Bug 190350

Summary: mappy.fr crashes khtml in InlineBox::root()
Product: [Applications] konqueror Reporter: David Faure <faure>
Component: khtml rendererAssignee: Konqueror Developers <konq-bugs>
Status: RESOLVED FIXED    
Severity: crash CC: davide.bettio
Priority: NOR    
Version: SVN   
Target Milestone: ---   
Platform: Unlisted Binaries   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:

Description David Faure 2009-04-22 17:18:34 UTC 
konqueror www.mappy.fr, immediate crash.

valgrind and gdb say the same:
==21032== Jump to the invalid address stated on the next line                                                                                                                            
==21032==    at 0x0: ???                                                                                                                                                                 
==21032==    by 0x1867B7D2: khtml::InlineBox::root() (render_line.cpp:174)                                                                                                               
==21032==    by 0x1867B859: khtml::InlineFlowBox::removeFromLine(khtml::InlineBox*) (render_line.cpp:226)                                                                                
==21032==    by 0x1867B941: khtml::InlineBox::remove() (render_line.cpp:76)                                                                                                              
==21032==    by 0x18626498: khtml::RenderText::detach() (render_text.cpp:722)                                                                                                            
==21032==    by 0x1851265C: DOM::NodeImpl::detach() (dom_nodeimpl.cpp:973)                                                                                                               
==21032==    by 0x185126CE: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1735)                                                                                                          
==21032==    by 0x1852282E: DOM::ElementImpl::detach() (dom_elementimpl.cpp:862)                                                                                                         
==21032==    by 0x185126CE: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1735)                                                                                                          
==21032==    by 0x1852282E: DOM::ElementImpl::detach() (dom_elementimpl.cpp:862)                                                                                                         
==21032==    by 0x185126CE: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1735)                                                                                                          
==21032==    by 0x1852282E: DOM::ElementImpl::detach() (dom_elementimpl.cpp:862)                                                                                                         
==21032==    by 0x185126CE: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1735)                                                                                                          
==21032==    by 0x1852282E: DOM::ElementImpl::detach() (dom_elementimpl.cpp:862)                                                                                                         
==21032==    by 0x185126CE: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1735)                                                                                                          
==21032==    by 0x1852282E: DOM::ElementImpl::detach() (dom_elementimpl.cpp:862)                                                                                                         
==21032==    by 0x18522494: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:936)                                                                          
==21032==    by 0x18583558: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:269)                                                                     
==21032==    by 0x185225C8: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:967)                                                                          
==21032==    by 0x18583558: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:269)                                                                     
==21032==    by 0x185225C8: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:967)                                                                          
==21032==    by 0x18583558: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:269)                                                                     
==21032==    by 0x185225C8: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:967)                                                                          
==21032==    by 0x18583558: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:269)                                                                     
==21032==    by 0x185225C8: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:967)                                                                          
==21032==    by 0x18583558: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:269)                                                                     
==21032==    by 0x185225C8: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:967)                                                                          
==21032==    by 0x18583558: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:269)                                                                     
==21032==    by 0x185225C8: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:967)                                                                          
==21032==    by 0x18583558: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:269)                                                                     
==21032==    by 0x185225C8: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:967)                                                                          
==21032==    by 0x18583558: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:269)                                                                     
==21032==    by 0x185225C8: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:967)                                                                          
==21032==    by 0x18583558: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:269)                                                                     
==21032==    by 0x185225C8: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:967)                                                                          
==21032==    by 0x18583558: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:269)                                                                     
==21032==    by 0x185225C8: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:967)                                                                          
==21032==    by 0x18583558: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:269)                                                                     
==21032==    by 0x185225C8: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:967)                                                                          
==21032==    by 0x18583558: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:269)                                                                     
==21032==    by 0x185225C8: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:967)                                                                          
==21032==    by 0x18583558: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:269)                                                                     
==21032==    by 0x185225C8: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:967)                                                                          
==21032==    by 0x18583558: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:269)                                                                     
==21032==    by 0x185225C8: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:967)                                                                          
==21032==    by 0x18583558: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:269)                                                                     
==21032==    by 0x184FA4E7: DOM::DocumentImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_docimpl.cpp:1445)                                                                            
==21032==    by 0x184F2571: DOM::DocumentImpl::updateRendering() (dom_docimpl.cpp:1474)                                                                                                  
==21032==    by 0x18508264: DOM::DocumentImpl::updateLayout() (dom_docimpl.cpp:1503)                                                                                                     
==21032==    by 0x186D6C62: khtml::RenderStyleDeclarationImpl::getPropertyCSSValue(int) const (css_renderstyledeclarationimpl.cpp:398)                                                   
==21032==  Address 0x0 is not stack'd, malloc'd or (recently) free'd                                                                                                                     

khtml trunk rev 957483
Comment 1 David Faure 2009-04-22 17:39:09 UTC 
new log after disabling the arena allocator.


==23006== 
==23006== Invalid read of size 1
==23006==    at 0x1A5B3A52: khtml::InlineBox::isDirty() const (render_line.h:129)
==23006==    by 0x1A650657: khtml::InlineBox::dirtyInlineBoxes() (render_line.cpp:247)
==23006==    by 0x1A65476C: khtml::InlineFlowBox::removeFromLine(khtml::InlineBox*) (render_line.cpp:224)
==23006==    by 0x1A65485D: khtml::InlineBox::remove() (render_line.cpp:76)                              
==23006==    by 0x1A5FF482: khtml::RenderText::detach() (render_text.cpp:722)                            
==23006==    by 0x1A4EB65C: DOM::NodeImpl::detach() (dom_nodeimpl.cpp:973)                               
==23006==    by 0x1A4EB6CE: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1735)                          
==23006==    by 0x1A4FB82E: DOM::ElementImpl::detach() (dom_elementimpl.cpp:862)                         
==23006==    by 0x1A4EB6CE: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1735)                          
==23006==    by 0x1A4FB82E: DOM::ElementImpl::detach() (dom_elementimpl.cpp:862)                         
==23006==    by 0x1A4EB6CE: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1735)                          
==23006==    by 0x1A4FB82E: DOM::ElementImpl::detach() (dom_elementimpl.cpp:862)                         
==23006==    by 0x1A4EB6CE: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1735)                          
==23006==    by 0x1A4FB82E: DOM::ElementImpl::detach() (dom_elementimpl.cpp:862)                         
==23006==    by 0x1A4EB6CE: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1735)                          
==23006==    by 0x1A4FB82E: DOM::ElementImpl::detach() (dom_elementimpl.cpp:862)                         
==23006==    by 0x1A4FB494: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:936)
==23006==    by 0x1A55C558: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:269)
==23006==    by 0x1A4FB5C8: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:967)     
==23006==    by 0x1A55C558: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:269)
==23006==    by 0x1A4FB5C8: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:967)     
==23006==    by 0x1A55C558: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:269)
==23006==    by 0x1A4FB5C8: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:967)     
==23006==    by 0x1A55C558: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:269)
==23006==    by 0x1A4FB5C8: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:967)     
==23006==    by 0x1A55C558: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:269)
==23006==    by 0x1A4FB5C8: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:967)     
==23006==    by 0x1A55C558: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:269)
==23006==    by 0x1A4FB5C8: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:967)     
==23006==    by 0x1A55C558: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:269)
==23006==    by 0x1A4FB5C8: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:967)     
==23006==    by 0x1A55C558: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:269)
==23006==    by 0x1A4FB5C8: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:967)     
==23006==    by 0x1A55C558: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:269)
==23006==    by 0x1A4FB5C8: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:967)     
==23006==    by 0x1A55C558: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:269)
==23006==    by 0x1A4FB5C8: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:967)     
==23006==    by 0x1A55C558: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:269)
==23006==    by 0x1A4FB5C8: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:967)     
==23006==    by 0x1A55C558: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:269)
==23006==    by 0x1A4FB5C8: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:967)     
==23006==    by 0x1A55C558: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:269)
==23006==    by 0x1A4FB5C8: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:967)     
==23006==    by 0x1A55C558: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:269)
==23006==    by 0x1A4FB5C8: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:967)     
==23006==    by 0x1A55C558: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:269)
==23006==    by 0x1A4D34E7: DOM::DocumentImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_docimpl.cpp:1445)       
==23006==    by 0x1A4CB571: DOM::DocumentImpl::updateRendering() (dom_docimpl.cpp:1474)                             
==23006==    by 0x1A4E1264: DOM::DocumentImpl::updateLayout() (dom_docimpl.cpp:1503)                                
==23006==    by 0x1A6AFB76: khtml::RenderStyleDeclarationImpl::getPropertyCSSValue(int) const (css_renderstyledeclarationimpl.cpp:398)
==23006==  Address 0x22090588 is 48 bytes inside a block of size 120 free'd                                                           
==23006==    at 0x4C2564F: free (vg_replace_malloc.c:293)                                                                             
==23006==    by 0x1A6023B2: khtml::RenderArena::free(unsigned long, void*) (render_arena.cpp:122)                                     
==23006==    by 0x1A654E43: khtml::InlineBox::detach(khtml::RenderArena*, bool) (render_line.cpp:92)                                  
==23006==    by 0x1A5FA3D7: khtml::RenderFlow::deleteInlineBoxes(khtml::RenderArena*) (render_flow.cpp:185)                           
==23006==    by 0x1A5FA335: khtml::RenderFlow::detach() (render_flow.cpp:360)                                                         
==23006==    by 0x1A5C3096: khtml::RenderBlock::removeChild(khtml::RenderObject*) (render_block.cpp:675)                              
==23006==    by 0x1A5E7E0E: khtml::RenderObject::remove() (render_object.h:847)                                                       
==23006==    by 0x1A62D2FD: khtml::RenderWidget::detach() (render_replaced.cpp:205)                                                   
==23006==    by 0x1A4EB65C: DOM::NodeImpl::detach() (dom_nodeimpl.cpp:973)                                                            
==23006==    by 0x1A4EB6DE: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1737)                                                       
==23006==    by 0x1A4FB82E: DOM::ElementImpl::detach() (dom_elementimpl.cpp:862)                                                      
==23006==    by 0x1A4EB6CE: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1735)                                                       
==23006==    by 0x1A4FB82E: DOM::ElementImpl::detach() (dom_elementimpl.cpp:862)                                                      
==23006==    by 0x1A4EB6CE: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1735)                                                       
==23006==    by 0x1A4FB82E: DOM::ElementImpl::detach() (dom_elementimpl.cpp:862)                                                      
==23006==    by 0x1A4EB6CE: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1735)                                                       
==23006==    by 0x1A4FB82E: DOM::ElementImpl::detach() (dom_elementimpl.cpp:862)                                                      
==23006==    by 0x1A4EB6CE: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1735)                                                       
==23006==    by 0x1A4FB82E: DOM::ElementImpl::detach() (dom_elementimpl.cpp:862)                                                      
==23006==    by 0x1A4FB494: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:936)                       
==23006==    by 0x1A55C558: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:269)                  
==23006==    by 0x1A4FB5C8: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:967)                       
==23006==    by 0x1A55C558: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:269)                  
==23006==    by 0x1A4FB5C8: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:967)                       
==23006==    by 0x1A55C558: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:269)                  
==23006==    by 0x1A4FB5C8: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:967)                       
==23006==    by 0x1A55C558: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:269)                  
==23006==    by 0x1A4FB5C8: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:967)                       
==23006==    by 0x1A55C558: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:269)                  
==23006==    by 0x1A4FB5C8: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:967)                       
==23006==    by 0x1A55C558: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:269)                  
==23006==    by 0x1A4FB5C8: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:967)                       
==23006==    by 0x1A55C558: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:269)                  
==23006==    by 0x1A4FB5C8: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:967)                       
==23006==    by 0x1A55C558: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:269)                  
==23006==    by 0x1A4FB5C8: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:967)                       
==23006==    by 0x1A55C558: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:269)                  
==23006==    by 0x1A4FB5C8: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:967)                       
==23006==    by 0x1A55C558: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:269)                  
==23006==    by 0x1A4FB5C8: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:967)                       
==23006==    by 0x1A55C558: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:269)                  
==23006==    by 0x1A4FB5C8: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:967)                       
==23006==    by 0x1A55C558: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:269)                  
==23006==    by 0x1A4FB5C8: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:967)                       
==23006==    by 0x1A55C558: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:269)                  
==23006==    by 0x1A4FB5C8: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:967)                       
==23006==    by 0x1A55C558: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:269)                  
==23006==    by 0x1A4FB5C8: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:967)                       
==23006==    by 0x1A55C558: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:269)                  
==23006==    by 0x1A4D34E7: DOM::DocumentImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_docimpl.cpp:1445)                         
==23006==
Comment 2 Maksim Orlovich 2009-04-22 17:46:08 UTC 
From the first difference (lines 1735 vs. 1737):
==23006== 
==23006== Invalid read of size 1
==23006==    at 0x1A5B3A52: khtml::InlineBox::isDirty() const (render_line.h:129)
==23006==    by 0x1A650657: khtml::InlineBox::dirtyInlineBoxes() (render_line.cpp:247)
==23006==    by 0x1A65476C:
khtml::InlineFlowBox::removeFromLine(khtml::InlineBox*) (render_line.cpp:224)
==23006==    by 0x1A65485D: khtml::InlineBox::remove() (render_line.cpp:76)     
==23006==    by 0x1A5FF482: khtml::RenderText::detach() (render_text.cpp:722)   
==23006==    by 0x1A4EB65C: DOM::NodeImpl::detach() (dom_nodeimpl.cpp:973)      
==23006==    by 0x1A4EB6CE: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1735) 
==23006==    by 0x1A4FB82E: DOM::ElementImpl::detach() (dom_elementimpl.cpp:862)                         
==23006==    by 0x1A4EB6CE: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1735) 
==23006==    by 0x1A4FB82E: DOM::ElementImpl::detach() (dom_elementimpl.cpp:862)                         
==23006==  Address 0x22090588 is 48 bytes inside a block of size 120 free'd     
==23006==    at 0x4C2564F: free (vg_replace_malloc.c:293)                       
==23006==    by 0x1A6023B2: khtml::RenderArena::free(unsigned long, void*) (render_arena.cpp:122)                                     
==23006==    by 0x1A654E43: khtml::InlineBox::detach(khtml::RenderArena*, bool) (render_line.cpp:92)                                  
==23006==    by 0x1A5FA3D7: khtml::RenderFlow::deleteInlineBoxes(khtml::RenderArena*) (render_flow.cpp:185) 
==23006==    by 0x1A5FA335: khtml::RenderFlow::detach() (render_flow.cpp:360)   
==23006==    by 0x1A5C3096: khtml::RenderBlock::removeChild(khtml::RenderObject*) (render_block.cpp:675)    
==23006==    by 0x1A5E7E0E: khtml::RenderObject::remove() (render_object.h:847) 
==23006==    by 0x1A62D2FD: khtml::RenderWidget::detach() (render_replaced.cpp:205)                                                   
==23006==    by 0x1A4EB65C: DOM::NodeImpl::detach() (dom_nodeimpl.cpp:973)      
==23006==    by 0x1A4EB6DE: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1737) 
==23006==    by 0x1A4FB82E: DOM::ElementImpl::detach() (dom_elementimpl.cpp:862)
Comment 3 A. Spehr 2009-05-22 02:55:44 UTC 
*** Bug 193564 has been marked as a duplicate of this bug. ***
Comment 4 Viacheslav Tokarev 2009-05-22 19:04:12 UTC 
SVN commit 971542 by vtokarev:

Invalidate and delete line box subtree of the flow when taking out
inline flow objectf rom the rendering tree. We may insert it somewhere afterwards
but still would need to recalculate inline boxes for it.
In theory, we should now better support rendering tree modifications
which was triggered lately by better continuation merge.

Thanks to Maks and Germain for the assistance!

BUG:192380
BUG:190350
BUG:191027
BUG:192105

 M  +31 -0     render_container.cpp  


WebSVN link: http://websvn.kde.org/?view=rev&revision=971542