Bug 76020 - Konqueror crash when scrolling html page with PgDn key
Summary: Konqueror crash when scrolling html page with PgDn key
Status: RESOLVED WORKSFORME
Alias: None
Product: konqueror
Classification: Applications
Component: khtml
Version: unspecified
Platform: Compiled Sources Linux
Priority: NOR
Severity: crash
Target Milestone: ---
Assignee: Leo Savernik
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-02-24 14:57 UTC by Andreas Leuner
Modified: 2004-09-13 13:26 UTC

See Also:
Latest Commit:
Version Fixed In:


Description Andreas Leuner 2004-02-24 14:57:24 UTC
Version:            (using KDE Devel)
Installed from:    Compiled sources

Hi,

I was just reading http://www.freedesktop.org/standards/menu-spec/menu-spec-0.8.html and wanted to scroll using the page up/down keys when konqueror crashed. The caret mode seemed to be activated somehow.
This is the backtrace (slightly hand-edited):
-----------------------------------------------
[New Thread 1024 (LWP 19611)]
[KCrash handler]
#6  0x447be0df in seekLeafInlineBox (box=0x83d58b4) at khtml_caret.cpp:125
#7  0x447b9e7b in InlineBoxIterator (this=0xbfffe350, lit=@0x8400d1c, 
    fromEnd=false, initBox=0x0) at khtml_caret.cpp:164
#8  0x447c2502 in EditableInlineBoxIterator (this=0xbfffe350, lit=@0xbfffe400, 
    fromEnd=false, initBox=0x0) at khtml_caret_p.h:406
#9  0x447c4209 in khtml::EditableLineIterator::isEditable(khtml::LineIterator&)
    (this=0xbfffe400, it=@0x0) at khtml_caret_p.h:598
#10 0x447c25d1 in khtml::EditableLineIterator::operator++() (this=0xbfffe400)
    at khtml_caret_p.h:527
#11 0x447bb552 in khtml::ErgonomicEditableLineIterator::operator++() (
    this=0xbfffe400) at khtml_caret.cpp:1390
#12 0x447bf467 in moveIteratorByPage (ld=@0xbfffe4a0, it=@0xbfffe490, 
    mindist=133, next=true) at khtml_caret.cpp:1596
#13 0x447bdc78 in KHTMLView::moveCaretByPage(bool) (this=0x825ead0, next=true)
    at $srcdir/kdelibs/khtml/khtmlview.cpp:3116
#14 0x447bde47 in KHTMLView::moveCaretNextPage() (this=0x0)
    at $srcdir/kdelibs/khtml/khtmlview.cpp:3151
#15 0x447bcb4a in KHTMLView::caretKeyPressEvent(QKeyEvent*) (this=0x825ead0, 
    _ke=0xbfffeb00) at $srcdir/kdelibs/khtml/khtmlview.cpp:2758
#16 0x447b4b62 in KHTMLView::keyPressEvent(QKeyEvent*) (this=0x825ead0, 
    _ke=0xbfffeb00) at $srcdir/kdelibs/khtml/khtmlview.cpp:1020
#17 0x40c257b8 in QWidget::event(QEvent*) ()
   from /usr/lib/qt3/lib/libqt-mt.so.3
#18 0x40b966cf in QApplication::internalNotify(QObject*, QEvent*) ()
   from /usr/lib/qt3/lib/libqt-mt.so.3
#19 0x40b961fc in QApplication::notify(QObject*, QEvent*) ()
   from /usr/lib/qt3/lib/libqt-mt.so.3
#20 0x4074308e in KApplication::notify(QObject*, QEvent*) (this=0xbffff180, 
    receiver=0x825ead0, event=0xbfffeb00)
    at $srcdir/kdelibs/kdecore/kapplication.cpp:506
#21 0x40b2947f in QETWidget::translateKeyEvent(_XEvent const*, bool) ()
   from /usr/lib/qt3/lib/libqt-mt.so.3
#22 0x40b25587 in QApplication::x11ProcessEvent(_XEvent*) ()
   from /usr/lib/qt3/lib/libqt-mt.so.3
#23 0x40b3e456 in QEventLoop::processEvents(unsigned) ()
   from /usr/lib/qt3/lib/libqt-mt.so.3
#24 0x40ba9e78 in QEventLoop::enterLoop() ()
   from /usr/lib/qt3/lib/libqt-mt.so.3
#25 0x40ba9d28 in QEventLoop::exec() () from /usr/lib/qt3/lib/libqt-mt.so.3
#26 0x40b96901 in QApplication::exec() () from /usr/lib/qt3/lib/libqt-mt.so.3
#27 0x41749927 in kdemain (argc=0, argv=0x0)
    at $srcdir/kdebase/konqueror/konq_main.cc:184
#28 0x408c8966 in kdeinitmain (argc=0, argv=0x0) at konqueror_dummy.cc:2
#29 0x0804e0a7 in launch (argc=2, _name=0x805f064 "konqueror", 
    args=0x805f077 "\001", cwd=0x0, envc=1, envs=0x805f088 "", 
    reset_env=false, tty=0x0, avoid_loops=false, startup_id_str=0x0)
    at $srcdir/kdelibs/kinit/kinit.cpp:604
#30 0x0805048a in handle_launcher_request (sock=8)
    at $srcdir/kdelibs/kinit/kinit.cpp:1167
#31 0x0804f277 in handle_requests (waitForPid=0)
    at $srcdir/kdelibs/kinit/kinit.cpp:1360
#32 0x0804d525 in main (argc=3, argv=0xbffff884, envp=0x0)
    at $srcdir/kdelibs/kinit/kinit.cpp:1797
-----------------------------------------------

Hope this helps
Comment 1 Andreas Leuner 2004-02-24 15:02:26 UTC
I run KDE CVS-HEAD of 2004-02-12.
BTW I could almost immediately reproduce this crash at that web page. Just go there, hit F7 and then PgUp/PgDn several times.
Comment 2 Andreas Leuner 2004-02-24 22:26:58 UTC
==14588== Memcheck, a memory error detector for x86-linux.
==14588== Copyright (C) 2002-2003, and GNU GPL'd, by Julian Seward.
==14588== Using valgrind-2.1.0, a program supervision framework for x86-linux.
==14588== Copyright (C) 2000-2003, and GNU GPL'd, by Julian Seward.
==14588== 
==14588== My PID = 14588, parent PID = 14434.  Prog and args are:
==14588==    konqueror
==14588== Estimated CPU clock rate is 648 MHz
==14588== For more details, rerun with: -v
==14588== 
==14588== Conditional jump or move depends on uninitialised value(s)
==14588==    at 0x40ADCD92: kDebugBackend(unsigned short, unsigned, char const*) (kdebug.cpp:257)
==14588==    by 0x40ADB4F0: kdbgstream::flush() (kdebug.cpp:335)
==14588==    by 0x402909C9: kdbgstream::operator<<(char const*) (kdebug.h:224)
==14588==    by 0x40290A8B: endl(kdbgstream&) (kdebug.h:406)
==14588== 
==14588== Conditional jump or move depends on uninitialised value(s)
==14588==    at 0x40ADCD98: kDebugBackend(unsigned short, unsigned, char const*) (kdebug.cpp:257)
==14588==    by 0x40ADB4F0: kdbgstream::flush() (kdebug.cpp:335)
==14588==    by 0x402909C9: kdbgstream::operator<<(char const*) (kdebug.h:224)
==14588==    by 0x40290A8B: endl(kdbgstream&) (kdebug.h:406)
==14588== 

... the crash starts here:

==14588== Invalid read of size 4
==14588==    at 0x4E0C10DF: khtml::seekLeafInlineBox(khtml::InlineBox*) (khtml_caret.cpp:125)
==14588==    by 0x4E0BCE7A: khtml::InlineBoxIterator::InlineBoxIterator(khtml::LineIterator&, bool, khtml::InlineBox*) (khtml_caret.cpp:164)
==14588==    by 0x4E0C5501: khtml::EditableInlineBoxIterator::EditableInlineBoxIterator(khtml::LineIterator&, bool, khtml::InlineBox*) (khtml_caret_p.h:406)
==14588==    by 0x4E0C7208: khtml::EditableLineIterator::isEditable(khtml::LineIterator&) (khtml_caret_p.h:598)
==14588==  Address 0xC is not stack'd, malloc'd or free'd
==14588== Warning: invalid file descriptor 821 in syscall close()
==14588==    Use --logfile-fd=<number> to select an alternative logfile fd.
==14588== Warning: invalid file descriptor 822 in syscall close()
==14588== Warning: invalid file descriptor 823 in syscall close()
==14588== Warning: invalid file descriptor 824 in syscall close()

... and so on, up to ...

==14588== Warning: invalid file descriptor 1023 in syscall close()
==14588== 
==14588== ERROR SUMMARY: 61 errors from 3 contexts (suppressed: 472 from 11)
==14588== malloc/free: in use at exit: 3347200 bytes in 79161 blocks.
==14588== malloc/free: 397368 allocs, 318208 frees, 17894967 bytes allocated.
==14588== For counts of detected errors, rerun with: -v
==14588== searching for pointers to 79161 not-freed blocks.
==14588== checked 77202976 bytes.
==14588== 
==14588== 
==14588== 0 bytes in 1 blocks are definitely lost in loss record 1 of 1582
==14588==    at 0x4002AC16: malloc (vg_replace_malloc.c:160)
==14588==    by 0x40EDB6FA: QRegion::clipRectangles(int&) const (in /usr/lib/qt-x11-free-3.2.1/lib/libqt-mt.so.3.2.1)
==14588==    by 0x40ED33A4: QPainter::setClipping(bool) (in /usr/lib/qt-x11-free-3.2.1/lib/libqt-mt.so.3.2.1)
==14588==    by 0x40ED35F4: QPainter::setClipRegion(QRegion const&, QPainter::CoordinateMode) (in /usr/lib/qt-x11-free-3.2.1/lib/libqt-mt.so.3.2.1)
==14588== 
==14588== 
==14588== 0 bytes in 19 blocks are definitely lost in loss record 2 of 1582
==14588==    at 0x4002B13E: operator new[](unsigned) (vg_replace_malloc.c:168)
==14588==    by 0x4123320D: internalLatin1ToUnicode(char const*, unsigned*, unsigned) (in /usr/lib/qt-x11-free-3.2.1/lib/libqt-mt.so.3.2.1)
==14588==    by 0x412316B9: QString::fromLatin1(char const*, int) (in /usr/lib/qt-x11-free-3.2.1/lib/libqt-mt.so.3.2.1)
==14588==    by 0x412519DB: QLatin15Codec::toUnicode(char const*, int) const (in /usr/lib/qt-x11-free-3.2.1/lib/libqt-mt.so.3.2.1)
==14588== 
==14588== 
==14588== 4 bytes in 1 blocks are definitely lost in loss record 143 of 1582
==14588==    at 0x4002B6AD: calloc (vg_replace_malloc.c:201)
==14588==    by 0x41831AB0: XF86DRIGetClientDriverName (in /usr/X11R6/lib/libGL.so.1.2)
==14588==    by 0x455B4DD7: __driUtilCreateScreen (in /usr/X11R6/lib/modules/dri/mga_dri.so)
==14588==    by 0x456F8414: __driCreateScreen (in /usr/X11R6/lib/modules/dri/mga_dri.so)
==14588== 
==14588== 
==14588== 12 bytes in 1 blocks are definitely lost in loss record 199 of 1582
==14588==    at 0x4002AE26: operator new(unsigned) (vg_replace_malloc.c:162)
==14588==    by 0x4E0D2BAC: KHTMLPart::setUserStyleSheet(KURL const&) (khtml_part.cpp:2162)
==14588==    by 0x4E0D08E2: KHTMLPart::begin(KURL const&, int, int) (khtml_part.cpp:1674)
==14588==    by 0x4E0CEB3F: KHTMLPart::slotData(KIO::Job*, QMemArray<char> const&) (khtml_part.cpp:1322)
==14588== 
==14588== 
==14588== 16 bytes in 1 blocks are definitely lost in loss record 326 of 1582
==14588==    at 0x4002AC16: malloc (vg_replace_malloc.c:160)
==14588==    by 0x4002B76E: realloc (vg_replace_malloc.c:219)
==14588==    by 0x4168809B: __argz_append (in /lib/libc.so.6)
==14588==    by 0x41633D85: __newlocale (in /lib/libc.so.6)
==14588== 
==14588== 
==14588== 76 bytes in 1 blocks are possibly lost in loss record 909 of 1582
==14588==    at 0x4002B13E: operator new[](unsigned) (vg_replace_malloc.c:168)
==14588==    by 0x40F262FA: QDragManager::QDragManager() (in /usr/lib/qt-x11-free-3.2.1/lib/libqt-mt.so.3.2.1)
==14588==    by 0x40F26640: QDragObject::QDragObject(QWidget*, char const*) (in /usr/lib/qt-x11-free-3.2.1/lib/libqt-mt.so.3.2.1)
==14588==    by 0x40F26F5C: QTextDrag::QTextDrag(QString const&, QWidget*, char const*) (in /usr/lib/qt-x11-free-3.2.1/lib/libqt-mt.so.3.2.1)
==14588== 
==14588== 
==14588== 168 bytes in 2 blocks are possibly lost in loss record 1098 of 1582
==14588==    at 0x4002AE26: operator new(unsigned) (vg_replace_malloc.c:162)
==14588==    by 0x4E12F8FE: khtml::KHTMLParser::getElement(khtml::Token*) (htmlparser.cpp:760)
==14588==    by 0x4E12DF86: khtml::KHTMLParser::parseToken(khtml::Token*) (htmlparser.cpp:243)
==14588==    by 0x4E134BCD: khtml::HTMLTokenizer::processToken() (htmltokenizer.cpp:1577)
==14588== 
==14588== 
==14588== 216 bytes in 1 blocks are definitely lost in loss record 1164 of 1582
==14588==    at 0x4002AC16: malloc (vg_replace_malloc.c:160)
==14588==    by 0x4B054CC5: _XimOpenIM (in /usr/X11R6/lib/X11/locale/lib/common/ximcp.so.2)
==14588==    by 0x4148739D: _XDynamicOpenIM (in /usr/X11R6/lib/libX11.so.6.2)
==14588==    by 0x4B05448A: _XimRegisterIMInstantiateCallback (in /usr/X11R6/lib/X11/locale/lib/common/ximcp.so.2)
==14588== 
==14588== 
==14588== 2048 bytes in 1 blocks are definitely lost in loss record 1434 of 1582
==14588==    at 0x4002AC16: malloc (vg_replace_malloc.c:160)
==14588==    by 0x455B5F60: drmMalloc (in /usr/X11R6/lib/modules/dri/mga_dri.so)
==14588==    by 0x455B65B0: drmMapBufs (in /usr/X11R6/lib/modules/dri/mga_dri.so)
==14588==    by 0x456F869A: mgaInitDriver (in /usr/X11R6/lib/modules/dri/mga_dri.so)
==14588== 
==14588== LEAK SUMMARY:
==14588==    definitely lost: 2296 bytes in 25 blocks.
==14588==    possibly lost:   244 bytes in 3 blocks.
==14588==    still reachable: 3344460 bytes in 79132 blocks.
==14588==         suppressed: 200 bytes in 1 blocks.
==14588== Reachable blocks (those to which a pointer was found) are not shown.
==14588== To see them, rerun with: --show-reachable=yes
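To make the Valgrind line "Invalid read of size 4 ... Address 0xC is not stack'd, malloc'd or free'd" concrete, here is an added illustration (not khtml code; the Box struct, member names and functions are hypothetical) of how a read through a null box pointer surfaces as a fault at address 0 + member offset, and of the null guard that turns that crash into a clean nullptr result when the iterator is handed no initial box (initBox=0x0 in the backtrace).

```cpp
#include <cstddef>

// Hypothetical, minimal stand-in for an inline-box tree node. It is NOT khtml's
// InlineBox; the member order is chosen so that on a 32-bit build the first
// member the walker touches sits at offset 12 (0xC), like the address in the
// Valgrind report above.
struct Box {
    Box *parent;
    Box *nextSibling;
    Box *prevSibling;
    Box *firstChild;   // non-null only for container (flow) boxes
    int  width;
};

// Offset of the member an unguarded walk would read through a null pointer.
// Valgrind prints null + offset as the fault address because that is the
// address the CPU actually tried to read; "not stack'd, malloc'd or free'd"
// means it belongs to no known allocation, the usual signature of a null deref.
std::size_t nullReadOffset() {
    return offsetof(Box, firstChild);
}

// Descend to the left-most leaf. The `box &&` guard is the difference between
// the crash and a nullptr result when the walk starts from no box at all.
Box *seekLeafInlineBoxSafe(Box *box) {
    while (box && box->firstChild)
        box = box->firstChild;
    return box;
}

// Link `child` as the last child of `parent`; returns the child for chaining.
Box *appendChild(Box *parent, Box *child) {
    child->parent = parent;
    child->nextSibling = nullptr;
    child->prevSibling = nullptr;
    if (!parent->firstChild) {
        parent->firstChild = child;
        return child;
    }
    Box *last = parent->firstChild;
    while (last->nextSibling) last = last->nextSibling;
    last->nextSibling = child;
    child->prevSibling = last;
    return child;
}

// Build a constructed three-level tree (root -> flow -> text leaf) and return
// the width of the leaf the safe walker finds; -1 if it finds nothing.
int demoLeafWidth() {
    Box root{}, flow{}, leaf{};
    leaf.width = 42;
    appendChild(&root, &flow);
    appendChild(&flow, &leaf);
    Box *found = seekLeafInlineBoxSafe(&root);
    return found ? found->width : -1;
}
```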
Comment 3 Stephan Kulow 2004-02-25 10:51:27 UTC
It doesn't crash without caret mode for me.
Comment 4 Andreas Leuner 2004-02-25 14:08:01 UTC
Yes without caret mode there's no crash. That would be the workaround. The first time I saw the crash I had turned on the caret mode only by mistake (so that's no big annoyance for me). In the other cases I tried to trigger the crash :-)
This works reliably, although you'll have to scroll down quite a bit - till the large table in appendix A, or even further.
Comment 5 Leo Savernik 2004-02-25 14:16:45 UTC
Whatever it is, I cannot reproduce it.
I loaded this bug report on KDE 3.2 branch, activated caret mode, clicked the link, and while the page was loading, pressed PgDn until eod, then PgUp until top. No crash.
Which compiler do you use?
Comment 6 Andreas Leuner 2004-02-25 14:26:52 UTC
gcc-3.3.1, binutils-2.14; KDE C(XX)FLAGS="-O3 -march=athlon -mcpu=athlon -mmmx -m3dnow"
>and while the page was loading, 
That's not necessary. I start trying when page loading has finished.
Comment 7 Andreas Leuner 2004-02-25 14:35:38 UTC
ehh, I forgot "--enable-fast-malloc=full --enable-debug=full" in the C(XX)FLAGS
Comment 8 Leo Savernik 2004-02-25 14:46:14 UTC
I additionally tried with DEBUG_CARETMODE 3 and DEBUG_CARETMODE 0 (for if it makes a difference whether debug msgs are printed), but no crash whatsoever.
I also valground it, no access violations either.

It may be a compiler optimization problem. I'm using gcc-2.95.2 with -O2 --enable-debug.

You probably can't test on gcc-2.95, but you could try to recompile khtml on gcc 3.3 with -O2, and check if the crash prevails.

Coolo, can you reproduce the crash, too?
Comment 9 Stephan Kulow 2004-02-25 15:11:20 UTC
On Wednesday 25 February 2004 14:46, Leo Savernik wrote:
> Coolo, can you reproduce the crash, too?
Yes, F7 and pgdown till ~70 of the document -> bang

#0  0x42121a14 in seekLeafInlineBox (box=0x89696b0) at khtml_caret.cpp:125
#1  0x4211b231 in InlineBoxIterator (this=0xbfffe1d0, lit=@0xbfffe280, fromEnd=false, initBox=0x0)
    at khtml_caret.cpp:164
#2  0x42124814 in EditableInlineBoxIterator (this=0xbfffe1d0, lit=@0xbfffe280, fromEnd=false,
    initBox=0x0) at khtml_caret_p.h:406
#3  0x421263ad in khtml::EditableLineIterator::isEditable(khtml::LineIterator&) (this=0xbfffe280,
    it=@0xbfffe280) at khtml_caret_p.h:610
#4  0x42124903 in khtml::EditableLineIterator::operator++() (this=0xbfffe280) at khtml_caret_p.h:539
#5  0x4211e124 in khtml::ErgonomicEditableLineIterator::operator++() (this=0xbfffe280)
    at khtml_caret.cpp:1390

Greetings, Stephan

Comment 10 Leo Savernik 2004-02-25 16:34:50 UTC
Hmm, I tried again starting konqueror with the page in question specified as a command line parameter, then in testkhtml.

*Whatever I do, it works!* This is a really stupid situation when it crashes for everyone except for the maintainer :-(
Comment 11 Andreas Leuner 2004-02-25 17:08:53 UTC
OK, I recompiled kdelibs/khtml with -O2 (still with --enable-fast-malloc=full). I have also tried to shrink that document. I removed everything except the document headline and appendices B and C. The crash still happened.
Comment 12 Leo Savernik 2004-02-25 21:50:09 UTC
Well, so there's definitely a bug somewhere, but without reproduction I cannot fix it.

It's not that big a problem, as caret mode is by default deactivated and it hasn't been advertised for KDE 3.2 (I knew why).

As a last resort, I can delete the caret action from the 3.2 branch.
Comment 13 Andreas Leuner 2004-09-13 13:26:43 UTC
>Well, so there's definitely a bug somewhere
No longer, as it seems. I tested recent (2004-09-03) CVS against (my local copy of) Desktop Menu Specification Version 0.8(Konqi crash edition). 
There was no crash anymore.

Thanks.

BTW the cursor tends to get stuck in tables when scrolling upwards.