Bug 262763

Summary: fuzzing under openSUSE11.4 MS5
Product: [Applications] konqueror Reporter: maninred
Component: khtmlAssignee: Konqueror Developers <konq-bugs>
Status: RESOLVED DUPLICATE    
Severity: crash CC: maninred
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: openSUSE   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:
Attachments: New crash information added by DrKonqi
New crash information added by DrKonqi

Description maninred 2011-01-10 16:06:29 UTC 
Application: konqueror (4.5.85 (4.6 Beta2))
KDE Platform Version: 4.5.85 (4.6 Beta2)
Qt Version: 4.7.1
Operating System: Linux 2.6.37-rc5-12-default i686
Distribution: "openSUSE 11.4 Milestone 5 of 6 (i586)"

-- Information about the crash:
- What I was doing when the application crashed:
I´ve runned the fuzzer:

http://lcamtuf.coredump.cx/cross_fuzz/

-- Backtrace:
Application: Konqueror (kdeinit4), signal: Segmentation fault
[Current thread is 1 (Thread 0xb584d710 (LWP 4614))]

Thread 2 (Thread 0xab779b70 (LWP 4666)):
#0  0xb5b6722b in clock_gettime (clock_id=1, tp=0xab779020) at ../sysdeps/unix/clock_gettime.c:100
#1  0xb6d5fac5 in do_gettime () at tools/qelapsedtimer_unix.cpp:123
#2  qt_gettime () at tools/qelapsedtimer_unix.cpp:140
#3  0xb6e326f6 in updateCurrentTime (this=0x86c2bbc, tm=...) at kernel/qeventdispatcher_unix.cpp:339
#4  QTimerInfoList::timerWait (this=0x86c2bbc, tm=...) at kernel/qeventdispatcher_unix.cpp:442
#5  0xb6e30f3b in timerSourcePrepareHelper (src=<value optimized out>, timeout=0xab77911c) at kernel/qeventdispatcher_glib.cpp:136
#6  0xb6e30fdd in timerSourcePrepare (source=0x86c2b88, timeout=<value optimized out>) at kernel/qeventdispatcher_glib.cpp:169
#7  0xb5ab6210 in g_main_context_prepare (context=0x86c0a90, priority=0xab77918c) at gmain.c:2588
#8  0xb5ab7082 in g_main_context_iterate (context=0x86c0a90, block=1, dispatch=1, self=0x86bf578) at gmain.c:2882
#9  0xb5ab776e in g_main_context_iteration (context=0x86c0a90, may_block=1) at gmain.c:2965
#10 0xb6e31787 in QEventDispatcherGlib::processEvents (this=0x86c05f8, flags=...) at kernel/qeventdispatcher_glib.cpp:424
#11 0xb6e0229d in QEventLoop::processEvents (this=0xab7792b0, flags=...) at kernel/qeventloop.cpp:149
#12 0xb6e024c9 in QEventLoop::exec (this=0xab7792b0, flags=...) at kernel/qeventloop.cpp:201
#13 0xb6d037b9 in QThread::exec (this=0x86bf4e0) at thread/qthread.cpp:490
#14 0xb6de222d in QInotifyFileSystemWatcherEngine::run (this=0x86bf4e0) at io/qfilesystemwatcher_inotify.cpp:248
#15 0xb6d063aa in QThreadPrivate::start (arg=0x86bf4e0) at thread/qthread_unix.cpp:285
#16 0xb6c8ab25 in start_thread (arg=0xab779b70) at pthread_create.c:297
#17 0xb6047c5e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130

Thread 1 (Thread 0xb584d710 (LWP 4614)):
[KCrash Handler]
#7  0xaf85d458 in DOM::RangeImpl::insertNode (this=0x8aac238, newNode=0x0, exceptioncode=@0xbfb173ec) at /usr/src/debug/kdelibs-4.5.85/khtml/xml/dom2_rangeimpl.cpp:747
#8  0xafa557b5 in KJS::DOMRangeProtoFunc::callAsFunction (this=0x8125494, exec=0xbfb177bc, thisObj=0x4, args=...) at /usr/src/debug/kdelibs-4.5.85/khtml/ecma/kjs_range.cpp:163
#9  0xaf617a4b in call (exec=0xbfb177bc, codeBlock=..., parentExec=0x0) at /usr/src/debug/kdelibs-4.5.85/kjs/object.h:626
#10 KJS::Machine::runBlock (exec=0xbfb177bc, codeBlock=..., parentExec=0x0) at codes.def:1204
#11 0xaf5cc05c in KJS::FunctionBodyNode::execute (this=0x88ba208, exec=0xbfb177bc) at /usr/src/debug/kdelibs-4.5.85/kjs/nodes.cpp:927
#12 0xaf5f6e9c in KJS::GlobalFuncImp::callAsFunction (this=0xab98e960, exec=0xbfb17b5c, args=...) at /usr/src/debug/kdelibs-4.5.85/kjs/function.cpp:945
#13 0xaf617a4b in call (exec=0xbfb17b5c, codeBlock=..., parentExec=0xbfb17efc) at /usr/src/debug/kdelibs-4.5.85/kjs/object.h:626
#14 KJS::Machine::runBlock (exec=0xbfb17b5c, codeBlock=..., parentExec=0xbfb17efc) at codes.def:1204
#15 0xaf5f66e6 in KJS::FunctionImp::callAsFunction (this=0xab98f6a0, exec=0xbfb17efc, thisObj=0xab990000, args=...) at /usr/src/debug/kdelibs-4.5.85/kjs/function.cpp:172
#16 0xaf617a4b in call (exec=0xbfb17efc, codeBlock=..., parentExec=0xbfb1829c) at /usr/src/debug/kdelibs-4.5.85/kjs/object.h:626
#17 KJS::Machine::runBlock (exec=0xbfb17efc, codeBlock=..., parentExec=0xbfb1829c) at codes.def:1204
#18 0xaf5f66e6 in KJS::FunctionImp::callAsFunction (this=0xab98f6a0, exec=0xbfb1829c, thisObj=0xab990000, args=...) at /usr/src/debug/kdelibs-4.5.85/kjs/function.cpp:172
#19 0xaf617a4b in call (exec=0xbfb1829c, codeBlock=..., parentExec=0xbfb1863c) at /usr/src/debug/kdelibs-4.5.85/kjs/object.h:626
#20 KJS::Machine::runBlock (exec=0xbfb1829c, codeBlock=..., parentExec=0xbfb1863c) at codes.def:1204
#21 0xaf5f66e6 in KJS::FunctionImp::callAsFunction (this=0xab98f6a0, exec=0xbfb1863c, thisObj=0xab990000, args=...) at /usr/src/debug/kdelibs-4.5.85/kjs/function.cpp:172
#22 0xaf617a4b in call (exec=0xbfb1863c, codeBlock=..., parentExec=0xbfb18a6c) at /usr/src/debug/kdelibs-4.5.85/kjs/object.h:626
#23 KJS::Machine::runBlock (exec=0xbfb1863c, codeBlock=..., parentExec=0xbfb18a6c) at codes.def:1204
#24 0xaf5f66e6 in KJS::FunctionImp::callAsFunction (this=0xab98f660, exec=0xbfb18a6c, thisObj=0xab990000, args=...) at /usr/src/debug/kdelibs-4.5.85/kjs/function.cpp:172
#25 0xaf617a4b in call (exec=0xbfb18a6c, codeBlock=..., parentExec=0x0) at /usr/src/debug/kdelibs-4.5.85/kjs/object.h:626
#26 KJS::Machine::runBlock (exec=0xbfb18a6c, codeBlock=..., parentExec=0x0) at codes.def:1204
#27 0xaf5cc05c in KJS::FunctionBodyNode::execute (this=0x860e9a8, exec=0xbfb18a6c) at /usr/src/debug/kdelibs-4.5.85/kjs/nodes.cpp:927
#28 0xaf5ff1c0 in KJS::Interpreter::evaluate (this=0x82ffd90, sourceURL=..., startingLineNumber=1, code=0x8779940, codeLength=44, thisV=0xab990000) at /usr/src/debug/kdelibs-4.5.85/kjs/interpreter.cpp:564
#29 0xaf5ff37a in KJS::Interpreter::evaluate (this=0x82ffd90, sourceURL=..., startingLineNumber=1, code=..., thisV=0xab990000) at /usr/src/debug/kdelibs-4.5.85/kjs/interpreter.cpp:504
#30 0xafa45293 in KJSProxy::evaluate (this=0x8346450, filename=..., baseLine=135419016, str=..., n=..., completion=0xbfb18c78) at /usr/src/debug/kdelibs-4.5.85/khtml/ecma/kjs_proxy.cpp:126
#31 0xaf7cbdb4 in KHTMLPart::executeScript (this=0x83961c8, n=..., script=...) at /usr/src/debug/kdelibs-4.5.85/khtml/khtml_part.cpp:1327
#32 0xafa2cea3 in KJS::ScheduledAction::execute (this=0xbfb18d10, window=0xbfb18d04) at /usr/src/debug/kdelibs-4.5.85/khtml/ecma/kjs_window.cpp:2293
#33 0xafa3be57 in KJS::WindowQObject::timerEvent (this=0x8291380) at /usr/src/debug/kdelibs-4.5.85/khtml/ecma/kjs_window.cpp:2458
#34 0xb6e183c4 in QObject::event (this=0x8291380, e=0xbfb192ac) at kernel/qobject.cpp:1175
#35 0xb630f434 in QApplicationPrivate::notify_helper (this=0x80e3280, receiver=0x8291380, e=0xbfb192ac) at kernel/qapplication.cpp:4445
#36 0xb63180d7 in QApplication::notify (this=0xbfb19720, receiver=0x8291380, e=0xbfb192ac) at kernel/qapplication.cpp:3845
#37 0xb745b351 in KApplication::notify (this=0xbfb19720, receiver=0x8291380, event=0xbfb192ac) at /usr/src/debug/kdelibs-4.5.85/kdeui/kernel/kapplication.cpp:311
#38 0xb6e02fbe in QCoreApplication::notifyInternal (this=0xbfb19720, receiver=0x8291380, event=0xbfb192ac) at kernel/qcoreapplication.cpp:732
#39 0xb6e34349 in sendEvent (this=0x80e5c84) at kernel/qcoreapplication.h:215
#40 QTimerInfoList::activateTimers (this=0x80e5c84) at kernel/qeventdispatcher_unix.cpp:618
#41 0xb6e31012 in timerSourceDispatch (source=0x80e5c50) at kernel/qeventdispatcher_glib.cpp:184
#42 0xb5ab6ca9 in g_main_dispatch (context=0x80e5498) at gmain.c:2267
#43 g_main_context_dispatch (context=0x80e5498) at gmain.c:2824
#44 0xb5ab74b0 in g_main_context_iterate (context=0x80e5498, block=1, dispatch=1, self=0x80e3418) at gmain.c:2902
#45 0xb5ab776e in g_main_context_iteration (context=0x80e5498, may_block=1) at gmain.c:2965
#46 0xb6e3173b in QEventDispatcherGlib::processEvents (this=0x80c2848, flags=...) at kernel/qeventdispatcher_glib.cpp:422
#47 0xb63c553a in QGuiEventDispatcherGlib::processEvents (this=0x80c2848, flags=...) at kernel/qguieventdispatcher_glib.cpp:204
#48 0xb6e0229d in QEventLoop::processEvents (this=0xbfb19554, flags=...) at kernel/qeventloop.cpp:149
#49 0xb6e024c9 in QEventLoop::exec (this=0xbfb19554, flags=...) at kernel/qeventloop.cpp:201
#50 0xb6e06f70 in QCoreApplication::exec () at kernel/qcoreapplication.cpp:1009
#51 0xb630d124 in QApplication::exec () at kernel/qapplication.cpp:3719
#52 0xb247924f in kdemain (argc=2, argv=0x80c6ee0) at /usr/src/debug/kdebase-4.5.85/apps/konqueror/src/konqmain.cpp:219
#53 0x0804e531 in launch (argc=2, _name=0x80a153c "/usr/bin/konqueror", args=<value optimized out>, cwd=0x0, envc=0, envs=<value optimized out>, reset_env=false, tty=0x0, avoid_loops=false, startup_id_str=0x80a1560 "linux-ym78;1294670885;231866;2633_TIME363222") at /usr/src/debug/kdelibs-4.5.85/kinit/kinit.cpp:730
#54 0x0804f04f in handle_launcher_request (sock=8, who=<value optimized out>) at /usr/src/debug/kdelibs-4.5.85/kinit/kinit.cpp:1222
#55 0x0804f6fc in handle_requests (waitForPid=<value optimized out>) at /usr/src/debug/kdelibs-4.5.85/kinit/kinit.cpp:1415
#56 0x08050579 in main (argc=6903652, argv=0x0, envp=0x0) at /usr/src/debug/kdelibs-4.5.85/kinit/kinit.cpp:1901

Reported using DrKonqi
Comment 1 maninred 2011-01-10 16:14:59 UTC 
Created attachment 55828 [details]
New crash information added by DrKonqi

konqueror (4.5.85 (4.6 Beta2)) on KDE Platform 4.5.85 (4.6 Beta2) using Qt 4.7.1

- What I was doing when the application crashed:

Also the fuzzer:

http://lcamtuf.coredump.cx/cross_fuzz/

It´s the same crash.

-- Backtrace (Reduced):
#7  0xaf85d458 in DOM::RangeImpl::insertNode (this=0x8a91138, newNode=0x0, exceptioncode=@0xbfb173ec) at /usr/src/debug/kdelibs-4.5.85/khtml/xml/dom2_rangeimpl.cpp:747
#8  0xafa557b5 in KJS::DOMRangeProtoFunc::callAsFunction (this=0x88fd0cc, exec=0xbfb177bc, thisObj=0x4, args=...) at /usr/src/debug/kdelibs-4.5.85/khtml/ecma/kjs_range.cpp:163
#9  0xaf617a4b in call (exec=0xbfb177bc, codeBlock=..., parentExec=0x0) at /usr/src/debug/kdelibs-4.5.85/kjs/object.h:626
#10 KJS::Machine::runBlock (exec=0xbfb177bc, codeBlock=..., parentExec=0x0) at codes.def:1204
#11 0xaf5cc05c in KJS::FunctionBodyNode::execute (this=0x891abe0, exec=0xbfb177bc) at /usr/src/debug/kdelibs-4.5.85/kjs/nodes.cpp:927
Comment 2 maninred 2011-01-10 16:22:38 UTC 
Created attachment 55829 [details]
New crash information added by DrKonqi

konqueror (4.5.85 (4.6 Beta2)) on KDE Platform 4.5.85 (4.6 Beta2) using Qt 4.7.1

- What I was doing when the application crashed:
fuzzing:

http://lcamtuf.coredump.cx/cross_fuzz/

It crashed every time because of the same.

-- Backtrace (Reduced):
#7  0xaf85f458 in DOM::RangeImpl::insertNode (this=0x8b90638, newNode=0x0, exceptioncode=@0xbfb173ec) at /usr/src/debug/kdelibs-4.5.85/khtml/xml/dom2_rangeimpl.cpp:747
#8  0xafa577b5 in KJS::DOMRangeProtoFunc::callAsFunction (this=0x8b70af4, exec=0xbfb177bc, thisObj=0x4, args=...) at /usr/src/debug/kdelibs-4.5.85/khtml/ecma/kjs_range.cpp:163
#9  0xaf619a4b in call (exec=0xbfb177bc, codeBlock=..., parentExec=0x0) at /usr/src/debug/kdelibs-4.5.85/kjs/object.h:626
#10 KJS::Machine::runBlock (exec=0xbfb177bc, codeBlock=..., parentExec=0x0) at codes.def:1204
#11 0xaf5ce05c in KJS::FunctionBodyNode::execute (this=0x8d25c58, exec=0xbfb177bc) at /usr/src/debug/kdelibs-4.5.85/kjs/nodes.cpp:927
Comment 3 Tommi Tervo 2011-01-10 19:53:25 UTC 

*** This bug has been marked as a duplicate of bug 262040 ***