Bug 188229

Summary: Crash when loading http://blog.kagou.fr/post/2008/06/13/Cest-la-police in khtml::RenderFlow::addChildWithContinuation
Product: [Applications] konqueror
Reporter: Sébastien Durand <sunseb>
Component: general
Assignee: Konqueror Developers <konq-bugs>
Status: RESOLVED WORKSFORME
Severity: crash
CC: andresbajotierra, kpiette, zahl
Priority: NOR
Version: 4.2.1
Target Milestone: ---
Platform: unspecified
OS: Linux
Latest Commit:
Version Fixed In:
Sentry Crash Report:

Description Sébastien Durand 2009-03-27 08:22:49 UTC
Version:            (using KDE 4.2.1)
OS:                Linux
Installed from:    Unlisted Binary Package

Application: Konqueror (konqueror), signal SIGSEGV
[Current thread is 0 (LWP 4984)]

Thread 3 (Thread 0xb2c1bb90 (LWP 4985)):
#0  0xb80a1424 in __kernel_vsyscall ()
#1  0xb739ff82 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib/libpthread.so.0
#2  0xb741450c in QWaitCondition::wait () from /usr/lib/libQtCore.so.4
#3  0xb740af16 in ?? () from /usr/lib/libQtCore.so.4
#4  0x0950a0d0 in ?? ()
#5  0x0950a0cc in ?? ()
#6  0x00007530 in ?? ()
#7  0xb74e8ee6 in QAbstractEventDispatcher::QAbstractEventDispatcher () from /usr/lib/libQtCore.so.4
#8  0xb74137a0 in ?? () from /usr/lib/libQtCore.so.4
#9  0x098680f0 in ?? ()
#10 0x00000000 in ?? ()

Thread 2 (Thread 0xb23f9b90 (LWP 4986)):
#0  0xb80a1424 in __kernel_vsyscall ()
#1  0xb739ff82 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib/libpthread.so.0
#2  0xb741450c in QWaitCondition::wait () from /usr/lib/libQtCore.so.4
#3  0xb740af16 in ?? () from /usr/lib/libQtCore.so.4
#4  0x0950a0d0 in ?? ()
#5  0x0950a0cc in ?? ()
#6  0x00007530 in ?? ()
#7  0xb74e8ee6 in QAbstractEventDispatcher::QAbstractEventDispatcher () from /usr/lib/libQtCore.so.4
#8  0xb74137a0 in ?? () from /usr/lib/libQtCore.so.4
#9  0x095cfd18 in ?? ()
#10 0x00000000 in ?? ()

Thread 1 (Thread 0xb60f6700 (LWP 4984)):
[KCrash Handler]
#6  0xb431a350 in khtml::RenderFlow::addChildWithContinuation () from /usr/lib/libkhtml.so.5
#7  0xb424e466 in DOM::NodeImpl::createRendererIfNeeded () from /usr/lib/libkhtml.so.5
#8  0xb4258f52 in DOM::ElementImpl::attach () from /usr/lib/libkhtml.so.5
#9  0xb42515ea in DOM::NodeBaseImpl::insertBefore () from /usr/lib/libkhtml.so.5
#10 0xb43f57d0 in DOMNodeProtoFunc::callAsFunction () from /usr/lib/libkhtml.so.5
#11 0xb408c6bd in KJS::JSObject::call () from /usr/lib/libkjs.so.4
#12 0xb40a8c13 in KJS::Machine::runBlock () from /usr/lib/libkjs.so.4
#13 0xb4088a12 in KJS::FunctionImp::callAsFunction () from /usr/lib/libkjs.so.4
#14 0xb408c6bd in KJS::JSObject::call () from /usr/lib/libkjs.so.4
#15 0xb4085d5f in KJS::FunctionImp::construct () from /usr/lib/libkjs.so.4
#16 0xb40a9366 in KJS::Machine::runBlock () from /usr/lib/libkjs.so.4
#17 0xb4088a12 in KJS::FunctionImp::callAsFunction () from /usr/lib/libkjs.so.4
#18 0xb408c6bd in KJS::JSObject::call () from /usr/lib/libkjs.so.4
#19 0xb4453a8d in KJS::JSEventListener::handleEvent () from /usr/lib/libkhtml.so.5
#20 0xb42399bb in DOM::DocumentImpl::defaultEventHandler () from /usr/lib/libkhtml.so.5
#21 0xb4251c8f in DOM::NodeImpl::dispatchWindowEvent () from /usr/lib/libkhtml.so.5
#22 0xb42ab413 in DOM::HTMLDocumentImpl::close () from /usr/lib/libkhtml.so.5
#23 0xb41cded1 in KHTMLPart::checkEmitLoadEvent () from /usr/lib/libkhtml.so.5
#24 0xb41d73c4 in KHTMLPart::checkCompleted () from /usr/lib/libkhtml.so.5
#25 0xb41d7870 in KHTMLPart::slotLoaderRequestDone () from /usr/lib/libkhtml.so.5
#26 0xb41fa902 in KHTMLPart::qt_metacall () from /usr/lib/libkhtml.so.5
#27 0xb75061a9 in QMetaObject::activate () from /usr/lib/libQtCore.so.4
#28 0xb7506752 in QMetaObject::activate () from /usr/lib/libQtCore.so.4
#29 0xb43b59c9 in khtml::Loader::requestDone () from /usr/lib/libkhtml.so.5
#30 0xb43bb123 in khtml::Loader::slotFinished () from /usr/lib/libkhtml.so.5
#31 0xb43bb467 in khtml::Loader::qt_metacall () from /usr/lib/libkhtml.so.5
#32 0xb75061a9 in QMetaObject::activate () from /usr/lib/libQtCore.so.4
#33 0xb7506752 in QMetaObject::activate () from /usr/lib/libQtCore.so.4
#34 0xb76c8c13 in KJob::result () from /usr/lib/libkdecore.so.5
#35 0xb76c90b9 in KJob::emitResult () from /usr/lib/libkdecore.so.5
#36 0xb7d86cb5 in KIO::SimpleJob::slotFinished () from /usr/lib/libkio.so.5
#37 0xb7d87f23 in KIO::TransferJob::slotFinished () from /usr/lib/libkio.so.5
#38 0xb7d88fab in KIO::TransferJob::qt_metacall () from /usr/lib/libkio.so.5
#39 0xb75061a9 in QMetaObject::activate () from /usr/lib/libQtCore.so.4
#40 0xb7506752 in QMetaObject::activate () from /usr/lib/libQtCore.so.4
#41 0xb7e36f77 in KIO::SlaveInterface::finished () from /usr/lib/libkio.so.5
#42 0xb7e39bcf in KIO::SlaveInterface::dispatch () from /usr/lib/libkio.so.5
#43 0xb7e37587 in KIO::SlaveInterface::dispatch () from /usr/lib/libkio.so.5
#44 0xb7e29ec0 in KIO::Slave::gotInput () from /usr/lib/libkio.so.5
#45 0xb7e2a233 in KIO::Slave::qt_metacall () from /usr/lib/libkio.so.5
#46 0xb75061a9 in QMetaObject::activate () from /usr/lib/libQtCore.so.4
#47 0xb7506752 in QMetaObject::activate () from /usr/lib/libQtCore.so.4
#48 0xb7d54517 in KIO::Connection::readyRead () from /usr/lib/libkio.so.5
#49 0xb7d55f33 in KIO::ConnectionPrivate::dequeue () from /usr/lib/libkio.so.5
#50 0xb7d56586 in KIO::Connection::qt_metacall () from /usr/lib/libkio.so.5
#51 0xb750138b in QMetaCallEvent::placeMetaCall () from /usr/lib/libQtCore.so.4
#52 0xb7503120 in QObject::event () from /usr/lib/libQtCore.so.4
#53 0xb6ca101c in QApplicationPrivate::notify_helper () from /usr/lib/libQtGui.so.4
#54 0xb6ca8a9e in QApplication::notify () from /usr/lib/libQtGui.so.4
#55 0xb7a1b5ad in KApplication::notify () from /usr/lib/libkdeui.so.5
#56 0xb74f3c1b in QCoreApplication::notifyInternal () from /usr/lib/libQtCore.so.4
#57 0xb74f4543 in QCoreApplicationPrivate::sendPostedEvents () from /usr/lib/libQtCore.so.4
#58 0xb74f46dd in QCoreApplication::sendPostedEvents () from /usr/lib/libQtCore.so.4
#59 0xb751b83f in ?? () from /usr/lib/libQtCore.so.4
#60 0x00000000 in ?? ()

Comment 1 Dario Andres 2009-03-27 17:40:47 UTC
Here using:

Qt: 4.5.0 + qt-copy-patches-936035
KDE: 4.2.67 (KDE 4.2.67 (KDE 4.3 >= 20090318))
kdelibs svn rev. 944348 / kdebase svn rev. 944348
on ArchLinux i686 - Kernel 2.6.28.7

Konqueror crashes. Valgrind log:

==3236==
==3236== Invalid read of size 1
==3236==    at 0xAAF28F0: khtml::RenderFlow::addChildWithContinuation(khtml::RenderObject*, khtml::RenderObject*) (render_object.h:318)
==3236==    by 0xAA258D5: DOM::NodeImpl::createRendererIfNeeded() (dom_nodeimpl.cpp:1081)
==3236==    by 0xAA2FC31: DOM::ElementImpl::attach() (dom_elementimpl.cpp:834)
==3236==    by 0xAA28A89: DOM::NodeBaseImpl::insertBefore(DOM::NodeImpl*, DOM::NodeImpl*, int&) (dom_nodeimpl.cpp:1399)
==3236==    by 0xABD5797: DOMNodeProtoFunc::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) (kjs_dom.cpp:640)
==3236==    by 0xAF28BEC: KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) (object.cpp:69)
==3236==    by 0xAF4525A: KJS::Machine::runBlock(KJS::ExecState*, WTF::Vector<unsigned char, 0u> const&, KJS::ExecState*) (codes.def:1192)
==3236==    by 0xAF24E71: KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) (function.cpp:144)
==3236==    by 0xAF28BEC: KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) (object.cpp:69)
==3236==    by 0xAF221AE: KJS::FunctionImp::construct(KJS::ExecState*, KJS::List const&) (function.cpp:320)
==3236==    by 0xAF459B5: KJS::Machine::runBlock(KJS::ExecState*, WTF::Vector<unsigned char, 0u> const&, KJS::ExecState*) (codes.def:1213)
==3236==    by 0xAF24E71: KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) (function.cpp:144)
==3236==  Address 0x1b is not stack'd, malloc'd or (recently) free'd

Backtrace:

Application: Konqueror (konqueror), signal Segmentation fault

[KCrash Handler]
#6  khtml::RenderFlow::addChildWithContinuation (this=0x99710b0, newChild=0x997121c, beforeChild=0x0) at /home/kde-devel/kde/src/KDE/kdelibs/khtml/rendering/render_object.h:318
#7  0xb2f918d6 in DOM::NodeImpl::createRendererIfNeeded (this=0x9d04918) at /home/kde-devel/kde/src/KDE/kdelibs/khtml/xml/dom_nodeimpl.cpp:1081
#8  0xb2f9bc32 in DOM::ElementImpl::attach (this=0x9d04918) at /home/kde-devel/kde/src/KDE/kdelibs/khtml/xml/dom_elementimpl.cpp:834
#9  0xb2f94a8a in DOM::NodeBaseImpl::insertBefore (this=0x9b321a8, newChild=0x9d04918, refChild=0x9860478, exceptioncode=@0xbfed63b8)
    at /home/kde-devel/kde/src/KDE/kdelibs/khtml/xml/dom_nodeimpl.cpp:1399
#10 0xb3141798 in DOMNodeProtoFunc::callAsFunction (this=0xb1866a60, exec=0xbfed6ad0, thisObj=0xb1850900, args=@0xbfed6a54) at /home/kde-devel/kde/src/KDE/kdelibs/khtml/ecma/kjs_dom.cpp:640
#11 0xb2dc2bed in KJS::JSObject::call (this=0x9bd38c4, exec=0xbfed6ad0, thisObj=0xb1850900, args=@0xbfed6a54) at /home/kde-devel/kde/src/KDE/kdelibs/kjs/object.cpp:69
#12 0xb2ddf25b in KJS::Machine::runBlock (exec=0xbfed6ad0, codeBlock=@0x99712a0, parentExec=0xbfed72a0) at codes.def:1192
#13 0xb2dbee72 in KJS::FunctionImp::callAsFunction (this=0xb1919c20, exec=0xbfed72a0, thisObj=0xb185b300, args=@0xbfed7224) at /home/kde-devel/kde/src/KDE/kdelibs/kjs/function.cpp:144
#14 0xb2dc2bed in KJS::JSObject::call (this=0x9bd38c4, exec=0xbfed72a0, thisObj=0xb185b300, args=@0xbfed7224) at /home/kde-devel/kde/src/KDE/kdelibs/kjs/object.cpp:69
#15 0xb2dbc1af in KJS::FunctionImp::construct (this=0xb1919c20, exec=0xbfed72a0, args=@0xbfed7224) at /home/kde-devel/kde/src/KDE/kdelibs/kjs/function.cpp:320
#16 0xb2ddf9b6 in KJS::Machine::runBlock (exec=0xbfed72a0, codeBlock=@0x99712a0, parentExec=0x993bcf8) at codes.def:1213
#17 0xb2dbee72 in KJS::FunctionImp::callAsFunction (this=0xb191aae0, exec=0x993bcf8, thisObj=0xb1920000, args=@0xbfed73e8) at /home/kde-devel/kde/src/KDE/kdelibs/kjs/function.cpp:144
#18 0xb2dc2bed in KJS::JSObject::call (this=0x9bd38c4, exec=0x993bcf8, thisObj=0xb1920000, args=@0xbfed73e8) at /home/kde-devel/kde/src/KDE/kdelibs/kjs/object.cpp:69
#19 0xb31a4a3d in KJS::JSEventListener::handleEvent (this=0x9951dd0, evt=@0xbfed7420) at /home/kde-devel/kde/src/KDE/kdelibs/khtml/ecma/kjs_events.cpp:106
#20 0xb2f7c33d in DOM::DocumentImpl::defaultEventHandler (this=0x985df98, evt=0x9ceaa88) at /home/kde-devel/kde/src/KDE/kdelibs/khtml/xml/dom_docimpl.cpp:2745
#21 0xb2f9513f in DOM::NodeImpl::dispatchWindowEvent (this=0x985dfa4, _id=16, canBubbleArg=<value optimized out>, cancelableArg=<value optimized out>)
    at /home/kde-devel/kde/src/KDE/kdelibs/khtml/xml/dom_nodeimpl.cpp:567
#22 0xb2fedf53 in DOM::HTMLDocumentImpl::close (this=0x985df98) at /home/kde-devel/kde/src/KDE/kdelibs/khtml/html/html_documentimpl.cpp:249
#23 0xb2f08ff1 in KHTMLPart::checkEmitLoadEvent (this=0x979f0f0) at /home/kde-devel/kde/src/KDE/kdelibs/khtml/khtml_part.cpp:2471
#24 0xb2f10d24 in KHTMLPart::checkCompleted (this=0x979f0f0) at /home/kde-devel/kde/src/KDE/kdelibs/khtml/khtml_part.cpp:2392
#25 0xb2f11090 in KHTMLPart::slotLoaderRequestDone (this=0x979f0f0, dl=0x95f3ee8, obj=0x9bb1cb0) at /home/kde-devel/kde/src/KDE/kdelibs/khtml/khtml_part.cpp:2246
#26 0xb2f3d872 in KHTMLPart::qt_metacall (this=0x979f0f0, _c=QMetaObject::InvokeMetaMethod, _id=69, _a=0xbfed76a8) at /home/kde-devel/kde/build/KDE/kdelibs/khtml/khtml_part.moc:315
#27 0xb747a4c1 in QMetaObject::activate (sender=0x97a2d70, from_signal_index=<value optimized out>, to_signal_index=5, argv=0xbfed76a8) at kernel/qobject.cpp:3066
#28 0xb747aad2 in QMetaObject::activate (sender=0x97a2d70, m=0xb341f1dc, local_signal_index=1, argv=0xbfed76a8) at kernel/qobject.cpp:3143
#29 0xb30fc7e9 in khtml::Loader::requestDone (this=0x97a2d70, _t1=0x95f3ee8, _t2=0x9bb1cb0) at /home/kde-devel/kde/build/KDE/kdelibs/khtml/loader.moc:153
#30 0xb3101bdb in khtml::Loader::slotFinished (this=0x97a2d70, job=0x9bdd5d0) at /home/kde-devel/kde/src/KDE/kdelibs/khtml/misc/loader.cpp:1409
#31 0xb3107e07 in khtml::Loader::qt_metacall (this=0x97a2d70, _c=QMetaObject::InvokeMetaMethod, _id=3, _a=0xbfed781c) at /home/kde-devel/kde/build/KDE/kdelibs/khtml/loader.moc:131
#32 0xb747a4c1 in QMetaObject::activate (sender=0x9bdd5d0, from_signal_index=<value optimized out>, to_signal_index=7, argv=0xbfed781c) at kernel/qobject.cpp:3066
#33 0xb747aad2 in QMetaObject::activate (sender=0x9bdd5d0, m=0xb779e8a8, local_signal_index=3, argv=0xbfed781c) at kernel/qobject.cpp:3143
#34 0xb764a733 in KJob::result (this=0x9bdd5d0, _t1=0x9bdd5d0) at /home/kde-devel/kde/build/KDE/kdelibs/kdecore/kjob.moc:188
#35 0xb764abd9 in KJob::emitResult (this=0x9bdd5d0) at /home/kde-devel/kde/src/KDE/kdelibs/kdecore/jobs/kjob.cpp:294
#36 0xb7d6bd55 in KIO::SimpleJob::slotFinished (this=0x9bdd5d0) at /home/kde-devel/kde/src/KDE/kdelibs/kio/kio/job.cpp:485
#37 0xb7d6cfc3 in KIO::TransferJob::slotFinished (this=0x9bdd5d0) at /home/kde-devel/kde/src/KDE/kdelibs/kio/kio/job.cpp:962
#38 0xb7d6e0ab in KIO::TransferJob::qt_metacall (this=0x9bdd5d0, _c=QMetaObject::InvokeMetaMethod, _id=7, _a=0xbfed7a58) at /home/kde-devel/kde/build/KDE/kdelibs/kio/jobclasses.moc:343
#39 0xb747a4c1 in QMetaObject::activate (sender=0x9892f38, from_signal_index=<value optimized out>, to_signal_index=8, argv=0x0) at kernel/qobject.cpp:3066
#40 0xb747aad2 in QMetaObject::activate (sender=0x9892f38, m=0xb7f21a24, local_signal_index=4, argv=0x0) at kernel/qobject.cpp:3143
#41 0xb7e34a67 in KIO::SlaveInterface::finished (this=0x9892f38) at /home/kde-devel/kde/build/KDE/kdelibs/kio/slaveinterface.moc:165
#42 0xb7e387a7 in KIO::SlaveInterface::dispatch (this=0x9892f38, _cmd=104, rawdata=@0xbfed7c24) at /home/kde-devel/kde/src/KDE/kdelibs/kio/kio/slaveinterface.cpp:175
#43 0xb7e34f47 in KIO::SlaveInterface::dispatch (this=0x9892f38) at /home/kde-devel/kde/src/KDE/kdelibs/kio/kio/slaveinterface.cpp:91
#44 0xb7e2539d in KIO::Slave::gotInput (this=0x9892f38) at /home/kde-devel/kde/src/KDE/kdelibs/kio/kio/slave.cpp:322
#45 0xb7e27833 in KIO::Slave::qt_metacall (this=0x9892f38, _c=QMetaObject::InvokeMetaMethod, _id=2, _a=0xbfed7d38) at /home/kde-devel/kde/build/KDE/kdelibs/kio/slave.moc:76
#46 0xb747a4c1 in QMetaObject::activate (sender=0x985ed58, from_signal_index=<value optimized out>, to_signal_index=4, argv=0x0) at kernel/qobject.cpp:3066
#47 0xb747aad2 in QMetaObject::activate (sender=0x985ed58, m=0xb7f1e3c0, local_signal_index=0, argv=0x0) at kernel/qobject.cpp:3143
#48 0xb7d324b7 in KIO::Connection::readyRead (this=0x985ed58) at /home/kde-devel/kde/build/KDE/kdelibs/kio/connection.moc:86
#49 0xb7d33e13 in KIO::ConnectionPrivate::dequeue (this=0x985e390) at /home/kde-devel/kde/src/KDE/kdelibs/kio/kio/connection.cpp:82
#50 0xb7d341f6 in KIO::Connection::qt_metacall (this=0x985ed58, _c=QMetaObject::InvokeMetaMethod, _id=1, _a=0x9a143b8) at /home/kde-devel/kde/build/KDE/kdelibs/kio/connection.moc:73
#51 0xb7472e6b in QMetaCallEvent::placeMetaCall (this=0x9b47f50, object=0x985ed58) at kernel/qobject.cpp:489
#52 0xb74750c0 in QObject::event (this=0x985ed58, e=0x9b47f50) at kernel/qobject.cpp:1115
#53 0xb6b9100c in QApplicationPrivate::notify_helper (this=0x94835e0, receiver=0x985ed58, e=0x9b47f50) at kernel/qapplication.cpp:4084
#54 0xb6b99bbf in QApplication::notify (this=0xbfed8688, receiver=0x985ed58, e=0x9b47f50) at kernel/qapplication.cpp:3631
#55 0xb79baacd in KApplication::notify (this=0xbfed8688, receiver=0x985ed58, event=0x9b47f50) at /home/kde-devel/kde/src/KDE/kdelibs/kdeui/kernel/kapplication.cpp:307
#56 0xb746411b in QCoreApplication::notifyInternal (this=0xbfed8688, receiver=0x985ed58, event=0x9b47f50) at kernel/qcoreapplication.cpp:598
#57 0xb7467ad3 in QCoreApplicationPrivate::sendPostedEvents (receiver=0x0, event_type=0, data=0x9451c60) at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:213
#58 0xb7467cdd in QCoreApplication::sendPostedEvents (receiver=0x0, event_type=0) at kernel/qcoreapplication.cpp:1132
#59 0xb748ed6f in postEventSourceDispatch (s=0x9485918) at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:218
#60 0xb630e311 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#61 0xb63119a3 in g_main_context_iterate () from /usr/lib/libglib-2.0.so.0
#62 0xb6311b61 in g_main_context_iteration () from /usr/lib/libglib-2.0.so.0
#63 0xb748ea58 in QEventDispatcherGlib::processEvents (this=0x94835a0, flags={i = -1074953272}) at kernel/qeventdispatcher_glib.cpp:323
#64 0xb6c29535 in QGuiEventDispatcherGlib::processEvents (this=0x94835a0, flags={i = -1074953224}) at kernel/qguieventdispatcher_glib.cpp:202
#65 0xb7462b5a in QEventLoop::processEvents (this=0xbfed8460, flags={i = -1074953160}) at kernel/qeventloop.cpp:149
#66 0xb7462d1a in QEventLoop::exec (this=0xbfed8460, flags={i = -1074953112}) at kernel/qeventloop.cpp:196
#67 0xb7467da1 in QCoreApplication::exec () at kernel/qcoreapplication.cpp:880
#68 0xb6b90d37 in QApplication::exec () at kernel/qapplication.cpp:3553
#69 0xb80a451f in kdemain (argc=2, argv=0xbfed8a04) at /home/kde-devel/kde/src/KDE/kdebase/apps/konqueror/src/konqmain.cpp:257
#70 0x08048732 in main (argc=-1287566232, argv=0x98f73a0) at /home/kde-devel/kde/build/KDE/kdebase/apps/konqueror/src/konqueror_dummy.cpp:3

Comment 2 Jonathan Thomas 2009-04-23 02:54:25 UTC
*** Bug 190387 has been marked as a duplicate of this bug. ***

Comment 3 A. Spehr 2009-06-10 11:04:48 UTC
This works for me under 4.2.90....