Summary: | Konqueror crashes on ratp.fr in 64bit | ||
---|---|---|---|
Product: | [Applications] konqueror | Reporter: | Gonéri Le Bouder <goneri> |
Component: | khtml ecma | Assignee: | Konqueror Bugs <konqueror-bugs-null> |
Status: | RESOLVED WORKSFORME | ||
Severity: | crash | CC: | finex, maksim, tvignaud, zahl |
Priority: | NOR | ||
Version First Reported In: | unspecified | ||
Target Milestone: | --- | ||
Platform: | Debian testing | ||
OS: | Linux | ||
Latest Commit: | Version Fixed In: | ||
Sentry Crash Report: | |||
Attachments:
- konqueror backtrace
- backtrace 4.0.3
- "crash on exit on ratp.fr" backtrace with debug info (konqueror-4.0.74)
- backtrace with debug info with konqueror-4.0.74
Description
Gonéri Le Bouder
2006-05-09 17:43:04 UTC
Created attachment 15989 [details]
konqueror backtrace
#11 0x4060cb48 in KListBox::slotSettingsChanged (this=0x87fe1a0, category=0) at klistbox.cpp:80
#12 0x4060cc81 in KListBox (this=0x87fe1a0, parent=0x8619e80, name=0x420a364c "__khtml", f=0) at klistbox.cpp:37
#13 0x41f43826 in khtml::RenderSelect::createListBox (this=0x880b85c) at render_form.cpp:1203
#14 0x41f4399c in RenderSelect (this=0x880b85c, element=0x87fa708) at render_form.cpp:924
#15 0x41ecaf75 in DOM::HTMLSelectElementImpl::attach (this=0x87fa708) at html_formimpl.cpp:2277
#16 0x41e7d9c3 in DOM::NodeBaseImpl::appendChild (this=0x874cb78, newChild=0x8513620, exceptioncode=@0xbfa8955c) at dom_nodeimpl.cpp:1288
#17 0x41eb302d in DOM::HTMLElementImpl::setInnerHTML (this=0x874cb78, html=@0xbfa8991c, exceptioncode=@0xbfa8955c) at html_elementimpl.cpp:576
#18 0x420693f5 in DOM::HTMLElement::setInnerHTML (this=0xbfa89908, html=@0xbfa8991c) at html_element.cpp:145
#19 0x41fd6814 in KJS::HTMLElement::putValueProperty (this=0x87d5d48, exec=0xbfa89f5c, token=352, value=@0xbfa89bb8) at kjs_html.cpp:3103
#20 0x41ff3486 in KJS::DOMObjectLookupPut<KJS::HTMLElement, KJS::DOMElement> (exec=0xbfa89f5c, propertyName=@0xbfa89bcc, value=@0xbfa89bb8, attr=0, table=0x4210422c, thisObj=0x87d5d48) at kjs_binding.h:245

Valgrind output. While it didn't crash this time, lots of stuff happened:

==345== Invalid read of size 4
==345==    at 0x6FD8E39: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:36)
==345==    by 0x71D04A1: DOM::Node::~Node() (dom_node.cpp:173)
==345==    by 0x7145171: KJS::DOMNode::~DOMNode() (kjs_dom.cpp:91)
==345==    by 0x7155EE7: KJS::DOMElement::~DOMElement() (kjs_dom.h:132)
==345==    by 0x7178F57: KJS::HTMLElement::~HTMLElement() (kjs_html.h:56)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
==345==    by 0x72C3C5F: KJS::Collector::allocate(unsigned) (collector.cpp:85)
==345==    by 0x72FD5DC: KJS::ValueImp::operator new(unsigned) (value.cpp:84)
==345==    by 0x72FDDF8: KJS::String::String(KJS::UString const&) (value.cpp:335)
==345==    by 0x72E33D0: KJS::StringProtoFuncImp::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (string_object.cpp:209)
==345==    by 0x7300478: KJS::Object::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (object.cpp:73)
==345==    by 0x73005F7: KJS::ObjectImp::defaultValue(KJS::ExecState*, KJS::Type) const (object.cpp:320)
==345==  Address 0x5795924 is 4 bytes inside a block of size 84 free'd
==345==    at 0x401D304: operator delete(void*) (vg_replace_malloc.c:246)
==345==    by 0x70839CF: DOM::HTMLSelectElementImpl::~HTMLSelectElementImpl() (html_formimpl.cpp:1984)
==345==    by 0x6FD8E5D: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:38)
==345==    by 0x7057DC5: DOM::EventImpl::~EventImpl() (dom2_eventsimpl.cpp:79)
==345==    by 0x705966B: DOM::UIEventImpl::~UIEventImpl() (dom2_eventsimpl.cpp:315)
==345==    by 0x70598AE: DOM::MouseEventImpl::~MouseEventImpl() (dom2_eventsimpl.cpp:403)
==345==    by 0x6FDA4F6: khtml::Shared<DOM::EventImpl>::deref() (shared.h:16)
==345==    by 0x71F7AD1: DOM::Event::~Event() (dom2_events.cpp:68)
==345==    by 0x71A8311: KJS::DOMEvent::~DOMEvent() (kjs_events.cpp:308)
==345==    by 0x71A9167: KJS::DOMUIEvent::~DOMUIEvent() (kjs_events.cpp:494)
==345==    by 0x71A9B97: KJS::DOMMouseEvent::~DOMMouseEvent() (kjs_events.cpp:589)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
==345==
==345== Invalid read of size 4
==345==    at 0x6FD8E46: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:37)
==345==    by 0x71D04A1: DOM::Node::~Node() (dom_node.cpp:173)
==345==    by 0x7145171: KJS::DOMNode::~DOMNode() (kjs_dom.cpp:91)
==345==    by 0x7155EE7: KJS::DOMElement::~DOMElement() (kjs_dom.h:132)
==345==    by 0x7178F57: KJS::HTMLElement::~HTMLElement() (kjs_html.h:56)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
==345==    by 0x72C3C5F: KJS::Collector::allocate(unsigned) (collector.cpp:85)
==345==    by 0x72FD5DC: KJS::ValueImp::operator new(unsigned) (value.cpp:84)
==345==    by 0x72FDDF8: KJS::String::String(KJS::UString const&) (value.cpp:335)
==345==    by 0x72E33D0: KJS::StringProtoFuncImp::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (string_object.cpp:209)
==345==    by 0x7300478: KJS::Object::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (object.cpp:73)
==345==    by 0x73005F7: KJS::ObjectImp::defaultValue(KJS::ExecState*, KJS::Type) const (object.cpp:320)
==345==  Address 0x5795928 is 8 bytes inside a block of size 84 free'd
==345==    at 0x401D304: operator delete(void*) (vg_replace_malloc.c:246)
==345==    by 0x70839CF: DOM::HTMLSelectElementImpl::~HTMLSelectElementImpl() (html_formimpl.cpp:1984)
==345==    by 0x6FD8E5D: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:38)
==345==    by 0x7057DC5: DOM::EventImpl::~EventImpl() (dom2_eventsimpl.cpp:79)
==345==    by 0x705966B: DOM::UIEventImpl::~UIEventImpl() (dom2_eventsimpl.cpp:315)
==345==    by 0x70598AE: DOM::MouseEventImpl::~MouseEventImpl() (dom2_eventsimpl.cpp:403)
==345==    by 0x6FDA4F6: khtml::Shared<DOM::EventImpl>::deref() (shared.h:16)
==345==    by 0x71F7AD1: DOM::Event::~Event() (dom2_events.cpp:68)
==345==    by 0x71A8311: KJS::DOMEvent::~DOMEvent() (kjs_events.cpp:308)
==345==    by 0x71A9167: KJS::DOMUIEvent::~DOMUIEvent() (kjs_events.cpp:494)
==345==    by 0x71A9B97: KJS::DOMMouseEvent::~DOMMouseEvent() (kjs_events.cpp:589)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
==345==
==345== Invalid read of size 4
==345==    at 0x6FD8E55: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:38)
==345==    by 0x71D04A1: DOM::Node::~Node() (dom_node.cpp:173)
==345==    by 0x7145171: KJS::DOMNode::~DOMNode() (kjs_dom.cpp:91)
==345==    by 0x7155EE7: KJS::DOMElement::~DOMElement() (kjs_dom.h:132)
==345==    by 0x7178F57: KJS::HTMLElement::~HTMLElement() (kjs_html.h:56)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
==345==    by 0x72C3C5F: KJS::Collector::allocate(unsigned) (collector.cpp:85)
==345==    by 0x72FD5DC: KJS::ValueImp::operator new(unsigned) (value.cpp:84)
==345==    by 0x72FDDF8: KJS::String::String(KJS::UString const&) (value.cpp:335)
==345==    by 0x72E33D0: KJS::StringProtoFuncImp::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (string_object.cpp:209)
==345==    by 0x7300478: KJS::Object::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (object.cpp:73)
==345==    by 0x73005F7: KJS::ObjectImp::defaultValue(KJS::ExecState*, KJS::Type) const (object.cpp:320)
==345==  Address 0x5795920 is 0 bytes inside a block of size 84 free'd
==345==    at 0x401D304: operator delete(void*) (vg_replace_malloc.c:246)
==345==    by 0x70839CF: DOM::HTMLSelectElementImpl::~HTMLSelectElementImpl() (html_formimpl.cpp:1984)
==345==    by 0x6FD8E5D: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:38)
==345==    by 0x7057DC5: DOM::EventImpl::~EventImpl() (dom2_eventsimpl.cpp:79)
==345==    by 0x705966B: DOM::UIEventImpl::~UIEventImpl() (dom2_eventsimpl.cpp:315)
==345==    by 0x70598AE: DOM::MouseEventImpl::~MouseEventImpl() (dom2_eventsimpl.cpp:403)
==345==    by 0x6FDA4F6: khtml::Shared<DOM::EventImpl>::deref() (shared.h:16)
==345==    by 0x71F7AD1: DOM::Event::~Event() (dom2_events.cpp:68)
==345==    by 0x71A8311: KJS::DOMEvent::~DOMEvent() (kjs_events.cpp:308)
==345==    by 0x71A9167: KJS::DOMUIEvent::~DOMUIEvent() (kjs_events.cpp:494)
==345==    by 0x71A9B97: KJS::DOMMouseEvent::~DOMMouseEvent() (kjs_events.cpp:589)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
==345==
==345== Invalid write of size 4
==345==    at 0x704269F: DOM::NodeImpl::~NodeImpl() (dom_nodeimpl.cpp:84)
==345==    by 0x6FD8E5D: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:38)
==345==    by 0x71D04A1: DOM::Node::~Node() (dom_node.cpp:173)
==345==    by 0x7145171: KJS::DOMNode::~DOMNode() (kjs_dom.cpp:91)
==345==    by 0x7155EE7: KJS::DOMElement::~DOMElement() (kjs_dom.h:132)
==345==    by 0x7178F57: KJS::HTMLElement::~HTMLElement() (kjs_html.h:56)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
==345==    by 0x72C3C5F: KJS::Collector::allocate(unsigned) (collector.cpp:85)
==345==    by 0x72FD5DC: KJS::ValueImp::operator new(unsigned) (value.cpp:84)
==345==    by 0x72FDDF8: KJS::String::String(KJS::UString const&) (value.cpp:335)
==345==    by 0x72E33D0: KJS::StringProtoFuncImp::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (string_object.cpp:209)
==345==    by 0x7300478: KJS::Object::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (object.cpp:73)
==345==  Address 0x5795920 is 0 bytes inside a block of size 84 free'd
==345==    at 0x401D304: operator delete(void*) (vg_replace_malloc.c:246)
==345==    by 0x70839CF: DOM::HTMLSelectElementImpl::~HTMLSelectElementImpl() (html_formimpl.cpp:1984)
==345==    by 0x6FD8E5D: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:38)
==345==    by 0x7057DC5: DOM::EventImpl::~EventImpl() (dom2_eventsimpl.cpp:79)
==345==    by 0x705966B: DOM::UIEventImpl::~UIEventImpl() (dom2_eventsimpl.cpp:315)
==345==    by 0x70598AE: DOM::MouseEventImpl::~MouseEventImpl() (dom2_eventsimpl.cpp:403)
==345==    by 0x6FDA4F6: khtml::Shared<DOM::EventImpl>::deref() (shared.h:16)
==345==    by 0x71F7AD1: DOM::Event::~Event() (dom2_events.cpp:68)
==345==    by 0x71A8311: KJS::DOMEvent::~DOMEvent() (kjs_events.cpp:308)
==345==    by 0x71A9167: KJS::DOMUIEvent::~DOMUIEvent() (kjs_events.cpp:494)
==345==    by 0x71A9B97: KJS::DOMMouseEvent::~DOMMouseEvent() (kjs_events.cpp:589)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
==345==
==345== Invalid read of size 4
==345==    at 0x70426A1: DOM::NodeImpl::~NodeImpl() (dom_nodeimpl.cpp:86)
==345==    by 0x6FD8E5D: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:38)
==345==    by 0x71D04A1: DOM::Node::~Node() (dom_node.cpp:173)
==345==    by 0x7145171: KJS::DOMNode::~DOMNode() (kjs_dom.cpp:91)
==345==    by 0x7155EE7: KJS::DOMElement::~DOMElement() (kjs_dom.h:132)
==345==    by 0x7178F57: KJS::HTMLElement::~HTMLElement() (kjs_html.h:56)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
==345==    by 0x72C3C5F: KJS::Collector::allocate(unsigned) (collector.cpp:85)
==345==    by 0x72FD5DC: KJS::ValueImp::operator new(unsigned) (value.cpp:84)
==345==    by 0x72FDDF8: KJS::String::String(KJS::UString const&) (value.cpp:335)
==345==    by 0x72E33D0: KJS::StringProtoFuncImp::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (string_object.cpp:209)
==345==    by 0x7300478: KJS::Object::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (object.cpp:73)
==345==  Address 0x5795938 is 24 bytes inside a block of size 84 free'd
==345==    at 0x401D304: operator delete(void*) (vg_replace_malloc.c:246)
==345==    by 0x70839CF: DOM::HTMLSelectElementImpl::~HTMLSelectElementImpl() (html_formimpl.cpp:1984)
==345==    by 0x6FD8E5D: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:38)
==345==    by 0x7057DC5: DOM::EventImpl::~EventImpl() (dom2_eventsimpl.cpp:79)
==345==    by 0x705966B: DOM::UIEventImpl::~UIEventImpl() (dom2_eventsimpl.cpp:315)
==345==    by 0x70598AE: DOM::MouseEventImpl::~MouseEventImpl() (dom2_eventsimpl.cpp:403)
==345==    by 0x6FDA4F6: khtml::Shared<DOM::EventImpl>::deref() (shared.h:16)
==345==    by 0x71F7AD1: DOM::Event::~Event() (dom2_events.cpp:68)
==345==    by 0x71A8311: KJS::DOMEvent::~DOMEvent() (kjs_events.cpp:308)
==345==    by 0x71A9167: KJS::DOMUIEvent::~DOMUIEvent() (kjs_events.cpp:494)
==345==    by 0x71A9B97: KJS::DOMMouseEvent::~DOMMouseEvent() (kjs_events.cpp:589)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
==345==
==345== Invalid read of size 4
==345==    at 0x70426B0: DOM::NodeImpl::~NodeImpl() (dom_nodeimpl.cpp:88)
==345==    by 0x6FD8E5D: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:38)
==345==    by 0x71D04A1: DOM::Node::~Node() (dom_node.cpp:173)
==345==    by 0x7145171: KJS::DOMNode::~DOMNode() (kjs_dom.cpp:91)
==345==    by 0x7155EE7: KJS::DOMElement::~DOMElement() (kjs_dom.h:132)
==345==    by 0x7178F57: KJS::HTMLElement::~HTMLElement() (kjs_html.h:56)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
==345==    by 0x72C3C5F: KJS::Collector::allocate(unsigned) (collector.cpp:85)
==345==    by 0x72FD5DC: KJS::ValueImp::operator new(unsigned) (value.cpp:84)
==345==    by 0x72FDDF8: KJS::String::String(KJS::UString const&) (value.cpp:335)
==345==    by 0x72E33D0: KJS::StringProtoFuncImp::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (string_object.cpp:209)
==345==    by 0x7300478: KJS::Object::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (object.cpp:73)
==345==  Address 0x579592C is 12 bytes inside a block of size 84 free'd
==345==    at 0x401D304: operator delete(void*) (vg_replace_malloc.c:246)
==345==    by 0x70839CF: DOM::HTMLSelectElementImpl::~HTMLSelectElementImpl() (html_formimpl.cpp:1984)
==345==    by 0x6FD8E5D: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:38)
==345==    by 0x7057DC5: DOM::EventImpl::~EventImpl() (dom2_eventsimpl.cpp:79)
==345==    by 0x705966B: DOM::UIEventImpl::~UIEventImpl() (dom2_eventsimpl.cpp:315)
==345==    by 0x70598AE: DOM::MouseEventImpl::~MouseEventImpl() (dom2_eventsimpl.cpp:403)
==345==    by 0x6FDA4F6: khtml::Shared<DOM::EventImpl>::deref() (shared.h:16)
==345==    by 0x71F7AD1: DOM::Event::~Event() (dom2_events.cpp:68)
==345==    by 0x71A8311: KJS::DOMEvent::~DOMEvent() (kjs_events.cpp:308)
==345==    by 0x71A9167: KJS::DOMUIEvent::~DOMUIEvent() (kjs_events.cpp:494)
==345==    by 0x71A9B97: KJS::DOMMouseEvent::~DOMMouseEvent() (kjs_events.cpp:589)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
==345==
==345== Invalid read of size 4
==345==    at 0x70426BF: DOM::NodeImpl::~NodeImpl() (dom_nodeimpl.cpp:90)
==345==    by 0x6FD8E5D: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:38)
==345==    by 0x71D04A1: DOM::Node::~Node() (dom_node.cpp:173)
==345==    by 0x7145171: KJS::DOMNode::~DOMNode() (kjs_dom.cpp:91)
==345==    by 0x7155EE7: KJS::DOMElement::~DOMElement() (kjs_dom.h:132)
==345==    by 0x7178F57: KJS::HTMLElement::~HTMLElement() (kjs_html.h:56)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
==345==    by 0x72C3C5F: KJS::Collector::allocate(unsigned) (collector.cpp:85)
==345==    by 0x72FD5DC: KJS::ValueImp::operator new(unsigned) (value.cpp:84)
==345==    by 0x72FDDF8: KJS::String::String(KJS::UString const&) (value.cpp:335)
==345==    by 0x72E33D0: KJS::StringProtoFuncImp::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (string_object.cpp:209)
==345==    by 0x7300478: KJS::Object::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (object.cpp:73)
==345==  Address 0x5795930 is 16 bytes inside a block of size 84 free'd
==345==    at 0x401D304: operator delete(void*) (vg_replace_malloc.c:246)
==345==    by 0x70839CF: DOM::HTMLSelectElementImpl::~HTMLSelectElementImpl() (html_formimpl.cpp:1984)
==345==    by 0x6FD8E5D: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:38)
==345==    by 0x7057DC5: DOM::EventImpl::~EventImpl() (dom2_eventsimpl.cpp:79)
==345==    by 0x705966B: DOM::UIEventImpl::~UIEventImpl() (dom2_eventsimpl.cpp:315)
==345==    by 0x70598AE: DOM::MouseEventImpl::~MouseEventImpl() (dom2_eventsimpl.cpp:403)
==345==    by 0x6FDA4F6: khtml::Shared<DOM::EventImpl>::deref() (shared.h:16)
==345==    by 0x71F7AD1: DOM::Event::~Event() (dom2_events.cpp:68)
==345==    by 0x71A8311: KJS::DOMEvent::~DOMEvent() (kjs_events.cpp:308)
==345==    by 0x71A9167: KJS::DOMUIEvent::~DOMUIEvent() (kjs_events.cpp:494)
==345==    by 0x71A9B97: KJS::DOMMouseEvent::~DOMMouseEvent() (kjs_events.cpp:589)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
==345==
==345== More than 100 errors detected. Subsequent errors
==345== will still be recorded, but in less detail than before.
==345==
==345== Invalid read of size 4
==345==    at 0x70426D6: DOM::NodeImpl::~NodeImpl() (dom_nodeimpl.cpp:92)
==345==    by 0x6FD8E5D: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:38)
==345==    by 0x71D04A1: DOM::Node::~Node() (dom_node.cpp:173)
==345==    by 0x7145171: KJS::DOMNode::~DOMNode() (kjs_dom.cpp:91)
==345==    by 0x7155EE7: KJS::DOMElement::~DOMElement() (kjs_dom.h:132)
==345==    by 0x7178F57: KJS::HTMLElement::~HTMLElement() (kjs_html.h:56)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
==345==    by 0x72C3C5F: KJS::Collector::allocate(unsigned) (collector.cpp:85)
==345==    by 0x72FD5DC: KJS::ValueImp::operator new(unsigned) (value.cpp:84)
==345==    by 0x72FDDF8: KJS::String::String(KJS::UString const&) (value.cpp:335)
==345==    by 0x72E33D0: KJS::StringProtoFuncImp::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (string_object.cpp:209)
==345==    by 0x7300478: KJS::Object::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (object.cpp:73)
==345==  Address 0x5795934 is 20 bytes inside a block of size 84 free'd
==345==    at 0x401D304: operator delete(void*) (vg_replace_malloc.c:246)
==345==    by 0x70839CF: DOM::HTMLSelectElementImpl::~HTMLSelectElementImpl() (html_formimpl.cpp:1984)
==345==    by 0x6FD8E5D: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:38)
==345==    by 0x7057DC5: DOM::EventImpl::~EventImpl() (dom2_eventsimpl.cpp:79)
==345==    by 0x705966B: DOM::UIEventImpl::~UIEventImpl() (dom2_eventsimpl.cpp:315)
==345==    by 0x70598AE: DOM::MouseEventImpl::~MouseEventImpl() (dom2_eventsimpl.cpp:403)
==345==    by 0x6FDA4F6: khtml::Shared<DOM::EventImpl>::deref() (shared.h:16)
==345==    by 0x71F7AD1: DOM::Event::~Event() (dom2_events.cpp:68)
==345==    by 0x71A8311: KJS::DOMEvent::~DOMEvent() (kjs_events.cpp:308)
==345==    by 0x71A9167: KJS::DOMUIEvent::~DOMUIEvent() (kjs_events.cpp:494)
==345==    by 0x71A9B97: KJS::DOMMouseEvent::~DOMMouseEvent() (kjs_events.cpp:589)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
==345==
==345== Invalid read of size 4
==345==    at 0x704264D: DOM::RegisteredListenerList::~RegisteredListenerList() (dom_nodeimpl.cpp:2031)
==345==    by 0x70426F7: DOM::NodeImpl::~NodeImpl() (dom_nodeimpl.cpp:94)
==345==    by 0x6FD8E5D: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:38)
==345==    by 0x71D04A1: DOM::Node::~Node() (dom_node.cpp:173)
==345==    by 0x7145171: KJS::DOMNode::~DOMNode() (kjs_dom.cpp:91)
==345==    by 0x7155EE7: KJS::DOMElement::~DOMElement() (kjs_dom.h:132)
==345==    by 0x7178F57: KJS::HTMLElement::~HTMLElement() (kjs_html.h:56)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
==345==    by 0x72C3C5F: KJS::Collector::allocate(unsigned) (collector.cpp:85)
==345==    by 0x72FD5DC: KJS::ValueImp::operator new(unsigned) (value.cpp:84)
==345==    by 0x72FDDF8: KJS::String::String(KJS::UString const&) (value.cpp:335)
==345==    by 0x72E33D0: KJS::StringProtoFuncImp::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (string_object.cpp:209)
==345==  Address 0x579593C is 28 bytes inside a block of size 84 free'd
==345==    at 0x401D304: operator delete(void*) (vg_replace_malloc.c:246)
==345==    by 0x70839CF: DOM::HTMLSelectElementImpl::~HTMLSelectElementImpl() (html_formimpl.cpp:1984)
==345==    by 0x6FD8E5D: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:38)
==345==    by 0x7057DC5: DOM::EventImpl::~EventImpl() (dom2_eventsimpl.cpp:79)
==345==    by 0x705966B: DOM::UIEventImpl::~UIEventImpl() (dom2_eventsimpl.cpp:315)
==345==    by 0x70598AE: DOM::MouseEventImpl::~MouseEventImpl() (dom2_eventsimpl.cpp:403)
==345==    by 0x6FDA4F6: khtml::Shared<DOM::EventImpl>::deref() (shared.h:16)
==345==    by 0x71F7AD1: DOM::Event::~Event() (dom2_events.cpp:68)
==345==    by 0x71A8311: KJS::DOMEvent::~DOMEvent() (kjs_events.cpp:308)
==345==    by 0x71A9167: KJS::DOMUIEvent::~DOMUIEvent() (kjs_events.cpp:494)
==345==    by 0x71A9B97: KJS::DOMMouseEvent::~DOMMouseEvent() (kjs_events.cpp:589)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
==345==
==345== Invalid write of size 4
==345==    at 0x7042663: DOM::RegisteredListenerList::~RegisteredListenerList() (dom_nodeimpl.cpp:2031)
==345==    by 0x70426F7: DOM::NodeImpl::~NodeImpl() (dom_nodeimpl.cpp:94)
==345==    by 0x6FD8E5D: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:38)
==345==    by 0x71D04A1: DOM::Node::~Node() (dom_node.cpp:173)
==345==    by 0x7145171: KJS::DOMNode::~DOMNode() (kjs_dom.cpp:91)
==345==    by 0x7155EE7: KJS::DOMElement::~DOMElement() (kjs_dom.h:132)
==345==    by 0x7178F57: KJS::HTMLElement::~HTMLElement() (kjs_html.h:56)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
==345==    by 0x72C3C5F: KJS::Collector::allocate(unsigned) (collector.cpp:85)
==345==    by 0x72FD5DC: KJS::ValueImp::operator new(unsigned) (value.cpp:84)
==345==    by 0x72FDDF8: KJS::String::String(KJS::UString const&) (value.cpp:335)
==345==    by 0x72E33D0: KJS::StringProtoFuncImp::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (string_object.cpp:209)
==345==  Address 0x579593C is 28 bytes inside a block of size 84 free'd
==345==    at 0x401D304: operator delete(void*) (vg_replace_malloc.c:246)
==345==    by 0x70839CF: DOM::HTMLSelectElementImpl::~HTMLSelectElementImpl() (html_formimpl.cpp:1984)
==345==    by 0x6FD8E5D: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:38)
==345==    by 0x7057DC5: DOM::EventImpl::~EventImpl() (dom2_eventsimpl.cpp:79)
==345==    by 0x705966B: DOM::UIEventImpl::~UIEventImpl() (dom2_eventsimpl.cpp:315)
==345==    by 0x70598AE: DOM::MouseEventImpl::~MouseEventImpl() (dom2_eventsimpl.cpp:403)
==345==    by 0x6FDA4F6: khtml::Shared<DOM::EventImpl>::deref() (shared.h:16)
==345==    by 0x71F7AD1: DOM::Event::~Event() (dom2_events.cpp:68)
==345==    by 0x71A8311: KJS::DOMEvent::~DOMEvent() (kjs_events.cpp:308)
==345==    by 0x71A9167: KJS::DOMUIEvent::~DOMUIEvent() (kjs_events.cpp:494)
==345==    by 0x71A9B97: KJS::DOMMouseEvent::~DOMMouseEvent() (kjs_events.cpp:589)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
==345==
==345== Invalid free() / delete / delete[]
==345==    at 0x401D304: operator delete(void*) (vg_replace_malloc.c:246)
==345==    by 0x704270A: DOM::NodeImpl::~NodeImpl() (dom_nodeimpl.cpp:94)
==345==    by 0x6FD8E5D: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:38)
==345==    by 0x71D04A1: DOM::Node::~Node() (dom_node.cpp:173)
==345==    by 0x7145171: KJS::DOMNode::~DOMNode() (kjs_dom.cpp:91)
==345==    by 0x7155EE7: KJS::DOMElement::~DOMElement() (kjs_dom.h:132)
==345==    by 0x7178F57: KJS::HTMLElement::~HTMLElement() (kjs_html.h:56)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
==345==    by 0x72C3C5F: KJS::Collector::allocate(unsigned) (collector.cpp:85)
==345==    by 0x72FD5DC: KJS::ValueImp::operator new(unsigned) (value.cpp:84)
==345==    by 0x72FDDF8: KJS::String::String(KJS::UString const&) (value.cpp:335)
==345==    by 0x72E33D0: KJS::StringProtoFuncImp::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (string_object.cpp:209)
==345==  Address 0x5795920 is 0 bytes inside a block of size 84 free'd
==345==    at 0x401D304: operator delete(void*) (vg_replace_malloc.c:246)
==345==    by 0x70839CF: DOM::HTMLSelectElementImpl::~HTMLSelectElementImpl() (html_formimpl.cpp:1984)
==345==    by 0x6FD8E5D: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:38)
==345==    by 0x7057DC5: DOM::EventImpl::~EventImpl() (dom2_eventsimpl.cpp:79)
==345==    by 0x705966B: DOM::UIEventImpl::~UIEventImpl() (dom2_eventsimpl.cpp:315)
==345==    by 0x70598AE: DOM::MouseEventImpl::~MouseEventImpl() (dom2_eventsimpl.cpp:403)
==345==    by 0x6FDA4F6: khtml::Shared<DOM::EventImpl>::deref() (shared.h:16)
==345==    by 0x71F7AD1: DOM::Event::~Event() (dom2_events.cpp:68)
==345==    by 0x71A8311: KJS::DOMEvent::~DOMEvent() (kjs_events.cpp:308)
==345==    by 0x71A9167: KJS::DOMUIEvent::~DOMUIEvent() (kjs_events.cpp:494)
==345==    by 0x71A9B97: KJS::DOMMouseEvent::~DOMMouseEvent() (kjs_events.cpp:589)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)

Seems it starts going wrong in the garbage collector each time.

*** Bug 136909 has been marked as a duplicate of this bug. ***

This may be related to focus issues. I've seen that with both firefox and konqueror, sometimes one may have to click quite a lot of times in order to get the focus in the right textbox. Maybe some javascript is playing with the focus...

Created attachment 24439 [details]
backtrace 4.0.3
Tested in 4.0.3 and bug still exists, Konq crashed after selecting a departure
station then an arrival station.
Created attachment 24890 [details]
"crash on exit on ratp.fr" backtrace with debug info (konqueror-4.0.74)
(real trace after at #5, after drKonki's "pollution")
Created attachment 24891 [details]
backtrace with debug info with konqueror-4.0.74
Oops, the previous trace was a crash on exit on http://ratp.fr. This one is the real backtrace with _debug_ info.

This bug was reproduced with KDE 3.5.1, 3.5.5, 4.0.3 and 4.0.74.
Note that sometimes it won't instantaneously crash in JS. It will then crash on exiting konqueror (see Bug #162474).

For the record, 3.5.9 is also affected.

4.00.80 (KDE 4.0.80 >= (KDE 4.1 Beta1) or svn trunk r811446 seems to have finally fixed this problem, yay!

No it doesn't. It still crashes as of kde-4.1.00. See attached trace.
Please reopen this bug, which was opened at kde-3.5.x time and is still valid, and don't close it until a commit fixes it. Thanks.

I got hit by bugs.kde.org showing another bug report after editing the current one, and so the attachment got attached to the wrong bug report. See attachment #26709 [details]: https://bugs.kde.org/attachment.cgi?id=26709&action=edit
Here's the attachment's log: GDB trace of konqueror-4.1.00 crashing on ratp.fr
In order to reproduce, just:
- start konqueror
- open http://ratp.fr
- type "chate" in first text zone & choose any of the completion choices
- type "cach" in the second text zone & the completion will make konqueror crash

Ok, this does crash, but only in 64bit. Not in 32bit. I'm running 4.1.60 atm, 32bit compiled, and no crash. Others running in 64bit report crashes. One of them kindly provided this bt:

Application: Konqueror (konqueror), signal SIGSEGV
[Thread debugging using libthread_db enabled]
0x0000003e450a63c1 in nanosleep () from /lib64/libc.so.6
[Current thread is 1 (Thread 0x7f9504c1a800 (LWP 13200))]

Thread 1 (Thread 0x7f9504c1a800 (LWP 13200)):
[KCrash Handler]
#5 0x00007f94fae14e22 in ~DOMNode (this=0x7f94f847d8c0) at /home/madcat/mandriva/sources/kdelibs/khtml/misc/shared.h:65
#6 0x00007f94fa7df86a in KJS::Collector::collect () at /home/madcat/mandriva/sources/kdelibs/kjs/collector.cpp:714
#7 0x00007f94fa7dfd3d in KJS::Collector::allocate (s=16) at /home/madcat/mandriva/sources/kdelibs/kjs/collector.cpp:326
#8 0x00007f94fa814ffe in KJS::jsOwnedString (s=@0x21cf690) at /home/madcat/mandriva/sources/kdelibs/kjs/value.cpp:197
#9 0x00007f94fa82de48 in KJS::Machine::runBlock (exec=0x7fff0e6bdcd0, codeBlock=<value optimized out>, parentExec=0x7fff0e6be5d0) at codes.def:833
#10 0x00007f94fa8103fa in KJS::FunctionImp::callAsFunction (this=0x7f94f85a8800, exec=0x7fff0e6be5d0, thisObj=<value optimized out>, args=@0x7fff0e6be550) at /home/madcat/mandriva/sources/kdelibs/kjs/function.cpp:143
#11 0x00007f94fa81754c in KJS::JSObject::call (this=0x7f94f85a8800, exec=0x7fff0e6be5d0, thisObj=0x7f94f85b0180, args=@0x7fff0e6be550) at /home/madcat/mandriva/sources/kdelibs/kjs/object.cpp:99
#12 0x00007f94fa8336f9 in KJS::Machine::runBlock (exec=0x7fff0e6be5d0, codeBlock=<value optimized out>, parentExec=0x183c500) at codes.def:1206
#13 0x00007f94fa8103fa in KJS::FunctionImp::callAsFunction (this=0x7f94f847d340, exec=0x183c500, thisObj=<value optimized out>, args=@0x7fff0e6be810) at /home/madcat/mandriva/sources/kdelibs/kjs/function.cpp:143
#14 0x00007f94fa81754c in KJS::JSObject::call (this=0x7f94f847d340, exec=0x183c500, thisObj=0x7f94f85aa880, args=@0x7fff0e6be810) at /home/madcat/mandriva/sources/kdelibs/kjs/object.cpp:99
#15 0x00007f94fae7d635 in KJS::JSEventListener::handleEvent (this=0x1ab9bb0, evt=@0x7fff0e6be890) at /home/madcat/mandriva/sources/kdelibs/khtml/ecma/kjs_events.cpp:106
#16 0x00007f94fac88cfb in DOM::NodeImpl::handleLocalEvents (this=<value optimized out>, evt=0x1af0050, useCapture=false) at /home/madcat/mandriva/sources/kdelibs/khtml/xml/dom_nodeimpl.cpp:727
#17 0x00007f94fac891d9 in DOM::NodeImpl::dispatchGenericEvent (this=0x1ab9ae0, evt=0x1af0050) at /home/madcat/mandriva/sources/kdelibs/khtml/xml/dom_nodeimpl.cpp:498
#18 0x00007f94fac8925e in DOM::NodeImpl::dispatchEvent (this=0x1ab9ae0, evt=0x1af0050, exceptioncode=@0x7fff0e6be994, tempEvent=true) at /home/madcat/mandriva/sources/kdelibs/khtml/xml/dom_nodeimpl.cpp:450
#19 0x00007f94fac89b90 in DOM::NodeImpl::dispatchKeyEvent (this=0x1ab9ae0, key=0x7fff0e6bf010, keypress=<value optimized out>) at /home/madcat/mandriva/sources/kdelibs/khtml/xml/dom_nodeimpl.cpp:703
#20 0x00007f94fabf03fd in KHTMLView::dispatchKeyEvent (this=0x1cc85e0, _ke=0x7fff0e6bf010) at /home/madcat/mandriva/sources/kdelibs/khtml/khtmlview.cpp:1606
#21 0x00007f94fabf4ebe in KHTMLView::keyReleaseEvent (this=0x1cc85e0, _ke=0x7fff0e6bf010) at /home/madcat/mandriva/sources/kdelibs/khtml/khtmlview.cpp:1958
#22 0x00007f94fabec306 in KHTMLView::eventFilter (this=0x2293d70, o=0x23738b0, e=0x7fff0e6bf010) at /home/madcat/mandriva/sources/kdelibs/khtml/khtmlview.cpp:2258
#23 0x000000345fb40ae8 in QCoreApplicationPrivate::sendThroughObjectEventFilters () from /usr/lib64/libQtCore.so.4
#24 0x000000346017fccc in QApplicationPrivate::notify_helper () from /usr/lib64/libQtGui.so.4
#25 0x00000034601887fa in QApplication::notify () from /usr/lib64/libQtGui.so.4
#26 0x00007f9505e2d31b in KApplication::notify (this=0x7fff0e6c02e0, receiver=0x23738b0, event=0x7fff0e6bf010) at /home/madcat/mandriva/sources/kdelibs/kdeui/kernel/kapplication.cpp:311
#27 0x000000345fb4180f in QCoreApplication::notifyInternal () from /usr/lib64/libQtCore.so.4
#28 0x000000346020c6a4 in ?? () from /usr/lib64/libQtGui.so.4
#29 0x000000346020e987 in ?? () from /usr/lib64/libQtGui.so.4
#30 0x00000034601e9bb0 in QApplication::x11ProcessEvent () from /usr/lib64/libQtGui.so.4
#31 0x00000034602103a4 in ?? () from /usr/lib64/libQtGui.so.4
#32 0x0000003e46c374db in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
#33 0x0000003e46c3acbd in ?? () from /lib64/libglib-2.0.so.0
#34 0x0000003e46c3ae7b in g_main_context_iteration () from /lib64/libglib-2.0.so.0
#35 0x000000345fb69b5f in QEventDispatcherGlib::processEvents () from /usr/lib64/libQtCore.so.4
#36 0x000000346020fb4f in ?? () from /usr/lib64/libQtGui.so.4
#37 0x000000345fb40132 in QEventLoop::processEvents () from /usr/lib64/libQtCore.so.4
#38 0x000000345fb402bd in QEventLoop::exec () from /usr/lib64/libQtCore.so.4
#39 0x000000345fb4276d in QCoreApplication::exec () from /usr/lib64/libQtCore.so.4
#40 0x00000000006cd701 in kdemain (argc=<value optimized out>, argv=<value optimized out>) at /home/madcat/mandriva/sources/kdebase/apps/konqueror/src/konqmain.cpp:227
#41 0x0000003e4501e32a in __libc_start_main () from /lib64/libc.so.6
#42 0x0000000000400769 in _start ()

It doesn't crash anymore on current trunk and 64bit.

Now it works :-)
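
Added example, not part of the original report or of the KDE code base: a Python triage helper for the Valgrind memcheck output quoted earlier in this report. It groups the errors by the freed heap block they touch and reports which function freed it and which frames appear on both the accessing and the freeing stack; it splits on the `==pid==` marker rather than on newlines, so it also reads output that has been run together onto one line. The names `parse_memcheck` and `summarize` are this example's own, and the sample input is constructed in the report's format with shortened stacks.

```python
import re
from collections import Counter

MARK = re.compile(r"==\d+==")  # memcheck line prefix; still present in flattened text
FRAME = re.compile(r"^(?:at|by) 0x[0-9A-Fa-f]+: (.*) \([^()]+\)$")
ADDR = re.compile(r"^Address 0x([0-9A-Fa-f]+) is (\d+) bytes inside "
                  r"a block of size (\d+) free'd$")

def parse_memcheck(text):
    """Split memcheck output into records: kind, access stack, freed block, free stack."""
    records, cur = [], None
    for chunk in (c.strip() for c in MARK.split(text)):
        if chunk.startswith("Invalid "):
            cur = {"kind": chunk, "access": [], "freed": [], "block": None}
            records.append(cur)
        elif cur is None:
            continue
        elif not chunk:                     # an empty "==pid==" line ends a record
            cur = None
        elif (m := ADDR.match(chunk)):
            offset, size = int(m[2]), int(m[3])
            cur["block"] = (int(m[1], 16) - offset, size)  # (base address, size)
            cur["offset"] = offset
        elif (m := FRAME.match(chunk)):
            # Frames before the "Address" line are the access, frames after it the free.
            (cur["access"] if cur["block"] is None else cur["freed"]).append(m[1])
    return records

def is_allocator(fn):
    return fn.startswith(("operator delete", "free("))

def summarize(records):
    """Group records by freed block: error kinds, offsets, freeing function, shared frames."""
    blocks = {}
    for r in records:
        if r["block"] is None:
            continue                        # error without a freed-block description
        b = blocks.setdefault(r["block"], {"kinds": Counter(), "offsets": set(),
                                           "freed_by": set(), "shared": None})
        b["kinds"][r["kind"]] += 1
        b["offsets"].add(r["offset"])
        b["freed_by"].add(next((f for f in r["freed"] if not is_allocator(f)), "?"))
        both = {f for f in r["access"] if f in r["freed"] and not is_allocator(f)}
        b["shared"] = both if b["shared"] is None else b["shared"] & both
    for b in blocks.values():
        # An invalid free on an already freed block is a double free.
        b["double_free"] = any(k.startswith("Invalid free") for k in b["kinds"])
        b["shared"] = sorted(b["shared"])
    return blocks

# Constructed sample in the report's format: three records against one block,
# each stack cut down to a few of the frames shown in the report.
FREED_BY = """\
==345==    at 0x401D304: operator delete(void*) (vg_replace_malloc.c:246)
==345==    by 0x70839CF: DOM::HTMLSelectElementImpl::~HTMLSelectElementImpl() (html_formimpl.cpp:1984)
==345==    by 0x6FD8E5D: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:38)
==345==    by 0x71A9B97: KJS::DOMMouseEvent::~DOMMouseEvent() (kjs_events.cpp:589)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
==345==
"""
SAMPLE = """\
==345== Invalid read of size 4
==345==    at 0x6FD8E39: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:36)
==345==    by 0x71D04A1: DOM::Node::~Node() (dom_node.cpp:173)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
==345==  Address 0x5795924 is 4 bytes inside a block of size 84 free'd
""" + FREED_BY + """\
==345== Invalid write of size 4
==345==    at 0x704269F: DOM::NodeImpl::~NodeImpl() (dom_nodeimpl.cpp:84)
==345==    by 0x6FD8E5D: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:38)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
==345==  Address 0x5795920 is 0 bytes inside a block of size 84 free'd
""" + FREED_BY + """\
==345== Invalid free() / delete / delete[]
==345==    at 0x401D304: operator delete(void*) (vg_replace_malloc.c:246)
==345==    by 0x704270A: DOM::NodeImpl::~NodeImpl() (dom_nodeimpl.cpp:94)
==345==    by 0x6FD8E5D: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:38)
==345==    by 0x72C3A3E: KJS::Collector::collect() (collector.cpp:222)
==345==  Address 0x5795920 is 0 bytes inside a block of size 84 free'd
""" + FREED_BY

if __name__ == "__main__":
    for (base, size), b in summarize(parse_memcheck(SAMPLE)).items():
        label = "double free" if b["double_free"] else "use after free"
        print(f"block {base:#x} ({size} bytes): {label}, {sum(b['kinds'].values())} errors")
        print("  freed by:", ", ".join(sorted(b["freed_by"])))
        print("  offsets touched:", sorted(b["offsets"]))
        print("  frames on both stacks:", ", ".join(b["shared"]))
```

Read the same way, all eleven records quoted in the report resolve to one 84-byte block at 0x5795920 that was freed in `DOM::HTMLSelectElementImpl::~HTMLSelectElementImpl()`.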