Bug 86221 - [test case] crash with javascript manipulated tables
Summary: [test case] crash with javascript manipulated tables
Status: RESOLVED FIXED
Alias: None
Product: konqueror
Classification: Applications
Component: khtml (show other bugs)
Version: unspecified
Platform: FreeBSD Ports Linux
: NOR crash
Target Milestone: ---
Assignee: Konqueror Developers
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-07-29 12:27 UTC by Michael Nottebrock
Modified: 2006-10-24 16:21 UTC (History)
1 user (show)

See Also:
Latest Commit:
Version Fixed In:
Sentry Crash Report:


Attachments
Testcase (882 bytes, text/html)
2004-07-29 12:28 UTC, Michael Nottebrock
Details
Crash backtrace (5.86 KB, text/plain)
2004-07-29 12:29 UTC, Michael Nottebrock
Details
reduced test case (300 bytes, text/html)
2004-11-23 17:16 UTC, Stephan Kulow
Details

Description Michael Nottebrock 2004-07-29 12:27:11 UTC
Version:            (using KDE KDE 3.2.3)
Installed from:    FreeBSD Ports

A bit of clicking around on the underlined stuff in the attached testcase reproducibly crashes konqueror. The backtrace is attached to the bug.
Comment 1 Michael Nottebrock 2004-07-29 12:28:28 UTC
Created attachment 6905 [details]
Testcase
Comment 2 Michael Nottebrock 2004-07-29 12:29:46 UTC
Created attachment 6906 [details]
Crash backtrace
Comment 3 Michael Nottebrock 2004-07-29 13:13:29 UTC
Please note that the CSS code is buggy itself, instead of setting the display to inline it should have been set to table-row and table-cell.
Comment 4 Dik Takken 2004-08-04 13:04:33 UTC
Confirmed. Crash also reproducible on KDE 3.3 Beta 2.
Comment 5 Tommi Tervo 2004-09-01 15:53:53 UTC
for duplicate finder.

#0  0x2936dbf3 in wait4 () from /lib/libc.so.5
#1  0x2935f691 in waitpid () from /lib/libc.so.5
#2  0x291f2c86 in waitpid () from /usr/lib/libpthread.so.1
#3  0x2893fdd0 in KCrash::defaultCrashHandler(int) (sig=6) at kcrash.cpp:246
#4  0x291f96a5 in sigaction () from /usr/lib/libpthread.so.1
#5  <signal handler called>
#6  0x2936d8f3 in kill () from /lib/libc.so.5
#7  0x293d6616 in abort () from /lib/libc.so.5
#8  0x293b12ee in __assert () from /lib/libc.so.5
#9  0x29b1434f in khtml::RenderFlow::addChildWithContinuation(khtml::RenderObject*, khtml::RenderObject*) (this=0x8465de0, newChild=0x8465814, 
    beforeChild=0x84ff43c) at render_flow.cpp:110
#10 0x29b14393 in khtml::RenderFlow::addChild(khtml::RenderObject*, khtml::RenderObject*) (this=0x8465de0, newChild=0x8465814, beforeChild=0x84ff43c)
    at render_flow.cpp:125
#11 0x29abede4 in DOM::ElementImpl::attach() (this=0x84ff43c)
    at dom_elementimpl.cpp:450
#12 0x29af6838 in DOM::HTMLTableCellElementImpl::attach() (this=0x84fc080)
    at html_tableimpl.cpp:839
#13 0x29abef78 in DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (
    this=0x84fc080, change=NoChange) at dom_elementimpl.cpp:490
#14 0x29ad8f9f in DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange)
    (this=0x84fc080, ch=7) at html_elementimpl.cpp:262
#15 0x29abf034 in DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (
    this=0x84fa6c0, change=NoChange) at dom_elementimpl.cpp:517
#16 0x29ad8f9f in DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange)
    (this=0x84fa6c0, ch=7) at html_elementimpl.cpp:262
#17 0x29abf034 in DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (
    this=0x84fa500, change=NoChange) at dom_elementimpl.cpp:517
#18 0x29ad8f9f in DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange)
    (this=0x84fa500, ch=7) at html_elementimpl.cpp:262
#19 0x29abf034 in DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (
    this=0x84e3b80, change=NoChange) at dom_elementimpl.cpp:517
#20 0x29ad8f9f in DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange)
    (this=0x84e3b80, ch=7) at html_elementimpl.cpp:262
#21 0x29abf034 in DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (
    this=0x819f940, change=NoChange) at dom_elementimpl.cpp:517
#22 0x29ad8f9f in DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange)
    (this=0x819f940, ch=7) at html_elementimpl.cpp:262
#23 0x29abf034 in DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (
    this=0x84e5700, change=NoChange) at dom_elementimpl.cpp:517
#24 0x29ad8f9f in DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange)
    (this=0x84e5700, ch=7) at html_elementimpl.cpp:262
#25 0x29aad9b7 in DOM::DocumentImpl::recalcStyle(DOM::NodeImpl::StyleChange) (
    this=0x8428200, change=NoChange) at dom_docimpl.cpp:979
#26 0x29aadd23 in DOM::DocumentImpl::updateRendering() (this=0x8428200)
    at dom_docimpl.cpp:1012
#27 0x29aadd85 in DOM::DocumentImpl::updateDocumentsRendering() ()
    at dom_docimpl.cpp:1026
#28 0x29ba6a2a in KJS::Window::afterScriptExecution() (this=0x84e3600)
    at kjs_window.cpp:937
#29 0x29bcb000 in KJS::JSEventListener::handleEvent(DOM::Event&) (
    this=0x84f5de0, evt=@0xbfbfda40) at kjs_events.cpp:120
#30 0x29ab8ef7 in DOM::NodeImpl::handleLocalEvents(DOM::EventImpl*, bool) (
    this=0x20, evt=0x8421480, useCapture=false) at dom_nodeimpl.cpp:707
#31 0x29ab8583 in DOM::NodeImpl::dispatchGenericEvent(DOM::EventImpl*, int&) (
    this=0x84fa400, evt=0x8421480) at dom_nodeimpl.cpp:518
#32 0x29ab8331 in DOM::NodeImpl::dispatchEvent(DOM::EventImpl*, int&, bool) (
    this=0x84fa400, evt=0x8421480, exceptioncode=@0x7, tempEvent=true)
    at dom_nodeimpl.cpp:470
#33 0x29a5fba6 in KHTMLView::dispatchMouseEvent(int, DOM::NodeImpl*, bool, int, QMouseEvent*, bool, int) (this=0x83a0800, eventId=4, targetNode=0x84fa400, 
    cancelable=true, detail=0, _mouse=0xbfbfdc90, setUnder=true, 
    mouseEventType=0) at khtmlview.cpp:2135
#34 0x29a5b487 in KHTMLView::viewportMouseReleaseEvent(QMouseEvent*) (
    this=0x83a0800, _mouse=0xbfbfe200) at khtmlview.cpp:905
#35 0x28dca554 in QScrollView::eventFilter(QObject*, QEvent*) (this=0x83a0800, 
    obj=0x8352e00, e=0xbfbfe200) at widgets/qscrollview.cpp:1502
#36 0x29a5c264 in KHTMLView::eventFilter(QObject*, QEvent*) (this=0x83a0800, 
    o=0x8352e00, e=0xbfbfe200) at khtmlview.cpp:1420
#37 0x28cd3624 in QObject::activate_filters(QEvent*) (this=0x8352e00, 
    e=0xbfbfe200) at kernel/qobject.cpp:902
#38 0x28cd34f8 in QObject::event(QEvent*) (this=0x8352e00, e=0xbfbfe200)
    at kernel/qobject.cpp:735
#39 0x28d0510a in QWidget::event(QEvent*) (this=0x8352e00, e=0xbfbfe200)
    at kernel/qwidget.cpp:4653
#40 0x28c82fe9 in QApplication::internalNotify(QObject*, QEvent*) (this=0x0, 
    receiver=0x8352e00, e=0xbfbfe200) at kernel/qapplication.cpp:2620
#41 0x28c826b6 in QApplication::notify(QObject*, QEvent*) (this=0xbfbfe900, 
    receiver=0x8352e00, e=0xbfbfe200) at kernel/qapplication.cpp:2406
#42 0x288be596 in KApplication::notify(QObject*, QEvent*) (this=0xbfbfe900, 
    receiver=0x8352e00, event=0xbfbfe200) at kapplication.cpp:511
#43 0x28c244a5 in QETWidget::translateMouseEvent(_XEvent const*) (
    this=0x8352e00, event=0xbfbfe530) at qapplication.h:494
#44 0x28c22906 in QApplication::x11ProcessEvent(_XEvent*) (this=0xbfbfe900, 
    event=0xbfbfe530) at kernel/qapplication_x11.cpp:3521
#45 0x28c362a9 in QEventLoop::processEvents(unsigned) (this=0x80fe5c0, flags=4)
    at kernel/qeventloop_x11.cpp:192
#46 0x28c92adb in QEventLoop::enterLoop() (this=0x80fe5c0)
    at kernel/qeventloop.cpp:198
#47 0x28c92a2c in QEventLoop::exec() (this=0x80fe5c0)
    at kernel/qeventloop.cpp:145
#48 0x28c83144 in QApplication::exec() (this=0xbfbfe900)
    at kernel/qapplication.cpp:2743
#49 0x280d4565 in kdemain (argc=7, argv=0x7) at konq_main.cc:184
#50 0x080486c3 in main (argc=7, argv=0x7) at konqueror.la.cc:2
#51 0x08048602 in _start ()
Comment 6 Michael Nottebrock 2004-10-30 11:39:42 UTC
Still present in KDE 3.3.1.
Comment 7 Stephan Kulow 2004-11-23 16:49:59 UTC
konqueror: /suse/coolo/prod/kdelibs/khtml/rendering/render_flow.cpp:89: void khtml::RenderFlow:: (khtml::RenderObject*, khtml::RenderObject*): Zusicherung »!beforeChild || beforeChild->parent()->isRenderBlock() || beforeChild->parent()->isRenderInline()« nicht erfüllt.

No other bug with that
Comment 8 Stephan Kulow 2004-11-23 17:16:07 UTC
Created attachment 8407 [details]
reduced test case

the assert of course only triggers if you're building with debug
Comment 9 Stephan Kulow 2004-11-23 17:35:24 UTC
just for reference: gtk-webcore crashes too 
Comment 10 Allan Sandfeld 2006-10-24 13:41:44 UTC
SVN commit 598668 by carewolf:

When a sibling renderer has caused implicit containers, make nextRenderer
traverse those to find one we can use as a sibling.
BUG: 86221


 M  +8 -2      dom_nodeimpl.cpp  


--- branches/KDE/3.5/kdelibs/khtml/xml/dom_nodeimpl.cpp #598667:598668
@@ -910,8 +910,14 @@
 RenderObject * NodeImpl::nextRenderer()
 {
     for (NodeImpl *n = nextSibling(); n; n = n->nextSibling()) {
-        if (n->renderer())
-            return n->renderer();
+        if (n->renderer()) {
+            RenderObject *r = n->renderer();
+            // If the renderer has caused implicit containers,
+            // return the topmost implicit container
+            while (r->parent()->isAnonymous() && !r->parent()->isAnonymousBlock())
+                r = r->parent();
+            return r;
+        }
     }
     return 0;
 }
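Review bot: The ascent at `while (r->parent()->isAnonymous() && !r->parent()->isAnonymousBlock())` dereferences `r->parent()` on every iteration with no null guard, so it relies on the walk always stopping before a renderer whose parent() is null; that is presumably true for an attached sibling renderer, but the loop climbs away from it, and a defensive form costs one extra test: `while (r->parent() && r->parent()->isAnonymous() && !r->parent()->isAnonymousBlock())`. The change also alters what nextRenderer() hands back — an anonymous ancestor instead of the sibling node's own renderer — and every caller of nextRenderer() sees that, so the comment above the loop should state it, e.g. `// NOTE: may return an anonymous ancestor of the sibling's renderer rather than the renderer itself`. The function is complete within the hunk.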
Comment 11 Allan Sandfeld 2006-10-24 16:21:10 UTC
SVN commit 598760 by carewolf:

Move fix of bug #86221 to RenderFlow where it doesn't cause other
regressions
CCBUG: 86221


 M  +5 -3      rendering/render_flow.cpp  
 M  +2 -8      xml/dom_nodeimpl.cpp  


--- branches/KDE/3.5/kdelibs/khtml/rendering/render_flow.cpp #598759:598760
@@ -85,8 +85,10 @@
 void RenderFlow::addChildWithContinuation(RenderObject* newChild, RenderObject* beforeChild)
 {
     RenderFlow* flow = continuationBefore(beforeChild);
-    KHTMLAssert(!beforeChild || beforeChild->parent()->isRenderBlock() ||
-                beforeChild->parent()->isRenderInline());
+    while(beforeChild && beforeChild->parent() != this && !beforeChild->parent()->isAnonymousBlock()) {
+        // skip implicit containers around beforeChild
+        beforeChild = beforeChild->parent();
+    }
     RenderFlow* beforeChildParent = beforeChild ? static_cast<RenderFlow*>(beforeChild->parent()) :
                                     (flow->continuation() ? flow->continuation() : flow);
 
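Review bot: The new loop condition `!beforeChild->parent()->isAnonymousBlock()` dereferences `beforeChild->parent()` without a null check, so if beforeChild ever lies outside this flow's subtree (inferred; the hunk does not show how callers choose beforeChild) the ascent reaches a renderer with a null parent() and crashes in release builds too; adding `beforeChild->parent() &&` in front of the `!= this` test closes that. Dropping the KHTMLAssert also leaves the `static_cast<RenderFlow*>(beforeChild->parent())` two lines below with no debug-build check of the invariant it depends on; re-adding `KHTMLAssert(!beforeChild || beforeChild->parent()->isRenderBlock() || beforeChild->parent()->isRenderInline());` after the loop restores it. addChildWithContinuation continues past the end of the hunk.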
@@ -260,7 +262,7 @@
             }
         }
     }
-    
+
     return false;
 }
 
--- branches/KDE/3.5/kdelibs/khtml/xml/dom_nodeimpl.cpp #598759:598760
@@ -910,14 +910,8 @@
 RenderObject * NodeImpl::nextRenderer()
 {
     for (NodeImpl *n = nextSibling(); n; n = n->nextSibling()) {
-        if (n->renderer()) {
-            RenderObject *r = n->renderer();
-            // If the renderer has caused implicit containers,
-            // return the topmost implicit container
-            while (r->parent()->isAnonymous() && !r->parent()->isAnonymousBlock())
-                r = r->parent();
-            return r;
-        }
+        if (n->renderer())
+            return n->renderer();
     }
     return 0;
 }