Summary: | Crash on http://www.uni-kl.de/HSSP/ | |
---|---|---|---
Product: | [Applications] konqueror | Reporter: | Frank Osterfeld <osterfeld>
Component: | khtml | Assignee: | Konqueror Developers <konq-bugs>
Status: | RESOLVED FIXED | |
Severity: | major | CC: | binner, dominik.karall, faure, hpoley, luca.casagrande, maksim, oily.rags, p0z3r
Priority: | NOR | |
Version: | SVN | |
Target Milestone: | --- | |
Platform: | Compiled Sources | |
OS: | Linux | |
Latest Commit: | | Version Fixed In: |
Attachments: | suggested patch | |
Description
Frank Osterfeld
2005-09-19 21:21:59 UTC
Some more notes:
- It doesn't crash when I go to the "Sportarten" page directly
- When I leave http://www.uni-kl.de/HSSP/ by entering a URL or selecting a bookmark, it crashes as well (with the same backtrace)

So it seems that the crash happens when I leave http://www.uni-kl.de/HSSP/ .

This is in the new popup-queue thingie. Beineri, that's your baby; and this is not an uncommon crasher

```
==4674== Invalid read of size 4
==4674==    at 0x1C77EFD4: qt_inheritedBy(QMetaObject*, QObject const*) (in /code/opt/kde3.5/lib/libqt-mt.so.3.3.4)
==4674==    by 0x1DCB3532: KHTMLPart* qt_cast<KHTMLPart*>(QObject const*) (in /code/opt/kde3.5/lib/kde3/libsearchbarplugin.so)
==4674==    by 0x1E034F9A: KJS::Window::retrieve(KParts::ReadOnlyPart*) (kjs_window.cpp:373)
==4674==    by 0x1E0350B6: KJS::Window::retrieveWindow(KParts::ReadOnlyPart*) (kjs_window.cpp:343)
==4674==    by 0x1DE750F1: KHTMLPart::begin(KURL const&, int, int) (khtml_part.cpp:1884)
==4674==    by 0x1DE67EBE: KHTMLPart::slotData(KIO::Job*, QMemArray<char> const&) (khtml_part.cpp:1578)
==4674==    by 0x1DE84304: KHTMLPart::qt_invoke(int, QUObject*) (khtml_part.moc:501)
==4674==    by 0x1C7829CF: QObject::activate_signal(QConnectionList*, QUObject*) (in /code/opt/kde3.5/lib/libqt-mt.so.3.3.4)
==4674==    by 0x1BC98C10: KIO::TransferJob::data(KIO::Job*, QMemArray<char> const&) (jobclasses.moc:993)
==4674==    by 0x1BC98CB0: KIO::TransferJob::slotData(QMemArray<char> const&) (job.cpp:900)
==4674==    by 0x1BC98D84: KIO::TransferJob::qt_invoke(int, QUObject*) (jobclasses.moc:1072)
==4674==    by 0x1C7829CF: QObject::activate_signal(QConnectionList*, QUObject*) (in /code/opt/kde3.5/lib/libqt-mt.so.3.3.4)
==4674==  Address 0x1D7CCB30 is 0 bytes inside a block of size 132 free'd
==4674==    at 0x1B900647: operator delete(void*) (vg_replace_malloc.c:246)
==4674==    by 0x1DE76E11: KHTMLPart::~KHTMLPart() (khtml_part.cpp:524)
==4674==    by 0x1DE74C40: KHTMLPart::clear() (khtml_part.cpp:1446)
==4674==    by 0x1DE74F8E: KHTMLPart::begin(KURL const&, int, int) (khtml_part.cpp:1863)
==4674==    by 0x1DE67EBE: KHTMLPart::slotData(KIO::Job*, QMemArray<char> const&) (khtml_part.cpp:1578)
==4674==    by 0x1DE84304: KHTMLPart::qt_invoke(int, QUObject*) (khtml_part.moc:501)
==4674==    by 0x1C7829CF: QObject::activate_signal(QConnectionList*, QUObject*) (in /code/opt/kde3.5/lib/libqt-mt.so.3.3.4)
==4674==    by 0x1BC98C10: KIO::TransferJob::data(KIO::Job*, QMemArray<char> const&) (jobclasses.moc:993)
==4674==    by 0x1BC98CB0: KIO::TransferJob::slotData(QMemArray<char> const&) (job.cpp:900)
==4674==    by 0x1BC98D84: KIO::TransferJob::qt_invoke(int, QUObject*) (jobclasses.moc:1072)
==4674==    by 0x1C7829CF: QObject::activate_signal(QConnectionList*, QUObject*) (in /code/opt/kde3.5/lib/libqt-mt.so.3.3.4)
==4674==    by 0x1BC8378C: KIO::SlaveInterface::data(QMemArray<char> const&) (slaveinterface.moc:194)
```

I am seeing this a lot. Seems like a must-fix for 3.5, elevating severity.

*** Bug 113251 has been marked as a duplicate of this bug. ***

Created attachment 12711 [details]
suggested patch

The loop in begin() iterates over m_suppressedPopupOriginParts which contains
frames/iframes that were deleted by clear(). Does this patch help?
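The lifetime problem described in this comment (a list of raw pointers to frames that clear() deletes, iterated afterwards from begin()), modelled as an added example that is not KDE code. Part, PagePart and Variant are hypothetical stand-ins for KHTMLPart, the live-address set stands in for valgrind's tracking of free'd blocks, and the three variants follow the original begin() ordering, the attachment 12711 ordering (loop before clear()) and the later commit 469249 in this report (list emptied inside clear()).

```cpp
// Added model of the lifetime bug in this report: a list of raw frame pointers
// outlives the frames that clear() deletes. Part, PagePart and Variant are
// hypothetical stand-ins for KHTMLPart, not KDE code.
#include <set>
#include <vector>

struct Part;
static std::set<const Part*> g_live;            // live allocations, as valgrind tracks them
struct Part {                                    // a child frame's part
    Part()  { g_live.insert(this); }
    ~Part() { g_live.erase(this); }
};

enum Variant {
    Original,           // begin(): clear() first, loop over the list afterwards
    LoopBeforeClear,    // attachment 12711: loop, empty the list, then clear()
    ListClearedInClear  // commit 469249: clear() empties the list where it deletes the frames
};

struct PagePart {
    Variant variant;
    std::vector<Part*> frames;                      // owned child frames
    std::vector<Part*> suppressedPopupOriginParts;  // raw pointers, as in the original
    explicit PagePart(Variant v) : variant(v) {}
    ~PagePart() { clear(); }
    void addFrameWithSuppressedPopup() {            // a frame tried to open a blocked popup
        frames.push_back(new Part);
        suppressedPopupOriginParts.push_back(frames.back());
    }
    void clear() {                                  // KHTMLPart::clear(): deletes child frames
        for (Part* f : frames) delete f;
        frames.clear();
        if (variant == ListClearedInClear) suppressedPopupOriginParts.clear();
    }
    int forgetSuppressedWindows() {                 // the loop in begin(), counting instead of dereferencing
        int dangling = 0;
        for (Part* p : suppressedPopupOriginParts)
            if (!g_live.count(p)) ++dangling;       // the "Invalid read" site in the traces
        return dangling;
    }
    int begin() {                                   // KHTMLPart::begin(): stale entries the loop hit
        if (variant == Original) { clear(); return forgetSuppressedWindows(); }
        int d = forgetSuppressedWindows();
        if (variant == LoopBeforeClear) suppressedPopupOriginParts.clear();
        clear();
        return d;
    }
};
// First backtrace: slotData() -> begin(). Bug 113600: restoreState() -> clear(), later begin().
int loadPage(Variant v)       { PagePart p(v); p.addFrameWithSuppressedPopup(); return p.begin(); }
int restoreHistory(Variant v) { PagePart p(v); p.addFrameWithSuppressedPopup(); p.clear(); return p.begin(); }
```

Moving the loop ahead of clear() fixes only the slotData() path; emptying the list in clear() itself fixes both, because the pointers die in the same scope as the objects they name.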
Your patch works fine for me. Thanks, committed it. :-)

This is not fixed. I can't reproduce it with the URL above, but see #113600 for another example with the same backtrace.

*** Bug 113600 has been marked as a duplicate of this bug. ***

valgrind trace for #113600 stuff:

```
==20938== Invalid read of size 4
==20938==    at 0x1C66AFBD: qt_inheritedBy(QMetaObject*, QObject const*) (in /opt/kde3.4/lib/libqt-mt.so.3.3.4)
==20938==    by 0x1D81CE34: KHTMLPart* qt_cast<KHTMLPart*>(QObject const*) (in /opt/kde3.4/lib/kde3/libsearchbarplugin.so)
==20938==    by 0x1DDE2B08: KJS::Window::retrieve(KParts::ReadOnlyPart*) (kjs_window.cpp:373)
==20938==    by 0x1DDE2C01: KJS::Window::retrieveWindow(KParts::ReadOnlyPart*) (kjs_window.cpp:343)
==20938==    by 0x1DC63318: KHTMLPart::begin(KURL const&, int, int) (khtml_part.cpp:1869)
==20938==    by 0x1DC548F5: KHTMLPart::slotRestoreData(QMemArray<char> const&) (khtml_part.cpp:1670)
==20938==    by 0x1DC7761F: KHTMLPart::qt_invoke(int, QUObject*) (khtml_part.moc:503)
==20938==    by 0x1C66DA5F: QObject::activate_signal(QConnectionList*, QUObject*) (in /opt/kde3.4/lib/libqt-mt.so.3.3.4)
==20938==    by 0x1DC925B1: KHTMLPageCacheDelivery::emitData(QMemArray<char> const&) (khtml_pagecache.moc:177)
==20938==    by 0x1DC92EFB: KHTMLPageCache::sendData() (khtml_pagecache.cpp:264)
==20938==    by 0x1DC92F8D: KHTMLPageCache::qt_invoke(int, QUObject*) (khtml_pagecache.moc:82)
==20938==    by 0x1C66DA5F: QObject::activate_signal(QConnectionList*, QUObject*) (in /opt/kde3.4/lib/libqt-mt.so.3.3.4)
==20938==  Address 0x1E77C860 is 0 bytes inside a block of size 132 free'd
==20938==    at 0x1B906959: operator delete(void*) (vg_replace_malloc.c:155)
==20938==    by 0x1DC68081: KHTMLPart::~KHTMLPart() (khtml_part.cpp:524)
==20938==    by 0x1DC512E0: KHTMLPart::clear() (khtml_part.cpp:1446)
==20938==    by 0x1DC66D8F: KHTMLPart::restoreState(QDataStream&) (khtml_part.cpp:5532)
==20938==    by 0x1DC85D58: KHTMLPartBrowserExtension::restoreState(QDataStream&) (khtml_ext.cpp:104)
==20938==    by 0x1B96D297: KonqView::restoreHistory() (in /opt/kde3.4/lib/libkdeinit_konqueror.so)
==20938==    by 0x1B96D5B4: KonqView::go(int) (in /opt/kde3.4/lib/libkdeinit_konqueror.so)
==20938==    by 0x1B9B05D6: KonqMainWindow::slotGoHistoryDelayed() (in /opt/kde3.4/lib/libkdeinit_konqueror.so)
==20938==    by 0x1B9B8EDF: KonqMainWindow::qt_invoke(int, QUObject*) (in /opt/kde3.4/lib/libkdeinit_konqueror.so)
==20938==    by 0x1C66DA5F: QObject::activate_signal(QConnectionList*, QUObject*) (in /opt/kde3.4/lib/libqt-mt.so.3.3.4)
==20938==    by 0x1C8ED3EC: QSignal::signal(QVariant const&) (in /opt/kde3.4/lib/libqt-mt.so.3.3.4)
==20938==    by 0x1C6816EE: QSignal::activate() (in /opt/kde3.4/lib/libqt-mt.so.3.3.4)
```

*** Bug 113813 has been marked as a duplicate of this bug. ***

I'm getting what I think is a similar backtrace from frequent crashes on isohunt.com:

```
Using host libthread_db library "/lib/libthread_db.so.1".
`system-supplied DSO at 0xffffe000' has disappeared; keeping its symbols.
[Thread debugging using libthread_db enabled]
[New Thread -1209469264 (LWP 15629)]
[KCrash handler]
#4  0x00000098 in ?? ()
#5  0xb7bbdf87 in qt_cast<KHTMLPart*> (object=0x91a1670) at qobjectdefs.h:173
#6  0x491927d6 in KJS::Window::retrieve (p=0xb7bc1470) at kjs_window.cpp:373
#7  0x491925b6 in KJS::Window::retrieveWindow (p=0x913f858) at kjs_window.cpp:343
#8  0x49019a6c in KHTMLPart::begin (this=0x8d21248, url=@0x8d3eca8, xOffset=152, yOffset=152) at khtml_part.cpp:1884
#9  0x49017f30 in KHTMLPart::slotData (this=0x8d21248, kio_job=0x91dca90, data=@0xbfb2c960) at khtml_part.cpp:1578
#10 0x49032ff4 in KHTMLPart::qt_invoke (this=0x8d21248, _id=-1078802080, _o=0xbfb2c5dc) at khtml_part.moc:501
#11 0x47a63510 in QObject::activate_signal (this=0x91dca90, clist=0x91f21f8, o=0xbfb2c5b0) at qobject.cpp:2355
#12 0x48846210 in KIO::TransferJob::data (this=0x91dca90, t0=0x98, t1=@0x98) at jobclasses.moc:993
#13 0x48833a27 in KIO::TransferJob::slotData (this=0x91dca90, _data=@0x98) at job.cpp:900
#14 0x488467d1 in KIO::TransferJob::qt_invoke (this=0x91dca90, _id=1208523976, _o=0x48a1ace8) at jobclasses.moc:1072
#15 0x47a63510 in QObject::activate_signal (this=0x823ead8, clist=0x8dbf8e0, o=0xbfb2c6e0) at qobject.cpp:2355
#16 0x48828121 in KIO::SlaveInterface::data (this=0x823ead8, t0=@0x98) at slaveinterface.moc:194
#17 0x48826a2f in KIO::SlaveInterface::dispatch (this=0x823ead8, _cmd=100, rawdata=@0xbfb2c960) at slaveinterface.cpp:234
#18 0x4882676f in KIO::SlaveInterface::dispatch (this=0x823ead8) at slaveinterface.cpp:173
#19 0x48824955 in KIO::Slave::gotInput (this=0x823ead8) at slave.cpp:300
#20 0x4882610e in KIO::Slave::qt_invoke (this=0x823ead8, _id=4, _o=0xbfb2cac0) at slave.moc:113
#21 0x47a63510 in QObject::activate_signal (this=0x823e6b0, clist=0x823d3f0, o=0xbfb2cac0) at qobject.cpp:2355
#22 0x47a638ca in QObject::activate_signal (this=0x823e6b0, signal=2, param=13) at qobject.cpp:2448
#23 0x47e475a1 in QSocketNotifier::activated (this=0x823e6b0, t0=13) at moc_qsocketnotifier.cpp:85
#24 0x47a8845d in QSocketNotifier::event (this=0x823e6b0, e=0xbfb2cdd0) at qsocketnotifier.cpp:258
#25 0x479f30a5 in QApplication::internalNotify (this=0xbfb2d2f0, receiver=0x823e6b0, e=0xbfb2cdd0) at qapplication.cpp:2635
#26 0x479f22e8 in QApplication::notify (this=0xbfb2d2f0, receiver=0x823e6b0, e=0xbfb2cdd0) at qapplication.cpp:2358
#27 0x4818e557 in KApplication::notify (this=0xbfb2d2f0, receiver=0x823e6b0, event=0xbfb2cdd0) at kapplication.cpp:550
#28 0x48ce0c16 in QApplication::sendEvent (receiver=0x98, event=0x913f858) at qapplication.h:491
#29 0x479de6ab in QEventLoop::activateSocketNotifiers (this=0x81459e8) at qeventloop_unix.cpp:578
#30 0x4798d641 in QEventLoop::processEvents (this=0x81459e8, flags=4) at qeventloop_x11.cpp:383
#31 0x47a0a649 in QEventLoop::enterLoop (this=0x81459e8) at qeventloop.cpp:198
#32 0x47a0a562 in QEventLoop::exec (this=0x81459e8) at qeventloop.cpp:145
#33 0x479f3247 in QApplication::exec (this=0xbfb2d2f0) at qapplication.cpp:2758
#34 0x48c79966 in kdemain (argc=152, argv=0x98) at konq_main.cc:206
#35 0x0804876b in main (argc=152, argv=0x98) at konqueror.la.cc:2
```

SVN commit 469249 by dfaure:

Don't keep deleted frames in a list, this tends to crash at some point
BUG: 112905

 M  +1 -2      khtml_part.cpp

```
--- branches/KDE/3.5/kdelibs/khtml/khtml_part.cpp #469248:469249 @@ -245,7 +245,6 @@ d->m_statusBarIconLabel = 0L; d->m_statusBarPopupLabel = 0L; d->m_openableSuppressedPopups = 0; - d->m_suppressedPopupOriginParts.clear(); d->m_bSecurityInQuestion = false; d->m_paLoadImages = 0; @@ -1448,6 +1447,7 @@ delete *it; } } + d->m_suppressedPopupOriginParts.clear(); if (d->m_objects.count()) { @@ -1870,7 +1870,6 @@ if (w) w->forgetSuppressedWindows(); } - d->m_suppressedPopupOriginParts.clear(); } clear();
```

*** Bug 117028 has been marked as a duplicate of this bug. ***

*** Bug 131249 has been marked as a duplicate of this bug. ***
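Review bot: in the first hunk (@@ -245,7 +245,6 @@) dropping `d->m_suppressedPopupOriginParts.clear();` from the initialisation block is only harmless because a freshly constructed list is already empty; a one-line comment next to the remaining member initialisers saying that the list is now reset in clear() would stop someone from re-adding it here and assuming that is where the lifetime is managed.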
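Review bot: in the second hunk (@@ -1448,6 +1447,7 @@) the added `d->m_suppressedPopupOriginParts.clear();` directly after the `delete *it;` loop is the right place for it, since the pointers are now dropped in the same scope that frees the frames, which closes both paths shown in the traces (slotData() and restoreState()); but the list still stores raw KHTMLPart pointers, so if any code path deletes a single child frame without going through clear(), its entry stays stale. Either removing the frame's entry wherever an individual frame is deleted, or holding the origin parts through a guarded pointer type, would make the fix hold independently of the caller.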
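Review bot: in the third hunk (@@ -1870,7 +1870,6 @@) removing the list `clear()` after the `w->forgetSuppressedWindows();` loop relies on the `clear();` call that follows immediately in begin(); a short comment at that point, noting that clear() empties the list, would keep a later reordering from reintroducing the stale pointers that the attachment 12711 change moved this loop to avoid.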