Version: (using Devel)
Installed from: Compiled sources
Compiler: g++ (Debian 4.3.1-6) 4.3.1
OS: Linux

Konqueror crashes when visiting www.snowboardclub.co.uk. Below is a backtrace:

Application: Konqueror (konqueror), signal SIGABRT
[Current thread is 0 (LWP 32293)]

Thread 4 (Thread 0xb0d25b90 (LWP 514)):
#0 0xb7f70424 in __kernel_vsyscall ()
#1 0xb7261342 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib/i686/cmov/libpthread.so.0
#2 0xb72f2da2 in QWaitConditionPrivate::wait (this=0x9d5bbf0, time=30000) at thread/qwaitcondition_unix.cpp:86
#3 0xb72f28bb in QWaitCondition::wait (this=0x9d5c088, mutex=0x9d5c084, time=30000) at thread/qwaitcondition_unix.cpp:265
#4 0xb72e619a in QThreadPoolThread::run (this=0x988b8b0) at concurrent/qthreadpool.cpp:179
#5 0xb72f2497 in QThreadPrivate::start (arg=0x988b8b0) at thread/qthread_unix.cpp:190
#6 0xb725d4b0 in start_thread () from /lib/i686/cmov/libpthread.so.0
#7 0xb651938e in clone () from /lib/i686/cmov/libc.so.6

Thread 3 (Thread 0xb1d52b90 (LWP 521)):
#0 0xb7f70424 in __kernel_vsyscall ()
#1 0xb6511771 in select () from /lib/i686/cmov/libc.so.6
#2 0xb73c4abb in QProcessManager::run (this=0x96edf30) at io/qprocess_unix.cpp:307
#3 0xb72f2497 in QThreadPrivate::start (arg=0x96edf30) at thread/qthread_unix.cpp:190
#4 0xb725d4b0 in start_thread () from /lib/i686/cmov/libpthread.so.0
#5 0xb651938e in clone () from /lib/i686/cmov/libc.so.6

Thread 2 (Thread 0xb2553b90 (LWP 530)):
#0 0xb7f70424 in __kernel_vsyscall ()
#1 0xb650eb27 in poll () from /lib/i686/cmov/libc.so.6
#2 0xb6f398da in ?? () from /lib/i686/cmov/libresolv.so.2
#3 0xb2551574 in ?? ()
#4 0x00000001 in ?? ()
#5 0x00001388 in ?? ()
#6 0x00004000 in ?? ()
#7 0xb2551550 in ?? ()
#8 0xb2551580 in ?? ()
#9 0xb2551593 in ?? ()
#10 0xb2551588 in ?? ()
#11 0xb2551550 in ?? ()
#12 0x00000000 in ?? ()

Thread 1 (Thread 0xb60fa700 (LWP 32293)):
[KCrash Handler]
#6 0xb7f70424 in __kernel_vsyscall ()
#7 0xb64645e0 in raise () from /lib/i686/cmov/libc.so.6
#8 0xb6465fb8 in abort () from /lib/i686/cmov/libc.so.6
#9 0xb64a7643 in ?? () from /lib/i686/cmov/libc.so.6
#10 0x00006f88 in ?? ()
#11 0xbfc88564 in ?? ()
#12 0xb658fff4 in ?? () from /lib/i686/cmov/libc.so.6
#13 0x0a6a1500 in ?? ()
#14 0x0a6a1500 in ?? ()
#15 0xb65741c4 in ?? () from /lib/i686/cmov/libc.so.6
#16 0xb64a9919 in ?? () from /lib/i686/cmov/libc.so.6
#17 0xb6591160 in ?? () from /lib/i686/cmov/libc.so.6
#18 0x09f78048 in ?? ()
#19 0xb658fff4 in ?? () from /lib/i686/cmov/libc.so.6
#20 0x00000001 in ?? ()
#21 0x0a6a1500 in ?? ()
#22 0xbfc88518 in ?? ()
#23 0xb64a97b5 in free () from /lib/i686/cmov/libc.so.6
Backtrace stopped: frame did not save the PC
Confirmed, but I don't get any useful bt.

0xffffe424 in __kernel_vsyscall ()
(gdb) bt
#0 0xffffe424 in __kernel_vsyscall ()
#1 0xb65de5e0 in raise () from /lib/i686/cmov/libc.so.6
#2 0xb65dffb8 in abort () from /lib/i686/cmov/libc.so.6
#3 0xb6621643 in ?? () from /lib/i686/cmov/libc.so.6
#4 0x00009b66 in ?? ()
#5 0xb670b160 in ?? () from /lib/i686/cmov/libc.so.6
#6 0xb6709ff4 in ?? () from /lib/i686/cmov/libc.so.6
#7 0x090617c8 in ?? ()
#8 0x090617c8 in ?? ()
#9 0xb66ee1c4 in ?? () from /lib/i686/cmov/libc.so.6
#10 0xb6623919 in ?? () from /lib/i686/cmov/libc.so.6
#11 0xb670b160 in ?? () from /lib/i686/cmov/libc.so.6
#12 0x08cc7bb8 in ?? ()
#13 0xb6709ff4 in ?? () from /lib/i686/cmov/libc.so.6
#14 0x00000000 in ?? ()
(gdb) thread 2
[Switching to thread 2 (Thread 0xb1f63b90 (LWP 26642))]#0 0xffffe424 in __kernel_vsyscall ()
(gdb) list
1 extern "C" int kdemain(int argc, char* argv[]);
2 extern "C" int kdeinitmain(int argc, char* argv[]) { return kdemain(argc,argv); }
3 int main(int argc, char* argv[]) { return kdemain(argc,argv); }
OK, I got something better after installing the libc6-dbg package:

Program received signal SIGABRT, Aborted.
[Switching to Thread 0xb6114700 (LWP 28407)]
0xffffe424 in __kernel_vsyscall ()
(gdb) bt
#0 0xffffe424 in __kernel_vsyscall ()
#1 0xb64e15e0 in raise () from /lib/i686/cmov/libc.so.6
#2 0xb64e2fb8 in abort () from /lib/i686/cmov/libc.so.6
#3 0xb6524643 in malloc_printerr () from /lib/i686/cmov/libc.so.6
#4 0xb65267b5 in free () from /lib/i686/cmov/libc.so.6
#5 0xb40c4759 in ~CSSParser (this=0xbfd5c104) at /media/kde/src/KDE/kdelibs/khtml/css/cssparser.cpp:134
#6 0xb40ac7a4 in DOM::CSSStyleSheetImpl::parseString (this=0x98e3238, string=@0xbfd5c1b4, strict=<value optimized out>) at /media/kde/src/KDE/kdelibs/khtml/css/css_stylesheetimpl.cpp:288
#7 0xb3fe3037 in DOM::HTMLLinkElementImpl::setStyleSheet (this=0x98714b8, url=@0x9871a10, sheetStr=@0x9871a4c, charset=@0xbfd5c228, mimetype=@0xbfd5c220) at /media/kde/src/KDE/kdelibs/khtml/html/html_headimpl.cpp:258
#8 0xb40ea460 in khtml::CachedCSSStyleSheet::checkNotify (this=0x9871a08) at /media/kde/src/KDE/kdelibs/khtml/misc/loader.cpp:302
#9 0xb40ef4b0 in khtml::CachedCSSStyleSheet::data (this=0x9871a08, buffer=@0x99f158c, eof=true) at /media/kde/src/KDE/kdelibs/khtml/misc/loader.cpp:292
#10 0xb40ec065 in khtml::Loader::slotFinished (this=0x9684f38, job=0x98f2ae0) at /media/kde/src/KDE/kdelibs/khtml/misc/loader.cpp:1397
#11 0xb40ec387 in khtml::Loader::qt_metacall (this=0x9684f38, _c=QMetaObject::InvokeMetaMethod, _id=3, _a=0xbfd5c43c) at /media/kde/build/KDE/kdelibs/khtml/loader.moc:129
#12 0xb744788c in QMetaObject::activate (sender=0x98f2ae0, from_signal_index=7, to_signal_index=7, argv=0xbfd5c43c) at kernel/qobject.cpp:3007
#13 0xb7447d19 in QMetaObject::activate (sender=0x98f2ae0, m=0xb7707928, local_signal_index=3, argv=0xbfd5c43c) at kernel/qobject.cpp:3080
#14 0xb760e7b3 in KJob::result (this=0x98f2ae0, _t1=0x98f2ae0) at /media/kde/build/KDE/kdelibs/kdecore/kjob.moc:186
#15 0xb760ecb2 in KJob::emitResult (this=0x98f2ae0) at /media/kde/src/KDE/kdelibs/kdecore/jobs/kjob.cpp:290
#16 0xb7c83d9f in KIO::SimpleJob::slotFinished (this=0x98f2ae0) at /media/kde/src/KDE/kdelibs/kio/kio/job.cpp:498
#17 0xb7c84123 in KIO::TransferJob::slotFinished (this=0x98f2ae0) at /media/kde/src/KDE/kdelibs/kio/kio/job.cpp:967
#18 0xb7c8a99b in KIO::TransferJob::qt_metacall (this=0x98f2ae0, _c=QMetaObject::InvokeMetaMethod, _id=7, _a=0xbfd5c674) at /media/kde/build/KDE/kdelibs/kio/jobclasses.moc:336
#19 0xb744788c in QMetaObject::activate (sender=0x98e6620, from_signal_index=8, to_signal_index=8, argv=0x0) at kernel/qobject.cpp:3007
#20 0xb7447d19 in QMetaObject::activate (sender=0x98e6620, m=0xb7df1684, local_signal_index=4, argv=0x0) at kernel/qobject.cpp:3080
#21 0xb7d26b37 in KIO::SlaveInterface::finished (this=0x98e6620) at /media/kde/build/KDE/kdelibs/kio/slaveinterface.moc:163
#22 0xb7d2885f in KIO::SlaveInterface::dispatch (this=0x98e6620, _cmd=104, rawdata=@0xbfd5c844) at /media/kde/src/KDE/kdelibs/kio/kio/slaveinterface.cpp:176
#23 0xb7d29358 in KIO::SlaveInterface::dispatch (this=0x98e6620) at /media/kde/src/KDE/kdelibs/kio/kio/slaveinterface.cpp:91
#24 0xb7d1b6d7 in KIO::Slave::gotInput (this=0x98e6620) at /media/kde/src/KDE/kdelibs/kio/kio/slave.cpp:319
#25 0xb7d1caa3 in KIO::Slave::qt_metacall (this=0x98e6620, _c=QMetaObject::InvokeMetaMethod, _id=2, _a=0xbfd5c944) at /media/kde/build/KDE/kdelibs/kio/slave.moc:75
---Type <return> to continue, or q <return> to quit---
#26 0xb744788c in QMetaObject::activate (sender=0x98e6b90, from_signal_index=4, to_signal_index=4, argv=0x0) at kernel/qobject.cpp:3007
#27 0xb7447d19 in QMetaObject::activate (sender=0x98e6b90, m=0xb7dee2e0, local_signal_index=0, argv=0x0) at kernel/qobject.cpp:3080
#28 0xb7c56ee7 in KIO::Connection::readyRead (this=0x98e6b90) at /media/kde/build/KDE/kdelibs/kio/connection.moc:84
#29 0xb7c57d46 in KIO::ConnectionPrivate::dequeue (this=0x987daf0) at /media/kde/src/KDE/kdelibs/kio/kio/connection.cpp:82
#30 0xb7c58b96 in KIO::Connection::qt_metacall (this=0x98e6b90, _c=QMetaObject::InvokeMetaMethod, _id=1, _a=0x99a44f0) at /media/kde/build/KDE/kdelibs/kio/connection.moc:72
#31 0xb74419ca in QMetaCallEvent::placeMetaCall (this=0x9d4acb0, object=0x98e6b90) at kernel/qobject.cpp:535
#32 0xb7445c36 in QObject::event (this=0x98e6b90, e=0x9d4acb0) at kernel/qobject.cpp:1137
#33 0xb68b6289 in QApplicationPrivate::notify_helper (this=0x91ac538, receiver=0x98e6b90, e=0x9d4acb0) at kernel/qapplication.cpp:3772
#34 0xb68b659e in QApplication::notify (this=0xbfd5d42c, receiver=0x98e6b90, e=0x9d4acb0) at kernel/qapplication.cpp:3366
#35 0xb7a5ad81 in KApplication::notify (this=0xbfd5d42c, receiver=0x98e6b90, event=0x9d4acb0) at /media/kde/src/KDE/kdelibs/kdeui/kernel/kapplication.cpp:311
#36 0xb743328b in QCoreApplication::notifyInternal (this=0xbfd5d42c, receiver=0x98e6b90, event=0x9d4acb0) at kernel/qcoreapplication.cpp:583
#37 0xb7436dd3 in QCoreApplication::sendEvent (receiver=0x98e6b90, event=0x9d4acb0) at kernel/qcoreapplication.h:215
#38 0xb74337ab in QCoreApplicationPrivate::sendPostedEvents (receiver=0x0, event_type=0, data=0x919ecc0) at kernel/qcoreapplication.cpp:1195
#39 0xb7433967 in QCoreApplication::sendPostedEvents (receiver=0x0, event_type=0) at kernel/qcoreapplication.cpp:1091
#40 0xb74628aa in QCoreApplication::sendPostedEvents () at kernel/qcoreapplication.h:220
#41 0xb7461abc in postEventSourceDispatch (s=0x91ae8e8) at kernel/qeventdispatcher_glib.cpp:211
#42 0xb635a2f1 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#43 0xb635d983 in ?? () from /usr/lib/libglib-2.0.so.0
#44 0x091ae860 in ?? ()
#45 0x00000000 in ?? ()
(gdb) thread 2
[Switching to thread 2 (Thread 0xb1e67b90 (LWP 28483))]#0 0xffffe424 in __kernel_vsyscall ()
(gdb) bt
#0 0xffffe424 in __kernel_vsyscall ()
#1 0xb72dc342 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib/i686/cmov/libpthread.so.0
#2 0xb7344d4e in QWaitConditionPrivate::wait (this=0x97a96f8, time=30000) at thread/qwaitcondition_unix.cpp:86
#3 0xb7344867 in QWaitCondition::wait (this=0x9792870, mutex=0x979286c, time=30000) at thread/qwaitcondition_unix.cpp:265
#4 0xb733814a in QThreadPoolThread::run (this=0x9636908) at concurrent/qthreadpool.cpp:179
#5 0xb7344443 in QThreadPrivate::start (arg=0x9636908) at thread/qthread_unix.cpp:190
#6 0xb72d84b0 in start_thread () from /lib/i686/cmov/libpthread.so.0
#7 0xb659638e in clone () from /lib/i686/cmov/libc.so.6
(gdb) thread 3
Confirmed in 4.0.98 (Debian experimental).
Confirmed with konqueror svn r836919.

(gdb) bt
#0 0x00007fa1842f8235 in raise () from /lib64/libc.so.6
#1 0x00007fa1842f9753 in abort () from /lib64/libc.so.6
#2 0x00007fa18433abf0 in ?? () from /lib64/libc.so.6
#3 0x00007fa17719b480 in DOM::CSSStyleSheetImpl::parseString () from /usr/kde/svn/lib64/libkhtml.so.5
#4 0x00007fa1771a15bb in DOM::CSSImportRuleImpl::setStyleSheet () from /usr/kde/svn/lib64/libkhtml.so.5
#5 0x00007fa1771e326f in khtml::CachedCSSStyleSheet::checkNotify () from /usr/kde/svn/lib64/libkhtml.so.5
#6 0x00007fa1771e34dd in khtml::CachedCSSStyleSheet::data () from /usr/kde/svn/lib64/libkhtml.so.5
#7 0x00007fa1771e2ced in khtml::Loader::slotFinished () from /usr/kde/svn/lib64/libkhtml.so.5
#8 0x00007fa1771e3077 in khtml::Loader::qt_metacall () from /usr/kde/svn/lib64/libkhtml.so.5
#9 0x00007fa183b9de6c in QMetaObject::activate () from /usr/lib64/qt4/libQtCore.so.4
#10 0x00007fa1836a6a32 in KJob::result () from /usr/kde/svn/lib64/libkdecore.so.5
#11 0x00007fa1836a6da7 in KJob::emitResult () from /usr/kde/svn/lib64/libkdecore.so.5
#12 0x00007fa182bd8898 in KIO::SimpleJob::slotFinished () from /usr/kde/svn/lib64/libkio.so.5
#13 0x00007fa182bda483 in KIO::TransferJob::slotFinished () from /usr/kde/svn/lib64/libkio.so.5
#14 0x00007fa182bdb2d5 in KIO::TransferJob::qt_metacall () from /usr/kde/svn/lib64/libkio.so.5
#15 0x00007fa183b9de6c in QMetaObject::activate () from /usr/lib64/qt4/libQtCore.so.4
#16 0x00007fa182c8a5d0 in KIO::SlaveInterface::dispatch () from /usr/kde/svn/lib64/libkio.so.5
#17 0x00007fa182c87981 in KIO::SlaveInterface::dispatch () from /usr/kde/svn/lib64/libkio.so.5
#18 0x00007fa182c77b4e in KIO::Slave::gotInput () from /usr/kde/svn/lib64/libkio.so.5
#19 0x00007fa182c77e58 in KIO::Slave::qt_metacall () from /usr/kde/svn/lib64/libkio.so.5
#20 0x00007fa183b9de6c in QMetaObject::activate () from /usr/lib64/qt4/libQtCore.so.4
#21 0x00007fa182ba87c6 in KIO::ConnectionPrivate::dequeue () from /usr/kde/svn/lib64/libkio.so.5
#22 0x00007fa182ba98ca in KIO::Connection::qt_metacall () from /usr/kde/svn/lib64/libkio.so.5
#23 0x00007fa183b97a65 in QObject::event () from /usr/lib64/qt4/libQtCore.so.4
#24 0x00007fa1816acffd in QApplicationPrivate::notify_helper () from /usr/lib64/qt4/libQtGui.so.4
#25 0x00007fa1816ae53a in QApplication::notify () from /usr/lib64/qt4/libQtGui.so.4
#26 0x00007fa1831c829b in KApplication::notify () from /usr/kde/svn/lib64/libkdeui.so.5
#27 0x00007fa183b85bd0 in QCoreApplication::notifyInternal () from /usr/lib64/qt4/libQtCore.so.4
#28 0x00007fa183b8a0a7 in QCoreApplicationPrivate::sendPostedEvents () from /usr/lib64/qt4/libQtCore.so.4
#29 0x00007fa183bb83f0 in QEventDispatcherUNIX::processEvents () from /usr/lib64/qt4/libQtCore.so.4
#30 0x00007fa18174ed4a in QEventDispatcherX11::processEvents () from /usr/lib64/qt4/libQtGui.so.4
#31 0x00007fa183b84812 in QEventLoop::processEvents () from /usr/lib64/qt4/libQtCore.so.4
#32 0x00007fa183b84cad in QEventLoop::exec () from /usr/lib64/qt4/libQtCore.so.4
#33 0x00007fa183b8a3ef in QCoreApplication::exec () from /usr/lib64/qt4/libQtCore.so.4
#34 0x00007fa1846e7a22 in kdemain () from /usr/kde/svn/lib64/libkdeinit4_konqueror.so
#35 0x00007fa1842e4486 in __libc_start_main () from /lib64/libc.so.6
#36 0x00000000004006d9 in _start ()
Note: the bug 156646 may be related.
Backtrace

Application: Konqueror (konqueror), signal SIGABRT
[Thread debugging using libthread_db enabled]
[New Thread 0xb6006700 (LWP 19542)]
[KCrash handler]
#6 0xffffe424 in __kernel_vsyscall ()
#7 0xb7d7a5e0 in raise () from /lib/i686/cmov/libc.so.6
#8 0xb7d7bfb8 in abort () from /lib/i686/cmov/libc.so.6
#9 0xb7dbd643 in malloc_printerr () from /lib/i686/cmov/libc.so.6
#10 0xb7dbf7b5 in free () from /lib/i686/cmov/libc.so.6
#11 0xb41fb421 in ~CSSParser (this=0xbfcc13d4) at /tmp/buildd/kde4libs-4.0.98+svn833207/khtml/css/cssparser.cpp:134
#12 0xb41e4d84 in DOM::CSSStyleSheetImpl::parseString (this=0x84d8b88, string=@0xbfcc1474, strict=<value optimized out>) at /tmp/buildd/kde4libs-4.0.98+svn833207/khtml/css/css_stylesheetimpl.cpp:288
#13 0xb411912c in DOM::HTMLLinkElementImpl::setStyleSheet (this=0x84f2338, url=@0x84f9ff0, sheetStr=@0x84fa02c, charset=@0xbfcc14e4, mimetype=@0xbfcc14dc) at /tmp/buildd/kde4libs-4.0.98+svn833207/khtml/html/html_headimpl.cpp:258
#14 0xb423521c in khtml::CachedCSSStyleSheet::checkNotify (this=0x84f9fe8) at /tmp/buildd/kde4libs-4.0.98+svn833207/khtml/misc/loader.cpp:302
#15 0xb4235596 in khtml::CachedCSSStyleSheet::data (this=0x84f9fe8, buffer=@0x84ecad4, eof=true) at /tmp/buildd/kde4libs-4.0.98+svn833207/khtml/misc/loader.cpp:292
#16 0xb423009a in khtml::Loader::slotFinished (this=0x8429ef0, job=0x850c7c8) at /tmp/buildd/kde4libs-4.0.98+svn833207/khtml/misc/loader.cpp:1397
#17 0xb4235be7 in khtml::Loader::qt_metacall (this=0x8429ef0, _c=QMetaObject::InvokeMetaMethod, _id=3, _a=0xbfcc16cc) at /tmp/buildd/kde4libs-4.0.98+svn833207/obj-i486-linux-gnu/khtml/loader.moc:129
#18 0xb69230c0 in QMetaObject::activate (sender=0x850c7c8, from_signal_index=7, to_signal_index=7, argv=0xbfcc16cc) at kernel/qobject.cpp:3010
#19 0xb6923e42 in QMetaObject::activate (sender=0x850c7c8, m=0xb771f8e8, local_signal_index=3, argv=0xbfcc16cc) at kernel/qobject.cpp:3080
#20 0xb75e7483 in KJob::result (this=0x850c7c8, _t1=0x850c7c8) at /tmp/buildd/kde4libs-4.0.98+svn833207/obj-i486-linux-gnu/kdecore/kjob.moc:186
#21 0xb75e7992 in KJob::emitResult (this=0x850c7c8) at /tmp/buildd/kde4libs-4.0.98+svn833207/kdecore/jobs/kjob.cpp:290
#22 0xb7b4dfe5 in KIO::SimpleJob::slotFinished (this=0x850c7c8) at /tmp/buildd/kde4libs-4.0.98+svn833207/kio/kio/job.cpp:498
#23 0xb7b51693 in KIO::TransferJob::slotFinished (this=0x850c7c8) at /tmp/buildd/kde4libs-4.0.98+svn833207/kio/kio/job.cpp:967
#24 0xb7b5246b in KIO::TransferJob::qt_metacall (this=0x850c7c8, _c=QMetaObject::InvokeMetaMethod, _id=7, _a=0xbfcc1908) at /tmp/buildd/kde4libs-4.0.98+svn833207/obj-i486-linux-gnu/kio/jobclasses.moc:336
#25 0xb69230c0 in QMetaObject::activate (sender=0x84eef28, from_signal_index=8, to_signal_index=8, argv=0x0) at kernel/qobject.cpp:3010
#26 0xb6923e42 in QMetaObject::activate (sender=0x84eef28, m=0xb7cff184, local_signal_index=4, argv=0x0) at kernel/qobject.cpp:3080
#27 0xb7c12f77 in KIO::SlaveInterface::finished (this=0x84eef28) at /tmp/buildd/kde4libs-4.0.98+svn833207/obj-i486-linux-gnu/kio/slaveinterface.moc:161
#28 0xb7c16be7 in KIO::SlaveInterface::dispatch (this=0x84eef28, _cmd=104, rawdata=@0xbfcc1ad4) at /tmp/buildd/kde4libs-4.0.98+svn833207/kio/kio/slaveinterface.cpp:175
#29 0xb7c136f7 in KIO::SlaveInterface::dispatch (this=0x84eef28) at /tmp/buildd/kde4libs-4.0.98+svn833207/kio/kio/slaveinterface.cpp:90
#30 0xb7c036cd in KIO::Slave::gotInput (this=0x84eef28) at /tmp/buildd/kde4libs-4.0.98+svn833207/kio/kio/slave.cpp:319
#31 0xb7c06113 in KIO::Slave::qt_metacall (this=0x84eef28, _c=QMetaObject::InvokeMetaMethod, _id=2, _a=0xbfcc1be8) at /tmp/buildd/kde4libs-4.0.98+svn833207/obj-i486-linux-gnu/kio/slave.moc:75
#32 0xb69230c0 in QMetaObject::activate (sender=0x84ec308, from_signal_index=4, to_signal_index=4, argv=0x0) at kernel/qobject.cpp:3010
#33 0xb6923e42 in QMetaObject::activate (sender=0x84ec308, m=0xb7cfbde0, local_signal_index=0, argv=0x0) at kernel/qobject.cpp:3080
#34 0xb7b155c7 in KIO::Connection::readyRead (this=0x84ec308) at /tmp/buildd/kde4libs-4.0.98+svn833207/obj-i486-linux-gnu/kio/connection.moc:84
#35 0xb7b17689 in KIO::ConnectionPrivate::dequeue (this=0x848c848) at /tmp/buildd/kde4libs-4.0.98+svn833207/kio/kio/connection.cpp:82
#36 0xb7b17816 in KIO::Connection::qt_metacall (this=0x84ec308, _c=QMetaObject::InvokeMetaMethod, _id=1, _a=0x84a9078) at /tmp/buildd/kde4libs-4.0.98+svn833207/obj-i486-linux-gnu/kio/connection.moc:72
#37 0xb691c23b in QMetaCallEvent::placeMetaCall (this=0x857bf20, object=0x84ec308) at kernel/qobject.cpp:535
#38 0xb691ddf9 in QObject::event (this=0x84ec308, e=0x857bf20) at kernel/qobject.cpp:1140
#39 0xb6b9b66c in QApplicationPrivate::notify_helper (this=0x8057db0, receiver=0x84ec308, e=0x857bf20) at kernel/qapplication.cpp:3772
#40 0xb6ba343e in QApplication::notify (this=0xbfcc2584, receiver=0x84ec308, e=0x857bf20) at kernel/qapplication.cpp:3366
#41 0xb78f363d in KApplication::notify (this=0xbfcc2584, receiver=0x84ec308, event=0x857bf20) at /tmp/buildd/kde4libs-4.0.98+svn833207/kdeui/kernel/kapplication.cpp:311
#42 0xb690e571 in QCoreApplication::notifyInternal (this=0xbfcc2584, receiver=0x84ec308, event=0x857bf20) at kernel/qcoreapplication.cpp:587
#43 0xb690f1e5 in QCoreApplicationPrivate::sendPostedEvents (receiver=0x0, event_type=0, data=0x804b848) at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:215
#44 0xb690f3fd in QCoreApplication::sendPostedEvents (receiver=0x0, event_type=0) at kernel/qcoreapplication.cpp:1091
#45 0xb6938f2f in postEventSourceDispatch (s=0x805a520) at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:220
#46 0xb63372f1 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#47 0xb633a983 in ?? () from /usr/lib/libglib-2.0.so.0
#48 0x0805a498 in ?? ()
#49 0x00000000 in ?? ()
#0 0xffffe424 in __kernel_vsyscall ()
Created attachment 26387 [details] HTML file testcase
Created attachment 26388 [details] style sheet which causes konqueror to crash
I've attached an HTML file and a CSS file which in combination cause Konqueror to crash. The testcase files are based on similar code from the www.snowboardclub.co.uk webpage. AIUI the CSS file isn't valid, as it doesn't properly terminate the various blocks.
Running Konqueror with Valgrind and loading the test HTML & CSS files posted earlier gives the following error message (repeated several times):

==30085== Invalid read of size 2
==30085==    at 0x9E27F88: DOM::CSSParser::lex() (tokenizer.cpp:673)
==30085==    by 0x9E28784: DOM::CSSParser::lex(void*) (cssparser.cpp:2397)
==30085==    by 0x9E4D36D: _ZL8cssyylexP7YYSTYPE (parser.cpp:355)
==30085==    by 0x9E4D87A: cssyyparse(void*) (parser.cpp:1936)
==30085==    by 0x9E302A9: DOM::CSSParser::runParser(int) (cssparser.cpp:165)
==30085==    by 0x9E30960: DOM::CSSParser::parseSheet(DOM::CSSStyleSheetImpl*, DOM::DOMString const&) (cssparser.cpp:182)
==30085==    by 0x9E113D4: DOM::CSSStyleSheetImpl::parseString(DOM::DOMString const&, bool) (css_stylesheetimpl.cpp:287)
==30085==    by 0x9D194CD: DOM::HTMLLinkElementImpl::setStyleSheet(DOM::DOMString const&, DOM::DOMString const&, DOM::DOMString const&, DOM::DOMString const&) (html_headimpl.cpp:258)
==30085==    by 0x9E632DD: khtml::CachedCSSStyleSheet::checkNotify() (loader.cpp:302)
==30085==    by 0x9E69A27: khtml::CachedCSSStyleSheet::data(QBuffer&, bool) (loader.cpp:292)
==30085==    by 0x9E657AB: khtml::Loader::slotFinished(KJob*) (loader.cpp:1400)
==30085==    by 0x9E65B56: khtml::Loader::qt_metacall(QMetaObject::Call, int, void**) (loader.moc:129)
==30085==  Address 0x6151a1e is 0 bytes after a block of size 182 alloc'd
==30085==    at 0x4023D6E: malloc (vg_replace_malloc.c:207)
==30085==    by 0x9E30915: DOM::CSSParser::parseSheet(DOM::CSSStyleSheetImpl*, DOM::DOMString const&) (cssparser.cpp:176)
==30085==    by 0x9E113D4: DOM::CSSStyleSheetImpl::parseString(DOM::DOMString const&, bool) (css_stylesheetimpl.cpp:287)
==30085==    by 0x9D194CD: DOM::HTMLLinkElementImpl::setStyleSheet(DOM::DOMString const&, DOM::DOMString const&, DOM::DOMString const&, DOM::DOMString const&) (html_headimpl.cpp:258)
==30085==    by 0x9E632DD: khtml::CachedCSSStyleSheet::checkNotify() (loader.cpp:302)
==30085==    by 0x9E69A27: khtml::CachedCSSStyleSheet::data(QBuffer&, bool) (loader.cpp:292)
==30085==    by 0x9E657AB: khtml::Loader::slotFinished(KJob*) (loader.cpp:1400)
==30085==    by 0x9E65B56: khtml::Loader::qt_metacall(QMetaObject::Call, int, void**) (loader.moc:129)
==30085==    by 0x4ADFEF8: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3013)
==30085==    by 0x4AE0386: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qobject.cpp:3086)
==30085==    by 0x47F9903: KJob::result(KJob*) (kjob.moc:186)
==30085==    by 0x47F9E41: KJob::emitResult() (kjob.cpp:290)

Interestingly, the testcase doesn't cause Konqueror to crash when it is running in Valgrind. Full log from Valgrind & Konqueror attached below.
Created attachment 27036 [details] terminal log of Konqueror running testcase in Valgrind
Created attachment 28331 [details] Proposed patch for bug 167318

The attached patch stops Konqueror from crashing when parsing the malformed CSS of the testcase and a local saved copy of the www.snowboardclub.co.uk webpage that led to the original bug report. (Note that the website mentioned has been changed since the initial bug report.) The patch is based on CSSParser.cpp from the qt-copy version of WebKit. Please can someone familiar with this section of code check that this is an appropriate patch, as I don't want to inadvertently cause further problems! Note that Valgrind still reports some problems when run with --leak-check=full; however, Konqueror no longer crashes.
*** Bug 180929 has been marked as a duplicate of this bug. ***
*** Bug 182793 has been marked as a duplicate of this bug. ***
Who would be a good person to speak with to arrange getting this patch (or a similar one) committed?
*** Bug 183544 has been marked as a duplicate of this bug. ***
*** Bug 184231 has been marked as a duplicate of this bug. ***
I can confirm that the sites mentioned in bug 180929 and bug 184231 do not cause crashes with the patch above applied to khtml.
*** Bug 186426 has been marked as a duplicate of this bug. ***
Hi, sorry for the late reply, I didn't quite notice this bug before. First, I can't reproduce this crash (or any of its duplicates) in trunk, and I read a comment to the same effect at #183544#c2. I think the recent changes in the CSS grammar may have changed the error conditions triggering such crashes.

Nevertheless, the patch (even if a bit of voodoo-merging, as it doesn't really change the logic, and even regresses the security padding to 2 bytes) is still a nice factoring, so I'll check it in, with an additional factoring of the repetitive cssyyparse invocation code inside a runParser() method, and fixing the padding. As there are still some visible out-of-bounds reads/writes detectable through Valgrind on e.g. http://shop1auto.rtrk.com.au, I'll raise our security padding from five to eight bytes. This seems to appease Valgrind on all available testcases.
Created attachment 32510 [details] the modified patch I intend to commit
Any chance you could move the strlen(prefix) call out of the loop? I know it's short, but the quadratic bugs me, and, well, there is always inline style...
Sure, I'll factor all those, if only to save a kitten.
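The buffer layout the discussion above turns on, as an added example in C (not KHTML or WebKit code, and not the attached patch): the scanner's input is copied into a 16-bit buffer followed by zeroed padding units, and every lookahead goes through a bounds-checked peek, so an identifier or comment that is cut off at the end of the input, like the unterminated blocks in the testcase, lands in the padding rather than past the allocation. The Valgrind report earlier in this thread shows the failure shape this guards against: a 2-byte read exactly at the end of a 182-byte block. All names here (css_buffer, css_peek, css_scan, scan_ascii_css, PAD_UNITS) are hypothetical, the padding of 8 units is an illustrative choice and not the same quantity as the commit's 8 bytes, and the prefix/suffix arguments exist only to show strlen() taken once outside the copy loops, as requested above.

```c
/* Added example, not KHTML/WebKit code or the attached patch: a 16-bit scanner
 * buffer with zeroed end padding and a bounds-checked lookahead. All names and
 * the PAD_UNITS value are assumptions of this example. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAD_UNITS 8  /* zero units kept after the data (illustrative value) */

typedef struct {
    uint16_t *data;  /* prefix + text + suffix, then PAD_UNITS zero units */
    size_t len, cap; /* meaningful units; allocated units = len + PAD_UNITS */
} css_buffer;

typedef struct {
    int error, open_blocks, unterminated_comment;
    size_t len, tokens, max_pos_read; /* max_pos_read: highest index peeked */
} css_stats;

static int css_buffer_init(css_buffer *b, const char *prefix,
                           const uint16_t *text, size_t text_len, const char *suffix)
{
    size_t plen = strlen(prefix), slen = strlen(suffix); /* taken once, not per pass */
    b->len = plen + text_len + slen;
    b->cap = b->len + PAD_UNITS;
    if (!(b->data = calloc(b->cap, sizeof *b->data))) /* calloc zeroes the padding */
        return -1;
    for (size_t i = 0; i < plen; i++) b->data[i] = (unsigned char)prefix[i];
    memcpy(b->data + plen, text, text_len * sizeof *text);
    for (size_t i = 0; i < slen; i++) b->data[plen + text_len + i] = (unsigned char)suffix[i];
    return 0;
}

/* Every read goes through here: a position at or past the allocation yields the
 * end marker 0 instead of touching memory; the highest position is recorded. */
static uint16_t css_peek(const css_buffer *b, size_t pos, size_t *max_seen)
{
    if (pos > *max_seen) *max_seen = pos;
    return pos < b->cap ? b->data[pos] : 0;
}

static int is_ident(uint16_t c)
{ return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') || c == '-' || c == '_'; }

/* Toy tokenizer. A comment left open or an identifier running to the end of the
 * input makes it look at data[len], the first unit past the real input: that is
 * the read the padding has to cover when the scanner itself does not check. */
static void css_scan(const css_buffer *b, css_stats *st)
{
    size_t i = 0, *m = &st->max_pos_read;
    while (i < b->len) {
        uint16_t c = css_peek(b, i, m);
        if (c == '/' && css_peek(b, i + 1, m) == '*') {
            for (i += 2; css_peek(b, i, m) != 0; i++)
                if (css_peek(b, i, m) == '*' && css_peek(b, i + 1, m) == '/')
                    break;
            if (css_peek(b, i, m) == 0) { st->unterminated_comment = 1; break; }
            i += 2; st->tokens++;
        } else if (c == '{') {
            st->open_blocks++; st->tokens++; i++;
        } else if (c == '}') {
            if (st->open_blocks > 0) st->open_blocks--;
            st->tokens++; i++;
        } else if (c == ' ' || c == '\t' || c == '\n' || c == '\r') {
            i++;
        } else if (is_ident(c)) {
            while (is_ident(css_peek(b, i, m))) i++;
            st->tokens++;
        } else {
            st->tokens++; i++; /* ':' ';' and other one-unit tokens */
        }
    }
}

/* Widen ASCII to 16-bit units (the width of the "Invalid read of size 2" in the
 * Valgrind log), scan with empty prefix/suffix, release everything. */
static css_stats scan_ascii_css(const char *ascii)
{
    css_stats st = {0};
    css_buffer b;
    size_t n = strlen(ascii);
    uint16_t *text = malloc((n ? n : 1) * sizeof *text);
    if (!text) { st.error = 1; return st; }
    for (size_t i = 0; i < n; i++) text[i] = (unsigned char)ascii[i];
    if (css_buffer_init(&b, "", text, n, "") == 0) {
        st.len = b.len;
        css_scan(&b, &st);
        free(b.data);
    } else st.error = 1;
    free(text);
    return st;
}

int main(void)
{   /* constructed inputs; the second mirrors the testcase's unterminated blocks */
    const char *inputs[] = { "a{}", "a { color: red; b { margin: 0",
                             "a { color: red; } /* trailing" };
    for (size_t k = 0; k < 3; k++) {
        css_stats s = scan_ascii_css(inputs[k]);
        printf("%-30s tokens=%zu open=%d comment_open=%d read_up_to=%zu len=%zu\n",
               inputs[k], s.tokens, s.open_blocks, s.unterminated_comment, s.max_pos_read, s.len);
    }
    return 0;
}
```

Well-formed input never peeks beyond the last real unit, while both malformed inputs report read_up_to equal to len, i.e. the first padding unit: that is the position the flex scanner in the report reached with no padding behind it. The bounds check in css_peek and the padding are independent defences; either alone keeps the read inside the allocation, and keeping both means a scanner change that widens the lookahead still cannot turn into a heap read.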
*** Bug 188601 has been marked as a duplicate of this bug. ***
SVN commit 948014 by ggarand:

.factor out some CSS parser code
 (initial patch from mccope@googlemail.com, derived from code found in webcore)
.increase CSS buffer's security padding to 8 bytes to prevent buggy flex
 from reading/writing past the end in some situations.

BUG: 167318

 M  +49 -64    cssparser.cpp
 M  +2 -1      cssparser.h

WebSVN link: http://websvn.kde.org/?view=rev&revision=948014
SVN commit 948352 by ggarand:

automatically merged revision 948014:
.factor out some CSS parser code
 (initial patch from mccope@googlemail.com, derived from code found in webcore)
.increase CSS buffer's security padding to 8 bytes to prevent buggy flex
 from reading/writing past the end in some situations.

BUG: 167318

 M  +49 -64    cssparser.cpp
 M  +2 -1      cssparser.h

WebSVN link: http://websvn.kde.org/?view=rev&revision=948352
The same bug: Konqueror crashes on this site: http://fr.wikipedia.org/wiki/Pays_de_Galles