| Summary: | Konqueror crash on laptopykomputery.pl | | |
|---|---|---|---|
| Product: | [Applications] konqueror | Reporter: | Maciej Pilichowski <bluedzins> |
| Component: | khtml renderer | Assignee: | Konqueror Developers <konq-bugs> |
| Status: | RESOLVED FIXED | | |
| Severity: | crash | CC: | aacid, bugzilla, Chemtux, dront78, f-k, finex, g_sauthoff, helllamer, javierjc1982, kde, kde, marcus, nerijus, rob.opensuse.linux, seajey.serg, sergey.n.zaitsev, stanislav.karchebny, ted |
| Priority: | NOR | | |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Platform: | openSUSE | | |
| OS: | Linux | | |
| Latest Commit: | | Version Fixed In: | |
| Sentry Crash Report: | | | |
| Attachments: | Patch; Corrected patch | | |
Description
Maciej Pilichowski
2007-09-19 15:24:43 UTC
Same package, same crash here.

*** Bug 150560 has been marked as a duplicate of this bug. ***

```
==20807== Invalid read of size 4
==20807==    at 0x7686F17: khtml::RenderBlock::addChildToFlow(khtml::RenderObject*, khtml::RenderObject*) (render_block.cpp:372)
==20807==    by 0x7661D75: khtml::RenderFlow::addChild(khtml::RenderObject*, khtml::RenderObject*) (render_flow.cpp:128)
==20807==    by 0x7686D9E: khtml::RenderBlock::addChildToFlow(khtml::RenderObject*, khtml::RenderObject*) (render_block.cpp:298)
==20807==    by 0x7661D75: khtml::RenderFlow::addChild(khtml::RenderObject*, khtml::RenderObject*) (render_flow.cpp:128)
==20807==    by 0x75CE298: DOM::NodeImpl::createRendererIfNeeded() (dom_nodeimpl.cpp:938)
==20807==    by 0x75CE2C1: DOM::ElementImpl::attach() (dom_elementimpl.cpp:536)
==20807==    by 0x75CE149: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:626)
==20807==    by 0x75F4A18: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:274)
==20807==    by 0x75CE09E: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:654)
==20807==    by 0x75F4A18: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:274)
==20807==    by 0x75CE09E: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:654)
==20807==    by 0x75F4A18: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:274)
==20807==    by 0x75D76C1: DOM::DocumentImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_docimpl.cpp:1164)
```

*** Bug 150788 has been marked as a duplicate of this bug. ***

I just got a similar crash. Here is the backtrace:

```
Using host libthread_db library "/lib/i686/cmov/libthread_db.so.1".
[Thread debugging using libthread_db enabled]
[New Thread 0xb6886b50 (LWP 7165)]
[KCrash handler]
#6  0xb5e21f0b in khtml::RenderBlock::addChildToFlow (this=0x8780dbc, newChild=0x8460a68, beforeChild=0x8780af4) at /build/buildd/kdelibs-3.5.8.dfsg.1/./khtml/rendering/render_block.cpp:372
#7  0xb5dfba9f in khtml::RenderFlow::addChild (this=0x8780dbc, newChild=0x8460a68, beforeChild=0x8780af4) at /build/buildd/kdelibs-3.5.8.dfsg.1/./khtml/rendering/render_flow.cpp:128
#8  0xb5e21e31 in khtml::RenderBlock::addChildToFlow (this=0x87801ac, newChild=0x8460a68, beforeChild=0x8780af4) at /build/buildd/kdelibs-3.5.8.dfsg.1/./khtml/rendering/render_block.cpp:298
#9  0xb5dfba9f in khtml::RenderFlow::addChild (this=0x87801ac, newChild=0x8460a68, beforeChild=0x8780af4) at /build/buildd/kdelibs-3.5.8.dfsg.1/./khtml/rendering/render_flow.cpp:128
#10 0xb5d6a89b in DOM::NodeImpl::createRendererIfNeeded (this=0x8a25830) at /build/buildd/kdelibs-3.5.8.dfsg.1/./khtml/xml/dom_nodeimpl.cpp:938
#11 0xb5d6a8c2 in DOM::ElementImpl::attach (this=0x8a25830) at /build/buildd/kdelibs-3.5.8.dfsg.1/./khtml/xml/dom_elementimpl.cpp:536
#12 0xb5d6a73c in DOM::ElementImpl::recalcStyle (this=0x8a25830, change=DOM::NodeImpl::Force) at /build/buildd/kdelibs-3.5.8.dfsg.1/./khtml/xml/dom_elementimpl.cpp:626
#13 0xb5d8ffa9 in DOM::HTMLElementImpl::recalcStyle (this=0x8a25830, ch=DOM::NodeImpl::Force) at /build/buildd/kdelibs-3.5.8.dfsg.1/./khtml/html/html_elementimpl.cpp:274
#14 0xb5d6a691 in DOM::ElementImpl::recalcStyle (this=0x8a4e860, change=DOM::NodeImpl::Force) at /build/buildd/kdelibs-3.5.8.dfsg.1/./khtml/xml/dom_elementimpl.cpp:654
#15 0xb5d8ffa9 in DOM::HTMLElementImpl::recalcStyle (this=0x8a4e860, ch=DOM::NodeImpl::Force) at /build/buildd/kdelibs-3.5.8.dfsg.1/./khtml/html/html_elementimpl.cpp:274
#16 0xb5d6a691 in DOM::ElementImpl::recalcStyle (this=0x82a6388, change=DOM::NodeImpl::Force) at /build/buildd/kdelibs-3.5.8.dfsg.1/./khtml/xml/dom_elementimpl.cpp:654
#17 0xb5d8ffa9 in DOM::HTMLElementImpl::recalcStyle (this=0x82a6388, ch=DOM::NodeImpl::Force) at /build/buildd/kdelibs-3.5.8.dfsg.1/./khtml/html/html_elementimpl.cpp:274
#18 0xb5d73b02 in DOM::DocumentImpl::recalcStyle (this=0x87885d8, change=DOM::NodeImpl::Force) at /build/buildd/kdelibs-3.5.8.dfsg.1/./khtml/xml/dom_docimpl.cpp:1164
#19 0xb5d7a6af in DOM::DocumentImpl::updateStyleSelector (this=0x87885d8, shallow=false) at /build/buildd/kdelibs-3.5.8.dfsg.1/./khtml/xml/dom_docimpl.cpp:2053
#20 0xb5d7adcc in DOM::DocumentImpl::styleSheetLoaded (this=0x87885d8) at /build/buildd/kdelibs-3.5.8.dfsg.1/./khtml/xml/dom_docimpl.cpp:1978
#21 0xb5d95063 in DOM::HTMLLinkElementImpl::finished (this=0x8a32790) at /build/buildd/kdelibs-3.5.8.dfsg.1/./khtml/html/html_headimpl.cpp:257
#22 0xb5d9902f in DOM::HTMLLinkElementImpl::setStyleSheet (this=0x8a32790, url=@0x866a060, sheetStr=@0x866a094, charset=@0xbfeb32a0) at /build/buildd/kdelibs-3.5.8.dfsg.1/./khtml/html/html_headimpl.cpp:248
#23 0xb5e74d34 in khtml::CachedCSSStyleSheet::checkNotify (this=0x866a040) at /build/buildd/kdelibs-3.5.8.dfsg.1/./khtml/misc/loader.cpp:283
#24 0xb5e74f2f in khtml::CachedCSSStyleSheet::data (this=0x866a040, buffer=@0x8985c6c, eof=true) at /build/buildd/kdelibs-3.5.8.dfsg.1/./khtml/misc/loader.cpp:271
#25 0xb5e778e5 in khtml::Loader::slotFinished (this=0x8386ef8, job=0x88d1758) at /build/buildd/kdelibs-3.5.8.dfsg.1/./khtml/misc/loader.cpp:1205
#26 0xb5e780b2 in khtml::Loader::qt_invoke (this=0x8386ef8, _id=2, _o=0xbfeb3404) at ./loader.moc:260
#27 0xb7292b10 in QObject::activate_signal (this=0x88d1758, clist=0x84784c8, o=0xbfeb3404) at kernel/qobject.cpp:2356
#28 0xb7aece1e in KIO::Job::result (this=0x88d1758, t0=0x88d1758) at ./jobclasses.moc:162
#29 0xb7b2a19d in KIO::Job::emitResult (this=0x88d1758) at /build/buildd/kdelibs-3.5.8.dfsg.1/./kio/kio/job.cpp:235
#30 0xb7b3685e in KIO::SimpleJob::slotFinished (this=0x88d1758) at /build/buildd/kdelibs-3.5.8.dfsg.1/./kio/kio/job.cpp:601
#31 0xb7b36f48 in KIO::TransferJob::slotFinished (this=0x88d1758) at /build/buildd/kdelibs-3.5.8.dfsg.1/./kio/kio/job.cpp:971
#32 0xb7b29dfd in KIO::TransferJob::qt_invoke (this=0x88d1758, _id=17, _o=0xbfeb372c) at ./jobclasses.moc:1071
#33 0xb7292b10 in QObject::activate_signal (this=0x80e8a68, clist=0x837f630, o=0xbfeb372c) at kernel/qobject.cpp:2356
#34 0xb72935f5 in QObject::activate_signal (this=0x80e8a68, signal=6) at kernel/qobject.cpp:2325
#35 0xb7ae7c3c in KIO::SlaveInterface::finished (this=0x80e8a68) at ./slaveinterface.moc:226
#36 0xb7b4dce9 in KIO::SlaveInterface::dispatch (this=0x80e8a68, _cmd=104, rawdata=@0xbfeb38f0) at /build/buildd/kdelibs-3.5.8.dfsg.1/./kio/kio/slaveinterface.cpp:243
#37 0xb7b439ba in KIO::SlaveInterface::dispatch (this=0x80e8a68) at /build/buildd/kdelibs-3.5.8.dfsg.1/./kio/kio/slaveinterface.cpp:173
#38 0xb7afcf8c in KIO::Slave::gotInput (this=0x80e8a68) at /build/buildd/kdelibs-3.5.8.dfsg.1/./kio/kio/slave.cpp:300
#39 0xb7b45fd8 in KIO::Slave::qt_invoke (this=0x80e8a68, _id=4, _o=0xbfeb39f0) at ./slave.moc:113
#40 0xb7292b10 in QObject::activate_signal (this=0x8b2a5b0, clist=0x8b03288, o=0xbfeb39f0) at kernel/qobject.cpp:2356
#41 0xb729345d in QObject::activate_signal (this=0x8b2a5b0, signal=2, param=22) at kernel/qobject.cpp:2449
#42 0xb762340d in QSocketNotifier::activated (this=0x8b2a5b0, t0=22) at .moc/debug-shared-mt/moc_qsocketnotifier.cpp:85
#43 0xb72b4cda in QSocketNotifier::event (this=0x8b2a5b0, e=0xbfeb3d28) at kernel/qsocketnotifier.cpp:258
#44 0xb722736a in QApplication::internalNotify (this=0xbfeb401c, receiver=0x8b2a5b0, e=0xbfeb3d28) at kernel/qapplication.cpp:2635
#45 0xb7229193 in QApplication::notify (this=0xbfeb401c, receiver=0x8b2a5b0, e=0xbfeb3d28) at kernel/qapplication.cpp:2358
#46 0xb7937622 in KApplication::notify (this=0xbfeb401c, receiver=0x8b2a5b0, event=0xbfeb3d28) at /build/buildd/kdelibs-3.5.8.dfsg.1/./kdecore/kapplication.cpp:550
#47 0xb71b86c9 in QApplication::sendEvent (receiver=0x8b2a5b0, event=0xbfeb3d28) at ../include/qapplication.h:520
#48 0xb72191e2 in QEventLoop::activateSocketNotifiers (this=0x80c0d90) at kernel/qeventloop_unix.cpp:578
#49 0xb71cd17f in QEventLoop::processEvents (this=0x80c0d90, flags=4) at kernel/qeventloop_x11.cpp:383
#50 0xb72426e4 in QEventLoop::enterLoop (this=0x80c0d90) at kernel/qeventloop.cpp:198
#51 0xb72423e2 in QEventLoop::exec (this=0x80c0d90) at kernel/qeventloop.cpp:145
#52 0xb7228f13 in QApplication::exec (this=0xbfeb401c) at kernel/qapplication.cpp:2758
#53 0xb6664d64 in kdemain () from /usr/lib/libkdeinit_konqueror.so
#54 0xb7fcc454 in kdeinitmain () from /usr/lib/kde3/konqueror.so
#55 0x0804ed50 in launch (argc=2, _name=0x80789ec "konqueror", args=0x80789fe "", cwd=0x0, envc=1, envs=0x8078a0f "", reset_env=false, tty=0x0, avoid_loops=false, startup_id_str=0x8078a14 "ronny;1197290707;787931;3732_TIME3289799432") at /build/buildd/kdelibs-3.5.8.dfsg.1/./kinit/kinit.cpp:673
#56 0x0804f471 in handle_launcher_request (sock=11) at /build/buildd/kdelibs-3.5.8.dfsg.1/./kinit/kinit.cpp:1240
#57 0x0804f989 in handle_requests (waitForPid=0) at /build/buildd/kdelibs-3.5.8.dfsg.1/./kinit/kinit.cpp:1443
#58 0x080504a4 in main (argc=5, argv=0xbfeb4ab4, envp=0xbfeb4acc) at /build/buildd/kdelibs-3.5.8.dfsg.1/./kinit/kinit.cpp:1908
#59 0xb7d19450 in __libc_start_main () from /lib/i686/cmov/libc.so.6
#60 0x0804bb51 in _start ()
```

*** Bug 154046 has been marked as a duplicate of this bug. ***

*** Bug 154634 has been marked as a duplicate of this bug. ***

*** Bug 156755 has been marked as a duplicate of this bug. ***

*** Bug 157008 has been marked as a duplicate of this bug. ***

It still crashes with kde-3.5.9.

*** Bug 159120 has been marked as a duplicate of this bug. ***

*** Bug 158383 has been marked as a duplicate of this bug. ***

*** Bug 158611 has been marked as a duplicate of this bug. ***

*** Bug 159076 has been marked as a duplicate of this bug. ***

And the last one was with KDE 4.0.2...

The render-tree is corrupted somehow.
The crash happens because m_first is null, but m_last is not null. They should either both be null, or both not null. Now to figure out where the tree is corrupted..

This crash is created by generated content with display: block. A quick work-around is to force generated content to display:inline again. This is what WebKit does. The reason it crashes is that inserting a block into an inline can affect the render parents, in this case deleting the element that is currently inserting the child. The bug has become common after the frequent use of CSS of the type:

```css
.clear::after { display:block; clear:both; }
```

Created attachment 23874 [details]
Patch
This patch saves responsible parents from auto-deletion while they are
inserting children.
Created attachment 23875 [details]
Corrected patch
Previous patch was missing a critical difference.
Hi Allan, I comment not specifically on the patch, but while in the vicinity of removeLeftoverAnonymousBoxes, I would like to know what you think of this analysis of the function (which regularly shows up in profiling tools here).

Here is how I understand the flow: we have a block (b) that gets inserted inside a block (a) that is childrenInline:

```
[anon block (a)] ---> addChildToFlow( [block (b)] )
 |
 |_____il-1
 |
 |_____il-2
```

so makeChildrenNonInline runs, creating anon block (c), and we have (temporarily)

```
[anon block (a)]
 |
 |___[anon block (c)]
 |    |
 |    |_____il-1
 |    |
 |    |_____il-2
 |
 |____[block b]
```

but now [anon block (a)] realizes it is useless, because all its content is block level now, so it runs removeLeftoverAnonymousBoxes to fix that... but it looks like it's a really, really big hammer for such a simple task. It's going to walk all children and then climb back recursively to parents (!!!), attempting to sanitize the whole tree. Now, [anon block (a)] will end up being removed and its content put back in the parent, and that's all that should happen, because its children are already in a sane state (cf. [anon block (c)]), and its parent can't possibly be affected by the flattening (as it is about an anonymous block that is being replaced by its block-level children, so the end result is just more blocks in the parent). So it seems to me we should have another, much more lightweight function that would not try to sanitize the whole tree each time it is run. The only other occasion of having leftover anon blocks I can think of is when they are left empty by the removal of their last child (not sure if there is not some other code already handling that case - could not find it). So eventually we should be able to avoid this sanitizing completely by checking anon blocks for emptiness in the ::removeChild* functions, no? Does that analysis look correct to you or did I miss something?

Yes, the function could be simplified.
Personally I would prefer if anonymous blocks were never responsible for handling their children. They only exist as a layout mechanism. Inserting and removing children should be handled by non-anonymous parents that can create and destroy the anonymous helper-blocks as needed.

By my testing, the patch fixes the crashes here, and nothing crashes on the dupes post-it (while most crashed for me beforehand). #156949 looks fixed, too.

> Personally I would prefer if anonymous blocks were never responsible for
> handling their children.

I can only agree... but the only possibility for this to happen, isn't it when we are making generated content and other before/after pseudo classes alike, anyway? I'm a bit fuzzy on that.

Should not be too hard to fix in that case (I'm not volunteering just yet though :)
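The two points made above, the m_first/m_last invariant together with a parent being deleted while it is still inserting a child, and the "big hammer" cleanup of leftover anonymous blocks, can be shown in a small self-contained model. The following is an added example written for this page; it is not khtml code and not the patch attached here. Box, Tree, insertGuard, sanitize and runScenario are hypothetical names, the tree is constructed inline, and a "deleted" box is only flagged rather than freed so the scenario stays observable (in the real engine the same access is a use-after-free). It does not reproduce the exact m_first-null/m_last-set corruption, only the ordering hazard and the effect of protecting the inserting parent until the insertion has completed.

```cpp
#include <cassert>
#include <memory>
#include <string>
#include <vector>

// Simplified model of a khtml-style render container (added example, not khtml
// code; Box, Tree, insertGuard, sanitize and runScenario are hypothetical).
struct Box {
    std::string name;
    bool anonymous = false;
    bool block = false;          // block-level (true) or inline (false)
    bool childrenInline = true;  // container currently holds inline children
    bool alive = true;           // false once "deleted" (real code would free it)
    int insertGuard = 0;         // >0 while this box is inserting a child
    Box* parent = nullptr;
    Box* m_first = nullptr;      // first child
    Box* m_last = nullptr;       // last child
    Box* prev = nullptr;         // previous sibling
    Box* next = nullptr;         // next sibling
};

// The invariant quoted in the bug: m_first and m_last are both null or both set.
bool childListConsistent(const Box* b) {
    return (b->m_first == nullptr) == (b->m_last == nullptr);
}

struct Tree {
    std::vector<std::unique_ptr<Box>> arena;  // owns every box, deleted ones too
    bool protectInsertingParent = false;      // the fix under test
    bool usedDeletedParent = false;           // set if a deleted parent is touched

    Box* make(const std::string& n, bool block, bool anonymous = false) {
        arena.push_back(std::make_unique<Box>());
        Box* b = arena.back().get();
        b->name = n; b->block = block; b->anonymous = anonymous;
        return b;
    }
    // Unlink c from its parent's child list, keeping m_first/m_last consistent.
    static void detach(Box* c) {
        Box* p = c->parent;
        if (c->prev) c->prev->next = c->next; else p->m_first = c->next;
        if (c->next) c->next->prev = c->prev; else p->m_last = c->prev;
        c->parent = c->prev = c->next = nullptr;
    }
    // Link c into p before 'before' (nullptr appends).
    static void link(Box* p, Box* c, Box* before) {
        c->parent = p; c->next = before;
        c->prev = before ? before->prev : p->m_last;
        if (c->prev) c->prev->next = c; else p->m_first = c;
        if (before) before->prev = c; else p->m_last = c;
    }
    // Wrap p's inline children in a fresh anonymous block, then run the
    // tree-wide cleanup that the discussion above describes.
    void makeChildrenNonInline(Box* p) {
        Box* anon = make("anon", true, true);
        while (p->m_first) { Box* c = p->m_first; detach(c); link(anon, c, nullptr); }
        link(p, anon, nullptr);
        p->childrenInline = false;
        sanitize(p->parent);
    }
    // Remove anonymous children of p whose own children are all block-level by
    // hoisting those children into p. With the fix, a box mid-insertion is skipped.
    void sanitize(Box* p) {
        if (!p) return;
        for (Box* c = p->m_first; c;) {
            Box* nxt = c->next;
            bool guarded = protectInsertingParent && c->insertGuard > 0;
            if (c->anonymous && !c->childrenInline && !guarded) {
                while (c->m_first) { Box* k = c->m_first; detach(k); link(p, k, c); }
                detach(c);
                c->alive = false;  // in khtml this is a real delete
            }
            c = nxt;
        }
    }
    // The crashing path: a block-level child arrives in an inline-children parent.
    void addChildToFlow(Box* p, Box* c) {
        ++p->insertGuard;
        if (p->childrenInline && c->block) makeChildrenNonInline(p);
        if (!p->alive) usedDeletedParent = true;  // would be a use-after-free
        link(p, c, nullptr);
        --p->insertGuard;
        sanitize(p->parent);  // deferred cleanup, now that insertion is complete
    }
};

struct Result {
    bool touchedDeletedParent;
    std::vector<std::string> rootChildren;
};

// Build [root] -> [anon block a] -> il-1, il-2 and insert block b into a.
Result runScenario(bool protectParent) {
    Tree t;
    t.protectInsertingParent = protectParent;
    Box* root = t.make("root", true);
    root->childrenInline = false;
    Box* a = t.make("a", true, true);
    Tree::link(root, a, nullptr);
    Tree::link(a, t.make("il-1", false), nullptr);
    Tree::link(a, t.make("il-2", false), nullptr);
    t.addChildToFlow(a, t.make("b", true));
    Result r{t.usedDeletedParent, {}};
    for (Box* c = root->m_first; c; c = c->next) r.rootChildren.push_back(c->name);
    for (auto& box : t.arena)
        if (box->alive) assert(childListConsistent(box.get()));
    return r;
}
```

Without the guard, the cleanup triggered from inside makeChildrenNonInline flattens block (a) into the root while (a) is still the parent executing the insertion, so the new child is linked into a box that no longer exists; with the guard, the same flattening is deferred until the insertion returns and the root ends up holding the new anonymous block and (b), which is the end state the analysis above expects.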
http://www.laptopykomputery.pl makes konqueror 4 compiled from revision 785508 crash.

Yes, www.laptopykomputery.pl now crashes in Qt after an updateFromElement() call. I strongly suspect that this is a new bug.

SVN commit 786289 by carewolf:

Protect anonymous blocks from being deleted while they are actively inserting a new child
BUG:150006

M +14 -6 render_container.cpp
M +2 -1 render_object.cpp
M +6 -1 render_object.h

WebSVN link: http://websvn.kde.org/?view=rev&revision=786289

*** Bug 159329 has been marked as a duplicate of this bug. ***

This bug was also triggered by viewing a forum post on debianhelp.org, e.g. http://www.debianhelp.org/node/13223 . I can confirm that it was fixed by attachment #23875 [details].

*** Bug 161031 has been marked as a duplicate of this bug. ***

I just entered Bug 161197 for a crash in addChildToFlow(), but noticed the same issue is reported here too. I'm using KDE 3.5.9 and get a crash at http://www.debianhelp.org/node/12618.

Still not fixed in the Mandriva distro.

*** Bug 161714 has been marked as a duplicate of this bug. ***

*** Bug 161771 has been marked as a duplicate of this bug. ***

*** Bug 162086 has been marked as a duplicate of this bug. ***

*** Bug 162425 has been marked as a duplicate of this bug. ***