| Summary: | [test case] crash with javascript manipulated tables | ||
|---|---|---|---|
| Product: | [Applications] konqueror | Reporter: | Michael Nottebrock <lofi> |
| Component: | khtml | Assignee: | Konqueror Bugs <konqueror-bugs-null> |
| Status: | RESOLVED FIXED | ||
| Severity: | crash | CC: | maksim |
| Priority: | NOR | ||
| Version First Reported In: | unspecified | ||
| Target Milestone: | --- | ||
| Platform: | FreeBSD Ports | ||
| OS: | Linux | ||
| Latest Commit: | Version Fixed/Implemented In: | ||
| Sentry Crash Report: | |||
| Attachments: |
Testcase
Crash backtrace reduced test case |
Description
Michael Nottebrock
2004-07-29 12:27:11 UTC
Created attachment 6905 [details]
Testcase
Created attachment 6906 [details]
Crash backtrace
Please note that the CSS in the test case is itself buggy: instead of setting `display` to `inline`, it should have set `table-row` and `table-cell`. (Buggy or not, a page must never be able to crash the browser, so this remains a khtml bug.) Confirmed. Crash also reproducible on KDE 3.3 Beta 2. For the duplicate finder:
#0 0x2936dbf3 in wait4 () from /lib/libc.so.5
#1 0x2935f691 in waitpid () from /lib/libc.so.5
#2 0x291f2c86 in waitpid () from /usr/lib/libpthread.so.1
#3 0x2893fdd0 in KCrash::defaultCrashHandler(int) (sig=6) at kcrash.cpp:246
#4 0x291f96a5 in sigaction () from /usr/lib/libpthread.so.1
#5 <signal handler called>
#6 0x2936d8f3 in kill () from /lib/libc.so.5
#7 0x293d6616 in abort () from /lib/libc.so.5
#8 0x293b12ee in __assert () from /lib/libc.so.5
#9 0x29b1434f in khtml::RenderFlow::addChildWithContinuation(khtml::RenderObject*, khtml::RenderObject*) (this=0x8465de0, newChild=0x8465814,
beforeChild=0x84ff43c) at render_flow.cpp:110
#10 0x29b14393 in khtml::RenderFlow::addChild(khtml::RenderObject*, khtml::RenderObject*) (this=0x8465de0, newChild=0x8465814, beforeChild=0x84ff43c)
at render_flow.cpp:125
#11 0x29abede4 in DOM::ElementImpl::attach() (this=0x84ff43c)
at dom_elementimpl.cpp:450
#12 0x29af6838 in DOM::HTMLTableCellElementImpl::attach() (this=0x84fc080)
at html_tableimpl.cpp:839
#13 0x29abef78 in DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (
this=0x84fc080, change=NoChange) at dom_elementimpl.cpp:490
#14 0x29ad8f9f in DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange)
(this=0x84fc080, ch=7) at html_elementimpl.cpp:262
#15 0x29abf034 in DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (
this=0x84fa6c0, change=NoChange) at dom_elementimpl.cpp:517
#16 0x29ad8f9f in DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange)
(this=0x84fa6c0, ch=7) at html_elementimpl.cpp:262
#17 0x29abf034 in DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (
this=0x84fa500, change=NoChange) at dom_elementimpl.cpp:517
#18 0x29ad8f9f in DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange)
(this=0x84fa500, ch=7) at html_elementimpl.cpp:262
#19 0x29abf034 in DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (
this=0x84e3b80, change=NoChange) at dom_elementimpl.cpp:517
#20 0x29ad8f9f in DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange)
(this=0x84e3b80, ch=7) at html_elementimpl.cpp:262
#21 0x29abf034 in DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (
this=0x819f940, change=NoChange) at dom_elementimpl.cpp:517
#22 0x29ad8f9f in DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange)
(this=0x819f940, ch=7) at html_elementimpl.cpp:262
#23 0x29abf034 in DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (
this=0x84e5700, change=NoChange) at dom_elementimpl.cpp:517
#24 0x29ad8f9f in DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange)
(this=0x84e5700, ch=7) at html_elementimpl.cpp:262
#25 0x29aad9b7 in DOM::DocumentImpl::recalcStyle(DOM::NodeImpl::StyleChange) (
this=0x8428200, change=NoChange) at dom_docimpl.cpp:979
#26 0x29aadd23 in DOM::DocumentImpl::updateRendering() (this=0x8428200)
at dom_docimpl.cpp:1012
#27 0x29aadd85 in DOM::DocumentImpl::updateDocumentsRendering() ()
at dom_docimpl.cpp:1026
#28 0x29ba6a2a in KJS::Window::afterScriptExecution() (this=0x84e3600)
at kjs_window.cpp:937
#29 0x29bcb000 in KJS::JSEventListener::handleEvent(DOM::Event&) (
this=0x84f5de0, evt=@0xbfbfda40) at kjs_events.cpp:120
#30 0x29ab8ef7 in DOM::NodeImpl::handleLocalEvents(DOM::EventImpl*, bool) (
this=0x20, evt=0x8421480, useCapture=false) at dom_nodeimpl.cpp:707
#31 0x29ab8583 in DOM::NodeImpl::dispatchGenericEvent(DOM::EventImpl*, int&) (
this=0x84fa400, evt=0x8421480) at dom_nodeimpl.cpp:518
#32 0x29ab8331 in DOM::NodeImpl::dispatchEvent(DOM::EventImpl*, int&, bool) (
this=0x84fa400, evt=0x8421480, exceptioncode=@0x7, tempEvent=true)
at dom_nodeimpl.cpp:470
#33 0x29a5fba6 in KHTMLView::dispatchMouseEvent(int, DOM::NodeImpl*, bool, int, QMouseEvent*, bool, int) (this=0x83a0800, eventId=4, targetNode=0x84fa400,
cancelable=true, detail=0, _mouse=0xbfbfdc90, setUnder=true,
mouseEventType=0) at khtmlview.cpp:2135
#34 0x29a5b487 in KHTMLView::viewportMouseReleaseEvent(QMouseEvent*) (
this=0x83a0800, _mouse=0xbfbfe200) at khtmlview.cpp:905
#35 0x28dca554 in QScrollView::eventFilter(QObject*, QEvent*) (this=0x83a0800,
obj=0x8352e00, e=0xbfbfe200) at widgets/qscrollview.cpp:1502
#36 0x29a5c264 in KHTMLView::eventFilter(QObject*, QEvent*) (this=0x83a0800,
o=0x8352e00, e=0xbfbfe200) at khtmlview.cpp:1420
#37 0x28cd3624 in QObject::activate_filters(QEvent*) (this=0x8352e00,
e=0xbfbfe200) at kernel/qobject.cpp:902
#38 0x28cd34f8 in QObject::event(QEvent*) (this=0x8352e00, e=0xbfbfe200)
at kernel/qobject.cpp:735
#39 0x28d0510a in QWidget::event(QEvent*) (this=0x8352e00, e=0xbfbfe200)
at kernel/qwidget.cpp:4653
#40 0x28c82fe9 in QApplication::internalNotify(QObject*, QEvent*) (this=0x0,
receiver=0x8352e00, e=0xbfbfe200) at kernel/qapplication.cpp:2620
#41 0x28c826b6 in QApplication::notify(QObject*, QEvent*) (this=0xbfbfe900,
receiver=0x8352e00, e=0xbfbfe200) at kernel/qapplication.cpp:2406
#42 0x288be596 in KApplication::notify(QObject*, QEvent*) (this=0xbfbfe900,
receiver=0x8352e00, event=0xbfbfe200) at kapplication.cpp:511
#43 0x28c244a5 in QETWidget::translateMouseEvent(_XEvent const*) (
this=0x8352e00, event=0xbfbfe530) at qapplication.h:494
#44 0x28c22906 in QApplication::x11ProcessEvent(_XEvent*) (this=0xbfbfe900,
event=0xbfbfe530) at kernel/qapplication_x11.cpp:3521
#45 0x28c362a9 in QEventLoop::processEvents(unsigned) (this=0x80fe5c0, flags=4)
at kernel/qeventloop_x11.cpp:192
#46 0x28c92adb in QEventLoop::enterLoop() (this=0x80fe5c0)
at kernel/qeventloop.cpp:198
#47 0x28c92a2c in QEventLoop::exec() (this=0x80fe5c0)
at kernel/qeventloop.cpp:145
#48 0x28c83144 in QApplication::exec() (this=0xbfbfe900)
at kernel/qapplication.cpp:2743
#49 0x280d4565 in kdemain (argc=7, argv=0x7) at konq_main.cc:184
#50 0x080486c3 in main (argc=7, argv=0x7) at konqueror.la.cc:2
#51 0x08048602 in _start ()
Still present in KDE 3.3.1. konqueror: /suse/coolo/prod/kdelibs/khtml/rendering/render_flow.cpp:89: void khtml::RenderFlow:: (khtml::RenderObject*, khtml::RenderObject*): Zusicherung »!beforeChild || beforeChild->parent()->isRenderBlock() || beforeChild->parent()->isRenderInline()« nicht erfüllt. (German libc message; in English: assertion `!beforeChild || beforeChild->parent()->isRenderBlock() || beforeChild->parent()->isRenderInline()` failed. The method name is missing from the message as pasted; the backtrace above places this assertion in RenderFlow::addChildWithContinuation.) No other bug with that assertion text was found.
Created attachment 8407 [details]
reduced test case
The assert of course only triggers if you're building with debug enabled. Note that this does not make the issue debug-only: in a release build KHTMLAssert is presumably compiled out, and the `static_cast<RenderFlow*>(beforeChild->parent())` that follows it (see the render_flow.cpp hunk in commit 598760 below) is then performed on a parent that is neither a RenderBlock nor a RenderInline — a type confusion reachable from web content via script, which is worse than a clean abort.
Just for reference: gtk-webcore crashes too.
SVN commit 598668 by carewolf:
When a sibling renderer has caused implicit containers, make nextRenderer
traverse those to find one we can use as a sibling.
BUG: 86221
M +8 -2 dom_nodeimpl.cpp
--- branches/KDE/3.5/kdelibs/khtml/xml/dom_nodeimpl.cpp #598667:598668
@@ -910,8 +910,14 @@
RenderObject * NodeImpl::nextRenderer()
{
for (NodeImpl *n = nextSibling(); n; n = n->nextSibling()) {
- if (n->renderer())
- return n->renderer();
+ if (n->renderer()) {
+ RenderObject *r = n->renderer();
+ // If the renderer has caused implicit containers,
+ // return the topmost implicit container
+ while (r->parent()->isAnonymous() && !r->parent()->isAnonymousBlock())
+ r = r->parent();
+ return r;
+ }
}
return 0;
}
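Review bot: The added climb `while (r->parent()->isAnonymous() && !r->parent()->isAnonymousBlock())` dereferences `r->parent()` before checking it, so a sibling whose renderer has no parent would turn the assertion this hunk works around into a null-pointer crash; guard it with `while (r->parent() && r->parent()->isAnonymous() && !r->parent()->isAnonymousBlock())`. The loop also stops only at an anonymous block, so it can climb past the container the caller is about to insert into and return a renderer that is not a child of it — hard to confirm from this hunk alone, but the follow-up commit 598760 on this page moves the fix out of nextRenderer() because it caused other regressions. Since the crash is driven from web content (the test case reaches it through a JavaScript event handler), the comment should state the invariant callers rely on, e.g. `// Callers expect the result to share a parent with this node's own renderer.`, rather than only describing the walk.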
SVN commit 598760 by carewolf:
Move fix of bug #86221 to RenderFlow where it doesn't cause other regressions
CCBUG: 86221
M +5 -3 rendering/render_flow.cpp
M +2 -8 xml/dom_nodeimpl.cpp
--- branches/KDE/3.5/kdelibs/khtml/rendering/render_flow.cpp #598759:598760
@@ -85,8 +85,10 @@
void RenderFlow::addChildWithContinuation(RenderObject* newChild, RenderObject* beforeChild)
{
RenderFlow* flow = continuationBefore(beforeChild);
- KHTMLAssert(!beforeChild || beforeChild->parent()->isRenderBlock() ||
- beforeChild->parent()->isRenderInline());
+ while(beforeChild && beforeChild->parent() != this && !beforeChild->parent()->isAnonymousBlock()) {
+ // skip implicit containers around beforeChild
+ beforeChild = beforeChild->parent();
+ }
RenderFlow* beforeChildParent = beforeChild ? static_cast<RenderFlow*>(beforeChild->parent()) : (flow->continuation() ? flow->continuation() : flow);
@@ -260,7 +262,7 @@
}
}
}
-
+
return false;
}
--- branches/KDE/3.5/kdelibs/khtml/xml/dom_nodeimpl.cpp #598759:598760
@@ -910,14 +910,8 @@
RenderObject * NodeImpl::nextRenderer()
{
for (NodeImpl *n = nextSibling(); n; n = n->nextSibling()) {
- if (n->renderer()) {
- RenderObject *r = n->renderer();
- // If the renderer has caused implicit containers,
- // return the topmost implicit container
- while (r->parent()->isAnonymous() && !r->parent()->isAnonymousBlock())
- r = r->parent();
- return r;
- }
+ if (n->renderer())
+ return n->renderer();
}
return 0;
} |
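Review bot: The added `while` loop in the render_flow.cpp hunk keeps the null-pointer hole the removed assertion used to hide: it evaluates `beforeChild->parent()->isAnonymousBlock()` without checking that the parent exists, so climbing out of a detached or root-level `beforeChild` dereferences null, and the `static_cast<RenderFlow*>(beforeChild->parent())` on the following context line is now performed with no check at all that the parent is a RenderBlock or RenderInline. Guard the climb and reinstate the invariant after it: `while (beforeChild && beforeChild->parent() && beforeChild->parent() != this && !beforeChild->parent()->isAnonymousBlock())`, followed after the loop by the original `KHTMLAssert(!beforeChild || beforeChild->parent()->isRenderBlock() || beforeChild->parent()->isRenderInline());`. Because this path is reached from script-driven style recalculation on arbitrary web content, the type check is worth enforcing in release builds too (for example falling back to `beforeChild = 0` when the parent is not a RenderFlow), since KHTMLAssert is presumably compiled out there and the cast then becomes a type confusion rather than a crash. The body of addChildWithContinuation continues past the hunk.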