Bug 227900

Summary: Konqueror crashes on validating a dialog box on www.leroymerlin.fr
Product: [Applications] konqueror
Reporter: lpoujoulat
Component: khtml
Assignee: Konqueror Bugs <konqueror-bugs-null>
Status: RESOLVED FIXED
Severity: crash
CC: laviddichterman, maksim, sujith.s
Priority: NOR
Version First Reported In: unspecified
Target Milestone: ---
Platform: Ubuntu
OS: Linux
Attachments: Valgrind log

Description lpoujoulat 2010-02-21 09:02:19 UTC
Application: konqueror (4.4.00 (KDE 4.4.0))
KDE Platform Version: 4.4.00 (KDE 4.4.0)
Qt Version: 4.6.1
Operating System: Linux 2.6.31-19-generic x86_64
Distribution: Ubuntu 9.10

-- Information about the crash:
Konqueror always crashes when doing the following:
- open www.leroymerlin.fr
- Enter zip code '93140' in the 'code postal' field and click on the search button
- A new page loads and a dialog box is raised asking (in French) whether to close the window or not
- Whichever choice you make, Konqueror segfaults

Kubuntu 9.10 AMD64, with KDE 4.4 from backports

The crash can be reproduced every time.

-- Backtrace:
Application: Konqueror (kdeinit4), signal: Segmentation fault
[KCrash Handler]
#5  0x00007fdaa9fe4862 in ?? () from /usr/lib/libkhtml.so.5
#6  0x00007fdac0e4c993 in QObject::event(QEvent*) () from /usr/lib/libQtCore.so.4
#7  0x00007fdabffdbfac in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/lib/libQtGui.so.4
#8  0x00007fdabffe259b in QApplication::notify(QObject*, QEvent*) () from /usr/lib/libQtGui.so.4
#9  0x00007fdac1384d16 in KApplication::notify(QObject*, QEvent*) () from /usr/lib/libkdeui.so.5
#10 0x00007fdac0e3cf3c in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /usr/lib/libQtCore.so.4
#11 0x00007fdac0e69b92 in ?? () from /usr/lib/libQtCore.so.4
#12 0x00007fdac0e66798 in ?? () from /usr/lib/libQtCore.so.4
#13 0x00007fdabc04bbce in g_main_context_dispatch () from /lib/libglib-2.0.so.0
#14 0x00007fdabc04f598 in ?? () from /lib/libglib-2.0.so.0
#15 0x00007fdabc04f6c0 in g_main_context_iteration () from /lib/libglib-2.0.so.0
#16 0x00007fdac0e66463 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/libQtCore.so.4
#17 0x00007fdac008b7ee in ?? () from /usr/lib/libQtGui.so.4
#18 0x00007fdac0e3b862 in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/libQtCore.so.4
#19 0x00007fdac0e3bc3c in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/libQtCore.so.4
#20 0x00007fdac0e3f97b in QCoreApplication::exec() () from /usr/lib/libQtCore.so.4
#21 0x00007fdab5ac37b6 in kdemain () from /usr/lib/libkdeinit4_konqueror.so
#22 0x0000000000406fb8 in _start ()

Possible duplicates by query: bug 227886, bug 227860, bug 227848, bug 227838, bug 227825.

Reported using DrKonqi
Comment 1 Tommi Tervo 2010-02-21 14:21:03 UTC
[KCrash Handler]
#6  0xb30056f7 in KJS::List::deref (this=0x980967c) at /home/teve/kde/kdelibs/kjs/list.h:134
#7  0xb30056bf in KJS::List::reset (this=0x980967c) at /home/teve/kde/kdelibs/kjs/list.h:74
#8  0xb30019a4 in KJS::ScheduledAction::~ScheduledAction (this=0x9809678, __in_chrg=<value optimized out>) at /home/teve/kde/kdelibs/khtml/ecma/kjs_window.cpp:2216
#9  0xb3002967 in KJS::WindowQObject::timerEvent (this=0xc7cd1d0) at /home/teve/kde/kdelibs/khtml/ecma/kjs_window.cpp:2378
#10 0xb6857ab4 in QObject::event (this=0xc7cd1d0, e=0x964caa8) at kernel/qobject.cpp:1212
#11 0xb5cdb3fc in QApplicationPrivate::notify_helper (this=0x8068e68, receiver=0xc7cd1d0, e=0xbfcc5e44) at kernel/qapplication.cpp:4300
#12 0xb5ce2248 in QApplication::notify (this=0xbfcc61f0, receiver=0xc7cd1d0, e=0xbfcc5e44) at kernel/qapplication.cpp:4183
#13 0xb6e39c68 in KApplication::notify (this=0xbfcc61f0, receiver=0xc7cd1d0, event=0xbfcc5e44) at /home/teve/kde/kdelibs/kdeui/kernel/kapplication.cpp:302
#14 0xb6846dde in QCoreApplication::notifyInternal (this=0xbfcc61f0, receiver=0xc7cd1d0, event=0xbfcc5e44) at kernel/qcoreapplication.cpp:704
#15 0xb6876ffe in sendEvent (event=<value optimized out>, receiver=<value optimized out>) at kernel/qcoreapplication.h:215
#16 QTimerInfoList::activateTimers (event=<value optimized out>, receiver=<value optimized out>) at kernel/qeventdispatcher_unix.cpp:617
#17 0xb6873c95 in timerSourceDispatch (source=0x806c000) at kernel/qeventdispatcher_glib.cpp:184
#18 idleTimerSourceDispatch (source=0x806c000) at kernel/qeventdispatcher_glib.cpp:231
#19 0xb54434c2 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#20 0xb5446d98 in ?? () from /usr/lib/libglib-2.0.so.0
#21 0xb5446ebe in g_main_context_iteration () from /usr/lib/libglib-2.0.so.0
#22 0xb6873931 in QEventDispatcherGlib::processEvents (this=0x8051e08, flags=...) at kernel/qeventdispatcher_glib.cpp:412
#23 0xb5d9be0a in QGuiEventDispatcherGlib::processEvents (this=0x8051e08, flags=...) at kernel/qguieventdispatcher_glib.cpp:204
#24 0xb684544d in QEventLoop::processEvents (this=0xbfcc60f4, flags=) at kernel/qeventloop.cpp:149
#25 0xb6845899 in QEventLoop::exec (this=0xbfcc60f4, flags=...) at kernel/qeventloop.cpp:201
#26 0xb6849a10 in QCoreApplication::exec () at kernel/qcoreapplication.cpp:981
#27 0xb5cdb4a4 in QApplication::exec () at kernel/qapplication.cpp:3579
#28 0xb77994c3 in kdemain (argc=1, argv=0xbfcc64b4) at /home/teve/kde/kdebase/apps/konqueror/src/konqmain.cpp:232
#29 0x080487a9 in main (argc=1, argv=0xbfcc64b4) at /home/teve/kde/kbb/apps/konqueror/src/konqueror_dummy.cpp:3
Comment 2 Tommi Tervo 2010-02-21 14:28:30 UTC
*** Bug 212464 has been marked as a duplicate of this bug. ***
Comment 3 Tommi Tervo 2010-02-21 14:28:49 UTC
*** Bug 212869 has been marked as a duplicate of this bug. ***
Comment 4 Maksim Orlovich 2010-02-21 15:39:07 UTC
Reproducible? Thanks!
Comment 5 Tommi Tervo 2010-02-21 16:41:28 UTC
Created attachment 40984 [details]
Valgrind log
Comment 6 Maksim Orlovich 2010-02-21 18:43:01 UTC
WindowQObject gets destroyed in clear while dispatching a timer due to event loop recursion:

==1529== Invalid read of size 1                                                                                                                
==1529==    at 0xD81F74B: KJS::WindowQObject::timerEvent(QTimerEvent*) (kjs_window.cpp:2367)                                                   
==1529==    by 0x5238F89: QObject::event(QEvent*) (qobject.cpp:1224)                                                                           
==1529==    by 0x5723E65: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:4242)                                        
==1529==    by 0x5721AD6: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:3661)                                                      
==1529==    by 0x4A23C52: KApplication::notify(QObject*, QEvent*) (kapplication.cpp:302)                                                       
==1529==    by 0x522391B: QCoreApplication::notifyInternal(QObject*, QEvent*) (qcoreapplication.cpp:704)                                       
==1529==    by 0x40BD07D: QCoreApplication::sendEvent(QObject*, QEvent*) (qcoreapplication.h:215)                                              
==1529==    by 0x5259A36: QTimerInfoList::activateTimers() (qeventdispatcher_unix.cpp:603)                                                     
==1529==    by 0x5255DB2: timerSourceDispatch(_GSource*, int (*)(void*), void*) (qeventdispatcher_glib.cpp:184)                                
==1529==    by 0x5255E6B: idleTimerSourceDispatch(_GSource*, int (*)(void*), void*) (qeventdispatcher_glib.cpp:231)                            
==1529==    by 0x66E0E87: g_main_context_dispatch (in /lib/libglib-2.0.so.0.2200.3)                                                            
==1529==    by 0x66E472F: ??? (in /lib/libglib-2.0.so.0.2200.3)                                                                                
==1529==    by 0x66E4862: g_main_context_iteration (in /lib/libglib-2.0.so.0.2200.3)                                                           
==1529==    by 0x5256D7B: QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventdispatcher_glib.cpp:407)           
==1529==    by 0x57E990D: QGuiEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qguieventdispatcher_glib.cpp:202)     
==1529==    by 0x52212EE: QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventloop.cpp:149)                                
==1529==    by 0x5221432: QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (qeventloop.cpp:197)                                         
==1529==    by 0x5223FC1: QCoreApplication::exec() (qcoreapplication.cpp:981)                                                                  
==1529==    by 0x5721745: QApplication::exec() (qapplication.cpp:3570)                                                                         
==1529==    by 0x4143992: kdemain (konqmain.cpp:257)                                                                                           
==1529==    by 0x80487EA: main (konqueror_dummy.cpp:3)                                                                                         
==1529==  Address 0x9e05605 is 13 bytes inside a block of size 36 free'd                                                                       
==1529==    at 0x402454D: operator delete(void*) (vg_replace_malloc.c:346)                                                                     
==1529==    by 0xD81F129: KJS::WindowQObject::parentDestroyed() (kjs_window.cpp:2242)                                                          
==1529==    by 0xD81F17F: KJS::WindowQObject::~WindowQObject() (kjs_window.cpp:2234)                                                           
==1529==    by 0xD820B65: KJS::Window::clear(KJS::ExecState*) (kjs_window.cpp:1409)                                                            
==1529==    by 0xD8358B8: KJS::KJSProxyImpl::clear() (kjs_proxy.cpp:213)                                                                       
==1529==    by 0xD5A6F50: KHTMLPart::clear() (khtml_part.cpp:1569)                                                                             
==1529==    by 0xD5A7E5D: KHTMLPart::begin(KUrl const&, int, int) (khtml_part.cpp:2019)                                                        
==1529==    by 0xD5A5FE1: KHTMLPart::slotData(KIO::Job*, QByteArray const&) (khtml_part.cpp:1710)                                              
==1529==    by 0xD5AEA86: KHTMLPart::qt_metacall(QMetaObject::Call, int, void**) (khtml_part.moc:277)                                          
==1529==    by 0x522A7B5: QMetaObject::metacall(QObject*, QMetaObject::Call, int, void**) (qmetaobject.cpp:237)                                
==1529==    by 0x523C979: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qobject.cpp:3291)                                  
==1529==    by 0x4419878: KIO::TransferJob::data(KIO::Job*, QByteArray const&) (jobclasses.moc:388)                                            
==1529==    by 0x441CE2A: KIO::TransferJob::slotData(QByteArray const&) (job.cpp:953)                                                          
==1529==    by 0x44253EF: KIO::TransferJob::qt_metacall(QMetaObject::Call, int, void**) (jobclasses.moc:368)                                   
==1529==    by 0x522A7B5: QMetaObject::metacall(QObject*, QMetaObject::Call, int, void**) (qmetaobject.cpp:237)                                
==1529==    by 0x523C979: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qobject.cpp:3291)                                  
==1529==    by 0x44DF992: KIO::SlaveInterface::data(QByteArray const&) (slaveinterface.moc:146)                                                
==1529==    by 0x44E14EE: KIO::SlaveInterface::dispatch(int, QByteArray const&) (slaveinterface.cpp:163)                                       
==1529==    by 0x44E2119: KIO::SlaveInterface::dispatch() (slaveinterface.cpp:91)                                                              
==1529==    by 0x44D4FC3: KIO::Slave::gotInput() (slave.cpp:324)                                                                               
==1529==    by 0x44D64FA: KIO::Slave::qt_metacall(QMetaObject::Call, int, void**) (slave.moc:82)                                               
==1529==    by 0x522A7B5: QMetaObject::metacall(QObject*, QMetaObject::Call, int, void**) (qmetaobject.cpp:237)                                
==1529==    by 0x523C979: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qobject.cpp:3291)                                  
==1529==    by 0x43EA5B6: KIO::Connection::readyRead() (connection.moc:92)                                                                     
==1529==    by 0x43EB5D5: KIO::ConnectionPrivate::dequeue() (connection.cpp:82)                                                                
==1529==    by 0x43EC455: KIO::Connection::qt_metacall(QMetaObject::Call, int, void**) (connection.moc:79)                                     
==1529==    by 0x522A7B5: QMetaObject::metacall(QObject*, QMetaObject::Call, int, void**) (qmetaobject.cpp:237)                                
==1529==    by 0x523739E: QMetaCallEvent::placeMetaCall(QObject*) (qobject.cpp:574)                                                            
==1529==    by 0x523904C: QObject::event(QEvent*) (qobject.cpp:1257)                                                                           
==1529==    by 0x5723E65: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:4242)                                        
==1529==    by 0x5721AD6: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:3661)                                                      
==1529==    by 0x4A23C52: KApplication::notify(QObject*, QEvent*) (kapplication.cpp:302)                                                       
==1529==    by 0x522391B: QCoreApplication::notifyInternal(QObject*, QEvent*) (qcoreapplication.cpp:704)                                       
==1529==    by 0x40BD07D: QCoreApplication::sendEvent(QObject*, QEvent*) (qcoreapplication.h:215)                                              
==1529==    by 0x522494F: QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qcoreapplication.cpp:1342)                   
==1529==    by 0x5224608: QCoreApplication::sendPostedEvents(QObject*, int) (qcoreapplication.cpp:1238)                                        
==1529==    by 0x4AEBDD5: QCoreApplication::sendPostedEvents() (qcoreapplication.h:220)                                                        
==1529==    by 0x5255F52: postEventSourceDispatch(_GSource*, int (*)(void*), void*) (qeventdispatcher_glib.cpp:276)                            
==1529==    by 0x66E0E87: g_main_context_dispatch (in /lib/libglib-2.0.so.0.2200.3)                                                            
==1529==    by 0x66E472F: ??? (in /lib/libglib-2.0.so.0.2200.3)                                                                                
==1529==    by 0x66E4862: g_main_context_iteration (in /lib/libglib-2.0.so.0.2200.3)                                                           
==1529==    by 0x5256D7B: QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventdispatcher_glib.cpp:407)           
==1529==    by 0x57E990D: QGuiEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qguieventdispatcher_glib.cpp:202)     
==1529==    by 0x52212EE: QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventloop.cpp:149)                                
==1529==    by 0x5221432: QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (qeventloop.cpp:197)                                         
==1529==    by 0x5C9D928: QDialog::exec() (qdialog.cpp:530)                                                                                    
==1529==    by 0x499A0E5: KMessageBox::createKMessageBox(KDialog*, QIcon const&, QString const&, QStringList const&, QString const&, bool*, QFlags<KMessageBox::Option>, QString const&, QMessageBox::Icon) (kmessagebox.cpp:333)                                                             
==1529==    by 0x499A755: KMessageBox::createKMessageBox(KDialog*, QMessageBox::Icon, QString const&, QStringList const&, QString const&, bool*, QFlags<KMessageBox::Option>, QString const&) (kmessagebox.cpp:151)                                                                           
==1529==    by 0x499D627: KMessageBox::questionYesNoListWId(unsigned long, QString const&, QStringList const&, QString const&, KGuiItem const&, KGuiItem const&, QString const&, QFlags<KMessageBox::Option>) (kmessagebox.cpp:475)                                                           
==1529==    by 0x499D702: KMessageBox::questionYesNoList(QWidget*, QString const&, QStringList const&, QString const&, KGuiItem const&, KGuiItem const&, QString const&, QFlags<KMessageBox::Option>) (kmessagebox.cpp:435)                                                                   

One option for a fix may be to set a flag on WindowQObject in Window::clear if it's dispatching events, but not delete it, and have it suicide after returning from the dispatch.
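The deferred-deletion guard sketched in the comment above, as an added example that is not part of this bug report or of kdelibs: a Qt-free stand-in for WindowQObject (hypothetical class `TimerHost`) that refuses to delete itself while it is inside its own timer dispatch and defers the deletion until the dispatch returns. The scenario functions and the destruction counter are constructed for the example.

```cpp
#include <functional>
#include <utility>
#include <vector>

// Stand-in for KJS::WindowQObject (hypothetical name, no Qt dependency).
// Bug pattern: a scheduled action opens a modal dialog, the nested event loop
// loads a new page, Window::clear() deletes the WindowQObject, and control then
// returns into timerEvent() on a freed object. The flag below defers that delete.
class TimerHost {
public:
    explicit TimerHost(int* destroyedCounter) : m_destroyed(destroyedCounter) {}
    ~TimerHost() { ++*m_destroyed; }
    void schedule(std::function<void()> fn) { m_actions.push_back(std::move(fn)); }

    // Analogue of timerEvent(): runs the pending actions.
    void dispatchTimers() {
        m_dispatching = true;
        // Take the actions out of the object first, so a clear() triggered from
        // inside an action cannot free the list we are iterating (the crash site).
        auto actions = std::move(m_actions);
        m_actions.clear();
        for (auto& run : actions) run();
        m_dispatching = false;
        if (m_pendingDelete) delete this;   // deferred self-deletion; no member access after this
    }

    // Analogue of Window::clear() -> WindowQObject::parentDestroyed().
    // Returns true if the object was deleted on the spot, false if deferred.
    bool parentDestroyed() {
        m_actions.clear();
        if (m_dispatching) { m_pendingDelete = true; return false; }   // still dispatching: only flag
        delete this;
        return true;
    }

private:
    std::vector<std::function<void()>> m_actions;
    bool m_dispatching = false;
    bool m_pendingDelete = false;
    int* m_destroyed;
};

struct ReentrantResult { bool deletedInsideAction; int destroyedAfterDispatch; };

// clear() arriving while an action is running (the nested-event-loop case from the log).
ReentrantResult runReentrantClear() {
    int destroyed = 0;
    TimerHost* host = new TimerHost(&destroyed);
    bool deletedInside = true;
    host->schedule([&] { deletedInside = host->parentDestroyed(); });
    host->dispatchTimers();   // host deletes itself just before this call returns
    return {deletedInside, destroyed};
}

// clear() arriving while idle: deletion still happens immediately, as before.
bool runIdleClear() {
    int destroyed = 0;
    TimerHost* host = new TimerHost(&destroyed);
    host->schedule([] {});
    return host->parentDestroyed() && destroyed == 1;
}
```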
Comment 7 lpoujoulat 2013-08-17 06:20:59 UTC
Cannot reproduce it in the latest version (4.11), so it's probably fixed.