Bug 169447 - [testcase] Konqueror crashes when going to www.onlineweg.de (due to negative z-index in iframe)
Status: RESOLVED FIXED
Alias: None
Product: konqueror
Classification: Applications
Component: khtml
Version: 4.1.0
Platform: unspecified Linux
Importance: NOR crash
Target Milestone: ---
Assignee: Konqueror Developers
Duplicates: 169642
Reported: 2008-08-19 19:08 UTC by gmud
Modified: 2008-08-31 17:09 UTC

Attachments
1st part of a test case (1x1 pixel GIF image) (49 bytes, image/gif)
2008-08-20 00:25 UTC, Frank Reininghaus
2nd part of the test case (HTML file) (313 bytes, text/html)
2008-08-20 00:30 UTC, Frank Reininghaus

Description gmud 2008-08-19 19:08:13 UTC
Version:           4.1.00 (KDE 4.1.0) (using 4.1.00 (KDE 4.1.0), Kubuntu packages)
Compiler:          gcc
OS:                Linux (i686) release 2.6.24-19-rt

Steps to reproduce:
1. Go to http://www.onlineweg.de

Result:
Konqueror crashes with the following bt

Anwendung: Konqueror (konqueror), Signal SIGSEGV
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
[Thread debugging using libthread_db enabled]
[New Thread 0xb60a8940 (LWP 11448)]
[KCrash handler]
#6  0xb422ccc4 in QVector<khtml::RenderLayer*>::at (this=0x0, i=0)
    at /usr/include/qt4/QtCore/qvector.h:323
#7  0xb422afc4 in khtml::RenderLayer::updateWidgetMasks (this=0x84b5908, 
    rootLayer=0x84b4720)
    at /build/buildd/kde4libs-4.1.0/khtml/rendering/render_layer.cpp:404
#8  0xb422ae46 in khtml::RenderLayer::updateWidgetMasks (this=0x84b582c, 
    rootLayer=0x84b4720)
    at /build/buildd/kde4libs-4.1.0/khtml/rendering/render_layer.cpp:424
#9  0xb422ae46 in khtml::RenderLayer::updateWidgetMasks (this=0x84b4808, 
    rootLayer=0x84b4720)
    at /build/buildd/kde4libs-4.1.0/khtml/rendering/render_layer.cpp:424
#10 0xb422ae46 in khtml::RenderLayer::updateWidgetMasks (this=0x84b4720, 
    rootLayer=0x84b4720)
    at /build/buildd/kde4libs-4.1.0/khtml/rendering/render_layer.cpp:424
#11 0xb42589be in khtml::RenderCanvas::layout (this=0x84b4648)
    at /build/buildd/kde4libs-4.1.0/khtml/rendering/render_canvas.cpp:199
#12 0xb40e758b in KHTMLView::layout (this=0x84fdbd0)
    at /build/buildd/kde4libs-4.1.0/khtml/khtmlview.cpp:969
#13 0xb40e7bad in KHTMLView::timerEvent (this=0x84fdbd0, e=0xbf98cb18)
    at /build/buildd/kde4libs-4.1.0/khtml/khtmlview.cpp:4031
#14 0xb74bcc9a in QObject::event () from /usr/lib/libQtCore.so.4
#15 0xb69efc6f in QWidget::event () from /usr/lib/libQtGui.so.4
#16 0xb6d25063 in QFrame::event () from /usr/lib/libQtGui.so.4
#17 0xb6db9211 in QAbstractScrollArea::event () from /usr/lib/libQtGui.so.4
#18 0xb6dbd08f in QScrollArea::event () from /usr/lib/libQtGui.so.4
#19 0xb40e5759 in KHTMLView::event (this=0x84fdbd0, e=0xbf98cb18)
    at /build/buildd/kde4libs-4.1.0/khtml/khtmlview.cpp:524
#20 0xb6998c0c in QApplicationPrivate::notify_helper ()
   from /usr/lib/libQtGui.so.4
#21 0xb699d898 in QApplication::notify () from /usr/lib/libQtGui.so.4
#22 0xb7929f53 in KApplication::notify (this=0xbf98cf5c, receiver=0x84fdbd0, 
    event=0xbf98cb18)
    at /build/buildd/kde4libs-4.1.0/kdeui/kernel/kapplication.cpp:311
#23 0xb74ac6a9 in QCoreApplication::notifyInternal ()
   from /usr/lib/libQtCore.so.4
#24 0xb74da1a1 in ?? () from /usr/lib/libQtCore.so.4
#25 0xb74d7a40 in ?? () from /usr/lib/libQtCore.so.4
#26 0xb641add6 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#27 0xb641e193 in ?? () from /usr/lib/libglib-2.0.so.0
#28 0xb641e74e in g_main_context_iteration () from /usr/lib/libglib-2.0.so.0
#29 0xb74d7f98 in QEventDispatcherGlib::processEvents ()
   from /usr/lib/libQtCore.so.4
#30 0xb6a2c1b5 in ?? () from /usr/lib/libQtGui.so.4
#31 0xb74ab92d in QEventLoop::processEvents () from /usr/lib/libQtCore.so.4
#32 0xb74ababd in QEventLoop::exec () from /usr/lib/libQtCore.so.4
#33 0xb74add3d in QCoreApplication::exec () from /usr/lib/libQtCore.so.4
#34 0xb6998567 in QApplication::exec () from /usr/lib/libQtGui.so.4
#35 0xb7f746fd in kdemain () from /usr/lib/kde4/lib/libkdeinit4_konqueror.so
#36 0x08048582 in _start ()
#0  0xb7f8e410 in __kernel_vsyscall ()
Comment 1 Dario Andres 2008-08-19 21:17:50 UTC
Using KDE 4.1.1 (KDE 4.1.0 (4.1 >= 20080722)) (KDEmod) in ArchLinux i686:
I can reproduce this bug

Also reproducible using:

kdelibs4.2 svn rev.849324
kdebase4.2 svn rev.849337
Comment 2 Frank Reininghaus 2008-08-20 00:25:43 UTC
Created attachment 26941 [details]
1st part of a test case (1x1 pixel GIF image)
Comment 3 Frank Reininghaus 2008-08-20 00:30:56 UTC
Created attachment 26942 [details]
2nd part of the test case (HTML file)

This reduced testcase crashes 4.1 and today's SVN trunk for me with the same backtrace as in the original report. The HTML page contains an iframe which is to show a 1x1 pixel GIF image. The CSS attributes 'style="position:absolute;z-index:-2"' in the <iframe> tag are needed to get the crash.
Comment 4 Frank Reininghaus 2008-08-20 22:53:36 UTC
I looked into this a bit further:

1. It seems to crash for any image in the iframe. HTML pages in the iframe work fine.
2. It seems to crash for any negative z-index. Positive indices and zero work fine.
3. The backtrace looks similar to the one I pasted in https://bugs.kde.org/show_bug.cgi?id=119292#c5 a while ago (all frames starting from #8 appear in that bt as well). Maybe the crash issue in that report (the original report was about a rendering problem) is related to the problem we have here.
Comment 5 Frank Reininghaus 2008-08-29 17:33:20 UTC
*** Bug 169642 has been marked as a duplicate of this bug. ***
Comment 6 Germain Garand 2008-08-29 20:10:01 UTC
mmh... copy/paste mistake of mine in render_layer. I have to verify the algorithm though.
Comment 7 Germain Garand 2008-08-30 20:30:39 UTC
ah ah, I was already meditating how cruel is the wrath of senility, but it turns out I didn't do that CnP mistake.

r784843
Bad bad dfaure. No more cookies for you, no sir!

(gah... he actually CC'd me the change, and I saw nothing, so cookie-jail for me too ;-/ )
Comment 8 Germain Garand 2008-08-31 17:09:50 UTC
SVN commit 855320 by ggarand:

revert part of r784843
-> copy/paste error

BUG: 169447


 M  +1 -1      render_layer.cpp  


--- trunk/KDE/kdelibs/khtml/rendering/render_layer.cpp #855319:855320
@@ -397,7 +397,7 @@
                     }
                 }
             }
-            count = sc->m_negZOrderList ? sc->m_negZOrderList->count() : 0;
+            count = sc->m_posZOrderList ? sc->m_posZOrderList->count() : 0;
             if ( count > 0 ) {
                 needUpdate = true;
                 for (uint i = 0; i < count; i++) {
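
Review bot: On the changed `count = sc->m_posZOrderList ? sc->m_posZOrderList->count() : 0;` line and the `for (uint i = 0; i < count; i++)` loop below it, the list is still named separately for the null check, the count and (outside the visible context) the element access, which is the pattern that let a neg/pos mismatch through; consider binding the list pointer to a local once and using that local for all three, so the count can never come from a different list than the one being indexed. The reported backtrace, `QVector<khtml::RenderLayer*>::at (this=0x0, i=0)` called from `updateWidgetMasks`, is consistent with that mismatch at runtime: a non-zero count paired with a null list. Adding the reduced iframe test case from comment 3 as a regression test with this commit would keep the fix from being undone by a later edit.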