Bug 83996

Summary: [test case] another crash with <DL compact>
Product: [Applications] konqueror
Reporter: Josh Metzler <joshdeb>
Component: khtml renderer
Assignee: Konqueror Developers <konq-bugs>
Status: RESOLVED FIXED    
Severity: crash    
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: Compiled Sources   
OS: Linux   
Attachments: test case

Description Josh Metzler 2004-06-25 19:54:25 UTC
Version:           3.2.90 (using KDE Devel)
Installed from:    Compiled sources
Compiler:          gcc version 3.3.4 (Debian)
OS:                Linux (i686) release 2.4.26-co-0.6.1

When directed to http://www.delorie.com/gnu/docs/wget/wget_9.html, Konqueror (compiled from CVS on June 24, 2004) crashes with the following backtrace:

#6  0x414d6721 in kill () from /lib/libc.so.6
#7  0x41298771 in pthread_kill () from /lib/libpthread.so.0
#8  0x41298a7b in raise () from /lib/libpthread.so.0
#9  0x414d64d4 in raise () from /lib/libc.so.6
#10 0x414d79e8 in abort () from /lib/libc.so.6
#11 0x414cfb3f in __assert_fail () from /lib/libc.so.6
#12 0x41b2abc8 in khtml::RenderBlock::layoutBlock (this=0x83346d0, 
    relayoutChildren=false)
    at /home/kdecvs/kdecvs/kdelibs/khtml/rendering/render_block.cpp:433
#13 0x41b2a9dd in khtml::RenderBlock::layout (this=0x83346d0)
    at /home/kdecvs/kdecvs/kdelibs/khtml/rendering/render_block.cpp:419
#14 0x41b2c57f in khtml::RenderBlock::layoutBlockChildren (this=0x8c14468, 
    relayoutChildren=true)
    at /home/kdecvs/kdecvs/kdelibs/khtml/rendering/render_block.cpp:922
#15 0x41b2ae2d in khtml::RenderBlock::layoutBlock (this=0x8c14468, 
    relayoutChildren=true)
    at /home/kdecvs/kdecvs/kdelibs/khtml/rendering/render_block.cpp:502
#16 0x41b2a9dd in khtml::RenderBlock::layout (this=0x8c14468)
    at /home/kdecvs/kdecvs/kdelibs/khtml/rendering/render_block.cpp:419
#17 0x41b8229e in khtml::RenderBody::layout (this=0x8c14468)
    at /home/kdecvs/kdecvs/kdelibs/khtml/rendering/render_body.cpp:94
#18 0x41b2c18c in khtml::RenderBlock::layoutBlockChildren (this=0x8c143a8, 
    relayoutChildren=true)
    at /home/kdecvs/kdecvs/kdelibs/khtml/rendering/render_block.cpp:824
#19 0x41b2ae2d in khtml::RenderBlock::layoutBlock (this=0x8c143a8, 
    relayoutChildren=true)
    at /home/kdecvs/kdecvs/kdelibs/khtml/rendering/render_block.cpp:502
#20 0x41b2a9dd in khtml::RenderBlock::layout (this=0x8c143a8)
    at /home/kdecvs/kdecvs/kdelibs/khtml/rendering/render_block.cpp:419
#21 0x41b2c18c in khtml::RenderBlock::layoutBlockChildren (this=0x8c142b8, 
    relayoutChildren=false)
    at /home/kdecvs/kdecvs/kdelibs/khtml/rendering/render_block.cpp:824
#22 0x41b2ae2d in khtml::RenderBlock::layoutBlock (this=0x8c142b8, 
    relayoutChildren=false)
    at /home/kdecvs/kdecvs/kdelibs/khtml/rendering/render_block.cpp:502
#23 0x41b2a9dd in khtml::RenderBlock::layout (this=0x8c142b8)
    at /home/kdecvs/kdecvs/kdelibs/khtml/rendering/render_block.cpp:419
#24 0x41b7a9a2 in khtml::RenderCanvas::layout (this=0x8c142b8)
    at /home/kdecvs/kdecvs/kdelibs/khtml/rendering/render_canvas.cpp:171
#25 0x41a6eb59 in KHTMLView::layout (this=0x85932d0)
    at /home/kdecvs/kdecvs/kdelibs/khtml/khtmlview.cpp:632
#26 0x41a76427 in KHTMLView::timerEvent (this=0x85932d0, e=0xbffff260)
    at /home/kdecvs/kdecvs/kdelibs/khtml/khtmlview.cpp:2470
#27 0x40cd767f in QObject::event (this=0x85932d0, e=0xbffff260)
    at kernel/qobject.cpp:741
#28 0x40d1225b in QWidget::event (this=0x85932d0, e=0xbffff260)
    at kernel/qwidget.cpp:4653
#29 0x40c76f05 in QApplication::internalNotify (this=0xbffff670, 
    receiver=0x85932d0, e=0xbffff260) at kernel/qapplication.cpp:2620
#30 0x40c76b9b in QApplication::notify (this=0xbffff670, receiver=0x85932d0, 
    e=0xbffff260) at kernel/qapplication.cpp:2508
#31 0x407baad9 in KApplication::notify (this=0xbffff670, receiver=0x85932d0, 
    event=0xbffff260)
    at /home/kdecvs/kdecvs/kdelibs/kdecore/kapplication.cpp:512
#32 0x4004c804 in QApplication::sendEvent (receiver=0x85932d0, 
    event=0xbffff260) at qapplication.h:491
#33 0x40c656ac in QEventLoop::activateTimers (this=0x8089e58)
    at kernel/qeventloop_unix.cpp:558
#34 0x40c1e7bb in QEventLoop::processEvents (this=0x8089e58, flags=4)
    at kernel/qeventloop_x11.cpp:389
#35 0x40c8b489 in QEventLoop::enterLoop (this=0x8089e58)
    at kernel/qeventloop.cpp:198
#36 0x40c8b3a2 in QEventLoop::exec (this=0x8089e58)
    at kernel/qeventloop.cpp:145
#37 0x40c77071 in QApplication::exec (this=0xbffff670)
    at kernel/qapplication.cpp:2743
#38 0x416f21b7 in kdemain (argc=2, argv=0x8060e80)
    at /home/kdecvs/kdecvs/kdebase/konqueror/konq_main.cc:204
#39 0x0804e165 in launch (argc=2, _name=0x805fcc4 "konqueror", 
    args=0x805fcd7 "\001", cwd=0x0, envc=1, envs=0x805fce8 "", 
    reset_env=false, tty=0x0, avoid_loops=false, 
    startup_id_str=0x805fcec "colinux;1088098783;963492;8315_TIME1472057866")
    at /home/kdecvs/kdecvs/kdelibs/kinit/kinit.cpp:591
#40 0x0804f478 in handle_launcher_request (sock=8)
    at /home/kdecvs/kdecvs/kdelibs/kinit/kinit.cpp:1155
#41 0x0804fb39 in handle_requests (waitForPid=0)
    at /home/kdecvs/kdecvs/kdelibs/kinit/kinit.cpp:1348
#42 0x08051137 in main (argc=3, argv=0xbffffcd4, envp=0xbffffce4)
    at /home/kdecvs/kdecvs/kdelibs/kinit/kinit.cpp:1785
Comment 1 Stephan Kulow 2004-06-26 09:41:55 UTC

*** This bug has been marked as a duplicate of 75806 ***
Comment 2 Stephan Kulow 2004-06-26 10:00:12 UTC
I don't get it. This is the very same crash as all the other duplicates, but this one is crashing while all the others are fixed ;(
Comment 3 Stephan Kulow 2004-06-26 10:19:15 UTC
Created attachment 6478: test case

konqueror: /home/coolo/prod/kdelibs/khtml/rendering/render_block.cpp:434: void
khtml::RenderBlock::layoutBlock(bool): Zusicherung »minMaxKnown()« nicht
erfüllt.
Comment 4 Josh Metzler 2004-07-01 14:21:26 UTC
I did some debugging of this crash.  When the layout is being calculated, m_minMaxKnown ends up set for every node.  The problem occurs later, when actually laying out the nodes.  We get to the COMPACT node and then in render_block.c:750, removeChildNode() gets called.  This calls setMinMaxKnown(false) on both the child node and the current node.  Neither recalcMinMaxWidths() nor calcMinMaxWidth() is ever called again before the crash.  So, I don't see how this could ever work.  I don't know HTML very well, or what COMPACT is supposed to do, but it looks like it would almost always cause this crash.

While debugging, I came across a couple of possible small logic simplifications:

render_object.c:1715 right before returning, recalcMinMaxWidths() calls calcMinMaxWidth() which sets m_minMaxKnown to true right before returning, so the check here should be unnecessary.
  
render_block.c:2164 the !child->isRenderInline() could be moved inside the previous block where we already know that !child->isText() is true.  The else if (child->isText()) could then be just an else for the earlier if.  This eliminates 3 calls in the isText() case and 1 or 2 otherwise.

I'm not sure where this is set, but a text node has m_minMaxKnown = true and m_recalcMinMaxWidth = true, but it has no children and is inline.  So, since m_recalcMinMaxWidth is true, recalcMinMaxWidths() is called on it, but for an inline object with no children, all this does is set m_recalcMinMax to false.  It seems to me that a lot of time could be saved on each text node if m_recalcMinMaxWidth were set to false to start with.
Comment 5 Germain Garand 2004-10-15 04:40:23 UTC
Fixed in CVS. Re #4: thanks for the investigation. We ended up changing the implementation of display:compact to something more reliable (i.e. not inlining the compact block).
Comment 6 Germain Garand 2004-10-15 10:08:47 UTC
fixed as in FIXED
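
Added example (not part of the bug report and not KHTML source): a simplified C++ model of the sequence described in comment 4, where a tree mutation during layout clears the min/max flag and a later layout step trips the minMaxKnown() check. The Node type, the Compact modes and the re-parenting of the compact child into its next sibling are assumptions for illustration; LeaveInPlace stands in for the "not inlining" approach mentioned in comment 5.

```cpp
#include <algorithm>
#include <cstddef>
#include <vector>
// Simplified model for illustration; not KHTML source. Names follow comment 4.
enum class Compact { InlineNoRecalc, InlineThenRecalc, LeaveInPlace };
struct Node {
    bool compact = false, minMaxKnown = false;
    std::vector<Node*> children;
    void calcMinMaxWidth() {                 // width pass: marks the subtree known
        for (Node* c : children) c->calcMinMaxWidth();
        minMaxKnown = true;
    }
    void removeChildNode(Node* c) {          // clears the flag on child and parent
        children.erase(std::find(children.begin(), children.end(), c));
        c->minMaxKnown = minMaxKnown = false;
    }
};

// Returns false at the point where the real layoutBlock() asserts minMaxKnown().
bool layoutBlock(Node* n, Compact mode) {
    if (!n->minMaxKnown) return false;
    std::size_t i = 0;
    while (i < n->children.size()) {
        Node* c = n->children[i];
        if (c->compact && i + 1 < n->children.size() && mode != Compact::LeaveInPlace) {
            Node* next = n->children[i + 1];
            n->removeChildNode(c);           // tree mutated in the middle of layout
            next->children.insert(next->children.begin(), c);  // assumed re-parenting
            c->compact = false;              // handled; do not move it again
            if (mode == Compact::InlineThenRecalc) n->calcMinMaxWidth();
            continue;                        // children[i] is now `next`
        }
        if (!layoutBlock(c, mode)) return false;
        ++i;
    }
    return true;
}

// Constructed tree: <body><dl compact><dt/><dd/></dl></body>
bool runCase(Compact mode) {
    Node dt, dd, dl, body;
    dt.compact = true;
    dl.children = {&dt, &dd};
    body.children = {&dl};
    body.calcMinMaxWidth();                  // every flag is set before layout starts
    return layoutBlock(&body, mode);
}

int main() { return runCase(Compact::LeaveInPlace) ? 0 : 1; }
```

Only InlineNoRecalc fails the check: the moved child is laid out with its flag still cleared, while the other two modes either restore the flag after the mutation or never mutate the tree during layout.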