Bug 119512

Summary: Konqueror sometimes crashes when closing the window, because of a failed assertion in khtml::Cache::clear()
Product: [Applications] konqueror
Reporter: gambas <g4mba5>
Component: khtml adblock
Assignee: Konqueror Developers <konq-bugs>
Severity: crash
CC: gschintgen, kde, rapsys, woebbeking
Priority: NOR
Version: unspecified
Target Milestone: ---
Platform: Mandriva RPMs
OS: AIX
Latest Commit:
Version Fixed In:
Attachments: Possible patch

Description gambas 2006-01-04 17:41:05 UTC
Version:            (using KDE KDE 3.5.0)
Installed from:    Mandriva RPMs
OS:                AIX

Here is what is printed in my ~/.xsession-error file:

konqueror [kdeinit] -mimetype text/html file:///home/benoit/gambas/html/gambas.sourceforge.net/index.html: loader.cpp:1317: static void khtml::Cache::clear():  l'assertion « it.current()->canDelete() » a échoué.
DCOP: unregister 'konqueror-8321'
KCrash: crashing... crashRecursionCounter = 2
KCrash: Application Name = konqueror path = <unknown> pid = 8321

And here is the backtrace:

(no debugging symbols found)
Using host libthread_db library "/lib/tls/libthread_db.so.1".
(no debugging symbols found)
`shared object read from target memory' has disappeared; keeping its symbols.
(no debugging symbols found)
[Thread debugging using libthread_db enabled]
[New Thread -1234273888 (LWP 21421)]
(no debugging symbols found)
[KCrash handler]
#4  0xffffe410 in __kernel_vsyscall ()
#5  0xb6f47ef1 in raise () from /lib/tls/libc.so.6
#6  0xb6f4983b in abort () from /lib/tls/libc.so.6
#7  0xb6f41045 in __assert_fail () from /lib/tls/libc.so.6
#8  0xb5e1b260 in khtml::Cache::clear () from /usr/lib/libkhtml.so.4
#9  0xb5cc8143 in KHTMLFactory::~KHTMLFactory$delete ()
   from /usr/lib/libkhtml.so.4
#10 0xb5cb835a in KHTMLFactory::deref () from /usr/lib/libkhtml.so.4
#11 0xb5cc8047 in KHTMLFactory::~KHTMLFactory$delete ()
   from /usr/lib/libkhtml.so.4
#12 0xb7a378f9 in KLibrary::~KLibrary$delete () from /usr/lib/libkdecore.so.4
#13 0xb79a6115 in KLibrary::slotTimeout () from /usr/lib/libkdecore.so.4
#14 0xb79c9b48 in KLibrary::qt_invoke () from /usr/lib/libkdecore.so.4
#15 0xb747c98d in QObject::activate_signal ()
   from /usr/lib/qt3/lib/libqt-mt.so.3
#16 0xb747cdf6 in QObject::activate_signal ()
   from /usr/lib/qt3/lib/libqt-mt.so.3
#17 0xb77700c5 in QTimer::timeout () from /usr/lib/qt3/lib/libqt-mt.so.3
#18 0xb749daf7 in QTimer::event () from /usr/lib/qt3/lib/libqt-mt.so.3
#19 0xb7422deb in QApplication::internalNotify ()
   from /usr/lib/qt3/lib/libqt-mt.so.3
#20 0xb74234aa in QApplication::notify () from /usr/lib/qt3/lib/libqt-mt.so.3
#21 0xb7a45f74 in KApplication::notify () from /usr/lib/libkdecore.so.4
#22 0xb7417ff4 in QEventLoop::activateTimers ()
   from /usr/lib/qt3/lib/libqt-mt.so.3
#23 0xb73d490d in QEventLoop::processEvents ()
   from /usr/lib/qt3/lib/libqt-mt.so.3
#24 0xb7437731 in QEventLoop::enterLoop () from /usr/lib/qt3/lib/libqt-mt.so.3
#25 0xb7437654 in QEventLoop::exec () from /usr/lib/qt3/lib/libqt-mt.so.3
#26 0xb742259f in QApplication::exec () from /usr/lib/qt3/lib/libqt-mt.so.3
#27 0xb64fb4a3 in kdemain () from /usr/lib/libkdeinit_konqueror.so
#28 0xb65d4564 in kdeinitmain () from /usr/lib/kde3/konqueror.so
#29 0x0804f780 in ?? ()
#30 0x0804fed7 in ?? ()
#31 0x08050605 in ?? ()
#32 0x08050c26 in ?? ()
#33 0xb6f34e40 in __libc_start_main () from /lib/tls/libc.so.6
#34 0x0804c731 in ?? ()
Comment 1 Maksim Orlovich 2006-01-04 18:22:20 UTC
I need to know the URL that causes it for this report to be of any help. This basically means an image got leaked --- and a number of causes for that are fixed already.
Comment 2 gambas 2006-01-05 00:39:13 UTC
In this case it was 'file:///home/benoit/gambas/html/gambas.sourceforge.net/index.html', which is a copy of my web site http://gambas.sourceforge.net.

The crash happens not very often, and apparently never on the same URL. Sorry for not having more information...
Comment 3 Maksim Orlovich 2006-01-05 00:47:25 UTC
Well, just because you started konqueror with that page doesn't mean it wasn't reused for something else... And this class of bugs should be reasonably reproducible. You don't use getComputedStyle anywhere, do you?
Comment 4 gambas 2006-01-05 00:50:35 UTC
What is getComputedStyle() ?
Comment 5 Maksim Orlovich 2006-01-05 00:56:36 UTC
A JavaScript function. A memory leak in that was one of the things fixed post 3.5 that could cause this assert. But I'll take it as a no, I guess.
Comment 6 gambas 2006-01-05 01:01:51 UTC
Actually, it could be more complicated: even if my web site does not use any javascript, I put a link to http://frappr.com/gambas which uses tons of javascript. And maybe I had navigated to this page from the left frame of http://gambas.sourceforge.net, and came back later to the home page.

Isn't it possible to add a crash handler in konqueror that dumps more information, like all the pages that were browsed? This way, these kinds of bugs would be easier to reproduce.
Comment 7 gambas 2006-01-05 01:05:13 UTC
That's it :-) I browsed to the gambas map on http://frappr.com/gambas from my web site, I displayed all the markers, and all the users in the right panel, I moved the map a little, I displayed some users in Australia, and then I closed the window. Crash!
Comment 8 gambas 2006-01-05 01:06:13 UTC
Note that you have to change the browser identity to be allowed to browse http://frappr.com. I used "Safari..."
Comment 9 Tommi Tervo 2006-01-05 08:54:14 UTC
svn -r487836

#8  0xb61c7bac in khtml::Cache::clear () at loader.cpp:1312
#9  0xb6046670 in ~KHTMLFactory (this=0x8298408) at khtml_factory.cpp:98
#10 0xb603446c in KHTMLFactory::deref () at khtml_factory.cpp:139
#11 0xb6046681 in ~KHTMLFactory (this=0x8b799d0) at khtml_factory.cpp:103
#12 0xb77188a0 in ~KLibrary (this=0x8ab2d58) at klibloader.cpp:131
#13 0xb76a6095 in KLibLoader::close_pending (this=0x8237970, wrap=0x82b79b8)
    at klibloader.cpp:516
Comment 10 Maksim Orlovich 2006-01-05 16:45:20 UTC
Hmm, I can't trigger it, though :-(. Any hints on what to do? 
Comment 11 gambas 2006-01-05 22:14:41 UTC
Here is what I do exactly:

1) Open konqueror on http://gambas.sf.net
2) Click on the "Where are we" picture in the left frame.
3) Wait a little.
4) Click on "Show 50 more markers" in right frame.
5) Click again.
6) And click again. All markers are shown now.
7) Close the window.

It crashes there, the way I described.
Comment 12 Maksim Orlovich 2006-01-05 22:21:20 UTC
Doesn't crash for me when I do that... And I don't think I have any relevant in my tree. But this could be a fix you don't have -- but Tommi's tree is new enough to have it.
Comment 13 Gilles Schintgen 2006-01-07 23:51:05 UTC
I get this crash quite often.

Try closing konqueror after visiting this URL:

Here's the backtrace:

Using host libthread_db library "/lib/libthread_db.so.1".
`system-supplied DSO at 0xffffe000' has disappeared; keeping its symbols.
[Thread debugging using libthread_db enabled]
[New Thread -1209022800 (LWP 13647)]
[KCrash handler]
#4  0xffffe410 in __kernel_vsyscall ()
#5  0x473ef651 in raise () from /lib/libc.so.6
#6  0x473f115c in abort () from /lib/libc.so.6
#7  0x473e8d09 in __assert_fail () from /lib/libc.so.6
#8  0x490aea94 in khtml::Cache::clear () at loader.cpp:1313
#9  0x48f8b0f5 in ~KHTMLFactory (this=0x8445a08) at khtml_factory.cpp:98
#10 0x48f8b2e2 in KHTMLFactory::deref () at khtml_factory.cpp:139
#11 0x48f8b027 in ~KHTMLFactory (this=0x84b3dd0) at khtml_factory.cpp:103
#12 0x4818e2a5 in ~KLibrary (this=0x84e3a40) at klibloader.cpp:131
#13 0x4818eb55 in KLibrary::slotTimeout (this=0x84e3a40) at klibloader.cpp:253
#14 0x48190236 in KLibrary::qt_invoke (this=0x84e3a40, _id=4, _o=0xbf91ea10)
    at klibloader.moc:91
#15 0x47af7b13 in QObject::activate_signal () from /usr/qt/3/lib/libqt-mt.so.3
#16 0x47af7954 in QObject::activate_signal () from /usr/qt/3/lib/libqt-mt.so.3
#17 0x47e2dcab in QTimer::timeout () from /usr/qt/3/lib/libqt-mt.so.3
#18 0x47b18aa0 in QTimer::event () from /usr/qt/3/lib/libqt-mt.so.3
#19 0x47a9c5fc in QApplication::internalNotify ()
   from /usr/qt/3/lib/libqt-mt.so.3
#20 0x47a9b99d in QApplication::notify () from /usr/qt/3/lib/libqt-mt.so.3
#21 0x48104b8b in KApplication::notify (this=0xbf91f3b0, receiver=0x87fb6e0, 
    event=0xbf91ee90) at kapplication.cpp:550
#22 0x47a8c089 in QEventLoop::activateTimers ()
   from /usr/qt/3/lib/libqt-mt.so.3
#23 0x47a47447 in QEventLoop::processEvents ()
   from /usr/qt/3/lib/libqt-mt.so.3
#24 0x47aae558 in QEventLoop::enterLoop () from /usr/qt/3/lib/libqt-mt.so.3
#25 0x47aae408 in QEventLoop::exec () from /usr/qt/3/lib/libqt-mt.so.3
#26 0x47a9c831 in QApplication::exec () from /usr/qt/3/lib/libqt-mt.so.3
#27 0x46d112ec in kdemain (argc=0, argv=0x0) at konq_main.cc:206
#28 0xb7ddd7d6 in kdeinitmain (argc=0, argv=0x0) at konqueror_dummy.cc:3
#29 0x0804dcfc in launch (argc=2, _name=0x81e771c "konqueror", 
    args=0x81e772f "\001", cwd=0x0, envc=1, envs=0x81e7740 "", 
    reset_env=false, tty=0x0, avoid_loops=false, startup_id_str=0x0)
    at kinit.cpp:637
#30 0x0804f329 in handle_launcher_request (sock=9) at kinit.cpp:1201
#31 0x0804f8a0 in handle_requests (waitForPid=0) at kinit.cpp:1404
#32 0x08050938 in main (argc=2, argv=0xbf91fad4, envp=0x0) at kinit.cpp:1848
Comment 14 Maksim Orlovich 2006-01-07 23:58:35 UTC
Thanks for the report --- but I don't see the problem w/3.5.x branch on that site either...
Comment 15 Tommi Tervo 2006-03-03 10:37:33 UTC
Ivor invited how to reproduce this crash. Enable adblock and add option hide images, go to some website (e.g. osnews.com) block some ad and close konqueror -> crash:
konqueror: loader.cpp:1275: static void khtml::Cache::clear(): Assertion `it.current()->canDelete()' failed.
Comment 16 Tommi Tervo 2006-04-06 22:32:32 UTC
*** Bug 125072 has been marked as a duplicate of this bug. ***
Comment 17 Tommi Tervo 2006-05-20 10:44:42 UTC
*** Bug 127701 has been marked as a duplicate of this bug. ***
Comment 18 Carsten Lohrke 2006-06-12 00:34:57 UTC
Just experienced the crash with KDE 3.5.3
Comment 19 Allan Sandfeld 2006-06-19 23:32:22 UTC
I am quite sure 99% of these crashes now are due to adblock. Redirecting the bug there.
Comment 20 Allan Sandfeld 2006-06-19 23:42:13 UTC
Created attachment 16707 [details]
Possible patch

I can't reliably trigger crashes, but I haven't had any since applying this
simplification of the adblock code.
Comment 21 Andreas Kling 2006-06-21 00:04:26 UTC
SVN commit 553393 by kling:

Death to the crash-on-exit adblock bug. Tested & verified.
Patch from Allan Sandfeld -- THANK YOU :)

BUG: 119512

 M  +6 -25     khtml_part.cpp  

--- branches/KDE/3.5/kdelibs/khtml/khtml_part.cpp #553392:553393
@@ -6703,38 +6703,19 @@
             if ( node->id() == ID_IMG ||
                  node->id() == ID_IFRAME ||
-                 (node->id() == ID_INPUT && !strcasecmp( static_cast<ElementImpl *>(node)->getAttribute(ATTR_TYPE), "image")) )
+                 (node->id() == ID_INPUT && static_cast<HTMLInputElementImpl *>(node)->inputType() == HTMLInputElementImpl::IMAGE ))
                 if ( KHTMLFactory::defaultHTMLSettings()->isAdFiltered( d->m_doc->completeURL( static_cast<ElementImpl *>(node)->getAttribute(ATTR_SRC).string() ) ) )
-                    // We found an IMG, IFRAME or INPUT (of type "image") matching a filter.
-                    // Detach the node from the document and rendering trees.
-                    node->detach();
-                    // Connect its siblings to each other instead.
-                    NodeImpl *next = node->nextSibling();
-                    NodeImpl *prev = node->previousSibling();
-                    if( next ) next->setPreviousSibling( prev );
-                    if( prev ) prev->setNextSibling( next );
-                    // If it's the first or last child of its parent, we cut it off there too.
+                    // We found an IMG, IFRAME or INPUT (of type IMAGE) matching a filter.
+                    node->ref();
                     NodeImpl *parent = node->parent();
                     if( parent )
-                        if( node == parent->firstChild() )
-                            parent->setFirstChild( next );
-                        if( node == parent->lastChild() )
-                            parent->setLastChild( prev );
+                        int exception = 0;
+                        parent->removeChild(node, exception);
-                    node->removedFromDocument();
-                    // If nobody needs this node, we can safely delete it.
-                    if( !node->refCount() )
-                        delete node;
+                    node->deref();
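Review bot: the exception code filled in by parent->removeChild(node, exception) is never inspected, so if the removal fails the ad-filtered node stays in the tree and nothing records it. Consider at least a debug message when exception is non-zero. The node->ref() / node->deref() pair around the removal also deserves a one-line comment saying why the reference is taken (keeping the node alive across removeChild), since the explanatory comments that accompanied the removed hand-unlinking code go away with this change. Finally, when parent is null the new code only refs and derefs the node and detaches nothing; a short comment should say whether that case is expected.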
Comment 22 Tommi Tervo 2006-06-28 17:30:59 UTC
*** Bug 129976 has been marked as a duplicate of this bug. ***
Comment 23 Carsten Lohrke 2006-07-10 15:38:17 UTC
I just hit this again using Akregator - despite having Allan's patch applied.

Using host libthread_db library "/lib/tls/libthread_db.so.1".
`system-supplied DSO at 0xffffe000' has disappeared; keeping its symbols.
[Thread debugging using libthread_db enabled]
[New Thread -1242859168 (LWP 13327)]
[KCrash handler]
#6  0xffffe410 in __kernel_vsyscall ()
#7  0xb5ef1421 in raise () from /lib/tls/libc.so.6
#8  0xb5ef2e3d in abort () from /lib/tls/libc.so.6
#9  0xb5eeacd2 in __assert_fail () from /lib/tls/libc.so.6
#10 0xb790fa6f in khtml::Cache::clear () at loader.cpp:1280
#11 0xb77e4391 in ~KHTMLFactory (this=0x818eeb0) at khtml_factory.cpp:98
#12 0xb77e3ec8 in KHTMLFactory::deref () at khtml_factory.cpp:139
#13 0xb77e4c36 in KHTMLFactory::deregisterPart (part=0x0)
    at khtml_factory.cpp:167
#14 0xb77cac3c in ~KHTMLPart (this=0x818f0a0, __vtt_parm=0xb5da6128)
    at khtml_part.cpp:523
#15 0xb5d45edf in ~Viewer (this=0x818f0a0, __vtt_parm=0xb5da6128)
    at viewer.cpp:89
#16 0xb5d47f68 in ~ArticleViewer (this=0x818f0a0) at articleviewer.cpp:182
#17 0xb74ecfa0 in KParts::Part::slotWidgetDestroyed (this=0x818f0a0)
    at part.cpp:268
#18 0xb74ed00a in KParts::Part::qt_invoke (this=0x818f0a0, _id=2, _o=0x0)
    at part.moc:108
#19 0xb74ed071 in KParts::ReadOnlyPart::qt_invoke (this=0x818f0a0, _id=2, 
    _o=0xbfe13200) at part.moc:261
#20 0xb77d6e03 in KHTMLPart::qt_invoke (this=0x818f0a0, _id=2, _o=0xbfe13200)
    at khtml_part.moc:574
#21 0xb5d47063 in Akregator::Viewer::qt_invoke (this=0x818f0a0, _id=135852192, 
    _o=0xbfe13200) at viewer.moc:201
#22 0xb5d4d60a in Akregator::ArticleViewer::qt_invoke (this=0x818f0a0, _id=2, 
    _o=0xbfe13200) at articleviewer.moc:136
#23 0xb66c04bd in QObject::activate_signal () from /usr/qt/3/lib/libqt-mt.so.3
#24 0xb66c0c52 in QObject::activate_signal () from /usr/qt/3/lib/libqt-mt.so.3
#25 0xb6a16df9 in QObject::destroyed () from /usr/qt/3/lib/libqt-mt.so.3
#26 0xb66bee74 in QObject::~QObject () from /usr/qt/3/lib/libqt-mt.so.3
#27 0xb66f83e2 in QWidget::~QWidget () from /usr/qt/3/lib/libqt-mt.so.3
#28 0xb67e1947 in QScrollView::~QScrollView () from /usr/qt/3/lib/libqt-mt.so.3
#29 0xb779d7c2 in ~KHTMLView (this=0x81b64b8) at khtmlview.cpp:519
#30 0xb66f8475 in QWidget::~QWidget () from /usr/qt/3/lib/libqt-mt.so.3
#31 0xb67ebd2d in QSplitter::~QSplitter () from /usr/qt/3/lib/libqt-mt.so.3
#32 0xb66f7fd8 in QWidget::~QWidget () from /usr/qt/3/lib/libqt-mt.so.3
#33 0xb5d72998 in Akregator::View::slotOnShutdown (this=0x820a658)
    at akregator_view.cpp:411
#34 0xb5d6b133 in Akregator::Part::slotOnShutdown (this=0x815f628)
    at akregator_part.cpp:264
#35 0xb5d6b318 in ~Part (this=0x815f628) at akregator_part.cpp:303
#36 0x08053898 in Akregator::MainWindow::queryExit (this=0x8125980)
    at mainwindow.cpp:240
#37 0xb6fff8e4 in KMainWindow::closeEvent (this=0x8125980, e=0xbfe13970)
    at kmainwindow.cpp:651
#38 0xb66f9792 in QWidget::event () from /usr/qt/3/lib/libqt-mt.so.3
#39 0xb67bc322 in QMainWindow::event () from /usr/qt/3/lib/libqt-mt.so.3
#40 0xb665bdbf in QApplication::internalNotify ()
   from /usr/qt/3/lib/libqt-mt.so.3
#41 0xb665bf5c in QApplication::notify () from /usr/qt/3/lib/libqt-mt.so.3
#42 0xb6ca8581 in KApplication::notify (this=0xbfe14680, receiver=0x8125980, 
    event=0xbfe13970) at kapplication.cpp:550
#43 0xb66f8c93 in QWidget::close () from /usr/qt/3/lib/libqt-mt.so.3
#44 0xb7008d8c in QWidget::close (this=0x0) at qwidget.h:826
#45 0xb700839b in KSystemTray::maybeQuit (this=0x8253e50)
    at ksystemtray.cpp:208
#46 0xb70089fa in KSystemTray::qt_invoke (this=0x8253e50, _id=60, _o=0x0)
    at ksystemtray.moc:104
#47 0xb7ea5500 in Akregator::TrayIcon::qt_invoke (this=0x8253e50, _id=60, 
    _o=0xbfe13b40) at trayicon.moc:103
#48 0xb66c0534 in QObject::activate_signal () from /usr/qt/3/lib/libqt-mt.so.3
#49 0xb66c0c52 in QObject::activate_signal () from /usr/qt/3/lib/libqt-mt.so.3
#50 0xb6f93cfe in KAction::activated (this=0x0) at kaction.moc:176
#51 0xb6f947da in KAction::slotActivated (this=0xbfe13b54) at kaction.cpp:1102
#52 0xb6f9783b in KAction::slotPopupActivated (this=0x82575b0)
    at kaction.cpp:1137
#53 0xb6f97986 in KAction::qt_invoke (this=0x82575b0, _id=16, _o=0xbfe13cd0)
    at kaction.moc:219
#54 0xb66c0534 in QObject::activate_signal () from /usr/qt/3/lib/libqt-mt.so.3
#55 0xb6a1829d in QSignal::signal () from /usr/qt/3/lib/libqt-mt.so.3
#56 0xb66dab43 in QSignal::activate () from /usr/qt/3/lib/libqt-mt.so.3
#57 0xb67d0e08 in QPopupMenu::mouseReleaseEvent ()
   from /usr/qt/3/lib/libqt-mt.so.3
#58 0xb6f8306d in KPopupMenu::mouseReleaseEvent (this=0x82548a0, e=0xbfe14210)
    at kpopupmenu.cpp:511
#59 0xb66f9a16 in QWidget::event () from /usr/qt/3/lib/libqt-mt.so.3
#60 0xb665bdbf in QApplication::internalNotify ()
   from /usr/qt/3/lib/libqt-mt.so.3
#61 0xb665c175 in QApplication::notify () from /usr/qt/3/lib/libqt-mt.so.3
#62 0xb6ca8581 in KApplication::notify (this=0xbfe14680, receiver=0x82548a0, 
    event=0xbfe14210) at kapplication.cpp:550
#63 0xb65f36ab in QETWidget::translateMouseEvent ()
   from /usr/qt/3/lib/libqt-mt.so.3
#64 0xb65f20ce in QApplication::x11ProcessEvent ()
   from /usr/qt/3/lib/libqt-mt.so.3
#65 0xb66061e6 in QEventLoop::processEvents () from /usr/qt/3/lib/libqt-mt.so.3
#66 0xb66725b2 in QEventLoop::enterLoop () from /usr/qt/3/lib/libqt-mt.so.3
#67 0xb6672506 in QEventLoop::exec () from /usr/qt/3/lib/libqt-mt.so.3
#68 0xb665af6f in QApplication::exec () from /usr/qt/3/lib/libqt-mt.so.3
#69 0x08051b13 in main (argc=0, argv=0x0) at main.cpp:110