Bug 136909 - kjs makes konqueror crash on http://ratp.fr/
Status: RESOLVED DUPLICATE of bug 127025
Alias: None
Product: konqueror
Classification: Applications
Component: kjs
Version: unspecified
Platform: Mandriva RPMs Linux
Importance: NOR crash
Target Milestone: ---
Assignee: Konqueror Developers
Reported: 2006-11-05 21:00 UTC by Thierry Vignaud
Modified: 2006-11-10 15:34 UTC
Description Thierry Vignaud 2006-11-05 21:00:11 UTC
Version:            (using KDE KDE 3.5.5)
Installed from:    Mandriva RPMs
Compiler:          gcc-4.1.1 
OS:                Linux

konqueror crashes on http://ratp.fr due to JavaScript issues.
Strangely, it happens only if one types in the departure station (e.g. "chat", which is completed by the JavaScript script into "chatelet-les-halles") and then the arrival station (e.g. "cac", completed as "arcueil-cachan").

How to reproduce:
* select "station" under "Départ / plan de quartier",
* type "chatel" in the textbox below,
* select "Chatelet-Les Halles" in the JavaScript completion list,
* select "station" under "Arrivée",
* type "cac" in the textbox below,
* "Arcueil-Cachan" is automatically filled in by the JavaScript helper.
It's not always reproducible. Sometimes it doesn't crash instantly (as in the backtrace below), but then one needs to "play" with the form. Anyway, ratp.fr is a sure way to make konqueror crash very fast.

Here's the backtrace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 47801274439040 (LWP 22474)]
0x00002b7999de77d7 in free () from /lib64/libc.so.6
(gdb) bt
#0  0x00002b7999de77d7 in free () from /lib64/libc.so.6
#1  0x00002b7999de9356 in malloc () from /lib64/libc.so.6
#2  0x00002b799b36982d in KJS::Interpreter::collect () from /usr/lib64/libkjs.so.1
#3  0x00002b799b37cafa in KJS::StringPrototypeImp::get () from /usr/lib64/libkjs.so.1
#4  0x00002b799b38116d in KJS::StringImp::toObject () from /usr/lib64/libkjs.so.1
#5  0x00002b799b380eb6 in KJS::ValueImp::dispatchToObject () from /usr/lib64/libkjs.so.1
#6  0x00002b799b38a460 in KJS::FunctionImp::call () from /usr/lib64/libkjs.so.1
#7  0x00002b799b3915b0 in KJS::UndefinedImp::toObject () from /usr/lib64/libkjs.so.1
#8  0x00002b799b38a3e8 in KJS::FunctionImp::call () from /usr/lib64/libkjs.so.1
#9  0x00002b799b3915b0 in KJS::UndefinedImp::toObject () from /usr/lib64/libkjs.so.1
#10 0x00002b799b388853 in KJS::FunctionImp::call () from /usr/lib64/libkjs.so.1
#11 0x00002b799b39d320 in KJS::DeclaredFunctionImp::execute () from /usr/lib64/libkjs.so.1
#12 0x00002b799b39e50d in KJS::Interpreter::evaluate () from /usr/lib64/libkjs.so.1
#13 0x00002b799b39d4de in KJS::DeclaredFunctionImp::execute () from /usr/lib64/libkjs.so.1
#14 0x00002b799b39c46a in KJS::Interpreter::Interpreter$base () from /usr/lib64/libkjs.so.1
#15 0x00002b799b39e5ac in KJS::Interpreter::evaluate () from /usr/lib64/libkjs.so.1
#16 0x00002b799b39d4de in KJS::DeclaredFunctionImp::execute () from /usr/lib64/libkjs.so.1
#17 0x00002b799b39b69a in KJS::Interpreter::Interpreter$base () from /usr/lib64/libkjs.so.1
#18 0x00002b799b39e5ac in KJS::Interpreter::evaluate () from /usr/lib64/libkjs.so.1
#19 0x00002b799b39d4de in KJS::DeclaredFunctionImp::execute () from /usr/lib64/libkjs.so.1
#20 0x00002b799b39cf1b in KJS::DeclaredFunctionImp::execute () from /usr/lib64/libkjs.so.1
#21 0x00002b799b38810b in KJS::FunctionImp::call () from /usr/lib64/libkjs.so.1
#22 0x00002b799b38adc7 in KJS::Object::call () from /usr/lib64/libkjs.so.1
#23 0x00002b799b39190e in KJS::UndefinedImp::toObject () from /usr/lib64/libkjs.so.1
#24 0x00002b799b39d320 in KJS::DeclaredFunctionImp::execute () from /usr/lib64/libkjs.so.1
#25 0x00002b799b39e50d in KJS::Interpreter::evaluate () from /usr/lib64/libkjs.so.1
#26 0x00002b799b39d4de in KJS::DeclaredFunctionImp::execute () from /usr/lib64/libkjs.so.1
#27 0x00002b799b39cf1b in KJS::DeclaredFunctionImp::execute () from /usr/lib64/libkjs.so.1
#28 0x00002b799b38810b in KJS::FunctionImp::call () from /usr/lib64/libkjs.so.1
#29 0x00002b799b38adc7 in KJS::Object::call () from /usr/lib64/libkjs.so.1
#30 0x00002b799b0f9e42 in EmbedLiveConnect::get () from /usr/lib64/libkhtml.so.4
#31 0x00002b799afc0a76 in DOM::RegisteredListenerList::~RegisteredListenerList$base () from /usr/lib64/libkhtml.so.4
#32 0x00002b799afc5bf6 in DOM::XMLAttributeReader::XMLAttributeReader$base () from /usr/lib64/libkhtml.so.4
#33 0x00002b799afc5e61 in DOM::XMLAttributeReader::XMLAttributeReader$base () from /usr/lib64/libkhtml.so.4
#34 0x00002b799afc84ed in DOM::XMLAttributeReader::startElement () from /usr/lib64/libkhtml.so.4
#35 0x00002b799af6149f in KHTMLView::dispatchKeyEventHelper () from /usr/lib64/libkhtml.so.4
#36 0x00002b799af6f9ba in KHTMLView::dispatchKeyEvent () from /usr/lib64/libkhtml.so.4
#37 0x00002b799af9278e in KHTMLView::keyReleaseEvent () from /usr/lib64/libkhtml.so.4
#38 0x00002b799af677b9 in KHTMLView::eventFilter () from /usr/lib64/libkhtml.so.4
#39 0x00002b79975c8ca2 in QObject::activate_filters () from /usr/lib/qt3/lib64/libqt-mt.so.3
#40 0x00002b79975c8cf7 in QObject::event () from /usr/lib/qt3/lib64/libqt-mt.so.3
#41 0x00002b79975fadb8 in QWidget::event () from /usr/lib/qt3/lib64/libqt-mt.so.3
#42 0x00002b79976f7c73 in QTextEdit::event () from /usr/lib/qt3/lib64/libqt-mt.so.3
#43 0x00002b799b02c6cf in non-virtual thunk to DOM::HTMLAppletElementImpl::~HTMLAppletElementImpl$delete() ()
   from /usr/lib64/libkhtml.so.4
#44 0x00002b79975747e5 in QApplication::internalNotify () from /usr/lib/qt3/lib64/libqt-mt.so.3
#45 0x00002b7997575950 in QApplication::notify () from /usr/lib/qt3/lib64/libqt-mt.so.3
#46 0x00002b7996b2b0a8 in KApplication::notify () from /usr/lib64/libkdecore.so.4
#47 0x00002b799751d8d5 in QETWidget::translateKeyEvent () from /usr/lib/qt3/lib64/libqt-mt.so.3
#48 0x00002b799751e790 in QApplication::x11ProcessEvent () from /usr/lib/qt3/lib64/libqt-mt.so.3
#49 0x00002b799752cfa9 in QEventLoop::processEvents () from /usr/lib/qt3/lib64/libqt-mt.so.3
#50 0x00002b7997588581 in QEventLoop::enterLoop () from /usr/lib/qt3/lib64/libqt-mt.so.3
#51 0x00002b7997588452 in QEventLoop::exec () from /usr/lib/qt3/lib64/libqt-mt.so.3
#52 0x00002b79957c8373 in kdemain () from /usr/lib64/libkdeinit_konqueror.so
#53 0x00002b7999d97e64 in __libc_start_main () from /lib64/libc.so.6
#54 0x0000000000400759 in ?? ()
#55 0x00007fff154bfba8 in ?? ()
#56 0x0000000000000000 in ?? ()
Comment 1 Tommi Tervo 2006-11-10 15:15:34 UTC
I got a different backtrace:

khtml (jscript): [virtual KJS::Value KJS::DOMNamedNodesCollection::tryGet(KJS::ExecState*, const KJS::Identifier&) const] 1

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1234233680 (LWP 15787)]
0xb60534c6 in typeinfo name for khtml::TreeShared<DOM::NodeImpl> ()
   from /opt/kde354/lib/libkhtml.so.4
(gdb)
(gdb) bt
#0  0xb60534c6 in typeinfo name for khtml::TreeShared<DOM::NodeImpl> ()
   from /opt/kde354/lib/libkhtml.so.4
#1  0xb5e17fc9 in khtml::TreeShared<DOM::NodeImpl>::removedLastRef (
    this=0x88c1b20) at ../../khtml/misc/shared.h:57
#2  0xb5dac1e0 in khtml::TreeShared<DOM::NodeImpl>::deref (this=0x88c1b20)
    at ../../khtml/misc/shared.h:63
#3  0xb601e84c in ~Node (this=0x87110fc) at dom_node.cpp:173
#4  0xb5f54099 in ~DOMNode (this=0x87110d0) at kjs_dom.cpp:108
#5  0xb5fa1ba3 in ~DOMElement (this=0x87110d0)
    at ../../khtml/ecma/kjs_dom.h:141
#6  0xb5fa1c2f in ~HTMLElement (this=0x87110d0)
    at ../../khtml/ecma/kjs_html.h:58
#7  0xb5b73da6 in KJS::Collector::collect () at collector.cpp:222
#8  0xb5b740b8 in KJS::Collector::allocate (s=44) at collector.cpp:85
#9  0xb5bb4a7b in KJS::ValueImp::operator new (s=44) at value.cpp:84
#10 0xb5b98237 in KJS::StringObjectImp::construct (this=0x838b088,
    exec=0xbfd8568c, args=@0xbfd84f4c) at string_object.cpp:609
#11 0xb5ff8360 in KJS::Object::construct (this=0xbfd84f58, exec=0xbfd8568c,
    args=@0xbfd84f4c) at ../../kjs/object.h:698
#12 0xb5ba30e3 in KJS::StringImp::toObject (this=0x866aeb8, exec=0xbfd8568c)
    at internal.cpp:229
#13 0xb5bb4665 in KJS::ValueImp::dispatchToObject (this=0x866aeb8,
    exec=0xbfd8568c) at value.cpp:209
Comment 2 Tommi Tervo 2006-11-10 15:32:56 UTC
khtml (jscript): [virtual KJS::Value KJS::DOMNamedNodesCollection::tryGet(KJS::ExecState*, const KJS::Identifier&) const] 1
==15832==
==15832== Invalid read of size 4
==15832==    at 0x6A081A7: khtml::TreeShared<DOM::NodeImpl>::deref() (shared.h:61)
==15832==    by 0x6C7A84B: DOM::Node::~Node() (dom_node.cpp:173)
==15832==    by 0x6BB0098: KJS::DOMNode::~DOMNode() (kjs_dom.cpp:108)
==15832==    by 0x6BFDBA2: KJS::DOMElement::~DOMElement() (kjs_dom.h:141)
==15832==    by 0x6BFDC2E: KJS::HTMLElement::~HTMLElement() (kjs_html.h:58)
==15832==    by 0x6D8DDA5: KJS::Collector::collect() (collector.cpp:222)
==15832==    by 0x6D8E0B7: KJS::Collector::allocate(unsigned) (collector.cpp:85)
==15832==    by 0x6DCEA7A: KJS::ValueImp::operator new(unsigned) (value.cpp:84)
==15832==    by 0x6DCEF9C: KJS::String::String(KJS::UString const&) (value.cpp:335)
==15832==    by 0x6DADCA8: KJS::StringProtoFuncImp::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (string_object.cpp:209)
==15832==    by 0x6DD121F: KJS::Object::call(KJS::ExecState*, KJS::Object&, KJS::List const&) (object.cpp:73)
==15832==    by 0x6DD13F8: KJS::ObjectImp::defaultValue(KJS::ExecState*, KJS::Type) const (object.cpp:320)
Comment 3 Tommi Tervo 2006-11-10 15:34:39 UTC

*** This bug has been marked as a duplicate of 127025 ***