Bug 207217

Summary: [testcase] Konqueror crashes running a javascript snippet (QList<khtml::CachedScript*>::isEmpty, khtml::HTMLTokenizer::notifyFinished, khtml::CachedScript::checkNotify)
Product: [Applications] konqueror
Reporter: Pedro Celestino Reis Rodrigues <reis>
Component: kjs
Assignee: Konqueror Developers <konq-bugs>
Status: RESOLVED WORKSFORME
Severity: crash
CC: andresbajotierra, finex, rasasi78
Priority: NOR
Version: unspecified
Target Milestone: ---
Platform: Unlisted Binaries
OS: Linux
Latest Commit:
Version Fixed In:
Sentry Crash Report:
Bug Depends on: 189426
Bug Blocks:
Attachments:
  - Merged html+javascript file that triggers the crash
  - Valgrind output

Description Pedro Celestino Reis Rodrigues 2009-09-13 01:02:50 UTC
Application that crashed: konqueror
Version of the application: 4.3.1 (KDE 4.3.1)
KDE Version: 4.3.1 (KDE 4.3.1)
Qt Version: 4.5.2
Operating System: Linux 2.6.30-1-686 i686
Distribution: Debian GNU/Linux unstable (sid)

What I was doing when the application crashed:
This is not the (very extensive) original document. It is instead the smallest document I was able to produce that triggers the crash.

The main document follows:

<html><head>
</head>
<body>
<script type="text/javascript" src="bum" charset="iso-8859-1"></script>
</body>
</html>

The script bum follows:

//<script>
document.write("<style type=\"text/css\">#Vt_Ma_s17018_c0 img{height:auto;width:auto;border:none;margin:0px;}#Vt_Ma_s17018_c0{width:170px;border-style:solid; border-width:1px; border-color:#000000;background-color:#FFFFFF; background-image:URL('');}#Vt_Ma_Contenido_s17018_c0 table td input{border:none;}#vt_ma_cargando_img_s17018_c0{width:78px;height:41px;border:none;z-index:2;left:47px;margin:0px;padding:0px;}#vt_ma_cargando_layer_s17018_c0{border:0;background:#dddddd;z-index:1;position:absolute;width:170px;padding:0px;margin:0px;filter:alpha(opacity=80);opacity:0.8;-moz-opacity:0.8;-khtml-opacity:0.8;text-align:right}#Vt_Ma_Powered_s17018_c0{width:170px;}#Vt_Ma_Contenido_s17018_c0 table td{font-style:normal; font-weight:normal; font-size:11px; font-family:verdana; color:#000000;text-align:left}#Vt_Ma_Cb_Cl_s17018_c0{color:#000000;font-family:verdana;padding:2px 10px 0px 10px;}#Vt_Ma_Contenido_s17018_c0 table  #boton_votacion input{background:#ECEFE0;border:outset 1px #DFDFDF; font-size:11px; font-style:bolder; font-weight:bolder; font-family:Verdana; color:#101010 }#Vt_Ma_Contenido_s17018_c0 table td a{font-style:normal; font-weight:normal; font-size:11px; font-family:verdana; color:#000000}#Vt_Ma_Contenido_s17018_c0 table td a:hover{font-style:normal; font-weight:normal; font-size:11px; font-family:verdana; color:#000000}#Vt_Ma_Contenido_s17018_c0 table td a:link{font-style:normal; font-weight:normal; font-size:11px; font-family:verdana; color:#000000}#Vt_Ma_Contenido_s17018_c0 table td a:visited{font-style:normal; font-weight:normal; font-size:11px; font-family:verdana; color:#000000}#Vt_Ma_Contenido_s17018_c0 table td a:hover{text-decoration:underline}#Vt_Ma_Contenido_s17018_c0 table td .celderesvoid{background-color:transparent;font-size:8px;padding:0px;width:100%;}#Vt_Ma_Contenido_s17018_c0 table td .celderes1{background-color:#3F3F3F;font-size:8px;padding:0px;}#Vt_Ma_Contenido_s17018_c0 table td .tabladeres1{border:1px solid 
#3F3F3F;cursor:help;width:100%;}#Vt_Ma_Contenido_s17018_c0 table td .celderes2{background-color:#3F3F3F;font-size:8px;padding:0px;}#Vt_Ma_Contenido_s17018_c0 table td .tabladeres2{border:1px solid #3F3F3F;cursor:help;width:100%;}#Vt_Ma_Contenido_s17018_c0 table td .celderes3{background-color:#3F3F3F;font-size:8px;padding:0px;}#Vt_Ma_Contenido_s17018_c0 table td .tabladeres3{border:1px solid #3F3F3F;cursor:help;width:100%;}#Vt_Ma_Contenido_s17018_c0 table td .celderes4{background-color:#3F3F3F;font-size:8px;padding:0px;}#Vt_Ma_Contenido_s17018_c0 table td .tabladeres4{border:1px solid #3F3F3F;cursor:help;width:100%;}#Vt_Ma_Contenido_s17018_c0 table td .celderes5{background-color:#3F3F3F;font-size:8px;padding:0px;}#Vt_Ma_Contenido_s17018_c0 table td .tabladeres5{border:1px solid #3F3F3F;cursor:help;width:100%;}#Vt_Ma_Contenido_s17018_c0 table td .celderes6{background-color:#3F3F3F;font-size:8px;padding:0px;}#Vt_Ma_Contenido_s17018_c0 table td .tabladeres6{border:1px solid #3F3F3F;cursor:help;width:100%;}#Vt_Ma_Contenido_s17018_c0 table td .celderes7{background-color:#3F3F3F;font-size:8px;padding:0px;}#Vt_Ma_Contenido_s17018_c0 table td .tabladeres7{border:1px solid #3F3F3F;cursor:help;width:100%;}#Vt_Ma_Contenido_s17018_c0 table td .celderes8{background-color:#3F3F3F;font-size:8px;padding:0px;}#Vt_Ma_Contenido_s17018_c0 table td .tabladeres8{border:1px solid #3F3F3F;cursor:help;width:100%;}#Vt_Ma_Contenido_s17018_c0 table td .celderes9{background-color:#3F3F3F;font-size:8px;padding:0px;}#Vt_Ma_Contenido_s17018_c0 table td .tabladeres9{border:1px solid #3F3F3F;cursor:help;width:100%;}#Vt_Ma_Contenido_s17018_c0 table td .celderes10{background-color:#3F3F3F;font-size:8px;padding:0px;}#Vt_Ma_Contenido_s17018_c0 table td .tabladeres10{border:1px solid #3F3F3F;cursor:help;width:100%;}#Vt_Ma_Contenido_s17018_c0 table td .celderes11{background-color:#3F3F3F;font-size:8px;padding:0px;}#Vt_Ma_Contenido_s17018_c0 table td .tabladeres11{border:1px solid 
#3F3F3F;cursor:help;width:100%;}#Vt_Ma_Contenido_s17018_c0 table td .celderes12{background-color:#3F3F3F;font-size:8px;padding:0px;}#Vt_Ma_Contenido_s17018_c0 table td .tabladeres12{border:1px solid #3F3F3F;cursor:help;width:100%;}#Vt_Ma_Contenido_s17018_c0 table td .celderes13{background-color:#3F3F3F;font-size:8px;padding:0px;}#Vt_Ma_Contenido_s17018_c0 table td .tabladeres13{border:1px solid #3F3F3F;cursor:help;width:100%;}#Vt_Ma_Contenido_s17018_c0 table td .celderes14{background-color:#3F3F3F;font-size:8px;padding:0px;}#Vt_Ma_Contenido_s17018_c0 table td .tabladeres14{border:1px solid #3F3F3F;cursor:help;width:100%;}#Vt_Ma_Contenido_s17018_c0 table td .celderes15{background-color:#3F3F3F;font-size:8px;padding:0px;}#Vt_Ma_Contenido_s17018_c0 table td .tabladeres15{border:1px solid #3F3F3F;cursor:help;width:100%;}#Vt_Ma_Contenido_s17018_c0 table td .celderes16{background-color:#3F3F3F;font-size:8px;padding:0px;}#Vt_Ma_Contenido_s17018_c0 table td .tabladeres16{border:1px solid #3F3F3F;cursor:help;width:100%;}#Vt_Ma_Contenido_s17018_c0 table td .celderes17{background-color:#3F3F3F;font-size:8px;padding:0px;}#Vt_Ma_Contenido_s17018_c0 table td .tabladeres17{border:1px solid #3F3F3F;cursor:help;width:100%;}#Vt_Ma_Contenido_s17018_c0 table td .celderes18{background-color:#3F3F3F;font-size:8px;padding:0px;}#Vt_Ma_Contenido_s17018_c0 table td .tabladeres18{border:1px solid #3F3F3F;cursor:help;width:100%;}#Vt_Ma_Contenido_s17018_c0 table td .celderes19{background-color:#3F3F3F;font-size:8px;padding:0px;}#Vt_Ma_Contenido_s17018_c0 table td .tabladeres19{border:1px solid #3F3F3F;cursor:help;width:100%;}#Vt_Ma_Contenido_s17018_c0 table td .celderes20{background-color:#3F3F3F;font-size:8px;padding:0px;}#Vt_Ma_Contenido_s17018_c0 table td .tabladeres20{border:1px solid #3F3F3F;cursor:help;width:100%;}#Vt_Ca_Ma_Cont_s17018_c0 {width:100%;}</style><table border=0 cellpadding=0 cellspacing=0 style=\"border:0;padding:0;\"><tr><td><div id=\"vt_ma_cargando_layer_s17018_c0\"><a 
href=\"javascript:vt_ma_cargadatos_s17018_c0('http://votaciones.miarroba.com/carga.php?id=17018&amp;idc=0&amp;votid=28&amp;act=votacion')\">[X]</a>&nbsp;<center><img src=\"http://miarroba.st/votaciones/cargando.gif\"  id=\"vt_ma_cargando_img_s17018_c0\" style=\"positon:relative\"></center></div><table border=0 cellpadding=0 cellspacing=0 Id=\"Vt_Ma_s17018_c0\"  style=\"z-index:0px;position:relative;\"><tr><td style=\"font-size:1px;padding:0px;display:none\"><a name=\"vt_ma_anchor_s17018_c0\" style=\"margin:0px;padding:0px;\">&nbsp</a></td></tr><tr><td Id=\"Vt_Ma_Cb_Cl_s17018_c0\" valign=top><form name=\"Vt_Ma_Form_s17018_c0\" method=\"get\" style=\"margin:0px;padding:0px;\"><table border=0 width=100% align=center cellpadding=0 cellspacing=0 Id=\"Vt_Ca_Ma_s17018_c0\"><tr><td Id=\"Vt_Ma_Contenido_s17018_c0\" style=\"padding:2px;width=100%\"></td></tr></table></form></td></tr><tr  style=\"display:none\"><td colspan=2><iframe name=\"Vt_Ma_Escondido_s17018_c0\" id=\"Vt_Ma_Escondido_s17018_c0\" frameborder=0 scrolling=0 scroll=0 width=0 height=0></iframe></td></tr></table><table border=0 cellpadding=0 cellspacing=0 id=\"Vt_Ma_Powered_s17018_c0\" ><tr><td style=\"text-align:center;font-size:9px\"><a href=\"http://miarroba.com\" target=\"_BLANK\">powered by miarroba.com.</a></td></tr></table></td></tr></table>");

function vt_ma_cambiadatos_s17018_c0(vt_ma_accion)
{
	document.getElementById('Vt_Ma_Escondido_s17018_c0').src="about:blank";
}
		
function vt_ma_cargadatos_s17018_c0(vt_ma_donde)
{
	document.getElementById('vt_ma_cargando_img_s17018_c0').src=document.getElementById('vt_ma_cargando_img_s17018_c0').src;
	window['Vt_Ma_Escondido_s17018_c0'].document.write("<sc"+"ript type=\"text/javascript\" src='"+vt_ma_donde+"' charset=\"iso-8859-1\"></scrip"+"t>");
}

setTimeout("vt_ma_cargadatos_s17018_c0('http://votaciones.miarroba.com/carga.php?id=17018&amp;idc=0&amp;votid=28&amp;act=votacion');",100);

 -- Backtrace:
Application: Konqueror (konqueror), signal: Segmentation fault
[KCrash Handler]
#6  0xb3cb6c8d in QListData::isEmpty (this=0x8add3a8) at /usr/include/qt4/QtCore/qlist.h:88
#7  QList<khtml::CachedScript*>::isEmpty (this=0x8add3a8) at /usr/include/qt4/QtCore/qlist.h:123
#8  khtml::HTMLTokenizer::notifyFinished (this=0x8add3a8) at ../../khtml/html/htmltokenizer.cpp:2124
#9  0xb3de5a0d in khtml::CachedScript::checkNotify (this=0x8ac5360) at ../../khtml/misc/loader.cpp:390
#10 0xb3de928c in khtml::CachedScript::data (this=0x8ac5360, buffer=..., eof=true) at ../../khtml/misc/loader.cpp:382
#11 0xb3de8ee2 in khtml::Loader::slotFinished (this=0x89bdd00, job=0x8b55d18) at ../../khtml/misc/loader.cpp:1461
#12 0xb3def0c7 in khtml::Loader::qt_metacall (this=0x89bdd00, _c=QMetaObject::InvokeMetaMethod, _id=3, _a=0xbfcfb32c) at ./loader.moc:131
#13 0xb7141b33 in QMetaObject::activate (sender=0x8b55d18, from_signal_index=7, to_signal_index=7, argv=0xbfcfb32c) at kernel/qobject.cpp:3112
#14 0xb7142782 in QMetaObject::activate (sender=0x8b55d18, m=0xb74c8b48, local_signal_index=3, argv=0xbfcfb32c) at kernel/qobject.cpp:3186
#15 0xb736c3d3 in KJob::result (this=0x8b55d18, _t1=0x8b55d18) at ./kjob.moc:188
#16 0xb736c879 in KJob::emitResult (this=0x8b55d18) at ../../kdecore/jobs/kjob.cpp:304
#17 0xb79697b5 in KIO::SimpleJob::slotFinished (this=0x8b55d18) at ../../kio/kio/job.cpp:477
#18 0xb796a113 in KIO::TransferJob::slotFinished (this=0x8b55d18) at ../../kio/kio/job.cpp:948
#19 0xb79666a3 in KIO::TransferJob::qt_metacall (this=0x8b55d18, _c=QMetaObject::InvokeMetaMethod, _id=7, _a=0xbfcfb568) at ./jobclasses.moc:343
#20 0xb7141b33 in QMetaObject::activate (sender=0x8b27140, from_signal_index=8, to_signal_index=8, argv=0x0) at kernel/qobject.cpp:3112
#21 0xb7142782 in QMetaObject::activate (sender=0x8b27140, m=0xb7b10b84, local_signal_index=4, argv=0x0) at kernel/qobject.cpp:3186
#22 0xb7a2f437 in KIO::SlaveInterface::finished (this=0x8b27140) at ./slaveinterface.moc:165
#23 0xb7a331e7 in KIO::SlaveInterface::dispatch (this=0x8b27140, _cmd=104, rawdata=...) at ../../kio/kio/slaveinterface.cpp:175
#24 0xb7a2f917 in KIO::SlaveInterface::dispatch (this=0x8b27140) at ../../kio/kio/slaveinterface.cpp:91
#25 0xb7a218fd in KIO::Slave::gotInput (this=0x8b27140) at ../../kio/kio/slave.cpp:322
#26 0xb7a23de3 in KIO::Slave::qt_metacall (this=0x8b27140, _c=QMetaObject::InvokeMetaMethod, _id=2, _a=0xbfcfb838) at ./slave.moc:76
#27 0xb7141b33 in QMetaObject::activate (sender=0x8a3f4b0, from_signal_index=4, to_signal_index=4, argv=0x0) at kernel/qobject.cpp:3112
#28 0xb7142782 in QMetaObject::activate (sender=0x8a3f4b0, m=0xb7b0d4c0, local_signal_index=0, argv=0x0) at kernel/qobject.cpp:3186
#29 0xb792d937 in KIO::Connection::readyRead (this=0x8a3f4b0) at ./connection.moc:86
#30 0xb792f243 in KIO::ConnectionPrivate::dequeue (this=0x8b111b0) at ../../kio/kio/connection.cpp:82
#31 0xb792f626 in KIO::Connection::qt_metacall (this=0x8a3f4b0, _c=QMetaObject::InvokeMetaMethod, _id=1, _a=0x8ac6d70) at ./connection.moc:73
#32 0xb713b33b in QMetaCallEvent::placeMetaCall (this=0x8ac6d40, object=0x8a3f4b0) at kernel/qobject.cpp:477
#33 0xb713ce10 in QObject::event (this=0x8a3f4b0, e=0x8ac6d40) at kernel/qobject.cpp:1110
#34 0xb676c814 in QApplicationPrivate::notify_helper (this=0x851e5d0, receiver=0x8a3f4b0, e=0x8ac6d40) at kernel/qapplication.cpp:4056
#35 0xb677497e in QApplication::notify (this=0xbfcfc188, receiver=0x8a3f4b0, e=0x8ac6d40) at kernel/qapplication.cpp:3603
#36 0xb76a14ad in KApplication::notify (this=0xbfcfc188, receiver=0x8a3f4b0, event=0x8ac6d40) at ../../kdeui/kernel/kapplication.cpp:302
#37 0xb712c9cb in QCoreApplication::notifyInternal (this=0xbfcfc188, receiver=0x8a3f4b0, event=0x8ac6d40) at kernel/qcoreapplication.cpp:610
#38 0xb712d60e in QCoreApplication::sendEvent (receiver=0x0, event_type=0, data=0x85064e8) at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:213
#39 QCoreApplicationPrivate::sendPostedEvents (receiver=0x0, event_type=0, data=0x85064e8) at kernel/qcoreapplication.cpp:1247
#40 0xb712d7ed in QCoreApplication::sendPostedEvents (receiver=0x0, event_type=0) at kernel/qcoreapplication.cpp:1140
#41 0xb7157c0f in QCoreApplication::sendPostedEvents (s=0x85212c0) at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:218
#42 postEventSourceDispatch (s=0x85212c0) at kernel/qeventdispatcher_glib.cpp:210
#43 0xb617d368 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#44 0xb61808c3 in ?? () from /usr/lib/libglib-2.0.so.0
#45 0xb6180a48 in g_main_context_iteration () from /usr/lib/libglib-2.0.so.0
#46 0xb7157858 in QEventDispatcherGlib::processEvents (this=0x851e590, flags=...) at kernel/qeventdispatcher_glib.cpp:327
#47 0xb680bfd5 in QGuiEventDispatcherGlib::processEvents (this=0x851e590, flags=...) at kernel/qguieventdispatcher_glib.cpp:202
#48 0xb712b01a in QEventLoop::processEvents (this=0xbfcfbf70, flags=...) at kernel/qeventloop.cpp:149
#49 0xb712b462 in QEventLoop::exec (this=0xbfcfbf70, flags=...) at kernel/qeventloop.cpp:201
#50 0xb712d8b9 in QCoreApplication::exec () at kernel/qcoreapplication.cpp:888
#51 0xb676c697 in QApplication::exec () at kernel/qapplication.cpp:3525
#52 0xb7f1b3df in kdemain (argc=2, argv=0xbfcfc504) at ../../../../apps/konqueror/src/konqmain.cpp:257
#53 0x080485b2 in main (argc=) at konqueror_dummy.cpp:3

This bug may be a duplicate of or related to bug 204834

Reported using DrKonqi
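In the backtrace, khtml::CachedScript::checkNotify (loader.cpp:390) calls khtml::HTMLTokenizer::notifyFinished on an object whose QList member cannot even be read, which is what a completion notification delivered to a client that has already been torn down looks like. The following is an added illustration, not khtml code and not the confirmed cause (the report does not state one): hypothetical stand-in classes showing the loader/client registration and the safeguard of unregistering in the client's destructor so that a late notification reaches no stale pointer.

```cpp
#include <algorithm>
#include <vector>

// Hypothetical stand-ins for khtml::CachedScript and the client it notifies
// (khtml::HTMLTokenizer in the backtrace). Illustration only, not khtml code.
class CachedScript;
class CachedObjectClient {
public:
    virtual ~CachedObjectClient() {}
    virtual void notifyFinished(CachedScript*) = 0;
};
class CachedScript {
public:
    void ref(CachedObjectClient* c) { clients.push_back(c); }
    // A client must deref() before it dies; otherwise the loader keeps a
    // dangling pointer and the next checkNotify() touches freed memory.
    void deref(CachedObjectClient* c) {
        clients.erase(std::remove(clients.begin(), clients.end(), c), clients.end());
    }
    // Called when the download completes. Walk a snapshot and re-check
    // membership, since a client may deref() itself inside notifyFinished().
    int checkNotify() {
        std::vector<CachedObjectClient*> snapshot = clients;
        int delivered = 0;
        for (CachedObjectClient* c : snapshot) {
            if (std::find(clients.begin(), clients.end(), c) == clients.end()) continue;
            c->notifyFinished(this);
            ++delivered;
        }
        return delivered;
    }
private:
    std::vector<CachedObjectClient*> clients;
};
class Tokenizer : public CachedObjectClient {
public:
    explicit Tokenizer(CachedScript* s) : finished(0), script(s) { script->ref(this); }
    ~Tokenizer() { script->deref(this); }   // the safeguard: unregister on teardown
    void notifyFinished(CachedScript*) override { ++finished; }
    int finished;
private:
    CachedScript* script;
};

// Script finishes while the tokenizer is alive: one notification delivered.
int notifyBeforeTeardown() { CachedScript s; Tokenizer t(&s); s.checkNotify(); return t.finished; }
// Tokenizer torn down (document replaced) before the load completes: deref() in
// the destructor means checkNotify() reaches no stale client and delivers nothing.
int notifyAfterTeardown() { CachedScript s; Tokenizer* t = new Tokenizer(&s); delete t; return s.checkNotify(); }
```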
Comment 1 Pedro Celestino Reis Rodrigues 2009-09-13 01:11:17 UTC
In the report the last line of the script bum was truncated during copy and paste. Here follows the complete line.

setTimeout("vt_ma_cargadatos_s17018_c0('http://votaciones.miarroba.com/carga.php?id=17018&amp;idc=0&amp;votid=28&amp;act=votacion');",100);
Comment 2 Pedro Celestino Reis Rodrigues 2009-09-13 01:42:59 UTC
Please ignore the correction note. I simply missed the cursor bar at the bottom of the report text.
Comment 3 Dario Andres 2009-11-11 23:10:39 UTC
Could you please attach the html snippet as a file? (https://bugs.kde.org/attachment.cgi?bugid=207217&action=enter)

I couldn't reproduce the crash with the html+js code, here using:

Qt: 4.6.0 (Qt git branch 4.6 commit 52aef13521af2137db15ee878893f5c5150471e5
        Date:   Mon Oct 12 14:18:51 2009 +1000)
KDE: 4.3.74 (KDE 4.3.74 (KDE 4.4 >= 20091102))
kdelibs svn rev. 1047120 / kdebase svn rev. 1047120
on ArchLinux i686 - Kernel 2.6.31.5

Regards
Comment 4 Pedro Celestino Reis Rodrigues 2009-11-15 20:36:30 UTC
Created attachment 38358 [details]
Merged html+javascript file that triggers the crash

Opening the file using Open->File on the menu does not produce a crash.
However, a crash happens when we click on the X in the opened page.
When opening the page on the command line giving the file as argument, or navigating in file manager mode, the crash is immediate.

The merged html+javascript file is attached.

Thank you for your effort.
Comment 5 Dario Andres 2009-11-16 01:48:12 UTC
Thanks for the testcase:
I can reproduce this crash now running "konqueror https://bugs.kde.org/attachment.cgi?id=38358" from Konsole. Here using:

Qt: 4.6.0 (Qt git branch 4.6 commit 52aef13521af2137db15ee878893f5c5150471e5
        Date:   Mon Oct 12 14:18:51 2009 +1000)
KDE: 4.3.75 (KDE 4.3.75 (KDE 4.4 >= 20091113))
kdelibs svn rev. 1048844 / kdebase svn rev. 1048570
on ArchLinux i686 - Kernel 2.6.31.6
Comment 6 Dario Andres 2009-11-16 01:49:03 UTC
Created attachment 38367 [details]
Valgrind output
Comment 7 FiNeX 2010-08-15 17:30:41 UTC
Crash confirmed using KDE 4.4.5 and KDE 4.5.0
Comment 8 Raúl 2012-07-03 20:52:52 UTC
Hello. I'm not getting the crash on KDE 4.8.4 (GNU/Debian sid). Confirmation of this would be appreciated.
Comment 9 Pedro Celestino Reis Rodrigues 2012-07-04 10:37:05 UTC
Hi, I'm not getting the crash anymore either.

Thanks
Comment 10 Myriam Schweingruber 2012-07-05 08:47:26 UTC
Thank you all for the feedback.