Bug 243910 - Infinite recursion in khtml::RenderWidget::handleEvent
Summary: Infinite recursion in khtml::RenderWidget::handleEvent
Alias: None
Product: konqueror
Classification: Applications
Component: khtml forms (show other bugs)
Version: 4.8.3
Platform: Compiled Sources Linux
: NOR crash
Target Milestone: ---
Assignee: Konqueror Developers
: 226737 269830 270829 271113 279570 299181 (view as bug list)
Depends on:
Reported: 2010-07-08 03:46 UTC by Christoph Feck
Modified: 2012-12-30 23:11 UTC (History)
10 users (show)

See Also:
Latest Commit:
Version Fixed In: 4.8.4

crashtest 1/2 (363 bytes, text/html)
2010-07-08 23:11 UTC, Baldo Davide
testcrash 2/2 (193 bytes, text/html)
2010-07-08 23:12 UTC, Baldo Davide
Possible patch (1.32 KB, patch)
2011-03-31 22:40 UTC, Allan Sandfeld
Valgrind log for the crash. (32.59 KB, text/plain)
2012-02-01 10:49 UTC, Raúl
testcase: IFRAME whose content is the attachment at comment #2 (347 bytes, text/html)
2012-05-26 20:47 UTC, Andrea Iacovitti

Note You need to log in before you can comment on or make changes to this bug.
Description Christoph Feck 2010-07-08 03:46:06 UTC
Version:           SVN (using Devel) 
OS:                Linux

I was trying to report feedback using http://kde-look.org/feedback/ Clicking into the Spam protection field "Type the two words" I got a crash without a backtrace.

Running in gdb I get a backtrace indicating a stack overflow due to this infinite recursion (the displayed part repeats infinitively):

#17049 0xb2bccaea in khtml::RenderWidget::handleEvent (this=0x8803270, ev=...) at /local/svn/kde/trunk/KDE/kdelibs/khtml/rendering/render_replaced.cpp:1069
#17050 0xb2b20eee in DOM::HTMLFrameElementImpl::defaultEventHandler (this=0x8615cc8, e=0x8721ff0) at /local/svn/kde/trunk/KDE/kdelibs/khtml/html/html_baseimpl.cpp:303
#17051 0xb2abba85 in DOM::NodeImpl::dispatchGenericEvent (this=0x8615cd0, evt=0x8721ff0) at /local/svn/kde/trunk/KDE/kdelibs/khtml/xml/dom_nodeimpl.cpp:494
#17052 0xb2abb564 in DOM::NodeImpl::dispatchEvent (this=0x8615cd0, evt=0x8721ff0, exceptioncode=@0xbfba8518, tempEvent=true) at /local/svn/kde/trunk/KDE/kdelibs/khtml/xml/dom_nodeimpl.cpp:401
#17053 0xb2a164c6 in KHTMLView::dispatchMouseEvent (this=0x844f0c0, eventId=7, targetNode=0x8615cd0, targetNodeNonShared=0x87320e0, cancelable=false, detail=0, _mouse=0xbfba8cbc, setUnder=true, 
#17054 0xb2a09c52 in KHTMLView::mouseMoveEvent (this=0x844f0c0, _mouse=0xbfba8cbc) at /local/svn/kde/trunk/KDE/kdelibs/khtml/khtmlview.cpp:1362
#17055 0xb65843ec in QWidget::event (this=0x844f0c0, event=0xbfba8cbc) at /local/git/Qt/qt/src/gui/kernel/qwidget.cpp:8143
#17056 0xb69807a3 in QFrame::event (this=0x844f0c0, e=0xbfba8cbc) at /local/git/Qt/qt/src/gui/widgets/qframe.cpp:557
#17057 0xb2a0e4ea in KHTMLView::widgetEvent (this=0x844f0c0, e=0xbfba8cbc) at /local/svn/kde/trunk/KDE/kdelibs/khtml/khtmlview.cpp:2362
#17058 0xb2a0deaf in KHTMLView::eventFilter (this=0x844f0c0, o=0x844ef80, e=0xbfba8cbc) at /local/svn/kde/trunk/KDE/kdelibs/khtml/khtmlview.cpp:2207
#17059 0xb709500a in QCoreApplicationPrivate::sendThroughObjectEventFilters (this=0x806a398, receiver=0x844ef80, event=0xbfba8cbc) at /local/git/Qt/qt/src/corelib/kernel/qcoreapplication.cpp:847
#17060 0xb652a830 in QApplicationPrivate::notify_helper (this=0x806a398, receiver=0x844ef80, e=0xbfba8cbc) at /local/git/Qt/qt/src/gui/kernel/qapplication.cpp:4385
#17061 0xb6533be9 in QApplication::notify (this=0xbffff054, receiver=0x86c0ee8, e=0xbfba8f20) at /local/git/Qt/qt/src/gui/kernel/qapplication.cpp:3952
#17062 0xb7669aee in KApplication::notify (this=0xbffff054, receiver=0x86c0ee8, event=0xbfba8f20) at /local/svn/kde/trunk/KDE/kdelibs/kdeui/kernel/kapplication.cpp:309
#17063 0xb7094e6b in QCoreApplication::notifyInternal (this=0xbffff054, receiver=0x86c0ee8, event=0xbfba8f20) at /local/git/Qt/qt/src/corelib/kernel/qcoreapplication.cpp:732
#17064 0xb2a1c32b in QCoreApplication::sendEvent (receiver=0x86c0ee8, event=0xbfba8f20) at /local/qt4/include/QtCore/qcoreapplication.h:215

Reproducible: Always

Steps to Reproduce:
Open kde-look.org
Click on Report Abuse link at the bottom
Click into "Type the two words"

Actual Results:  
=> Konqueror crashes

Expected Results:  
Konqueror smiles
Comment 1 Baldo Davide 2010-07-08 23:11:40 UTC
Created attachment 48699 [details]
crashtest 1/2

crashtest (to be used with iframe_crash.html)
Comment 2 Baldo Davide 2010-07-08 23:12:47 UTC
Created attachment 48700 [details]
testcrash 2/2

crash test 2/2 (to be used with crash.html)
Comment 3 Baldo Davide 2010-07-08 23:14:31 UTC
Very similar crash here:
#16682 0x00007f24e2f9ffed in KHTMLView::mouseMoveEvent (this=0x20ca010, _mouse=0x7ffff24633d0) at /d/kde/src/4/kdelibs/khtml/khtmlview.cpp:1362
#16683 0x00007f24f1d0791d in QWidget::event (this=0x20ca010, event=0x7ffff24633d0) at kernel/qwidget.cpp:8006
#16684 0x00007f24f21e1de7 in QFrame::event (this=0x20ca010, e=0x7ffff24633d0) at widgets/qframe.cpp:557
#16685 0x00007f24e2fa52c5 in KHTMLView::widgetEvent (this=0x20ca010, e=0x7ffff24633d0) at /d/kde/src/4/kdelibs/khtml/khtmlview.cpp:2362
#16686 0x00007f24e2fa4ad9 in KHTMLView::eventFilter (this=0x20ca010, o=0x20dcab0, e=0x7ffff24633d0) at /d/kde/src/4/kdelibs/khtml/khtmlview.cpp:2207
#16687 0x00007f24f31012ab in QCoreApplicationPrivate::sendThroughObjectEventFilters (this=0x18afbb0, receiver=0x20dcab0, event=0x7ffff24633d0) at kernel/qcoreapplication.c
#16688 0x00007f24f1c93b09 in QApplicationPrivate::notify_helper (this=0x18afbb0, receiver=0x20dcab0, e=0x7ffff24633d0) at kernel/qapplication.cpp:4296
#16689 0x00007f24f1c919da in QApplication::notify (this=0x7ffff28bf310, receiver=0x24d8950, e=0x7ffff2463950) at kernel/qapplication.cpp:3865
#16690 0x00007f24f3eae6f9 in KApplication::notify (this=0x7ffff28bf310, receiver=0x24d8950, event=0x7ffff2463950) at /d/kde/src/4/kdelibs/kdeui/kernel/kapplication.cpp:309
#16691 0x00007f24f3100f90 in QCoreApplication::notifyInternal (this=0x7ffff28bf310, receiver=0x24d8950, event=0x7ffff2463950) at kernel/qcoreapplication.cpp:704
#16692 0x00007f24e2fb4edf in QCoreApplication::sendEvent (receiver=0x24d8950, event=0x7ffff2463950) at /d/qt/4/kde-qt-4.6/include/QtCore/../../src/corelib/kernel/qcoreappl
#16693 0x00007f24e31bb64c in khtml::RenderWidget::handleEvent (this=0x23f3608, ev=...) at /d/kde/src/4/kdelibs/khtml/rendering/render_replaced.cpp:1069
#16694 0x00007f24e30f0bb8 in DOM::HTMLFrameElementImpl::defaultEventHandler (this=0x24ca3a0, e=0x2ed82c0) at /d/kde/src/4/kdelibs/khtml/html/html_baseimpl.cpp:303
#16695 0x00007f24e3073a02 in DOM::NodeImpl::dispatchGenericEvent (this=0x24ca3b0, evt=0x2ed82c0) at /d/kde/src/4/kdelibs/khtml/xml/dom_nodeimpl.cpp:494
#16696 0x00007f24e3073408 in DOM::NodeImpl::dispatchEvent (this=0x24ca3b0, evt=0x2ed82c0, exceptioncode=@0x7ffff2463f54, tempEvent=true) at /d/kde/src/4/kdelibs/khtml/xml/
#16697 0x00007f24e2fae485 in KHTMLView::dispatchMouseEvent (this=0x20ca010, eventId=7, targetNode=0x24ca3b0, targetNodeNonShared=0x2452960, cancelable=false, detail=0, _mo
use=0x7ffff24649f0, setUnder=true, mouseEventType=4, orient=0) at /d/kde/src/4/kdelibs/khtml/khtmlview.cpp:3747
#16698 0x00007f24e2f9ffed in KHTMLView::mouseMoveEvent (this=0x20ca010, _mouse=0x7ffff24649f0) at /d/kde/src/4/kdelibs/khtml/khtmlview.cpp:1362
#16699 0x00007f24f1d0791d in QWidget::event (this=0x20ca010, event=0x7ffff24649f0) at kernel/qwidget.cpp:8006

how do trigger the crash:
1) open the crash.html file
2) click on both radio buttons
3) click on the submit button
4) click again the radio buttons
Comment 4 Christoph Feck 2011-03-31 20:33:32 UTC
*** Bug 269830 has been marked as a duplicate of this bug. ***
Comment 5 Christoph Feck 2011-03-31 20:38:18 UTC
The bug is still reproducible with todays' trunk and the link from comment #0. Bug 269830 mentions an important detail: you have to disable JavaScript.
Comment 6 Allan Sandfeld 2011-03-31 22:03:29 UTC
With or without javascript enabled, I am not able to reproduce this bug from the captcha. 

I got the example to crash konqueror when used from a local file-directory, but not when accessed via http. 

Not sure what is going on with that.
Comment 7 Allan Sandfeld 2011-03-31 22:40:02 UTC
Created attachment 58482 [details]
Possible patch

A part of the infinite loop had comments above it, warning of event duplication and question the need to do it. This patch simplies disables that part, hopefully this doesn't break anything.
Comment 8 Christoph Feck 2011-03-31 23:23:35 UTC
Thanks Allen, the patch fixes the bug. If there are regressions because of this, I will report them clearly indicating that I applied this patch.
Comment 9 2011-04-27 20:42:40 UTC
This is not a good patch, i have done tests building kdelibs with and without the patch and with the patch applied in severall websites konqueror takes forever to load, seams like theres no internet.

Althoutgh this patch does fix this problem, but since causes a major issue.
Comment 10 Christoph Feck 2011-04-28 23:39:40 UTC
What you see has nothing to do with this patch, but is a recent kio issue. And you already noticed it yourself, see bug 271896...
Comment 11 2011-05-10 04:12:11 UTC
Yes, please ignore my previous comment.
Why not commit it in trunk?
Comment 12 Christoph Feck 2011-05-23 14:32:27 UTC
Allen, I am using your patch since nearly two months now, and I did not see any regressions. Could you commit it to master?
Comment 13 Andrea Iacovitti 2011-07-05 09:59:40 UTC
(In reply to comment #7)
> Created an attachment (id=58482) [details]
> Possible patch
> A part of the infinite loop had comments above it, warning of event duplication
> and question the need to do it. This patch simplies disables that part,
> hopefully this doesn't break anything.

Your patch fixes another bad bug i encountered:
open http://www.w3schools.com/tags/tryit.asp?filename=tryhtml_iframe and try to scroll down the iframe on the left of page by left clicking an moving down the vertical scrollbar -> konq will first block then simply die with "Segmentation fault".
Comment 14 Andrea Iacovitti 2011-11-10 10:23:55 UTC
*** Bug 271113 has been marked as a duplicate of this bug. ***
Comment 15 Andrea Iacovitti 2012-01-16 15:29:46 UTC
*** Bug 270829 has been marked as a duplicate of this bug. ***
Comment 16 Raúl 2012-02-01 10:47:47 UTC
I triaged this bug at http://www.w3schools.com/tags/tryit.asp?filename=tryhtml_iframe I couldn't get konqueror to crash with either of the tescase files or the URL reported by the original reporter.

I'm attaching a valgrind log which indicates that this bug leads to a stack overflow.

I cam here since I myself had a stack overflow crash, only with a different top part KJS related (KJS::Machine::runBlock KJS::FunctionImp::callAsFunction). If you are interested I got this crash when I chose firefox 3.6 as UA on gmail and I moved around while viewing an HTML draft message.

If this bug is about stack overflow maybe worthwhile to also take a look at https://bugs.kde.org/show_bug.cgi?id=258111 and eventually to mark it as duplicate.

Comment 17 Raúl 2012-02-01 10:49:27 UTC
Created attachment 68389 [details]
Valgrind log for the crash.

Crash reproduced on KDE 4.7.4 on Debian testing.
Comment 18 Andrea Iacovitti 2012-04-26 19:19:35 UTC
http://www.atm-molise.it/orari.asp is another page that makes konqueror close with "segmentstion fault" error: just try to scroll one of the SELECT element by moving the scollbar with the mouse.
Patch in comment #7 fixes the issue.

@Allan: I am using your patch since you posted it and AFAICT I have not observed any regression
Comment 19 Andrea Iacovitti 2012-05-01 17:13:09 UTC
*** Bug 299181 has been marked as a duplicate of this bug. ***
Comment 20 Andrea Iacovitti 2012-05-26 20:47:17 UTC
Created attachment 71388 [details]
testcase: IFRAME whose content is the attachment at comment #2
Comment 21 Andrea Iacovitti 2012-05-28 05:19:56 UTC
Git commit 5feb2da93c4fcd18d3a38659abb9fb040704d123 by Andrea Iacovitti.
Committed on 28/05/2012 at 07:18.
Pushed by aiacovitti into branch 'KDE/4.8'.

Do not duplicate mouse move events
(patch by Allan Sandfeld)
FIXED-IN: 4.8.4

M  +2    -2    khtml/rendering/render_replaced.cpp

Comment 22 Andrea Iacovitti 2012-10-04 17:33:32 UTC
*** Bug 279570 has been marked as a duplicate of this bug. ***
Comment 23 Andrea Iacovitti 2012-12-30 23:11:33 UTC
*** Bug 226737 has been marked as a duplicate of this bug. ***