Bug 139488 - crash when finding backwards
Summary: crash when finding backwards
Status: RESOLVED FIXED
Alias: None
Product: konqueror
Classification: Applications
Component: khtml (show other bugs)
Version: unspecified
Platform: Gentoo Packages Linux
Importance: NOR crash
Target Milestone: ---
Assignee: Konqueror Developers
Reported: 2007-01-02 01:59 UTC by Peter Oberndorfer
Modified: 2007-01-03 18:45 UTC (History)



Description Peter Oberndorfer 2007-01-02 01:59:17 UTC
Version:           kdelibs-3.5.5-r7 (using KDE KDE 3.5.5)
Installed from:    Gentoo Packages
OS:                Linux

open http://subsignal.org/doc/AliensBashTutorial.html in konqueror
start find as you type for '>' (without quotes) by pressing / or whatever shortcut find as you type has
press F3 until you see this line
password: <here I type "mypass">
press Shift F3 to search backwards
maybe alternate searching backward/forward by pressing F3/Shift-F3 a few times
konqueror now crashes

Backtrace:
Using host libthread_db library "/lib/libthread_db.so.1".
[Thread debugging using libthread_db enabled]
[New Thread -1230264656 (LWP 6772)]
[KCrash handler]
#6  0xb659e47b in khtml::RenderObject::objectAbove () from /usr/kde/3.5/lib/libkhtml.so.4
#7  0xb64f2d8e in KHTMLPart::findTextNext () from /usr/kde/3.5/lib/libkhtml.so.4
#8  0xb6509a51 in KHTMLPart::slotFindPrev () from /usr/kde/3.5/lib/libkhtml.so.4
#9  0xb651496f in KHTMLPart::qt_invoke () from /usr/kde/3.5/lib/libkhtml.so.4
#10 0xb72343d9 in ?? () from /usr/qt/3/lib/libqt-mt.so.3
#11 0x09804d98 in ?? ()
#12 0x00000028 in ?? ()
#13 0xbfef59c8 in ?? ()
#14 0xb6bd812c in main_arena () from /lib/libc.so.6
#15 0xb675590c in vtable for KHTMLPart () from /usr/kde/3.5/lib/libkhtml.so.4
#16 0x00000020 in ?? ()
#17 0x0a0d0ee0 in ?? ()
#18 0xb77f7d1e in KAccelPrivate::staticMetaObject () from /usr/kde/3.5/lib/libkdecore.so.4
#19 0xb723502d in QMapPrivate<int, QString>::insert () from /usr/qt/3/lib/libqt-mt.so.3
#20 0x08b70170 in ?? ()
#21 0x08b703d8 in ?? ()
#22 0xbfef59c8 in ?? ()
#23 0xb7a90c1e in KAction::staticMetaObject () from /usr/kde/3.5/lib/libkdeui.so.4
#24 0xb7aa7269 in KAction::activated () from /usr/kde/3.5/lib/libkdeui.so.4
#25 0xb7ae8521 in KAction::slotActivated () from /usr/kde/3.5/lib/libkdeui.so.4
#26 0xb7bd8f7f in KAction::qt_invoke () from /usr/kde/3.5/lib/libkdeui.so.4
#27 0xb72343d9 in ?? () from /usr/qt/3/lib/libqt-mt.so.3
#28 0x08b70170 in ?? ()
#29 0x0000000f in ?? ()
#30 0xbfef5ab8 in ?? ()
#31 0xbfef5ac4 in ?? ()
#32 0xb7c3e5e8 in vtable for KAction () from /usr/kde/3.5/lib/libkdeui.so.4
#33 0xb7694d9c in vtable for QMotifStyle () from /usr/qt/3/lib/libqt-mt.so.3
#34 0x08118fe8 in ?? ()
#35 0xb74fe152 in mergeInto () from /usr/qt/3/lib/libqt-mt.so.3
#36 0x08da33a0 in ?? ()
#37 0xffffffff in ?? ()
#38 0x00000010 in ?? ()
#39 0xb7694d9c in vtable for QMotifStyle () from /usr/qt/3/lib/libqt-mt.so.3
#40 0xbfef5ab8 in ?? ()
#41 0x0a58c388 in ?? ()
#42 0xbfef5ad8 in ?? ()
#43 0xb723502d in QMapPrivate<int, QString>::insert () from /usr/qt/3/lib/libqt-mt.so.3
#44 0x0a58c388 in ?? ()
#45 0x0a617de0 in ?? ()
#46 0xbfef5ab8 in ?? ()
#47 0xb77f7d1e in KAccelPrivate::staticMetaObject () from /usr/kde/3.5/lib/libkdecore.so.4
Backtrace stopped: previous frame inner to this frame (corrupt stack?)

(gdb) disas 0xb659e47b
Dump of assembler code for function _ZNK5khtml12RenderObject11objectAboveEv:
0xb659e470 <_ZNK5khtml12RenderObject11objectAboveEv+0>: push   %ebp
0xb659e471 <_ZNK5khtml12RenderObject11objectAboveEv+1>: mov    %esp,%ebp
0xb659e473 <_ZNK5khtml12RenderObject11objectAboveEv+3>: push   %edi
0xb659e474 <_ZNK5khtml12RenderObject11objectAboveEv+4>: push   %esi
0xb659e475 <_ZNK5khtml12RenderObject11objectAboveEv+5>: sub    $0x10,%esp
0xb659e478 <_ZNK5khtml12RenderObject11objectAboveEv+8>: mov    0x8(%ebp),%eax
0xb659e47b <_ZNK5khtml12RenderObject11objectAboveEv+11>:        mov    0x10(%eax),%edi <----- crash here, this == 0? previousSibling()
0xb659e47e <_ZNK5khtml12RenderObject11objectAboveEv+14>:        test   %edi,%edi
0xb659e480 <_ZNK5khtml12RenderObject11objectAboveEv+16>:        je     0xb659e4ad <_ZNK5khtml12RenderObject11objectAboveEv+61>
0xb659e482 <_ZNK5khtml12RenderObject11objectAboveEv+18>:        mov    (%edi),%eax
0xb659e484 <_ZNK5khtml12RenderObject11objectAboveEv+20>:        mov    %edi,(%esp)
0xb659e487 <_ZNK5khtml12RenderObject11objectAboveEv+23>:        call   *0x1c(%eax)
0xb659e48a <_ZNK5khtml12RenderObject11objectAboveEv+26>:        test   %eax,%eax
0xb659e48c <_ZNK5khtml12RenderObject11objectAboveEv+28>:        mov    %eax,%esi
0xb659e48e <_ZNK5khtml12RenderObject11objectAboveEv+30>:        jne    0xb659e494 <_ZNK5khtml12RenderObject11objectAboveEv+36>
0xb659e490 <_ZNK5khtml12RenderObject11objectAboveEv+32>:        jmp    0xb659e4a4 <_ZNK5khtml12RenderObject11objectAboveEv+52>
0xb659e492 <_ZNK5khtml12RenderObject11objectAboveEv+34>:        mov    %eax,%esi
0xb659e494 <_ZNK5khtml12RenderObject11objectAboveEv+36>:        mov    (%esi),%eax
0xb659e496 <_ZNK5khtml12RenderObject11objectAboveEv+38>:        mov    %esi,(%esp)
0xb659e499 <_ZNK5khtml12RenderObject11objectAboveEv+41>:        call   *0x1c(%eax)
0xb659e49c <_ZNK5khtml12RenderObject11objectAboveEv+44>:        test   %eax,%eax
0xb659e49e <_ZNK5khtml12RenderObject11objectAboveEv+46>:        mov    %esi,%esi
0xb659e4a0 <_ZNK5khtml12RenderObject11objectAboveEv+48>:        jne    0xb659e492 <_ZNK5khtml12RenderObject11objectAboveEv+34>
0xb659e4a2 <_ZNK5khtml12RenderObject11objectAboveEv+50>:        mov    %esi,%edi
0xb659e4a4 <_ZNK5khtml12RenderObject11objectAboveEv+52>:        add    $0x10,%esp
0xb659e4a7 <_ZNK5khtml12RenderObject11objectAboveEv+55>:        mov    %edi,%eax
0xb659e4a9 <_ZNK5khtml12RenderObject11objectAboveEv+57>:        pop    %esi
0xb659e4aa <_ZNK5khtml12RenderObject11objectAboveEv+58>:        pop    %edi
0xb659e4ab <_ZNK5khtml12RenderObject11objectAboveEv+59>:        pop    %ebp
0xb659e4ac <_ZNK5khtml12RenderObject11objectAboveEv+60>:        ret
0xb659e4ad <_ZNK5khtml12RenderObject11objectAboveEv+61>:        mov    0xc(%eax),%edi parent()
0xb659e4b0 <_ZNK5khtml12RenderObject11objectAboveEv+64>:        add    $0x10,%esp
0xb659e4b3 <_ZNK5khtml12RenderObject11objectAboveEv+67>:        pop    %esi
0xb659e4b4 <_ZNK5khtml12RenderObject11objectAboveEv+68>:        mov    %edi,%eax
0xb659e4b6 <_ZNK5khtml12RenderObject11objectAboveEv+70>:        pop    %edi
0xb659e4b7 <_ZNK5khtml12RenderObject11objectAboveEv+71>:        pop    %ebp
0xb659e4b8 <_ZNK5khtml12RenderObject11objectAboveEv+72>:        ret
End of assembler dump.

It looks like this is NULL, which looks reasonable when looking at the caller:
khtml_part.cpp:3112 khtml::RenderObject* obj = d->m_findNode ? d->m_findNode->renderer() : 0;
...
obj = (options & KFindDialog::FindBackwards) ? obj->objectAbove() : obj->objectBelow();
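The null dereference the reporter traces above, modelled as an added example (not KDE's code): a small render-tree walker with objectAbove()/objectBelow() and a findTextNext()-style loop carrying the guard the fix adds; the struct, the constructed tree and the function names are assumptions made for this illustration.

```cpp
#include <string>
// Minimal model of khtml's render tree (added example, not KDE code). objectAbove()
// reads previousSibling first, so a null 'this' faults exactly where the reporter marked.
struct RenderObject {
    RenderObject *parent = nullptr, *previousSibling = nullptr, *nextSibling = nullptr;
    RenderObject *firstChild = nullptr, *lastChild = nullptr;
    std::string text;  // non-empty for text renderers

    // Previous object in document order; null once the root is reached.
    const RenderObject* objectAbove() const {
        const RenderObject* o = previousSibling;
        if (!o) return parent;
        while (o->lastChild) o = o->lastChild;  // previous sibling's deepest last descendant
        return o;
    }
    // Next object in document order; null after the last object.
    const RenderObject* objectBelow() const {
        if (firstChild) return firstChild;
        for (const RenderObject* o = this; o; o = o->parent)
            if (o->nextSibling) return o->nextSibling;
        return nullptr;
    }
};

// Analogue of the findTextNext() loop. 'obj' is null when the find node has no
// renderer; the leading null test is what the fix's "else if ( obj )" adds.
const RenderObject* nextTextObject(const RenderObject* obj, const RenderObject* end, bool backwards) {
    if (obj == end || !obj) return nullptr;
    do {
        obj = backwards ? obj->objectAbove() : obj->objectBelow();
    } while (obj && obj != end && obj->text.empty());  // obj may go null at the tree's ends
    return (obj && obj != end) ? obj : nullptr;
}

// Constructed tree: root -> div1 -> "first", root -> div2 -> "second".
RenderObject gRoot, gDiv1, gTextA, gDiv2, gTextB;
static void addChild(RenderObject& p, RenderObject& c) {
    c.parent = &p;
    c.previousSibling = p.lastChild;
    if (p.lastChild) p.lastChild->nextSibling = &c; else p.firstChild = &c;
    p.lastChild = &c;
}

void buildDemoTree() {
    gRoot = gDiv1 = gTextA = gDiv2 = gTextB = RenderObject{};  // reset, safe to call twice
    gTextA.text = "first"; gTextB.text = "second";
    addChild(gRoot, gDiv1); addChild(gDiv1, gTextA);
    addChild(gRoot, gDiv2); addChild(gDiv2, gTextB);
}
```

Passing a null starting object returns "not found" instead of faulting, and the loop's own null test covers the case where backwards traversal climbs past the root.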
Comment 1 Martin Koller 2007-01-03 18:40:05 UTC
I can easily reproduce this with any page (current SVN head):
start find for something, press F3, Shift F3, F3, Shift F3 -> crash
Comment 2 Martin Koller 2007-01-03 18:45:13 UTC
SVN commit 619552 by mkoller:

BUG: 139488

Avoid 0-pointer deref


 M  +1 -1      khtml_part.cpp  


--- branches/KDE/3.5/kdelibs/khtml/khtml_part.cpp #619551:619552
@@ -3119,7 +3119,7 @@
     khtml::RenderObject* end = d->m_findNodeEnd ? d->m_findNodeEnd->renderer() : 0;
     if ( obj == end )
       obj = 0L;
-    else
+    else if ( obj )
     {
       do {
         obj = (options & KFindDialog::FindBackwards) ? obj->objectAbove() : obj->objectBelow();
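Review bot: the new `else if ( obj )` only guards the value of `obj` on entry to the loop; inside the `do { ... }` body `obj` is reassigned on every iteration from `obj->objectAbove()` / `obj->objectBelow()`, and the reporter's disassembly shows objectAbove() falls back to parent() when there is no previous sibling, which is null at the root. The loop condition is cut off in this hunk, so please confirm it tests `obj` (e.g. `while ( obj && ... )`) before the next `obj->` dereference; otherwise alternating F3/Shift-F3 at the edges of the document can still reach the same null-`this` crash in objectAbove() that the backtrace shows. A short regression note in the commit message describing that alternation sequence would also help future readers.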