Bug 262040

Summary: cross_fuzz crashes konqueror
Product: [Applications] konqueror Reporter: ancow <bugs>
Component: khtmlAssignee: Konqueror Developers <konq-bugs>
Status: RESOLVED WAITINGFORINFO    
Severity: crash CC: kollix, maninred
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: Ubuntu   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:

Description ancow 2011-01-04 08:54:29 UTC 
Application: konqueror (4.5.4 (KDE 4.5.4))
KDE Platform Version: 4.5.4 (KDE 4.5.4)
Qt Version: 4.7.0
Operating System: Linux 2.6.35-24-generic x86_64
Distribution: Ubuntu 10.10

-- Information about the crash:
- What I was doing when the application crashed:

Visiting the website http://lcamtuf.coredump.cx/cross_fuzz/cross_fuzz_randomized_20100729_seed.html

- Custom settings of the application:

The popup blocker needs to be disabled for this crash to occur.

-- Backtrace:
Application: Konqueror (konqueror), signal: Segmentation fault
[KCrash Handler]
#6  0x00007f6e7e1563d4 in DOM::NamedAttrMapImpl::setNamedItem (this=0x341bbc0, arg=0x0, prefix=..., nsAware=true, exceptioncode=@0x7fff8abdf0c8) at ../../khtml/xml/dom_elementimpl.cpp:1496
#7  0x00007f6e7e1478ce in DOM::NamedNodeMapImpl::setNamedItemNS (this=0x341bbc0, arg=<value optimized out>, exceptioncode=@0x7fff8abdf0c8) at ../../khtml/xml/dom_nodeimpl.cpp:2168
#8  0x00007f6e7e2f4da0 in DOMNamedNodeMapProtoFunc::callAsFunction (this=<value optimized out>, exec=0x7fff8abdfa70, thisObj=<value optimized out>, args=<value optimized out>) at ../../khtml/ecma/kjs_dom.cpp:1637
#9  0x00007f6e7d7c85d8 in call (exec=0x7fff8abdfa70, codeBlock=..., parentExec=0x0) at ../../kjs/object.h:626
#10 KJS::Machine::runBlock (exec=0x7fff8abdfa70, codeBlock=..., parentExec=0x0) at codes.def:1204
#11 0x00007f6e7d77dea3 in KJS::FunctionBodyNode::execute (this=0x31e06c0, exec=0x7fff8abdfa70) at ../../kjs/nodes.cpp:927
#12 0x00007f6e7d7a840b in KJS::GlobalFuncImp::callAsFunction (this=<value optimized out>, exec=0x7fff8abe02e0, args=<value optimized out>) at ../../kjs/function.cpp:945
#13 0x00007f6e7d7c85d8 in call (exec=0x7fff8abe02e0, codeBlock=..., parentExec=0x7fff8abe0b50) at ../../kjs/object.h:626
#14 KJS::Machine::runBlock (exec=0x7fff8abe02e0, codeBlock=..., parentExec=0x7fff8abe0b50) at codes.def:1204
#15 0x00007f6e7d7a6b44 in KJS::FunctionImp::callAsFunction (this=0x7f6e7c1af2c0, exec=0x7fff8abe0b50, thisObj=<value optimized out>, args=<value optimized out>) at ../../kjs/function.cpp:172
#16 0x00007f6e7d7c85d8 in call (exec=0x7fff8abe0b50, codeBlock=..., parentExec=0x7fff8abe13c0) at ../../kjs/object.h:626
#17 KJS::Machine::runBlock (exec=0x7fff8abe0b50, codeBlock=..., parentExec=0x7fff8abe13c0) at codes.def:1204
#18 0x00007f6e7d7a6b44 in KJS::FunctionImp::callAsFunction (this=0x7f6e7c1af2c0, exec=0x7fff8abe13c0, thisObj=<value optimized out>, args=<value optimized out>) at ../../kjs/function.cpp:172
#19 0x00007f6e7d7c85d8 in call (exec=0x7fff8abe13c0, codeBlock=..., parentExec=0x7fff8abe1c30) at ../../kjs/object.h:626
#20 KJS::Machine::runBlock (exec=0x7fff8abe13c0, codeBlock=..., parentExec=0x7fff8abe1c30) at codes.def:1204
#21 0x00007f6e7d7a6b44 in KJS::FunctionImp::callAsFunction (this=0x7f6e7c1af2c0, exec=0x7fff8abe1c30, thisObj=<value optimized out>, args=<value optimized out>) at ../../kjs/function.cpp:172
#22 0x00007f6e7d7c85d8 in call (exec=0x7fff8abe1c30, codeBlock=..., parentExec=0x7fff8abe24a0) at ../../kjs/object.h:626
#23 KJS::Machine::runBlock (exec=0x7fff8abe1c30, codeBlock=..., parentExec=0x7fff8abe24a0) at codes.def:1204
#24 0x00007f6e7d7a6b44 in KJS::FunctionImp::callAsFunction (this=0x7f6e7c1af2c0, exec=0x7fff8abe24a0, thisObj=<value optimized out>, args=<value optimized out>) at ../../kjs/function.cpp:172
#25 0x00007f6e7d7c85d8 in call (exec=0x7fff8abe24a0, codeBlock=..., parentExec=0x7fff8abe2d10) at ../../kjs/object.h:626
#26 KJS::Machine::runBlock (exec=0x7fff8abe24a0, codeBlock=..., parentExec=0x7fff8abe2d10) at codes.def:1204
#27 0x00007f6e7d7a6b44 in KJS::FunctionImp::callAsFunction (this=0x7f6e7c1af2c0, exec=0x7fff8abe2d10, thisObj=<value optimized out>, args=<value optimized out>) at ../../kjs/function.cpp:172
#28 0x00007f6e7d7c85d8 in call (exec=0x7fff8abe2d10, codeBlock=..., parentExec=0x7fff8abe3720) at ../../kjs/object.h:626
#29 KJS::Machine::runBlock (exec=0x7fff8abe2d10, codeBlock=..., parentExec=0x7fff8abe3720) at codes.def:1204
#30 0x00007f6e7d7a6b44 in KJS::FunctionImp::callAsFunction (this=0x7f6e7c1af240, exec=0x7fff8abe3720, thisObj=<value optimized out>, args=<value optimized out>) at ../../kjs/function.cpp:172
#31 0x00007f6e7d7c85d8 in call (exec=0x7fff8abe3720, codeBlock=..., parentExec=0x0) at ../../kjs/object.h:626
#32 KJS::Machine::runBlock (exec=0x7fff8abe3720, codeBlock=..., parentExec=0x0) at codes.def:1204
#33 0x00007f6e7d77dea3 in KJS::FunctionBodyNode::execute (this=0x2aca1a0, exec=0x7fff8abe3720) at ../../kjs/nodes.cpp:927
#34 0x00007f6e7d7af6bb in KJS::Interpreter::evaluate (this=0x3a14850, sourceURL=..., startingLineNumber=1, code=<value optimized out>, codeLength=<value optimized out>, thisV=0x7f6e7c1b0000) at ../../kjs/interpreter.cpp:564
#35 0x00007f6e7d7af803 in KJS::Interpreter::evaluate (this=0x341bbc0, sourceURL=..., startingLineNumber=2122625762, code=<value optimized out>, thisV=<value optimized out>) at ../../kjs/interpreter.cpp:504
#36 0x00007f6e7e33e253 in KJSProxy::evaluate (this=0x3b76ad0, filename=) at ../../khtml/ecma/kjs_proxy.cpp:126
#37 0x00007f6e7e0d025a in KHTMLPart::executeScript (this=0x2beb380, n=..., script=<value optimized out>) at ../../khtml/khtml_part.cpp:1330
#38 0x00007f6e7e326585 in KJS::ScheduledAction::execute (this=0x3c919b0, window=<value optimized out>) at ../../khtml/ecma/kjs_window.cpp:2210
#39 0x00007f6e7e328143 in KJS::WindowQObject::timerEvent (this=0x2bcc2a0) at ../../khtml/ecma/kjs_window.cpp:2376
#40 0x00007f6e93a5d8f9 in QObject::event (this=0x2bcc2a0, e=0x341bbc0) at kernel/qobject.cpp:1183
#41 0x00007f6e92b37fdc in QApplicationPrivate::notify_helper (this=0x22ce6a0, receiver=0x2bcc2a0, e=0x7fff8abe42e0) at kernel/qapplication.cpp:4396
#42 0x00007f6e92b3daed in QApplication::notify (this=0x7fff8abe47b0, receiver=0x2bcc2a0, e=0x7fff8abe42e0) at kernel/qapplication.cpp:4277
#43 0x00007f6e9446e576 in KApplication::notify (this=0x7fff8abe47b0, receiver=0x2bcc2a0, event=0x7fff8abe42e0) at ../../kdeui/kernel/kapplication.cpp:310
#44 0x00007f6e93a4bcdc in QCoreApplication::notifyInternal (this=0x7fff8abe47b0, receiver=0x2bcc2a0, event=0x7fff8abe42e0) at kernel/qcoreapplication.cpp:732
#45 0x00007f6e93a7b6f2 in sendEvent (this=0x22d2450) at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:215
#46 QTimerInfoList::activateTimers (this=0x22d2450) at kernel/qeventdispatcher_unix.cpp:602
#47 0x00007f6e93a784c8 in timerSourceDispatch (source=<value optimized out>) at kernel/qeventdispatcher_glib.cpp:184
#48 idleTimerSourceDispatch (source=<value optimized out>) at kernel/qeventdispatcher_glib.cpp:231
#49 0x00007f6e8e188342 in g_main_context_dispatch () from /lib/libglib-2.0.so.0
#50 0x00007f6e8e18c2a8 in ?? () from /lib/libglib-2.0.so.0
#51 0x00007f6e8e18c45c in g_main_context_iteration () from /lib/libglib-2.0.so.0
#52 0x00007f6e93a78193 in QEventDispatcherGlib::processEvents (this=0x22b1e60, flags=<value optimized out>) at kernel/qeventdispatcher_glib.cpp:415
#53 0x00007f6e92beaa4e in QGuiEventDispatcherGlib::processEvents (this=0x341bbc0, flags=<value optimized out>) at kernel/qguieventdispatcher_glib.cpp:204
#54 0x00007f6e93a4aa02 in QEventLoop::processEvents (this=<value optimized out>, flags=) at kernel/qeventloop.cpp:149
#55 0x00007f6e93a4adec in QEventLoop::exec (this=0x7fff8abe4580, flags=) at kernel/qeventloop.cpp:201
#56 0x00007f6e93a4eebb in QCoreApplication::exec () at kernel/qcoreapplication.cpp:1009
#57 0x00007f6e962a714e in kdemain (argc=<value optimized out>, argv=<value optimized out>) at ../../../../apps/konqueror/src/konqmain.cpp:234
#58 0x00007f6e95e7ed8e in __libc_start_main (main=<value optimized out>, argc=<value optimized out>, ubp_av=<value optimized out>, init=<value optimized out>, fini=<value optimized out>, rtld_fini=<value optimized out>, stack_end=0x7fff8abe50b8) at libc-start.c:226
#59 0x0000000000400659 in _start ()

Reported using DrKonqi
Comment 1 Tommi Tervo 2011-01-04 18:13:19 UTC 

==1929== Invalid read of size 4
==1929==    at 0xCB1EED2: khtml::DocPtr<DOM::DocumentImpl>::get() const (shared.h:104)
==1929==    by 0xCB1D035: DOM::NodeImpl::document() const (dom_nodeimpl.h:288)
==1929==    by 0xCBD3083: DOM::NamedAttrMapImpl::setNamedItem(DOM::NodeImpl*, khtml::IDString<khtml::PrefixFactory> const&, bool, int&) (dom_elementimpl.cpp:1496)
==1929==    by 0xCBC626A: DOM::NamedNodeMapImpl::setNamedItemNS(DOM::Node const&, int&) (dom_nodeimpl.cpp:2175)
==1929==    by 0xCDA562B: DOMNamedNodeMapProtoFunc::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) (kjs_dom.cpp:1637)
==1929==    by 0xCDDEFFC: KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) (object.h:626)
==1929==    by 0xD326675: KJS::Machine::runBlock(KJS::ExecState*, WTF::Vector<unsigned char, 0u> const&, KJS::ExecState*) (codes.def:1204)
==1929==    by 0xD2CBA05: KJS::FunctionBodyNode::execute(KJS::ExecState*) (nodes.cpp:927)
==1929==    by 0xD2FD280: KJS::GlobalFuncImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) (function.cpp:945)
==1929==    by 0xCDDEFFC: KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) (object.h:626)
==1929==    by 0xD326675: KJS::Machine::runBlock(KJS::ExecState*, WTF::Vector<unsigned char, 0u> const&, KJS::ExecState*) (codes.def:1204)
==1929==    by 0xD2FACE1: KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) (function.cpp:172)
==1929==    by 0xCDDEFFC: KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) (object.h:626)
==1929==    by 0xD326675: KJS::Machine::runBlock(KJS::ExecState*, WTF::Vector<unsigned char, 0u> const&, KJS::ExecState*) (codes.def:1204)
==1929==    by 0xD2FACE1: KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) (function.cpp:172)
==1929==    by 0xCDDEFFC: KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) (object.h:626)
==1929==    by 0xD326675: KJS::Machine::runBlock(KJS::ExecState*, WTF::Vector<unsigned char, 0u> const&, KJS::ExecState*) (codes.def:1204)
==1929==    by 0xD2FACE1: KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) (function.cpp:172)
==1929==    by 0xCDDEFFC: KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) (object.h:626)
==1929==    by 0xD326675: KJS::Machine::runBlock(KJS::ExecState*, WTF::Vector<unsigned char, 0u> const&, KJS::ExecState*) (codes.def:1204)
==1929==    by 0xD2FACE1: KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) (function.cpp:172)
==1929==    by 0xCDDEFFC: KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) (object.h:626)
==1929==    by 0xD326675: KJS::Machine::runBlock(KJS::ExecState*, WTF::Vector<unsigned char, 0u> const&, KJS::ExecState*) (codes.def:1204)
==1929==    by 0xD2FACE1: KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) (function.cpp:172)
==1929==    by 0xCDDEFFC: KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) (object.h:626)
==1929==    by 0xD326675: KJS::Machine::runBlock(KJS::ExecState*, WTF::Vector<unsigned char, 0u> const&, KJS::ExecState*) (codes.def:1204)
==1929==    by 0xD2FACE1: KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) (function.cpp:172)
==1929==    by 0xCDDEFFC: KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) (object.h:626)
==1929==    by 0xD326675: KJS::Machine::runBlock(KJS::ExecState*, WTF::Vector<unsigned char, 0u> const&, KJS::ExecState*) (codes.def:1204)
==1929==    by 0xD2CBA05: KJS::FunctionBodyNode::execute(KJS::ExecState*) (nodes.cpp:927)
==1929==    by 0xD3060DB: KJS::Interpreter::evaluate(KJS::UString const&, int, KJS::UChar const*, int, KJS::JSValue*) (interpreter.cpp:564)
==1929==    by 0xD305C40: KJS::Interpreter::evaluate(KJS::UString const&, int, KJS::UString const&, KJS::JSValue*) (interpreter.cpp:504)
==1929==    by 0xCDE82F8: KJSProxy::evaluate(QString, int, QString const&, DOM::Node const&, KJS::Completion*) (kjs_proxy.cpp:126)
==1929==    by 0xCB30638: KHTMLPart::executeScript(DOM::Node const&, QString const&) (khtml_part.cpp:1327)
==1929==    by 0xCDDB5B2: KJS::ScheduledAction::execute(KJS::Window*) (kjs_window.cpp:2293)
==1929==    by 0xCDDC200: KJS::WindowQObject::timerEvent(QTimerEvent*) (kjs_window.cpp:2458)
==1929==    by 0x507B9C3: QObject::event(QEvent*) (qobject.cpp:1175)
==1929==    by 0x5379413: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:4445)
==1929==    by 0x5382136: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:3845)
==1929==    by 0x4A3955D: KApplication::notify(QObject*, QEvent*) (kapplication.cpp:311)
==1929==    by 0x50665BD: QCoreApplication::notifyInternal(QObject*, QEvent*) (qcoreapplication.cpp:732)
==1929==    by 0x50979A7: QTimerInfoList::activateTimers() (qcoreapplication.h:215)
==1929==    by 0x5094631: timerSourceDispatch(_GSource*, int (*)(void*), void*) (qeventdispatcher_glib.cpp:184)
==1929==    by 0x6619B48: g_main_context_dispatch (in /usr/lib/libglib-2.0.so.0.2400.1)
==1929==    by 0x661A34F: ??? (in /usr/lib/libglib-2.0.so.0.2400.1)
==1929==    by 0x661A60D: g_main_context_iteration (in /usr/lib/libglib-2.0.so.0.2400.1)
==1929==    by 0x5094D5A: QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventdispatcher_glib.cpp:422)
==1929==    by 0x542F9A9: QGuiEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qguieventdispatcher_glib.cpp:204)
==1929==    by 0x506589C: QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventloop.cpp:149)
==1929==    by 0x5065AC8: QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (qeventloop.cpp:201)
==1929==  Address 0x10 is not stack'd, malloc'd or (recently) free'd
Comment 2 Tommi Tervo 2011-01-10 19:53:25 UTC 
*** Bug 262763 has been marked as a duplicate of this bug. ***
Comment 3 Maksim Orlovich 2011-02-19 23:44:30 UTC 
Git commit 34a28720abd48b5029067af4aaa9bcfbcd6df4e2 by Maks Orlovich.
Committed on 06/02/2011 at 16:52.
Pushed by orlovich into branch 'master'.

Add some missing null pointer checks spotted by crossfuzz

CCBUG: 262040

M  +1    -1    khtml/ecma/kjs_dom.cpp     
M  +2    -2    khtml/ecma/kjs_range.cpp     
M  +1    -1    khtml/ecma/kjs_traversal.cpp     
M  +5    -0    khtml/xml/dom2_rangeimpl.cpp     
M  +1    -1    khtml/xml/dom_elementimpl.cpp     

http://commits.kde.org/kdelibs/34a28720abd48b5029067af4aaa9bcfbcd6df4e2
Comment 4 Maksim Orlovich 2011-02-19 23:44:30 UTC 
Git commit fefb64c565115a645629eac8a154554314d42677 by Maks Orlovich.
Committed on 06/02/2011 at 17:07.
Pushed by orlovich into branch 'master'.

Don't go through C++ wrappers here, they throw exceptions.

CCBUG: 262040

M  +15   -6    khtml/ecma/kjs_range.cpp     

http://commits.kde.org/kdelibs/fefb64c565115a645629eac8a154554314d42677
Comment 5 Martin Koller 2011-06-05 15:01:00 UTC 
@Maksim: is this now fixed and can be closed ?