Bug 94997 - [test case] konqueror will crash if a floated link uses :hover:before or :hover:after to create a positioned element
Status: RESOLVED FIXED
Alias: None
Product: konqueror
Classification: Applications
Component: khtml renderer
Version: unspecified
Platform: Compiled Sources Linux
Importance: NOR crash
Target Milestone: ---
Assignee: Konqueror Developers
Duplicates: 125656 126027
Reported: 2004-12-12 17:56 UTC by _
Modified: 2006-04-21 16:27 UTC (History)
Description _ 2004-12-12 17:56:55 UTC
Version:            (using KDE KDE 3.3.1)
Installed from:    Compiled From Sources
Compiler:          gcc 3.3.4 
OS:                Linux

The following combination of styles causes Konqueror to crash when the mouse hovers over the link:
#someLink { float: left; }
#someLink:hover:after { position: absolute; content: "some text"; }

Test case: http://www.howtocreate.co.uk/safari/hoverContentCrash.html

This bug is also confirmed on KDE 3.3.89.
Comment 1 Tommi Tervo 2004-12-13 10:26:04 UTC
Khtml HEAD:

==5852==    by 0x4103BB3E: __assert_fail (in /lib/libc-2.3.2.so)
==5852==    by 0x1DAB0DFF: khtml::RenderBlock::layoutBlock(bool) (render_block.cpp:447)
==5852==    by 0x1DAB0C0C: khtml::RenderBlock::layout() (render_block.cpp:434)
==5852==    by 0x1DB118E5: khtml::RenderObject::layoutIfNeeded() (render_object.h:375)
==5852==    by 0x1DAB3957: khtml::RenderBlock::layoutPositionedObjects(bool) (render_block.cpp:1227)
==5852==    by 0x1DAB158A: khtml::RenderBlock::layoutBlock(bool) (render_block.cpp:571)
==5852==    by 0x1DAB0C0C: khtml::RenderBlock::layout() (render_block.cpp:434)
==5852==    by 0x1DB118E5: khtml::RenderObject::layoutIfNeeded() (render_object.h:375)
==5852==    by 0x1DAB2581: khtml::RenderBlock::layoutBlockChildren(bool) (render_block.cpp:878)
==5852==    by 0x1DAB1114: khtml::RenderBlock::layoutBlock(bool) (render_block.cpp:530)
==5852==    by 0x1DAB0C0C: khtml::RenderBlock::layout() (render_block.cpp:434)
==5852==    by 0x1DAFDF57: khtml::RenderCanvas::layout() (render_canvas.cpp:160)
==5852==    by 0x1D9F78B5: KHTMLView::layout() (khtmlview.cpp:746)
==5852==    by 0x1DA000C8: KHTMLView::timerEvent(QTimerEvent*) (khtmlview.cpp:2754)
==5852==    by 0x1C6E8252: QObject::event(QEvent*) (in /opt/qt333/lib/libqt-mt.so.3.3.3)
==5852==    by 0x1C720B0E: QWidget::event(QEvent*) (in /opt/qt333/lib/libqt-mt.so.3.3.3)
==5852==    by 0x1C68E0BE: QApplication::internalNotify(QObject*, QEvent*) (in /opt/qt333/lib/libqt-mt.so.3.3.3)
==5852==    by 0x1C68D6BD: QApplication::notify(QObject*, QEvent*) (in /opt/qt333/lib/libqt-mt.so.3.3.3)
==5852==    by 0x1C226D96: KApplication::notify(QObject*, QEvent*) (kapplication.cpp:495)
==5852==    by 0x1C67D8F4: QEventLoop::activateTimers() (in /opt/qt333/lib/libqt-mt.so.3.3.3)
==5852==    by 0x1C636CCA: QEventLoop::processEvents(unsigned) (in /opt/qt333/lib/libqt-mt.so.3.3.3)
==5852==    by 0x1C6A0477: QEventLoop::enterLoop() (in /opt/qt333/lib/libqt-mt.so.3.3.3)
==5852==    by 0x1C6A0327: QEventLoop::exec() (in /opt/qt333/lib/libqt-mt.so.3.3.3)
==5852==    by 0x1C68E310: QApplication::exec() (in /opt/qt333/lib/libqt-mt.so.3.3.3)
Comment 2 Tommi Tervo 2005-05-20 10:13:28 UTC
konqueror: RenderBlock (positioned)(1): 0x85243dc  ci an ps nl rmm zI: auto  <a:after> (0,0,560,20) [560-560] { mT: 0 qT: 0 mB: 0 qB: 0} layer=0x8524458
konqueror:   RenderText(1): 0x85244b4  il an mmk zI: auto  (0,0,417,20) [69-427] { mT: 0 qT: 0 mB: 0 qB: 0} " It looks "
 this object = 0x85243dc, (null)
assertion "minMaxKnown()" failed: file "render_block.cpp", line 448


#3  0x29b8fec7 in khtml::RenderBlock::layoutBlock (this=0x85243dc,
    relayoutChildren=false) at render_block.cpp:448
#4  0x29b8fc6e in khtml::RenderBlock::layout (this=0x85243dc)
    at render_block.cpp:435
#5  0x29c04d2b in khtml::RenderObject::layoutIfNeeded (this=0x85243dc)
    at ../../khtml/rendering/render_object.h:393
#6  0x29b9463e in khtml::RenderBlock::layoutPositionedObjects (this=0x8524128,
    relayoutChildren=false) at render_block.cpp:1228
#7  0x29b90c35 in khtml::RenderBlock::layoutBlock (this=0x8524128,
    relayoutChildren=false) at render_block.cpp:572
#8  0x29b8fc6e in khtml::RenderBlock::layout (this=0x8524128)
    at render_block.cpp:435
#9  0x29c04d2b in khtml::RenderObject::layoutIfNeeded (this=0x8524128)
    at ../../khtml/rendering/render_object.h:393
#10 0x29b926b2 in khtml::RenderBlock::layoutBlockChildren (this=0x8524010,
    relayoutChildren=false) at render_block.cpp:879
#11 0x29b90304 in khtml::RenderBlock::layoutBlock (this=0x8524010,
    relayoutChildren=false) at render_block.cpp:531
#12 0x29b8fc6e in khtml::RenderBlock::layout (this=0x8524010)
    at render_block.cpp:435
#13 0x29bead60 in khtml::RenderCanvas::layout (this=0x85
    at render_canvas.cpp:160
#14 0x29ab099c in KHTMLView::layout (this=0x82ea900) at
#15 0x29abbeec in KHTMLView::timerEvent (this=0x82ea900,
Comment 3 Mathias Brodala 2006-04-06 20:08:14 UTC
The same happens with the following code:

a {
  position:relative;
}
a:hover::after {
  content:"#";
  position:absolute;
}

The crashdump:

---
(no debugging symbols found)
Using host libthread_db library "/lib/tls/libthread_db.so.1".
[Thread debugging using libthread_db enabled]
[New Thread -1503181120 (LWP 8446)]
[KCrash handler]
#5  0xa605b908 in non-virtual thunk to DOM::HTMLObjectBaseElementImpl::~HTMLObjectBaseElementImpl() () from /usr/lib/libkhtml.so.4
#6  0x0813ac18 in ?? ()
#7  0x0830a248 in ?? ()
#8  0xafbc0678 in ?? ()
#9  0xa6054dfd in non-virtual thunk to DOM::HTMLObjectBaseElementImpl::~HTMLObjectBaseElementImpl() () from /usr/lib/libkhtml.so.4
#10 0x0813a754 in ?? ()
#11 0xafbc0664 in ?? ()
#12 0xafbc0664 in ?? ()
#13 0x001f618c in ?? ()
#14 0x0813a754 in ?? ()
#15 0x00000014 in ?? ()
#16 0x00bc0678 in ?? ()
#17 0xa6093632 in non-virtual thunk to khtml::RenderSelect::calcMinMaxWidth()
    () from /usr/lib/libkhtml.so.4
#18 0x0813a754 in ?? ()
#19 0x0830a248 in ?? ()
#20 0x082986e8 in ?? ()
#21 0xa61f618c in ?? () from /usr/lib/libkhtml.so.4
#22 0x00000014 in ?? ()
#23 0x00000014 in ?? ()
#24 0xafbc06c8 in ?? ()
#25 0xa607b700 in non-virtual thunk to DOM::HTMLObjectBaseElementImpl::~HTMLObjectBaseElementImpl() () from /usr/lib/libkhtml.so.4
#26 0x0813a754 in ?? ()
#27 0x00000000 in ?? ()
Comment 4 Tommi Tervo 2006-04-16 10:07:17 UTC
*** Bug 125656 has been marked as a duplicate of this bug. ***
Comment 5 Allan Sandfeld 2006-04-19 18:07:41 UTC
SVN commit 531609 by carewolf:

Remove the pseudo-container from any special rendering-lists it might have been part of.
BUG: 94997


 M  +1 -0      render_container.cpp  


--- branches/KDE/3.5/kdelibs/khtml/rendering/render_container.cpp #531608:531609
@@ -275,6 +275,7 @@
     {
         // The child needs to be removed.
         oldContentPresent = false;
+        child->removeFromObjectLists();
         removeChild(child);
         child = (type == RenderStyle::BEFORE) ? firstChild() : lastChild();
     }
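Review bot: The added `child->removeFromObjectLists();` (new line 278) has no comment saying why `removeChild(child)` on the following line is not enough by itself, or whether the call must precede the unlink. A one-line comment matching the commit message would help, for example `// drop the pseudo-container from any special rendering lists before unlinking it`. If other callers of `removeChild` can reach the same state, consider whether the deregistration belongs in the removal path rather than at this single call site, and add the test case from the report as a regression test.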
Comment 6 Tommi Tervo 2006-04-21 16:27:30 UTC
*** Bug 126027 has been marked as a duplicate of this bug. ***
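
The bug class addressed by the commit in Comment 5, as an added example that is not KHTML code and not part of the original report: a container holds a non-owning side list of positioned objects, and unlinking a child without deregistering it leaves a stale entry for the next layout pass. `Node`, `staleEntries` and `staleAfterPseudoRemoval` are hypothetical names, and the model assumes the parent is the list holder and that `removeChild` only unlinks from the child list.

```cpp
#include <algorithm>
#include <cstddef>
#include <vector>

// Simplified model (assumption, not KHTML code): children live in one list,
// absolutely positioned ones are also tracked in a non-owning side list.
struct Node {
    Node* parent = nullptr;
    bool positioned = false;
    std::vector<Node*> children;
    std::vector<Node*> positionedObjects;  // side list walked during layout

    void addChild(Node* c) {
        c->parent = this;
        children.push_back(c);
        if (c->positioned) positionedObjects.push_back(c);
    }
    // Assumed behaviour: unlinks from the child list only.
    void removeChild(Node* c) {
        children.erase(std::remove(children.begin(), children.end(), c), children.end());
        c->parent = nullptr;
    }
    // Model of the call the patch adds: drop this node from the side list.
    void removeFromObjectLists() {
        if (!parent) return;  // already unlinked, list holder unknown
        auto& l = parent->positionedObjects;
        l.erase(std::remove(l.begin(), l.end(), this), l.end());
    }
    // Stand-in for a layout pass: count side-list entries no longer in the tree.
    std::size_t staleEntries() const {
        std::size_t n = 0;
        for (const Node* o : positionedObjects)
            if (o->parent != this) ++n;
        return n;
    }
};

// A style change removes the generated :after container from the link.
std::size_t staleAfterPseudoRemoval(bool unregisterFirst) {
    Node link, after;
    after.positioned = true;   // position: absolute
    link.addChild(&after);     // generated content attached
    if (unregisterFirst) after.removeFromObjectLists();
    link.removeChild(&after);  // old content removed
    return link.staleEntries();
}

int main() {
    return (staleAfterPseudoRemoval(false) == 1 && staleAfterPseudoRemoval(true) == 0) ? 0 : 1;
}
```

In this model the deregistration only works while `parent` is still set, which is why it runs before `removeChild`, the same order the patch uses.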