Bug 61467

Summary: KJS related crash on www.starnberger-fuenf-seen-land.de
Product: [Applications] konqueror
Reporter: Ralf Holzer <kdebugs>
Component: kjs
Assignee: Konqueror Developers <konq-bugs>
Status: RESOLVED FIXED
Severity: crash
Priority: NOR
Version: unspecified
Target Milestone: ---
Platform: Compiled Sources
OS: Linux

Description Ralf Holzer 2003-07-20 19:19:16 UTC
Version:           (using KDE Devel)
Installed from:    Compiled sources
Compiler:          gcc 3.2
OS:                Linux

1) Go to http://www.starnberger-fuenf-seen-land.de/index.html (Who comes up with these domain names? :)
2) Click on the image in the upper left-hand corner (Starnberger 5-Seen Land)
3) Click on the "Back" button
4) Crash

Here's the backtrace:

#0  0x41c2dc25 in KJS::ValueImp::dispatchToBoolean(KJS::ExecState*) const (this=0x0, exec=0xbfffc2a0) at value.cpp:165
#1  0x41bff512 in KJS::Node::toBoolean(KJS::ExecState*) const (this=0xbfffbfe0, exec=0x0) at value.h:218
#2  0x41c06405 in KJS::IfNode::execute(KJS::ExecState*) (this=0x83637b8, exec=0xbfffc2a0) at nodes.cpp:1975
#3  0x41c0bb6b in KJS::SourceElementsNode::execute(KJS::ExecState*) (this=0xbfffc0b0, exec=0xbfffc2a0) at nodes.cpp:3088
#4  0x41c05f63 in KJS::BlockNode::execute(KJS::ExecState*) (this=0x8331bd0, exec=0xbfffc2a0) at nodes.cpp:1902
#5  0x41c0b0fc in KJS::FunctionBodyNode::execute(KJS::ExecState*) (this=0x8331bd0, exec=0xbfffc2a0) at nodes.cpp:2915
#6  0x41bfddc3 in KJS::InterpreterImp::evaluate(KJS::UString const&, KJS::Value const&) (this=0x83cb548, code=@0x0, thisV=@0xbfffc420)
    at internal.cpp:855
#7  0x41c30fd9 in KJS::Interpreter::evaluate(KJS::UString const&, KJS::Value const&) (this=0xbfffbfe0, code=@0xbfffc410, thisV=@0xbfffc420)
    at interpreter.cpp:161
#8  0x41b004ad in KJSProxyImpl::evaluate(QString, int, QString const&, DOM::Node const&, KJS::Completion*) (this=0x821e670, filename=
      {static null = {static null = <same as static member of an already seen type>, d = 0x804b978, static shared_null = 0x804b978}, d = 0x0, static shared_null = 0x804b978}, baseLine=1, str=@0xbfffc570, n=@0xbfffc510, completion=0x0) at kjs_proxy.cpp:148
#9  0x419ceb59 in KHTMLPart::executeScript(QString const&, int, DOM::Node const&, QString const&) (this=0x8319268, filename=@0xbfffc520,
    baseLine=1, n=@0xbfffc510, script=@0xbfffc570) at khtml_part.cpp:875
#10 0x41a2aadf in khtml::HTMLTokenizer::scriptExecution(QString const&, QString const&, int) (this=0x8393050, str=@0xbfffc570,
    scriptURL=@0xbfffc500, baseLine=0) at ../../khtml/khtmlview.h:107
#11 0x41a2ee0b in khtml::HTMLTokenizer::notifyFinished(khtml::CachedObject*) (this=0x8393050) at htmltokenizer.cpp:1617
#12 0x41ab17b9 in khtml::CachedScript::ref(khtml::CachedObjectClient*) (this=0x8299f30, c=0x8393078) at loader.cpp:301
#13 0x41a2a6c5 in khtml::HTMLTokenizer::scriptHandler() (this=0x8393050) at htmltokenizer.cpp:387
#14 0x41a2a3d9 in khtml::HTMLTokenizer::parseSpecial(khtml::DOMStringIt&) (this=0x8393050, src=@0x839315c) at htmltokenizer.cpp:316
#15 0x41a2cf5f in khtml::HTMLTokenizer::parseTag(khtml::DOMStringIt&) (this=0x8393050, src=@0x839315c) at htmltokenizer.cpp:1123
#16 0x41a2db8f in khtml::HTMLTokenizer::write(QString const&, bool) (this=0x8393050, str=@0xbfffcc40, appendData=224)
    at htmltokenizer.cpp:1330
#17 0x419d2a52 in KHTMLPart::write(char const*, int) (this=0x8319268,
    str=0xbfffce60 "<html>\n<head>\n<title>Tourismusverband Starnberger F&uuml;nf-Seen-Land</title>\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=iso-8859-1\">\n<script language=\"JavaScript\" type=\"text/JavaScri"..., len=134558576) at khtml_part.cpp:1583
#18 0x419d1068 in KHTMLPart::slotRestoreData(QMemArray<char> const&) (this=0x8319268, data=@0xbfffce50)
    at /usr/lib/qt3/include/qmemarray.h:64
#19 0x419e97e0 in KHTMLPart::qt_invoke(int, QUObject*) (this=0x8319268, _id=12, _o=0xbfffcde0) at /usr/lib/qt3/include/private/qucom_p.h:312
#20 0x40c7e507 in QObject::activate_signal(QConnectionList*, QUObject*) (this=0x83867d0, clist=0x8330188, o=0xbfffcde0)
    at kernel/qobject.cpp:2333
#21 0x419fc3b6 in KHTMLPageCacheDelivery::emitData(QMemArray<char> const&) (this=0x83867d0, t0=@0xbfffce50) at khtml_pagecache.moc:177
#22 0x419fbda6 in KHTMLPageCache::sendData() (this=0x821d9a0) at khtml_pagecache.cpp:264
#23 0x419fc18a in KHTMLPageCache::qt_invoke(int, QUObject*) (this=0x821d9a0, _id=2, _o=0xbfffef20) at khtml_pagecache.moc:82
#24 0x40c7e507 in QObject::activate_signal(QConnectionList*, QUObject*) (this=0x80fba38, clist=0x832a538, o=0xbfffef20)
    at kernel/qobject.cpp:2333
#25 0x40fc1efa in QSignal::signal(QVariant const&) (this=0x80fba38, t0=@0x80fba60) at .moc/debug-shared-mt/moc_qsignal.cpp:100
#26 0x40c9b6c5 in QSignal::activate() (this=0x80fba38) at kernel/qsignal.cpp:204
#27 0x40ca29f3 in QSingleShotTimer::event(QEvent*) (this=0x80fba10) at kernel/qtimer.cpp:277
#28 0x40c1c489 in QApplication::internalNotify(QObject*, QEvent*) (this=0xbffff680, receiver=0x80fba10, e=0xbffff180)
    at kernel/qapplication.cpp:2578
#29 0x40c1b946 in QApplication::notify(QObject*, QEvent*) (this=0xbffff680, receiver=0x80fba10, e=0xbffff180) at kernel/qapplication.cpp:2302
#30 0x407b242e in KApplication::notify(QObject*, QEvent*) (this=0xbffff680, receiver=0x80fba10, event=0xbffff180) at kapplication.cpp:460
#31 0x40bb4551 in QApplication::sendEvent(QObject*, QEvent*) (receiver=0x80fba10, event=0xbffff180) at kernel/qapplication.h:490
#32 0x40c0a4d2 in QEventLoop::activateTimers() (this=0x8095bd8) at kernel/qeventloop_unix.cpp:557
#33 0x40bc5f2f in QEventLoop::processEvents(unsigned) (this=0x8095bd8, flags=4) at kernel/qeventloop_x11.cpp:346
#34 0x40c31c6c in QEventLoop::enterLoop() (this=0x8095bd8) at kernel/qeventloop.cpp:198
#35 0x40c31b86 in QEventLoop::exec() (this=0x8095bd8) at kernel/qeventloop.cpp:145
#36 0x40c1c605 in QApplication::exec() (this=0xbffff680) at kernel/qapplication.cpp:2701
#37 0x40055b2b in kdemain () from /opt/kde32/lib/libkdeinit_konqueror.so.0
#38 0x08048677 in main ()
#39 0x4144e082 in __libc_start_main () from /lib/i686/libc.so.6

This is with CVS HEAD from a few days ago.

regards,
Ralf
Comment 1 George Staikos 2003-07-20 20:14:48 UTC
Subject: Re:  New: KJS related crash on www.starnberger-fuenf-seen-land.de

On Sunday 20 July 2003 13:19, Ralf Holzer wrote:

> 1) Go to http://www.starnberger-fuenf-seen-land.de/index.html (Who comes up
> with these domain names? :)
> 2) Click on the image in the upper left-hand corner (Starnberger 5-Seen Land)
> 3) Click on the "Back" button
> 4) Crash
>
> Here's the backtrace:
>
> #0  0x41c2dc25 in KJS::ValueImp::dispatchToBoolean(KJS::ExecState*) const
> (this=0x0, exec=0xbfffc2a0) at value.cpp:165 #1  0x41bff512 in
> KJS::Node::toBoolean(KJS::ExecState*) const (this=0xbfffbfe0, exec=0x0) at
> value.h:218 #2  0x41c06405 in KJS::IfNode::execute(KJS::ExecState*)
> (this=0x83637b8, exec=0xbfffc2a0) at nodes.cpp:1975 #3  0x41c0bb6b in
> KJS::SourceElementsNode::execute(KJS::ExecState*) (this=0xbfffc0b0,
> exec=0xbfffc2a0) at nodes.cpp:3088 #4  0x41c05f63 in

This bt is misleading.  At least for me I don't get exec=0x0, but 
KJS::ValueImp::dispatchToBoolean has this=0x0, indicating that rep=0x0 in 
toBoolean().  Seems to indicate that the expression for the if() statement is 
Null.  The problem is in menu8_com.js:13...

if(!MacExp4&&Trigger.onload)Dummy=Trigger.onload;

Comment 2 Ralf Holzer 2003-09-17 05:02:22 UTC
Works with current cvs. 
Comment 3 Harri Porten 2004-01-13 00:34:39 UTC
Hermann Jansen reported a very similar crash that still exists in ~7 days
old CVS sources. Go to http://www.heimatverein-boerger.de/1024x768/default.htm (1st bug: menu doesn't appear). Invoke "Reload Frame" and enjoy the crash:

#5  0x4179c6b8 in sigaction () from /lib/libc.so.6
#6  0x41fd189b in KJS::Node::toBoolean () from /home/porten/kde/lib/libkjs.so.1
#7  0x41fd8e89 in KJS::IfNode::execute () from /home/porten/kde/lib/libkjs.so.1
#8  0x41fdf614 in KJS::SourceElementsNode::execute ()
   from /home/porten/kde/lib/libkjs.so.1
#9  0x41fd897a in KJS::BlockNode::execute ()
   from /home/porten/kde/lib/libkjs.so.1
#10 0x41fdea2c in KJS::FunctionBodyNode::execute ()
   from /home/porten/kde/lib/libkjs.so.1
#11 0x41fcfd8b in KJS::InterpreterImp::evaluate ()
   from /home/porten/kde/lib/libkjs.so.1
#12 0x42004e44 in KJS::Interpreter::evaluate ()
   from /home/porten/kde/lib/libkjs.so.1
#13 0x41e79f51 in KJSProxyImpl::evaluate ()
   from /home/porten/kde/lib/libkhtml.so.4
#14 0x41d1c15d in KHTMLPart::executeScript ()
   from /home/porten/kde/lib/libkhtml.so.4
Comment 4 Waldo Bastian 2004-02-05 18:53:46 UTC
Heimatverein crash (click "Reload Frame" in frame with counter): 

==3893== Invalid read of size 4
==3893==    at 0x49B65D72: KJS::ValueImp::dispatchToBoolean(KJS::ExecState*) const (value.cpp:174)
==3893==    by 0x49B35FE1: KJS::Node::toBoolean(KJS::ExecState*) const (value.h:218)
==3893==    by 0x49B3D184: KJS::IfNode::execute(KJS::ExecState*) (nodes.cpp:1951)
==3893==    by 0x49B42FCA: KJS::SourceElementsNode::execute(KJS::ExecState*) (nodes.cpp:3035)
[snip]
==3893==    Address 0x0 is not stack'd, malloc'd or free'd

The problem seems to be in:

bool Node::toBoolean(ExecState *exec) const
{
//  fprintf(stderr, "Node(%s)::toBoolean()\n", typeid(*this).name());
  return evaluate(exec).toBoolean(exec);
}

Where evaluate(exec) returns an invalid value.
Dunno if it matters, but exec->hadException() is false in this case.

It seems to me that Node::toBoolean(), Node::toNumber() and Node::toString() should all check whether evaluate() returns a valid value before processing it further.

There is something else wrong as well. Sometimes "rep" seems to have a value of 0x1 in dispatchToBoolean()
Comment 5 Waldo Bastian 2004-02-05 19:13:34 UTC
Something like this:

bool Node::toBoolean(ExecState *exec) const
{
  Value v = evaluate(exec);
  if (!v.isValid())
  {
     throwError(exec, GeneralError, "Condition could not be evaluated.");
     return false;
  }
  return v.toBoolean(exec);
}

Solves the crash for me....
Comment 6 David Faure 2004-02-09 15:53:07 UTC
ecma/kjs_events.h (clear): set listener object to Null(), not to an invalid Object(),
which will crash when the listener is stored in another frame (#61467). Maybe it would be better
to really remove the event listener in this case, but this is hard to do efficiently.

CCMAIL: 61467-done@bugs.kde.org


  M +4 -0      ChangeLog   1.162.2.11
  M +6 -14     ecma/kjs_events.cpp   1.80.2.1
  M +6 -8      ecma/kjs_events.h   1.30.2.1
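Added example, not KJS source and not the committed fix: a minimal C++ model of the failure traced in comments 4 to 6, placing the comment 5 validity check beside the comment 6 change from an invalid Object() to Null(). ValueImp, Value, ExecState, clearedListener and the demo functions are assumed stand-ins for the real KJS types.

```cpp
// Added example, not KJS source: a minimal model of the Value/rep pattern behind this crash.
// ValueImp, Value, ExecState, clearedListener and the demo functions are assumed stand-ins.
#include <string>
struct ValueImp {
    bool truthy;
    bool dispatchToBoolean() const { return truthy; }  // frame #0: faults when called on rep == 0
};

// The shared Null() singleton: a valid rep that is merely falsy. An invalid Object() has rep == 0.
static const ValueImp kNullImp{false};
struct Value {
    const ValueImp *rep = nullptr;  // default-constructed Value is invalid, as in the backtrace
    static Value Null() { Value v; v.rep = &kNullImp; return v; }
    bool isValid() const { return rep != nullptr; }
    bool toBoolean() const { return rep->dispatchToBoolean(); }  // unchecked, like value.h:218
};
struct ExecState {
    bool exception = false;
    std::string message;
    void throwError(const std::string &m) { exception = true; message = m; }
    bool hadException() const { return exception; }
};

// Comment 5's guard: report an invalid Value as a script error instead of dereferencing it.
bool nodeToBoolean(const Value &evaluated, ExecState &exec) {
    if (!evaluated.isValid()) {
        exec.throwError("Condition could not be evaluated.");
        return false;
    }
    return evaluated.toBoolean();
}

// Comment 6's fix at the source: clear() must leave the listener as Null(), not an invalid Value().
Value clearedListener(bool useNullFix) { return useNullFix ? Value::Null() : Value(); }

// Models `if (Trigger.onload) ...` evaluated after the listener was cleared in another frame.
// Returns 1 if the branch ran, 0 if it was skipped, -1 if the condition raised an error.
int executeIfOnCleared(bool useNullFix, ExecState &exec) {
    bool b = nodeToBoolean(clearedListener(useNullFix), exec);
    if (exec.hadException()) return -1;
    return b ? 1 : 0;
}

int demoWithNullFix()    { ExecState e; return executeIfOnCleared(true, e); }   // 0: skipped, no error
int demoWithoutNullFix() { ExecState e; return executeIfOnCleared(false, e); }  // -1: guard caught it
bool demoGuardMessage() {
    ExecState e; executeIfOnCleared(false, e);
    return e.hadException() && e.message == "Condition could not be evaluated.";
}
```

With neither change in place the same condition would dereference a null rep exactly as frame #0 of the backtrace shows; the guard turns that into a catchable error and the Null() fix removes the invalid value altogether.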