Bug 170165

Summary: [testcase] crash on javascript on http://news.aol.ca/article/north-mapping/324605/
Product: [Applications] konqueror Reporter: Oliver Putz <Regnaron>
Component: khtmlAssignee: Konqueror Bugs <konqueror-bugs-null>
Status: RESOLVED FIXED    
Severity: crash CC: finex, frank78ac, maksim, steffen_moeller
Priority: NOR    
Version First Reported In: SVN   
Target Milestone: ---   
Platform: unspecified   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:
Attachments: Reduced testcase

Description Oliver Putz 2008-09-01 08:43:03 UTC 
Version:           4.1.00 (KDE 4.1.0) (using 4.1.00 (KDE 4.1.0), Gentoo)
Compiler:          i686-pc-linux-gnu-gcc
OS:                Linux (i686) release 2.6.25-gentoo-r7

I was reading http://news.aol.ca/article/north-mapping/324605/ 
When I scrolled down konqueror all of a sudden crashed with the backtrace below. As I just double clicked on the address bar in order to copy and paste the URL, konqueror crashed again with the same backtrace.

Application: Konqueror (konqueror), signal SIGSEGV
[Thread debugging using libthread_db enabled]
[New Thread 0xb61c0700 (LWP 2350)]
[KCrash handler]
#6  0xb3043bcd in khtml::RenderBlock::nodeAtPoint (this=0xa8ba160, 
    info=@0xbfc5182c, _x=591, _y=1666, _tx=397, _ty=1692, 
    hitTestAction=HitTestAll, inBox=false)
    at /var/tmp/portage/kde-base/kdelibs-4.1.0/work/kdelibs-4.1.0/khtml/rendering/render_block.cpp:2660
#7  0xb3043c88 in khtml::RenderBlock::nodeAtPoint (this=0xa8ba0dc, 
    info=@0xbfc5182c, _x=591, _y=1666, _tx=397, _ty=259, 
    hitTestAction=HitTestAll, inBox=false)
    at /var/tmp/portage/kde-base/kdelibs-4.1.0/work/kdelibs-4.1.0/khtml/rendering/render_block.cpp:2663
#8  0xb305a572 in khtml::RenderObject::nodeAtPoint (this=0xa89d794, 
    info=@0xbfc5182c, _x=591, _y=1666, _tx=397, _ty=259, 
    hitTestAction=HitTestChildrenOnly, inside=false)
    at /var/tmp/portage/kde-base/kdelibs-4.1.0/work/kdelibs-4.1.0/khtml/rendering/render_object.cpp:2076
#9  0xb3043cfb in khtml::RenderBlock::nodeAtPoint (this=0xa89d794, 
    info=@0xbfc5182c, _x=591, _y=1666, _tx=397, _ty=259, 
    hitTestAction=HitTestChildrenOnly, inBox=false)
    at /var/tmp/portage/kde-base/kdelibs-4.1.0/work/kdelibs-4.1.0/khtml/rendering/render_block.cpp:2667
#10 0xb307822a in khtml::RenderLayer::nodeAtPointForLayer (this=0xa88fa08, 
    rootLayer=0xa88f660, info=@0xbfc5182c, xMousePos=591, yMousePos=1666, 
    hitTestRect=@0xbfc517ec)
    at /var/tmp/portage/kde-base/kdelibs-4.1.0/work/kdelibs-4.1.0/khtml/rendering/render_layer.cpp:1194
#11 0xb3078143 in khtml::RenderLayer::nodeAtPointForLayer (this=0xa88fa6c, 
    rootLayer=0xa88f660, info=@0xbfc5182c, xMousePos=591, yMousePos=1666, 
    hitTestRect=@0xbfc517ec)
    at /var/tmp/portage/kde-base/kdelibs-4.1.0/work/kdelibs-4.1.0/khtml/rendering/render_layer.cpp:1187
#12 0xb3078143 in khtml::RenderLayer::nodeAtPointForLayer (this=0xa88f748, 
    rootLayer=0xa88f660, info=@0xbfc5182c, xMousePos=591, yMousePos=1666, 
    hitTestRect=@0xbfc517ec)
    at /var/tmp/portage/kde-base/kdelibs-4.1.0/work/kdelibs-4.1.0/khtml/rendering/render_layer.cpp:1187
#13 0xb30780f7 in khtml::RenderLayer::nodeAtPointForLayer (this=0xa88f660, 
    rootLayer=0xa88f660, info=@0xbfc5182c, xMousePos=591, yMousePos=1666, 
    hitTestRect=@0xbfc517ec)
    at /var/tmp/portage/kde-base/kdelibs-4.1.0/work/kdelibs-4.1.0/khtml/rendering/render_layer.cpp:1176
#14 0xb3078834 in khtml::RenderLayer::nodeAtPoint (this=0xa88f660, 
    info=@0xbfc5182c, x=591, y=1666)
    at /var/tmp/portage/kde-base/kdelibs-4.1.0/work/kdelibs-4.1.0/khtml/rendering/render_layer.cpp:1137
#15 0xb2fd5f86 in DOM::MouseEventImpl::computeLayerPos (this=0xb3e7aa8)
    at /var/tmp/portage/kde-base/kdelibs-4.1.0/work/kdelibs-4.1.0/khtml/xml/dom2_eventsimpl.cpp:299
#16 0xb2fd86c8 in MouseEventImpl (this=0xb3e7aa8, 
    _id=DOM::EventImpl::MOUSEOVER_EVENT, canBubbleArg=true, 
    cancelableArg=true, viewArg=0xa111d58, detailArg=0, screenXArg=591, 
    screenYArg=646, clientXArg=591, clientYArg=526, pageXArg=591, 
    pageYArg=1666, ctrlKeyArg=false, altKeyArg=false, shiftKeyArg=false, 
    metaKeyArg=false, buttonArg=65535, relatedTargetArg=0xb3966f0, qe=0x0, 
    isDoubleClick=false, orient=DOM::MouseEventImpl::ONone)
    at /var/tmp/portage/kde-base/kdelibs-4.1.0/work/kdelibs-4.1.0/khtml/xml/dom2_eventsimpl.cpp:279
#17 0xb2f31930 in KHTMLView::dispatchMouseEvent (this=0xac4c380, eventId=7, 
    targetNode=0xb395c48, targetNodeNonShared=0xb395c18, cancelable=false, 
    detail=0, _mouse=0xbfc523d0, setUnder=true, mouseEventType=4, orient=0)
    at /var/tmp/portage/kde-base/kdelibs-4.1.0/work/kdelibs-4.1.0/khtml/khtmlview.cpp:3590
#18 0xb2f39233 in KHTMLView::mouseMoveEvent (this=0xac4c380, 
    _mouse=0xbfc523d0)
    at /var/tmp/portage/kde-base/kdelibs-4.1.0/work/kdelibs-4.1.0/khtml/khtmlview.cpp:1316
#19 0xb684cbe2 in QWidget::event (this=0xac4c380, event=0xbfc523d0)
    at kernel/qwidget.cpp:6912
#20 0xb6ba14b9 in QFrame::event (this=0xac4c380, e=0xbfc523d0)
    at widgets/qframe.cpp:657
#21 0xb2f37c3c in KHTMLView::widgetEvent (this=0xac4c380, e=0xbfc523d0)
    at /var/tmp/portage/kde-base/kdelibs-4.1.0/work/kdelibs-4.1.0/khtml/khtmlview.cpp:2303
#22 0xb2f3acb4 in KHTMLView::eventFilter (this=0xac4c380, o=0x9f80658, 
    e=0xbfc523d0)
    at /var/tmp/portage/kde-base/kdelibs-4.1.0/work/kdelibs-4.1.0/khtml/khtmlview.cpp:2167
#23 0xb74a7192 in QCoreApplicationPrivate::sendThroughObjectEventFilters (
    this=0x8057c38, receiver=0x9f80658, event=0xbfc523d0)
    at kernel/qcoreapplication.cpp:694
#24 0xb67f3884 in QApplicationPrivate::notify_helper (this=0x8057c38, 
    receiver=0x9f80658, e=0xbfc523d0) at kernel/qapplication.cpp:3768
#25 0xb67f7b60 in QApplication::notify (this=0xbfc52b7c, receiver=0x9f80658, 
    e=0xbfc523d0) at kernel/qapplication.cpp:3501
#26 0xb7a776c3 in KApplication::notify (this=0xbfc52b7c, receiver=0x9f80658, 
    event=0xbfc523d0)
    at /var/tmp/portage/kde-base/kdelibs-4.1.0/work/kdelibs-4.1.0/kdeui/kernel/kapplication.cpp:311
#27 0xb74a6d59 in QCoreApplication::notifyInternal (this=0xbfc52b7c, 
    receiver=0x9f80658, event=0xbfc523d0) at kernel/qcoreapplication.cpp:587
#28 0xb67f967f in QApplicationPrivate::sendMouseEvent (receiver=0x9f80658, 
    event=0xbfc523d0, alienWidget=0x9f80658, nativeWidget=0x8133138, 
    buttonDown=0xb6fdac40, lastMouseReceiver=@0xb6fdac44)
    at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:218
#29 0xb685e91e in QETWidget::translateMouseEvent (this=0x8133138, 
    event=0xbfc527c8) at kernel/qapplication_x11.cpp:4133
#30 0xb685d48d in QApplication::x11ProcessEvent (this=0xbfc52b7c, 
    event=0xbfc527c8) at kernel/qapplication_x11.cpp:3133
#31 0xb6883ed8 in QEventDispatcherX11::processEvents (this=0x80576f8, 
    flags=@0xbfc528b8) at kernel/qeventdispatcher_x11.cpp:134
#32 0xb74a60d3 in QEventLoop::processEvents (this=0xbfc52930, 
    flags=@0xbfc528f8) at kernel/qeventloop.cpp:149
#33 0xb74a6246 in QEventLoop::exec (this=0xbfc52930, flags=@0xbfc52938)
    at kernel/qeventloop.cpp:200
#34 0xb74a8401 in QCoreApplication::exec () at kernel/qcoreapplication.cpp:845
#35 0xb67f323f in QApplication::exec () at kernel/qapplication.cpp:3304
#36 0xb7f1ecf1 in kdemain (argc=4, argv=0xbfc52e94)
    at /var/tmp/portage/kde-base/konqueror-4.1.0/work/konqueror-4.1.0/apps/konqueror/src/konqmain.cpp:227
#37 0x080488a2 in main (argc=-1288708056, argv=0xb076cb0)
    at /var/tmp/portage/kde-base/konqueror-4.1.0/work/konqueror_build/apps/konqueror/src/konqueror_dummy.cpp:3
#0  0xffffe424 in __kernel_vsyscall ()
Comment 1 Oliver Putz 2008-09-01 08:49:58 UTC 
I just found out what seems to make konqueror crash on this particular page:
At the end of the article you can find two buttons to rate the article (directly above the comments ("must read")). As soon as you hover over one of the buttons, konqueror crashes with the already posted backtrace.
Comment 2 Frank Reininghaus 2008-09-01 23:39:00 UTC 
Created attachment 27181 [details]
Reduced testcase

This reduced test case still crashes 4.1, 3.5.10, and trunk rev. 855891 for me when you move the mouse over the link and back. Note that the odd structure of 3 nested <div>'s with the "float:left" CSS attribute is needed to get a crash.
Comment 3 Oliver Putz 2008-11-28 13:36:09 UTC 
Testcase still crashes in KDE-4.1.80
Comment 4 Oliver Putz 2009-06-30 20:13:53 UTC 
Testcase still crashes in KDE-4.2.4
Comment 5 Tommi Tervo 2009-08-06 19:01:01 UTC 
*** Bug 202832 has been marked as a duplicate of this bug. ***
Comment 6 Tommi Tervo 2009-08-06 19:12:19 UTC 
svn r1006846 (without arena_allocator)

==15618== Invalid read of size 4
==15618==    at 0xB02A9CD:
khtml::RenderBlock::nodeAtPoint(khtml::RenderObject::NodeInfo&, int, int, int,
int, HitTestAction, bool) (render_block.cpp:2757)
==15618==    by 0xB073A18:
khtml::RenderLayer::nodeAtPointForLayer(khtml::RenderLayer*,
khtml::RenderObject::NodeInfo&, int, int, QRect const&) (render_layer.cpp:1227)
==15618==    by 0xB073882:
khtml::RenderLayer::nodeAtPointForLayer(khtml::RenderLayer*,
khtml::RenderObject::NodeInfo&, int, int, QRect const&) (render_layer.cpp:1209)
==15618==    by 0xB074185:
khtml::RenderLayer::nodeAtPoint(khtml::RenderObject::NodeInfo&, int, int)
(render_layer.cpp:1170)
==15618==    by 0xAF92A35: DOM::MouseEventImpl::computeLayerPos()
(dom2_eventsimpl.cpp:299)
==15618==    by 0xAF96F2B:
DOM::MouseEventImpl::MouseEventImpl(DOM::EventImpl::EventId, bool, bool,
DOM::AbstractViewImpl*, long, long, long, long, long, long, long, bool, bool,
bool, bool, unsigned short, DOM::NodeImpl*, QMouseEvent*, bool,
DOM::MouseEventImpl::Orientation) (dom2_eventsimpl.cpp:279)
==15618==    by 0xAE9F0C3: KHTMLView::dispatchMouseEvent(int, DOM::NodeImpl*,
DOM::NodeImpl*, bool, int, QMouseEvent*, bool, int, int) (khtmlview.cpp:3654)
==15618==    by 0xAEAA576: KHTMLView::mouseMoveEvent(QMouseEvent*)
(khtmlview.cpp:1351)
==15618==    by 0x501E30C: QWidget::event(QEvent*) (in
/usr/lib/libQtGui.so.4.5.3)
==15618==    by 0x53AFAD2: QFrame::event(QEvent*) (in
/usr/lib/libQtGui.so.4.5.3)
==15618==    by 0xAEA83C0: KHTMLView::widgetEvent(QEvent*) (khtmlview.cpp:2325)
==15618==    by 0xAEAE659: KHTMLView::eventFilter(QObject*, QEvent*)
(khtmlview.cpp:2189)
==15618==    by 0x4D98899:
QCoreApplicationPrivate::sendThroughObjectEventFilters(QObject*, QEvent*) (in
/usr/lib/libQtCore.so.4.5.3)
Comment 7 Tommi Tervo 2009-08-06 19:21:37 UTC 
=15618== Invalid read of size 4
==15618==    at 0xB02A9CD: khtml::RenderBlock::nodeAtPoint(khtml::RenderObject::NodeInfo&, int, int, int, int, HitTestAction, bool) (render_block.cpp:2757)
==15618==    by 0xB073A18: khtml::RenderLayer::nodeAtPointForLayer(khtml::RenderLayer*, khtml::RenderObject::NodeInfo&, int, int, QRect const&) (render_layer.cpp:1227)
==15618==    by 0xB073882: khtml::RenderLayer::nodeAtPointForLayer(khtml::RenderLayer*, khtml::RenderObject::NodeInfo&, int, int, QRect const&) (render_layer.cpp:1209)
==15618==    by 0xB074185: khtml::RenderLayer::nodeAtPoint(khtml::RenderObject::NodeInfo&, int, int) (render_layer.cpp:1170)
==15618==    by 0xAF92A35: DOM::MouseEventImpl::computeLayerPos() (dom2_eventsimpl.cpp:299)
==15618==    by 0xAF96F2B: DOM::MouseEventImpl::MouseEventImpl(DOM::EventImpl::EventId, bool, bool, DOM::AbstractViewImpl*, long, long, long, long, long, long, long, bool, bool, bool, bool, unsigned short, DOM::NodeImpl*, QMouseEvent*, bool, DOM::MouseEventImpl::Orientation) (dom2_eventsimpl.cpp:279)
==15618==    by 0xAE9F0C3: KHTMLView::dispatchMouseEvent(int, DOM::NodeImpl*, DOM::NodeImpl*, bool, int, QMouseEvent*, bool, int, int) (khtmlview.cpp:3654)
==15618==    by 0xAEAA576: KHTMLView::mouseMoveEvent(QMouseEvent*) (khtmlview.cpp:1351)
==15618==    by 0x501E30C: QWidget::event(QEvent*) (in /usr/lib/libQtGui.so.4.5.3)
==15618==    by 0x53AFAD2: QFrame::event(QEvent*) (in /usr/lib/libQtGui.so.4.5.3)
==15618==    by 0xAEA83C0: KHTMLView::widgetEvent(QEvent*) (khtmlview.cpp:2325)
==15618==    by 0xAEAE659: KHTMLView::eventFilter(QObject*, QEvent*) (khtmlview.cpp:2189)
==15618==    by 0x4D98899: QCoreApplicationPrivate::sendThroughObjectEventFilters(QObject*, QEvent*) (in /usr/lib/libQtCore.so.4.5.3)
==15618==    by 0x4FC7689: QApplicationPrivate::notify_helper(QObject*, QEvent*) (in /usr/lib/libQtGui.so.4.5.3)
==15618==    by 0x4FD0340: QApplication::notify(QObject*, QEvent*) (in /usr/lib/libQtGui.so.4.5.3)
==15618==    by 0x479A964: KApplication::notify(QObject*, QEvent*) (kapplication.cpp:302)
==15618==    by 0x4D9968A: QCoreApplication::notifyInternal(QObject*, QEvent*) (in /usr/lib/libQtCore.so.4.5.3)
==15618==    by 0x4FCF3AD: QApplicationPrivate::sendMouseEvent(QWidget*, QMouseEvent*, QWidget*, QWidget*, QWidget**, QPointer<QWidget>&) (in /usr/lib/libQtGui.so.4.5.3)
==15618==    by 0x503F805: (within /usr/lib/libQtGui.so.4.5.3)
==15618==    by 0x503EBDC: QApplication::x11ProcessEvent(_XEvent*) (in /usr/lib/libQtGui.so.4.5.3)
==15618==    by 0x50686EB: (within /usr/lib/libQtGui.so.4.5.3)
==15618==    by 0x5DB92F8: g_main_context_dispatch (in /usr/lib/libglib-2.0.so.0.1600.3)
==15618==    by 0x5DBC87A: (within /usr/lib/libglib-2.0.so.0.1600.3)
==15618==    by 0x5DBC9F7: g_main_context_iteration (in /usr/lib/libglib-2.0.so.0.1600.3)
==15618==    by 0x4DC4FC7: QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (in /usr/lib/libQtCore.so.4.5.3)
==15618==    by 0x5067DB4: (within /usr/lib/libQtGui.so.4.5.3)
==15618==    by 0x4D97CC9: QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (in /usr/lib/libQtCore.so.4.5.3)
==15618==    by 0x4D98111: QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (in /usr/lib/libQtCore.so.4.5.3)
==15618==    by 0x4D9A598: QCoreApplication::exec() (in /usr/lib/libQtCore.so.4.5.3)
==15618==    by 0x4FC7526: QApplication::exec() (in /usr/lib/libQtGui.so.4.5.3)
==15618==    by 0x40F3282: kdemain (konqmain.cpp:257)
==15618==    by 0x8048745: main (konqueror_dummy.cpp:3)
==15618==  Address 0xa4b11d8 is 8 bytes inside a block of size 140 free'd
==15618==    at 0x4023B7A: free (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==15618==    by 0xB07056D: khtml::RenderArena::free(unsigned, void*) (render_arena.cpp:122)
==15618==    by 0xB049521: khtml::RenderObject::arenaDelete(khtml::RenderArena*, void*) (render_object.cpp:2387)
==15618==    by 0xB0495FC: khtml::RenderObject::detach() (render_object.cpp:2372)
==15618==    by 0xB0655CE: khtml::RenderBox::detach() (render_box.cpp:224)
==15618==    by 0xB0685CF: khtml::RenderFlow::detach() (render_flow.cpp:362)
==15618==    by 0xAF61FAD: DOM::NodeImpl::detach() (dom_nodeimpl.cpp:975)
==15618==    by 0xAF6202B: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1838)
==15618==    by 0xAF733AF: DOM::ElementImpl::detach() (dom_elementimpl.cpp:884)
==15618==    by 0xAF72F80: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:958)
==15618==    by 0xAFCF741: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:242)
==15618==    by 0xAF730C0: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:989)
==15618==    by 0xAFCF741: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:242)
==15618==    by 0xAF730C0: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:989)
==15618==    by 0xAFCF741: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:242)
==15618==    by 0xAF730C0: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:989)
==15618==    by 0xAFCF741: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:242)
==15618==    by 0xAF730C0: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:989)
==15618==    by 0xAFCF741: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:242)
==15618==    by 0xAF730C0: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:989)
==15618==    by 0xAFCF741: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:242)
==15618==    by 0xAF4BB99: DOM::DocumentImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_docimpl.cpp:1436)
==15618==    by 0xAF43FEA: DOM::DocumentImpl::updateRendering() (dom_docimpl.cpp:1465)
==15618==    by 0xAF4B6B9: DOM::DocumentImpl::updateDocumentsRendering() (dom_docimpl.cpp:1478)
==15618==    by 0xB1CFDC4: KJS::Window::afterScriptExecution() (kjs_window.cpp:1269)
==15618==    by 0xB20385D: KJS::JSEventListener::handleEvent(DOM::Event&) (kjs_events.cpp:119)
==15618==    by 0xB2038DF: KJS::JSLazyEventListener::handleEvent(DOM::Event&) (kjs_events.cpp:159)
==15618==    by 0xAF66B66: DOM::NodeImpl::handleLocalEvents(DOM::EventImpl*, bool) (dom_nodeimpl.cpp:718)
==15618==    by 0xAF68C3D: DOM::NodeImpl::dispatchGenericEvent(DOM::EventImpl*, int&) (dom_nodeimpl.cpp:501)
==15618==    by 0xAF66D2A: DOM::NodeImpl::dispatchEvent(DOM::EventImpl*, int&, bool) (dom_nodeimpl.cpp:453)
==15618==    by 0xAE9EF52: KHTMLView::dispatchMouseEvent(int, DOM::NodeImpl*, DOM::NodeImpl*, bool, int, QMouseEvent*, bool, int, int) (khtmlview.cpp:3645)
==15618==    by 0xAEAA576: KHTMLView::mouseMoveEvent(QMouseEvent*) (khtmlview.cpp:1351)
==15618==    by 0x501E30C: QWidget::event(QEvent*) (in /usr/lib/libQtGui.so.4.5.3)
==15618==    by 0x53AFAD2: QFrame::event(QEvent*) (in /usr/lib/libQtGui.so.4.5.3)
==15618==    by 0xAEA83C0: KHTMLView::widgetEvent(QEvent*) (khtmlview.cpp:2325)
==15618==    by 0xAEAE659: KHTMLView::eventFilter(QObject*, QEvent*) (khtmlview.cpp:2189)
==15618==    by 0x4D98899: QCoreApplicationPrivate::sendThroughObjectEventFilters(QObject*, QEvent*) (in /usr/lib/libQtCore.so.4.5.3)
==15618==    by 0x4FC7689: QApplicationPrivate::notify_helper(QObject*, QEvent*) (in /usr/lib/libQtGui.so.4.5.3)
==15618==    by 0x4FD0340: QApplication::notify(QObject*, QEvent*) (in /usr/lib/libQtGui.so.4.5.3)
==15618==    by 0x479A964: KApplication::notify(QObject*, QEvent*) (kapplication.cpp:302)
==15618==    by 0x4D9968A: QCoreApplication::notifyInternal(QObject*, QEvent*) (in /usr/lib/libQtCore.so.4.5.3)
==15618==    by 0x4FCF3AD: QApplicationPrivate::sendMouseEvent(QWidget*, QMouseEvent*, QWidget*, QWidget*, QWidget**, QPointer<QWidget>&) (in /usr/lib/libQtGui.so.4.5.3)
==15618==
Comment 8 FiNeX 2010-08-15 16:40:03 UTC 
Crash confirmed in KDE 4.4.4, 4.4.5 and KDE 4.5.0
Comment 9 Maksim Orlovich 2010-08-15 18:08:26 UTC 
Updated line numbers:
==2962== Invalid read of size 4
==2962==    at 0xCB7AA3E: khtml::RenderBlock::nodeAtPoint(khtml::RenderObject::NodeInfo&, int, int, int, int, HitTestAction, bool) (render_block.cpp:2790)
==2962==    by 0xCBB9CC1: khtml::RenderLayer::nodeAtPointForLayer(khtml::RenderLayer*, khtml::RenderObject::NodeInfo&, int, int, QRect const&) (render_layer.cpp:1232)
==2962==    by 0xCBB9B80: khtml::RenderLayer::nodeAtPointForLayer(khtml::RenderLayer*, khtml::RenderObject::NodeInfo&, int, int, QRect const&) (render_layer.cpp:1214)
==2962==    by 0xCBBA323: khtml::RenderLayer::nodeAtPoint(khtml::RenderObject::NodeInfo&, int, int) (render_layer.cpp:1175)
==2962==    by 0xCAF85A4: DOM::MouseEventImpl::computeLayerPos() (dom2_eventsimpl.cpp:523)
==2962==    by 0xCAFB226: DOM::MouseEventImpl::MouseEventImpl(DOM::EventImpl::EventId, bool, bool, DOM::AbstractViewImpl*, long, long, long, long, long, long, long, bool, bool, bool, bool, unsigned short, DOM::NodeImpl*, QMouseEvent*, bool, DOM::MouseEventImpl::Orientation) (dom2_eventsimpl.cpp:503)
==2962==    by 0xCA17330: KHTMLView::dispatchMouseEvent(int, DOM::NodeImpl*, DOM::NodeImpl*, bool, int, QMouseEvent*, bool, int, int) (khtmlview.cpp:3699)
==2962==    by 0xCA205D8: KHTMLView::mouseMoveEvent(QMouseEvent*) (khtmlview.cpp:1363)
==2962==    by 0x59A7F96: QWidget::event(QEvent*) (qwidget.cpp:8029)
==2962==    by 0x5DD8F89: QFrame::event(QEvent*) (qframe.cpp:557)
==2962==    by 0xCA1E9BB: KHTMLView::widgetEvent(QEvent*) (khtmlview.cpp:2363)
==2962==  Address 0x7952b30 is 8 bytes inside a block of size 140 free'd
==2962==    at 0x4023996: free (vg_replace_malloc.c:325)
==2962==    by 0xCBB6E45: khtml::RenderArena::free(unsigned int, void*) (render_arena.cpp:122)
==2962==    by 0xCB951A2: khtml::RenderObject::arenaDelete(khtml::RenderArena*, void*) (render_object.cpp:2399)
==2962==    by 0xCB95267: khtml::RenderObject::detach() (render_object.cpp:2384)
==2962==    by 0xCBAD50A: khtml::RenderBox::detach() (render_box.cpp:223)
==2962==    by 0xCBAFE8A: khtml::RenderFlow::detach() (render_flow.cpp:361)
==2962==    by 0xCACDEAB: DOM::NodeImpl::detach() (dom_nodeimpl.cpp:901)
==2962==    by 0xCACDF2F: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1891)
==2962==    by 0xCADC7E1: DOM::ElementImpl::detach() (dom_elementimpl.cpp:913)
==2962==    by 0xCADC45D: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:987)
==2962==    by 0xCB2DCB8: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:235)
==2962==    by 0xCADC54E: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:1018)
==2962==    by 0xCB2DCB8: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:235)
==2962==    by 0xCADC54E: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:1018)
==2962==    by 0xCB2DCB8: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:235)
==2962==    by 0xCADC54E: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:1018)
==2962==    by 0xCB2DCB8: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:235)
==2962==    by 0xCADC54E: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:1018)
==2962==    by 0xCB2DCB8: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:235)
==2962==    by 0xCADC54E: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:1018)
==2962==    by 0xCB2DCB8: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:235)
==2962==    by 0xCABBF76: DOM::DocumentImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_docimpl.cpp:1439)
==2962==    by 0xCAB5388: DOM::DocumentImpl::updateRendering() (dom_docimpl.cpp:1468)
==2962==    by 0xCABBB54: DOM::DocumentImpl::updateDocumentsRendering() (dom_docimpl.cpp:1481)
==2962==    by 0xCCE566B: KJS::Window::afterScriptExecution() (kjs_window.cpp:1282)
==2962==    by 0xCD121E5: KJS::JSEventListener::handleEvent(DOM::Event&) (kjs_events.cpp:119)
==2962==    by 0xCD122AF: KJS::JSLazyEventListener::handleEvent(DOM::Event&) (kjs_events.cpp:159)
==2962==    by 0xCAFC466: DOM::EventTargetImpl::handleLocalEvents(DOM::EventImpl*, bool) (dom2_eventsimpl.cpp:61)
==2962==    by 0xCAD26BC: DOM::NodeImpl::dispatchGenericEvent(DOM::EventImpl*, int&) (dom_nodeimpl.cpp:469)
==2962==    by 0xCAD0EEA: DOM::NodeImpl::dispatchEvent(DOM::EventImpl*, int&, bool) (dom_nodeimpl.cpp:401)
==2962==    by 0xCA17228: KHTMLView::dispatchMouseEvent(int, DOM::NodeImpl*, DOM::NodeImpl*, bool, int, QMouseEvent*, bool, int, int) (khtmlview.cpp:3690)
==2962==    by 0xCA205D8: KHTMLView::mouseMoveEvent(QMouseEvent*) (khtmlview.cpp:1363)
Comment 10 Maksim Orlovich 2010-08-15 18:27:02 UTC 
OK... So we have a dangling pointer on the float list; but what I am confused about is how the list is supposed to be kept up-to-date; it only seems to be done by layout(BlockChildren), but I don't see how that would be forced..
Comment 11 Maksim Orlovich 2010-08-15 19:55:37 UTC 
SVN commit 1164054 by orlovich:

Go ahead and be far more strict about keeping the special child object lists up-to-date.

BUG: 170165


 M  +9 -0      render_object.cpp  
 M  +1 -1      render_object.h  


WebSVN link: http://websvn.kde.org/?view=rev&revision=1164054
Comment 12 Maksim Orlovich 2010-08-15 19:56:17 UTC 
SVN commit 1164055 by orlovich:

Merged revision:r1164054 | orlovich | 2010-08-15 13:58:58 -0400 (Sun, 15 Aug 2010) | 4 lines

Go ahead and be far more strict about keeping the special child object lists up-to-date.

BUG: 170165

 M  +9 -0      render_object.cpp  
 M  +1 -1      render_object.h  


WebSVN link: http://websvn.kde.org/?view=rev&revision=1164055