Version: (using KDE Devel)
Installed from: Compiled sources
Compiler: gcc 3.2
OS: Linux

1) Go to http://www.starnberger-fuenf-seen-land.de/index.html (Who comes up with these domain names? :)
2) Click on the image in the upper left-hand corner (Starnberger 5-Seen Land)
3) Click on the "Back" button
4) Crash

Here's the backtrace:

#0 0x41c2dc25 in KJS::ValueImp::dispatchToBoolean(KJS::ExecState*) const (this=0x0, exec=0xbfffc2a0) at value.cpp:165
#1 0x41bff512 in KJS::Node::toBoolean(KJS::ExecState*) const (this=0xbfffbfe0, exec=0x0) at value.h:218
#2 0x41c06405 in KJS::IfNode::execute(KJS::ExecState*) (this=0x83637b8, exec=0xbfffc2a0) at nodes.cpp:1975
#3 0x41c0bb6b in KJS::SourceElementsNode::execute(KJS::ExecState*) (this=0xbfffc0b0, exec=0xbfffc2a0) at nodes.cpp:3088
#4 0x41c05f63 in KJS::BlockNode::execute(KJS::ExecState*) (this=0x8331bd0, exec=0xbfffc2a0) at nodes.cpp:1902
#5 0x41c0b0fc in KJS::FunctionBodyNode::execute(KJS::ExecState*) (this=0x8331bd0, exec=0xbfffc2a0) at nodes.cpp:2915
#6 0x41bfddc3 in KJS::InterpreterImp::evaluate(KJS::UString const&, KJS::Value const&) (this=0x83cb548, code=@0x0, thisV=@0xbfffc420) at internal.cpp:855
#7 0x41c30fd9 in KJS::Interpreter::evaluate(KJS::UString const&, KJS::Value const&) (this=0xbfffbfe0, code=@0xbfffc410, thisV=@0xbfffc420) at interpreter.cpp:161
#8 0x41b004ad in KJSProxyImpl::evaluate(QString, int, QString const&, DOM::Node const&, KJS::Completion*) (this=0x821e670, filename= {static null = {static null = <same as static member of an already seen type>, d = 0x804b978, static shared_null = 0x804b978}, d = 0x0, static shared_null = 0x804b978}, baseLine=1, str=@0xbfffc570, n=@0xbfffc510, completion=0x0) at kjs_proxy.cpp:148
#9 0x419ceb59 in KHTMLPart::executeScript(QString const&, int, DOM::Node const&, QString const&) (this=0x8319268, filename=@0xbfffc520, baseLine=1, n=@0xbfffc510, script=@0xbfffc570) at khtml_part.cpp:875
#10 0x41a2aadf in khtml::HTMLTokenizer::scriptExecution(QString const&, QString const&, int) (this=0x8393050, str=@0xbfffc570, scriptURL=@0xbfffc500, baseLine=0) at ../../khtml/khtmlview.h:107
#11 0x41a2ee0b in khtml::HTMLTokenizer::notifyFinished(khtml::CachedObject*) (this=0x8393050) at htmltokenizer.cpp:1617
#12 0x41ab17b9 in khtml::CachedScript::ref(khtml::CachedObjectClient*) (this=0x8299f30, c=0x8393078) at loader.cpp:301
#13 0x41a2a6c5 in khtml::HTMLTokenizer::scriptHandler() (this=0x8393050) at htmltokenizer.cpp:387
#14 0x41a2a3d9 in khtml::HTMLTokenizer::parseSpecial(khtml::DOMStringIt&) (this=0x8393050, src=@0x839315c) at htmltokenizer.cpp:316
#15 0x41a2cf5f in khtml::HTMLTokenizer::parseTag(khtml::DOMStringIt&) (this=0x8393050, src=@0x839315c) at htmltokenizer.cpp:1123
#16 0x41a2db8f in khtml::HTMLTokenizer::write(QString const&, bool) (this=0x8393050, str=@0xbfffcc40, appendData=224) at htmltokenizer.cpp:1330
#17 0x419d2a52 in KHTMLPart::write(char const*, int) (this=0x8319268, str=0xbfffce60 "<html>\n<head>\n<title>Tourismusverband Starnberger Fünf-Seen-Land</title>\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=iso-8859-1\">\n<script language=\"JavaScript\" type=\"text/JavaScri"..., len=134558576) at khtml_part.cpp:1583
#18 0x419d1068 in KHTMLPart::slotRestoreData(QMemArray<char> const&) (this=0x8319268, data=@0xbfffce50) at /usr/lib/qt3/include/qmemarray.h:64
#19 0x419e97e0 in KHTMLPart::qt_invoke(int, QUObject*) (this=0x8319268, _id=12, _o=0xbfffcde0) at /usr/lib/qt3/include/private/qucom_p.h:312
#20 0x40c7e507 in QObject::activate_signal(QConnectionList*, QUObject*) (this=0x83867d0, clist=0x8330188, o=0xbfffcde0) at kernel/qobject.cpp:2333
#21 0x419fc3b6 in KHTMLPageCacheDelivery::emitData(QMemArray<char> const&) (this=0x83867d0, t0=@0xbfffce50) at khtml_pagecache.moc:177
#22 0x419fbda6 in KHTMLPageCache::sendData() (this=0x821d9a0) at khtml_pagecache.cpp:264
#23 0x419fc18a in KHTMLPageCache::qt_invoke(int, QUObject*) (this=0x821d9a0, _id=2, _o=0xbfffef20) at khtml_pagecache.moc:82
#24 0x40c7e507 in QObject::activate_signal(QConnectionList*, QUObject*) (this=0x80fba38, clist=0x832a538, o=0xbfffef20) at kernel/qobject.cpp:2333
#25 0x40fc1efa in QSignal::signal(QVariant const&) (this=0x80fba38, t0=@0x80fba60) at .moc/debug-shared-mt/moc_qsignal.cpp:100
#26 0x40c9b6c5 in QSignal::activate() (this=0x80fba38) at kernel/qsignal.cpp:204
#27 0x40ca29f3 in QSingleShotTimer::event(QEvent*) (this=0x80fba10) at kernel/qtimer.cpp:277
#28 0x40c1c489 in QApplication::internalNotify(QObject*, QEvent*) (this=0xbffff680, receiver=0x80fba10, e=0xbffff180) at kernel/qapplication.cpp:2578
#29 0x40c1b946 in QApplication::notify(QObject*, QEvent*) (this=0xbffff680, receiver=0x80fba10, e=0xbffff180) at kernel/qapplication.cpp:2302
#30 0x407b242e in KApplication::notify(QObject*, QEvent*) (this=0xbffff680, receiver=0x80fba10, event=0xbffff180) at kapplication.cpp:460
#31 0x40bb4551 in QApplication::sendEvent(QObject*, QEvent*) (receiver=0x80fba10, event=0xbffff180) at kernel/qapplication.h:490
#32 0x40c0a4d2 in QEventLoop::activateTimers() (this=0x8095bd8) at kernel/qeventloop_unix.cpp:557
#33 0x40bc5f2f in QEventLoop::processEvents(unsigned) (this=0x8095bd8, flags=4) at kernel/qeventloop_x11.cpp:346
#34 0x40c31c6c in QEventLoop::enterLoop() (this=0x8095bd8) at kernel/qeventloop.cpp:198
---Type <return> to continue, or q <return> to quit---
#35 0x40c31b86 in QEventLoop::exec() (this=0x8095bd8) at kernel/qeventloop.cpp:145
#36 0x40c1c605 in QApplication::exec() (this=0xbffff680) at kernel/qapplication.cpp:2701
#37 0x40055b2b in kdemain () from /opt/kde32/lib/libkdeinit_konqueror.so.0
#38 0x08048677 in main ()
#39 0x4144e082 in __libc_start_main () from /lib/i686/libc.so.6

This is with CVS HEAD from a few days ago.

regards,
Ralf
Subject: Re: New: KJS related crash on www.starnberger-fuenf-seen-land.de

On Sunday 20 July 2003 13:19, Ralf Holzer wrote:
> 1) Go to http://www.starnberger-fuenf-seen-land.de/index.html (Who comes up
> with these domain names? :) 2) Click on the image in the upper left-hand
> corner (Starnberger 5-Seen Land) 3) Click on the "Back" button
> 4) Crash
>
> Here's the backtrace:
>
> #0 0x41c2dc25 in KJS::ValueImp::dispatchToBoolean(KJS::ExecState*) const
> (this=0x0, exec=0xbfffc2a0) at value.cpp:165 #1 0x41bff512 in
> KJS::Node::toBoolean(KJS::ExecState*) const (this=0xbfffbfe0, exec=0x0) at
> value.h:218 #2 0x41c06405 in KJS::IfNode::execute(KJS::ExecState*)
> (this=0x83637b8, exec=0xbfffc2a0) at nodes.cpp:1975 #3 0x41c0bb6b in
> KJS::SourceElementsNode::execute(KJS::ExecState*) (this=0xbfffc0b0,
> exec=0xbfffc2a0) at nodes.cpp:3088 #4 0x41c05f63 in

This bt is misleading. At least for me I don't get exec=0x0, but KJS::ValueImp::dispatchToBoolean has this=0x0, indicating that rep=0x0 in toBoolean(). Seems to indicate that the expression for the if() statement is Null.

The problem is in menu8_com.js:13...

if(!MacExp4&&Trigger.onload)Dummy=Trigger.onload;
Works with current cvs.
Hermann Jansen reported a very similar crash that still exists in ~7 days old CVS sources. Go to http://www.heimatverein-boerger.de/1024x768/default.htm (1st bug: menu doesn't appear). Invoke "Reload Frame" and enjoy the crash:

#5 0x4179c6b8 in sigaction () from /lib/libc.so.6
#6 0x41fd189b in KJS::Node::toBoolean () from /home/porten/kde/lib/libkjs.so.1
#7 0x41fd8e89 in KJS::IfNode::execute () from /home/porten/kde/lib/libkjs.so.1
#8 0x41fdf614 in KJS::SourceElementsNode::execute () from /home/porten/kde/lib/libkjs.so.1
#9 0x41fd897a in KJS::BlockNode::execute () from /home/porten/kde/lib/libkjs.so.1
#10 0x41fdea2c in KJS::FunctionBodyNode::execute () from /home/porten/kde/lib/libkjs.so.1
#11 0x41fcfd8b in KJS::InterpreterImp::evaluate () from /home/porten/kde/lib/libkjs.so.1
#12 0x42004e44 in KJS::Interpreter::evaluate () from /home/porten/kde/lib/libkjs.so.1
#13 0x41e79f51 in KJSProxyImpl::evaluate () from /home/porten/kde/lib/libkhtml.so.4
#14 0x41d1c15d in KHTMLPart::executeScript () from /home/porten/kde/lib/libkhtml.so.4
Heimatverein crash (click "Reload Frame" in frame with counter):

==3893== Invalid read of size 4
==3893==    at 0x49B65D72: KJS::ValueImp::dispatchToBoolean(KJS::ExecState*) const (value.cpp:174)
==3893==    by 0x49B35FE1: KJS::Node::toBoolean(KJS::ExecState*) const (value.h:218)
==3893==    by 0x49B3D184: KJS::IfNode::execute(KJS::ExecState*) (nodes.cpp:1951)
==3893==    by 0x49B42FCA: KJS::SourceElementsNode::execute(KJS::ExecState*) (nodes.cpp:3035)
[snip]
==3893==  Address 0x0 is not stack'd, malloc'd or free'd

The problem seems to be in:

bool Node::toBoolean(ExecState *exec) const
{
  // fprintf(stderr, "Node(%s)::toBoolean()\n", typeid(*this).name());
  return evaluate(exec).toBoolean(exec);
}

Where evaluate(exec) returns an invalid value. Dunno if it matters, but exec->hadException() is false in this case.

It seems to me that Node::toBoolean(), Node::toNumber() and Node::toString() should all check whether evaluate() returns a valid value before processing it further.

There is something else wrong as well.. sometimes "rep" seems to have a value of 0x1 in dispatchToBoolean()
Something like this:

bool Node::toBoolean(ExecState *exec) const
{
  Value v = evaluate(exec);
  if (!v.isValid()) {
    throwError(exec, GeneralError, "Condition could not be evaluated.");
    return false;
  }
  return v.toBoolean(exec);
}

Solves the crash for me....
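The crash and the proposed guard, as an added stand-alone C++ model (not KJS's own code): ExecState, ValueImp, Value, Node, Null() and Boolean() are simplified stand-ins for the KJS classes, and the exception flag stands in for throwError(). It shows why a null rep crashes in the unguarded toBoolean(), how the isValid() check turns that into a reported error, and why storing Null() instead of an invalid handle (as in the commit below) avoids the path entirely.

```cpp
// Minimal model of the KJS Value/ValueImp handle pair and ExecState,
// constructed for illustration; these are not the real KJS classes.
struct ExecState { bool exception = false; };

struct ValueImp {
    bool truth;
    explicit ValueImp(bool t) : truth(t) {}
    // The real dispatchToBoolean() reads through `this`; with rep == 0
    // that is the null read at value.cpp:165 in the backtrace.
    bool dispatchToBoolean(ExecState*) const { return truth; }
};

// A Value is a thin handle. A default-constructed one has rep == 0: the
// "invalid Object()" that the commit message replaces with Null().
struct Value {
    ValueImp* rep = nullptr;
    Value() = default;
    explicit Value(ValueImp* r) : rep(r) {}
    bool isValid() const { return rep != nullptr; }
    bool toBoolean(ExecState* exec) const { return rep->dispatchToBoolean(exec); }
};

Value Null() { static ValueImp nullImp(false); return Value(&nullImp); }
Value Boolean(bool b) { static ValueImp t(true), f(false); return Value(b ? &t : &f); }

// A node whose evaluate() may hand back an invalid handle, as
// `Trigger.onload` did for a listener stored in another frame.
struct Node {
    Value result;
    Value evaluate(ExecState*) const { return result; }
    // Unguarded form from the thread: dereferences a null rep when
    // evaluate() yields an invalid Value (the crash in the backtrace).
    bool toBooleanUnguarded(ExecState* exec) const {
        return evaluate(exec).toBoolean(exec);
    }

    // Guarded form following the proposed fix: record an exception on the
    // ExecState and return false instead of crashing.
    bool toBoolean(ExecState* exec) const {
        Value v = evaluate(exec);
        if (!v.isValid()) {
            exec->exception = true;   // stands in for throwError(exec, GeneralError, ...)
            return false;
        }
        return v.toBoolean(exec);
    }
};
// Run one if-condition the way IfNode::execute() would and report the outcome.
bool conditionResult(Value v) { ExecState e; Node n{v}; return n.toBoolean(&e); }
bool conditionRaised(Value v) { ExecState e; Node n{v}; n.toBoolean(&e); return e.exception; }
```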
ecma/kjs_events.h (clear): set listener object to Null(), not to an invalid Object(), which will crash when the listener is stored in another frame (#61467). Maybe it would be better to really remove the event listener in this case, but this is hard to do efficiently.

CCMAIL: 61467-done@bugs.kde.org

M +4 -0 ChangeLog 1.162.2.11
M +6 -14 ecma/kjs_events.cpp 1.80.2.1
M +6 -8 ecma/kjs_events.h 1.30.2.1