Bug 224018

Summary: testkhtml crashes on websites with text input fields
Product: [Applications] konqueror
Reporter: Michael G. Hansen <mike>
Component: khtml
Assignee: Konqueror Developers <konq-bugs>
Status: RESOLVED FIXED
Severity: crash
CC: johann-nikolaus, maksim
Priority: NOR
Version: unspecified
Target Milestone: ---
Platform: Compiled Sources
OS: Linux
Attachments: New crash information added by DrKonqi

Description Michael G. Hansen 2010-01-24 12:23:12 UTC
Version:           current svn (using Devel)
OS:                Linux
Installed from:    Compiled sources

Application: testkhtml (1.0)
KDE Platform Version: 4.4.60 (KDE 4.4.60 (KDE 4.5 >= 20100120)) (Compiled from sources)
Qt Version: 4.6.1
Operating System: Linux 2.6.32-trunk-amd64 x86_64
Distribution (Platform): Debian unstable

-- Information about the crash:
run testkhtml http://www.google.de
close testkhtml -> crash. The crash occurs only when the site has a text input. The crash does not occur for me in konqueror, but in kipi-plugins which also embeds KHTML to display Google Maps. The crash also occurs in the 4.4 branch, but not in the 4.3 branch.

The crash can be reproduced every time.

-- Backtrace:
Application: Testkhtml (testkhtml), signal: Segmentation fault
The current source language is "auto; currently c".
[Current thread is 1 (Thread 0x7fb1e25357f0 (LWP 2628))]

Thread 2 (Thread 0x7fb1cf5c8910 (LWP 2630)):
#0  pthread_cond_timedwait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:220
#1  0x00007fb1de6f25a2 in QWaitConditionPrivate::wait (this=<value optimized out>, mutex=0x1350280, time=30000) at /c/temp/kde/trunk-svn/qt-copy/src/corelib/thread/qwaitcondition_unix.cpp:85
#2  QWaitCondition::wait (this=<value optimized out>, mutex=0x1350280, time=30000) at /c/temp/kde/trunk-svn/qt-copy/src/corelib/thread/qwaitcondition_unix.cpp:159
#3  0x00007fb1de6e9523 in QThreadPoolThread::run (this=0x1320830) at /c/temp/kde/trunk-svn/qt-copy/src/corelib/concurrent/qthreadpool.cpp:140
#4  0x00007fb1de6f1656 in QThreadPrivate::start (arg=<value optimized out>) at /c/temp/kde/trunk-svn/qt-copy/src/corelib/thread/qthread_unix.cpp:244
#5  0x00007fb1de45773a in start_thread (arg=<value optimized out>) at pthread_create.c:300
#6  0x00007fb1dda2069d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#7  0x0000000000000000 in ?? ()

Thread 1 (Thread 0x7fb1e25357f0 (LWP 2628)):
[KCrash Handler]
#5  QWidgetPrivate::reparentFocusWidgets (this=0x109f830, oldtlw=<value optimized out>) at /c/temp/kde/trunk-svn/qt-copy/src/gui/kernel/qwidget.cpp:6508
#6  0x00007fb1def70de7 in QWidget::setParent (this=0x10a0560, parent=0x14d6bd0, f=<value optimized out>) at /c/temp/kde/trunk-svn/qt-copy/src/gui/kernel/qwidget.cpp:9787
#7  0x00007fb1def71769 in QWidgetPrivate::init (this=0x109f830, parentWidget=0x14d6bd0, f=) at /c/temp/kde/trunk-svn/qt-copy/src/gui/kernel/qwidget.cpp:1179
#8  0x00007fb1def71e5f in QWidget (this=0x10a0560, parent=0x14d6bd0, f=...) at /c/temp/kde/trunk-svn/qt-copy/src/gui/kernel/qwidget.cpp:1007
#9  0x00007fb1d6b18fc6 in TransitionWidget (this=0x10a0560, parent=0x14d6bd0, duration=150) at /c/temp/kde/trunk-svn/kdebase/runtime/kstyles/oxygen/transitions/oxygentransitionwidget.cpp:48
#10 0x00007fb1d6b179b8 in TransitionData (this=0x14cb620, parent=0x104c2b0, target=0x14d6bd0, duration=150)
    at /c/temp/kde/trunk-svn/kdebase/runtime/kstyles/oxygen/transitions/oxygentransitiondata.cpp:40
#11 0x00007fb1d6b13194 in LineEditData (this=0x14cb620, parent=0x104c2b0, target=0x14d6bd0, duration=150) at /c/temp/kde/trunk-svn/kdebase/runtime/kstyles/oxygen/transitions/oxygenlineeditdata.cpp:43
#12 0x00007fb1d6b14201 in Oxygen::LineEditEngine::registerWidget (this=0x104c2b0, widget=0x14d6bd0) at /c/temp/kde/trunk-svn/kdebase/runtime/kstyles/oxygen/transitions/oxygenlineeditengine.cpp:44
#13 0x00007fb1d6b18287 in Oxygen::Transitions::registerWidget (this=0x1049f70, widget=0x14d6bd0) at /c/temp/kde/trunk-svn/kdebase/runtime/kstyles/oxygen/transitions/oxygentransitions.cpp:85
#14 0x00007fb1d6b2f1d1 in OxygenStyle::polish (this=0x104e240, widget=0x14d6bd0) at /c/temp/kde/trunk-svn/kdebase/runtime/kstyles/oxygen/oxygen.cpp:3350
#15 0x00007fb1def68d0e in QWidgetPrivate::setStyle_helper (this=0x14db330, newStyle=0x0, propagate=false) at /c/temp/kde/trunk-svn/qt-copy/src/gui/kernel/qwidget.cpp:2489
#16 0x00007fb1def6f083 in QWidget::setStyle (this=<value optimized out>, style=0x0) at /c/temp/kde/trunk-svn/qt-copy/src/gui/kernel/qwidget.cpp:2450
#17 0x00007fb1e165d8af in ~RenderFormElement (this=0x14cfa08, __in_chrg=<value optimized out>) at /c/temp/kde/trunk-svn/kdelibs/khtml/rendering/render_form.cpp:183
#18 0x00007fb1e166e94f in khtml::RenderLineEdit::~RenderLineEdit() () from /c/temp/kdebuild/kdelibs/lib/libkhtml.so.5
#19 0x00007fb1e160d81c in khtml::RenderObject::arenaDelete (this=0x14cfa18, arena=0x136d000, base=0x14cfa08) at /c/temp/kde/trunk-svn/kdelibs/khtml/rendering/render_object.cpp:2394
#20 0x00007fb1e160d88b in khtml::RenderObject::arenaDelete (this=0x14cfa18, arena=0x136d000) at /c/temp/kde/trunk-svn/kdelibs/khtml/rendering/render_object.cpp:2407
#21 0x00007fb1e165ca97 in khtml::RenderWidget::deref (this=0x14cfa08) at /c/temp/kde/trunk-svn/kdelibs/khtml/rendering/render_replaced.cpp:1187
#22 0x00007fb1e1656951 in khtml::RenderWidget::detach (this=0x14cfa08) at /c/temp/kde/trunk-svn/kdelibs/khtml/rendering/render_replaced.cpp:225
#23 0x00007fb1e151c978 in DOM::NodeImpl::detach (this=0x14d7780) at /c/temp/kde/trunk-svn/kdelibs/khtml/xml/dom_nodeimpl.cpp:975
#24 0x00007fb1e151f751 in DOM::NodeBaseImpl::detach (this=0x14d7780) at /c/temp/kde/trunk-svn/kdelibs/khtml/xml/dom_nodeimpl.cpp:1838
#25 0x00007fb1e152cf5a in DOM::ElementImpl::detach (this=0x14d7780) at /c/temp/kde/trunk-svn/kdelibs/khtml/xml/dom_elementimpl.cpp:910
#26 0x00007fb1e151f739 in DOM::NodeBaseImpl::detach (this=0x14ce100) at /c/temp/kde/trunk-svn/kdelibs/khtml/xml/dom_nodeimpl.cpp:1836
#27 0x00007fb1e152cf5a in DOM::ElementImpl::detach (this=0x14ce100) at /c/temp/kde/trunk-svn/kdelibs/khtml/xml/dom_elementimpl.cpp:910
#28 0x00007fb1e151f739 in DOM::NodeBaseImpl::detach (this=0x14cdc70) at /c/temp/kde/trunk-svn/kdelibs/khtml/xml/dom_nodeimpl.cpp:1836
#29 0x00007fb1e152cf5a in DOM::ElementImpl::detach (this=0x14cdc70) at /c/temp/kde/trunk-svn/kdelibs/khtml/xml/dom_elementimpl.cpp:910
#30 0x00007fb1e151f739 in DOM::NodeBaseImpl::detach (this=0x14cdd80) at /c/temp/kde/trunk-svn/kdelibs/khtml/xml/dom_nodeimpl.cpp:1836
#31 0x00007fb1e152cf5a in DOM::ElementImpl::detach (this=0x14cdd80) at /c/temp/kde/trunk-svn/kdelibs/khtml/xml/dom_elementimpl.cpp:910
#32 0x00007fb1e151f739 in DOM::NodeBaseImpl::detach (this=0x14cd5b0) at /c/temp/kde/trunk-svn/kdelibs/khtml/xml/dom_nodeimpl.cpp:1836
#33 0x00007fb1e152cf5a in DOM::ElementImpl::detach (this=0x14cd5b0) at /c/temp/kde/trunk-svn/kdelibs/khtml/xml/dom_elementimpl.cpp:910
#34 0x00007fb1e151f739 in DOM::NodeBaseImpl::detach (this=0x14ccf90) at /c/temp/kde/trunk-svn/kdelibs/khtml/xml/dom_nodeimpl.cpp:1836
#35 0x00007fb1e152cf5a in DOM::ElementImpl::detach (this=0x14ccf90) at /c/temp/kde/trunk-svn/kdelibs/khtml/xml/dom_elementimpl.cpp:910
#36 0x00007fb1e151f739 in DOM::NodeBaseImpl::detach (this=0x1454b00) at /c/temp/kde/trunk-svn/kdelibs/khtml/xml/dom_nodeimpl.cpp:1836
#37 0x00007fb1e152cf5a in DOM::ElementImpl::detach (this=0x1454b00) at /c/temp/kde/trunk-svn/kdelibs/khtml/xml/dom_elementimpl.cpp:910
#38 0x00007fb1e151f739 in DOM::NodeBaseImpl::detach (this=0x1380780) at /c/temp/kde/trunk-svn/kdelibs/khtml/xml/dom_nodeimpl.cpp:1836
#39 0x00007fb1e152cf5a in DOM::ElementImpl::detach (this=0x1380780) at /c/temp/kde/trunk-svn/kdelibs/khtml/xml/dom_elementimpl.cpp:910
#40 0x00007fb1e151f739 in DOM::NodeBaseImpl::detach (this=0x13813f0) at /c/temp/kde/trunk-svn/kdelibs/khtml/xml/dom_nodeimpl.cpp:1836
#41 0x00007fb1e152cf5a in DOM::ElementImpl::detach (this=0x13813f0) at /c/temp/kde/trunk-svn/kdelibs/khtml/xml/dom_elementimpl.cpp:910
#42 0x00007fb1e151f739 in DOM::NodeBaseImpl::detach (this=0x1363cf8) at /c/temp/kde/trunk-svn/kdelibs/khtml/xml/dom_nodeimpl.cpp:1836
#43 0x00007fb1e1507070 in DOM::DocumentImpl::detach (this=0x1363ce0) at /c/temp/kde/trunk-svn/kdelibs/khtml/xml/dom_docimpl.cpp:1540
#44 0x00007fb1e148e1f0 in KHTMLPart::clear (this=0x10a01f0) at /c/temp/kde/trunk-svn/kdelibs/khtml/khtml_part.cpp:1560
#45 0x00007fb1e14878c2 in ~KHTMLPart (this=0x10a01f0, __in_chrg=<value optimized out>, __vtt_parm=<value optimized out>) at /c/temp/kde/trunk-svn/kdelibs/khtml/khtml_part.cpp:610
#46 0x00007fb1de7de0ec in QObjectPrivate::deleteChildren (this=0x109ed30) at /c/temp/kde/trunk-svn/qt-copy/src/corelib/kernel/qobject.cpp:1997
#47 0x00007fb1def74cc4 in ~QWidget (this=0x109ebd0, __in_chrg=<value optimized out>) at /c/temp/kde/trunk-svn/qt-copy/src/gui/kernel/qwidget.cpp:1459
#48 0x00007fb1dfeac8ad in ~KMainWindow (this=0x109ebd0, __in_chrg=<value optimized out>) at /c/temp/kde/trunk-svn/kdelibs/kdeui/widgets/kmainwindow.cpp:476
#49 0x00007fb1dfef6401 in ~KXmlGuiWindow (this=0x109ebd0, __in_chrg=<value optimized out>, __vtt_parm=<value optimized out>) at /c/temp/kde/trunk-svn/kdelibs/kdeui/xmlgui/kxmlguiwindow.cpp:127
#50 0x00007fb1de7df58d in QObject::event (this=0x109ebd0, e=0x10a0560) at /c/temp/kde/trunk-svn/qt-copy/src/corelib/kernel/qobject.cpp:1242
#51 0x00007fb1def754c8 in QWidget::event (this=0x109ebd0, event=0x15335c0) at /c/temp/kde/trunk-svn/qt-copy/src/gui/kernel/qwidget.cpp:8431
#52 0x00007fb1df2e478b in QMainWindow::event (this=0x109ebd0, event=0x15335c0) at /c/temp/kde/trunk-svn/qt-copy/src/gui/widgets/qmainwindow.cpp:1435
#53 0x00007fb1dfeaf738 in KMainWindow::event (this=0x109ebd0, ev=0x15335c0) at /c/temp/kde/trunk-svn/kdelibs/kdeui/widgets/kmainwindow.cpp:1103
#54 0x00007fb1dfef6464 in KXmlGuiWindow::event (this=0x109ebd0, ev=0x15335c0) at /c/temp/kde/trunk-svn/kdelibs/kdeui/xmlgui/kxmlguiwindow.cpp:131
#55 0x00007fb1def20a6c in QApplicationPrivate::notify_helper (this=0xfc9690, receiver=0x109ebd0, e=0x15335c0) at /c/temp/kde/trunk-svn/qt-copy/src/gui/kernel/qapplication.cpp:4253
#56 0x00007fb1def2805a in QApplication::notify (this=0x7fffb810a9f0, receiver=<value optimized out>, e=0x15335c0) at /c/temp/kde/trunk-svn/qt-copy/src/gui/kernel/qapplication.cpp:4136
#57 0x00007fb1dfdab0db in KApplication::notify (this=0x7fffb810a9f0, receiver=0x109ebd0, event=0x15335c0) at /c/temp/kde/trunk-svn/kdelibs/kdeui/kernel/kapplication.cpp:302
#58 0x00007fb1de7d0d7c in QCoreApplication::notifyInternal (this=0x7fffb810a9f0, receiver=0x109ebd0, event=0x15335c0) at /c/temp/kde/trunk-svn/qt-copy/src/corelib/kernel/qcoreapplication.cpp:704
#59 0x00007fb1de7d15a9 in QCoreApplication::sendEvent (receiver=0x0, event_type=0, data=0xfb6850) at ../../include/QtCore/../../../../kde/trunk-svn/qt-copy/src/corelib/kernel/qcoreapplication.h:215
#60 QCoreApplicationPrivate::sendPostedEvents (receiver=0x0, event_type=0, data=0xfb6850) at /c/temp/kde/trunk-svn/qt-copy/src/corelib/kernel/qcoreapplication.cpp:1342
#61 0x00007fb1de7f6423 in QCoreApplication::sendPostedEvents (s=<value optimized out>) at ../../include/QtCore/../../../../kde/trunk-svn/qt-copy/src/corelib/kernel/qcoreapplication.h:220
#62 postEventSourceDispatch (s=<value optimized out>) at /c/temp/kde/trunk-svn/qt-copy/src/corelib/kernel/qeventdispatcher_glib.cpp:276
#63 0x00007fb1d94fc13a in g_main_context_dispatch () from /lib/libglib-2.0.so.0
#64 0x00007fb1d94ff998 in ?? () from /lib/libglib-2.0.so.0
#65 0x00007fb1d94ffb4c in g_main_context_iteration () from /lib/libglib-2.0.so.0
#66 0x00007fb1de7f5f73 in QEventDispatcherGlib::processEvents (this=0xfc9620, flags=<value optimized out>) at /c/temp/kde/trunk-svn/qt-copy/src/corelib/kernel/qeventdispatcher_glib.cpp:407
#67 0x00007fb1defbe01e in QGuiEventDispatcherGlib::processEvents (this=0x10a0560, flags=<value optimized out>) at /c/temp/kde/trunk-svn/qt-copy/src/gui/kernel/qguieventdispatcher_glib.cpp:202
#68 0x00007fb1de7cf8b2 in QEventLoop::processEvents (this=<value optimized out>, flags=) at /c/temp/kde/trunk-svn/qt-copy/src/corelib/kernel/qeventloop.cpp:149
#69 0x00007fb1de7cfa55 in QEventLoop::exec (this=0x7fffb810a930, flags=) at /c/temp/kde/trunk-svn/qt-copy/src/corelib/kernel/qeventloop.cpp:197
#70 0x00007fb1de7d181b in QCoreApplication::exec () at /c/temp/kde/trunk-svn/qt-copy/src/corelib/kernel/qcoreapplication.cpp:981
#71 0x0000000000406c6f in main (argc=2, argv=0x7fffb810b188) at /c/temp/kde/trunk-svn/kdelibs/khtml/testkhtml.cpp:138
The current source language is "auto; currently asm".
The current source language is "auto; currently c".

Report to https://bugs.kde.org
Comment 1 Michael G. Hansen 2010-01-24 12:26:19 UTC
*** Bug 223969 has been marked as a duplicate of this bug. ***
Comment 2 Maksim Orlovich 2010-01-24 17:04:11 UTC
Confirm after svn up'ing oxygen to trunk. Looking into it.
Comment 3 Maksim Orlovich 2010-01-24 17:56:31 UTC
Rough analysis of crash:
1) Top-level window in testkhtml gets deleted, which inside its destructor destroys the part
2) The part starts cleaning things up, and gets to RenderFormElement
3) RenderFormElement resets the style to default, so it can delete its own proxy style object.
4) The default style, oxygen, creates a child widget for some fancy effects...
5) Qt tries to register that widget in the focus-handling data structures of the top-level --- which is mostly destroyed already, including its focus data structures.
Comment 4 Johann-Nikolaus Andreae 2010-01-27 08:05:39 UTC
Created attachment 40281 [details]
New crash information added by DrKonqi

cancel the gps-correlator edit dialog
Comment 5 Maksim Orlovich 2010-01-27 14:40:11 UTC
@ Comment #4: is that from rc2, as the directory name suggests?
Comment 6 Johann-Nikolaus Andreae 2010-01-27 14:58:48 UTC
Yes, openSUSE repository.
Comment 7 Maksim Orlovich 2010-01-28 04:40:22 UTC
SVN commit 1081278 by orlovich:

Change how we manage the proxy styles' lifetime, in order to avoid a nasty interaction which can occur if we hand-reset the style to normal on detach: if we're detaching in response to a top-level's deletion and setStyle(0) throws oxygen back in, it may try to create some helper widgets for effects, which will access memory of the half-destroyed top-level.

Instead, make the proxy the child of the widget --- it's deleted very late, so wouldn't be accessed (famous last words, I know) --- and this avoids the style re-set.

Will backport for rc3 despite the trickiness since it affects 
kipi-plugins, making it high-priority.

BUG: 224018

(This might also have fixed a bug with padding customization when the type of a listview changes.)

 M  +13 -8     render_form.cpp  

WebSVN link: http://websvn.kde.org/?view=rev&revision=1081278
Comment 8 Maksim Orlovich 2010-01-28 04:52:37 UTC
SVN commit 1081282 by orlovich:

Backport:
SVN commit 1081278 by orlovich:

Change how we manage the proxy styles' lifetime, in order to avoid a nasty interaction which can occur if we hand-reset the style to normal on detach: if we're detaching in response to a top-level's deletion and setStyle(0) throws oxygen back in, it may try to create some helper widgets for effects, which will access memory of the half-destroyed top-level.

Instead, make the proxy the child of the widget --- it's deleted very late, so wouldn't be accessed (famous last words, I know) --- and this avoids the style re-set.

Will backport for rc3 despite the trickiness since it affects 
kipi-plugins, making it high-priority.

BUG: 224018

 M  +11 -6     render_form.cpp  

WebSVN link: http://websvn.kde.org/?view=rev&revision=1081282
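Added example (not KHTML, Qt or Oxygen code): a stripped-down C++ model of the teardown order described in Comment 3 and of the ownership change in the commits above. All names (TopLevel, Widget, PartBefore, PartAfter, lateAccessesOnClose) are assumed for the illustration, and the top-level's focus bookkeeping is modelled as a counter rather than freed memory, so the pre-fix path counts a late access where the real code dereferenced a half-destroyed window.

```cpp
#include <memory>
#include <vector>

struct TopLevel; struct ProxyStyle {};
struct Widget {
    TopLevel* tlw;
    std::unique_ptr<ProxyStyle> ownedProxy;   // proxy kept as the widget's child (fixed form)
    explicit Widget(TopLevel* t);
};

// Top-level window plus the focus bookkeeping Qt walks in reparentFocusWidgets when a child widget is parented.
struct TopLevel {
    int& lateFocusAccesses;   // in the real crash each one is a use-after-free
    std::unique_ptr<std::vector<Widget*>> focusChain{new std::vector<Widget*>};
    std::vector<std::shared_ptr<void>> children;   // type-erased owned children
    explicit TopLevel(int& counter) : lateFocusAccesses(counter) {}
    void registerFocus(Widget* w) {
        if (!focusChain) { ++lateFocusAccesses; return; }   // data already torn down
        focusChain->push_back(w);
    }
    // Same order as the backtrace: the window's own state goes first, then deleteChildren.
    ~TopLevel() { focusChain.reset(); children.clear(); }
};
Widget::Widget(TopLevel* t) : tlw(t) { tlw->registerFocus(this); }

// setStyle(0) re-polishes with the default style; Oxygen's polish() then creates a helper child widget.
void setStyle(Widget* w, ProxyStyle* style) {
    if (!style) { Widget oxygenHelper(w->tlw); (void)oxygenHelper; }
}

// Before the fix: the render object owns the proxy and resets the widget's style on detach to delete it.
struct PartBefore {
    std::unique_ptr<Widget> widget;
    std::unique_ptr<ProxyStyle> proxy;
    explicit PartBefore(TopLevel* t) : widget(new Widget(t)), proxy(new ProxyStyle) {}
    ~PartBefore() { setStyle(widget.get(), nullptr); proxy.reset(); }
};
// After the fix: the proxy is the widget's child and dies with it; detach never resets the style.
struct PartAfter {
    std::unique_ptr<Widget> widget;
    explicit PartAfter(TopLevel* t) : widget(new Widget(t)) { widget->ownedProxy.reset(new ProxyStyle); }
};

// Open a window holding one text input, close it, and count late focus accesses.
template <class Part> int lateAccessesOnClose() {
    int count = 0;
    { TopLevel tlw(count); tlw.children.push_back(std::make_shared<Part>(&tlw)); }
    return count;
}
```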