Summary: | Konqueror crash at Google Translator | |
---|---|---|---
Product: | [Applications] konqueror | Reporter: | usrrgt
Component: | general | Assignee: | Konqueror Developers <konq-bugs>
Status: | RESOLVED FIXED | |
Severity: | grave | CC: | andreas_nordal_4, jlp, jseward, mail, null, rasasi78, ropesogm, sts, vmikiv, workingwriter
Priority: | NOR | |
Version: | 4.1.2 | |
Target Milestone: | --- | |
Platform: | Ubuntu | |
OS: | Linux | |
Latest Commit: | | Version Fixed In: |
Sentry Crash Report: | | |
Description
usrrgt
2008-10-29 23:26:14 UTC
I can repro this at svn rev 876722. From quick prodding with Valgrind, I suspect this could be an uninitialised value error, which leads later to an invalid memory access. A tiny fraction of a second after I click the back button, as in the repro instructions, I get the following two errors from V. I think the second is likely to be caused by the first, viz, the first is a possible root cause.

Conditional jump or move depends on uninitialised value(s)
   at 0x4E6F3DD: KonqView::restoreHistory() (konqview.cpp:859)
   by 0x4E6F773: KonqView::go(int) (konqview.cpp:835)
   by 0x4EAC1BD: KonqMainWindow::slotGoHistoryDelayed() (konqmainwindow.cpp:2819)
   by 0x4EB12F4: KonqMainWindow::qt_metacall(QMetaObject::Call, int, void**) (konqmainwindow.moc:437)
   by 0x679F3E2: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3022)
   by 0x67A069C: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qobject.cpp:3092)
   by 0x67A53DD: QSingleShotTimer::timeout() (qtimer.moc:74)
   by 0x67A549A: QSingleShotTimer::timerEvent(QTimerEvent*) (qtimer.cpp:294)
   by 0x679AA07: QObject::event(QEvent*) (qobject.cpp:1111)
   by 0x75E0C52: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:3803)
   by 0x75E80DB: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:3393)
   by 0x5BD8803: KApplication::notify(QObject*, QEvent*) (kapplication.cpp:307)
 Uninitialised value was created by a heap allocation
   at 0x4C2530C: operator new(unsigned long) (vg_replace_malloc.c:230)
   by 0x4E6D838: KonqView::createHistoryEntry() (konqview.cpp:737)
   by 0x4E6FD88: KonqView::openUrl(KUrl const&, QString const&, QString const&, bool) (konqview.cpp:195)
   by 0x4EAB60D: KonqMainWindow::openView(QString, KUrl const&, KonqView*, KonqOpenURLRequest const&) (konqmainwindow.cpp:932)
   by 0x4E69B27: KonqRun::tryOpenView(QString const&, bool) (konqrun.cpp:158)
   by 0x4E69CAB: KonqRun::foundMimeType(QString const&) (konqrun.cpp:93)
   by 0x56991BB: KRun::mimeTypeDetermined(QString const&) (krun.cpp:1125)
   by 0x7F3C15B: KParts::BrowserRun::slotBrowserMimetype(KIO::Job*, QString const&) (browserrun.cpp:222)
   by 0x7F3C3BE: KParts::BrowserRun::qt_metacall(QMetaObject::Call, int, void**) (browserrun.moc:73)
   by 0x4E69735: KonqRun::qt_metacall(QMetaObject::Call, int, void**) (konqrun.moc:62)
   by 0x679F3E2: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3022)
   by 0x67A069C: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qobject.cpp:3092)

Invalid read of size 4
   at 0x66F74D8: QString::operator==(QString const&) const (qstring.cpp:1768)
   by 0x15280666: QString::operator!=(QString const&) const (qstring.h:372)
   by 0x15276244: KHTMLPart::restoreState(QDataStream&) (khtml_part.cpp:5677)
   by 0x15290A36: KHTMLPartBrowserExtension::restoreState(QDataStream&) (khtml_ext.cpp:104)
   by 0x4E6F41C: KonqView::restoreHistory() (konqview.cpp:864)
   by 0x4E6F773: KonqView::go(int) (konqview.cpp:835)
   by 0x4EAC1BD: KonqMainWindow::slotGoHistoryDelayed() (konqmainwindow.cpp:2819)
   by 0x4EB12F4: KonqMainWindow::qt_metacall(QMetaObject::Call, int, void**) (konqmainwindow.moc:437)
   by 0x679F3E2: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3022)
   by 0x67A069C: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qobject.cpp:3092)
   by 0x67A53DD: QSingleShotTimer::timeout() (qtimer.moc:74)
   by 0x67A549A: QSingleShotTimer::timerEvent(QTimerEvent*) (qtimer.cpp:294)
 Address 0x8 is not stack'd, malloc'd or (recently) free'd

Just to record another finding: changing konqview.cpp:737 as follows stops it crashing, and also gets rid of the uninit var warning

{
    HistoryEntry* hh = new HistoryEntry;
    hh->reload = true;
    appendHistoryEntry(hh);
}

(previously line 737 was: appendHistoryEntry( new HistoryEntry ); )

I am sure this is merely treating the symptoms, and not a proper fix.

The actual problem seems to be that fNameIt goes to frameNames.constEnd() and we deref it without checking for it.
The following patch shows the problem (it asserts for me at the third assert):

Index: khtml_part.cpp
===================================================================
--- khtml_part.cpp (revision 879699)
+++ khtml_part.cpp (working copy)
@@ -5667,12 +5667,15 @@
 KUrl::List::ConstIterator fURLIt = frameURLs.constBegin();
 QList<QByteArray>::ConstIterator fBufferIt = frameStateBuffers.constBegin();
 QList<int>::ConstIterator fFrameTypeIt = frameTypes.constBegin();
-
+Q_ASSERT(fNameIt != frameNames.constEnd());
+Q_ASSERT(fServiceTypeIt != frameServiceTypes.constEnd());
 for (; fIt != fEnd; ++fIt, ++fNameIt, ++fServiceTypeIt, ++fServiceNameIt, ++fURLIt, ++fBufferIt, ++fFrameTypeIt )
 {
 khtml::ChildFrame* const child = *fIt;
 // kDebug( 6050 ) << *fNameIt << " ---- " << *fServiceTypeIt;
+Q_ASSERT(fNameIt != frameNames.constEnd());
+Q_ASSERT(fServiceTypeIt != frameServiceTypes.constEnd());
 if ( child->m_name != *fNameIt || child->m_serviceType != *fServiceTypeIt )
 {

The question is why this happens and how to fix it. The "if ( !(*it)->m_part ) continue;" in KHTMLPart::saveState is not the reason :-/

Interesting case; once on the "Google Translate" page, 2 history items got added (in trunk as well as in 3.5). The one that triggers the crash is actually the same page, while the one before it is the one someone would expect to go to by clicking back. Going directly back to that second one does not trigger a crash; only going back to the same page does.

When I put a word or phrase in Portuguese in the translating box, it is not translated. Nothing happens when I click on the button "translate".

*** Bug 186993 has been marked as a duplicate of this bug. ***

*** Bug 191709 has been marked as a duplicate of this bug. ***

*** Bug 193396 has been marked as a duplicate of this bug. ***

*** Bug 193915 has been marked as a duplicate of this bug. ***

*** Bug 193054 has been marked as a duplicate of this bug. ***

193054 has a (non-reduced) testcase.

May this be a dupe of https://bugs.kde.org/show_bug.cgi?id=158794 ?

SVN commit 998473 by orlovich:

Do full restore on going back when frame count doesn't match. Should fix the restoreState/QString::operator== crash.
I am not at all happy with full restore path, but its flaws should be considerably less, uhm, crashy.

CCBUG: 170185
BUG: 158794
BUG: 173870
BUG: 183733
BUG: 193828
BUG: 196724
BUG: 196795
BUG: 197435
BUG: 198646
BUG: 199806
BUG: 200425

(Not dup'ing those to avoid sending a whole bunch of people 10 e-mails. Plus, it's more fun this way!)

M +1 -1 khtml_part.cpp

WebSVN link: http://websvn.kde.org/?view=rev&revision=998473

SVN commit 998543 by orlovich:

Merged revision: r998473 | orlovich | 2009-07-17 14:29:18 -0400 (Fri, 17 Jul 2009) | 15 lines

Do full restore on going back when frame count doesn't match. Should fix the restoreState/QString::operator== crash.

I am not at all happy with full restore path, but its flaws should be considerably less, uhm, crashy.

CCBUG: 170185
BUG: 158794
BUG: 173870
BUG: 183733
BUG: 193828
BUG: 196724
BUG: 196795
BUG: 197435
BUG: 198646
BUG: 199806
BUG: 200425

(Not dup'ing those to avoid sending a whole bunch of people 10 e-mails. Plus, it's more fun this way!)

M +1 -1 khtml_part.cpp

WebSVN link: http://websvn.kde.org/?view=rev&revision=998543
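Review bot: the khtml_part.cpp hunk posted earlier in this bug only guards fNameIt and fServiceTypeIt, but the same for-loop advances and the body later dereferences fServiceNameIt, fURLIt, fBufferIt and fFrameTypeIt, which come from the same deserialised lists and can run past constEnd() in exactly the same way; each of them needs its own Q_ASSERT(xIt != xList.constEnd()) if the point is to find which list is short. Q_ASSERT also compiles to nothing outside debug builds, so the patch diagnoses the out-of-bounds read (the "Invalid read of size 4 ... Address 0x8" from QString::operator== in the Valgrind log) but does not prevent it; the durable fix is a length check before the loop, comparing frameNames.count() and the other lists against the number of child frames and taking a different restore path on mismatch, which is what the r998473 commit message describes.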
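As an added illustration, not code from KHTML or Konqueror, the following C++ sketch reproduces the two defects this thread isolates, using standard containers in place of QList/QStringList and a plain struct in place of the QDataStream payload: a history entry whose flag is left undefined by `new`, and a restore loop that zips parallel per-frame lists with iterators and walks off the end when the saved state describes fewer frames than the page currently has. `ChildFrame`, `HistoryEntry`, `SavedFrameState`, `saveState`, `restoreFramesUnchecked`, `restoreFrames` and `RestoreResult` are names chosen for this example; the checked version returns `FullReload` when the counts differ, which is the behaviour the r998473 commit message describes.

```cpp
// Added example, not KHTML/Konqueror code. Standard containers stand in for
// Qt's QList/QStringList; a struct stands in for the QDataStream payload.
#include <cassert>
#include <cstddef>
#include <string>
#include <vector>

// Stand-in for khtml::ChildFrame: the frames the page currently has.
struct ChildFrame {
    std::string name;
    std::string serviceType;
};

// Stand-in for KonqView's HistoryEntry. The original was created with
// `new HistoryEntry` and `reload` was read in restoreHistory() before anything
// wrote it (the Valgrind "uninitialised value" report). A default member
// initialiser makes every allocation path start from a defined value.
struct HistoryEntry {
    bool reload = false;
    std::string url;
};

// Stand-in for what saveState() serialises: one entry per child frame, in
// parallel lists, the shape restoreState() later walks with iterators.
struct SavedFrameState {
    std::vector<std::string> names;
    std::vector<std::string> serviceTypes;
};

SavedFrameState saveState(const std::vector<ChildFrame>& children) {
    SavedFrameState s;
    for (const ChildFrame& c : children) {
        s.names.push_back(c.name);
        s.serviceTypes.push_back(c.serviceType);
    }
    return s;
}

// Shape of the original loop: iterators over the saved lists are advanced in
// lock-step with the children and dereferenced without an end() check. If the
// page gained a frame after the state was saved, *nameIt reads past the end
// (undefined behaviour; in the real crash a read at address 0x8). Kept for
// contrast only; never call it with mismatched inputs.
bool restoreFramesUnchecked(const std::vector<ChildFrame>& children,
                            const SavedFrameState& saved) {
    auto nameIt = saved.names.begin();
    auto typeIt = saved.serviceTypes.begin();
    for (auto it = children.begin(); it != children.end(); ++it, ++nameIt, ++typeIt) {
        if (it->name != *nameIt || it->serviceType != *typeIt)
            return false;
    }
    return true;
}

enum class RestoreResult { Incremental, FrameMismatch, FullReload };

// Checked version: the count comparison happens before any dereference, and a
// mismatch is routed to the full-restore path instead of into the loop.
RestoreResult restoreFrames(const std::vector<ChildFrame>& children,
                            const SavedFrameState& saved) {
    if (saved.names.size() != children.size() ||
        saved.serviceTypes.size() != children.size())
        return RestoreResult::FullReload;
    for (std::size_t i = 0; i < children.size(); ++i) {
        if (children[i].name != saved.names[i] ||
            children[i].serviceType != saved.serviceTypes[i])
            return RestoreResult::FrameMismatch;
    }
    return RestoreResult::Incremental;
}

int main() {
    // Constructed scenario: the page had one frame when its state was saved,
    // then gained a second one before the user pressed Back.
    std::vector<ChildFrame> before = {{"main", "text/html"}};
    SavedFrameState saved = saveState(before);
    std::vector<ChildFrame> after = {{"main", "text/html"}, {"result", "text/html"}};

    assert(restoreFrames(before, saved) == RestoreResult::Incremental);
    assert(restoreFrames(after, saved) == RestoreResult::FullReload);

    HistoryEntry* entry = new HistoryEntry;
    assert(!entry->reload);   // defined, unlike the original `new HistoryEntry`
    delete entry;
    return 0;
}
```

The size check is the whole fix: once the saved lists are known to be as long as the child list, indexing (or the original lock-step iterators) cannot leave the container, and the "same page twice in history" case from the thread degrades to a full reload instead of a read through a stale iterator.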