Bug 236666 - [testcase] [patch] konqueror crashed
Summary: [testcase] [patch] konqueror crashed
Status: RESOLVED FIXED
Alias: None
Product: konqueror
Classification: Applications
Component: khtml renderer
Version: 4.10.97
Platform: openSUSE Linux
: NOR crash
Target Milestone: ---
Assignee: Konqueror Developers
URL:
Keywords: reproducible, testcase
Depends on:
Blocks:
 
Reported: 2010-05-07 09:44 UTC by anton
Modified: 2013-10-26 23:52 UTC

See Also:
Latest Commit:
Version Fixed In: 4.11.3


Attachments
draft patch to fix the bug (563 bytes, patch)
2010-05-07 16:49 UTC, Dmitriy Taychenachev
Details
online testcase posted in comment #1 (345 bytes, text/html)
2013-08-01 16:43 UTC, Andrea Iacovitti
Details

Description anton 2010-05-07 09:44:25 UTC
Application: konqueror (4.4.2 (KDE 4.4.2) "release 234")
KDE Platform Version: 4.4.2 (KDE 4.4.2) "release 234"
Qt Version: 4.6.2
Operating System: Linux 2.6.31.5-0.1-desktop x86_64
Distribution: "openSUSE 11.2 (x86_64)"

-- Information about the crash:
I had many tabs opened in one konqueror window, clicked on the http://www.job.ru/law/1645746 link inside one of the tabs and konqueror crashed. After restoring the session/repeating the situation the crash did not happen.

The crash does not seem to be reproducible.

 -- Backtrace:
Application: Konqueror (kdeinit4), signal: Segmentation fault
[KCrash Handler]
#5  d_func (this=<value optimized out>) at ../../src/gui/kernel/qwidget.h:143
#6  QWidget::setEnabled (this=<value optimized out>) at kernel/qwidget.cpp:3063
#7  0x00007f0ae11e502d in khtml::RenderLayer::checkScrollbarsAfterLayout (this=0x3888950) at /usr/src/debug/kdelibs-4.4.2/khtml/rendering/render_layer.cpp:921
#8  0x00007f0ae11c6015 in khtml::RenderObject::attemptDirectLayerTranslation (this=0x3888888) at /usr/src/debug/kdelibs-4.4.2/khtml/rendering/render_object.cpp:2171
#9  0x00007f0ae11cf4e8 in khtml::RenderObject::setStyle (this=0x3888888, style=0xcee4800) at /usr/src/debug/kdelibs-4.4.2/khtml/rendering/render_object.cpp:2111
#10 0x00007f0ae11d082e in khtml::RenderContainer::setStyle (this=0x0, _style=0x0) at /usr/src/debug/kdelibs-4.4.2/khtml/rendering/render_container.cpp:264
#11 0x00007f0ae11d42de in khtml::RenderBox::setStyle (this=0x3888888, _style=0xcee4800) at /usr/src/debug/kdelibs-4.4.2/khtml/rendering/render_box.cpp:153
#12 0x00007f0ae11b560b in khtml::RenderBlock::setStyle (this=0x3888888, _style=0x0) at /usr/src/debug/kdelibs-4.4.2/khtml/rendering/render_block.cpp:123
#13 0x00007f0ae11217be in DOM::ElementImpl::recalcStyle (this=0xf57e1f0, change=NoInherit) at /usr/src/debug/kdelibs-4.4.2/khtml/xml/dom_elementimpl.cpp:995
#14 0x00007f0ae116c949 in DOM::HTMLElementImpl::recalcStyle (this=0x0, ch=NoChange) at /usr/src/debug/kdelibs-4.4.2/khtml/html/html_elementimpl.cpp:238
#15 0x00007f0ae1121807 in DOM::ElementImpl::recalcStyle (this=0xd1d9e50, change=NoInherit) at /usr/src/debug/kdelibs-4.4.2/khtml/xml/dom_elementimpl.cpp:1015
#16 0x00007f0ae116c949 in DOM::HTMLElementImpl::recalcStyle (this=0x0, ch=NoChange) at /usr/src/debug/kdelibs-4.4.2/khtml/html/html_elementimpl.cpp:238
#17 0x00007f0ae1121807 in DOM::ElementImpl::recalcStyle (this=0x968faf0, change=NoChange) at /usr/src/debug/kdelibs-4.4.2/khtml/xml/dom_elementimpl.cpp:1015
#18 0x00007f0ae116c949 in DOM::HTMLElementImpl::recalcStyle (this=0x0, ch=NoChange) at /usr/src/debug/kdelibs-4.4.2/khtml/html/html_elementimpl.cpp:238
#19 0x00007f0ae1121807 in DOM::ElementImpl::recalcStyle (this=0x5dc2430, change=NoChange) at /usr/src/debug/kdelibs-4.4.2/khtml/xml/dom_elementimpl.cpp:1015
#20 0x00007f0ae116c949 in DOM::HTMLElementImpl::recalcStyle (this=0x0, ch=NoChange) at /usr/src/debug/kdelibs-4.4.2/khtml/html/html_elementimpl.cpp:238
#21 0x00007f0ae1110aff in DOM::DocumentImpl::recalcStyle (this=0x9dc6c50, change=NoChange) at /usr/src/debug/kdelibs-4.4.2/khtml/xml/dom_docimpl.cpp:1435
#22 0x00007f0ae110c571 in DOM::DocumentImpl::updateLayout (this=0x9dc6c50) at /usr/src/debug/kdelibs-4.4.2/khtml/xml/dom_docimpl.cpp:1493
#23 0x00007f0ae12b3501 in KJS::DOMNode::getValueProperty (this=0x7f0ae4fe90c0, exec=0x7fffbeabcc50, token=62) at /usr/src/debug/kdelibs-4.4.2/khtml/ecma/kjs_dom.cpp:374
#24 0x00007f0ae0a16fe0 in getValue (propertyName=<value optimized out>, originalObject=<value optimized out>, exec=<value optimized out>, this=<value optimized out>)
    at /usr/src/debug/kdelibs-4.4.2/kjs/property_slot.h:46
#25 KJS::JSObject::get (propertyName=<value optimized out>, originalObject=<value optimized out>, exec=<value optimized out>, this=<value optimized out>)
    at /usr/src/debug/kdelibs-4.4.2/kjs/object.cpp:133
#26 0x00007f0ae0a2f4b6 in KJS::Machine::runBlock (exec=0x7fffbeabcc50, codeBlock=<value optimized out>, parentExec=<value optimized out>) at codes.def:715
#27 0x00007f0ae0a13dfa in KJS::FunctionImp::callAsFunction (this=0x7f0ae4fb5a00, exec=0x7fffbeabd640, thisObj=<value optimized out>, args=<value optimized out>)
    at /usr/src/debug/kdelibs-4.4.2/kjs/function.cpp:144
#28 0x00007f0ae0a176b9 in KJS::JSObject::call (this=0x0, exec=0x0, thisObj=0x0, args=...) at /usr/src/debug/kdelibs-4.4.2/kjs/object.cpp:70
#29 0x00007f0ae0a338ba in KJS::Machine::runBlock (exec=0x7fffbeabd640, codeBlock=<value optimized out>, parentExec=<value optimized out>) at codes.def:1192
#30 0x00007f0ae0a13dfa in KJS::FunctionImp::callAsFunction (this=0x7f0ad63453c0, exec=0x7fffbeabe100, thisObj=<value optimized out>, args=<value optimized out>)
    at /usr/src/debug/kdelibs-4.4.2/kjs/function.cpp:144
#31 0x00007f0ae0a176b9 in KJS::JSObject::call (this=0x0, exec=0x0, thisObj=0x0, args=...) at /usr/src/debug/kdelibs-4.4.2/kjs/object.cpp:70
#32 0x00007f0ae09fa0c5 in KJS::FunctionProtoFunc::callAsFunction (this=<value optimized out>, exec=0x7fffbeabe100, thisObj=0x7f0ad63453c0, args=<value optimized out>)
    at /usr/src/debug/kdelibs-4.4.2/kjs/function_object.cpp:123
#33 0x00007f0ae0a176b9 in KJS::JSObject::call (this=0x0, exec=0x0, thisObj=0x0, args=...) at /usr/src/debug/kdelibs-4.4.2/kjs/object.cpp:70
#34 0x00007f0ae0a338ba in KJS::Machine::runBlock (exec=0x7fffbeabe100, codeBlock=<value optimized out>, parentExec=<value optimized out>) at codes.def:1192
#35 0x00007f0ae0a13dfa in KJS::FunctionImp::callAsFunction (this=0x7f0ae4fe6e40, exec=0x7fffbeabebc0, thisObj=<value optimized out>, args=<value optimized out>)
    at /usr/src/debug/kdelibs-4.4.2/kjs/function.cpp:144
#36 0x00007f0ae0a176b9 in KJS::JSObject::call (this=0x0, exec=0x0, thisObj=0x0, args=...) at /usr/src/debug/kdelibs-4.4.2/kjs/object.cpp:70
#37 0x00007f0ae09fa0c5 in KJS::FunctionProtoFunc::callAsFunction (this=<value optimized out>, exec=0x7fffbeabebc0, thisObj=0x7f0ae4fe6e40, args=<value optimized out>)
    at /usr/src/debug/kdelibs-4.4.2/kjs/function_object.cpp:123
#38 0x00007f0ae0a176b9 in KJS::JSObject::call (this=0x0, exec=0x0, thisObj=0x0, args=...) at /usr/src/debug/kdelibs-4.4.2/kjs/object.cpp:70
#39 0x00007f0ae0a338ba in KJS::Machine::runBlock (exec=0x7fffbeabebc0, codeBlock=<value optimized out>, parentExec=<value optimized out>) at codes.def:1192
#40 0x00007f0ae0a13dfa in KJS::FunctionImp::callAsFunction (this=0x7f0ae4fdb2c0, exec=0xe099d0, thisObj=<value optimized out>, args=<value optimized out>)
    at /usr/src/debug/kdelibs-4.4.2/kjs/function.cpp:144
#41 0x00007f0ae0a176b9 in KJS::JSObject::call (this=0x0, exec=0x0, thisObj=0x0, args=...) at /usr/src/debug/kdelibs-4.4.2/kjs/object.cpp:70
#42 0x00007f0ae1315913 in KJS::JSEventListener::handleEvent (this=0x10ad0f20, evt=...) at /usr/src/debug/kdelibs-4.4.2/khtml/ecma/kjs_events.cpp:106
#43 0x00007f0ae1102b96 in DOM::DocumentImpl::defaultEventHandler (this=<value optimized out>, evt=0x1a2b0c90) at /usr/src/debug/kdelibs-4.4.2/khtml/xml/dom_docimpl.cpp:2749
#44 0x00007f0ae1119578 in DOM::NodeImpl::dispatchWindowEvent (this=0x17abdb70, _id=26, canBubbleArg=<value optimized out>, cancelableArg=<value optimized out>)
    at /usr/src/debug/kdelibs-4.4.2/khtml/xml/dom_nodeimpl.cpp:568
#45 0x00007f0ae118fd0a in DOM::HTMLPartContainerElementImpl::event (this=<value optimized out>, e=0x15a42000) at /usr/src/debug/kdelibs-4.4.2/khtml/html/html_objectimpl.cpp:150
#46 0x00007f0af3291e1c in QApplicationPrivate::notify_helper (this=0x671bf0, receiver=0x17abdb60, e=0x15a42000) at kernel/qapplication.cpp:4300
#47 0x00007f0af32983fb in QApplication::notify (this=0x7fffbeabf8e0, receiver=0x17abdb60, e=0x15a42000) at kernel/qapplication.cpp:4183
#48 0x00007f0af45c4506 in KApplication::notify (this=0x7fffbeabf8e0, receiver=0x17abdb60, event=0x15a42000) at /usr/src/debug/kdelibs-4.4.2/kdeui/kernel/kapplication.cpp:302
#49 0x00007f0af40f198c in QCoreApplication::notifyInternal (this=0x7fffbeabf8e0, receiver=0x17abdb60, event=0x15a42000) at kernel/qcoreapplication.cpp:704
#50 0x00007f0af40f4107 in sendEvent (event=<value optimized out>, receiver=<value optimized out>) at kernel/qcoreapplication.h:215
#51 QCoreApplicationPrivate::sendPostedEvents (event=<value optimized out>, receiver=<value optimized out>) at kernel/qcoreapplication.cpp:1345
#52 0x00007f0af411b373 in sendPostedEvents () at kernel/qcoreapplication.h:220
#53 postEventSourceDispatch () at kernel/qeventdispatcher_glib.cpp:276
#54 0x00007f0aef352dde in g_main_context_dispatch () from /usr/lib64/libglib-2.0.so.0
#55 0x00007f0aef3567a8 in ?? () from /usr/lib64/libglib-2.0.so.0
#56 0x00007f0aef3568d0 in g_main_context_iteration () from /usr/lib64/libglib-2.0.so.0
#57 0x00007f0af411aeb3 in QEventDispatcherGlib::processEvents (this=0x61a8e0, flags=<value optimized out>) at kernel/qeventdispatcher_glib.cpp:412
#58 0x00007f0af334051e in QGuiEventDispatcherGlib::processEvents (this=0x0, flags=<value optimized out>) at kernel/qguieventdispatcher_glib.cpp:204
#59 0x00007f0af40f02a2 in QEventLoop::processEvents (this=<value optimized out>, flags=) at kernel/qeventloop.cpp:149
#60 0x00007f0af40f067c in QEventLoop::exec (this=0x7fffbeabf6d0, flags=) at kernel/qeventloop.cpp:201
#61 0x00007f0af40f43cb in QCoreApplication::exec () at kernel/qcoreapplication.cpp:981
#62 0x00007f0ae770506b in kdemain (argc=<value optimized out>, argv=<value optimized out>) at /usr/src/debug/kdebase-4.4.2/apps/konqueror/src/konqmain.cpp:257
#63 0x00000000004073b8 in launch (argc=3, _name=<value optimized out>, args=<value optimized out>, cwd=<value optimized out>, envc=24, envs=<value optimized out>, reset_env=false, tty=0x0, 
    avoid_loops=false, startup_id_str=0x409c52 "0") at /usr/src/debug/kdelibs-4.4.2/kinit/kinit.cpp:717
#64 0x0000000000408070 in handle_launcher_request (sock=8, who=<value optimized out>) at /usr/src/debug/kdelibs-4.4.2/kinit/kinit.cpp:1209
#65 0x0000000000408521 in handle_requests (waitForPid=0) at /usr/src/debug/kdelibs-4.4.2/kinit/kinit.cpp:1402
#66 0x0000000000409202 in main (argc=4, argv=<value optimized out>, envp=<value optimized out>) at /usr/src/debug/kdelibs-4.4.2/kinit/kinit.cpp:1845

Reported using DrKonqi
Comment 1 Dmitriy Taychenachev 2010-05-07 13:45:22 UTC
Reduced to
<body>
<div id="base" style='height:100%; width:100%; position:absolute; background:#00ff00'/>
 <div class="popup" id="container" style="position:relative" >
 </div>
</div>
<script type="text/javascript">
 document.getElementById("base").style.overflowX = "scroll";
 document.getElementById("container").style.top = "0.0px";
</script>
</body>

As for me, it's 100% reproducible. Seems to be a race: inserting an alert (and waiting for some time) before the `top' assignment prevents the crash.
Comment 2 Dmitriy Taychenachev 2010-05-07 16:47:51 UTC
I have tried to investigate this bug. It seems to happen when setStyle() of a RenderBlock tries to "fix" the current layout due to a position change, but the current layout has not been built yet. checkScrollbarsAfterLayout(), which is called by attemptDirectLayerTranslation(), relies on a proper scrollbar state, so it fails because layout has not been done yet and the scrollbars are not initialized.
I have tried to fix it by not reusing incomplete layouts (patch attached), but I can't really tell if it is correct; it would be very nice if someone who is really familiar with KHTML would review and explain all that stuff more correctly.
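A constructed model of the failure mode described in this comment, added here as an illustration and not KHTML's code or the attached patch: scrollbar widgets that only exist after the first layout, a direct-translation shortcut that touches them unconditionally (the crashing path), and a guarded variant that refuses to reuse a layout that was never built and falls back to a full layout. The names `Layer`, `translateUnchecked`, `translateChecked` and `demo` are assumptions for this model.

```cpp
#include <memory>

// Constructed model (not KHTML code): scrollbars are created by layout(),
// so any "fix the current layout" shortcut that runs before the first
// layout dereferences null, mirroring QWidget::setEnabled in the backtrace.
struct Scrollbar { bool enabled = false; void setEnabled(bool e) { enabled = e; } };

struct Layer {
    bool layoutDone = false;
    std::unique_ptr<Scrollbar> hBar;   // null until layout() has run
    std::unique_ptr<Scrollbar> vBar;
    bool needsFullLayout = false;
    int translations = 0;

    void layout() {
        hBar.reset(new Scrollbar);
        vBar.reset(new Scrollbar);
        layoutDone = true;
        needsFullLayout = false;
    }
    // Stand-in for checkScrollbarsAfterLayout(): assumes the bars exist.
    void checkScrollbarsAfterLayout(bool overflowX) {
        hBar->setEnabled(overflowX);   // null dereference if layout() never ran
        vBar->setEnabled(false);
    }
    // Crashing path: always reuses the "current" layout, built or not.
    void translateUnchecked(bool overflowX) {
        ++translations;
        checkScrollbarsAfterLayout(overflowX);
    }
    // Guarded path: an unbuilt layout is not reused; a full layout is requested.
    bool translateChecked(bool overflowX) {
        if (!layoutDone) { needsFullLayout = true; return false; }
        ++translations;
        checkScrollbarsAfterLayout(overflowX);
        return true;
    }
};

// True when the guarded path declines the shortcut before layout, requests a
// full layout, and takes the shortcut once layout has created the scrollbars.
bool demo() {
    Layer l;
    if (l.translateChecked(true)) return false;   // must decline: no layout yet
    if (!l.needsFullLayout) return false;
    l.layout();
    if (!l.translateChecked(true)) return false;
    return l.hBar->enabled && l.translations == 1;
}
```

Calling `translateUnchecked` on a fresh `Layer` reproduces the null dereference, which is why it is never exercised here.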
Comment 3 Dmitriy Taychenachev 2010-05-07 16:49:17 UTC
Created attachment 43340 [details]
draft patch to fix the bug
Comment 4 Andrea Iacovitti 2013-08-01 16:43:02 UTC
Created attachment 81510 [details]
online testcase posted in comment #1
Comment 5 Andrea Iacovitti 2013-10-26 23:52:04 UTC
Git commit bb170448b18e7c98bc0e3febf1082e3db28eef89 by Andrea Iacovitti.
Committed on 26/10/2013 at 23:48.
Pushed by aiacovitti into branch 'KDE/4.11'.

Fix crash.
FIXED-IN: 4.11.3

M  +5    -5    khtml/rendering/render_layer.cpp

http://commits.kde.org/kdelibs/bb170448b18e7c98bc0e3febf1082e3db28eef89