Bug 203477

Summary: (steps) Konqueror crashes : segmentation fault when clicking on a web site link (khtml::RenderObject::scheduleRelayout, khtml::RenderObject::markContainingBlocksForLayout)
Product: [Applications] konqueror Reporter: bou.gui
Component: khtml rendererAssignee: Konqueror Bugs <konqueror-bugs-null>
Status: RESOLVED WORKSFORME    
Severity: crash CC: aiacovitti, andresbajotierra, cpeople, m1k0, sreejiththulaseedharan, tom2357
Priority: NOR    
Version First Reported In: unspecified   
Target Milestone: ---   
Platform: Unlisted Binaries   
OS: Linux   
Latest Commit: Version Fixed/Implemented In:
Sentry Crash Report:

Description bou.gui 2009-08-11 22:33:59 UTC 
Application that crashed: konqueror
Version of the application: 4.3.00 (KDE 4.3.0)
KDE Version: 4.3.00 (KDE 4.3.0)
Qt Version: 4.5.2
Operating System: Linux 2.6.30-1-686 i686

What I was doing when the application crashed:
On this web site : http://www.playbac.fr/boutique.52.les-numeros-speciaux-du-petit-quotidien.php, choose some book, click on "add to cart", then click on "Purchase again" : konqueror crashes at every try.

 -- Backtrace:
Application: Konqueror (kdeinit4), signal: Segmentation fault
[KCrash Handler]
#6  0xb2b4ac8f in khtml::RenderObject::scheduleRelayout (this=0xa4677a0, clippedObj=0x0) at ../../khtml/rendering/render_object.cpp:2699
#7  0xb2b4ad4b in khtml::RenderObject::markContainingBlocksForLayout (this=0xa46788c) at ../../khtml/rendering/render_object.cpp:755
#8  0xb2b569eb in khtml::RenderObject::setNeedsLayoutAndMinMaxRecalc (this=0xa4677f4, oldChild=0x0) at ../../khtml/rendering/render_object.h:375
#9  khtml::RenderContainer::removeChildNode (this=0xa4677f4, oldChild=0x0) at ../../khtml/rendering/render_container.cpp:153
#10 0xb2b59e34 in khtml::RenderBox::removeChild (this=0xa4677f4, oldChild=0xa46788c) at ../../khtml/rendering/render_box.cpp:254
#11 0xb2b3ab98 in khtml::RenderBlock::removeChild (this=0xa4677f4, oldChild=0xa46788c) at ../../khtml/rendering/render_block.cpp:640
#12 0xb2b4d5c5 in khtml::RenderObject::remove (this=0xa46788c) at ../../khtml/rendering/render_object.h:847
#13 khtml::RenderObject::detach (this=0xa46788c) at ../../khtml/rendering/render_object.cpp:2365
#14 0xb2b59e8b in khtml::RenderBox::detach (this=0xa46788c) at ../../khtml/rendering/render_box.cpp:224
#15 0xb2a9308c in DOM::NodeImpl::detach (this=0xa0e4cc8) at ../../khtml/xml/dom_nodeimpl.cpp:975
#16 0xb2aa0a0b in DOM::ElementImpl::detach (this=0xa0e4cc8) at ../../khtml/xml/dom_elementimpl.cpp:884
#17 0xb2a93868 in DOM::NodeBaseImpl::detach (this=0xb0b19f0) at ../../khtml/xml/dom_nodeimpl.cpp:1836
#18 0xb2aa0a0b in DOM::ElementImpl::detach (this=0xb0b19f0) at ../../khtml/xml/dom_elementimpl.cpp:884
#19 0xb2a93868 in DOM::NodeBaseImpl::detach (this=0xb48a328) at ../../khtml/xml/dom_nodeimpl.cpp:1836
#20 0xb2aa0a0b in DOM::ElementImpl::detach (this=0xb48a328) at ../../khtml/xml/dom_elementimpl.cpp:884
#21 0xb2a93868 in DOM::NodeBaseImpl::detach (this=0xaf81900) at ../../khtml/xml/dom_nodeimpl.cpp:1836
#22 0xb2aa0a0b in DOM::ElementImpl::detach (this=0xaf81900) at ../../khtml/xml/dom_elementimpl.cpp:884
#23 0xb2a93868 in DOM::NodeBaseImpl::detach (this=0xb1a50c8) at ../../khtml/xml/dom_nodeimpl.cpp:1836
#24 0xb2aa0a0b in DOM::ElementImpl::detach (this=0xb1a50c8) at ../../khtml/xml/dom_elementimpl.cpp:884
#25 0xb2a93868 in DOM::NodeBaseImpl::detach (this=0xb168520) at ../../khtml/xml/dom_nodeimpl.cpp:1836
#26 0xb2aa0a0b in DOM::ElementImpl::detach (this=0xb168520) at ../../khtml/xml/dom_elementimpl.cpp:884
#27 0xb2a93868 in DOM::NodeBaseImpl::detach (this=0xb165da0) at ../../khtml/xml/dom_nodeimpl.cpp:1836
#28 0xb2aa0a0b in DOM::ElementImpl::detach (this=0xb165da0) at ../../khtml/xml/dom_elementimpl.cpp:884
#29 0xb2a936e3 in DOM::NodeBaseImpl::removeChildren (this=0xb4a19c0) at ../../khtml/xml/dom_nodeimpl.cpp:1659
#30 0xb2aef8d3 in DOM::HTMLElementImpl::setInnerHTML (this=0xb4a19c0, html=..., exceptioncode=@0xbfd81be8) at ../../khtml/html/html_elementimpl.cpp:526
#31 0xb2c5d0a7 in KJS::HTMLElement::putValueProperty (this=0xb0db0f60, exec=0xbfd82330, token=348, value=0xb0dcc680) at ../../khtml/ecma/kjs_html.cpp:2596
#32 0xb2c5ea9f in lookupPut<KJS::HTMLElement> (this=0xb0db0f60, exec=0xbfd82330, propertyName=..., value=0xb0dcc680, attr=0) at ../../kjs/lookup.h:249
#33 lookupPut<KJS::HTMLElement, KJS::DOMElement> (this=0xb0db0f60, exec=0xbfd82330, propertyName=..., value=0xb0dcc680, attr=0) at ../../kjs/lookup.h:265
#34 KJS::HTMLElement::put (this=0xb0db0f60, exec=0xbfd82330, propertyName=..., value=0xb0dcc680, attr=0) at ../../khtml/ecma/kjs_html.cpp:2368
#35 0xb28abcf4 in KJS::Machine::runBlock (exec=0xbfd82330, codeBlock=..., parentExec=0xbfd82b60) at codes.def:660
#36 0xb2892db2 in KJS::FunctionImp::callAsFunction (this=0xad4d1de0, exec=0xbfd82b60, thisObj=0xb1370000, args=...) at ../../kjs/function.cpp:144
#37 0xb2896add in KJS::JSObject::call (this=0x1, exec=0xbfd82b60, thisObj=0xb1370000, args=...) at ../../kjs/object.cpp:69
#38 0xb2876d0c in KJS::FunctionProtoFunc::callAsFunction (this=0xb0dd62a0, exec=0xbfd82b60, thisObj=0xad4d1de0, args=...) at ../../kjs/function_object.cpp:123
#39 0xb2896add in KJS::JSObject::call (this=0x1, exec=0xbfd82b60, thisObj=0xad4d1de0, args=...) at ../../kjs/object.cpp:69
#40 0xb28b3f85 in KJS::Machine::runBlock (exec=0xbfd82b60, codeBlock=..., parentExec=0xbfd83300) at codes.def:1192
#41 0xb2892db2 in KJS::FunctionImp::callAsFunction (this=0xb0dd85c0, exec=0xbfd83300, thisObj=0xb0db0f60, args=...) at ../../kjs/function.cpp:144
#42 0xb2896add in KJS::JSObject::call (this=0x1, exec=0xbfd83300, thisObj=0xb0db0f60, args=...) at ../../kjs/object.cpp:69
#43 0xb28b3f85 in KJS::Machine::runBlock (exec=0xbfd83300, codeBlock=..., parentExec=0xbfd83b30) at codes.def:1192
#44 0xb2892db2 in KJS::FunctionImp::callAsFunction (this=0xb0dd0260, exec=0xbfd83b30, thisObj=0xb1363640, args=...) at ../../kjs/function.cpp:144
#45 0xb2896add in KJS::JSObject::call (this=0x1, exec=0xbfd83b30, thisObj=0xb1363640, args=...) at ../../kjs/object.cpp:69
#46 0xb2876d0c in KJS::FunctionProtoFunc::callAsFunction (this=0xb0dd62a0, exec=0xbfd83b30, thisObj=0xb0dd0260, args=...) at ../../kjs/function_object.cpp:123
#47 0xb2896add in KJS::JSObject::call (this=0x1, exec=0xbfd83b30, thisObj=0xb0dd0260, args=...) at ../../kjs/object.cpp:69
#48 0xb28b3f85 in KJS::Machine::runBlock (exec=0xbfd83b30, codeBlock=..., parentExec=0xbfd842d0) at codes.def:1192
#49 0xb2892db2 in KJS::FunctionImp::callAsFunction (this=0xb0dd01a0, exec=0xbfd842d0, thisObj=0xb0dcf3c0, args=...) at ../../kjs/function.cpp:144
#50 0xb2896add in KJS::JSObject::call (this=0x1, exec=0xbfd842d0, thisObj=0xb0dcf3c0, args=...) at ../../kjs/object.cpp:69
#51 0xb28b3f85 in KJS::Machine::runBlock (exec=0xbfd842d0, codeBlock=..., parentExec=0xbfd84a70) at codes.def:1192
#52 0xb2892db2 in KJS::FunctionImp::callAsFunction (this=0xad4da500, exec=0xbfd84a70, thisObj=0xb0dcf8a0, args=...) at ../../kjs/function.cpp:144
#53 0xb2896add in KJS::JSObject::call (this=0x1, exec=0xbfd84a70, thisObj=0xb0dcf8a0, args=...) at ../../kjs/object.cpp:69
#54 0xb28b3f85 in KJS::Machine::runBlock (exec=0xbfd84a70, codeBlock=..., parentExec=0xbfd85210) at codes.def:1192
#55 0xb2892db2 in KJS::FunctionImp::callAsFunction (this=0xad4da580, exec=0xbfd85210, thisObj=0xb0dcf8a0, args=...) at ../../kjs/function.cpp:144
#56 0xb2896add in KJS::JSObject::call (this=0x1, exec=0xbfd85210, thisObj=0xb0dcf8a0, args=...) at ../../kjs/object.cpp:69
#57 0xb28b3f85 in KJS::Machine::runBlock (exec=0xbfd85210, codeBlock=..., parentExec=0xbfd85a40) at codes.def:1192
#58 0xb2892db2 in KJS::FunctionImp::callAsFunction (this=0xad4db060, exec=0xbfd85a40, thisObj=0xb136d240, args=...) at ../../kjs/function.cpp:144
#59 0xb2896add in KJS::JSObject::call (this=0x1, exec=0xbfd85a40, thisObj=0xb136d240, args=...) at ../../kjs/object.cpp:69
#60 0xb2876d0c in KJS::FunctionProtoFunc::callAsFunction (this=0xb0dd62a0, exec=0xbfd85a40, thisObj=0xad4db060, args=...) at ../../kjs/function_object.cpp:123
#61 0xb2896add in KJS::JSObject::call (this=0x1, exec=0xbfd85a40, thisObj=0xad4db060, args=...) at ../../kjs/object.cpp:69
#62 0xb28b3f85 in KJS::Machine::runBlock (exec=0xbfd85a40, codeBlock=..., parentExec=0x9c78dd0) at codes.def:1192
#63 0xb2892db2 in KJS::FunctionImp::callAsFunction (this=0xb0dd06a0, exec=0x9c78dd0, thisObj=0xb1370000, args=...) at ../../kjs/function.cpp:144
#64 0xb2896add in KJS::JSObject::call (this=0x1, exec=0x9c78dd0, thisObj=0xb1370000, args=...) at ../../kjs/object.cpp:69
#65 0xb2c7cc1c in KJS::ScheduledAction::execute (this=0xaee8218, window=0xb1370000) at ../../khtml/ecma/kjs_window.cpp:2180
#66 0xb2c7e741 in KJS::WindowQObject::timerEvent (this=0xa03e298) at ../../khtml/ecma/kjs_window.cpp:2356
#67 0xb7ed1b6f in QObject::event (this=0xa03e298, e=0xbfd8602c) at kernel/qobject.cpp:1074
#68 0xb6b6d7d4 in QApplicationPrivate::notify_helper (this=0x99d54c8, receiver=0xa03e298, e=0xbfd8602c) at kernel/qapplication.cpp:4056
#69 0xb6b7593e in QApplication::notify (this=0xbfd86468, receiver=0xa03e298, e=0xbfd8602c) at kernel/qapplication.cpp:3603
#70 0xb75b600d in KApplication::notify (this=0xbfd86468, receiver=0xa03e298, event=0xbfd8602c) at ../../kdeui/kernel/kapplication.cpp:302
#71 0xb7ec196b in QCoreApplication::notifyInternal (this=0xbfd86468, receiver=0xa03e298, event=0xbfd8602c) at kernel/qcoreapplication.cpp:610
#72 0xb7ef0301 in QCoreApplication::sendEvent (this=0x99d8534) at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:213
#73 QTimerInfoList::activateTimers (this=0x99d8534) at kernel/qeventdispatcher_unix.cpp:572
#74 0xb7eec8a0 in timerSourceDispatch (source=0x99d8500) at kernel/qeventdispatcher_glib.cpp:165
#75 0xb673c368 in g_main_dispatch (context=0x99d7690) at /build/buildd-glib2.0_2.20.4-1-i386-6KfM1O/glib2.0-2.20.4/glib/gmain.c:1824
#76 IA__g_main_context_dispatch (context=0x99d7690) at /build/buildd-glib2.0_2.20.4-1-i386-6KfM1O/glib2.0-2.20.4/glib/gmain.c:2377
#77 0xb673f8c3 in g_main_context_iterate (context=0x99d7690, block=1, dispatch=1, self=0x99555f0) at /build/buildd-glib2.0_2.20.4-1-i386-6KfM1O/glib2.0-2.20.4/glib/gmain.c:2455
#78 0xb673fa48 in IA__g_main_context_iteration (context=0x99d7690, may_block=1) at /build/buildd-glib2.0_2.20.4-1-i386-6KfM1O/glib2.0-2.20.4/glib/gmain.c:2518
#79 0xb7eec7f8 in QEventDispatcherGlib::processEvents (this=0x9955500, flags=...) at kernel/qeventdispatcher_glib.cpp:327
#80 0xb6c0cf85 in QGuiEventDispatcherGlib::processEvents (this=0x9955500, flags=...) at kernel/qguieventdispatcher_glib.cpp:202
#81 0xb7ebffba in QEventLoop::processEvents (this=0xbfd86250, flags=...) at kernel/qeventloop.cpp:149
#82 0xb7ec0402 in QEventLoop::exec (this=0xbfd86250, flags=...) at kernel/qeventloop.cpp:201
#83 0xb7ec2859 in QCoreApplication::exec () at kernel/qcoreapplication.cpp:888
#84 0xb6b6d657 in QApplication::exec () at kernel/qapplication.cpp:3525
#85 0xb4aecc1f in kdemain () from /usr/lib/libkdeinit4_konqueror.so
#86 0x0804e291 in launch (argc=2, _name=0x998a884 "/usr/bin/konqueror", args=0x998a89f "", cwd=0x0, envc=0, envs=0x998a8a4 "", reset_env=false, tty=0x0, avoid_loops=false, 
    startup_id_str=0x998a8a8 "debian;1250021413;901890;3938_TIME13857096") at ../../kinit/kinit.cpp:676
#87 0x0804ea15 in handle_launcher_request (sock=7, who=<value optimized out>) at ../../kinit/kinit.cpp:1168
#88 0x0804ef3f in handle_requests (waitForPid=0) at ../../kinit/kinit.cpp:1361
#89 0x0804f6c9 in main (argc=2, argv=0xbfd86eb4, envp=0xbfd86ec0) at ../../kinit/kinit.cpp:1788

Reported using DrKonqi
Comment 1 Dario Andres 2009-08-12 18:59:59 UTC 
I could reproduce this bug (guessing a bit of french) here using:

Qt: 4.5.2 (KDE-Qt git commit 5b7a2eb42acfdea07c6075556cb43e2c95852145
        Date:   Tue Jul 28 14:10:47 2009 -0300)
KDE: 4.3.63 (KDE 4.3.63 (KDE 4.4 >= 20090805))
kdelibs svn rev. 1009010 / kdebase svn rev. 1009010
on ArchLinux i686 - Kernel 2.6.30.4

Steps to reproduce:

- Open Konqueror and show the site: http://www.playbac.fr/boutique.52.les-numeros-speciaux-du-petit-quotidien.php
- Click on the combobox of the first book and select "1"
The message "Vous pouvez Ajouter au panier" should appear above the books covers
- Click the link "Ajouter au panier"
Another screen should appear
- Select the second option: "Continuer mes achats"

Konqueror crashes

-Valgrind output:

==2968==                                                                                                              
==2968== Invalid read of size 1                                                                                       
==2968==    at 0xA2A556D: khtml::RenderObject::container() const (render_style.h:1095)                                
==2968==    by 0xA2A63E1: khtml::RenderObject::markContainingBlocksForLayout() (render_object.cpp:752)                
==2968==    by 0xA2B257A: khtml::RenderContainer::removeChildNode(khtml::RenderObject*) (render_object.h:375)         
==2968==    by 0xA2B5863: khtml::RenderBox::removeChild(khtml::RenderObject*) (render_box.cpp:254)                    
==2968==    by 0xA298526: khtml::RenderBlock::removeChild(khtml::RenderObject*) (render_block.cpp:640)                
==2968==    by 0xA2A8D24: khtml::RenderObject::detach() (render_object.h:847)                                         
==2968==    by 0xA2B58BA: khtml::RenderBox::detach() (render_box.cpp:224)                                             
==2968==    by 0xA1EDDDB: DOM::NodeImpl::detach() (dom_nodeimpl.cpp:975)                                              
==2968==    by 0xA1FBC6A: DOM::ElementImpl::detach() (dom_elementimpl.cpp:884)                                        
==2968==    by 0xA1EE537: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1836)                                         
==2968==    by 0xA1FBC6A: DOM::ElementImpl::detach() (dom_elementimpl.cpp:884)                                        
==2968==    by 0xA1EE537: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1836)                                         
==2968==  Address 0x9b3663f is 15 bytes inside a block of size 64 free'd                                              
==2968==    at 0x4023A5A: operator delete(void*) (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)               
==2968==    by 0xA2A89CD: khtml::RenderObject::~RenderObject() (shared.h:41)                                          
==2968==    by 0xA2B5987: khtml::RenderBox::~RenderBox() (render_container.h:39)                                      
==2968==    by 0xA2D8859: khtml::RenderTableRow::~RenderTableRow() (render_table.h:302)                               
==2968==    by 0xA2A71B8: khtml::RenderObject::arenaDelete(khtml::RenderArena*, void*) (render_object.cpp:2381)       
==2968==    by 0xA2A8D49: khtml::RenderObject::detach() (render_object.cpp:2372)                                      
==2968==    by 0xA2CEDB1: khtml::RenderTableRow::detach() (render_table.cpp:2225)                                     
==2968==    by 0xA2B36D1: khtml::RenderBox::detachRemainingChildren() (render_box.cpp:242)                            
==2968==    by 0xA2B58B2: khtml::RenderBox::detach() (render_box.cpp:223)                                             
==2968==    by 0xA2CD24A: khtml::RenderTableSection::detach() (render_table.cpp:1053)                                 
==2968==    by 0xA2B36D1: khtml::RenderBox::detachRemainingChildren() (render_box.cpp:242)                            
==2968==    by 0xA2BD924: khtml::RenderFlow::detach() (render_flow.cpp:327)                                           
==2968==                                                                                                              
==2968== Invalid read of size 4                                                                                       
==2968==    at 0xA2A636F: khtml::RenderObject::scheduleRelayout(khtml::RenderObject*) (render_object.cpp:2699)        
==2968==    by 0xA2A642A: khtml::RenderObject::markContainingBlocksForLayout() (render_object.cpp:755)                
==2968==    by 0xA2B257A: khtml::RenderContainer::removeChildNode(khtml::RenderObject*) (render_object.h:375)         
==2968==    by 0xA2B5863: khtml::RenderBox::removeChild(khtml::RenderObject*) (render_box.cpp:254)                    
==2968==    by 0xA298526: khtml::RenderBlock::removeChild(khtml::RenderObject*) (render_block.cpp:640)                
==2968==    by 0xA2A8D24: khtml::RenderObject::detach() (render_object.h:847)                                         
==2968==    by 0xA2B58BA: khtml::RenderBox::detach() (render_box.cpp:224)                                             
==2968==    by 0xA1EDDDB: DOM::NodeImpl::detach() (dom_nodeimpl.cpp:975)                                              
==2968==    by 0xA1FBC6A: DOM::ElementImpl::detach() (dom_elementimpl.cpp:884)                                        
==2968==    by 0xA1EE537: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1836)                                         
==2968==    by 0xA1FBC6A: DOM::ElementImpl::detach() (dom_elementimpl.cpp:884)                                        
==2968==    by 0xA1EE537: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1836)
==2968==  Address 0x9c is not stack'd, malloc'd or (recently) free'd
QLocalSocket::waitForDisconnected() is not allowed in UnconnectedState
KCrash: Application 'konqueror' crashing...
sock_file=/home/kde-devel/.kde4/socket-emiDell/kdeinit4__0

[1]+  Detenido                valgrind konqueror http://www.playbac.fr/boutique.52.les-numeros-speciaux-du-petit-quotidien.php
bash-4.0$ ==2968==
==2968== ERROR SUMMARY: 99983 errors from 10 contexts (suppressed: 257 from 3)
==2968== malloc/free: in use at exit: 15,995,227 bytes in 200,158 blocks.
==2968== malloc/free: 1,205,380 allocs, 1,005,222 frees, 166,817,545 bytes allocated.
==2968== For counts of detected errors, rerun with: -v
==2968== Use --track-origins=yes to see where uninitialised values come from
==2968== searching for pointers to 200,158 not-freed blocks.
==2968== checked 56,985,392 bytes.
==2968==
==2968== LEAK SUMMARY:
==2968==    definitely lost: 75,200 bytes in 3,136 blocks.
==2968==      possibly lost: 147,802 bytes in 4,364 blocks.
==2968==    still reachable: 15,772,225 bytes in 192,658 blocks.
==2968==         suppressed: 0 bytes in 0 blocks.
Comment 2 Jonathan Thomas 2009-11-10 02:04:37 UTC 
*** Bug 213516 has been marked as a duplicate of this bug. ***
Comment 3 Nicolas L. 2010-09-08 23:31:47 UTC 
*** Bug 249698 has been marked as a duplicate of this bug. ***
Comment 4 Jekyll Wu 2012-03-12 12:45:47 UTC 
*** Bug 295829 has been marked as a duplicate of this bug. ***
Comment 5 Andrea Iacovitti 2014-05-19 20:25:45 UTC 
I can not reproduce using 4.13.1, closing...