Version: (using KDE KDE 3.5.4)
Installed from: SuSE RPMs

Simple HTML file:
------------------------------------------------------------------------------
<html>
<head>
<title>Konqui-Crash</title>
<link rel="stylesheet" href="df.css" type="text/css" media="screen" />
</head>
<body>
<p>
This is a <a href="#">link<span class="label">This is a label</span></a>.
</p>
</body>
</html>
------------------------------------------------------------------------------

Simple CSS file:
------------------------------------------------------------------------------
a span.label {
  display: none;
  position: absolute;
}
a:hover span.label {
  display: block;
  position: absolute;
}
------------------------------------------------------------------------------

Move the mouse over the link and the label text appears. Move the mouse out and Konqueror crashes. This happens only when "position" is set to "absolute". Change it to "relative" or remove the line, and Konqueror survives this file.
http://zebra.tky.hut.fi/~teve/kde/134291.html

#6  0xb6113e36 in khtml::InlineFlowBox::nodeAtPoint (this=0x85de6bc, i=@0xbfa38314, x=71, y=11, tx=10, ty=10) at render_line.cpp:590
#7  0xb60cb44e in khtml::RenderFlow::hitTestLines (this=0x85de4dc, i=@0xbfa38314, x=71, y=11, tx=10, ty=10, hitTestAction=HitTestAll) at render_flow.cpp:254
#8  0xb60a75f3 in khtml::RenderInline::nodeAtPoint (this=0x85de4dc, info=@0xbfa38314, _x=71, _y=11, _tx=10, _ty=10, hitTestAction=HitTestAll, inside=false) at render_inline.cpp:834
#9  0xb60b74fc in khtml::RenderObject::nodeAtPoint (this=0x85de410, info=@0xbfa38314, _x=71, _y=11, _tx=10, _ty=10, hitTestAction=HitTestAll, inside=true) at render_object.cpp:1730
#10 0xb609d3b2 in khtml::RenderBlock::nodeAtPoint (this=0x85de410, info=@0xbfa38314, _x=71, _y=11, _tx=10, _ty=10, hitTestAction=HitTestAll, inBox=false) at render_block.cpp:2506
#11 0xb60b74fc in khtml::RenderObject::nodeAtPoint (this=0x85de38c, info=@0xbfa38314, _x=71, _y=11, _tx=0, _ty=0, hitTestAction=HitTestAll, inside=true) at render_object.cpp:1730
#12 0xb609d3b2 in khtml::RenderBlock::nodeAtPoint (this=0x85de38c, info=@0xbfa38314, _x=71, _y=11, _tx=0, _ty=0, hitTestAction=HitTestAll, inBox=false) at render_block.cpp:2506
#13 0xb60b74fc in khtml::RenderObject::nodeAtPoint (this=0x85de2a4, info=@0xbfa38314, _x=71, _y=11, _tx=0, _ty=0, hitTestAction=HitTestChildrenOnly, inside=false) at render_object.cpp:1730
#14 0xb609d3b2 in khtml::RenderBlock::nodeAtPoint (this=0x85de2a4, info=@0xbfa38314, _x=71, _y=11, _tx=0, _ty=0, hitTestAction=HitTestChildrenOnly, inBox=false) at render_block.cpp:2506
#15 0xb60d5cfb in khtml::RenderLayer::nodeAtPointForLayer (this=0x85de328, rootLayer=0x85de240, info=@0xbfa38314, xMousePos=71, yMousePos=11, hitTestRect=@0xbfa382b0) at render_layer.cpp:1040
#16 0xb60d5ac6 in khtml::RenderLayer::nodeAtPointForLayer (this=0x85de240, rootLayer=0x85de240, info=@0xbfa38314, xMousePos=71, yMousePos=11, hitTestRect=@0xbfa382b0) at render_layer.cpp:1023
==6336== Invalid read of size 4
==6336==    at 0x7442E36: khtml::InlineFlowBox::nodeAtPoint(khtml::RenderObject::NodeInfo&, int, int, int, int) (render_line.cpp:590)
==6336==    by 0x73FA44D: khtml::RenderFlow::hitTestLines(khtml::RenderObject::NodeInfo&, int, int, int, int, HitTestAction) (render_flow.cpp:254)
==6336==    by 0x73D65F2: khtml::RenderInline::nodeAtPoint(khtml::RenderObject::NodeInfo&, int, int, int, int, HitTestAction, bool) (render_inline.cpp:834)
*** Bug 133427 has been marked as a duplicate of this bug. ***
vg analysis from build with arenas disabled:

==15528== Invalid read of size 4
==15528==    at 0x7A309B0: khtml::InlineFlowBox::nodeAtPoint(khtml::RenderObject::NodeInfo&, int, int, int, int) (render_line.cpp:584)
==15528==    by 0x79F108C: khtml::RenderFlow::hitTestLines(khtml::RenderObject::NodeInfo&, int, int, int, int, HitTestAction) (render_flow.cpp:254)
==15528==    by 0x79D2424: khtml::RenderInline::nodeAtPoint(khtml::RenderObject::NodeInfo&, int, int, int, int, HitTestAction, bool) (render_inline.cpp:834)
==15528==    by 0x79E039E: khtml::RenderObject::nodeAtPoint(khtml::RenderObject::NodeInfo&, int, int, int, int, HitTestAction, bool) (render_object.cpp:1730)
==15528==    by 0x79C9E37: khtml::RenderBlock::nodeAtPoint(khtml::RenderObject::NodeInfo&, int, int, int, int, HitTestAction, bool) (render_block.cpp:2506)
==15528==    by 0x79E039E: khtml::RenderObject::nodeAtPoint(khtml::RenderObject::NodeInfo&, int, int, int, int, HitTestAction, bool) (render_object.cpp:1730)
==15528==    by 0x79C9E37: khtml::RenderBlock::nodeAtPoint(khtml::RenderObject::NodeInfo&, int, int, int, int, HitTestAction, bool) (render_block.cpp:2506)
==15528==    by 0x79E039E: khtml::RenderObject::nodeAtPoint(khtml::RenderObject::NodeInfo&, int, int, int, int, HitTestAction, bool) (render_object.cpp:1730)
==15528==    by 0x79C9E37: khtml::RenderBlock::nodeAtPoint(khtml::RenderObject::NodeInfo&, int, int, int, int, HitTestAction, bool) (render_block.cpp:2506)
==15528==    by 0x79FA5D9: khtml::RenderLayer::nodeAtPointForLayer(khtml::RenderLayer*, khtml::RenderObject::NodeInfo&, int, int, QRect const&) (render_layer.cpp:1040)
==15528==    by 0x79FA425: khtml::RenderLayer::nodeAtPointForLayer(khtml::RenderLayer*, khtml::RenderObject::NodeInfo&, int, int, QRect const&) (render_layer.cpp:1023)
==15528==    by 0x79FAE19: khtml::RenderLayer::nodeAtPoint(khtml::RenderObject::NodeInfo&, int, int) (render_layer.cpp:984)
==15528==  Address 0x62F08F0 is 8 bytes inside a block of size 140 free'd
==15528==    at 0x401EEBB: free (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==15528==    by 0x79F7A1B: khtml::RenderArena::free(unsigned, void*) (render_arena.cpp:126)
==15528==    by 0x79E0502: khtml::RenderObject::arenaDelete(khtml::RenderArena*, void*) (render_object.cpp:1606)
==15528==    by 0x79E05D8: khtml::RenderObject::detach() (render_object.cpp:1591)
==15528==    by 0x79E8973: khtml::RenderContainer::detach() (render_container.cpp:73)
==15528==    by 0x79EF804: khtml::RenderBox::detach() (render_box.cpp:190)
==15528==    by 0x796B78B: DOM::NodeImpl::detach() (dom_nodeimpl.cpp:855)
==15528==    by 0x796BB9A: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1406)
==15528==    by 0x7974E4D: DOM::ElementImpl::detach() (dom_elementimpl.cpp:540)
==15528==    by 0x7974A8F: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:609)
==15528==    by 0x799BB58: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:274)
==15528==    by 0x7974B7E: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:639)
Created attachment 17833: patch

The problem is that we create a place holder box in some cases inside RenderFlow::createInlineBox by upcalling, but never clean it up when the element is dead, since deleteInlineBoxes doesn't upcall. That's the first hunk, and the fix. The second is a guess at a potential issue, and needs feedback from Carewolf or Spart, likely to be wrong...
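The ownership mistake described in this comment, modelled as an added C++ example (constructed here, not khtml's code; the class and function names are assumptions): a derived renderer whose creation path can fall back to the base implementation, but whose cleanup does not chain to the base, leaves the base-created box registered in the parent's line list with a pointer to a freed owner.

```cpp
#include <algorithm>
#include <vector>
// Constructed model of the ownership bug described above; none of this is khtml code.
struct Renderer;
struct InlineBox { Renderer* owner; };              // lives in a parent's line list, points back at its renderer
struct LineList { std::vector<InlineBox*> boxes; };

struct Renderer {
    LineList* lines;
    InlineBox* placeholder = nullptr;
    explicit Renderer(LineList* l) : lines(l) {}
    virtual ~Renderer() {}
    // Base creation path: allocate a placeholder box and register it with the parent line list.
    virtual InlineBox* createInlineBox() {
        placeholder = new InlineBox{this};
        lines->boxes.push_back(placeholder);
        return placeholder;
    }
    // Base cleanup: unregister and free the placeholder again.
    virtual void deleteInlineBoxes() {
        if (!placeholder) return;
        auto& b = lines->boxes;
        b.erase(std::remove(b.begin(), b.end(), placeholder), b.end());
        delete placeholder;
        placeholder = nullptr;
    }
};

// Derived flow renderer: creation falls back to the base in "some cases", cleanup did not (before the patch).
struct FlowRenderer : Renderer {
    bool chainCleanup;
    FlowRenderer(LineList* l, bool fixed) : Renderer(l), chainCleanup(fixed) {}
    InlineBox* createInlineBox() override { return Renderer::createInlineBox(); }  // the upcalling case
    void deleteInlineBoxes() override {
        if (chainCleanup) Renderer::deleteInlineBoxes();  // the patch: upcall so the base-created box dies too
    }
};

// Detach one flow renderer and count boxes still registered in the parent's line list.
// Each leftover box carries a pointer to a freed renderer: that is what hit testing later reads.
int staleBoxesAfterDetach(bool fixed) {
    LineList lines;
    Renderer* flow = new FlowRenderer(&lines, fixed);
    flow->createInlineBox();
    flow->deleteInlineBoxes();
    delete flow;
    int stale = static_cast<int>(lines.boxes.size());  // 1 without the fix, 0 with it
    for (InlineBox* b : lines.boxes) delete b;         // free the leaked box without touching its dead owner
    return stale;
}
```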
SVN commit 586170 by orlovich: Make sure to destroy any place holder box we may have created by upcalling to RenderBox in the creation method in the destruction method. BUG:134291 M +2 -0 render_flow.cpp --- branches/KDE/3.5/kdelibs/khtml/rendering/render_flow.cpp #586169:586170 @@ -128,6 +128,8 @@ void RenderFlow::deleteInlineBoxes(RenderArena* arena) { + RenderBox::deleteInlineBoxes(arena); //In case we upcalled + //during construction if (m_firstLineBox) { if (!arena) arena = renderArena();
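Review bot: the new `RenderBox::deleteInlineBoxes(arena);` call runs before the `if (!arena) arena = renderArena();` fallback that follows it, so when the method is entered with a null arena the base class is handed null; either move the fallback above the upcall or confirm that `RenderBox::deleteInlineBoxes` resolves a null arena itself. The comment "In case we upcalled during construction" would also help the next reader more if it named the creation path (`createInlineBox`) it pairs with.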
*** Bug 134310 has been marked as a duplicate of this bug. ***
nice catch... :) the second chunk looks fine but rather overkill as it's a rare condition and the box just wouldn't be used. I can't see how this would be a problem so I'd rather advise saving the call, but do as you see fit.
*** Bug 144334 has been marked as a duplicate of this bug. ***