Bug 68523 - crashes on specific javascript
Summary: crashes on specific javascript
Status: RESOLVED FIXED
Alias: None
Product: konqueror
Classification: Applications
Component: khtml ecma
Version: unspecified
Platform: Debian testing Linux
Importance: NOR grave
Target Milestone: ---
Assignee: Konqueror Developers
Duplicates: 69247 71967 76234 79334 80107 81417 81487 81490 81664 82367 82556 82566 83211 83780 87441 87736 89040 91592 91816 93489 93590 93997 94059 95287 96206 96751 98094
 
Reported: 2003-11-18 20:18 UTC by Alexander Vodomerov
Modified: 2005-04-06 08:07 UTC (History)

Attachments
Bugfix: Make DOM::DocumentImpl::close() not delete the khtml::HTMLTokenizer object on close with scripts running from that HTML tokenizer object (1.60 KB, patch)
2005-01-15 03:46 UTC, Sarah
proposed patch (5.18 KB, patch)
2005-02-09 01:51 UTC, Germain Garand
proposed patch (7.27 KB, patch)
2005-02-15 03:54 UTC, Germain Garand

Description Alexander Vodomerov 2003-11-18 20:18:48 UTC
Version: (using KDE 3.1.4)
Installed from: Debian testing/unstable Packages
Compiler: gcc-3.3.2
OS: Linux

Konqueror crashes every time I try to open the following HTML page:

<html>
<body>
<iframe id='tst'></iframe>
<script>
doc=window.frames['tst'].document;
doc.write("<script src=1.js></sc"+"ript>");
</script>
</body>
</html>

with 1.js file in the same directory containing:

document.close();

I've put the same files on my home page for convenience: http://lorien.s2s.msu.ru/1.html
I'm using Debian unstable GNU/Linux distribution (package konqueror-3.1.3)
Comment 1 David Faure 2003-11-24 18:16:12 UTC
konqueror: htmltokenizer.cpp:158: void khtml::HTMLTokenizer::reset(): Assertion `m_executingScript == 0' failed.
Dirk?
Comment 2 Stephan Kulow 2003-11-29 00:42:36 UTC
*** Bug 69247 has been marked as a duplicate of this bug. ***
Comment 3 Tommi Tervo 2004-02-22 23:27:24 UTC
*** Bug 71967 has been marked as a duplicate of this bug. ***
Comment 4 Tommi Tervo 2004-02-27 08:48:30 UTC
*** Bug 76234 has been marked as a duplicate of this bug. ***
Comment 5 Tommi Tervo 2004-04-22 10:03:32 UTC
*** Bug 80107 has been marked as a duplicate of this bug. ***
Comment 6 Stephan Kulow 2004-05-12 16:06:51 UTC
*** Bug 81417 has been marked as a duplicate of this bug. ***
Comment 7 Tommi Tervo 2004-05-13 18:45:19 UTC
*** Bug 81490 has been marked as a duplicate of this bug. ***
Comment 8 Alexander Vodomerov 2004-05-13 19:36:06 UTC
I still can reproduce this bug on new KDE 3.2.2
I'm using Debian GNU/Linux distribution (unstable)
kdelibs, kdebase package version 3.2.2-2
gcc compiler version 3.3.3, kernel 2.6.6 on ix86 processor
Comment 9 Tommi Tervo 2004-05-16 09:29:19 UTC
*** Bug 81664 has been marked as a duplicate of this bug. ***
Comment 10 Tommi Tervo 2004-05-16 09:33:51 UTC
*** Bug 81487 has been marked as a duplicate of this bug. ***
Comment 11 Stephan Kulow 2004-05-28 13:42:21 UTC
*** Bug 82367 has been marked as a duplicate of this bug. ***
Comment 12 Tommi Tervo 2004-05-31 18:57:12 UTC
*** Bug 82566 has been marked as a duplicate of this bug. ***
Comment 13 Tommi Tervo 2004-05-31 19:14:44 UTC
*** Bug 79334 has been marked as a duplicate of this bug. ***
Comment 14 Waldo Bastian 2004-06-04 16:00:55 UTC
*** Bug 82556 has been marked as a duplicate of this bug. ***
Comment 15 agalakhov 2004-06-10 08:48:41 UTC
Exactly this bug occurs on hundreds of JavaScript-enabled sites (that's why it has so many duplicates). With JavaScript enabled, Konqueror crashes on every site that uses banners from adnet.ru (that is, on 30% of the Russian sites I visit) as well as on many other sites. That's a big pain if I have many tabs open in the browser. So it is quite critical, at least for me.

It is NOT Debian-specific. RedHat people found that as well.

This bug seems to have been introduced in KDE 3.1 and is still there in every subsequent release. Is there any developer working on it?
Comment 16 Stephan Kulow 2004-06-10 10:48:44 UTC
It's a bit harder to fix. I suggest echo "127.0.0.1 www.adnet.ru" >> /etc/hosts as a workaround.
Comment 17 agalakhov 2004-06-10 12:22:58 UTC
Stephan, thanks for the workaround.

Can you please explain what exactly is happening? I only have a backtrace. Probably you tried to fix it and can explain it better than the backtrace :).
I want to try to fix it but I don't want to reinvent the wheel.
Comment 18 Stephan Kulow 2004-06-10 12:35:25 UTC
see #1 - the HTML tokenizer doesn't like this 
Comment 19 Maksim Orlovich 2004-06-22 16:29:45 UTC
*** Bug 83780 has been marked as a duplicate of this bug. ***
Comment 20 Tommi Tervo 2004-06-28 20:26:22 UTC
*** Bug 83211 has been marked as a duplicate of this bug. ***
Comment 21 Tommi Tervo 2004-08-20 15:10:38 UTC
*** Bug 87441 has been marked as a duplicate of this bug. ***
Comment 22 Tommi Tervo 2004-08-25 12:57:34 UTC
*** Bug 87736 has been marked as a duplicate of this bug. ***
Comment 23 Dmitry Kolesnikov 2004-08-25 13:36:38 UTC
Anybody working on this bug? It's really annoying...
(Also affected Safari 1.2.2)
Comment 24 Tommi Tervo 2004-09-08 10:28:45 UTC
*** Bug 89040 has been marked as a duplicate of this bug. ***
Comment 25 Tommi Tervo 2004-10-19 09:07:11 UTC
*** Bug 91592 has been marked as a duplicate of this bug. ***
Comment 26 Tommi Tervo 2004-10-21 12:41:47 UTC
*** Bug 91816 has been marked as a duplicate of this bug. ***
Comment 27 Tommi Tervo 2004-11-18 08:59:33 UTC
*** Bug 93489 has been marked as a duplicate of this bug. ***
Comment 28 Tommi Tervo 2004-11-22 10:14:04 UTC
*** Bug 93590 has been marked as a duplicate of this bug. ***
Comment 29 Stephan Kulow 2004-11-29 11:04:52 UTC
*** Bug 93997 has been marked as a duplicate of this bug. ***
Comment 30 Tommi Tervo 2004-11-29 15:27:23 UTC
*** Bug 94059 has been marked as a duplicate of this bug. ***
Comment 31 Allan Sandfeld 2004-12-26 00:45:51 UTC
Boosting severity, this is the most reported crash in KHTML.

I had a few suggestions ping-ponged with Germain back in October. We'd better go back and find a solution.
Comment 32 Stephan Kulow 2005-01-13 14:15:31 UTC
*** Bug 96206 has been marked as a duplicate of this bug. ***
Comment 33 Sarah 2005-01-15 03:46:29 UTC
Created attachment 9101
Bugfix: Make DOM::DocumentImpl::close() not delete the khtml::HTMLTokenizer object on close with scripts running from that HTML tokenizer object

This patches KHTML so that it does not delete the khtml::HTMLTokenizer object it is
currently using when document.close() is called from within JavaScript on a web
page.

To fix the bug, I added another virtual method to khtml::Tokenizer - const bool
isRunningScriptFromTokenizer(). Its default implementation returns 'false',
since it appears that only the HTML tokenizer executes scripts during the
parsing of the page. The HTML tokenizer was extended with support for the
method, which returns true if the current execution context is within any
scripting context.

Konqueror doesn't crash at this instance of the code, so I'm going to assume
that this patch fixes the bug. I can't say for certain that it does because I
don't know all of the possible test cases.
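The mechanism described in the comment above, as an added C++ model written for this page (it is not KHTML's code; apart from m_executingScript and isRunningScriptFromTokenizer, every name is my own): a tokenizer that is executing a script must not be destroyed by a document.close() issued from that script, so close() is deferred until the script returns.

```cpp
#include <functional>
#include <memory>
// Constructed model of the objects in this report (names are mine, not khtml's):
// a tokenizer that runs inline scripts while parsing, and a document whose
// close() tears the tokenizer down.
struct Tokenizer {
    int executingScript = 0;   // plays the role of m_executingScript
    bool isRunningScriptFromTokenizer() const { return executingScript > 0; }
};
struct Document {
    std::unique_ptr<Tokenizer> tokenizer{new Tokenizer};
    unsigned generation = 0;   // bumped whenever a tokenizer is destroyed
    bool closeDeferred = false;
    // Pre-fix: close() destroys the tokenizer unconditionally, even when the
    // caller is a script that this very tokenizer is executing.
    void closeUnguarded() { tokenizer.reset(); ++generation; }
    // Shape of the fix in attachment 9101: a tokenizer still running a script
    // is left alone; the teardown is finished once the script returns.
    void closeGuarded() {
        if (tokenizer && tokenizer->isRunningScriptFromTokenizer()) {
            closeDeferred = true;
            return;
        }
        closeUnguarded();
    }
};

// Runs `script` for the document's tokenizer. Returns false when the tokenizer
// was destroyed underneath the script: that is where the real code tripped the
// m_executingScript assertion, and decrementing it now would write freed memory.
bool runScriptFromTokenizer(Document& doc,
                            const std::function<void(Document&)>& script) {
    Tokenizer* self = doc.tokenizer.get();
    const unsigned before = doc.generation;
    ++self->executingScript;
    script(doc);
    if (doc.generation != before) return false;   // *self is already gone
    --self->executingScript;
    if (doc.closeDeferred) { doc.closeDeferred = false; doc.closeUnguarded(); }
    return true;
}

// The reporter's case: a script run by the tokenizer calls document.close().
// True only if the script completed and the tokenizer was released afterwards.
bool scriptCallsClose(bool guarded) {
    Document doc;
    bool ok = runScriptFromTokenizer(doc, [guarded](Document& d) {
        guarded ? d.closeGuarded() : d.closeUnguarded();
    });
    return ok && !doc.tokenizer;
}
```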
Comment 34 Tommi Tervo 2005-01-17 14:11:19 UTC
*** Bug 95287 has been marked as a duplicate of this bug. ***
Comment 35 Gleb Litvjak 2005-01-17 17:07:47 UTC
The fix by Sarah really works! Thanks!
Comment 36 Thiago Macieira 2005-01-28 23:06:54 UTC
*** Bug 98094 has been marked as a duplicate of this bug. ***
Comment 37 Tommi Tervo 2005-01-31 13:45:42 UTC
*** Bug 96751 has been marked as a duplicate of this bug. ***
Comment 38 Gleb Litvjak 2005-02-04 22:11:24 UTC
Is the patch included in CVS? And, more important, will it be included in kde 3.4 final? I didn't have a single problem with konqueror since I patched the sources and recompiled.
Comment 39 Thiago Macieira 2005-02-05 02:14:17 UTC
No, the patch isn't in CVS yet.
Comment 40 Germain Garand 2005-02-05 12:22:12 UTC
I'm working on this. Patch #33 is a turnaround that was already proposed by Allan some time ago, but it's not the proper fix. We need something more generally solving crossframe scripting (responsible for other crashes on early popup closing).
Comment 41 Germain Garand 2005-02-09 01:51:27 UTC
Created attachment 9491
proposed patch

When a cross-frame script writes to a document, we have to toggle parsing on
again and reset the part's complete state.
We also need to have the tokenizer check itself regularly, to know when it is
finished (we can't rely on the script issuing a close()).
Comment 42 Germain Garand 2005-02-15 03:54:05 UTC
Created attachment 9639
proposed patch

Attachment #9491 is fine for scripts document.writing on closed documents, but
does not address cases where this happens before the tokenizer is deleted, such
as for onLoad-triggered scripts.
In that latter case, attachment #9101 still makes sense, so I attached a
version merging the two.

Regression tested; tested on every duplicate of this bug.

Please review. Unless there are objections, I'll commit this shortly.
Comment 43 Germain Garand 2005-02-16 23:16:37 UTC
CVS commit by ggarand: 

- sanitize part/tokenizer state (for cross-document scripts).

- don't delete a tokenizer still executing a script on explicit
  close (patch from Allan Sandfeld and Sarah <sarah@b0rked.dhs.org>)

BUG: 68523
+ crashes on early pop-up closing.


  M +18 -0     ChangeLog   1.382
  M +12 -0     khtml_part.cpp   1.1091
  M +1 -0      khtml_part.h   1.279
  M +26 -1     html/htmltokenizer.cpp   1.298
  M +8 -3      html/htmltokenizer.h   1.85
  M +6 -2      xml/dom_docimpl.cpp   1.308
  M +4 -0      xml/xml_tokenizer.h   1.26

Comment 44 Peter Volkov 2005-02-20 17:33:46 UTC
Thank you Germain.

I've just finished testing your patch...

This *WAS* my most hated bug!!!

Excellent work!!!

Gentoo users. You can take a patch from here: http://bugs.gentoo.org/show_bug.cgi?id=78058
Comment 45 Peter Volkov 2005-02-21 12:24:00 UTC
Hello again. Gentoo developers need this patch to be backported to 2.3.2. Please can anybody do this?

Or please tell us that the patch I posted at http://bugs.gentoo.org/show_bug.cgi?id=78058
does its work...

Thank you very much again,
Peter.
Comment 46 mi+kde 2005-02-21 17:29:41 UTC
I'm sure, projects other than Gentoo and FreeBSD will appreciate a back-ported patch too :-). 3.4 is far from release...
Comment 47 Germain Garand 2005-02-22 20:45:18 UTC
mmh, OK, I can go for a backport but that will take some time, I have to rebuild a branch and do some testing.
Comment 48 Rob Hughes 2005-04-05 15:11:54 UTC
Javascript is still crashing konq in 3.4. On the kde-redhat list, we have multiple confirmations on multiple releases. The only commonality is KDE 3.4. Try going to ebay with javascript enabled. I don't think it has anything to do with banners, though root cause may be the same.
Comment 49 Peter Volkov 2005-04-05 15:40:54 UTC
Strange. I do not have such a problem. Although I'm using Gentoo. And maybe I used the wrong link. Can you give me a direct link? I've tried www.ebay.com. And played a bit... No problems there.
Comment 50 Oleg 2005-04-05 23:19:40 UTC

Comment 51 Gleb Litvjak 2005-04-06 06:19:44 UTC
Well, updown.ru didn't crash my konqueror (although the design and colors are horrible, it's the worst pr0nsite I've seen). I'm running KDE 3.4 on Gentoo (compiled using gcc 3.4.3).
Comment 52 Peter Volkov 2005-04-06 06:43:09 UTC
I'm also using kde in gentoo. No crashes.
Comment 53 mi+kde 2005-04-06 08:07:32 UTC
In particular, try "Ask seller a question" on eBay. Find an item -- any item.
Click on "Ask seller a question" on the top right side of the item's page.

On the new page that opens, click into the TEXTAREA to start typing the question. Last I tried that, Konqueror ran out of stack space (the JavaScript code went into recursion) and died. A different bug from the one reported here.