Bug 68181

Summary: [test case] crash following misuse of preloading (preload css as img)
Product: [Applications] konqueror
Reporter: MDonoughe <MDonoughe>
Component: khtml
Assignee: Konqueror Developers <konq-bugs>
Status: RESOLVED FIXED
Severity: crash
CC: luis
Priority: NOR
Version: unspecified
Target Milestone: ---
Platform: Compiled Sources
OS: Linux

Description MDonoughe 2003-11-14 05:16:26 UTC
Version:            (using KDE KDE 3.1.93)
Installed from:    Compiled From Sources
Compiler:          2.95.3 
OS:          Linux

if you go to http://www.angelfire.com/electronic2/mdonoughe/ and wait for the splash to complete, you get a SIGABRT.  I got a backtrace this time!  Yay!  I didn't close the dialog so it didn't get deleted or misplaced.  Here it is:

[New Thread 1024 (LWP 2291)]
0x4113b079 in wait4 () from /lib/libc.so.6
#0  0x4113b079 in wait4 () from /lib/libc.so.6
#1  0x411b5b98 in __DTOR_END__ () from /lib/libc.so.6
#2  0x40fef072 in waitpid () from /lib/libpthread.so.0
#3  0x406aaa5d in KCrash::defaultCrashHandler ()
   from /opt/kde3/lib/libkdecore.so.4
#4  0x40feca74 in pthread_sighandler () from /lib/libpthread.so.0
#5  <signal handler called>
#6  0x410c1ab1 in kill () from /lib/libc.so.6
#7  0x40fec982 in pthread_kill () from /lib/libpthread.so.0
#8  0x40fece6d in raise () from /lib/libpthread.so.0
#9  0x410c2edb in abort () from /lib/libc.so.6
#10 0x410bbc1b in Letext () from /lib/libc.so.6
#11 0x41794524 in khtml::Cache::requestStyleSheet ()
   from /opt/kde3/lib/libkhtml.so.4
#12 0x417925c0 in khtml::DocLoader::requestStyleSheet ()
   from /opt/kde3/lib/libkhtml.so.4
#13 0x4170f5d2 in DOM::HTMLLinkElementImpl::process ()
   from /opt/kde3/lib/libkhtml.so.4
#14 0x4170f6ec in DOM::HTMLLinkElementImpl::insertedIntoDocument ()
   from /opt/kde3/lib/libkhtml.so.4
#15 0x416f4cad in DOM::NodeBaseImpl::addChild ()
   from /opt/kde3/lib/libkhtml.so.4
#16 0x417059d0 in khtml::KHTMLParser::insertNode ()
   from /opt/kde3/lib/libkhtml.so.4
#17 0x4170594d in khtml::KHTMLParser::parseToken ()
   from /opt/kde3/lib/libkhtml.so.4
#18 0x4170da44 in khtml::HTMLTokenizer::processToken ()
   from /opt/kde3/lib/libkhtml.so.4
#19 0x4170c7cb in khtml::HTMLTokenizer::parseTag ()
   from /opt/kde3/lib/libkhtml.so.4
#20 0x4170d00b in khtml::HTMLTokenizer::write ()
   from /opt/kde3/lib/libkhtml.so.4
#21 0x416c57bd in KHTMLPart::write () from /opt/kde3/lib/libkhtml.so.4
#22 0x416c3ebf in KHTMLPart::slotData () from /opt/kde3/lib/libkhtml.so.4
#23 0x416de445 in KHTMLPart::qt_invoke () from /opt/kde3/lib/libkhtml.so.4
#24 0x40a44717 in QObject::activate_signal () from /opt/kde3/lib/libqt-mt.so.3
#25 0x40173d42 in KIO::TransferJob::data () from /opt/kde3/lib/libkio.so.4
#26 0x401632aa in KIO::TransferJob::slotData () from /opt/kde3/lib/libkio.so.4
#27 0x40174294 in KIO::TransferJob::qt_invoke () from /opt/kde3/lib/libkio.so.4
#28 0x40a44717 in QObject::activate_signal () from /opt/kde3/lib/libqt-mt.so.3
#29 0x401574e5 in KIO::SlaveInterface::data () from /opt/kde3/lib/libkio.so.4
#30 0x40154610 in KIO::SlaveInterface::dispatch ()
   from /opt/kde3/lib/libkio.so.4
#31 0x401541b2 in KIO::SlaveInterface::dispatch ()
   from /opt/kde3/lib/libkio.so.4
#32 0x4015185c in KIO::Slave::gotInput () from /opt/kde3/lib/libkio.so.4
#33 0x40153b49 in KIO::Slave::qt_invoke () from /opt/kde3/lib/libkio.so.4
#34 0x40a44717 in QObject::activate_signal () from /opt/kde3/lib/libqt-mt.so.3
#35 0x40a44966 in QObject::activate_signal () from /opt/kde3/lib/libqt-mt.so.3
#36 0x40ccdecd in QSocketNotifier::activated ()
   from /opt/kde3/lib/libqt-mt.so.3
#37 0x40a5b52f in QSocketNotifier::event () from /opt/kde3/lib/libqt-mt.so.3
#38 0x409feb74 in QApplication::internalNotify ()
   from /opt/kde3/lib/libqt-mt.so.3
#39 0x409fe7f4 in QApplication::notify () from /opt/kde3/lib/libqt-mt.so.3
#40 0x40627262 in KApplication::notify () from /opt/kde3/lib/libkdecore.so.4
#41 0x409f1e47 in QEventLoop::activateSocketNotifiers ()
   from /opt/kde3/lib/libqt-mt.so.3
#42 0x409bb6fb in QEventLoop::processEvents () from /opt/kde3/lib/libqt-mt.so.3
#43 0x40a0df60 in QEventLoop::enterLoop () from /opt/kde3/lib/libqt-mt.so.3
#44 0x40a0dea7 in QEventLoop::exec () from /opt/kde3/lib/libqt-mt.so.3
#45 0x409fece6 in QApplication::exec () from /opt/kde3/lib/libqt-mt.so.3
#46 0x4127877e in kdemain () from /opt/kde3/lib/libkdeinit_konqueror.so
#47 0x41235893 in kdeinitmain () from /opt/kde3/lib/kde3/konqueror.so
#48 0x0804d3ad in launch ()
#49 0x0804e3e8 in handle_launcher_request ()
#50 0x0804e9a5 in handle_requests ()
#51 0x0804fb10 in main ()
#52 0x410b09ed in __libc_start_main () from /lib/libc.so.6

probably has something to do with my javascript coding style, even though I don't see any references to kjs in there...
Comment 1 Thiago Macieira 2003-11-14 21:41:37 UTC
Confirmed. Here goes the same backtrace with debugging info:

[New Thread 16384 (LWP 205591)]
[New Thread 32769 (LWP 205592)]
[New Thread 16386 (LWP 205593)]
0x41337004 in __libc_waitpid (pid=205694, stat_loc=0x0, options=0)
    at ../sysdeps/unix/sysv/linux/waitpid.c:32
	in ../sysdeps/unix/sysv/linux/waitpid.c
#0  0x41337004 in __libc_waitpid (pid=205694, stat_loc=0x0, options=0)
    at ../sysdeps/unix/sysv/linux/waitpid.c:32
#1  0x4079974f in KCrash::defaultCrashHandler(int) (sig=6)
    at /home/thiago/programs/src/kde/kdelibs/kdecore/kcrash.cpp:246
#2  0x413358e9 in __pthread_sighandler (signo=6, ctx=
      {gs = 0, __gsh = 0, fs = 0, __fsh = 0, es = 123, __esh = 0, ds = 123, __dsh = 0, edi = 1093906080, esi = 205591, ebp = 3221215560, esp = 3221215516, ebx = 205591, edx = 1093897160, ecx = 6, eax = 0, trapno = 0, err = 0, eip = 1095519649, cs = 115, __csh = 0, eflags = 2097734, esp_at_signal = 3221215516, ss = 123, __ssh = 0, fpstate = 0xbfffd6a0, oldmask = 2147483648, cr2 = 0})
    at sighandler.c:38
#3  0x414c4c88 in __libc_sigaction () from /lib/libc.so.6
#4  0x4133262d in __pthread_raise (sig=6) at signals.c:187
#5  0x414c4a1a in raise () from /lib/libc.so.6
#6  0x414c60f5 in abort () from /lib/libc.so.6
#7  0x414be4f3 in __assert_fail () from /lib/libc.so.6
#8  0x41ed7acd in khtml::Cache::requestStyleSheet(khtml::DocLoader*, DOM::DOMString const&, bool, long, QString const&, char const*) (dl=0x836bf70, 
    url=@0x83a4c08, _expireDate=0, charset=@0xfffffe00, 
    accept=0xfffffe00 <Address 0xfffffe00 out of bounds>)
    at /home/thiago/programs/src/kde/kdelibs/khtml/misc/loader.cpp:1412
#9  0x41ed5572 in khtml::DocLoader::requestStyleSheet(DOM::DOMString const&, QString const&, char const*) (this=0x836bf70, url=@0x8332f64, charset=@0x0, 
    accept=0x0)
    at /home/thiago/programs/src/kde/kdelibs/khtml/misc/loader.cpp:1015
#10 0x41e3e4b9 in DOM::HTMLLinkElementImpl::process() (this=0x8332f20)
    at dom_docimpl.h:243
#11 0x41e3e66d in DOM::HTMLLinkElementImpl::insertedIntoDocument() (
    this=0x8332f20)
    at /home/thiago/programs/src/kde/kdelibs/khtml/html/html_headimpl.cpp:219
#12 0x41e1f56f in DOM::NodeBaseImpl::addChild(DOM::NodeImpl*) (this=0x81ab9f0, 
    newChild=0x8332f20)
    at /home/thiago/programs/src/kde/kdelibs/khtml/xml/dom_nodeimpl.cpp:1435
#13 0x41e34436 in khtml::KHTMLParser::insertNode(DOM::NodeImpl*, bool) (
    this=0x8432ea8, n=0x8332f24, flat=true)
    at /home/thiago/programs/src/kde/kdelibs/khtml/html/htmlparser.cpp:306
#14 0x41e34142 in khtml::KHTMLParser::parseToken(khtml::Token*) (
    this=0x8432ea8, t=0x84c3fac)
    at /home/thiago/programs/src/kde/kdelibs/khtml/html/htmlparser.cpp:274
#15 0x41e3bf94 in khtml::HTMLTokenizer::processToken() (this=0x84c3f78)
    at /home/thiago/programs/src/kde/kdelibs/khtml/html/htmltokenizer.cpp:1577
#16 0x41e3a843 in khtml::HTMLTokenizer::parseTag(khtml::DOMStringIt&) (
    this=0x84c3f78, src=@0x84c408c)
    at /home/thiago/programs/src/kde/kdelibs/khtml/html/htmltokenizer.cpp:1091
#17 0x41e3b576 in khtml::HTMLTokenizer::write(QString const&, bool) (
    this=0x84c3f78, str=@0x84c408c, appendData=false)
    at /home/thiago/programs/src/kde/kdelibs/khtml/html/htmltokenizer.cpp:1345
#18 0x41dd5956 in KHTMLPart::write(char const*, int) (this=0x83c0538, 
    str=0x8385950 "<html>\n\t<head>\n\t\t<title>Home</title>\n\t\t<link rel=\"stylesheet\" type=\"text/css\" href=\"css/blue/blue.css\" media=\"screen, projection\">\n\t\t<link rel=\"stylesheet\" type=\"text/css\" href=\"print.css\" media=\"prin"..., len=1720)
    at /home/thiago/programs/src/kde/kdelibs/khtml/khtml_part.cpp:1707
#19 0x41dd2cab in KHTMLPart::slotData(KIO::Job*, QMemArray<char> const&) (
    this=0x83c0538, kio_job=0x8368828, data=@0xbfffe950) at qmemarray.h:64
#20 0x41df0257 in KHTMLPart::qt_invoke(int, QUObject*) (this=0x83c0538, 
    _id=16, _o=0xbfffe4d0) at qucom_p.h:312
#21 0x40b93c81 in QObject::activate_signal(QConnectionList*, QUObject*) ()
   from /home/thiago/programs/obj-linux/kde/qt-copy/lib/libqt-mt.so.3
#22 0x40199584 in KIO::TransferJob::data(KIO::Job*, QMemArray<char> const&) (
    this=0xbfffe50c, t0=0xfffffe00, t1=@0xfffffe00) at jobclasses.moc:711
#23 0x401860a4 in KIO::TransferJob::slotData(QMemArray<char> const&) (
    this=0x8368828, _data=@0xfffffe00)
    at /home/thiago/programs/src/kde/kdelibs/kio/kio/job.cpp:770
#24 0x40199a77 in KIO::TransferJob::qt_invoke(int, QUObject*) (this=0x8368828, 
    _id=137791528, _o=0x836890c) at qucom_p.h:312
#25 0x40b93c81 in QObject::activate_signal(QConnectionList*, QUObject*) ()
   from /home/thiago/programs/obj-linux/kde/qt-copy/lib/libqt-mt.so.3
#26 0x401752e8 in KIO::SlaveInterface::data(QMemArray<char> const&) (
    this=0x84ce3b0, t0=@0xfffffe00) at slaveinterface.moc:194
#27 0x40171b65 in KIO::SlaveInterface::dispatch(int, QMemArray<char> const&) (
    this=0x84ce3b0, _cmd=100, rawdata=@0xbfffe608)
    at /home/thiago/programs/src/kde/kdelibs/kio/kio/slaveinterface.cpp:246
#28 0x401718ba in KIO::SlaveInterface::dispatch() (this=0x84ce3b0)
    at /home/thiago/programs/src/kde/kdelibs/kio/kio/slaveinterface.cpp:191
#29 0x4016e818 in KIO::Slave::gotInput() (this=0x84ce3b0)
    at /home/thiago/programs/src/kde/kdelibs/kio/kio/slave.cpp:294
#30 0x40170e09 in KIO::Slave::qt_invoke(int, QUObject*) (this=0x84ce3b0, 
    _id=4, _o=0xbfffeab0) at slave.moc:113
#31 0x40b93c81 in QObject::activate_signal(QConnectionList*, QUObject*) ()
   from /home/thiago/programs/obj-linux/kde/qt-copy/lib/libqt-mt.so.3
#32 0x40b93db4 in QObject::activate_signal(int, int) ()
   from /home/thiago/programs/obj-linux/kde/qt-copy/lib/libqt-mt.so.3
#33 0x40ebfb31 in QSocketNotifier::activated(int) ()
   from /home/thiago/programs/obj-linux/kde/qt-copy/lib/libqt-mt.so.3
#34 0x40baeebc in QSocketNotifier::event(QEvent*) ()
   from /home/thiago/programs/obj-linux/kde/qt-copy/lib/libqt-mt.so.3
#35 0x40b3668d in QApplication::internalNotify(QObject*, QEvent*) ()
   from /home/thiago/programs/obj-linux/kde/qt-copy/lib/libqt-mt.so.3
#36 0x40b35cbc in QApplication::notify(QObject*, QEvent*) ()
   from /home/thiago/programs/obj-linux/kde/qt-copy/lib/libqt-mt.so.3
#37 0x406f0c1e in KApplication::notify(QObject*, QEvent*) (this=0xbffff320, 
    receiver=0x837efe8, event=0xbfffee10)
    at /home/thiago/programs/src/kde/kdelibs/kdecore/kapplication.cpp:509
#38 0x40b256c4 in QEventLoop::activateSocketNotifiers() ()
   from /home/thiago/programs/obj-linux/kde/qt-copy/lib/libqt-mt.so.3
#39 0x40ae1719 in QEventLoop::processEvents(unsigned) ()
   from /home/thiago/programs/obj-linux/kde/qt-copy/lib/libqt-mt.so.3
#40 0x40b4a3cb in QEventLoop::enterLoop() ()
   from /home/thiago/programs/obj-linux/kde/qt-copy/lib/libqt-mt.so.3
#41 0x40b4a290 in QEventLoop::exec() ()
   from /home/thiago/programs/obj-linux/kde/qt-copy/lib/libqt-mt.so.3
#42 0x40b368bc in QApplication::exec() ()
   from /home/thiago/programs/obj-linux/kde/qt-copy/lib/libqt-mt.so.3
#43 0x416dff8e in kdemain (argc=-512, argv=0xfffffe00)
    at /home/thiago/programs/src/kde/kdebase/konqueror/konq_main.cc:162
#44 0x4169a9a6 in kdeinitmain (argc=-512, argv=0xfffffe00)
    at konqueror_dummy.cc:2
#45 0x0804cdad in launch (argc=4, _name=0x80672f4 "konqueror", 
    args=0x806733c "/home/thiago", cwd=0x806733c "/home/thiago", envc=44, 
    envs=0x8067923 "", reset_env=true, tty=0x0, avoid_loops=false, 
    startup_id_str=0xfffffe00 <Address 0xfffffe00 out of bounds>)
    at /home/thiago/programs/src/kde/kdelibs/kinit/kinit.cpp:597
#46 0x0804e22d in handle_launcher_request (sock=4)
    at /home/thiago/programs/src/kde/kdelibs/kinit/kinit.cpp:1094
#47 0x0804e7c2 in handle_requests (waitForPid=0)
    at /home/thiago/programs/src/kde/kdelibs/kinit/kinit.cpp:1255
#48 0x0804f634 in main (argc=3, argv=0xbffffa04, envp=0xfffffe00)
    at /home/thiago/programs/src/kde/kdelibs/kinit/kinit.cpp:1686
#49 0x414b3654 in __libc_start_main () from /lib/libc.so.6
Current language:  auto; currently c
Comment 2 Thiago Macieira 2003-11-14 21:48:58 UTC
Oh, yea, forgot the assert reason:

konqueror: /home/thiago/programs/src/kde/kdelibs/khtml/misc/loader.cpp:1434: static khtml::CachedCSSStyleSheet* khtml::Cache::requestStyleSheet(khtml::DocLoader*, const DOM::DOMString&, bool, long int, const QString&, const char*): Assertiva `o->type() == CachedObject::CSSStyleSheet' falhou.
Comment 3 Luís Pedro Coelho 2003-12-27 15:57:49 UTC
This wasn't an easy bug to trace down, but I finally came up with a simple test case. It's online at

http://luispedro.org/~luis/bugs-kde/68181/test1.html

The main part is:

file1 : <img src="style.css" /> for preloading
file2 : <link rel="stylesheet" href="style.css" />

CRASH: style.css is preloaded as image !!!

<not-interesting except-for="programmers">
What took me a long time was that I was trying to follow the object creation/insertion but due to the use of multiple inheritance, two different pointers can refer to the same object and so the logs were apparently impossible: the cache returned an object which had never been inserted!

The real problem was that I was using:

kdDebug() << "Inserting: " << p << endl;
cache->insert(p,_);

instead of 

kdDebug() << "Inserting: " << (CachedObject*)p << endl;
cache->insert(p,_);

Since p was a CachedImage which inherits from QObject and CachedObject, the pointers were not the same.

</not-interesting>

Probably the solution is something like:

- assert ( o->type == CSS );
+ if ( o->type != CSS ) {
+ 	removeFromCache(o);
+ 	delete o;
+ 	fetch(o);
+ }

I will try to prepare a patch 
(but today I must go and do some for-school work, so maybe tomorrow - but I don't really know the internals here).

hth,
luis
Comment 4 Luís Pedro Coelho 2003-12-28 18:50:18 UTC
Subject: kdelibs/khtml

CVS commit by luis_pedro: 

If we look up something in the cache and it has the wrong type, throw it away and start again.

Discussed in kfm-devel, OKed by Waldo.
CCMAIL: 68181-close@bugs.kde.org


  M +4 -0      ChangeLog   1.140
  M +15 -4     misc/loader.cpp   1.164


--- kdelibs/khtml/ChangeLog  #1.139:1.140
@@ -1,2 +1,6 @@
+2003-12-27  Luis Pedro Coelho <luis@luispedro.org>
+
+        * misc/loader.cpp : Discard items from cache if they have the wrong type (#68181)
+
 2003-12-20  Koos Vriezen  <koos.vriezen@xs4all.nl>
 

--- kdelibs/khtml/misc/loader.cpp  #1.163:1.164
@@ -1417,4 +1417,12 @@ CachedCSSStyleSheet *Cache::requestStyle
 
     CachedObject *o = cache->find(kurl.url());
+    if ( o && o->type() != CachedObject::CSSStyleSheet ) {
+#ifdef CACHE_DEBUG
+            kdDebug( 6060 ) << "An object for " << kurl.url() << " was present, but was not a stylesheet. Removing it." << endl;
+#endif
+            removeCacheEntry( o );
+            o = 0;
+    }
+
     if(!o)
     {
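Review bot: the new `if ( o && o->type() != CachedObject::CSSStyleSheet )` block evicts the entry unconditionally, even when it still has clients (in the test case, the `<img>` that preloaded it); confirm that removeCacheEntry defers deletion while clients remain, otherwise those clients are left with a dangling pointer. Two smaller points: the block body is indented eight spaces inside a four-space `if`, and the same lookup in requestImage (not in this diff) presumably needs a matching guard for the reverse case, a stylesheet already cached under a URL that is then requested as an image.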
@@ -1429,6 +1437,4 @@ CachedCSSStyleSheet *Cache::requestStyle
     o->setExpireDate(_expireDate, true);
 
-    assert(o->type() == CachedObject::CSSStyleSheet);
-
     moveToFront(o);
 
@@ -1473,4 +1479,11 @@ CachedScript *Cache::requestScript( DocL
 
     CachedObject *o = cache->find(kurl.url());
+    if ( o && o->type() != CachedObject::Script ) {
+#ifdef CACHE_DEBUG
+            kdDebug( 6060 ) << "An object for " << kurl.url() << " was present, but was not a script. Removing it." << endl;
+#endif
+            removeCacheEntry( o );
+            o = 0;
+    }
     if(!o)
     {
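Review bot: this block is a copy of the stylesheet guard with only the type constant and the debug message changed; a small helper taking the expected `CachedObject::Type` would keep the two call sites in step if a third request type needs the same treatment. It also lacks the blank line before `if(!o)` that the stylesheet hunk adds.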
@@ -1485,6 +1498,4 @@ CachedScript *Cache::requestScript( DocL
     o->setExpireDate(_expireDate, true);
 
-    assert(o->type() == CachedObject::Script);
-
     moveToFront(o);
     if ( dl ) {


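The type confusion in Luís's test case and the evict-and-refetch fix from the commit, replayed in a toy C++ cache; this is an added example, not khtml's code (the class names mirror khtml's, but the cache, Base and the fetch counter are stand-ins). It also shows the multiple-inheritance pointer mismatch that made his debug logs look impossible.

```cpp
#include <map>
#include <memory>
#include <string>
struct Base { virtual ~Base() {} };   // stand-in for QObject

struct CachedObject {
    enum Type { Image, CSSStyleSheet, Script };
    explicit CachedObject(Type t) : m_type(t) {}
    virtual ~CachedObject() {}
    Type type() const { return m_type; }
private:
    Type m_type;
};
// Multiple inheritance: a CachedImage* and its CachedObject subobject have different
// addresses, so logging the unconverted pointer never matched what the cache returned.
struct CachedImage : Base, CachedObject { CachedImage() : CachedObject(Image) {} };
struct CachedCSSStyleSheet : CachedObject { CachedCSSStyleSheet() : CachedObject(CSSStyleSheet) {} };

bool imagePointersDiffer() {
    CachedImage img;
    return static_cast<void*>(&img) != static_cast<void*>(static_cast<CachedObject*>(&img));
}

// Toy cache keyed by URL only, as khtml's is: the key carries no type information.
struct Cache {
    std::map<std::string, std::unique_ptr<CachedObject>> entries;
    int fetches = 0;
    CachedObject* requestImage(const std::string& url) {        // <img src="style.css">
        auto& e = entries[url];
        if (!e) { e.reset(new CachedImage); ++fetches; }
        return e.get();
    }
    // `patched` selects the committed behaviour: evict a wrong-typed entry and refetch.
    CachedObject* requestStyleSheet(const std::string& url, bool patched) {
        auto& e = entries[url];
        if (patched && e && e->type() != CachedObject::CSSStyleSheet)
            e.reset();                                           // removeCacheEntry(o); o = 0;
        if (!e) { e.reset(new CachedCSSStyleSheet); ++fetches; }
        return e.get();   // unpatched: may be the CachedImage that tripped the assert
    }
};

// Replays the test case (file1 preloads style.css as an image, file2 links it as a
// stylesheet) and returns the type the stylesheet request got back.
CachedObject::Type replayTestCase(bool patched, int* fetches = nullptr) {
    Cache c;
    c.requestImage("style.css");
    CachedObject* o = c.requestStyleSheet("style.css", patched);
    if (fetches) *fetches = c.fetches;
    return o->type();
}
int fetchesForTestCase(bool patched) { int n = 0; replayTestCase(patched, &n); return n; }
```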
Comment 5 MDonoughe 2004-01-10 03:57:29 UTC
Thank you.  Now I can update my page there.