Bug 71967 - crash on javascript pages
Summary: crash on javascript pages
Status: RESOLVED DUPLICATE of bug 68523
Alias: None
Product: konqueror
Classification: Applications
Component: khtml ecma
Version: unspecified
Platform: Debian testing Linux
Importance: NOR crash
Target Milestone: ---
Assignee: Konqueror Developers
URL:
Keywords:
Duplicates: 73343
Depends on:
Blocks:
 
Reported: 2004-01-06 11:50 UTC by agalakhov
Modified: 2004-05-12 09:01 UTC

See Also:
Latest Commit:
Version Fixed In:


Attachments
A simple example how to crash Konqueror with local files only. (986 bytes, application/x-tgz)
2004-02-03 07:16 UTC, agalakhov

Description agalakhov 2004-01-06 11:50:19 UTC
Version: (using KDE 3.1.4)
Installed from: Debian testing/unstable Packages
OS: Linux

Konqueror crashes on many JavaScript enabled pages. Problem seen at least in Debian/Unstable (at least three different builds), RedHat 9 and possibly others, at least on five different machines. Depending on the website, the problem may be or may be not always reproducible (looks like there is some JavaScript command sequence that does it). Turning off JavaScript (globally or on per-site basis) resolves the problem.

How to reproduce:
Make sure you have JavaScript enabled, then close Konqueror (just in case, also crashes without it), start it again and go to http://3mp3.ru/ru/ . Konqueror will crash almost immediately when the page just starts to display. On this page, the bug is 99% reproducible, so try again if you don't see the crash. It's better to try just after starting Konqueror, it crashes always in this case.
Comment 1 Jo Øiongen 2004-01-06 12:31:30 UTC
Backtrace running cvs head from 20040105.

no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...[New Thread 16384 (LWP 13098)]
0x410cfa28 in waitpid ()
   from /lib/libpthread.so.0
#0  0x410cfa28 in waitpid () from /lib/libpthread.so.0
#1  0x40801bcc in __JCR_LIST__ () from /usr/kde/cvs/lib/libkdecore.so.4
#2  0x410ce6d5 in __pthread_sighandler () from /lib/libpthread.so.0
#3  <signal handler called>
#4  0x40f37941 in typeinfo name for QObject () from /usr/qt/3/lib/libqt-mt.so.3
#5  0x40f5d3e8 in vtable for QObject () from /usr/qt/3/lib/libqt-mt.so.3
#6  0x421b3d03 in khtml::CachedScript::checkNotify() ()
   from /usr/kde/cvs/lib/libkhtml.so.4
#7  0x421b3c4f in khtml::CachedScript::data(QBuffer&, bool) ()
   from /usr/kde/cvs/lib/libkhtml.so.4
#8  0x421b7c82 in khtml::Loader::slotFinished(KIO::Job*) ()
   from /usr/kde/cvs/lib/libkhtml.so.4
#9  0x421ba09d in khtml::Loader::qt_invoke(int, QUObject*) ()
   from /usr/kde/cvs/lib/libkhtml.so.4
#10 0x40b1fbac in QObject::activate_signal(QConnectionList*, QUObject*) ()
   from /usr/qt/3/lib/libqt-mt.so.3
#11 0x4018be3a in KIO::Job::result(KIO::Job*) ()
   from /usr/kde/cvs/lib/libkio.so.4
#12 0x401776cc in KIO::Job::emitResult() () from /usr/kde/cvs/lib/libkio.so.4
#13 0x40178cde in KIO::SimpleJob::slotFinished() ()
   from /usr/kde/cvs/lib/libkio.so.4
#14 0x4017b9ef in KIO::TransferJob::slotFinished() ()
   from /usr/kde/cvs/lib/libkio.so.4
#15 0x4018d5fd in KIO::TransferJob::qt_invoke(int, QUObject*) ()
   from /usr/kde/cvs/lib/libkio.so.4
#16 0x40b1fbac in QObject::activate_signal(QConnectionList*, QUObject*) ()
   from /usr/qt/3/lib/libqt-mt.so.3
#17 0x40b1f9e4 in QObject::activate_signal(int) ()
   from /usr/qt/3/lib/libqt-mt.so.3
#18 0x4016b6fe in KIO::SlaveInterface::finished() ()
   from /usr/kde/cvs/lib/libkio.so.4
#19 0x4016a366 in KIO::SlaveInterface::dispatch(int, QMemArray<char> const&) ()
   from /usr/kde/cvs/lib/libkio.so.4
#20 0x40169919 in KIO::SlaveInterface::dispatch() ()
   from /usr/kde/cvs/lib/libkio.so.4
#21 0x401672fb in KIO::Slave::gotInput() () from /usr/kde/cvs/lib/libkio.so.4
#22 0x40168f38 in KIO::Slave::qt_invoke(int, QUObject*) ()
   from /usr/kde/cvs/lib/libkio.so.4
#23 0x40b1fbac in QObject::activate_signal(QConnectionList*, QUObject*) ()
   from /usr/qt/3/lib/libqt-mt.so.3
#24 0x40b1fd0d in QObject::activate_signal(int, int) ()
   from /usr/qt/3/lib/libqt-mt.so.3
#25 0x40e4f122 in QSocketNotifier::activated(int) ()
   from /usr/qt/3/lib/libqt-mt.so.3
#26 0x40b3bd90 in QSocketNotifier::event(QEvent*) ()
   from /usr/qt/3/lib/libqt-mt.so.3
#27 0x40ac499f in QApplication::internalNotify(QObject*, QEvent*) ()
   from /usr/qt/3/lib/libqt-mt.so.3
#28 0x40ac3d15 in QApplication::notify(QObject*, QEvent*) ()
   from /usr/qt/3/lib/libqt-mt.so.3
#29 0x406a7c5d in KApplication::notify(QObject*, QEvent*) ()
   from /usr/kde/cvs/lib/libkdecore.so.4
#30 0x40ab43aa in QEventLoop::activateSocketNotifiers() ()
   from /usr/qt/3/lib/libqt-mt.so.3
#31 0x40a702f1 in QEventLoop::processEvents(unsigned) ()
   from /usr/qt/3/lib/libqt-mt.so.3
#32 0x40ad69b8 in QEventLoop::enterLoop() () from /usr/qt/3/lib/libqt-mt.so.3
#33 0x40ad6868 in QEventLoop::exec() () from /usr/qt/3/lib/libqt-mt.so.3
#34 0x40ac4bf1 in QApplication::exec() () from /usr/qt/3/lib/libqt-mt.so.3
#35 0x41570c4c in kdemain () from /usr/kde/cvs/lib/libkdeinit_konqueror.so
#36 0x4083c8c6 in kdeinitmain () from /usr/kde/cvs/lib/kde3/konqueror.so
#37 0x0804d19c in strcpy ()
#38 0x0804f85b in strcpy ()
#39 0x0804e6aa in strcpy ()
#40 0x0804c500 in strcpy ()
#41 0x4122fcc4 in __libc_start_main () from /lib/libc.so.6

Cheers Jo
Comment 2 Stephan Kulow 2004-01-06 14:37:25 UTC
you really should compile with --enable-debug=full if you want to provide stack traces :)

#0  0x414f5b71 in kill () from /lib/i686/libc.so.6
#1  0x41375cf1 in pthread_kill () from /lib/i686/libpthread.so.0
#2  0x4137600b in raise () from /lib/i686/libpthread.so.0
#3  0x414f5904 in raise () from /lib/i686/libc.so.6
#4  0x414f6e8c in abort () from /lib/i686/libc.so.6
#5  0x414eee84 in __assert_fail () from /lib/i686/libc.so.6
#6  0x4318f372 in khtml::HTMLTokenizer::reset() (this=0x8855fa0)
    at /home/coolo/prod/kdelibs/khtml/html/htmltokenizer.cpp:158
#7  0x431943d1 in ~HTMLTokenizer (this=0x8855fa0) at /home/coolo/prod/kdelibs/khtml/html/htmltokenizer.cpp:1593
#8  0x43166dca in DOM::DocumentImpl::close() (this=0x886c2d8)
    at /home/coolo/prod/kdelibs/khtml/xml/dom_docimpl.cpp:1136
#9  0x4319d9bc in DOM::HTMLDocumentImpl::close() (this=0x886c2d8)
    at /home/coolo/prod/kdelibs/khtml/html/html_documentimpl.cpp:292
#10 0x432dddc6 in DOM::HTMLDocument::close() (this=0xbfffdab0)
    at /home/coolo/prod/kdelibs/khtml/dom/html_document.cpp:201
#11 0x4325db31 in KJS::HTMLDocFunction::tryCall(KJS::ExecState*, KJS::Object&, KJS::List const&) (
    this=0x8912c10, exec=0xbfffdf30, thisObj=@0xbfffdc10, args=@0xbfffdc60)
    at /home/coolo/prod/kdelibs/khtml/ecma/kjs_html.cpp:93
#12 0x432423aa in KJS::DOMFunction::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (this=0x8912c10,
    exec=0xbfffdf30, thisObj=@0xbfffdc10, args=@0xbfffdc60)
    at /home/coolo/prod/kdelibs/khtml/ecma/kjs_binding.cpp:109
#13 0x43409bc8 in KJS::Object::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (this=0xbfffdc40,
    exec=0xbfffdf30, thisObj=@0xbfffdc10, args=@0xbfffdc60) at /home/coolo/prod/kdelibs/kjs/object.cpp:70
#14 0x433d13bb in KJS::FunctionCallNode::evaluate(KJS::ExecState*) const (this=0x89cc828, exec=0xbfffdf30)
    at /home/coolo/prod/kdelibs/kjs/nodes.cpp:831
#15 0x433d6cc1 in KJS::ExprStatementNode::execute(KJS::ExecState*) (this=0x89cc840, exec=0xbfffdf30)
    at /home/coolo/prod/kdelibs/kjs/nodes.cpp:1916
#16 0x433dd37f in KJS::SourceElementsNode::execute(KJS::ExecState*) (this=0x89cc870, exec=0xbfffdf30)
    at /home/coolo/prod/kdelibs/kjs/nodes.cpp:3029
#17 0x433d6aeb in KJS::BlockNode::execute(KJS::ExecState*) (this=0x89cc8a8, exec=0xbfffdf30)
    at /home/coolo/prod/kdelibs/kjs/nodes.cpp:1878
#18 0x433d7100 in KJS::IfNode::execute(KJS::ExecState*) (this=0x89cc8d8, exec=0xbfffdf30)
    at /home/coolo/prod/kdelibs/kjs/nodes.cpp:1963
#19 0x433dd4ae in KJS::SourceElementsNode::execute(KJS::ExecState*) (this=0x8882410, exec=0xbfffdf30)
    at /home/coolo/prod/kdelibs/kjs/nodes.cpp:3035
#20 0x433d6aeb in KJS::BlockNode::execute(KJS::ExecState*) (this=0x89cc948, exec=0xbfffdf30)
    at /home/coolo/prod/kdelibs/kjs/nodes.cpp:1878
#21 0x433dc795 in KJS::FunctionBodyNode::execute(KJS::ExecState*) (this=0x89cc948, exec=0xbfffdf30)
    at /home/coolo/prod/kdelibs/kjs/nodes.cpp:2881
#22 0x433cb983 in KJS::InterpreterImp::evaluate(KJS::UString const&, KJS::Value const&) (this=0x8871ce8,
    code=@0xbfffe050, thisV=@0xbfffe070) at /home/coolo/prod/kdelibs/kjs/internal.cpp:896
#23 0x4340bd5e in KJS::Interpreter::evaluate(KJS::UString const&, KJS::Value const&) (this=0x8871cb0,
    code=@0xbfffe050, thisV=@0xbfffe070) at /home/coolo/prod/kdelibs/kjs/interpreter.cpp:166
#24 0x432a0877 in KJSProxyImpl::evaluate(QString, int, QString const&, DOM::Node const&, KJS::Completion*) (
    this=0x88549e0, filename=
      {static null = {static null = <same as static member of an already seen type>, d = 0x8077a78, static shared_null = 0x8077a78}, d = 0x8855048, static shared_null = 0x8077a78}, baseLine=1, str=@0xbfffe200, n=@0xbfffe1b0,
    completion=0xbfffe130) at /home/coolo/prod/kdelibs/khtml/ecma/kjs_proxy.cpp:148
#25 0x4312798e in KHTMLPart::executeScript(QString const&, int, DOM::Node const&, QString const&) (
    this=0x8858a38, filename=@0xbfffe1c0, baseLine=1, n=@0xbfffe1b0, script=@0xbfffe200)
    at /home/coolo/prod/kdelibs/khtml/khtml_part.cpp:963
#26 0x4319062d in khtml::HTMLTokenizer::scriptExecution(QString const&, QString const&, int) (this=0x8855fa0,
    str=@0xbfffe200, scriptURL=@0xbfffe210, baseLine=0)
    at /home/coolo/prod/kdelibs/khtml/html/htmltokenizer.cpp:437
#27 0x431946e9 in khtml::HTMLTokenizer::notifyFinished(khtml::CachedObject*) (this=0x8855fa0)
    at /home/coolo/prod/kdelibs/khtml/html/htmltokenizer.cpp:1635
#28 0x43237f4c in khtml::CachedScript::checkNotify() (this=0x85e50b0)
    at /home/coolo/prod/kdelibs/khtml/misc/loader.cpp:340
#29 0x43237ec3 in khtml::CachedScript::data(QBuffer&, bool) (this=0x85e50b0, buffer=@0x85e4e34, eof=true)
    at /home/coolo/prod/kdelibs/khtml/misc/loader.cpp:332
#30 0x4323b8e9 in khtml::Loader::slotFinished(KIO::Job*) (this=0x84fd668, job=0x8891938)
    at /home/coolo/prod/kdelibs/khtml/misc/loader.cpp:1149
#31 0x4323e0a0 in khtml::Loader::qt_invoke(int, QUObject*) (this=0x84fd668, _id=2, _o=0xbfffe440)
    at loader.moc:260
#32 0x40c37a15 in QObject::activate_signal(QConnectionList*, QUObject*) (this=0x8891938, clist=0x8891710,
    o=0xbfffe440) at kernel/qobject.cpp:2333
#33 0x401dbc8c in KIO::CopyJob::qt_emit(int, QUObject*) (this=0x8891938, _id=143202616, _o=0xbfffe550)
    at jobclasses.moc:1775
#34 0x401ca375 in MimetypeJob (this=0x8891938, url=@0xbfffe540, command=-1073748656, packedArgs=@0x401cb7f0,
    showProgressInfo=64) at /home/coolo/prod/kdelibs/kio/kio/job.cpp:1247
#35 0x401cba8b in KIO::FileCopyJob::slotCanResume(KIO::Job*, unsigned long long) (this=0x8891938,
    job=0xb3800000, offset=0) at /home/coolo/prod/kdelibs/kio/kio/job.cpp:1536
#36 0x401cd7fc in KIO::CopyJob::slotResultStating(KIO::Job*) (this=0x8891938, job=0x887c0c8)
    at /home/coolo/prod/kdelibs/kio/kio/job.cpp:1907
#37 0x401dd9f4 in QValueList<int>::operator=(QValueList<int> const&) (this=0x8891938, l=@0x11)
    at qvaluelist.h:445
#38 0x40c37a15 in QObject::activate_signal(QConnectionList*, QUObject*) (this=0x84516c8, clist=0x83b6ee0,
    o=0xbfffe700) at kernel/qobject.cpp:2333
#39 0x40c378b4 in QObject::activate_signal(int) (this=0x84516c8, signal=6) at kernel/qobject.cpp:2302
#40 0x401bca8d in Scheduler (this=0x84516c8, __vtt_parm=0xbfffe860)
    at /home/coolo/prod/kdelibs/kio/kio/scheduler.cpp:132
#41 0x401bb1cb in ~AuthDataList (this=0x84516c8) at /home/coolo/prod/kdelibs/kio/kio/sessiondata.cpp:94
#42 0x401bae34 in KIO::SessionData::staticMetaObject() () at sessiondata.moc:53
#43 0x401b8941 in KIO::SlaveInterface::speed(unsigned long) (this=0x84516c8, t0=138463056)
    at slaveinterface.moc:358
#44 0x401ba36d in operator<< (s=@0x84516c8, a=@0x4) at slaveinterface.h:267
#45 0x40c37a15 in QObject::activate_signal(QConnectionList*, QUObject*) (this=0x860e418, clist=0x845cbb0,
    o=0xbfffea00) at kernel/qobject.cpp:2333
#46 0x40c37d87 in QObject::activate_signal(int, int) (this=0x860e418, signal=2, param=21)
    at kernel/qobject.cpp:2426
#47 0x40f79ae5 in QSocketNotifier::activated(int) (this=0x860e418, t0=21)
    at .moc/debug-shared-mt/moc_qsocketnotifier.cpp:85
#48 0x40c576f0 in QSocketNotifier::event(QEvent*) (this=0x860e418, e=0xbfffec70)
    at kernel/qsocketnotifier.cpp:271
#49 0x40bd4c5f in QApplication::internalNotify(QObject*, QEvent*) (this=0xbfffefa0, receiver=0x860e418,
    e=0xbfffec70) at kernel/qapplication.cpp:2582
#50 0x40bd411c in QApplication::notify(QObject*, QEvent*) (this=0xbfffefa0, receiver=0x860e418, e=0xbfffec70)
    at kernel/qapplication.cpp:2305
#51 0x40743f79 in KApplication::notify(QObject*, QEvent*) (this=0xbfffefa0, receiver=0x860e418, event=0xbfffec70)
    at /home/coolo/prod/kdelibs/kdecore/kapplication.cpp:497
#52 0x4004e00f in ~PartActivateEvent (this=0x860e418) at /home/coolo/prod/kdelibs/kparts/partmanager.cpp:412
#53 0x40bc2e74 in QEventLoop::activateSocketNotifiers() (this=0x812d070) at kernel/qeventloop_unix.cpp:579
#54 0x40b7d157 in QEventLoop::processEvents(unsigned) (this=0x812d070, flags=4) at kernel/qeventloop_x11.cpp:340
#55 0x40bea72e in QEventLoop::enterLoop() (this=0x812d070) at kernel/qeventloop.cpp:198
#56 0x40bea64a in QEventLoop::exec() (this=0x812d070) at kernel/qeventloop.cpp:145
#57 0x40bd4ddf in QApplication::exec() (this=0xbfffefa0) at kernel/qapplication.cpp:2705
#58 0x417404cf in kdemain (argc=4, argv=0x808c288) at /home/coolo/prod/kdebase/konqueror/konq_main.cc:184
#59 0x0804e326 in launch (argc=4, _name=0x8089954 "konqueror", args=0x808999c "/home/coolo",
    cwd=0x808999c "/home/coolo", envc=78, envs=0x808a342 "", reset_env=true, tty=0x0, avoid_loops=false,
    startup_id_str=0x808a346 "othello;1073393399;472353;2588") at /home/coolo/prod/kdelibs/kinit/kinit.cpp:604
#60 0x0804f637 in handle_launcher_request (sock=4) at /home/coolo/prod/kdelibs/kinit/kinit.cpp:1167
#61 0x0804fbcb in handle_requests (waitForPid=0) at /home/coolo/prod/kdelibs/kinit/kinit.cpp:1334
#62 0x08051150 in main (argc=3, argv=0xbffff5a4, envp=0xbffff5b4)
    at /home/coolo/prod/kdelibs/kinit/kinit.cpp:1797
Comment 3 Waldo Bastian 2004-01-22 22:25:33 UTC
Can't reproduce. (Did the website change? Can someone else still reproduce?)
Comment 4 agalakhov 2004-01-23 07:24:43 UTC
The bug is still here (Konqueror 3.1.5, Debian/Unstable). Yes, the website changed. Another way to reproduce (the same bug?):
Go to http://www.e1.ru (sorry, in Russian)
Click the 5th item from the left in the site's menu (Russian "Gorspravka" = "City information"). A drop-down list will appear.
Click the 1st item in the list (Russian "Karta goroda" = "City map"). Now you crashed it.
Probability is about 80%.
Comment 5 Stephan Kulow 2004-01-23 10:12:36 UTC
I can't reproduce either bug today ;(

agalakhov - can you check what stacktrace you got with the other page?
Spaciba ;)
Comment 6 Stephan Kulow 2004-01-23 19:14:27 UTC
*** Bug 73343 has been marked as a duplicate of this bug. ***
Comment 7 Stephan Kulow 2004-01-23 19:15:28 UTC
I can not reproduce the crash on sharereactor.ru either
Comment 8 Alexander Patrakov 2004-01-30 17:31:50 UTC
I propose to split this bug into two bugs. The reason is that I cannot reproduce a bug on 3mp3.ru without Macromedia Flash plugin installed. Two other crashes (e1.ru and sharereactor.ru) are reproducible here with Konqueror 3.1.4 compiled from sources.
Comment 9 Alexander Patrakov 2004-02-02 16:53:26 UTC
The crash on http://www.e1.ru/resource/citymap/ is caused by the 640x60 banners. Now I am trying to cut as much as possible from the saved copy of the page to prepare the minimal testcase.
Comment 10 Alexander Patrakov 2004-02-02 17:41:03 UTC
Below is the stripped-down version of the page that causes the crash. Warning: it still depends on external sources (www.adnet.ru).

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<meta http-equiv name="Content-Type" value="text/html; charset=cp1251">
<title>
E1.RU
</title>

</head>

<body>


<script>
var adnet_login = "e1";
var adnet_options = "";
var adnet_random = 54321; // was random
var i = 0;
// Writes the banner loader script into the iframe's document and, until that
// script sets document.adnet_loaded_<id>, retries every 5 seconds via a timer.
function getbanner(id){
if(!eval('document.adnet_loaded_'+id)){
  if(document.all&&!window.opera){
    doc=window.frames['adnet'+id].document;
  }else{
    if(window.opera){while(!document.getElementById("adnet"+id).contentDocument){};};
    doc=document.getElementById("adnet"+id).contentDocument;
  };
  doc.open();
  doc.write("<sc"+"ript src=http://www"+eval('document.adnet_mirror_'+id)+".adnet.ru/cgi-bin/iframe/"+adnet_login+"?"+id+"&options=F"+adnet_options+"'></sc"+"ript>");
  eval('document.adnet_mirror_'+id+'++'); setTimeout('getbanner('+id+')',5000);
}}
document.write("<span><iframe id='adnet"+adnet_random+"' width=468 height=60 marginwidth=0 marginheight=0 scrolling=no frameborder=0></iframe></span>");
eval('document.adnet_mirror_'+adnet_random+'=""');getbanner(adnet_random);
</script>

</body>
</html>
Comment 11 agalakhov 2004-02-03 07:16:23 UTC
Created attachment 4497 [details]
A simple example how to crash Konqueror with local files only.

I simplified the scripts from adnet.ru and e1.ru so that they do not require
any external sources anymore. They still work .. uh, ... crash fine. The crash
happens on the page with JS that writes another JS (using the timer).
Comment 12 agalakhov 2004-02-03 07:19:42 UTC
Alexander told me in a private call that the bug is still reproducible in CVS. Sorry, I decided to reopen it.
Comment 13 Tommi Tervo 2004-02-22 23:21:40 UTC
Valgrind output. 3_2_BRANCH: http://www.e1.ru/resource/citymap/
konqueror: htmltokenizer.cpp:158: void khtml::HTMLTokenizer::reset (): Assertion `m_executingScript == 0' failed.
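The assertion above fires because document.close(), called from a script that is still executing (frames #6-#11 in the backtrace in comment 2), destroys the HTMLTokenizer that is running that script. As an added illustration, not KHTML's code or its actual fix, the following hypothetical C++ model shows one defensive pattern for such reentrancy: count nested script execution and defer the teardown until the outermost script returns.

```cpp
// Added illustration, not KHTML code: a tokenizer that counts nested script
// execution (the m_executingScript of the assertion) and defers teardown
// instead of resetting while a script is still on the stack.
#include <cassert>
#include <functional>

class Tokenizer {
public:
    // Execute a script body; the body receives the tokenizer so it can call
    // closeDocument() re-entrantly, as document.close() does from KJS.
    void runScript(const std::function<void(Tokenizer&)>& script) {
        ++m_executingScript;
        script(*this);
        --m_executingScript;
        if (m_executingScript == 0 && m_closePending) {  // outermost script done
            m_closePending = false;
            reset();
        }
    }
    // document.close(): true if the tokenizer was reset at once, false if the
    // reset was deferred because a script is executing.
    bool closeDocument() {
        if (m_executingScript > 0) {
            // Calling reset() here is the crash path in the backtrace:
            // DocumentImpl::close() -> ~HTMLTokenizer() -> reset().
            m_closePending = true;
            return false;
        }
        reset();
        return true;
    }
    int resets() const { return m_resets; }
    bool pending() const { return m_closePending; }
private:
    void reset() {
        assert(m_executingScript == 0);  // the assertion quoted in comment 13
        ++m_resets;
    }
    int m_executingScript = 0;
    bool m_closePending = false;
    int m_resets = 0;
};

// Shape of the page's test case: a script (here two levels deep, like a script
// that writes another script, as in comment 11) calls document.close() on the
// document that owns it. Returns the reset count, which must be exactly one.
int closeFromNestedScript() {
    Tokenizer t;
    bool immediate = true;
    t.runScript([&](Tokenizer& outer) {
        outer.runScript([&](Tokenizer& inner) { immediate = inner.closeDocument(); });
        assert(outer.pending());  // outer script still live, so close stays deferred
    });
    return immediate ? -1 : t.resets();
}
```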
Comment 14 Tommi Tervo 2004-02-22 23:27:13 UTC

*** This bug has been marked as a duplicate of 68523 ***
Comment 15 Grzegorz Jaskiewicz 2004-05-11 14:33:35 UTC
works fine for me
Comment 16 agalakhov 2004-05-12 09:01:14 UTC
As of KDE 3.2.2 (Debian/testing), still does NOT work for me