Bug 95177 - [test case] crash when assigning to innerHTML
Summary: [test case] crash when assigning to innerHTML
Status: RESOLVED WORKSFORME
Alias: None
Product: konqueror
Classification: Applications
Component: khtml
Version: 3.3.1
Platform: Gentoo Packages Linux
Importance: NOR crash
Target Milestone: ---
Assignee: Konqueror Developers
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-12-15 00:13 UTC by Simon Strandgaard
Modified: 2008-11-22 02:13 UTC
CC List: 3 users

See Also:
Latest Commit:
Version Fixed In:


Attachments
Testcase attached (1.23 KB, text/html)
2004-12-15 10:46 UTC, Tommi Tervo
Description Simon Strandgaard 2004-12-15 00:13:01 UTC
Version:            (using KDE KDE 3.3.1)
Installed from:    Gentoo Packages
Compiler:          gcc version 3.3.4 20040623 (Gentoo Linux 3.3.4-r1, ssp-3.3.2-2, pie-8.7.6) 
OS:                Linux

This bug is similar to http://bugs.kde.org/show_bug.cgi?id=34530


I have made a proof of concept, which crashes Konqueror 3.3.1.
  1. Click on the blue area.
  2. Replace the content of the input field with the empty string.
  3. Hit Enter.
  4. Crash.



--
Simon Strandgaard



<html><head>
<style type="text/css">#button{width:100px; height:100px; background-color:blue;}</style>
<script type="text/javascript" language="JavaScript">
// Wraps the blue div; a mousedown on it arms a document-wide mouseup handler.
function Slider(element) {
        this.element = element;
}
Slider.prototype.event_down = function(event) {
        var slider = this;
        document.onmouseup = function(event) {
                slider.event_up(event);
                return false;
        };
};
// On mouseup: replace the div's first child with an input carrying the div's
// current innerHTML, and write the input's value back into innerHTML (which
// removes the input itself) when the input blurs or changes.
Slider.prototype.event_up = function(event) {
        var div = this.element;
        var input = document.createElement('input');
        input.setAttribute('value', div.innerHTML);
        div.removeChild(div.firstChild);
        var slider = this;
        input.onblur = input.onchange = function(event) {
                div.innerHTML = input.value;
                return false;
        };
        div.appendChild(input);
        input.focus();
};
window.onload = function() {
        var el = document.getElementById("button");
        var slider = new Slider(el);
        el.onmousedown = function(event) {
                slider.event_down(event);
                return false;
        };
};
</script></head><body>
<div id="button">XXX</div>
</body></html>
Comment 1 Ismail Donmez 2004-12-15 10:19:29 UTC
Can confirm on latest cvs head.
Comment 2 Tommi Tervo 2004-12-15 10:46:52 UTC
Created attachment 8677 [details]
Testcase attached

#22 0x41bddfba in khtml::RenderStyle::backgroundImage (this=0x82bcb98)
    at render_style.h:913
#23 0x41c5080e in ~RenderObject (this=0x8666d38) at render_object.cpp:187
#24 0x41ca3d6f in ~RenderContainer (this=0x8666d38) at render_box.cpp:56
#25 0x41c5aec3 in ~RenderBox (this=0x8666d38) at render_box.cpp:186
#26 0x41ca6461 in ~RenderReplaced (this=0x8666d38) at render_image.cpp:57
#27 0x41c7cb59 in ~RenderWidget (this=0x8666d10) at render_replaced.cpp:132
#28 0x41c7fb6d in ~RenderFormElement (this=0x8666d10) at render_form.cpp:69
#29 0x41ca7bdd in ~RenderLineEdit (this=0x8666d10) at render_frames.moc:207
#30 0x41c57750 in khtml::RenderObject::arenaDelete (this=0x8666d38, 
    arena=0x88b6e80, base=0x8666d10) at render_object.cpp:1483
#31 0x41c577c4 in khtml::RenderObject::arenaDelete (this=0x8666d38, 
    arena=0x88b6e80) at render_object.cpp:1496
#32 0x41c7f540 in khtml::RenderWidget::deref (this=0x8666d10)
    at render_replaced.cpp:796
#33 0x41c7c9f1 in khtml::RenderWidget::detach (this=0x8666d10)
    at render_replaced.cpp:123
#34 0x41beca0a in DOM::NodeImpl::detach (this=0x8a03128)
    at dom_nodeimpl.cpp:858
#35 0x41bedda9 in DOM::NodeBaseImpl::detach (this=0x8a03128)
    at dom_nodeimpl.cpp:1345
#36 0x41bed5b5 in DOM::NodeBaseImpl::removeChild (this=0x84ea970, 
    oldChild=0x8a03128, exceptioncode=@0xbfffdbac) at dom_nodeimpl.cpp:1134
#37 0x41d8af8a in DOM::Node::removeChild (this=0xbfffdd10, 
    oldChild=@0xbfffdcb0) at dom_node.cpp:282
#38 0x41ce8ea9 in KJS::DOMNodeProtoFunc::tryCall (this=0x8442c50, 
    exec=0xbfffe110, thisObj=@0xbfffde80, args=@0xbfffded0) at kjs_dom.cpp:484
#39 0x41ce2bda in KJS::DOMFunction::call (this=0x8442c50, exec=0xbfffe110, 
    thisObj=@0xbfffde80, args=@0xbfffded0) at kjs_binding.cpp:107
#40 0x41eb106e in KJS::Object::call (this=0xbfffdeb0, exec=0xbfffe110, 
    thisObj=@0xbfffde80, args=@0xbfffded0) at object.cpp:70
#41 0x41e7d96e in KJS::FunctionCallNode::evaluate (this=0x86f45d0, 
    exec=0xbfffe110) at nodes.cpp:850
#42 0x41e82e03 in KJS::ExprStatementNode::execute (this=0x87c8c58, 
    exec=0xbfffe110) at nodes.cpp:1953
#43 0x41e897e3 in KJS::SourceElementsNode::execute (this=0x867d048, 
    exec=0xbfffe110) at nodes.cpp:3073
#44 0x41e82c28 in KJS::BlockNode::execute (this=0x89d1198, exec=0xbfffe110)
    at nodes.cpp:1915
#45 0x41e88a58 in KJS::FunctionBodyNode::execute (this=0x89d1198, 
    exec=0xbfffe110) at nodes.cpp:2919
#46 0x41eac755 in KJS::DeclaredFunctionImp::execute (this=0x84ea928, 
    exec=0xbfffe110) at function.cpp:579
#47 0x41eab912 in KJS::FunctionImp::call (this=0x84ea928, exec=0xbfffe4b0, 
    thisObj=@0xbfffe220, args=@0xbfffe270) at function.cpp:354
#48 0x41eb106e in KJS::Object::call (this=0xbfffe250, exec=0xbfffe4b0, 
    thisObj=@0xbfffe220, args=@0xbfffe270) at object.cpp:70
#49 0x41e7d96e in KJS::FunctionCallNode::evaluate (this=0x83e6228, 
    exec=0xbfffe4b0) at nodes.cpp:850
#50 0x41e82e03 in KJS::ExprStatementNode::execute (this=0x85b0968, 
    exec=0xbfffe4b0) at nodes.cpp:1953
#51 0x41e89691 in KJS::SourceElementsNode::execute (this=0x86f4680, 
    exec=0xbfffe4b0) at nodes.cpp:3067
#52 0x41e82c28 in KJS::BlockNode::execute (this=0x8ae68f0, exec=0xbfffe4b0)
    at nodes.cpp:1915
#53 0x41e88a58 in KJS::FunctionBodyNode::execute (this=0x8ae68f0, 
    exec=0xbfffe4b0) at nodes.cpp:2919
#54 0x41eac755 in KJS::DeclaredFunctionImp::execute (this=0x8514690, 
    exec=0xbfffe4b0) at function.cpp:579
#55 0x41eab912 in KJS::FunctionImp::call (this=0x8514690, exec=0x84b0890, 
    thisObj=@0xbfffe610, args=@0xbfffe630) at function.cpp:354
#56 0x41eb106e in KJS::Object::call (this=0x866897c, exec=0x84b0890, 
    thisObj=@0xbfffe610, args=@0xbfffe630) at object.cpp:70
#57 0x41d4a6d0 in KJS::JSEventListener::handleEvent (this=0x8668970, 
    evt=@0xbfffe6b0) at kjs_events.cpp:109
#58 0x41bec2c6 in DOM::NodeImpl::handleLocalEvents (this=0x88668a4, 
    evt=0x8772ce0, useCapture=false) at dom_nodeimpl.cpp:650
#59 0x41beb75a in DOM::NodeImpl::dispatchGenericEvent (this=0x8a03128, 
    evt=0x8772ce0) at dom_nodeimpl.cpp:448
#60 0x41beb481 in DOM::NodeImpl::dispatchEvent (this=0x8a03128, evt=0x8772ce0, 
    exceptioncode=@0xbfffe868, tempEvent=true) at dom_nodeimpl.cpp:400
#61 0x41b914ef in KHTMLView::dispatchMouseEvent (this=0x88d20e0, eventId=6, 
    targetNode=0x8a03128, targetNodeNonShared=0x8a03128, cancelable=true, 
    detail=1, _mouse=0xbfffea20, setUnder=false, mouseEventType=1)
    at khtmlview.cpp:2553
#62 0x41b8ae32 in KHTMLView::viewportMouseReleaseEvent (this=0x88d20e0, 
    _mouse=0xbfffea20) at khtmlview.cpp:1045
#63 0x41b8d459 in KHTMLView::eventFilter (this=0x88d20e0, o=0x8700578, 
    e=0xbfffefc0) at khtmlview.cpp:1694
#64 0x40c8635e in QObject::activate_filters ()
   from /opt/qt333/lib/libqt-mt.so.3
#65 0x40c8628c in QObject::event () from /opt/qt333/lib/libqt-mt.so.3
#66 0x40cbeb0f in QWidget::event () from /opt/qt333/lib/libqt-mt.so.3
#67 0x40d4f0ee in QLineEdit::event () from /opt/qt333/lib/libqt-mt.so.3
#68 0x41c81e90 in khtml::LineEditWidget::event (this=0x8700578, e=0xbfffefc0)
    at render_form.cpp:403
#69 0x40c2c0bf in QApplication::internalNotify ()
   from /opt/qt333/lib/libqt-mt.so.3
#70 0x40c2b7b4 in QApplication::notify () from /opt/qt333/lib/libqt-mt.so.3
#71 0x407b6d97 in KApplication::notify (this=0xbffff6a0, receiver=0x8700578, 
    event=0xbfffefc0) at kapplication.cpp:495
#72 0x40bc022e in QETWidget::translateMouseEvent ()
   from /opt/qt333/lib/libqt-mt.so.3
#73 0x40bbddfe in QApplication::x11ProcessEvent ()
   from /opt/qt333/lib/libqt-mt.so.3
#74 0x40bd5224 in QEventLoop::processEvents ()
   from /opt/qt333/lib/libqt-mt.so.3
#75 0x40c3e478 in QEventLoop::enterLoop () from /opt/qt333/lib/libqt-mt.so.3
#76 0x40c3e328 in QEventLoop::exec () from /opt/qt333/lib/libqt-mt.so.3
#77 0x40c2c311 in QApplication::exec () from /opt/qt333/lib/libqt-mt.so.3
#78 0x41804e17 in kdemain (argc=2, argv=0x80efbe8) at konq_main.cc:204
#79 0x40979938 in kdeinitmain (argc=2, argv=0x80efbe8) at konqueror_dummy.cc:2
#80 0x0804e454 in launch (argc=2, _name=0x80ef384 "konqueror", 
    args=0x80ef397 "\001", cwd=0x0, envc=1, envs=0x80ef3a8 "", 
    reset_env=false, tty=0x0, avoid_loops=false, 
    startup_id_str=0x80ef3ac "baron;1103100588;185;30903_TIME1188128280")
    at kinit.cpp:623
#81 0x0804f768 in handle_launcher_request (sock=8) at kinit.cpp:1187
#82 0x0804fe5b in handle_requests (waitForPid=0) at kinit.cpp:1388
#83 0x080514c5 in main (argc=3, argv=0xbffffd24, envp=0xbffffd34)
    at kinit.cpp:1841
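The test case and the backtrace above show the same thing from two sides: page script removes a DOM node (frames #36-#38, removeChild on the input that is the event's own target) while the engine is still in the middle of dispatching a mouse event to that node (frames #57-#61), and the node's render object is torn down underneath the dispatcher. The following C++ is an added illustration of the lifetime rule this violates; it is not KHTML code and not part of the report. Node, liveNodes, dispatchUnguarded and dispatchGuarded are all constructed for the example: a toy ref-counted tree whose dispatcher either works on the raw target pointer or holds its own reference for the duration of the dispatch.

```cpp
// Added illustration (not KHTML code): why an event dispatcher must own a
// reference to its target while page script runs. A listener removes the
// target from its parent, like the removeChild in the bug's test case; with
// no guard reference the node dies while the dispatcher still holds it.
#include <cassert>
#include <cstdio>
#include <functional>
#include <memory>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Registry of live node addresses. It lets the example *detect* a dangling
// pointer without dereferencing it (reading freed memory is undefined
// behaviour, so the real crash is not reproduced here).
static std::set<const void*>& liveNodes() {
    static std::set<const void*> registry;
    return registry;
}

struct Node {
    std::string name;
    Node* parent = nullptr;                       // non-owning back-pointer
    std::vector<std::shared_ptr<Node>> children;  // owning references
    std::function<void(Node&)> listener;          // the page's event handler

    explicit Node(std::string n) : name(std::move(n)) { liveNodes().insert(this); }
    ~Node() { liveNodes().erase(this); }

    void appendChild(std::shared_ptr<Node> child) {
        child->parent = this;
        children.push_back(std::move(child));
    }

    // Drops the parent's reference. If it was the last one, the child is
    // destroyed before this function returns.
    void removeChild(Node* child) {
        for (auto it = children.begin(); it != children.end(); ++it) {
            if (it->get() == child) {
                child->parent = nullptr;
                children.erase(it);
                return;
            }
        }
    }
};

struct DispatchResult {
    bool targetAliveAfterListener;
    std::string targetNameAfterListener;
};

// Shared tail of both dispatchers: run the listener, then do the "default
// handling" that needs the target again.
static DispatchResult runListenerThenUseTarget(Node* target) {
    // Copy the handler out first: the node storing it may die while it runs.
    std::function<void(Node&)> handler = target->listener;
    if (handler) handler(*target);
    bool alive = liveNodes().count(target) != 0;
    // A real dispatcher reads target->... unconditionally here; that is the
    // point at which the report's backtrace is working on freed memory.
    return {alive, alive ? target->name : std::string("<dangling>")};
}

// Unguarded: the dispatcher works on the raw pointer the caller passed in.
static DispatchResult dispatchUnguarded(Node* target) {
    return runListenerThenUseTarget(target);
}

// Guarded: the dispatcher takes its own strong reference for the whole
// dispatch. A listener can still unlink the node from the tree, but the
// destruction is deferred until `protect` goes out of scope.
static DispatchResult dispatchGuarded(std::shared_ptr<Node> protect) {
    return runListenerThenUseTarget(protect.get());
}

// Same shape as the bug's page: a div owning an input whose handler removes
// the input from the div.
static std::shared_ptr<Node> makeDivWithInput() {
    auto div = std::make_shared<Node>("div#button");
    auto input = std::make_shared<Node>("input");
    input->listener = [](Node& self) {
        if (self.parent) self.parent->removeChild(&self);
    };
    div->appendChild(input);
    return div;
}

// true: without a guard the target was freed while the dispatcher still had it.
static bool unguardedDispatchLeavesDangling() {
    auto div = makeDivWithInput();
    DispatchResult r = dispatchUnguarded(div->children.front().get());
    return !r.targetAliveAfterListener && div->children.empty();
}

// true: with a guard the input is unlinked from the tree but still alive for
// the dispatcher, and is released only once the dispatch has finished.
static bool guardedDispatchKeepsTargetAlive() {
    auto div = makeDivWithInput();
    const Node* raw = div->children.front().get();
    DispatchResult r = dispatchGuarded(div->children.front());
    return r.targetAliveAfterListener && r.targetNameAfterListener == "input"
        && div->children.empty() && liveNodes().count(raw) == 0;
}

int main() {
    std::printf("unguarded dispatch leaves a dangling target: %s\n",
                unguardedDispatchLeavesDangling() ? "yes" : "no");
    std::printf("guarded dispatch keeps the target alive: %s\n",
                guardedDispatchKeepsTargetAlive() ? "yes" : "no");
    return 0;
}
```

The guarded variant is the shape of the fix a rendering engine applies: whatever code still needs the node after the listeners return must hold its own reference to it, because the listeners are page script and may drop the tree's last reference at any point.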
Comment 3 Thiago Macieira 2005-07-10 20:44:12 UTC
Still crashes on trunk 430645.
Comment 4 Allan Sandfeld 2006-10-24 14:04:31 UTC
It doesn't crash here anymore.

Fixed?
Comment 5 Ismail Donmez 2006-10-24 14:19:48 UTC
Still crashes here with the latest 3.5 branch SVN.
Comment 6 lexual 2006-10-25 04:32:00 UTC
No crash on 3.5.4 amd64 etch.
Comment 7 Maksim Orlovich 2006-10-27 19:54:51 UTC
Still crashes...
Comment 8 Tommi Tervo 2008-02-05 13:35:05 UTC
Cannot reproduce the original crash with 4.0.1, but I found a different one with the same test case. When clicking the test case's input field a lot, it suddenly starts to spread out of the blue box. If you continue clicking that blue box, Konqueror will eventually crash. Backtraces seem to vary; here is one:

#6  0xb4483276 in DOM::NodeImpl::nextSibling (this=0x0)
    at /home/teve/src/kdelibs/khtml/xml/dom_nodeimpl.h:111
#7  0xb4527288 in DOM::RangeImpl::compareBoundaryPoints
    (containerA=0x9701788, 
    offsetA=6, containerB=0x9924730, offsetB=4)
    at /home/teve/src/kdelibs/khtml/xml/dom2_rangeimpl.cpp:369
#8  0xb449264a in KHTMLPart::extendSelectionTo (this=0x90392f8, x=177,
    y=462, 
    absX=10, absY=10, innerNode=@0xbff98fbc)
    at /home/teve/src/kdelibs/khtml/khtml_part.cpp:6397
#9  0xb44a0881 in KHTMLPart::khtmlMouseMoveEvent (this=0x90392f8, 
    event=0xbff99520) at
    /home/teve/src/kdelibs/khtml/khtml_part.cpp:6550
#10 0xb44929de in KHTMLPart::customEvent (this=0x90392f8,
    event=0xbff99520)
    at /home/teve/src/kdelibs/khtml/khtml_part.cpp:6016
#11 0xb724d5f9 in QObject::event () from /usr/lib/libQtCore.so.4
#12 0xb6b1509d in QApplicationPrivate::notify_helper ()
Comment 9 Jure Repinc 2008-04-07 11:24:04 UTC
I also don't get a crash for the original report, using Konqueror from SVN r794088. As noted in the last comment, it does start to behave strangely if I just keep clicking around on the input fields. It grows and grows, and when I close Konqueror I get a crash:

Application: Konqueror (konqueror), signal SIGABRT
[Thread debugging using libthread_db enabled]
[New Thread 0x2acaa87977d0 (LWP 7414)]
[KCrash handler]
#5  0x00002acaa693d185 in raise () from /lib64/libc.so.6
#6  0x00002acaa693e630 in abort () from /lib64/libc.so.6
#7  0x00002acaa697bbbf in ?? () from /lib64/libc.so.6
#8  0x00002acaae10966e in ~TreeShared (this=0xc123c0)
    at /home/kde-devel/kde/src/KDE/kdelibs/khtml/misc/shared.h:57
#9  0x00002acaae10857b in khtml::TreeShared<DOM::NodeImpl>::removedLastRef (
    this=0xc123c0)
    at /home/kde-devel/kde/src/KDE/kdelibs/khtml/misc/shared.h:59
#10 0x00002acaae080f56 in khtml::TreeShared<DOM::NodeImpl>::deref (
    this=0xc123c0)
    at /home/kde-devel/kde/src/KDE/kdelibs/khtml/misc/shared.h:65
#11 0x00002acaae118017 in ~SharedPtr (this=0x2acab0cf45a8)
    at /home/kde-devel/kde/src/KDE/kdelibs/kjs/wtf/SharedPtr.h:35
#12 0x00002acaae2a173d in ~DOMNode (this=0x2acab0cf4580)
    at /home/kde-devel/kde/src/KDE/kdelibs/khtml/ecma/kjs_dom.cpp:114
#13 0x00002acaae2d01b7 in ~DOMElement (this=0x2acab0cf4580)
    at /home/kde-devel/kde/src/KDE/kdelibs/khtml/ecma/kjs_dom.h:154
#14 0x00002acaae2d0227 in ~HTMLElement (this=0x2acab0cf4580)
    at /home/kde-devel/kde/src/KDE/kdelibs/khtml/ecma/kjs_html.h:63
#15 0x00002acaae98d135 in KJS::Collector::collect ()
    at /home/kde-devel/kde/src/KDE/kdelibs/kjs/collector.cpp:693
#16 0x00002acaae9eea2b in KJS::Interpreter::collect ()
    at /home/kde-devel/kde/src/KDE/kdelibs/kjs/interpreter.cpp:668
#17 0x00002acaae2fb15a in KJS::KJSProxyImpl::clear (this=0xb24ab0)
    at /home/kde-devel/kde/src/KDE/kdelibs/khtml/ecma/kjs_proxy.cpp:224
#18 0x00002acaae0a9338 in KHTMLPart::clear (this=0xa39290)
    at /home/kde-devel/kde/src/KDE/kdelibs/khtml/khtml_part.cpp:1412
#19 0x00002acaae0b9bb7 in ~KHTMLPart (this=0xa39290)
    at /home/kde-devel/kde/src/KDE/kdelibs/khtml/khtml_part.cpp:509
#20 0x00002aca9fc3967a in ~KonqView (this=0xa3a5f0)
    at /home/kde-devel/kde/src/KDE/kdebase/apps/konqueror/src/konqview.cpp:132
#21 0x00002aca9fc41a05 in KonqViewManager::clear (this=0x7157b0)
    at /home/kde-devel/kde/src/KDE/kdebase/apps/konqueror/src/konqviewmanager.cpp:653
#22 0x00002aca9fc66778 in KonqMainWindow::stayPreloaded (this=0x7262c0)
    at /home/kde-devel/kde/src/KDE/kdebase/apps/konqueror/src/konqmainwindow.cpp:5594
#23 0x00002aca9fc694a2 in KonqMainWindow::queryExit (this=0x7262c0)
    at /home/kde-devel/kde/src/KDE/kdebase/apps/konqueror/src/konqmainwindow.cpp:5055
#24 0x00002acaa11590e1 in KMainWindow::closeEvent (this=0x7262c0, 
    e=0x7fff0b0ceb00)
    at /home/kde-devel/kde/src/KDE/kdelibs/kdeui/widgets/kmainwindow.cpp:533
#25 0x00002aca9fc79312 in KonqMainWindow::closeEvent (this=0x7262c0, 
    e=0x7fff0b0ceb00)
    at /home/kde-devel/kde/src/KDE/kdebase/apps/konqueror/src/konqmainwindow.cpp:5013
#26 0x00002acaa4d3fc20 in QWidget::event (this=0x7262c0, event=0x7fff0b0ceb00)
    at kernel/qwidget.cpp:7070
#27 0x00002acaa50a50fc in QMainWindow::event (this=0x7262c0, 
    event=0x7fff0b0ceb00) at widgets/qmainwindow.cpp:1252
#28 0x00002acaa115b2d0 in KMainWindow::event (this=0x7262c0, 
    ev=0x7fff0b0ceb00)
    at /home/kde-devel/kde/src/KDE/kdelibs/kdeui/widgets/kmainwindow.cpp:1028
#29 0x00002acaa118e52b in KXmlGuiWindow::event (this=0x7262c0, 
    ev=0x7fff0b0ceb00)
    at /home/kde-devel/kde/src/KDE/kdelibs/kdeui/xmlgui/kxmlguiwindow.cpp:123
#30 0x00002aca9fc66de2 in KonqMainWindow::event (this=0x7262c0, 
    e=0x7fff0b0ceb00)
    at /home/kde-devel/kde/src/KDE/kdebase/apps/konqueror/src/konqmainwindow.cpp:5577
#31 0x00002acaa4ce5f67 in QApplicationPrivate::notify_helper (this=0x61aad0, 
    receiver=0x7262c0, e=0x7fff0b0ceb00) at kernel/qapplication.cpp:3766
#32 0x00002acaa4ce7bd1 in QApplication::notify (this=0x7fff0b0cf760, 
    receiver=0x7262c0, e=0x7fff0b0ceb00) at kernel/qapplication.cpp:3733
#33 0x00002acaa10a5d6c in KApplication::notify (this=0x7fff0b0cf760, 
    receiver=0x7262c0, event=0x7fff0b0ceb00)
    at /home/kde-devel/kde/src/KDE/kdelibs/kdeui/kernel/kapplication.cpp:311
#34 0x00002acaa412420e in QCoreApplication::notifyInternal (
    this=0x7fff0b0cf760, receiver=0x7262c0, event=0x7fff0b0ceb00)
    at kernel/qcoreapplication.cpp:583
#35 0x00002acaa4cf2081 in QCoreApplication::sendSpontaneousEvent (
    receiver=0x7262c0, event=0x7fff0b0ceb00)
    at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:218
#36 0x00002acaa4d3d5b5 in QWidgetPrivate::close_helper (this=0x72a8a0, 
    mode=QWidgetPrivate::CloseWithSpontaneousEvent) at kernel/qwidget.cpp:6493
#37 0x00002acaa4d4cd81 in QETWidget::translateCloseEvent (this=0x7262c0)
    at kernel/qapplication_x11.cpp:4879
#38 0x00002acaa4d4f430 in QApplication::x11ClientMessage (
    this=0x7fff0b0cf760, w=0x7262c0, event=0x7fff0b0cf2c0, passive_only=false)
    at kernel/qapplication_x11.cpp:2808
#39 0x00002acaa4d5cb14 in QApplication::x11ProcessEvent (this=0x7fff0b0cf760, 
    event=0x7fff0b0cf2c0) at kernel/qapplication_x11.cpp:3365
#40 0x00002acaa4d87313 in x11EventSourceDispatch (s=0x61e580, callback=0, 
    user_data=0x0) at kernel/qguieventdispatcher_glib.cpp:148
#41 0x00002acaa7b8de01 in g_main_context_dispatch ()
   from /usr/lib/libglib-2.0.so.0
#42 0x00002acaa7b91096 in ?? () from /usr/lib/libglib-2.0.so.0
#43 0x00002acaa7b9152f in g_main_context_iteration ()
   from /usr/lib/libglib-2.0.so.0
#44 0x00002acaa4152374 in QEventDispatcherGlib::processEvents (this=0x616460, 
    flags=@0x7fff0b0cf560) at kernel/qeventdispatcher_glib.cpp:325
#45 0x00002acaa4d86b5b in QGuiEventDispatcherGlib::processEvents (
    this=0x616460, flags=@0x7fff0b0cf5c0)
    at kernel/qguieventdispatcher_glib.cpp:204
#46 0x00002acaa412133c in QEventLoop::processEvents (this=0x7fff0b0cf670, 
    flags=@0x7fff0b0cf620) at kernel/qeventloop.cpp:149
#47 0x00002acaa4121538 in QEventLoop::exec (this=0x7fff0b0cf670, 
    flags=@0x7fff0b0cf680) at kernel/qeventloop.cpp:196
#48 0x00002acaa4124a58 in QCoreApplication::exec ()
    at kernel/qcoreapplication.cpp:845
#49 0x00002acaa4ce5cc8 in QApplication::exec ()
    at kernel/qapplication.cpp:3298
#50 0x00002aca9fcae60d in kdemain (argc=4, argv=0x7fff0b0d0268)
    at /home/kde-devel/kde/src/KDE/kdebase/apps/konqueror/src/konqmain.cpp:218
#51 0x00000000004009b3 in main (argc=4, argv=0x7fff0b0d0268)
    at /home/kde-devel/kde/build/KDE/kdebase/apps/konqueror/src/konqueror_dummy.cpp:3
#0  0x00002acaa69a3bf0 in nanosleep () from /lib64/libc.so.6
Comment 10 FiNeX 2008-11-22 02:13:53 UTC
It doesn't crash anymore with current trunk. It has been (finally) solved :)