Bug 155434 - facebook: clicking on a button in the "requests" section causes crash
Summary: facebook: clicking on a button in the "requests" section causes crash
Status: RESOLVED FIXED
Alias: None
Product: konqueror
Classification: Applications
Component: khtml
Version: 4.0
Platform: Compiled Sources Linux
Importance: NOR crash
Target Milestone: ---
Assignee: Konqueror Developers
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-01-11 03:02 UTC by A. Spehr
Modified: 2008-01-31 20:02 UTC

See Also:
Latest Commit:
Version Fixed In:


Description A. Spehr 2008-01-11 03:02:41 UTC
Version:           4.0.80 >= 20080104 (using KDE Devel)
Installed from:    Compiled sources
Compiler:          gcc version 4.2.3 
OS:                Linux

To reproduce: 
1) From your facebook homepage, look to the grey box on the right below the blue bar at the top. This is the box with "Requests", "Status Update", "Birthdays", etc. I mention this because I don't think you'll have "Requests" show up if you haven't had anyone try to friend you lately or invite you to some silly application.

2) Click on "Requests" (if you need some, ask! :)

3) On that page, hit the "ignore" button 

4) Crash

Note: Apparently /accepting/ doesn't crash it, instead it sends you to the "do you want to install ---?" page. Once I get more requests, I guess I can test to make sure.

Valgrind says:

==11511==
==11511== Invalid read of size 4
==11511==    at 0xA8B1C05: khtml::RenderBox::repaintRectangle(int, int, int,int, Priority, bool) (render_box.cpp:892)
==11511==    by 0xA8CC540: khtml::RenderTableCell::repaintRectangle(int, int, int, int, Priority, bool) (render_table.cpp:2405)
==11511==    by 0xA8B1D30: khtml::RenderBox::repaintRectangle(int, int, int,int, Priority, bool) (render_box.cpp:898)
==11511==    by 0xA8B21FF: khtml::RenderBox::repaint(Priority) (render_box.cpp:871)
==11511==    by 0xA8B6B30: khtml::RenderFlow::repaint(Priority) (render_flow.cpp:476)
==11511==    by 0xA8AAEA8: khtml::RenderContainer::removeChildNode(khtml::RenderObject*) (render_container.cpp:151)
==11511==    by 0xA8B4431: khtml::RenderBox::removeChild(khtml::RenderObject*) (render_box.cpp:248)
==11511==    by 0xA8899D5: khtml::RenderBlock::removeChild(khtml::RenderObject*) (render_block.cpp:570)
==11511==    by 0xA8A7788: khtml::RenderObject::remove() (render_object.h:795)
==11511==    by 0xA89F421: khtml::RenderObject::detach() (render_object.cpp:1678)
==11511==    by 0xA8B4476: khtml::RenderBox::detach() (render_box.cpp:218)
==11511==    by 0xA8B71BE: khtml::RenderFlow::detach() (render_flow.cpp:361)
==11511==  Address 0x2c is not stack'd, malloc'd or (recently) free'd

Backtrace says:

#6  0x00000000 in ?? ()
#7  0xb41d0c0f in khtml::RenderBox::repaintRectangle (this=0x8454e70, x=112, 
    y=85, w=316, h=41, p=NormalPriority, f=false)
    at /home/kde-devel/kde/src/KDE/kdelibs/khtml/rendering/render_box.cpp:892
#8  0xb41eb541 in khtml::RenderTableCell::repaintRectangle (this=0x8454e70, 
    x=10, y=85, w=316, h=41, p=NormalPriority, f=false)

With the rest at:  http://pastebin.ca/850207
btw: 
print o
$1 = (class khtml::RenderObject *) 0x842fb60
Comment 1 Maksim Orlovich 2008-01-31 19:10:18 UTC
==14130== Invalid read of size 1
==14130==    at 0xC5F5D2E: khtml::RenderObject::setMinMaxKnown(bool) (render_object.h:337)
==14130==    by 0xC5FE8C9: khtml::RenderObject::setNeedsLayoutAndMinMaxRecalc() (render_object.h:345)
==14130==    by 0xC715B85: khtml::RenderContainer::removeChildNode(khtml::RenderObject*) (render_container.cpp:146)
==14130==    by 0xC71DA23: khtml::RenderBox::removeChild(khtml::RenderObject*) (render_box.cpp:248)
==14130==    by 0xC6F8B43: khtml::RenderBlock::removeChild(khtml::RenderObject*) (render_block.cpp:570)
==14130==    by 0xC71290B: khtml::RenderObject::remove() (render_object.h:795)
==14130==    by 0xC70BF35: khtml::RenderObject::detach() (render_object.cpp:1678)
==14130==    by 0xC71DA7A: khtml::RenderBox::detach() (render_box.cpp:218)
==14130==    by 0xC72000F: khtml::RenderFlow::detach() (render_flow.cpp:361)
==14130==    by 0xC672BDB: DOM::NodeImpl::detach() (dom_nodeimpl.cpp:957)
==14130==    by 0xC672C57: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1548)
==14130==    by 0xC67D71D: DOM::ElementImpl::detach() (dom_elementimpl.cpp:725)
==14130==    by 0xC672C44: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1546)
==14130==    by 0xC67D71D: DOM::ElementImpl::detach() (dom_elementimpl.cpp:725)
==14130==    by 0xC672C44: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1546)
==14130==    by 0xC67D71D: DOM::ElementImpl::detach() (dom_elementimpl.cpp:725)
==14130==    by 0xC672C44: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1546)
==14130==    by 0xC67D71D: DOM::ElementImpl::detach() (dom_elementimpl.cpp:725)
==14130==    by 0xC672C44: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1546)
==14130==    by 0xC67D71D: DOM::ElementImpl::detach() (dom_elementimpl.cpp:725)
==14130==    by 0xC672F38: DOM::NodeBaseImpl::removeChildren() (dom_nodeimpl.cpp:1371)
==14130==    by 0xC6ABE6B: DOM::HTMLElementImpl::setInnerHTML(DOM::DOMString const&, int&) (html_elementimpl.cpp:578)
==14130==    by 0xC7D83FD: KJS::HTMLElement::putValueProperty(KJS::ExecState*, int, KJS::JSValue*, int) (kjs_html.cpp:2597)
==14130==    by 0xC7ED450: bool KJS::lookupPut<KJS::HTMLElement>(KJS::ExecState*, KJS::Identifier const&, KJS::JSValue*, int, KJS::HashTable const*, KJS::HTMLElement*) (lookup.h:249)
==14130==    by 0xC7ED4A7: void KJS::lookupPut<KJS::HTMLElement, KJS::DOMElement>(KJS::ExecState*, KJS::Identifier const&, KJS::JSValue*, int,KJS::HashTable const*, KJS::HTMLElement*) (lookup.h:265)
==14130==    by 0xC7D8955: KJS::HTMLElement::put(KJS::ExecState*, KJS::Identifier const&, KJS::JSValue*, int) (kjs_html.cpp:2373)
==14130==    by 0xC2E3A50: KJS::AssignDotNode::evaluate(KJS::ExecState*) (nodes.cpp:1830)
==14130==    by 0xC2DB40A: KJS::ExprStatementNode::execute(KJS::ExecState*) (nodes.cpp:2168)
==14130==    by 0xC2DAA25: KJS::SourceElementsNode::execute(KJS::ExecState*) (nodes.cpp:2979)
==14130==    by 0xC2D740B: KJS::BlockNode::execute(KJS::ExecState*) (nodes.cpp:2145)
==14130==    by 0xC2E046F: KJS::IfNode::execute(KJS::ExecState*) (nodes.cpp:2200)
==14130==    by 0xC2DA936: KJS::SourceElementsNode::execute(KJS::ExecState*) (nodes.cpp:2973)
==14130==    by 0xC2D740B: KJS::BlockNode::execute(KJS::ExecState*) (nodes.cpp:2145)
==14130==    by 0xC2E046F: KJS::IfNode::execute(KJS::ExecState*) (nodes.cpp:2200)
==14130==    by 0xC2DAA25: KJS::SourceElementsNode::execute(KJS::ExecState*) (nodes.cpp:2979)
==14130==    by 0xC2D740B: KJS::BlockNode::execute(KJS::ExecState*) (nodes.cpp:2145)
==14130==    by 0xC318420: KJS::DeclaredFunctionImp::execute(KJS::ExecState*) (function.cpp:373)
==14130==    by 0xC319A3E: KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) (function.cpp:161)
==14130==    by 0xC320CCC: KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) (object.cpp:99)
==14130==    by 0xC2DDC5F: KJS::FunctionCallReferenceNode::evaluate(KJS::ExecState*) (nodes.cpp:1038)
==14130==    by 0xC2DB40A: KJS::ExprStatementNode::execute(KJS::ExecState*) (nodes.cpp:2168)
==14130==    by 0xC2DA936: KJS::SourceElementsNode::execute(KJS::ExecState*) (nodes.cpp:2973)
==14130==    by 0xC2D740B: KJS::BlockNode::execute(KJS::ExecState*) (nodes.cpp:2145)
==14130==    by 0xC31B3CF: KJS::GlobalFuncImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) (function.cpp:953)
==14130==    by 0xC320CCC: KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) (object.cpp:99)
==14130==    by 0xC2DDC5F: KJS::FunctionCallReferenceNode::evaluate(KJS::ExecState*) (nodes.cpp:1038)
==14130==    by 0xC2DB40A: KJS::ExprStatementNode::execute(KJS::ExecState*) (nodes.cpp:2168)
==14130==    by 0xC2DAA25: KJS::SourceElementsNode::execute(KJS::ExecState*) (nodes.cpp:2979)
==14130==    by 0xC2D740B: KJS::BlockNode::execute(KJS::ExecState*) (nodes.cpp:2145)
==14130==    by 0xC2E046F: KJS::IfNode::execute(KJS::ExecState*) (nodes.cpp:2200)
==14130==  Address 0x7031013 is 35 bytes inside a block of size 92 free'd
==14130==    at 0x40213CC: free (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==14130==    by 0xC726440: khtml::RenderArena::free(unsigned, void*) (render_arena.cpp:122)
==14130==    by 0xC70BEC2: khtml::RenderObject::arenaDelete(khtml::RenderArena*, void*) (render_object.cpp:1700)
==14130==    by 0xC70BF87: khtml::RenderObject::detach() (render_object.cpp:1685)
==14130==    by 0xC734C05: khtml::RenderTableRow::detach() (render_table.cpp:2083)
==14130==    by 0xC7164FE: khtml::RenderBox::detachRemainingChildren() (render_box.cpp:236)
==14130==    by 0xC71DA72: khtml::RenderBox::detach() (render_box.cpp:217)
==14130==    by 0xC7324FD: khtml::RenderTableSection::detach() (render_table.cpp:1026)
==14130==    by 0xC7164FE: khtml::RenderBox::detachRemainingChildren() (render_box.cpp:236)
==14130==    by 0xC71FF0D: khtml::RenderFlow::detach() (render_flow.cpp:326)
==14130==    by 0xC7164FE: khtml::RenderBox::detachRemainingChildren() (render_box.cpp:236)
==14130==    by 0xC71FF0D: khtml::RenderFlow::detach() (render_flow.cpp:326)
==14130==    by 0xC672BDB: DOM::NodeImpl::detach() (dom_nodeimpl.cpp:957)
==14130==    by 0xC672C57: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1548)
==14130==    by 0xC67D71D: DOM::ElementImpl::detach() (dom_elementimpl.cpp:725)
==14130==    by 0xC67D359: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:794)
==14130==    by 0xC6ACD48: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:277)
==14130==    by 0xC67D446: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:825)
==14130==    by 0xC6ACD48: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:277)
==14130==    by 0xC67D446: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:825)
==14130==    by 0xC6ACD48: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:277)
==14130==    by 0xC67D446: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:825)
==14130==    by 0xC6ACD48: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:277)
==14130==    by 0xC67D446: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:825)
==14130==    by 0xC6ACD48: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:277)
==14130==    by 0xC67D446: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:825)
==14130==    by 0xC6ACD48: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:277)
==14130==    by 0xC67D446: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:825)
==14130==    by 0xC6ACD48: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:277)
==14130==    by 0xC67D446: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:825)
==14130==    by 0xC6ACD48: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:277)
==14130==    by 0xC67D446: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:825)
==14130==    by 0xC6ACD48: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:277)
==14130==    by 0xC67D446: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:825)
==14130==    by 0xC6ACD48: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:277)
==14130==    by 0xC67D446: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:825)
==14130==    by 0xC6ACD48: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:277)
==14130==    by 0xC661611: DOM::DocumentImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_docimpl.cpp:1196)
==14130==    by 0xC65AF48: DOM::DocumentImpl::updateRendering() (dom_docimpl.cpp:1225)
==14130==    by 0xC6612B5: DOM::DocumentImpl::updateDocumentsRendering() (dom_docimpl.cpp:1238)
==14130==    by 0xC677C28: DOM::NodeImpl::dispatchGenericEvent(DOM::EventImpl*, int&) (dom_nodeimpl.cpp:510)
==14130==    by 0xC6764AA: DOM::NodeImpl::dispatchEvent(DOM::EventImpl*, int&, bool) (dom_nodeimpl.cpp:421)
==14130==    by 0xC678419: DOM::NodeImpl::dispatchHTMLEvent(int, bool, bool) (dom_nodeimpl.cpp:519)
==14130==    by 0xC65E6D8: DOM::DocumentImpl::setFocusNode(DOM::NodeImpl*) (dom_docimpl.cpp:2311)
==14130==    by 0xC5EE53E: KHTMLView::focusNextPrevNode(bool) (khtmlview.cpp:2365)
==14130==    by 0xC5EECCF: KHTMLView::focusNextPrevChild(bool) (khtmlview.cpp:1919)
==14130==    by 0x545F3AC: QWidget::focusNextPrevChild(bool) (qwidget.cpp:4614)
==14130==    by 0x545F3AC: QWidget::focusNextPrevChild(bool) (qwidget.cpp:4614)
==14130==    by 0x545F3AC: QWidget::focusNextPrevChild(bool) (qwidget.cpp:4614)
==14130==    by 0x546226F: QWidgetPrivate::hide_helper() (qwidget.cpp:5494)
Comment 2 Maksim Orlovich 2008-01-31 20:02:19 UTC
SVN commit 769176 by orlovich:

Instead of trying to figure out whether to do a silent focus clear
when a previously-focus widget is getting destroyed in both
the document and the view (and getting them out-of-sync), have a
special quietResetFocus() method, and call it from the view's
focusNextPrevNode as appropriate. Fixes a crash when ignoring
requests on FaceBook
BUG: 155434

 M  +4 -5      khtmlview.cpp  
 M  +21 -12    xml/dom_docimpl.cpp  
 M  +3 -2      xml/dom_docimpl.h  


WebSVN link: http://websvn.kde.org/?view=rev&revision=769176
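The ownership problem the commit above describes, as an added model that is constructed here and is not khtml code (Arena, Document, Node, destroyFocusedWidget and runScenario are all assumed names): with quiet=false the view clears focus through the event-dispatching path and the blur handler's innerHTML rewrite frees the renderer the teardown is still holding, while with quiet=true the document's quietResetFocus() runs no script and the renderer stays valid.

```cpp
// Constructed model of the focus-lifetime hazard in this report, not khtml code:
// a normal focus change fires blur, so page script may rebuild part of the tree
// (setInnerHTML in the trace above) while the view is still tearing a widget down.
#include <functional>
#include <set>
struct Arena {                 // live renderer ids: a stale id is detected, not read
    std::set<int> live;
    int next = 1;
    int alloc() { live.insert(next); return next++; }
    void release(int id) { live.erase(id); }
    bool isLive(int id) const { return live.count(id) != 0; }
};
struct Node { int renderer = 0; };

struct Document {
    Arena arena;
    Node* focusNode = nullptr;
    std::function<void(Document&)> onBlurScript;   // page script bound to blur
    // Regular focus change: fires blur on the old node, which may run script.
    void setFocusNode(Node* n) {
        Node* old = focusNode;
        focusNode = n;
        if (old && onBlurScript) onBlurScript(*this);
    }
    // Fix from r769176: forget the focused node without dispatching anything.
    void quietResetFocus() { focusNode = nullptr; }
    // Script-driven rebuild: the node's old renderer is freed and replaced.
    void setInnerHTML(Node& n) { arena.release(n.renderer); n.renderer = arena.alloc(); }
};

// View tearing down the widget that owns focus. quiet=false is the pre-fix path
// (clear focus through setFocusNode, events included), quiet=true the fixed one.
// Returns whether the renderer captured at the start of teardown is still live.
bool destroyFocusedWidget(Document& doc, Node& widget, bool quiet) {
    int captured = widget.renderer;            // held across the focus change
    if (quiet) doc.quietResetFocus();
    else       doc.setFocusNode(nullptr);      // blur handler may rebuild the tree
    bool stillLive = doc.arena.isLive(captured);
    doc.arena.release(widget.renderer);        // teardown finishes normally
    return stillLive;
}
// One focused widget whose blur handler rewrites its own innerHTML.
bool runScenario(bool quiet) {
    Document doc;
    Node widget;
    widget.renderer = doc.arena.alloc();
    doc.focusNode = &widget;
    doc.onBlurScript = [&widget](Document& d) { d.setInnerHTML(widget); };
    return destroyFocusedWidget(doc, widget, quiet);   // false pre-fix, true fixed
}
```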