Version: 3.5.9 (using 3.5.9, Gentoo)
Compiler: gcc version 3.4.6 (Gentoo 3.4.6-r2, ssp-3.4.6-1.0, pie-8.7.10)
OS: Linux (i686) release 2.6.24-gentoo-r8

Open just.blogsport.de and watch konqueror crash each time you open the page. It must have something to do with Javascript. When Javascript is switched off, the page loads fine. Plugins are switched off.
[KCrash handler]
#6 0x00000000 in ?? ()
#7 0xb3196015 in khtml::Marquee::timerEvent () from /opt/kde4/lib/libkhtml.so.5
#8 0xb74a2164 in QObject::event () from /opt/kde4/lib/libQtCore.so.4
#9 0xb6a16f7c in QApplicationPrivate::notify_helper () from /opt/kde4/lib/libQtGui.so.4
#10 0xb6a1e049 in QApplication::notify () from /opt/kde4/lib/libQtGui.so.4
#11 0xb7a579dd in KApplication::notify () from /opt/kde4/lib/libkdeui.so.5
#12 0xb74942a9 in QCoreApplication::notifyInternal () from /opt/kde4/lib/libQtCore.so.4
#13 0xb74bd031 in ?? () from /opt/kde4/lib/libQtCore.so.4
#14 0xb74bab30 in ?? () from /opt/kde4/lib/libQtCore.so.4
#15 0xb64fbdd6 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#16 0xb64ff193 in ?? () from /usr/lib/libglib-2.0.so.0
#17 0xb64ff74e in g_main_context_iteration () from /usr/lib/libglib-2.0.so.0
#18 0xb74bb268 in QEventDispatcherGlib::processEvents () from /opt/kde4/lib/libQtCore.so.4
#19 0xb6a9d305 in ?? () from /opt/kde4/lib/libQtGui.so.4
#20 0xb749352d in QEventLoop::processEvents () from /opt/kde4/lib/libQtCore.so.4
#21 0xb74936c1 in QEventLoop::exec () from /opt/kde4/lib/libQtCore.so.4
#22 0xb749595a in QCoreApplication::exec () from /opt/kde4/lib/libQtCore.so.4
#23 0xb6a16687 in QApplication::exec () from /opt/kde4/lib/libQtGui.so.4
#24 0xb7f35fce in kdemain () from /opt/kde4/lib/libkdeinit4_konqueror.so
#25 0x08048772 in main ()
#0 0xb7f4d410 in __kernel_vsyscall ()
Created attachment 27376: Test case (not minimal)

I reduced the page a bit, but my test case still depends on two external JS files which looked a bit ugly to me ;-). I could try to fight my way through them if you think it helps... Note that "QObject: Do not delete object, 'unnamed', during its event handler!" is shown in Konsole.
The crash is because RenderLayer::scrollToOffset, triggered by a marquee, runs some JavaScript which detaches the layer on after-the-execution CSS recomputation. Seeing this many bugs of this class makes me wonder if we should only be doing updateRendering off the main event loop or such?

==7959== Invalid read of size 4
==7959== at 0xB980900: khtml::RenderLayer::scrollToOffset(int, int, bool, bool) (render_layer.cpp:723)
==7959== by 0xB98284A: khtml::RenderLayer::scrollToXOffset(int) (render_layer.h:184)
==7959== by 0xB980CAB: khtml::Marquee::timerEvent(QTimerEvent*) (render_layer.cpp:1957)
==7959== by 0x4E0DF1E: QObject::event(QEvent*) (qobject.cpp:1105)
==7959== by 0x541EBDB: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:3800)
==7959== by 0x5424FED: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:3392)
==7959== by 0x46D4588: KApplication::notify(QObject*, QEvent*) (kapplication.cpp:311)
==7959== by 0x4DFFD20: QCoreApplication::notifyInternal(QObject*, QEvent*) (qcoreapplication.cpp:587)
==7959== by 0x4E29B60: QTimerInfoList::activateTimers() (qcoreapplication.h:215)
==7959== by 0x4E266EF: _ZL19timerSourceDispatchP8_GSourcePFiPvES1_ (qeventdispatcher_glib.cpp:166)
==7959== by 0x5E25799: g_main_context_dispatch (gmain.c:2142)
==7959== by 0x5E28EB7: g_main_context_iterate (gmain.c:2775)
==7959== by 0x5E29077: g_main_context_iteration (gmain.c:2838)
==7959== by 0x4E26647: QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventdispatcher_glib.cpp:325)
==7959== by 0x54A8594: QGuiEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qguieventdispatcher_glib.cpp:204)
==7959== by 0x4DFE489: QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventloop.cpp:149)
==7959== by 0x4DFE649: QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (qeventloop.cpp:196)
==7959== by 0x4E008CC: QCoreApplication::exec() (qcoreapplication.cpp:849)
==7959== by 0x541EA56: QApplication::exec() (qapplication.cpp:3330)
==7959== by 0x4127BBA: kdemain (konqmain.cpp:227)
==7959== by 0x80487A1: main (konqueror_dummy.cpp:3)
==7959== Address 0xdec0988 is 8 bytes inside a block of size 108 free'd
==7959== at 0x40218FA: free (vg_replace_malloc.c:323)
==7959== by 0xB97A445: khtml::RenderArena::free(unsigned, void*) (render_arena.cpp:122)
==7959== by 0xB97ED58: khtml::RenderLayer::detach(khtml::RenderArena*) (render_layer.cpp:500)
==7959== by 0xB97100D: khtml::RenderBox::detach() (render_box.cpp:221)
==7959== by 0xB97383A: khtml::RenderFlow::detach() (render_flow.cpp:361)
==7959== by 0xB8A4BCB: DOM::NodeImpl::detach() (dom_nodeimpl.cpp:985)
==7959== by 0xB8A4C4A: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1747)
==7959== by 0xB8B17C1: DOM::ElementImpl::detach() (dom_elementimpl.cpp:863)
==7959== by 0xB8A4C34: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1745)
==7959== by 0xB8B17C1: DOM::ElementImpl::detach() (dom_elementimpl.cpp:863)
==7959== by 0xB8A4C34: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1745)
==7959== by 0xB8B17C1: DOM::ElementImpl::detach() (dom_elementimpl.cpp:863)
==7959== by 0xB8A4C34: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1745)
==7959== by 0xB8B17C1: DOM::ElementImpl::detach() (dom_elementimpl.cpp:863)
==7959== by 0xB8A4C34: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1745)
==7959== by 0xB8B17C1: DOM::ElementImpl::detach() (dom_elementimpl.cpp:863)
==7959== by 0xB8A4C34: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1745)
==7959== by 0xB8B17C1: DOM::ElementImpl::detach() (dom_elementimpl.cpp:863)
==7959== by 0xB8A4C34: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1745)
==7959== by 0xB8B17C1: DOM::ElementImpl::detach() (dom_elementimpl.cpp:863)
==7959== by 0xB8A4C34: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1745)
==7959== by 0xB8B17C1: DOM::ElementImpl::detach() (dom_elementimpl.cpp:863)
==7959== by 0xB8B1422: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:937)
==7959== by 0xB8F75F8: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:280)
==7959== by 0xB8B1526: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:968)
==7959== by 0xB8F75F8: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:280)
==7959== by 0xB8946A9: DOM::DocumentImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_docimpl.cpp:1266)
==7959== by 0xB88AF78: DOM::DocumentImpl::updateRendering() (dom_docimpl.cpp:1295)
==7959== by 0xB894295: DOM::DocumentImpl::updateDocumentsRendering() (dom_docimpl.cpp:1308)
==7959== by 0xBA6F26B: KJS::Window::afterScriptExecution() (kjs_window.cpp:1270)
==7959== by 0xBA9949A: KJS::JSEventListener::handleEvent(DOM::Event&) (kjs_events.cpp:119)
==7959== by 0xB88D9A6: DOM::DocumentImpl::defaultEventHandler(DOM::EventImpl*) (dom_docimpl.cpp:2699)
==7959== by 0xB8AA974: DOM::NodeImpl::dispatchGenericEvent(DOM::EventImpl*, int&) (dom_nodeimpl.cpp:524)
==7959== by 0xB8A8FCA: DOM::NodeImpl::dispatchEvent(DOM::EventImpl*, int&, bool) (dom_nodeimpl.cpp:451)
==7959== by 0xB8AB0B9: DOM::NodeImpl::dispatchHTMLEvent(int, bool, bool) (dom_nodeimpl.cpp:550)
==7959== by 0xB9808F6: khtml::RenderLayer::scrollToOffset(int, int, bool, bool) (render_layer.cpp:719)
==7959== by 0xB98284A: khtml::RenderLayer::scrollToXOffset(int) (render_layer.h:184)
==7959== by 0xB980CAB: khtml::Marquee::timerEvent(QTimerEvent*) (render_layer.cpp:1957)
==7959== by 0x4E0DF1E: QObject::event(QEvent*) (qobject.cpp:1105)
==7959== by 0x541EBDB: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:3800)
==7959== by 0x5424FED: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:3392)
==7959== by 0x46D4588: KApplication::notify(QObject*, QEvent*) (kapplication.cpp:311)
==7959== by 0x4DFFD20: QCoreApplication::notifyInternal(QObject*, QEvent*) (qcoreapplication.cpp:587)
==7959== by 0x4E29B60: QTimerInfoList::activateTimers() (qcoreapplication.h:215)
==7959== by 0x4E266EF: _ZL19timerSourceDispatchP8_GSourcePFiPvES1_ (qeventdispatcher_glib.cpp:166)
==7959== by 0x5E25799: g_main_context_dispatch (gmain.c:2142)
==7959== by 0x5E28EB7: g_main_context_iterate (gmain.c:2775)
==7959== by 0x5E29077: g_main_context_iteration (gmain.c:2838)
==7959== by 0x4E26647: QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventdispatcher_glib.cpp:325)
==7959== by 0x54A8594: QGuiEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qguieventdispatcher_glib.cpp:204)
==7959== by 0x4DFE489: QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventloop.cpp:149)
==7959== by 0x4DFE649: QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (qeventloop.cpp:196)
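The valgrind report above shows the general shape of this bug class: a render-tree method dispatches an event, the event handler runs script, the post-script style recalculation detaches and frees the very object whose method is still on the stack, and that method then touches freed arena memory. The simulation below, added here as an editor's example and not code from this bug report, from KHTML, or from the r860095 fix, reproduces that sequence with constructed stand-ins (Layer, Arena, Protector, scrollToOffsetUnsafe, scrollToOffsetSafe, runScenario are all this example's own names) and shows one standard mitigation: a scoped protecting reference that keeps the block alive across the re-entrant callback and defers the real release until the frame returns, plus a post-callback check that skips tree-dependent work when the layer was detached meanwhile. The arena here only marks blocks as freed instead of unmapping them, so the unsafe path can report the stale write without actually crashing.

```cpp
#include <cstdio>
#include <functional>
#include <memory>
#include <vector>

// Constructed stand-in for a khtml::RenderLayer living in a RenderArena.
// Names in this example (Layer, Arena, Protector, ...) are the example's own.
struct Layer {
    int scrollX = 0;
    int refs = 0;           // protecting references held by live call frames
    bool detached = false;  // unlinked from the render tree by style recalc
    bool freed = false;     // backing block handed back to the arena
    std::function<void(Layer&)> onScroll;  // stands in for the JS "scroll" handler
};

// Arena that only marks blocks as freed, so the simulation never dereferences
// unmapped memory, and that refuses to release a block that is still protected.
struct Arena {
    std::vector<std::unique_ptr<Layer>> blocks;
    Layer& allocate() {
        blocks.emplace_back(new Layer());
        return *blocks.back();
    }
    void release(Layer& l) {
        if (l.refs == 0) l.freed = true;  // otherwise deferred to the last Protector
    }
};

// What the style recalculation does to a layer the script removed from the
// document: unlink it and give its block back to the arena.
void detach(Arena& arena, Layer& l) {
    l.detached = true;
    arena.release(l);
}

// Vulnerable shape from the report: dispatching the scroll event runs script,
// the post-script style recalculation may detach *this* layer, and the caller
// then keeps writing to it. Returns true when that write hit a freed block.
bool scrollToOffsetUnsafe(Layer& l, int x) {
    l.scrollX = x;
    if (l.onScroll) l.onScroll(l);  // JS -> afterScriptExecution -> recalcStyle -> detach
    l.scrollX = x;                  // bookkeeping after the callback: the stale write
    return l.freed;
}

// RAII protector: keeps the block alive for the duration of a call frame and
// performs the deferred release once the last frame lets go of a detached layer.
struct Protector {
    Arena& arena;
    Layer& l;
    Protector(Arena& a, Layer& layer) : arena(a), l(layer) { ++l.refs; }
    ~Protector() {
        if (--l.refs == 0 && l.detached) arena.release(l);
    }
};

// Hardened shape: protect the layer across the re-entrant callback and skip
// tree-dependent work if the layer was detached meanwhile. Returns true only
// if it touched a freed block, which the protector rules out.
bool scrollToOffsetSafe(Arena& arena, Layer& l, int x) {
    Protector guard(arena, l);
    l.scrollX = x;
    if (l.onScroll) l.onScroll(l);
    if (!l.detached) l.scrollX = x;  // still in the tree: finish the update
    return l.freed;                  // evaluated before `guard` releases the block
}

struct Outcome {
    bool touchedFreed;    // did the scroll routine write to a released block?
    bool freedAfterwards; // was the block released once the call returned?
};

// Drive one scroll tick with a constructed handler that detaches the layer
// from inside the event (the page's JS did this indirectly, via a restyle).
Outcome runScenario(bool hardened, bool handlerDetaches) {
    Arena arena;
    Layer& layer = arena.allocate();
    if (handlerDetaches)
        layer.onScroll = [&arena](Layer& self) { detach(arena, self); };
    bool touched = hardened ? scrollToOffsetSafe(arena, layer, 10)
                            : scrollToOffsetUnsafe(layer, 10);
    return {touched, layer.freed};
}

int main() {
    Outcome bad = runScenario(false, true);
    Outcome good = runScenario(true, true);
    std::printf("unsafe: touched freed block = %d\n", bad.touchedFreed);
    std::printf("safe:   touched freed block = %d, released after return = %d\n",
                good.touchedFreed, good.freedAfterwards);
    return 0;
}
```

The protector pattern is the same idea as holding a strong reference to `this` before dispatching an event in a real engine; the `detached` check afterwards is what lets the method finish without assuming the object is still in the tree. A regression test for this class of bug needs exactly what the scenario function does: a handler that forces a detach of the object whose method dispatched the event.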
OK, have a fix. Now just need to figure out how to make the test standalone. Also, the original idea doesn't really help since event handlers can handle a detach or a restyle in other ways anyway.
Fixed in r860095. I gave up on making a standalone reduction since the lightbox JS file registers a whole bunch of hooks. It'd probably be easier to figure out how to trigger an appropriately heavy detach... Shame, since it's the very sort of bug a regression test would be highly useful on.