Summary: | Konqueror crashes each time opening a special page | |
---|---|---|---
Product: | [Applications] konqueror | Reporter: | Richard Hartmann <rick4711>
Component: | general | Assignee: | Konqueror Developers <konq-bugs>
Status: | RESOLVED FIXED | |
Severity: | crash | CC: | frank78ac, maksim
Priority: | NOR | |
Version: | unspecified | |
Target Milestone: | --- | |
Platform: | unspecified | |
OS: | Linux | |
Latest Commit: | | Version Fixed In: |
Sentry Crash Report: | | |
Attachments: | Test case (not minimal) | |
Description
Richard Hartmann
2008-09-11 21:25:03 UTC
[KCrash handler]
#6  0x00000000 in ?? ()
#7  0xb3196015 in khtml::Marquee::timerEvent () from /opt/kde4/lib/libkhtml.so.5
#8  0xb74a2164 in QObject::event () from /opt/kde4/lib/libQtCore.so.4
#9  0xb6a16f7c in QApplicationPrivate::notify_helper () from /opt/kde4/lib/libQtGui.so.4
#10 0xb6a1e049 in QApplication::notify () from /opt/kde4/lib/libQtGui.so.4
#11 0xb7a579dd in KApplication::notify () from /opt/kde4/lib/libkdeui.so.5
#12 0xb74942a9 in QCoreApplication::notifyInternal () from /opt/kde4/lib/libQtCore.so.4
#13 0xb74bd031 in ?? () from /opt/kde4/lib/libQtCore.so.4
#14 0xb74bab30 in ?? () from /opt/kde4/lib/libQtCore.so.4
#15 0xb64fbdd6 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#16 0xb64ff193 in ?? () from /usr/lib/libglib-2.0.so.0
#17 0xb64ff74e in g_main_context_iteration () from /usr/lib/libglib-2.0.so.0
#18 0xb74bb268 in QEventDispatcherGlib::processEvents () from /opt/kde4/lib/libQtCore.so.4
#19 0xb6a9d305 in ?? () from /opt/kde4/lib/libQtGui.so.4
#20 0xb749352d in QEventLoop::processEvents () from /opt/kde4/lib/libQtCore.so.4
#21 0xb74936c1 in QEventLoop::exec () from /opt/kde4/lib/libQtCore.so.4
#22 0xb749595a in QCoreApplication::exec () from /opt/kde4/lib/libQtCore.so.4
#23 0xb6a16687 in QApplication::exec () from /opt/kde4/lib/libQtGui.so.4
#24 0xb7f35fce in kdemain () from /opt/kde4/lib/libkdeinit4_konqueror.so
#25 0x08048772 in main ()
#0  0xb7f4d410 in __kernel_vsyscall ()

Created attachment 27376 [details]
Test case (not minimal)
I reduced the page a bit, but my test case still depends on two external JS files which looked a bit ugly to me ;-). I could try to fight my way through them if you think it helps...
Note that
QObject: Do not delete object, 'unnamed', during its event handler!
is shown in Konsole.
The crash is because RenderLayer::scrollToOffset, triggered by a marquee, runs some JavaScript which detaches the layer on after-the-execution CSS recomputation. Seeing this many bugs of this class makes me wonder if we should only be doing updateRendering off the main event loop or such?

==7959== Invalid read of size 4
==7959==    at 0xB980900: khtml::RenderLayer::scrollToOffset(int, int, bool, bool) (render_layer.cpp:723)
==7959==    by 0xB98284A: khtml::RenderLayer::scrollToXOffset(int) (render_layer.h:184)
==7959==    by 0xB980CAB: khtml::Marquee::timerEvent(QTimerEvent*) (render_layer.cpp:1957)
==7959==    by 0x4E0DF1E: QObject::event(QEvent*) (qobject.cpp:1105)
==7959==    by 0x541EBDB: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:3800)
==7959==    by 0x5424FED: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:3392)
==7959==    by 0x46D4588: KApplication::notify(QObject*, QEvent*) (kapplication.cpp:311)
==7959==    by 0x4DFFD20: QCoreApplication::notifyInternal(QObject*, QEvent*) (qcoreapplication.cpp:587)
==7959==    by 0x4E29B60: QTimerInfoList::activateTimers() (qcoreapplication.h:215)
==7959==    by 0x4E266EF: _ZL19timerSourceDispatchP8_GSourcePFiPvES1_ (qeventdispatcher_glib.cpp:166)
==7959==    by 0x5E25799: g_main_context_dispatch (gmain.c:2142)
==7959==    by 0x5E28EB7: g_main_context_iterate (gmain.c:2775)
==7959==    by 0x5E29077: g_main_context_iteration (gmain.c:2838)
==7959==    by 0x4E26647: QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventdispatcher_glib.cpp:325)
==7959==    by 0x54A8594: QGuiEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qguieventdispatcher_glib.cpp:204)
==7959==    by 0x4DFE489: QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventloop.cpp:149)
==7959==    by 0x4DFE649: QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (qeventloop.cpp:196)
==7959==    by 0x4E008CC: QCoreApplication::exec() (qcoreapplication.cpp:849)
==7959==    by 0x541EA56: QApplication::exec() (qapplication.cpp:3330)
==7959==    by 0x4127BBA: kdemain (konqmain.cpp:227)
==7959==    by 0x80487A1: main (konqueror_dummy.cpp:3)
==7959==  Address 0xdec0988 is 8 bytes inside a block of size 108 free'd
==7959==    at 0x40218FA: free (vg_replace_malloc.c:323)
==7959==    by 0xB97A445: khtml::RenderArena::free(unsigned, void*) (render_arena.cpp:122)
==7959==    by 0xB97ED58: khtml::RenderLayer::detach(khtml::RenderArena*) (render_layer.cpp:500)
==7959==    by 0xB97100D: khtml::RenderBox::detach() (render_box.cpp:221)
==7959==    by 0xB97383A: khtml::RenderFlow::detach() (render_flow.cpp:361)
==7959==    by 0xB8A4BCB: DOM::NodeImpl::detach() (dom_nodeimpl.cpp:985)
==7959==    by 0xB8A4C4A: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1747)
==7959==    by 0xB8B17C1: DOM::ElementImpl::detach() (dom_elementimpl.cpp:863)
==7959==    by 0xB8A4C34: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1745)
==7959==    by 0xB8B17C1: DOM::ElementImpl::detach() (dom_elementimpl.cpp:863)
==7959==    by 0xB8A4C34: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1745)
==7959==    by 0xB8B17C1: DOM::ElementImpl::detach() (dom_elementimpl.cpp:863)
==7959==    by 0xB8A4C34: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1745)
==7959==    by 0xB8B17C1: DOM::ElementImpl::detach() (dom_elementimpl.cpp:863)
==7959==    by 0xB8A4C34: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1745)
==7959==    by 0xB8B17C1: DOM::ElementImpl::detach() (dom_elementimpl.cpp:863)
==7959==    by 0xB8A4C34: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1745)
==7959==    by 0xB8B17C1: DOM::ElementImpl::detach() (dom_elementimpl.cpp:863)
==7959==    by 0xB8A4C34: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1745)
==7959==    by 0xB8B17C1: DOM::ElementImpl::detach() (dom_elementimpl.cpp:863)
==7959==    by 0xB8A4C34: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1745)
==7959==    by 0xB8B17C1: DOM::ElementImpl::detach() (dom_elementimpl.cpp:863)
==7959==    by 0xB8B1422: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:937)
==7959==    by 0xB8F75F8: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:280)
==7959==    by 0xB8B1526: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:968)
==7959==    by 0xB8F75F8: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:280)
==7959==    by 0xB8946A9: DOM::DocumentImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_docimpl.cpp:1266)
==7959==    by 0xB88AF78: DOM::DocumentImpl::updateRendering() (dom_docimpl.cpp:1295)
==7959==    by 0xB894295: DOM::DocumentImpl::updateDocumentsRendering() (dom_docimpl.cpp:1308)
==7959==    by 0xBA6F26B: KJS::Window::afterScriptExecution() (kjs_window.cpp:1270)
==7959==    by 0xBA9949A: KJS::JSEventListener::handleEvent(DOM::Event&) (kjs_events.cpp:119)
==7959==    by 0xB88D9A6: DOM::DocumentImpl::defaultEventHandler(DOM::EventImpl*) (dom_docimpl.cpp:2699)
==7959==    by 0xB8AA974: DOM::NodeImpl::dispatchGenericEvent(DOM::EventImpl*, int&) (dom_nodeimpl.cpp:524)
==7959==    by 0xB8A8FCA: DOM::NodeImpl::dispatchEvent(DOM::EventImpl*, int&, bool) (dom_nodeimpl.cpp:451)
==7959==    by 0xB8AB0B9: DOM::NodeImpl::dispatchHTMLEvent(int, bool, bool) (dom_nodeimpl.cpp:550)
==7959==    by 0xB9808F6: khtml::RenderLayer::scrollToOffset(int, int, bool, bool) (render_layer.cpp:719)
==7959==    by 0xB98284A: khtml::RenderLayer::scrollToXOffset(int) (render_layer.h:184)
==7959==    by 0xB980CAB: khtml::Marquee::timerEvent(QTimerEvent*) (render_layer.cpp:1957)
==7959==    by 0x4E0DF1E: QObject::event(QEvent*) (qobject.cpp:1105)
==7959==    by 0x541EBDB: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:3800)
==7959==    by 0x5424FED: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:3392)
==7959==    by 0x46D4588: KApplication::notify(QObject*, QEvent*) (kapplication.cpp:311)
==7959==    by 0x4DFFD20: QCoreApplication::notifyInternal(QObject*, QEvent*) (qcoreapplication.cpp:587)
==7959==    by 0x4E29B60: QTimerInfoList::activateTimers() (qcoreapplication.h:215)
==7959==    by 0x4E266EF: _ZL19timerSourceDispatchP8_GSourcePFiPvES1_ (qeventdispatcher_glib.cpp:166)
==7959==    by 0x5E25799: g_main_context_dispatch (gmain.c:2142)
==7959==    by 0x5E28EB7: g_main_context_iterate (gmain.c:2775)
==7959==    by 0x5E29077: g_main_context_iteration (gmain.c:2838)
==7959==    by 0x4E26647: QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventdispatcher_glib.cpp:325)
==7959==    by 0x54A8594: QGuiEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qguieventdispatcher_glib.cpp:204)
==7959==    by 0x4DFE489: QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventloop.cpp:149)
==7959==    by 0x4DFE649: QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (qeventloop.cpp:196)

OK, have a fix. Now just need to figure out how to make the test standalone.. Also, the original idea doesn't really help since event handlers can handle a detach or a restyle in other ways anyway.

Fixed in r860095

I gave up on making a standalone reduction since the lightbox JS file registers a whole bunch of hooks. It'd probably be easier to figure out how to trigger an appropriately heavy detach... Shame, since it's the very sort of bug a regression test would be highly useful on..
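An added illustration of the re-entrancy pattern behind the valgrind trace above (not khtml code and not the r860095 fix): scrollToOffset dispatches the scroll event, script runs, the post-script style recalculation detaches the layer, and the method then touches the freed layer. Layer, Document, marqueeTick and the lifetime token are assumed stand-ins; the hardened scrollToOffset re-checks the token after dispatch instead of continuing blindly.

```cpp
#include <functional>
#include <memory>

// Assumed stand-in for khtml's RenderLayer (illustration, not khtml code).
struct Layer {
    int scrollX = 0, scrollY = 0;
    std::function<void()> onScroll;                  // script-installed scroll listener
    std::shared_ptr<bool> alive = std::make_shared<bool>(true);  // lifetime token
};
// Assumed stand-in for the document that owns the layer.
struct Document {
    std::unique_ptr<Layer> layer = std::make_unique<Layer>();
    // Plays the role of recalcStyle() -> RenderLayer::detach() freeing the layer.
    void detachLayer() { layer.reset(); }
};
// Hardened scrollToOffset: dispatching the scroll event may run arbitrary
// script that detaches `self`, so re-check the lifetime token before using
// any member again. Returns false if the layer was destroyed mid-call.
bool scrollToOffset(Layer* self, int x, int y) {
    self->scrollX = x;
    self->scrollY = y;
    std::weak_ptr<bool> guard = self->alive;         // observe, never extend, lifetime
    auto listener = self->onScroll;                  // local copy outlives `self`
    if (listener) listener();                        // may re-enter and free `self`
    if (guard.expired()) return false;               // the buggy code kept going here
    if (self->scrollX < 0) self->scrollX = 0;        // safe post-dispatch member use
    return true;
}
// Marquee timer tick driving the scroll, as Marquee::timerEvent does.
// Returns true if the layer survived the tick, false if it was detached.
bool marqueeTick(Document& doc, int x) {
    if (!doc.layer) return false;
    return scrollToOffset(doc.layer.get(), x, 0);
}
// Scenario 1: a benign listener; the layer survives and the offset is kept.
int benignScrollX() {
    Document doc;
    doc.layer->onScroll = [] {};
    marqueeTick(doc, 42);
    return doc.layer->scrollX;                       // 42
}
// Scenario 2: the listener forces a restyle that detaches the layer, as the
// page's lightbox script did; the guard turns a use-after-free into a no-op.
bool tickWithDetachingListener() {
    Document doc;
    doc.layer->onScroll = [&doc] { doc.detachLayer(); };
    return marqueeTick(doc, 42);                     // false
}
```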