Bug 84498 - [test case] Web page www.bad-duerkheim.de/ causes Konqueror program to crash
Status: RESOLVED FIXED
Alias: None
Product: konqueror
Classification: Applications
Component: khtml
Version: 3.2.1
Platform: openSUSE Linux
Importance: NOR crash
Target Milestone: ---
Assignee: Konqueror Developers
Keywords: testcase
Reported: 2004-07-05 10:00 UTC by Ruediger Wolf
Modified: 2008-11-18 01:31 UTC

Attachments
Original HTML (14.71 KB, text/html)
2004-07-06 20:00 UTC, Jorge Adriano
HTML without the problematic code (14.67 KB, text/html)
2004-07-06 20:02 UTC, Jorge Adriano
Test Case 1 - applet option "code" (92 bytes, text/html)
2004-07-06 20:03 UTC, Jorge Adriano
Test Case 1 - applet option "codebase" (93 bytes, text/html)
2004-07-06 20:04 UTC, Jorge Adriano
Here's my backtrace (7.92 KB, text/plain)
2005-04-20 02:53 UTC, lexual

Description Ruediger Wolf 2004-07-05 10:00:40 UTC
Version:           3.2.1 (using KDE KDE 3.2.3)
Installed from:    SuSE RPMs
OS:                Linux

I do a search on Google for Bad Dürkheim.
Then I click on the link www.bad-duerkheim.de/
Konqueror attempts to load the page and then crashes.

(no debugging symbols found)...Using host libthread_db library "/lib/tls/libthread_db.so.1".
(no debugging symbols found)...[Thread debugging using libthread_db enabled]
[New Thread 1094897120 (LWP 7522)]
(no debugging symbols found)...0xffffe415 in ?? ()
#0  0xffffe415 in ?? ()
#1  0xbfffd6ec in ?? ()
#2  0x00000000 in ?? ()
#3  0x00000000 in ?? ()
#4  0x411d7e83 in __waitpid_nocancel () from /lib/tls/libpthread.so.0
#5  0x40764d82 in KCrash::defaultCrashHandler ()
   from /opt/kde3/lib/libkdecore.so.4
#6  <signal handler called>
#7  0x41b61641 in khtml::RenderBox::calcWidth ()
   from /opt/kde3/lib/libkhtml.so.4
#8  0x41b574c6 in khtml::RenderFormElement::layout ()
   from /opt/kde3/lib/libkhtml.so.4
#9  0x41b57846 in khtml::RenderSelect::layout ()
   from /opt/kde3/lib/libkhtml.so.4
#10 0x41b56a7b in khtml::RenderSelect::calcMinMaxWidth ()
   from /opt/kde3/lib/libkhtml.so.4
#11 0x41b2c262 in khtml::RenderObject::recalcMinMaxWidths ()
   from /opt/kde3/lib/libkhtml.so.4
#12 0x41b2c1f8 in khtml::RenderObject::recalcMinMaxWidths ()
   from /opt/kde3/lib/libkhtml.so.4
#13 0x41b2c1f8 in khtml::RenderObject::recalcMinMaxWidths ()
   from /opt/kde3/lib/libkhtml.so.4
#14 0x41b2c1f8 in khtml::RenderObject::recalcMinMaxWidths ()
   from /opt/kde3/lib/libkhtml.so.4
#15 0x41b2c1f8 in khtml::RenderObject::recalcMinMaxWidths ()
   from /opt/kde3/lib/libkhtml.so.4
#16 0x41b2c1f8 in khtml::RenderObject::recalcMinMaxWidths ()
   from /opt/kde3/lib/libkhtml.so.4
#17 0x41b2c1f8 in khtml::RenderObject::recalcMinMaxWidths ()
   from /opt/kde3/lib/libkhtml.so.4
#18 0x41b2c1f8 in khtml::RenderObject::recalcMinMaxWidths ()
   from /opt/kde3/lib/libkhtml.so.4
#19 0x41b2c1f8 in khtml::RenderObject::recalcMinMaxWidths ()
   from /opt/kde3/lib/libkhtml.so.4
#20 0x41b2c1f8 in khtml::RenderObject::recalcMinMaxWidths ()
   from /opt/kde3/lib/libkhtml.so.4
#21 0x41b2c1f8 in khtml::RenderObject::recalcMinMaxWidths ()
   from /opt/kde3/lib/libkhtml.so.4
#22 0x41b2c1f8 in khtml::RenderObject::recalcMinMaxWidths ()
   from /opt/kde3/lib/libkhtml.so.4
#23 0x41b2c1f8 in khtml::RenderObject::recalcMinMaxWidths ()
   from /opt/kde3/lib/libkhtml.so.4
#24 0x41b2c1f8 in khtml::RenderObject::recalcMinMaxWidths ()
   from /opt/kde3/lib/libkhtml.so.4
#25 0x41b2c1f8 in khtml::RenderObject::recalcMinMaxWidths ()
   from /opt/kde3/lib/libkhtml.so.4
#26 0x41b6e107 in khtml::RenderCanvas::layout ()
   from /opt/kde3/lib/libkhtml.so.4
#27 0x41ac8ada in KHTMLView::layout () from /opt/kde3/lib/libkhtml.so.4
#28 0x41ac93a5 in KHTMLView::timerEvent () from /opt/kde3/lib/libkhtml.so.4
#29 0x40b21a21 in QObject::event () from /usr/lib/qt3/lib/libqt-mt.so.3
#30 0x40b564bf in QWidget::event () from /usr/lib/qt3/lib/libqt-mt.so.3
#31 0x40abfc1f in QApplication::internalNotify ()
   from /usr/lib/qt3/lib/libqt-mt.so.3
#32 0x40ac1639 in QApplication::notify () from /usr/lib/qt3/lib/libqt-mt.so.3
#33 0x407ae1f4 in KApplication::notify () from /opt/kde3/lib/libkdecore.so.4
#34 0x40ab454c in QEventLoop::activateTimers ()
   from /usr/lib/qt3/lib/libqt-mt.so.3
#35 0x40a6eca3 in QEventLoop::processEvents ()
   from /usr/lib/qt3/lib/libqt-mt.so.3
#36 0x40ad7661 in QEventLoop::enterLoop () from /usr/lib/qt3/lib/libqt-mt.so.3
#37 0x40ad74a6 in QEventLoop::exec () from /usr/lib/qt3/lib/libqt-mt.so.3
#38 0x40ac150f in QApplication::exec () from /usr/lib/qt3/lib/libqt-mt.so.3
#39 0x4155b8ac in kdemain () from /opt/kde3/lib/libkdeinit_konqueror.so
#40 0x400188e4 in kdeinitmain () from /opt/kde3/lib/kde3/konqueror.so
#41 0x0804e801 in launch ()
#42 0x0804ef0c in handle_launcher_request ()
#43 0x0804f499 in handle_requests ()
#44 0x0804fc0a in main ()
Comment 1 Tommi Tervo 2004-07-05 14:43:05 UTC
[New Thread 1024 (LWP 12645)]
[KCrash handler]
#6  0x414c601e in khtml::RenderBox::calcWidth (this=0x84703a0)
    at render_box.cpp:655
#7  0x414e1108 in khtml::RenderFormElement::layout (this=0x8470378)
    at render_form.cpp:92
#8  0x414e50c9 in khtml::RenderSelect::layout (this=0x8470378)
    at render_form.cpp:1045
#9  0x414e4da0 in khtml::RenderSelect::calcMinMaxWidth (this=0x8470378)
    at render_form.cpp:992
#10 0x414c29fb in khtml::RenderObject::recalcMinMaxWidths (this=0x84703a0)
    at render_object.cpp:1728
#11 0x414c2947 in khtml::RenderObject::recalcMinMaxWidths (this=0x8455ce0)
    at render_object.cpp:1714
#12 0x414c2947 in khtml::RenderObject::recalcMinMaxWidths (this=0x8455b6c)
    at render_object.cpp:1714
#13 0x414c2947 in khtml::RenderObject::recalcMinMaxWidths (this=0x8455b48)
    at render_object.cpp:1714
#14 0x414c2947 in khtml::RenderObject::recalcMinMaxWidths (this=0x8455508)
    at render_object.cpp:1714
#15 0x414c2947 in khtml::RenderObject::recalcMinMaxWidths (this=0x8455464)
    at render_object.cpp:1714
#16 0x414c2947 in khtml::RenderObject::recalcMinMaxWidths (this=0x84553dc)
    at render_object.cpp:1714
#17 0x414c2947 in khtml::RenderObject::recalcMinMaxWidths (this=0x84552b0)
    at render_object.cpp:1714
#18 0x414c2947 in khtml::RenderObject::recalcMinMaxWidths (this=0x8455250)
    at render_object.cpp:1714
#19 0x414c2947 in khtml::RenderObject::recalcMinMaxWidths (this=0x84551ac)
    at render_object.cpp:1714
#20 0x414c2947 in khtml::RenderObject::recalcMinMaxWidths (this=0x84550c4)
    at render_object.cpp:1714
#21 0x414c2947 in khtml::RenderObject::recalcMinMaxWidths (this=0x8454fb0)
    at render_object.cpp:1714
#22 0x414c2947 in khtml::RenderObject::recalcMinMaxWidths (this=0x8454f38)
    at render_object.cpp:1714
#23 0x414c2947 in khtml::RenderObject::recalcMinMaxWidths (this=0x8454e78)
    at render_object.cpp:1714
#24 0x414c2947 in khtml::RenderObject::recalcMinMaxWidths (this=0x8454d88)
    at render_object.cpp:1714
#25 0x414ea11d in khtml::RenderCanvas::layout (this=0x8454d88)
    at render_canvas.cpp:135
#26 0x41410653 in KHTMLView::layout (this=0x85196c0) at khtmlview.cpp:632
#27 0x414181a8 in KHTMLView::timerEvent (this=0x85196c0, e=0xbfffeaf0)
    at khtmlview.cpp:2470
#28 0x40a69123 in QObject::event () from /opt/qt332p2/lib/libqt-mt.so.3
#29 0x40a95fe3 in QWidget::event () from /opt/qt332p2/lib/libqt-mt.so.3
#30 0x40a1f9ca in QApplication::internalNotify ()
   from /opt/qt332p2/lib/libqt-mt.so.3
#31 0x40a1f62f in QApplication::notify () from /opt/qt332p2/lib/libqt-mt.so.3
#32 0x40633767 in KApplication::notify (this=0xbffff0c0, receiver=0x85196c0, 
    event=0xbfffeaf0) at kapplication.cpp:512
#33 0x40a124b1 in QEventLoop::activateTimers ()
   from /opt/qt332p2/lib/libqt-mt.so.3
#34 0x409d83f1 in QEventLoop::processEvents ()
   from /opt/qt332p2/lib/libqt-mt.so.3
#35 0x40a2d884 in QEventLoop::enterLoop () from /opt/qt332p2/lib/libqt-mt.so.3
#36 0x40a2d7d9 in QEventLoop::exec () from /opt/qt332p2/lib/libqt-mt.so.3
#37 0x40a1fb1e in QApplication::exec () from /opt/qt332p2/lib/libqt-mt.so.3
#38 0x411184a3 in kdemain (argc=2, argv=0x805a420) at konq_main.cc:204
#39 0x407da8a1 in kdeinitmain (argc=2, argv=0x805a420) at konqueror_dummy.cc:2
#40 0x0804cbd4 in launch (argc=2, _name=0x805d2ac "konqueror", 
    args=0x805d2bf "\001", cwd=0x0, envc=1, envs=0x805d2d0 "", 
    reset_env=false, tty=0x0, avoid_loops=false, 
    startup_id_str=0x805d2d4 "v10-dhcp-76-190.ntc.nokia.com;1089026033;281523;844_TIME577984021") at kinit.cpp:591
#41 0x0804db9f in handle_launcher_request (sock=8) at kinit.cpp:1157
#42 0x0804e0fa in handle_requests (waitForPid=0) at kinit.cpp:1348
#43 0x0804f37b in main (argc=3, argv=0xbffff7a4, envp=0xbffff7b4)
    at kinit.cpp:1785
#44 0x42017589 in __libc_start_main () from /lib/i686/libc.so.6
Comment 2 Jorge Adriano 2004-07-06 19:57:47 UTC
Hi, 
I downloaded the problematic HTML and managed to find the causes. 
The problem is in both the "code" and "codebase" options of the "applet" tag. By removing them from the original code, everything works fine. Both of these are minimal test cases:

Test Case 1:
<html>
<body>
<applet code=SiteMap2ech.class>
<select>
</select>
</applet>
</body>
</html>

Test Case 2:
<html>
<body>
<applet codebase="/x_sys/menu/">
<select>
</select>
</applet>
</body>
</html>
Comment 3 Jorge Adriano 2004-07-06 20:00:04 UTC
Created attachment 6573
Original HTML
Comment 4 Jorge Adriano 2004-07-06 20:02:11 UTC
Created attachment 6574
HTML without the problematic code

As you can check with a diff, I simply removed the "code" and "codebase"
options from the original HTML.
Comment 5 Jorge Adriano 2004-07-06 20:03:35 UTC
Created attachment 6575
Test Case 1 -  applet option "code"
Comment 6 Jorge Adriano 2004-07-06 20:04:25 UTC
Created attachment 6576
Test Case 1 - applet option "codebase"
Comment 7 jakubpol 2004-07-15 04:17:52 UTC
Site crashes in KDE3.3beta1.
Comment 8 jakubpol 2004-08-04 15:46:16 UTC
Crashes on KDE 3.3 beta2.
Comment 9 jakubpol 2004-08-08 23:41:37 UTC
Site crashed on KDE 3.3 rc1.
Comment 10 Andrew Coles 2004-10-22 17:37:01 UTC
See also:

http://cis.strath.ac.uk/~ac/break.html

Same error - no containing block after using KJAS.
Comment 11 lexual 2004-11-25 23:33:45 UTC
Site loads without crashing in kde 3.3.1 compiled from source.

Can't comment on other comments because I don't understand much about this stuff.
Comment 12 Allan Sandfeld 2004-11-26 01:31:37 UTC
It crashes for me (CVS-HEAD)
Comment 13 Tommi Tervo 2005-03-01 10:41:08 UTC
Cannot reproduce anymore with konqueror 3.4rc1.
Comment 14 Tommi Tervo 2005-03-11 12:13:33 UTC
3_4_BRANCH from yesterday crashes, FreeBSD-4.11

#0  0x29bade73 in khtml::RenderBox::containingBlockWidth (this=0x855b160)
    at render_box.cpp:610
#1  0x29baea8c in khtml::RenderBox::calcWidth (this=0x855b160)
    at render_box.cpp:740
#2  0x29bd912c in khtml::RenderFormElement::layout (this=0x855b138)
    at render_form.cpp:91
#3  0x29bdeebe in khtml::RenderSelect::layout (this=0x855b138)
    at render_form.cpp:1058
#4  0x29c009e7 in khtml::RenderObject::layoutIfNeeded (this=0x855b160)
    at ../../khtml/rendering/render_object.h:393
#5  0x29bde8e0 in khtml::RenderSelect::calcMinMaxWidth (this=0x855b138)
    at render_form.cpp:1002
#6  0x29ba7643 in khtml::RenderObject::recalcMinMaxWidths (this=0x855b160)
    at render_object.cpp:1832
#7  0x29ba74ad in khtml::RenderObject::recalcMinMaxWidths (this=0x855b0d0)
    at render_object.cpp:1818
#8  0x29ba74ad in khtml::RenderObject::recalcMinMaxWidths (this=0x855af44)
    at render_object.cpp:1818
#9  0x29ba74ad in khtml::RenderObject::recalcMinMaxWidths (this=0x855af18)
    at render_object.cpp:1818
#10 0x29ba74ad in khtml::RenderObject::recalcMinMaxWidths (this=0x855a838)
    at render_object.cpp:1818
#11 0x29ba74ad in khtml::RenderObject::recalcMinMaxWidths (this=0x855a78c)
Comment 15 lexual 2005-04-20 02:53:11 UTC
Created attachment 10715
Here's my backtrace

3.4.0 ubuntu hoary
Comment 16 Andrew Coles 2005-05-18 15:44:40 UTC
I've traced the problem: form elements, such as <select> groups, within <applet> tags cause the crash (even if the page validates).  

For example, the following crashes:

<applet code="HelloWorld.class" width=150 height=25>
<select name="1" size="1">
<option>one
<option>two
<option>three
</select>
</applet>

http://cis.strath.ac.uk/~ac/break6.html demonstrates this.

Section of backtrace:

#0  0xb60a7bc2 in khtml::RenderBox::containingBlockWidth (this=0x839a734) at render_box.cpp:627
#1  0xb60a8644 in khtml::RenderBox::calcWidth (this=0x839a734) at render_box.cpp:761
#2  0xb60d1b5c in khtml::RenderFormElement::layout (this=0x839a70c) at render_form.cpp:91
#3  0xb60d731d in khtml::RenderSelect::layout (this=0x839a70c) at render_form.cpp:1068
#4  0xb6083b28 in khtml::RenderObject::layoutIfNeeded (this=0x839a734) at render_object.h:394
#5  0xb60d6e85 in khtml::RenderSelect::calcMinMaxWidth (this=0x839a70c) at render_form.cpp:1012
#6  0xb60a1bb0 in khtml::RenderObject::recalcMinMaxWidths (this=0x839a734) at render_object.cpp:1844
#7  0xb60a1ac1 in khtml::RenderObject::recalcMinMaxWidths (this=0x839a6a8) at render_object.cpp:1830
#8  0xb60a1ac1 in khtml::RenderObject::recalcMinMaxWidths (this=0x839a608) at render_object.cpp:1830
#9  0xb60a1ac1 in khtml::RenderObject::recalcMinMaxWidths (this=0x839a534) at render_object.cpp:1830
#10 0xb60a1ac1 in khtml::RenderObject::recalcMinMaxWidths (this=0x839a420) at render_object.cpp:1830
#11 0xb60e0bf0 in khtml::RenderCanvas::layout (this=0x839a420) at render_canvas.cpp:140
#12 0xb5fae87e in KHTMLView::layout (this=0x835e9d8) at khtmlview.cpp:774
Comment 17 Tommi Tervo 2005-05-18 15:59:05 UTC
Hmm, 3.4-branch konqueror won't crash anymore.
Comment 18 Andrew Coles 2005-05-18 16:06:57 UTC
It crashes with trunk.

Tommi, do you have java enabled?  It doesn't crash if it's not set up.
Comment 19 Tommi Tervo 2005-05-18 16:20:22 UTC
> Tommi, do you have java enabled? It doesn't crash if it's not set up.

Right guess, I compiled with --without-java
Comment 20 Thiago Macieira 2005-05-19 04:03:12 UTC
trunk r414026 crashes, Java is enabled.
Comment 21 jakubpol 2005-11-05 11:23:17 UTC
No longer crashes with java enabled on KDE 3.5-beta2 (Gentoo).
Comment 22 Tommi Tervo 2005-11-05 12:33:08 UTC
3.5 r477828 crashes:

#4  0xb6548ea4 in khtml::RenderBox::containingBlockWidth (this=0x8a156c8)
    at render_box.cpp:633
#5  0xb654b15b in khtml::RenderBox::calcWidth (this=0x8a156c8)
    at render_box.cpp:766
#6  0xb655ceb6 in khtml::RenderFormElement::layout (this=0x8a156a0)
    at render_form.cpp:91
#7  0xb65737c1 in khtml::RenderSelect::layout (this=0x8a156a0)
    at render_form.cpp:1074
#8  0xb64c0101 in khtml::RenderObject::layoutIfNeeded (this=0x8a156c8)
    at render_object.h:413
#9  0xb655f9b5 in khtml::RenderSelect::calcMinMaxWidth (this=0x8a156a0)
    at render_form.cpp:1018
#10 0xb654529b in khtml::RenderObject::recalcMinMaxWidths (this=0x8a156c8)
    at render_object.cpp:1847
#11 0xb6545169 in khtml::RenderObject::recalcMinMaxWidths (this=0x8a15638)
    at render_object.cpp:1833
Comment 23 Dirk Mueller 2006-07-14 10:44:58 UTC
does not crash for me in KDE 3.5.3
Comment 24 Tommi Tervo 2007-08-08 12:30:29 UTC
3.5.7 still crashes with same backtrace (kubuntu.org packages), reopening.
Comment 25 Michael Leupold 2008-04-06 11:59:54 UTC
Confirmed for trunk r794020.

crashes for: c3, c5, c6, c16 (java enabled)
no crash for: c4 (java enabled), c4, c3, c6, c6, c16 (java disabled)
Comment 26 Harri Porten 2008-11-07 23:05:26 UTC
Valgrind log of testcase from comment #16 with trunk revision 881311:

==5077== Invalid read of size 8
==5077==    at 0x530D7A0: khtml::RenderBox::containingBlockWidth(khtml::RenderObject*) const (render_box.cpp:842)
==5077==    by 0x5314D55: khtml::RenderBox::calcWidth() (render_box.cpp:995)
==5077==    by 0x534969E: khtml::RenderFormElement::layout() (render_form.cpp:206)
==5077==    by 0x5349C32: khtml::RenderSelect::layout() (render_form.cpp:1633)
==5077==    by 0x534A3AD: khtml::RenderSelect::calcMinMaxWidth() (render_object.h:471)
==5077==    by 0x530596B: khtml::RenderObject::recalcMinMaxWidths() (render_object.cpp:2207)
==5077==    by 0x53058B9: khtml::RenderObject::recalcMinMaxWidths() (render_object.cpp:2193)
==5077==    by 0x53058B9: khtml::RenderObject::recalcMinMaxWidths() (render_object.cpp:2193)
==5077==    by 0x53058B9: khtml::RenderObject::recalcMinMaxWidths() (render_object.cpp:2193)
==5077==    by 0x53058B9: khtml::RenderObject::recalcMinMaxWidths() (render_object.cpp:2193)
==5077==    by 0x5353D1E: khtml::RenderCanvas::layout() (render_canvas.cpp:178)
==5077==    by 0x51AE00C: KHTMLView::layout() (khtmlview.cpp:1059)
==5077==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
Comment 27 Harri Porten 2008-11-08 21:56:35 UTC
SVN commit 881715 by porten:

Prevent a crash triggered by an internal error. The real
fix will be to recognize e.g. <object> as a block-level
element I think.

CCBUG:84498


 M  +1 -1      render_object.cpp  


WebSVN link: http://websvn.kde.org/?view=rev&revision=881715
Comment 28 Harri Porten 2008-11-08 22:00:12 UTC
SVN commit 881716 by porten:

Merged revision 881715:
Prevent a crash triggered by an internal error. The real
fix will be to recognize e.g. <object> as a block-level
element I think.

CCBUG:84498

 M  +1 -1      render_object.cpp  


WebSVN link: http://websvn.kde.org/?view=rev&revision=881716
Comment 29 Harri Porten 2008-11-18 01:31:13 UTC
Fixed in r885848. Don't allow renderers for <select> inside of <applet> renderers. The case of alternate content would be different.
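
Triage note, added as an example and not code from KDE or from any commenter: the gdb and Valgrind traces in this report differ in addresses, line numbers and layout, yet normalize to the same top-of-stack signature, and the Valgrind fault address identifies a NULL dereference. The names `frames`, `signature` and `is_null_deref`, the depth of 4 frames and the 4096-byte first-page threshold are assumptions of this sketch.

```python
import hashlib
import re

# Excerpts copied from comment 22 (gdb) and comment 26 (Valgrind) on this page.
GDB_C22 = """\
#4  0xb6548ea4 in khtml::RenderBox::containingBlockWidth (this=0x8a156c8)
    at render_box.cpp:633
#5  0xb654b15b in khtml::RenderBox::calcWidth (this=0x8a156c8)
    at render_box.cpp:766
#6  0xb655ceb6 in khtml::RenderFormElement::layout (this=0x8a156a0)
    at render_form.cpp:91
#7  0xb65737c1 in khtml::RenderSelect::layout (this=0x8a156a0)
    at render_form.cpp:1074
"""
VALGRIND_C26 = """\
==5077== Invalid read of size 8
==5077==    at 0x530D7A0: khtml::RenderBox::containingBlockWidth(khtml::RenderObject*) const (render_box.cpp:842)
==5077==    by 0x5314D55: khtml::RenderBox::calcWidth() (render_box.cpp:995)
==5077==    by 0x534969E: khtml::RenderFormElement::layout() (render_form.cpp:206)
==5077==    by 0x5349C32: khtml::RenderSelect::layout() (render_form.cpp:1633)
==5077==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
"""

# A gdb frame ("#N 0xADDR in func (") or a Valgrind frame ("at|by 0xADDR: func(").
FRAME = re.compile(
    r"(?:^#\d+\s+0x[0-9a-f]+ in |\b(?:at|by) 0x[0-9A-Fa-f]+: )([\w:~]+)\s*\(", re.M)
FAULT_ADDR = re.compile(r"Address (0x[0-9A-Fa-f]+) is not stack'd")


def frames(trace):
    """Function names, innermost first, with recursive repeats collapsed."""
    names = []
    for name in FRAME.findall(trace):
        if not names or names[-1] != name:
            names.append(name)
    return names


def signature(trace, depth=4):
    """Bucket key: hash of the top `depth` frames, ignoring addresses and lines."""
    top = "\n".join(frames(trace)[:depth])
    return hashlib.sha256(top.encode()).hexdigest()[:16]


def is_null_deref(trace, page=4096):
    """True when Valgrind reports a fault address inside the first page."""
    m = FAULT_ADDR.search(trace)
    return bool(m) and int(m.group(1), 16) < page


if __name__ == "__main__":
    print(frames(GDB_C22))
    print(signature(GDB_C22) == signature(VALGRIND_C26), is_null_deref(VALGRIND_C26))
```

The older trace in comment 1 has `calcWidth` as its innermost frame, so it lands in a different bucket at this depth.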