132050 – [testcase] new crash in kde 3.5.4

Bug 132050 - [testcase] new crash in kde 3.5.4

Summary: [testcase] new crash in kde 3.5.4

Status:	RESOLVED FIXED

Alias:	None

Product:	konqueror
Classification:	Applications
Component:	khtml (show other bugs)
Version:	unspecified
Platform:	Unlisted Binaries Linux

Importance:	NOR crash
Target Milestone:	---
Assignee:	Konqueror Developers

URL:
Keywords:

Depends on:
Blocks:

Reported:	2006-08-08 11:36 UTC by Olivier Goffart
Modified:	2006-08-09 00:20 UTC (History)
CC List:	0 users

See Also:
Latest Commit:
Version Fixed In:
Sentry Crash Report:

Attachments
testcase (453 bytes, text/html) 2006-08-08 11:36 UTC, Olivier Goffart	Details
View All Add an attachment

Note You need to log in before you can comment on or make changes to this bug.

Description Olivier Goffart 2006-08-08 11:36:14 UTC

Version:           3.5.4 (using KDE KDE 3.5.4)
Installed from:    Unspecified Linux
Compiler:          gcc 4.1 
OS:                Linux

I noticed this crash on my own blog :-(

konqueror segfault when opening the page

[KCrash handler]
#6  0xb63354ed in khtml::RenderText::setText ()
   from /opt/kde/lib/libkhtml.so.4
#7  0xb6355a08 in khtml::RenderContainer::addChild ()
   from /opt/kde/lib/libkhtml.so.4
#8  0xb6356625 in khtml::RenderInline::addChildToFlow ()
   from /opt/kde/lib/libkhtml.so.4
#9  0xb6304006 in khtml::RenderFlow::addChild ()
   from /opt/kde/lib/libkhtml.so.4
#10 0xb62991a9 in DOM::NodeImpl::createRendererIfNeeded ()
   from /opt/kde/lib/libkhtml.so.4
#11 0xb62991e2 in DOM::TextImpl::attach () from /opt/kde/lib/libkhtml.so.4
#12 0xb62d649c in khtml::KHTMLParser::insertNode ()
   from /opt/kde/lib/libkhtml.so.4
#13 0xb62e0357 in khtml::KHTMLParser::parseToken ()
   from /opt/kde/lib/libkhtml.so.4
#14 0xb62e060f in khtml::HTMLTokenizer::processToken ()
   from /opt/kde/lib/libkhtml.so.4
#15 0xb62f28e2 in khtml::HTMLTokenizer::write ()
   from /opt/kde/lib/libkhtml.so.4
#16 0xb6263a2f in KHTMLPart::write () from /opt/kde/lib/libkhtml.so.4
#17 0xb625a934 in KHTMLPart::slotData () from /opt/kde/lib/libkhtml.so.4
#18 0xb6286fa6 in KHTMLPart::qt_invoke () from /opt/kde/lib/libkhtml.so.4
#19 0xb723df19 in QObject::activate_signal () from /opt/qt/lib/libqt-mt.so.3
#20 0xb7d3d20d in KIO::TransferJob::data () from /opt/kde/lib/libkio.so.4
#21 0xb7d3d298 in KIO::TransferJob::slotData () from /opt/kde/lib/libkio.so.4
#22 0xb7d7cdd9 in KIO::TransferJob::qt_invoke () from /opt/kde/lib/libkio.so.4
#23 0xb723df19 in QObject::activate_signal () from /opt/qt/lib/libqt-mt.so.3
#24 0xb7d3b391 in KIO::SlaveInterface::data () from /opt/kde/lib/libkio.so.4
#25 0xb7da8145 in KIO::SlaveInterface::dispatch ()
   from /opt/kde/lib/libkio.so.4
#26 0xb7d980a8 in KIO::SlaveInterface::dispatch ()
   from /opt/kde/lib/libkio.so.4
#27 0xb7d4bf1b in KIO::Slave::gotInput () from /opt/kde/lib/libkio.so.4
#28 0xb7d997a0 in KIO::Slave::qt_invoke () from /opt/kde/lib/libkio.so.4
#29 0xb723df19 in QObject::activate_signal () from /opt/qt/lib/libqt-mt.so.3
#30 0xb723ea22 in QObject::activate_signal () from /opt/qt/lib/libqt-mt.so.3
#31 0xb75653c0 in QSocketNotifier::activated () from /opt/qt/lib/libqt-mt.so.3
#32 0xb725bd90 in QSocketNotifier::event () from /opt/qt/lib/libqt-mt.so.3
#33 0xb71dfc17 in QApplication::internalNotify ()
   from /opt/qt/lib/libqt-mt.so.3
#34 0xb71e09df in QApplication::notify () from /opt/qt/lib/libqt-mt.so.3
#35 0xb78f2bce in KApplication::notify () from /opt/kde/lib/libkdecore.so.4
#36 0xb71d4be1 in QEventLoop::activateSocketNotifiers ()
   from /opt/qt/lib/libqt-mt.so.3
#37 0xb718f4ee in QEventLoop::processEvents () from /opt/qt/lib/libqt-mt.so.3
#38 0xb71f64f1 in QEventLoop::enterLoop () from /opt/qt/lib/libqt-mt.so.3
#39 0xb71f63a6 in QEventLoop::exec () from /opt/qt/lib/libqt-mt.so.3
#40 0xb71df87f in QApplication::exec () from /opt/qt/lib/libqt-mt.so.3
#41 0xb6947925 in kdemain () from /opt/kde/lib/libkdeinit_konqueror.so
#42 0xb69a06f4 in kdeinitmain () from /opt/kde/lib/kde3/konqueror.so

Comment 1 Olivier Goffart 2006-08-08 11:36:36 UTC

Created attachment 17290 [details]
testcase

Comment 2 Tommi Tervo 2006-08-08 12:33:42 UTC

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1234753856 (LWP 18507)]
0xb7f2d3c0 in QChar (this=0xbf9db4a8, c=@0xfffffffe) at qstring.h:270
270     inline QChar::QChar( const QChar& c ) : ucs( c.ucs )
(gdb) bt
#0  0xb7f2d3c0 in QChar (this=0xbf9db4a8, c=@0xfffffffe) at qstring.h:270
#1  0xb606219e in khtml::RenderText::setText (this=0x84c9a44, text=0x84b5a00,
    force=true) at render_text.cpp:1155
#2  0xb605143b in khtml::RenderContainer::addChild (this=0x84c99e0,
    newChild=0x84c9a44, beforeChild=0x0) at render_container.cpp:159
#3  0xb60380e3 in khtml::RenderInline::addChildToFlow (this=0x84c99e0,
    newChild=0x84c9a44, beforeChild=0x0) at render_inline.cpp:105
#4  0xb605cf8d in khtml::RenderFlow::addChild (this=0x84c99e0,
    newChild=0x84c9a44, beforeChild=0x0) at render_flow.cpp:126
#5  0xb5fc1899 in DOM::NodeImpl::createRendererIfNeeded (this=0x84df928)
    at dom_nodeimpl.cpp:944
#6  0xb5fc6e3d in DOM::TextImpl::attach (this=0x84df928)
    at dom_textimpl.cpp:412
#7  0xb5fe44bd in khtml::KHTMLParser::insertNode (this=0x84b75d8, n=0x84df928,
    flat=true) at htmlparser.cpp:350
#8  0xb5fe74a6 in khtml::KHTMLParser::parseToken (this=0x84b75d8, t=0x84cbb0c)
    at htmlparser.cpp:289
#9  0xb5fe82cc in khtml::HTMLTokenizer::processToken (this=0x84cbad8)
    at htmltokenizer.cpp:1684
#10 0xb5fee679 in khtml::HTMLTokenizer::write (this=0x84cbad8,
    str=@0xbf9db848, appendData=true) at htmltokenizer.cpp:1439
#11 0xb5f67523 in KHTMLPart::write (this=0x83d74e0,
    str=0x84a77a8 "<!--\nCrash on konqueror 3.5.4\nWas working ine on konqueror 3.5.3\n \n  Olivier Goffart   < ogoffart at kde.org >\n-->\n\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\"\n\"http://www.w3.org/TR/xhtml"...,
    len=453) at khtml_part.cpp:1989
#12 0xb5f60af3 in KHTMLPart::slotData (this=0x83d74e0, kio_job=0x84a6db0,
    data=@0xbf9dbdc8) at khtml_part.cpp:1667
#13 0xb5f7c0af in KHTMLPart::qt_invoke (this=0x83d74e0, _id=16, _o=0xbf9dbac4)
    at khtml_part.moc:500
#14 0xb6e78929 in QObject::activate_signal ()

Comment 3 Nick Warne 2006-08-08 21:48:51 UTC

Be nice to see test case source for perusal:

<!--
Crash on konqueror 3.5.4
Was working ine on konqueror 3.5.3
 
  Olivier Goffart   < ogoffart at kde.org >
-->

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>testcase</title>
	<style>
p { text-transform:capitalize; }
p:first-child:before { content:""; }
	</style>
	</head>
<body>
<p><span>crash</span></p>    
</body>
</html>

Comment 4 Germain Garand 2006-08-09 00:20:03 UTC

SVN commit 571252 by ggarand:

apply patch by Andreas Hartmetz <ahartmetz@gmail.com>
fixing two crashes in capitalization code.

BUG: 132050



 M  +30 -14    render_text.cpp  


--- branches/KDE/3.5/kdelibs/khtml/rendering/render_text.cpp #571251:571252
@@ -1145,25 +1145,41 @@
         switch(style()->textTransform()) {
         case CAPITALIZE:
         {
-            // find previous text renderer if one exists
-            RenderObject* o;
+            RenderObject *o;
             bool runOnString = false;
-            for (o = previousRenderer(); o && o->isInlineFlow(); o = o->previousRenderer())
-                ;
-            if (o && o->isText()) {
-                DOMStringImpl* prevStr = static_cast<RenderText*>(o)->string();
-                QChar c = (*prevStr)[prevStr->length() - 1];
-                if (!c.isSpace())
-                    runOnString = true;
+
+            // find previous non-empty text renderer if one exists
+            for (o = previousRenderer(); o; o = o->previousRenderer()) {
+                if (!o->isInlineFlow()) {
+                    if (!o->isText())
+                        break;
+
+                    DOMStringImpl *prevStr = static_cast<RenderText*>(o)->string();
+                    // !prevStr can happen with css like "content:open-quote;"
+                    if (!prevStr)
+                        break;
+
+                    if (prevStr->length() == 0)
+                        continue;
+                    QChar c = (*prevStr)[prevStr->length() - 1];
+                    if (!c.isSpace())
+                        runOnString = true;
+
+                    break;
+                }
             }
+
             str = str->capitalize(runOnString);
         }
         break;
-	case UPPERCASE:   str = str->upper();       break;
-	case LOWERCASE:  str = str->lower();       break;
-	case NONE:
-	default:;
-	}
+
+		
+		
+        case UPPERCASE: str = str->upper();       break;
+        case LOWERCASE: str = str->lower();       break;
+        case NONE:
+        default:;
+    }
         str->ref();
         oldstr->deref();
     }