Bug 264985

Summary: [CSS 2.1 Conformance] [testcase] Containing block and absolutely positioned element in @media print page triggers an application crash when attempting to print
Product: [Applications] konqueror
Reporter: Gérard Talbot (no longer involved) <browserbugs2>
Component: khtml
Assignee: Konqueror Developers <konq-bugs>
Status: VERIFIED FIXED
Severity: crash
CC: aiacovitti, fischer, grasagrautur, info, maksim, volodya
Priority: NOR
Keywords: reproducible, testcase
Version: 4.5.5
Target Milestone: ---
Platform: Ubuntu
OS: Linux
Latest Commit:
Version Fixed In: 4.6.1
Attachments: patch
             updated patch

Description Gérard Talbot (no longer involved) 2011-01-31 18:49:35 UTC
Version:           4.5.5 (using KDE 4.5.5) 
OS:                Linux

Testcase URL
------------

http://test.csswg.org/suites/css2.1/20110111/html4/containing-block-024.htm

Relevant code
-------------

       <style type="text/css">
            @media print
            {
                #print
                {
                    display: none;
                }
                p
                {
                    margin-top: 1.1in;
                    page-break-after: always;
                }
                div
                {
                    border: solid black;
                    height: 1in;
                    left: 0;
                    position: absolute;
                    top: 0;
                    width: 1in;
                }
            }
        </style>
    </head>
    <body>
        <p id="print">PREREQUISITE: Switch to paged media view.</p>
        <p>Test passes if there is a black box above.</p>
        <div></div>

Reproducible: Always

Steps to Reproduce:
Load the provided reduced, self-explanatory testcase and try to print it.

Actual Results:  
Konqueror 4.5.5 crashes

Expected Results:  
Konqueror 4.5.5 should print one single page.
Approximate expected page rendering is:

"
------------
|          |
|          |
|          |
|          |
------------

Test passes if there is a black box above.
"

I will paste a backtrace just as described in
http://techbase.kde.org/User:DarioAndres/Basic_Guide_about_Crash_Reporting#Backtraces

Konqueror 4.5.5, Linux 2.6.35-25-generic-pae, i686 (32bits), Qt 4.7.0 here.
Comment 1 Gérard Talbot (no longer involved) 2011-01-31 18:53:30 UTC
Backtrace of crash
------------------

Application: Konqueror (konqueror), signal: Segmentation fault
[Current thread is 1 (Thread 0xb524e9e0 (LWP 5355))]

Thread 5 (Thread 0xb2bcab70 (LWP 5356)):
#0  0xb78c8424 in __kernel_vsyscall ()
#1  0xb7748371 in select () from /lib/libc.so.6
#2  0xb69a3bb8 in QProcessManager::run (this=0xb6afc888) at io/qprocess_unix.cpp:245
#3  0xb68c6df9 in QThreadPrivate::start (arg=0xb6afc888) at thread/qthread_unix.cpp:266
#4  0xb58e6cc9 in start_thread () from /lib/libpthread.so.0
#5  0xb774f69e in clone () from /lib/libc.so.6

Thread 4 (Thread 0xadcedb70 (LWP 5366)):
#0  0xb5681e36 in clock_gettime () from /lib/librt.so.1
#1  0xb692250b in do_gettime () at tools/qelapsedtimer_unix.cpp:105
#2  qt_gettime () at tools/qelapsedtimer_unix.cpp:119
#3  0xb69f96e5 in QTimerInfoList::updateCurrentTime (this=0xa3ee0b4) at kernel/qeventdispatcher_unix.cpp:339
#4  0xb69f972a in QTimerInfoList::timerWait (this=0xa3ee0b4, tm=...) at kernel/qeventdispatcher_unix.cpp:442
#5  0xb69f77a8 in timerSourcePrepareHelper (src=<value optimized out>, timeout=0xadced0bc) at kernel/qeventdispatcher_glib.cpp:136
#6  0xb69f783d in timerSourcePrepare (source=0x0, timeout=0xb5685ff4) at kernel/qeventdispatcher_glib.cpp:169
#7  0xb55efe6a in g_main_context_prepare () from /lib/libglib-2.0.so.0
#8  0xb55f0279 in ?? () from /lib/libglib-2.0.so.0
#9  0xb55f0848 in g_main_context_iteration () from /lib/libglib-2.0.so.0
#10 0xb69f759f in QEventDispatcherGlib::processEvents (this=0xa0b09e8, flags=...) at kernel/qeventdispatcher_glib.cpp:417
#11 0xb69c7609 in QEventLoop::processEvents (this=0xadced290, flags=) at kernel/qeventloop.cpp:149
#12 0xb69c7a8a in QEventLoop::exec (this=0xadced290, flags=...) at kernel/qeventloop.cpp:201
#13 0xb68c3b7e in QThread::exec (this=0xa238ff8) at thread/qthread.cpp:490
#14 0xb69a635b in QInotifyFileSystemWatcherEngine::run (this=0xa238ff8) at io/qfilesystemwatcher_inotify.cpp:248
#15 0xb68c6df9 in QThreadPrivate::start (arg=0xa238ff8) at thread/qthread_unix.cpp:266
#16 0xb58e6cc9 in start_thread () from /lib/libpthread.so.0
#17 0xb774f69e in clone () from /lib/libc.so.6

Thread 3 (Thread 0xacc9ab70 (LWP 5807)):
#0  0xb78c8424 in __kernel_vsyscall ()
#1  0xb58eb4dc in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/libpthread.so.0
#2  0xb775cd9d in pthread_cond_wait () from /lib/libc.so.6
#3  0xb68c79c7 in wait (this=0xc27eeb8, mutex=0xc27eeb4, time=4294967295) at thread/qwaitcondition_unix.cpp:88
#4  QWaitCondition::wait (this=0xc27eeb8, mutex=0xc27eeb4, time=4294967295) at thread/qwaitcondition_unix.cpp:160
#5  0xb63f9eaa in QFileInfoGatherer::run (this=0xc27eeac) at dialogs/qfileinfogatherer.cpp:214
#6  0xb68c6df9 in QThreadPrivate::start (arg=0xc27eeac) at thread/qthread_unix.cpp:266
#7  0xb58e6cc9 in start_thread () from /lib/libpthread.so.0
#8  0xb774f69e in clone () from /lib/libc.so.6

Thread 2 (Thread 0xad49bb70 (LWP 5808)):
#0  0xb5681e36 in clock_gettime () from /lib/librt.so.1
#1  0xb692250b in do_gettime () at tools/qelapsedtimer_unix.cpp:105
#2  qt_gettime () at tools/qelapsedtimer_unix.cpp:119
#3  0xb69f96e5 in QTimerInfoList::updateCurrentTime (this=0xac306e34) at kernel/qeventdispatcher_unix.cpp:339
#4  0xb69f972a in QTimerInfoList::timerWait (this=0xac306e34, tm=...) at kernel/qeventdispatcher_unix.cpp:442
#5  0xb69f77a8 in timerSourcePrepareHelper (src=<value optimized out>, timeout=0xad49b0bc) at kernel/qeventdispatcher_glib.cpp:136
#6  0xb69f783d in timerSourcePrepare (source=0x0, timeout=0xb5685ff4) at kernel/qeventdispatcher_glib.cpp:169
#7  0xb55efe6a in g_main_context_prepare () from /lib/libglib-2.0.so.0
#8  0xb55f0279 in ?? () from /lib/libglib-2.0.so.0
#9  0xb55f0848 in g_main_context_iteration () from /lib/libglib-2.0.so.0
#10 0xb69f759f in QEventDispatcherGlib::processEvents (this=0xc22d578, flags=...) at kernel/qeventdispatcher_glib.cpp:417
#11 0xb69c7609 in QEventLoop::processEvents (this=0xad49b290, flags=) at kernel/qeventloop.cpp:149
#12 0xb69c7a8a in QEventLoop::exec (this=0xad49b290, flags=...) at kernel/qeventloop.cpp:201
#13 0xb68c3b7e in QThread::exec (this=0xc1489d8) at thread/qthread.cpp:490
#14 0xb69a635b in QInotifyFileSystemWatcherEngine::run (this=0xc1489d8) at io/qfilesystemwatcher_inotify.cpp:248
#15 0xb68c6df9 in QThreadPrivate::start (arg=0xc1489d8) at thread/qthread_unix.cpp:266
#16 0xb58e6cc9 in start_thread () from /lib/libpthread.so.0
#17 0xb774f69e in clone () from /lib/libc.so.6

Thread 1 (Thread 0xb524e9e0 (LWP 5355)):
[KCrash Handler]
#7  0xb1c9329f in khtml::RenderBlock::clearChildOfPageBreaks (this=0xa99ea18, child=0xa99eb60, pageBreakInfo=..., marginInfo=...) at ../../khtml/rendering/render_block.cpp:1670
#8  0xb1c950ba in khtml::RenderBlock::layoutBlockChildren (this=0xa99ea18, relayoutChildren=<value optimized out>) at ../../khtml/rendering/render_block.cpp:1607
#9  0xb1c95425 in khtml::RenderBlock::layoutBlock (this=0xa99ea18, relayoutChildren=true) at ../../khtml/rendering/render_block.cpp:837
#10 0xb1cf549d in khtml::RenderCanvas::layout (this=0xa99ea18) at ../../khtml/rendering/render_canvas.cpp:191
#11 0xb1b3350f in layoutIfNeeded (this=0xaa7afe0, quick=false) at ../../khtml/rendering/render_object.h:480
#12 KHTMLView::print (this=0xaa7afe0, quick=false) at ../../khtml/khtmlview.cpp:3284
#13 0xb1b91e60 in KHTMLPartBrowserExtension::print (this=0xac04198) at ../../khtml/khtml_ext.cpp:363
#14 0xb1b94933 in KHTMLPartBrowserExtension::qt_metacall (this=0xac04198, _c=QMetaObject::InvokeMetaMethod, _id=56, _a=0xbfe0cab8) at ./khtml_ext.moc:103
#15 0xb69ce8ca in QMetaObject::metacall (object=0xac04198, cl=QMetaObject::InvokeMetaMethod, idx=56, argv=0xbfe0cab8) at kernel/qmetaobject.cpp:237
#16 0xb69e16ad in QMetaObject::activate (sender=0x9e69980, m=0xb67ca370, local_signal_index=1, argv=0x0) at kernel/qobject.cpp:3280
#17 0xb5e43f99 in QAction::triggered (this=0x9e69980, _t1=false) at .moc/release-shared/moc_qaction.cpp:263
#18 0xb5e458dc in QAction::activate (this=0x9e69980, event=QAction::Trigger) at kernel/qaction.cpp:1256
#19 0xb63117ef in QMenuPrivate::activateCausedStack (this=0xa0ba7c8, causedStack=..., action=0x9e69980, action_e=QAction::Trigger, self=true) at widgets/qmenu.cpp:993
#20 0xb6317a4b in QMenuPrivate::activateAction (this=0xa0ba7c8, action=0x9e69980, action_e=QAction::Trigger, self=<value optimized out>) at widgets/qmenu.cpp:1085
#21 0xb63185e0 in QMenu::mouseReleaseEvent (this=0xa0a6810, e=0xbfe0d360) at widgets/qmenu.cpp:2301
#22 0xb70588a5 in KMenu::mouseReleaseEvent (this=0xa0a6810, e=0xbfe0d360) at ../../kdeui/widgets/kmenu.cpp:471
#23 0xb5ea9e08 in QWidget::event (this=0xa0a6810, event=0xbfe0d360) at kernel/qwidget.cpp:8187
#24 0xb631a02f in QMenu::event (this=0xa0a6810, e=0xbfe0d360) at widgets/qmenu.cpp:2410
#25 0xb5e4bfdc in QApplicationPrivate::notify_helper (this=0x9c35a20, receiver=0xa0a6810, e=0xbfe0d360) at kernel/qapplication.cpp:4396
#26 0xb5e52c2e in QApplication::notify (this=0xbfe0dd30, receiver=0xa0a6810, e=0xbfe0d360) at kernel/qapplication.cpp:3959
#27 0xb6f5cd8a in KApplication::notify (this=0xbfe0dd30, receiver=0xa0a6810, event=0xbfe0d360) at ../../kdeui/kernel/kapplication.cpp:310
#28 0xb69c8b3b in QCoreApplication::notifyInternal (this=0xbfe0dd30, receiver=0xa0a6810, event=0xbfe0d360) at kernel/qcoreapplication.cpp:732
#29 0xb5e51094 in sendEvent (receiver=0xa0a6810, event=0xbfe0d360, alienWidget=0x0, nativeWidget=0xa0a6810, buttonDown=0xb67e63c0, lastMouseReceiver=..., spontaneous=true) at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:215
#30 QApplicationPrivate::sendMouseEvent (receiver=0xa0a6810, event=0xbfe0d360, alienWidget=0x0, nativeWidget=0xa0a6810, buttonDown=0xb67e63c0, lastMouseReceiver=..., spontaneous=true) at kernel/qapplication.cpp:3058
#31 0xb5ee0261 in QETWidget::translateMouseEvent (this=0xa0a6810, event=0xbfe0d87c) at kernel/qapplication_x11.cpp:4337
#32 0xb5edf151 in QApplication::x11ProcessEvent (this=0xbfe0dd30, event=0xbfe0d87c) at kernel/qapplication_x11.cpp:3414
#33 0xb5f0e36a in x11EventSourceDispatch (s=0x9c38c00, callback=0, user_data=0x0) at kernel/qguieventdispatcher_glib.cpp:146
#34 0xb55ec855 in g_main_context_dispatch () from /lib/libglib-2.0.so.0
#35 0xb55f0668 in ?? () from /lib/libglib-2.0.so.0
#36 0xb55f0848 in g_main_context_iteration () from /lib/libglib-2.0.so.0
#37 0xb69f7565 in QEventDispatcherGlib::processEvents (this=0x9c1db70, flags=...) at kernel/qeventdispatcher_glib.cpp:415
#38 0xb5f0dbe5 in QGuiEventDispatcherGlib::processEvents (this=0x9c1db70, flags=...) at kernel/qguieventdispatcher_glib.cpp:204
#39 0xb69c7609 in QEventLoop::processEvents (this=0xbfe0db74, flags=) at kernel/qeventloop.cpp:149
#40 0xb69c7a8a in QEventLoop::exec (this=0xbfe0db74, flags=...) at kernel/qeventloop.cpp:201
#41 0xb69cc00f in QCoreApplication::exec () at kernel/qcoreapplication.cpp:1009
#42 0xb5e4ae07 in QApplication::exec () at kernel/qapplication.cpp:3672
#43 0xb78ad592 in kdemain (argc=2, argv=0xbfe0e014) at ../../../../apps/konqueror/src/konqmain.cpp:234
#44 0x080485ab in main (argc=2, argv=0xbfe0e014) at konqueror_dummy.cpp:3
Comment 2 Tommi Tervo 2011-01-31 21:45:24 UTC
Possible related bug: 221331

==24819== Invalid read of size 4
==24819==    at 0xE189D3B: khtml::RenderBlock::clearChildOfPageBreaks(khtml::RenderObject*, khtml::RenderBlock::PageBreakInfo&, khtml::RenderBlock::MarginInfo&) (render_block.cpp:1670)
==24819==    by 0xE1899B8: khtml::RenderBlock::layoutBlockChildren(bool) (render_block.cpp:1607)
==24819==    by 0xE1864F8: khtml::RenderBlock::layoutBlock(bool) (render_block.cpp:837)
==24819==    by 0xE2032AC: khtml::RenderCanvas::layout() (render_canvas.cpp:191)
==24819==    by 0xE03976C: khtml::RenderObject::layoutIfNeeded() (in /opt/kde46trnk/lib/libkhtml.so.5.6.0)
==24819==    by 0xE0304D0: KHTMLView::print(bool) (khtmlview.cpp:3142)
==24819==    by 0xE093897: KHTMLPartBrowserExtension::print() (khtml_ext.cpp:364)
==24819==    by 0xE09B45C: KHTMLPartBrowserExtension::qt_metacall(QMetaObject::Call, int, void**) (khtml_ext.moc:103)
==24819==    by 0x5071E5C: QMetaObject::metacall(QObject*, QMetaObject::Call, int, void**) (qmetaobject.cpp:237)
==24819==    by 0x5081FFB: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qobject.cpp:3272)
==24819==    by 0x53772BC: QAction::triggered(bool) (moc_qaction.cpp:263)
==24819==    by 0x537755A: QAction::activate(QAction::ActionEvent) (qaction.cpp:1257)
==24819==    by 0x53776FF: QAction::event(QEvent*) (qaction.cpp:1183)
==24819==    by 0x494E04E: KAction::event(QEvent*) (kaction.cpp:131)
==24819==    by 0x537E413: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:4445)
==24819==    by 0x5387136: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:3845)
==24819==    by 0x4A3E55D: KApplication::notify(QObject*, QEvent*) (kapplication.cpp:311)
==24819==    by 0x506B5BD: QCoreApplication::notifyInternal(QObject*, QEvent*) (qcoreapplication.cpp:732)
==24819==    by 0x53B713E: QShortcutMap::dispatchEvent(QKeyEvent*) (qcoreapplication.h:215)
==24819==    by 0x53B86B4: QShortcutMap::tryShortcutEvent(QObject*, QKeyEvent*) (qshortcutmap.cpp:364)
==24819==    by 0x5388E37: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:3887)
==24819==    by 0x4A3E55D: KApplication::notify(QObject*, QEvent*) (kapplication.cpp:311)
==24819==    by 0x506B5BD: QCoreApplication::notifyInternal(QObject*, QEvent*) (qcoreapplication.cpp:732)
==24819==    by 0x537C37C: qt_sendSpontaneousEvent(QObject*, QEvent*) (qcoreapplication.h:218)
==24819==    by 0x5430532: QKeyMapper::sendKeyEvent(QWidget*, bool, QEvent::Type, int, QFlags<Qt::KeyboardModifier>, QString const&, bool, int, unsigned int, unsigned int, unsigned int, bool*) (qkeymapper_x11.cpp:1867)
==24819==    by 0x5430A00: QKeyMapperPrivate::translateKeyEvent(QWidget*, _XEvent const*, bool) (qkeymapper_x11.cpp:1837)
==24819==    by 0x5409641: QApplication::x11ProcessEvent(_XEvent*) (qapplication_x11.cpp:3457)
==24819==    by 0x5434DAF: x11EventSourceDispatch(_GSource*, int (*)(void*), void*) (qguieventdispatcher_glib.cpp:146)
==24819==    by 0x65F6B48: g_main_context_dispatch (in /usr/lib/libglib-2.0.so.0.2400.1)
==24819==    by 0x65F734F: ??? (in /usr/lib/libglib-2.0.so.0.2400.1)
==24819==    by 0x65F760D: g_main_context_iteration (in /usr/lib/libglib-2.0.so.0.2400.1)
==24819==    by 0x5099D5A: QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventdispatcher_glib.cpp:422)
==24819==    by 0x54349A9: QGuiEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qguieventdispatcher_glib.cpp:204)
==24819==    by 0x506A89C: QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventloop.cpp:149)
==24819==    by 0x506AAC8: QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (qeventloop.cpp:201)
==24819==    by 0x506F56F: QCoreApplication::exec() (qcoreapplication.cpp:1009)
==24819==    by 0x537C113: QApplication::exec() (qapplication.cpp:3719)
==24819==    by 0x40E154E: kdemain (konqmain.cpp:219)
==24819==    by 0x80487D8: main (konqueror_dummy.cpp:3)
==24819==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
Comment 3 Andrea Iacovitti 2011-02-04 00:35:23 UTC
Created attachment 56841 [details]
patch

The attached diff fixes the crash for me, but two pages are printed
Comment 4 Gérard Talbot (no longer involved) 2011-02-04 01:48:34 UTC
> two pages are printed

That could well be possible since, after the <p>Test passes if there is a black box above.</p>, there should be a page-break. So, the 2nd page should be blank.

Andrea, Thank you for your assistance on this bug report,

Gérard
Comment 5 Maksim Orlovich 2011-02-06 16:40:57 UTC
@Andrea: I have just made exactly the same patch and queued it. The change is correct, so feel free to commit it if you want/can.
Comment 6 Maksim Orlovich 2011-02-06 17:06:36 UTC
*** Bug 221331 has been marked as a duplicate of this bug. ***
Comment 7 Maksim Orlovich 2011-02-06 17:11:24 UTC
*** Bug 176772 has been marked as a duplicate of this bug. ***
Comment 8 Maksim Orlovich 2011-02-06 17:12:42 UTC
*** Bug 213882 has been marked as a duplicate of this bug. ***
Comment 9 Andrea Iacovitti 2011-02-06 18:07:23 UTC
Created attachment 56926 [details]
updated patch

@Maksim: Sorry, I can't commit at the moment (and for the next few days). Please, if you want, feel free to do it.

Just one hint/question: is it worth duplicating the same check some lines later (see the updated patch), in your opinion?

thanks
Comment 10 Andrea Iacovitti 2011-02-08 00:19:42 UTC
Git commit 0126c4bf738229fedb1a5a1c05abf565b3131dce by Andrea Iacovitti.
Committed on 07/02/11 at 21:57.
Pushed by aiacovitti into branch 'KDE/4.6'.

Check for parent() to avoid crash

BUG: 264985

M  +2    -2    khtml/rendering/render_block.cpp     

http://commits.kde.org/kdelibs/0126c4bf738229fedb1a5a1c05abf565b3131dce
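The commit above describes the fix only as "Check for parent() to avoid crash", and the valgrind log in Comment 2 shows the crash as an invalid read at address 0x0 inside RenderBlock::clearChildOfPageBreaks during print layout. The following is an added illustration, not khtml's source: a toy render tree in which a page-break routine reads parent() of a child unconditionally (the defect class), beside the same routine with the null guard the commit describes. Every type and function name here (RenderObject, PageBreakInfo, crossesPageUnguarded, crossesPageGuarded, demoGuardHandlesDetachedChild) is a hypothetical stand-in, not a khtml API.

```cpp
// Added illustration (not khtml code). Models the defect reported here: a
// layout routine that assumes every child has a parent box, and the guard
// that turns a crash on web content into a harmless "no page break needed".
#include <cstdio>
#include <vector>

struct RenderObject {
    RenderObject* m_parent = nullptr;
    int m_yPos = 0;           // offset of this box inside its parent box
    int m_height = 0;
    bool m_positioned = false; // absolutely positioned, as the <div> in the testcase
    std::vector<RenderObject*> m_children;

    RenderObject* parent() const { return m_parent; }
    int yPos() const { return m_yPos; }
    int height() const { return m_height; }

    void addChild(RenderObject* c, int y) {
        c->m_parent = this;
        c->m_yPos = y;
        m_children.push_back(c);
    }
};

struct PageBreakInfo {
    int pageHeight;  // height of one printed page
    int pageBottom;  // y at which the current page ends
};

// "Before": reads parent()->yPos() without checking parent(). For a child that
// is not attached to a parent box this is a read through a null pointer, the
// same shape as the "Address 0x0" invalid read in Comment 2. Kept only as the
// pattern to avoid; never call it with a detached child.
static bool crossesPageUnguarded(const RenderObject* child, const PageBreakInfo& pb) {
    int top = child->parent()->yPos() + child->yPos();
    return top < pb.pageBottom && top + child->height() > pb.pageBottom;
}

// "After": the one-line guard the commit describes. A child with no parent box
// cannot straddle a page boundary of its container, so report "no break".
static bool crossesPageGuarded(const RenderObject* child, const PageBreakInfo& pb) {
    if (!child->parent())
        return false;
    int top = child->parent()->yPos() + child->yPos();
    return top < pb.pageBottom && top + child->height() > pb.pageBottom;
}

// Constructed scenario (hypothetical numbers): a canvas holding one paragraph
// that straddles the first page boundary, plus a positioned box that was never
// attached to a parent. Returns true when the guarded routine handles both.
static bool demoGuardHandlesDetachedChild() {
    RenderObject canvas, para, box;
    PageBreakInfo pb{100, 100};

    canvas.addChild(&para, 80);  // para spans y 80..130, crossing pageBottom
    para.m_height = 50;

    box.m_positioned = true;     // detached: parent() stays nullptr
    box.m_height = 96;

    bool attachedOk = crossesPageUnguarded(&para, pb) && crossesPageGuarded(&para, pb);
    bool detachedOk = !crossesPageGuarded(&box, pb);   // would crash unguarded
    return attachedOk && detachedOk;
}

int main() {
    std::printf("guard handles detached child: %s\n",
                demoGuardHandlesDetachedChild() ? "yes" : "no");
    return 0;
}
```

The security-relevant point is that a page-break decision made during printing is driven entirely by the document being printed, so an unchecked pointer in that path is a remotely reachable denial of service (a crash on opening or printing a page), which is why the fix is a defensive check rather than a change to layout semantics.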
Comment 11 Raphael Kubo da Costa 2011-02-08 01:11:08 UTC
SVN commit 1219297 by rkcosta:

Mention khtml bug 264985 in the changelog.

CCBUG: 264985
CCMAIL: aiacovitti@libero.it


 M  +5 -0      changelog_branch_4_6.xml  


WebSVN link: http://websvn.kde.org/?view=rev&revision=1219297
Comment 12 Gérard Talbot (no longer involved) 2011-03-28 01:17:06 UTC
I get expected results (2 pages printed; the second one being blank) while using Konqueror 4.6.1 (KDE 4.6, Qt 4.7.0, Linux 2.6.35-28-generic-pae).

Marking VERIFIED as FIXED

Gérard
Comment 13 Christoph Feck 2011-08-12 18:09:10 UTC
*** Bug 279984 has been marked as a duplicate of this bug. ***