Bug 153827 - Crash while running query against bugs.kde.org
Summary: Crash while running query against bugs.kde.org
Status: RESOLVED WORKSFORME
Alias: None
Product: konqueror
Classification: Applications
Component: khtml parsing
Version: 4.0
Platform: Compiled Sources Linux
Importance: NOR major
Target Milestone: ---
Assignee: Konqueror Developers
URL:
Keywords:
Duplicates: 153662 153803 153925 154312
Depends on:
Blocks:
 
Reported: 2007-12-11 08:55 UTC by Josh Berry
Modified: 2008-06-03 10:22 UTC
CC List: 6 users

See Also:
Latest Commit:
Version Fixed In:


Attachments
Fast patch (2.44 KB, patch)
2007-12-11 14:53 UTC, Allan Sandfeld
Break loop also when the character "<" is the last one of the buffer (531 bytes, patch)
2007-12-12 22:42 UTC, Pablo Pita
Stdout log to verify my previous patch (54.92 KB, text/plain)
2007-12-12 23:11 UTC, Pablo Pita

Description Josh Berry 2007-12-11 08:55:07 UTC
Version:            (using KDE Devel)
Installed from:    Compiled sources
Compiler:          gcc 4.2 
OS:                Linux

Konqueror (with kdelibs r747105) crashes while running a query against bugs.kde.org.

To get the crash, I did the following:
 
 - Went to http://bugs.kde.org/ 
 - Clicked on "Query existing reports" at the top 
 - Selected the "dolphin" product and hit "Search" 
 - Crash, as follows: 
 
 #5  0x00002b9b2afa1185 in raise () from /lib64/libc.so.6 
 #6  0x00002b9b2afa2630 in abort () from /lib64/libc.so.6 
 #7  0x00002b9b2af9a77f in __assert_fail () from /lib64/libc.so.6 
 #8  0x00002b9b3271e584 in KHTMLGlobal::finalCheck () 
     at /home/des/Code/kde/kdelibs/khtml/khtml_global.cpp:244 
 #9  0x00002aaaac8437c5 in ~KHTMLFactory (this=0xaaaa00) 
     at /home/des/Code/kde/kdelibs/khtml/khtml_factory.cpp:35 
 #10 0x00002b9b28cc076a in QObjectCleanupHandler::clear (this=0x9da890) 
     at /home/des/Code/kde/qt-copy/src/corelib/kernel/qobjectcleanuphandler.cpp:133 
 #11 0x00002b9b28cc07b1 in ~QObjectCleanupHandler (this=0x5e50) 
     at /home/des/Code/kde/qt-copy/src/corelib/kernel/qobjectcleanuphandler.cpp:79 
 #12 0x00002b9b25e9ca7b in destroy () 
     at /home/des/Code/kde/kdelibs/kdecore/util/kpluginfactory.cpp:29 
 #13 0x00002b9b25d98755 in ~KCleanUpGlobalStatic (this=0x2b9b26133430) 
     at /home/des/Code/kde/kdelibs/kdecore/kernel/kglobal.h:65 
 #14 0x00002b9b25e9c9e0 in __tcf_0 () 
     at /home/des/Code/kde/kdelibs/kdecore/util/kpluginfactory.cpp:29 
 #15 0x00002b9b2afa3b8e in exit () from /lib64/libc.so.6 
 #16 0x00002b9b28c1af0d in qt_message_output (msgType=QtFatalMsg, 
     buf=<value optimized out>) 
     at /home/des/Code/kde/qt-copy/src/corelib/global/qglobal.cpp:2162 
 #17 0x00002b9b28c1b025 in qFatal (msg=<value optimized out>) 
     at /home/des/Code/kde/qt-copy/src/corelib/global/qglobal.cpp:2392 
 #18 0x00002b9b326d52a1 in QString::operator[] (this=0x7fff85e25fe0, i=56) 
     at /home/des/Code/kde/build/qt-copy/include/QtCore/../../../../qt-copy/src/corelib/tools/qstring.h:638 
 #19 0x00002b9b327aa872 in parseDocTypePart (buffer=@0x7fff85e25fe0, index=56) 
     at /home/des/Code/kde/kdelibs/khtml/html/html_documentimpl.cpp:280 
 #20 0x00002b9b327aac83 in parseDocTypeDeclaration (buffer=@0x7fff85e25fe0, 
     resultFlags=0x7fff85e25e7c, publicID=@0x7fff85e25e80, 
     systemID=@0x7fff85e25e90) 
     at /home/des/Code/kde/kdelibs/khtml/html/html_documentimpl.cpp:345 
 #21 0x00002b9b327ac81b in DOM::HTMLDocumentImpl::determineParseMode ( 
     this=0xe2f180, str=@0x7fff85e25fe0) 
     at /home/des/Code/kde/kdelibs/khtml/html/html_documentimpl.cpp:437 
 #22 0x00002b9b326f6fa9 in KHTMLPart::onFirstData (this=0x9d92c0, 
     firstData=@0x7fff85e25fe0) 
     at /home/des/Code/kde/kdelibs/khtml/khtml_part.cpp:1989 
 #23 0x00002b9b326f719c in KHTMLPart::write (this=0x9d92c0, 
     data=0xa5b278 "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<!DOCTYPE html \n ", len=56) at /home/des/Code/kde/kdelibs/khtml/khtml_part.cpp:1947 
 #24 0x00002b9b326f9734 in KHTMLPart::slotData (this=0x9d92c0, 
     kio_job=0xf7de10, data=@0x7fff85e271d0) 
     at /home/des/Code/kde/kdelibs/khtml/khtml_part.cpp:1636 
 #25 0x00002b9b32703824 in KHTMLPart::qt_metacall (this=0x9d92c0, 
     _c=QMetaObject::InvokeMetaMethod, _id=19, _a=0x7fff85e26980) 
     at /home/des/Code/kde/build/kdelibs/khtml/khtml_part.moc:263 
 #26 0x00002b9b28cbd6cc in QMetaObject::activate (sender=0xf7de10, 
     from_signal_index=40, to_signal_index=40, argv=0xffffffffffffffff) 
     at /home/des/Code/kde/qt-copy/src/corelib/kernel/qobject.cpp:3087 
 #27 0x00002b9b25927031 in KIO::TransferJob::data (this=0xf7de10, 
     _t1=0xf7de10, _t2=@0x7fff85e271d0) 
     at /home/des/Code/kde/build/kdelibs/kio/jobclasses.moc:355 
 #28 0x00002b9b259278f0 in KIO::TransferJob::slotData (this=0xf7de10, 
     _data=@0x7fff85e271d0) at /home/des/Code/kde/kdelibs/kio/kio/job.cpp:921 
 #29 0x00002b9b25931841 in KIO::TransferJob::qt_metacall (this=0xf7de10, 
     _c=QMetaObject::InvokeMetaMethod, _id=8, _a=0x7fff85e26f30) 
     at /home/des/Code/kde/build/kdelibs/kio/jobclasses.moc:336 
 #30 0x00002b9b28cbd6cc in QMetaObject::activate (sender=0xbf66d0, 
     from_signal_index=4, to_signal_index=4, argv=0xffffffffffffffff) 
     at /home/des/Code/kde/qt-copy/src/corelib/kernel/qobject.cpp:3087 
 #31 0x00002b9b259c8101 in KIO::SlaveInterface::data (this=0xbf66d0, 
     _t1=@0x7fff85e271d0) 
     at /home/des/Code/kde/build/kdelibs/kio/slaveinterface.moc:137 
 #32 0x00002b9b259c9ae4 in KIO::SlaveInterface::dispatch (this=0xbf66d0, 
     _cmd=100, rawdata=@0x7fff85e271d0) 
     at /home/des/Code/kde/kdelibs/kio/kio/slaveinterface.cpp:161 
 #33 0x00002b9b259c9a0a in KIO::SlaveInterface::dispatch (this=0xbf66d0) 
     at /home/des/Code/kde/kdelibs/kio/kio/slaveinterface.cpp:88 
 #34 0x00002b9b259be135 in KIO::Slave::gotInput (this=0xbf66d0) 
     at /home/des/Code/kde/kdelibs/kio/kio/slave.cpp:318 
 #35 0x00002b9b259bf33f in KIO::Slave::qt_metacall (this=0xbf66d0, 
     _c=QMetaObject::InvokeMetaMethod, _id=2, _a=0x7fff85e27750) 
     at /home/des/Code/kde/build/kdelibs/kio/slave.moc:74 
 #36 0x00002b9b28cbd6cc in QMetaObject::activate (sender=0xa35ca0, 
     from_signal_index=4, to_signal_index=4, argv=0xffffffffffffffff) 
     at /home/des/Code/kde/qt-copy/src/corelib/kernel/qobject.cpp:3087 
 #37 0x00002b9b25905006 in KIO::Connection::readyRead (this=0xa35ca0) 
     at /home/des/Code/kde/build/kdelibs/kio/connection.moc:83 
 #38 0x00002b9b25905dfc in KIO::ConnectionPrivate::dequeue (this=0xacf560) 
     at /home/des/Code/kde/kdelibs/kio/kio/connection.cpp:82 
 #39 0x00002b9b25906c86 in KIO::Connection::qt_metacall (this=0xa35ca0, 
     _c=QMetaObject::InvokeMetaMethod, _id=1, _a=0xf87d00) 
     at /home/des/Code/kde/build/kdelibs/kio/connection.moc:71 
 #40 0x00002b9b28cbb0b4 in QObject::event (this=0xa35ca0, e=0xffffffffffffffff) 
     at /home/des/Code/kde/qt-copy/src/corelib/kernel/qobject.cpp:1128 
 #41 0x00002b9b297d69d2 in QApplicationPrivate::notify_helper (this=0x61f5d0, 
     receiver=0xa35ca0, e=0x10544e0) 
     at /home/des/Code/kde/qt-copy/src/gui/kernel/qapplication.cpp:3556 
 #42 0x00002b9b297dc5af in QApplication::notify (this=0x7fff85e281d0, 
     receiver=0xa35ca0, e=0x10544e0) 
     at /home/des/Code/kde/qt-copy/src/gui/kernel/qapplication.cpp:3497 
 #43 0x00002b9b26317f2a in KApplication::notify (this=0x7fff85e281d0, 
     receiver=0xa35ca0, event=0x10544e0) 
     at /home/des/Code/kde/kdelibs/kdeui/kernel/kapplication.cpp:319 
 #44 0x00002b9b28cae9be in QCoreApplication::notifyInternal ( 
     this=0x7fff85e281d0, receiver=0xa35ca0, event=0x10544e0) 
     at /home/des/Code/kde/qt-copy/src/corelib/kernel/qcoreapplication.cpp:530 
 #45 0x00002b9b28cb009b in QCoreApplicationPrivate::sendPostedEvents ( 
     receiver=0x0, event_type=0, data=0x604f60) 
     at ../../include/QtCore/../../../../qt-copy/src/corelib/kernel/qcoreapplication.h:200 
 #46 0x00002b9b28cca983 in postEventSourceDispatch (s=<value optimized out>) 
     at /home/des/Code/kde/qt-copy/src/corelib/kernel/qeventdispatcher_glib.cpp:207 
 #47 0x00002b9b2c305682 in g_main_context_dispatch () 
    from /usr/lib/libglib-2.0.so.0 
 #48 0x00002b9b2c305ee5 in ?? () from /usr/lib/libglib-2.0.so.0 
 #49 0x00002b9b2c306407 in g_main_context_iteration () 
    from /usr/lib/libglib-2.0.so.0 
 #50 0x00002b9b28ccab9b in QEventDispatcherGlib::processEvents (this=0x61eed0, 
     flags=<value optimized out>) 
     at /home/des/Code/kde/qt-copy/src/corelib/kernel/qeventdispatcher_glib.cpp:338 
 #51 0x00002b9b2983d0a4 in QGuiEventDispatcherGlib::processEvents ( 
     this=0x5e50, flags=<value optimized out>) 
     at /home/des/Code/kde/qt-copy/src/gui/kernel/qguieventdispatcher_glib.cpp:191 
 #52 0x00002b9b28cae13c in QEventLoop::processEvents ( 
     this=<value optimized out>, flags=<value optimized out>) 
     at /home/des/Code/kde/qt-copy/src/corelib/kernel/qeventloop.cpp:140 
 #53 0x00002b9b28cae225 in QEventLoop::exec (this=0x7fff85e280e0, 
     flags=@0x7fff85e280f0) 
     at /home/des/Code/kde/qt-copy/src/corelib/kernel/qeventloop.cpp:182 
 #54 0x00002b9b28cb03d7 in QCoreApplication::exec () 
     at /home/des/Code/kde/qt-copy/src/corelib/kernel/qcoreapplication.cpp:759 
 #55 0x00002b9b24f60611 in kdemain (argc=2, argv=0x7fff85e28cd8) 
     at /home/des/Code/kde/kdebase/apps/konqueror/src/konqmain.cpp:218 
 #56 0x000000000040098b in main (argc=2, argv=0x7fff85e28cd8) 
     at /home/des/Code/kde/build/kdebase/apps/konqueror/src/konqueror_dummy.cpp:3 
 #0  0x00002b9b2b007c41 in nanosleep () from /lib64/libc.so.6
Comment 1 Maksim Orlovich 2007-12-11 09:03:19 UTC
*** Bug 153803 has been marked as a duplicate of this bug. ***
Comment 2 Maksim Orlovich 2007-12-11 09:03:26 UTC
*** Bug 153662 has been marked as a duplicate of this bug. ***
Comment 3 Maksim Orlovich 2007-12-11 09:06:43 UTC
Presence of problem confirmed via code inspection --- the doctype parsing code can walk outside of the string willy-nilly, and QString in Qt4 aborts on that (while Qt3 one would return a fallback value). 

I think this is a borderline showstopper, given that some of the reports involve wikipedia, and the potential for wide impact / nature of regression..

Allan, do you know that code well perchance? If so, would be nice if you could take a look, otherwise I'll try to dig through it I guess.
Comment 4 Allan Sandfeld 2007-12-11 14:47:02 UTC
Yes, I know the code and I even have a patch to fix it applied to my local tree. I will see if I can extract it. 

However, my patch only fixes the crash but creates a new problem: the function never gets run to an end.
Comment 5 Allan Sandfeld 2007-12-11 14:53:11 UTC
Created attachment 22483 [details]
Fast patch

The patch probably needs some check in KHTMLPart::onFirstData, so the
determineDocType can be run again when more data is available.
Comment 6 Maksim Orlovich 2007-12-11 19:15:15 UTC
The state post-patch is what it is in 3.5.x though, right?
Comment 7 Maksim Orlovich 2007-12-12 20:36:35 UTC
*** Bug 153925 has been marked as a duplicate of this bug. ***
Comment 8 Pablo Pita 2007-12-12 22:42:05 UTC
Created attachment 22514 [details]
Break loop also when the character "<" is the last one of the buffer

Try from command line:

konqueror http://es.wikipedia.org/wiki/Imagen:I_Wikiencuentro_en_la_Bahía_de_Cádiz_\(Asistentes\).jpg


For some reason, the buffer in parseDocTypeDeclaration with that URL is only
"<". Therefore, there are no more characters after it and bang! The patch
checks for that and it works here.

By the way, just to introduce myself, I am the guy in the middle with my little
daughter.
Comment 9 Pablo Pita 2007-12-12 23:11:25 UTC
Created attachment 22516 [details]
Stdout log to verify my previous patch

This is the log from command line I got to verify my previous patch. 
So konqueror loads the image successfully and all is fine.

Look at "my output" in HTMLDocumentImpl::parseDocTypeDeclaration :
konqueror(20349):  BUFFER:  "<"
konqueror(20349):  index:  0  bf.len:  1
This gave me the hint of what was going on in the method. The point is that the
XML header is non-existent. I just comment this in case there is also another
bug somewhere else.
Comment 10 Allan Sandfeld 2007-12-13 00:07:55 UTC
Excellent analysis Pablo. Unfortunately it is a well-known issue; to solve it correctly requires putting more responsibility in the HTML parser/tokenizer, and thus a larger rewrite. 

I think though this is a new instance of the bug, because in KDE 3.5.x the HTTP-slave would never send just 1 byte. I would like to know what causes the HTTP-slave to send such a small buffer. It not only reveals this bug, but it is also a waste of resources
Comment 11 Pablo Pita 2007-12-13 01:53:26 UTC
FYI, checking the stdout log I attached, I see in the BUFFER that all the headers are truncated:

pleira@barebone:~$ egrep -C 1 "BUFF|index:" log_from_stdout.log
konqueror(20349)/khtml KHTMLGlobal::ref: s_refcnt= 2
konqueror(20349):  BUFFER:  "<"
konqueror(20349):  index:  0  bf.len:  1
konqueror(20349)/khtml (html) DOM::HTMLDocumentImpl::determineParseMode:  using compatibility parseMode
--
konqueror(20349)/khtml KHTMLGlobal::ref: s_refcnt= 2
konqueror(20349):  BUFFER:  "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transi"
konqueror(20349):  index:  0  bf.len:  51
konqueror(20349)/khtml (html) DOM::HTMLDocumentImpl::determineParseMode:  using compatibility parseMode
--
konqueror(20349)/khtml KHTMLGlobal::ref: s_refcnt= 2
konqueror(20349):  BUFFER:  "<"
konqueror(20349):  index:  0  bf.len:  1
konqueror(20349)/khtml (html) DOM::HTMLDocumentImpl::determineParseMode:  using compatibility parseMode
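As an added illustration (not khtml's code and not any of the patches attached here), the C++ sketch below shows the defensive shape the reports above point to: a bounds-checked scan for the DOCTYPE keyword that reports an incomplete chunk instead of indexing past the end of the buffer, so the caller can rerun the determination when more data arrives, as comment 5 suggests. The names scanForDocType, matchAt and DocTypeScan are hypothetical, and the chunks in main are constructed to mirror the buffers shown in the log above.

```cpp
#include <cctype>
#include <cstring>
#include <iostream>
#include <string>

// Outcome of scanning one data chunk for a <!DOCTYPE ...> declaration.
enum class DocTypeScan { Found, NotFound, NeedMoreData };
enum class Match { None, Full, Partial };
// Case-insensitive comparison of buf[pos..] against 'token' that never reads
// past buf.size(); Partial means the chunk ended while still matching.
static Match matchAt(const std::string& buf, size_t pos, const char* token) {
    const size_t n = std::strlen(token);
    const size_t avail = buf.size() - pos;
    const size_t cmp = avail < n ? avail : n;
    for (size_t k = 0; k < cmp; ++k)
        if (std::toupper((unsigned char)buf[pos + k]) !=
            std::toupper((unsigned char)token[k]))
            return Match::None;
    return avail >= n ? Match::Full : Match::Partial;
}

// Scans 'buf' for "<!DOCTYPE" and copies the declaration body (up to the
// closing '>') into 'decl'. Every access is bounded: a chunk that ends inside
// the keyword (the lone "<" from the log) or inside the declaration (the
// 51-byte "Transi" chunk) yields NeedMoreData for the caller to retry later.
DocTypeScan scanForDocType(const std::string& buf, std::string& decl) {
    static const char kw[] = "<!DOCTYPE";
    const size_t kwLen = sizeof(kw) - 1;
    for (size_t i = 0; i < buf.size(); ++i) {
        if (buf[i] != '<') continue;
        const Match m = matchAt(buf, i, kw);
        if (m == Match::Partial) return DocTypeScan::NeedMoreData;
        if (m == Match::None) continue;  // e.g. the <?xml ...?> prolog
        const size_t end = buf.find('>', i + kwLen);
        if (end == std::string::npos) return DocTypeScan::NeedMoreData;
        decl = buf.substr(i + kwLen, end - i - kwLen);
        return DocTypeScan::Found;
    }
    return DocTypeScan::NotFound;
}

int main() {
    // Constructed chunks mirroring the buffers shown in the log above.
    const char* chunks[] = {"<", "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transi",
                            "<?xml version=\"1.0\"?>\n<!doctype html>"};
    for (const char* c : chunks) {
        std::string decl;
        std::cout << static_cast<int>(scanForDocType(c, decl)) << " [" << decl << "]\n";
    }
}
```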
Comment 12 Tommi Tervo 2007-12-19 12:22:13 UTC
*** Bug 154312 has been marked as a duplicate of this bug. ***
Comment 13 Allan Sandfeld 2007-12-19 19:28:37 UTC
SVN commit 750614 by carewolf:

Don't crash bugs.kde.org and other places, 
even if we risk misdetermining doctype
CCBUG: 153827


 M  +17 -2     html_documentimpl.cpp  


WebSVN link: http://websvn.kde.org/?view=rev&revision=750614
Comment 14 Eduardo Robles Elvira 2008-04-20 20:50:55 UTC
Can't reproduce, so I guess this is fixed by the patch sent by carewolf?
Comment 15 Josh Berry 2008-04-20 22:11:59 UTC
This does appear to be fixed in trunk.  I can no longer reproduce either.
Comment 16 FiNeX 2008-04-21 13:50:43 UTC
Cannot reproduce on r797319 either.
Comment 17 FiNeX 2008-06-03 09:01:56 UTC
Other people are confirming that the crash doesn't happen anymore in trunk.
Comment 18 Josh Berry 2008-06-03 09:25:17 UTC
Someone should mark this as RESOLVED/FIXED (I don't have permission).
Comment 19 FiNeX 2008-06-03 10:22:06 UTC
Ok