Bug 116457

Summary: [PATCH] Correct DOM script causes konqueror to crash
Product: [Applications] konqueror Reporter: Evgeny F <johnlen>
Component: khtml rendererAssignee: George Staikos <staikos>
Status: RESOLVED FIXED    
Severity: crash CC: kde
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: Compiled Sources   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:
Attachments: proposed patch
proposed patch 2

Description Evgeny F 2005-11-16 00:06:55 UTC 
Version:            (using KDE KDE 3.4.92)
Installed from:    Compiled From Sources
Compiler:          gcc (GCC) 3.3.5 (Debian 1:3.3.5-13) 
OS:                Linux

I am building a GPL CMS and some part of it uses DOM extensively. It works well in all major browsers (Mozilla, Opera, IE) but causes crash in Konqueror 3.5 beta2(version 3.3.2 crashes too).
How to reproduce the crash:
1). Go to http://qsp.homelinux.org/shevahnew/textEdit.html
2). Create a list (you'll see some kind of toolbar).
3). Select unordered list and press "Create".
4). Inside of the list: Insert a header.
5). In a header insertion form: press "Cancel".

That's it. I get something like:
Using host libthread_db library "/lib/libthread_db.so.1".
[Thread debugging using libthread_db enabled]
[New Thread 16384 (LWP 17673)]
[KCrash handler]
#5  0x41cbfeb5 in addLayers () from /home/jenia/kde3.5-beta2/lib/libkhtml.so.4
#6  0x41cbff97 in khtml::RenderObject::addLayers ()
   from /home/jenia/kde3.5-beta2/lib/libkhtml.so.4
#7  0x41cc9dfd in khtml::RenderContainer::insertChildNode ()
   from /home/jenia/kde3.5-beta2/lib/libkhtml.so.4
#8  0x41cc9206 in khtml::RenderContainer::addChild ()
   from /home/jenia/kde3.5-beta2/lib/libkhtml.so.4
#9  0x41cae695 in khtml::RenderBlock::addChildToFlow ()
   from /home/jenia/kde3.5-beta2/lib/libkhtml.so.4
#10 0x41cd0586 in khtml::RenderFlow::addChild ()
   from /home/jenia/kde3.5-beta2/lib/libkhtml.so.4
#11 0x41cfb867 in khtml::RenderListItem::updateMarkerLocation ()
   from /home/jenia/kde3.5-beta2/lib/libkhtml.so.4
#12 0x41cfbab5 in khtml::RenderListItem::layout ()
   from /home/jenia/kde3.5-beta2/lib/libkhtml.so.4
#13 0x41cb225b in khtml::RenderBlock::layoutBlockChildren ()
   from /home/jenia/kde3.5-beta2/lib/libkhtml.so.4
#14 0x41cafd85 in khtml::RenderBlock::layoutBlock ()
   from /home/jenia/kde3.5-beta2/lib/libkhtml.so.4
#15 0x41caf5f5 in khtml::RenderBlock::layout ()
   from /home/jenia/kde3.5-beta2/lib/libkhtml.so.4
#16 0x41cb225b in khtml::RenderBlock::layoutBlockChildren ()
   from /home/jenia/kde3.5-beta2/lib/libkhtml.so.4
#17 0x41cafd85 in khtml::RenderBlock::layoutBlock ()
   from /home/jenia/kde3.5-beta2/lib/libkhtml.so.4
#18 0x41caf5f5 in khtml::RenderBlock::layout ()
   from /home/jenia/kde3.5-beta2/lib/libkhtml.so.4
#19 0x41cb225b in khtml::RenderBlock::layoutBlockChildren ()
   from /home/jenia/kde3.5-beta2/lib/libkhtml.so.4
#20 0x41cafd85 in khtml::RenderBlock::layoutBlock ()
   from /home/jenia/kde3.5-beta2/lib/libkhtml.so.4
#21 0x41caf5f5 in khtml::RenderBlock::layout ()
   from /home/jenia/kde3.5-beta2/lib/libkhtml.so.4
#22 0x41d05f98 in khtml::RenderBody::layout ()
   from /home/jenia/kde3.5-beta2/lib/libkhtml.so.4
#23 0x41cb225b in khtml::RenderBlock::layoutBlockChildren ()
   from /home/jenia/kde3.5-beta2/lib/libkhtml.so.4
#24 0x41cafd85 in khtml::RenderBlock::layoutBlock ()
   from /home/jenia/kde3.5-beta2/lib/libkhtml.so.4
#25 0x41caf5f5 in khtml::RenderBlock::layout ()
   from /home/jenia/kde3.5-beta2/lib/libkhtml.so.4
#26 0x41cb225b in khtml::RenderBlock::layoutBlockChildren ()
   from /home/jenia/kde3.5-beta2/lib/libkhtml.so.4
#27 0x41cafd85 in khtml::RenderBlock::layoutBlock ()
   from /home/jenia/kde3.5-beta2/lib/libkhtml.so.4
#28 0x41caf5f5 in khtml::RenderBlock::layout ()
   from /home/jenia/kde3.5-beta2/lib/libkhtml.so.4
#29 0x41cfdcce in khtml::RenderCanvas::layout ()
   from /home/jenia/kde3.5-beta2/lib/libkhtml.so.4
#30 0x41bdea79 in KHTMLView::layout ()
   from /home/jenia/kde3.5-beta2/lib/libkhtml.so.4
#31 0x41bde909 in KHTMLView::drawContents ()
   from /home/jenia/kde3.5-beta2/lib/libkhtml.so.4
#32 0x40fdeb13 in QScrollView::drawContentsOffset ()
   from /usr/lib/libqt-mt.so.3
#33 0x40fdd5d2 in QScrollView::viewportPaintEvent ()
   from /usr/lib/libqt-mt.so.3
#34 0x40fdd0c4 in QScrollView::eventFilter () from /usr/lib/libqt-mt.so.3
#35 0x41be3a72 in KHTMLView::eventFilter ()
   from /home/jenia/kde3.5-beta2/lib/libkhtml.so.4
#36 0x40ec504e in QObject::activate_filters () from /usr/lib/libqt-mt.so.3
#37 0x40ec4f7c in QObject::event () from /usr/lib/libqt-mt.so.3
#38 0x40efdaaf in QWidget::event () from /usr/lib/libqt-mt.so.3
#39 0x40e6ae1f in QApplication::internalNotify () from /usr/lib/libqt-mt.so.3
#40 0x40e6a41e in QApplication::notify () from /usr/lib/libqt-mt.so.3
#41 0x409c42d5 in KApplication::notify ()
   from /home/jenia/kde3.5-beta2/lib/libkdecore.so.4
#42 0x40e02266 in QETWidget::translatePaintEvent () from /usr/lib/libqt-mt.so.3
#43 0x40dfd9a4 in QApplication::x11ProcessEvent () from /usr/lib/libqt-mt.so.3
#44 0x40e14254 in QEventLoop::processEvents () from /usr/lib/libqt-mt.so.3
#45 0x40e7d1d8 in QEventLoop::enterLoop () from /usr/lib/libqt-mt.so.3
#46 0x40e7d088 in QEventLoop::exec () from /usr/lib/libqt-mt.so.3
#47 0x40e6b071 in QApplication::exec () from /usr/lib/libqt-mt.so.3
#48 0x4006524c in kdemain ()
   from /home/jenia/kde3.5-beta2/lib/libkdeinit_konqueror.so
#49 0x080486cb in main ()

           Even if the script is incorrect the browser shouldn't crash!
           Thanks in advance,
                 Evgeny
Comment 1 George Staikos 2005-11-16 00:25:59 UTC 
obj->layer() crashes:

Using host libthread_db library "/lib/tls/libthread_db.so.1".
[Thread debugging using libthread_db enabled]
[New Thread 1098410912 (LWP 15564)]
[KCrash handler]
#7  0x4206e94f in addLayers (obj=0x87c25d4, parentLayer=0x87c1248, 
    newObject=@0xbfffd3d4, beforeChild=@0xbfffd3d0) at render_object.cpp:281
#8  0x4206ea40 in khtml::RenderObject::addLayers (this=0x87c25d4, 
    parentLayer=0x87c1248, newObject=0x87c25d4) at render_object.cpp:304
#9  0x42079d5a in khtml::RenderContainer::insertChildNode (this=0x87c2638, 
    child=0x87c25d4, beforeChild=0x87c26b4) at render_container.cpp:411
#10 0x42078e00 in khtml::RenderContainer::addChild (this=0x87c2638, 
    newChild=0x87c25d4, beforeChild=0x87c26b4) at render_container.cpp:145
#11 0x42056e88 in khtml::RenderBlock::addChildToFlow (this=0x87c2638, 
    newChild=0x87c25d4, beforeChild=0x87c26b4) at render_block.cpp:301
#12 0x420817a8 in khtml::RenderFlow::addChild (this=0x87c2638, 
    newChild=0x87c25d4, beforeChild=0x87c26b4) at render_flow.cpp:126
#13 0x420b3a6a in khtml::RenderListItem::updateMarkerLocation (this=0x87c254c)
    at render_list.cpp:151
#14 0x420b3cb4 in khtml::RenderListItem::layout (this=0x87c254c)
    at render_list.cpp:186
#15 0x41f91a1f in khtml::RenderObject::layoutIfNeeded (this=0x87c254c)
    at render_object.h:413
#16 0x4205b2b0 in khtml::RenderBlock::layoutBlockChildren (this=0x87c24d0, 
    relayoutChildren=false) at render_block.cpp:1343
#17 0x420583bd in khtml::RenderBlock::layoutBlock (this=0x87c24d0, 
    relayoutChildren=false) at render_block.cpp:638
#18 0x42057e54 in khtml::RenderBlock::layout (this=0x87c24d0)
    at render_block.cpp:539
#19 0x41f91a1f in khtml::RenderObject::layoutIfNeeded (this=0x87c24d0)
    at render_object.h:413
#20 0x4205b2b0 in khtml::RenderBlock::layoutBlockChildren (this=0x87c1dd0, 
    relayoutChildren=false) at render_block.cpp:1343
#21 0x420583bd in khtml::RenderBlock::layoutBlock (this=0x87c1dd0, 
    relayoutChildren=false) at render_block.cpp:638
#22 0x42057e54 in khtml::RenderBlock::layout (this=0x87c1dd0)
    at render_block.cpp:539
#23 0x41f91a1f in khtml::RenderObject::layoutIfNeeded (this=0x87c1dd0)
    at render_object.h:413
#24 0x4205b2b0 in khtml::RenderBlock::layoutBlockChildren (this=0x87c12a4, 
    relayoutChildren=false) at render_block.cpp:1343
#25 0x420583bd in khtml::RenderBlock::layoutBlock (this=0x87c12a4, 
    relayoutChildren=false) at render_block.cpp:638
#26 0x42057e54 in khtml::RenderBlock::layout (this=0x87c12a4)
    at render_block.cpp:539
#27 0x420bf242 in khtml::RenderBody::layout (this=0x87c12a4)
    at render_body.cpp:97
#28 0x41f91a1f in khtml::RenderObject::layoutIfNeeded (this=0x87c12a4)
    at render_object.h:413
#29 0x4205b2b0 in khtml::RenderBlock::layoutBlockChildren (this=0x87c11cc, 
    relayoutChildren=false) at render_block.cpp:1343
#30 0x420583bd in khtml::RenderBlock::layoutBlock (this=0x87c11cc, 
    relayoutChildren=false) at render_block.cpp:638
#31 0x42057e54 in khtml::RenderBlock::layout (this=0x87c11cc)
    at render_block.cpp:539
#32 0x41f91a1f in khtml::RenderObject::layoutIfNeeded (this=0x87c11cc)
    at render_object.h:413
#33 0x4205b2b0 in khtml::RenderBlock::layoutBlockChildren (this=0x87c10b0, 
    relayoutChildren=false) at render_block.cpp:1343
#34 0x420583bd in khtml::RenderBlock::layoutBlock (this=0x87c10b0, 
    relayoutChildren=false) at render_block.cpp:638
#35 0x42057e54 in khtml::RenderBlock::layout (this=0x87c10b0)
    at render_block.cpp:539
#36 0x420b671c in khtml::RenderCanvas::layout (this=0x87c10b0)
    at render_canvas.cpp:179
#37 0x41f75574 in KHTMLView::layout (this=0x84fb318) at khtmlview.cpp:786
#38 0x41f74b4c in KHTMLView::drawContents (this=0x84fb318, p=0xbfffdf80, 
    ex=71, ey=170, ew=590, eh=27) at khtmlview.cpp:642
#39 0x40ea8be8 in QScrollView::drawContentsOffset (this=0x84fb318, 
    p=0xbfffdf80, offsetx=-2000, offsety=-2000, clipx=71, clipy=170, 
    clipw=590, cliph=27) at qscrollview.cpp:2334
#40 0x40ea745a in QScrollView::viewportPaintEvent (this=0x84fb318, 
    pe=0xbfffe4b0) at qscrollview.cpp:1693
#41 0x40ea6d31 in QScrollView::eventFilter (this=0x84fb318, obj=0x83644e8, 
    e=0xbfffe4b0) at qscrollview.cpp:1490
#42 0x41f7a745 in KHTMLView::eventFilter (this=0x84fb318, o=0x83644e8, 
    e=0xbfffe4b0) at khtmlview.cpp:1936
#43 0x40d801bc in QObject::activate_filters (this=0x83644e8, e=0xbfffe4b0)
    at qobject.cpp:902
#44 0x40d8002e in QObject::event (this=0x83644e8, e=0xbfffe4b0)
    at qobject.cpp:735
#45 0x40dba9df in QWidget::event (this=0x83644e8, e=0xbfffe4b0)
    at qwidget.cpp:4655
#46 0x40d1f9d3 in QApplication::internalNotify (this=0xbfffecd0, 
    receiver=0x83644e8, e=0xbfffe4b0) at qapplication.cpp:2635
#47 0x40d1f603 in QApplication::notify (this=0xbfffecd0, receiver=0x83644e8, 
    e=0xbfffe4b0) at qapplication.cpp:2523
#48 0x4080a060 in KApplication::notify (this=0xbfffecd0, receiver=0x83644e8, 
    event=0xbfffe4b0) at kapplication.cpp:550
#49 0x40cb5403 in QApplication::sendSpontaneousEvent (receiver=0x83644e8, 
    event=0xbfffe4b0) at qapplication.h:494
#50 0x40cb0886 in QETWidget::translatePaintEvent (this=0x83644e8, 
    event=0xbfffe850) at qapplication_x11.cpp:5635
#51 0x40cac233 in QApplication::x11ProcessEvent (this=0xbfffecd0, 
    event=0xbfffe850) at qapplication_x11.cpp:3487
#52 0x40cc6678 in QEventLoop::processEvents (this=0x818ee10, flags=4)
    at qeventloop_x11.cpp:192
#53 0x40d33c0e in QEventLoop::enterLoop (this=0x818ee10) at qeventloop.cpp:198
#54 0x40d33b2a in QEventLoop::exec (this=0x818ee10) at qeventloop.cpp:145
#55 0x40d1fb53 in QApplication::exec (this=0xbfffecd0) at qapplication.cpp:2758
Comment 2 George Staikos 2005-11-16 00:28:14 UTC 
Almost the same as 107806 but not quite the same path to it.
Comment 3 George Staikos 2005-11-16 00:53:14 UTC 
==15933== Invalid read of size 1
==15933==    at 0x1E376ACE: khtml::RenderStyle::position() const 
(render_style.h:956)
==15933==    by 0x1E3F27A7: khtml::RenderFlow::addChild(khtml::RenderObject*, 
khtml::RenderObject*) (render_flow.cpp:126)
==15933==    by 0x1E424A69: khtml::RenderListItem::updateMarkerLocation() 
(render_list.cpp:151)
==15933==    by 0x1E424CB3: khtml::RenderListItem::layout() 
(render_list.cpp:186)
==15933==    by 0x1E302A1E: khtml::RenderObject::layoutIfNeeded() 
(render_object.h:413)
==15933==    by 0x1E3CC2AF: khtml::RenderBlock::layoutBlockChildren(bool) 
(render_block.cpp:1343)
==15933==    by 0x1E3C93BC: khtml::RenderBlock::layoutBlock(bool) 
(render_block.cpp:638)
==15933==    by 0x1E3C8E53: khtml::RenderBlock::layout() 
(render_block.cpp:539)
==15933==    by 0x1E302A1E: khtml::RenderObject::layoutIfNeeded() 
(render_object.h:413)
==15933==    by 0x1E3CC2AF: khtml::RenderBlock::layoutBlockChildren(bool) 
(render_block.cpp:1343)
==15933==    by 0x1E3C93BC: khtml::RenderBlock::layoutBlock(bool) 
(render_block.cpp:638)
==15933==    by 0x1E3C8E53: khtml::RenderBlock::layout() 
(render_block.cpp:539)
==15933==    by 0x1E302A1E: khtml::RenderObject::layoutIfNeeded() 
(render_object.h:413)
==15933==    by 0x1E3CC2AF: khtml::RenderBlock::layoutBlockChildren(bool) 
(render_block.cpp:1343)
==15933==    by 0x1E3C93BC: khtml::RenderBlock::layoutBlock(bool) 
(render_block.cpp:638)
==15933==    by 0x1E3C8E53: khtml::RenderBlock::layout() 
(render_block.cpp:539)
==15933==    by 0x1E430241: khtml::RenderBody::layout() (render_body.cpp:97)
==15933==    by 0x1E302A1E: khtml::RenderObject::layoutIfNeeded() 
(render_object.h:413)
==15933==    by 0x1E3CC2AF: khtml::RenderBlock::layoutBlockChildren(bool) 
(render_block.cpp:1343)
==15933==    by 0x1E3C93BC: khtml::RenderBlock::layoutBlock(bool) 
(render_block.cpp:638)
==15933==    by 0x1E3C8E53: khtml::RenderBlock::layout() 
(render_block.cpp:539)
==15933==    by 0x1E302A1E: khtml::RenderObject::layoutIfNeeded() 
(render_object.h:413)
==15933==    by 0x1E3CC2AF: khtml::RenderBlock::layoutBlockChildren(bool) 
(render_block.cpp:1343)
==15933==    by 0x1E3C93BC: khtml::RenderBlock::layoutBlock(bool) 
(render_block.cpp:638)
==15933==    by 0x1E3C8E53: khtml::RenderBlock::layout() 
(render_block.cpp:539)
==15933==    by 0x1E42771B: khtml::RenderCanvas::layout() 
(render_canvas.cpp:179)
==15933==    by 0x1E2E6573: KHTMLView::layout() (khtmlview.cpp:786)
==15933==    by 0x1E2E5B4B: KHTMLView::drawContents(QPainter*, int, int, int, 
int) (khtmlview.cpp:642)
==15933==    by 0x1C9A2BE7: QScrollView::drawContentsOffset(QPainter*, int, 
int, int, int, int, int) (qscrollview.cpp:2334)
==15933==    by 0x1C9A1459: QScrollView::viewportPaintEvent(QPaintEvent*) 
(qscrollview.cpp:1693)
==15933==    by 0x1C9A0D30: QScrollView::eventFilter(QObject*, QEvent*) 
(qscrollview.cpp:1490)
==15933==    by 0x1E2EB744: KHTMLView::eventFilter(QObject*, QEvent*) 
(khtmlview.cpp:1936)
==15933==    by 0x1C87A1BB: QObject::activate_filters(QEvent*) 
(qobject.cpp:902)
==15933==    by 0x1C87A02D: QObject::event(QEvent*) (qobject.cpp:735)
==15933==    by 0x1C8B49DE: QWidget::event(QEvent*) (qwidget.cpp:4655)
==15933==    by 0x1C8199D2: QApplication::internalNotify(QObject*, QEvent*) 
(qapplication.cpp:2635)
==15933==    by 0x1C819602: QApplication::notify(QObject*, QEvent*) 
(qapplication.cpp:2523)
==15933==    by 0x1C2FB05F: KApplication::notify(QObject*, QEvent*) 
(kapplication.cpp:550)
==15933==    by 0x1C7AF402: QApplication::sendSpontaneousEvent(QObject*, 
QEvent*) (qapplication.h:494)
==15933==    by 0x1C7AA885: QETWidget::translatePaintEvent(_XEvent const*) 
(qapplication_x11.cpp:5635)
==15933==  Address 0x1E09981E is 14 bytes inside a block of size 64 free'd
==15933==    at 0x1B905989: operator delete(void*) (vg_replace_malloc.c:155)
==15933==    by 0x1E365CF0: khtml::Shared<khtml::RenderStyle>::deref() 
(shared.h:16)
==15933==    by 0x1E3DF29C: khtml::RenderObject::~RenderObject() 
(render_object.cpp:198)
==15933==    by 0x1E3F204D: khtml::RenderContainer::~RenderContainer() 
(render_table.cpp:1801)
==15933==    by 0x1E3EBE41: khtml::RenderBox::~RenderBox() 
(render_box.cpp:188)
==15933==    by 0x1E424F3A: khtml::RenderListMarker::~RenderListMarker() 
(render_list.cpp:205)
==15933==    by 0x1E3E6142: 
khtml::RenderObject::arenaDelete(khtml::RenderArena*, void*) 
(render_object.cpp:1532)
==15933==    by 0x1E3E60FC: khtml::RenderObject::detach() 
(render_object.cpp:1523)
==15933==    by 0x1E3E9ACA: khtml::RenderContainer::detach() 
(render_container.cpp:65)
==15933==    by 0x1E3EBF3D: khtml::RenderBox::detach() (render_box.cpp:197)
==15933==    by 0x1E3E9AA0: khtml::RenderContainer::detach() 
(render_container.cpp:60)
==15933==    by 0x1E3EBF3D: khtml::RenderBox::detach() (render_box.cpp:197)
==15933==    by 0x1E36C35A: DOM::NodeImpl::detach() (dom_nodeimpl.cpp:878)
==15933==    by 0x1E36DA78: DOM::NodeBaseImpl::detach() 
(dom_nodeimpl.cpp:1416)
==15933==    by 0x1E36D24F: DOM::NodeBaseImpl::removeChild(DOM::NodeImpl*, 
int&) (dom_nodeimpl.cpp:1205)
==15933==    by 0x1E52CDDF: DOM::Node::removeChild(DOM::Node const&) 
(dom_node.cpp:284)
==15933==    by 0x1E480FEA: KJS::DOMNodeProtoFunc::tryCall(KJS::ExecState*, 
KJS::Object&, KJS::List const&) (kjs_dom.cpp:514)
==15933==    by 0x1E4791A0: KJS::DOMFunction::call(KJS::ExecState*, 
KJS::Object&, KJS::List const&) (kjs_binding.cpp:114)
==15933==    by 0x1E674497: KJS::Object::call(KJS::ExecState*, KJS::Object&, 
KJS::List const&) (object.cpp:70)
==15933==    by 0x1E636CA3: KJS::FunctionCallNode::evaluate(KJS::ExecState*) 
const (nodes.cpp:870)
==15933==    by 0x1E63C86E: KJS::ExprStatementNode::execute(KJS::ExecState*) 
(nodes.cpp:1980)
==15933==    by 0x1E6431E7: KJS::SourceElementsNode::execute(KJS::ExecState*) 
(nodes.cpp:3097)
==15933==    by 0x1E63C698: KJS::BlockNode::execute(KJS::ExecState*) 
(nodes.cpp:1942)
==15933==    by 0x1E66EF6D: KJS::DeclaredFunctionImp::execute(KJS::ExecState*) 
(function.cpp:579)
==15933==    by 0x1E66E0B7: KJS::FunctionImp::call(KJS::ExecState*, 
KJS::Object&, KJS::List const&) (function.cpp:354)
==15933==    by 0x1E674497: KJS::Object::call(KJS::ExecState*, KJS::Object&, 
KJS::List const&) (object.cpp:70)
==15933==    by 0x1E636CA3: KJS::FunctionCallNode::evaluate(KJS::ExecState*) 
const (nodes.cpp:870)
==15933==    by 0x1E63C86E: KJS::ExprStatementNode::execute(KJS::ExecState*) 
(nodes.cpp:1980)
==15933==    by 0x1E6430A7: KJS::SourceElementsNode::execute(KJS::ExecState*) 
(nodes.cpp:3091)
==15933==    by 0x1E63C698: KJS::BlockNode::execute(KJS::ExecState*) 
(nodes.cpp:1942)
==15933==    by 0x1E66EF6D: KJS::DeclaredFunctionImp::execute(KJS::ExecState*) 
(function.cpp:579)
==15933==    by 0x1E66E0B7: KJS::FunctionImp::call(KJS::ExecState*, 
KJS::Object&, KJS::List const&) (function.cpp:354)
==15933==    by 0x1E674497: KJS::Object::call(KJS::ExecState*, KJS::Object&, 
KJS::List const&) (object.cpp:70)
==15933==    by 0x1E4FF270: KJS::JSEventListener::handleEvent(DOM::Event&) 
(kjs_events.cpp:95)
==15933==    by 0x1E4FFA40: KJS::JSLazyEventListener::handleEvent(DOM::Event&) 
(kjs_events.cpp:151)
==15933==    by 0x1E36BC2A: DOM::NodeImpl::handleLocalEvents(DOM::EventImpl*, 
bool) (dom_nodeimpl.cpp:675)
==15933==    by 0x1E36AF0E: 
DOM::NodeImpl::dispatchGenericEvent(DOM::EventImpl*, int&) 
(dom_nodeimpl.cpp:449)
==15933==    by 0x1E36ACC9: DOM::NodeImpl::dispatchEvent(DOM::EventImpl*, 
int&, bool) (dom_nodeimpl.cpp:412)
==15933==    by 0x1E2F1578: KHTMLView::dispatchMouseEvent(int, DOM::NodeImpl*, 
DOM::NodeImpl*, bool, int, QMouseEvent*, bool, int) (khtmlview.cpp:3138)
==15933==    by 0x1E2E909E: KHTMLView::viewportMouseReleaseEvent(QMouseEvent*) 
(khtmlview.cpp:1238)
==15933==
==15933== Invalid read of size 4
==15933==    at 0x1E3DF94F: addLayers(khtml::RenderObject*, 
khtml::RenderLayer*, khtml::RenderObject*&, khtml::RenderLayer*&) 
(render_object.cpp:281)
==15933==    by 0x1E3DFA3F: 
khtml::RenderObject::addLayers(khtml::RenderLayer*, khtml::RenderObject*) 
(render_object.cpp:304)
==15933==    by 0x1E3EAD59: 
khtml::RenderContainer::insertChildNode(khtml::RenderObject*, 
khtml::RenderObject*) (render_container.cpp:411)
==15933==    by 0x1E3E9DFF: 
khtml::RenderContainer::addChild(khtml::RenderObject*, khtml::RenderObject*) 
(render_container.cpp:145)
==15933==    by 0x1E3C7E87: 
khtml::RenderBlock::addChildToFlow(khtml::RenderObject*, 
khtml::RenderObject*) (render_block.cpp:301)
==15933==    by 0x1E3F27A7: khtml::RenderFlow::addChild(khtml::RenderObject*, 
khtml::RenderObject*) (render_flow.cpp:126)
==15933==    by 0x1E424A69: khtml::RenderListItem::updateMarkerLocation() 
(render_list.cpp:151)
==15933==    by 0x1E424CB3: khtml::RenderListItem::layout() 
(render_list.cpp:186)
==15933==    by 0x1E302A1E: khtml::RenderObject::layoutIfNeeded() 
(render_object.h:413)
==15933==    by 0x1E3CC2AF: khtml::RenderBlock::layoutBlockChildren(bool) 
(render_block.cpp:1343)
==15933==    by 0x1E3C93BC: khtml::RenderBlock::layoutBlock(bool) 
(render_block.cpp:638)
==15933==    by 0x1E3C8E53: khtml::RenderBlock::layout() 
(render_block.cpp:539)
==15933==    by 0x1E302A1E: khtml::RenderObject::layoutIfNeeded() 
(render_object.h:413)
==15933==    by 0x1E3CC2AF: khtml::RenderBlock::layoutBlockChildren(bool) 
(render_block.cpp:1343)
==15933==    by 0x1E3C93BC: khtml::RenderBlock::layoutBlock(bool) 
(render_block.cpp:638)
==15933==    by 0x1E3C8E53: khtml::RenderBlock::layout() 
(render_block.cpp:539)
==15933==    by 0x1E302A1E: khtml::RenderObject::layoutIfNeeded() 
(render_object.h:413)
==15933==    by 0x1E3CC2AF: khtml::RenderBlock::layoutBlockChildren(bool) 
(render_block.cpp:1343)
==15933==    by 0x1E3C93BC: khtml::RenderBlock::layoutBlock(bool) 
(render_block.cpp:638)
==15933==    by 0x1E3C8E53: khtml::RenderBlock::layout() 
(render_block.cpp:539)
==15933==    by 0x1E430241: khtml::RenderBody::layout() (render_body.cpp:97)
==15933==    by 0x1E302A1E: khtml::RenderObject::layoutIfNeeded() 
(render_object.h:413)
==15933==    by 0x1E3CC2AF: khtml::RenderBlock::layoutBlockChildren(bool) 
(render_block.cpp:1343)
==15933==    by 0x1E3C93BC: khtml::RenderBlock::layoutBlock(bool) 
(render_block.cpp:638)
==15933==    by 0x1E3C8E53: khtml::RenderBlock::layout() 
(render_block.cpp:539)
==15933==    by 0x1E302A1E: khtml::RenderObject::layoutIfNeeded() 
(render_object.h:413)
==15933==    by 0x1E3CC2AF: khtml::RenderBlock::layoutBlockChildren(bool) 
(render_block.cpp:1343)
==15933==    by 0x1E3C93BC: khtml::RenderBlock::layoutBlock(bool) 
(render_block.cpp:638)
==15933==    by 0x1E3C8E53: khtml::RenderBlock::layout() 
(render_block.cpp:539)
==15933==    by 0x1E42771B: khtml::RenderCanvas::layout() 
(render_canvas.cpp:179)
==15933==    by 0x1E2E6573: KHTMLView::layout() (khtmlview.cpp:786)
==15933==    by 0x1E2E5B4B: KHTMLView::drawContents(QPainter*, int, int, int, 
int) (khtmlview.cpp:642)
==15933==    by 0x1C9A2BE7: QScrollView::drawContentsOffset(QPainter*, int, 
int, int, int, int, int) (qscrollview.cpp:2334)
==15933==    by 0x1C9A1459: QScrollView::viewportPaintEvent(QPaintEvent*) 
(qscrollview.cpp:1693)
==15933==    by 0x1C9A0D30: QScrollView::eventFilter(QObject*, QEvent*) 
(qscrollview.cpp:1490)
==15933==    by 0x1E2EB744: KHTMLView::eventFilter(QObject*, QEvent*) 
(khtmlview.cpp:1936)
==15933==    by 0x1C87A1BB: QObject::activate_filters(QEvent*) 
(qobject.cpp:902)
==15933==    by 0x1C87A02D: QObject::event(QEvent*) (qobject.cpp:735)
==15933==    by 0x1C8B49DE: QWidget::event(QEvent*) (qwidget.cpp:4655)
==15933==    by 0x1C8199D2: QApplication::internalNotify(QObject*, QEvent*) 
(qapplication.cpp:2635)
==15933==  Address 0x24 is not stack'd, malloc'd or (recently) free'd
Comment 4 George Staikos 2005-11-16 02:29:34 UTC 
Created attachment 13488 [details]
proposed patch

At least the first hunk, but I think the second is also a valid unrelated
patch.
Comment 5 George Staikos 2005-11-16 02:33:10 UTC 
Does it look ok Allen?
Comment 6 Evgeny F 2005-11-18 06:19:05 UTC 
This patch resolves all crash issues I had with that script.
Comment 7 Maksim Orlovich 2005-11-18 06:31:58 UTC 
Please do not close the report until the patch is committed...
Comment 8 Evgeny F 2005-12-12 21:45:07 UTC 
Is this patch going to be merged?
There was already one major release since this patch was proposed.
I meanm it is critical enough to be merged ASAP.
Comment 9 George Staikos 2005-12-13 00:30:09 UTC 
I was not able to get my patch approved by anyone.
Comment 10 Evgeny F 2005-12-13 09:45:08 UTC 
So will konqueror continue to crash each time it executes correct DOM script?! What about being standards complaint, something konqueror team is very proud of?!
Comment 11 Germain Garand 2005-12-13 15:28:58 UTC 
Created attachment 13895 [details]
proposed patch 2

Cf. kfm-devel... m_marker should not be nulled out before the marker is removed
from the tree, otherwise we would have duplicates inserted on relayout
(regression tested)
Comment 12 Dirk Mueller 2005-12-13 15:35:45 UTC 
patch looks good to me.
Comment 13 Evgeny F 2005-12-19 13:11:35 UTC 
So what is the fix? Is this patch going to be merged?
Comment 14 Evgeny F 2005-12-29 17:18:47 UTC 
This critical bug will make it into the next release without being fixed?
Comment 15 Germain Garand 2006-02-28 03:44:58 UTC 
SVN commit 514339 by ggarand:


don't crash when destroying a marker before its listItem 

BUG: 116457


 M  +2 -0      render_list.cpp  
 M  +1 -0      render_list.h  


--- branches/KDE/3.5/kdelibs/khtml/rendering/render_list.cpp #514338:514339
@@ -203,6 +203,8 @@
 {
     if(m_listImage)
         m_listImage->deref(this);
+    if (m_listItem)
+        m_listItem->resetListMarker();
 }
 
 void RenderListMarker::setStyle(RenderStyle *s)
--- branches/KDE/3.5/kdelibs/khtml/rendering/render_list.h #514338:514339
@@ -69,6 +69,7 @@
 protected:
 
     void updateMarkerLocation();
+    void resetListMarker() { m_marker = 0; }
 
     RenderListMarker *m_marker;
     CounterNode *m_counter;