Bug 170880 - Konqueror crashes each time opening a special page
Summary: Konqueror crashes each time opening a special page
Status: RESOLVED FIXED
Alias: None
Product: konqueror
Classification: Applications
Component: general (show other bugs)
Version: unspecified
Platform: unspecified Linux
: NOR crash (vote)
Target Milestone: ---
Assignee: Konqueror Developers
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-09-11 21:25 UTC by Richard Hartmann
Modified: 2008-09-12 02:42 UTC (History)
2 users (show)

See Also:
Latest Commit:
Version Fixed In:


Attachments
Test case (not minimal) (1.24 KB, text/html)
2008-09-11 23:43 UTC, Frank Reininghaus
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Richard Hartmann 2008-09-11 21:25:03 UTC
Version:           3.5.9 (using 3.5.9, Gentoo)
Compiler:          gcc version 3.4.6 (Gentoo 3.4.6-r2, ssp-3.4.6-1.0, pie-8.7.10)
OS:                Linux (i686) release 2.6.24-gentoo-r8


Open just.blogsport.de an watch konqueror crash eache time you open the page.

It must have to do something with Javascript. When Javascript is switched off, the page loads fine.

Plugins are switched off.
Comment 1 Maksim Orlovich 2008-09-11 21:28:27 UTC
[KCrash handler]
#6  0x00000000 in ?? ()
#7  0xb3196015 in khtml::Marquee::timerEvent ()
   from /opt/kde4/lib/libkhtml.so.5
#8  0xb74a2164 in QObject::event () from /opt/kde4/lib/libQtCore.so.4
#9  0xb6a16f7c in QApplicationPrivate::notify_helper ()
   from /opt/kde4/lib/libQtGui.so.4
#10 0xb6a1e049 in QApplication::notify () from /opt/kde4/lib/libQtGui.so.4
#11 0xb7a579dd in KApplication::notify () from /opt/kde4/lib/libkdeui.so.5
#12 0xb74942a9 in QCoreApplication::notifyInternal ()
   from /opt/kde4/lib/libQtCore.so.4
#13 0xb74bd031 in ?? () from /opt/kde4/lib/libQtCore.so.4
#14 0xb74bab30 in ?? () from /opt/kde4/lib/libQtCore.so.4
#15 0xb64fbdd6 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#16 0xb64ff193 in ?? () from /usr/lib/libglib-2.0.so.0
#17 0xb64ff74e in g_main_context_iteration () from /usr/lib/libglib-2.0.so.0
#18 0xb74bb268 in QEventDispatcherGlib::processEvents ()
   from /opt/kde4/lib/libQtCore.so.4
#19 0xb6a9d305 in ?? () from /opt/kde4/lib/libQtGui.so.4
#20 0xb749352d in QEventLoop::processEvents ()
   from /opt/kde4/lib/libQtCore.so.4
#21 0xb74936c1 in QEventLoop::exec () from /opt/kde4/lib/libQtCore.so.4
#22 0xb749595a in QCoreApplication::exec () from /opt/kde4/lib/libQtCore.so.4
#23 0xb6a16687 in QApplication::exec () from /opt/kde4/lib/libQtGui.so.4
#24 0xb7f35fce in kdemain () from /opt/kde4/lib/libkdeinit4_konqueror.so
#25 0x08048772 in main ()
#0  0xb7f4d410 in __kernel_vsyscall ()
Comment 2 Frank Reininghaus 2008-09-11 23:43:30 UTC
Created attachment 27376 [details]
Test case (not minimal)

I reduced the page a bit, but my test case still depends on two external JS files which looked a bit ugly to me ;-). I could try to fight my way through them if you think it helps...

Note that 

QObject: Do not delete object, 'unnamed', during its event handler!

is shown in Konsole.
Comment 3 Maksim Orlovich 2008-09-12 01:26:42 UTC
The crash is because RenderLayer::scrollToOffset, triggered by a marquee, 
runs some JavaScript which detaches the layer on after-the-execution 
CSS recomputation. Seeing this many bugs of this class makes me wonder 
if we should only be doing updateRendering off the main event loop or such?

==7959== Invalid read of size 4                                                                                                                
==7959==    at 0xB980900: khtml::RenderLayer::scrollToOffset(int, int, bool, bool) (render_layer.cpp:723)                                      
==7959==    by 0xB98284A: khtml::RenderLayer::scrollToXOffset(int) (render_layer.h:184)                                                        
==7959==    by 0xB980CAB: khtml::Marquee::timerEvent(QTimerEvent*) (render_layer.cpp:1957)                                                     
==7959==    by 0x4E0DF1E: QObject::event(QEvent*) (qobject.cpp:1105)                                                                           
==7959==    by 0x541EBDB: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:3800)                                        
==7959==    by 0x5424FED: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:3392)                                                      
==7959==    by 0x46D4588: KApplication::notify(QObject*, QEvent*) (kapplication.cpp:311)                                                       
==7959==    by 0x4DFFD20: QCoreApplication::notifyInternal(QObject*, QEvent*) (qcoreapplication.cpp:587)                                       
==7959==    by 0x4E29B60: QTimerInfoList::activateTimers() (qcoreapplication.h:215)                                                            
==7959==    by 0x4E266EF: _ZL19timerSourceDispatchP8_GSourcePFiPvES1_ (qeventdispatcher_glib.cpp:166)                                          
==7959==    by 0x5E25799: g_main_context_dispatch (gmain.c:2142)                                                                               
==7959==    by 0x5E28EB7: g_main_context_iterate (gmain.c:2775)                                                                                
==7959==    by 0x5E29077: g_main_context_iteration (gmain.c:2838)                                                                              
==7959==    by 0x4E26647: QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventdispatcher_glib.cpp:325)           
==7959==    by 0x54A8594: QGuiEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qguieventdispatcher_glib.cpp:204)     
==7959==    by 0x4DFE489: QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventloop.cpp:149)                                
==7959==    by 0x4DFE649: QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (qeventloop.cpp:196)                                         
==7959==    by 0x4E008CC: QCoreApplication::exec() (qcoreapplication.cpp:849)                                                                  
==7959==    by 0x541EA56: QApplication::exec() (qapplication.cpp:3330)                                                                         
==7959==    by 0x4127BBA: kdemain (konqmain.cpp:227)                                                                                           
==7959==    by 0x80487A1: main (konqueror_dummy.cpp:3)                                                                                         
==7959==  Address 0xdec0988 is 8 bytes inside a block of size 108 free'd                                                                       
==7959==    at 0x40218FA: free (vg_replace_malloc.c:323)                                                                                       
==7959==    by 0xB97A445: khtml::RenderArena::free(unsigned, void*) (render_arena.cpp:122)                                                     
==7959==    by 0xB97ED58: khtml::RenderLayer::detach(khtml::RenderArena*) (render_layer.cpp:500)                                               
==7959==    by 0xB97100D: khtml::RenderBox::detach() (render_box.cpp:221)                                                                      
==7959==    by 0xB97383A: khtml::RenderFlow::detach() (render_flow.cpp:361)                                                                    
==7959==    by 0xB8A4BCB: DOM::NodeImpl::detach() (dom_nodeimpl.cpp:985)                                                                       
==7959==    by 0xB8A4C4A: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1747)                                                                  
==7959==    by 0xB8B17C1: DOM::ElementImpl::detach() (dom_elementimpl.cpp:863)                                                                 
==7959==    by 0xB8A4C34: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1745)                                                                  
==7959==    by 0xB8B17C1: DOM::ElementImpl::detach() (dom_elementimpl.cpp:863)                                                                 
==7959==    by 0xB8A4C34: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1745)                                                                  
==7959==    by 0xB8B17C1: DOM::ElementImpl::detach() (dom_elementimpl.cpp:863)                                                                 
==7959==    by 0xB8A4C34: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1745)                                                                  
==7959==    by 0xB8B17C1: DOM::ElementImpl::detach() (dom_elementimpl.cpp:863)                                                                 
==7959==    by 0xB8A4C34: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1745)                                                                  
==7959==    by 0xB8B17C1: DOM::ElementImpl::detach() (dom_elementimpl.cpp:863)                                                                 
==7959==    by 0xB8A4C34: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1745)                                                                  
==7959==    by 0xB8B17C1: DOM::ElementImpl::detach() (dom_elementimpl.cpp:863)                                                                 
==7959==    by 0xB8A4C34: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1745)                                                                  
==7959==    by 0xB8B17C1: DOM::ElementImpl::detach() (dom_elementimpl.cpp:863)                                                                 
==7959==    by 0xB8B1422: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:937)                                  
==7959==    by 0xB8F75F8: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:280)                             
==7959==    by 0xB8B1526: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:968)                                  
==7959==    by 0xB8F75F8: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:280)                             
==7959==    by 0xB8946A9: DOM::DocumentImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_docimpl.cpp:1266)                                    
==7959==    by 0xB88AF78: DOM::DocumentImpl::updateRendering() (dom_docimpl.cpp:1295)                                                          
==7959==    by 0xB894295: DOM::DocumentImpl::updateDocumentsRendering() (dom_docimpl.cpp:1308)                                                 
==7959==    by 0xBA6F26B: KJS::Window::afterScriptExecution() (kjs_window.cpp:1270)                                                            
==7959==    by 0xBA9949A: KJS::JSEventListener::handleEvent(DOM::Event&) (kjs_events.cpp:119)                                                  
==7959==    by 0xB88D9A6: DOM::DocumentImpl::defaultEventHandler(DOM::EventImpl*) (dom_docimpl.cpp:2699)                                       
==7959==    by 0xB8AA974: DOM::NodeImpl::dispatchGenericEvent(DOM::EventImpl*, int&) (dom_nodeimpl.cpp:524)                                    
==7959==    by 0xB8A8FCA: DOM::NodeImpl::dispatchEvent(DOM::EventImpl*, int&, bool) (dom_nodeimpl.cpp:451)                                     
==7959==    by 0xB8AB0B9: DOM::NodeImpl::dispatchHTMLEvent(int, bool, bool) (dom_nodeimpl.cpp:550)                                             
==7959==    by 0xB9808F6: khtml::RenderLayer::scrollToOffset(int, int, bool, bool) (render_layer.cpp:719)                                      
==7959==    by 0xB98284A: khtml::RenderLayer::scrollToXOffset(int) (render_layer.h:184)                                                        
==7959==    by 0xB980CAB: khtml::Marquee::timerEvent(QTimerEvent*) (render_layer.cpp:1957)                                                     
==7959==    by 0x4E0DF1E: QObject::event(QEvent*) (qobject.cpp:1105)                                                                           
==7959==    by 0x541EBDB: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:3800)                                        
==7959==    by 0x5424FED: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:3392)                                                      
==7959==    by 0x46D4588: KApplication::notify(QObject*, QEvent*) (kapplication.cpp:311)                                                       
==7959==    by 0x4DFFD20: QCoreApplication::notifyInternal(QObject*, QEvent*) (qcoreapplication.cpp:587)                                       
==7959==    by 0x4E29B60: QTimerInfoList::activateTimers() (qcoreapplication.h:215)                                                            
==7959==    by 0x4E266EF: _ZL19timerSourceDispatchP8_GSourcePFiPvES1_ (qeventdispatcher_glib.cpp:166)                                          
==7959==    by 0x5E25799: g_main_context_dispatch (gmain.c:2142)                                                                               
==7959==    by 0x5E28EB7: g_main_context_iterate (gmain.c:2775)                                                                                
==7959==    by 0x5E29077: g_main_context_iteration (gmain.c:2838)                                                                              
==7959==    by 0x4E26647: QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventdispatcher_glib.cpp:325)           
==7959==    by 0x54A8594: QGuiEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qguieventdispatcher_glib.cpp:204)     
==7959==    by 0x4DFE489: QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventloop.cpp:149)                                
==7959==    by 0x4DFE649: QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (qeventloop.cpp:196)                                         
Comment 4 Maksim Orlovich 2008-09-12 01:44:35 UTC
OK, have a fix. Now just need to figure out how to make the test standalone..

Also, the original idea doesn't really help since event handlers can 
handle a detach or a restyle in other ways anyway.
Comment 5 Maksim Orlovich 2008-09-12 02:42:44 UTC
Fixed in r860095

I gave up on making a standalone reduction since the lighbox JS file registers 
a whole bunch of hooks. It'd probably be easier to figure out how to trigger an appropriately heavy detach...

Shame, since it's the very sort of bug a regression test would be highly useful on..