Bug 140051 - [test case] onchange="submit()" crashes konqueror if content-type is text/xml
Summary: [test case] onchange="submit()" crashes konqueror if content-type is text/xml
Status: RESOLVED WORKSFORME
Alias: None
Product: konqueror
Classification: Applications
Component: khtml
Version: 3.5
Platform: Compiled Sources Linux
: NOR crash
Target Milestone: ---
Assignee: Konqueror Developers
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-01-14 10:50 UTC by Klaus S. Madsen
Modified: 2008-04-25 09:55 UTC

See Also:
Latest Commit:
Version Fixed In:


Attachments
Simple bash CGI script that can be used to illustrate the error (568 bytes, text/plain)
2007-01-14 10:52 UTC, Klaus S. Madsen

Description Klaus S. Madsen 2007-01-14 10:50:08 UTC
Version:            (using KDE KDE 3.5.5)
Installed from:    Compiled From Sources
Compiler:          gcc 3.5.5 
OS:                Linux

A simple page with a <select onchange="submit()"> on it will crash konqueror with a segmentation fault when the onchange handler is executed. However, the crash only occurs if the page has text/xml as its content type.

I have verified this with KDE 3.5.5 and KDE 3.5.1 both compiled from sources on Debian. I have also verified this with KDE 3.5.5 on Ubuntu.

The backtrace from the kde crash handler with version 3.5.5 on Debian is:

Using host libthread_db library "/lib/tls/libthread_db.so.1".
[Thread debugging using libthread_db enabled]
[New Thread -1233849696 (LWP 8705)]
[KCrash handler]
#5  0xb637d9c7 in KJS::HTMLElementFunction::tryCall ()
   from /opt/kde/3.5.5/lib/libkhtml.so.4
#6  0xb6349d74 in KJS::DOMFunction::call ()
   from /opt/kde/3.5.5/lib/libkhtml.so.4
#7  0xb6091bf9 in KJS::Object::call () from /opt/kde/3.5.5/lib/libkjs.so.1
#8  0xb60a041b in KJS::FunctionCallNode::evaluate ()
   from /opt/kde/3.5.5/lib/libkjs.so.1
#9  0xb609cdc3 in KJS::ExprStatementNode::execute ()
   from /opt/kde/3.5.5/lib/libkjs.so.1
#10 0xb60998de in KJS::SourceElementsNode::execute ()
   from /opt/kde/3.5.5/lib/libkjs.so.1
#11 0xb6083ded in KJS::BlockNode::execute ()
   from /opt/kde/3.5.5/lib/libkjs.so.1
#12 0xb6083a0c in KJS::DeclaredFunctionImp::execute ()
   from /opt/kde/3.5.5/lib/libkjs.so.1
#13 0xb60a7070 in KJS::FunctionImp::call () from /opt/kde/3.5.5/lib/libkjs.so.1
#14 0xb6091bf9 in KJS::Object::call () from /opt/kde/3.5.5/lib/libkjs.so.1
#15 0xb63cb877 in KJS::JSEventListener::handleEvent ()
   from /opt/kde/3.5.5/lib/libkhtml.so.4
#16 0xb63cbb20 in KJS::JSLazyEventListener::handleEvent ()
   from /opt/kde/3.5.5/lib/libkhtml.so.4
#17 0xb6238300 in DOM::NodeImpl::handleLocalEvents ()
   from /opt/kde/3.5.5/lib/libkhtml.so.4
#18 0xb62384b3 in DOM::NodeImpl::dispatchGenericEvent ()
   from /opt/kde/3.5.5/lib/libkhtml.so.4
#19 0xb62388e5 in DOM::NodeImpl::dispatchEvent ()
   from /opt/kde/3.5.5/lib/libkhtml.so.4
#20 0xb623b011 in DOM::NodeImpl::dispatchHTMLEvent ()
   from /opt/kde/3.5.5/lib/libkhtml.so.4
#21 0xb62576e5 in DOM::HTMLGenericFormElementImpl::onChange ()
   from /opt/kde/3.5.5/lib/libkhtml.so.4
#22 0xb62d84a4 in khtml::RenderSelect::slotSelected ()
   from /opt/kde/3.5.5/lib/libkhtml.so.4
#23 0xb62d85c4 in khtml::RenderSelect::qt_invoke ()
   from /opt/kde/3.5.5/lib/libkhtml.so.4
#24 0xb6e26b44 in QObject::activate_signal ()
   from /opt/kde/3.5.5/lib/libqt-mt.so.3
#25 0xb6e2710a in QObject::activate_signal ()
   from /opt/kde/3.5.5/lib/libqt-mt.so.3
#26 0xb7185160 in QComboBox::activated () from /opt/kde/3.5.5/lib/libqt-mt.so.3
#27 0xb6ec8c1e in QComboBox::internalActivate ()
   from /opt/kde/3.5.5/lib/libqt-mt.so.3
#28 0xb71853e0 in QComboBox::qt_invoke () from /opt/kde/3.5.5/lib/libqt-mt.so.3
#29 0xb77b0913 in KComboBox::qt_invoke () from /opt/kde/3.5.5/lib/libkdeui.so.4
#30 0xb6e26b44 in QObject::activate_signal ()
   from /opt/kde/3.5.5/lib/libqt-mt.so.3
#31 0xb6e2710a in QObject::activate_signal ()
   from /opt/kde/3.5.5/lib/libqt-mt.so.3
#32 0xb718d821 in QListBox::selected () from /opt/kde/3.5.5/lib/libqt-mt.so.3
#33 0xb6f08732 in QListBox::mouseDoubleClickEvent ()
   from /opt/kde/3.5.5/lib/libqt-mt.so.3
#34 0xb6e60de7 in QWidget::event () from /opt/kde/3.5.5/lib/libqt-mt.so.3
#35 0xb6dc166f in QApplication::internalNotify ()
   from /opt/kde/3.5.5/lib/libqt-mt.so.3
#36 0xb6dc1a1b in QApplication::notify () from /opt/kde/3.5.5/lib/libqt-mt.so.3
#37 0xb7539406 in KApplication::notify ()
   from /opt/kde/3.5.5/lib/libkdecore.so.4
#38 0xb6ec9947 in QComboBox::eventFilter ()
   from /opt/kde/3.5.5/lib/libqt-mt.so.3
#39 0xb77ae94b in KComboBox::eventFilter ()
   from /opt/kde/3.5.5/lib/libkdeui.so.4
#40 0xb62a99e5 in khtml::ComboBoxWidget::eventFilter ()
   from /opt/kde/3.5.5/lib/libkhtml.so.4
#41 0xb6e23b6f in QObject::activate_filters ()
   from /opt/kde/3.5.5/lib/libqt-mt.so.3
#42 0xb6e23c42 in QObject::event () from /opt/kde/3.5.5/lib/libqt-mt.so.3
#43 0xb6e608bf in QWidget::event () from /opt/kde/3.5.5/lib/libqt-mt.so.3
#44 0xb6dc166f in QApplication::internalNotify ()
   from /opt/kde/3.5.5/lib/libqt-mt.so.3
#45 0xb6dc1a1b in QApplication::notify () from /opt/kde/3.5.5/lib/libqt-mt.so.3
#46 0xb7539406 in KApplication::notify ()
   from /opt/kde/3.5.5/lib/libkdecore.so.4
#47 0xb6d56e8c in QETWidget::translateMouseEvent ()
   from /opt/kde/3.5.5/lib/libqt-mt.so.3
#48 0xb6d54eb4 in QApplication::x11ProcessEvent ()
   from /opt/kde/3.5.5/lib/libqt-mt.so.3
#49 0xb6d69606 in QEventLoop::processEvents ()
   from /opt/kde/3.5.5/lib/libqt-mt.so.3
#50 0xb6dd81d0 in QEventLoop::enterLoop ()
   from /opt/kde/3.5.5/lib/libqt-mt.so.3
#51 0xb6dd8126 in QEventLoop::exec () from /opt/kde/3.5.5/lib/libqt-mt.so.3
#52 0xb6dc078f in QApplication::exec () from /opt/kde/3.5.5/lib/libqt-mt.so.3
#53 0xb7ed9944 in kdemain () from /opt/kde/3.5.5/lib/libkdeinit_konqueror.so
#54 0x0804868e in main ()
Comment 1 Klaus S. Madsen 2007-01-14 10:52:46 UTC
Created attachment 19276 [details]
Simple bash CGI script that can be used to illustrate the error

If this script is executed on a web server, just accessing test.cgi and
changing the select works fine. However, if ?xml is added to the URL, konqueror
will crash when the onchange handler for the select is executed.
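The description and comment 1 both reduce the bug to a single variable: the same form page works when served as text/html and crashes when served as text/xml. The CGI script below is an added, constructed stand-in for that test case (it is not attachment 19276 and not the reporter's script): it emits a form with a select whose onchange handler calls submit(), and switches the Content-Type to text/xml when the query string is "xml". The XML variant is written as namespaced XHTML on the assumption that KHTML's XML parser only creates HTML form elements for elements in the XHTML namespace; the HTML variant is plain HTML. When copied into a cgi-bin directory and made executable, ?xml selects the crashing case described above; run outside a web server it only defines the helper functions.

```shell
#!/bin/sh
# Constructed reproduction harness for the content-type difference described in
# the report (not the original attachment 19276). The only thing that changes
# between the two responses is the Content-Type header and the XML prologue/
# namespace needed to make the same markup well-formed XML.

# Map the CGI query string to the Content-Type the page is served with.
content_type_for() {
    case "$1" in
        xml) printf 'text/xml' ;;
        *)   printf 'text/html' ;;
    esac
}

# Body for the HTML variant: a form whose select submits as soon as it changes.
html_body() {
    cat <<'EOF'
<html>
<head><title>onchange submit test</title></head>
<body>
<form method="get" action="">
<select name="choice" onchange="submit()">
<option value="a">a</option>
<option value="b">b</option>
</select>
</form>
</body>
</html>
EOF
}

# Body for the XML variant: the identical form, but as well-formed XHTML with the
# XHTML namespace (assumption: the XML parser maps namespaced XHTML elements to
# the HTML element classes, so the select and form behave as in the HTML case).
xml_body() {
    cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>onchange submit test</title></head>
<body>
<form method="get" action="">
<select name="choice" onchange="submit()">
<option value="a">a</option>
<option value="b">b</option>
</select>
</form>
</body>
</html>
EOF
}

# Full CGI response (header block, blank line, body) for a given query string.
render_page() {
    ct=$(content_type_for "$1")
    printf 'Content-Type: %s\r\n\r\n' "$ct"
    if [ "$1" = "xml" ]; then xml_body; else html_body; fi
}

# Only emit a response when actually invoked by a web server as a CGI program;
# sourced or run by hand, the script just provides the functions above.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    render_page "${QUERY_STRING:-}"
fi
```

Because the markup is byte-for-byte the same apart from the XML prologue and namespace, a page rendered from this script isolates the parser path (HTML tokenizer versus XML parser) as the trigger, which is what the later backtraces (DocumentImpl::view called on a null document from HTMLElementFunction::tryCall) point at.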
Comment 2 Tommi Tervo 2007-01-30 14:55:50 UTC
svn r622k

#6  0xb6193b26 in DOM::DocumentImpl::view (this=0x0) at dom_docimpl.h:281
#7  0xb62b7abc in KJS::HTMLElementFunction::tryCall (this=0x861da08, 
    exec=0xbf89f510, thisObj=@0xbf89f300, args=@0xbf89f2f4)
    at kjs_html.cpp:2113
#8  0xb629e211 in KJS::DOMFunction::call (this=0x0, exec=0xbf89f510, 
    thisObj=@0xbf89f300, args=@0xbf89f2f4) at kjs_binding.cpp:136
#9  0xb5f45bee in KJS::Object::call (this=0x0, exec=0xbf89f510, 
    thisObj=@0xbf89f300, args=@0xbf89f2f4) at object.cpp:73
#10 0xb5f0fd1f in KJS::FunctionCallNode::evaluate (this=0x9124480, 
    exec=0xbf89f510) at nodes.cpp:870
#11 0xb5f143e8 in KJS::ExprStatementNode::execute (this=0x94f6dd0, 
    exec=0xbf89f510) at nodes.cpp:1980
#12 0xb5f19718 in KJS::SourceElementsNode::execute (this=0x8f995b8, 
    exec=0xbf89f510) at nodes.cpp:3091
#13 0xb5f1423e in KJS::BlockNode::execute (this=0x87c34c0, exec=0xbf89f510)
    at nodes.cpp:1942
#14 0xb5f3fbdf in KJS::DeclaredFunctionImp::execute (this=0x0, exec=0xbf89f510)
    at function.cpp:588
#15 0xb5f3f09b in KJS::FunctionImp::call (this=0x9001b40, exec=0x8f6ed20, 
    thisObj=@0xbf89f620, args=@0xbf89f600) at function.cpp:363
#16 0xb5f45bee in KJS::Object::call (this=0x0, exec=0x8f6ed20, 
    thisObj=@0xbf89f620, args=@0xbf89f600) at object.cpp:73
#17 0xb631deb8 in KJS::JSEventListener::handleEvent (this=0x90f5268, 
    evt=@0xbf89f694) at kjs_events.cpp:96
#18 0xb631e01c in KJS::JSLazyEventListener::handleEvent (this=0x90f5268, 
    evt=@0xbf89f694) at kjs_events.cpp:152
#19 0xb619ba0d in DOM::NodeImpl::handleLocalEvents (this=0x88d67f8, 
    evt=0x9301280, useCapture=false) at dom_nodeimpl.cpp:602
#20 0xb619bc6a in DOM::NodeImpl::dispatchGenericEvent (this=0x88d67f8, 
    evt=0x9301280) at dom_nodeimpl.cpp:379
#21 0xb619c10b in DOM::NodeImpl::dispatchEvent (this=0x88d67f8, evt=0x9301280, 
    exceptioncode=@0xbf89f798, tempEvent=true) at dom_nodeimpl.cpp:342
#22 0xb619d603 in DOM::NodeImpl::dispatchHTMLEvent (this=0x88d67f8, _id=22, 
    canBubbleArg=true, cancelableArg=132) at dom_nodeimpl.cpp:423
#23 0xb61d8180 in DOM::HTMLGenericFormElementImpl::onChange (this=0x88d67f8)
    at html_formimpl.cpp:938
#24 0xb624a84d in khtml::RenderSelect::slotSelected (this=0x97de42c, index=)
    at render_form.cpp:1175
Comment 3 Tommi Tervo 2008-01-22 16:11:39 UTC
3.5.8 still crashes; fortunately konqueror 4.0.+ doesn't.

==16315== Invalid read of size 4
==16315==    at 0x77605EB: KJS::HTMLElementFunction::tryCall(KJS::ExecState*, KJS::Object&, KJS::List const&) (dom_docimpl.h:284)
==16315==    by 0x77534F3: KJS::DOMFunction::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (kjs_binding.cpp:136)
==16315==    by 0x78E06A8: KJS::Object::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (object.cpp:73)
==16315==    by 0x78F0C20: KJS::FunctionCallNode::evaluate(KJS::ExecState*) const (nodes.cpp:870)
==16315==    by 0x78EDD2D: KJS::ExprStatementNode::execute(KJS::ExecState*) (nodes.cpp:1980)
==16315==    by 0x78EA197: KJS::SourceElementsNode::execute(KJS::ExecState*) (nodes.cpp:3108)
==16315==    by 0x78DDC68: KJS::BlockNode::execute(KJS::ExecState*) (nodes.cpp:1942)
==16315==    by 0x78DDAC5: KJS::DeclaredFunctionImp::execute(KJS::ExecState*) (function.cpp:613)
==16315==    by 0x78DF9F3: KJS::FunctionImp::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (function.cpp:373)
==16315==    by 0x78E06A8: KJS::Object::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (object.cpp:73)
==16315==    by 0x776CA3B: KJS::JSEventListener::handleEvent(DOM::Event&) (kjs_events.cpp:96)
Comment 4 Michael Leupold 2008-04-20 14:29:37 UTC
I can still reproduce this in 3.5.9, trunk r798768 still works fine.
Comment 5 James Spahlinger 2008-04-25 09:55:43 UTC
No crash in konq 4.0.3. Closing.