Bug 134291

Summary:	[test case] Crash when hiding an element through CSS
Product:	[Applications] konqueror	Reporter:	Heiner Lamprecht <heiner>
Component:	khtml	Assignee:	Konqueror Developers <konq-bugs>
Status:	RESOLVED FIXED
Severity:	crash	CC:	Mathias.Homann, rkrell, srowe
Priority:	NOR
Version:	unspecified
Target Milestone:	---
Platform:	openSUSE
OS:	Linux
Latest Commit:		Version Fixed In:
Sentry Crash Report:
Attachments:	patch

Description Heiner Lamprecht 2006-09-18 19:29:46 UTC

Version:            (using KDE KDE 3.5.4)
Installed from:    SuSE RPMs

Simple HTML file:
------------------------------------------------------------------------------
<html>
<head>
 <title>Konqui-Crash</title>
 <link rel="stylesheet" href="df.css" type="text/css" media="screen" />
</head>
<p>
 This is a <a href="#">link<span class="label">This is a label</span></a>.
</p>
</body>
</html>
------------------------------------------------------------------------------

Simple CSS-file
------------------------------------------------------------------------------
a span.label {
  display: none;
  position: absolute;
}

a:hover span.label {
  display: block;
  position: absolute;
}
------------------------------------------------------------------------------

Move the mouse over the link and the label-text appears.  Move the mouse out and Konqueror crashes.  This happens only, when "position" is set to "absolute".  Changing to "relative" or removing the line, and Konqueror survives this file.

Comment 1 Tommi Tervo 2006-09-18 19:50:41 UTC

http://zebra.tky.hut.fi/~teve/kde/134291.html

#6  0xb6113e36 in khtml::InlineFlowBox::nodeAtPoint (this=0x85de6bc, 
    i=@0xbfa38314, x=71, y=11, tx=10, ty=10) at render_line.cpp:590
#7  0xb60cb44e in khtml::RenderFlow::hitTestLines (this=0x85de4dc, 
    i=@0xbfa38314, x=71, y=11, tx=10, ty=10, hitTestAction=HitTestAll)
    at render_flow.cpp:254
#8  0xb60a75f3 in khtml::RenderInline::nodeAtPoint (this=0x85de4dc, 
    info=@0xbfa38314, _x=71, _y=11, _tx=10, _ty=10, hitTestAction=HitTestAll, 
    inside=false) at render_inline.cpp:834
#9  0xb60b74fc in khtml::RenderObject::nodeAtPoint (this=0x85de410, 
    info=@0xbfa38314, _x=71, _y=11, _tx=10, _ty=10, hitTestAction=HitTestAll, 
    inside=true) at render_object.cpp:1730
#10 0xb609d3b2 in khtml::RenderBlock::nodeAtPoint (this=0x85de410, 
    info=@0xbfa38314, _x=71, _y=11, _tx=10, _ty=10, hitTestAction=HitTestAll, 
    inBox=false) at render_block.cpp:2506
#11 0xb60b74fc in khtml::RenderObject::nodeAtPoint (this=0x85de38c, 
    info=@0xbfa38314, _x=71, _y=11, _tx=0, _ty=0, hitTestAction=HitTestAll, 
    inside=true) at render_object.cpp:1730
#12 0xb609d3b2 in khtml::RenderBlock::nodeAtPoint (this=0x85de38c, 
    info=@0xbfa38314, _x=71, _y=11, _tx=0, _ty=0, hitTestAction=HitTestAll, 
    inBox=false) at render_block.cpp:2506
#13 0xb60b74fc in khtml::RenderObject::nodeAtPoint (this=0x85de2a4, 
    info=@0xbfa38314, _x=71, _y=11, _tx=0, _ty=0, 
    hitTestAction=HitTestChildrenOnly, inside=false) at render_object.cpp:1730
#14 0xb609d3b2 in khtml::RenderBlock::nodeAtPoint (this=0x85de2a4, 
    info=@0xbfa38314, _x=71, _y=11, _tx=0, _ty=0, 
    hitTestAction=HitTestChildrenOnly, inBox=false) at render_block.cpp:2506
#15 0xb60d5cfb in khtml::RenderLayer::nodeAtPointForLayer (this=0x85de328, 
    rootLayer=0x85de240, info=@0xbfa38314, xMousePos=71, yMousePos=11, 
    hitTestRect=@0xbfa382b0) at render_layer.cpp:1040
#16 0xb60d5ac6 in khtml::RenderLayer::nodeAtPointForLayer (this=0x85de240, 
    rootLayer=0x85de240, info=@0xbfa38314, xMousePos=71, yMousePos=11, 
    hitTestRect=@0xbfa382b0) at render_layer.cpp:1023

Comment 2 Tommi Tervo 2006-09-18 19:57:44 UTC

==6336== Invalid read of size 4
==6336==    at 0x7442E36: khtml::InlineFlowBox::nodeAtPoint(khtml::RenderObject::NodeInfo&, int, int, int, int) (render_line.cpp:590)
==6336==    by 0x73FA44D: khtml::RenderFlow::hitTestLines(khtml::RenderObject::NodeInfo&, int, int, int, int, HitTestAction) (render_flow.cpp:254)
==6336==    by 0x73D65F2: khtml::RenderInline::nodeAtPoint(khtml::RenderObject::NodeInfo&, int, int, int, int, HitTestAction, bool) (render_inline.cpp:834)

Comment 3 Tommi Tervo 2006-09-18 20:30:24 UTC

*** Bug 133427 has been marked as a duplicate of this bug. ***

Comment 4 Maksim Orlovich 2006-09-18 22:10:54 UTC

vg analysis from build with arenas disabled:
==15528== Invalid read of size 4
==15528==    at 0x7A309B0: khtml::InlineFlowBox::nodeAtPoint(khtml::RenderObject::NodeInfo&, int, int, int, int) (render_line.cpp:584)
==15528==    by 0x79F108C: khtml::RenderFlow::hitTestLines(khtml::RenderObject::NodeInfo&, int, int, int, int, HitTestAction) (render_flow.cpp:254)
==15528==    by 0x79D2424: khtml::RenderInline::nodeAtPoint(khtml::RenderObject::NodeInfo&, int, int, int, int, HitTestAction, bool) (render_inline.cpp:834)
==15528==    by 0x79E039E: khtml::RenderObject::nodeAtPoint(khtml::RenderObject::NodeInfo&, int, int, int, int, HitTestAction, bool) (render_object.cpp:1730)
==15528==    by 0x79C9E37: khtml::RenderBlock::nodeAtPoint(khtml::RenderObject::NodeInfo&, int, int, int, int, HitTestAction, bool) (render_block.cpp:2506)
==15528==    by 0x79E039E: khtml::RenderObject::nodeAtPoint(khtml::RenderObject::NodeInfo&, int, int, int, int, HitTestAction, bool) (render_object.cpp:1730)
==15528==    by 0x79C9E37: khtml::RenderBlock::nodeAtPoint(khtml::RenderObject::NodeInfo&, int, int, int, int, HitTestAction, bool) (render_block.cpp:2506)
==15528==    by 0x79E039E: khtml::RenderObject::nodeAtPoint(khtml::RenderObject::NodeInfo&, int, int, int, int, HitTestAction, bool) (render_object.cpp:1730)
==15528==    by 0x79C9E37: khtml::RenderBlock::nodeAtPoint(khtml::RenderObject::NodeInfo&, int, int, int, int, HitTestAction, bool) (render_block.cpp:2506)
==15528==    by 0x79FA5D9: khtml::RenderLayer::nodeAtPointForLayer(khtml::RenderLayer*, khtml::RenderObject::NodeInfo&, int, int, QRect const&) (render_layer.cpp:1040)
==15528==    by 0x79FA425: khtml::RenderLayer::nodeAtPointForLayer(khtml::RenderLayer*, khtml::RenderObject::NodeInfo&, int, int, QRect const&) (render_layer.cpp:1023)
==15528==    by 0x79FAE19: khtml::RenderLayer::nodeAtPoint(khtml::RenderObject::NodeInfo&, int, int) (render_layer.cpp:984)
==15528==  Address 0x62F08F0 is 8 bytes inside a block of size 140 free'd
==15528==    at 0x401EEBB: free (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==15528==    by 0x79F7A1B: khtml::RenderArena::free(unsigned, void*) (render_arena.cpp:126)
==15528==    by 0x79E0502: khtml::RenderObject::arenaDelete(khtml::RenderArena*, void*) (render_object.cpp:1606)
==15528==    by 0x79E05D8: khtml::RenderObject::detach() (render_object.cpp:1591)
==15528==    by 0x79E8973: khtml::RenderContainer::detach() (render_container.cpp:73)
==15528==    by 0x79EF804: khtml::RenderBox::detach() (render_box.cpp:190)
==15528==    by 0x796B78B: DOM::NodeImpl::detach() (dom_nodeimpl.cpp:855)
==15528==    by 0x796BB9A: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1406)
==15528==    by 0x7974E4D: DOM::ElementImpl::detach() (dom_elementimpl.cpp:540)
==15528==    by 0x7974A8F: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:609)
==15528==    by 0x799BB58: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:274)
==15528==    by 0x7974B7E: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:639)

Comment 5 Maksim Orlovich 2006-09-18 23:12:04 UTC

Created attachment 17833 [details]
patch

The problem is that we create a place holder box in some cases inside
RenderFlow::createInlineBox by upcalling, but never clean it up when the
element is dead, since deleteInlineBoxes doesn't upcall. That's first hunk, and
the fix. The second is a guess at a potential issue, and needs feedback from
Carewolf or Spart, likely to be wrong...

Comment 6 Maksim Orlovich 2006-09-19 00:01:44 UTC

SVN commit 586170 by orlovich:

Make sure to destroy any place holder box we may have created 
by upcalling to RenderBox in the creation method in the destruction
method.
BUG:134291


 M  +2 -0      render_flow.cpp  


--- branches/KDE/3.5/kdelibs/khtml/rendering/render_flow.cpp #586169:586170
@@ -128,6 +128,8 @@
 
 void RenderFlow::deleteInlineBoxes(RenderArena* arena)
 {
+    RenderBox::deleteInlineBoxes(arena); //In case we upcalled
+                                         //during construction
     if (m_firstLineBox) {
         if (!arena)
             arena = renderArena();

Comment 7 Tommi Tervo 2006-09-19 09:14:53 UTC

*** Bug 134310 has been marked as a duplicate of this bug. ***

Comment 8 Germain Garand 2006-09-19 13:57:16 UTC

nice catch... :)
the second chunk looks fine but rather overkill as it's a rare condition and the box just wouldn't be used. I can't see how this would be a problem so I'd rather advise saving the call, but do as you see fit.

Comment 9 Tommi Tervo 2007-04-18 10:41:26 UTC

*** Bug 144334 has been marked as a duplicate of this bug. ***