Bug 236666

Summary: [testcase] [patch] konqueror crashed
Product: [Applications] konqueror
Reporter: anton <benderamp>
Component: khtml renderer
Assignee: Konqueror Developers <konq-bugs>
Status: RESOLVED FIXED
Severity: crash
CC: aiacovitti, dimichxp
Priority: NOR
Keywords: reproducible, testcase
Version: 4.10.97
Target Milestone: ---
Platform: openSUSE
OS: Linux
Latest Commit:
Version Fixed In: 4.11.3
Attachments: draft patch to fix the bug
online testcase posted in comment #1

Description anton 2010-05-07 09:44:25 UTC
Application: konqueror (4.4.2 (KDE 4.4.2) "release 234")
KDE Platform Version: 4.4.2 (KDE 4.4.2) "release 234"
Qt Version: 4.6.2
Operating System: Linux 2.6.31.5-0.1-desktop x86_64
Distribution: "openSUSE 11.2 (x86_64)"

-- Information about the crash:
I had many tabs open in one konqueror window, clicked on the http://www.job.ru/law/1645746 link inside one of the tabs and konqueror crashed. After restoring the session/repeating the situation the crash did not happen.

The crash does not seem to be reproducible.

-- Backtrace:
Application: Konqueror (kdeinit4), signal: Segmentation fault
[KCrash Handler]
#5  d_func (this=<value optimized out>) at ../../src/gui/kernel/qwidget.h:143
#6  QWidget::setEnabled (this=<value optimized out>) at kernel/qwidget.cpp:3063
#7  0x00007f0ae11e502d in khtml::RenderLayer::checkScrollbarsAfterLayout (this=0x3888950) at /usr/src/debug/kdelibs-4.4.2/khtml/rendering/render_layer.cpp:921
#8  0x00007f0ae11c6015 in khtml::RenderObject::attemptDirectLayerTranslation (this=0x3888888) at /usr/src/debug/kdelibs-4.4.2/khtml/rendering/render_object.cpp:2171
#9  0x00007f0ae11cf4e8 in khtml::RenderObject::setStyle (this=0x3888888, style=0xcee4800) at /usr/src/debug/kdelibs-4.4.2/khtml/rendering/render_object.cpp:2111
#10 0x00007f0ae11d082e in khtml::RenderContainer::setStyle (this=0x0, _style=0x0) at /usr/src/debug/kdelibs-4.4.2/khtml/rendering/render_container.cpp:264
#11 0x00007f0ae11d42de in khtml::RenderBox::setStyle (this=0x3888888, _style=0xcee4800) at /usr/src/debug/kdelibs-4.4.2/khtml/rendering/render_box.cpp:153
#12 0x00007f0ae11b560b in khtml::RenderBlock::setStyle (this=0x3888888, _style=0x0) at /usr/src/debug/kdelibs-4.4.2/khtml/rendering/render_block.cpp:123
#13 0x00007f0ae11217be in DOM::ElementImpl::recalcStyle (this=0xf57e1f0, change=NoInherit) at /usr/src/debug/kdelibs-4.4.2/khtml/xml/dom_elementimpl.cpp:995
#14 0x00007f0ae116c949 in DOM::HTMLElementImpl::recalcStyle (this=0x0, ch=NoChange) at /usr/src/debug/kdelibs-4.4.2/khtml/html/html_elementimpl.cpp:238
#15 0x00007f0ae1121807 in DOM::ElementImpl::recalcStyle (this=0xd1d9e50, change=NoInherit) at /usr/src/debug/kdelibs-4.4.2/khtml/xml/dom_elementimpl.cpp:1015
#16 0x00007f0ae116c949 in DOM::HTMLElementImpl::recalcStyle (this=0x0, ch=NoChange) at /usr/src/debug/kdelibs-4.4.2/khtml/html/html_elementimpl.cpp:238
#17 0x00007f0ae1121807 in DOM::ElementImpl::recalcStyle (this=0x968faf0, change=NoChange) at /usr/src/debug/kdelibs-4.4.2/khtml/xml/dom_elementimpl.cpp:1015
#18 0x00007f0ae116c949 in DOM::HTMLElementImpl::recalcStyle (this=0x0, ch=NoChange) at /usr/src/debug/kdelibs-4.4.2/khtml/html/html_elementimpl.cpp:238
#19 0x00007f0ae1121807 in DOM::ElementImpl::recalcStyle (this=0x5dc2430, change=NoChange) at /usr/src/debug/kdelibs-4.4.2/khtml/xml/dom_elementimpl.cpp:1015
#20 0x00007f0ae116c949 in DOM::HTMLElementImpl::recalcStyle (this=0x0, ch=NoChange) at /usr/src/debug/kdelibs-4.4.2/khtml/html/html_elementimpl.cpp:238
#21 0x00007f0ae1110aff in DOM::DocumentImpl::recalcStyle (this=0x9dc6c50, change=NoChange) at /usr/src/debug/kdelibs-4.4.2/khtml/xml/dom_docimpl.cpp:1435
#22 0x00007f0ae110c571 in DOM::DocumentImpl::updateLayout (this=0x9dc6c50) at /usr/src/debug/kdelibs-4.4.2/khtml/xml/dom_docimpl.cpp:1493
#23 0x00007f0ae12b3501 in KJS::DOMNode::getValueProperty (this=0x7f0ae4fe90c0, exec=0x7fffbeabcc50, token=62) at /usr/src/debug/kdelibs-4.4.2/khtml/ecma/kjs_dom.cpp:374
#24 0x00007f0ae0a16fe0 in getValue (propertyName=<value optimized out>, originalObject=<value optimized out>, exec=<value optimized out>, this=<value optimized out>)
    at /usr/src/debug/kdelibs-4.4.2/kjs/property_slot.h:46
#25 KJS::JSObject::get (propertyName=<value optimized out>, originalObject=<value optimized out>, exec=<value optimized out>, this=<value optimized out>)
    at /usr/src/debug/kdelibs-4.4.2/kjs/object.cpp:133
#26 0x00007f0ae0a2f4b6 in KJS::Machine::runBlock (exec=0x7fffbeabcc50, codeBlock=<value optimized out>, parentExec=<value optimized out>) at codes.def:715
#27 0x00007f0ae0a13dfa in KJS::FunctionImp::callAsFunction (this=0x7f0ae4fb5a00, exec=0x7fffbeabd640, thisObj=<value optimized out>, args=<value optimized out>)
    at /usr/src/debug/kdelibs-4.4.2/kjs/function.cpp:144
#28 0x00007f0ae0a176b9 in KJS::JSObject::call (this=0x0, exec=0x0, thisObj=0x0, args=...) at /usr/src/debug/kdelibs-4.4.2/kjs/object.cpp:70
#29 0x00007f0ae0a338ba in KJS::Machine::runBlock (exec=0x7fffbeabd640, codeBlock=<value optimized out>, parentExec=<value optimized out>) at codes.def:1192
#30 0x00007f0ae0a13dfa in KJS::FunctionImp::callAsFunction (this=0x7f0ad63453c0, exec=0x7fffbeabe100, thisObj=<value optimized out>, args=<value optimized out>)
    at /usr/src/debug/kdelibs-4.4.2/kjs/function.cpp:144
#31 0x00007f0ae0a176b9 in KJS::JSObject::call (this=0x0, exec=0x0, thisObj=0x0, args=...) at /usr/src/debug/kdelibs-4.4.2/kjs/object.cpp:70
#32 0x00007f0ae09fa0c5 in KJS::FunctionProtoFunc::callAsFunction (this=<value optimized out>, exec=0x7fffbeabe100, thisObj=0x7f0ad63453c0, args=<value optimized out>)
    at /usr/src/debug/kdelibs-4.4.2/kjs/function_object.cpp:123
#33 0x00007f0ae0a176b9 in KJS::JSObject::call (this=0x0, exec=0x0, thisObj=0x0, args=...) at /usr/src/debug/kdelibs-4.4.2/kjs/object.cpp:70
#34 0x00007f0ae0a338ba in KJS::Machine::runBlock (exec=0x7fffbeabe100, codeBlock=<value optimized out>, parentExec=<value optimized out>) at codes.def:1192
#35 0x00007f0ae0a13dfa in KJS::FunctionImp::callAsFunction (this=0x7f0ae4fe6e40, exec=0x7fffbeabebc0, thisObj=<value optimized out>, args=<value optimized out>)
    at /usr/src/debug/kdelibs-4.4.2/kjs/function.cpp:144
#36 0x00007f0ae0a176b9 in KJS::JSObject::call (this=0x0, exec=0x0, thisObj=0x0, args=...) at /usr/src/debug/kdelibs-4.4.2/kjs/object.cpp:70
#37 0x00007f0ae09fa0c5 in KJS::FunctionProtoFunc::callAsFunction (this=<value optimized out>, exec=0x7fffbeabebc0, thisObj=0x7f0ae4fe6e40, args=<value optimized out>)
    at /usr/src/debug/kdelibs-4.4.2/kjs/function_object.cpp:123
#38 0x00007f0ae0a176b9 in KJS::JSObject::call (this=0x0, exec=0x0, thisObj=0x0, args=...) at /usr/src/debug/kdelibs-4.4.2/kjs/object.cpp:70
#39 0x00007f0ae0a338ba in KJS::Machine::runBlock (exec=0x7fffbeabebc0, codeBlock=<value optimized out>, parentExec=<value optimized out>) at codes.def:1192
#40 0x00007f0ae0a13dfa in KJS::FunctionImp::callAsFunction (this=0x7f0ae4fdb2c0, exec=0xe099d0, thisObj=<value optimized out>, args=<value optimized out>)
    at /usr/src/debug/kdelibs-4.4.2/kjs/function.cpp:144
#41 0x00007f0ae0a176b9 in KJS::JSObject::call (this=0x0, exec=0x0, thisObj=0x0, args=...) at /usr/src/debug/kdelibs-4.4.2/kjs/object.cpp:70
#42 0x00007f0ae1315913 in KJS::JSEventListener::handleEvent (this=0x10ad0f20, evt=...) at /usr/src/debug/kdelibs-4.4.2/khtml/ecma/kjs_events.cpp:106
#43 0x00007f0ae1102b96 in DOM::DocumentImpl::defaultEventHandler (this=<value optimized out>, evt=0x1a2b0c90) at /usr/src/debug/kdelibs-4.4.2/khtml/xml/dom_docimpl.cpp:2749
#44 0x00007f0ae1119578 in DOM::NodeImpl::dispatchWindowEvent (this=0x17abdb70, _id=26, canBubbleArg=<value optimized out>, cancelableArg=<value optimized out>)
    at /usr/src/debug/kdelibs-4.4.2/khtml/xml/dom_nodeimpl.cpp:568
#45 0x00007f0ae118fd0a in DOM::HTMLPartContainerElementImpl::event (this=<value optimized out>, e=0x15a42000) at /usr/src/debug/kdelibs-4.4.2/khtml/html/html_objectimpl.cpp:150
#46 0x00007f0af3291e1c in QApplicationPrivate::notify_helper (this=0x671bf0, receiver=0x17abdb60, e=0x15a42000) at kernel/qapplication.cpp:4300
#47 0x00007f0af32983fb in QApplication::notify (this=0x7fffbeabf8e0, receiver=0x17abdb60, e=0x15a42000) at kernel/qapplication.cpp:4183
#48 0x00007f0af45c4506 in KApplication::notify (this=0x7fffbeabf8e0, receiver=0x17abdb60, event=0x15a42000) at /usr/src/debug/kdelibs-4.4.2/kdeui/kernel/kapplication.cpp:302
#49 0x00007f0af40f198c in QCoreApplication::notifyInternal (this=0x7fffbeabf8e0, receiver=0x17abdb60, event=0x15a42000) at kernel/qcoreapplication.cpp:704
#50 0x00007f0af40f4107 in sendEvent (event=<value optimized out>, receiver=<value optimized out>) at kernel/qcoreapplication.h:215
#51 QCoreApplicationPrivate::sendPostedEvents (event=<value optimized out>, receiver=<value optimized out>) at kernel/qcoreapplication.cpp:1345
#52 0x00007f0af411b373 in sendPostedEvents () at kernel/qcoreapplication.h:220
#53 postEventSourceDispatch () at kernel/qeventdispatcher_glib.cpp:276
#54 0x00007f0aef352dde in g_main_context_dispatch () from /usr/lib64/libglib-2.0.so.0
#55 0x00007f0aef3567a8 in ?? () from /usr/lib64/libglib-2.0.so.0
#56 0x00007f0aef3568d0 in g_main_context_iteration () from /usr/lib64/libglib-2.0.so.0
#57 0x00007f0af411aeb3 in QEventDispatcherGlib::processEvents (this=0x61a8e0, flags=<value optimized out>) at kernel/qeventdispatcher_glib.cpp:412
#58 0x00007f0af334051e in QGuiEventDispatcherGlib::processEvents (this=0x0, flags=<value optimized out>) at kernel/qguieventdispatcher_glib.cpp:204
#59 0x00007f0af40f02a2 in QEventLoop::processEvents (this=<value optimized out>, flags=) at kernel/qeventloop.cpp:149
#60 0x00007f0af40f067c in QEventLoop::exec (this=0x7fffbeabf6d0, flags=) at kernel/qeventloop.cpp:201
#61 0x00007f0af40f43cb in QCoreApplication::exec () at kernel/qcoreapplication.cpp:981
#62 0x00007f0ae770506b in kdemain (argc=<value optimized out>, argv=<value optimized out>) at /usr/src/debug/kdebase-4.4.2/apps/konqueror/src/konqmain.cpp:257
#63 0x00000000004073b8 in launch (argc=3, _name=<value optimized out>, args=<value optimized out>, cwd=<value optimized out>, envc=24, envs=<value optimized out>, reset_env=false, tty=0x0, 
    avoid_loops=false, startup_id_str=0x409c52 "0") at /usr/src/debug/kdelibs-4.4.2/kinit/kinit.cpp:717
#64 0x0000000000408070 in handle_launcher_request (sock=8, who=<value optimized out>) at /usr/src/debug/kdelibs-4.4.2/kinit/kinit.cpp:1209
#65 0x0000000000408521 in handle_requests (waitForPid=0) at /usr/src/debug/kdelibs-4.4.2/kinit/kinit.cpp:1402
#66 0x0000000000409202 in main (argc=4, argv=<value optimized out>, envp=<value optimized out>) at /usr/src/debug/kdelibs-4.4.2/kinit/kinit.cpp:1845

Reported using DrKonqi
Comment 1 Dmitriy Taychenachev 2010-05-07 13:45:22 UTC
Reduced to
<body>
<div id="base" style='height:100%; width:100%; position:absolute; background:#00ff00'/>
 <div class="popup" id="container" style="position:relative" >
 </div>
</div>
<script type="text/javascript">
 document.getElementById("base").style.overflowX = "scroll";
 document.getElementById("container").style.top = "0.0px";
</script>
</body>

As for me, it's 100% reproducible. Seems to be a race; inserting an alert (and waiting for some time) before the `top' assignment prevents the crash.
Comment 2 Dmitriy Taychenachev 2010-05-07 16:47:51 UTC
I have tried to investigate this bug. It seems to happen when setStyle() of a RenderBlock tries to "fix" the current layout due to a position change, but the current layout has not been built yet. checkScrollbarsAfterLayout(), which is called by attemptDirectLayerTranslation(), relies on a proper scrollbar state, so it fails because layouting has not been done yet and the scrollbars are not initialized.
I have tried to fix it by not reusing incomplete layouts (patch attached), but I can't really tell if it is correct; it would be very nice if someone who is really familiar with KHTML would review and explain all that stuff more correctly.
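An added model of the sequence described in this comment (not KHTML's, the reporter's or the committer's code): the class and method names echo the backtrace, but they are hypothetical stand-ins, and the "guarded" path is an assumption about what not reusing an incomplete layout looks like, not the actual patch.

```cpp
// Minimal model of the crash path from comment 2; names are hypothetical
// stand-ins for khtml::RenderLayer / RenderBlock, not the real classes.
#include <cassert>

struct Scrollbar {
    bool enabled = false;
    void setEnabled(bool e) { enabled = e; }
};

struct RenderLayer {
    // Scrollbar widgets are created by layout; before the first layout pass
    // they are null, which is the pointer QWidget::setEnabled() ran through.
    Scrollbar* hBar = nullptr;
    Scrollbar* vBar = nullptr;
    bool layoutDone = false;
    bool overflowXScroll = false;     // set by script before any layout ran
    int nullDerefsAttempted = 0;      // counts where the real code would segfault

    // Stand-in for checkScrollbarsAfterLayout(): assumes layout built the bars.
    bool checkScrollbarsAfterLayout() {
        if (!hBar || !vBar) { ++nullDerefsAttempted; return false; }
        hBar->setEnabled(overflowXScroll);
        vBar->setEnabled(false);
        return true;
    }
    void layout(Scrollbar* h, Scrollbar* v) { hBar = h; vBar = v; layoutDone = true; }
};

struct RenderBlock {
    RenderLayer* layer;
    bool needsLayout = true;           // no layout exists for this subtree yet
    bool fullLayoutScheduled = false;

    // Unguarded setStyle() shortcut: reuses a layout that was never built.
    bool setTopUnguarded() { return layer->checkScrollbarsAfterLayout(); }

    // Guarded variant (assumed shape of "do not reuse an incomplete layout"):
    // skip the shortcut and let the next layout pass create the scrollbars.
    bool setTopGuarded() {
        if (needsLayout || !layer->layoutDone) { fullLayoutScheduled = true; return false; }
        return layer->checkScrollbarsAfterLayout();
    }
};

// Replays the testcase order: overflow-x set, then `top` changed before layout.
int replayTestcase(bool guarded) {
    RenderLayer layer; layer.overflowXScroll = true;
    RenderBlock block{&layer};
    if (guarded) block.setTopGuarded(); else block.setTopUnguarded();
    return layer.nullDerefsAttempted;
}
```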
Comment 3 Dmitriy Taychenachev 2010-05-07 16:49:17 UTC
Created attachment 43340 [details]
draft patch to fix the bug
Comment 4 Andrea Iacovitti 2013-08-01 16:43:02 UTC
Created attachment 81510 [details]
online testcase posted in comment #1
Comment 5 Andrea Iacovitti 2013-10-26 23:52:04 UTC
Git commit bb170448b18e7c98bc0e3febf1082e3db28eef89 by Andrea Iacovitti.
Committed on 26/10/2013 at 23:48.
Pushed by aiacovitti into branch 'KDE/4.11'.

Fix crash.
FIXED-IN: 4.11.3

M  +5    -5    khtml/rendering/render_layer.cpp

http://commits.kde.org/kdelibs/bb170448b18e7c98bc0e3febf1082e3db28eef89