Bug 204297 - (site, non-reduced testcase) crash when opening http://www.xmpp.org/extensions/xep-0244.html (khtml::RenderTableSection::addCell, khtml::RenderTableRow::addChild)
Status: RESOLVED FIXED
Alias: None
Product: konqueror
Classification: Applications
Component: general
Version: unspecified
Platform: Unlisted Binaries Linux
Importance: NOR crash
Target Milestone: ---
Assignee: Konqueror Developers
URL:
Keywords:
Duplicates: 198274 205650 206672 207003 207008 210817 212880 213696 213712 215640 219020 219334
Depends on:
Blocks:
 
Reported: 2009-08-18 17:12 UTC by Detlev Casanova
Modified: 2013-07-02 18:20 UTC

See Also:
Latest Commit:
Version Fixed In:


Attachments
Valgrind output (30.12 KB, text/plain)
2009-08-18 17:58 UTC, Dario Andres
Compressed and non-reduced testcase page (web save) (14.43 KB, application/x-gzip)
2009-08-18 17:59 UTC, Dario Andres

Description Detlev Casanova 2009-08-18 17:12:01 UTC
Application that crashed: konqueror
Version of the application: 4.3.00 (KDE 4.3.0)
KDE Version: 4.3.00 (KDE 4.3.0)
Qt Version: 4.5.2
Operating System: Linux 2.6.30-gentoo-r4 x86_64

What I was doing when the application crashed:
The title says it, when opening that URL, Konqueror crashes.
Other xmpp extensions webpages do not make konqueror crash.

 -- Backtrace:
Application: Konqueror (kdeinit4), signal: Aborted
[Current thread is 0 (LWP 9977)]

Thread 2 (Thread 0x7ff5f6a3c950 (LWP 9980)):
#0  0x00007ff60af5404d in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib/libpthread.so.0
#1  0x00007ff60b1c22f7 in QWaitCondition::wait (this=0xc7ac48, mutex=0xc7ac40, time=30000) at thread/qwaitcondition_unix.cpp:85
#2  0x00007ff60b1b8149 in QThreadPoolThread::run (this=0x6b87a0) at concurrent/qthreadpool.cpp:140
#3  0x00007ff60b1c1744 in QThreadPrivate::start (arg=0x6b87a0) at thread/qthread_unix.cpp:188
#4  0x00007ff60af50017 in start_thread () from /lib/libpthread.so.0
#5  0x00007ff607b6e48d in clone () from /lib/libc.so.6
#6  0x0000000000000000 in ?? ()

Thread 1 (Thread 0x7ff60b74c760 (LWP 9977)):
[KCrash Handler]
#5  0x00007ff607ad0205 in raise () from /lib/libc.so.6
#6  0x00007ff607ad1723 in abort () from /lib/libc.so.6
#7  0x00007ff60b1b8fa5 in qt_message_output (msgType=QtFatalMsg, buf=<value optimized out>) at global/qglobal.cpp:2042
#8  0x00007ff60b1b90c0 in qFatal (msg=<value optimized out>) at global/qglobal.cpp:2241
#9  0x00007ff5f90af69e in QVector<khtml::RenderTableCell*>::operator[] (this=0xe1cf40, i=9) at /usr/include/qt4/QtCore/qvector.h:337
#10 0x00007ff5f90a9ba5 in khtml::RenderTableSection::addCell (this=0xe13150, cell=0xe13910, row=<value optimized out>)
    at /var/tmp/portage/kde-base/kdelibs-4.3.0/work/kdelibs-4.3.0/khtml/rendering/render_table.cpp:1331
#11 0x00007ff5f90aa476 in khtml::RenderTableRow::addChild (this=0xe13890, child=0xe13910, beforeChild=0x0)
    at /var/tmp/portage/kde-base/kdelibs-4.3.0/work/kdelibs-4.3.0/khtml/rendering/render_table.cpp:2279
#12 0x00007ff5f8fd58c5 in DOM::NodeImpl::createRendererIfNeeded (this=0xe29740) at /var/tmp/portage/kde-base/kdelibs-4.3.0/work/kdelibs-4.3.0/khtml/xml/dom_nodeimpl.cpp:1084
#13 0x00007ff5f8fdf5aa in DOM::ElementImpl::attach (this=0xe29740) at /var/tmp/portage/kde-base/kdelibs-4.3.0/work/kdelibs-4.3.0/khtml/xml/dom_elementimpl.cpp:862
#14 0x00007ff5f90087d6 in khtml::KHTMLParser::insertNode (this=0xccc580, n=0xe29740, flat=false) at /var/tmp/portage/kde-base/kdelibs-4.3.0/work/kdelibs-4.3.0/khtml/html/htmlparser.cpp:429
#15 0x00007ff5f900aa4d in khtml::KHTMLParser::parseToken (this=0xccc580, t=0xcc8a98) at /var/tmp/portage/kde-base/kdelibs-4.3.0/work/kdelibs-4.3.0/khtml/html/htmlparser.cpp:302
#16 0x00007ff5f900c06b in khtml::HTMLTokenizer::processToken (this=0xcc8a70) at /var/tmp/portage/kde-base/kdelibs-4.3.0/work/kdelibs-4.3.0/khtml/html/htmltokenizer.cpp:2056
#17 0x00007ff5f90103ca in khtml::HTMLTokenizer::parseTag (this=0xcc8a70, src=@0xcc8fd8) at /var/tmp/portage/kde-base/kdelibs-4.3.0/work/kdelibs-4.3.0/khtml/html/htmltokenizer.cpp:1529
#18 0x00007ff5f9012890 in khtml::HTMLTokenizer::write (this=0xcc8a70, str=@0xda6a72, appendData=<value optimized out>)
    at /var/tmp/portage/kde-base/kdelibs-4.3.0/work/kdelibs-4.3.0/khtml/html/htmltokenizer.cpp:1810
#19 0x00007ff5f8f7cc44 in KHTMLPart::write (this=<value optimized out>, 
    data=0xe1eed8 "gt;\n      &lt;out/&gt;\n      &lt;error/&gt;\n      &lt;status&gt;\n         &lt;elapsed/&gt;\n         &lt;remaining/&gt;\n         &lt;percentage/&gt;\n         &lt;information/&gt;\n      &lt;/status&gt;\n"..., len=<value optimized out>) at /var/tmp/portage/kde-base/kdelibs-4.3.0/work/kdelibs-4.3.0/khtml/khtml_part.cpp:2100
#20 0x00007ff5f8f7ea22 in KHTMLPart::slotData (this=0xb92390, kio_job=<value optimized out>, data=@0x7fff1185cea0)
    at /var/tmp/portage/kde-base/kdelibs-4.3.0/work/kdelibs-4.3.0/khtml/khtml_part.cpp:1785
#21 0x00007ff5f8f856a8 in KHTMLPart::qt_metacall (this=0xb92390, _c=QMetaObject::InvokeMetaMethod, _id=<value optimized out>, _a=0x7fff1185cb50)
    at /var/tmp/portage/kde-base/kdelibs-4.3.0/work/kdelibs-4.3.0_build/khtml/khtml_part.moc:271
#22 0x00007ff60b2b9175 in QMetaObject::activate (sender=0xc82010, from_signal_index=<value optimized out>, to_signal_index=40, argv=0xffffffffffffffff) at kernel/qobject.cpp:3101
#23 0x00007ff60a1ca6c4 in KIO::TransferJob::data (this=0x26f9, _t1=0xc82010, _t2=<value optimized out>) at /var/tmp/portage/kde-base/kdelibs-4.3.0/work/kdelibs-4.3.0_build/kio/jobclasses.moc:364
#24 0x00007ff60a1d4319 in KIO::TransferJob::qt_metacall (this=0xc82010, _c=QMetaObject::InvokeMetaMethod, _id=<value optimized out>, _a=0x7fff1185cc90)
    at /var/tmp/portage/kde-base/kdelibs-4.3.0/work/kdelibs-4.3.0_build/kio/jobclasses.moc:344
#25 0x00007ff60b2b9175 in QMetaObject::activate (sender=0xc475b0, from_signal_index=<value optimized out>, to_signal_index=4, argv=0xffffffffffffffff) at kernel/qobject.cpp:3101
#26 0x00007ff60a268db2 in KIO::SlaveInterface::data (this=0x26f9, _t1=<value optimized out>) at /var/tmp/portage/kde-base/kdelibs-4.3.0/work/kdelibs-4.3.0_build/kio/slaveinterface.moc:140
#27 0x00007ff60a26ab78 in KIO::SlaveInterface::dispatch (this=0xc475b0, _cmd=100, rawdata=<value optimized out>)
    at /var/tmp/portage/kde-base/kdelibs-4.3.0/work/kdelibs-4.3.0/kio/kio/slaveinterface.cpp:163
#28 0x00007ff60a26adc4 in KIO::SlaveInterface::dispatch (this=0xc475b0) at /var/tmp/portage/kde-base/kdelibs-4.3.0/work/kdelibs-4.3.0/kio/kio/slaveinterface.cpp:91
#29 0x00007ff60a25fcfa in KIO::Slave::gotInput (this=0xc475b0) at /var/tmp/portage/kde-base/kdelibs-4.3.0/work/kdelibs-4.3.0/kio/kio/slave.cpp:322
#30 0x00007ff60a260de8 in KIO::Slave::qt_metacall (this=0xc475b0, _c=QMetaObject::InvokeMetaMethod, _id=0, _a=0x7fff1185d010)
    at /var/tmp/portage/kde-base/kdelibs-4.3.0/work/kdelibs-4.3.0_build/kio/slave.moc:76
#31 0x00007ff60b2b9175 in QMetaObject::activate (sender=0x9cc770, from_signal_index=<value optimized out>, to_signal_index=4, argv=0xffffffffffffffff) at kernel/qobject.cpp:3101
#32 0x00007ff60a1a67ab in KIO::ConnectionPrivate::dequeue (this=0x917d20) at /var/tmp/portage/kde-base/kdelibs-4.3.0/work/kdelibs-4.3.0/kio/kio/connection.cpp:82
#33 0x00007ff60a1a753a in KIO::Connection::qt_metacall (this=0x9cc770, _c=QMetaObject::InvokeMetaMethod, _id=0, _a=0x99d2d0)
    at /var/tmp/portage/kde-base/kdelibs-4.3.0/work/kdelibs-4.3.0_build/kio/connection.moc:73
#34 0x00007ff60b2b3b21 in QObject::event (this=0x9cc770, e=0xc87b00) at kernel/qobject.cpp:1099
#35 0x00007ff60873608d in QApplicationPrivate::notify_helper () from /usr/lib64/qt4/libQtGui.so.4
#36 0x00007ff60873ed0e in QApplication::notify () from /usr/lib64/qt4/libQtGui.so.4
#37 0x00007ff60977ed31 in KApplication::notify (this=0x7fff1185de30, receiver=0x9cc770, event=0xc87b00) at /var/tmp/portage/kde-base/kdelibs-4.3.0/work/kdelibs-4.3.0/kdeui/kernel/kapplication.cpp:302
#38 0x00007ff60b2a379c in QCoreApplication::notifyInternal (this=0x7fff1185de30, receiver=0x9cc770, event=0xc87b00) at kernel/qcoreapplication.cpp:606
#39 0x00007ff60b2a6e44 in QCoreApplicationPrivate::sendPostedEvents (receiver=0x0, event_type=0, data=0x611de0) at kernel/qcoreapplication.h:213
#40 0x00007ff6087c56aa in ?? () from /usr/lib64/qt4/libQtGui.so.4
#41 0x00007ff60b2a23e2 in QEventLoop::processEvents (this=<value optimized out>, flags={i = 293985152}) at kernel/qeventloop.cpp:149
#42 0x00007ff60b2a257c in QEventLoop::exec (this=0x7fff1185dbc0, flags={i = 293985232}) at kernel/qeventloop.cpp:197
#43 0x00007ff60b2a70fe in QCoreApplication::exec () at kernel/qcoreapplication.cpp:888
#44 0x00007ff5ffe08482 in kdemain (argc=<value optimized out>, argv=<value optimized out>) at /var/tmp/portage/kde-base/konqueror-4.3.0-r1/work/konqueror-4.3.0/konqueror/src/konqmain.cpp:257
#45 0x000000000040773d in launch (argc=4, _name=0x662e38 "konqueror", args=0x662e82 "", cwd=0x662e83 "/home/detlev", envc=52, envs=<value optimized out>, reset_env=true, tty=0x0, avoid_loops=false, 
    startup_id_str=0x66393a "naboo;1250608008;490069;7058_TIME31163571") at /var/tmp/portage/kde-base/kdelibs-4.3.0/work/kdelibs-4.3.0/kinit/kinit.cpp:676
#46 0x0000000000407dd2 in handle_launcher_request (sock=80, who=<value optimized out>) at /var/tmp/portage/kde-base/kdelibs-4.3.0/work/kdelibs-4.3.0/kinit/kinit.cpp:1168
#47 0x00000000004085b4 in handle_requests (waitForPid=0) at /var/tmp/portage/kde-base/kdelibs-4.3.0/work/kdelibs-4.3.0/kinit/kinit.cpp:1352
#48 0x0000000000408a6e in main (argc=2, argv=0x7fff1185f228, envp=0x7fff1185f240) at /var/tmp/portage/kde-base/kdelibs-4.3.0/work/kdelibs-4.3.0/kinit/kinit.cpp:1788

Reported using DrKonqi
Comment 1 Dario Andres 2009-08-18 17:56:33 UTC
I can reproduce the crash here using:

Qt: 4.5.2 (KDE-Qt git commit 5b7a2eb42acfdea07c6075556cb43e2c95852145
        Date:   Tue Jul 28 14:10:47 2009 -0300)
KDE: 4.3.64 (KDE 4.3.64 (KDE 4.4 >= 20090812))
kdelibs svn rev. 1011989 / kdebase svn rev. 1011989
on ArchLinux i686 - Kernel 2.6.30.4

Valgrind log to come
Comment 2 Dario Andres 2009-08-18 17:58:13 UTC
Created attachment 36260
Valgrind output
Comment 3 Dario Andres 2009-08-18 17:59:21 UTC
Created attachment 36261
Compressed and non-reduced testcase page (web save)
Comment 4 Maksim Orlovich 2009-08-20 05:12:05 UTC
Reduction:
<table>
    <tr>
        <th colspan="" rowspan="">Transaction Type</th>
        <th colspan="" rowspan="">Purpose</th>
        <th colspan="" rowspan="">Associated Ad-Hoc Command</th>
        <th colspan="" rowspan="">REQUIRED for generic XEP compatibility</th>
        <th colspan="" rowspan="">Contained Elements</th>
    </tr>
    <tr>
        <th colspan="" rowspan="">io-schemata-get</th>
        <th colspan="" rowspan="">To request the schemata of input and output.</th>
        <th colspan="" rowspan="">execute</th>
        <th colspan="" rowspan="">yes</th>
        <th colspan="" rowspan="">-</th>
    </tr>
</table>
Comment 5 Maksim Orlovich 2009-08-30 18:02:42 UTC
*** Bug 205650 has been marked as a duplicate of this bug. ***
Comment 6 Tommi Tervo 2009-09-07 21:18:11 UTC
*** Bug 206672 has been marked as a duplicate of this bug. ***
Comment 7 Dario Andres 2009-09-16 05:31:32 UTC
*** Bug 207008 has been marked as a duplicate of this bug. ***
Comment 8 Dario Andres 2009-09-16 05:32:43 UTC
*** Bug 207003 has been marked as a duplicate of this bug. ***
Comment 9 Tommi Tervo 2009-11-03 19:16:53 UTC
*** Bug 212880 has been marked as a duplicate of this bug. ***
Comment 10 Tommi Tervo 2009-11-08 19:43:48 UTC
*** Bug 213696 has been marked as a duplicate of this bug. ***
Comment 11 Tommi Tervo 2009-11-08 19:47:44 UTC
*** Bug 213712 has been marked as a duplicate of this bug. ***
Comment 12 FiNeX 2009-11-29 22:27:59 UTC
*** Bug 198274 has been marked as a duplicate of this bug. ***
Comment 13 FiNeX 2009-11-29 22:28:03 UTC
*** Bug 210765 has been marked as a duplicate of this bug. ***
Comment 14 FiNeX 2009-11-29 22:28:11 UTC
*** Bug 210817 has been marked as a duplicate of this bug. ***
Comment 15 FiNeX 2009-11-29 22:28:15 UTC
*** Bug 215640 has been marked as a duplicate of this bug. ***
Comment 16 Tommi Tervo 2009-12-17 11:49:53 UTC
*** Bug 219020 has been marked as a duplicate of this bug. ***
Comment 17 Germain Garand 2010-02-22 20:12:18 UTC
SVN commit 1094429 by ggarand:

.rowspan="" should map to rowspan=1, not rowspan=0
  avoids a crash on xmpp.org pages

.only actually enables the HTML 4.01 meaning of colspan/rowspan zero in
  standard/almost-standard mode matching Gecko engines

CCBUG: 204297
BUG: 227109

 M  +10 -6     html_tableimpl.cpp  


WebSVN link: http://websvn.kde.org/?view=rev&revision=1094429
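
Added example, not KHTML's code and not the committed patch: a span-attribute parser with the behaviour the commit message above describes, next to a naive numeric conversion that turns rowspan="" into 0. The names DocMode, naiveSpan and effectiveSpan, the kMaxSpan clamp, and the choice of 1 for an explicit zero in quirks mode are assumptions made for this sketch.

```cpp
#include <cctype>
#include <cstdlib>
#include <iostream>
#include <string>

// Document modes named in the commit message; the enum itself is hypothetical.
enum class DocMode { Quirks, AlmostStandard, Standard };

// Constructed upper bound so a huge attribute cannot overflow later grid maths.
constexpr unsigned long kMaxSpan = 65534;

// "Before" behaviour: plain numeric conversion, so "" and junk both become 0.
unsigned long naiveSpan(const std::string& raw) {
    return std::strtoul(raw.c_str(), nullptr, 10);
}

// "After" behaviour described in the commit message (hypothetical helper name).
// Returns 0 only when the author wrote an explicit zero and the document is in
// standard or almost-standard mode; every other unusable value collapses to 1.
unsigned long effectiveSpan(const std::string& raw, DocMode mode) {
    std::size_t i = 0;
    while (i < raw.size() && std::isspace(static_cast<unsigned char>(raw[i]))) ++i;
    if (i == raw.size() || !std::isdigit(static_cast<unsigned char>(raw[i])))
        return 1;                        // empty, blank, negative or non-numeric
    unsigned long value = 0;
    for (; i < raw.size() && std::isdigit(static_cast<unsigned char>(raw[i])); ++i) {
        value = value * 10 + static_cast<unsigned long>(raw[i] - '0');
        if (value > kMaxSpan) return kMaxSpan;   // clamp before it can wrap
    }
    if (value == 0)
        return mode == DocMode::Quirks ? 1 : 0;  // 0 keeps its HTML 4.01 meaning
    return value;
}

int main() {
    // Constructed sample attribute values, including the "" from the reduction.
    const char* samples[] = {"", "  ", "0", "3", "abc", "-2", "99999999999999999999"};
    for (const char* s : samples)
        std::cout << '"' << s << "\" naive=" << naiveSpan(s)
                  << " quirks=" << effectiveSpan(s, DocMode::Quirks)
                  << " standard=" << effectiveSpan(s, DocMode::Standard) << '\n';
}
```
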
Comment 18 Germain Garand 2010-02-22 22:06:37 UTC
SVN commit 1094488 by ggarand:

automatically merged revision 1094429:
.rowspan="" should map to rowspan=1, not rowspan=0
  avoids a crash on xmpp.org pages

.only actually enables the HTML 4.01 meaning of colspan/rowspan zero in
  standard/almost-standard mode matching Gecko engines

CCBUG: 204297

 M  +10 -6     html_tableimpl.cpp  


WebSVN link: http://websvn.kde.org/?view=rev&revision=1094488
Comment 19 FiNeX 2010-08-15 17:27:06 UTC
konqueror (KDE 4.4.5 and KDE 4.5.0) doesn't crash using the testcase on comments #3 and #4.
Comment 20 Tomas Trnka 2010-08-15 21:07:39 UTC
Indeed, doesn't crash anymore on KDE 4.4.3 and later...
Comment 21 Andrea Iacovitti 2013-07-02 18:20:53 UTC
*** Bug 219334 has been marked as a duplicate of this bug. ***