Bug 195501

Summary: Crash when opening appleinsider.com-feed item
Product: [Applications] konqueror Reporter: industrie13 <industrie13>
Component: khtmlAssignee: Konqueror Developers <konq-bugs>
Status: RESOLVED FIXED    
Severity: crash CC: andresbajotierra, andrew.dorrell, anselmolsm, christophe, florian, frank78ac, kde, len, maksim, salvalemany, sgh, txwikinger
Priority: NOR    
Version: SVN   
Target Milestone: ---   
Platform: Unlisted Binaries   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:
Attachments: CSS part of reduced test case
HTML part of test case

Description industrie13 2009-06-06 22:01:14 UTC 
Version:            (using KDE 4.2.4)
OS:                Linux
Installed from:    Unspecified Linux

When I open an RSS-feed-item of the RSS-feed of appleinsider.com, Akregator crashes every time. I have "Load whole website" enabled.
All other feeds work without problems.
System: Arch-Linux, KDEmod 4.2.4

Debug-output:

Anwendung: Akregator (akregator), Signal SIGABRT
[Current thread is 0 (LWP 8778)]

Thread 2 (Thread 0xb13c4b70 (LWP 9230)):
#0  0xb7f8e424 in __kernel_vsyscall ()
#1  0xb66a3f82 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib/libpthread.so.0
#2  0xb670136f in QWaitCondition::wait () from /usr/lib/libQtCore.so.4
#3  0xb66f6946 in ?? () from /usr/lib/libQtCore.so.4
#4  0xb67003be in ?? () from /usr/lib/libQtCore.so.4
#5  0xb669f6bc in start_thread () from /lib/libpthread.so.0
#6  0xb59ccffe in clone () from /lib/libc.so.6

Thread 1 (Thread 0xb451f710 (LWP 8778)):
[KCrash Handler]
#6  0xb7f8e424 in __kernel_vsyscall ()
#7  0xb59287a1 in raise () from /lib/libc.so.6
#8  0xb5929fd4 in abort () from /lib/libc.so.6
#9  0xb66f7f34 in qt_message_output () from /usr/lib/libQtCore.so.4
#10 0xb66f801e in qFatal () from /usr/lib/libQtCore.so.4
#11 0xb6724e96 in QListData::detach2 () from /usr/lib/libQtCore.so.4
#12 0xb76d35ed in QList<khtml::CSSOrderedRule*>::detach_helper () from /usr/lib/libkhtml.so.5
#13 0xb76c11c4 in khtml::CSSStyleSelectorList::collect () from /usr/lib/libkhtml.so.5
#14 0xb76c1916 in khtml::CSSStyleSelector::buildLists () from /usr/lib/libkhtml.so.5
#15 0xb76cffbb in khtml::CSSStyleSelector::CSSStyleSelector () from /usr/lib/libkhtml.so.5
#16 0xb7557b5f in DOM::DocumentImpl::rebuildStyleSelector () from /usr/lib/libkhtml.so.5
#17 0xb7557cb4 in DOM::DocumentImpl::updateStyleSelector () from /usr/lib/libkhtml.so.5
#18 0xb75580f8 in DOM::DocumentImpl::styleSheetLoaded () from /usr/lib/libkhtml.so.5
#19 0xb75b9157 in DOM::HTMLLinkElementImpl::finished () from /usr/lib/libkhtml.so.5
#20 0xb75b9a13 in DOM::HTMLLinkElementImpl::setStyleSheet () from /usr/lib/libkhtml.so.5
#21 0xb76faab1 in khtml::CachedCSSStyleSheet::checkNotify () from /usr/lib/libkhtml.so.5
#22 0xb76fae93 in khtml::CachedCSSStyleSheet::data () from /usr/lib/libkhtml.so.5
#23 0xb76f405d in khtml::Loader::slotFinished () from /usr/lib/libkhtml.so.5
#24 0xb76fb4d7 in khtml::Loader::qt_metacall () from /usr/lib/libkhtml.so.5
#25 0xb6807831 in QMetaObject::activate () from /usr/lib/libQtCore.so.4
#26 0xb68084a2 in QMetaObject::activate () from /usr/lib/libQtCore.so.4
#27 0xb6a32d13 in KJob::result () from /usr/lib/libkdecore.so.5
#28 0xb6a33229 in KJob::emitResult () from /usr/lib/libkdecore.so.5
#29 0xb70f5f80 in KIO::SimpleJob::slotFinished () from /usr/lib/libkio.so.5
#30 0xb70f71fa in KIO::TransferJob::slotFinished () from /usr/lib/libkio.so.5
#31 0xb70f4043 in KIO::TransferJob::qt_metacall () from /usr/lib/libkio.so.5
#32 0xb6807831 in QMetaObject::activate () from /usr/lib/libQtCore.so.4
#33 0xb68084a2 in QMetaObject::activate () from /usr/lib/libQtCore.so.4
#34 0xb71c6187 in KIO::SlaveInterface::finished () from /usr/lib/libkio.so.5
#35 0xb71ca515 in KIO::SlaveInterface::dispatch () from /usr/lib/libkio.so.5
#36 0xb71c6669 in KIO::SlaveInterface::dispatch () from /usr/lib/libkio.so.5
#37 0xb71b612a in KIO::Slave::gotInput () from /usr/lib/libkio.so.5
#38 0xb71b8b13 in KIO::Slave::qt_metacall () from /usr/lib/libkio.so.5
#39 0xb6807831 in QMetaObject::activate () from /usr/lib/libQtCore.so.4
#40 0xb68084a2 in QMetaObject::activate () from /usr/lib/libQtCore.so.4
#41 0xb70bbb27 in KIO::Connection::readyRead () from /usr/lib/libkio.so.5
#42 0xb70be40c in KIO::ConnectionPrivate::dequeue () from /usr/lib/libkio.so.5
#43 0xb70be58e in KIO::Connection::qt_metacall () from /usr/lib/libkio.so.5
#44 0xb68002db in QMetaCallEvent::placeMetaCall () from /usr/lib/libQtCore.so.4
#45 0xb68019de in QObject::event () from /usr/lib/libQtCore.so.4
#46 0xb5c9c6ac in QApplicationPrivate::notify_helper () from /usr/lib/libQtGui.so.4
#47 0xb5ca3e44 in QApplication::notify () from /usr/lib/libQtGui.so.4
#48 0xb6e044aa in KApplication::notify () from /usr/lib/libkdeui.so.5
#49 0xb67f174b in QCoreApplication::notifyInternal () from /usr/lib/libQtCore.so.4
#50 0xb67f2208 in QCoreApplicationPrivate::sendPostedEvents () from /usr/lib/libQtCore.so.4
#51 0xb67f23dd in QCoreApplication::sendPostedEvents () from /usr/lib/libQtCore.so.4
#52 0xb681cdef in ?? () from /usr/lib/libQtCore.so.4
#53 0xb4a7d288 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#54 0xb4a80878 in g_main_context_iterate () from /usr/lib/libglib-2.0.so.0
#55 0xb4a809ea in g_main_context_iteration () from /usr/lib/libglib-2.0.so.0
#56 0xb681ca1c in QEventDispatcherGlib::processEvents () from /usr/lib/libQtCore.so.4
#57 0xb5d3b5c5 in ?? () from /usr/lib/libQtGui.so.4
#58 0xb67efcd9 in QEventLoop::processEvents () from /usr/lib/libQtCore.so.4
#59 0xb67f0122 in QEventLoop::exec () from /usr/lib/libQtCore.so.4
#60 0xb67f249f in QCoreApplication::exec () from /usr/lib/libQtCore.so.4
#61 0xb5c9c527 in QApplication::exec () from /usr/lib/libQtGui.so.4
#62 0x0804ed71 in main (argc=5, argv=0xbfeac3a4) at /home/jan/kdemod/core/kdepim/src/kdepim-4.2.4/akregator/src/main.cpp:115
Comment 1 Christophe Marin 2009-06-06 22:20:52 UTC 
Reassign. http://www.appleinsider.com/rss/ also crashes in Konqueror.

Application: Konqueror (kdeinit), signal: Segmentation fault
[KCrash Handler]
#6  khtml::CSSStyleSelectorList::collect (this=0x85a0000, selectorsCache=0xbfd28790, selectorList=0xbfd287d8, propList=0xbfd287d4, regular=khtml::Default, important=khtml::Default)
    at /usr/include/QtCore/qatomic_i386.h:120
#7  0xb02c4dc3 in khtml::CSSStyleSelector::buildLists (this=0x8596848) at /usr/src/debug/kdelibs-4.2.90/khtml/css/cssstyleselector.cpp:1910
#8  0xb02d5b8b in CSSStyleSelector (this=0x8596848, doc=0x88c6f28, userStyleSheet=
      {static null = {<No data fields>}, static shared_null = {ref = {_q_value = 20711}, alloc = 0, size = 0, data = 0x80532da, clean = 0, simpletext = 0, righttoleft = 0, asciiCache = 0, capacity = 0, reserved = 0, array = {0}}, static shared_empty = {ref = {_q_value = 187}, alloc = 0, size = 0, data = 0xb800b48e, clean = 0, simpletext = 0, righttoleft = 0, asciiCache = 0, capacity = 0, reserved = 0, array = {0}}, d = 0xbfd28910, static codecForCStrings = 0x0}, styleSheets=0x8947f58, url=@0x88c6f7c, _strictParsing=true) at /usr/src/debug/kdelibs-4.2.90/khtml/css/cssstyleselector.cpp:287
#9  0xb01781d6 in DOM::DocumentImpl::rebuildStyleSelector (this=0x88c6f28) at /usr/src/debug/kdelibs-4.2.90/khtml/xml/dom_docimpl.cpp:2388
#10 0xb0178334 in DOM::DocumentImpl::updateStyleSelector (this=0x88c6f28, shallow=false) at /usr/src/debug/kdelibs-4.2.90/khtml/xml/dom_docimpl.cpp:2207
#11 0xb0178790 in DOM::DocumentImpl::styleSheetLoaded (this=0x88c6f28) at /usr/src/debug/kdelibs-4.2.90/khtml/xml/dom_docimpl.cpp:2123
#12 0xb01d3f8f in DOM::HTMLLinkElementImpl::finished (this=0x8768d20) at /usr/src/debug/kdelibs-4.2.90/khtml/html/html_headimpl.cpp:273
#13 0xb01d4700 in DOM::HTMLLinkElementImpl::setStyleSheet (this=0x8768d20, url=@0x855ef38, sheetStr=@0x855ef74, charset=@0xbfd28a24, mimetype=@0xbfd28a1c)
    at /usr/src/debug/kdelibs-4.2.90/khtml/html/html_headimpl.cpp:264
#14 0xb02fec8c in khtml::CachedCSSStyleSheet::checkNotify (this=0x855ef30) at /usr/src/debug/kdelibs-4.2.90/khtml/misc/loader.cpp:306
#15 0xb02ff054 in khtml::CachedCSSStyleSheet::data (this=0x855ef30, buffer=@0x893065c, eof=true) at /usr/src/debug/kdelibs-4.2.90/khtml/misc/loader.cpp:296
#16 0xb02f8f62 in khtml::Loader::slotFinished (this=0x84cdb18, job=0x8964ef8) at /usr/src/debug/kdelibs-4.2.90/khtml/misc/loader.cpp:1461
#17 0xb02ff6a7 in khtml::Loader::qt_metacall (this=0x84cdb18, _c=QMetaObject::InvokeMetaMethod, _id=3, _a=0xbfd28c0c) at /usr/src/debug/kdelibs-4.2.90/build/khtml/loader.moc:131
#18 0xb7f29dc8 in QMetaObject::activate (sender=0x8964ef8, from_signal_index=7, to_signal_index=7, argv=0xbfd28c0c) at kernel/qobject.cpp:3120
#19 0xb7f2b552 in QMetaObject::activate (sender=0x8964ef8, m=0xb7dafda8, local_signal_index=3, argv=0xbfd28c0c) at kernel/qobject.cpp:3194
#20 0xb7c20e23 in KJob::result (this=0x8964ef8, _t1=0x8964ef8) at /usr/src/debug/kdelibs-4.2.90/build/kdecore/kjob.moc:188
#21 0xb7c212c9 in KJob::emitResult (this=0x8964ef8) at /usr/src/debug/kdelibs-4.2.90/kdecore/jobs/kjob.cpp:304
#22 0xb77fa4a5 in KIO::SimpleJob::slotFinished (this=0x8964ef8) at /usr/src/debug/kdelibs-4.2.90/kio/kio/job.cpp:477
#23 0xb77fade3 in KIO::TransferJob::slotFinished (this=0x8964ef8) at /usr/src/debug/kdelibs-4.2.90/kio/kio/job.cpp:948
#24 0xb77f738b in KIO::TransferJob::qt_metacall (this=0x8964ef8, _c=QMetaObject::InvokeMetaMethod, _id=7, _a=0xbfd28e48) at /usr/src/debug/kdelibs-4.2.90/build/kio/jobclasses.moc:343
#25 0xb7f29dc8 in QMetaObject::activate (sender=0x8892f38, from_signal_index=8, to_signal_index=8, argv=0x0) at kernel/qobject.cpp:3120
#26 0xb7f2b552 in QMetaObject::activate (sender=0x8892f38, m=0xb79d4f24, local_signal_index=4, argv=0x0) at kernel/qobject.cpp:3194
#27 0xb78c1957 in KIO::SlaveInterface::finished (this=0x8892f38) at /usr/src/debug/kdelibs-4.2.90/build/kio/slaveinterface.moc:165
#28 0xb78c5697 in KIO::SlaveInterface::dispatch (this=0x8892f38, _cmd=104, rawdata=@0xbfd29014) at /usr/src/debug/kdelibs-4.2.90/kio/kio/slaveinterface.cpp:175
#29 0xb78c1e37 in KIO::SlaveInterface::dispatch (this=0x8892f38) at /usr/src/debug/kdelibs-4.2.90/kio/kio/slaveinterface.cpp:91
#30 0xb78b3bad in KIO::Slave::gotInput (this=0x8892f38) at /usr/src/debug/kdelibs-4.2.90/kio/kio/slave.cpp:322
#31 0xb78b6043 in KIO::Slave::qt_metacall (this=0x8892f38, _c=QMetaObject::InvokeMetaMethod, _id=2, _a=0xbfd29128) at /usr/src/debug/kdelibs-4.2.90/build/kio/slave.moc:76
#32 0xb7f29dc8 in QMetaObject::activate (sender=0x88a8568, from_signal_index=4, to_signal_index=4, argv=0x0) at kernel/qobject.cpp:3120
#33 0xb7f2b552 in QMetaObject::activate (sender=0x88a8568, m=0xb79d1860, local_signal_index=0, argv=0x0) at kernel/qobject.cpp:3194
#34 0xb77bf087 in KIO::Connection::readyRead (this=0x88a8568) at /usr/src/debug/kdelibs-4.2.90/build/kio/connection.moc:86
#35 0xb77c09f3 in KIO::ConnectionPrivate::dequeue (this=0x87527f8) at /usr/src/debug/kdelibs-4.2.90/kio/kio/connection.cpp:82
#36 0xb77c0dd6 in KIO::Connection::qt_metacall (this=0x88a8568, _c=QMetaObject::InvokeMetaMethod, _id=1, _a=0x84cdad8) at /usr/src/debug/kdelibs-4.2.90/build/kio/connection.moc:73
#37 0xb7f22a1b in QMetaCallEvent::placeMetaCall (this=0x8a26f48, object=0x88a8568) at kernel/qobject.cpp:489
#38 0xb7f244b0 in QObject::event (this=0x88a8568, e=0x8a26f48) at kernel/qobject.cpp:1118
#39 0xb68b369c in QApplicationPrivate::notify_helper (this=0x8181858, receiver=0x88a8568, e=0x8a26f48) at kernel/qapplication.cpp:4057
#40 0xb68bb99e in QApplication::notify (this=0xbfd29a88, receiver=0x88a8568, e=0x8a26f48) at kernel/qapplication.cpp:3604
#41 0xb73d1b9d in KApplication::notify (this=0xbfd29a88, receiver=0x88a8568, event=0x8a26f48) at /usr/src/debug/kdelibs-4.2.90/kdeui/kernel/kapplication.cpp:302
#42 0xb7f13adb in QCoreApplication::notifyInternal (this=0xbfd29a88, receiver=0x88a8568, event=0x8a26f48) at kernel/qcoreapplication.cpp:610
#43 0xb7f14725 in QCoreApplicationPrivate::sendPostedEvents (receiver=0x0, event_type=0, data=0x80ec990) at kernel/qcoreapplication.h:213
#44 0xb7f1491d in QCoreApplication::sendPostedEvents (receiver=0x0, event_type=0) at kernel/qcoreapplication.cpp:1140
#45 0xb7f3f90f in postEventSourceDispatch (s=0x8183b20) at kernel/qcoreapplication.h:218
#46 0xb644c9c8 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#47 0xb6450083 in ?? () from /usr/lib/libglib-2.0.so.0
#48 0xb6450241 in g_main_context_iteration () from /usr/lib/libglib-2.0.so.0
#49 0xb7f3f558 in QEventDispatcherGlib::processEvents (this=0x8181818, flags={i = -1076717640}) at kernel/qeventdispatcher_glib.cpp:324
#50 0xb6953975 in QGuiEventDispatcherGlib::processEvents (this=0x8181818, flags={i = -1076717592}) at kernel/qguieventdispatcher_glib.cpp:202
#51 0xb7f120fa in QEventLoop::processEvents (this=0xbfd29860, flags={i = -1076717528}) at kernel/qeventloop.cpp:149
#52 0xb7f1253a in QEventLoop::exec (this=0xbfd29860, flags={i = -1076717464}) at kernel/qeventloop.cpp:200
#53 0xb7f149e9 in QCoreApplication::exec () at kernel/qcoreapplication.cpp:888
#54 0xb68b3517 in QApplication::exec () at kernel/qapplication.cpp:3526
#55 0xb39694bf in kdemain () from /usr/lib/libkdeinit4_konqueror.so
#56 0x0804e2b0 in launch (argc=2, _name=0x815b224 "konqueror", args=0x815b241 "", cwd=0x815b242 "/home/krop/Documents", envc=111, envs=0x815b25b "LESSKEY=/etc/lesskey.bin", reset_env=true, tty=0x0, 
    avoid_loops=false, startup_id_str=0x815d157 "0") at /usr/src/debug/kdelibs-4.2.90/kinit/kinit.cpp:671
#57 0x0804ea8d in handle_launcher_request (sock=13, who=<value optimized out>) at /usr/src/debug/kdelibs-4.2.90/kinit/kinit.cpp:1163
#58 0x0804eed8 in handle_requests (waitForPid=0) at /usr/src/debug/kdelibs-4.2.90/kinit/kinit.cpp:1347
#59 0x0804fbca in main (argc=1, argv=0xbfd2a434, envp=0xbfd2a43c) at /usr/src/debug/kdelibs-4.2.90/kinit/kinit.cpp:1783
Comment 2 Frank Reininghaus 2009-06-14 12:48:26 UTC 
*** Bug 196429 has been marked as a duplicate of this bug. ***
Comment 3 Anselmo L. S. Melo (anselmolsm) 2009-06-20 23:29:58 UTC 
I can reproduce this bug, using akregator or not.

The problem also happens when I try to access http://www.appleinsider.com/rss/ directly on konqueror.

My setup:
Konqueror Version 4.2.92 (KDE 4.2.92 (KDE 4.3 >= 20090617))
Using KDE 4.2.92 (KDE 4.2.92 (KDE 4.3 >= 20090617)) - svn r984201
qt-copy r978427
Comment 4 Frank Reininghaus 2009-06-30 23:05:45 UTC 
*** Bug 198458 has been marked as a duplicate of this bug. ***
Comment 5 Søren Holm 2009-07-03 23:03:08 UTC 
Still happenens in 4.3rc1
Comment 6 Tommi Tervo 2009-07-04 08:55:54 UTC 
*** Bug 198858 has been marked as a duplicate of this bug. ***
Comment 7 Christophe Marin 2009-07-09 00:28:35 UTC 
*** Bug 198824 has been marked as a duplicate of this bug. ***
Comment 8 Christophe Marin 2009-07-09 00:29:18 UTC 
*** Bug 199489 has been marked as a duplicate of this bug. ***
Comment 9 Dario Andres 2009-07-10 00:36:54 UTC 
*** Bug 199606 has been marked as a duplicate of this bug. ***
Comment 10 Dario Andres 2009-07-10 00:48:23 UTC 
Bug has another testcase URL:

http://www.appleinsider.com/articles/09/07/08/apple_launches_http_live_streaming_standard_in_iphone_3_0.html

Valgrind log:

==15340== Invalid read of size 4                                                                                     
==15340==    at 0xA2D937A: khtml::CSSStyleSelectorList::collect(WTF::HashMap<DOM::CSSSelector*, int, DOM::SelectorHash, WTF::HashTraits<DOM::CSSSelector*>, WTF::HashTraits<int> >*, QList<DOM::CSSSelector*>*, khtml::CSSOrderedPropertyList*, khtml::Source, khtml::Source) (qlist.h:111)                                                                    
==15340==    by 0xA2D9F34: khtml::CSSStyleSelector::buildLists() (cssstyleselector.cpp:1910)                         
==15340==    by 0xA2EA662: khtml::CSSStyleSelector::CSSStyleSelector(DOM::DocumentImpl*, QString, DOM::StyleSheetListImpl*, KUrl const&, bool) (cssstyleselector.cpp:287)                                                                 
==15340==    by 0xA18E54C: DOM::DocumentImpl::rebuildStyleSelector() (dom_docimpl.cpp:2393)                          
==15340==    by 0xA18E683: DOM::DocumentImpl::updateStyleSelector(bool) (dom_docimpl.cpp:2212)                       
==15340==    by 0xA18EAAF: DOM::DocumentImpl::styleSheetLoaded() (dom_docimpl.cpp:2128)                              
==15340==    by 0xA1EBB96: DOM::HTMLLinkElementImpl::finished() (html_headimpl.cpp:273)                              
==15340==    by 0xA1EC452: DOM::HTMLLinkElementImpl::setStyleSheet(DOM::DOMString const&, DOM::DOMString const&, DOM::DOMString const&, DOM::DOMString const&) (html_headimpl.cpp:264)                                                    
==15340==    by 0xA3135B0: khtml::CachedCSSStyleSheet::checkNotify() (loader.cpp:306)                                
==15340==    by 0xA313992: khtml::CachedCSSStyleSheet::data(QBuffer&, bool) (loader.cpp:296)                         
==15340==    by 0xA30D664: khtml::Loader::slotFinished(KJob*) (loader.cpp:1461)                                      
==15340==    by 0xA313FD6: khtml::Loader::qt_metacall(QMetaObject::Call, int, void**) (loader.moc:131)               
==15340==  Address 0x6540004 is not stack'd, malloc'd or (recently) free'd                                           
==15340==                                                                                                            
==15340== Invalid read of size 4                                                                                     
==15340==    at 0xA2D9380: khtml::CSSStyleSelectorList::collect(WTF::HashMap<DOM::CSSSelector*, int, DOM::SelectorHash, WTF::HashTraits<DOM::CSSSelector*>, WTF::HashTraits<int> >*, QList<DOM::CSSSelector*>*, khtml::CSSOrderedPropertyList*, khtml::Source, khtml::Source) (qatomic_i386.h:120)                                                             
==15340==    by 0xA2D9F34: khtml::CSSStyleSelector::buildLists() (cssstyleselector.cpp:1910)                         
==15340==    by 0xA2EA662: khtml::CSSStyleSelector::CSSStyleSelector(DOM::DocumentImpl*, QString, DOM::StyleSheetListImpl*, KUrl const&, bool) (cssstyleselector.cpp:287)                                                                 
==15340==    by 0xA18E54C: DOM::DocumentImpl::rebuildStyleSelector() (dom_docimpl.cpp:2393)                          
==15340==    by 0xA18E683: DOM::DocumentImpl::updateStyleSelector(bool) (dom_docimpl.cpp:2212)                       
==15340==    by 0xA18EAAF: DOM::DocumentImpl::styleSheetLoaded() (dom_docimpl.cpp:2128)                              
==15340==    by 0xA1EBB96: DOM::HTMLLinkElementImpl::finished() (html_headimpl.cpp:273)                              
==15340==    by 0xA1EC452: DOM::HTMLLinkElementImpl::setStyleSheet(DOM::DOMString const&, DOM::DOMString const&, DOM::DOMString const&, DOM::DOMString const&) (html_headimpl.cpp:264)
==15340==    by 0xA3135B0: khtml::CachedCSSStyleSheet::checkNotify() (loader.cpp:306)
==15340==    by 0xA313992: khtml::CachedCSSStyleSheet::data(QBuffer&, bool) (loader.cpp:296)
==15340==    by 0xA30D664: khtml::Loader::slotFinished(KJob*) (loader.cpp:1461)
==15340==    by 0xA313FD6: khtml::Loader::qt_metacall(QMetaObject::Call, int, void**) (loader.moc:131)
==15340==  Address 0x40 is not stack'd, malloc'd or (recently) free'd
KCrash: Application 'konqueror' crashing...
sock_file=/home/kde-devel/.kde4/socket-emiDell/kdeinit4__0
==15340==
==15340== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 252 from 4)
==15340== malloc/free: in use at exit: 5,306,041 bytes in 70,060 blocks.
==15340== malloc/free: 424,080 allocs, 354,020 frees, 56,217,819 bytes allocated.
==15340== For counts of detected errors, rerun with: -v
==15340== searching for pointers to 70,060 not-freed blocks.
==15340== checked 55,321,032 bytes.
==15340==
==15340== LEAK SUMMARY:
==15340==    definitely lost: 13,472 bytes in 643 blocks.
==15340==      possibly lost: 147,186 bytes in 5,306 blocks.
==15340==    still reachable: 5,145,383 bytes in 64,111 blocks.
==15340==         suppressed: 0 bytes in 0 blocks.
Comment 11 Maksim Orlovich 2009-07-10 00:53:41 UTC 
better vg trace:
==27162== Invalid read of size 4                                                                                                  
==27162==    at 0xADA68BD: QList<khtml::CSSOrderedRule*>::QList(QList<khtml::CSSOrderedRule*> const&) (qlist.h:111)               
==27162==    by 0xADA8828: QListIterator<khtml::CSSOrderedRule*>::QListIterator(QList<khtml::CSSOrderedRule*> const&) (qlist.h:684)                                                                                                                                 
==27162==    by 0xAD99ECB: khtml::CSSStyleSelectorList::collect(WTF::HashMap<DOM::CSSSelector*, int, DOM::SelectorHash, WTF::HashTraits<DOM::CSSSelector*>, WTF::HashTraits<int> >*, QList<DOM::CSSSelector*>*, khtml::CSSOrderedPropertyList*, khtml::Source, khtml::Source) (cssstyleselector.cpp:2119)                                                                                             
==27162==    by 0xAD9A5A0: khtml::CSSStyleSelector::buildLists() (cssstyleselector.cpp:1910)                                      
==27162==    by 0xADA1CF8: khtml::CSSStyleSelector::CSSStyleSelector(DOM::DocumentImpl*, QString, DOM::StyleSheetListImpl*, KUrl const&, bool) (cssstyleselector.cpp:287)                                                                                           
==27162==    by 0xAC2A4A0: DOM::DocumentImpl::rebuildStyleSelector() (dom_docimpl.cpp:2393)                                       
==27162==    by 0xAC340C9: DOM::DocumentImpl::updateStyleSelector(bool) (dom_docimpl.cpp:2212)                                    
==27162==    by 0xAC34468: DOM::DocumentImpl::styleSheetLoaded() (dom_docimpl.cpp:2128)                                           
==27162==    by 0xAC92D7C: DOM::HTMLLinkElementImpl::finished() (html_headimpl.cpp:273)                                           
==27162==    by 0xAC947C6: DOM::HTMLLinkElementImpl::setStyleSheet(DOM::DOMString const&, DOM::DOMString const&, DOM::DOMString const&, DOM::DOMString const&) (html_headimpl.cpp:264)                                                                              
==27162==    by 0xADC5D7F: khtml::CachedCSSStyleSheet::checkNotify() (loader.cpp:306)                                             
==27162==    by 0xADCB897: khtml::CachedCSSStyleSheet::data(QBuffer&, bool) (loader.cpp:296)
Comment 12 Maksim Orlovich 2009-07-10 00:54:58 UTC 
Erk. Let's try this again. Sorry for the noise (I wish bugzilla had a way of leaving developers' notes w/o spamming all the reporters :( ). 

==27162== Invalid read of size 4                                                                                                  
==27162==    at 0xADA68BD: QList<khtml::CSSOrderedRule*>::QList(QList<khtml::CSSOrderedRule*> const&) (qlist.h:111)               
==27162==    by 0xADA8828: QListIterator<khtml::CSSOrderedRule*>::QListIterator(QList<khtml::CSSOrderedRule*> const&) (qlist.h:684)                                                                                                                                 
==27162==    by 0xAD99ECB: khtml::CSSStyleSelectorList::collect(WTF::HashMap<DOM::CSSSelector*, int, DOM::SelectorHash, WTF::HashTraits<DOM::CSSSelector*>, WTF::HashTraits<int> >*, QList<DOM::CSSSelector*>*, khtml::CSSOrderedPropertyList*, khtml::Source, khtml::Source) (cssstyleselector.cpp:2119)                                                                                             
==27162==    by 0xAD9A5A0: khtml::CSSStyleSelector::buildLists() (cssstyleselector.cpp:1910)                                      
==27162==    by 0xADA1CF8: khtml::CSSStyleSelector::CSSStyleSelector(DOM::DocumentImpl*, QString, DOM::StyleSheetListImpl*, KUrl const&, bool) (cssstyleselector.cpp:287)                                                                                           
==27162==    by 0xAC2A4A0: DOM::DocumentImpl::rebuildStyleSelector() (dom_docimpl.cpp:2393)                                       
==27162==    by 0xAC340C9: DOM::DocumentImpl::updateStyleSelector(bool) (dom_docimpl.cpp:2212)                                    
==27162==    by 0xAC34468: DOM::DocumentImpl::styleSheetLoaded() (dom_docimpl.cpp:2128)                                           
==27162==    by 0xAC92D7C: DOM::HTMLLinkElementImpl::finished() (html_headimpl.cpp:273)                                           
==27162==    by 0xAC947C6: DOM::HTMLLinkElementImpl::setStyleSheet(DOM::DOMString const&, DOM::DOMString const&, DOM::DOMString const&, DOM::DOMString const&) (html_headimpl.cpp:264)                                                                              
==27162==    by 0xADC5D7F: khtml::CachedCSSStyleSheet::checkNotify() (loader.cpp:306)                                             
==27162==    by 0xADCB897: khtml::CachedCSSStyleSheet::data(QBuffer&, bool) (loader.cpp:296)                                      
==27162==    by 0xADC7C84: khtml::Loader::slotFinished(KJob*) (loader.cpp:1461)                                                   
==27162==    by 0xADC7FA6: khtml::Loader::qt_metacall(QMetaObject::Call, int, void**) (loader.moc:131)                            
==27162==    by 0x4FFAC07: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3066)                                   
==27162==    by 0x4FFB241: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qobject.cpp:3143)                    
==27162==    by 0x4CBAFD2: KJob::result(KJob*) (kjob.moc:188)                                                                     
==27162==    by 0x4CBB52D: KJob::emitResult() (kjob.cpp:304)                                                                      
==27162==    by 0x43A9F7E: KIO::SimpleJob::slotFinished() (job.cpp:477)                                                           
==27162==    by 0x43AA302: KIO::TransferJob::slotFinished() (job.cpp:948)                                                         
==27162==    by 0x43B0DD2: KIO::TransferJob::qt_metacall(QMetaObject::Call, int, void**) (jobclasses.moc:343)                     
==27162==    by 0x4FFAC07: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3066)                                   
==27162==    by 0x4FFB241: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qobject.cpp:3143)                    
==27162==    by 0x4462586: KIO::SlaveInterface::finished() (slaveinterface.moc:165)                                               
==27162==    by 0x446418E: KIO::SlaveInterface::dispatch(int, QByteArray const&) (slaveinterface.cpp:175)                         
==27162==    by 0x4464C97: KIO::SlaveInterface::dispatch() (slaveinterface.cpp:91)                                                
==27162==    by 0x4457FE6: KIO::Slave::gotInput() (slave.cpp:322)                                                                 
==27162==    by 0x44593C2: KIO::Slave::qt_metacall(QMetaObject::Call, int, void**) (slave.moc:76)                                 
==27162==    by 0x4FFAC07: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3066)                                   
==27162==    by 0x4FFB241: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qobject.cpp:3143)                    
==27162==    by 0x4379C26: KIO::Connection::readyRead() (connection.moc:86)                                                       
==27162==    by 0x437AB45: KIO::ConnectionPrivate::dequeue() (connection.cpp:82)                                                  
==27162==    by 0x437B9A5: KIO::Connection::qt_metacall(QMetaObject::Call, int, void**) (connection.moc:73)                       
==27162==    by 0x4FF355A: QMetaCallEvent::placeMetaCall(QObject*) (qobject.cpp:489)                                              
==27162==    by 0x4FF57DF: QObject::event(QEvent*) (qobject.cpp:1115)                                                             
==27162==    by 0x52BA77B: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:4084)                          
==27162==    by 0x52C338E: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:3631)                                        
==27162==    by 0x492BD30: KApplication::notify(QObject*, QEvent*) (kapplication.cpp:302)                                         
==27162==    by 0x4FE476A: QCoreApplication::notifyInternal(QObject*, QEvent*) (qcoreapplication.cpp:598)                         
==27162==    by 0x4FE8112: QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qcoreapplication.h:213)        
==27162==    by 0x4FE831C: QCoreApplication::sendPostedEvents(QObject*, int) (qcoreapplication.cpp:1132)                          
==27162==    by 0x500F6DE: postEventSourceDispatch(_GSource*, int (*)(void*), void*) (qcoreapplication.h:218)                     
==27162==    by 0x60C4C09: g_main_context_dispatch (gmain.c:1814)                                                                 
==27162==    by 0x60C8273: g_main_context_iterate (gmain.c:2448)                                                                  
==27162==    by 0x60C83FE: g_main_context_iteration (gmain.c:2511)                                                                
==27162==    by 0x500F3C7: QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventdispatcher_glib.cpp:323)                                                                                                                               
==27162==    by 0x5353CA4: QGuiEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qguieventdispatcher_glib.cpp:202)                                                                                                                         
==27162==    by 0x4FE31A9: QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventloop.cpp:149)                  
==27162==    by 0x4FE3369: QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (qeventloop.cpp:196)                           
==27162==    by 0x4FE83E0: QCoreApplication::exec() (qcoreapplication.cpp:880)                                                    
==27162==  Address 0x15370004 is 10 bytes after a block of size 10 free'd                                                         
==27162==    at 0x402318A: operator delete[](void*) (vg_replace_malloc.c:364)                                                     
==27162==    by 0xAC5849F: DOM::DOMStringImpl::~DOMStringImpl() (dom_stringimpl.cpp:101)                                          
==27162==    by 0xAC4B727: khtml::Shared<DOM::DOMStringImpl>::deref() (shared.h:41)                                               
==27162==    by 0xAEAEEBE: DOM::DOMString::~DOMString() (dom_string.cpp:82)                                                       
==27162==    by 0xADB0211: cssyyparse(void*) (parser.cpp:2631)                                                                    
==27162==    by 0xAD8DED4: DOM::CSSParser::runParser() (cssparser.cpp:151)                                                        
==27162==    by 0xAD8E1A4: DOM::CSSParser::parseSheet(DOM::CSSStyleSheetImpl*, DOM::DOMString const&) (cssparser.cpp:203)         
==27162==    by 0xAD72C4B: DOM::CSSStyleSheetImpl::parseString(DOM::DOMString const&, bool) (css_stylesheetimpl.cpp:286)          
==27162==    by 0xADA02C3: khtml::CSSStyleSelector::loadDefaultStyle(KHTMLSettings const*, DOM::DocumentImpl*) (cssstyleselector.cpp:417)                                                                                                                           
==27162==    by 0xADA0B54: khtml::CSSStyleSelector::init(KHTMLSettings const*, DOM::DocumentImpl*) (cssstyleselector.cpp:338)     
==27162==    by 0xADA1848: khtml::CSSStyleSelector::CSSStyleSelector(DOM::DocumentImpl*, QString, DOM::StyleSheetListImpl*, KUrl const&, bool) (cssstyleselector.cpp:237)                                                                                           
==27162==    by 0xAC2C4E6: DOM::DocumentImpl::attach() (dom_docimpl.cpp:1516)                                                     
==27162==    by 0xABDA4BD: KHTMLPart::begin(KUrl const&, int, int) (khtml_part.cpp:2058)                                          
==27162==    by 0xABD8154: KHTMLPart::slotData(KIO::Job*, QByteArray const&) (khtml_part.cpp:1703)                                
==27162==    by 0xABE090F: KHTMLPart::qt_metacall(QMetaObject::Call, int, void**) (khtml_part.moc:271)                            
==27162==    by 0x4FFAC07: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3066)                                   
==27162==    by 0x4FFB241: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qobject.cpp:3143)                    
==27162==    by 0x43A5D88: KIO::TransferJob::data(KIO::Job*, QByteArray const&) (jobclasses.moc:364)                              
==27162==    by 0x43A688A: KIO::TransferJob::slotData(QByteArray const&) (job.cpp:903)                                            
==27162==    by 0x43B0DF1: KIO::TransferJob::qt_metacall(QMetaObject::Call, int, void**) (jobclasses.moc:344)                     
==27162==    by 0x4FFAC07: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3066)                                   
==27162==    by 0x4FFB241: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qobject.cpp:3143)                    
==27162==    by 0x44626A2: KIO::SlaveInterface::data(QByteArray const&) (slaveinterface.moc:140)                                  
==27162==    by 0x4464123: KIO::SlaveInterface::dispatch(int, QByteArray const&) (slaveinterface.cpp:163)                         
==27162==    by 0x4464C97: KIO::SlaveInterface::dispatch() (slaveinterface.cpp:91)                                                
==27162==    by 0x4457FE6: KIO::Slave::gotInput() (slave.cpp:322)                                                                 
==27162==    by 0x44593C2: KIO::Slave::qt_metacall(QMetaObject::Call, int, void**) (slave.moc:76)                                 
==27162==    by 0x4FFAC07: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3066)                                   
==27162==    by 0x4FFB241: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qobject.cpp:3143)                    
==27162==    by 0x4379C26: KIO::Connection::readyRead() (connection.moc:86)                                                       
==27162==    by 0x437AB45: KIO::ConnectionPrivate::dequeue() (connection.cpp:82)                                                  
==27162==    by 0x437B9A5: KIO::Connection::qt_metacall(QMetaObject::Call, int, void**) (connection.moc:73)                       
==27162==    by 0x4FF355A: QMetaCallEvent::placeMetaCall(QObject*) (qobject.cpp:489)                                              
==27162==    by 0x4FF57DF: QObject::event(QEvent*) (qobject.cpp:1115)                                                             
==27162==    by 0x52BA77B: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:4084)                          
==27162==    by 0x52C338E: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:3631)                                        
==27162==    by 0x492BD30: KApplication::notify(QObject*, QEvent*) (kapplication.cpp:302)                                         
==27162==    by 0x4FE476A: QCoreApplication::notifyInternal(QObject*, QEvent*) (qcoreapplication.cpp:598)                         
==27162==    by 0x4FE8112: QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qcoreapplication.h:213)        
==27162==    by 0x4FE831C: QCoreApplication::sendPostedEvents(QObject*, int) (qcoreapplication.cpp:1132)                          
==27162==    by 0x500F6DE: postEventSourceDispatch(_GSource*, int (*)(void*), void*) (qcoreapplication.h:218)                     
==27162==    by 0x60C4C09: g_main_context_dispatch (gmain.c:1814)                                                                 
==27162==    by 0x60C8273: g_main_context_iterate (gmain.c:2448)                                                                  
==27162==    by 0x60C83FE: g_main_context_iteration (gmain.c:2511)                                                                
==27162==    by 0x500F3C7: QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventdispatcher_glib.cpp:323)                                                                                                                               
==27162==    by 0x5353CA4: QGuiEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qguieventdispatcher_glib.cpp:202)                                                                                                                         
==27162==    by 0x4FE31A9: QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventloop.cpp:149)                  
==27162==    by 0x4FE3369: QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (qeventloop.cpp:196)                           
==27162==    by 0x4FE83E0: QCoreApplication::exec() (qcoreapplication.cpp:880)                                                    
==27162==    by 0x52BA4A6: QApplication::exec() (qapplication.cpp:3553)
Comment 13 Frank Reininghaus 2009-07-11 00:29:34 UTC 
@Maksim: The thing that causes the crash seems to be an invalid character in the color code in the "span.dealnnblue" section at the very end of the CSS file

http://www.appleinsider.com/interface/main.css
Comment 14 Maksim Orlovich 2009-07-11 02:46:19 UTC 
Invalid character? Thanks for the good eyes. I've figured out it was a problem with management of the post-end-of-file buffer in the yacc stuff, but couldn't trace down due to exactly what... Maybe I can reduce it now, which will help immensely with the logging.
Comment 15 Frank Reininghaus 2009-07-11 10:08:24 UTC 
Created attachment 35232 [details]
CSS part of reduced test case
Comment 16 Frank Reininghaus 2009-07-11 10:12:35 UTC 
Created attachment 35233 [details]
HTML part of test case

It does crash if I have both these files on my hard drive (but not if I try to put the CSS inside the HTML file). After replacing the link to my local CSS file by the file on the server which I've just uploaded, it doesn't crash anymore though. I hope it helps anyway.
Comment 17 Maksim Orlovich 2009-07-12 20:11:59 UTC 
SVN commit 995431 by orlovich:

Fix a bug in switching to post-EOF buffer when CSS has embedded nulls.
Fixes crashes on appleinsider.cpp (why do so many KDE users read THAT?)

Mucho credit to Frank Reininghaus for yet another phenomenal testcasing job,
which was an enormous help in sorting this out.

BUG: 195501


 M  +3 -1      cssparser.cpp  


WebSVN link: http://websvn.kde.org/?view=rev&revision=995431
Comment 18 Maksim Orlovich 2009-07-13 18:14:09 UTC 
SVN commit 995967 by orlovich:

Merged revision:r995431 | orlovich | 2009-07-12 14:11:57 -0400 (Sun, 12 Jul 2009) | 8 lines

Fix a bug in switching to post-EOF buffer when CSS has embedded nulls.
Fixes crashes on appleinsider.cpp (why do so many KDE users read THAT?)

Mucho credit to Frank Reininghaus for yet another phenomenal testcasing job,
which was an enormous help in sorting this out.

BUG: 195501

 M  +3 -1      cssparser.cpp  


WebSVN link: http://websvn.kde.org/?view=rev&revision=995967
Comment 19 Frank Reininghaus 2009-07-19 17:01:53 UTC 
*** Bug 200772 has been marked as a duplicate of this bug. ***