Bug 226667 - Crash when clicking on link with ONMOUSEDOWN and blank HREF
Summary: Crash when clicking on link with ONMOUSEDOWN and blank HREF
Status: RESOLVED FIXED
Alias: None
Product: konqueror
Classification: Applications
Component: khtml (other bugs)
Version First Reported In: 4.5.0
Platform: Compiled Sources Linux
Importance: NOR crash
Target Milestone: ---
Assignee: Konqueror Bugs
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-02-13 12:57 UTC by Jonathan Marten
Modified: 2013-11-06 11:57 UTC
CC List: 3 users

See Also:
Latest Commit:
Version Fixed In:
Sentry Crash Report:


Attachments
HTML page for test case (293 bytes, text/html)
2010-02-13 13:06 UTC, Jonathan Marten

Description Jonathan Marten 2010-02-13 12:57:49 UTC
Application: konqueror (4.4.63 (KDE 4.4.63 (KDE 4.5 >= 20100209)))
KDE Platform Version: 4.4.63 (KDE 4.4.63 (KDE 4.5 >= 20100209)) (Compiled from sources)
Qt Version: 4.6.1
Operating System: Linux 2.6.31-gentoo-r6 i686

-- Information about the crash:
The following, admittedly contrived, HTML code crashes the browser when the link is clicked (JS needs to be enabled, of course):

<A ONMOUSEDOWN="javascript:alert('Clicked me!')" HREF="">Click me to crash</A>

The assert is the same as is hit in bug 199752, but the call chain is different.


The crash can be reproduced every time.

-- Backtrace:
Application: Konqueror (konqueror), signal: Aborted
[KCrash Handler]
#6  0xb76f6424 in __kernel_vsyscall ()
#7  0xb59256e0 in raise () from /lib/libc.so.6
#8  0xb5926f15 in abort () from /lib/libc.so.6
#9  0xb591e90e in __assert_fail () from /lib/libc.so.6
#10 0xb2f203c8 in ~Interpreter (this=0x994a068, __in_chrg=<value optimized out>) at /ws/trunk/kdelibs/kjs/interpreter.cpp:269
#11 0xb32eb1b6 in ~ScriptInterpreter (this=0x994a068, __in_chrg=<value optimized out>) at /ws/trunk/kdelibs/khtml/ecma/kjs_binding.cpp:91
#12 0xb333d5fd in ~KJSProxyImpl (this=0x9a857f8, __in_chrg=<value optimized out>) at /ws/trunk/kdelibs/khtml/ecma/kjs_proxy.cpp:108
#13 0xb30c866f in ~ChildFrame (this=0x9a85750, __in_chrg=<value optimized out>) at /ws/trunk/kdelibs/khtml/khtmlpart_p.h:99
#14 0xb30bfbb0 in ~KHTMLPart (this=0x995f0c8, __in_chrg=<value optimized out>, __vtt_parm=<value optimized out>) at /ws/trunk/kdelibs/khtml/khtml_part.cpp:624
#15 0xb764abab in KonqView::switchView (this=0x995fe00, viewFactory=...) at /ws/trunk/kdebase/apps/konqueror/src/konqview.cpp:260
#16 0xb764b2ac in KonqView::changePart (this=0x995fe00, mimeType=..., serviceName=..., forceAutoEmbed=<value optimized out>) at /ws/trunk/kdebase/apps/konqueror/src/konqview.cpp:376
#17 0xb764ba98 in KonqView::ensureViewSupports (this=0x995fe00, mimeType=..., forceAutoEmbed=false) at /ws/trunk/kdebase/apps/konqueror/src/konqview.cpp:323
#18 0xb769bdfb in KonqMainWindow::openView (this=0x96c4510, mimeType=..., _url=..., childView=0x995fe00, req=...) at /ws/trunk/kdebase/apps/konqueror/src/konqmainwindow.cpp:917
#19 0xb769de0a in KonqMainWindow::openUrl (this=0x96c4510, _view=0x995fe00, _url=..., _mimeType=..., _req=..., trustedSource=false) at /ws/trunk/kdebase/apps/konqueror/src/konqmainwindow.cpp:639
#20 0xb76a0bac in KonqMainWindow::openUrlRequestHelper (this=0x96c4510, childView=0x995fe00, url=..., args=..., browserArgs=...) at /ws/trunk/kdebase/apps/konqueror/src/konqmainwindow.cpp:1025
#21 0xb76a0d8e in KonqMainWindow::slotOpenURLRequest (this=0x96c4510, url=..., args=..., browserArgs=...) at /ws/trunk/kdebase/apps/konqueror/src/konqmainwindow.cpp:1015
#22 0xb76a2b0d in KonqMainWindow::qt_metacall (this=0x96c4510, _c=QMetaObject::InvokeMetaMethod, _id=12, _a=0xbf8a9548)
    at /ws/BUILD.keelhaul/kdebase-trunk-BUILD/apps/konqueror/src/konqmainwindow.moc:351
#23 0xb699e008 in QMetaObject::metacall (object=0x96c4510, cl=QMetaObject::InvokeMetaMethod, idx=62, argv=0xbf8a9548) at kernel/qmetaobject.cpp:237
#24 0xb69aeeed in QMetaObject::activate (sender=0x99a1ca0, m=0xb756f82c, local_signal_index=5, argv=0xbf8a9548) at kernel/qobject.cpp:3272
#25 0xb7556fb5 in KParts::BrowserExtension::openUrlRequestDelayed (this=0x99a1ca0, _t1=..., _t2=..., _t3=...) at /ws/BUILD.keelhaul/kdelibs-trunk-BUILD/kparts/browserextension.moc:293
#26 0xb75598e3 in KParts::BrowserExtension::slotEmitOpenUrlRequestDelayed (this=0x99a1ca0) at /ws/trunk/kdelibs/kparts/browserextension.cpp:668
#27 0xb7559b60 in KParts::BrowserExtension::qt_metacall (this=0x99a1ca0, _c=QMetaObject::InvokeMetaMethod, _id=42, _a=0xbf8a98b8)
    at /ws/BUILD.keelhaul/kdelibs-trunk-BUILD/kparts/browserextension.moc:231
#28 0xb30ed796 in KHTMLPartBrowserExtension::qt_metacall (this=0x99a1ca0, _c=QMetaObject::InvokeMetaMethod, _id=46, _a=0xbf8a98b8) at /ws/BUILD.keelhaul/kdelibs-trunk-BUILD/khtml/khtml_ext.moc:91
#29 0xb699e008 in QMetaObject::metacall (object=0x99a1ca0, cl=QMetaObject::InvokeMetaMethod, idx=46, argv=0xbf8a98b8) at kernel/qmetaobject.cpp:237
#30 0xb69aeeed in QMetaObject::activate (sender=0x9ae2770, m=0xb6a6d288, local_signal_index=0, argv=0x0) at kernel/qobject.cpp:3272
#31 0xb69b9816 in QSingleShotTimer::timeout (this=0x9ae2770) at .moc/debug-shared/qtimer.moc:82
#32 QSingleShotTimer::timerEvent (this=0x9ae2770) at kernel/qtimer.cpp:308
#33 0xb69b35bb in QObject::event (this=0x9ae2770, e=0xbf8a9ea4) at kernel/qobject.cpp:1212
#34 0xb5e5ba0f in QApplicationPrivate::notify_helper (this=0x9638868, receiver=0x9ae2770, e=0xbf8a9ea4) at kernel/qapplication.cpp:4298
#35 0xb5e683ad in QApplication::notify (this=0xbf8ac13c, receiver=0x9ae2770, e=0xbf8a9ea4) at kernel/qapplication.cpp:4263
#36 0xb6edd5df in KApplication::notify (this=0xbf8ac13c, receiver=0x9ae2770, event=0xbf8a9ea4) at /ws/trunk/kdelibs/kdeui/kernel/kapplication.cpp:302
#37 0xb6996a1d in QCoreApplication::notifyInternal (this=0xbf8ac13c, receiver=0x9ae2770, event=0xbf8a9ea4) at kernel/qcoreapplication.cpp:704
#38 0xb69cc002 in QCoreApplication::sendEvent (this=0x9639160) at kernel/qcoreapplication.h:215
#39 QTimerInfoList::activateTimers (this=0x9639160) at kernel/qeventdispatcher_unix.cpp:603
#40 0xb69cd150 in QEventDispatcherUNIX::processEvents (this=0x9638828, flags=...) at kernel/qeventdispatcher_unix.cpp:924
#41 0xb5f29c24 in QEventDispatcherX11::processEvents (this=0x9638828, flags=...) at kernel/qeventdispatcher_x11.cpp:152
#42 0xb69955e3 in QEventLoop::processEvents (this=0xbf8aa11c, flags=...) at kernel/qeventloop.cpp:149
#43 0xb69957ad in QEventLoop::exec (this=0xbf8aa11c, flags=...) at kernel/qeventloop.cpp:197
#44 0xb6414352 in QDialog::exec (this=0x9a3c6b8) at dialogs/qdialog.cpp:530
#45 0xb6e53e3c in KMessageBox::createKMessageBox (dialog=0x9a3c6b8, icon=..., text=..., strlist=..., ask=..., checkboxReturn=0x0, options=..., details=..., notifyType=QMessageBox::Critical)
    at /ws/trunk/kdelibs/kdeui/dialogs/kmessagebox.cpp:333
#46 0xb6e54eb7 in KMessageBox::createKMessageBox (dialog=0x9a3c6b8, icon=QMessageBox::Critical, text=..., strlist=..., ask=..., checkboxReturn=0x0, options=..., details=...)
    at /ws/trunk/kdelibs/kdeui/dialogs/kmessagebox.cpp:151
#47 0xb6e55f90 in KMessageBox::errorListWId (parent_id=69206122, text=..., strlist=..., caption=..., options=...) at /ws/trunk/kdelibs/kdeui/dialogs/kmessagebox.cpp:845
#48 0xb6e56186 in KMessageBox::error (parent=0x9970708, text=..., caption=..., options=...) at /ws/trunk/kdelibs/kdeui/dialogs/kmessagebox.cpp:810
#49 0xb3331041 in KJS::WindowFunc::callAsFunction (this=0xb15a0e00, exec=0xbf8aaa70, thisObj=0xb15b0000, args=...) at /ws/trunk/kdelibs/khtml/ecma/kjs_window.cpp:1826
#50 0xb2f1d87a in KJS::JSObject::call (this=0xb15a0e00, exec=0xbf8aaa70, thisObj=0xb15b0000, args=...) at /ws/trunk/kdelibs/kjs/object.cpp:69
#51 0xb2f3dc7c in KJS::Machine::runBlock (exec=0xbf8aaa70, codeBlock=..., parentExec=0x994a078) at codes.def:1192
#52 0xb2f1836a in KJS::FunctionImp::callAsFunction (this=0xb15a0bc0, exec=0x994a078, thisObj=0xb15a0c00, args=...) at /ws/trunk/kdelibs/kjs/function.cpp:144
#53 0xb2f1d87a in KJS::JSObject::call (this=0xb15a0bc0, exec=0x994a078, thisObj=0xb15a0c00, args=...) at /ws/trunk/kdelibs/kjs/object.cpp:69
#54 0xb3354bbc in KJS::JSEventListener::handleEvent (this=0x9adfd40, evt=...) at /ws/trunk/kdelibs/khtml/ecma/kjs_events.cpp:106
#55 0xb311d1ee in DOM::NodeImpl::handleLocalEvents (this=0xbf8aab01, evt=0x9ae2270, useCapture=false) at /ws/trunk/kdelibs/khtml/xml/dom_nodeimpl.cpp:718
#56 0xb311ee5b in DOM::NodeImpl::dispatchGenericEvent (this=0x9a932e8, evt=0x9ae2270) at /ws/trunk/kdelibs/khtml/xml/dom_nodeimpl.cpp:501
#57 0xb311d315 in DOM::NodeImpl::dispatchEvent (this=0x9a932e8, evt=0x9ae2270, exceptioncode=@0xbf8aadc8, tempEvent=true) at /ws/trunk/kdelibs/khtml/xml/dom_nodeimpl.cpp:453
#58 0xb307d5a6 in KHTMLView::dispatchMouseEvent (this=0x9970708, eventId=4, targetNode=0x9a932e8, targetNodeNonShared=0x9adfbf0, cancelable=<value optimized out>, detail=1, 
    _mouse=<value optimized out>, setUnder=true, mouseEventType=0, orient=0) at /ws/trunk/kdelibs/khtml/khtmlview.cpp:3724
#59 0xb3087b52 in KHTMLView::mousePressEvent (this=0x9970708, _mouse=0xbf8aba48) at /ws/trunk/kdelibs/khtml/khtmlview.cpp:1240
#60 0xb5ecf3d2 in QWidget::event (this=0x9970708, event=0xbf8aba48) at kernel/qwidget.cpp:7974
#61 0xb6317679 in QFrame::event (this=0x9970708, e=0xbf8aba48) at widgets/qframe.cpp:557
#62 0xb3084658 in KHTMLView::widgetEvent (this=0x9970708, e=0xbf8aba48) at /ws/trunk/kdelibs/khtml/khtmlview.cpp:2345
#63 0xb308925d in KHTMLView::eventFilter (this=0x9970708, o=0x99756a8, e=0xbf8aba48) at /ws/trunk/kdelibs/khtml/khtmlview.cpp:2198
#64 0xb69965d4 in QCoreApplicationPrivate::sendThroughObjectEventFilters (this=0x9638868, receiver=0x99756a8, event=0xbf8aba48) at kernel/qcoreapplication.cpp:819
#65 0xb5e5b9ff in QApplicationPrivate::notify_helper (this=0x9638868, receiver=0x99756a8, e=0xbf8aba48) at kernel/qapplication.cpp:4294
#66 0xb5e693f0 in QApplication::notify (this=0xbf8ac13c, receiver=0x99756a8, e=0xbf8aba48) at kernel/qapplication.cpp:3863
#67 0xb6edd5df in KApplication::notify (this=0xbf8ac13c, receiver=0x99756a8, event=0xbf8aba48) at /ws/trunk/kdelibs/kdeui/kernel/kapplication.cpp:302
#68 0xb6996a1d in QCoreApplication::notifyInternal (this=0xbf8ac13c, receiver=0x99756a8, event=0xbf8aba48) at kernel/qcoreapplication.cpp:704
#69 0xb5e676bc in QCoreApplication::sendEvent (receiver=0x99756a8, event=0xbf8aba48, alienWidget=0x99756a8, nativeWidget=0x96c4510, buttonDown=0xb674dbf8, lastMouseReceiver=..., spontaneous=true)
    at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:215
#70 QApplicationPrivate::sendMouseEvent (receiver=0x99756a8, event=0xbf8aba48, alienWidget=0x99756a8, nativeWidget=0x96c4510, buttonDown=0xb674dbf8, lastMouseReceiver=..., spontaneous=true)
    at kernel/qapplication.cpp:2963
#71 0xb5efc6ce in QETWidget::translateMouseEvent (this=0x96c4510, event=0xbf8abec8) at kernel/qapplication_x11.cpp:4368
#72 0xb5efb2ec in QApplication::x11ProcessEvent (this=0xbf8ac13c, event=0xbf8abec8) at kernel/qapplication_x11.cpp:3379
#73 0xb5f29e5e in QEventDispatcherX11::processEvents (this=0x9638828, flags=...) at kernel/qeventdispatcher_x11.cpp:132
#74 0xb69955e3 in QEventLoop::processEvents (this=0xbf8abfd0, flags=...) at kernel/qeventloop.cpp:149
#75 0xb69957ad in QEventLoop::exec (this=0xbf8abfd0, flags=...) at kernel/qeventloop.cpp:197
#76 0xb699a742 in QCoreApplication::exec () at kernel/qcoreapplication.cpp:981
#77 0xb5e5ac24 in QApplication::exec () at kernel/qapplication.cpp:3577
#78 0xb76d4634 in kdemain (argc=2, argv=0xbf8ac384) at /ws/trunk/kdebase/apps/konqueror/src/konqmain.cpp:232
#79 0x0804879f in main (argc=) at /ws/BUILD.keelhaul/kdebase-trunk-BUILD/apps/konqueror/src/konqueror_dummy.cpp:3

Possible duplicates by query: bug 199752.

Reported using DrKonqi
Comment 1 Jonathan Marten 2010-02-13 13:06:32 UTC
Created attachment 40738 [details]
HTML page for test case

HTML page for test case attached.
Comment 2 Maksim Orlovich 2010-02-13 17:33:45 UTC
Nasty... event loop reentry. Thanks for the report + testcase
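The backtrace in the report shows the shape of the reentry: the click queues a delayed openUrlRequest for the empty HREF (frame #25), then dispatches ONMOUSEDOWN, whose handler calls alert(); the modal KMessageBox spins a nested event loop (frames #44 to #43), the queued navigation fires inside it, KonqView::switchView destroys the old KHTMLPart, and ~Interpreter runs while the script call that opened the dialog is still on the stack (frames #49 to #10). The following is an added example that models that sequence in plain C++; it is not khtml or Konqueror code, the names Browser, Part, Interpreter, EventLoop and simulateClick are hypothetical stand-ins, and the deferred-deletion guard it contrasts with is the general mitigation for this class of bug, not the fix that was actually committed.

```cpp
#include <cstdio>
#include <functional>
#include <memory>
#include <vector>

using Task = std::function<void()>;

// Stand-in for the Qt event loop: QTimer::singleShot-style tasks queued here
// run whenever someone spins the loop, including a modal dialog's nested loop.
struct EventLoop {
    std::vector<Task> queue;
    void spin() {
        while (!queue.empty()) {
            Task t = std::move(queue.front());
            queue.erase(queue.begin());
            t();
        }
    }
};

// Stand-in for KJS::Interpreter.  The real destructor asserts when a call is
// still active; here the violation is recorded in a flag so it can be checked.
struct Interpreter {
    int activeCalls = 0;
    bool* destroyedWhileActive;
    explicit Interpreter(bool* flag) : destroyedWhileActive(flag) {}
    ~Interpreter() { if (activeCalls > 0) *destroyedWhileActive = true; }
};

// Stand-in for KHTMLPart: owns the interpreter that runs the page's scripts.
struct Part {
    std::shared_ptr<Interpreter> interp;
    explicit Part(bool* flag) : interp(std::make_shared<Interpreter>(flag)) {}
};

struct Browser {
    EventLoop loop;
    std::unique_ptr<Part> part;
    std::vector<std::unique_ptr<Part>> retired;   // parts kept alive until scripts unwind
    bool deferDeletion;
    bool interpDestroyedWhileActive = false;

    explicit Browser(bool defer)
        : part(std::make_unique<Part>(&interpDestroyedWhileActive)), deferDeletion(defer) {}

    // KonqView::switchView analogue: the navigation replaces the current part.
    void switchView() {
        std::unique_ptr<Part> old = std::move(part);
        part = std::make_unique<Part>(&interpDestroyedWhileActive);
        if (deferDeletion && old->interp->activeCalls > 0)
            retired.push_back(std::move(old));   // hardened: destroy after the script returns
        // otherwise `old` dies here, taking the interpreter with it mid-call
    }

    // KMessageBox::error analogue: window.alert() blocks in a nested event loop,
    // and the delayed openUrlRequest queued by the click fires inside it.
    void modalAlert() { loop.spin(); }

    // The click: the navigation for the HREF is queued first, then ONMOUSEDOWN
    // is dispatched and its handler calls alert().
    void click() {
        loop.queue.push_back([this] { switchView(); });
        std::weak_ptr<Interpreter> running = part->interp;
        part->interp->activeCalls++;
        modalAlert();
        if (auto i = running.lock()) i->activeCalls--;  // null if the interpreter is already gone
        retired.clear();                                // now the old part can safely go
    }
};

// Returns true if the interpreter was torn down while a script call was active,
// i.e. the condition that trips the assertion in the reported backtrace.
bool simulateClick(bool deferDeletion) {
    Browser b(deferDeletion);
    b.click();
    return b.interpDestroyedWhileActive;
}

int main() {
    std::printf("immediate deletion: interpreter destroyed mid-call = %s\n",
                simulateClick(false) ? "yes" : "no");
    std::printf("deferred deletion:  interpreter destroyed mid-call = %s\n",
                simulateClick(true) ? "yes" : "no");
    return 0;
}
```

With immediate deletion the old part, and with it the interpreter, is freed from inside the nested loop while the script frame is still live, which is the use-after-free the assertion guards against; parking the part in a retired list until the outermost script call unwinds keeps the navigation behaviour but lets the interpreter finish its call before it is destroyed.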
Comment 3 Germain Garand 2010-02-13 18:21:33 UTC
@Maksim: incidentally, I have another nasty JS reentry crash testcase up at #225332 (reentry in RegExp::match)... aren't those lovely collectibles? :-)
Comment 4 Jonathan Marten 2011-05-31 18:09:54 UTC
Problem appears to be resolved (no crash, alert box appears) with current trunk.
Comment 5 Andrea Iacovitti 2013-11-06 11:57:59 UTC
(In reply to comment #4)
> Problem appears to be resolved (no crash, alert box appears) with current
> trunk.

Confirming (using version 4.11.3)