Bug 149157 - Konqueror crashes when calling removeAttribute("id") on an element in an XML document
Status: RESOLVED DUPLICATE of bug 145612
Alias: None
Product: konqueror
Classification: Applications
Component: khtml
Version: unspecified
Platform: Fedora RPMs Linux
Priority/Severity: NOR normal
Target Milestone: ---
Assignee: Konqueror Developers
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-08-24 07:56 UTC by Dean Brettle
Modified: 2007-08-24 09:05 UTC

See Also:
Latest Commit:
Version Fixed In:


Description Dean Brettle 2007-08-24 07:56:24 UTC
Version:            (using KDE 3.5.7)
Installed from:    Fedora RPMs
OS:                Linux

To reproduce:

Open the following HTML file with Konqueror:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Untrusted HTML With Javascript</title>
</head>
<body>
	<p>
	Trying to set or remove the ID attribute of an element in an XML document causes Konqueror to crash.
	</p>
	<script type="text/javascript">
		var xmlDoc=document.implementation.createDocument("", null, null);
		xmlDoc.loadXML('<doc id="testId"></doc>');
		var elem = xmlDoc.firstChild;
		// Either of the following lines will crash Konqueror
		elem.removeAttribute("id");
		elem.setAttribute("id", "newId");
	</script>
</body>
</html>

Expected Behavior:

No crash. :)

Actual Behavior:

Crashes every time.

Backtrace:

(no debugging symbols found)
Using host libthread_db library "/lib/libthread_db.so.1".
(no debugging symbols found)
...
[Thread debugging using libthread_db enabled]
[New Thread -1209091872 (LWP 20115)]
(no debugging symbols found)
...
[KCrash handler]
#6  0x0712dbaa in DOM::ElementMappingCache::remove ()
   from /usr/lib/libkhtml.so.4
#7  0x0713cb9d in DOM::ElementImpl::removeId () from /usr/lib/libkhtml.so.4
#8  0x0713c160 in DOM::ElementImpl::updateId () from /usr/lib/libkhtml.so.4
#9  0x0713fda9 in DOM::NamedAttrMapImpl::removeNamedItem ()
   from /usr/lib/libkhtml.so.4
#10 0x07304d0b in DOM::Element::removeAttribute () from /usr/lib/libkhtml.so.4
#11 0x0724b491 in KJS::DOMElementProtoFunc::tryCall ()
   from /usr/lib/libkhtml.so.4
#12 0x072419b4 in KJS::DOMFunction::call () from /usr/lib/libkhtml.so.4
#13 0x00d8513c in KJS::Object::call () from /usr/lib/libkjs.so.1
#14 0x00d53002 in KJS::FunctionCallNode::evaluate () from /usr/lib/libkjs.so.1
#15 0x00d4ef7f in KJS::ExprStatementNode::execute () from /usr/lib/libkjs.so.1
#16 0x00d4c430 in KJS::SourceElementsNode::execute () from /usr/lib/libkjs.so.1
#17 0x00d4a2f2 in KJS::BlockNode::execute () from /usr/lib/libkjs.so.1
#18 0x00d71833 in KJS::InterpreterImp::evaluate () from /usr/lib/libkjs.so.1
#19 0x00d8625a in KJS::Interpreter::evaluate () from /usr/lib/libkjs.so.1
#20 0x072b11c7 in KJS::KJSProxyImpl::evaluate () from /usr/lib/libkhtml.so.4
#21 0x070ea145 in KHTMLPart::executeScript () from /usr/lib/libkhtml.so.4
#22 0x07159324 in khtml::HTMLTokenizer::scriptExecution ()
   from /usr/lib/libkhtml.so.4
#23 0x0715995d in khtml::HTMLTokenizer::scriptHandler ()
   from /usr/lib/libkhtml.so.4
#24 0x0715a3d4 in khtml::HTMLTokenizer::parseSpecial ()
   from /usr/lib/libkhtml.so.4
#25 0x0715c3b2 in khtml::HTMLTokenizer::parseTag () from /usr/lib/libkhtml.so.4
#26 0x0715c750 in khtml::HTMLTokenizer::write () from /usr/lib/libkhtml.so.4
#27 0x070e63a5 in KHTMLPart::write () from /usr/lib/libkhtml.so.4
#28 0x070e7ebe in KHTMLPart::slotData () from /usr/lib/libkhtml.so.4
#29 0x070ee60f in KHTMLPart::qt_invoke () from /usr/lib/libkhtml.so.4
#30 0x022b2ffa in QObject::activate_signal ()
   from /usr/lib/qt-3.3/lib/libqt-mt.so.3
#31 0x06b77003 in KIO::TransferJob::data () from /usr/lib/libkio.so.4
#32 0x06b79a05 in KIO::TransferJob::slotData () from /usr/lib/libkio.so.4
#33 0x06b7d552 in KIO::TransferJob::qt_invoke () from /usr/lib/libkio.so.4
#34 0x022b2ffa in QObject::activate_signal ()
   from /usr/lib/qt-3.3/lib/libqt-mt.so.3
#35 0x06b664e7 in KIO::SlaveInterface::data () from /usr/lib/libkio.so.4
#36 0x06b67790 in KIO::SlaveInterface::dispatch () from /usr/lib/libkio.so.4
#37 0x06b68320 in KIO::SlaveInterface::dispatch () from /usr/lib/libkio.so.4
#38 0x06b6318d in KIO::Slave::gotInput () from /usr/lib/libkio.so.4
#39 0x06b65238 in KIO::Slave::qt_invoke () from /usr/lib/libkio.so.4
#40 0x022b2ffa in QObject::activate_signal ()
   from /usr/lib/qt-3.3/lib/libqt-mt.so.3
#41 0x022b3892 in QObject::activate_signal ()
   from /usr/lib/qt-3.3/lib/libqt-mt.so.3
#42 0x026460d0 in QSocketNotifier::activated ()
   from /usr/lib/qt-3.3/lib/libqt-mt.so.3
#43 0x022d39c0 in QSocketNotifier::event ()
   from /usr/lib/qt-3.3/lib/libqt-mt.so.3
#44 0x02249bab in QApplication::internalNotify ()
   from /usr/lib/qt-3.3/lib/libqt-mt.so.3
#45 0x0224b009 in QApplication::notify ()
   from /usr/lib/qt-3.3/lib/libqt-mt.so.3
#46 0x009f475e in KApplication::notify () from /usr/lib/libkdecore.so.4
#47 0x0223d321 in QEventLoop::activateSocketNotifiers ()
   from /usr/lib/qt-3.3/lib/libqt-mt.so.3
#48 0x021f19a1 in QEventLoop::processEvents ()
   from /usr/lib/qt-3.3/lib/libqt-mt.so.3
#49 0x022630c0 in QEventLoop::enterLoop ()
   from /usr/lib/qt-3.3/lib/libqt-mt.so.3
#50 0x02262f76 in QEventLoop::exec () from /usr/lib/qt-3.3/lib/libqt-mt.so.3
#51 0x022496bf in QApplication::exec () from /usr/lib/qt-3.3/lib/libqt-mt.so.3
#52 0x06e22ae4 in kdemain () from /usr/lib/libkdeinit_konqueror.so
#53 0x08048472 in ?? ()
#54 0x00457dec in __libc_start_main () from /lib/libc.so.6
#55 0x080483c1 in ?? ()
Comment 1 Tommi Tervo 2007-08-24 09:05:34 UTC
Thanks for the nice test case

*** This bug has been marked as a duplicate of 145612 ***
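Added model (not code from the report or from KHTML): the backtrace ends in DOM::ElementMappingCache::remove, reached from ElementImpl::removeId / updateId when the "id" attribute changes. A per-document id-to-element cache of that shape fails in a characteristic way if an element's id was stored by a load path that never registered it in the cache and a later removeAttribute("id") then removes a key that was never added. The page does not state the root cause, so treating the crash as that pattern is an assumption; the classes, the toy loadXML, and the registerIds / checkedRemove switches below are all hypothetical and exist only to replay the reporter's two statements against an unchecked and a defensive remove.

```javascript
// Hypothetical model of a document-scoped id cache (not KHTML's ElementMappingCache).
// ASSUMPTION: the crash is "remove of an id that was never added"; the bug page does
// not confirm this, it only shows the frames that were on the stack.
class ElementMappingCache {
  constructor() {
    this.items = new Map(); // id -> { ref: number, element: Element | null }
  }
  add(id, element) {
    const info = this.items.get(id);
    if (info) {
      info.ref += 1;
      info.element = null; // duplicate ids: a lookup must fall back to a tree walk
      return;
    }
    this.items.set(id, { ref: 1, element });
  }
  // Unchecked remove: trusts that every id being removed was added earlier.
  removeUnchecked(id) {
    const info = this.items.get(id);
    info.ref -= 1; // TypeError on a missing entry, the JS analogue of a null dereference
    if (info.ref === 0) this.items.delete(id);
  }
  // Defensive remove: tolerates an id the cache never saw.
  remove(id) {
    const info = this.items.get(id);
    if (!info) return false;
    info.ref -= 1;
    if (info.ref === 0) this.items.delete(id);
    return true;
  }
  get(id) {
    const info = this.items.get(id);
    return info ? info.element : null;
  }
}

class Element {
  constructor(doc, tagName) {
    this.doc = doc;
    this.tagName = tagName;
    this.attrs = new Map();
  }
  getAttribute(name) { return this.attrs.has(name) ? this.attrs.get(name) : null; }
  setAttribute(name, value) {
    const old = this.getAttribute(name);
    this.attrs.set(name, value);
    if (name === 'id') this.doc.updateId(this, old, value);
  }
  removeAttribute(name) {
    const old = this.getAttribute(name);
    this.attrs.delete(name);
    if (name === 'id' && old !== null) this.doc.updateId(this, old, null);
  }
}

class Document {
  constructor({ checkedRemove }) {
    this.checkedRemove = checkedRemove;
    this.cache = new ElementMappingCache();
    this.firstChild = null;
  }
  // Toy loader for one empty element such as <doc id="testId"></doc> (constructed input).
  // registerIds models whether this load path populates the id cache at all.
  loadXML(xml, registerIds) {
    const m = /^<([A-Za-z][\w-]*)\s*(?:id="([^"]*)")?\s*>\s*<\/\1>$/.exec(xml.trim());
    if (!m) throw new Error('toy loader: unsupported markup');
    const el = new Element(this, m[1]);
    if (m[2] !== undefined) {
      el.attrs.set('id', m[2]);                  // attribute stored directly on the element
      if (registerIds) this.cache.add(m[2], el); // cache only updated if the loader does it
    }
    this.firstChild = el;
    return el;
  }
  // Mirrors the updateId -> removeId -> cache.remove chain in the backtrace.
  updateId(el, oldId, newId) {
    if (oldId === newId) return;
    if (oldId !== null) {
      if (this.checkedRemove) this.cache.remove(oldId);
      else this.cache.removeUnchecked(oldId);
    }
    if (newId !== null) this.cache.add(newId, el);
  }
  getElementById(id) { return this.cache.get(id); }
}

// Replays the two statements from the reporter's test case under a given cache policy.
function replay(registerIds, checkedRemove) {
  const xmlDoc = new Document({ checkedRemove });
  const elem = xmlDoc.loadXML('<doc id="testId"></doc>', registerIds);
  try {
    elem.removeAttribute('id');
    elem.setAttribute('id', 'newId');
    return {
      ok: true,
      lookup: xmlDoc.getElementById('newId') === elem,
      stale: xmlDoc.getElementById('testId') !== null,
    };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}
```

replay(true, false) is the healthy path: the loader registered the id, so the unchecked remove finds its entry. replay(false, false) is the modelled failure: the id was never registered and the unchecked remove blows up on the first statement of the test case, exactly where the backtrace stops. replay(false, true) shows that a remove which tolerates unknown ids turns the same input into a harmless no-op, with the new id still resolvable afterwards.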