| Summary: | khtml crashes after using initMutationEvent using javascript | | |
|---|---|---|---|
| Product: | [Applications] konqueror | Reporter: | Fredrik Johansson <fredrik> |
| Component: | khtml | Assignee: | Konqueror Bugs <konqueror-bugs-null> |
| Status: | RESOLVED FIXED | | |
| Severity: | crash | | |
| Priority: | NOR | | |
| Version First Reported In: | 3.5 | | |
| Target Milestone: | --- | | |
| Platform: | unspecified | | |
| OS: | Linux | | |
| Latest Commit: | | Version Fixed/Implemented In: | |
| Sentry Crash Report: | | | |
| Attachments: | backtrace; Testpage with reproduce info | | |
Description

Fredrik Johansson, 2006-01-08 14:16:23 UTC

Created attachment 14178 [details]: backtrace
Created attachment 14179 [details]: Testpage with reproduce info
I couldn't get a valid backtrace and konqueror won't crash under valgrind.

==9491== Invalid read of size 4
==9491==    at 0x6EA6964: khtml::Shared<DOM::DOMStringImpl>::deref() (shared.h:14)
==9491==    by 0x6EC300A: DOM::MutationEventImpl::~MutationEventImpl() (dom2_eventsimpl.cpp:811)
==9491==    by 0x6E4CCD6: khtml::Shared<DOM::EventImpl>::deref() (shared.h:16)
==9491==    by 0x7038401: DOM::Event::~Event() (dom2_events.cpp:68)
==9491==    by 0x6FF137B: KJS::DOMEvent::~DOMEvent() (kjs_events.cpp:308)
==9491==    by 0x6FF4766: KJS::DOMMutationEvent::~DOMMutationEvent() (kjs_events.cpp:846)
==9491==    by 0x7107B90: KJS::Collector::collect() (collector.cpp:222)
==9491==    by 0x7140A15: KJS::Interpreter::collect() (interpreter.cpp:336)
==9491==    by 0x6FDFB5B: KJS::KJSProxyImpl::clear() (kjs_proxy.cpp:225)
==9491==    by 0x6E6635E: KHTMLPart::clear() (khtml_part.cpp:1412)
==9491==    by 0x6E67FBD: KHTMLPart::~KHTMLPart() (khtml_part.cpp:506)
==9491==    by 0x407ED03: KonqView::~KonqView() (in /opt/kde3.4/lib/libkdeinit_konqueror.so)
==9491==  Address 0x6089B28 is 0 bytes inside a block of size 12 free'd
==9491==    at 0x401C1EB: operator delete(void*) (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==9491==    by 0x6EA6981: khtml::Shared<DOM::DOMStringImpl>::deref() (shared.h:16)
==9491==    by 0x70193FE: DOM::DOMString::~DOMString() (dom_string.cpp:71)
==9491==    by 0x6FF4FFC: KJS::DOMMutationEventProtoFunc::tryCall(KJS::ExecState*, KJS::Object&, KJS::List const&) (kjs_events.cpp:885)
==9491==    by 0x6F97230: KJS::DOMFunction::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (kjs_binding.cpp:114)
==9491==    by 0x713F9FD: KJS::Object::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (object.cpp:70)
==9491==    by 0x710ABBE: KJS::FunctionCallNode::evaluate(KJS::ExecState*) const (nodes.cpp:870)
==9491==    by 0x710F549: KJS::ExprStatementNode::execute(KJS::ExecState*) (nodes.cpp:1980)
==9491==    by 0x7114997: KJS::SourceElementsNode::execute(KJS::ExecState*) (nodes.cpp:3097)
==9491==    by 0x710F36E: KJS::BlockNode::execute(KJS::ExecState*) (nodes.cpp:1942)
==9491==    by 0x7139A5E: KJS::DeclaredFunctionImp::execute(KJS::ExecState*) (function.cpp:579)
==9491==    by 0x7138F65: KJS::FunctionImp::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (function.cpp:354)

SVN commit 495677 by orlovich:
Fix obvious copy-paste error. Hmm, this file refs/derefs stuff in wrong order,
so crashes are possible when init* is called twice.
Fixes 119734, and near certainly 107686, but I don't have the time to test that one.
BUG:119734
CCBUG:107686
M +2 -2 dom2_eventsimpl.cpp
--- branches/KDE/3.5/kdelibs/khtml/xml/dom2_eventsimpl.cpp #495676:495677
@@ -794,8 +794,8 @@
if (m_newValue)
m_newValue->ref();
m_attrName = attrNameArg.implementation();
- if (m_newValue)
- m_newValue->ref();
+ if (m_attrName)
+ m_attrName->ref();
m_attrChange = attrChangeArg;
}
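Review bot: the visible lines overwrite m_attrName (and, in the context above, m_newValue) before anything derefs the value previously stored in the member, so a second initMutationEvent call on the same event still leaks the earlier strings, which the commit message itself concedes. The safer ordering is to ref() the incoming implementation first, deref() the old member, and only then assign, e.g. `DOMStringImpl* old = m_attrName; m_attrName = attrNameArg.implementation(); if (m_attrName) m_attrName->ref(); if (old) old->deref();`, which also stays correct when the old and new pointers are the same object.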
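The following is an added illustration, not khtml's code: a stripped-down model of the khtml::Shared<T> intrusive refcount, a DOMString-like owning handle, and a mutation event whose init method is shown in the pre-495677 copy-paste form beside the fixed form. It reproduces the sequence in the valgrind output above (the script's temporary strings die right after init returns, the event is torn down later by the collector) and reports, without touching freed memory, whether the event still owns a live attrName string and how many strings leak. Class and function names (StringImpl, String, MutationEvent, runScenario) are simplified stand-ins and the string contents are constructed sample values.

```cpp
#include <cstddef>
#include <cstdio>
#include <set>
#include <string>

// Intrusive refcount modelled on khtml::Shared<T> (simplified stand-in).
template <class T> class Shared {
public:
    Shared() : m_refCount(0) {}
    void ref() { ++m_refCount; }
    // Last holder gone: free the object, as the real Shared::deref() does.
    void deref() { if (--m_refCount <= 0) delete static_cast<T*>(this); }
    int refCount() const { return m_refCount; }
protected:
    ~Shared() {}
private:
    int m_refCount;
};

// Registry of string objects currently alive, so a scenario can tell that a
// pointer now refers to freed memory without dereferencing it.
class StringImpl;
static std::set<StringImpl*> g_live;

class StringImpl : public Shared<StringImpl> {
public:
    explicit StringImpl(const std::string& s) : text(s) { g_live.insert(this); }
    ~StringImpl() { g_live.erase(this); }
    std::string text;
};

// Owning handle like DOM::DOMString: holds one reference for its lifetime.
class String {
public:
    explicit String(const std::string& s) : m_impl(new StringImpl(s)) { m_impl->ref(); }
    ~String() { m_impl->deref(); }
    String(const String&) = delete;
    String& operator=(const String&) = delete;
    StringImpl* implementation() const { return m_impl; }
private:
    StringImpl* m_impl;
};

struct MutationEvent {
    StringImpl* m_newValue = nullptr;
    StringImpl* m_attrName = nullptr;
    // Derefs both members, as ~MutationEventImpl does in the backtrace; a
    // member that was never ref'd is exactly the invalid read valgrind reports.
    ~MutationEvent() {
        if (m_newValue) m_newValue->deref();
        if (m_attrName) m_attrName->deref();
    }
    // Before the fix: the second ref() was copy-pasted and targets m_newValue,
    // so m_newValue is referenced twice and m_attrName not at all.
    void initBuggy(const String& newValueArg, const String& attrNameArg) {
        m_newValue = newValueArg.implementation();
        if (m_newValue) m_newValue->ref();
        m_attrName = attrNameArg.implementation();
        if (m_newValue) m_newValue->ref();   // wrong object
    }
    // After the fix: each stored pointer takes its own reference.
    void initFixed(const String& newValueArg, const String& attrNameArg) {
        m_newValue = newValueArg.implementation();
        if (m_newValue) m_newValue->ref();
        m_attrName = attrNameArg.implementation();
        if (m_attrName) m_attrName->ref();
    }
};

struct Outcome {
    bool attrNameAlive;    // does the event still own a live attrName string?
    size_t leakedObjects;  // strings still alive after the event is destroyed
};

// Mirrors the backtrace: the caller's DOMString temporaries are destroyed as
// soon as init returns; the event itself is destroyed later by the collector.
Outcome runScenario(bool useFix) {
    MutationEvent* ev = new MutationEvent;
    {
        String newValue("constructed new value");   // constructed sample data
        String attrName("constructed-attr");
        if (useFix) ev->initFixed(newValue, attrName);
        else        ev->initBuggy(newValue, attrName);
    }   // handles die here, like ~DOMString() inside tryCall()
    Outcome out;
    out.attrNameAlive = g_live.count(ev->m_attrName) != 0;
    // In the buggy case m_attrName dangles; null it so this model does not
    // read freed memory (the real code had no such guard, hence the crash).
    if (!out.attrNameAlive) ev->m_attrName = nullptr;
    delete ev;
    out.leakedObjects = g_live.size();
    // Release whatever leaked so repeated scenarios start clean.
    while (!g_live.empty()) (*g_live.begin())->deref();
    return out;
}

int main() {
    Outcome buggy = runScenario(false), fixed = runScenario(true);
    std::printf("buggy: attrName alive=%d leaked=%zu\n", buggy.attrNameAlive, buggy.leakedObjects);
    std::printf("fixed: attrName alive=%d leaked=%zu\n", fixed.attrNameAlive, fixed.leakedObjects);
    return 0;
}
```

The buggy run ends with the attrName string already freed while the event still points at it (the dangling deref in the destructor is the invalid read in the backtrace) and with the newValue string leaked because it carries one reference too many; the fixed run ends with the attrName string alive and nothing leaked.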