*** Bug 78350 has been marked as a duplicate of this bug. ***

*** Bug 80903 has been marked as a duplicate of this bug. ***

Created attachment 6065 [details]
Testcase from 80903

To reproduce with testcase, you'll have to open it twice.

[New Thread 1024 (LWP 29514)]
0x420b48d9 in wait4 () from /lib/i686/libc.so.6
#0  0x420b48d9 in wait4 () from /lib/i686/libc.so.6
#1  0x4213030c in __DTOR_END__ () from /lib/i686/libc.so.6
#2  0x411bdc33 in waitpid () from /lib/i686/libpthread.so.0
#3  0x40733908 in KCrash::defaultCrashHandler (sig=6) at kcrash.cpp:246
#4  0x411bbf05 in pthread_sighandler () from /lib/i686/libpthread.so.0
#5  <signal handler called>
#6  0x42029331 in kill () from /lib/i686/libc.so.6
#7  0x411bbbdb in raise () from /lib/i686/libpthread.so.0
#8  0x4202a8c2 in abort () from /lib/i686/libc.so.6
#9  0x42022ecb in __assert_fail () from /lib/i686/libc.so.6
#10 0x416f776e in DOM::NodeImpl::attach (this=0x841feb8)
    at dom_nodeimpl.cpp:887
#11 0x416f8de3 in DOM::NodeBaseImpl::attach (this=0x841feb8)
    at dom_nodeimpl.cpp:1430
#12 0x41728ad7 in DOM::HTMLImageElementImpl::attach (this=0x841feb8)
    at html_imageimpl.cpp:184
#13 0x41712cb9 in khtml::KHTMLParser::insertNode (this=0x855ca80, n=0x841feb8, 
    flat=true) at htmlparser.cpp:329
#14 0x41712b1a in khtml::KHTMLParser::parseToken (this=0x855ca80, t=0x8558d1c)
    at htmlparser.cpp:279
#15 0x4171b7e1 in khtml::HTMLTokenizer::processToken (this=0x8558ce8)
    at htmltokenizer.cpp:1577
#16 0x41719e9a in khtml::HTMLTokenizer::parseTag (this=0x8558ce8, 
    src=@0x8558dfc) at htmltokenizer.cpp:1090
#17 0x4171aa03 in khtml::HTMLTokenizer::write (this=0x8558ce8, 
    str=@0xbfffe0c0, appendData=true) at htmltokenizer.cpp:1345
#18 0x416ae5e8 in KHTMLPart::write (this=0x84d6748, 
    str=0x85386d0 "<html> \n <body > \n   <table style=\"display: block;\"> \n 
    <tr> \n	 <td><img src=\"image.png\"></td> \n	  </tr> \n   </table>
\n </body> \n </html> \n", len=150) at khtml_part.cpp:1728
#19 0x416ad04c in KHTMLPart::slotData (this=0x84d6748, kio_job=0x84e4ff0, 
    data=@0xbfffe7b0) at khtml_part.cpp:1416
#20 0x416c657e in KHTMLPart::qt_invoke (this=0x84d6748, _id=16, _o=0xbfffe4e0)
    at khtml_part.moc:470
#21 0x40b8742b in QObject::activate_signal (this=0x84e4ff0, clist=0x84fe108, 
    o=0xbfffe4e0) at kernel/qobject.cpp:2356
#22 0x401b3fca in KIO::StatJob::permanentRedirection (this=0x84e4ff0, 
    t0=0x84e4ff0, t1=@0xbfffe7b0, t2=@0x401a3370) at jobclasses.moc:536
#23 0x401a33c9 in KIO::stat (url=@0x84e4ff0, sideIsSource=176, details=16410, 
    showProgressInfo=85) at job.cpp:752
#24 0x401b474c in KIO::TransferJob::redirection (this=0x84e4ff0, t0=0x12, 
    t1=@0xbfffe600) at jobclasses.moc:750
#25 0x40b8742b in QObject::activate_signal (this=0x8406ea8, clist=0x8528530, 
    o=0xbfffe600) at kernel/qobject.cpp:2356
#26 0x4019883e in KIO::SlaveInterface::messageBox (this=0x8406ea8, 
    type=-1073748048, text=@0x1, _caption=@0x40196dbf, buttonYes=@0x40814ac8, 
    buttonNo=@0x18) at slaveinterface.cpp:515
#27 0x40196fe6 in KIO::SlaveInterface::calcSpeed (this=0x8406ea8)
    at slaveinterface.cpp:220
#28 0x40196ada in operator>> (s=@0x8406ea8, e=@0x4100d7e8)
    at slaveinterface.cpp:81
#29 0x40194a1c in KIO::Slave::hold (this=0x8406ea8, url=@0x4100d7e8)
    at slave.cpp:238
#30 0x40196513 in KIO::Slave::holdSlave (protocol=@0x8406ea8, url=@0x4)
    at slave.cpp:484
#31 0x40b8742b in QObject::activate_signal (this=0x829fd30, clist=0x833f160, 
    o=0xbfffe8e0) at kernel/qobject.cpp:2356
#32 0x40b877e2 in QObject::activate_signal (this=0x829fd30, signal=2, param=23)
    at kernel/qobject.cpp:2449
#33 0x40ecc074 in QSocketNotifier::activated (this=0x829fd30, t0=23)
    at .moc/debug-shared-mt/moc_qsocketnotifier.cpp:85
#34 0x40ba56a6 in QSocketNotifier::event (this=0x829fd30, e=0xbfffeb30)
    at kernel/qsocketnotifier.cpp:280
#35 0x40b28442 in QApplication::internalNotify (this=0xbffff090, 
    receiver=0x829fd30, e=0xbfffeb30) at kernel/qapplication.cpp:2620
#36 0x40b27572 in QApplication::notify (this=0xbffff090, receiver=0x829fd30, 
    e=0xbfffeb30) at kernel/qapplication.cpp:2343
#37 0x406c8faa in KApplication::notify (this=0xbffff090, receiver=0x829fd30, 
    event=0xbfffeb30) at kapplication.cpp:507
#38 0x4005386a in QApplication::sendEvent (receiver=0x829fd30, 
    event=0xbfffeb30) at /opt/qt331post/include/qapplication.h:491
#39 0x40b17a27 in QEventLoop::activateSocketNotifiers (this=0x80a62c0)
    at kernel/qeventloop_unix.cpp:580
#40 0x40ad196b in QEventLoop::processEvents (this=0x80a62c0, flags=4)
    at kernel/qeventloop_x11.cpp:383
#41 0x40b3af91 in QEventLoop::enterLoop (this=0x80a62c0)
    at kernel/qeventloop.cpp:198
#42 0x40b3aeb4 in QEventLoop::exec (this=0x80a62c0)
    at kernel/qeventloop.cpp:145
#43 0x40b285db in QApplication::exec (this=0xbffff090)
    at kernel/qapplication.cpp:2743
#44 0x41322b12 in kdemain (argc=2, argv=0x8061a88) at konq_main.cc:184
#45 0x408558a1 in kdeinitmain (argc=2, argv=0x8061a88) at konqueror_dummy.cc:2
#46 0x0804e1dc in launch (argc=2, _name=0x8060344 "konqueror", 
    args=0x8060357 "\001", cwd=0x0, envc=1, envs=0x8060368 "", 
    reset_env=false, tty=0x0, avoid_loops=false, 
    startup_id_str=0x806036c
"v10-dhcp-76-190.ntc.nokia.com;1085078432;391442;5698") at kinit.cpp:604
#47 0x0804f5e1 in handle_launcher_request (sock=8) at kinit.cpp:1170
#48 0x0804fd2d in handle_requests (waitForPid=0) at kinit.cpp:1361
#49 0x08051318 in main (argc=3, argv=0xbffff744, envp=0xbffff754)
    at kinit.cpp:1798
#50 0x42017589 in __libc_start_main () from /lib/i686/libc.so.6

Ok, running konqueror in a console show me

konqueror: dom_nodeimpl.cpp:910: virtual void DOM::NodeImpl::attach(): Assertion `!attached()' failed.

Here is the place where it crash  (we are at #10):

void NodeImpl::attach()
{
    assert(!attached());
    assert(!m_render || (m_render->style() && m_render->parent()));
    [...]


But, on the other hand, by browsing the backtrace up (#12):

void HTMLImageElementImpl::attach()
{
    assert(!attached());
    assert(!m_render);
    assert(parentNode());
    RenderStyle* _style = getDocument()->styleSelector()->styleForElement(this);
    _style->ref();
    if (parentNode()->renderer() && parentNode()->renderer()->childAllowed() &&   _style->display() != NONE)
    {
        m_render = new (getDocument()->renderArena()) RenderImage(this);
        m_render->setStyle(getDocument()->styleSelector()->styleForElement(this));
        parentNode()->renderer()->addChild(m_render, nextRenderer());
        m_render->updateFromElement();
    }
    _style->deref();
    NodeBaseImpl::attach();
}

So it seems that attached() switched from false to true between theses two points (because the first assert didn't match).

I added some debug ouput, and it seems that
        m_render->updateFromElement();
call itself the parent node to be attached. And in NodeBaseImpl::attach() the original <img> is attached "again"


I wonder also why the crash only happen if you refresh the test case twice.
the first time
	m_render->updateFromElement();
does not seems to attach anything.

Anyway, it's late, and i don't understand well khtml structure.  I hope this help.

It seems to be fixed,  I cannot reproduce it anymore with the testcase in KDE 3.3
Great job!

CVS commit by coolo: 

works fine
CCMAIL: 78205-done@bugs.kde.org


  A            78205.html   1.1

*** Bug 88217 has been marked as a duplicate of this bug. ***

Euhm.. i'm using KDE 3.3, and my original bug still crashes for me.. So it doesn't seem like it's a duplicate of this bug....

*** Bug 88235 has been marked as a duplicate of this bug. ***

*** Bug 88472 has been marked as a duplicate of this bug. ***

*** Bug 88701 has been marked as a duplicate of this bug. ***

Konqueror 3.3 on gentoo linux, clicking on the second link and following the directions provided by Bart Verwilst, it goes on SIGABRT with this debug info:

Using host libthread_db library "/lib/libthread_db.so.1".
[Thread debugging using libthread_db enabled]
[New Thread 16384 (LWP 18107)]
0x414b6818 in waitpid () from /lib/libpthread.so.0
#0  0x414b6818 in waitpid () from /lib/libpthread.so.0
#1  0x40a5e624 in ?? () from /usr/kde/3.3/lib/libkdecore.so.4
#2  0x4095fe01 in KCrash::defaultCrashHandler ()
   from /usr/kde/3.3/lib/libkdecore.so.4
#3  0x000046bb in ?? ()
#4  0x00000000 in ?? ()
#5  0x08847c80 in ?? ()
#6  0x41da35cb in DOM::HTMLElementImpl::recalcStyle ()
   from /usr/kde/3.3/lib/libkhtml.so.4
#7  0x086c7e90 in ?? ()
#8  0x00000000 in ?? ()
#9  0x40a6c700 in kde_malloc_is_used () from /usr/kde/3.3/lib/libkdecore.so.4
#10 0x4107e7ee in qt_check_pointer () from /usr/qt/3/lib/libqt-mt.so.3

Portage 2.0.51_rc6 (default-x86-2004.0, gcc-3.4.2, glibc-2.3.4.20040808-r0, 2.6.9-rc1-nitro4 i686)
=================================================================
System uname: 2.6.9-rc1-nitro4 i686 AMD Athlon(tm) XP 2000+
Gentoo Base System version 1.5.3
Autoconf: sys-devel/autoconf-2.59-r4
Automake: sys-devel/automake-1.8.5-r1
Binutils: sys-devel/binutils-2.15.90.0.1.1-r3
Headers:  sys-kernel/linux26-headers-2.6.8.1
Libtools: sys-devel/libtool-1.5.2-r5
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CFLAGS="-march=athlon-xp -O2 -fomit-frame-pointer -falign-functions=64 -falign-jumps=16 -pipe -ftracer -fprefetch-loop-arrays"
CHOST="i686-pc-linux-gnu"
COMPILER=""
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3/share/config /usr/lib/mozilla/defaults/pref /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=athlon-xp -O2 -fomit-frame-pointer -falign-functions=64 -falign-jumps=16 -pipe -ftracer -fprefetch-loop-arrays -fvisibility-inlines-hidden "



here are some system specs: 

same problem on page www.runescape.com. 

Gavrila: Second link crash is dupe of bug #88778. Cannot reproduce www.runescape.com crash. 

Tommi, first time i went to runescape.com it worked fine, then I clicked on create account button, and sinc then, everytime I go there the page loads the banner on left-top corner, and when it tries (I guess) to render the page it crashes with the same debugging output I posted above

Anyway it's not a dupe of bug #88778, since I cannot reproduce it. Please reopen the bug.

With KDE 3.3.1 (selfcompiled/Debian Sarge) Konqueror crashes with the Ikea link.
And with the link of comment #15 it also crashes. 

For me Konqueror 3.3.1 also crashs on ikea.de's product search site. The debug output is:

Using host libthread_db library "/lib/libthread_db.so.1".
[KCrash handler]
#34 0xb6a531b1 in kill () from /lib/libc.so.6
#35 0xb6c5c9c1 in pthread_kill () from /lib/libpthread.so.0
#36 0xb6c5cccb in raise () from /lib/libpthread.so.0
#37 0xb6a52df4 in raise () from /lib/libc.so.6
#38 0xb6a545a8 in abort () from /lib/libc.so.6
#39 0xb6a4c56c in __assert_fail () from /lib/libc.so.6
#40 0xb6b52ee0 in _IO_2_1_stdout_ () from /lib/libc.so.6
#41 0xbffffc7b in ?? ()
#42 0xb6b4bfe6 in in6addr_loopback () from /lib/libc.so.6
#43 0xb6624cbe in typeinfo name for KStaticDeleter<QPtrList<DOM::DocumentImpl> > () from /opt/kde/lib/libkhtml.so.4
#44 0x00000348 in ?? ()
#45 0xb6624c80 in typeinfo name for KStaticDeleter<QPtrList<DOM::DocumentImpl> > () from /opt/kde/lib/libkhtml.so.4
#46 0xb6b4bfe6 in in6addr_loopback () from /lib/libc.so.6
#47 0xb66241db in typeinfo name for KHTMLInfoDlg ()
   from /opt/kde/lib/libkhtml.so.4
#48 0xb6b560a0 in __after_morecore_hook () from /lib/libc.so.6
#49 0xbfffde08 in ?? ()
#50 0x0876d960 in ?? ()
#51 0xb669f4ac in ?? () from /opt/kde/lib/libkhtml.so.4
#52 0x0876cbe0 in ?? ()
#53 0xbfffde18 in ?? ()
#54 0xb648c27f in KStaticDeleter<QPtrList<DOM::DocumentImpl> >::~KStaticDeleter () from /opt/kde/lib/libkhtml.so.4

works for me on gentoo linux kde 3.3.1 gcc-3.4.2 glibc-2.3.4 with nptl  and kernel 2.9.6-rc4-mm1 and sun-jdk-1.4.2

KDE 3.3.89 (CVS >= 20040820), Gentoo Linux (i686) release 2.6.8-gentoo-r3
gcc version 3.3.4 20040623 (Gentoo Linux 3.3.4-r1, ssp-3.3.2-2, pie-8.7.6)

eehh dohh ... worx for me, can't get the thing down :)
> KDE 3.3.89 (CVS >= 20040820), Gentoo Linux (i686) release 2.6.8-gentoo-r3
> gcc version 3.3.4 20040623 (Gentoo Linux 3.3.4-r1, ssp-3.3.2-2, pie-8.7.6)

so isn't it fixed?

No, konqueror from cvs head crashes still.

I recompiled kdelibs and kdebase with --enable-debug=full. Here is the backtrace. Hope that helps. 

Using host libthread_db library "/lib/tls/libthread_db.so.1".
[Thread debugging using libthread_db enabled]
[New Thread 1097846688 (LWP 27396)]
[KCrash handler]
#3  0x414c1f19 in raise () from /lib/tls/libc.so.6
#4  0x415cfebc in ?? () from /lib/tls/libc.so.6
#5  0xbffff020 in ?? ()
#6  0x414c3771 in abort () from /lib/tls/libc.so.6
#7  0x00000000 in ?? ()
#8  0x00000020 in ?? ()
#9  0x00000000 in ?? ()
#10 0x00000000 in ?? ()
#11 0x00000000 in ?? ()
#12 0x00000000 in ?? ()
#13 0x00000000 in ?? ()
#14 0x00000000 in ?? ()
#15 0x00000000 in ?? ()
#16 0x00000000 in ?? ()
#17 0x00000000 in ?? ()
#18 0x00000000 in ?? ()
#19 0x00000000 in ?? ()
#20 0x00000000 in ?? ()
#21 0x00000000 in ?? ()
#22 0x00000000 in ?? ()
#23 0x00000000 in ?? ()
#24 0x00000000 in ?? ()
#25 0x00000000 in ?? ()
#26 0x00000000 in ?? ()
#27 0x00000000 in ?? ()
#28 0x00000000 in ?? ()
#29 0x00000000 in ?? ()
#30 0x00000000 in ?? ()
#31 0x00000000 in ?? ()
#32 0x00000000 in ?? ()
#33 0x00000000 in ?? ()
#34 0x00000000 in ?? ()
#35 0x00000000 in ?? ()
#36 0x00000000 in ?? ()
#37 0x00000000 in ?? ()
#38 0x00000000 in ?? ()
#39 0x00000000 in ?? ()
#40 0x415073e9 in _IO_file_write () from /lib/tls/libc.so.6
#41 0x4150660f in _IO_do_write () from /lib/tls/libc.so.6
#42 0x41507567 in _IO_file_xsputn () from /lib/tls/libc.so.6
#43 0x415cfebc in ?? () from /lib/tls/libc.so.6
#44 0x415d0840 in __after_morecore_hook () from /lib/tls/libc.so.6
#45 0x08850070 in ?? ()
#46 0xbfffeb48 in ?? ()
#47 0x4150c2a0 in free () from /lib/tls/libc.so.6
#48 0x415d0840 in __after_morecore_hook () from /lib/tls/libc.so.6
#49 0x08850070 in ?? ()
#50 0x415cfebc in ?? () from /lib/tls/libc.so.6
#51 0x415cfebc in ?? () from /lib/tls/libc.so.6
#52 0x08850070 in ?? ()
#53 0x414bb473 in __assert_fail () from /lib/tls/libc.so.6
#54 0xbffffdb4 in ?? ()
#55 0x415c1bd4 in in6addr_loopback () from /lib/tls/libc.so.6
#56 0x41e9d22e in DOM::NodeImpl::dispatchUIEvent(int, int)::__PRETTY_FUNCTION__ () from /opt/kde/lib/libkhtml.so.4
#57 0x00000348 in ?? ()
#58 0x41e9d340 in DOM::NodeImpl::closeRenderer()::__PRETTY_FUNCTION__ ()
   from /opt/kde/lib/libkhtml.so.4
#59 0x415c1bd4 in in6addr_loopback () from /lib/tls/libc.so.6
#60 0x41e9d365 in DOM::NodeImpl::attach()::__PRETTY_FUNCTION__ ()
   from /opt/kde/lib/libkhtml.so.4
#61 0x08850070 in ?? ()
#62 0x41f192f4 in __JCR_LIST__ () from /opt/kde/lib/libkhtml.so.4
#63 0x00000000 in ?? ()
#64 0x41cedf91 in DOM::NodeImpl::attach (this=0x0) at dom_nodeimpl.cpp:840

*** Bug 92735 has been marked as a duplicate of this bug. ***

*** Bug 88778 has been marked as a duplicate of this bug. ***

*** Bug 93415 has been marked as a duplicate of this bug. ***

Backtrace with HEAD:

#0  0x4177b6b1 in kill () from /lib/libc.so.6
#1  0x4153a771 in pthread_kill () from /lib/libpthread.so.0
#2  0x4153aa7b in raise () from /lib/libpthread.so.0
#3  0x4177b444 in raise () from /lib/libc.so.6
#4  0x4177c978 in abort () from /lib/libc.so.6
#5  0x41774b3f in __assert_fail () from /lib/libc.so.6
#6  0x41ecd099 in DOM::NodeImpl::attach (this=0x8624ec8) at dom_nodeimpl.cpp:843
#7  0x41ece4c1 in DOM::NodeBaseImpl::attach (this=0x8624ec8) at dom_nodeimpl.cpp:1333
#8  0x41eff981 in DOM::HTMLImageElementImpl::attach (this=0x8624ec8) at html_imageimpl.cpp:184
#9  0x41ee64d6 in khtml::KHTMLParser::insertNode (this=0x8296210, n=0x8624ec8, flat=true)
    at htmlparser.cpp:328
#10 0x41ee6359 in khtml::KHTMLParser::parseToken (this=0x8296210, t=0x831fcf4) at htmlparser.cpp:278
#11 0x41eeed57 in khtml::HTMLTokenizer::processToken (this=0x831fcc0) at htmltokenizer.cpp:1612
#12 0x41eed75f in khtml::HTMLTokenizer::parseTag (this=0x831fcc0, src=@0x831fdd4) at htmltokenizer.cpp:1125
#13 0x41eee13d in khtml::HTMLTokenizer::write (this=0x831fcc0, str=@0xbfffc940, appendData=false)
    at htmltokenizer.cpp:1380
#14 0x41eef390 in khtml::HTMLTokenizer::notifyFinished (this=0x831fcc0) at htmltokenizer.cpp:1681
#15 0x41fa9cb9 in khtml::CachedScript::checkNotify (this=0x830eac0) at loader.cpp:328
#16 0x41fa9c3d in khtml::CachedScript::data (this=0x830eac0, buffer=@0x830ebd4, eof=true) at loader.cpp:320
#17 0x41fad6e2 in khtml::Loader::slotFinished (this=0x82853f0, job=0x857b4e0) at loader.cpp:1100
#18 0x41faf417 in khtml::Loader::qt_invoke (this=0x82853f0, _id=2, _o=0xbfffcb80) at loader.moc:260
#19 0x40eeba21 in QObject::activate_signal (this=0x857b4e0, clist=0x8325d98, o=0xbfffcb80)
    at kernel/qobject.cpp:2357
#20 0x403c8b11 in KIO::Job::result (this=0x857b4e0, t0=0x857b4e0) at jobclasses.moc:156
#21 0x403b4342 in KIO::Job::emitResult (this=0x857b4e0) at job.cpp:216
#22 0x403b592c in KIO::SimpleJob::slotFinished (this=0x857b4e0) at job.cpp:533
#23 0x403b7c75 in KIO::TransferJob::slotFinished (this=0x857b4e0) at job.cpp:893
#24 0x403cb2a6 in KIO::TransferJob::qt_invoke (this=0x857b4e0, _id=17, _o=0xbfffce50) at jobclasses.moc:1050
#25 0x40eeba21 in QObject::activate_signal (this=0x8366528, clist=0x82eee28, o=0xbfffce50)
    at kernel/qobject.cpp:2357
#26 0x40eeb8c1 in QObject::activate_signal (this=0x8366528, signal=6) at kernel/qobject.cpp:2326
#27 0x403a7129 in KIO::SlaveInterface::finished (this=0x8366528) at slaveinterface.moc:226
#28 0x403a57d8 in KIO::SlaveInterface::dispatch (this=0x8366528, _cmd=104, rawdata=@0xbfffd020)
---Type <return> to continue, or q <return> to quit---
    at slaveinterface.cpp:237
#29 0x403a547a in KIO::SlaveInterface::dispatch (this=0x8366528) at slaveinterface.cpp:173
#30 0x403a2f9b in KIO::Slave::gotInput (this=0x8366528) at slave.cpp:300
#31 0x403a497f in KIO::Slave::qt_invoke (this=0x8366528, _id=4, _o=0xbfffd150) at slave.moc:113
#32 0x40eeba21 in QObject::activate_signal (this=0x835f4e8, clist=0x82f7180, o=0xbfffd150)
    at kernel/qobject.cpp:2357
#33 0x40eebd74 in QObject::activate_signal (this=0x835f4e8, signal=2, param=25) at kernel/qobject.cpp:2450
#34 0x4124dbed in QSocketNotifier::activated (this=0x835f4e8, t0=25)
    at .moc/debug-shared-mt/moc_qsocketnotifier.cpp:85
#35 0x40f0bcf3 in QSocketNotifier::event (this=0x835f4e8, e=0xbfffd400) at kernel/qsocketnotifier.cpp:280
#36 0x40e885f1 in QApplication::internalNotify (this=0xbfffd7f0, receiver=0x835f4e8, e=0xbfffd400)
    at kernel/qapplication.cpp:2635
#37 0x40e87b29 in QApplication::notify (this=0xbfffd7f0, receiver=0x835f4e8, e=0xbfffd400)
    at kernel/qapplication.cpp:2358
#38 0x409bd5ef in KApplication::notify (this=0xbfffd7f0, receiver=0x835f4e8, event=0xbfffd400)
    at kapplication.cpp:516
#39 0x4008ada2 in QApplication::sendEvent (receiver=0x835f4e8, event=0xbfffd400) at qapplication.h:491
#40 0x40e76e0d in QEventLoop::activateSocketNotifiers (this=0x809d728) at kernel/qeventloop_unix.cpp:580
#41 0x40e2f7eb in QEventLoop::processEvents (this=0x809d728, flags=4) at kernel/qeventloop_x11.cpp:383
#42 0x40e9cbd1 in QEventLoop::enterLoop (this=0x809d728) at kernel/qeventloop.cpp:198
#43 0x40e9caea in QEventLoop::exec (this=0x809d728) at kernel/qeventloop.cpp:145
#44 0x40e8875d in QApplication::exec (this=0xbfffd7f0) at kernel/qapplication.cpp:2758
#45 0x400758d7 in kdemain (argc=1, argv=0xbfffd944) at konq_main.cc:204
#46 0x080486b6 in main (argc=1, argv=0xbfffd944) at konqueror.la.cc:2

I can't make Konq crash. My system:

Qt: 3.3.3
KDE: 3.3.1
Konqueror: 3.3.1
gcc (GCC) 3.3.4 20040623 (Gentoo Linux 3.3.4-r1, ssp-3.3.2-2, pie-8.7.6)

The above URL's work here too..

Qt: 3.3.3
KDE: 3.3.1

Fedora Core 3, ( kde-redhat apt repo )

I could only get it to crash using the second method, i.e. going to:
 http://www.ikea.de/webapp/wcs/stores/servlet/CategoryDisplay?catalogId=10101&storeId=5&categoryId=10411&langId=-3&parentCats=10104*10173*10411&chapterId=10437&cattype=sub 
     
and clicking on "IVAR Seitenteil 6,00". 

*** Bug 94642 has been marked as a duplicate of this bug. ***

*** Bug 95043 has been marked as a duplicate of this bug. ***

*** Bug 94960 has been marked as a duplicate of this bug. ***

*** Bug 83272 has been marked as a duplicate of this bug. ***

Using konqueror 3.3.91 compiled from CVS Head. I just got a konqueror crash which to me resembles this bug. I provide my backtrace  and the konsole output, showing the web I was visiting:

Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
[Thread debugging using libthread_db enabled]
[New Thread -1220036800 (LWP 9462)]
[KCrash handler]
#4  0xffffe410 in __kernel_vsyscall ()
#5  0x4f94d805 in raise () from /lib/tls/i686/cmov/libc.so.6
#6  0x4f94ef82 in abort () from /lib/tls/i686/cmov/libc.so.6
#7  0x4f9472a8 in __assert_fail () from /lib/tls/i686/cmov/libc.so.6
#8  0xb6dbf25e in DOM::NodeImpl::attach ()
   from /home/pleira/big/build/lib/libkhtml.so.4
#9  0xb6dc010a in DOM::NodeBaseImpl::attach ()
   from /home/pleira/big/build/lib/libkhtml.so.4
#10 0xb6df0cb5 in DOM::HTMLImageElementImpl::attach ()
   from /home/pleira/big/build/lib/libkhtml.so.4
#11 0xb6dbf9cf in DOM::NodeBaseImpl::insertBefore ()
   from /home/pleira/big/build/lib/libkhtml.so.4
#12 0xb6f43d72 in DOM::Node::insertBefore ()
   from /home/pleira/big/build/lib/libkhtml.so.4
#13 0xb6eafe1a in KJS::DOMNodeProtoFunc::tryCall ()
   from /home/pleira/big/build/lib/libkhtml.so.4
#14 0xb6eaa30e in KJS::DOMFunction::call ()
   from /home/pleira/big/build/lib/libkhtml.so.4
#15 0xb6c76e7e in KJS::Object::call ()
   from /home/pleira/big/build/lib/libkjs.so.1
#16 0xb6c40f43 in KJS::FunctionCallNode::evaluate ()
   from /home/pleira/big/build/lib/libkjs.so.1
#17 0xb6c4541a in KJS::ExprStatementNode::execute ()
   from /home/pleira/big/build/lib/libkjs.so.1
#18 0xb6c45755 in KJS::IfNode::execute ()
   from /home/pleira/big/build/lib/libkjs.so.1
#19 0xb6c4bbbc in KJS::SourceElementsNode::execute ()
   from /home/pleira/big/build/lib/libkjs.so.1
#20 0xb6c4523d in KJS::BlockNode::execute ()
   from /home/pleira/big/build/lib/libkjs.so.1
#21 0xb6c4b073 in KJS::FunctionBodyNode::execute ()
   from /home/pleira/big/build/lib/libkjs.so.1
#22 0xb6c71ecc in KJS::DeclaredFunctionImp::execute ()
   from /home/pleira/big/build/lib/libkjs.so.1
#23 0xb6c712dc in KJS::FunctionImp::call ()
   from /home/pleira/big/build/lib/libkjs.so.1
#24 0xb6c76e7e in KJS::Object::call ()
   from /home/pleira/big/build/lib/libkjs.so.1
#25 0xb6c40f43 in KJS::FunctionCallNode::evaluate ()
   from /home/pleira/big/build/lib/libkjs.so.1
#26 0xb6c438b4 in KJS::AssignNode::evaluate ()
   from /home/pleira/big/build/lib/libkjs.so.1
#27 0xb6c4541a in KJS::ExprStatementNode::execute ()
   from /home/pleira/big/build/lib/libkjs.so.1
#28 0xb6c4bbbc in KJS::SourceElementsNode::execute ()
   from /home/pleira/big/build/lib/libkjs.so.1
#29 0xb6c4523d in KJS::BlockNode::execute ()
   from /home/pleira/big/build/lib/libkjs.so.1
#30 0xb6c45755 in KJS::IfNode::execute ()
   from /home/pleira/big/build/lib/libkjs.so.1
#31 0xb6c4bbbc in KJS::SourceElementsNode::execute ()
   from /home/pleira/big/build/lib/libkjs.so.1
#32 0xb6c4523d in KJS::BlockNode::execute ()
   from /home/pleira/big/build/lib/libkjs.so.1
#33 0xb6c461a3 in KJS::WhileNode::execute ()
   from /home/pleira/big/build/lib/libkjs.so.1
#34 0xb6c4bbbc in KJS::SourceElementsNode::execute ()
   from /home/pleira/big/build/lib/libkjs.so.1
#35 0xb6c4523d in KJS::BlockNode::execute ()
   from /home/pleira/big/build/lib/libkjs.so.1
#36 0xb6c4b073 in KJS::FunctionBodyNode::execute ()
   from /home/pleira/big/build/lib/libkjs.so.1
#37 0xb6c71ecc in KJS::DeclaredFunctionImp::execute ()
   from /home/pleira/big/build/lib/libkjs.so.1
#38 0xb6c712dc in KJS::FunctionImp::call ()
   from /home/pleira/big/build/lib/libkjs.so.1
#39 0xb6c76e7e in KJS::Object::call ()
   from /home/pleira/big/build/lib/libkjs.so.1
#40 0xb6c40f43 in KJS::FunctionCallNode::evaluate ()
   from /home/pleira/big/build/lib/libkjs.so.1
#41 0xb6c438b4 in KJS::AssignNode::evaluate ()
   from /home/pleira/big/build/lib/libkjs.so.1
#42 0xb6c4541a in KJS::ExprStatementNode::execute ()
   from /home/pleira/big/build/lib/libkjs.so.1
#43 0xb6c4bbbc in KJS::SourceElementsNode::execute ()
   from /home/pleira/big/build/lib/libkjs.so.1
#44 0xb6c4523d in KJS::BlockNode::execute ()
   from /home/pleira/big/build/lib/libkjs.so.1
#45 0xb6c45755 in KJS::IfNode::execute ()
   from /home/pleira/big/build/lib/libkjs.so.1
#46 0xb6c4bb46 in KJS::SourceElementsNode::execute ()
   from /home/pleira/big/build/lib/libkjs.so.1
#47 0xb6c4523d in KJS::BlockNode::execute ()
   from /home/pleira/big/build/lib/libkjs.so.1
#48 0xb6c4b073 in KJS::FunctionBodyNode::execute ()
   from /home/pleira/big/build/lib/libkjs.so.1
#49 0xb6c71ecc in KJS::DeclaredFunctionImp::execute ()
   from /home/pleira/big/build/lib/libkjs.so.1
#50 0xb6c712dc in KJS::FunctionImp::call ()
   from /home/pleira/big/build/lib/libkjs.so.1
#51 0xb6c76e7e in KJS::Object::call ()
   from /home/pleira/big/build/lib/libkjs.so.1
#52 0xb6c40f43 in KJS::FunctionCallNode::evaluate ()
   from /home/pleira/big/build/lib/libkjs.so.1
#53 0xb6c4541a in KJS::ExprStatementNode::execute ()
   from /home/pleira/big/build/lib/libkjs.so.1
#54 0xb6c45755 in KJS::IfNode::execute ()
   from /home/pleira/big/build/lib/libkjs.so.1
#55 0xb6c4bbbc in KJS::SourceElementsNode::execute ()
   from /home/pleira/big/build/lib/libkjs.so.1
#56 0xb6c4523d in KJS::BlockNode::execute ()
   from /home/pleira/big/build/lib/libkjs.so.1
#57 0xb6c4b073 in KJS::FunctionBodyNode::execute ()
   from /home/pleira/big/build/lib/libkjs.so.1
#58 0xb6c71ecc in KJS::DeclaredFunctionImp::execute ()
   from /home/pleira/big/build/lib/libkjs.so.1
#59 0xb6c712dc in KJS::FunctionImp::call ()
   from /home/pleira/big/build/lib/libkjs.so.1
#60 0xb6c76e7e in KJS::Object::call ()
   from /home/pleira/big/build/lib/libkjs.so.1
#61 0xb6c40f43 in KJS::FunctionCallNode::evaluate ()
   from /home/pleira/big/build/lib/libkjs.so.1
#62 0xb6c4541a in KJS::ExprStatementNode::execute ()
   from /home/pleira/big/build/lib/libkjs.so.1
#63 0xb6c4bb46 in KJS::SourceElementsNode::execute ()
   from /home/pleira/big/build/lib/libkjs.so.1
#64 0xb6c4523d in KJS::BlockNode::execute ()
   from /home/pleira/big/build/lib/libkjs.so.1
#65 0xb6c4b073 in KJS::FunctionBodyNode::execute ()
   from /home/pleira/big/build/lib/libkjs.so.1
#66 0xb6c6585d in KJS::InterpreterImp::evaluate ()
   from /home/pleira/big/build/lib/libkjs.so.1
#67 0xb6c78dba in KJS::Interpreter::evaluate ()
   from /home/pleira/big/build/lib/libkjs.so.1
#68 0xb6f052ed in KJS::KJSProxyImpl::evaluate ()
   from /home/pleira/big/build/lib/libkhtml.so.4
#69 0xb6d67c37 in KHTMLPart::executeScript ()
   from /home/pleira/big/build/lib/libkhtml.so.4
#70 0xb6ef6fb9 in KJS::ScheduledAction::execute ()
   from /home/pleira/big/build/lib/libkhtml.so.4
#71 0xb6ef83ee in KJS::WindowQObject::timerEvent ()
   from /home/pleira/big/build/lib/libkhtml.so.4
#72 0x42adc633 in QObject::event () from /usr/share/qt3/lib/libqt-mt.so.3
#73 0x42a8245f in QApplication::internalNotify ()
   from /usr/share/qt3/lib/libqt-mt.so.3
#74 0x42a81a5e in QApplication::notify () from /usr/share/qt3/lib/libqt-mt.so.3
#75 0xb759fc92 in KApplication::notify ()
   from /home/pleira/big/build/lib/libkdecore.so.4
#76 0x42a71c85 in QEventLoop::activateTimers ()
   from /usr/share/qt3/lib/libqt-mt.so.3
#77 0x42a2b4cb in QEventLoop::processEvents ()
   from /usr/share/qt3/lib/libqt-mt.so.3
#78 0x42a947b8 in QEventLoop::enterLoop ()
   from /usr/share/qt3/lib/libqt-mt.so.3
#79 0x42a94668 in QEventLoop::exec () from /usr/share/qt3/lib/libqt-mt.so.3
#80 0x42a826b1 in QApplication::exec () from /usr/share/qt3/lib/libqt-mt.so.3
#81 0xb7f666a8 in kdemain ()
   from /home/pleira/big/build/lib/libkdeinit_konqueror.so
#82 0x0804866b in main ()

The output in the konsole shows:

libkonq: ## addToHistory: http://www.spasa.es/contenidos/content.asp?contentid=251&nodeid=239 Typed URL: http://www.spasa.es/contenidos/content.asp?contentid=251&nodeid=239, Title:
konqueror: KonqMainWindow::openView ok=true bOthersFollowed=false returning true
kio (Scheduler): Resume metadata is ''
kio (Scheduler): HOLD: Reusing held slave for http://www.spasa.es/contenidos/content.asp?contentid=251&nodeid=239
konqueror: KonqMainWindow::slotRunFinished()
khtml (html):  using compatibility parseMode
konqueror: KonqMainWindow::setCaption(Web del Grupo Aciturri - Procesos de Automatización y Robotización)
khtml (jscript): WARNING: Script threw exception: TypeError: Attempted to access 'pixelLeft' property on undefined object (result of expression this.css.pixelLeft)
khtml (part): saveState this=0x8cf09b0 '' saving URL http://www.spasa.es/contenidos/content.asp?contentid=251&nodeid=239
libkonq: ## addToHistory: http://www.spasa.es/contenidos/content.asp?contentid=251&nodeid=239 Typed URL: , Title: Web del Grupo Aciturri - Procesos de Automatización y Robotización
konqueror: /home/pleira/big/kdecvs/kdelibs/khtml/xml/dom_nodeimpl.cpp:851: virtual void DOM::NodeImpl::attach(): La declaración `!attached()' no se cumple.
KCrash: crashing... crashRecursionCounter = 2
KCrash: Application Name = konqueror path = <unknown> pid = 8206

*** Bug 98584 has been marked as a duplicate of this bug. ***

I can obtain a crash too with this url

http://www.radio404.org

It seems that Kaffeine player is involved in the crash, I have konqueror 3.3.2

Console output :

konqueror: KaffeinePart: Creating new KaffeinePart...
konqueror: KaffeinePart: Argument: align="center"
konqueror: KaffeinePart: Argument: height="25"
konqueror: KaffeinePart: Argument: src="http://www.erreur404.org/html2/real.rpm"
konqueror: KaffeinePart: Argument: width="100"
konqueror: KaffeinePart: Argument: autostart="false"
konqueror: KaffeinePart: Found parameter autoStart=false, disable autostart
konqueror: KaffeinePart: Argument: controls="ControlPanel"
konqueror: KaffeinePart: Not an ImageWindow object
konqueror: KaffeinePart: Argument: __KHTML__PLUGINEMBED="YES"
konqueror: KaffeinePart: Argument: __KHTML__PLUGINBASEURL="http://www.erreur404.org/html2/radio.php3"
KCrash: Application 'konqueror' crashing...

Stack call

(no debugging symbols found)
Using host libthread_db library "/lib/tls/libthread_db.so.1".
(no debugging symbols found)
...
(no debugging symbols found)
[Thread debugging using libthread_db enabled]
[New Thread -1232087360 (LWP 2538)]
(no debugging symbols found)
...
(no debugging symbols found)
[KCrash handler]
#7  0xb623d526 in khtml::RenderPart::setWidget ()
   from /opt/kde/lib/libkhtml.so.4
#8  0xb618146b in KHTMLPart::processObjectRequest ()
   from /opt/kde/lib/libkhtml.so.4
#9  0xb61822dc in KHTMLRun::foundMimeType () from /opt/kde/lib/libkhtml.so.4
#10 0xb7e8333d in KParts::BrowserRun::slotBrowserMimetype ()
   from /opt/kde/lib/libkparts.so.2
#11 0xb7e854a9 in KParts::BrowserRun::qt_invoke ()
   from /opt/kde/lib/libkparts.so.2
#12 0xb615783b in KHTMLRun::qt_invoke () from /opt/kde/lib/libkhtml.so.4
#13 0xb70a6f44 in QObject::activate_signal () from /opt/qt/lib/libqt-mt.so.3
#14 0xb7c44a39 in KIO::TransferJob::mimetype () from /opt/kde/lib/libkio.so.4
#15 0xb7c44ab2 in KIO::TransferJob::slotMimetype ()
   from /opt/kde/lib/libkio.so.4
#16 0xb7c6d38e in KIO::TransferJob::qt_invoke () from /opt/kde/lib/libkio.so.4
#17 0xb70a6f44 in QObject::activate_signal () from /opt/qt/lib/libqt-mt.so.3
#18 0xb70a722b in QObject::activate_signal () from /opt/qt/lib/libqt-mt.so.3
#19 0xb7c3e5e3 in KIO::SlaveInterface::mimeType ()
   from /opt/kde/lib/libkio.so.4
#20 0xb7c8b3dc in KIO::SlaveInterface::dispatch ()
   from /opt/kde/lib/libkio.so.4
#21 0xb7c6b703 in KIO::SlaveInterface::dispatch ()
   from /opt/kde/lib/libkio.so.4
#22 0xb7c6228b in KIO::Slave::gotInput () from /opt/kde/lib/libkio.so.4
#23 0xb7c69ea8 in KIO::Slave::qt_invoke () from /opt/kde/lib/libkio.so.4
#24 0xb70a6f44 in QObject::activate_signal () from /opt/qt/lib/libqt-mt.so.3
#25 0xb70a756b in QObject::activate_signal () from /opt/qt/lib/libqt-mt.so.3
#26 0xb73fcfb0 in QSocketNotifier::activated () from /opt/qt/lib/libqt-mt.so.3
#27 0xb70c3f70 in QSocketNotifier::event () from /opt/qt/lib/libqt-mt.so.3
#28 0xb704353f in QApplication::internalNotify ()
   from /opt/qt/lib/libqt-mt.so.3
#29 0xb7043732 in QApplication::notify () from /opt/qt/lib/libqt-mt.so.3
#30 0xb7784b15 in KApplication::notify () from /opt/kde/lib/libkdecore.so.4
#31 0xb7036ce3 in QEventLoop::activateSocketNotifiers ()
   from /opt/qt/lib/libqt-mt.so.3
#32 0xb6fefce2 in QEventLoop::processEvents () from /opt/qt/lib/libqt-mt.so.3
#33 0xb7059bb1 in QEventLoop::enterLoop () from /opt/qt/lib/libqt-mt.so.3
#34 0xb7059b06 in QEventLoop::exec () from /opt/qt/lib/libqt-mt.so.3
#35 0xb70426af in QApplication::exec () from /opt/qt/lib/libqt-mt.so.3
#36 0xb7fc3acc in kdemain () from /opt/kde/lib/libkdeinit_konqueror.so
#37 0x080486be in ?? ()
#38 0x00000001 in ?? ()
#39 0xbffff774 in ?? ()
#40 0x080497b8 in ?? ()
#41 0xb6a6dff8 in __elf_set___libc_thread_subfreeres_element___rpc_thread_destroy__ () from /lib/tls/libc.so.6
#42 0x00000000 in ?? ()
#43 0xb8000440 in __stack_prot () from /lib/ld-linux.so.2
#44 0xbffff748 in ?? ()
#45 0xb696d19d in __libc_start_main () from /lib/tls/libc.so.6
#46 0xb696d19d in __libc_start_main () from /lib/tls/libc.so.6
#47 0x08048601 in ?? ()

*** Bug 100199 has been marked as a duplicate of this bug. ***

*** Bug 95547 has been marked as a duplicate of this bug. ***

*** Bug 95469 has been marked as a duplicate of this bug. ***

*** Bug 77250 has been marked as a duplicate of this bug. ***

*** Bug 89038 has been marked as a duplicate of this bug. ***

CVS commit by ggarand: 

fix crashes

BUG: 78205
CCBUG: 84173


  M +7 -5      html_imageimpl.cpp   1.150


--- kdelibs/khtml/html/html_imageimpl.cpp  #1.149:1.150
@@ -182,7 +182,6 @@ void HTMLImageElementImpl::attach()
     {
         m_render = new (getDocument()->renderArena()) RenderImage(this);
-        m_render->setStyle(getDocument()->styleSelector()->styleForElement(this));
+        m_render->setStyle(_style);
         parentNode()->renderer()->addChild(m_render, nextRenderer());
-        m_render->updateFromElement();
     }
     _style->deref();
@@ -187,6 +186,7 @@ void HTMLImageElementImpl::attach()
     }
     _style->deref();
-
     NodeBaseImpl::attach();
+    if (m_render)
+        m_render->updateFromElement();
 }
 
@@ -202,5 +202,6 @@ long HTMLImageElementImpl::width() const
     }
 
-    return m_render->contentWidth();
+    return m_render ? m_render->contentWidth() : 
+                      getAttribute(ATTR_WIDTH).toInt();
 }
 
@@ -216,5 +217,6 @@ long HTMLImageElementImpl::height() cons
     }
 
-    return m_render->contentHeight();
+    return m_render ? m_render->contentHeight() :
+                      getAttribute(ATTR_HEIGHT).toInt();
 }
 

CVS commit by ggarand: 

backport crash fix
CCBUG: 78205, 84173


  M +7 -5      html_imageimpl.cpp   1.149.2.1


--- kdelibs/khtml/html/html_imageimpl.cpp  #1.149:1.149.2.1
@@ -182,7 +182,6 @@ void HTMLImageElementImpl::attach()
     {
         m_render = new (getDocument()->renderArena()) RenderImage(this);
-        m_render->setStyle(getDocument()->styleSelector()->styleForElement(this));
+        m_render->setStyle(_style);
         parentNode()->renderer()->addChild(m_render, nextRenderer());
-        m_render->updateFromElement();
     }
     _style->deref();
@@ -187,6 +186,7 @@ void HTMLImageElementImpl::attach()
     }
     _style->deref();
-
     NodeBaseImpl::attach();
+    if (m_render)
+        m_render->updateFromElement();
 }
 
@@ -202,5 +202,6 @@ long HTMLImageElementImpl::width() const
     }
 
-    return m_render->contentWidth();
+    return m_render ? m_render->contentWidth() : 
+                      getAttribute(ATTR_WIDTH).toInt();
 }
 
@@ -216,5 +217,6 @@ long HTMLImageElementImpl::height() cons
     }
 
-    return m_render->contentHeight();
+    return m_render ? m_render->contentHeight() :
+                      getAttribute(ATTR_HEIGHT).toInt();
 }
 

*** Bug 111062 has been marked as a duplicate of this bug. ***

I have just recently run into a similar problem. Starting today, anytime I go to Yahoo to check my mail, I get a SIGSEGV seg fault.