Bug 146688 - crash on website with special java script code
Summary: crash on website with special java script code
Status: RESOLVED DUPLICATE of bug 137678
Alias: None
Product: konqueror
Classification: Applications
Component: khtml
Version: unspecified
Platform: Debian testing Linux
Importance: NOR crash
Target Milestone: ---
Assignee: Konqueror Developers
Reported: 2007-06-12 03:00 UTC by Florian Grunow
Modified: 2008-04-29 11:52 UTC
Description Florian Grunow 2007-06-12 03:00:18 UTC
Version:           3.5.5a.dfsg.1-6 (using KDE KDE 3.5.5)
Installed from:    Debian testing/unstable Packages
Compiler:          apt-get precompiled 
OS:                Linux

Hi there!

I just stumbled over this issue and don't know if this is known or might even be exploited, so I submit it here:

konqueror often crashes with this setting:

You need two html files. See the code below. Put them on a webserver; it doesn't seem to be possible to trigger this bug locally. Go to test.html and click the fsckup button. Click "Cancel", click "Cancel" again and see konqueror crash. A dump is included at the end.

Is this some sort of race condition or something?

Greetz,

yorn


-------- test.html ---------
<html>
<head>
<script type="text/javascript">

function killme()
{
        if (parent.data.wtf)
                document.location = "blib";
}

function fsckup()
{
        document.location = "blub";
        setTimeout("killme()", 200);
}

</script>
</head>
<body>

<input name="fsckup" type="button" style="width: 100px;height: 22px;background-image: url(grey.png); background-repeat: repeat-x; color: #000000; " value="fsckup" onclick="javascript:fsckup()">
<iframe name="data" src="fsckup.html" height="0" frameborder="0" framemargin="0" framewidth="0"></iframe>

</body>
</html>
---------- END OF test.html ----------

And you obviously need fsckup.html, which contains this code:

---------- fsckup.html ----------

<html>
<body>
<script>
        var wtf = "A";
</script>
</body>
</html>

---------- END fsckup.html ------------


CRASHDUMP:


[...]
(no debugging symbols found)
[KCrash handler]
#5  0xb7ecafa6 in KonqRun::foundMimeType ()
   from /usr/lib/libkdeinit_konqueror.so
#6  0xb7aeaea5 in KParts::BrowserRun::slotBrowserMimetype ()
   from /usr/lib/libkparts.so.2
#7  0xb7aeb00e in KParts::BrowserRun::qt_invoke ()
   from /usr/lib/libkparts.so.2
#8  0xb7e8e9f8 in KonqRun::qt_invoke () from /usr/lib/libkdeinit_konqueror.so
#9  0xb6c7bd4f in QObject::activate_signal () from /usr/lib/libqt-mt.so.3
#10 0xb78a32e0 in KIO::TransferJob::mimetype () from /usr/lib/libkio.so.4
#11 0xb78a3362 in KIO::TransferJob::slotMimetype () from /usr/lib/libkio.so.4
#12 0xb78e0e4d in KIO::TransferJob::qt_invoke () from /usr/lib/libkio.so.4
#13 0xb6c7bd4f in QObject::activate_signal () from /usr/lib/libqt-mt.so.3
#14 0xb6c7c27c in QObject::activate_signal () from /usr/lib/libqt-mt.so.3
#15 0xb78ae723 in KIO::SlaveInterface::mimeType () from /usr/lib/libkio.so.4
#16 0xb7900da2 in KIO::SlaveInterface::dispatch () from /usr/lib/libkio.so.4
#17 0xb78feed8 in KIO::SlaveInterface::dispatch () from /usr/lib/libkio.so.4
#18 0xb78affab in KIO::Slave::gotInput () from /usr/lib/libkio.so.4
#19 0xb78eea60 in KIO::Slave::qt_invoke () from /usr/lib/libkio.so.4
#20 0xb6c7bd4f in QObject::activate_signal () from /usr/lib/libqt-mt.so.3
#21 0xb6c7c656 in QObject::activate_signal () from /usr/lib/libqt-mt.so.3
#22 0xb7005c7b in QSocketNotifier::activated () from /usr/lib/libqt-mt.so.3
#23 0xb6c9e4fa in QSocketNotifier::event () from /usr/lib/libqt-mt.so.3
#24 0xb6c13c26 in QApplication::internalNotify () from /usr/lib/libqt-mt.so.3
#25 0xb6c15a43 in QApplication::notify () from /usr/lib/libqt-mt.so.3
#26 0xb73d7e0e in KApplication::notify () from /usr/lib/libkdecore.so.4
#27 0xb6ba7421 in QApplication::sendEvent () from /usr/lib/libqt-mt.so.3
#28 0xb6c05fd9 in QEventLoop::activateSocketNotifiers ()
   from /usr/lib/libqt-mt.so.3
#29 0xb6bbb754 in QEventLoop::processEvents () from /usr/lib/libqt-mt.so.3
#30 0xb6c2e179 in QEventLoop::enterLoop () from /usr/lib/libqt-mt.so.3
#31 0xb6c2df9a in QEventLoop::exec () from /usr/lib/libqt-mt.so.3
#32 0xb6c157bf in QApplication::exec () from /usr/lib/libqt-mt.so.3
#33 0xb7ed7495 in kdemain () from /usr/lib/libkdeinit_konqueror.so
#34 0x08048482 in ?? ()
#35 0x00000003 in ?? ()
#36 0xbfb86794 in ?? ()
#37 0xbfb86718 in ?? ()
#38 0x080484f9 in ?? ()
#39 0xb7befc8c in ?? () from /lib/tls/libc.so.6
#40 0xbfb86720 in ?? ()
#41 0xbfb86768 in ?? ()
#42 0xb7bf9ea8 in __libc_start_main () from /lib/tls/libc.so.6
#43 0xb7bf9ea8 in __libc_start_main () from /lib/tls/libc.so.6
#44 0x080483d1 in ?? ()
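The sequence the report describes, as an added model that is not Konqueror's or KDE's code: a navigation's MIME-type result arrives after the user has cancelled, and the object the run was going to hand the result to is already gone. Qt3's QGuardedPtr, where frame #5 dies, becomes null once its QObject is deleted; std::weak_ptr plays that role here, and which object the "Cancel" actually destroys is an assumption of the model.

```cpp
// Added illustration (not KDE code) of the hazard behind the trace above:
// an asynchronous KIO reply (KonqRun::foundMimeType) lands after the user
// has cancelled. QGuardedPtr nulls itself when the tracked QObject dies, so
// the callback must check it before use; std::weak_ptr stands in for it.
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Stand-in for the browser part that a finished navigation hands its URL to.
struct Part {
    std::vector<std::string> shown;
    void show(const std::string& url, const std::string& mime) {
        shown.push_back(url + " as " + mime);
    }
};

// A pending navigation; it outlives the UI event that may delete the part.
class Run {
public:
    Run(std::weak_ptr<Part> part, std::string url)
        : part_(std::move(part)), url_(std::move(url)) {}

    // Called asynchronously once the MIME type is known. Returns true if the
    // result reached a live part, false if the part was already destroyed.
    bool foundMimeType(const std::string& mime) {
        std::shared_ptr<Part> p = part_.lock();  // the guarded-pointer check
        if (!p) return false;                     // cancelled: drop the reply
        p->show(url_, mime);
        return true;
    }

private:
    std::weak_ptr<Part> part_;
    std::string url_;
};

// Replays the reporter's sequence (constructed, mirroring test.html): two
// navigations are in flight, the second "Cancel" destroys the part, then the
// late MIME-type reply arrives. Returns how many replies were safely dropped.
int replay() {
    auto part = std::make_shared<Part>();
    Run first(part, "blub");
    Run second(part, "blib");
    first.foundMimeType("application/octet-stream");  // part still alive
    part.reset();                                     // "Cancel": part deleted
    int dropped = 0;
    if (!second.foundMimeType("application/octet-stream")) ++dropped;
    return dropped;  // 1: the late reply is ignored, not dereferenced
}
```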
Comment 1 Tommi Tervo 2007-06-12 09:10:34 UTC
Cannot reproduce. Could you install the kdelibs-dbg and kdebase-dbg packages and paste the full backtrace here.
Comment 2 Florian Grunow 2007-06-12 10:18:10 UTC
I forgot to mention:

You need two files in the directory of the html files. One named "blub" and one named "blib" (touch blub blib is enough). You see "blib" first; after you click cancel, "blub" shows up, and when you click on cancel again, konqueror crashes.

Make sure that you:
1) use a webserver for this, don't do it locally
2) have the files in place
3) try it more than once (maybe it's a timing issue) if it doesn't work on the first shot

It works like a charm here.

I'm actually not able to get frames 3-4 somehow. They disappear in the kcrash dialog. Why is that? I appended some gdb output additionally.

Using host libthread_db library "/lib/tls/libthread_db.so.1".
[Thread debugging using libthread_db enabled]
[New Thread -1234266432 (LWP 3347)]
[KCrash handler]

0xb7ca505c in nanosleep () from /lib/tls/libc.so.6
#0  0xb7ca505c in nanosleep () from /lib/tls/libc.so.6
#1  0xb7ca4e8e in sleep () from /lib/tls/libc.so.6
[...]
#5  0xb7efbfa6 in KonqRun::foundMimeType (this=0x81f27b0, _type=@0xbfdb0934)
    at /usr/share/qt3/include/qguardedptr.h:94
#6  0xb7b1bea5 in KParts::BrowserRun::slotBrowserMimetype (this=0x81f27b0, 
    _job=0x82b0328, type=@0x82d9df0)
    at /tmp/buildd/kdelibs-3.5.5a.dfsg.1/./kparts/browserrun.cpp:200
#7  0xb7b1c00e in KParts::BrowserRun::qt_invoke (this=0x81f27b0, _id=7, 
    _o=0xbfdb0a00) at ./browserrun.moc:102
#8  0xb7ebf9f8 in KonqRun::qt_invoke (this=0x81f27b0, _id=7, _o=0xbfdb0a00)
    at ./konq_run.moc:88
#9  0xb6cacd4f in QObject::activate_signal (this=0x82b0328, clist=0x82b4a80, 
    o=0xbfdb0a00) at kernel/qobject.cpp:2356
#10 0xb78d42e0 in KIO::TransferJob::mimetype (this=0x82b0328, t0=0x82b0328, 
    t1=@0x82b0438) at ./jobclasses.moc:1050
#11 0xb78d4362 in KIO::TransferJob::slotMimetype (this=0x82b0328, 
    type=@0x82d9ec8)
    at /tmp/buildd/kdelibs-3.5.5a.dfsg.1/./kio/kio/job.cpp:1084
#12 0xb7911e4d in KIO::TransferJob::qt_invoke (this=0x82b0328, _id=20, 
    _o=0xbfdb0b38) at ./jobclasses.moc:1074
#13 0xb6cacd4f in QObject::activate_signal (this=0x831d9c0, clist=0x820f648, 
    o=0xbfdb0b38) at kernel/qobject.cpp:2356
#14 0xb6cad27c in QObject::activate_signal (this=0x831d9c0, signal=19, 
    param=@0xbfdb0b8c) at kernel/qobject.cpp:2451
#15 0xb78df723 in KIO::SlaveInterface::mimeType (this=0x831d9c0, 
    t0=@0xbfdb0d30) at ./slaveinterface.moc:370
#16 0xb7931da2 in KIO::SlaveInterface::dispatch (this=0x831d9c0, _cmd=21, 
    rawdata=@0xbfdb0d70)
    at /tmp/buildd/kdelibs-3.5.5a.dfsg.1/./kio/kio/slaveinterface.cpp:338
#17 0xb792fed8 in KIO::SlaveInterface::dispatch (this=0x831d9c0)
    at /tmp/buildd/kdelibs-3.5.5a.dfsg.1/./kio/kio/slaveinterface.cpp:173
#18 0xb78e0fab in KIO::Slave::gotInput (this=0x831d9c0)
    at /tmp/buildd/kdelibs-3.5.5a.dfsg.1/./kio/kio/slave.cpp:300
#19 0xb791fa60 in KIO::Slave::qt_invoke (this=0x831d9c0, _id=4, _o=0xbfdb0e98)
    at ./slave.moc:113
#20 0xb6cacd4f in QObject::activate_signal (this=0x80e8288, clist=0x831dc38, 
    o=0xbfdb0e98) at kernel/qobject.cpp:2356
#21 0xb6cad656 in QObject::activate_signal (this=0x80e8288, signal=2, 
    param=15) at kernel/qobject.cpp:2449
#22 0xb7036c7b in QSocketNotifier::activated (this=0x80e8288, t0=15)
    at .moc/debug-shared-mt/moc_qsocketnotifier.cpp:85
#23 0xb6ccf4fa in QSocketNotifier::event (this=0x80e8288, e=0xbfdb11f0)
    at kernel/qsocketnotifier.cpp:258
#24 0xb6c44c26 in QApplication::internalNotify (this=0xbfdb152c, 
    receiver=0x80e8288, e=0xbfdb11f0) at kernel/qapplication.cpp:2635
#25 0xb6c46a43 in QApplication::notify (this=0xbfdb152c, receiver=0x80e8288, 
    e=0xbfdb11f0) at kernel/qapplication.cpp:2358
#26 0xb7408e0e in KApplication::notify (this=0xbfdb152c, receiver=0x80e8288, 
    event=0xbfdb11f0)
    at /tmp/buildd/kdelibs-3.5.5a.dfsg.1/./kdecore/kapplication.cpp:550
#27 0xb6bd8421 in QApplication::sendEvent (receiver=0x80e8288, 
    event=0xbfdb11f0) at ../include/qapplication.h:520
#28 0xb6c36fd9 in QEventLoop::activateSocketNotifiers (this=0x807def8)
    at kernel/qeventloop_unix.cpp:578
#29 0xb6bec754 in QEventLoop::processEvents (this=0x807def8, flags=4)
    at kernel/qeventloop_x11.cpp:383
#30 0xb6c5f179 in QEventLoop::enterLoop (this=0x807def8)
    at kernel/qeventloop.cpp:198
#31 0xb6c5ef9a in QEventLoop::exec (this=0x807def8)
    at kernel/qeventloop.cpp:145
#32 0xb6c467bf in QApplication::exec (this=0xbfdb152c)
    at kernel/qapplication.cpp:2758
#33 0xb7f08495 in kdemain (argc=3, argv=0xbfdb19c4)
    at /tmp/buildd/kdebase-3.5.5a.dfsg.1/./konqueror/konq_main.cc:206
#34 0x08048482 in main (argc=) at konqueror.la.cc:2
#35 0xb7c2aea8 in __libc_start_main () from /lib/tls/libc.so.6
#36 0x080483d1 in _start () at ../sysdeps/i386/elf/start.S:119

gdb says at time of crash:
gdb> i r
eax            0x120    0x120
ecx            0x81fd2f0        0x81fd2f0
edx            0xbfc84544       0xbfc84544
ebx            0xb712ef04       0xb712ef04
esp            0xbfc84520       0xbfc84520
ebp            0xbfc84558       0xbfc84558
esi            0x1      0x1
edi            0x0      0x0
eip            0xb6c01c15       0xb6c01c15 <QApplication::internalNotify(QObject*, QEvent*)+607>
eflags         0x10202  [ IF RF ]
cs             0x73     0x73
ss             0x7b     0x7b
ds             0x7b     0x7b
es             0x7b     0x7b
fs             0x0      0x0
gs             0x33     0x33

gdb> bt
#0  0xb6c01c15 in QApplication::internalNotify (this=0xbfc84b5c, receiver=0x81fd2f0, e=0xbfc84808) at kernel/qapplication.cpp:2635
#1  0xb6c03a43 in QApplication::notify (this=0xbfc84b5c, receiver=0x81fd2f0, e=0xbfc84808) at kernel/qapplication.cpp:2358
#2  0xb73c5e0e in KApplication::notify (this=0xbfc84b5c, receiver=0x81fd2f0, event=0xbfc84808) at /tmp/buildd/kdelibs-3.5.5a.dfsg.1/./kdecore/kapplication.cpp:550
#3  0xb6b95421 in QApplication::sendEvent (receiver=0x81fd2f0, event=0xbfc84808) at ../include/qapplication.h:520
#4  0xb6bf4623 in QEventLoop::activateTimers (this=0x807eb28) at kernel/qeventloop_unix.cpp:556
#5  0xb6ba976f in QEventLoop::processEvents (this=0x807eb28, flags=0x4) at kernel/qeventloop_x11.cpp:389
#6  0xb6c1c179 in QEventLoop::enterLoop (this=0x807eb28) at kernel/qeventloop.cpp:198
#7  0xb6c1bf9a in QEventLoop::exec (this=0x807eb28) at kernel/qeventloop.cpp:145
#8  0xb6c037bf in QApplication::exec (this=0xbfc84b5c) at kernel/qapplication.cpp:2758
#9  0xb7ec5495 in kdemain (argc=0x1, argv=0xbfc84ff4) at /tmp/buildd/kdebase-3.5.5a.dfsg.1/./konqueror/konq_main.cc:206
#10 0x08048482 in main (argc=0x100, argv=0x4) at konqueror.la.cc:2
#11 0xb7be7ea8 in __libc_start_main () from /lib/tls/libc.so.6
#12 0x080483d1 in _start () at ../sysdeps/i386/elf/start.S:119
Comment 3 Tommi Tervo 2007-06-12 10:45:31 UTC
OK, I managed to reproduce this crash too. Possible duplicate candidates here:
http://bugs.kde.org/show_bug.cgi?id=137678 and
http://bugs.kde.org/show_bug.cgi?id=122205
Comment 4 A. Spehr 2008-04-29 11:52:12 UTC
I think teve is right, this is a dup.

*** This bug has been marked as a duplicate of 137678 ***