97085 2005-01-15 19:21:03 +0000 Konqueror crash after click on a link 2005-05-08 15:59:02 +0000 1 1 2 Applications konqueror khtml renderer unspecified Compiled Sources Linux RESOLVED FIXED NOR crash --- 1 twardowski konqueror-bugs-null benoit.amiaux enleth jos 0 oldest_to_newest 303311 0 twardowski 2005-01-15 19:21:03 +0000 Version: (using KDE KDE 3.3.91) Installed from: Compiled From Sources Compiler: gcc (GCC) 3.3.3 20040412 (Red Hat Linux 3.3.3-7) STEPS TO REPRODUCE: 1. Go to http://marcoos.jogger.pl 2. Click a "komentarzy" link 3. [Konqueror crash] BACKTRACE: Using host libthread_db library "/lib/tls/libthread_db.so.1". [Thread debugging using libthread_db enabled] [New Thread -151169984 (LWP 19299)] [KCrash handler] #4 0x017acb34 in collectHorizontalBoxCoordinates (box=0x9d105f8, pointArray=@0xfef87880, bottom=false, limit=-500000) at render_inline.cpp:501 #5 0x017acba2 in collectHorizontalBoxCoordinates (box=0x9dbe978, pointArray=@0xfef87880, bottom=false, limit=-500000) at render_inline.cpp:512 #6 0x017ad3af in khtml::RenderInline::paintOutlines (this=0x9c85714, p=0x9b568e0, _tx=141, _ty=188) at render_inline.cpp:632 #7 0x017ac8ca in khtml::RenderInline::paint (this=0x9c85714, i=@0xfef87d70, _tx=141, _ty=188) at render_inline.cpp:280 #8 0x017a7ed8 in khtml::RenderBlock::paintObject (this=0x9c8569c, pI=@0xfef87d70, _tx=141, _ty=188) at render_block.cpp:1306 #9 0x017a7b1a in khtml::RenderBlock::paint (this=0x9c8569c, pI=@0xfef87d70, _tx=141, _ty=188) at render_block.cpp:1262 #10 0x017a7ed8 in khtml::RenderBlock::paintObject (this=0x9c85354, pI=@0xfef87d70, _tx=141, _ty=124) at render_block.cpp:1306 #11 0x017a7b1a in khtml::RenderBlock::paint (this=0x9c85354, pI=@0xfef87d70, _tx=141, _ty=124) at render_block.cpp:1262 #12 0x017a7ed8 in khtml::RenderBlock::paintObject (this=0x9c852dc, pI=@0xfef87d70, _tx=134, _ty=112) at render_block.cpp:1306 #13 0x017a7b1a in khtml::RenderBlock::paint (this=0x9c852dc, pI=@0xfef87d70, _tx=134, _ty=112) at render_block.cpp:1262 #14 0x017a80aa in khtml::RenderBlock::paintFloats (this=0x0, pI=@0xfef87d70, _tx=133, _ty=10, paintSelection=false) at render_block.cpp:1352 #15 0x017a7daa in khtml::RenderBlock::paintObject (this=0x9c8503c, pI=@0xfef87d70, _tx=133, _ty=10) at render_block.cpp:1320 #16 0x017a7b1a in khtml::RenderBlock::paint (this=0x9c8503c, pI=@0xfef87d70, _tx=133, _ty=10) at render_block.cpp:1262 #17 0x017a7ed8 in khtml::RenderBlock::paintObject (this=0x9c84fc0, pI=@0xfef87d70, _tx=0, _ty=10) at render_block.cpp:1306 #18 0x017a7b1a in khtml::RenderBlock::paint (this=0x9c84fc0, pI=@0xfef87d70, _tx=0, _ty=10) at render_block.cpp:1262 #19 0x017a7ed8 in khtml::RenderBlock::paintObject (this=0x9c84eec, pI=@0xfef87d70, _tx=0, _ty=0) at render_block.cpp:1306 #20 0x017a7b1a in khtml::RenderBlock::paint (this=0x9c84eec, pI=@0xfef87d70, _tx=0, _ty=0) at render_block.cpp:1262 #21 0x017c927e in khtml::RenderLayer::paintLayer (this=0x9c84f64, rootLayer=0x9c84e90, p=0x9b568e0, paintDirtyRect=@0xfef87fe0, selectionOnly=false) at render_layer.h:137 #22 0x017c910b in khtml::RenderLayer::paintLayer (this=0x9c84e90, rootLayer=0x9c84e90, p=0x9b568e0, paintDirtyRect=@0xfef87fe0, selectionOnly=false) at render_layer.cpp:810 #23 0x017c8e09 in khtml::RenderLayer::paint (this=0xfef877c0, p=0x0, damageRect=@0x0) at render_layer.cpp:693 #24 0x016eacc6 in KHTMLView::drawContents (this=0x9b56268, p=0xfef88110, ex=140, ey=187, ew=87, eh=19) at dom_nodeimpl.h:278 #25 0x066487b3 in QScrollView::drawContentsOffset () from /usr/lib/qt/lib/libqt-mt.so.3 #26 0x0664726c in QScrollView::viewportPaintEvent () from /usr/lib/qt/lib/libqt-mt.so.3 #27 0x06646d62 in QScrollView::eventFilter () from /usr/lib/qt/lib/libqt-mt.so.3 #28 0x016ef59c in KHTMLView::eventFilter (this=0x9b56268, o=0x9ae3b00, e=0xfef887f0) at khtmlview.cpp:1843 #29 0x0652fb4e in QObject::activate_filters () from /usr/lib/qt/lib/libqt-mt.so.3 #30 0x0652fa7c in QObject::event () from /usr/lib/qt/lib/libqt-mt.so.3 #31 0x0656822f in QWidget::event () from /usr/lib/qt/lib/libqt-mt.so.3 #32 0x064d5cdf in QApplication::internalNotify () from /usr/lib/qt/lib/libqt-mt.so.3 #33 0x064d52de in QApplication::notify () from /usr/lib/qt/lib/libqt-mt.so.3 #34 0x00dbd8f2 in KApplication::notify (this=0xfef89400, receiver=0x9ae3b00, event=0xfef887f0) at kapplication.cpp:548 #35 0x0649f78d in QWidget::repaint () from /usr/lib/qt/lib/libqt-mt.so.3 #36 0x066486d5 in QScrollView::repaintContents () from /usr/lib/qt/lib/libqt-mt.so.3 #37 0x06648561 in QScrollView::repaintContents () from /usr/lib/qt/lib/libqt-mt.so.3 #38 0x016f6128 in KHTMLView::timerEvent (this=0x9b56268, e=0x0) at khtmlview.cpp:2937 #39 0x0652fa43 in QObject::event () from /usr/lib/qt/lib/libqt-mt.so.3 #40 0x0656822f in QWidget::event () from /usr/lib/qt/lib/libqt-mt.so.3 #41 0x064d5cdf in QApplication::internalNotify () from /usr/lib/qt/lib/libqt-mt.so.3 #42 0x064d52de in QApplication::notify () from /usr/lib/qt/lib/libqt-mt.so.3 #43 0x00dbd8f2 in KApplication::notify (this=0xfef89400, receiver=0x9b56268, event=0xfef88de0) at kapplication.cpp:548 #44 0x064c55c5 in QEventLoop::activateTimers () from /usr/lib/qt/lib/libqt-mt.so.3 #45 0x0647ff3b in QEventLoop::processEvents () from /usr/lib/qt/lib/libqt-mt.so.3 #46 0x064e7f28 in QEventLoop::enterLoop () from /usr/lib/qt/lib/libqt-mt.so.3 #47 0x064e7dd8 in QEventLoop::exec () from /usr/lib/qt/lib/libqt-mt.so.3 #48 0x064d5f31 in QApplication::exec () from /usr/lib/qt/lib/libqt-mt.so.3 #49 0x010300e8 in kdemain (argc=0, argv=0x0) at konq_main.cc:206 #50 0x0032e566 in kdeinitmain (argc=0, argv=0x0) at konqueror_dummy.cc:2 #51 0x0804cc91 in launch (argc=4, _name=0x97f6384 "konqueror", args=0x97f63bb "/home/kdt", cwd=0x97f63bb "/home/kdt", envc=35, envs=0x97f682f "", reset_env=true, tty=0x0, avoid_loops=false, startup_id_str=0x0) at kinit.cpp:623 #52 0x0804e274 in handle_launcher_request (sock=4) at kinit.cpp:1187 #53 0x0804e8ab in handle_requests (waitForPid=0) at kinit.cpp:1378 #54 0x0804f924 in main (argc=2, argv=0xfef89b24, envp=0x0) at kinit.cpp:1841 303679 1 thiago 2005-01-17 02:37:22 +0000 Confirmed. My backtrace looks exactly the same. 318165 2 staikos 2005-02-25 06:45:15 +0000 Seems to work fine now with CVS-HEAD. Confirm? 318198 3 tommi.tervo 2005-02-25 09:42:11 +0000 For me konqi 3.4.0 crashes, bt looks same. 318336 4 staikos 2005-02-25 16:56:52 +0000 Valgrind log then? 318351 5 staikos 2005-02-25 17:42:26 +0000 ==30947== Invalid read of size 4 ==30947== at 0x1E253685: collectHorizontalBoxCoordinates(khtml::InlineBox*, QValueVector<QPoint>&, bool, int) (render_inline.cpp:497) ==30947== by 0x1E2536F9: collectHorizontalBoxCoordinates(khtml::InlineBox*, QValueVector<QPoint>&, bool, int) (render_inline.cpp:508) ==30947== by 0x1E253F24: khtml::RenderInline::paintOutlines(QPainter*, int, int) (render_inline.cpp:632) ==30947== by 0x1E2543E7: khtml::RenderInline::paint(khtml::RenderObject::PaintInfo&, int, int) (render_inline.cpp:276) ==30947== by 0x1E24DE34: khtml::RenderBlock::paintObject(khtml::RenderObject::PaintInfo&, int, int, bool) (render_block.cpp:1307) ==30947== by 0x1E24E0D3: khtml::RenderBlock::paint(khtml::RenderObject::PaintInfo&, int, int) (render_block.cpp:1263) ==30947== by 0x1E24DE34: khtml::RenderBlock::paintObject(khtml::RenderObject::PaintInfo&, int, int, bool) (render_block.cpp:1307) ==30947== by 0x1E24E0D3: khtml::RenderBlock::paint(khtml::RenderObject::PaintInfo&, int, int) (render_block.cpp:1263) ==30947== by 0x1E24DE34: khtml::RenderBlock::paintObject(khtml::RenderObject::PaintInfo&, int, int, bool) (render_block.cpp:1307) ==30947== by 0x1E24E0D3: khtml::RenderBlock::paint(khtml::RenderObject::PaintInfo&, int, int) (render_block.cpp:1263) ==30947== by 0x1E24A19B: khtml::RenderBlock::paintFloats(khtml::RenderObject::PaintInfo&, int, int, bool) (render_block.cpp:1353) ==30947== by 0x1E24DFEA: khtml::RenderBlock::paintObject(khtml::RenderObject::PaintInfo&, int, int, bool) (render_block.cpp:1321) ==30947== by 0x1E24E0D3: khtml::RenderBlock::paint(khtml::RenderObject::PaintInfo&, int, int) (render_block.cpp:1263) ==30947== by 0x1E24DE34: khtml::RenderBlock::paintObject(khtml::RenderObject::PaintInfo&, int, int, bool) (render_block.cpp:1307) ==30947== by 0x1E24E0D3: khtml::RenderBlock::paint(khtml::RenderObject::PaintInfo&, int, int) (render_block.cpp:1263) ==30947== by 0x1E24DE34: khtml::RenderBlock::paintObject(khtml::RenderObject::PaintInfo&, int, int, bool) (render_block.cpp:1307) ==30947== by 0x1E24E0D3: khtml::RenderBlock::paint(khtml::RenderObject::PaintInfo&, int, int) (render_block.cpp:1263) ==30947== by 0x1E273C49: khtml::RenderLayer::paintLayer(khtml::RenderLayer*, QPainter*, QRect const&, bool) (render_layer.h:137) ==30947== by 0x1E273B51: khtml::RenderLayer::paintLayer(khtml::RenderLayer*, QPainter*, QRect const&, bool) (render_layer.cpp:810) ==30947== by 0x1E273E7A: khtml::RenderLayer::paint(QPainter*, QRect const&, bool) (render_layer.cpp:693) ==30947== by 0x1E19C345: KHTMLView::drawContents(QPainter*, int, int, int, int) (dom_nodeimpl.h:280) ==30947== by 0x1C8BCBCF: QScrollView::drawContentsOffset(QPainter*, int, int, int, int, int, int) (qscrollview.cpp:2334) ==30947== by 0x1C8BB441: QScrollView::viewportPaintEvent(QPaintEvent*) (qscrollview.cpp:1693) ==30947== by 0x1C8BAD18: QScrollView::eventFilter(QObject*, QEvent*) (qscrollview.cpp:1490) ==30947== by 0x1E193B44: KHTMLView::eventFilter(QObject*, QEvent*) (khtmlview.cpp:1904) ==30947== by 0x1C7941BB: QObject::activate_filters(QEvent*) (qobject.cpp:902) ==30947== by 0x1C79402D: QObject::event(QEvent*) (qobject.cpp:735) ==30947== by 0x1C7CE9DE: QWidget::event(QEvent*) (qwidget.cpp:4655) ==30947== by 0x1C7339D2: QApplication::internalNotify(QObject*, QEvent*) (qapplication.cpp:2635) ==30947== by 0x1C733602: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:2523) ==30947== by 0x1C2367F9: KApplication::notify(QObject*, QEvent*) (kapplication.cpp:549) ==30947== by 0x1C6C9396: QApplication::sendEvent(QObject*, QEvent*) (qapplication.h:491) ==30947== by 0x1C6FD2A4: QWidget::repaint(QRegion const&, bool) (qwidget_x11.cpp:1626) ==30947== by 0x1C7348C6: QApplication::sendPostedEvents(QObject*, int) (qapplication.cpp:3258) ==30947== by 0x1C734672: QApplication::sendPostedEvents() (qapplication.cpp:3172) ==30947== by 0x1C6DA6DA: QEventLoop::processEvents(unsigned) (qeventloop_x11.cpp:202) ==30947== by 0x1C747C0D: QEventLoop::enterLoop() (qeventloop.cpp:198) ==30947== by 0x1C747B29: QEventLoop::exec() (qeventloop.cpp:145) ==30947== by 0x1C733B52: QApplication::exec() (qapplication.cpp:2758) ==30947== by 0x1B955D4D: kdemain (konq_main.cc:206) ==30947== by 0x80486F7: main (konqueror.la.cc:2) ==30947== Address 0xC is not stack'd, malloc'd or (recently) free'd 318733 6 thiago 2005-02-27 02:56:26 +0000 *** Bug 100346 has been marked as a duplicate of this bug. *** 320576 7 germain 2005-03-03 14:17:25 +0000 CVS commit by ggarand: Don't delete this's placeholder box on layout, parent will take care of it. Fix crash in dynamic pop-ups. BUG: 97085 M +2 -0 render_box.cpp 1.256 M +0 -1 render_flow.cpp 1.362 --- kdelibs/khtml/rendering/render_box.cpp #1.255:1.256 @@ -201,4 +201,6 @@ void RenderBox::detach() InlineBox* RenderBox::createInlineBox(bool /*makePlaceHolderBox*/, bool /*isRootLineBox*/) { + if (m_placeHolderBox) + m_placeHolderBox->detach(renderArena()); return (m_placeHolderBox = new (renderArena()) InlineBox(this)); } --- kdelibs/khtml/rendering/render_flow.cpp #1.361:1.362 @@ -141,5 +141,4 @@ void RenderFlow::deleteInlineBoxes(Rende m_lastLineBox = 0; } - RenderBox::deleteInlineBoxes(arena); } 325292 8 germain 2005-03-18 17:28:08 +0000 CVS commit by ggarand: backport crash fix CCBUG: 97085 M +2 -0 render_box.cpp 1.255.2.1 M +0 -1 render_flow.cpp 1.361.2.1 --- kdelibs/khtml/rendering/render_box.cpp #1.255:1.255.2.1 @@ -201,4 +201,6 @@ void RenderBox::detach() InlineBox* RenderBox::createInlineBox(bool /*makePlaceHolderBox*/, bool /*isRootLineBox*/) { + if (m_placeHolderBox) + m_placeHolderBox->detach(renderArena()); return (m_placeHolderBox = new (renderArena()) InlineBox(this)); } --- kdelibs/khtml/rendering/render_flow.cpp #1.361:1.361.2.1 @@ -141,5 +141,4 @@ void RenderFlow::deleteInlineBoxes(Rende m_lastLineBox = 0; } - RenderBox::deleteInlineBoxes(arena); } 329380 9 tommi.tervo 2005-03-29 12:30:16 +0000 *** Bug 102729 has been marked as a duplicate of this bug. *** 340365 10 maksim 2005-05-08 15:59:02 +0000 *** Bug 105287 has been marked as a duplicate of this bug. ***