Bug 302519

Summary: [testcase] Konqueror crashes with sigsegv
Product: [Applications] konqueror Reporter: Graeme Hewson <bugs>
Component: khtmlAssignee: Konqueror Bugs <konqueror-bugs-null>
Status: RESOLVED FIXED    
Severity: crash CC: aiacovitti, don-redhat-zxy, kde, rasasi78
Priority: NOR Keywords: testcase
Version First Reported In: 4.9.2   
Target Milestone: ---   
Platform: Ubuntu   
OS: Linux   
Latest Commit: http://commits.kde.org/kdelibs/218cce8e53e378ab5f269636d768ac1c7aa1f70b Version Fixed/Implemented In: 4.11.4
Sentry Crash Report:
Attachments: text copy/pasted from ABRT
reduced testcase

Description Graeme Hewson 2012-06-25 17:01:20 UTC 
Application: konqueror (4.8.4 (4.8.4))
KDE Platform Version: 4.8.4 (4.8.4)
Qt Version: 4.8.1
Operating System: Linux 3.2.0-25-generic x86_64
Distribution: Ubuntu 12.04 LTS

-- Information about the crash:
Looking at http://smorgasbord.gavagai.nl/2010/09/wifi-regulatory-compliance-and-how-to-fix-it/
Sometimes Konqueror crashes after 10 seconds or so without me doing anything. Sometimes it crashes if I click on the link to http://wiki.openwrt.org/toh/tp-link/tl-wr1043nd

The crash can be reproduced every time.

-- Backtrace:
Application: Konqueror (konqueror), signal: Segmentation fault
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[Current thread is 1 (Thread 0x7f092abcd780 (LWP 4911))]

Thread 2 (Thread 0x7f0903975700 (LWP 4924)):
#0  0x00007f092a427b03 in __GI___poll (fds=<optimized out>, nfds=<optimized out>, timeout=<optimized out>) at ../sysdeps/unix/sysv/linux/poll.c:87
#1  0x00007f0923347036 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#2  0x00007f0923347164 in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#3  0x00007f0927f16426 in QEventDispatcherGlib::processEvents (this=0x7f08fc0008c0, flags=...) at kernel/qeventdispatcher_glib.cpp:426
#4  0x00007f0927ee5c82 in QEventLoop::processEvents (this=<optimized out>, flags=...) at kernel/qeventloop.cpp:149
#5  0x00007f0927ee5ed7 in QEventLoop::exec (this=0x7f0903974dd0, flags=...) at kernel/qeventloop.cpp:204
#6  0x00007f0927de4fa7 in QThread::exec (this=<optimized out>) at thread/qthread.cpp:501
#7  0x00007f0927ec59ff in QInotifyFileSystemWatcherEngine::run (this=0x32b60e0) at io/qfilesystemwatcher_inotify.cpp:248
#8  0x00007f0927de7fcb in QThreadPrivate::start (arg=0x32b60e0) at thread/qthread_unix.cpp:298
#9  0x00007f0923a07e9a in start_thread (arg=0x7f0903975700) at pthread_create.c:308
#10 0x00007f092a4334bd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#11 0x0000000000000000 in ?? ()

Thread 1 (Thread 0x7f092abcd780 (LWP 4911)):
[KCrash Handler]
#6  0x00007f09178add5a in khtml::RenderBlock::nodeAtPoint (this=0x2f10180, info=..., _x=318, _y=119, _tx=82, _ty=6, hitTestAction=HitTestAll, inBox=false) at ../../khtml/rendering/render_block.cpp:2802
#7  0x00007f09178ade2e in khtml::RenderBlock::nodeAtPoint (this=0x2f0f748, info=..., _x=318, _y=119, _tx=0, _ty=0, hitTestAction=HitTestAll, inBox=false) at ../../khtml/rendering/render_block.cpp:2805
#8  0x00007f09178bcd58 in khtml::RenderObject::nodeAtPoint (this=0x2f0f5b8, info=..., _x=318, _y=119, _tx=<optimized out>, _ty=0, hitTestAction=HitTestAll, inside=true) at ../../khtml/rendering/render_object.cpp:2547
#9  0x00007f09178adc8a in khtml::RenderBlock::nodeAtPoint (this=0x2f0f5b8, info=..., _x=318, _y=119, _tx=0, _ty=0, hitTestAction=HitTestAll, inBox=false) at ../../khtml/rendering/render_block.cpp:2808
#10 0x00007f09178bcd58 in khtml::RenderObject::nodeAtPoint (this=0x2f0f438, info=..., _x=318, _y=119, _tx=<optimized out>, _ty=0, hitTestAction=HitTestChildrenOnly, inside=false) at ../../khtml/rendering/render_object.cpp:2547
#11 0x00007f09178adc8a in khtml::RenderBlock::nodeAtPoint (this=0x2f0f438, info=..., _x=318, _y=119, _tx=0, _ty=0, hitTestAction=HitTestChildrenOnly, inBox=false) at ../../khtml/rendering/render_block.cpp:2808
#12 0x00007f09178dbf37 in khtml::RenderLayer::nodeAtPointForLayer (this=0x2f0f500, rootLayer=0x2f0f380, info=..., xMousePos=318, yMousePos=119, hitTestRect=...) at ../../khtml/rendering/render_layer.cpp:1254
#13 0x00007f09178dbd84 in khtml::RenderLayer::nodeAtPointForLayer (this=0x2f0f380, rootLayer=0x2f0f380, info=..., xMousePos=318, yMousePos=119, hitTestRect=...) at ../../khtml/rendering/render_layer.cpp:1232
#14 0x00007f09178dc0a0 in khtml::RenderLayer::nodeAtPoint (this=0x2f0f380, info=..., x=318, y=119) at ../../khtml/rendering/render_layer.cpp:1193
#15 0x00007f091783056f in DOM::MouseEventImpl::computeLayerPos (this=0x34b21e0) at ../../khtml/xml/dom2_eventsimpl.cpp:531
#16 0x00007f09178319b2 in DOM::MouseEventImpl::MouseEventImpl (this=0x34b21e0, _id=<optimized out>, canBubbleArg=<optimized out>, cancelableArg=<optimized out>, viewArg=<optimized out>, detailArg=<optimized out>, screenXArg=985, screenYArg=244, clientXArg=318, clientYArg=119, pageXArg=318, pageYArg=119, ctrlKeyArg=false, altKeyArg=false, shiftKeyArg=false, metaKeyArg=false, buttonArg=65535, relatedTargetArg=0x2f8a070, qe=0x0, isDoubleClick=false, orient=DOM::MouseEventImpl::ONone) at ../../khtml/xml/dom2_eventsimpl.cpp:511
#17 0x00007f091776576b in KHTMLView::dispatchMouseEvent (this=0x20e37b0, eventId=7, targetNode=0x2f8a8c0, targetNodeNonShared=<optimized out>, cancelable=false, detail=0, _mouse=0x7fff949a84d0, setUnder=true, mouseEventType=4, orient=0) at ../../khtml/khtmlview.cpp:3561
#18 0x00007f091776a349 in KHTMLView::mouseMoveEvent (this=0x20e37b0, _mouse=0x7fff949a84d0) at ../../khtml/khtmlview.cpp:1350
#19 0x00007f092703d178 in QWidget::event (this=0x20e37b0, event=0x7fff949a84d0) at kernel/qwidget.cpp:8347
#20 0x00007f09273fd3b6 in QFrame::event (this=0x20e37b0, e=0x7fff949a84d0) at widgets/qframe.cpp:557
#21 0x00007f091776e33d in KHTMLView::widgetEvent (this=0x20e37b0, e=<optimized out>) at ../../khtml/khtmlview.cpp:2209
#22 0x00007f091776dae4 in KHTMLView::eventFilter (this=0x20e37b0, o=0x20d0840, e=0x7fff949a84d0) at ../../khtml/khtmlview.cpp:2054
#23 0x00007f0927ee7028 in QCoreApplicationPrivate::sendThroughObjectEventFilters (this=<optimized out>, receiver=0x20d0840, event=0x7fff949a84d0) at kernel/qcoreapplication.cpp:986
#24 0x00007f0926fec85f in notify_helper (e=0x7fff949a84d0, receiver=0x20d0840, this=0x1881bc0) at kernel/qapplication.cpp:4555
#25 QApplicationPrivate::notify_helper (this=0x1881bc0, receiver=0x20d0840, e=0x7fff949a84d0) at kernel/qapplication.cpp:4531
#26 0x00007f0926ff20bf in QApplication::notify (this=<optimized out>, receiver=0x20d0840, e=0x7fff949a84d0) at kernel/qapplication.cpp:4102
#27 0x00007f092894d9e6 in KApplication::notify (this=0x7fff949a9310, receiver=0x20d0840, event=0x7fff949a84d0) at ../../kdeui/kernel/kapplication.cpp:311
#28 0x00007f0927ee6e9c in QCoreApplication::notifyInternal (this=0x7fff949a9310, receiver=0x20d0840, event=0x7fff949a84d0) at kernel/qcoreapplication.cpp:876
#29 0x00007f0926fed862 in sendEvent (event=<optimized out>, receiver=<optimized out>) at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:231
#30 QApplicationPrivate::sendMouseEvent (receiver=0x20d0840, event=0x7fff949a84d0, alienWidget=0x20d0840, nativeWidget=0x2005060, buttonDown=0x0, lastMouseReceiver=..., spontaneous=true) at kernel/qapplication.cpp:3170
#31 0x00007f092706cbf5 in QETWidget::translateMouseEvent (this=0x2005060, event=<optimized out>) at kernel/qapplication_x11.cpp:4617
#32 0x00007f092706bbae in QApplication::x11ProcessEvent (this=0x7fff949a9310, event=0x7fff949a8da0) at kernel/qapplication_x11.cpp:3732
#33 0x00007f09270950d2 in x11EventSourceDispatch (s=0x1872790, callback=0, user_data=0x0) at kernel/qguieventdispatcher_glib.cpp:146
#34 0x00007f0923346d53 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#35 0x00007f09233470a0 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#36 0x00007f0923347164 in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#37 0x00007f0927f163bf in QEventDispatcherGlib::processEvents (this=0x1850b30, flags=...) at kernel/qeventdispatcher_glib.cpp:424
#38 0x00007f0927094d5e in QGuiEventDispatcherGlib::processEvents (this=<optimized out>, flags=...) at kernel/qguieventdispatcher_glib.cpp:204
#39 0x00007f0927ee5c82 in QEventLoop::processEvents (this=<optimized out>, flags=...) at kernel/qeventloop.cpp:149
#40 0x00007f0927ee5ed7 in QEventLoop::exec (this=0x7fff949a9140, flags=...) at kernel/qeventloop.cpp:204
#41 0x00007f0927eeaf67 in QCoreApplication::exec () at kernel/qcoreapplication.cpp:1148
#42 0x00007f092a7b528a in kdemain () from /usr/lib/kde4/libkdeinit/libkdeinit4_konqueror.so
#43 0x00007f092a36276d in __libc_start_main (main=0x400640, argc=1, ubp_av=0x7fff949a9cc8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fff949a9cb8) at libc-start.c:226
#44 0x0000000000400671 in _start ()

This bug may be a duplicate of or related to bug 170165.

Possible duplicates by query: bug 236769, bug 202832.

Reported using DrKonqi
Comment 1 Andrea Iacovitti 2012-06-25 20:53:44 UTC 
Are you using khtml 4.8.4? You can check running the followin command in konsole:
dpkg -l | grep libkhtml5
Comment 2 Tommi Tervo 2012-06-25 21:11:28 UTC 
I can confirm, opensuse 4.8.4 and self built 4.8.4+ from yesterday crashes.
Comment 3 Graeme Hewson 2012-06-26 04:44:15 UTC 
Yes, dpkg shows 4:4.8.4a-0ubuntu0.1~ppa2
Comment 4 don-redhat-zxy 2012-10-03 20:28:11 UTC 
Created attachment 74326 [details]
text copy/pasted from ABRT
Comment 5 don-redhat-zxy 2012-10-03 20:29:50 UTC 
I don't know whether this is the same bug, but at least it's sigsegv killing konqueror.
This is using fedora 16, about says:Konqueror Version 4.8.5 (4.8.5) Using KDE Development Platform 4.8.5 (4.8.5)
It seems reproducible - I was trying to add members to a yahoo group.
The infuriating thing is that ABRT leads me through this long process that ends up refusing to file the bug cause "the backtrace is unusable".  I have lots of huge core files.
Anyhow, the attachment is what I see in the ABRT window, copy/pasted
Comment 6 Graeme Hewson 2012-10-04 15:52:28 UTC 
Don: That doesn't seem to be the same kind of crash as mine. The fact that they both have SIGSEGV doesn't mean anything. I think the message you're seeing means you need to install the debug symbols. See, for instance, https://bugzilla.redhat.com/show_bug.cgi?id=750616.

Problem still reproducible on 4.9.2, so updating version number for ticket.
Comment 7 Andrea Iacovitti 2012-10-04 16:52:51 UTC 
Created attachment 74337 [details]
reduced testcase
Comment 8 Tim Brown 2013-03-03 15:35:20 UTC 
Looks like a NULL pointer dereference:

(gdb) bt
#0  0x00007fffe372fd9a in khtml::RenderBlock::nodeAtPoint (this=0xcf8110, info=..., _x=_x@entry=184, _y=_y@entry=8, _tx=10, _ty=_ty@entry=10, hitTestAction=hitTestAction@entry=HitTestAll, inBox=inBox@entry=false)
    at ../../khtml/rendering/render_block.cpp:2802
#1  0x00007fffe372fe47 in khtml::RenderBlock::nodeAtPoint (this=0xcf7ec8, info=..., _x=184, _y=8, _tx=0, _ty=0, hitTestAction=HitTestChildrenOnly, inBox=false) at ../../khtml/rendering/render_block.cpp:2805
#2  0x00007fffe375c96d in khtml::RenderLayer::nodeAtPointForLayer (this=0xcf7f90, rootLayer=rootLayer@entry=0xcf7e10, info=..., xMousePos=xMousePos@entry=184, yMousePos=yMousePos@entry=8, hitTestRect=...)
    at ../../khtml/rendering/render_layer.cpp:1254
#3  0x00007fffe375c773 in khtml::RenderLayer::nodeAtPointForLayer (this=this@entry=0xcf7e10, rootLayer=rootLayer@entry=0xcf7e10, info=..., xMousePos=xMousePos@entry=184, yMousePos=yMousePos@entry=8, hitTestRect=...)
    at ../../khtml/rendering/render_layer.cpp:1232
#4  0x00007fffe375cad2 in khtml::RenderLayer::nodeAtPoint (this=0xcf7e10, info=..., x=184, y=8) at ../../khtml/rendering/render_layer.cpp:1193
#5  0x00007fffe36b580f in DOM::MouseEventImpl::computeLayerPos (this=this@entry=0xd43870) at ../../khtml/xml/dom2_eventsimpl.cpp:531
#6  0x00007fffe36b6ca5 in DOM::MouseEventImpl::MouseEventImpl (this=0xd43870, _id=<optimized out>, canBubbleArg=<optimized out>, cancelableArg=<optimized out>, viewArg=<optimized out>, detailArg=<optimized out>, 
    screenXArg=184, screenYArg=78, clientXArg=184, clientYArg=8, pageXArg=184, pageYArg=8, ctrlKeyArg=false, altKeyArg=false, shiftKeyArg=false, metaKeyArg=false, buttonArg=65535, relatedTargetArg=0xd0e1b0, qe=0x0, 
    isDoubleClick=false, orient=DOM::MouseEventImpl::ONone) at ../../khtml/xml/dom2_eventsimpl.cpp:511
#7  0x00007fffe35ef613 in KHTMLView::dispatchMouseEvent (this=this@entry=0xb0e980, eventId=eventId@entry=7, targetNode=targetNode@entry=0xcca7c0, targetNodeNonShared=<optimized out>, cancelable=cancelable@entry=false, 
    detail=detail@entry=0, _mouse=_mouse@entry=0x7fffffffcce0, setUnder=setUnder@entry=true, mouseEventType=mouseEventType@entry=4, orient=orient@entry=0) at ../../khtml/khtmlview.cpp:3561
#8  0x00007fffe35f691a in KHTMLView::mouseMoveEvent (this=0xb0e980, _mouse=0x7fffffffcce0) at ../../khtml/khtmlview.cpp:1350
#9  0x00007ffff4470e44 in QWidget::event (this=0xb0e980, event=0x7fffffffcce0) at kernel/qwidget.cpp:8356
#10 0x00007ffff481bd36 in QFrame::event (this=0xb0e980, e=0x7fffffffcce0) at widgets/qframe.cpp:557
#11 0x00007fffe35f5b55 in KHTMLView::widgetEvent (this=0xb0e980, e=<optimized out>) at ../../khtml/khtmlview.cpp:2209
#12 0x00007fffe35f61c0 in KHTMLView::eventFilter (this=0xb0e980, o=0xb2cf00, e=0x7fffffffcce0) at ../../khtml/khtmlview.cpp:2054
#13 0x00007ffff52f4cc6 in QCoreApplicationPrivate::sendThroughObjectEventFilters (this=<optimized out>, receiver=0xb2cf00, event=0x7fffffffcce0) at kernel/qcoreapplication.cpp:1025
#14 0x00007ffff44216dc in QApplicationPrivate::notify_helper (this=this@entry=0x62f6b0, receiver=receiver@entry=0xb2cf00, e=e@entry=0x7fffffffcce0) at kernel/qapplication.cpp:4552
#15 0x00007ffff44263eb in QApplication::notify (this=<optimized out>, receiver=0xb2cf00, e=0x7fffffffcce0) at kernel/qapplication.cpp:4099
#16 0x00007ffff5d80886 in KApplication::notify (this=0x7fffffffdb20, receiver=0xb2cf00, event=0x7fffffffcce0) at ../../kdeui/kernel/kapplication.cpp:311
#17 0x00007ffff52f4b5e in QCoreApplication::notifyInternal (this=0x7fffffffdb20, receiver=0xb2cf00, event=0x7fffffffcce0) at kernel/qcoreapplication.cpp:915
#18 0x00007ffff442254b in sendEvent (event=<optimized out>, receiver=<optimized out>) at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:231
#19 QApplicationPrivate::sendMouseEvent (receiver=0xb2cf00, event=0x7fffffffcce0, alienWidget=0xb2cf00, nativeWidget=0x67da30, buttonDown=0x7ffff4ef72a8, lastMouseReceiver=..., spontaneous=true)
    at kernel/qapplication.cpp:3167
#20 0x00007ffff449cfc4 in QETWidget::translateMouseEvent (this=this@entry=0x67da30, event=event@entry=0x7fffffffd450) at kernel/qapplication_x11.cpp:4523
#21 0x00007ffff449bd51 in QApplication::x11ProcessEvent (this=0x7fffffffdb20, event=0x7fffffffd450) at kernel/qapplication_x11.cpp:3646
#22 0x00007ffff44c2bc2 in x11EventSourceDispatch (s=0x62f270, callback=0, user_data=0x0) at kernel/qguieventdispatcher_glib.cpp:146
#23 0x00007ffff0650355 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#24 0x00007ffff0650688 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#25 0x00007ffff0650744 in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#26 0x00007ffff5323276 in QEventDispatcherGlib::processEvents (this=0x603b30, flags=...) at kernel/qeventdispatcher_glib.cpp:424
#27 0x00007ffff44c283e in QGuiEventDispatcherGlib::processEvents (this=<optimized out>, flags=...) at kernel/qguieventdispatcher_glib.cpp:204
#28 0x00007ffff52f38af in QEventLoop::processEvents (this=this@entry=0x7fffffffd820, flags=...) at kernel/qeventloop.cpp:149
#29 0x00007ffff52f3b38 in QEventLoop::exec (this=0x7fffffffd820, flags=...) at kernel/qeventloop.cpp:204
#30 0x00007ffff52f8cf8 in QCoreApplication::exec () at kernel/qcoreapplication.cpp:1187
#31 0x00007ffff7bad062 in kdemain () from /usr/lib/kde4/libkdeinit/libkdeinit4_konqueror.so
#32 0x00007ffff778fead in __libc_start_main (main=<optimized out>, argc=<optimized out>, ubp_av=<optimized out>, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdd98)
    at libc-start.c:228
#33 0x0000000000400771 in _start ()
(gdb) x/1i $pc
=> 0x7fffe372fd9a <khtml::RenderBlock::nodeAtPoint(khtml::RenderObject::NodeInfo&, int, int, int, int, HitTestAction, bool)+394>:       callq  *0x58(%rax)
(gdb) i r rax
rax            0x0      0
Comment 9 Andrea Iacovitti 2013-11-02 00:31:15 UTC 
*** Bug 320145 has been marked as a duplicate of this bug. ***
Comment 10 Andrea Iacovitti 2013-11-02 12:22:48 UTC 
Git commit 218cce8e53e378ab5f269636d768ac1c7aa1f70b by Andrea Iacovitti.
Committed on 02/11/2013 at 12:16.
Pushed by aiacovitti into branch 'KDE/4.11'.

Remove the object from the floatingObject list too in RenderObject::removeFromObjectLists,
otherwise FloatingObject.node become a dangling pointer.
Related: bug 215719
FIXED-IN: 4.11.4

M  +7    -0    khtml/rendering/render_object.cpp

http://commits.kde.org/kdelibs/218cce8e53e378ab5f269636d768ac1c7aa1f70b