Version: (using KDE 4.3.3) OS: Linux Installed from: Fedora RPMs This was found by reviewing Firefox bug: https://bugzilla.mozilla.org/show_bug.cgi?id=525276 The URL which causes konqueror to crash is: http://www.hurriyet.com.tr/spor/ Scenario: --------- 1, echo "http://www.hurriyet.com.tr/spor/" > /tmp/url 2, ulimit -c unlimited 3, konqueror --nocrashhandler `cat /tmp/url` 4, after the page is loaded, enable JavaScript debugging: Settings->Configure Konqueror->Java&&JavaScript-> JavaScript tab, check in: v Enable debugger v Report errors Current result: --------------- Once you click "Apply" konqueror crashes with the stack trace below. Expected result: ---------------- No crash. Stack trace information (value of "other" and "this" not saved on the stack due to gcc optimization): --------------------------------------------- Core was generated by `konqueror --nocrashhandler http://www.hurriyet.com.tr/spor/'. Program terminated with signal 11, Segmentation fault. #0 QString (other=<value optimized out>, this=<value optimized out>) at /usr/include/QtCore/qstring.h:711 711 inline QString::QString(const QString &other) : d(other.d) (gdb) bt full #0 QString (other=<value optimized out>, this=<value optimized out>) at /usr/include/QtCore/qstring.h:711 No locals. #1 KJSDebugger::DebugDocument::name (other=<value optimized out>, this=<value optimized out>) at /usr/src/debug/kdelibs-4.3.3/khtml/ecma/debugger/debugdocument.cpp:81 No locals. 
#2 0x01b0be9d in KJSDebugger::DebugWindow::enterContext (this=<value optimized out>, exec=<value optimized out>, sourceId=10, lineno=<value optimized out>, function=<value optimized out>, args=<value optimized out>) at /usr/src/debug/kdelibs-4.3.3/khtml/ecma/debugger/debugwindow.cpp:735 ctx = 0x9c47258 document = {m_ptr = 0x0} stackEntry = {static null = {<No data fields>}, static shared_null = {ref = {_q_value = 16726}, alloc = 0, size = 0, data = 0xc8c63a, clean = 0, simpletext = 0, righttoleft = 0, asciiCache = 0, capacity = 0, reserved = 0, array = {0}}, static shared_empty = {ref = { _q_value = 173}, alloc = 0, size = 0, data = 0xc8c64e, clean = 0, simpletext = 0, righttoleft = 0, asciiCache = 0, capacity = 0, reserved = 0, array = {0}}, d = 0x94b19f0, static codecForCStrings = 0x0} #3 0x0524f6f9 in KJS::FunctionImp::callAsFunction (this=<value optimized out>, exec=<value optimized out>, thisObj=<value optimized out>, args=<value optimized out>) at /usr/src/debug/kdelibs-4.3.3/kjs/function.cpp:135 cont = <value optimized out> dbg = <value optimized out> newExec = {<KJS::ExecState> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_interpreter = 0x928fe38, m_completion = {comp = Normal, val = 0x0, tar = 0}, m_propertyNames = 0x928f718, m_callingExec = 0xbf928760, m_savedExec = 0xbf928760, m_currentBody = 0x94b19f0, m_function = 0xb3556160, scope = {m_top = {ptr = 3008730272}}, m_variable = 0xb35594a0, m_thisVal = 0xb3560000, m_localStore = 0x0, m_localStoreSize = 3214050184, m_pcBase = 0x0, m_pc = 0x0, m_machineLocalStore = 0x0, m_exceptionHandlers = {m_size = 0, m_buffer = {<WTF::VectorBufferBase<KJS::ExecState::ExceptionHandler>> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_buffer = 0xbf9282d0, m_capacity = 4}, static m_inlineBufferSize = <optimized out>, m_inlineBuffer = "\377\003\000\000`\207\222\277 \340]\t\333(<e\001\000\000\000\006\000\000\000\373\255%\005x\220\334\001"}}, m_deferredCompletions = {m_size = 0, m_buffer = 
{<WTF::VectorBufferBase<KJS::Completion>> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_buffer = 0xbf9282fc, m_capacity = 4}, static m_inlineBufferSize = <optimized out>, m_inlineBuffer = "V\270\253\001\070\376(\t\240\350\302\t8\376(\t8\376(\t\200\205\222\277\000\000\000\000ۻ\260\001\370\362*\005\001\000\000\000\350\355]\tX\203\222\277"}}, m_activePropertyNameArrays = {m_size = 0, m_buffer = {<WTF::VectorBufferBase<KJS::ExecState::PropertyNameArrayInfo>> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_buffer = 0xbf928338, m_capacity = 2}, static m_inlineBufferSize = <optimized out>, m_inlineBuffer = "a\001\000\000\350Y\032\t\001\000\000\000\000\000\000"}}, m_codeType = FunctionCode}, <No data fields>} body = 0x94b19f0 currentState = <value optimized out> stackSize = <value optimized out> stackSpace = <value optimized out> activation = <value optimized out> regs = <value optimized out> result = <value optimized out> #4 0x052533ae in KJS::JSObject::call (this=<value optimized out>, exec=<value optimized out>, thisObj=<value optimized out>, args=<value optimized out>) at /usr/src/debug/kdelibs-4.3.3/kjs/object.cpp:69 depth = 1 ret = <value optimized out> #5 0x052713d7 in KJS::Machine::runBlock (exec=0xbf928760, codeBlock=..., parentExec=0x0) at codes.def:1192 thisVal = 0x0 val = 0x0 fbDestReg = 5 v = 0xb3556160 kjsVMOpHandlers = {0x526de98, 0x526ddc8, 0x526dda2, 0x526dd79, 0x526dd53, 0x526dde9, 0x526bfb2, 0x526bfb8, 0x526de12, 0x526bff1, 0x526bff7, 0x526de4b, 0x526c041, 0x526c047, 0x526df3f, 0x526df1f, 0x526defc, 0x526e546, 0x526e4fd, 0x526e4e0, 0x526e4c0, 0x526c08a, 0x526c090, 0x526e6e3, 0x526c0b7, 0x526c0bd, 0x526e674, 0x526c13d, 0x526c143, 0x526e626, 0x526e5ff, 0x526e589, 0x526c1b1, 0x526c1b7, 0x526ea4f, 0x526c1e1, 0x526c1e7, 0x526d87a, 0x526c219, 0x526c21f, 0x526d8af, 0x526e009, 0x526d26d, 0x5268091, 0x526e014, 0x526e02b, 0x526dfe0, 0x526dfa5, 0x526df82, 0x526ea26, 0x526e9eb, 0x526c23f, 0x526c245, 0x526eaf8, 0x526ea79, 0x526c3b2, 0x526c3b8, 
0x526dac4, 0x526c4a0, 0x526c4a6, 0x526da46, 0x526d85d, 0x526d83a, 0x526ec7e, 0x526ec68, 0x526d9ad, 0x526c4da, 0x526c4e0, 0x526d9d2, 0x526d919, 0x526d8ef, 0x526d8bf, 0x526c52d, 0x526c533, 0x526dc32, 0x526da7d, 0x526c553, 0x526c559, 0x526dbe5, 0x526dbb0, 0x5268049, 0x526804f, 0x5268091, 0x52680a2, 0x52680a8, 0x5268119, 0x526811f, 0x526f17b, 0x5268196, 0x526819c, 0x526841b, 0x5268421, 0x52686b3, 0x52686b9, 0x52687ca, 0x52687d0, 0x526914e, 0x5269154, 0x52688b5, 0x52688bb, 0x52689bd, 0x52689c3, 0x5268ae5, 0x5268aeb, 0x5268c3d, 0x5268c43, 0x5268e80, 0x5268e86, 0x5269102, 0x5269108, 0x526ed78, 0x526ecf2, 0x5269128, 0x526912e, 0x526c9bc, 0x526c99e, 0x526c97d, 0x526c960, 0x526c9dc, 0x5269401, 0x5269407, 0x526c9fc, 0x5269447, 0x526944d, 0x5269489, 0x526948f, 0x52694da, 0x52694e0, 0x5269588, 0x526958e, 0x52695e1, 0x52695e7, 0x5269641, 0x5269647, 0x526967c, 0x5269682, 0x52696ba, 0x52696c0, 0x526974d, 0x5269753, 0x526ee50, 0x526ee1b, 0x526ef78, 0x526987b, 0x5269881, 0x526efbc, 0x526ed98, 0x526f0f5, 0x52699c4, 0x52699ca, 0x5269ae4, 0x5269aea, 0x5269c07, 0x5269c0d, 0x526e04e, 0x5269d26, 0x5269d2c, 0x526e165, 0x5269d68, 0x5269d6e, 0x526e1ad, 0x5269db9, 0x5269dbf, 0x5269fbd, 0x5269fc3, 0x526abdd, 0x526abe3, 0x526ac1b, 0x526ac21, 0x526a900, 0x526a906, 0x526a983, 0x526a989, 0x526e36b, 0x526aadd, 0x526aae3, 0x526ab5a, 0x526ab60, 0x526cb58, 0x526cad7, 0x5269ff8, 0x5269ffe, 0x526cc63, 0x526ccbe, 0x526a028, 0x526a02e, 0x526a0f4, 0x526a0fa, 0x526a12e, 0x526a134, 0x526a16b, 0x526a171, 0x526a1a5, 0x526a1ab, 0x526a1e2, 0x526a1e8, 0x526ca93, 0x526ca3c, 0x526a20a, 0x526a210...} localStore = 0x9c48244 globalObject = 0xb3560000 base = 0x9c481b8 "W" pc = 0x9c48218 "n" workList = {_impBase = 0x52afb84} #6 0x05220ffa in KJS::FunctionBodyNode::execute (this=<value optimized out>, exec=<value optimized out>) at /usr/src/debug/kdelibs-4.3.3/kjs/nodes.cpp:928 ctype = <value optimized out> val = <value optimized out> cmpType = <value optimized out> regs = 0x9c48244 result = {comp = 3214050816, val = 
0xbf928628, tar = 0} #7 0x05256642 in KJS::Interpreter::evaluate (this=<value optimized out>, sourceURL=<value optimized out>, startingLineNumber=<value optimized out>, code=<value optimized out>, codeLength=<value optimized out>, thisV=<value optimized out>) at /usr/src/debug/kdelibs-4.3.3/kjs/interpreter.cpp:556 newExec = {<KJS::ExecState> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_interpreter = 0x928fe38, m_completion = {comp = Normal, val = 0x0, tar = 0}, m_propertyNames = 0x928f718, m_callingExec = 0x0, m_savedExec = 0x928fe48, m_currentBody = 0x92dc5f0, m_function = 0x0, scope = {m_top = {ptr = 163850465}}, m_variable = 0xb3560000, m_thisVal = 0xb3560000, m_localStore = 0x9c48244, m_localStoreSize = 6, m_pcBase = 0x9c481b8 "W", m_pc = 0xbf928658, m_machineLocalStore = 0xbf928650, m_exceptionHandlers = {m_size = 1, m_buffer = {<WTF::VectorBufferBase<KJS::ExecState::ExceptionHandler>> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_buffer = 0xbf9287b0, m_capacity = 4}, static m_inlineBufferSize = <optimized out>, m_inlineBuffer = "\000\000\000\000t\000\000\000\000\000\000\000T\247\276\004\060\000\000\000\\\210\222\277\370\207\222\277\252\036\273\004"}}, m_deferredCompletions = {m_size = 0, m_buffer = {<WTF::VectorBufferBase<KJS::Completion>> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_buffer = 0xbf9287dc, m_capacity = 4}, static m_inlineBufferSize = <optimized out>, m_inlineBuffer = "\034\000\000\000\000\000\000\000\000\000\000\020\220\036\273\004\370\362*\005\016\000\000\000\\\210\222\277(\210\222\277\rt!\005\060\000\000\000\034\000\000\000(\210\222\277"}}, m_activePropertyNameArrays = {m_size = 0, m_buffer = {<WTF::VectorBufferBase<KJS::ExecState::PropertyNameArrayInfo>> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_buffer = 0xbf928818, m_capacity = 2}, static m_inlineBufferSize = <optimized out>, m_inlineBuffer = "\005\000\000\000x\220\334\001\016\000\000\000\034\000\000"}}, m_codeType = GlobalCode}, <No data 
fields>} sourceId = 353 errLine = -1 errMsg = {m_rep = {m_ptr = 0x52af7c0}} thisObj = <value optimized out> globalObj = <value optimized out> res = {comp = Normal, val = 0x0, tar = 0} #8 0x05256838 in KJS::Interpreter::evaluate (this=<value optimized out>, sourceURL=<value optimized out>, startingLineNumber=<value optimized out>, code=<value optimized out>, thisV=<value optimized out>) at /usr/src/debug/kdelibs-4.3.3/kjs/interpreter.cpp:496 No locals. #9 0x01acee20 in KJS::KJSProxyImpl::evaluate (this=<value optimized out>, filename=<value optimized out>, baseLine=<value optimized out>, str=<value optimized out>, n=<value optimized out>, completion=<value optimized out>) at /usr/src/debug/kdelibs-4.3.3/khtml/ecma/kjs_proxy.cpp:158 inlineCode = 236 window = <value optimized out> thisNode = 0xb3560000 success = false __PRETTY_FUNCTION__ = "virtual QVariant KJS::KJSProxyImpl::evaluate(QString, int, const QString&, const DOM::Node&, KJS::Completion*)" code = {m_rep = {m_ptr = 0x9c460b8}} comp = {comp = 152721896, val = 0x43460b0, tar = 1} #10 0x0185c67a in KHTMLPart::executeScript (this=<value optimized out>, n=<value optimized out>, script=<value optimized out>) at /usr/src/debug/kdelibs-4.3.3/khtml/khtml_part.cpp:1377 proxy = 0x9297d28 comp = {comp = Normal, val = 0x0, tar = 0} ret = {d = {data = {c = -27 '\345', i = 28109541, u = 28109541, b = 229, d = 8.1722973869915181e-265, ll = 655935548731222757, ull = 655935548731222757, ptr = 0x1aceae5, shared = 0x1aceae5}, type = 32, is_shared = 0, is_null = 0}, static handler = 0x75087a0} #11 0x01ab3da4 in KJS::ScheduledAction::execute (this=<value optimized out>, window=<value optimized out>) at /usr/src/debug/kdelibs-4.3.3/khtml/ecma/kjs_window.cpp:2196 part = 0x91a59e8 interpreter = <value optimized out> #12 0x01ab5902 in KJS::WindowQObject::timerEvent (this=<value optimized out>) at /usr/src/debug/kdelibs-4.3.3/khtml/ecma/kjs_window.cpp:2362 ok = <value optimized out> action = 0x926dbf0 _container_ = {c = {{p = {static 
shared_null = {ref = {_q_value = 32523}, alloc = 0, begin = 0, end = 0, sharable = 1, array = {0x0}}, d = 0x9c2fe28}, d = 0x9c2fe28}}, brk = 0, i = {i = 0x9c2fe3c}, e = {i = 0x9c2fe40}} current = {mDate = {jd = 152721896}, mTime = {mds = 163774012}} toExecute = {{p = {static shared_null = {ref = {_q_value = 32523}, alloc = 0, begin = 0, end = 0, sharable = 1, array = {0x0}}, d = 0x9c2fe28}, d = 0x9c2fe28}} #13 0x00b9ad3f in QObject::event (this=<value optimized out>, e=<value optimized out>) at kernel/qobject.cpp:1074 No locals. #14 0x06c70b24 in QApplicationPrivate::notify_helper (this=<value optimized out>, receiver=<value optimized out>, e=<value optimized out>) at kernel/qapplication.cpp:4065 consumed = <value optimized out> #15 0x06c78281 in QApplication::notify (this=<value optimized out>, receiver=<value optimized out>, e=<value optimized out>) at kernel/qapplication.cpp:3605 res = <value optimized out> #16 0x00eb702b in KApplication::notify (this=<value optimized out>, receiver=<value optimized out>, event=<value optimized out>) at /usr/src/debug/kdelibs-4.3.3/kdeui/kernel/kapplication.cpp:302 No locals. #17 0x00b8ad73 in QCoreApplication::notifyInternal (this=<value optimized out>, receiver=<value optimized out>, event=<value optimized out>) at kernel/qcoreapplication.cpp:610 threadData = 0x8fc0820 returnValue = <value optimized out> result = false cbdata = {0x928fe08, 0xbf928ec0, 0xbf928e4f} #18 0x00bb82be in sendEvent (event=<value optimized out>, receiver=<value optimized out>) at kernel/qcoreapplication.h:213 No locals. 
#19 QTimerInfoList::activateTimers (event=<value optimized out>, receiver=<value optimized out>) at kernel/qeventdispatcher_unix.cpp:580 e = {<QEvent> = {_vptr.QEvent = 0xc8a918, d = 0x0, t = 1, posted = 0, spont = 0, m_accept = 1, reserved = 6130}, id = 16777241} firstTime = false n_act = <value optimized out> saveFirstTimerInfo = 0x0 maxCount = <value optimized out> saveCurrentTimerInfo = 0x0 #20 0x00bb5c21 in timerSourceDispatch (source=<value optimized out>) at kernel/qeventdispatcher_glib.cpp:165 No locals. #21 0x01194118 in g_main_dispatch (context=<value optimized out>) at gmain.c:1960 dispatch = 0xbb5c00 <timerSourceDispatch(GSource*, GSourceFunc, gpointer)> user_data = 0x0 callback = 0 cb_funcs = 0x0 cb_data = <value optimized out> current_source_link = {data = 0x8fdb398, next = 0x0} source = 0x8fdb398 current = <value optimized out> i = <value optimized out> #22 IA__g_main_context_dispatch (context=<value optimized out>) at gmain.c:2513 No locals. #23 0x01197a48 in g_main_context_iterate (context=<value optimized out>, block=<value optimized out>, dispatch=<value optimized out>, self=<value optimized out>) at gmain.c:2591 max_priority = 0 timeout = 0 some_ready = 1 nfds = <value optimized out> allocated_nfds = <value optimized out> fds = <value optimized out> __PRETTY_FUNCTION__ = "g_main_context_iterate" #24 0x01197b74 in IA__g_main_context_iteration (context=0x8fdaa90, may_block=<value optimized out>) at gmain.c:2654 retval = 0 #25 0x00bb5b6d in QEventDispatcherGlib::processEvents (this=<value optimized out>, flags=<value optimized out>) at kernel/qeventdispatcher_glib.cpp:327 d = 0x8fd87e8 canWait = true result = <value optimized out> #26 0x06d10356 in QGuiEventDispatcherGlib::processEvents (this=<value optimized out>, flags=<value optimized out>) at kernel/qguieventdispatcher_glib.cpp:202 d = 0x8fd87e8 returnValue = <value optimized out> #27 0x00b892aa in QEventLoop::processEvents (this=<value optimized out>, flags=<value optimized out>) at 
kernel/qeventloop.cpp:149 d = 0x905afc8 #28 0x00b8970a in QEventLoop::exec (this=<value optimized out>, flags=<value optimized out>) at kernel/qeventloop.cpp:201 d = 0x905afc8 app = <value optimized out> #29 0x00b8bbf7 in QCoreApplication::exec () at kernel/qcoreapplication.cpp:888 threadData = 0x8fc0820 eventLoop = {<QObject> = {_vptr.QObject = 0xc8b988, static staticMetaObject = {d = {superdata = 0x0, stringdata = 0xc24840 "QObject", data = 0xc248e0, extradata = 0xc87398}}, d_ptr = 0x905afc8, static staticQtMetaObject = {d = {superdata = 0x0, stringdata = 0xc2e020 "Qt", data = 0xc313a0, extradata = 0x0}}}, static staticMetaObject = {d = {superdata = 0xc87388, stringdata = 0xc36440 "QEventLoop", data = 0xc36460, extradata = 0x0}}} returnCode = -1 #30 0x06c709a8 in QApplication::exec () at kernel/qapplication.cpp:3525 No locals. #31 0x00a215f1 in kdemain (argc=<value optimized out>, argv=<value optimized out>) at /usr/src/debug/kdebase-4.3.3/apps/konqueror/src/konqmain.cpp:257 app = {<KApplication> = {<QApplication> = {<QCoreApplication> = {<QObject> = {_vptr.QObject = 0xa4b128, static staticMetaObject = {d = { superdata = 0x0, stringdata = 0xc24840 "QObject", data = 0xc248e0, extradata = 0xc87398}}, d_ptr = 0x8fd8690, static staticQtMetaObject = {d = {superdata = 0x0, stringdata = 0xc2e020 "Qt", data = 0xc313a0, extradata = 0x0}}}, static staticMetaObject = {d = {superdata = 0xc87388, stringdata = 0xc364c0 "QCoreApplication", data = 0xc36560, extradata = 0x0}}, static self = 0xbf9292bc}, static staticMetaObject = {d = {superdata = 0xc8b9c4, stringdata = 0x7309540 "QApplication", data = 0x7309740, extradata = 0x0}}}, static staticMetaObject = {d = {superdata = 0x750faa8, stringdata = 0x10404a0 "KApplication", data = 0x1040640, extradata = 0x0}}, static loadedByKdeinit = false, static KApp = 0xbf9292bc, d = 0x8ffd350}, static staticMetaObject = {d = { superdata = 0x10cb0c0, stringdata = 0xa23620 "KonquerorApplication", data = 0xa23700, extradata = 0x0}}, 
closed_by_sm = false} __PRETTY_FUNCTION__ = "int kdemain(int, char**)" options = {d = 0x8fd7ae0} args = <value optimized out> crashlog_file = {<QTemporaryFile> = {<QFile> = {<QIODevice> = {<QObject> = {_vptr.QObject = 0x5bd0788, static staticMetaObject = {d = { superdata = 0x0, stringdata = 0xc24840 "QObject", data = 0xc248e0, extradata = 0xc87398}}, d_ptr = 0x9057318, static staticQtMetaObject = {d = {superdata = 0x0, stringdata = 0xc2e020 "Qt", data = 0xc313a0, extradata = 0x0}}}, static staticMetaObject = {d = {superdata = 0xc87388, stringdata = 0xc357a0 "QIODevice", data = 0xc35800, extradata = 0x0}}}, static staticMetaObject = {d = {superdata = 0xc8b208, stringdata = 0xc35740 "QFile", data = 0xc35760, extradata = 0x0}}}, static staticMetaObject = {d = {superdata = 0xc8b168, stringdata = 0xc358a0 "QTemporaryFile", data = 0xc358c0, extradata = 0x0}}}, d = 0x905ac40} #32 0x080486dc in main (argc=<value optimized out>, argv=<value optimized out>) at /usr/src/debug/kdebase-4.3.3/i686-redhat-linux-gnu/apps/konqueror/src/konqueror_dummy.cpp:3 No locals. Additional info: ---------------- This seems to be similar to: https://bugs.kde.org/show_bug.cgi?id=195318 and https://bugs.kde.org/show_bug.cgi?id=171747 But from what I can tell, the crash seems to occur on a different line (due to a NULL ptr deref of 'other' || 'this'? note that frame #2 above shows document = {m_ptr = 0x0}, which is consistent with that). Issue experienced in kdelibs-4.3.3, but assuming newer / latest kdelibs releases will behave in a similar way. Please let me know if you need the stack trace to be recompiled without the gcc optimization (to see the values of "<value optimized out>"). Thanks && Regards, Jan. -- Jan iankko Lieskovsky
This issue is being tracked at bug 198621. Thanks for the detailed information. *** This bug has been marked as a duplicate of bug 198621 ***