Bug 97085

Summary: Konqueror crash after click on a link
Product: [Applications] konqueror Reporter: Konrad Twardowski <twardowski>
Component: khtml rendererAssignee: Konqueror Bugs <konqueror-bugs-null>
Status: RESOLVED FIXED    
Severity: crash CC: benoit.amiaux, enleth, jos
Priority: NOR    
Version First Reported In: unspecified   
Target Milestone: ---   
Platform: Compiled Sources   
OS: Linux   
Latest Commit: Version Fixed/Implemented In:
Sentry Crash Report:

Description Konrad Twardowski 2005-01-15 19:21:03 UTC 
Version:            (using KDE KDE 3.3.91)
Installed from:    Compiled From Sources
Compiler:          gcc (GCC) 3.3.3 20040412 (Red Hat Linux 3.3.3-7) 

STEPS TO REPRODUCE:

1. Go to http://marcoos.jogger.pl
2. Click a "komentarzy" link
3. [Konqueror crash]

BACKTRACE:

Using host libthread_db library "/lib/tls/libthread_db.so.1".
[Thread debugging using libthread_db enabled]
[New Thread -151169984 (LWP 19299)]
[KCrash handler]
#4  0x017acb34 in collectHorizontalBoxCoordinates (box=0x9d105f8, 
    pointArray=@0xfef87880, bottom=false, limit=-500000)
    at render_inline.cpp:501
#5  0x017acba2 in collectHorizontalBoxCoordinates (box=0x9dbe978, 
    pointArray=@0xfef87880, bottom=false, limit=-500000)
    at render_inline.cpp:512
#6  0x017ad3af in khtml::RenderInline::paintOutlines (this=0x9c85714, 
    p=0x9b568e0, _tx=141, _ty=188) at render_inline.cpp:632
#7  0x017ac8ca in khtml::RenderInline::paint (this=0x9c85714, i=@0xfef87d70, 
    _tx=141, _ty=188) at render_inline.cpp:280
#8  0x017a7ed8 in khtml::RenderBlock::paintObject (this=0x9c8569c, 
    pI=@0xfef87d70, _tx=141, _ty=188) at render_block.cpp:1306
#9  0x017a7b1a in khtml::RenderBlock::paint (this=0x9c8569c, pI=@0xfef87d70, 
    _tx=141, _ty=188) at render_block.cpp:1262
#10 0x017a7ed8 in khtml::RenderBlock::paintObject (this=0x9c85354, 
    pI=@0xfef87d70, _tx=141, _ty=124) at render_block.cpp:1306
#11 0x017a7b1a in khtml::RenderBlock::paint (this=0x9c85354, pI=@0xfef87d70, 
    _tx=141, _ty=124) at render_block.cpp:1262
#12 0x017a7ed8 in khtml::RenderBlock::paintObject (this=0x9c852dc, 
    pI=@0xfef87d70, _tx=134, _ty=112) at render_block.cpp:1306
#13 0x017a7b1a in khtml::RenderBlock::paint (this=0x9c852dc, pI=@0xfef87d70, 
    _tx=134, _ty=112) at render_block.cpp:1262
#14 0x017a80aa in khtml::RenderBlock::paintFloats (this=0x0, pI=@0xfef87d70, 
    _tx=133, _ty=10, paintSelection=false) at render_block.cpp:1352
#15 0x017a7daa in khtml::RenderBlock::paintObject (this=0x9c8503c, 
    pI=@0xfef87d70, _tx=133, _ty=10) at render_block.cpp:1320
#16 0x017a7b1a in khtml::RenderBlock::paint (this=0x9c8503c, pI=@0xfef87d70, 
    _tx=133, _ty=10) at render_block.cpp:1262
#17 0x017a7ed8 in khtml::RenderBlock::paintObject (this=0x9c84fc0, 
    pI=@0xfef87d70, _tx=0, _ty=10) at render_block.cpp:1306
#18 0x017a7b1a in khtml::RenderBlock::paint (this=0x9c84fc0, pI=@0xfef87d70, 
    _tx=0, _ty=10) at render_block.cpp:1262
#19 0x017a7ed8 in khtml::RenderBlock::paintObject (this=0x9c84eec, 
    pI=@0xfef87d70, _tx=0, _ty=0) at render_block.cpp:1306
#20 0x017a7b1a in khtml::RenderBlock::paint (this=0x9c84eec, pI=@0xfef87d70, 
    _tx=0, _ty=0) at render_block.cpp:1262
#21 0x017c927e in khtml::RenderLayer::paintLayer (this=0x9c84f64, 
    rootLayer=0x9c84e90, p=0x9b568e0, paintDirtyRect=@0xfef87fe0, 
    selectionOnly=false) at render_layer.h:137
#22 0x017c910b in khtml::RenderLayer::paintLayer (this=0x9c84e90, 
    rootLayer=0x9c84e90, p=0x9b568e0, paintDirtyRect=@0xfef87fe0, 
    selectionOnly=false) at render_layer.cpp:810
#23 0x017c8e09 in khtml::RenderLayer::paint (this=0xfef877c0, p=0x0, 
    damageRect=@0x0) at render_layer.cpp:693
#24 0x016eacc6 in KHTMLView::drawContents (this=0x9b56268, p=0xfef88110, 
    ex=140, ey=187, ew=87, eh=19) at dom_nodeimpl.h:278
#25 0x066487b3 in QScrollView::drawContentsOffset ()
   from /usr/lib/qt/lib/libqt-mt.so.3
#26 0x0664726c in QScrollView::viewportPaintEvent ()
   from /usr/lib/qt/lib/libqt-mt.so.3
#27 0x06646d62 in QScrollView::eventFilter ()
   from /usr/lib/qt/lib/libqt-mt.so.3
#28 0x016ef59c in KHTMLView::eventFilter (this=0x9b56268, o=0x9ae3b00, 
    e=0xfef887f0) at khtmlview.cpp:1843
#29 0x0652fb4e in QObject::activate_filters ()
   from /usr/lib/qt/lib/libqt-mt.so.3
#30 0x0652fa7c in QObject::event () from /usr/lib/qt/lib/libqt-mt.so.3
#31 0x0656822f in QWidget::event () from /usr/lib/qt/lib/libqt-mt.so.3
#32 0x064d5cdf in QApplication::internalNotify ()
   from /usr/lib/qt/lib/libqt-mt.so.3
#33 0x064d52de in QApplication::notify () from /usr/lib/qt/lib/libqt-mt.so.3
#34 0x00dbd8f2 in KApplication::notify (this=0xfef89400, receiver=0x9ae3b00, 
    event=0xfef887f0) at kapplication.cpp:548
#35 0x0649f78d in QWidget::repaint () from /usr/lib/qt/lib/libqt-mt.so.3
#36 0x066486d5 in QScrollView::repaintContents ()
   from /usr/lib/qt/lib/libqt-mt.so.3
#37 0x06648561 in QScrollView::repaintContents ()
   from /usr/lib/qt/lib/libqt-mt.so.3
#38 0x016f6128 in KHTMLView::timerEvent (this=0x9b56268, e=0x0)
    at khtmlview.cpp:2937
#39 0x0652fa43 in QObject::event () from /usr/lib/qt/lib/libqt-mt.so.3
#40 0x0656822f in QWidget::event () from /usr/lib/qt/lib/libqt-mt.so.3
#41 0x064d5cdf in QApplication::internalNotify ()
   from /usr/lib/qt/lib/libqt-mt.so.3
#42 0x064d52de in QApplication::notify () from /usr/lib/qt/lib/libqt-mt.so.3
#43 0x00dbd8f2 in KApplication::notify (this=0xfef89400, receiver=0x9b56268, 
    event=0xfef88de0) at kapplication.cpp:548
#44 0x064c55c5 in QEventLoop::activateTimers ()
   from /usr/lib/qt/lib/libqt-mt.so.3
#45 0x0647ff3b in QEventLoop::processEvents ()
   from /usr/lib/qt/lib/libqt-mt.so.3
#46 0x064e7f28 in QEventLoop::enterLoop () from /usr/lib/qt/lib/libqt-mt.so.3
#47 0x064e7dd8 in QEventLoop::exec () from /usr/lib/qt/lib/libqt-mt.so.3
#48 0x064d5f31 in QApplication::exec () from /usr/lib/qt/lib/libqt-mt.so.3
#49 0x010300e8 in kdemain (argc=0, argv=0x0) at konq_main.cc:206
#50 0x0032e566 in kdeinitmain (argc=0, argv=0x0) at konqueror_dummy.cc:2
#51 0x0804cc91 in launch (argc=4, _name=0x97f6384 "konqueror", 
    args=0x97f63bb "/home/kdt", cwd=0x97f63bb "/home/kdt", envc=35, 
    envs=0x97f682f "", reset_env=true, tty=0x0, avoid_loops=false, 
    startup_id_str=0x0) at kinit.cpp:623
#52 0x0804e274 in handle_launcher_request (sock=4) at kinit.cpp:1187
#53 0x0804e8ab in handle_requests (waitForPid=0) at kinit.cpp:1378
#54 0x0804f924 in main (argc=2, argv=0xfef89b24, envp=0x0) at kinit.cpp:1841
Comment 1 Thiago Macieira 2005-01-17 02:37:22 UTC 
Confirmed. My backtrace looks exactly the same.
Comment 2 George Staikos 2005-02-25 06:45:15 UTC 
Seems to work fine now with CVS-HEAD.  Confirm?
Comment 3 Tommi Tervo 2005-02-25 09:42:11 UTC 
For me konqi 3.4.0 crashes, bt looks same.
Comment 4 George Staikos 2005-02-25 16:56:52 UTC 
Valgrind log then?
Comment 5 George Staikos 2005-02-25 17:42:26 UTC 
==30947== Invalid read of size 4
==30947==    at 0x1E253685: collectHorizontalBoxCoordinates(khtml::InlineBox*, QValueVector<QPoint>&, bool, int) (render_inline.cpp:497)
==30947==    by 0x1E2536F9: collectHorizontalBoxCoordinates(khtml::InlineBox*, QValueVector<QPoint>&, bool, int) (render_inline.cpp:508)
==30947==    by 0x1E253F24: khtml::RenderInline::paintOutlines(QPainter*, int, int) (render_inline.cpp:632)
==30947==    by 0x1E2543E7: khtml::RenderInline::paint(khtml::RenderObject::PaintInfo&, int, int) (render_inline.cpp:276)
==30947==    by 0x1E24DE34: khtml::RenderBlock::paintObject(khtml::RenderObject::PaintInfo&, int, int, bool) (render_block.cpp:1307)
==30947==    by 0x1E24E0D3: khtml::RenderBlock::paint(khtml::RenderObject::PaintInfo&, int, int) (render_block.cpp:1263)
==30947==    by 0x1E24DE34: khtml::RenderBlock::paintObject(khtml::RenderObject::PaintInfo&, int, int, bool) (render_block.cpp:1307)
==30947==    by 0x1E24E0D3: khtml::RenderBlock::paint(khtml::RenderObject::PaintInfo&, int, int) (render_block.cpp:1263)
==30947==    by 0x1E24DE34: khtml::RenderBlock::paintObject(khtml::RenderObject::PaintInfo&, int, int, bool) (render_block.cpp:1307)
==30947==    by 0x1E24E0D3: khtml::RenderBlock::paint(khtml::RenderObject::PaintInfo&, int, int) (render_block.cpp:1263)
==30947==    by 0x1E24A19B: khtml::RenderBlock::paintFloats(khtml::RenderObject::PaintInfo&, int, int, bool) (render_block.cpp:1353)
==30947==    by 0x1E24DFEA: khtml::RenderBlock::paintObject(khtml::RenderObject::PaintInfo&, int, int, bool) (render_block.cpp:1321)
==30947==    by 0x1E24E0D3: khtml::RenderBlock::paint(khtml::RenderObject::PaintInfo&, int, int) (render_block.cpp:1263)
==30947==    by 0x1E24DE34: khtml::RenderBlock::paintObject(khtml::RenderObject::PaintInfo&, int, int, bool) (render_block.cpp:1307)
==30947==    by 0x1E24E0D3: khtml::RenderBlock::paint(khtml::RenderObject::PaintInfo&, int, int) (render_block.cpp:1263)
==30947==    by 0x1E24DE34: khtml::RenderBlock::paintObject(khtml::RenderObject::PaintInfo&, int, int, bool) (render_block.cpp:1307)
==30947==    by 0x1E24E0D3: khtml::RenderBlock::paint(khtml::RenderObject::PaintInfo&, int, int) (render_block.cpp:1263)
==30947==    by 0x1E273C49: khtml::RenderLayer::paintLayer(khtml::RenderLayer*, QPainter*, QRect const&, bool) (render_layer.h:137)
==30947==    by 0x1E273B51: khtml::RenderLayer::paintLayer(khtml::RenderLayer*, QPainter*, QRect const&, bool) (render_layer.cpp:810)
==30947==    by 0x1E273E7A: khtml::RenderLayer::paint(QPainter*, QRect const&, bool) (render_layer.cpp:693)
==30947==    by 0x1E19C345: KHTMLView::drawContents(QPainter*, int, int, int, int) (dom_nodeimpl.h:280)
==30947==    by 0x1C8BCBCF: QScrollView::drawContentsOffset(QPainter*, int, int, int, int, int, int) (qscrollview.cpp:2334)
==30947==    by 0x1C8BB441: QScrollView::viewportPaintEvent(QPaintEvent*) (qscrollview.cpp:1693)
==30947==    by 0x1C8BAD18: QScrollView::eventFilter(QObject*, QEvent*) (qscrollview.cpp:1490)
==30947==    by 0x1E193B44: KHTMLView::eventFilter(QObject*, QEvent*) (khtmlview.cpp:1904)
==30947==    by 0x1C7941BB: QObject::activate_filters(QEvent*) (qobject.cpp:902)
==30947==    by 0x1C79402D: QObject::event(QEvent*) (qobject.cpp:735)
==30947==    by 0x1C7CE9DE: QWidget::event(QEvent*) (qwidget.cpp:4655)
==30947==    by 0x1C7339D2: QApplication::internalNotify(QObject*, QEvent*) (qapplication.cpp:2635)
==30947==    by 0x1C733602: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:2523)
==30947==    by 0x1C2367F9: KApplication::notify(QObject*, QEvent*) (kapplication.cpp:549)
==30947==    by 0x1C6C9396: QApplication::sendEvent(QObject*, QEvent*) (qapplication.h:491)
==30947==    by 0x1C6FD2A4: QWidget::repaint(QRegion const&, bool) (qwidget_x11.cpp:1626)
==30947==    by 0x1C7348C6: QApplication::sendPostedEvents(QObject*, int) (qapplication.cpp:3258)
==30947==    by 0x1C734672: QApplication::sendPostedEvents() (qapplication.cpp:3172)
==30947==    by 0x1C6DA6DA: QEventLoop::processEvents(unsigned) (qeventloop_x11.cpp:202)
==30947==    by 0x1C747C0D: QEventLoop::enterLoop() (qeventloop.cpp:198)
==30947==    by 0x1C747B29: QEventLoop::exec() (qeventloop.cpp:145)
==30947==    by 0x1C733B52: QApplication::exec() (qapplication.cpp:2758)
==30947==    by 0x1B955D4D: kdemain (konq_main.cc:206)
==30947==    by 0x80486F7: main (konqueror.la.cc:2)
==30947==  Address 0xC is not stack'd, malloc'd or (recently) free'd
Comment 6 Thiago Macieira 2005-02-27 02:56:26 UTC 
*** Bug 100346 has been marked as a duplicate of this bug. ***
Comment 7 Germain Garand 2005-03-03 14:17:25 UTC 
CVS commit by ggarand: 

Don't delete this's placeholder box on layout, parent will take care of it.
Fix crash in dynamic pop-ups.

BUG: 97085


  M +2 -0      render_box.cpp   1.256
  M +0 -1      render_flow.cpp   1.362


--- kdelibs/khtml/rendering/render_box.cpp  #1.255:1.256
@@ -201,4 +201,6 @@ void RenderBox::detach()
 InlineBox* RenderBox::createInlineBox(bool /*makePlaceHolderBox*/, bool /*isRootLineBox*/)
 {
+    if (m_placeHolderBox)
+        m_placeHolderBox->detach(renderArena());
     return (m_placeHolderBox = new (renderArena()) InlineBox(this));
 }

--- kdelibs/khtml/rendering/render_flow.cpp  #1.361:1.362
@@ -141,5 +141,4 @@ void RenderFlow::deleteInlineBoxes(Rende
         m_lastLineBox = 0;  
     }
-    RenderBox::deleteInlineBoxes(arena);
 }
Comment 8 Germain Garand 2005-03-18 17:28:08 UTC 
CVS commit by ggarand: 

backport crash fix

CCBUG: 97085


  M +2 -0      render_box.cpp   1.255.2.1
  M +0 -1      render_flow.cpp   1.361.2.1


--- kdelibs/khtml/rendering/render_box.cpp  #1.255:1.255.2.1
@@ -201,4 +201,6 @@ void RenderBox::detach()
 InlineBox* RenderBox::createInlineBox(bool /*makePlaceHolderBox*/, bool /*isRootLineBox*/)
 {
+    if (m_placeHolderBox)
+        m_placeHolderBox->detach(renderArena());
     return (m_placeHolderBox = new (renderArena()) InlineBox(this));
 }

--- kdelibs/khtml/rendering/render_flow.cpp  #1.361:1.361.2.1
@@ -141,5 +141,4 @@ void RenderFlow::deleteInlineBoxes(Rende
         m_lastLineBox = 0;  
     }
-    RenderBox::deleteInlineBoxes(arena);
 }
Comment 9 Tommi Tervo 2005-03-29 12:30:16 UTC 
*** Bug 102729 has been marked as a duplicate of this bug. ***
Comment 10 Maksim Orlovich 2005-05-08 15:59:02 UTC 
*** Bug 105287 has been marked as a duplicate of this bug. ***