Bug 219491

Summary: [steps] Reliable way to segfault Konqueror [khtml::RenderObject::isAnonymousBlock, khtml::RenderFlow::addChildWithContinuation, DOM::NodeImpl::createRendererIfNeeded]
Product: [Applications] konqueror
Reporter: Richard Hartmann <richih-kde>
Component: general
Assignee: Konqueror Developers <konq-bugs>
Status: RESOLVED DUPLICATE
Severity: crash
CC: andresbajotierra, germain, groszdanielpub, Regnaron, sreejiththulaseedharan
Priority: NOR
Version: SVN
Target Milestone: ---
Platform: Unlisted Binaries
OS: Linux
Latest Commit:
Version Fixed In:
Sentry Crash Report:
Attachments:
  Compressed and non-reduced testcase page (web save)
  Valgrind output
  more reduced testcase
  minimal reduction
  New crash information added by DrKonqi

Description Richard Hartmann 2009-12-21 00:14:07 UTC
Application that crashed: konqueror
Version of the application: 4.3.4 (KDE 4.3.4)
KDE Version: 4.3.4 (KDE 4.3.4)
Qt Version: 4.5.3
Operating System: Linux 2.6.31-1-686 i686
Distribution: Debian GNU/Linux unstable (sid)

What I was doing when the application crashed:
* Go to http://www.fiskars.com/webapp/wcs/stores/servlet/ProductDisplay?storeId=10001&langId=-3&catalogId=13451&categoryId=17902&productId=11152&page=products
* Click on the second tab "Auszeichnungen"
* Click on the first one "Eigenschaften"
* Segfault

Confirmed on trunk via IRC by toma.

 -- Backtrace:
Application: Konqueror (kdeinit4), signal: Segmentation fault
[KCrash Handler]
#6  khtml::RenderObject::isAnonymousBlock (this=0x9cbc3c0, newChild=0x9cc875c, beforeChild=0x0) at ../../khtml/rendering/render_object.h:318
#7  khtml::RenderFlow::addChildWithContinuation (this=0x9cbc3c0, newChild=0x9cc875c, beforeChild=0x0) at ../../khtml/rendering/render_flow.cpp:90
#8  0xb2255c42 in DOM::NodeImpl::createRendererIfNeeded (this=0x9b03860) at ../../khtml/xml/dom_nodeimpl.cpp:1084
#9  0xb22611d2 in DOM::ElementImpl::attach (this=0x9b03860) at ../../khtml/xml/dom_elementimpl.cpp:863
#10 0xb2262924 in DOM::ElementImpl::recalcStyle (this=0x9b03860, change=DOM::NodeImpl::NoChange) at ../../khtml/xml/dom_elementimpl.cpp:961
#11 0xb22ae179 in DOM::HTMLElementImpl::recalcStyle (this=0x9b03860, ch=DOM::NodeImpl::NoChange) at ../../khtml/html/html_elementimpl.cpp:242
#12 0xb226282f in DOM::ElementImpl::recalcStyle (this=0x9afdbe0, change=DOM::NodeImpl::NoChange) at ../../khtml/xml/dom_elementimpl.cpp:990
#13 0xb22ae179 in DOM::HTMLElementImpl::recalcStyle (this=0x9afdbe0, ch=DOM::NodeImpl::NoChange) at ../../khtml/html/html_elementimpl.cpp:242
#14 0xb226282f in DOM::ElementImpl::recalcStyle (this=0x9ac5920, change=DOM::NodeImpl::NoChange) at ../../khtml/xml/dom_elementimpl.cpp:990
#15 0xb22ae179 in DOM::HTMLElementImpl::recalcStyle (this=0x9ac5920, ch=DOM::NodeImpl::NoChange) at ../../khtml/html/html_elementimpl.cpp:242
#16 0xb226282f in DOM::ElementImpl::recalcStyle (this=0x97bc988, change=DOM::NodeImpl::NoChange) at ../../khtml/xml/dom_elementimpl.cpp:990
#17 0xb22ae179 in DOM::HTMLElementImpl::recalcStyle (this=0x97bc988, ch=DOM::NodeImpl::NoChange) at ../../khtml/html/html_elementimpl.cpp:242
#18 0xb226282f in DOM::ElementImpl::recalcStyle (this=0x93d9958, change=DOM::NodeImpl::NoChange) at ../../khtml/xml/dom_elementimpl.cpp:990
#19 0xb22ae179 in DOM::HTMLElementImpl::recalcStyle (this=0x93d9958, ch=DOM::NodeImpl::NoChange) at ../../khtml/html/html_elementimpl.cpp:242
#20 0xb226282f in DOM::ElementImpl::recalcStyle (this=0x9a67fe8, change=DOM::NodeImpl::NoChange) at ../../khtml/xml/dom_elementimpl.cpp:990
#21 0xb22ae179 in DOM::HTMLElementImpl::recalcStyle (this=0x9a67fe8, ch=DOM::NodeImpl::NoChange) at ../../khtml/html/html_elementimpl.cpp:242
#22 0xb226282f in DOM::ElementImpl::recalcStyle (this=0x9929fb8, change=DOM::NodeImpl::NoChange) at ../../khtml/xml/dom_elementimpl.cpp:990
#23 0xb22ae179 in DOM::HTMLElementImpl::recalcStyle (this=0x9929fb8, ch=DOM::NodeImpl::NoChange) at ../../khtml/html/html_elementimpl.cpp:242
#24 0xb226282f in DOM::ElementImpl::recalcStyle (this=0x9a68a68, change=DOM::NodeImpl::NoChange) at ../../khtml/xml/dom_elementimpl.cpp:990
#25 0xb22ae179 in DOM::HTMLElementImpl::recalcStyle (this=0x9a68a68, ch=DOM::NodeImpl::NoChange) at ../../khtml/html/html_elementimpl.cpp:242
#26 0xb226282f in DOM::ElementImpl::recalcStyle (this=0x93db1d0, change=DOM::NodeImpl::NoChange) at ../../khtml/xml/dom_elementimpl.cpp:990
#27 0xb22ae179 in DOM::HTMLElementImpl::recalcStyle (this=0x93db1d0, ch=DOM::NodeImpl::NoChange) at ../../khtml/html/html_elementimpl.cpp:242
#28 0xb2251002 in DOM::DocumentImpl::recalcStyle (this=0x8faec78, change=DOM::NodeImpl::NoChange) at ../../khtml/xml/dom_docimpl.cpp:1436
#29 0xb223d5a8 in DOM::DocumentImpl::updateRendering (this=0x0) at ../../khtml/xml/dom_docimpl.cpp:1465
#30 0xb2248bb0 in DOM::DocumentImpl::updateDocumentsRendering () at ../../khtml/xml/dom_docimpl.cpp:1478
#31 0xb244550c in KJS::Window::afterScriptExecution (this=0xb0420000) at ../../khtml/ecma/kjs_window.cpp:1269
#32 0xb245bfbd in KJS::KJSProxyImpl::evaluate (this=0x93db300, filename=..., baseLine=1, str=..., n=..., completion=0xbfdeea24) at ../../khtml/ecma/kjs_proxy.cpp:170
#33 0xb21f1833 in KHTMLPart::executeScript (this=0x93a4268, n=..., script=...) at ../../khtml/khtml_part.cpp:1377
#34 0xb21f1d50 in KHTMLPart::crossFrameExecuteScript (this=0x93a4268, target=..., script=...) at ../../khtml/khtml_part.cpp:1225
#35 0xb22029bd in KHTMLPart::urlSelected (this=0x93a4268, url=..., button=1, state=0, _target=..., _args=..., _browserArgs=...) at ../../khtml/khtml_part.cpp:3698
#36 0xb22b1916 in DOM::HTMLAnchorElementImpl::defaultEventHandler (this=0x9b02a80, evt=0xa299750) at ../../khtml/html/html_inlineimpl.cpp:157
#37 0xb22583a2 in DOM::NodeImpl::dispatchGenericEvent (this=0x9b02a80, evt=0xa299750) at ../../khtml/xml/dom_nodeimpl.cpp:526
#38 0xb2258576 in DOM::NodeImpl::dispatchEvent (this=0x9b02a80, evt=0xa299750, exceptioncode=@0xbfdeee78, tempEvent=true) at ../../khtml/xml/dom_nodeimpl.cpp:453
#39 0xb21b248d in KHTMLView::dispatchMouseEvent (this=0x93c7a20, eventId=3, targetNode=0x9b02a80, targetNodeNonShared=0x9b02b48, cancelable=<value optimized out>, detail=1, _mouse=0xbfdeef24, 
    setUnder=true, mouseEventType=1, orient=0) at ../../khtml/khtmlview.cpp:3717
#40 0xb21bce9e in KHTMLView::mouseReleaseEvent (this=0x93c7a20, _mouse=0xbfdef66c) at ../../khtml/khtmlview.cpp:1578
#41 0xb62ec9fb in QWidget::event (this=0x93c7a20, event=0xbfdef66c) at kernel/qwidget.cpp:7554
#42 0xb6692543 in QFrame::event (this=0x93c7a20, e=0xbfdef66c) at widgets/qframe.cpp:559
#43 0xb21bb54f in KHTMLView::widgetEvent (this=0x93c7a20, e=0x0) at ../../khtml/khtmlview.cpp:2338
#44 0xb21bb84d in KHTMLView::eventFilter (this=0x93c7a20, o=0x957d1f8, e=0xbfdef66c) at ../../khtml/khtmlview.cpp:2191
#45 0xb75f641a in QCoreApplicationPrivate::sendThroughObjectEventFilters (this=0x8eae7b8, receiver=0x957d1f8, event=0xbfdef66c) at kernel/qcoreapplication.cpp:726
#46 0xb6296a6c in QApplicationPrivate::notify_helper (this=0x8eae7b8, receiver=0x957d1f8, e=0xbfdef66c) at kernel/qapplication.cpp:4061
#47 0xb629f551 in QApplication::notify (this=0xbfdf0f9c, receiver=0x957d1f8, e=0xbfdef66c) at kernel/qapplication.cpp:3767
#48 0xb6ce062d in KApplication::notify (this=0xbfdf0f9c, receiver=0x957d1f8, event=0xbfdef66c) at ../../kdeui/kernel/kapplication.cpp:302
#49 0xb75f71eb in QCoreApplication::notifyInternal (this=0xbfdf0f9c, receiver=0x957d1f8, event=0xbfdef66c) at kernel/qcoreapplication.cpp:610
#50 0xb629e5de in QCoreApplication::sendSpontaneousEvent (receiver=0x957d1f8, event=0xbfdef66c, alienWidget=0x957d1f8, nativeWidget=0x8fca6e0, buttonDown=0xb6b0d580, lastMouseReceiver=...)
    at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:216
#51 QApplicationPrivate::sendMouseEvent (receiver=0x957d1f8, event=0xbfdef66c, alienWidget=0x957d1f8, nativeWidget=0x8fca6e0, buttonDown=0xb6b0d580, lastMouseReceiver=...)
    at kernel/qapplication.cpp:2924
#52 0xb630d175 in QETWidget::translateMouseEvent (this=0x8fca6e0, event=0xbfdf0c1c) at kernel/qapplication_x11.cpp:4411
#53 0xb630c646 in QApplication::x11ProcessEvent (this=0xbfdf0f9c, event=0xbfdf0c1c) at kernel/qapplication_x11.cpp:3430
#54 0xb6336bc2 in x11EventSourceDispatch (s=0x8ecdff0, callback=0, user_data=0x0) at kernel/qguieventdispatcher_glib.cpp:146
#55 0xb5e7bf28 in g_main_context_dispatch () from /lib/libglib-2.0.so.0
#56 0xb5e7f6b3 in ?? () from /lib/libglib-2.0.so.0
#57 0xb5e7f838 in g_main_context_iteration () from /lib/libglib-2.0.so.0
#58 0xb7622041 in QEventDispatcherGlib::processEvents (this=0x8e5d220, flags=...) at kernel/qeventdispatcher_glib.cpp:407
#59 0xb6336305 in QGuiEventDispatcherGlib::processEvents (this=0x8e5d220, flags=...) at kernel/qguieventdispatcher_glib.cpp:202
#60 0xb75f583a in QEventLoop::processEvents (this=0xbfdf0e80, flags=...) at kernel/qeventloop.cpp:149
#61 0xb75f5c82 in QEventLoop::exec (this=0xbfdf0e80, flags=...) at kernel/qeventloop.cpp:201
#62 0xb75f80d9 in QCoreApplication::exec () at kernel/qcoreapplication.cpp:888
#63 0xb6296917 in QApplication::exec () at kernel/qapplication.cpp:3525
#64 0xb4206639 in kdemain () from /usr/lib/libkdeinit4_konqueror.so
#65 0x0804e291 in launch (argc=2, _name=0x8ec3014 "/usr/bin/konqueror", args=0x8ec302f "", cwd=0x0, envc=0, envs=0x8ec3034 "", reset_env=false, tty=0x0, avoid_loops=false, 
    startup_id_str=0x8ec3038 "roadwarrior;1261350547;888358;2420_TIME3003900") at ../../kinit/kinit.cpp:677
#66 0x0804ea15 in handle_launcher_request (sock=7, who=<value optimized out>) at ../../kinit/kinit.cpp:1169
#67 0x0804ee5b in handle_requests (waitForPid=0) at ../../kinit/kinit.cpp:1362
#68 0x0804f689 in main (argc=1, argv=0xbfdf19e4, envp=0xbfdf19ec) at ../../kinit/kinit.cpp:1793

Reported using DrKonqi
Comment 1 Richard Hartmann 2009-12-21 00:15:05 UTC
Setting version to svn.
Comment 2 Dario Andres 2009-12-23 14:29:41 UTC
Created attachment 39285
Compressed and non-reduced testcase page (web save)
Comment 3 Dario Andres 2009-12-23 14:40:43 UTC
Here using:

Qt: 4.6.0 (kde-qt master commit 747ff8e6ef6f5a1163dfa75bc9ac4755ce7083d1
        Date:   Tue Dec 15 11:58:13 2009 +0100)
KDE Development Platform: 4.3.82 (KDE 4.3.82 (KDE 4.4 >= 20091211))
kdelibs svn rev. 1063229 / kdebase svn rev. 1063229
on ArchLinux i686 - Kernel 2.6.31.6

I can reproduce the crash with the provided steps and the URL. I have also attached the webpage.
Comment 4 Dario Andres 2009-12-23 14:42:19 UTC
Created attachment 39286
Valgrind output
Comment 5 Richard Hartmann 2009-12-23 14:47:33 UTC
Thanks Dario :)

Will this one be squashed prior to 4.4?
Comment 6 Dario Andres 2009-12-23 14:50:40 UTC
That depends on the Konqueror/KHTML devs :) (I'm not one of them yet, btw)
Comment 7 Oliver Putz 2010-02-02 23:39:16 UTC
Created attachment 40482
more reduced testcase

This is a more reduced testcase derived from attachment #39285. (Only reduced the HTML page, no reduction in the JavaScript stuff.)
Comment 8 Germain Garand 2010-02-03 12:38:12 UTC
Created attachment 40493
minimal reduction
Comment 9 Germain Garand 2010-02-03 13:10:52 UTC
awww, please disregard comment #8, wrong bug report.
Comment 10 Grósz Dániel 2010-05-01 03:34:08 UTC
Created attachment 43134
New crash information added by DrKonqi

I viewed http://groups.google.com/group/brescia2010/browse_thread/thread/87ee1cf00d2dee88 without being logged in and clicked on "Forward". Konqueror crashed.
Comment 11 Tommi Tervo 2011-05-14 08:30:36 UTC
*** This bug has been marked as a duplicate of bug 204241 ***