Version: (using KDE Devel)
Installed from: Compiled sources
Compiler: gcc 4.2
OS: Linux

Konqueror (with kdelibs r747105) crashes while running a query against bugs.kde.org. To get the crash, I did the following:
- Went to http://bugs.kde.org/
- Clicked on "Query existing reports" at the top
- Selected the "dolphin" product and hit "Search"
- Crash, as follows:

#5 0x00002b9b2afa1185 in raise () from /lib64/libc.so.6
#6 0x00002b9b2afa2630 in abort () from /lib64/libc.so.6
#7 0x00002b9b2af9a77f in __assert_fail () from /lib64/libc.so.6
#8 0x00002b9b3271e584 in KHTMLGlobal::finalCheck () at /home/des/Code/kde/kdelibs/khtml/khtml_global.cpp:244
#9 0x00002aaaac8437c5 in ~KHTMLFactory (this=0xaaaa00) at /home/des/Code/kde/kdelibs/khtml/khtml_factory.cpp:35
#10 0x00002b9b28cc076a in QObjectCleanupHandler::clear (this=0x9da890) at /home/des/Code/kde/qt-copy/src/corelib/kernel/qobjectcleanuphandler.cpp:133
#11 0x00002b9b28cc07b1 in ~QObjectCleanupHandler (this=0x5e50) at /home/des/Code/kde/qt-copy/src/corelib/kernel/qobjectcleanuphandler.cpp:79
#12 0x00002b9b25e9ca7b in destroy () at /home/des/Code/kde/kdelibs/kdecore/util/kpluginfactory.cpp:29
#13 0x00002b9b25d98755 in ~KCleanUpGlobalStatic (this=0x2b9b26133430) at /home/des/Code/kde/kdelibs/kdecore/kernel/kglobal.h:65
#14 0x00002b9b25e9c9e0 in __tcf_0 () at /home/des/Code/kde/kdelibs/kdecore/util/kpluginfactory.cpp:29
#15 0x00002b9b2afa3b8e in exit () from /lib64/libc.so.6
#16 0x00002b9b28c1af0d in qt_message_output (msgType=QtFatalMsg, buf=<value optimized out>) at /home/des/Code/kde/qt-copy/src/corelib/global/qglobal.cpp:2162
#17 0x00002b9b28c1b025 in qFatal (msg=<value optimized out>) at /home/des/Code/kde/qt-copy/src/corelib/global/qglobal.cpp:2392
#18 0x00002b9b326d52a1 in QString::operator[] (this=0x7fff85e25fe0, i=56) at /home/des/Code/kde/build/qt-copy/include/QtCore/../../../../qt-copy/src/corelib/tools/qstring.h:638
#19 0x00002b9b327aa872 in parseDocTypePart (buffer=@0x7fff85e25fe0, index=56) at /home/des/Code/kde/kdelibs/khtml/html/html_documentimpl.cpp:280
#20 0x00002b9b327aac83 in parseDocTypeDeclaration (buffer=@0x7fff85e25fe0, resultFlags=0x7fff85e25e7c, publicID=@0x7fff85e25e80, systemID=@0x7fff85e25e90) at /home/des/Code/kde/kdelibs/khtml/html/html_documentimpl.cpp:345
#21 0x00002b9b327ac81b in DOM::HTMLDocumentImpl::determineParseMode (this=0xe2f180, str=@0x7fff85e25fe0) at /home/des/Code/kde/kdelibs/khtml/html/html_documentimpl.cpp:437
#22 0x00002b9b326f6fa9 in KHTMLPart::onFirstData (this=0x9d92c0, firstData=@0x7fff85e25fe0) at /home/des/Code/kde/kdelibs/khtml/khtml_part.cpp:1989
#23 0x00002b9b326f719c in KHTMLPart::write (this=0x9d92c0, data=0xa5b278 "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<!DOCTYPE html \n ", len=56) at /home/des/Code/kde/kdelibs/khtml/khtml_part.cpp:1947
#24 0x00002b9b326f9734 in KHTMLPart::slotData (this=0x9d92c0, kio_job=0xf7de10, data=@0x7fff85e271d0) at /home/des/Code/kde/kdelibs/khtml/khtml_part.cpp:1636
#25 0x00002b9b32703824 in KHTMLPart::qt_metacall (this=0x9d92c0, _c=QMetaObject::InvokeMetaMethod, _id=19, _a=0x7fff85e26980) at /home/des/Code/kde/build/kdelibs/khtml/khtml_part.moc:263
#26 0x00002b9b28cbd6cc in QMetaObject::activate (sender=0xf7de10, from_signal_index=40, to_signal_index=40, argv=0xffffffffffffffff) at /home/des/Code/kde/qt-copy/src/corelib/kernel/qobject.cpp:3087
#27 0x00002b9b25927031 in KIO::TransferJob::data (this=0xf7de10, _t1=0xf7de10, _t2=@0x7fff85e271d0) at /home/des/Code/kde/build/kdelibs/kio/jobclasses.moc:355
#28 0x00002b9b259278f0 in KIO::TransferJob::slotData (this=0xf7de10, _data=@0x7fff85e271d0) at /home/des/Code/kde/kdelibs/kio/kio/job.cpp:921
#29 0x00002b9b25931841 in KIO::TransferJob::qt_metacall (this=0xf7de10, _c=QMetaObject::InvokeMetaMethod, _id=8, _a=0x7fff85e26f30) at /home/des/Code/kde/build/kdelibs/kio/jobclasses.moc:336
#30 0x00002b9b28cbd6cc in QMetaObject::activate (sender=0xbf66d0, from_signal_index=4, to_signal_index=4, argv=0xffffffffffffffff) at /home/des/Code/kde/qt-copy/src/corelib/kernel/qobject.cpp:3087
#31 0x00002b9b259c8101 in KIO::SlaveInterface::data (this=0xbf66d0, _t1=@0x7fff85e271d0) at /home/des/Code/kde/build/kdelibs/kio/slaveinterface.moc:137
#32 0x00002b9b259c9ae4 in KIO::SlaveInterface::dispatch (this=0xbf66d0, _cmd=100, rawdata=@0x7fff85e271d0) at /home/des/Code/kde/kdelibs/kio/kio/slaveinterface.cpp:161
#33 0x00002b9b259c9a0a in KIO::SlaveInterface::dispatch (this=0xbf66d0) at /home/des/Code/kde/kdelibs/kio/kio/slaveinterface.cpp:88
#34 0x00002b9b259be135 in KIO::Slave::gotInput (this=0xbf66d0) at /home/des/Code/kde/kdelibs/kio/kio/slave.cpp:318
#35 0x00002b9b259bf33f in KIO::Slave::qt_metacall (this=0xbf66d0, _c=QMetaObject::InvokeMetaMethod, _id=2, _a=0x7fff85e27750) at /home/des/Code/kde/build/kdelibs/kio/slave.moc:74
#36 0x00002b9b28cbd6cc in QMetaObject::activate (sender=0xa35ca0, from_signal_index=4, to_signal_index=4, argv=0xffffffffffffffff) at /home/des/Code/kde/qt-copy/src/corelib/kernel/qobject.cpp:3087
#37 0x00002b9b25905006 in KIO::Connection::readyRead (this=0xa35ca0) at /home/des/Code/kde/build/kdelibs/kio/connection.moc:83
#38 0x00002b9b25905dfc in KIO::ConnectionPrivate::dequeue (this=0xacf560) at /home/des/Code/kde/kdelibs/kio/kio/connection.cpp:82
#39 0x00002b9b25906c86 in KIO::Connection::qt_metacall (this=0xa35ca0, _c=QMetaObject::InvokeMetaMethod, _id=1, _a=0xf87d00) at /home/des/Code/kde/build/kdelibs/kio/connection.moc:71
#40 0x00002b9b28cbb0b4 in QObject::event (this=0xa35ca0, e=0xffffffffffffffff) at /home/des/Code/kde/qt-copy/src/corelib/kernel/qobject.cpp:1128
#41 0x00002b9b297d69d2 in QApplicationPrivate::notify_helper (this=0x61f5d0, receiver=0xa35ca0, e=0x10544e0) at /home/des/Code/kde/qt-copy/src/gui/kernel/qapplication.cpp:3556
#42 0x00002b9b297dc5af in QApplication::notify (this=0x7fff85e281d0, receiver=0xa35ca0, e=0x10544e0) at /home/des/Code/kde/qt-copy/src/gui/kernel/qapplication.cpp:3497
#43 0x00002b9b26317f2a in KApplication::notify (this=0x7fff85e281d0, receiver=0xa35ca0, event=0x10544e0) at /home/des/Code/kde/kdelibs/kdeui/kernel/kapplication.cpp:319
#44 0x00002b9b28cae9be in QCoreApplication::notifyInternal (this=0x7fff85e281d0, receiver=0xa35ca0, event=0x10544e0) at /home/des/Code/kde/qt-copy/src/corelib/kernel/qcoreapplication.cpp:530
#45 0x00002b9b28cb009b in QCoreApplicationPrivate::sendPostedEvents (receiver=0x0, event_type=0, data=0x604f60) at ../../include/QtCore/../../../../qt-copy/src/corelib/kernel/qcoreapplication.h:200
#46 0x00002b9b28cca983 in postEventSourceDispatch (s=<value optimized out>) at /home/des/Code/kde/qt-copy/src/corelib/kernel/qeventdispatcher_glib.cpp:207
#47 0x00002b9b2c305682 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#48 0x00002b9b2c305ee5 in ?? () from /usr/lib/libglib-2.0.so.0
#49 0x00002b9b2c306407 in g_main_context_iteration () from /usr/lib/libglib-2.0.so.0
#50 0x00002b9b28ccab9b in QEventDispatcherGlib::processEvents (this=0x61eed0, flags=<value optimized out>) at /home/des/Code/kde/qt-copy/src/corelib/kernel/qeventdispatcher_glib.cpp:338
#51 0x00002b9b2983d0a4 in QGuiEventDispatcherGlib::processEvents (this=0x5e50, flags=<value optimized out>) at /home/des/Code/kde/qt-copy/src/gui/kernel/qguieventdispatcher_glib.cpp:191
#52 0x00002b9b28cae13c in QEventLoop::processEvents (this=<value optimized out>, flags=<value optimized out>) at /home/des/Code/kde/qt-copy/src/corelib/kernel/qeventloop.cpp:140
#53 0x00002b9b28cae225 in QEventLoop::exec (this=0x7fff85e280e0, flags=@0x7fff85e280f0) at /home/des/Code/kde/qt-copy/src/corelib/kernel/qeventloop.cpp:182
#54 0x00002b9b28cb03d7 in QCoreApplication::exec () at /home/des/Code/kde/qt-copy/src/corelib/kernel/qcoreapplication.cpp:759
#55 0x00002b9b24f60611 in kdemain (argc=2, argv=0x7fff85e28cd8) at /home/des/Code/kde/kdebase/apps/konqueror/src/konqmain.cpp:218
#56 0x000000000040098b in main (argc=2, argv=0x7fff85e28cd8) at /home/des/Code/kde/build/kdebase/apps/konqueror/src/konqueror_dummy.cpp:3
#0 0x00002b9b2b007c41 in nanosleep () from /lib64/libc.so.6
*** Bug 153803 has been marked as a duplicate of this bug. ***
*** Bug 153662 has been marked as a duplicate of this bug. ***
Presence of problem confirmed via code inspection --- the doctype parsing code can walk outside of the string willy-nilly, and QString in Qt4 aborts on that (while the Qt3 one would return a fallback value). I think this is a borderline showstopper, given that some of the reports involve wikipedia, and the potential for wide impact / nature of regression. Allan, do you know that code well perchance? If so, it would be nice if you could take a look, otherwise I'll try to dig through it I guess.
Yes, I know the code and I even have a patch to fix it applied to my local tree. I will see if I can extract it. However, my patch only fixes the crash but creates a new problem: the function never gets run to an end.
Created attachment 22483 [details]
Fast patch

The patch probably needs some check in KHTMLPart::onFirstData, so the determineDocType can be run again when more data is available.
The state post-patch is what it is in 3.5.x though, right?
*** Bug 153925 has been marked as a duplicate of this bug. ***
Created attachment 22514 [details]
Break loop also when the character "<" is the last one of the buffer

Try from command line:
konqueror http://es.wikipedia.org/wiki/Imagen:I_Wikiencuentro_en_la_Bahía_de_Cádiz_\(Asistentes\).jpg

For some reason, the buffer in parseDocTypeDeclaration with that URL is only "<". Therefore, there are no more characters after it and bang! The patch checks for that and it works here. By the way, just to introduce myself, I am the guy in the middle with my little daughter.
Created attachment 22516 [details]
Stdout log to verify my previous patch

This is the log from the command line I got to verify my previous patch. So konqueror loads the image successfully and all is fine. Look at "my output" in HTMLDocumentImpl::parseDocTypeDeclaration:
konqueror(20349): BUFFER: "<"
konqueror(20349): index: 0 bf.len: 1
This gave me the hint of what was going on in the method. The point is that the XML header is non-existent. I just comment this in case there is also another bug somewhere else.
Excellent analysis Pablo. Unfortunately it is a well known issue; to solve it correctly requires putting more responsibility in the HTML parser/tokenizer, and thus a larger rewrite. I think though this is a new instance of the bug, because in KDE 3.5.x the HTTP-slave would never send just 1 byte. I would like to know what causes the HTTP-slave to send such a small buffer. It not only reveals this bug, but it is also a waste of resources.
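The crash discussed above comes from a DOCTYPE scanner that indexes past the end of a short buffer (a lone "<", or a declaration cut off mid-way), which Qt4's QString::operator[] turns into an abort. As an added illustration, not khtml's code, the following scanner over std::string bounds-checks every index and reports a truncated chunk as NeedMoreData so the caller can retry once more data has arrived; scanDoctype, matchWord, skipSpace and DoctypeScan are assumed names.

```cpp
#include <cctype>
#include <string>

// Outcome of scanning the first chunk of a document for a DOCTYPE.
enum class DoctypeScan { NeedMoreData, NoDoctype, Found };

// Case-insensitive prefix test that never indexes past buf.size():
// running out of buffer is reported as NeedMoreData, a mismatch as NoDoctype.
static DoctypeScan matchWord(const std::string& buf, size_t pos, const char* word) {
    for (size_t k = 0; word[k] != '\0'; ++k) {
        if (pos + k >= buf.size()) return DoctypeScan::NeedMoreData;
        if (std::toupper((unsigned char)buf[pos + k]) != std::toupper((unsigned char)word[k]))
            return DoctypeScan::NoDoctype;
    }
    return DoctypeScan::Found;
}

static size_t skipSpace(const std::string& buf, size_t i) {
    while (i < buf.size() && std::isspace((unsigned char)buf[i])) ++i;
    return i;
}

// Looks for "<!DOCTYPE name ...>" after optional whitespace and an optional
// "<?xml ...?>" prologue. A chunk such as "<", or a declaration that has not
// yet received its closing '>', yields NeedMoreData instead of an
// out-of-range read. Simplification (assumption): the closing '>' is located
// without honouring quotes inside PUBLIC/SYSTEM identifiers.
DoctypeScan scanDoctype(const std::string& buf, std::string& name) {
    size_t i = skipSpace(buf, 0);
    DoctypeScan m = matchWord(buf, i, "<?xml");
    if (m == DoctypeScan::NeedMoreData) return m;
    if (m == DoctypeScan::Found) {                  // skip the XML declaration
        size_t close = buf.find("?>", i);
        if (close == std::string::npos) return DoctypeScan::NeedMoreData;
        i = skipSpace(buf, close + 2);
    }
    m = matchWord(buf, i, "<!DOCTYPE");
    if (m != DoctypeScan::Found) return m;
    i = skipSpace(buf, i + 9);
    size_t start = i;
    while (i < buf.size() && !std::isspace((unsigned char)buf[i]) && buf[i] != '>') ++i;
    if (i == start)                                 // empty name: cut off, or malformed
        return i < buf.size() ? DoctypeScan::NoDoctype : DoctypeScan::NeedMoreData;
    if (buf.find('>', i) == std::string::npos) return DoctypeScan::NeedMoreData;
    name = buf.substr(start, i - start);
    return DoctypeScan::Found;
}
```

The 56-byte chunk quoted in frame #23 of the backtrace ends inside the declaration, so this scanner answers NeedMoreData for it rather than reading index 56.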
FYI, checking the stdout log I attached, I see in the BUFFER that all the headers are truncated:

pleira@barebone:~$ egrep -C 1 "BUFF|index:" log_from_stdout.log
konqueror(20349)/khtml KHTMLGlobal::ref: s_refcnt= 2
konqueror(20349): BUFFER: "<"
konqueror(20349): index: 0 bf.len: 1
konqueror(20349)/khtml (html) DOM::HTMLDocumentImpl::determineParseMode: using compatibility parseMode
--
konqueror(20349)/khtml KHTMLGlobal::ref: s_refcnt= 2
konqueror(20349): BUFFER: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transi"
konqueror(20349): index: 0 bf.len: 51
konqueror(20349)/khtml (html) DOM::HTMLDocumentImpl::determineParseMode: using compatibility parseMode
--
konqueror(20349)/khtml KHTMLGlobal::ref: s_refcnt= 2
konqueror(20349): BUFFER: "<"
konqueror(20349): index: 0 bf.len: 1
konqueror(20349)/khtml (html) DOM::HTMLDocumentImpl::determineParseMode: using compatibility parseMode
*** Bug 154312 has been marked as a duplicate of this bug. ***
SVN commit 750614 by carewolf:

Don't crash bugs.kde.org and other places, even if we risk misdetermining doctype
CCBUG: 153827

M +17 -2 html_documentimpl.cpp

WebSVN link: http://websvn.kde.org/?view=rev&revision=750614
Can't reproduce, so I guess this is fixed by the patch sent by carewolf?
This does appear to be fixed in trunk. I can no longer reproduce either.
Cannot reproduce on r797319 either.
Other people are confirming that the crash doesn't happen anymore in trunk.
Someone should mark this as RESOLVED/FIXED (I don't have permission).
Ok