Bug 112905 - Crash on http://www.uni-kl.de/HSSP/
Summary: Crash on http://www.uni-kl.de/HSSP/
Status: RESOLVED FIXED
Alias: None
Product: konqueror
Classification: Applications
Component: khtml
Version: SVN
Platform: Compiled Sources Linux
Importance: NOR major
Target Milestone: ---
Assignee: Konqueror Developers
URL:
Keywords:
Duplicates: 113251 113600 113813 117028 131249
Depends on:
Blocks:
 
Reported: 2005-09-19 21:21 UTC by Frank Osterfeld
Modified: 2006-07-23 20:03 UTC

See Also:
Latest Commit:
Version Fixed In:


Attachments
suggested patch (1.38 KB, patch)
2005-09-26 16:07 UTC, David Faure

Description Frank Osterfeld 2005-09-19 21:21:59 UTC
kdelibs from 3.5 branch, rev. 462025  
gcc 3.3.5 (from kubuntu hoary) 
Qt: 3.3.3 (from kubuntu hoary) 
 
1) Go to http://www.uni-kl.de/HSSP/ 
2) Select "Sportarten" in the menu on the left 
3) Crash (if it doesn't crash at once, retry a few times) 
 
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1". 
`system-supplied DSO at 0xffffe000' has disappeared; keeping its symbols. 
[Thread debugging using libthread_db enabled] 
[New Thread -1232883584 (LWP 22587)] 
[KCrash handler] 
#4  0x00342e6f in ?? () 
#5  0xb6f4a7bf in qt_inheritedBy () from /usr/share/qt3/lib/libqt-mt.so.3 
#6  0xb61a0e88 in qt_cast<KHTMLPart*> (object=0x0) at qobjectdefs.h:173 
#7  0xb62f941d in KJS::Window::retrieve (p=0x8679470) at kjs_window.cpp:373 
#8  0xb62f9222 in KJS::Window::retrieveWindow (p=0x8679470) 
    at kjs_window.cpp:343 
#9  0xb6169478 in KHTMLPart::begin (this=0x85a4918, url=@0x867cef8,  
    xOffset=137419232, yOffset=137419232) at khtml_part.cpp:1884 
#10 0xb616668e in KHTMLPart::slotData (this=0x85a4918, kio_job=0x8723290,  
    data=@0xbfffeb80) at khtml_part.cpp:1578 
#11 0xb618ac2b in KHTMLPart::qt_invoke (this=0x85a4918, _id=16, _o=0xbfffe6d0) 
    at qucom_p.h:312 
#12 0xb6f4d067 in QObject::activate_signal () 
   from /usr/share/qt3/lib/libqt-mt.so.3 
#13 0xb7b58b64 in KIO::TransferJob::data (this=0xbfffe70c, t0=0x830d9e0,  
    t1=@0x830d9e0) at jobclasses.moc:993 
#14 0xb7b408c3 in KIO::TransferJob::slotData (this=0x8723290, _data=@0x830d9e0) 
    at job.cpp:900 
#15 0xb7b590b4 in KIO::TransferJob::qt_invoke (this=0x8723290, _id=18,  
    _o=0xbfffe7f0) at qucom_p.h:312 
#16 0xb6f4d067 in QObject::activate_signal () 
   from /usr/share/qt3/lib/libqt-mt.so.3 
#17 0xb7b2ff0a in KIO::SlaveInterface::data (this=0x86746d0, t0=@0x830d9e0) 
    at slaveinterface.moc:194 
#18 0xb7b2c282 in KIO::SlaveInterface::dispatch (this=0x86746d0, _cmd=100,  
    rawdata=@0xbfffeb80) at slaveinterface.cpp:234 
#19 0xb7b2bfb0 in KIO::SlaveInterface::dispatch (this=0x86746d0) 
    at slaveinterface.cpp:173 
#20 0xb7b28db8 in KIO::Slave::gotInput (this=0x86746d0) at slave.cpp:300 
#21 0xb7b2b6f8 in KIO::Slave::qt_invoke (this=0x86746d0, _id=4, _o=0xbfffece0) 
    at slave.moc:113 
#22 0xb6f4d067 in QObject::activate_signal () 
   from /usr/share/qt3/lib/libqt-mt.so.3 
#23 0xb6f4d1be in QObject::activate_signal () 
   from /usr/share/qt3/lib/libqt-mt.so.3 
#24 0xb7268ee0 in QSocketNotifier::activated () 
   from /usr/share/qt3/lib/libqt-mt.so.3 
#25 0xb6f68036 in QSocketNotifier::event () 
   from /usr/share/qt3/lib/libqt-mt.so.3 
#26 0xb6ef5370 in QApplication::internalNotify () 
   from /usr/share/qt3/lib/libqt-mt.so.3 
#27 0xb6ef49d4 in QApplication::notify () 
   from /usr/share/qt3/lib/libqt-mt.so.3 
#28 0xb7520145 in KApplication::notify (this=0xbffff680, receiver=0x85d7868,  
    event=0xbffff080) at kapplication.cpp:550 
#29 0xb6ee5a10 in QEventLoop::activateSocketNotifiers () 
   from /usr/share/qt3/lib/libqt-mt.so.3 
#30 0xb6ea1917 in QEventLoop::processEvents () 
   from /usr/share/qt3/lib/libqt-mt.so.3 
#31 0xb6f0674c in QEventLoop::enterLoop () 
   from /usr/share/qt3/lib/libqt-mt.so.3 
#32 0xb6f0660e in QEventLoop::exec () from /usr/share/qt3/lib/libqt-mt.so.3 
#33 0xb6ef557b in QApplication::exec () from /usr/share/qt3/lib/libqt-mt.so.3 
#34 0xb7f3918c in kdemain (argc=137419232, argv=0x830d9e0) at konq_main.cc:206 
#35 0x0804867b in main (argc=137419232, argv=0x830d9e0) at konqueror.la.cc:2
Comment 1 Frank Osterfeld 2005-09-19 21:34:15 UTC
Some more notes:
- It doesn't crash when I go to the "Sportarten" page directly
- When I leave http://www.uni-kl.de/HSSP/ by entering an URL or selecting a bookmark, it crashes as well (with the same backtrace)

So it seems that the crash happens when I leave http://www.uni-kl.de/HSSP/ .
Comment 2 Maksim Orlovich 2005-09-19 22:27:38 UTC
This is in the new popup-queue thingie. Beineri, that's your baby; and this is not an uncommon crasher

==4674== Invalid read of size 4
==4674==    at 0x1C77EFD4: qt_inheritedBy(QMetaObject*, QObject const*) (in /code/opt/kde3.5/lib/libqt-mt.so.3.3.4)
==4674==    by 0x1DCB3532: KHTMLPart* qt_cast<KHTMLPart*>(QObject const*) (in /code/opt/kde3.5/lib/kde3/libsearchbarplugin.so)
==4674==    by 0x1E034F9A: KJS::Window::retrieve(KParts::ReadOnlyPart*) (kjs_window.cpp:373)
==4674==    by 0x1E0350B6: KJS::Window::retrieveWindow(KParts::ReadOnlyPart*) (kjs_window.cpp:343)
==4674==    by 0x1DE750F1: KHTMLPart::begin(KURL const&, int, int) (khtml_part.cpp:1884)
==4674==    by 0x1DE67EBE: KHTMLPart::slotData(KIO::Job*, QMemArray<char> const&) (khtml_part.cpp:1578)
==4674==    by 0x1DE84304: KHTMLPart::qt_invoke(int, QUObject*) (khtml_part.moc:501)
==4674==    by 0x1C7829CF: QObject::activate_signal(QConnectionList*, QUObject*) (in /code/opt/kde3.5/lib/libqt-mt.so.3.3.4)
==4674==    by 0x1BC98C10: KIO::TransferJob::data(KIO::Job*, QMemArray<char> const&) (jobclasses.moc:993)
==4674==    by 0x1BC98CB0: KIO::TransferJob::slotData(QMemArray<char> const&) (job.cpp:900)
==4674==    by 0x1BC98D84: KIO::TransferJob::qt_invoke(int, QUObject*) (jobclasses.moc:1072)
==4674==    by 0x1C7829CF: QObject::activate_signal(QConnectionList*, QUObject*) (in /code/opt/kde3.5/lib/libqt-mt.so.3.3.4)
==4674==  Address 0x1D7CCB30 is 0 bytes inside a block of size 132 free'd
==4674==    at 0x1B900647: operator delete(void*) (vg_replace_malloc.c:246)
==4674==    by 0x1DE76E11: KHTMLPart::~KHTMLPart() (khtml_part.cpp:524)
==4674==    by 0x1DE74C40: KHTMLPart::clear() (khtml_part.cpp:1446)
==4674==    by 0x1DE74F8E: KHTMLPart::begin(KURL const&, int, int) (khtml_part.cpp:1863)
==4674==    by 0x1DE67EBE: KHTMLPart::slotData(KIO::Job*, QMemArray<char> const&) (khtml_part.cpp:1578)
==4674==    by 0x1DE84304: KHTMLPart::qt_invoke(int, QUObject*) (khtml_part.moc:501)
==4674==    by 0x1C7829CF: QObject::activate_signal(QConnectionList*, QUObject*) (in /code/opt/kde3.5/lib/libqt-mt.so.3.3.4)
==4674==    by 0x1BC98C10: KIO::TransferJob::data(KIO::Job*, QMemArray<char> const&) (jobclasses.moc:993)
==4674==    by 0x1BC98CB0: KIO::TransferJob::slotData(QMemArray<char> const&) (job.cpp:900)
==4674==    by 0x1BC98D84: KIO::TransferJob::qt_invoke(int, QUObject*) (jobclasses.moc:1072)
==4674==    by 0x1C7829CF: QObject::activate_signal(QConnectionList*, QUObject*) (in /code/opt/kde3.5/lib/libqt-mt.so.3.3.4)
==4674==    by 0x1BC8378C: KIO::SlaveInterface::data(QMemArray<char> const&) (slaveinterface.moc:194)
Comment 3 Maksim Orlovich 2005-09-23 02:16:19 UTC
I am seeing this a lot. Seems like a must-fix for 3.5, elevating severity. 
Comment 4 Tommi Tervo 2005-09-25 14:23:05 UTC
*** Bug 113251 has been marked as a duplicate of this bug. ***
Comment 5 David Faure 2005-09-26 16:07:12 UTC
Created attachment 12711 [details]
suggested patch

The loop in begin() iterates over m_suppressedPopupOriginParts which contains
frames/iframes that were deleted by clear(). Does this patch help?
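As an added illustration of the lifetime bug David describes (not code from the report or from kdelibs), a minimal C++ model: a non-owning list of frame pointers that clear() leaves behind, next to the behaviour of the commit in Comment 12, which empties that list inside clear() itself. FramePart, Part and the live-object registry are hypothetical stand-ins; the registry lets the example count dangling entries instead of dereferencing them.

```cpp
// Added model of the lifetime bug (not code from the report or kdelibs); names are hypothetical.
#include <memory>
#include <set>
#include <vector>

// Registry of live FramePart objects, standing in for what valgrind tracked.
static std::set<const void*>& liveParts() { static std::set<const void*> s; return s; }

struct FramePart {
    FramePart()  { liveParts().insert(this); }
    ~FramePart() { liveParts().erase(this); }
    void forgetSuppressedWindows() {}  // stands in for Window::forgetSuppressedWindows()
};

struct Part {
    std::vector<std::unique_ptr<FramePart>> frames;      // owning, like m_frames
    std::vector<FramePart*> suppressedPopupOriginParts;  // non-owning list from the report
    bool clearListInClear = false;  // true = behaviour after SVN commit 469249

    void addFrameWithSuppressedPopup() {
        frames.push_back(std::unique_ptr<FramePart>(new FramePart));
        suppressedPopupOriginParts.push_back(frames.back().get());
    }
    // KHTMLPart::clear(): deletes the frames. The fix empties the list in the
    // same function, so no pointer to a deleted frame can outlive it.
    void clear() {
        frames.clear();
        if (clearListInClear) suppressedPopupOriginParts.clear();
    }
    // KHTMLPart::begin(): walks the list; a dead entry is counted instead of dereferenced
    // (the real crash). Nothing is allocated between clear() and begin(), so no freed address is reused.
    int begin() {
        int dangling = 0;
        for (FramePart* p : suppressedPopupOriginParts) {
            if (liveParts().count(p)) p->forgetSuppressedWindows();
            else ++dangling;
        }
        if (!clearListInClear) suppressedPopupOriginParts.clear();  // old clear at end of begin()
        clear();
        return dangling;
    }
};
// Comment 9 scenario: restoreState() runs clear() before begin() is reached.
int danglingEntriesSeenByBegin(bool fixed) {
    Part part;
    part.clearListInClear = fixed;
    for (int i = 0; i < 2; ++i) part.addFrameWithSuppressedPopup();
    part.clear();         // restoreState() -> clear(): both frames deleted
    return part.begin();  // fixed: 0, unfixed: 2
}
```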
Comment 6 Stephan Binner 2005-09-27 16:07:34 UTC
Your patch works fine for me. Thanks, committed it. :-)
Comment 7 Frank Osterfeld 2005-10-01 14:45:04 UTC
This is not fixed. I can't reproduce it with the URL above, but see #113600 for another example with the same backtrace. 
Comment 8 Frank Osterfeld 2005-10-01 14:45:43 UTC
*** Bug 113600 has been marked as a duplicate of this bug. ***
Comment 9 Maksim Orlovich 2005-10-03 17:12:50 UTC
valgrind trace for #113600 stuff:
==20938== Invalid read of size 4
==20938==    at 0x1C66AFBD: qt_inheritedBy(QMetaObject*, QObject const*) (in /opt/kde3.4/lib/libqt-mt.so.3.3.4)
==20938==    by 0x1D81CE34: KHTMLPart* qt_cast<KHTMLPart*>(QObject const*) (in /opt/kde3.4/lib/kde3/libsearchbarplugin.so)
==20938==    by 0x1DDE2B08: KJS::Window::retrieve(KParts::ReadOnlyPart*) (kjs_window.cpp:373)
==20938==    by 0x1DDE2C01: KJS::Window::retrieveWindow(KParts::ReadOnlyPart*) (kjs_window.cpp:343)
==20938==    by 0x1DC63318: KHTMLPart::begin(KURL const&, int, int) (khtml_part.cpp:1869)
==20938==    by 0x1DC548F5: KHTMLPart::slotRestoreData(QMemArray<char> const&) (khtml_part.cpp:1670)
==20938==    by 0x1DC7761F: KHTMLPart::qt_invoke(int, QUObject*) (khtml_part.moc:503)
==20938==    by 0x1C66DA5F: QObject::activate_signal(QConnectionList*, QUObject*) (in /opt/kde3.4/lib/libqt-mt.so.3.3.4)
==20938==    by 0x1DC925B1: KHTMLPageCacheDelivery::emitData(QMemArray<char> const&) (khtml_pagecache.moc:177)
==20938==    by 0x1DC92EFB: KHTMLPageCache::sendData() (khtml_pagecache.cpp:264)
==20938==    by 0x1DC92F8D: KHTMLPageCache::qt_invoke(int, QUObject*) (khtml_pagecache.moc:82)
==20938==    by 0x1C66DA5F: QObject::activate_signal(QConnectionList*, QUObject*) (in /opt/kde3.4/lib/libqt-mt.so.3.3.4)
==20938==  Address 0x1E77C860 is 0 bytes inside a block of size 132 free'd
==20938==    at 0x1B906959: operator delete(void*) (vg_replace_malloc.c:155)
==20938==    by 0x1DC68081: KHTMLPart::~KHTMLPart() (khtml_part.cpp:524)
==20938==    by 0x1DC512E0: KHTMLPart::clear() (khtml_part.cpp:1446)
==20938==    by 0x1DC66D8F: KHTMLPart::restoreState(QDataStream&) (khtml_part.cpp:5532)
==20938==    by 0x1DC85D58: KHTMLPartBrowserExtension::restoreState(QDataStream&) (khtml_ext.cpp:104)
==20938==    by 0x1B96D297: KonqView::restoreHistory() (in /opt/kde3.4/lib/libkdeinit_konqueror.so)
==20938==    by 0x1B96D5B4: KonqView::go(int) (in /opt/kde3.4/lib/libkdeinit_konqueror.so)
==20938==    by 0x1B9B05D6: KonqMainWindow::slotGoHistoryDelayed() (in /opt/kde3.4/lib/libkdeinit_konqueror.so)
==20938==    by 0x1B9B8EDF: KonqMainWindow::qt_invoke(int, QUObject*) (in /opt/kde3.4/lib/libkdeinit_konqueror.so)
==20938==    by 0x1C66DA5F: QObject::activate_signal(QConnectionList*, QUObject*) (in /opt/kde3.4/lib/libqt-mt.so.3.3.4)
==20938==    by 0x1C8ED3EC: QSignal::signal(QVariant const&) (in /opt/kde3.4/lib/libqt-mt.so.3.3.4)
==20938==    by 0x1C6816EE: QSignal::activate() (in /opt/kde3.4/lib/libqt-mt.so.3.3.4)
Comment 10 Maksim Orlovich 2005-10-04 01:51:50 UTC
*** Bug 113813 has been marked as a duplicate of this bug. ***
Comment 11 Niels 2005-10-07 02:34:07 UTC
I'm getting what I think is a similar backtrace from frequent crashes on isohunt.com:

Using host libthread_db library "/lib/libthread_db.so.1".
`system-supplied DSO at 0xffffe000' has disappeared; keeping its symbols.
[Thread debugging using libthread_db enabled]
[New Thread -1209469264 (LWP 15629)]
[KCrash handler]
#4  0x00000098 in ?? ()
#5  0xb7bbdf87 in qt_cast<KHTMLPart*> (object=0x91a1670) at qobjectdefs.h:173
#6  0x491927d6 in KJS::Window::retrieve (p=0xb7bc1470) at kjs_window.cpp:373
#7  0x491925b6 in KJS::Window::retrieveWindow (p=0x913f858)
    at kjs_window.cpp:343
#8  0x49019a6c in KHTMLPart::begin (this=0x8d21248, url=@0x8d3eca8, 
    xOffset=152, yOffset=152) at khtml_part.cpp:1884
#9  0x49017f30 in KHTMLPart::slotData (this=0x8d21248, kio_job=0x91dca90, 
    data=@0xbfb2c960) at khtml_part.cpp:1578
#10 0x49032ff4 in KHTMLPart::qt_invoke (this=0x8d21248, _id=-1078802080, 
    _o=0xbfb2c5dc) at khtml_part.moc:501
#11 0x47a63510 in QObject::activate_signal (this=0x91dca90, clist=0x91f21f8, 
    o=0xbfb2c5b0) at qobject.cpp:2355
#12 0x48846210 in KIO::TransferJob::data (this=0x91dca90, t0=0x98, t1=@0x98)
    at jobclasses.moc:993
#13 0x48833a27 in KIO::TransferJob::slotData (this=0x91dca90, _data=@0x98)
    at job.cpp:900
#14 0x488467d1 in KIO::TransferJob::qt_invoke (this=0x91dca90, 
    _id=1208523976, _o=0x48a1ace8) at jobclasses.moc:1072
#15 0x47a63510 in QObject::activate_signal (this=0x823ead8, clist=0x8dbf8e0, 
    o=0xbfb2c6e0) at qobject.cpp:2355
#16 0x48828121 in KIO::SlaveInterface::data (this=0x823ead8, t0=@0x98)
    at slaveinterface.moc:194
#17 0x48826a2f in KIO::SlaveInterface::dispatch (this=0x823ead8, _cmd=100, 
    rawdata=@0xbfb2c960) at slaveinterface.cpp:234
#18 0x4882676f in KIO::SlaveInterface::dispatch (this=0x823ead8)
    at slaveinterface.cpp:173
#19 0x48824955 in KIO::Slave::gotInput (this=0x823ead8) at slave.cpp:300
#20 0x4882610e in KIO::Slave::qt_invoke (this=0x823ead8, _id=4, _o=0xbfb2cac0)
    at slave.moc:113
#21 0x47a63510 in QObject::activate_signal (this=0x823e6b0, clist=0x823d3f0, 
    o=0xbfb2cac0) at qobject.cpp:2355
#22 0x47a638ca in QObject::activate_signal (this=0x823e6b0, signal=2, 
    param=13) at qobject.cpp:2448
#23 0x47e475a1 in QSocketNotifier::activated (this=0x823e6b0, t0=13)
    at moc_qsocketnotifier.cpp:85
#24 0x47a8845d in QSocketNotifier::event (this=0x823e6b0, e=0xbfb2cdd0)
    at qsocketnotifier.cpp:258
#25 0x479f30a5 in QApplication::internalNotify (this=0xbfb2d2f0, 
    receiver=0x823e6b0, e=0xbfb2cdd0) at qapplication.cpp:2635
#26 0x479f22e8 in QApplication::notify (this=0xbfb2d2f0, receiver=0x823e6b0, 
    e=0xbfb2cdd0) at qapplication.cpp:2358
#27 0x4818e557 in KApplication::notify (this=0xbfb2d2f0, receiver=0x823e6b0, 
    event=0xbfb2cdd0) at kapplication.cpp:550
#28 0x48ce0c16 in QApplication::sendEvent (receiver=0x98, event=0x913f858)
    at qapplication.h:491
#29 0x479de6ab in QEventLoop::activateSocketNotifiers (this=0x81459e8)
    at qeventloop_unix.cpp:578
#30 0x4798d641 in QEventLoop::processEvents (this=0x81459e8, flags=4)
    at qeventloop_x11.cpp:383
#31 0x47a0a649 in QEventLoop::enterLoop (this=0x81459e8) at qeventloop.cpp:198
#32 0x47a0a562 in QEventLoop::exec (this=0x81459e8) at qeventloop.cpp:145
#33 0x479f3247 in QApplication::exec (this=0xbfb2d2f0)
    at qapplication.cpp:2758
#34 0x48c79966 in kdemain (argc=152, argv=0x98) at konq_main.cc:206
#35 0x0804876b in main (argc=152, argv=0x98) at konqueror.la.cc:2
Comment 12 David Faure 2005-10-10 16:51:12 UTC
SVN commit 469249 by dfaure:

Don't keep deleted frames in a list, this tends to crash at some point
BUG: 112905


 M  +1 -2      khtml_part.cpp  


--- branches/KDE/3.5/kdelibs/khtml/khtml_part.cpp #469248:469249
@@ -245,7 +245,6 @@
   d->m_statusBarIconLabel = 0L;
   d->m_statusBarPopupLabel = 0L;
   d->m_openableSuppressedPopups = 0;
-  d->m_suppressedPopupOriginParts.clear();
 
   d->m_bSecurityInQuestion = false;
   d->m_paLoadImages = 0;
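Review bot: the removed `d->m_suppressedPopupOriginParts.clear();` sits in the block that reads as the initial setup of `d` (`d->m_openableSuppressedPopups = 0;` on the line above it), so dropping it changes nothing on its own; the hunk only makes sense together with the clear() added in the 1448 hunk, and a short comment at that new site, or a line in the commit message, saying the list is now emptied by clear() would keep the next reader from re-adding it here.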
@@ -1448,6 +1447,7 @@
       delete *it;
     }
   }
+  d->m_suppressedPopupOriginParts.clear();
 
   if (d->m_objects.count())
   {
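Review bot: the new `d->m_suppressedPopupOriginParts.clear();` lands directly after the loop that does `delete *it;`, which is the spot both valgrind traces point at (KHTMLPart::~KHTMLPart called from KHTMLPart::clear() at khtml_part.cpp:1446), so the entries are dropped in the same function that deletes the parts they point to; a one-line comment stating that invariant ("frames are deleted above, so no pointer in this list may survive this function") is worth adding, and it would be good to confirm that no other path deletes a frame part without passing through clear(), since such a path would leave the same dangling entry.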
@@ -1870,7 +1870,6 @@
        if (w)
            w->forgetSuppressedWindows();
     }
-    d->m_suppressedPopupOriginParts.clear();
   }
 
   clear();
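Review bot: removing the trailing `d->m_suppressedPopupOriginParts.clear();` is safe because `clear();` follows two lines later and now empties the list itself, but the loop above still resolves each listed part to its Window (`if (w) w->forgetSuppressedWindows();`, via the retrieve call both traces show crashing) before that point, so its safety now rests entirely on every frame deletion going through clear(); the Comment 9 trace (restoreState() -> clear() -> ~KHTMLPart before begin()) is the case this covers, and a comment on the loop noting that the list may only hold live parts because clear() keeps it in sync would document that assumption.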
Comment 13 Tommi Tervo 2005-12-14 15:16:13 UTC
*** Bug 117028 has been marked as a duplicate of this bug. ***
Comment 14 Tommi Tervo 2006-07-23 20:03:16 UTC
*** Bug 131249 has been marked as a duplicate of this bug. ***