Version: (using KDE KDE 3.3.2)
Installed from: Mandrake RPMs
OS: Linux

(From http://qa.mandrakesoft.com/show_bug.cgi?id=13821)

Description:
When the cursor leaves a hover menu on http://www.crpp-bordeaux.cnrs.fr/~cgay/index.html konqueror crashes.

Backtraces
Unfortunately my backtrace is not useful because I don't have debugging compiled in...

How to reproduce: (I'll attach a testcase)
1. Hover over the text that says "Hover here for crash"
2. Move off said text

Expected Behaviour
The word Submenu to appear then disappear

Actual Behaviour
The word Submenu appears but while moving off konqueror crashes.

Additional Information:
The problem seems to go away if the ul is not floated.
Created attachment 9740
Reduced testcase

Reduced testcase of aforementioned URL.
worked

#0 0x41f96003 in khtml::RenderBlock::nodeAtPoint (this=0x8508a28, info=@0xbfffe0f0, _x=50, _y=10, _tx=10, _ty=0, hitTestAction=HitTestAll, inBox=false) at /home/coolo/prod/kdelibs/khtml/rendering/render_block.cpp:2057
#1 0x41f960d5 in khtml::RenderBlock::nodeAtPoint (this=0x8508858, info=@0xbfffe0f0, _x=50, _y=10, _tx=0, _ty=0, hitTestAction=HitTestChildrenOnly, inBox=false) at /home/coolo/prod/kdelibs/khtml/rendering/render_block.cpp:2058
#2 0x41fc03b6 in khtml::RenderLayer::nodeAtPointForLayer (this=0x85088d4, rootLayer=0x85087fc, info=@0xbfffe0f0, xMousePos=50, yMousePos=10, hitTestRect=@0xbfffe050) at /home/coolo/prod/kdelibs/khtml/rendering/render_layer.cpp:897
#3 0x41fc02e7 in khtml::RenderLayer::nodeAtPointForLayer (this=0x85087fc, rootLayer=0x85087fc, info=@0xbfffe0f0, xMousePos=50, yMousePos=10, hitTestRect=@0xbfffe050) at /home/coolo/prod/kdelibs/khtml/rendering/render_layer.cpp:889
#4 0x41fc0182 in khtml::RenderLayer::nodeAtPoint (this=0x85087fc, info=@0xbfffe0f0, x=50, y=10) at /home/coolo/prod/kdelibs/khtml/rendering/render_layer.cpp:851
#5 0x41f2eb7f in DOM::DocumentImpl::prepareMouseEvent (this=0x870e1f8, readonly=true, _x=50, _y=10, ev=0xbfffe180) at /home/coolo/prod/kdelibs/khtml/xml/dom_docimpl.cpp:1562
#6 0x41ecb461 in KHTMLView::dispatchMouseEvent (this=0x82da480, eventId=8, targetNode=0x8634738, targetNodeNonShared=0x8634738, cancelable=false, detail=0, _mouse=0xbfffe810, setUnder=true, mouseEventType=4) at /home/coolo/prod/kdelibs/khtml/khtmlview.cpp:2687
#7 0x41ec4339 in KHTMLView::viewportMouseMoveEvent (this=0x82da480, _mouse=0xbfffe810) at /home/coolo/prod/kdelibs/khtml/khtmlview.cpp:1086
I confirm this bug too.
CVS commit by ggarand: fix logic error in removeFromObjectLists leading to crash BUG: 99854 M +7 -4 render_object.cpp 1.286 --- kdelibs/khtml/rendering/render_object.cpp #1.285:1.286 @@ -1484,8 +1484,11 @@ void RenderObject::removeFromObjectLists if (isFloating()) { RenderBlock* outermostBlock = containingBlock(); - for (RenderBlock* p = outermostBlock; - p && !p->isCanvas() && p->containsFloat(this) && !p->isFloatingOrPositioned(); - outermostBlock = p, p = p->containingBlock()) - ; + for (RenderBlock* p = outermostBlock; p && !p->isCanvas() && p->containsFloat(this);) { + outermostBlock = p; + if (p->isFloatingOrPositioned()) + break; + p = p->containingBlock(); + } + if (outermostBlock) outermostBlock->markAllDescendantsWithFloatsForLayout(this);
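Review bot: In the rewritten loop in RenderObject::removeFromObjectLists, nothing documents why a floating or positioned ancestor is now assigned to outermostBlock before the break, whereas the old loop condition `!p->isFloatingOrPositioned()` stopped one block short of it. A one-line comment above `if (p->isFloatingOrPositioned())` saying that such an ancestor must itself be the block on which markAllDescendantsWithFloatsForLayout(this) is called would keep a later cleanup from folding the test back into the loop condition and reintroducing the crash. As a style point, the `for` with an empty increment clause would read more clearly as a `while` loop. Inside the new body outermostBlock is only ever assigned a non-null p, so the trailing `if (outermostBlock)` guard now covers only the case where the initial containingBlock() returns null; a comment to that effect would help. The commit message could also name the reduced testcase (attachment 9740) so the fix can be re-verified against it.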