Bug 318032

Summary: Konqueror crashes opening gwenview preview
Product: [Applications] konqueror Reporter: Andreas Schwab <schwab>
Component: general Assignee: Konqueror Developers <konq-bugs>
Status: RESOLVED DUPLICATE    
Severity: crash CC: adawit
Priority: NOR    
Version: 4.10.0   
Target Milestone: ---   
Platform: openSUSE   
OS: Linux   
Attachments: .kde4/share/apps/konqueror/konqueror.rc

Description Andreas Schwab 2013-04-08 13:11:46 UTC
Visit any web page, right click on a picture and select "view picture".

Application: Konqueror (kdeinit4), signal: Segmentation fault
Using host libthread_db library "/lib64/libthread_db.so.1".
81	T_PSEUDO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)
[Current thread is 1 (Thread 0x7f99d5329780 (LWP 21965))]

Thread 3 (Thread 0x7f99bacb7700 (LWP 21968)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
#1  0x00007f99c99627c7 in WTF::TCMalloc_PageHeap::scavengerThread() () from /usr/lib64/libQtWebKit.so.4
#2  0x00007f99c99627f9 in WTF::TCMalloc_PageHeap::runScavengerThread(void*) () from /usr/lib64/libQtWebKit.so.4
#3  0x00007f99d3bece0f in start_thread (arg=0x7f99bacb7700) at pthread_create.c:308
#4  0x00007f99d29637dd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

Thread 2 (Thread 0x7f99ba3b6700 (LWP 21969)):
#0  0x00007f99d3beee25 in __GI___pthread_mutex_lock (mutex=0x7f99b4000a60) at pthread_mutex_lock.c:95
#1  0x00007f99cf8e4a71 in g_mutex_lock (mutex=mutex@entry=0x7f99b40009a0) at gthread-posix.c:210
#2  0x00007f99cf8a7343 in g_main_context_prepare (context=context@entry=0x7f99b40009a0, priority=priority@entry=0x7f99ba3b5ca8) at gmain.c:2988
#3  0x00007f99cf8a79cb in g_main_context_iterate (context=context@entry=0x7f99b40009a0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3270
#4  0x00007f99cf8a7bc4 in g_main_context_iteration (context=0x7f99b40009a0, may_block=1) at gmain.c:3351
#5  0x00007f99d3fad1f6 in QEventDispatcherGlib::processEvents (this=0x7f99b40008c0, flags=...) at kernel/qeventdispatcher_glib.cpp:426
#6  0x00007f99d3f7d9ef in QEventLoop::processEvents (this=this@entry=0x7f99ba3b5e00, flags=...) at kernel/qeventloop.cpp:149
#7  0x00007f99d3f7dc78 in QEventLoop::exec (this=0x7f99ba3b5e00, flags=...) at kernel/qeventloop.cpp:204
#8  0x00007f99d3e800f0 in QThread::exec (this=<optimized out>) at thread/qthread.cpp:542
#9  0x00007f99d3e830cc in QThreadPrivate::start (arg=0x22afa80) at thread/qthread_unix.cpp:338
#10 0x00007f99d3bece0f in start_thread (arg=0x7f99ba3b6700) at pthread_create.c:308
#11 0x00007f99d29637dd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

Thread 1 (Thread 0x7f99d5329780 (LWP 21965)):
[KCrash Handler]
#6  0x0000000400000001 in ?? ()
#7  0x00007f99d3f91252 in QObject::property (this=0x27f4e50, name=0x31488f8 "shortcut") at kernel/qobject.cpp:3742
#8  0x00007f99d4e1c37f in KXMLGUIFactoryPrivate::configureAction (this=this@entry=0x209d520, action=action@entry=0x27f4e50, attribute=..., shortcutOption=shortcutOption@entry=KXMLGUIFactoryPrivate::SetActiveShortcut) at /usr/src/debug/kdelibs-4.10.0/kdeui/xmlgui/kxmlguifactory.cpp:646
#9  0x00007f99d4e1cac3 in KXMLGUIFactoryPrivate::configureAction (this=this@entry=0x209d520, action=action@entry=0x27f4e50, attributes=..., shortcutOption=shortcutOption@entry=KXMLGUIFactoryPrivate::SetActiveShortcut) at /usr/src/debug/kdelibs-4.10.0/kdeui/xmlgui/kxmlguifactory.cpp:621
#10 0x00007f99d4e1cc49 in KXMLGUIFactoryPrivate::applyActionProperties (this=this@entry=0x209d520, actionPropElement=..., shortcutOption=shortcutOption@entry=KXMLGUIFactoryPrivate::SetActiveShortcut) at /usr/src/debug/kdelibs-4.10.0/kdeui/xmlgui/kxmlguifactory.cpp:608
#11 0x00007f99d4e1e960 in KXMLGUIFactoryPrivate::refreshActionProperties (this=0x209d520, client=client@entry=0x2106ac8, actions=..., doc=...) at /usr/src/debug/kdelibs-4.10.0/kdeui/xmlgui/kxmlguifactory.cpp:357
#12 0x00007f99d4e1f467 in KXMLGUIFactory::plugActionList (this=0x209d400, client=0x2106ac8, name=..., actionList=...) at /usr/src/debug/kdelibs-4.10.0/kdeui/xmlgui/kxmlguifactory.cpp:577
#13 0x00007f99c1e35fd5 in KonqMainWindow::plugViewModeActions (this=this@entry=0x21067c0) at /usr/src/debug/kde-baseapps-4.10.0/konqueror/src/konqmainwindow.cpp:5089
#14 0x00007f99c1e4aa1e in KonqMainWindow::updateViewModeActions (this=this@entry=0x21067c0) at /usr/src/debug/kde-baseapps-4.10.0/konqueror/src/konqmainwindow.cpp:5060
#15 0x00007f99c1e4afc6 in KonqMainWindow::slotPartActivated (this=0x21067c0, part=0x23a41f0) at /usr/src/debug/kde-baseapps-4.10.0/konqueror/src/konqmainwindow.cpp:2119
#16 0x00007f99c1e06251 in KonqViewManager::doSetActivePart (this=0x2067b20, part=0x23a41f0) at /usr/src/debug/kde-baseapps-4.10.0/konqueror/src/konqviewmanager.cpp:1076
#17 0x00007f99c1e476ab in KonqMainWindow::slotPartChanged (this=0x21067c0, childView=<optimized out>, oldPart=0x3012320, newPart=0x23a41f0) at /usr/src/debug/kde-baseapps-4.10.0/konqueror/src/konqmainwindow.cpp:1943
#18 0x00007f99c1e50210 in qt_static_metacall (_a=<optimized out>, _id=<optimized out>, _o=<optimized out>, _c=<optimized out>) at /usr/src/debug/kde-baseapps-4.10.0/build/konqueror/src/konqmainwindow.moc:362
#19 KonqMainWindow::qt_static_metacall (_o=0x21067c0, _c=41897552, _id=51677432, _a=0x20f2c4a) at /usr/src/debug/kde-baseapps-4.10.0/build/konqueror/src/konqmainwindow.moc:304
#20 0x00007f99d3f941af in QMetaObject::activate (sender=0x3011f90, m=<optimized out>, local_signal_index=<optimized out>, argv=0x7fff183bae80) at kernel/qobject.cpp:3548
#21 0x00007f99c1e0002d in KonqView::sigPartChanged (this=this@entry=0x3011f90, _t1=_t1@entry=0x3011f90, _t2=_t2@entry=0x3012320, _t3=0x23a41f0) at /usr/src/debug/kde-baseapps-4.10.0/build/konqueror/src/konqview.moc:162
#22 0x00007f99c1e000d1 in KonqView::switchView (this=this@entry=0x3011f90, viewFactory=...) at /usr/src/debug/kde-baseapps-4.10.0/konqueror/src/konqview.cpp:252
#23 0x00007f99c1e0134d in changePart (forceAutoEmbed=<optimized out>, serviceName=..., mimeType=..., this=0x3011f90) at /usr/src/debug/kde-baseapps-4.10.0/konqueror/src/konqview.cpp:366
#24 KonqView::changePart (this=0x3011f90, mimeType=..., serviceName=..., forceAutoEmbed=<optimized out>) at /usr/src/debug/kde-baseapps-4.10.0/konqueror/src/konqview.cpp:319
#25 0x00007f99c1e01a7b in KonqView::ensureViewSupports (this=0x3011f90, mimeType=..., forceAutoEmbed=true) at /usr/src/debug/kde-baseapps-4.10.0/konqueror/src/konqview.cpp:316
#26 0x00007f99c1e414cb in KonqMainWindow::openView (this=0x21067c0, mimeType=..., _url=..., childView=0x3011f90, req=...) at /usr/src/debug/kde-baseapps-4.10.0/konqueror/src/konqmainwindow.cpp:967
#27 0x00007f99c1dfbb6f in KonqRun::tryOpenView (this=this@entry=0x2fb0c00, mimeType=..., associatedAppIsKonqueror=associatedAppIsKonqueror@entry=false) at /usr/src/debug/kde-baseapps-4.10.0/konqueror/src/konqrun.cpp:157
#28 0x00007f99c1dfc0d2 in KonqRun::foundMimeType (this=0x2fb0c00, _type=...) at /usr/src/debug/kde-baseapps-4.10.0/konqueror/src/konqrun.cpp:89
#29 0x00007f99ccc5e8b2 in KRun::mimeTypeDetermined (this=0x2fb0c00, mimeType=...) at /usr/src/debug/kdelibs-4.10.0/kio/kio/krun.cpp:1452
#30 0x00007f99cad676da in KParts::BrowserRun::slotBrowserMimetype (this=0x2fb0c00, _job=<optimized out>, type=...) at /usr/src/debug/kdelibs-4.10.0/kparts/browserrun.cpp:261
#31 0x00007f99d3f941af in QMetaObject::activate (sender=0x2936e90, m=<optimized out>, local_signal_index=<optimized out>, argv=0x7fff183bb770) at kernel/qobject.cpp:3548
#32 0x00007f99ccbfdb17 in KIO::TransferJob::mimetype (this=this@entry=0x2936e90, _t1=_t1@entry=0x2936e90, _t2=...) at /usr/src/debug/kdelibs-4.10.0/build/kio/jobclasses.moc:475
#33 0x00007f99ccbfdb67 in KIO::TransferJob::slotMimetype (this=0x2936e90, type=...) at /usr/src/debug/kdelibs-4.10.0/kio/kio/job.cpp:1180
#34 0x00007f99d3f941af in QMetaObject::activate (sender=0x28d8d50, m=<optimized out>, local_signal_index=<optimized out>, argv=0x7fff183bb910) at kernel/qobject.cpp:3548
#35 0x00007f99ccc9c505 in KIO::SlaveInterface::mimeType (this=this@entry=0x28d8d50, _t1=...) at /usr/src/debug/kdelibs-4.10.0/build/kio/slaveinterface.moc:287
#36 0x00007f99ccc9e8cc in KIO::SlaveInterface::dispatch (this=0x28d8d50, _cmd=21, rawdata=...) at /usr/src/debug/kdelibs-4.10.0/kio/kio/slaveinterface.cpp:267
#37 0x00007f99ccc9b93a in KIO::SlaveInterface::dispatch (this=0x28d8d50) at /usr/src/debug/kdelibs-4.10.0/kio/kio/slaveinterface.cpp:88
#38 0x00007f99ccc8fe9e in KIO::Slave::gotInput (this=0x28d8d50) at /usr/src/debug/kdelibs-4.10.0/kio/kio/slave.cpp:344
#39 0x00007f99d3f941af in QMetaObject::activate (sender=0x2824700, m=<optimized out>, local_signal_index=<optimized out>, argv=0x0) at kernel/qobject.cpp:3548
#40 0x00007f99ccbd0c92 in dequeue (this=<optimized out>) at /usr/src/debug/kdelibs-4.10.0/kio/kio/connection.cpp:82
#41 KIO::ConnectionPrivate::dequeue (this=0x28ddf10) at /usr/src/debug/kdelibs-4.10.0/kio/kio/connection.cpp:71
#42 0x00007f99d3f9368e in QObject::event (this=0x2824700, e=<optimized out>) at kernel/qobject.cpp:1203
#43 0x00007f99d310c86c in QApplicationPrivate::notify_helper (this=this@entry=0x1deb320, receiver=receiver@entry=0x2824700, e=e@entry=0x27df190) at kernel/qapplication.cpp:4562
#44 0x00007f99d3110ceb in QApplication::notify (this=0x7fff183bc920, receiver=0x2824700, e=0x27df190) at kernel/qapplication.cpp:4423
#45 0x00007f99d4d20cb6 in KApplication::notify (this=0x7fff183bc920, receiver=0x2824700, event=0x27df190) at /usr/src/debug/kdelibs-4.10.0/kdeui/kernel/kapplication.cpp:311
#46 0x00007f99d3f7ec9e in QCoreApplication::notifyInternal (this=0x7fff183bc920, receiver=receiver@entry=0x2824700, event=event@entry=0x27df190) at kernel/qcoreapplication.cpp:946
#47 0x00007f99d3f82601 in sendEvent (event=0x27df190, receiver=0x2824700) at kernel/qcoreapplication.h:231
#48 QCoreApplicationPrivate::sendPostedEvents (receiver=0x0, event_type=0, data=0x1d192b0) at kernel/qcoreapplication.cpp:1570
#49 0x00007f99d3fad043 in sendPostedEvents () at kernel/qcoreapplication.h:236
#50 postEventSourceDispatch (s=s@entry=0x1deda20) at kernel/qeventdispatcher_glib.cpp:279
#51 0x00007f99cf8a77d5 in g_main_dispatch (context=0x1dec900) at gmain.c:2715
#52 g_main_context_dispatch (context=context@entry=0x1dec900) at gmain.c:3219
#53 0x00007f99cf8a7b08 in g_main_context_iterate (context=context@entry=0x1dec900, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3290
#54 0x00007f99cf8a7bc4 in g_main_context_iteration (context=0x1dec900, may_block=1) at gmain.c:3351
#55 0x00007f99d3fad1d6 in QEventDispatcherGlib::processEvents (this=0x1deb5e0, flags=...) at kernel/qeventdispatcher_glib.cpp:424
#56 0x00007f99d31acc1e in QGuiEventDispatcherGlib::processEvents (this=<optimized out>, flags=...) at kernel/qguieventdispatcher_glib.cpp:204
#57 0x00007f99d3f7d9ef in QEventLoop::processEvents (this=this@entry=0x7fff183bc620, flags=...) at kernel/qeventloop.cpp:149
#58 0x00007f99d3f7dc78 in QEventLoop::exec (this=0x7fff183bc620, flags=...) at kernel/qeventloop.cpp:204
#59 0x00007f99d3f82918 in QCoreApplication::exec () at kernel/qcoreapplication.cpp:1218
#60 0x00007f99c1e703c2 in kdemain (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/kde-baseapps-4.10.0/konqueror/src/konqmain.cpp:227
#61 0x000000000040889a in launch (argc=argc@entry=2, _name=_name@entry=0x1dd0488 "/usr/bin/konqueror", args=0x1dd04a4 "", args@entry=0x1dd049b "--silent", cwd=cwd@entry=0x0, envc=envc@entry=0, envs=<optimized out>, envs@entry=0x1dd04ac "", reset_env=false, tty=tty@entry=0x0, avoid_loops=false, startup_id_str=startup_id_str@entry=0x1dd04b4 "hawking.suse.de;1365425040;118711;5862_TIME8290341") at /usr/src/debug/kdelibs-4.10.0/kinit/kinit.cpp:726
#62 0x000000000040974b in handle_launcher_request (sock=8, who=<optimized out>) at /usr/src/debug/kdelibs-4.10.0/kinit/kinit.cpp:1218
#63 0x0000000000409d90 in handle_requests (waitForPid=waitForPid@entry=0) at /usr/src/debug/kdelibs-4.10.0/kinit/kinit.cpp:1411
#64 0x0000000000405a47 in main (argc=4, argv=<optimized out>, envp=0x7fff183bd860) at /usr/src/debug/kdelibs-4.10.0/kinit/kinit.cpp:1899

Comment 1 Andreas Schwab 2013-04-08 17:14:13 UTC
valgrind says it's a use-after-free.

$ valgrind --db-attach=yes konqueror http://www.tagesschau.de/multimedia/bilder/thatcher170~_v-banner3x1.jpg
==2096== Memcheck, a memory error detector
==2096== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==2096== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==2096== Command: konqueror http://www.tagesschau.de/multimedia/bilder/thatcher170~_v-banner3x1.jpg
==2096== 
==2097== Warning: invalid file descriptor 1024 in syscall close()
==2097== Warning: invalid file descriptor 1025 in syscall close()
==2097== Warning: invalid file descriptor 1026 in syscall close()
==2097==    Use --log-fd=<number> to select an alternative log fd.
==2097== Warning: invalid file descriptor 1027 in syscall close()
==2097== Warning: invalid file descriptor 1028 in syscall close()
kbuildsycoca4 running...
==2096== Invalid read of size 8
==2096==    at 0x8607243: QObject::property(char const*) const (qobject.cpp:3742)
==2096==    by 0x6FD237E: KXMLGUIFactoryPrivate::configureAction(QAction*, QDomAttr const&, KXMLGUIFactoryPrivate::ShortcutOption) (kxmlguifactory.cpp:646)
==2096==    by 0x6FD2AC2: KXMLGUIFactoryPrivate::configureAction(QAction*, QDomNamedNodeMap const&, KXMLGUIFactoryPrivate::ShortcutOption) (kxmlguifactory.cpp:621)
==2096==    by 0x6FD2C48: KXMLGUIFactoryPrivate::applyActionProperties(QDomElement const&, KXMLGUIFactoryPrivate::ShortcutOption) (kxmlguifactory.cpp:608)
==2096==    by 0x6FD495F: KXMLGUIFactoryPrivate::refreshActionProperties(KXMLGUIClient*, QList<QAction*> const&, QDomDocument const&) (kxmlguifactory.cpp:357)
==2096==    by 0x6FD5466: KXMLGUIFactory::plugActionList(KXMLGUIClient*, QString const&, QList<QAction*> const&) (kxmlguifactory.cpp:577)
==2096==    by 0x4EAEFD4: KonqMainWindow::plugViewModeActions() (konqmainwindow.cpp:5089)
==2096==    by 0x4EC3A1D: KonqMainWindow::updateViewModeActions() (konqmainwindow.cpp:5060)
==2096==    by 0x4EC3FC5: KonqMainWindow::slotPartActivated(KParts::Part*) (konqmainwindow.cpp:2119)
==2096==    by 0x4E7F250: KonqViewManager::doSetActivePart(KParts::ReadOnlyPart*) (konqviewmanager.cpp:1076)
==2096==    by 0x4EC06AA: KonqMainWindow::slotPartChanged(KonqView*, KParts::ReadOnlyPart*, KParts::ReadOnlyPart*) (konqmainwindow.cpp:1943)
==2096==    by 0x4EC920F: KonqMainWindow::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) (konqmainwindow.moc:362)
==2096==  Address 0x10e3b640 is 0 bytes inside a block of size 32 free'd
==2096==    at 0x4C2AA9C: operator delete(void*) (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==2096==    by 0x4EC3A68: KonqMainWindow::updateViewModeActions() (konqmainwindow.cpp:4988)
==2096==    by 0x4EC3FC5: KonqMainWindow::slotPartActivated(KParts::Part*) (konqmainwindow.cpp:2119)
==2096==    by 0x4E7F250: KonqViewManager::doSetActivePart(KParts::ReadOnlyPart*) (konqviewmanager.cpp:1076)
==2096==    by 0x4EC06AA: KonqMainWindow::slotPartChanged(KonqView*, KParts::ReadOnlyPart*, KParts::ReadOnlyPart*) (konqmainwindow.cpp:1943)
==2096==    by 0x4EC920F: KonqMainWindow::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) (konqmainwindow.moc:362)
==2096==    by 0x860A1AE: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qobject.cpp:3548)
==2096==    by 0x4E7902C: KonqView::sigPartChanged(KonqView*, KParts::ReadOnlyPart*, KParts::ReadOnlyPart*) (konqview.moc:162)
==2096==    by 0x4E790D0: KonqView::switchView(KonqViewFactory&) (konqview.cpp:252)
==2096==    by 0x4E7A34C: KonqView::changePart(QString const&, QString const&, bool) (konqview.cpp:366)
==2096==    by 0x4E7AA7A: KonqView::ensureViewSupports(QString const&, bool) (konqview.cpp:316)
==2096==    by 0x4EBA4CA: KonqMainWindow::openView(QString, KUrl const&, KonqView*, KonqOpenURLRequest const&) (konqmainwindow.cpp:967)
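
Added example, not part of the original report: a small Python triage helper that splits a Memcheck use-after-free report into its access stack and its free stack, then finds the innermost function present in both. The names `parse_uaf` and `shared_frame` are hypothetical, and the input is an excerpt of the output quoted in comment 1, trimmed to the relevant frames.

```python
import re

# Excerpt of the Memcheck report quoted in comment 1, trimmed to the frames that matter.
REPORT = """\
==2096== Invalid read of size 8
==2096==    at 0x8607243: QObject::property(char const*) const (qobject.cpp:3742)
==2096==    by 0x6FD237E: KXMLGUIFactoryPrivate::configureAction(QAction*, QDomAttr const&, KXMLGUIFactoryPrivate::ShortcutOption) (kxmlguifactory.cpp:646)
==2096==    by 0x6FD5466: KXMLGUIFactory::plugActionList(KXMLGUIClient*, QString const&, QList<QAction*> const&) (kxmlguifactory.cpp:577)
==2096==    by 0x4EAEFD4: KonqMainWindow::plugViewModeActions() (konqmainwindow.cpp:5089)
==2096==    by 0x4EC3A1D: KonqMainWindow::updateViewModeActions() (konqmainwindow.cpp:5060)
==2096==    by 0x4EC3FC5: KonqMainWindow::slotPartActivated(KParts::Part*) (konqmainwindow.cpp:2119)
==2096==  Address 0x10e3b640 is 0 bytes inside a block of size 32 free'd
==2096==    at 0x4C2AA9C: operator delete(void*) (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==2096==    by 0x4EC3A68: KonqMainWindow::updateViewModeActions() (konqmainwindow.cpp:4988)
==2096==    by 0x4EC3FC5: KonqMainWindow::slotPartActivated(KParts::Part*) (konqmainwindow.cpp:2119)
"""

# A frame is "at|by <addr>: <function> (<location>)"; the last parenthesised group is the location.
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (.+) \(([^()]+)\)$")
HEADER = re.compile(r"^==\d+==\s+(Invalid (?:read|write) of size \d+|Address 0x[0-9A-Fa-f]+ is .* free'd)")


def parse_uaf(report):
    """Return (access_stack, free_stack) as lists of (function, location), innermost first."""
    stacks, current = {"access": [], "free": []}, None
    for line in report.splitlines():
        header, frame = HEADER.match(line), FRAME.match(line)
        if header:
            current = "access" if header.group(1).startswith("Invalid") else "free"
        elif frame and current:
            stacks[current].append(frame.groups())
    return stacks["access"], stacks["free"]


def shared_frame(access, free):
    """Innermost function on both stacks: (function, line on the free path, line on the access path)."""
    # Memcheck truncates stacks (--num-callers, default 12), so the outermost frames
    # may not line up; match by function name from the free site outward instead.
    access_locs = dict(reversed(access))  # innermost occurrence of each function wins
    for fn, free_loc in free:
        if fn in access_locs:
            return fn, free_loc, access_locs[fn]
    return None


if __name__ == "__main__":
    fn, freed_at, used_from = shared_frame(*parse_uaf(REPORT))
    print(f"{fn}: frees the block at {freed_at}, reaches it again via {used_from}")
```

For this report the result places both the `delete` (line 4988) and the call chain that later reads the freed block (line 5060) in `KonqMainWindow::updateViewModeActions()`.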

Comment 2 Andreas Schwab 2013-04-08 17:58:35 UTC
Created attachment 78733
.kde4/share/apps/konqueror/konqueror.rc

This konqueror.rc file was created by a previous version of konqueror, and is the cause of the crash.

Comment 3 Andreas Schwab 2013-04-08 18:46:06 UTC
I think the actual cause is the shortcuts for khtml-viewmode and kwebkitpart-viewmode.

Comment 4 Dawit Alemayehu 2013-04-20 12:13:25 UTC

*** This bug has been marked as a duplicate of bug 299020 ***