Bug 166056

Summary: crash (SEGV) in khtml TreeShared<DOM::NodeImpl>
Product: [Applications] konqueror
Reporter: Matthew Woehlke <mwoehlke.floss>
Component: khtml
Assignee: Konqueror Developers <konq-bugs>
Status: RESOLVED DUPLICATE    
Severity: crash CC: jakob.bugs, maksim, Regnaron, StormByte
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: Compiled Sources   
OS: Linux   
Latest Commit:
Version Fixed In:
Sentry Crash Report:

Description Matthew Woehlke 2008-07-08 17:05:21 UTC
Version:            (using Devel)
Installed from:    Compiled sources
OS:                Linux

konq consistently blows up trying to visit http://vivapinkfloyd.blogspot.com/2008/07/apricot-open-source-blender-game.html, with the following:

Application: Konqueror (konqueror), signal SIGSEGV
Using host libthread_db library "/lib64/libthread_db.so.1".
[Thread debugging using libthread_db enabled]
[New Thread 140003400451840 (LWP 30940)]
[KCrash handler]
#5  0x00007f550ba8f87c in khtml::TreeShared<DOM::NodeImpl>::ref (this=0x0)
    at /usr/local/src/kde/svn/trunk/kdelibs/khtml/misc/shared.h:61
#6  0x00007f550bb2132f in NodeListImpl (this=0x7fff20267ea0, n=0x0, type=15, 
    factory=0x7f550bb91546 <CollectionCache::make()>)
    at /usr/local/src/kde/svn/trunk/kdelibs/khtml/xml/dom_nodeimpl.cpp:2021
#7  0x00007f550bb90a18 in HTMLCollectionImpl (this=0x7fff20267ea0, _base=0x0, 
    _type=15)
    at /usr/local/src/kde/svn/trunk/kdelibs/khtml/html/html_miscimpl.cpp:70
#8  0x00007f550bd21444 in KJS::FrameArray::getOwnPropertySlot (
    this=0x7f55086d6700, exec=0x7fff2026a6b0, propertyName=@0x7fff20267f60, 
    slot=@0x7fff20268000)
    at /usr/local/src/kde/svn/trunk/kdelibs/khtml/ecma/kjs_window.cpp:2565
#9  0x00007f550b435c40 in KJS::JSObject::getOwnPropertySlot (
    this=0x7f55086d6700, exec=0x7fff2026a6b0, propertyName=0, 
    slot=@0x7fff20268000)
    at /usr/local/src/kde/svn/trunk/kdelibs/kjs/object.cpp:200
#10 0x00007f550b4349a2 in KJS::JSObject::getPropertySlot (this=0x7f55086d6700, 
    exec=0x7fff2026a6b0, propertyName=0, slot=@0x7fff20268000)
    at /usr/local/src/kde/svn/trunk/kdelibs/kjs/object.cpp:185
#11 0x00007f550b433a98 in KJS::JSValue::getByIndex (this=0x7f55086d6700, 
    exec=0x7fff2026a6b0, propertyName=0)
    at /usr/local/src/kde/svn/trunk/kdelibs/kjs/value.cpp:227
#12 0x00007f550b4532ef in KJS::Machine::runBlock (exec=0x7fff2026a6b0, 
    codeBlock=@0x28826c8, parentExec=0x1690710) at codes.def:727
#13 0x00007f550b4309c8 in KJS::FunctionImp::callAsFunction (
    this=0x7f5508657ac0, exec=0x1690710, thisObj=0x7f550c3c0000, 
    args=@0x28a73b8)
    at /usr/local/src/kde/svn/trunk/kdelibs/kjs/function.cpp:143
#14 0x00007f550b434f8b in KJS::JSObject::call (this=0x7f5508657ac0, 
    exec=0x1690710, thisObj=0x7f550c3c0000, args=@0x28a73b8)
    at /usr/local/src/kde/svn/trunk/kdelibs/kjs/object.cpp:99
#15 0x00007f550bd22708 in KJS::ScheduledAction::execute (this=0x28a73b0, 
    window=0x7f550c3c0000)
    at /usr/local/src/kde/svn/trunk/kdelibs/khtml/ecma/kjs_window.cpp:2174
#16 0x00007f550bd229cf in KJS::WindowQObject::timerEvent (this=0x12c1f10)
    at /usr/local/src/kde/svn/trunk/kdelibs/khtml/ecma/kjs_window.cpp:2350
#17 0x00007f55168a078e in QObject::event (this=0x12c1f10, e=0x7fff2026b2c0)
    at /usr/local/src/kde/svn/trunk/qt-copy/src/corelib/kernel/qobject.cpp:1105
#18 0x00007f5515abb469 in QApplicationPrivate::notify_helper (this=0x10f9560, 
    receiver=0x12c1f10, e=0x7fff2026b2c0)
    at /usr/local/src/kde/svn/trunk/qt-copy/src/gui/kernel/qapplication.cpp:3772
#19 0x00007f5515abb78b in QApplication::notify (this=0x7fff2026b6e0, 
    receiver=0x12c1f10, e=0x7fff2026b2c0)
    at /usr/local/src/kde/svn/trunk/qt-copy/src/gui/kernel/qapplication.cpp:3366
#20 0x00007f551754eba4 in KApplication::notify (this=0x7fff2026b6e0, 
    receiver=0x12c1f10, event=0x7fff2026b2c0)
    at /usr/local/src/kde/svn/trunk/kdelibs/kdeui/kernel/kapplication.cpp:311
#21 0x00007f551688d93e in QCoreApplication::notifyInternal (
    this=0x7fff2026b6e0, receiver=0x12c1f10, event=0x7fff2026b2c0)
    at /usr/local/src/kde/svn/trunk/qt-copy/src/corelib/kernel/qcoreapplication.cpp:583
#22 0x00007f55168911db in QCoreApplication::sendEvent (receiver=0x12c1f10, 
    event=0x7fff2026b2c0)
    at /usr/local/src/kde/svn/trunk/qt-copy/src/corelib/kernel/qcoreapplication.h:215
#23 0x00007f55168bde51 in QTimerInfoList::activateTimers (this=0x10fc950)
    at /usr/local/src/kde/svn/trunk/qt-copy/src/corelib/kernel/qeventdispatcher_unix.cpp:563
#24 0x00007f55168baf09 in timerSourceDispatch (source=0x10fc8f0)
    at /usr/local/src/kde/svn/trunk/qt-copy/src/corelib/kernel/qeventdispatcher_glib.cpp:166
#25 0x0000003159a2ef53 in g_main_context_dispatch ()
   from /lib64/libglib-2.0.so.0
#26 0x0000003159a3224d in ?? () from /lib64/libglib-2.0.so.0
#27 0x0000003159a3277e in g_main_context_iteration ()
   from /lib64/libglib-2.0.so.0
#28 0x00007f55168ba8f0 in QEventDispatcherGlib::processEvents (this=0x10f4720, 
    flags=@0x7fff2026b4e0)
    at /usr/local/src/kde/svn/trunk/qt-copy/src/corelib/kernel/qeventdispatcher_glib.cpp:325
#29 0x00007f5515b5a093 in QGuiEventDispatcherGlib::processEvents (
    this=0x10f4720, flags=@0x7fff2026b540)
    at /usr/local/src/kde/svn/trunk/qt-copy/src/gui/kernel/qguieventdispatcher_glib.cpp:204
#30 0x00007f551688a8bc in QEventLoop::processEvents (this=0x7fff2026b5f0, 
    flags=@0x7fff2026b5a0)
    at /usr/local/src/kde/svn/trunk/qt-copy/src/corelib/kernel/qeventloop.cpp:149
#31 0x00007f551688aab8 in QEventLoop::exec (this=0x7fff2026b5f0, 
    flags=@0x7fff2026b600)
    at /usr/local/src/kde/svn/trunk/qt-copy/src/corelib/kernel/qeventloop.cpp:196
#32 0x00007f551688e1ca in QCoreApplication::exec ()
    at /usr/local/src/kde/svn/trunk/qt-copy/src/corelib/kernel/qcoreapplication.cpp:845
#33 0x00007f5515abb1ca in QApplication::exec ()
    at /usr/local/src/kde/svn/trunk/qt-copy/src/gui/kernel/qapplication.cpp:3304
#34 0x00000000006d7e19 in kdemain (argc=2, argv=0x7fff2026c1a8)
    at /usr/local/src/kde/svn/trunk/kdebase/apps/konqueror/src/konqmain.cpp:227
#35 0x0000000000400933 in main (argc=2, argv=0x7fff2026c1a8)
    at /var/local/build/kde/svn/trunk/kdebase/apps/konqueror/src/konqueror_dummy.cpp:3
#0  0x000000313389ac61 in nanosleep () from /lib64/libc.so.6


This is with r829290. Caveat: my nsplugin installation is hosed (likely due to 'yum remove'ing the i386 version), though I'm unconvinced that would directly cause this. (I'll likely try a complete rebuild of libs+base later, after I manage to submit this amidst konq crashing on me :-).)
Comment 1 Matthew Woehlke 2008-07-08 17:06:13 UTC
...silly karma :-), unconfirming until someone else can reproduce
Comment 2 Christophe Marin 2008-07-08 18:00:06 UTC
I can't reproduce using Konqueror from trunk (kdelibs rev. 829304).

Comment 3 Christophe Marin 2008-07-08 18:07:51 UTC
Note: the bt is the same as the one in bug 164348.
Comment 4 Christophe Marin 2008-07-08 18:13:34 UTC

*** This bug has been marked as a duplicate of 127147 ***
Comment 5 Maksim Orlovich 2008-07-08 18:23:14 UTC
This one may be slightly different, actually, since it doesn't have to do with backwards navigation. They just share a crash point...
Comment 6 Maksim Orlovich 2008-07-08 18:24:50 UTC
as above..
Comment 7 Matthew Woehlke 2008-07-08 22:28:24 UTC
Still reproducible in r829547 after clean builds of libs and base (which seems to have fixed the nsplugin problem also). Note: I don't get the crash *every* time, but it feels like it dies more often than not.

I can reproduce with a clean session, i.e. launch konq (don't restore session if asked), paste the address and hit 'enter' to load the site, usually but not always -> SEGV.

I'm on Fedora 8 on an x64 (KDE4 built from sources as in the report headers)

http://www.sagemath.org (from bug 164384) doesn't crash for me
Comment 8 Christophe Marin 2008-08-09 19:44:06 UTC
*** Bug 168819 has been marked as a duplicate of this bug. ***
Comment 9 Oliver Putz 2008-08-12 07:59:47 UTC
Not really reproducible, but I managed to crash konqueror on this page at least once. (I clicked on the title (to go to the page itself) and then hit the back button which made konqueror-4.1.0 crash for me). At least for me, the page from bug #168954 crashes with the same backtrace, but far more reliably.
Comment 10 Oliver Putz 2008-08-12 08:00:28 UTC
*** Bug 168954 has been marked as a duplicate of this bug. ***
Comment 11 Maksim Orlovich 2008-08-13 19:05:19 UTC

*** This bug has been marked as a duplicate of 164384 ***
Comment 12 Maksim Orlovich 2008-08-13 19:07:01 UTC
Err, wrong number.
Comment 13 Maksim Orlovich 2008-08-13 19:07:15 UTC

*** This bug has been marked as a duplicate of 164348 ***