Summary: | [testcase] Crash in khtml::HTMLTokenizer::notifyFinished | ||
---|---|---|---|
Product: | [Applications] konqueror | Reporter: | sombragris |
Component: | khtml | Assignee: | Konqueror Developers <konq-bugs> |
Status: | RESOLVED WORKSFORME | ||
Severity: | crash | CC: | aiacovitti, amantia, andresbajotierra, bobsbugs052, commodore.fancypants, croth3000, finex, frank78ac, justin.zobel, kde.bugs, maksim |
Priority: | HI | ||
Version: | 4.8.5 | ||
Target Milestone: | --- | ||
Platform: | Slackware | ||
OS: | Linux | ||
Latest Commit: | | Version Fixed In: | |
Sentry Crash Report: | |||
Bug Depends on: | |||
Bug Blocks: | 152461, 207217, 285573, 293598 | ||
Attachments: | Reduced test case (very odd use of JavaScript IMHO) | ||
 | JS which is part of an improved test case - contains only "parent.f1()" | ||
 | Improved test case | ||
Description
sombragris
2009-04-12 03:10:04 UTC
*** BACKTRACE FROM A CRASH ***

This backtrace appears to be of no use. This is probably because your packages are built in a way which prevents creation of proper backtraces, or the stack frame was seriously corrupted in the crash.

```
(no debugging symbols found)
[Thread debugging using libthread_db enabled]
[New Thread 0xb5fc49d0 (LWP 20355)]
[New Thread 0xb48fcb90 (LWP 20849)]
(no debugging symbols found)
0xb652b43c in nanosleep () from /lib/libc.so.6
[Current thread is 0 (LWP 20355)]

Thread 2 (Thread 0xb48fcb90 (LWP 20849)):
#0  0xb721da08 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib/libpthread.so.0
#1  0xb72a0fb6 in QWaitCondition::wait () from /usr/lib/libQtCore.so.4
#2  0xb72964c2 in ?? () from /usr/lib/libQtCore.so.4
#3  0xb72a04ca in ?? () from /usr/lib/libQtCore.so.4
#4  0xb7219369 in start_thread () from /lib/libpthread.so.0
#5  0xb656acfe in clone () from /lib/libc.so.6

Thread 1 (Thread 0xb5fc49d0 (LWP 20355)):
#0  0xb652b43c in nanosleep () from /lib/libc.so.6
#1  0xb652b25a in sleep () from /lib/libc.so.6
#2  0xb7993807 in ?? () from /usr/lib/libkdeui.so.5
#3  0x00000001 in ?? ()
#4  0x00000000 in ?? ()
#0  0xb652b43c in nanosleep () from /lib/libc.so.6
```

Here using:
Qt: 4.5.0 + qt-copy-patches-936035
KDE: 4.2.69 (KDE 4.2.69 (KDE 4.3 >= 20090406))
kdelibs svn rev. 951854 / kdebase svn rev. 951854
on ArchLinux i686 - Kernel 2.6.28.8

I can reproduce the crash:

Backtrace:

```
Application: Konqueror (konqueror), signal Segmentation fault
[Current thread is 0 (LWP 3465)]

Thread 2 (Thread 0xb1b67b90 (LWP 3472)):
#0  0xb7fbd424 in __kernel_vsyscall ()
#1  0xb7208f82 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib/libpthread.so.0
#2  0xb726771c in QWaitCondition::wait (this=0x9e83318, mutex=0x9e83314, time=30000) at thread/qwaitcondition_unix.cpp:85
#3  0xb725cda6 in QThreadPoolThread::run (this=0x9c7c220) at concurrent/qthreadpool.cpp:140
#4  0xb7266b60 in QThreadPrivate::start (arg=0x9c7c220) at thread/qthread_unix.cpp:189
#5  0xb7205155 in start_thread () from /lib/libpthread.so.0
#6  0xb6645a5e in clone () from /lib/libc.so.6

Thread 1 (Thread 0xb5ec5700 (LWP 3465)):
[KCrash Handler]
#6  0xb3f006fd in khtml::HTMLTokenizer::notifyFinished (this=0xa79e430) at /usr/include/QtCore/qlist.h:88
#7  0xb402adcd in khtml::CachedScript::checkNotify (this=0xa7b3b68) at /home/kde-devel/kde/src/KDE/kdelibs/khtml/misc/loader.cpp:391
#8  0xb402e52c in khtml::CachedScript::data (this=0xa7b3b68, buffer=@0xa7308d4, eof=true) at /home/kde-devel/kde/src/KDE/kdelibs/khtml/misc/loader.cpp:383
#9  0xb402e152 in khtml::Loader::slotFinished (this=0x9d9d1a0, job=0xa5c7ca0) at /home/kde-devel/kde/src/KDE/kdelibs/khtml/misc/loader.cpp:1409
#10 0xb4034397 in khtml::Loader::qt_metacall (this=0x9d9d1a0, _c=QMetaObject::InvokeMetaMethod, _id=3, _a=0xbfeda15c) at /home/kde-devel/kde/build/KDE/kdelibs/khtml/loader.moc:131
#11 0xb736c4c1 in QMetaObject::activate (sender=0xa5c7ca0, from_signal_index=<value optimized out>, to_signal_index=7, argv=0xbfeda15c) at kernel/qobject.cpp:3066
#12 0xb736cad2 in QMetaObject::activate (sender=0xa5c7ca0, m=0xb76908a8, local_signal_index=3, argv=0xbfeda15c) at kernel/qobject.cpp:3143
#13 0xb753c343 in KJob::result (this=0xa5c7ca0, _t1=0xa5c7ca0) at /home/kde-devel/kde/build/KDE/kdelibs/kdecore/kjob.moc:188
#14 0xb753c7e9 in KJob::emitResult (this=0xa5c7ca0) at /home/kde-devel/kde/src/KDE/kdelibs/kdecore/jobs/kjob.cpp:294
#15 0xb7c60d15 in KIO::SimpleJob::slotFinished (this=0xa5c7ca0) at /home/kde-devel/kde/src/KDE/kdelibs/kio/kio/job.cpp:485
#16 0xb7c61f83 in KIO::TransferJob::slotFinished (this=0xa5c7ca0) at /home/kde-devel/kde/src/KDE/kdelibs/kio/kio/job.cpp:962
#17 0xb7c6306b in KIO::TransferJob::qt_metacall (this=0xa5c7ca0, _c=QMetaObject::InvokeMetaMethod, _id=7, _a=0xbfeda398) at /home/kde-devel/kde/build/KDE/kdelibs/kio/jobclasses.moc:343
#18 0xb736c4c1 in QMetaObject::activate (sender=0xa6d81c8, from_signal_index=<value optimized out>, to_signal_index=8, argv=0x0) at kernel/qobject.cpp:3066
#19 0xb736cad2 in QMetaObject::activate (sender=0xa6d81c8, m=0xb7e17a84, local_signal_index=4, argv=0x0) at kernel/qobject.cpp:3143
#20 0xb7d2a597 in KIO::SlaveInterface::finished (this=0xa6d81c8) at /home/kde-devel/kde/build/KDE/kdelibs/kio/slaveinterface.moc:165
#21 0xb7d2e2d7 in KIO::SlaveInterface::dispatch (this=0xa6d81c8, _cmd=104, rawdata=@0xbfeda564) at /home/kde-devel/kde/src/KDE/kdelibs/kio/kio/slaveinterface.cpp:175
#22 0xb7d2aa77 in KIO::SlaveInterface::dispatch (this=0xa6d81c8) at /home/kde-devel/kde/src/KDE/kdelibs/kio/kio/slaveinterface.cpp:91
#23 0xb7d1aecd in KIO::Slave::gotInput (this=0xa6d81c8) at /home/kde-devel/kde/src/KDE/kdelibs/kio/kio/slave.cpp:322
#24 0xb7d1d363 in KIO::Slave::qt_metacall (this=0xa6d81c8, _c=QMetaObject::InvokeMetaMethod, _id=2, _a=0xbfeda678) at /home/kde-devel/kde/build/KDE/kdelibs/kio/slave.moc:76
#25 0xb736c4c1 in QMetaObject::activate (sender=0xa6df2e8, from_signal_index=<value optimized out>, to_signal_index=4, argv=0x0) at kernel/qobject.cpp:3066
#26 0xb736cad2 in QMetaObject::activate (sender=0xa6df2e8, m=0xb7e143c0, local_signal_index=0, argv=0x0) at kernel/qobject.cpp:3143
#27 0xb7c26c57 in KIO::Connection::readyRead (this=0xa6df2e8) at /home/kde-devel/kde/build/KDE/kdelibs/kio/connection.moc:86
#28 0xb7c285b3 in KIO::ConnectionPrivate::dequeue (this=0xa6d7be0) at /home/kde-devel/kde/src/KDE/kdelibs/kio/kio/connection.cpp:82
#29 0xb7c28996 in KIO::Connection::qt_metacall (this=0xa6df2e8, _c=QMetaObject::InvokeMetaMethod, _id=1, _a=0xa824198) at /home/kde-devel/kde/build/KDE/kdelibs/kio/connection.moc:73
#30 0xb7364e6b in QMetaCallEvent::placeMetaCall (this=0xa410938, object=0xa6df2e8) at kernel/qobject.cpp:489
#31 0xb73670c0 in QObject::event (this=0xa6df2e8, e=0xa410938) at kernel/qobject.cpp:1115
#32 0xb6a8300c in QApplicationPrivate::notify_helper (this=0x99a49a0, receiver=0xa6df2e8, e=0xa410938) at kernel/qapplication.cpp:4084
#33 0xb6a8bbbf in QApplication::notify (this=0xbfedafc8, receiver=0xa6df2e8, e=0xa410938) at kernel/qapplication.cpp:3631
#34 0xb78ad4ad in KApplication::notify (this=0xbfedafc8, receiver=0xa6df2e8, event=0xa410938) at /home/kde-devel/kde/src/KDE/kdelibs/kdeui/kernel/kapplication.cpp:307
#35 0xb735611b in QCoreApplication::notifyInternal (this=0xbfedafc8, receiver=0xa6df2e8, event=0xa410938) at kernel/qcoreapplication.cpp:598
#36 0xb7359ad3 in QCoreApplicationPrivate::sendPostedEvents (receiver=0x0, event_type=0, data=0x9972c60) at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:213
#37 0xb7359cdd in QCoreApplication::sendPostedEvents (receiver=0x0, event_type=0) at kernel/qcoreapplication.cpp:1132
#38 0xb7380d6f in postEventSourceDispatch (s=0x99a6d18) at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:218
#39 0xb61ff5e8 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#40 0xb6202b4b in g_main_context_iterate () from /usr/lib/libglib-2.0.so.0
#41 0xb6202cc8 in g_main_context_iteration () from /usr/lib/libglib-2.0.so.0
#42 0xb7380a58 in QEventDispatcherGlib::processEvents (this=0x99a4980, flags={i = -1074942712}) at kernel/qeventdispatcher_glib.cpp:323
#43 0xb6b1b535 in QGuiEventDispatcherGlib::processEvents (this=0x99a4980, flags={i = -1074942664}) at kernel/qguieventdispatcher_glib.cpp:202
#44 0xb7354b5a in QEventLoop::processEvents (this=0xbfedada0, flags={i = -1074942600}) at kernel/qeventloop.cpp:149
#45 0xb7354d1a in QEventLoop::exec (this=0xbfedada0, flags={i = -1074942552}) at kernel/qeventloop.cpp:196
#46 0xb7359da1 in QCoreApplication::exec () at kernel/qcoreapplication.cpp:880
#47 0xb6a82d37 in QApplication::exec () at kernel/qapplication.cpp:3553
#48 0xb7fa3c7f in kdemain (argc=2, argv=0xbfedb344) at /home/kde-devel/kde/src/KDE/kdebase/apps/konqueror/src/konqmain.cpp:257
#49 0x08048732 in main (argc=6504, argv=0x120) at /home/kde-devel/kde/build/KDE/kdebase/apps/konqueror/src/konqueror_dummy.cpp:3
```

Valgrind log: (the log was larger and it got chopped (and I have to chop it manually too) ):

```
==3497== Invalid read of size 4
==3497==    at 0x4C4DAAA: QListData::detach2() (qlistdata.cpp:98)
==3497==    by 0xAE9EF14: khtml::HTMLTokenizer::notifyFinished(khtml::CachedObject*) (qlist.h:524)
==3497==    by 0xAFC8DCC: khtml::CachedScript::checkNotify() (loader.cpp:391)
==3497==    by 0xAFCC52B: khtml::CachedScript::data(QBuffer&, bool) (loader.cpp:383)
==3497==    by 0xAFCC151: khtml::Loader::slotFinished(KJob*) (loader.cpp:1409)
==3497==    by 0xAFD2396: khtml::Loader::qt_metacall(QMetaObject::Call, int, void**) (loader.moc:131)
==3497==    by 0x4D2F4C0: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3066)
==3497==    by 0x4D2FAD1: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qobject.cpp:3143)
==3497==    by 0x4A21342: KJob::result(KJob*) (kjob.moc:188)
==3497==    by 0x4A217E8: KJob::emitResult() (kjob.cpp:294)
==3497==    by 0x428DD14: KIO::SimpleJob::slotFinished() (job.cpp:485)
==3497==    by 0x428EF82: KIO::TransferJob::slotFinished() (job.cpp:962)
==3497==  Address 0xd703ce8 is 200 bytes inside a block of size 1,328 free'd
==3497==    at 0x40239DA: operator delete(void*) (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==3497==    by 0xAE9D946: khtml::HTMLTokenizer::~HTMLTokenizer() (htmltokenizer.cpp:2083)
==3497==    by 0xAE44BB5: DOM::DocumentImpl::detach() (dom_docimpl.cpp:1544)
==3497==    by 0xADE3461: KHTMLPart::clear() (khtml_part.cpp:1555)
==3497==    by 0xADE620A: KHTMLPart::begin(KUrl const&, int, int) (khtml_part.cpp:2002)
==3497==    by 0xADE285B: KHTMLPart::processObjectRequest(khtml::ChildFrame*, KUrl const&, QString const&) (khtml_part.cpp:4444)
==3497==    by 0xAE03A2F: KHTMLPart::requestObject(khtml::ChildFrame*, KUrl const&, KParts::OpenUrlArguments const&, KParts::BrowserArguments const&) (khtml_part.cpp:4222)
==3497==    by 0xAE067D9: KHTMLPart::requestFrame(DOM::HTMLPartContainerElementImpl*, QString const&, QString const&, QStringList const&, bool) (khtml_part.cpp:4140)
==3497==    by 0xAEBC2CA: DOM::HTMLIFrameElementImpl::computeContent() (html_baseimpl.cpp:784)
==3497==    by 0xAED7A33: DOM::HTMLPartContainerElementImpl::computeContentIfNeeded() (html_objectimpl.cpp:90)
==3497==    by 0xAED7C64: DOM::HTMLPartContainerElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_objectimpl.cpp:73)
==3497==    by 0xAE6546E: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:961)
==3497==
==3497== Invalid read of size 1
==3497==    at 0x4025CE0: memcpy (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==3497==    by 0x4C4DAC2: QListData::detach2() (qlistdata.cpp:98)
==3497==    by 0xAE9EF14: khtml::HTMLTokenizer::notifyFinished(khtml::CachedObject*) (qlist.h:524)
==3497==    by 0xAFC8DCC: khtml::CachedScript::checkNotify() (loader.cpp:391)
==3497==    by 0xAFCC52B: khtml::CachedScript::data(QBuffer&, bool) (loader.cpp:383)
==3497==    by 0xAFCC151: khtml::Loader::slotFinished(KJob*) (loader.cpp:1409)
==3497==    by 0xAFD2396: khtml::Loader::qt_metacall(QMetaObject::Call, int, void**) (loader.moc:131)
==3497==    by 0x4D2F4C0: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3066)
==3497==    by 0x4D2FAD1: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qobject.cpp:3143)
==3497==    by 0x4A21342: KJob::result(KJob*) (kjob.moc:188)
==3497==    by 0x4A217E8: KJob::emitResult() (kjob.cpp:294)
==3497==    by 0x428DD14: KIO::SimpleJob::slotFinished() (job.cpp:485)
==3497==  Address 0xa38c6b8 is 0 bytes inside a block of size 32 free'd
==3497==    at 0x4023E3A: free (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==3497==    by 0x4C2377C: qFree(void*) (qmalloc.cpp:60)
==3497==    by 0xAEA58C1: QList<khtml::TokenizerString>::free(QListData::Data*) (qlist.h:562)
==3497==    by 0xAE9D977: khtml::HTMLTokenizer::~HTMLTokenizer() (qlist.h:534)
==3497==    by 0xAE44BB5: DOM::DocumentImpl::detach() (dom_docimpl.cpp:1544)
==3497==    by 0xADE3461: KHTMLPart::clear() (khtml_part.cpp:1555)
==3497==    by 0xADE620A: KHTMLPart::begin(KUrl const&, int, int) (khtml_part.cpp:2002)
==3497==    by 0xADE285B: KHTMLPart::processObjectRequest(khtml::ChildFrame*, KUrl const&, QString const&) (khtml_part.cpp:4444)
==3497==    by 0xAE03A2F: KHTMLPart::requestObject(khtml::ChildFrame*, KUrl const&, KParts::OpenUrlArguments const&, KParts::BrowserArguments const&) (khtml_part.cpp:4222)
==3497==    by 0xAE067D9: KHTMLPart::requestFrame(DOM::HTMLPartContainerElementImpl*, QString const&, QString const&, QStringList const&, bool) (khtml_part.cpp:4140)
==3497==    by 0xAEBC2CA: DOM::HTMLIFrameElementImpl::computeContent() (html_baseimpl.cpp:784)
==3497==    by 0xAED7A33: DOM::HTMLPartContainerElementImpl::computeContentIfNeeded() (html_objectimpl.cpp:90)
==3497==
==3497== Invalid read of size 1
==3497==    at 0x4025CEA: memcpy (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==3497==    by 0x4C4DAC2: QListData::detach2() (qlistdata.cpp:98)
==3497==    by 0xAE9EF14: khtml::HTMLTokenizer::notifyFinished(khtml::CachedObject*) (qlist.h:524)
==3497==    by 0xAFC8DCC: khtml::CachedScript::checkNotify() (loader.cpp:391)
==3497==    by 0xAFCC52B: khtml::CachedScript::data(QBuffer&, bool) (loader.cpp:383)
==3497==    by 0xAFCC151: khtml::Loader::slotFinished(KJob*) (loader.cpp:1409)
==3497==    by 0xAFD2396: khtml::Loader::qt_metacall(QMetaObject::Call, int, void**) (loader.moc:131)
==3497==    by 0x4D2F4C0: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3066)
==3497==    by 0x4D2FAD1: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qobject.cpp:3143)
==3497==    by 0x4A21342: KJob::result(KJob*) (kjob.moc:188)
==3497==    by 0x4A217E8: KJob::emitResult() (kjob.cpp:294)
==3497==    by 0x428DD14: KIO::SimpleJob::slotFinished() (job.cpp:485)
==3497==  Address 0xa38c6b9 is 1 bytes inside a block of size 32 free'd
==3497==    at 0x4023E3A: free (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==3497==    by 0x4C2377C: qFree(void*) (qmalloc.cpp:60)
==3497==    by 0xAEA58C1: QList<khtml::TokenizerString>::free(QListData::Data*) (qlist.h:562)
==3497==    by 0xAE9D977: khtml::HTMLTokenizer::~HTMLTokenizer() (qlist.h:534)
==3497==    by 0xAE44BB5: DOM::DocumentImpl::detach() (dom_docimpl.cpp:1544)
==3497==    by 0xADE3461: KHTMLPart::clear() (khtml_part.cpp:1555)
==3497==    by 0xADE620A: KHTMLPart::begin(KUrl const&, int, int) (khtml_part.cpp:2002)
==3497==    by 0xADE285B: KHTMLPart::processObjectRequest(khtml::ChildFrame*, KUrl const&, QString const&) (khtml_part.cpp:4444)
==3497==    by 0xAE03A2F: KHTMLPart::requestObject(khtml::ChildFrame*, KUrl const&, KParts::OpenUrlArguments const&, KParts::BrowserArguments const&) (khtml_part.cpp:4222)
==3497==    by 0xAE067D9: KHTMLPart::requestFrame(DOM::HTMLPartContainerElementImpl*, QString const&, QString const&, QStringList const&, bool) (khtml_part.cpp:4140)
==3497==    by 0xAEBC2CA: DOM::HTMLIFrameElementImpl::computeContent() (html_baseimpl.cpp:784)
==3497==    by 0xAED7A33: DOM::HTMLPartContainerElementImpl::computeContentIfNeeded() (html_objectimpl.cpp:90)
==3497==
==3497== Invalid read of size 1
==3497==    at 0x4025CF3: memcpy (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==3497==    by 0x4C4DAC2: QListData::detach2() (qlistdata.cpp:98)
==3497==    by 0xAE9EF14: khtml::HTMLTokenizer::notifyFinished(khtml::CachedObject*) (qlist.h:524)
==3497==    by 0xAFC8DCC: khtml::CachedScript::checkNotify() (loader.cpp:391)
==3497==    by 0xAFCC52B: khtml::CachedScript::data(QBuffer&, bool) (loader.cpp:383)
==3497==    by 0xAFCC151: khtml::Loader::slotFinished(KJob*) (loader.cpp:1409)
==3497==    by 0xAFD2396: khtml::Loader::qt_metacall(QMetaObject::Call, int, void**) (loader.moc:131)
==3497==    by 0x4D2F4C0: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3066)
==3497==    by 0x4D2FAD1: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qobject.cpp:3143)
==3497==    by 0x4A21342: KJob::result(KJob*) (kjob.moc:188)
==3497==    by 0x4A217E8: KJob::emitResult() (kjob.cpp:294)
==3497==    by 0x428DD14: KIO::SimpleJob::slotFinished() (job.cpp:485)
==3497==  Address 0xa38c6ba is 2 bytes inside a block of size 32 free'd
==3497==    at 0x4023E3A: free (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==3497==    by 0x4C2377C: qFree(void*) (qmalloc.cpp:60)
==3497==    by 0xAEA58C1: QList<khtml::TokenizerString>::free(QListData::Data*) (qlist.h:562)
==3497==    by 0xAE9D977: khtml::HTMLTokenizer::~HTMLTokenizer() (qlist.h:534)
==3497==    by 0xAE44BB5: DOM::DocumentImpl::detach() (dom_docimpl.cpp:1544)
==3497==    by 0xADE3461: KHTMLPart::clear() (khtml_part.cpp:1555)
==3497==    by 0xADE620A: KHTMLPart::begin(KUrl const&, int, int) (khtml_part.cpp:2002)
==3497==    by 0xADE285B: KHTMLPart::processObjectRequest(khtml::ChildFrame*, KUrl const&, QString const&) (khtml_part.cpp:4444)
==3497==    by 0xAE03A2F: KHTMLPart::requestObject(khtml::ChildFrame*, KUrl const&, KParts::OpenUrlArguments const&, KParts::BrowserArguments const&) (khtml_part.cpp:4222)
==3497==    by 0xAE067D9: KHTMLPart::requestFrame(DOM::HTMLPartContainerElementImpl*, QString const&, QString const&, QStringList const&, bool) (khtml_part.cpp:4140)
==3497==    by 0xAEBC2CA: DOM::HTMLIFrameElementImpl::computeContent() (html_baseimpl.cpp:784)
==3497==    by 0xAED7A33: DOM::HTMLPartContainerElementImpl::computeContentIfNeeded() (html_objectimpl.cpp:90)
==3497==
==3497== Invalid read of size 1
==3497==    at 0x4025CFC: memcpy (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==3497==    by 0x4C4DAC2: QListData::detach2() (qlistdata.cpp:98)
==3497==    by 0xAE9EF14: khtml::HTMLTokenizer::notifyFinished(khtml::CachedObject*) (qlist.h:524)
==3497==    by 0xAFC8DCC: khtml::CachedScript::checkNotify() (loader.cpp:391)
==3497==    by 0xAFCC52B: khtml::CachedScript::data(QBuffer&, bool) (loader.cpp:383)
==3497==    by 0xAFCC151: khtml::Loader::slotFinished(KJob*) (loader.cpp:1409)
==3497==    by 0xAFD2396: khtml::Loader::qt_metacall(QMetaObject::Call, int, void**) (loader.moc:131)
==3497==    by 0x4D2F4C0: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3066)
==3497==    by 0x4D2FAD1: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qobject.cpp:3143)
==3497==    by 0x4A21342: KJob::result(KJob*) (kjob.moc:188)
==3497==    by 0x4A217E8: KJob::emitResult() (kjob.cpp:294)
==3497==    by 0x428DD14: KIO::SimpleJob::slotFinished() (job.cpp:485)
==3497==  Address 0xa38c6bb is 3 bytes inside a block of size 32 free'd
==3497==    at 0x4023E3A: free (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==3497==    by 0x4C2377C: qFree(void*) (qmalloc.cpp:60)
==3497==    by 0xAEA58C1: QList<khtml::TokenizerString>::free(QListData::Data*) (qlist.h:562)
==3497==    by 0xAE9D977: khtml::HTMLTokenizer::~HTMLTokenizer() (qlist.h:534)
==3497==    by 0xAE44BB5: DOM::DocumentImpl::detach() (dom_docimpl.cpp:1544)
==3497==    by 0xADE3461: KHTMLPart::clear() (khtml_part.cpp:1555)
==3497==    by 0xADE620A: KHTMLPart::begin(KUrl const&, int, int) (khtml_part.cpp:2002)
==3497==    by 0xADE285B: KHTMLPart::processObjectRequest(khtml::ChildFrame*, KUrl const&, QString const&) (khtml_part.cpp:4444)
==3497==    by 0xAE03A2F: KHTMLPart::requestObject(khtml::ChildFrame*, KUrl const&, KParts::OpenUrlArguments const&, KParts::BrowserArguments const&) (khtml_part.cpp:4222)
==3497==    by 0xAE067D9: KHTMLPart::requestFrame(DOM::HTMLPartContainerElementImpl*, QString const&, QString const&, QStringList const&, bool) (khtml_part.cpp:4140)
==3497==    by 0xAEBC2CA: DOM::HTMLIFrameElementImpl::computeContent() (html_baseimpl.cpp:784)
==3497==    by 0xAED7A33: DOM::HTMLPartContainerElementImpl::computeContentIfNeeded() (html_objectimpl.cpp:90)
==3497==
...
==3497== Invalid read of size 4
==3497==    at 0x4DCAF91: (within /usr/lib/libQtCore.so.4.5.0)
==3497==    by 0xAFC8DCC: khtml::CachedScript::checkNotify() (loader.cpp:391)
==3497==    by 0xAFCC52B: khtml::CachedScript::data(QBuffer&, bool) (loader.cpp:383)
==3497==    by 0xAFCC151: khtml::Loader::slotFinished(KJob*) (loader.cpp:1409)
==3497==    by 0xAFD2396: khtml::Loader::qt_metacall(QMetaObject::Call, int, void**) (loader.moc:131)
==3497==    by 0x4D2F4C0: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3066)
==3497==    by 0x4D2FAD1: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qobject.cpp:3143)
==3497==    by 0x4A21342: KJob::result(KJob*) (kjob.moc:188)
==3497==    by 0x4A217E8: KJob::emitResult() (kjob.cpp:294)
==3497==    by 0x428DD14: KIO::SimpleJob::slotFinished() (job.cpp:485)
==3497==    by 0x428EF82: KIO::TransferJob::slotFinished() (job.cpp:962)
==3497==    by 0x429006A: KIO::TransferJob::qt_metacall(QMetaObject::Call, int, void**) (jobclasses.moc:343)
==3497==  Address 0xcae7da68 is not stack'd, malloc'd or (recently) free'd
```

Created attachment 32790 [details]
Reduced test case (very odd use of JavaScript IMHO)
The test case is not completely self-contained - it loads an external JS file with the content:
document.write("")
parent.vt_ma_cambiadatos_s46484_c(1)
Putting that into the test case file somehow didn't work for me. With 4.2.2 I get the same bt as Darío (segfault in khtml::HTMLTokenizer::notifyFinished ()). With recent trunk, all the frames up to that function appear in the bt as well, but it goes on and finally hits an assert (both with the original page and my test case):
konqueror: /home/kde-devel/kde/src/KDE/kdelibs/khtml/html/htmltokenizer.cpp:185: void khtml::HTMLTokenizer::reset(): Assertion `m_executingScript == 0' failed.
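The Valgrind trace above pins down the ordering problem: `HTMLTokenizer` is deleted from `DocumentImpl::detach()` (reached through `KHTMLPart::begin()` while the iframe is being set up), yet `CachedScript` still holds it as a client and later calls `notifyFinished()` on the freed object; the `m_executingScript == 0` assertion in `reset()` is the second face of the same problem, a teardown that arrives while a script is still on the stack. The following C++ model is an added illustration and is not khtml's code. All names in it (`CachedScript`, `Tokenizer`, `requestReset`, `scriptBody`, the two scenario functions) are stand-ins chosen for this example. It shows the buggy lifetime beside the two hardening steps a reviewer would ask for: a client unregisters itself in its destructor, and a reset requested mid-script is deferred until the script returns.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <functional>
#include <vector>

// Illustrative model only (hypothetical names, not khtml code). It reproduces
// the two lifetime hazards the Valgrind trace and the assertion point at:
//  (1) a cached script keeps a raw pointer to a tokenizer that was already
//      deleted and later notifies it (use-after-free);
//  (2) the tokenizer is reset while it is still executing a script.

class Tokenizer;

// Stand-in for CachedScript: holds raw client pointers and calls
// notifyFinished() on each once the script data has arrived.
class CachedScript {
public:
    void addClient(Tokenizer* t) { clients_.push_back(t); }
    void removeClient(Tokenizer* t) {
        clients_.erase(std::remove(clients_.begin(), clients_.end(), t), clients_.end());
    }
    std::size_t clientCount() const { return clients_.size(); }
    int finish();  // returns the number of clients notified
private:
    std::vector<Tokenizer*> clients_;
};

// Stand-in for HTMLTokenizer. With hardened == true it unregisters itself on
// destruction and defers reset() while a script is running.
class Tokenizer {
public:
    Tokenizer(CachedScript& s, bool hardened) : script_(s), hardened_(hardened) {
        script_.addClient(this);
    }
    ~Tokenizer() {
        // The step missing from the buggy lifetime: without it the script
        // keeps a dangling pointer to this object after it is destroyed.
        if (hardened_) script_.removeClient(this);
    }

    // Injected "script body" so a scenario can make it replace the document.
    std::function<void()> scriptBody;

    void notifyFinished() {
        ++executingScript_;
        if (scriptBody) scriptBody();
        --executingScript_;
        // Hardened path: a reset requested mid-script is carried out only now.
        if (executingScript_ == 0 && pendingReset_) { pendingReset_ = false; reset(); }
    }

    // Called when the document is replaced (the KHTMLPart::begin()/clear() path).
    void requestReset() {
        if (hardened_ && executingScript_ > 0) { pendingReset_ = true; return; }
        reset();  // buggy path: resets while a script is still on the stack
    }

    int resetsDuringScript = 0;  // each one would trip the real assertion
    int resetsTotal = 0;

private:
    void reset() {
        ++resetsTotal;
        if (executingScript_ > 0) ++resetsDuringScript;
    }
    CachedScript& script_;
    bool hardened_;
    int executingScript_ = 0;
    bool pendingReset_ = false;
};

int CachedScript::finish() {
    // Iterate over a snapshot and re-check membership: a client may unregister
    // during its own callback, which would otherwise invalidate the iterator.
    std::vector<Tokenizer*> snapshot = clients_;
    int notified = 0;
    for (Tokenizer* t : snapshot) {
        if (std::find(clients_.begin(), clients_.end(), t) == clients_.end()) continue;
        t->notifyFinished();
        ++notified;
    }
    return notified;
}

// Scenario 1: the tokenizer is destroyed (as in DocumentImpl::detach()) before
// the script finishes loading. Returns the number of stale client pointers left
// behind; the buggy lifetime leaves one, which finish() would later dereference.
std::size_t danglingClientsAfterDestroy(bool hardened) {
    CachedScript script;
    { Tokenizer t(script, hardened); }  // destroyed here
    return script.clientCount();
}

// Scenario 2: the script, while executing, triggers replacement of the document.
struct ResetStats { int duringScript; int total; };
ResetStats resetStats(bool hardened) {
    CachedScript script;
    Tokenizer t(script, hardened);
    t.scriptBody = [&t] { t.requestReset(); };
    script.finish();
    return ResetStats{t.resetsDuringScript, t.resetsTotal};
}

int main() {
    std::printf("stale clients after destroy: buggy=%zu hardened=%zu\n",
                danglingClientsAfterDestroy(false), danglingClientsAfterDestroy(true));
    std::printf("resets mid-script: buggy=%d hardened=%d (hardened total=%d)\n",
                resetStats(false).duringScript, resetStats(true).duringScript,
                resetStats(true).total);
    return 0;
}
```

Scenario 1 deliberately never dereferences the stale pointer; it only counts it, because the real trace shows exactly that dereference happening inside `notifyFinished()` and running it here would be undefined behaviour. In the hardened variant the deferred reset still happens exactly once, after the script returns, which is the ordering the assertion in `reset()` demands.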
(In reply to comment #3)
> document.write("")
> parent.vt_ma_cambiadatos_s46484_c(1)

Correction: that's not really the contents of the external script. I got fooled by the '&'s in the URL and passed the wrong parameters to the PHP file when loading it in Konqueror ;-). It should be possible to improve the test case then...

Created attachment 32791 [details]
JS which is part of an improved test case - contains only "parent.f1()"
Created attachment 32792 [details]
Improved test case
That's about as small as I can get it, I think :-)
Thanks for the testcase.

Crash confirmed with the testcase on both KDE 4.4.5 and 4.5.0.

*** Bug 301869 has been marked as a duplicate of this bug. ***

*** Bug 307006 has been marked as a duplicate of this bug. ***

*** Bug 307070 has been marked as a duplicate of this bug. ***

*** Bug 307495 has been marked as a duplicate of this bug. ***

*** Bug 264589 has been marked as a duplicate of this bug. ***

Thank you for the crash reports. As it has been a while since this was reported, can you please test and confirm if this issue is still occurring or if this bug report can be marked as resolved. I have set the bug status to "needsinfo" pending your response; please change back to "reported" or "resolved/worksforme" when you respond, thank you.

Hi Justin, thanks for the comment. Reverting back to REPORTED.

Using the latest testcase files, using Konqueror 20.12, Konqueror crashes in both KHTML and WebEngine rendering engines.

I'm using the following configuration:
Operating System: Slackware64-current (post 14.2 development)
KDE Plasma Version: 5.20.4
KDE Frameworks Version: 5.77.0
Qt Version: 5.15.2
Kernel Version: 5.4.83
OS Type: 64-bit
Processors: 8 × Intel® Core™ i7-8550U CPU @ 1.80GHz
Memory: 15,5 GiB of RAM
Graphics Processor: Mesa Intel® UHD Graphics 620

It was nice to go back to Konqi. Brought back fond memories. If we could only manage to give it a good adblocker and some fixes like these it could be again my daily driver. It's a fantastic piece of software.

Thank you for reporting this issue in KDE software. As it has been a while since this issue was reported, can we please ask you to see if you can reproduce the issue with a recent software version? If you can reproduce the issue, please change the status to "REPORTED" when replying. Thank you!

Dear Bug Submitter,

This bug has been in NEEDSINFO status with no change for at least 15 days. Please provide the requested information as soon as possible and set the bug status as REPORTED. Due to regular bug tracker maintenance, if the bug is still in NEEDSINFO status with no change in 30 days the bug will be closed as RESOLVED > WORKSFORME due to lack of needed information.

For more information about our bug triaging procedures please read the wiki located here: https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging

If you have already provided the requested information, please mark the bug as REPORTED so that the KDE team knows that the bug is ready to be confirmed.

Thank you for helping us make KDE software even better for everyone!

This bug has been in NEEDSINFO status with no change for at least 30 days. The bug is now closed as RESOLVED > WORKSFORME due to lack of needed information.

For more information about our bug triaging procedures please read the wiki located here: https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging

Thank you for helping us make KDE software even better for everyone!