Bug 155434

Summary:	facebook: clicking on a button in the "requests" section causes crash
Product:	[Applications] konqueror	Reporter:	A. Spehr <zahl>
Component:	khtml	Assignee:	Konqueror Developers <konq-bugs>
Status:	RESOLVED FIXED
Severity:	crash	CC:	maksim
Priority:	NOR
Version:	4.0
Target Milestone:	---
Platform:	Compiled Sources
OS:	Linux
Latest Commit:		Version Fixed In:
Sentry Crash Report:

Description A. Spehr 2008-01-11 03:02:41 UTC

Version:           4.0.80 >= 20080104 (using KDE Devel)
Installed from:    Compiled sources
Compiler:          gcc version 4.2.3 
OS:                Linux

To reproduce: 
1) From your facebook homepage, look to the grey box on the right below the blue bar at the top. This is the box with "Requests", "Status Update", "Birthdays", etc. I mention this because I don't think you'll have "Requests" show up if you haven't had anyone try to friend you lately or invite you to some silly application.

2) Click on "Requests" (if you need some, ask! :)

3) On that page, hit the "ignore" button 

4) Crash

Note: Apparently /accepting/ doesn't crash it, instead it sends you to the "do you want to install ---?" page. Once I get more requests, I guess I can test to make sure.

Valgrind says:

==11511==
==11511== Invalid read of size 4
==11511==    at 0xA8B1C05: khtml::RenderBox::repaintRectangle(int, int, int,int, Priority, bool) (render_box.cpp:892)
==11511==    by 0xA8CC540: khtml::RenderTableCell::repaintRectangle(int, int, int, int, Priority, bool) (render_table.cpp:2405)
==11511==    by 0xA8B1D30: khtml::RenderBox::repaintRectangle(int, int, int,int, Priority, bool) (render_box.cpp:898)
==11511==    by 0xA8B21FF: khtml::RenderBox::repaint(Priority) (render_box.cpp:871)
==11511==    by 0xA8B6B30: khtml::RenderFlow::repaint(Priority) (render_flow.cpp:476)
==11511==    by 0xA8AAEA8: khtml::RenderContainer::removeChildNode(khtml::RenderObject*) (render_container.cpp:151)
==11511==    by 0xA8B4431: khtml::RenderBox::removeChild(khtml::RenderObject*) (render_box.cpp:248)
==11511==    by 0xA8899D5: khtml::RenderBlock::removeChild(khtml::RenderObject*) (render_block.cpp:570)
==11511==    by 0xA8A7788: khtml::RenderObject::remove() (render_object.h:795)
==11511==    by 0xA89F421: khtml::RenderObject::detach() (render_object.cpp:1678)
==11511==    by 0xA8B4476: khtml::RenderBox::detach() (render_box.cpp:218)
==11511==    by 0xA8B71BE: khtml::RenderFlow::detach() (render_flow.cpp:361)
==11511==  Address 0x2c is not stack'd, malloc'd or (recently) free'd

Backtrace says:

#6  0x00000000 in ?? ()
#7  0xb41d0c0f in khtml::RenderBox::repaintRectangle (this=0x8454e70, x=112, 
    y=85, w=316, h=41, p=NormalPriority, f=false)
    at /home/kde-devel/kde/src/KDE/kdelibs/khtml/rendering/render_box.cpp:892
#8  0xb41eb541 in khtml::RenderTableCell::repaintRectangle (this=0x8454e70, 
    x=10, y=85, w=316, h=41, p=NormalPriority, f=false)

With the rest at:  http://pastebin.ca/850207
btw: 
print o
$1 = (class khtml::RenderObject *) 0x842fb60

Comment 1 Maksim Orlovich 2008-01-31 19:10:18 UTC

==14130== Invalid read of size 1
==14130==    at 0xC5F5D2E: khtml::RenderObject::setMinMaxKnown(bool) (render_object.h:337)
==14130==    by 0xC5FE8C9: khtml::RenderObject::setNeedsLayoutAndMinMaxRecalc() (render_object.h:345)
==14130==    by 0xC715B85: khtml::RenderContainer::removeChildNode(khtml::RenderObject*) (render_container.cpp:146)
==14130==    by 0xC71DA23: khtml::RenderBox::removeChild(khtml::RenderObject*) (render_box.cpp:248)
==14130==    by 0xC6F8B43: khtml::RenderBlock::removeChild(khtml::RenderObject*) (render_block.cpp:570)
==14130==    by 0xC71290B: khtml::RenderObject::remove() (render_object.h:795)
==14130==    by 0xC70BF35: khtml::RenderObject::detach() (render_object.cpp:1678)
==14130==    by 0xC71DA7A: khtml::RenderBox::detach() (render_box.cpp:218)
==14130==    by 0xC72000F: khtml::RenderFlow::detach() (render_flow.cpp:361)
==14130==    by 0xC672BDB: DOM::NodeImpl::detach() (dom_nodeimpl.cpp:957)
==14130==    by 0xC672C57: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1548)
==14130==    by 0xC67D71D: DOM::ElementImpl::detach() (dom_elementimpl.cpp:725)
==14130==    by 0xC672C44: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1546)
==14130==    by 0xC67D71D: DOM::ElementImpl::detach() (dom_elementimpl.cpp:725)
==14130==    by 0xC672C44: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1546)
==14130==    by 0xC67D71D: DOM::ElementImpl::detach() (dom_elementimpl.cpp:725)
==14130==    by 0xC672C44: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1546)
==14130==    by 0xC67D71D: DOM::ElementImpl::detach() (dom_elementimpl.cpp:725)
==14130==    by 0xC672C44: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1546)
==14130==    by 0xC67D71D: DOM::ElementImpl::detach() (dom_elementimpl.cpp:725)
==14130==    by 0xC672F38: DOM::NodeBaseImpl::removeChildren() (dom_nodeimpl.cpp:1371)
==14130==    by 0xC6ABE6B: DOM::HTMLElementImpl::setInnerHTML(DOM::DOMString const&, int&) (html_elementimpl.cpp:578)
==14130==    by 0xC7D83FD: KJS::HTMLElement::putValueProperty(KJS::ExecState*, int, KJS::JSValue*, int) (kjs_html.cpp:2597)
==14130==    by 0xC7ED450: bool KJS::lookupPut<KJS::HTMLElement>(KJS::ExecState*, KJS::Identifier const&, KJS::JSValue*, int, KJS::HashTable const*, KJS::HTMLElement*) (lookup.h:249)
==14130==    by 0xC7ED4A7: void KJS::lookupPut<KJS::HTMLElement, KJS::DOMElement>(KJS::ExecState*, KJS::Identifier const&, KJS::JSValue*, int,KJS::HashTable const*, KJS::HTMLElement*) (lookup.h:265)
==14130==    by 0xC7D8955: KJS::HTMLElement::put(KJS::ExecState*, KJS::Identifier const&, KJS::JSValue*, int) (kjs_html.cpp:2373)
==14130==    by 0xC2E3A50: KJS::AssignDotNode::evaluate(KJS::ExecState*) (nodes.cpp:1830)
==14130==    by 0xC2DB40A: KJS::ExprStatementNode::execute(KJS::ExecState*) (nodes.cpp:2168)
==14130==    by 0xC2DAA25: KJS::SourceElementsNode::execute(KJS::ExecState*) (nodes.cpp:2979)
==14130==    by 0xC2D740B: KJS::BlockNode::execute(KJS::ExecState*) (nodes.cpp:2145)
==14130==    by 0xC2E046F: KJS::IfNode::execute(KJS::ExecState*) (nodes.cpp:2200)
==14130==    by 0xC2DA936: KJS::SourceElementsNode::execute(KJS::ExecState*) (nodes.cpp:2973)
==14130==    by 0xC2D740B: KJS::BlockNode::execute(KJS::ExecState*) (nodes.cpp:2145)
==14130==    by 0xC2E046F: KJS::IfNode::execute(KJS::ExecState*) (nodes.cpp:2200)
==14130==    by 0xC2DAA25: KJS::SourceElementsNode::execute(KJS::ExecState*) (nodes.cpp:2979)
==14130==    by 0xC2D740B: KJS::BlockNode::execute(KJS::ExecState*) (nodes.cpp:2145)
==14130==    by 0xC318420: KJS::DeclaredFunctionImp::execute(KJS::ExecState*) (function.cpp:373)
==14130==    by 0xC319A3E: KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) (function.cpp:161)
==14130==    by 0xC320CCC: KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) (object.cpp:99)
==14130==    by 0xC2DDC5F: KJS::FunctionCallReferenceNode::evaluate(KJS::ExecState*) (nodes.cpp:1038)
==14130==    by 0xC2DB40A: KJS::ExprStatementNode::execute(KJS::ExecState*) (nodes.cpp:2168)
==14130==    by 0xC2DA936: KJS::SourceElementsNode::execute(KJS::ExecState*) (nodes.cpp:2973)
==14130==    by 0xC2D740B: KJS::BlockNode::execute(KJS::ExecState*) (nodes.cpp:2145)
==14130==    by 0xC31B3CF: KJS::GlobalFuncImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) (function.cpp:953)
==14130==    by 0xC320CCC: KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) (object.cpp:99)
==14130==    by 0xC2DDC5F: KJS::FunctionCallReferenceNode::evaluate(KJS::ExecState*) (nodes.cpp:1038)
==14130==    by 0xC2DB40A: KJS::ExprStatementNode::execute(KJS::ExecState*) (nodes.cpp:2168)
==14130==    by 0xC2DAA25: KJS::SourceElementsNode::execute(KJS::ExecState*) (nodes.cpp:2979)
==14130==    by 0xC2D740B: KJS::BlockNode::execute(KJS::ExecState*) (nodes.cpp:2145)
==14130==    by 0xC2E046F: KJS::IfNode::execute(KJS::ExecState*) (nodes.cpp:2200)
==14130==  Address 0x7031013 is 35 bytes inside a block of size 92 free'd
==14130==    at 0x40213CC: free (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==14130==    by 0xC726440: khtml::RenderArena::free(unsigned, void*) (render_arena.cpp:122)
==14130==    by 0xC70BEC2: khtml::RenderObject::arenaDelete(khtml::RenderArena*, void*) (render_object.cpp:1700)
==14130==    by 0xC70BF87: khtml::RenderObject::detach() (render_object.cpp:1685)
==14130==    by 0xC734C05: khtml::RenderTableRow::detach() (render_table.cpp:2083)
==14130==    by 0xC7164FE: khtml::RenderBox::detachRemainingChildren() (render_box.cpp:236)
==14130==    by 0xC71DA72: khtml::RenderBox::detach() (render_box.cpp:217)
==14130==    by 0xC7324FD: khtml::RenderTableSection::detach() (render_table.cpp:1026)
==14130==    by 0xC7164FE: khtml::RenderBox::detachRemainingChildren() (render_box.cpp:236)
==14130==    by 0xC71FF0D: khtml::RenderFlow::detach() (render_flow.cpp:326)
==14130==    by 0xC7164FE: khtml::RenderBox::detachRemainingChildren() (render_box.cpp:236)
==14130==    by 0xC71FF0D: khtml::RenderFlow::detach() (render_flow.cpp:326)
==14130==    by 0xC672BDB: DOM::NodeImpl::detach() (dom_nodeimpl.cpp:957)
==14130==    by 0xC672C57: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1548)
==14130==    by 0xC67D71D: DOM::ElementImpl::detach() (dom_elementimpl.cpp:725)
==14130==    by 0xC67D359: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:794)
==14130==    by 0xC6ACD48: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:277)
==14130==    by 0xC67D446: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:825)
==14130==    by 0xC6ACD48: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:277)
==14130==    by 0xC67D446: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:825)
==14130==    by 0xC6ACD48: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:277)
==14130==    by 0xC67D446: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:825)
==14130==    by 0xC6ACD48: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:277)
==14130==    by 0xC67D446: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:825)
==14130==    by 0xC6ACD48: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:277)
==14130==    by 0xC67D446: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:825)
==14130==    by 0xC6ACD48: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:277)
==14130==    by 0xC67D446: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:825)
==14130==    by 0xC6ACD48: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:277)
==14130==    by 0xC67D446: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:825)
==14130==    by 0xC6ACD48: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:277)
==14130==    by 0xC67D446: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:825)
==14130==    by 0xC6ACD48: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:277)
==14130==    by 0xC67D446: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:825)
==14130==    by 0xC6ACD48: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:277)
==14130==    by 0xC67D446: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:825)
==14130==    by 0xC6ACD48: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:277)
==14130==    by 0xC661611: DOM::DocumentImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_docimpl.cpp:1196)
==14130==    by 0xC65AF48: DOM::DocumentImpl::updateRendering() (dom_docimpl.cpp:1225)
==14130==    by 0xC6612B5: DOM::DocumentImpl::updateDocumentsRendering() (dom_docimpl.cpp:1238)
==14130==    by 0xC677C28: DOM::NodeImpl::dispatchGenericEvent(DOM::EventImpl*, int&) (dom_nodeimpl.cpp:510)
==14130==    by 0xC6764AA: DOM::NodeImpl::dispatchEvent(DOM::EventImpl*, int&, bool) (dom_nodeimpl.cpp:421)
==14130==    by 0xC678419: DOM::NodeImpl::dispatchHTMLEvent(int, bool, bool) (dom_nodeimpl.cpp:519)
==14130==    by 0xC65E6D8: DOM::DocumentImpl::setFocusNode(DOM::NodeImpl*) (dom_docimpl.cpp:2311)
==14130==    by 0xC5EE53E: KHTMLView::focusNextPrevNode(bool) (khtmlview.cpp:2365)
==14130==    by 0xC5EECCF: KHTMLView::focusNextPrevChild(bool) (khtmlview.cpp:1919)
==14130==    by 0x545F3AC: QWidget::focusNextPrevChild(bool) (qwidget.cpp:4614)
==14130==    by 0x545F3AC: QWidget::focusNextPrevChild(bool) (qwidget.cpp:4614)
==14130==    by 0x545F3AC: QWidget::focusNextPrevChild(bool) (qwidget.cpp:4614)
==14130==    by 0x546226F: QWidgetPrivate::hide_helper() (qwidget.cpp:5494)

Comment 2 Maksim Orlovich 2008-01-31 20:02:19 UTC

SVN commit 769176 by orlovich:

Instead of trying to figure out whether to do a silent focus clear
when a previously-focus widget is getting destroyed in both
the document and the view (and getting them out-of-sync), have a
special quietResetFocus() method, and call it from the view's
focusNextPrevNode as appropriate. Fixes a crash when ignoring
requests on FaceBook
BUG: 155434

 M  +4 -5      khtmlview.cpp  
 M  +21 -12    xml/dom_docimpl.cpp  
 M  +3 -2      xml/dom_docimpl.h  


WebSVN link: http://websvn.kde.org/?view=rev&revision=769176