| Summary: | [reproduceable] [testcase] multiple firing of alert dialog cause reproduceable application crashes | ||
|---|---|---|---|
| Product: | [Applications] konqueror | Reporter: | Jiří Keller, MD <keller.public+kde> |
| Component: | khtml | Assignee: | Konqueror Developers <konq-bugs> |
| Status: | RESOLVED WORKSFORME | ||
| Severity: | crash | CC: | browserbugs2, justin.zobel, keller.public+kde, kollix |
| Priority: | NOR | Keywords: | testcase, triaged |
| Version: | 4.4.5 | ||
| Target Milestone: | --- | ||
| Platform: | Ubuntu | ||
| OS: | Linux | ||
| Latest Commit: | Version Fixed In: | ||
| Sentry Crash Report: | |||
can you reproduce the crash if you comment out the alert(traZF); call ?
I can reproduce a crash with the following html page when resizing the konq window (I'm getting 2 alert dialogs) and closing the last alert dialog.
I'd like to know if my crash is the same as yours or if I need to create a new report.
<html>
<head>
<script type="text/javascript">
function setZF(){ alert("test"); }
window.onresize = setZF;
</script>
</head>
<body>
</body>
</html>
Hi, after alert() removal, it does not crash. Your code crashes the browser exactly the same way as my code did. I do not believe many people call alert() on window resize event anyway, but I think it should be fixed anyway. Thanks George ok, here is also a valgrind log from a test with my simple code from comment #1 ==26415== Invalid read of size 4 ==26415== at 0x4F5B014: QVariantAnimationPrivate::setCurrentValueForProgress(double) (qobject_p.h:221) ==26415== by 0x4F5B719: QVariantAnimationPrivate::recalculateCurrentInterval(bool) (qvariantanimation.cpp:278) ==26415== by 0x4F5EA56: QPropertyAnimation::updateState(QAbstractAnimation::State, QAbstractAnimation::State) (qpropertyanimation.cpp:285) ==26415== by 0x4F593AE: QAbstractAnimationPrivate::setState(QAbstractAnimation::State) (qabstractanimation.cpp:411) ==26415== by 0x588AC54: QWidgetAnimator::animate(QWidget*, QRect const&, bool) (qwidgetanimator.cpp:102) ==26415== by 0x57D56C7: QDockAreaLayout::apply(bool) (qdockarealayout.cpp:3082) ==26415== by 0x5801A83: QMainWindowLayoutState::apply(bool) (qmainwindowlayout.cpp:235) ==26415== by 0x58062EC: QMainWindowLayout::applyState(QMainWindowLayoutState&, bool) (qmainwindowlayout.cpp:1928) ==26415== by 0x5806A2E: QMainWindowLayout::setGeometry(QRect const&) (qmainwindowlayout.cpp:1473) ==26415== by 0x539DD31: QLayoutPrivate::doResize(QSize const&) (qlayout.cpp:681) ==26415== by 0x539F6FA: QLayout::widgetEvent(QEvent*) (qlayout.cpp:705) ==26415== by 0x536E6A3: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:4453) ==26415== Address 0xaf5d9c4 is 52 bytes inside a block of size 216 free'd ==26415== at 0x40266AD: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so) ==26415== by 0x4F5F2E0: QPropertyAnimationPrivate::~QPropertyAnimationPrivate() (qpropertyanimation_p.h:65) ==26415== by 0x508D9D1: QObject::~QObject() (qscopedpointer.h:62) ==26415== by 0x4F5926A: QAbstractAnimation::~QAbstractAnimation() (qabstractanimation.cpp:480) ==26415== by 0x4F5ABD5: QVariantAnimation::~QVariantAnimation() (qvariantanimation.cpp:361) ==26415== by 0x4F5DEF4: QPropertyAnimation::~QPropertyAnimation() (qpropertyanimation.cpp:171) ==26415== by 0x4F5DF41: QPropertyAnimation::~QPropertyAnimation() (qpropertyanimation.cpp:174) ==26415== by 0x5087CA2: qDeleteInEventHandler(QObject*) (qobject.cpp:3986) ==26415== by 0x508A3A7: QObject::event(QEvent*) (qobject.cpp:1200) ==26415== by 0x4F57E32: QAbstractAnimation::event(QEvent*) (qabstractanimation.cpp:857) ==26415== by 0x4F5ABA2: QVariantAnimation::event(QEvent*) (qvariantanimation.cpp:646) ==26415== by 0x4F5DEB2: QPropertyAnimation::event(QEvent*) (qpropertyanimation.cpp:233) Martin and Jiří, I believe it would help (QA people, KDE developers, searching for DUPLICATES) if the bug summary was reedited to mention firing of multiple alert dialogs and if a reduced testcase was created. Bug 278067: multiple firing of alert dialog cause reproducible application crashes http://www.gtalbot.org/BrowserBugsSection/Konqueror4Bugs/Bug278067-multiple-alert-cause-crash.html Also, there are several variations of such code which also may cause application crashes: - with window.addEventListener("resize", setZF, true); - window.onscroll = setZF; // too - with window.addEventListener("scroll", setZF, false); - with document.onmousemove = setZF; // too - window.addEventListener("mousemove", setZF, false); This bug report is another nth example of very bad usage of alert() on the web. I am using KDE Platform Version: 4.7.0 Konqueror version: 4.7.0 (KHTML rendering engine) Qt Version: 4.7.2 Operating System: Linux 2.6.38-11-generic-pae i686 (32bits) Distribution: Kubuntu 11.04 here. regards, Gérard No crash with
window.onscroll = setZF;
or
window.addEventListener("scroll", setZF, false);
because there is no fast successive event handlers fired.
Eg
https://bug35011.bugzilla.mozilla.org/attachment.cgi?id=7344
For the system, pressing up|down arrow key once or pressing PgUp|PgDn key once or pressing Home|End key once fires the scroll event only one.
Therefore there should be no crash for
DOMMouseScroll
event type (mouse wheel roll event) as well.
Gérard
Reduced test case from comment #1 most definitely crashes khtml after resizing a couple of times on the latest KDE 4.7 branch. Jiří, Please add [testcase] at the beginning of the bug summary and please add the keywords reproduceable and testcase in the keywords list. This helps searching, finding bug reports. Gérard Thank you for the crash report. As it has been a while since this was reported, can you please test and confirm if this issue is still occurring or if this bug report can be marked as resolved. I have set the bug status to "needsinfo" pending your response, please change back to "reported" or "resolved/worksforme" when you respond, thank you. Dear Bug Submitter, This bug has been in NEEDSINFO status with no change for at least 15 days. Please provide the requested information as soon as possible and set the bug status as REPORTED. Due to regular bug tracker maintenance, if the bug is still in NEEDSINFO status with no change in 30 days the bug will be closed as RESOLVED > WORKSFORME due to lack of needed information. For more information about our bug triaging procedures please read the wiki located here: https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging If you have already provided the requested information, please mark the bug as REPORTED so that the KDE team knows that the bug is ready to be confirmed. Thank you for helping us make KDE software even better for everyone! This bug has been in NEEDSINFO status with no change for at least 30 days. The bug is now closed as RESOLVED > WORKSFORME due to lack of needed information. For more information about our bug triaging procedures please read the wiki located here: https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging Thank you for helping us make KDE software even better for everyone! |
Application: konqueror (4.4.5 (KDE 4.4.5)) KDE Platform Version: 4.4.5 (KDE 4.4.5) Qt Version: 4.6.2 Operating System: Linux 2.6.32-33-generic i686 Distribution: Ubuntu 10.04.2 LTS -- Information about the crash: this piece of javascript craashes the browser: num_tra=60; num_cor=128; num_sag=128; zoom=6; traZF=1; corZF=1; sagZF=1; function setZF(){ traZF=(num_sag*zoom)/document['Tra'].width; alert(traZF); corZF=document['Cor'].width/(num_cor*zoom); sagZF=document['Sag'].width/(num_sag*zoom); } window.onresize =setZF; The crash can be reproduced every time. -- Backtrace: Application: Konqueror (kdeinit4), signal: Segmentation fault [KCrash Handler] #6 QVector<QPair<double, QVariant> >::end (this=0xa4c3260, step=0) at animation/qvariantanimation.cpp:308 #7 QVariantAnimationPrivate::valueAt (this=0xa4c3260, step=0) at animation/qvariantanimation.cpp:308 #8 0x0068ba53 in QVariantAnimation::keyValueAt (this=0xaea0fe8, step=0) at animation/qvariantanimation.cpp:562 #9 0x0068bacf in QVariantAnimation::startValue (this=0xaea0fe8) at animation/qvariantanimation.cpp:526 #10 0x0068f0ea in QPropertyAnimation::updateState (this=0xaea0fe8, newState=QAbstractAnimation::Running, oldState=QAbstractAnimation::Stopped) at animation/qpropertyanimation.cpp:283 #11 0x0068931e in QAbstractAnimationPrivate::setState (this=0xa5d7fc8, newState=QAbstractAnimation::Running) at animation/qabstractanimation.cpp:373 #12 0x089490dc in QWidgetAnimator::animate (this=0xa344788, widget=0xa43c830, _final_geometry=..., animate=false) at widgets/qwidgetanimator.cpp:102 #13 0x0888d36a in QDockAreaLayout::apply (this=0xa3443b4, animate=false) at widgets/qdockarealayout.cpp:3083 #14 0x088b9b52 in QMainWindowLayoutState::apply (this=0xa344308, animated=false) at widgets/qmainwindowlayout.cpp:235 #15 0x088baaf3 in QMainWindowLayout::applyState (this=0xa3442f8, newState=..., animate=false) at widgets/qmainwindowlayout.cpp:1925 #16 0x088bb2d8 in QMainWindowLayout::setGeometry (this=0xa3442f8, _r=...) at widgets/qmainwindowlayout.cpp:1473 #17 0x08474d2f in QLayoutPrivate::doResize (this=0xa22e520, r=...) at kernel/qlayout.cpp:681 #18 0x084763de in QLayout::widgetEvent (this=0xa3442f8, e=0xbfdaf608) at kernel/qlayout.cpp:705 #19 0x0843d4a6 in QApplicationPrivate::notify_helper (this=0xa081f40, receiver=0xa3a5680, e=0xbfdaf608) at kernel/qapplication.cpp:4291 #20 0x084440f9 in QApplication::notify (this=0xbfdb0154, receiver=0xa3a5680, e=0xbfdaf608) at kernel/qapplication.cpp:4265 #21 0x0109540a in KApplication::notify (this=0xbfdb0154, receiver=0xa3a5680, event=0xbfdaf608) at ../../kdeui/kernel/kapplication.cpp:302 #22 0x007a8a3b in QCoreApplication::notifyInternal (this=0xbfdb0154, receiver=0xa3a5680, event=0xbfdaf608) at kernel/qcoreapplication.cpp:704 #23 0x084c2163 in QCoreApplication::sendSpontaneousEvent (this=0xa3a5680, event=0xbfdafc3c) at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:218 #24 QETWidget::translateConfigEvent (this=0xa3a5680, event=0xbfdafc3c) at kernel/qapplication_x11.cpp:5241 #25 0x084cdcd6 in QApplication::x11ProcessEvent (this=0xbfdb0154, event=0xbfdafc3c) at kernel/qapplication_x11.cpp:3406 #26 0x084fd60a in x11EventSourceDispatch (s=0xa085040, callback=0, user_data=0x0) at kernel/qguieventdispatcher_glib.cpp:146 #27 0x012ae5e5 in g_main_context_dispatch () from /lib/libglib-2.0.so.0 #28 0x012b22d8 in ?? () from /lib/libglib-2.0.so.0 #29 0x012b24b8 in g_main_context_iteration () from /lib/libglib-2.0.so.0 #30 0x007d45d5 in QEventDispatcherGlib::processEvents (this=0xa03fb48, flags=...) at kernel/qeventdispatcher_glib.cpp:412 #31 0x084fd135 in QGuiEventDispatcherGlib::processEvents (this=0xa03fb48, flags=...) at kernel/qguieventdispatcher_glib.cpp:204 #32 0x007a7059 in QEventLoop::processEvents (this=0xbfdaff34, flags=) at kernel/qeventloop.cpp:149 #33 0x007a74aa in QEventLoop::exec (this=0xbfdaff34, flags=...) at kernel/qeventloop.cpp:201 #34 0x007ab69f in QCoreApplication::exec () at kernel/qcoreapplication.cpp:981 #35 0x0843d577 in QApplication::exec () at kernel/qapplication.cpp:3579 #36 0x099d023e in kdemain () from /usr/lib/libkdeinit4_konqueror.so #37 0x0804e133 in launch (argc=<value optimized out>, _name=<value optimized out>, args=<value optimized out>, cwd=0x0, envc=0, envs=0xa0a019c "", reset_env=false, tty=0x0, avoid_loops=false, startup_id_str=0x8051465 "0") at ../../kinit/kinit.cpp:717 #38 0x0804ec6d in handle_launcher_request (sock=<value optimized out>, who=<value optimized out>) at ../../kinit/kinit.cpp:1209 #39 0x0804f190 in handle_requests (waitForPid=<value optimized out>) at ../../kinit/kinit.cpp:1402 #40 0x0804fe4f in main (argc=2, argv=0xbfdb0d34, envp=0xbfdb0d40) at ../../kinit/kinit.cpp:1845 Reported using DrKonqi