrollView::eventFilter ()
   from /usr/lib/qt/lib/libqt-mt.so.3
#27 0xb5715f59 in KHTMLView::eventFilter () from /opt/kde/lib/libkhtml.so.4
#28 0xb712c0bf in QObject::activate_filters ()
   from /usr/lib/qt/lib/libqt-mt.so.3
#29 0xb712c194 in QObject::event () from /usr/lib/qt/lib/libqt-mt.so.3
#30 0xb716850f in QWidget::event () from /usr/lib/qt/lib/libqt-mt.so.3
#31 0xb70ca22f in QApplication::internalNotify ()
   from /usr/lib/qt/lib/libqt-mt.so.3
#32 0xb70ca486 in QApplication::notify () from /usr/lib/qt/lib/libqt-mt.so.3
#33 0xb77309f5 in KApplication::notify () from /opt/kde/lib/libkdecore.so.4
#34 0xb706439b in QETWidget::translateMouseEvent ()
   from /usr/lib/qt/lib/libqt-mt.so.3
#35 0xb7062821 in QApplication::x11ProcessEvent ()
   from /usr/lib/qt/lib/libqt-mt.so.3
#36 0xb7075f25 in QEventLoop::processEvents ()
   from /usr/lib/qt/lib/libqt-mt.so.3
#37 0xb70e0951 in QEventLoop::enterLoop () from /usr/lib/qt/lib/libqt-mt.so.3
#38 0xb70e08a6 in QEventLoop::exec () from /usr/lib/qt/lib/libqt-mt.so.3
#39 0xb70c938f in QApplication::exec () from /usr/lib/qt/lib/libqt-mt.so.3
#40 0xb66ea9fc in kdemain () from /opt/kde/lib/libkdeinit_konqueror.so
#41 0xb762e7d4 in kdeinitmain () from /opt/kde/lib/kde3/konqueror.so
#42 0x0804e4b4 in ?? ()
#43 0x00000002 in ?? ()
#44 0x080ea490 in ?? ()
#45 0x00000001 in ?? ()
#46 0x00000000 in ?? ()

Have a nice day :)
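A small C++ model of the re-entrant submit() the backtrace points at, added here as an illustration; it is not KHTML code, and View, Form, Node, dispatchClick and runScenario are invented names. It assumes that the first submit() starts navigation and detaches the view before the bubbling click reaches the parent `<a>`'s handler, which is consistent with the null `this` in KHTMLView::nonPasswordStorableSite and with the two "send the file?" prompts the reporter sees.

```cpp
#include <string>

// Stand-in for KHTMLView, the object whose null 'this' appears in the backtrace.
struct View {
    bool nonPasswordStorableSite(const std::string& host) const {
        return host.find("crashme") != std::string::npos;  // constructed policy
    }
};

struct Form {
    View* view;                // null once the document has been detached
    int submits = 0;           // times submit() was entered
    int nullViewAccesses = 0;  // derefs of a null view (a SIGSEGV in real code)

    // Models submit() -> gatherWalletData() -> view->nonPasswordStorableSite().
    void submit(bool guarded) {
        ++submits;
        if (guarded && !view) return;               // defensive check the model adds
        if (!view) { ++nullViewAccesses; return; }  // unguarded: would crash here
        view->nonPasswordStorableSite("crashme.invalid");
        view = nullptr;  // assumption: first submit starts navigation, view detaches
    }
};

struct Node { const char* tag; bool onclickSubmit; Node* parent; };

// Bubble one click from the target up through its ancestors, running each
// onclick=submit() handler on the way; returns how many handlers ran.
int dispatchClick(Node* target, Form& form, bool guarded) {
    int ran = 0;
    for (Node* n = target; n; n = n->parent)
        if (n->onclickSubmit) { form.submit(guarded); ++ran; }
    return ran;
}

// Reproduces the report's tree: form > [a(empty), a > img] and clicks the img.
// The empty <a> is a sibling of the clicked path, so its handler never fires:
// only two submits (hence two "send the file?" prompts) occur before the crash.
Form runScenario(bool guarded) {
    View view;
    Form form{&view};
    Node formNode{"form", false, nullptr};
    Node emptyAnchor{"a", true, &formNode};  // in the markup, not on the bubble path
    Node anchor{"a", true, &formNode};
    Node img{"img", true, &anchor};
    dispatchClick(&img, form, guarded);
    (void)emptyAnchor;
    return form;  // view is already null here, so no dangling pointer escapes
}
```

With the guard, the second submit still runs but skips the wallet lookup, so the click no longer reaches a null view.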
Comment 1 Tommi Tervo 2006-07-27 08:33:15 UTC
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1235495232 (LWP 3173)]
0xb5e87be8 in KHTMLView::nonPasswordStorableSite (this=0x0, host=@0xbfe26d30)
    at khtmlview.cpp:3072
3072        if (!d->formCompletions) {
(gdb) bt
#0  0xb5e87be8 in KHTMLView::nonPasswordStorableSite (this=0x0,
    host=@0xbfe26d30) at khtmlview.cpp:3072
#1  0xb5f614cb in DOM::HTMLFormElementImpl::gatherWalletData (this=0x8525a08)
    at html_formimpl.cpp:515
#2  0xb5f61825 in DOM::HTMLFormElementImpl::submit (this=0x8525a08)
    at html_formimpl.cpp:578
#3  0xb6118a5a in DOM::HTMLFormElement::submit (this=0xbfe2702c)
    at html_form.cpp:290
#4  0xb6063a4e in KJS::HTMLElementFunction::tryCall (this=0x84df4f0,
    exec=0xbfe2761c, thisObj=@0xbfe273f8, args=@0xbfe27408)
    at kjs_html.cpp:2143
#5  0xb603fa42 in KJS::DOMFunction::call (this=0x84df4f0, exec=0xbfe2761c,
    thisObj=@0xbfe273f8, args=@0xbfe27408) at kjs_binding.cpp:114
#6  0xb5cc6729 in KJS::Object::call (this=0xbfe27400, exec=0xbfe2761c,
    thisObj=@0xbfe273f8, args=@0xbfe27408) at object.cpp:73
#7  0xb5c85e28 in KJS::FunctionCallNode::evaluate (this=0x8591590,
    exec=0xbfe2761c) at nodes.cpp:870
#8  0xb5c8ba69 in KJS::ExprStatementNode::execute (this=0x8587628,
    exec=0xbfe2761c) at nodes.cpp:1980
#9  0xb5c924f9 in KJS::SourceElementsNode::execute (this=0x858fb20,
    exec=0xbfe2761c) at nodes.cpp:3091
#10 0xb5c8b864 in KJS::BlockNode::execute (this=0x85862d8, exec=0xbfe2761c)
    at nodes.cpp:1942
#11 0xb5cbf80f in KJS::DeclaredFunctionImp::execute (this=0x8586830,    
Comment 2 Tommi Tervo 2007-04-11 07:51:34 UTC
*** Bug 144034 has been marked as a duplicate of this bug. ***
Comment 3 FiNeX 2008-11-22 02:24:07 UTC
Cannot reproduce using current trunk (r887467).