| Summary: | Crash on www.betandwin.com if you click in password field | | |
|---|---|---|---|
| Product: | [Applications] konqueror | Reporter: | Hans-Peter Schadler <blade.runner> |
| Component: | khtml | Assignee: | Leo Savernik <l.savernik> |
| Status: | RESOLVED FIXED | | |
| Severity: | crash | CC: | adasi, aliakc, gmoreira, i.sondermann, jtscsousa, kde, kdebugs-050220211414-96ad, maksim, ndeb, niels.misc, sodotem |
| Priority: | NOR | | |
| Version: | 3.3 | | |
| Target Milestone: | --- | | |
| Platform: | unspecified | | |
| OS: | Linux | | |
| Latest Commit: | | Version Fixed In: | |
| Sentry Crash Report: | | | |
| Attachments: | patch; updated patch | | |
Description
Hans-Peter Schadler
2004-08-28 15:02:05 UTC
There is no password field on the main page. Awaiting detailed steps to reproduce.

1) Left click on the link above
2) Then there are links to select the language and a next link (you see this page only once if cookies are enabled)
3) Click on a language or on the next link
4) Click in the password field (there is only one, between the User ID field and the login button)
5) Konqueror crashes

If you jump from user id field to password field with tab konqueror doesn't crash

Doesn't crash for me, but it's dog slow, and one needs several clicks to actually focus the input field.

Seems to be among the family of crashes that can't be reproduced on gcc 2.95

Can confirm crash: kde 3.3.1 compiled on debian sarge gcc version 3.3.4

Reproducible on trunk. Reduced to a small test case: http://cis.strath.ac.uk/~ac/break7.html Two input boxes, the second of which has onFocus="this.style.display='none';" in its definition. Clicking in the second text box causes a crash; tabbing into it from the first doesn't.
Backtrace:
#0 0xb5fbbe0b in khtml::CaretBoxLine::addConvertedInlineBox (this=0x83bc000, box=0x83972b0, sbp=@0xbfffcec0) at khtml_caret.cpp:684
#1 0xb5fbbf51 in khtml::CaretBoxLine::addConvertedInlineBox (this=0x83bc000, box=0x8397234, sbp=@0xbfffcec0) at khtml_caret.cpp:713
#2 0xb5fbc5ae in khtml::CaretBoxLine::constructCaretBoxLine (deleter=0xbfffd020, basicFlowBox=0x8397234, seekBox=0x839727c, seekOutside=false, seekOutsideEnd=false, iter=@0xbfffd010, seekObject=0x0) at khtml_caret.cpp:831
#3 0xb5fbcb48 in findCaretBoxLine (node=0x80fcb30, offset=1, cblDeleter=0xbfffd020, base=0x8396f88, r_ofs=@0xbfffd01c, caretBoxIt=@0xbfffd010) at khtml_caret.cpp:1010
#4 0xb5fc20e8 in KHTMLView::moveCaretTo (this=0x8358308, node=0x80fcb30, offset=1, clearSel=true) at khtmlview.cpp:3919
#5 0xb5fecca6 in KHTMLPart::khtmlMousePressEvent (this=0x8351968, event=0xbfffd3e0) at khtml_part.cpp:5967
#6 0xb5fec559 in KHTMLPart::customEvent (this=0x8351968, event=0xbfffd3e0) at khtml_part.cpp:5819
#7 0xb6eef9d6 in QObject::event (this=0x8351968, e=0xbfffd3e0) at kernel/qobject.cpp:755

On Thursday, 19 May 2005 15:22, Andrew Coles wrote:
> Reduced to a small test case:
>
> http://cis.strath.ac.uk/~ac/break7.html
>
> Two input boxes, the second of which has
>
> onFocus="this.style.display='none';"
>
> in its definition. Clicking in the second text box causes a crash; tabbing
> into it from the first doesn't.

Is this reproducible on the KDE 3.4 branch? If not, it has no priority.

It crashes KDE 3.4 branch.
Backtrace courtesy of Michael Buesch:
#7 0xb5aa3ddc in khtml::CaretBoxLine::addConvertedInlineBox (this=0x82b90f0, box=0x82abb44, sbp=@0xbfffbd90) at khtml_caret.cpp:684
#8 0xb5aa3d7e in khtml::CaretBoxLine::addConvertedInlineBox (this=0x82b90f0, box=0x82abac8, sbp=@0xbfffbd90) at render_line.h:162
#9 0xb5aa5338 in khtml::CaretBoxLine::constructCaretBoxLine (deleter=0xbfffbfa0, basicFlowBox=0x82abac8, seekBox=0x0, seekOutside=false, seekOutsideEnd=false, iter=@0x0, seekObject=0x0) at khtml_caret.cpp:831
#10 0xb5aa5506 in findCaretBoxLine (node=0x82d1680, offset=1, cblDeleter=0xbfffbfa0, base=0x82ab808, r_ofs=@0xbfffbf44, caretBoxIt=@0xbfffbf48) at khtml_caret.cpp:1035
#11 0xb5aa5ebe in KHTMLView::moveCaretTo (this=0x8255ef0, node=0x82d1680, offset=1, clearSel=true) at khtmlview.cpp:3609
#12 0xb5ad2933 in KHTMLPart::khtmlMousePressEvent (this=0x8246240, event=0xbfffc3a0) at qguardedptr.h:113
#13 0xb5ab5e73 in KHTMLPart::customEvent (this=0x8246240, event=0xbfffc3a0) at khtml_part.cpp:5716
#14 0xb712daf0 in QObject::event (this=0x8246240, e=0xbfffc3a0) at kernel/qobject.cpp:755
#15 0xb70cb6dd in QApplication::internalNotify (this=0xbfffd510, receiver=0x8246240, e=0xbfffc3a0) at kernel/qapplication.cpp:2635
#16 0xb70cac1e in QApplication::notify (this=0xbfffd510, receiver=0x8246240, e=0xbfffc3a0) at kernel/qapplication.cpp:2358
#17 0xb7762914 in KApplication::notify (this=0xbfffd510, receiver=0x8246240, event=0xbfffc3a0) at kapplication.cpp:549
#18 0xb5a9bff8 in KHTMLView::viewportMousePressEvent (this=0x8255ef0, _mouse=0xb5cfd4f0) at qapplication.h:491
#19 0xb5aa0d75 in KHTMLView::eventFilter (this=0x8255ef0, o=0x82dd180, e=0xbfffcc40) at khtmlview.cpp:1874
#20 0xb712dba1 in QObject::activate_filters (this=0x82dd180, e=0xbfffcc40) at kernel/qobject.cpp:902
#21 0xb712da21 in QObject::event (this=0x82dd180, e=0xbfffcc40) at kernel/qobject.cpp:735
#22 0xb7169da7 in QWidget::event (this=0x82dd180, e=0xbfffcc40) at kernel/qwidget.cpp:4658
#23 0xb7202acd in QLineEdit::event (this=0x82dd180, e=0xbfffcc40) at widgets/qlineedit.cpp:1413
#24 0xb5babae8 in khtml::LineEditWidget::event (this=0x82dd180, e=0xbfffcc40) at render_form.cpp:403
#25 0xb70cb6dd in QApplication::internalNotify (this=0xbfffd510, receiver=0x82dd180, e=0xbfffcc40) at kernel/qapplication.cpp:2635
#26 0xb70caf0c in QApplication::notify (this=0xbfffd510, receiver=0x82dd180, e=0xbfffcc40) at kernel/qapplication.cpp:2421
#27 0xb7762914 in KApplication::notify (this=0xbfffd510, receiver=0x82dd180, event=0xbfffcc40) at kapplication.cpp:549
#28 0xb705da28 in QApplication::sendSpontaneousEvent (receiver=0x82dd180, event=0xbfffcc40) at qapplication.h:494
#29 0xb7057f61 in QETWidget::translateMouseEvent (this=0x82dd180, event=0xbfffd000) at kernel/qapplication_x11.cpp:4291
#30 0xb7055b44 in QApplication::x11ProcessEvent (this=0xbfffd510, event=0xbfffd000) at kernel/qapplication_x11.cpp:3442
#31 0xb7070b02 in QEventLoop::processEvents (this=0x80964c0, flags=4) at kernel/qeventloop_x11.cpp:192
#32 0xb70e093f in QEventLoop::enterLoop (this=0x80964c0) at kernel/qeventloop.cpp:198
#33 0xb70e085a in QEventLoop::exec (this=0x80964c0) at kernel/qeventloop.cpp:145
#34 0xb70cb849 in QApplication::exec (this=0xbfffd510) at kernel/qapplication.cpp:2758
#35 0xb6063093 in kdemain (argc=0, argv=0x0) at konq_main.cc:206
#36 0xb610195b in kdeinitmain (argc=0, argv=0x0) at konqueror_dummy.cc:2
#37 0x0804e4c9 in launch (argc=2, _name=0x8071bac "konqueror", args=0xbfffd6a0 "Ð(\a\b±Ë\236¶", cwd=0x0, envc=1, envs=0x8071bd1 "", reset_env=false, tty=0x0, avoid_loops=false, startup_id_str=0x0) at kinit.cpp:625
#38 0x0804ed0b in handle_launcher_request (sock=8) at kinit.cpp:1189
#39 0x0804f2e8 in handle_requests (waitForPid=0) at kinit.cpp:1392
#40 0x0804fb3e in main (argc=2, argv=0xbfffdea4, envp=0x0) at kinit.cpp:1848

On Thursday, 19 May 2005 17:49, Andrew Coles wrote:
> It crashes KDE 3.4 branch.
Thanks for checking. Now it has priority, but still I don't have any time to
fix it for 3.4.1 :-(
*** Bug 102918 has been marked as a duplicate of this bug. ***

*** Bug 108065 has been marked as a duplicate of this bug. ***

*** Bug 106395 has been marked as a duplicate of this bug. ***

Bug #106395 has one extra function in the backtrace. I can confirm it.

*** Bug 108378 has been marked as a duplicate of this bug. ***

*** Bug 109146 has been marked as a duplicate of this bug. ***

*** Bug 114246 has been marked as a duplicate of this bug. ***

*** Bug 70532 has been marked as a duplicate of this bug. ***

*** Bug 115903 has been marked as a duplicate of this bug. ***

*** Bug 115951 has been marked as a duplicate of this bug. ***

*** Bug 116722 has been marked as a duplicate of this bug. ***

The code gets confused because a child linebox has been destroyed. valgrind trace, needed to disable the arena allocator to get it:

==5373== Invalid read of size 4
==5373==    at 0x1DE28DF5: khtml::CaretBoxLine::addConvertedInlineBox(khtml::InlineBox*, khtml::CaretBoxLine::SeekBoxParams&) (khtml_caret.cpp:678)
==5373==    by 0x1DE28DA6: khtml::CaretBoxLine::addConvertedInlineBox(khtml::InlineBox*, khtml::CaretBoxLine::SeekBoxParams&) (khtml_caret.cpp:722)
==5373==    by 0x1DE2AE31: khtml::CaretBoxLine::constructCaretBoxLine(khtml::MassDeleter<khtml::CaretBoxLine>*, khtml::InlineFlowBox*, khtml::InlineBox*, bool, bool, khtml::CaretBoxIterator&, khtml::RenderObject*) (khtml_caret.cpp:840)
==5373==    by 0x1DE2D59D: khtml::findCaretBoxLine(DOM::NodeImpl*, long, khtml::MassDeleter<khtml::CaretBoxLine>*, khtml::RenderObject*, long&, khtml::CaretBoxIterator&) (khtml_caret.cpp:946)
==5373==    by 0x1DE2FFCF: KHTMLView::moveCaretTo(DOM::NodeImpl*, long, bool) (khtmlview.cpp:4023)
==5373==    by 0x1DE43586: KHTMLPart::khtmlMousePressEvent(khtml::MousePressEvent*) (khtml_part.cpp:6056)
==5373==    by 0x1DE370FC: KHTMLPart::customEvent(QCustomEvent*) (khtml_part.cpp:5908)
==5373==    by 0x1C671FE0: QObject::event(QEvent*) (in /opt/kde3.4/lib/libqt-mt.so.3.3.4)
==5373==    by 0x1C6310F7: QApplication::internalNotify(QObject*, QEvent*) (in /opt/kde3.4/lib/libqt-mt.so.3.3.4)
==5373==    by 0x1C63163F: QApplication::notify(QObject*, QEvent*) (in /opt/kde3.4/lib/libqt-mt.so.3.3.4)
==5373==    by 0x1C20282A: KApplication::notify(QObject*, QEvent*) (kapplication.cpp:550)
==5373==    by 0x1DE1F198: KHTMLView::viewportMousePressEvent(QMouseEvent*) (qapplication.h:491)
==5373==  Address 0x1E42B5E8 is 8 bytes inside a block of size 48 free'd
==5373==    at 0x1B9003B3: free (vg_replace_malloc.c:235)
==5373==    by 0x1DF17833: khtml::RenderArena::free(unsigned, void*) (render_arena.cpp:114)
==5373==    by 0x1DF4B1FF: khtml::InlineBox::detach(khtml::RenderArena*) (render_line.cpp:59)
==5373==    by 0x1DF0B26D: khtml::RenderBox::deleteInlineBoxes(khtml::RenderArena*) (render_box.cpp:213)
==5373==    by 0x1DF3060E: khtml::RenderWidget::detach() (render_replaced.cpp:113)
==5373==    by 0x1DE9516A: DOM::NodeImpl::detach() (dom_nodeimpl.cpp:878)
==5373==    by 0x1DE951E1: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1416)
==5373==    by 0x1DE9B91D: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:556)
==5373==    by 0x1DEC000F: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:262)
==5373==    by 0x1DE9B89B: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:585)
==5373==    by 0x1DEC000F: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:262)
==5373==    by 0x1DE9B89B: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:585)

Created attachment 13561 [details]
patch
OK, this is my attempt at fixing it -- the code tries to always accurately
maintain the parent/child/next/prev information. It passes testregression just
fine. The thing that's worrying me is that I've seen parents deleted before
children, and I don't see how the kids are supposed to be deleted -- can a tree
of lineboxes correspond to multiple render objects?
On a related note, this looks bogus:
while (!prev->isInlineFlowBox()) {
prev = prev->prevLineBox();
prev->detach(arena);
}
(from RenderFlow::deleteLastLineBox)
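A minimal model of the failure and of what the fix above has to guarantee, added here as an example; it is not khtml code, and the names Box, FlowBox, Arena, walk and the two scenario functions are made up for the example. It mirrors the valgrind finding (a child box freed by RenderBox::deleteInlineBoxes while the parent line box still lists it) and the patch's two changes (unlink from the parent in detach, orphan the children when a flow box goes away), with a flag to run either the unpatched or the patched behaviour. It goes one step beyond the report by also modelling the "parent deleted before its children" case raised in the patch comment.

```cpp
#include <cstdio>
#include <vector>

struct Box;
struct FlowBox;

// Stand-in for khtml's RenderArena (hypothetical, for this example only): a
// freed box is marked and kept, not returned to the allocator, so a stale
// pointer to it still dereferences "successfully". That is why the crash was
// intermittent and valgrind only saw it with the arena allocator disabled.
struct Arena {
    bool fixed;                  // true: behave as the patched code does
    std::vector<Box*> all;       // owns every box allocated from this arena
    explicit Arena(bool applyFix) : fixed(applyFix) {}
    template <class T> T* alloc() { T* b = new T; all.push_back(b); return b; }
    void release(Box* b);
    ~Arena();
};

struct Box {
    FlowBox* parent = nullptr;
    Box* prev = nullptr;
    Box* next = nullptr;
    bool freed = false;                // "block ... free'd" in the valgrind report
    virtual ~Box() {}
    virtual void orphanChildren() {}   // only flow boxes have children
    void detach(Arena& arena);         // the only legitimate way to destroy a box
};

struct FlowBox : Box {
    Box* firstChild = nullptr;
    Box* lastChild = nullptr;

    void appendChild(Box* c) {
        c->parent = this;
        c->prev = lastChild;
        c->next = nullptr;
        if (lastChild) lastChild->next = c; else firstChild = c;
        lastChild = c;
    }

    // InlineFlowBox::removeFromLine as patched: relink the siblings and clear
    // the child's parent pointer. Also clearing prev/next is hardening the
    // patch does not do.
    void removeFromLine(Box* c) {
        if (c == firstChild) firstChild = c->next;
        if (c == lastChild)  lastChild  = c->prev;
        if (c->next) c->next->prev = c->prev;
        if (c->prev) c->prev->next = c->next;
        c->parent = nullptr;
        c->prev = c->next = nullptr;
    }

    // The added ~InlineFlowBox: a parent that dies first must not leave its
    // children pointing at it.
    void orphanChildren() override {
        while (firstChild) removeFromLine(firstChild);
    }

    // What findCaretBoxLine/addConvertedInlineBox do: walk the child list.
    struct Walk { int visited; bool hitFreed; };
    Walk walk() const {
        Walk w{0, false};
        for (Box* c = firstChild; c; c = c->next) {
            ++w.visited;
            if (c->freed) w.hitFreed = true;   // the invalid read valgrind flagged
        }
        return w;
    }
};

void Box::detach(Arena& arena) {
    if (arena.fixed && parent) parent->removeFromLine(this);   // the fix
    arena.release(this);
}

void Arena::release(Box* b) {
    if (fixed) b->orphanChildren();   // destructor work happens before the memory goes
    b->freed = true;
}

Arena::~Arena() { for (Box* b : all) delete b; }

// The report's scenario: the password input's box is destroyed (its element
// went display:none from onFocus) while the line box that lists it is still
// alive and about to be walked by the caret code. Boxes are constructed here.
FlowBox::Walk walkLineAfterHidingInput(bool applyFix) {
    Arena arena(applyFix);
    FlowBox* line = arena.alloc<FlowBox>();
    Box* userId   = arena.alloc<Box>();
    Box* password = arena.alloc<Box>();
    Box* button   = arena.alloc<Box>();
    line->appendChild(userId);
    line->appendChild(password);
    line->appendChild(button);
    password->detach(arena);   // RenderWidget::detach -> deleteInlineBoxes
    return line->walk();       // unpatched: visits 3 boxes, one of them freed
}

// The case raised in the patch comment: the parent line box is destroyed
// before its children. Returns true if a surviving child still points at the
// freed parent.
bool childPointsAtFreedParent(bool applyFix) {
    Arena arena(applyFix);
    FlowBox* line = arena.alloc<FlowBox>();
    Box* text = arena.alloc<Box>();
    line->appendChild(text);
    line->detach(arena);
    return text->parent != nullptr && text->parent->freed;
}

int main() {
    for (bool fix : {false, true}) {
        FlowBox::Walk w = walkLineAfterHidingInput(fix);
        std::printf("%s: walked %d boxes, freed box reached: %s; child keeps freed parent: %s\n",
                    fix ? "patched" : "unpatched", w.visited,
                    w.hitFreed ? "yes" : "no",
                    childPointsAtFreedParent(fix) ? "yes" : "no");
    }
    return 0;
}
```

The model keeps freed boxes readable on purpose, so the unpatched walk reaches a freed box instead of crashing; with a real allocator the same walk is the invalid read in the valgrind trace. The invariant the patch restores is simply that a box is never freed while any live pointer in the tree (parent's child list, or child's parent pointer) still refers to it.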
Created attachment 13564 [details]
updated patch
I missed that InlineTextBox has its own detach impl.
*** Bug 116029 has been marked as a duplicate of this bug. ***

> Created an attachment (id=13564)
Thank you for fixing this bug :-) Patch looks good as far as I can tell from
looking. Too bad that it missed 3.5.0.
SVN commit 485596 by orlovich: Be careful to keep the inlinebox tree's links up-to-date BUG:88306 M +11 -0 render_line.cpp M +2 -0 render_line.h M +4 -1 render_text.cpp --- branches/KDE/3.5/kdelibs/khtml/rendering/render_line.cpp #485595:485596 @@ -47,6 +47,8 @@ void InlineBox::detach(RenderArena* renderArena) { + if (m_parent) + m_parent->removeFromLine(this); #ifndef NDEBUG inInlineBoxDetach = true; #endif @@ -80,6 +82,13 @@ return static_cast<RootInlineBox*>(this); } +InlineFlowBox::~InlineFlowBox() +{ + /* If we're destroyed, set the children free, and break their links */ + while (m_firstChild) + removeFromLine(m_firstChild); +} + void InlineFlowBox::removeFromLine(InlineBox *child) { if (child == m_firstChild) { @@ -94,6 +103,8 @@ if (child->prevOnLine()) { child->prevOnLine()->m_next = child->nextOnLine(); } + + child->setParent(0); } int InlineFlowBox::marginLeft() const --- branches/KDE/3.5/kdelibs/khtml/rendering/render_line.h #485595:485596 @@ -158,6 +158,8 @@ m_afterPageBreak = false; } + ~InlineFlowBox(); + virtual bool isInlineFlowBox() const { return true; } InlineBox* firstChild() const { return m_firstChild; } --- branches/KDE/3.5/kdelibs/khtml/rendering/render_text.cpp #485595:485596 @@ -64,6 +64,9 @@ void InlineTextBox::detach(RenderArena* renderArena) { + if (m_parent) + m_parent->removeFromLine(this); + #ifndef NDEBUG inInlineTextBoxDetach = true; #endif 
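Review bot: the new `if (m_parent) m_parent->removeFromLine(this);` at the top of InlineBox::detach only protects boxes freed through this function; any subclass with its own detach that does not call the base keeps the old dangling-pointer behaviour (InlineTextBox was one, which is why a third file is in this commit). Consider asserting `!m_parent` in the InlineBox destructor under the existing `#ifndef NDEBUG` bookkeeping, so a future override that skips the unlink fails loudly in debug builds instead of reappearing as this crash.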
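Review bot: the comment `/* If we're destroyed, set the children free, and break their links */` in the new ~InlineFlowBox overstates what the loop does: `removeFromLine(m_firstChild)` only unlinks and orphans each child, it does not free it, so the children stay allocated in the arena and still have to be deleted by whoever owns them (the valgrind trace shows RenderBox::deleteInlineBoxes doing that). Reword it to say the children are orphaned, not freed, and state who is responsible for their memory, since the open question in this report is exactly whether a linebox tree can span several render objects.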
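Review bot: `child->setParent(0);` in removeFromLine clears the upward link but leaves the child's `m_prev` and `m_next` pointing at siblings that stay on the line; an orphan reached through those stale pointers after a sibling is freed is the same class of bug this commit fixes. Reset both to 0 alongside the setParent call so an unlinked box carries no pointers into a line it no longer belongs to.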
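Review bot: `~InlineFlowBox();` in render_line.h is declared without `virtual`, and nothing in the hunk shows whether InlineBox declares a virtual destructor; if it does not, deleting through an InlineBox* (the type detach() works on) never runs this destructor and the orphaning loop is dead code. Confirm the base destructor is virtual, or write `virtual ~InlineFlowBox();` so the intent survives later edits.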
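Review bot: the render_text.cpp hunk repeats the two-line unlink from InlineBox::detach verbatim in InlineTextBox::detach; the first attachment missed this override entirely, which is the failure mode duplicated code invites. Factor the unlink into one protected helper (or have InlineTextBox::detach call the base) so any further detach override gets it for free.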
@@ -208,7 +211,7 @@ p.end(); QImage img = pixmap.convertToImage().convertDepth(32); - int md = thickness*thickness; // max-dist

http://www.biteplius.lt/lt.php clicking on the field "Slaptazodis" (Password), yellow one on the right side, near the "El.pasto adr" (login), crashes Konqueror.
KDE: 3.4.1
OS: 2.6.12.2 (Slax 5.0.6)
Compiler: gcc 3.3.5
P.S. works fine with TAB

Bug 116722 is marked as a duplicate of this bug. I find it is still active.
Circumstances of my crash (repeatable today):
Visit http://www.orbitz.com/
Select "Flights" tab
Potentially important: Orbitz has cached my previous selections, so date of travel and origination and destination fields are pre-populated.
Click on Leave date box, select date from popup calendar.
Click on Return date box, Konqueror crashes as I begin to mouse over the calendar.
Have saved backtrace.
Platform: kubuntu, Konq 3.5.2, KDE 3.5.2

Using host libthread_db library "/lib/tls/libthread_db.so.1".
[Thread debugging using libthread_db enabled]
[New Thread -1232152896 (LWP 332)]
[KCrash handler]
#5 0x002e002e in ?? ()
#6 0xb5ff3121 in DOM::DocumentImpl::setCSSTarget (this=0x8995010, n=0x8b86108) at dom_docimpl.cpp:2197
#7 0xb5fb443f in KHTMLPart::gotoAnchor (this=0x8de7bd8, name=@0xbff51aac) at khtml_part.cpp:2518
#8 0xb5fde562 in KHTMLPart::urlSelectedIntern (this=0x8de7bd8, url=@0xbff51c00, button=1, state=0, _target=@0x8db3ad0, args=@0xbff51af0) at khtml_part.cpp:3981
#9 0xb5fdeba7 in KHTMLPart::urlSelected (this=0x8de7bd8, url=@0x8db3ad0, button=148585168, state=148585168, _target=@0x8db3ad0, args=@0x8db3ad0) at khtml_part.cpp:3877
#10 0xb6035d45 in DOM::HTMLAnchorElementImpl::defaultEventHandler (this=0x8e45fc0, evt=0x8d8ec70) at html_inlineimpl.cpp:158
#11 0xb6014af7 in DOM::NodeImpl::dispatchGenericEvent (this=0x8e45fc0, evt=0x8d8ec70) at dom_nodeimpl.cpp:399
#12 0xb6014ed0 in DOM::NodeImpl::dispatchEvent (this=0x8e45fc0, evt=0x8d8ec70, exceptioncode=@0x8db3ad0, tempEvent=true) at dom_nodeimpl.cpp:343
#13 0xb5fa4218 in KHTMLView::dispatchMouseEvent (this=0x89125a8, eventId=4, targetNode=0x8e45fc0, targetNodeNonShared=0x8c39cf0, cancelable=true, detail=148585168, _mouse=0xbff51e98, setUnder=true, mouseEventType=148585168) at khtmlview.cpp:3186
#14 0xb5fa959f in KHTMLView::viewportMouseReleaseEvent (this=0x89125a8, _mouse=0xbff5245c) at khtmlview.cpp:1280
#15 0xb73b51f4 in QScrollView::eventFilter () from /usr/lib/libqt-mt.so.3
#16 0xb5fa272d in KHTMLView::eventFilter (this=0x89125a8, o=0x8cfdaa8, e=0xbff5245c) at khtmlview.cpp:1977
#17 0xb727b19a in QObject::activate_filters () from /usr/lib/libqt-mt.so.3
#18 0xb727b218 in QObject::event () from /usr/lib/libqt-mt.so.3
#19 0xb72b8742 in QWidget::event () from /usr/lib/libqt-mt.so.3
#20 0xb7213f3e in QApplication::internalNotify () from /usr/lib/libqt-mt.so.3
#21 0xb72144c8 in QApplication::notify () from /usr/lib/libqt-mt.so.3
#22 0xb78e0d7d in KApplication::notify (this=0xbff52afc, receiver=0x8cfdaa8, event=0xbff5245c) at kapplication.cpp:550
#23 0xb71a51c5 in QApplication::sendSpontaneousEvent () from /usr/lib/libqt-mt.so.3
#24 0xb71a0873 in QETWidget::translateMouseEvent () from /usr/lib/libqt-mt.so.3
#25 0xb719ed59 in QApplication::x11ProcessEvent () from /usr/lib/libqt-mt.so.3
#26 0xb71b84db in QEventLoop::processEvents () from /usr/lib/libqt-mt.so.3
#27 0xb722ca2f in QEventLoop::enterLoop () from /usr/lib/libqt-mt.so.3
#28 0xb722c952 in QEventLoop::exec () from /usr/lib/libqt-mt.so.3
#29 0xb7212a4d in QApplication::exec () from /usr/lib/libqt-mt.so.3
#30 0xb6717a51 in kdemain () from /usr/lib/libkdeinit_konqueror.so
#31 0xb7f304f4 in kdeinitmain () from /usr/lib/kde3/konqueror.so
#32 0x0804e063 in launch (argc=2, _name=0x8170b8c "konqueror", args=0x8170b9f "\001", cwd=0x0, envc=1, envs=0x8170bb0 "", reset_env=false, tty=0x0, avoid_loops=false, startup_id_str=0x8db3ad0 "") at kinit.cpp:639
#33 0x0804e705 in handle_launcher_request (sock=8) at kinit.cpp:1205
#34 0x0804ec8d in handle_requests (waitForPid=0) at kinit.cpp:1406
#35 0x0804fd53 in main (argc=2, argv=0xbff53634, envp=0x8db3ad0) at kinit.cpp:1850
#36 0xb7cc7ea4 in __libc_start_main () from /lib/tls/libc.so.6
#37 0x0804b811 in _start () at ../sysdeps/i386/elf/start.S:119

On Wednesday, 31 January 2007, mikeraz@patch.com wrote:
> ------- Bug 116722 is marked as a duplicate of this bug. I find it is
> still active.

Being a duplicate doesn't mean it has been fixed.

> > Circumstances of my crash (repeatable today):
[...]
> Platform: kubuntu, Konq 3.5.2, KDE 3.5.2

Can somebody reproduce with KDE 3.5.6?