Bug 207237

Summary: NULL deref in DOMElementProtoFunc::callAsFunction()
Product: [Applications] konqueror
Reporter: Rolf Eike Beer <kde>
Component: kjs
Assignee: Konqueror Bugs <konqueror-bugs-null>
Status: RESOLVED WORKSFORME
Severity: crash
CC: justin.zobel
Priority: NOR
Version First Reported In: 4.3.1
Target Milestone: ---
Platform: Unlisted Binaries
OS: Linux
Latest Commit:
Version Fixed/Implemented In:
Sentry Crash Report:

Description Rolf Eike Beer 2009-09-13 11:07:19 UTC
Application that crashed: konqueror
Version of the application: 4.3.1 (KDE 4.3.1) "release 163"
KDE Version: 4.3.1 (KDE 4.3.1) "release 163"
Qt Version: 4.5.2
Operating System: Linux 2.6.31-rc9-git i686
Distribution: "openSUSE 11.1 (i586)"

-- Backtrace:
Application: Konqueror (kdeinit4), signal: Segmentation fault
[Current thread is 1 (Thread 0xb5fd1700 (LWP 4454))]

Thread 2 (Thread 0xaca6eb90 (LWP 31587)):
#0  0xb80d0424 in __kernel_vsyscall ()
#1  0xb7e58f62 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib/libpthread.so.0
#2  0xb7eb855c in QWaitCondition::wait(QMutex*, unsigned long) () from /usr/lib/libQtCore.so.4
#3  0xb7eadb96 in ?? () from /usr/lib/libQtCore.so.4
#4  0xb7eb7572 in ?? () from /usr/lib/libQtCore.so.4
#5  0xb7e551b5 in start_thread () from /lib/libpthread.so.0
#6  0xb66993be in clone () from /lib/libc.so.6

Thread 1 (Thread 0xb5fd1700 (LWP 4454)):
[KCrash Handler]
#6  0xb2a2abc2 in KJS::JSValue::toString (this=0x0, exec=0xbfa2e35c) at /usr/src/debug/kdelibs-4.3.1/kjs/value.h:490
#7  0xb2a2660f in DOMElementProtoFunc::callAsFunction (this=0xaef30b20, exec=0xbfa2e35c, thisObj=0xaea7db20, args=@0xbfa2e2e4) at /usr/src/debug/kdelibs-4.3.1/khtml/ecma/kjs_dom.cpp:1344
#8  0xb2688dbd in KJS::JSObject::call (this=0x0, exec=0xbfa2e35c, thisObj=0xaea7db20, args=@0xbfa2e2e4) at /usr/src/debug/kdelibs-4.3.1/kjs/object.cpp:69
#9  0xb26a659b in KJS::Machine::runBlock (exec=0xbfa2e35c, codeBlock=@0xbfa2dc7c, parentExec=0xa25d440) at codes.def:1192
#10 0xb2684ff3 in KJS::FunctionImp::callAsFunction (this=0xaf9a0f60, exec=0xa25d440, thisObj=0xaf9a00e0, args=@0xbfa2e4a8) at /usr/src/debug/kdelibs-4.3.1/kjs/function.cpp:144
#11 0xb2688dbd in KJS::JSObject::call (this=0x0, exec=0xa25d440, thisObj=0xaf9a00e0, args=@0xbfa2e4a8) at /usr/src/debug/kdelibs-4.3.1/kjs/object.cpp:69
#12 0xb2a8a4cd in KJS::JSEventListener::handleEvent (this=0x935d4e0, evt=@0xbfa2e4f0) at /usr/src/debug/kdelibs-4.3.1/khtml/ecma/kjs_events.cpp:106
#13 0xb2869e4d in DOM::NodeImpl::handleLocalEvents (this=0x987472c, evt=0xafe49f8, useCapture=false) at /usr/src/debug/kdelibs-4.3.1/khtml/xml/dom_nodeimpl.cpp:718
#14 0xb286a31c in DOM::NodeImpl::dispatchGenericEvent (this=0x987472c, evt=0xafe49f8) at /usr/src/debug/kdelibs-4.3.1/khtml/xml/dom_nodeimpl.cpp:501
#15 0xb286bce5 in DOM::NodeImpl::dispatchWindowEvent (this=0x987472c, _id=36, canBubbleArg=<value optimized out>, cancelableArg=<value optimized out>)
    at /usr/src/debug/kdelibs-4.3.1/khtml/xml/dom_nodeimpl.cpp:566
#16 0xb27e6426 in KHTMLPart::slotFinishedParsing (this=0xbfd6790) at /usr/src/debug/kdelibs-4.3.1/khtml/khtml_part.cpp:2217
#17 0xb2813010 in KHTMLPart::qt_metacall (this=0xbfd6790, _c=QMetaObject::InvokeMetaMethod, _id=22, _a=0xbfa2e698) at /usr/src/debug/kdelibs-4.3.1/build/khtml/khtml_part.moc:274
#18 0xb7fc1788 in QMetaObject::activate(QObject*, int, int, void**) () from /usr/lib/libQtCore.so.4
#19 0xb7fc2412 in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) () from /usr/lib/libQtCore.so.4
#20 0xb284f5e7 in DOM::DocumentImpl::finishedParsing (this=0x9874720) at /usr/src/debug/kdelibs-4.3.1/build/khtml/dom_docimpl.moc:79
#21 0xb284f645 in DOM::DocumentImpl::qt_metacall (this=0x9874720, _c=QMetaObject::InvokeMetaMethod, _id=0, _a=0xbfa2e7a8) at /usr/src/debug/kdelibs-4.3.1/build/khtml/dom_docimpl.moc:68
#22 0xb28c5967 in DOM::HTMLDocumentImpl::qt_metacall (this=0x9874720, _c=QMetaObject::InvokeMetaMethod, _id=4, _a=0xbfa2e7a8) at /usr/src/debug/kdelibs-4.3.1/build/khtml/html_documentimpl.moc:63
#23 0xb7fc1788 in QMetaObject::activate(QObject*, int, int, void**) () from /usr/lib/libQtCore.so.4
#24 0xb7fc2412 in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) () from /usr/lib/libQtCore.so.4
#25 0xb28883b7 in khtml::Tokenizer::finishedParsing (this=0x9bd4b60) at /usr/src/debug/kdelibs-4.3.1/build/khtml/xml_tokenizer.moc:77
#26 0xb28a9af9 in khtml::HTMLTokenizer::end (this=0x9bd4b60) at /usr/src/debug/kdelibs-4.3.1/khtml/html/htmltokenizer.cpp:1946
#27 0xb28b2575 in khtml::HTMLTokenizer::write (this=0x9bd4b60, str=@0xbfa2e9a8, appendData=false) at /usr/src/debug/kdelibs-4.3.1/khtml/html/htmltokenizer.cpp:1905
#28 0xb28b3fd8 in khtml::HTMLTokenizer::notifyFinished (this=0x9bd4b60) at /usr/src/debug/kdelibs-4.3.1/khtml/html/htmltokenizer.cpp:2135
#29 0xb29e0f5d in khtml::CachedScript::checkNotify (this=0xb332b18) at /usr/src/debug/kdelibs-4.3.1/khtml/misc/loader.cpp:390
#30 0xb29e48ac in khtml::CachedScript::data (this=0xb332b18, buffer=@0xc06bf74, eof=true) at /usr/src/debug/kdelibs-4.3.1/khtml/misc/loader.cpp:382
#31 0xb29e44d2 in khtml::Loader::slotFinished (this=0x901ef68, job=0xbf982e0) at /usr/src/debug/kdelibs-4.3.1/khtml/misc/loader.cpp:1461
#32 0xb29ea8e7 in khtml::Loader::qt_metacall (this=0x901ef68, _c=QMetaObject::InvokeMetaMethod, _id=3, _a=0xbfa2ec3c) at /usr/src/debug/kdelibs-4.3.1/build/khtml/loader.moc:131
#33 0xb7fc1788 in QMetaObject::activate(QObject*, int, int, void**) () from /usr/lib/libQtCore.so.4
#34 0xb7fc2412 in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) () from /usr/lib/libQtCore.so.4
#35 0xb7cb57a3 in KJob::result (this=0xbf982e0, _t1=0xbf982e0) at /usr/src/debug/kdelibs-4.3.1/build/kdecore/kjob.moc:188
#36 0xb7cb5c49 in KJob::emitResult (this=0xbf982e0) at /usr/src/debug/kdelibs-4.3.1/kdecore/jobs/kjob.cpp:304
#37 0xb788cbf5 in KIO::SimpleJob::slotFinished (this=0xbf982e0) at /usr/src/debug/kdelibs-4.3.1/kio/kio/job.cpp:477
#38 0xb788d533 in KIO::TransferJob::slotFinished (this=0xbf982e0) at /usr/src/debug/kdelibs-4.3.1/kio/kio/job.cpp:948
#39 0xb7889adb in KIO::TransferJob::qt_metacall (this=0xbf982e0, _c=QMetaObject::InvokeMetaMethod, _id=7, _a=0xbfa2ee78) at /usr/src/debug/kdelibs-4.3.1/build/kio/jobclasses.moc:343
#40 0xb7fc1788 in QMetaObject::activate(QObject*, int, int, void**) () from /usr/lib/libQtCore.so.4
#41 0xb7fc2412 in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) () from /usr/lib/libQtCore.so.4
#42 0xb79541b7 in KIO::SlaveInterface::finished (this=0x8ed1670) at /usr/src/debug/kdelibs-4.3.1/build/kio/slaveinterface.moc:165
#43 0xb7957ef7 in KIO::SlaveInterface::dispatch (this=0x8ed1670, _cmd=104, rawdata=@0xbfa2f044) at /usr/src/debug/kdelibs-4.3.1/kio/kio/slaveinterface.cpp:175
#44 0xb7954697 in KIO::SlaveInterface::dispatch (this=0x8ed1670) at /usr/src/debug/kdelibs-4.3.1/kio/kio/slaveinterface.cpp:91
#45 0xb794640d in KIO::Slave::gotInput (this=0x8ed1670) at /usr/src/debug/kdelibs-4.3.1/kio/kio/slave.cpp:322
#46 0xb79488a3 in KIO::Slave::qt_metacall (this=0x8ed1670, _c=QMetaObject::InvokeMetaMethod, _id=2, _a=0xbfa2f158) at /usr/src/debug/kdelibs-4.3.1/build/kio/slave.moc:76
#47 0xb7fc1788 in QMetaObject::activate(QObject*, int, int, void**) () from /usr/lib/libQtCore.so.4
#48 0xb7fc2412 in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) () from /usr/lib/libQtCore.so.4
#49 0xb7850927 in KIO::Connection::readyRead (this=0x99a9ac8) at /usr/src/debug/kdelibs-4.3.1/build/kio/connection.moc:86
#50 0xb7852293 in KIO::ConnectionPrivate::dequeue (this=0xbf4d160) at /usr/src/debug/kdelibs-4.3.1/kio/kio/connection.cpp:82
#51 0xb7852676 in KIO::Connection::qt_metacall (this=0x99a9ac8, _c=QMetaObject::InvokeMetaMethod, _id=1, _a=0xc4320d8) at /usr/src/debug/kdelibs-4.3.1/build/kio/connection.moc:73
#52 0xb7fbaeab in QMetaCallEvent::placeMetaCall(QObject*) () from /usr/lib/libQtCore.so.4
#53 0xb7fbc970 in QObject::event(QEvent*) () from /usr/lib/libQtCore.so.4
#54 0xb69707fc in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/lib/libQtGui.so.4
#55 0xb6978aee in QApplication::notify(QObject*, QEvent*) () from /usr/lib/libQtGui.so.4
#56 0xb746372d in KApplication::notify (this=0xbfa2fab8, receiver=0x99a9ac8, event=0xa2b60b0) at /usr/src/debug/kdelibs-4.3.1/kdeui/kernel/kapplication.cpp:302
#57 0xb7fac16b in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /usr/lib/libQtCore.so.4
#58 0xb7facdb5 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () from /usr/lib/libQtCore.so.4
#59 0xb7facfad in QCoreApplication::sendPostedEvents(QObject*, int) () from /usr/lib/libQtCore.so.4
#60 0xb7fd7c8f in ?? () from /usr/lib/libQtCore.so.4
#61 0xb65169c8 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#62 0xb651a083 in ?? () from /usr/lib/libglib-2.0.so.0
#63 0xb651a241 in g_main_context_iteration () from /usr/lib/libglib-2.0.so.0
#64 0xb7fd78d8 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/libQtCore.so.4
#65 0xb6a10ce5 in ?? () from /usr/lib/libQtGui.so.4
#66 0xb7faa78a in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/libQtCore.so.4
#67 0xb7faabd2 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/libQtCore.so.4
#68 0xb7fad079 in QCoreApplication::exec() () from /usr/lib/libQtCore.so.4
#69 0xb6970677 in QApplication::exec() () from /usr/lib/libQtGui.so.4
#70 0xb4a1ebff in kdemain (argc=3, argv=0x8c86358) at /usr/src/debug/kdebase-4.3.1/apps/konqueror/src/konqmain.cpp:257
#71 0x0804e505 in launch (argc=3, _name=0x8c85acc "konqueror", args=0x8c85b16 "", cwd=0x0, envc=0, envs=0x8c85b1b "", reset_env=false, tty=0x0, avoid_loops=false, startup_id_str=0x8051639 "0")
    at /usr/src/debug/kdelibs-4.3.1/kinit/kinit.cpp:706
#72 0x0804ecdd in handle_launcher_request (sock=7, who=<value optimized out>) at /usr/src/debug/kdelibs-4.3.1/kinit/kinit.cpp:1198
#73 0x0804f173 in handle_requests (waitForPid=0) at /usr/src/debug/kdelibs-4.3.1/kinit/kinit.cpp:1391
#74 0x0804feb2 in main (argc=4, argv=0xbfa30674, envp=0xbfa30688) at /usr/src/debug/kdelibs-4.3.1/kinit/kinit.cpp:1830

Reported using DrKonqi
Comment 1 Maksim Orlovich 2009-09-13 16:59:38 UTC
Do you have a way of reproducing this? I doubt the backtrace is correct.
Comment 2 Rolf Eike Beer 2009-09-13 17:39:13 UTC
> Do you have a way of reproducing this? I doubt the backtrace is
>  correct.

No, I was just opening some pages to read later so I don't know exactly which of them triggered the bug. I tried a bit but I can't get it anymore.
Comment 3 Justin Zobel 2020-12-09 02:13:34 UTC
Thank you for the crash report.

As it has been a while since this was reported, can you please test and confirm if this issue is still occurring or if this bug report can be marked as resolved.

I have set the bug status to "needsinfo" pending your response, please change back to "reported" or "resolved/worksforme" when you respond, thank you.
Comment 4 Bug Janitor Service 2020-12-24 04:34:26 UTC
Dear Bug Submitter,

This bug has been in NEEDSINFO status with no change for at least
15 days. Please provide the requested information as soon as
possible and set the bug status as REPORTED. Due to regular bug
tracker maintenance, if the bug is still in NEEDSINFO status with
no change in 30 days the bug will be closed as RESOLVED > WORKSFORME
due to lack of needed information.

For more information about our bug triaging procedures please read the
wiki located here:
https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging

If you have already provided the requested information, please
mark the bug as REPORTED so that the KDE team knows that the bug is
ready to be confirmed.

Thank you for helping us make KDE software even better for everyone!
Comment 5 Bug Janitor Service 2021-01-08 04:33:57 UTC
This bug has been in NEEDSINFO status with no change for at least
30 days. The bug is now closed as RESOLVED > WORKSFORME
due to lack of needed information.

For more information about our bug triaging procedures please read the
wiki located here:
https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging

Thank you for helping us make KDE software even better for everyone!