| Summary: | [test case] <FRAMESET onLoad="foo"> crashes konqueror | ||
|---|---|---|---|
| Product: | [Applications] konqueror | Reporter: | Grzegorz Jaskiewicz <gj> |
| Component: | khtml event | Assignee: | Konqueror Developers <konq-bugs> |
| Status: | RESOLVED FIXED | ||
| Severity: | crash | CC: | christophe_goudey, lecit, maksim, shr3kst3r |
| Priority: | NOR | ||
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Platform: | unspecified | ||
| OS: | Linux | ||
| Latest Commit: | Version Fixed In: | ||
| Sentry Crash Report: | |||
Both created with meangle2.cgi (random html output) http://gj.pointblue.com.pl/1117917369744413000.html http://gj.pointblue.com.pl/1117917387153980000.html valgrind output: gj.pointblue.com.pl/kafilah.pid17054 Reduced version: <BODY> <FRAMESET onLoad="foo"> Probably related: http://lists.kde.org/?l=kfm-devel&m=111659456130916&w=2 *** Bug 111055 has been marked as a duplicate of this bug. *** *** Bug 121759 has been marked as a duplicate of this bug. *** *** Bug 130323 has been marked as a duplicate of this bug. *** SVN commit 559960 by orlovich:
Remove the listeners when we die, in case the parser kills us, or some unforseen JS evil does
(This is the only case where it matters --- all others are added to self or have null/default scope).
BUG:106795
M +15 -4 html_baseimpl.cpp
M +3 -0 html_baseimpl.h
--- branches/KDE/3.5/kdelibs/khtml/html/html_baseimpl.cpp #559959:559960
@@ -445,10 +445,21 @@
noresize = false;
m_resizing = false;
+
+ m_onLoad = m_onUnLoad = 0;
}
HTMLFrameSetElementImpl::~HTMLFrameSetElementImpl()
{
+ //### this is likely not quite right since we may be effectively "overriding" some old value,
+ //which needs to be recomputed, but this is better than crashing...
+ if (m_onLoad && getDocument()->getHTMLEventListener(EventImpl::LOAD_EVENT) == m_onLoad)
+ getDocument()->setHTMLEventListener(EventImpl::LOAD_EVENT, 0);
+
+ if (m_onUnLoad && getDocument()->getHTMLEventListener(EventImpl::UNLOAD_EVENT) == m_onUnLoad)
+ getDocument()->setHTMLEventListener(EventImpl::UNLOAD_EVENT, 0);
+
+
delete [] m_rows;
delete [] m_cols;
}
@@ -491,12 +502,12 @@
frameborder = false;
break;
case ATTR_ONLOAD:
- getDocument()->setHTMLEventListener(EventImpl::LOAD_EVENT,
- getDocument()->createHTMLEventListener(attr->value().string(), "onload", this));
+ m_onLoad = getDocument()->createHTMLEventListener(attr->value().string(), "onload", this);
+ getDocument()->setHTMLEventListener(EventImpl::LOAD_EVENT, m_onLoad);
break;
case ATTR_ONUNLOAD:
- getDocument()->setHTMLEventListener(EventImpl::UNLOAD_EVENT,
- getDocument()->createHTMLEventListener(attr->value().string(), "onunload", this));
+ m_onUnLoad = getDocument()->createHTMLEventListener(attr->value().string(), "onunload", this);
+ getDocument()->setHTMLEventListener(EventImpl::UNLOAD_EVENT, m_onUnLoad);
break;
default:
HTMLElementImpl::parseAttribute(attr);
--- branches/KDE/3.5/kdelibs/khtml/html/html_baseimpl.h #559959:559960
@@ -149,6 +149,9 @@
bool frameBorderSet : 1;
bool noresize : 1;
bool m_resizing : 1; // is the user resizing currently
+
+ EventListener* m_onLoad;
+ EventListener* m_onUnLoad;
};
// -------------------------------------------------------------------------
SVN commit 559965 by orlovich: Testcase + baseline CCBUG:106795 A baseline/unsorted/106795.html-dom A baseline/unsorted/106795.html-render M +1 -0 baseline/unsorted/svnignore A tests/unsorted/106795.html --- trunk/tests/khtmltests/regression/baseline/unsorted/svnignore #559964:559965 @@ -42,3 +42,4 @@ 110036.html-dump.png 116325.html-dump.png 116599.html-dump.png +106795.html-dump.png |
Version: 3.4.0 (using KDE 3.4.89 (>= 20050508), compiled sources) Compiler: gcc version 3.4.4 20050314 (prerelease) (Debian 3.4.3-12) OS: Linux (i686) release 2.6.11.7 Dunno what site it was, konqy just crashed.. Using host libthread_db library "/lib/tls/libthread_db.so.1". `system-supplied DSO at 0xffffe000' has disappeared; keeping its symbols. [Thread debugging using libthread_db enabled] [New Thread -1231574816 (LWP 22679)] [KCrash handler] #3 0xb6244641 in DOM::Node::nodeType (this=0x740068) at /home/gj/kde-sources/kdelibs/khtml/dom/dom_node.cpp:202 #4 0xb61b3d22 in KJS::getDOMNode (exec=0x8505a70, n=@0xbfffda50) at /home/gj/kde-sources/kdelibs/khtml/ecma/kjs_dom.cpp:1427 #5 0xb62218e1 in KJS::JSLazyEventListener::parseCode (this=0x8372968) at /home/gj/kde-sources/kdelibs/khtml/ecma/kjs_events.cpp:207 #6 0xb62245dd in KJS::JSLazyEventListener::handleEvent (this=0x8372968, evt=@0xbfffdb70) at /home/gj/kde-sources/kdelibs/khtml/ecma/kjs_events.cpp:155 #7 0xb60aabdb in DOM::NodeImpl::handleLocalEvents (this=0x83c87a0, evt=0x84eba28, useCapture=false) at /home/gj/kde-sources/kdelibs/khtml/xml/dom_nodeimpl.cpp:652 #8 0xb60aad57 in DOM::NodeImpl::dispatchGenericEvent (this=0x83722fc, evt=0x84eba28) at qptrlist.h:174 #9 0xb60aaf87 in DOM::NodeImpl::dispatchWindowEvent (this=0x83722fc, _id=17, canBubbleArg=false, cancelableArg=false) at /home/gj/kde-sources/kdelibs/khtml/xml/dom_nodeimpl.cpp:497 #10 0xb60d7ad4 in DOM::HTMLDocumentImpl::close (this=0x83722d0) at dom_nodeimpl.h:237 #11 0xb605c68b in KHTMLPart::checkEmitLoadEvent (this=0x83eaf78) at /home/gj/kde-sources/kdelibs/khtml/khtml_part.cpp:2288 #12 0xb605c9d4 in KHTMLPart::checkCompleted (this=0x83eaf78) at /home/gj/kde-sources/kdelibs/khtml/khtml_part.cpp:2210 #13 0xb605e239 in KHTMLPart::slotLoaderRequestDone (this=0x83eaf78, dl=0x740068, obj=0x740068) at /home/gj/kde-sources/kdelibs/khtml/khtml_part.cpp:2063 #14 0xb60712a2 in KHTMLPart::qt_invoke (this=0x83eaf78, _id=63, _o=0xbfffdf80) at qucom_p.h:312 #15 0xb7121e7b in QObject::activate_signal (this=0x8434b78, clist=0x836ce88, o=0xbfffdf80) at kernel/qobject.cpp:2355 #16 0xb619dbd2 in khtml::Loader::requestFailed (this=0x8434b78, t0=0x85174b0, t1=0x853a4a0) at loader.moc:254 #17 0xb619ffc0 in khtml::Loader::slotFinished (this=0x8434b78, job=0x0) at /home/gj/kde-sources/kdelibs/khtml/misc/loader.cpp:1125 #18 0xb61a0224 in khtml::Loader::qt_invoke (this=0x8434b78, _id=139233736, _o=0x8434b78) at qucom_p.h:312 #19 0xb7121e7b in QObject::activate_signal (this=0x84c89c8, clist=0x84d89e8, o=0xbfffe0f0) at kernel/qobject.cpp:2355 #20 0xb7d5d45f in KIO::Job::result (this=0x84c89c8, t0=0x84c89c8) at jobclasses.moc:156 #21 0xb7d5d4ea in KIO::Job::emitResult (this=0x84c89c8) at /home/gj/kde-sources/kdelibs/kio/kio/job.cpp:218 #22 0xb7d5f9f9 in KIO::SimpleJob::slotFinished (this=0x84c89c8) at /home/gj/kde-sources/kdelibs/kio/kio/job.cpp:551 #23 0xb7d7077d in KIO::TransferJob::slotFinished (this=0x84c89c8) at /home/gj/kde-sources/kdelibs/kio/kio/job.cpp:916 #24 0xb7d5eb5e in KIO::TransferJob::qt_invoke (this=0x84c89c8, _id=17, _o=0xbfffe4b0) at jobclasses.moc:1050 #25 0xb7121e7b in QObject::activate_signal (this=0x84dfdf0, clist=0x84d9c78, o=0xbfffe4b0) at kernel/qobject.cpp:2355 #26 0xb7121d1d in QObject::activate_signal (this=0x84dfdf0, signal=6) at kernel/qobject.cpp:2324 #27 0xb7d47769 in KIO::SlaveInterface::finished (this=0x84dfdf0) at qmetaobject.h:261 #28 0xb7d4b467 in KIO::SlaveInterface::dispatch (this=0x84dfdf0, _cmd=104, rawdata=@0xbfffe7c0) at /home/gj/kde-sources/kdelibs/kio/kio/slaveinterface.cpp:243 #29 0xb7d49b71 in KIO::SlaveInterface::dispatch (this=0x84dfdf0) at /home/gj/kde-sources/kdelibs/kio/kio/slaveinterface.cpp:173 #30 0xb7d439f7 in KIO::Slave::gotInput (this=0x84dfdf0) at /home/gj/kde-sources/kdelibs/kio/kio/slave.cpp:300 #31 0xb7d44909 in KIO::Slave::qt_invoke (this=0x84dfdf0, _id=4, _o=0xbfffe950) at slave.moc:113 #32 0xb7121e7b in QObject::activate_signal (this=0x84aaf88, clist=0x8518b08, o=0xbfffe950) at kernel/qobject.cpp:2355 #33 0xb71221d4 in QObject::activate_signal (this=0x84aaf88, signal=2, param=22) at kernel/qobject.cpp:2448 #34 0xb7487fcd in QSocketNotifier::activated (this=0x84aaf88, t0=22) at .moc/debug-shared-mt/moc_qsocketnotifier.cpp:85 #35 0xb7142c98 in QSocketNotifier::event (this=0x84aaf88, e=0xbfffec50) at kernel/qsocketnotifier.cpp:258 #36 0xb70bd4fd in QApplication::internalNotify (this=0xbffff2d0, receiver=0x84aaf88, e=0xbfffec50) at kernel/qapplication.cpp:2635 #37 0xb70bc9c1 in QApplication::notify (this=0xbffff2d0, receiver=0x84aaf88, e=0xbfffec50) at kernel/qapplication.cpp:2358 #38 0xb7766eb3 in KApplication::notify (this=0xbffff2d0, receiver=0x84aaf88, event=0xbfffec50) at /home/gj/kde-sources/kdelibs/kdecore/kapplication.cpp:549 #39 0xb704e945 in QApplication::sendEvent (receiver=0x84aaf88, event=0xbfffec50) at qapplication.h:491 #40 0xb70ab3f7 in QEventLoop::activateSocketNotifiers (this=0x8098c78) at kernel/qeventloop_unix.cpp:578 #41 0xb70625e4 in QEventLoop::processEvents (this=0x8098c78, flags=4) at kernel/qeventloop_x11.cpp:383 #42 0xb70d2588 in QEventLoop::enterLoop (this=0x8098c78) at kernel/qeventloop.cpp:198 #43 0xb70d24a6 in QEventLoop::exec (this=0x8098c78) at kernel/qeventloop.cpp:145 #44 0xb70bd67d in QApplication::exec (this=0xbffff2d0) at kernel/qapplication.cpp:2758 #45 0xb681be7c in kdemain (argc=2, argv=0x8076818) at /home/gj/kde-sources/kdebase/konqueror/konq_main.cc:206 #46 0xb767e980 in kdeinitmain (argc=2, argv=0x8076818) at ./konqueror/kdeinit_konqueror.la.cpp:2 #47 0x0804e274 in launch (argc=2, _name=0x8077774 "konqueror", args=0x8077788 "\001", cwd=0x0, envc=1, envs=0x8077799 "", reset_env=false, tty=0x0, avoid_loops=false, startup_id_str=0x8050c66 "0") at /home/gj/kde-sources/kdelibs/kinit/kinit.cpp:636 #48 0x0804ea1e in handle_launcher_request (sock=8) at /home/gj/kde-sources/kdelibs/kinit/kinit.cpp:1200 #49 0x0804efcd in handle_requests (waitForPid=0) at /home/gj/kde-sources/kdelibs/kinit/kinit.cpp:1403 #50 0x0804f754 in main (argc=2, argv=0xbffffbf4, envp=0xbffffc00) at /home/gj/kde-sources/kdelibs/kinit/kinit.cpp:1847