Bug 143809 - Konqueror crashes on certain websites
Status: RESOLVED WORKSFORME
Alias: None
Product: konqueror
Classification: Applications
Component: khtml
Version: 3.5
Platform: Fedora RPMs Linux
Importance: NOR crash
Target Milestone: ---
Assignee: Konqueror Developers
Reported: 2007-04-03 22:13 UTC by keith
Modified: 2008-04-21 10:36 UTC



Attachments:
valgrind output (21.32 KB, text/plain), 2007-04-04 14:02 UTC, keith
Another dump from valgrind with complete output (34.37 KB, text/plain), 2007-04-04 15:04 UTC, keith

Description keith 2007-04-03 22:13:10 UTC
Version: (using KDE 3.5.6)
Installed from: Fedora RPMs

When trying to visit certain sites, Konqueror will crash.

E.g. trying to click on the following link, after doing a Google search for 'black walnut' (without the single quote marks), will make Konqueror crash:

Black Walnut - Wikipedia, the free encyclopedia
The Black Walnut or American Walnut (Juglans nigra L.) is a native of eastern ... The Black Walnut produces a substance that is toxic or "allelopathic" to ...
en.wikipedia.org/wiki/Black_Walnut - 30k - Cached

http://en.wikipedia.org/wiki/Black_Walnut

Konqueror crashes, and the KDE crash handler appears.

When I click on the backtrace tab, this is all the debugging output I get:

(no debugging symbols found)
Using host libthread_db library "/lib/libthread_db.so.1".
[Thread debugging using libthread_db enabled]
[New Thread -1208514336 (LWP 3396)]
[KCrash handler]
#6  0x01ddabc8 in ?? ()
#7  0x022a2bdc in DOM::HTMLAreaElementImpl::parseAttribute ()
   from /usr/lib/libkhtml.so.4
#8  0x022732d6 in DOM::ElementImpl::setAttributeMap ()
   from /usr/lib/libkhtml.so.4
#9  0x0228a980 in khtml::KHTMLParser::parseToken () from /usr/lib/libkhtml.so.4
#10 0x0228b758 in khtml::HTMLTokenizer::processToken ()
   from /usr/lib/libkhtml.so.4
#11 0x0228f9f6 in khtml::HTMLTokenizer::parseTag () from /usr/lib/libkhtml.so.4
#12 0x02290510 in khtml::HTMLTokenizer::write () from /usr/lib/libkhtml.so.4
#13 0x0228d1f3 in khtml::HTMLTokenizer::notifyFinished ()
   from /usr/lib/libkhtml.so.4
#14 0x0236a475 in khtml::CachedScript::checkNotify ()
   from /usr/lib/libkhtml.so.4
#15 0x0236d24b in khtml::CachedScript::data () from /usr/lib/libkhtml.so.4
#16 0x02369e0e in khtml::Loader::slotFinished () from /usr/lib/libkhtml.so.4
#17 0x0236a06d in khtml::Loader::qt_invoke () from /usr/lib/libkhtml.so.4
#18 0x04e7cbea in QObject::activate_signal ()
   from /usr/lib/qt-3.3/lib/libqt-mt.so.3
#19 0x0737a1b7 in KIO::Job::result () from /usr/lib/libkio.so.4
#20 0x0738084d in KIO::Job::emitResult () from /usr/lib/libkio.so.4
#21 0x07380fa0 in KIO::SimpleJob::slotFinished () from /usr/lib/libkio.so.4
#22 0x0738134d in KIO::TransferJob::slotFinished () from /usr/lib/libkio.so.4
#23 0x0737f1fa in KIO::TransferJob::qt_invoke () from /usr/lib/libkio.so.4
#24 0x04e7cbea in QObject::activate_signal ()
   from /usr/lib/qt-3.3/lib/libqt-mt.so.3
#25 0x04e7d71d in QObject::activate_signal ()
   from /usr/lib/qt-3.3/lib/libqt-mt.so.3
#26 0x07368151 in KIO::SlaveInterface::finished () from /usr/lib/libkio.so.4
#27 0x0736963e in KIO::SlaveInterface::dispatch () from /usr/lib/libkio.so.4
#28 0x0736a180 in KIO::SlaveInterface::dispatch () from /usr/lib/libkio.so.4
#29 0x07364fed in KIO::Slave::gotInput () from /usr/lib/libkio.so.4
#30 0x07367098 in KIO::Slave::qt_invoke () from /usr/lib/libkio.so.4
#31 0x04e7cbea in QObject::activate_signal ()
   from /usr/lib/qt-3.3/lib/libqt-mt.so.3
#32 0x04e7d5c2 in QObject::activate_signal ()
   from /usr/lib/qt-3.3/lib/libqt-mt.so.3
#33 0x05209910 in QSocketNotifier::activated ()
   from /usr/lib/qt-3.3/lib/libqt-mt.so.3
#34 0x04e9d7d0 in QSocketNotifier::event ()
   from /usr/lib/qt-3.3/lib/libqt-mt.so.3
#35 0x04e13e6b in QApplication::internalNotify ()
   from /usr/lib/qt-3.3/lib/libqt-mt.so.3
#36 0x04e152e9 in QApplication::notify ()
   from /usr/lib/qt-3.3/lib/libqt-mt.so.3
#37 0x06ca256e in KApplication::notify () from /usr/lib/libkdecore.so.4
#38 0x04e07631 in QEventLoop::activateSocketNotifiers ()
   from /usr/lib/qt-3.3/lib/libqt-mt.so.3
#39 0x04dbc1c1 in QEventLoop::processEvents ()
   from /usr/lib/qt-3.3/lib/libqt-mt.so.3
#40 0x04e2d3f0 in QEventLoop::enterLoop ()
   from /usr/lib/qt-3.3/lib/libqt-mt.so.3
#41 0x04e2d2a6 in QEventLoop::exec () from /usr/lib/qt-3.3/lib/libqt-mt.so.3
#42 0x04e1397f in QApplication::exec () from /usr/lib/qt-3.3/lib/libqt-mt.so.3
#43 0x004faa74 in kdemain () from /usr/lib/libkdeinit_konqueror.so
#44 0x08048472 in ?? ()
#45 0x00b36f2c in __libc_start_main () from /lib/libc.so.6
#46 0x080483c1 in ?? ()

How can I enable the KDE crash handler so I can send in a complete backtrace with all debugging symbols enabled please?
Comment 1 Maksim Orlovich 2007-04-03 22:41:27 UTC
Can't confirm, but your backtrace is already pretty good -- you can probably get line numbers by installing kdelibs-debug package, but I doubt they would help all that much in this case.
Comment 2 Maksim Orlovich 2007-04-03 22:58:45 UTC
Forgot to ask: can you trigger the problem consistently?
Comment 3 keith 2007-04-03 23:59:55 UTC
Thanks Maksim. I have installed the kde-debuginfo package. The problem still occurs. Konqueror starts to load the page, then crashes. I have rebooted my machine to reclaim some memory, but this has not cured the problem.

The backtrace looks the same with kde-debuginfo installed. No extra line numbers available in the output.

Comment 4 Tommi Tervo 2007-04-04 10:08:01 UTC
Could you try valgrind? 
valgrind --tool=memcheck konqueror
Comment 5 keith 2007-04-04 13:31:40 UTC
Thanks for that Tommi. I have run Konqueror through valgrind and here is the output from the KDE Crash Handler:

This backtrace appears to be of no use.
This is probably because your packages are built in a way which prevents creation of proper backtraces, or the stack frame was seriously corrupted in the crash.

(no debugging symbols found)
Using host libthread_db library "/lib/libthread_db.so.1".
(no debugging symbols found)
0x3805958c in ?? ()
#0  0x3805958c in ?? ()
#1  0x621bbeec in ?? ()
#2  0x38ae92dc in ?? ()
#3  0x000000a2 in ?? ()
#4  0x38bff060 in ?? ()
#5  0x3804be69 in ?? ()
#6  0x000000a2 in ?? ()
#7  0x38ae92dc in ?? ()
#8  0x621bbeb8 in ?? ()
#9  0x621bbeb0 in ?? ()
#10 0x00000008 in ?? ()
#11 0x621bbe48 in ?? ()
#12 0x621a8236 in ?? ()
#13 0x06d25485 in ?? ()
#14 0xbe828a9c in ?? ()
#15 0x00000000 in ?? ()

More importantly, here is the console output from valgrind:

$ valgrind --tool=memcheck konqueror
==8537== Memcheck, a memory error detector.
==8537== Copyright (C) 2002-2006, and GNU GPL'd, by Julian Seward et al.
==8537== Using LibVEX rev 1658, a library for dynamic binary translation.
==8537== Copyright (C) 2004-2006, and GNU GPL'd, by OpenWorks LLP.
==8537== Using valgrind-3.2.1, a dynamic binary instrumentation framework.
==8537== Copyright (C) 2000-2006, and GNU GPL'd, by Julian Seward et al.
==8537== For more details, rerun with: -v
==8537==
==8537== Syscall param writev(vector[...]) points to uninitialised byte(s)
==8537==    at 0xBE6B78: writev (in /lib/libc-2.5.so)
==8537==    by 0xCFF93D: (within /usr/lib/libX11.so.6.2.0)
==8537==    by 0xCFF72E: _X11TransWritev (in /usr/lib/libX11.so.6.2.0)
==8537==    by 0xD05418: _XSend (in /usr/lib/libX11.so.6.2.0)
==8537==    by 0xCF633A: XQueryExtension (in /usr/lib/libX11.so.6.2.0)
==8537==    by 0xCEAC5A: XInitExtension (in /usr/lib/libX11.so.6.2.0)
==8537==    by 0x2C8CFF: XFixesFindDisplay (in /usr/lib/libXfixes.so.3.1.0)
==8537==    by 0x2C775E: XFixesSetCursorName (in /usr/lib/libXfixes.so.3.1.0)
==8537==    by 0x2BD9A6: XcursorImagesLoadCursor (in /usr/lib/libXcursor.so.1.0.2)
==8537==    by 0x2C0870: XcursorLibraryLoadCursor (in /usr/lib/libXcursor.so.1.0.2)
==8537==    by 0x4DB46AE: QCursor::update() const (in /usr/lib/qt-3.3/lib/libqt-mt.so.3.3.7)
==8537==    by 0x4DB4A73: QCursor::handle() const (in /usr/lib/qt-3.3/lib/libqt-mt.so.3.3.7)
==8537==  Address 0x403F061 is 257 bytes inside a block of size 16,384 alloc'd
==8537==    at 0x400473F: calloc (vg_replace_malloc.c:279)
==8537==    by 0xCF03B6: XOpenDisplay (in /usr/lib/libX11.so.6.2.0)
==8537==    by 0x4DA74EF: qt_init_internal(int*, char**, _XDisplay*, unsigned long, unsigned long) (in /usr/lib/qt-3.3/lib/libqt-mt.so.3.3.7)
==8537==    by 0x4DA7DFB: qt_init(int*, char**, QApplication::Type) (in /usr/lib/qt-3.3/lib/libqt-mt.so.3.3.7)
==8537==    by 0x4E19122: QApplication::construct(int&, char**, QApplication::Type) (in /usr/lib/qt-3.3/lib/libqt-mt.so.3.3.7)
==8537==    by 0x4E1953A: QApplication::QApplication(int&, char**, bool) (in /usr/lib/qt-3.3/lib/libqt-mt.so.3.3.7)
==8537==    by 0x6CA1DDD: KApplication::KApplication(bool, bool) (in /usr/lib/libkdecore.so.4.2.0)
==8537==    by 0x4FA209: kdemain (in /usr/lib/libkdeinit_konqueror.so)
==8537==    by 0x8048471: (within /usr/bin/konqueror)
==8537==    by 0xB36F2B: (below main) (in /lib/libc-2.5.so)
==8537==
==8537== Conditional jump or move depends on uninitialised value(s)
==8537==    at 0x4653709: QMapPrivate<QWidget const*, bool>::find(QWidget const* const&) const (in /usr/lib/kde3/plugins/styles/plastik.so)
==8537==    by 0x46537A1: QMap<QWidget const*, bool>::find(QWidget const* const&) const (in /usr/lib/kde3/plugins/styles/plastik.so)
==8537==    by 0x4653A37: QMap<QWidget const*, bool>::contains(QWidget const* const&) const (in /usr/lib/kde3/plugins/styles/plastik.so)
==8537==    by 0x464CBCB: PlastikStyle::drawPrimitive(QStyle::PrimitiveElement, QPainter*, QRect const&, QColorGroup const&, unsigned, QStyleOption const&) const (in /usr/lib/kde3/plugins/styles/plastik.so)
==8537==    by 0x464A7FF: PlastikStyle::drawControl(QStyle::ControlElement, QPainter*, QWidget const*, QRect const&, QColorGroup const&, unsigned, QStyleOption const&) const (in /usr/lib/kde3/plugins/styles/plastik.so)
==8537==    by 0x4F928BB: QMenuBar::drawContents(QPainter*) (in /usr/lib/qt-3.3/lib/libqt-mt.so.3.3.7)
==8537==    by 0x6FFEFF4: KMenuBar::drawContents(QPainter*) (in /usr/lib/libkdeui.so.4.2.0)
==8537==    by 0x4F40FF4: QFrame::paintEvent(QPaintEvent*) (in /usr/lib/qt-3.3/lib/libqt-mt.so.3.3.7)
==8537==    by 0x4EB9F67: QWidget::event(QEvent*) (in /usr/lib/qt-3.3/lib/libqt-mt.so.3.3.7)
==8537==    by 0x4E13E6A: QApplication::internalNotify(QObject*, QEvent*) (in /usr/lib/qt-3.3/lib/libqt-mt.so.3.3.7)
==8537==    by 0x4E152E8: QApplication::notify(QObject*, QEvent*) (in /usr/lib/qt-3.3/lib/libqt-mt.so.3.3.7)
==8537==    by 0x6CA256D: KApplication::notify(QObject*, QEvent*) (in /usr/lib/libkdecore.so.4.2.0)
==8537==
==8537== Conditional jump or move depends on uninitialised value(s)
==8537==    at 0x4653733: QMapPrivate<QWidget const*, bool>::find(QWidget const* const&) const (in /usr/lib/kde3/plugins/styles/plastik.so)
==8537==    by 0x46537A1: QMap<QWidget const*, bool>::find(QWidget const* const&) const (in /usr/lib/kde3/plugins/styles/plastik.so)
==8537==    by 0x4653A37: QMap<QWidget const*, bool>::contains(QWidget const* const&) const (in /usr/lib/kde3/plugins/styles/plastik.so)
==8537==    by 0x464CBCB: PlastikStyle::drawPrimitive(QStyle::PrimitiveElement, QPainter*, QRect const&, QColorGroup const&, unsigned, QStyleOption const&) const (in /usr/lib/kde3/plugins/styles/plastik.so)
==8537==    by 0x464A7FF: PlastikStyle::drawControl(QStyle::ControlElement, QPainter*, QWidget const*, QRect const&, QColorGroup const&, unsigned, QStyleOption const&) const (in /usr/lib/kde3/plugins/styles/plastik.so)
==8537==    by 0x4F928BB: QMenuBar::drawContents(QPainter*) (in /usr/lib/qt-3.3/lib/libqt-mt.so.3.3.7)
==8537==    by 0x6FFEFF4: KMenuBar::drawContents(QPainter*) (in /usr/lib/libkdeui.so.4.2.0)
==8537==    by 0x4F40FF4: QFrame::paintEvent(QPaintEvent*) (in /usr/lib/qt-3.3/lib/libqt-mt.so.3.3.7)
==8537==    by 0x4EB9F67: QWidget::event(QEvent*) (in /usr/lib/qt-3.3/lib/libqt-mt.so.3.3.7)
==8537==    by 0x4E13E6A: QApplication::internalNotify(QObject*, QEvent*) (in /usr/lib/qt-3.3/lib/libqt-mt.so.3.3.7)
==8537==    by 0x4E152E8: QApplication::notify(QObject*, QEvent*) (in /usr/lib/qt-3.3/lib/libqt-mt.so.3.3.7)
==8537==    by 0x6CA256D: KApplication::notify(QObject*, QEvent*) (in /usr/lib/libkdecore.so.4.2.0)
==8537==
==8537== Jump to the invalid address stated on the next line
==8537==    at 0x1DDABC8: ???
==8537==    by 0x22732D5: DOM::ElementImpl::setAttributeMap(DOM::NamedAttrMapImpl*) (in /usr/lib/libkhtml.so.4.2.0)
==8537==    by 0x228A97F: khtml::KHTMLParser::parseToken(khtml::Token*) (in /usr/lib/libkhtml.so.4.2.0)
==8537==    by 0x228B757: khtml::HTMLTokenizer::processToken() (in /usr/lib/libkhtml.so.4.2.0)
==8537==    by 0x228F9F5: khtml::HTMLTokenizer::parseTag(khtml::TokenizerString&) (in /usr/lib/libkhtml.so.4.2.0)
==8537==    by 0x229050F: khtml::HTMLTokenizer::write(khtml::TokenizerString const&, bool) (in /usr/lib/libkhtml.so.4.2.0)
==8537==    by 0x228D1F2: khtml::HTMLTokenizer::notifyFinished(khtml::CachedObject*) (in /usr/lib/libkhtml.so.4.2.0)
==8537==    by 0x236A474: khtml::CachedScript::checkNotify() (in /usr/lib/libkhtml.so.4.2.0)
==8537==    by 0x236D24A: khtml::CachedScript::data(QBuffer&, bool) (in /usr/lib/libkhtml.so.4.2.0)
==8537==    by 0x2369E0D: khtml::Loader::slotFinished(KIO::Job*) (in /usr/lib/libkhtml.so.4.2.0)
==8537==    by 0x236A06C: khtml::Loader::qt_invoke(int, QUObject*) (in /usr/lib/libkhtml.so.4.2.0)
==8537==    by 0x4E7CBE9: QObject::activate_signal(QConnectionList*, QUObject*) (in /usr/lib/qt-3.3/lib/libqt-mt.so.3.3.7)
==8537==  Address 0x1DDABC8 is not stack'd, malloc'd or (recently) free'd
KCrash: crashing... crashRecursionCounter = 2
KCrash: Application Name = konqueror path = <unknown> pid = 8537

After hitting CTRL-C I get the following extra output:

==8537==
==8537== ERROR SUMMARY: 6 errors from 4 contexts (suppressed: 177 from 3)
==8537== malloc/free: in use at exit: 9,349,993 bytes in 221,654 blocks.
==8537== malloc/free: 1,134,074 allocs, 912,420 frees, 55,811,190 bytes allocated.
==8537== For counts of detected errors, rerun with: -v
==8537== searching for pointers to 221,654 not-freed blocks.
==8537== checked 9,467,736 bytes.
==8537==
==8537== LEAK SUMMARY:
==8537==    definitely lost: 27,434 bytes in 908 blocks.
==8537==      possibly lost: 376 bytes in 6 blocks.
==8537==    still reachable: 9,322,183 bytes in 220,740 blocks.
==8537==         suppressed: 0 bytes in 0 blocks.
==8537== Use --leak-check=full to see details of leaked memory.


I shall try some further options with valgrind, to see if it will make the error messages even more verbose.
Comment 6 keith 2007-04-04 14:02:56 UTC
Created attachment 20173: valgrind output

Here is some more verbose output from valgrind
Comment 7 keith 2007-04-04 15:04:52 UTC
Created attachment 20175: Another dump from valgrind with complete output

I left off some debug output from the last valgrind dump. I have added debug-info for kde-base as well.
Comment 8 mutlu inek 2008-04-20 22:43:42 UTC
Not reproducible for me with Konqui from KDE 3.5.9, nor with Konqui from KDE4 trunk, r798847.
Comment 9 James Spahlinger 2008-04-21 10:36:53 UTC
Cannot reproduce in 3.5.9. Closing.