Bug 220360

Summary: Trying to visit http://processorfinder.intel.com/Default.aspx using konqueror will lead to the crash
Product: [Applications] konqueror Reporter: Marcel Schmidt <Marcel_Schmidt>
Component: generalAssignee: Konqueror Developers <konq-bugs>
Status: RESOLVED FIXED    
Severity: crash CC: ruchir.brahmbhatt, valtsu71
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: Unlisted Binaries   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:

Description Marcel Schmidt 2009-12-28 10:24:53 UTC 
Application that crashed: konqueror
Version of the application: 4.3.3 (KDE 4.3.3)
KDE Version: 4.3.3 (KDE 4.3.3)
Qt Version: 4.5.3
Operating System: Linux 2.6.31.9-174.fc12.x86_64 x86_64

What I was doing when the application crashed:
Problem is reproducible. Part of the website is rendered and then the crash happens. 

 -- Backtrace:
Application: Konqueror (konqueror), signal: Segmentation fault
82	T_PSEUDO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)
The current source language is "auto; currently asm".
[Current thread is 1 (Thread 0x7ff4b49aa840 (LWP 2454))]

Thread 2 (Thread 0x7ff49f7a3710 (LWP 2865)):
#0  pthread_cond_timedwait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:211
#1  0x000000346cc5ad42 in wait (time=30000, this=<value optimized out>) at thread/qwaitcondition_unix.cpp:85
#2  QWaitCondition::wait (time=30000, this=<value optimized out>) at thread/qwaitcondition_unix.cpp:159
#3  0x000000346cc50dda in QThreadPoolThread::run (this=<value optimized out>) at concurrent/qthreadpool.cpp:140
#4  0x000000346cc59d25 in QThreadPrivate::start (arg=0x26035d0) at thread/qthread_unix.cpp:188
#5  0x0000003322c06a3a in start_thread (arg=<value optimized out>) at pthread_create.c:297
#6  0x00000033224ddf3d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#7  0x0000000000000000 in ?? ()

Thread 1 (Thread 0x7ff4b49aa840 (LWP 2454)):
[KCrash Handler]
#5  0x0000000000000000 in ?? ()
#6  0x0000003477b20e21 in khtml::RenderFlow::repaint (this=0x2c7a2b8, prior=NormalPriority) at /usr/src/debug/kdelibs-4.3.3/khtml/rendering/render_flow.cpp:446
#7  0x0000003477b0a869 in khtml::RenderObject::repaintDuringLayout (this=0x2c7a2b8) at /usr/src/debug/kdelibs-4.3.3/khtml/rendering/render_object.cpp:2193
#8  0x0000003477af2c20 in khtml::RenderBlock::layoutInlineChildren (this=0x2c79ec0, relayoutChildren=<value optimized out>, breakBeforeLine=<value optimized out>)
    at /usr/src/debug/kdelibs-4.3.3/khtml/rendering/bidi.cpp:1393
#9  0x0000003477afe54d in khtml::RenderBlock::layoutBlock (this=0x2c79ec0, relayoutChildren=false) at /usr/src/debug/kdelibs-4.3.3/khtml/rendering/render_block.cpp:833
#10 0x0000003477af252a in layoutIfNeeded (this=<value optimized out>) at /usr/src/debug/kdelibs-4.3.3/khtml/rendering/render_object.h:477
#11 khtml::RenderBlock::layoutInlineChildren (this=<value optimized out>) at /usr/src/debug/kdelibs-4.3.3/khtml/rendering/bidi.cpp:1410
#12 0x0000003477afe54d in khtml::RenderBlock::layoutBlock (this=0x2c6f9d0, relayoutChildren=false) at /usr/src/debug/kdelibs-4.3.3/khtml/rendering/render_block.cpp:833
#13 0x0000003477af252a in layoutIfNeeded (this=<value optimized out>) at /usr/src/debug/kdelibs-4.3.3/khtml/rendering/render_object.h:477
#14 khtml::RenderBlock::layoutInlineChildren (this=<value optimized out>) at /usr/src/debug/kdelibs-4.3.3/khtml/rendering/bidi.cpp:1410
#15 0x0000003477afe54d in khtml::RenderBlock::layoutBlock (this=0x2c6f850, relayoutChildren=false) at /usr/src/debug/kdelibs-4.3.3/khtml/rendering/render_block.cpp:833
#16 0x0000003477af72ac in layoutIfNeeded (this=<value optimized out>) at /usr/src/debug/kdelibs-4.3.3/khtml/rendering/render_object.h:477
#17 khtml::RenderBlock::layoutPositionedObjects (this=<value optimized out>) at /usr/src/debug/kdelibs-4.3.3/khtml/rendering/render_block.cpp:1739
#18 0x0000003477afe4f4 in khtml::RenderBlock::layoutBlock (this=0x1638820, relayoutChildren=<value optimized out>) at /usr/src/debug/kdelibs-4.3.3/khtml/rendering/render_block.cpp:900
#19 0x0000003477b57452 in khtml::RenderCanvas::layout (this=0x1638820) at /usr/src/debug/kdelibs-4.3.3/khtml/rendering/render_canvas.cpp:187
#20 0x00000034779ca9e6 in KHTMLView::layout (this=0x1325b70) at /usr/src/debug/kdelibs-4.3.3/khtml/khtmlview.cpp:1010
#21 0x00000034779caffe in KHTMLView::timerEvent (this=0x1325b70, e=<value optimized out>) at /usr/src/debug/kdelibs-4.3.3/khtml/khtmlview.cpp:4160
#22 0x000000346cd4e08e in QObject::event (this=0x1325b70, e=0x7ffff8b03e30) at kernel/qobject.cpp:1074
#23 0x000000346dfdd47f in QWidget::event (this=0x1325b70, event=0x7ffff8b03e30) at kernel/qwidget.cpp:7951
#24 0x000000346e335a16 in QFrame::event (this=0x1325b70, e=0x7ffff8b03e30) at widgets/qframe.cpp:559
#25 0x000000346e3c4211 in QAbstractScrollArea::event (this=0x1325b70, e=0x7ffff8b03e30) at widgets/qabstractscrollarea.cpp:918
#26 0x00000034779cd243 in KHTMLView::event (this=0x1325b70, e=<value optimized out>) at /usr/src/debug/kdelibs-4.3.3/khtml/khtmlview.cpp:546
#27 0x000000346df8f65c in QApplicationPrivate::notify_helper (this=0xbe5ea0, receiver=0x1325b70, e=0x7ffff8b03e30) at kernel/qapplication.cpp:4065
#28 0x000000346df968ce in QApplication::notify (this=<value optimized out>, receiver=0x1325b70, e=0x7ffff8b03e30) at kernel/qapplication.cpp:4030
#29 0x000000346f211a76 in KApplication::notify (this=0x7ffff8b042c0, receiver=0x1325b70, event=0x7ffff8b03e30) at /usr/src/debug/kdelibs-4.3.3/kdeui/kernel/kapplication.cpp:302
#30 0x000000346cd3ee6c in QCoreApplication::notifyInternal (this=0x7ffff8b042c0, receiver=0x1325b70, event=0x7ffff8b03e30) at kernel/qcoreapplication.cpp:610
#31 0x000000346cd698d2 in sendEvent (event=<value optimized out>, receiver=<value optimized out>) at kernel/qcoreapplication.h:213
#32 QTimerInfoList::activateTimers (event=<value optimized out>, receiver=<value optimized out>) at kernel/qeventdispatcher_unix.cpp:580
#33 0x000000346cd6729d in timerSourceDispatch (source=<value optimized out>) at kernel/qeventdispatcher_glib.cpp:165
#34 0x000000346b03922e in g_main_dispatch (context=<value optimized out>) at gmain.c:1960
#35 IA__g_main_context_dispatch (context=<value optimized out>) at gmain.c:2513
#36 0x000000346b03cc18 in g_main_context_iterate (context=0xbe8920, block=<value optimized out>, dispatch=<value optimized out>, self=<value optimized out>) at gmain.c:2591
#37 0x000000346b03cd3a in IA__g_main_context_iteration (context=0xbe8920, may_block=1) at gmain.c:2654
#38 0x000000346cd671e6 in QEventDispatcherGlib::processEvents (this=0xbc87b0, flags=<value optimized out>) at kernel/qeventdispatcher_glib.cpp:327
#39 0x000000346e021ffe in QGuiEventDispatcherGlib::processEvents (this=<value optimized out>, flags=<value optimized out>) at kernel/qguieventdispatcher_glib.cpp:202
#40 0x000000346cd3d772 in QEventLoop::processEvents (this=<value optimized out>, flags=...) at kernel/qeventloop.cpp:149
#41 0x000000346cd3db44 in QEventLoop::exec (this=0x7ffff8b040d0, flags=...) at kernel/qeventloop.cpp:201
#42 0x000000346cd3fcd9 in QCoreApplication::exec () at kernel/qcoreapplication.cpp:888
#43 0x0000003470ecf583 in kdemain (argc=1896875624, argv=0x1) at /usr/src/debug/kdebase-4.3.3/apps/konqueror/src/konqmain.cpp:257
#44 0x000000332241eb1d in __libc_start_main (main=<value optimized out>, argc=<value optimized out>, ubp_av=<value optimized out>, init=<value optimized out>, fini=<value optimized out>, 
    rtld_fini=<value optimized out>, stack_end=<value optimized out>) at libc-start.c:220
#45 0x0000000000400759 in _start ()

Reported using DrKonqi
Comment 1 Maksim Orlovich 2009-12-28 18:07:00 UTC 
==3083== Invalid read of size 4                                                                                                                
==3083==    at 0xC4779E2: khtml::InlineBox::root() (render_line.cpp:173)                                                                       
==3083==    by 0xC42866C: khtml::RenderFlow::repaint(Priority) (render_flow.cpp:446)                                                           
==3083==    by 0xC40E71C: khtml::RenderObject::repaintDuringLayout() (render_object.cpp:2206)                                                  
==3083==    by 0xC3ECB37: khtml::RenderBlock::layoutInlineChildren(bool, int) (bidi.cpp:1393)                                                  
==3083==    by 0xC3F8E72: khtml::RenderBlock::layoutBlock(bool) (render_block.cpp:833)                                                         
==3083==    by 0xC3F9384: khtml::RenderBlock::layout() (render_block.cpp:736)                                                                  
==3083==    by 0xC2BEDC0: khtml::RenderObject::layoutIfNeeded() (render_object.h:480)                                                          
==3083==    by 0xC3F4A65: khtml::RenderBlock::insertFloatingObject(khtml::RenderObject*) (render_block.cpp:1954)                               
==3083==    by 0xC3F6111: khtml::RenderBlock::handleFloatingChild(khtml::RenderObject*, khtml::RenderBlock::MarginInfo const&, bool&) (render_block.cpp:998)                                                                                                                                  
==3083==    by 0xC3F81B8: khtml::RenderBlock::handleSpecialChild(khtml::RenderObject*, khtml::RenderBlock::MarginInfo const&, khtml::RenderBlock::CompactInfo&, bool&) (render_block.cpp:971)                                                                                                 
==3083==    by 0xC3F8507: khtml::RenderBlock::layoutBlockChildren(bool) (render_block.cpp:1518)                                                
==3083==    by 0xC3F8E83: khtml::RenderBlock::layoutBlock(bool) (render_block.cpp:835)                                                         
==3083==  Address 0x7756cf4 is 44 bytes inside a block of size 100 free'd                                                                      
==3083==    at 0x4024836: free (vg_replace_malloc.c:325)                                                                                       
==3083==    by 0xC430085: khtml::RenderArena::free(unsigned int, void*) (render_arena.cpp:122)                                                 
==3083==    by 0xC4788E6: khtml::InlineBox::detach(khtml::RenderArena*, bool) (render_line.cpp:92)                                             
==3083==    by 0xC47895C: khtml::RootInlineBox::detach(khtml::RenderArena*, bool) (render_line.cpp:1115)                                       
==3083==    by 0xC429034: khtml::RenderFlow::deleteInlineBoxes(khtml::RenderArena*) (render_flow.cpp:185)                                      
==3083==    by 0xC3ECA6D: khtml::RenderBlock::layoutInlineChildren(bool, int) (bidi.cpp:1377)                                                  
==3083==    by 0xC3F8E72: khtml::RenderBlock::layoutBlock(bool) (render_block.cpp:833)                                                         
==3083==    by 0xC3F9384: khtml::RenderBlock::layout() (render_block.cpp:736)                                                                  
==3083==    by 0xC2BEDC0: khtml::RenderObject::layoutIfNeeded() (render_object.h:480)                                                          
==3083==    by 0xC3F4A65: khtml::RenderBlock::insertFloatingObject(khtml::RenderObject*) (render_block.cpp:1954)                               
==3083==    by 0xC3F6111: khtml::RenderBlock::handleFloatingChild(khtml::RenderObject*, khtml::RenderBlock::MarginInfo const&, bool&) (render_block.cpp:998)                                                                                                                                  
==3083==    by 0xC3F81B8: khtml::RenderBlock::handleSpecialChild(khtml::RenderObject*, khtml::RenderBlock::MarginInfo const&, khtml::RenderBlock::CompactInfo&, bool&) (render_block.cpp:971)
Comment 2 Ruchir Brahmbhatt 2009-12-29 15:19:46 UTC 
This appears to be fixed in recent version. Can not reproduce on 4.3.85.

Qt: 4.6.1
KDE Development Platform: 4.3.85 (KDE 4.3.85 (KDE 4.4 Beta2)) "release 8"
Konqueror: 4.3.85 (KDE 4.3.85 (KDE 4.4 Beta2)) "release 8"
Comment 3 Maksim Orlovich 2009-12-29 17:28:45 UTC 
I appreciate you trying to help out,  but would you please not close bug reports I confirm (with a valgrind trace, even)?
Comment 4 Ruchir Brahmbhatt 2009-12-29 17:34:11 UTC 
(In reply to comment #3)
> I appreciate you trying to help out,  but would you please not close bug
> reports I confirm (with a valgrind trace, even)?

You are using older version of kde(4.3.3) latest in 4.3 branch is 4.3.4. I'm not sure if 4.3.5 is going to be released and this is not reproducible in 4.4 so I thought of closing it.
Comment 5 Maksim Orlovich 2009-12-29 17:42:00 UTC 
I am not the reporter, and I am using latest trunk. Also see my e-mail address ---  I am one of KHTML developers. Again, I greatly appreciate you trying to help out, but please do remember that many not-100%-reproducible bugs are valid.
Comment 6 Ruchir Brahmbhatt 2009-12-29 17:46:04 UTC 
(In reply to comment #5)
> I am not the reporter, and I am using latest trunk. Also see my e-mail address
> ---  I am one of KHTML developers. Again, I greatly appreciate you trying to
> help out, but please do remember that many not-100%-reproducible bugs are
> valid.

Oops, sorry I didn't notice it. J
I just processed it as per my experience in few bugdays I participated in.
Comment 7 Germain Garand 2010-02-12 05:20:57 UTC 
SVN commit 1088983 by ggarand:

fix occasional crash when laying out inline flow children as
repaintDuringLayout() would access inline boxes we just deleted.

BUG: 220360

 M  +5 -3      bidi.cpp  


WebSVN link: http://websvn.kde.org/?view=rev&revision=1088983
Comment 8 Markku Valtonen 2010-03-03 10:07:20 UTC 
*** Bug 229217 has been marked as a duplicate of this bug. ***