Version: (using KDE KDE 3.5.5)
Installed from: Compiled From Sources
Compiler: gcc 3.5.5
OS: Linux

A simple page with a <select onchange="submit()"> on it will crash konqueror with a segmentation fault when the onchange handler is executed. However, the crash only occurs if the page has text/xml as its content type. I have verified this with KDE 3.5.5 and KDE 3.5.1, both compiled from sources on Debian. I have also verified this with KDE 3.5.5 on Ubuntu.

The backtrace from the KDE crash handler with version 3.5.5 on Debian is:

Using host libthread_db library "/lib/tls/libthread_db.so.1".
[Thread debugging using libthread_db enabled]
[New Thread -1233849696 (LWP 8705)]
[KCrash handler]
#5  0xb637d9c7 in KJS::HTMLElementFunction::tryCall () from /opt/kde/3.5.5/lib/libkhtml.so.4
#6  0xb6349d74 in KJS::DOMFunction::call () from /opt/kde/3.5.5/lib/libkhtml.so.4
#7  0xb6091bf9 in KJS::Object::call () from /opt/kde/3.5.5/lib/libkjs.so.1
#8  0xb60a041b in KJS::FunctionCallNode::evaluate () from /opt/kde/3.5.5/lib/libkjs.so.1
#9  0xb609cdc3 in KJS::ExprStatementNode::execute () from /opt/kde/3.5.5/lib/libkjs.so.1
#10 0xb60998de in KJS::SourceElementsNode::execute () from /opt/kde/3.5.5/lib/libkjs.so.1
#11 0xb6083ded in KJS::BlockNode::execute () from /opt/kde/3.5.5/lib/libkjs.so.1
#12 0xb6083a0c in KJS::DeclaredFunctionImp::execute () from /opt/kde/3.5.5/lib/libkjs.so.1
#13 0xb60a7070 in KJS::FunctionImp::call () from /opt/kde/3.5.5/lib/libkjs.so.1
#14 0xb6091bf9 in KJS::Object::call () from /opt/kde/3.5.5/lib/libkjs.so.1
#15 0xb63cb877 in KJS::JSEventListener::handleEvent () from /opt/kde/3.5.5/lib/libkhtml.so.4
#16 0xb63cbb20 in KJS::JSLazyEventListener::handleEvent () from /opt/kde/3.5.5/lib/libkhtml.so.4
#17 0xb6238300 in DOM::NodeImpl::handleLocalEvents () from /opt/kde/3.5.5/lib/libkhtml.so.4
#18 0xb62384b3 in DOM::NodeImpl::dispatchGenericEvent () from /opt/kde/3.5.5/lib/libkhtml.so.4
#19 0xb62388e5 in DOM::NodeImpl::dispatchEvent () from /opt/kde/3.5.5/lib/libkhtml.so.4
#20 0xb623b011 in DOM::NodeImpl::dispatchHTMLEvent () from /opt/kde/3.5.5/lib/libkhtml.so.4
#21 0xb62576e5 in DOM::HTMLGenericFormElementImpl::onChange () from /opt/kde/3.5.5/lib/libkhtml.so.4
#22 0xb62d84a4 in khtml::RenderSelect::slotSelected () from /opt/kde/3.5.5/lib/libkhtml.so.4
#23 0xb62d85c4 in khtml::RenderSelect::qt_invoke () from /opt/kde/3.5.5/lib/libkhtml.so.4
#24 0xb6e26b44 in QObject::activate_signal () from /opt/kde/3.5.5/lib/libqt-mt.so.3
#25 0xb6e2710a in QObject::activate_signal () from /opt/kde/3.5.5/lib/libqt-mt.so.3
#26 0xb7185160 in QComboBox::activated () from /opt/kde/3.5.5/lib/libqt-mt.so.3
#27 0xb6ec8c1e in QComboBox::internalActivate () from /opt/kde/3.5.5/lib/libqt-mt.so.3
#28 0xb71853e0 in QComboBox::qt_invoke () from /opt/kde/3.5.5/lib/libqt-mt.so.3
#29 0xb77b0913 in KComboBox::qt_invoke () from /opt/kde/3.5.5/lib/libkdeui.so.4
#30 0xb6e26b44 in QObject::activate_signal () from /opt/kde/3.5.5/lib/libqt-mt.so.3
#31 0xb6e2710a in QObject::activate_signal () from /opt/kde/3.5.5/lib/libqt-mt.so.3
#32 0xb718d821 in QListBox::selected () from /opt/kde/3.5.5/lib/libqt-mt.so.3
#33 0xb6f08732 in QListBox::mouseDoubleClickEvent () from /opt/kde/3.5.5/lib/libqt-mt.so.3
#34 0xb6e60de7 in QWidget::event () from /opt/kde/3.5.5/lib/libqt-mt.so.3
#35 0xb6dc166f in QApplication::internalNotify () from /opt/kde/3.5.5/lib/libqt-mt.so.3
#36 0xb6dc1a1b in QApplication::notify () from /opt/kde/3.5.5/lib/libqt-mt.so.3
#37 0xb7539406 in KApplication::notify () from /opt/kde/3.5.5/lib/libkdecore.so.4
#38 0xb6ec9947 in QComboBox::eventFilter () from /opt/kde/3.5.5/lib/libqt-mt.so.3
#39 0xb77ae94b in KComboBox::eventFilter () from /opt/kde/3.5.5/lib/libkdeui.so.4
#40 0xb62a99e5 in khtml::ComboBoxWidget::eventFilter () from /opt/kde/3.5.5/lib/libkhtml.so.4
#41 0xb6e23b6f in QObject::activate_filters () from /opt/kde/3.5.5/lib/libqt-mt.so.3
#42 0xb6e23c42 in QObject::event () from /opt/kde/3.5.5/lib/libqt-mt.so.3
#43 0xb6e608bf in QWidget::event () from /opt/kde/3.5.5/lib/libqt-mt.so.3
#44 0xb6dc166f in QApplication::internalNotify () from /opt/kde/3.5.5/lib/libqt-mt.so.3
#45 0xb6dc1a1b in QApplication::notify () from /opt/kde/3.5.5/lib/libqt-mt.so.3
#46 0xb7539406 in KApplication::notify () from /opt/kde/3.5.5/lib/libkdecore.so.4
#47 0xb6d56e8c in QETWidget::translateMouseEvent () from /opt/kde/3.5.5/lib/libqt-mt.so.3
#48 0xb6d54eb4 in QApplication::x11ProcessEvent () from /opt/kde/3.5.5/lib/libqt-mt.so.3
#49 0xb6d69606 in QEventLoop::processEvents () from /opt/kde/3.5.5/lib/libqt-mt.so.3
#50 0xb6dd81d0 in QEventLoop::enterLoop () from /opt/kde/3.5.5/lib/libqt-mt.so.3
#51 0xb6dd8126 in QEventLoop::exec () from /opt/kde/3.5.5/lib/libqt-mt.so.3
#52 0xb6dc078f in QApplication::exec () from /opt/kde/3.5.5/lib/libqt-mt.so.3
#53 0xb7ed9944 in kdemain () from /opt/kde/3.5.5/lib/libkdeinit_konqueror.so
#54 0x0804868e in main ()
Created attachment 19276
Simple bash CGI script that can be used to illustrate the error

If this script is executed on a web server, just accessing test.cgi and changing the select works fine. However, if ?xml is added to the URL, konqueror will crash when the onchange handler for the select is executed.
svn r622k

#6  0xb6193b26 in DOM::DocumentImpl::view (this=0x0) at dom_docimpl.h:281
#7  0xb62b7abc in KJS::HTMLElementFunction::tryCall (this=0x861da08, exec=0xbf89f510, thisObj=@0xbf89f300, args=@0xbf89f2f4) at kjs_html.cpp:2113
#8  0xb629e211 in KJS::DOMFunction::call (this=0x0, exec=0xbf89f510, thisObj=@0xbf89f300, args=@0xbf89f2f4) at kjs_binding.cpp:136
#9  0xb5f45bee in KJS::Object::call (this=0x0, exec=0xbf89f510, thisObj=@0xbf89f300, args=@0xbf89f2f4) at object.cpp:73
#10 0xb5f0fd1f in KJS::FunctionCallNode::evaluate (this=0x9124480, exec=0xbf89f510) at nodes.cpp:870
#11 0xb5f143e8 in KJS::ExprStatementNode::execute (this=0x94f6dd0, exec=0xbf89f510) at nodes.cpp:1980
#12 0xb5f19718 in KJS::SourceElementsNode::execute (this=0x8f995b8, exec=0xbf89f510) at nodes.cpp:3091
#13 0xb5f1423e in KJS::BlockNode::execute (this=0x87c34c0, exec=0xbf89f510) at nodes.cpp:1942
#14 0xb5f3fbdf in KJS::DeclaredFunctionImp::execute (this=0x0, exec=0xbf89f510) at function.cpp:588
#15 0xb5f3f09b in KJS::FunctionImp::call (this=0x9001b40, exec=0x8f6ed20, thisObj=@0xbf89f620, args=@0xbf89f600) at function.cpp:363
#16 0xb5f45bee in KJS::Object::call (this=0x0, exec=0x8f6ed20, thisObj=@0xbf89f620, args=@0xbf89f600) at object.cpp:73
#17 0xb631deb8 in KJS::JSEventListener::handleEvent (this=0x90f5268, evt=@0xbf89f694) at kjs_events.cpp:96
#18 0xb631e01c in KJS::JSLazyEventListener::handleEvent (this=0x90f5268, evt=@0xbf89f694) at kjs_events.cpp:152
#19 0xb619ba0d in DOM::NodeImpl::handleLocalEvents (this=0x88d67f8, evt=0x9301280, useCapture=false) at dom_nodeimpl.cpp:602
#20 0xb619bc6a in DOM::NodeImpl::dispatchGenericEvent (this=0x88d67f8, evt=0x9301280) at dom_nodeimpl.cpp:379
#21 0xb619c10b in DOM::NodeImpl::dispatchEvent (this=0x88d67f8, evt=0x9301280, exceptioncode=@0xbf89f798, tempEvent=true) at dom_nodeimpl.cpp:342
#22 0xb619d603 in DOM::NodeImpl::dispatchHTMLEvent (this=0x88d67f8, _id=22, canBubbleArg=true, cancelableArg=132) at dom_nodeimpl.cpp:423
#23 0xb61d8180 in DOM::HTMLGenericFormElementImpl::onChange (this=0x88d67f8) at html_formimpl.cpp:938
#24 0xb624a84d in khtml::RenderSelect::slotSelected (this=0x97de42c, index=) at render_form.cpp:1175
3.5.8 crashes still, fortunately konqueror 4.0.+ doesn't.

==16315== Invalid read of size 4
==16315==    at 0x77605EB: KJS::HTMLElementFunction::tryCall(KJS::ExecState*, KJS::Object&, KJS::List const&) (dom_docimpl.h:284)
==16315==    by 0x77534F3: KJS::DOMFunction::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (kjs_binding.cpp:136)
==16315==    by 0x78E06A8: KJS::Object::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (object.cpp:73)
==16315==    by 0x78F0C20: KJS::FunctionCallNode::evaluate(KJS::ExecState*) const (nodes.cpp:870)
==16315==    by 0x78EDD2D: KJS::ExprStatementNode::execute(KJS::ExecState*) (nodes.cpp:1980)
==16315==    by 0x78EA197: KJS::SourceElementsNode::execute(KJS::ExecState*) (nodes.cpp:3108)
==16315==    by 0x78DDC68: KJS::BlockNode::execute(KJS::ExecState*) (nodes.cpp:1942)
==16315==    by 0x78DDAC5: KJS::DeclaredFunctionImp::execute(KJS::ExecState*) (function.cpp:613)
==16315==    by 0x78DF9F3: KJS::FunctionImp::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (function.cpp:373)
==16315==    by 0x78E06A8: KJS::Object::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (object.cpp:73)
==16315==    by 0x776CA3B: KJS::JSEventListener::handleEvent(DOM::Event&) (kjs_events.cpp:96)
I can still reproduce this in 3.5.9, trunk r798768 still works fine.
No crash in konq 4.0.3. Closing.