Bug 167318

Summary: [testcase] konqueror crashes when loading www.snowboardclub.co.uk
Product: [Applications] konqueror
Reporter: mccope
Component: khtml parsing
Assignee: Konqueror Developers <konq-bugs>
Status: RESOLVED FIXED
Severity: crash
CC: bou.gui, christophe, daniel.dumitrache, dglent, emmanuel.surleau, germain, mail, msp, rap, schnitzelkuchen, shentey
Priority: NOR
Keywords: testcase
Version: unspecified
Target Milestone: ---
Platform: Compiled Sources
OS: Linux
Latest Commit:
Version Fixed In:
Sentry Crash Report:
Attachments:
  HTML file testcase
  style sheet which causes konqueror to crash
  terminal log of Konqueror running testcase in Valgrind
  Proposed patch for bug 167318
  the modified patch I intend to commit

Description mccope 2008-07-23 19:52:50 UTC
Version:            (using Devel)
Installed from:    Compiled sources
Compiler:          g++ (Debian 4.3.1-6) 4.3.1 
OS:                Linux

Konqueror crashes when visiting www.snowboardclub.co.uk.

Below is a backtrace:

Application: Konqueror (konqueror), signal SIGABRT
[Current thread is 0 (LWP 32293)]

Thread 4 (Thread 0xb0d25b90 (LWP 514)):
#0  0xb7f70424 in __kernel_vsyscall ()
#1  0xb7261342 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib/i686/cmov/libpthread.so.0
#2  0xb72f2da2 in QWaitConditionPrivate::wait (this=0x9d5bbf0, time=30000) at thread/qwaitcondition_unix.cpp:86
#3  0xb72f28bb in QWaitCondition::wait (this=0x9d5c088, mutex=0x9d5c084, time=30000) at thread/qwaitcondition_unix.cpp:265
#4  0xb72e619a in QThreadPoolThread::run (this=0x988b8b0) at concurrent/qthreadpool.cpp:179
#5  0xb72f2497 in QThreadPrivate::start (arg=0x988b8b0) at thread/qthread_unix.cpp:190
#6  0xb725d4b0 in start_thread () from /lib/i686/cmov/libpthread.so.0
#7  0xb651938e in clone () from /lib/i686/cmov/libc.so.6

Thread 3 (Thread 0xb1d52b90 (LWP 521)):
#0  0xb7f70424 in __kernel_vsyscall ()
#1  0xb6511771 in select () from /lib/i686/cmov/libc.so.6
#2  0xb73c4abb in QProcessManager::run (this=0x96edf30) at io/qprocess_unix.cpp:307
#3  0xb72f2497 in QThreadPrivate::start (arg=0x96edf30) at thread/qthread_unix.cpp:190
#4  0xb725d4b0 in start_thread () from /lib/i686/cmov/libpthread.so.0
#5  0xb651938e in clone () from /lib/i686/cmov/libc.so.6

Thread 2 (Thread 0xb2553b90 (LWP 530)):
#0  0xb7f70424 in __kernel_vsyscall ()
#1  0xb650eb27 in poll () from /lib/i686/cmov/libc.so.6
#2  0xb6f398da in ?? () from /lib/i686/cmov/libresolv.so.2
#3  0xb2551574 in ?? ()
#4  0x00000001 in ?? ()
#5  0x00001388 in ?? ()
#6  0x00004000 in ?? ()
#7  0xb2551550 in ?? ()
#8  0xb2551580 in ?? ()
#9  0xb2551593 in ?? ()
#10 0xb2551588 in ?? ()
#11 0xb2551550 in ?? ()
#12 0x00000000 in ?? ()

Thread 1 (Thread 0xb60fa700 (LWP 32293)):
[KCrash Handler]
#6  0xb7f70424 in __kernel_vsyscall ()
#7  0xb64645e0 in raise () from /lib/i686/cmov/libc.so.6
#8  0xb6465fb8 in abort () from /lib/i686/cmov/libc.so.6
#9  0xb64a7643 in ?? () from /lib/i686/cmov/libc.so.6
#10 0x00006f88 in ?? ()
#11 0xbfc88564 in ?? ()
#12 0xb658fff4 in ?? () from /lib/i686/cmov/libc.so.6
#13 0x0a6a1500 in ?? ()
#14 0x0a6a1500 in ?? ()
#15 0xb65741c4 in ?? () from /lib/i686/cmov/libc.so.6
#16 0xb64a9919 in ?? () from /lib/i686/cmov/libc.so.6
#17 0xb6591160 in ?? () from /lib/i686/cmov/libc.so.6
#18 0x09f78048 in ?? ()
#19 0xb658fff4 in ?? () from /lib/i686/cmov/libc.so.6
#20 0x00000001 in ?? ()
#21 0x0a6a1500 in ?? ()
#22 0xbfc88518 in ?? ()
#23 0xb64a97b5 in free () from /lib/i686/cmov/libc.so.6
Backtrace stopped: frame did not save the PC
Comment 1 Christophe Marin 2008-07-23 20:01:18 UTC
Confirmed but I don't get any useful bt.

0xffffe424 in __kernel_vsyscall ()
(gdb) bt
#0  0xffffe424 in __kernel_vsyscall ()
#1  0xb65de5e0 in raise () from /lib/i686/cmov/libc.so.6
#2  0xb65dffb8 in abort () from /lib/i686/cmov/libc.so.6
#3  0xb6621643 in ?? () from /lib/i686/cmov/libc.so.6
#4  0x00009b66 in ?? ()
#5  0xb670b160 in ?? () from /lib/i686/cmov/libc.so.6
#6  0xb6709ff4 in ?? () from /lib/i686/cmov/libc.so.6
#7  0x090617c8 in ?? ()
#8  0x090617c8 in ?? ()
#9  0xb66ee1c4 in ?? () from /lib/i686/cmov/libc.so.6
#10 0xb6623919 in ?? () from /lib/i686/cmov/libc.so.6
#11 0xb670b160 in ?? () from /lib/i686/cmov/libc.so.6
#12 0x08cc7bb8 in ?? ()
#13 0xb6709ff4 in ?? () from /lib/i686/cmov/libc.so.6
#14 0x00000000 in ?? ()
(gdb) thread 2
[Switching to thread 2 (Thread 0xb1f63b90 (LWP 26642))]#0  0xffffe424 in __kernel_vsyscall ()
(gdb) list
1       extern "C" int kdemain(int argc, char* argv[]);
2       extern "C" int kdeinitmain(int argc, char* argv[]) { return kdemain(argc,argv); }
3       int main(int argc, char* argv[]) { return kdemain(argc,argv); }
Comment 2 Christophe Marin 2008-07-23 20:39:53 UTC
ok, I got something better after installing the libc6-dbg package:

Program received signal SIGABRT, Aborted.
[Switching to Thread 0xb6114700 (LWP 28407)]
0xffffe424 in __kernel_vsyscall ()          
(gdb) bt                                    
#0  0xffffe424 in __kernel_vsyscall ()      
#1  0xb64e15e0 in raise () from /lib/i686/cmov/libc.so.6
#2  0xb64e2fb8 in abort () from /lib/i686/cmov/libc.so.6
#3  0xb6524643 in malloc_printerr () from /lib/i686/cmov/libc.so.6
#4  0xb65267b5 in free () from /lib/i686/cmov/libc.so.6           
#5  0xb40c4759 in ~CSSParser (this=0xbfd5c104) at /media/kde/src/KDE/kdelibs/khtml/css/cssparser.cpp:134
#6  0xb40ac7a4 in DOM::CSSStyleSheetImpl::parseString (this=0x98e3238, string=@0xbfd5c1b4, strict=<value optimized out>)
    at /media/kde/src/KDE/kdelibs/khtml/css/css_stylesheetimpl.cpp:288                                                  
#7  0xb3fe3037 in DOM::HTMLLinkElementImpl::setStyleSheet (this=0x98714b8, url=@0x9871a10, sheetStr=@0x9871a4c, charset=@0xbfd5c228, 
    mimetype=@0xbfd5c220) at /media/kde/src/KDE/kdelibs/khtml/html/html_headimpl.cpp:258                                             
#8  0xb40ea460 in khtml::CachedCSSStyleSheet::checkNotify (this=0x9871a08) at /media/kde/src/KDE/kdelibs/khtml/misc/loader.cpp:302   
#9  0xb40ef4b0 in khtml::CachedCSSStyleSheet::data (this=0x9871a08, buffer=@0x99f158c, eof=true) at /media/kde/src/KDE/kdelibs/khtml/misc/loader.cpp:292
#10 0xb40ec065 in khtml::Loader::slotFinished (this=0x9684f38, job=0x98f2ae0) at /media/kde/src/KDE/kdelibs/khtml/misc/loader.cpp:1397                  
#11 0xb40ec387 in khtml::Loader::qt_metacall (this=0x9684f38, _c=QMetaObject::InvokeMetaMethod, _id=3, _a=0xbfd5c43c)                                   
    at /media/kde/build/KDE/kdelibs/khtml/loader.moc:129                                                                                                
#12 0xb744788c in QMetaObject::activate (sender=0x98f2ae0, from_signal_index=7, to_signal_index=7, argv=0xbfd5c43c) at kernel/qobject.cpp:3007          
#13 0xb7447d19 in QMetaObject::activate (sender=0x98f2ae0, m=0xb7707928, local_signal_index=3, argv=0xbfd5c43c) at kernel/qobject.cpp:3080              
#14 0xb760e7b3 in KJob::result (this=0x98f2ae0, _t1=0x98f2ae0) at /media/kde/build/KDE/kdelibs/kdecore/kjob.moc:186                                     
#15 0xb760ecb2 in KJob::emitResult (this=0x98f2ae0) at /media/kde/src/KDE/kdelibs/kdecore/jobs/kjob.cpp:290                                             
#16 0xb7c83d9f in KIO::SimpleJob::slotFinished (this=0x98f2ae0) at /media/kde/src/KDE/kdelibs/kio/kio/job.cpp:498                                       
#17 0xb7c84123 in KIO::TransferJob::slotFinished (this=0x98f2ae0) at /media/kde/src/KDE/kdelibs/kio/kio/job.cpp:967                                     
#18 0xb7c8a99b in KIO::TransferJob::qt_metacall (this=0x98f2ae0, _c=QMetaObject::InvokeMetaMethod, _id=7, _a=0xbfd5c674)                                
    at /media/kde/build/KDE/kdelibs/kio/jobclasses.moc:336                                                                                              
#19 0xb744788c in QMetaObject::activate (sender=0x98e6620, from_signal_index=8, to_signal_index=8, argv=0x0) at kernel/qobject.cpp:3007                 
#20 0xb7447d19 in QMetaObject::activate (sender=0x98e6620, m=0xb7df1684, local_signal_index=4, argv=0x0) at kernel/qobject.cpp:3080                     
#21 0xb7d26b37 in KIO::SlaveInterface::finished (this=0x98e6620) at /media/kde/build/KDE/kdelibs/kio/slaveinterface.moc:163                             
#22 0xb7d2885f in KIO::SlaveInterface::dispatch (this=0x98e6620, _cmd=104, rawdata=@0xbfd5c844)                                                         
    at /media/kde/src/KDE/kdelibs/kio/kio/slaveinterface.cpp:176                                                                                        
#23 0xb7d29358 in KIO::SlaveInterface::dispatch (this=0x98e6620) at /media/kde/src/KDE/kdelibs/kio/kio/slaveinterface.cpp:91                            
#24 0xb7d1b6d7 in KIO::Slave::gotInput (this=0x98e6620) at /media/kde/src/KDE/kdelibs/kio/kio/slave.cpp:319                                             
#25 0xb7d1caa3 in KIO::Slave::qt_metacall (this=0x98e6620, _c=QMetaObject::InvokeMetaMethod, _id=2, _a=0xbfd5c944)                                      
    at /media/kde/build/KDE/kdelibs/kio/slave.moc:75                                                                                                    
---Type <return> to continue, or q <return> to quit---                                                                                                  
#26 0xb744788c in QMetaObject::activate (sender=0x98e6b90, from_signal_index=4, to_signal_index=4, argv=0x0) at kernel/qobject.cpp:3007                 
#27 0xb7447d19 in QMetaObject::activate (sender=0x98e6b90, m=0xb7dee2e0, local_signal_index=0, argv=0x0) at kernel/qobject.cpp:3080                     
#28 0xb7c56ee7 in KIO::Connection::readyRead (this=0x98e6b90) at /media/kde/build/KDE/kdelibs/kio/connection.moc:84                                     
#29 0xb7c57d46 in KIO::ConnectionPrivate::dequeue (this=0x987daf0) at /media/kde/src/KDE/kdelibs/kio/kio/connection.cpp:82
#30 0xb7c58b96 in KIO::Connection::qt_metacall (this=0x98e6b90, _c=QMetaObject::InvokeMetaMethod, _id=1, _a=0x99a44f0)
    at /media/kde/build/KDE/kdelibs/kio/connection.moc:72
#31 0xb74419ca in QMetaCallEvent::placeMetaCall (this=0x9d4acb0, object=0x98e6b90) at kernel/qobject.cpp:535
#32 0xb7445c36 in QObject::event (this=0x98e6b90, e=0x9d4acb0) at kernel/qobject.cpp:1137
#33 0xb68b6289 in QApplicationPrivate::notify_helper (this=0x91ac538, receiver=0x98e6b90, e=0x9d4acb0) at kernel/qapplication.cpp:3772
#34 0xb68b659e in QApplication::notify (this=0xbfd5d42c, receiver=0x98e6b90, e=0x9d4acb0) at kernel/qapplication.cpp:3366
#35 0xb7a5ad81 in KApplication::notify (this=0xbfd5d42c, receiver=0x98e6b90, event=0x9d4acb0)
    at /media/kde/src/KDE/kdelibs/kdeui/kernel/kapplication.cpp:311
#36 0xb743328b in QCoreApplication::notifyInternal (this=0xbfd5d42c, receiver=0x98e6b90, event=0x9d4acb0) at kernel/qcoreapplication.cpp:583
#37 0xb7436dd3 in QCoreApplication::sendEvent (receiver=0x98e6b90, event=0x9d4acb0) at kernel/qcoreapplication.h:215
#38 0xb74337ab in QCoreApplicationPrivate::sendPostedEvents (receiver=0x0, event_type=0, data=0x919ecc0) at kernel/qcoreapplication.cpp:1195
#39 0xb7433967 in QCoreApplication::sendPostedEvents (receiver=0x0, event_type=0) at kernel/qcoreapplication.cpp:1091
#40 0xb74628aa in QCoreApplication::sendPostedEvents () at kernel/qcoreapplication.h:220
#41 0xb7461abc in postEventSourceDispatch (s=0x91ae8e8) at kernel/qeventdispatcher_glib.cpp:211
#42 0xb635a2f1 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#43 0xb635d983 in ?? () from /usr/lib/libglib-2.0.so.0
#44 0x091ae860 in ?? ()
#45 0x00000000 in ?? ()
(gdb) thread 2
[Switching to thread 2 (Thread 0xb1e67b90 (LWP 28483))]#0  0xffffe424 in __kernel_vsyscall ()
(gdb) bt
#0  0xffffe424 in __kernel_vsyscall ()
#1  0xb72dc342 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib/i686/cmov/libpthread.so.0
#2  0xb7344d4e in QWaitConditionPrivate::wait (this=0x97a96f8, time=30000) at thread/qwaitcondition_unix.cpp:86
#3  0xb7344867 in QWaitCondition::wait (this=0x9792870, mutex=0x979286c, time=30000) at thread/qwaitcondition_unix.cpp:265
#4  0xb733814a in QThreadPoolThread::run (this=0x9636908) at concurrent/qthreadpool.cpp:179
#5  0xb7344443 in QThreadPrivate::start (arg=0x9636908) at thread/qthread_unix.cpp:190
#6  0xb72d84b0 in start_thread () from /lib/i686/cmov/libpthread.so.0
#7  0xb659638e in clone () from /lib/i686/cmov/libc.so.6
(gdb) thread 3
Comment 3 Ramon Antonio Parada (brainsqueezer) 2008-07-24 12:43:19 UTC
Confirmed in 4.0.98 (Debian experimental)
Comment 4 Michael 2008-07-24 12:58:24 UTC
Confirmed with Konqueror SVN r836919

(gdb) bt
#0  0x00007fa1842f8235 in raise () from /lib64/libc.so.6
#1  0x00007fa1842f9753 in abort () from /lib64/libc.so.6
#2  0x00007fa18433abf0 in ?? () from /lib64/libc.so.6
#3  0x00007fa17719b480 in DOM::CSSStyleSheetImpl::parseString () from /usr/kde/svn/lib64/libkhtml.so.5
#4  0x00007fa1771a15bb in DOM::CSSImportRuleImpl::setStyleSheet () from /usr/kde/svn/lib64/libkhtml.so.5
#5  0x00007fa1771e326f in khtml::CachedCSSStyleSheet::checkNotify () from /usr/kde/svn/lib64/libkhtml.so.5
#6  0x00007fa1771e34dd in khtml::CachedCSSStyleSheet::data () from /usr/kde/svn/lib64/libkhtml.so.5
#7  0x00007fa1771e2ced in khtml::Loader::slotFinished () from /usr/kde/svn/lib64/libkhtml.so.5
#8  0x00007fa1771e3077 in khtml::Loader::qt_metacall () from /usr/kde/svn/lib64/libkhtml.so.5
#9  0x00007fa183b9de6c in QMetaObject::activate () from /usr/lib64/qt4/libQtCore.so.4
#10 0x00007fa1836a6a32 in KJob::result () from /usr/kde/svn/lib64/libkdecore.so.5
#11 0x00007fa1836a6da7 in KJob::emitResult () from /usr/kde/svn/lib64/libkdecore.so.5
#12 0x00007fa182bd8898 in KIO::SimpleJob::slotFinished () from /usr/kde/svn/lib64/libkio.so.5
#13 0x00007fa182bda483 in KIO::TransferJob::slotFinished () from /usr/kde/svn/lib64/libkio.so.5
#14 0x00007fa182bdb2d5 in KIO::TransferJob::qt_metacall () from /usr/kde/svn/lib64/libkio.so.5
#15 0x00007fa183b9de6c in QMetaObject::activate () from /usr/lib64/qt4/libQtCore.so.4
#16 0x00007fa182c8a5d0 in KIO::SlaveInterface::dispatch () from /usr/kde/svn/lib64/libkio.so.5
#17 0x00007fa182c87981 in KIO::SlaveInterface::dispatch () from /usr/kde/svn/lib64/libkio.so.5
#18 0x00007fa182c77b4e in KIO::Slave::gotInput () from /usr/kde/svn/lib64/libkio.so.5
#19 0x00007fa182c77e58 in KIO::Slave::qt_metacall () from /usr/kde/svn/lib64/libkio.so.5
#20 0x00007fa183b9de6c in QMetaObject::activate () from /usr/lib64/qt4/libQtCore.so.4
#21 0x00007fa182ba87c6 in KIO::ConnectionPrivate::dequeue () from /usr/kde/svn/lib64/libkio.so.5
#22 0x00007fa182ba98ca in KIO::Connection::qt_metacall () from /usr/kde/svn/lib64/libkio.so.5
#23 0x00007fa183b97a65 in QObject::event () from /usr/lib64/qt4/libQtCore.so.4
#24 0x00007fa1816acffd in QApplicationPrivate::notify_helper () from /usr/lib64/qt4/libQtGui.so.4
#25 0x00007fa1816ae53a in QApplication::notify () from /usr/lib64/qt4/libQtGui.so.4
#26 0x00007fa1831c829b in KApplication::notify () from /usr/kde/svn/lib64/libkdeui.so.5
#27 0x00007fa183b85bd0 in QCoreApplication::notifyInternal () from /usr/lib64/qt4/libQtCore.so.4
#28 0x00007fa183b8a0a7 in QCoreApplicationPrivate::sendPostedEvents () from /usr/lib64/qt4/libQtCore.so.4
#29 0x00007fa183bb83f0 in QEventDispatcherUNIX::processEvents () from /usr/lib64/qt4/libQtCore.so.4
#30 0x00007fa18174ed4a in QEventDispatcherX11::processEvents () from /usr/lib64/qt4/libQtGui.so.4
#31 0x00007fa183b84812 in QEventLoop::processEvents () from /usr/lib64/qt4/libQtCore.so.4
#32 0x00007fa183b84cad in QEventLoop::exec () from /usr/lib64/qt4/libQtCore.so.4
#33 0x00007fa183b8a3ef in QCoreApplication::exec () from /usr/lib64/qt4/libQtCore.so.4
#34 0x00007fa1846e7a22 in kdemain () from /usr/kde/svn/lib64/libkdeinit4_konqueror.so
#35 0x00007fa1842e4486 in __libc_start_main () from /lib64/libc.so.6
#36 0x00000000004006d9 in _start ()
Comment 5 Christophe Marin 2008-07-24 13:02:49 UTC
Note: bug 156646 may be related.
Comment 6 Ramon Antonio Parada (brainsqueezer) 2008-07-24 13:21:10 UTC
Backtrace

Application: Konqueror (konqueror), signal SIGABRT
[Thread debugging using libthread_db enabled]
[New Thread 0xb6006700 (LWP 19542)]
[KCrash handler]
#6  0xffffe424 in __kernel_vsyscall ()
#7  0xb7d7a5e0 in raise () from /lib/i686/cmov/libc.so.6
#8  0xb7d7bfb8 in abort () from /lib/i686/cmov/libc.so.6
#9  0xb7dbd643 in malloc_printerr () from /lib/i686/cmov/libc.so.6
#10 0xb7dbf7b5 in free () from /lib/i686/cmov/libc.so.6
#11 0xb41fb421 in ~CSSParser (this=0xbfcc13d4)
    at /tmp/buildd/kde4libs-4.0.98+svn833207/khtml/css/cssparser.cpp:134
#12 0xb41e4d84 in DOM::CSSStyleSheetImpl::parseString (this=0x84d8b88, 
    string=@0xbfcc1474, strict=<value optimized out>)
    at /tmp/buildd/kde4libs-4.0.98+svn833207/khtml/css/css_stylesheetimpl.cpp:288
#13 0xb411912c in DOM::HTMLLinkElementImpl::setStyleSheet (this=0x84f2338, 
    url=@0x84f9ff0, sheetStr=@0x84fa02c, charset=@0xbfcc14e4, 
    mimetype=@0xbfcc14dc)
    at /tmp/buildd/kde4libs-4.0.98+svn833207/khtml/html/html_headimpl.cpp:258
#14 0xb423521c in khtml::CachedCSSStyleSheet::checkNotify (this=0x84f9fe8)
    at /tmp/buildd/kde4libs-4.0.98+svn833207/khtml/misc/loader.cpp:302
#15 0xb4235596 in khtml::CachedCSSStyleSheet::data (this=0x84f9fe8, 
    buffer=@0x84ecad4, eof=true)
    at /tmp/buildd/kde4libs-4.0.98+svn833207/khtml/misc/loader.cpp:292
#16 0xb423009a in khtml::Loader::slotFinished (this=0x8429ef0, job=0x850c7c8)
    at /tmp/buildd/kde4libs-4.0.98+svn833207/khtml/misc/loader.cpp:1397
#17 0xb4235be7 in khtml::Loader::qt_metacall (this=0x8429ef0, 
    _c=QMetaObject::InvokeMetaMethod, _id=3, _a=0xbfcc16cc)
    at /tmp/buildd/kde4libs-4.0.98+svn833207/obj-i486-linux-gnu/khtml/loader.moc:129
#18 0xb69230c0 in QMetaObject::activate (sender=0x850c7c8, 
    from_signal_index=7, to_signal_index=7, argv=0xbfcc16cc)
    at kernel/qobject.cpp:3010
#19 0xb6923e42 in QMetaObject::activate (sender=0x850c7c8, m=0xb771f8e8, 
    local_signal_index=3, argv=0xbfcc16cc) at kernel/qobject.cpp:3080
#20 0xb75e7483 in KJob::result (this=0x850c7c8, _t1=0x850c7c8)
    at /tmp/buildd/kde4libs-4.0.98+svn833207/obj-i486-linux-gnu/kdecore/kjob.moc:186
#21 0xb75e7992 in KJob::emitResult (this=0x850c7c8)
    at /tmp/buildd/kde4libs-4.0.98+svn833207/kdecore/jobs/kjob.cpp:290
#22 0xb7b4dfe5 in KIO::SimpleJob::slotFinished (this=0x850c7c8)
    at /tmp/buildd/kde4libs-4.0.98+svn833207/kio/kio/job.cpp:498
#23 0xb7b51693 in KIO::TransferJob::slotFinished (this=0x850c7c8)
    at /tmp/buildd/kde4libs-4.0.98+svn833207/kio/kio/job.cpp:967
#24 0xb7b5246b in KIO::TransferJob::qt_metacall (this=0x850c7c8, 
    _c=QMetaObject::InvokeMetaMethod, _id=7, _a=0xbfcc1908)
    at /tmp/buildd/kde4libs-4.0.98+svn833207/obj-i486-linux-gnu/kio/jobclasses.moc:336
#25 0xb69230c0 in QMetaObject::activate (sender=0x84eef28, 
    from_signal_index=8, to_signal_index=8, argv=0x0)
    at kernel/qobject.cpp:3010
#26 0xb6923e42 in QMetaObject::activate (sender=0x84eef28, m=0xb7cff184, 
    local_signal_index=4, argv=0x0) at kernel/qobject.cpp:3080
#27 0xb7c12f77 in KIO::SlaveInterface::finished (this=0x84eef28)
    at /tmp/buildd/kde4libs-4.0.98+svn833207/obj-i486-linux-gnu/kio/slaveinterface.moc:161
#28 0xb7c16be7 in KIO::SlaveInterface::dispatch (this=0x84eef28, _cmd=104, 
    rawdata=@0xbfcc1ad4)
    at /tmp/buildd/kde4libs-4.0.98+svn833207/kio/kio/slaveinterface.cpp:175
#29 0xb7c136f7 in KIO::SlaveInterface::dispatch (this=0x84eef28)
    at /tmp/buildd/kde4libs-4.0.98+svn833207/kio/kio/slaveinterface.cpp:90
#30 0xb7c036cd in KIO::Slave::gotInput (this=0x84eef28)
    at /tmp/buildd/kde4libs-4.0.98+svn833207/kio/kio/slave.cpp:319
#31 0xb7c06113 in KIO::Slave::qt_metacall (this=0x84eef28, 
    _c=QMetaObject::InvokeMetaMethod, _id=2, _a=0xbfcc1be8)
    at /tmp/buildd/kde4libs-4.0.98+svn833207/obj-i486-linux-gnu/kio/slave.moc:75
#32 0xb69230c0 in QMetaObject::activate (sender=0x84ec308, 
    from_signal_index=4, to_signal_index=4, argv=0x0)
    at kernel/qobject.cpp:3010
#33 0xb6923e42 in QMetaObject::activate (sender=0x84ec308, m=0xb7cfbde0, 
    local_signal_index=0, argv=0x0) at kernel/qobject.cpp:3080
#34 0xb7b155c7 in KIO::Connection::readyRead (this=0x84ec308)
    at /tmp/buildd/kde4libs-4.0.98+svn833207/obj-i486-linux-gnu/kio/connection.moc:84
#35 0xb7b17689 in KIO::ConnectionPrivate::dequeue (this=0x848c848)
    at /tmp/buildd/kde4libs-4.0.98+svn833207/kio/kio/connection.cpp:82
#36 0xb7b17816 in KIO::Connection::qt_metacall (this=0x84ec308, 
    _c=QMetaObject::InvokeMetaMethod, _id=1, _a=0x84a9078)
    at /tmp/buildd/kde4libs-4.0.98+svn833207/obj-i486-linux-gnu/kio/connection.moc:72
#37 0xb691c23b in QMetaCallEvent::placeMetaCall (this=0x857bf20, 
    object=0x84ec308) at kernel/qobject.cpp:535
#38 0xb691ddf9 in QObject::event (this=0x84ec308, e=0x857bf20)
    at kernel/qobject.cpp:1140
#39 0xb6b9b66c in QApplicationPrivate::notify_helper (this=0x8057db0, 
    receiver=0x84ec308, e=0x857bf20) at kernel/qapplication.cpp:3772
#40 0xb6ba343e in QApplication::notify (this=0xbfcc2584, receiver=0x84ec308, 
    e=0x857bf20) at kernel/qapplication.cpp:3366
#41 0xb78f363d in KApplication::notify (this=0xbfcc2584, receiver=0x84ec308, 
    event=0x857bf20)
    at /tmp/buildd/kde4libs-4.0.98+svn833207/kdeui/kernel/kapplication.cpp:311
#42 0xb690e571 in QCoreApplication::notifyInternal (this=0xbfcc2584, 
    receiver=0x84ec308, event=0x857bf20) at kernel/qcoreapplication.cpp:587
#43 0xb690f1e5 in QCoreApplicationPrivate::sendPostedEvents (receiver=0x0, 
    event_type=0, data=0x804b848)
    at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:215
#44 0xb690f3fd in QCoreApplication::sendPostedEvents (receiver=0x0, 
    event_type=0) at kernel/qcoreapplication.cpp:1091
#45 0xb6938f2f in postEventSourceDispatch (s=0x805a520)
    at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:220
#46 0xb63372f1 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#47 0xb633a983 in ?? () from /usr/lib/libglib-2.0.so.0
#48 0x0805a498 in ?? ()
#49 0x00000000 in ?? ()
#0  0xffffe424 in __kernel_vsyscall ()
Comment 7 mccope 2008-07-24 23:45:43 UTC
Created attachment 26387 [details]
HTML file testcase
Comment 8 mccope 2008-07-24 23:46:19 UTC
Created attachment 26388 [details]
style sheet which causes konqueror to crash
Comment 9 mccope 2008-07-24 23:52:14 UTC
I've attached an HTML file and a CSS file which in combination cause Konqueror to crash. The testcase files are based on similar code from the www.snowboardclub.co.uk webpage.

AIUI the CSS file isn't valid, as it doesn't properly terminate the various blocks.
Comment 10 mccope 2008-08-25 17:36:05 UTC
Running Konqueror with Valgrind and loading the test HTML & CSS files posted earlier gives the following error message (repeated several times):

==30085== Invalid read of size 2                                                                                                               
==30085==    at 0x9E27F88: DOM::CSSParser::lex() (tokenizer.cpp:673)                                                                           
==30085==    by 0x9E28784: DOM::CSSParser::lex(void*) (cssparser.cpp:2397)                                                                     
==30085==    by 0x9E4D36D: _ZL8cssyylexP7YYSTYPE (parser.cpp:355)                                                                              
==30085==    by 0x9E4D87A: cssyyparse(void*) (parser.cpp:1936)                                                                                 
==30085==    by 0x9E302A9: DOM::CSSParser::runParser(int) (cssparser.cpp:165)                                                                  
==30085==    by 0x9E30960: DOM::CSSParser::parseSheet(DOM::CSSStyleSheetImpl*, DOM::DOMString const&) (cssparser.cpp:182)                      
==30085==    by 0x9E113D4: DOM::CSSStyleSheetImpl::parseString(DOM::DOMString const&, bool) (css_stylesheetimpl.cpp:287)                       
==30085==    by 0x9D194CD: DOM::HTMLLinkElementImpl::setStyleSheet(DOM::DOMString const&, DOM::DOMString const&, DOM::DOMString const&, DOM::DOMString const&) (html_headimpl.cpp:258)                                                                                                        
==30085==    by 0x9E632DD: khtml::CachedCSSStyleSheet::checkNotify() (loader.cpp:302)                                                          
==30085==    by 0x9E69A27: khtml::CachedCSSStyleSheet::data(QBuffer&, bool) (loader.cpp:292)                                                   
==30085==    by 0x9E657AB: khtml::Loader::slotFinished(KJob*) (loader.cpp:1400)                                                                
==30085==    by 0x9E65B56: khtml::Loader::qt_metacall(QMetaObject::Call, int, void**) (loader.moc:129)                                         
==30085==  Address 0x6151a1e is 0 bytes after a block of size 182 alloc'd                                                                      
==30085==    at 0x4023D6E: malloc (vg_replace_malloc.c:207)                                                                                    
==30085==    by 0x9E30915: DOM::CSSParser::parseSheet(DOM::CSSStyleSheetImpl*, DOM::DOMString const&) (cssparser.cpp:176)                      
==30085==    by 0x9E113D4: DOM::CSSStyleSheetImpl::parseString(DOM::DOMString const&, bool) (css_stylesheetimpl.cpp:287)                       
==30085==    by 0x9D194CD: DOM::HTMLLinkElementImpl::setStyleSheet(DOM::DOMString const&, DOM::DOMString const&, DOM::DOMString const&, DOM::DOMString const&) (html_headimpl.cpp:258)                                                                                                        
==30085==    by 0x9E632DD: khtml::CachedCSSStyleSheet::checkNotify() (loader.cpp:302)                                                          
==30085==    by 0x9E69A27: khtml::CachedCSSStyleSheet::data(QBuffer&, bool) (loader.cpp:292)                                                   
==30085==    by 0x9E657AB: khtml::Loader::slotFinished(KJob*) (loader.cpp:1400)                                                                
==30085==    by 0x9E65B56: khtml::Loader::qt_metacall(QMetaObject::Call, int, void**) (loader.moc:129)                                         
==30085==    by 0x4ADFEF8: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3013)                                                
==30085==    by 0x4AE0386: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qobject.cpp:3086)                                 
==30085==    by 0x47F9903: KJob::result(KJob*) (kjob.moc:186)                                                                                  
==30085==    by 0x47F9E41: KJob::emitResult() (kjob.cpp:290)                                                                                   

Interestingly, the testcase doesn't cause Konqueror to crash when it is running in Valgrind.

Full log from Valgrind & Konqueror attached below.
Comment 11 mccope 2008-08-25 17:37:51 UTC
Created attachment 27036 [details]
terminal log of Konqueror running testcase in Valgrind
Comment 12 mccope 2008-11-04 23:19:48 UTC
Created attachment 28331 [details]
Proposed patch for bug 167318

The attached patch stops Konqueror from crashing when parsing the malformed CSS of the testcase and a local saved copy of the www.snowboardclub.co.uk webpage that led to the original bug report.  (Note that the website mentioned has been changed since the initial bug report.)

The patch is based on CSSParser.cpp from the qt-copy version of Webkit.

Please can someone familiar with this section of code check that this is an appropriate patch as I don't want to inadvertently cause further problems!

Note that Valgrind still reports some problems when run with --leak-check=full; however, Konqueror no longer crashes.
Comment 13 Tommi Tervo 2009-01-16 09:19:19 UTC
*** Bug 180929 has been marked as a duplicate of this bug. ***
Comment 14 Tommi Tervo 2009-02-01 22:37:53 UTC
*** Bug 182793 has been marked as a duplicate of this bug. ***
Comment 15 mccope 2009-02-04 14:25:41 UTC
Who would be a good person to speak with to arrange getting this patch (or a similar one) committed?
Comment 16 Tommi Tervo 2009-02-09 09:32:12 UTC
*** Bug 183544 has been marked as a duplicate of this bug. ***
Comment 17 Tommi Tervo 2009-02-13 18:52:53 UTC
*** Bug 184231 has been marked as a duplicate of this bug. ***
Comment 18 mccope 2009-02-15 18:37:57 UTC
I can confirm that the sites mentioned in bug 180929 and bug 184231 do not cause crashes with the patch above applied to khtml.
Comment 19 Dario Andres 2009-03-07 14:05:51 UTC
*** Bug 186426 has been marked as a duplicate of this bug. ***
Comment 20 Germain Garand 2009-04-01 04:22:39 UTC
Hi,
sorry for the late reply, I didn't quite notice this bug before.

First, I can't reproduce this crash (or any of its duplicates) in trunk, and I read a comment to the same effect at #183544#c2. I think the recent changes in CSS grammar may have changed the error conditions triggering such crashes.

Nevertheless, the patch (even if a bit of voodoo-merging, as it doesn't really change the logic, and even regresses the security padding to 2 bytes) is still a nice factoring, so I'll check it in, with an additional factoring of the repetitive cssyyparse invocation code inside a runParser() method, and fixing the padding.

As there are still some visible out-of-bounds reads/writes detectable through Valgrind on e.g. http://shop1auto.rtrk.com.au, I'll raise our security padding from five to eight bytes. This seems to appease Valgrind on all available testcases.
Comment 21 Germain Garand 2009-04-01 04:28:39 UTC
Created attachment 32510 [details]
the modified patch I intend to commit
Comment 22 Maksim Orlovich 2009-04-01 04:46:21 UTC
Any chance you could move the strlen(prefix) call out of the loop? I know it's short, but the quadratic bugs me, and, well, there is always inline style...
Comment 23 Germain Garand 2009-04-01 06:00:19 UTC
sure, I'll factor all those, if only to save a kitten.
Comment 24 Tommi Tervo 2009-04-01 16:00:27 UTC
*** Bug 188601 has been marked as a duplicate of this bug. ***
Comment 25 Germain Garand 2009-04-02 01:57:49 UTC
SVN commit 948014 by ggarand:

.factor out some CSS parser code (initial patch from mccope@googlemail.com,
 derived from code found in webcore)
.increase CSS buffer's security padding to 8 bytes to prevent buggy flex
 from reading/writing past the end in some situations.

BUG: 167318


 M  +49 -64    cssparser.cpp  
 M  +2 -1      cssparser.h  


WebSVN link: http://websvn.kde.org/?view=rev&revision=948014
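As an added illustration of the buffer layout this thread ends up with (the out-of-bounds read past the lexer buffer Valgrind reported in Comment 10, the zero padding raised to 8 code units in the commit above, and the strlen() hoisting asked for in Comment 22), here is a self-contained C++ sketch. It is not khtml's or WebKit's code; the prefix/suffix strings and the sample sheet are constructed, and the sheet is assumed to be Latin-1/ASCII text widened unit by unit.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// Zero padding appended after the suffix, in code units. The commit for this
// bug raised khtml's padding from 5 to 8 units; 8 is used here.
static const std::size_t kSecurityPadding = 8;

// The lexer works on 16-bit code units, which is why Valgrind reported an
// "Invalid read of size 2" just past a 182-byte (91-unit) allocation.
typedef std::vector<std::uint16_t> LexBuffer;

// Builds prefix + sheet + suffix + zero padding as one allocation.
// Assumption: `sheet` holds Latin-1/ASCII text, widened unit by unit.
LexBuffer setupLexBuffer(const char *prefix, const std::string &sheet, const char *suffix)
{
    // Lengths computed once, outside the copy loops (Comment 22's point:
    // strlen(prefix) in the loop condition makes the copy quadratic).
    const std::size_t prefixLen = std::strlen(prefix);
    const std::size_t suffixLen = std::strlen(suffix);
    const std::size_t length = prefixLen + sheet.size() + suffixLen + kSecurityPadding;

    // Value-initialised, so every unit, including the padding, starts as 0,
    // the end-of-buffer marker a flex-generated scanner looks for.
    LexBuffer data(length, 0);

    std::size_t pos = 0;
    for (std::size_t i = 0; i < prefixLen; ++i)
        data[pos++] = static_cast<unsigned char>(prefix[i]);
    for (std::size_t i = 0; i < sheet.size(); ++i)
        data[pos++] = static_cast<unsigned char>(sheet[i]);
    for (std::size_t i = 0; i < suffixLen; ++i)
        data[pos++] = static_cast<unsigned char>(suffix[i]);
    return data;
}

// True when the trailing padding is still all zero, i.e. nothing was written
// past the end of the text (the "writing past the end" case in the commit).
bool paddingIntact(const LexBuffer &data)
{
    if (data.size() < kSecurityPadding)
        return false;
    for (std::size_t i = data.size() - kSecurityPadding; i < data.size(); ++i)
        if (data[i] != 0)
            return false;
    return true;
}

// Scans up to the first zero unit, counting '{' against '}'. A scanner that
// relies on the zero sentinel only stays in bounds if the buffer really ends
// in zeros, which is the invariant setupLexBuffer() provides; the explicit
// size check here is belt and braces.
int unclosedBlocks(const LexBuffer &data)
{
    int depth = 0;
    for (std::size_t i = 0; i < data.size() && data[i] != 0; ++i) {
        if (data[i] == '{')
            ++depth;
        else if (data[i] == '}')
            --depth;
    }
    return depth;
}
```

With a constructed sheet whose block is never closed, as in the attached testcase, the scan still stops inside the allocation and reports one unclosed block.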
Comment 26 Germain Garand 2009-04-02 22:17:27 UTC
SVN commit 948352 by ggarand:

automatically merged revision 948014:
.factor out some CSS parser code (initial patch from mccope@googlemail.com,
 derived from code found in webcore)
.increase CSS buffer's security padding to 8 bytes to prevent buggy flex
 from reading/writing past the end in some situations.

BUG: 167318

 M  +49 -64    cssparser.cpp  
 M  +2 -1      cssparser.h  


WebSVN link: http://websvn.kde.org/?view=rev&revision=948352
Comment 27 Dimitrios Glentadakis 2009-04-03 07:29:57 UTC
The same bug: Konqueror crashes on this site: http://fr.wikipedia.org/wiki/Pays_de_Galles
Comment 28 Dimitrios Glentadakis 2009-04-03 07:31:43 UTC
The same bug: Konqueror crashes on this site: http://fr.wikipedia.org/wiki/Pays_de_Galles