Bug 106795

Summary: [test case] <FRAMESET onLoad="foo"> crashes konqueror
Product: [Applications] konqueror Reporter: Grzegorz Jaskiewicz <gj>
Component: khtml eventAssignee: Konqueror Developers <konq-bugs>
Status: RESOLVED FIXED    
Severity: crash CC: christophe_goudey, lecit, maksim, shr3kst3r
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: unspecified   
OS: Linux   
Latest Commit: Version Fixed In:

Description Grzegorz Jaskiewicz 2005-06-04 21:17:08 UTC 
Version:           3.4.0 (using KDE 3.4.89 (>= 20050508), compiled sources)
Compiler:          gcc version 3.4.4 20050314 (prerelease) (Debian 3.4.3-12)
OS:                Linux (i686) release 2.6.11.7

Dunno what site it was, konqy just crashed.. 
Using host libthread_db library "/lib/tls/libthread_db.so.1".
`system-supplied DSO at 0xffffe000' has disappeared; keeping its symbols.
[Thread debugging using libthread_db enabled]
[New Thread -1231574816 (LWP 22679)]
[KCrash handler]
#3  0xb6244641 in DOM::Node::nodeType (this=0x740068)
    at /home/gj/kde-sources/kdelibs/khtml/dom/dom_node.cpp:202
#4  0xb61b3d22 in KJS::getDOMNode (exec=0x8505a70, n=@0xbfffda50)
    at /home/gj/kde-sources/kdelibs/khtml/ecma/kjs_dom.cpp:1427
#5  0xb62218e1 in KJS::JSLazyEventListener::parseCode (this=0x8372968)
    at /home/gj/kde-sources/kdelibs/khtml/ecma/kjs_events.cpp:207
#6  0xb62245dd in KJS::JSLazyEventListener::handleEvent (this=0x8372968, 
    evt=@0xbfffdb70)
    at /home/gj/kde-sources/kdelibs/khtml/ecma/kjs_events.cpp:155
#7  0xb60aabdb in DOM::NodeImpl::handleLocalEvents (this=0x83c87a0, 
    evt=0x84eba28, useCapture=false)
    at /home/gj/kde-sources/kdelibs/khtml/xml/dom_nodeimpl.cpp:652
#8  0xb60aad57 in DOM::NodeImpl::dispatchGenericEvent (this=0x83722fc, 
    evt=0x84eba28) at qptrlist.h:174
#9  0xb60aaf87 in DOM::NodeImpl::dispatchWindowEvent (this=0x83722fc, _id=17, 
    canBubbleArg=false, cancelableArg=false)
    at /home/gj/kde-sources/kdelibs/khtml/xml/dom_nodeimpl.cpp:497
#10 0xb60d7ad4 in DOM::HTMLDocumentImpl::close (this=0x83722d0)
    at dom_nodeimpl.h:237
#11 0xb605c68b in KHTMLPart::checkEmitLoadEvent (this=0x83eaf78)
    at /home/gj/kde-sources/kdelibs/khtml/khtml_part.cpp:2288
#12 0xb605c9d4 in KHTMLPart::checkCompleted (this=0x83eaf78)
    at /home/gj/kde-sources/kdelibs/khtml/khtml_part.cpp:2210
#13 0xb605e239 in KHTMLPart::slotLoaderRequestDone (this=0x83eaf78, 
    dl=0x740068, obj=0x740068)
    at /home/gj/kde-sources/kdelibs/khtml/khtml_part.cpp:2063
#14 0xb60712a2 in KHTMLPart::qt_invoke (this=0x83eaf78, _id=63, _o=0xbfffdf80)
    at qucom_p.h:312
#15 0xb7121e7b in QObject::activate_signal (this=0x8434b78, clist=0x836ce88, 
    o=0xbfffdf80) at kernel/qobject.cpp:2355
#16 0xb619dbd2 in khtml::Loader::requestFailed (this=0x8434b78, t0=0x85174b0, 
    t1=0x853a4a0) at loader.moc:254
#17 0xb619ffc0 in khtml::Loader::slotFinished (this=0x8434b78, job=0x0)
    at /home/gj/kde-sources/kdelibs/khtml/misc/loader.cpp:1125
#18 0xb61a0224 in khtml::Loader::qt_invoke (this=0x8434b78, _id=139233736, 
    _o=0x8434b78) at qucom_p.h:312
#19 0xb7121e7b in QObject::activate_signal (this=0x84c89c8, clist=0x84d89e8, 
    o=0xbfffe0f0) at kernel/qobject.cpp:2355
#20 0xb7d5d45f in KIO::Job::result (this=0x84c89c8, t0=0x84c89c8)
    at jobclasses.moc:156
#21 0xb7d5d4ea in KIO::Job::emitResult (this=0x84c89c8)
    at /home/gj/kde-sources/kdelibs/kio/kio/job.cpp:218
#22 0xb7d5f9f9 in KIO::SimpleJob::slotFinished (this=0x84c89c8)
    at /home/gj/kde-sources/kdelibs/kio/kio/job.cpp:551
#23 0xb7d7077d in KIO::TransferJob::slotFinished (this=0x84c89c8)
    at /home/gj/kde-sources/kdelibs/kio/kio/job.cpp:916
#24 0xb7d5eb5e in KIO::TransferJob::qt_invoke (this=0x84c89c8, _id=17, 
    _o=0xbfffe4b0) at jobclasses.moc:1050
#25 0xb7121e7b in QObject::activate_signal (this=0x84dfdf0, clist=0x84d9c78, 
    o=0xbfffe4b0) at kernel/qobject.cpp:2355
#26 0xb7121d1d in QObject::activate_signal (this=0x84dfdf0, signal=6)
    at kernel/qobject.cpp:2324
#27 0xb7d47769 in KIO::SlaveInterface::finished (this=0x84dfdf0)
    at qmetaobject.h:261
#28 0xb7d4b467 in KIO::SlaveInterface::dispatch (this=0x84dfdf0, _cmd=104, 
    rawdata=@0xbfffe7c0)
    at /home/gj/kde-sources/kdelibs/kio/kio/slaveinterface.cpp:243
#29 0xb7d49b71 in KIO::SlaveInterface::dispatch (this=0x84dfdf0)
    at /home/gj/kde-sources/kdelibs/kio/kio/slaveinterface.cpp:173
#30 0xb7d439f7 in KIO::Slave::gotInput (this=0x84dfdf0)
    at /home/gj/kde-sources/kdelibs/kio/kio/slave.cpp:300
#31 0xb7d44909 in KIO::Slave::qt_invoke (this=0x84dfdf0, _id=4, _o=0xbfffe950)
    at slave.moc:113
#32 0xb7121e7b in QObject::activate_signal (this=0x84aaf88, clist=0x8518b08, 
    o=0xbfffe950) at kernel/qobject.cpp:2355
#33 0xb71221d4 in QObject::activate_signal (this=0x84aaf88, signal=2, 
    param=22) at kernel/qobject.cpp:2448
#34 0xb7487fcd in QSocketNotifier::activated (this=0x84aaf88, t0=22)
    at .moc/debug-shared-mt/moc_qsocketnotifier.cpp:85
#35 0xb7142c98 in QSocketNotifier::event (this=0x84aaf88, e=0xbfffec50)
    at kernel/qsocketnotifier.cpp:258
#36 0xb70bd4fd in QApplication::internalNotify (this=0xbffff2d0, 
    receiver=0x84aaf88, e=0xbfffec50) at kernel/qapplication.cpp:2635
#37 0xb70bc9c1 in QApplication::notify (this=0xbffff2d0, receiver=0x84aaf88, 
    e=0xbfffec50) at kernel/qapplication.cpp:2358
#38 0xb7766eb3 in KApplication::notify (this=0xbffff2d0, receiver=0x84aaf88, 
    event=0xbfffec50)
    at /home/gj/kde-sources/kdelibs/kdecore/kapplication.cpp:549
#39 0xb704e945 in QApplication::sendEvent (receiver=0x84aaf88, 
    event=0xbfffec50) at qapplication.h:491
#40 0xb70ab3f7 in QEventLoop::activateSocketNotifiers (this=0x8098c78)
    at kernel/qeventloop_unix.cpp:578
#41 0xb70625e4 in QEventLoop::processEvents (this=0x8098c78, flags=4)
    at kernel/qeventloop_x11.cpp:383
#42 0xb70d2588 in QEventLoop::enterLoop (this=0x8098c78)
    at kernel/qeventloop.cpp:198
#43 0xb70d24a6 in QEventLoop::exec (this=0x8098c78)
    at kernel/qeventloop.cpp:145
#44 0xb70bd67d in QApplication::exec (this=0xbffff2d0)
    at kernel/qapplication.cpp:2758
#45 0xb681be7c in kdemain (argc=2, argv=0x8076818)
    at /home/gj/kde-sources/kdebase/konqueror/konq_main.cc:206
#46 0xb767e980 in kdeinitmain (argc=2, argv=0x8076818)
    at ./konqueror/kdeinit_konqueror.la.cpp:2
#47 0x0804e274 in launch (argc=2, _name=0x8077774 "konqueror", 
    args=0x8077788 "\001", cwd=0x0, envc=1, envs=0x8077799 "", 
    reset_env=false, tty=0x0, avoid_loops=false, startup_id_str=0x8050c66 "0")
    at /home/gj/kde-sources/kdelibs/kinit/kinit.cpp:636
#48 0x0804ea1e in handle_launcher_request (sock=8)
    at /home/gj/kde-sources/kdelibs/kinit/kinit.cpp:1200
#49 0x0804efcd in handle_requests (waitForPid=0)
    at /home/gj/kde-sources/kdelibs/kinit/kinit.cpp:1403
#50 0x0804f754 in main (argc=2, argv=0xbffffbf4, envp=0xbffffc00)
    at /home/gj/kde-sources/kdelibs/kinit/kinit.cpp:1847
Comment 1 Grzegorz Jaskiewicz 2005-06-04 23:19:50 UTC 
Both created with meangle2.cgi (random html output)

http://gj.pointblue.com.pl/1117917369744413000.html
http://gj.pointblue.com.pl/1117917387153980000.html

valgrind output:
gj.pointblue.com.pl/kafilah.pid17054
Comment 2 Harri Porten 2005-06-06 21:14:21 UTC 
Reduced version:

<BODY> <FRAMESET onLoad="foo">
Comment 3 Harri Porten 2005-06-06 23:16:38 UTC 
Probably related:

http://lists.kde.org/?l=kfm-devel&m=111659456130916&w=2
Comment 4 Tommi Tervo 2005-08-19 11:09:50 UTC 
*** Bug 111055 has been marked as a duplicate of this bug. ***
Comment 5 Maksim Orlovich 2006-02-11 17:22:29 UTC 
*** Bug 121759 has been marked as a duplicate of this bug. ***
Comment 6 Tommi Tervo 2006-07-06 08:28:49 UTC 
*** Bug 130323 has been marked as a duplicate of this bug. ***
Comment 7 Maksim Orlovich 2006-07-08 20:06:21 UTC 
SVN commit 559960 by orlovich:

Remove the listeners when we die, in case the parser kills us, or some unforseen JS evil does
(This is the only case where it matters --- all others are added to self or have null/default scope).

BUG:106795


 M  +15 -4     html_baseimpl.cpp  
 M  +3 -0      html_baseimpl.h  


--- branches/KDE/3.5/kdelibs/khtml/html/html_baseimpl.cpp #559959:559960
@@ -445,10 +445,21 @@
     noresize = false;
 
     m_resizing = false;
+
+    m_onLoad = m_onUnLoad = 0;
 }
 
 HTMLFrameSetElementImpl::~HTMLFrameSetElementImpl()
 {
+    //### this is likely not quite right since we may be effectively "overriding" some old value,
+    //which needs to be recomputed, but this is better than crashing...
+    if (m_onLoad && getDocument()->getHTMLEventListener(EventImpl::LOAD_EVENT) == m_onLoad)
+        getDocument()->setHTMLEventListener(EventImpl::LOAD_EVENT, 0);
+
+    if (m_onUnLoad && getDocument()->getHTMLEventListener(EventImpl::UNLOAD_EVENT) == m_onUnLoad)
+        getDocument()->setHTMLEventListener(EventImpl::UNLOAD_EVENT, 0);
+
+
     delete [] m_rows;
     delete [] m_cols;
 }
@@ -491,12 +502,12 @@
             frameborder = false;
         break;
     case ATTR_ONLOAD:
-        getDocument()->setHTMLEventListener(EventImpl::LOAD_EVENT,
-	    getDocument()->createHTMLEventListener(attr->value().string(), "onload", this));
+        m_onLoad = getDocument()->createHTMLEventListener(attr->value().string(), "onload", this);
+        getDocument()->setHTMLEventListener(EventImpl::LOAD_EVENT, m_onLoad);
         break;
     case ATTR_ONUNLOAD:
-        getDocument()->setHTMLEventListener(EventImpl::UNLOAD_EVENT,
-	    getDocument()->createHTMLEventListener(attr->value().string(), "onunload", this));
+        m_onUnLoad = getDocument()->createHTMLEventListener(attr->value().string(), "onunload", this);
+        getDocument()->setHTMLEventListener(EventImpl::UNLOAD_EVENT, m_onUnLoad);
         break;
     default:
         HTMLElementImpl::parseAttribute(attr);
--- branches/KDE/3.5/kdelibs/khtml/html/html_baseimpl.h #559959:559960
@@ -149,6 +149,9 @@
     bool frameBorderSet : 1;
     bool noresize : 1;
     bool m_resizing : 1;  // is the user resizing currently
+    
+    EventListener* m_onLoad;
+    EventListener* m_onUnLoad;
 };
 
 // -------------------------------------------------------------------------
Comment 8 Maksim Orlovich 2006-07-08 20:12:58 UTC 
SVN commit 559965 by orlovich:

Testcase + baseline
CCBUG:106795


 A             baseline/unsorted/106795.html-dom  
 A             baseline/unsorted/106795.html-render  
 M  +1 -0      baseline/unsorted/svnignore  
 A             tests/unsorted/106795.html  


--- trunk/tests/khtmltests/regression/baseline/unsorted/svnignore #559964:559965
@@ -42,3 +42,4 @@
 110036.html-dump.png
 116325.html-dump.png
 116599.html-dump.png
+106795.html-dump.png