khtml::cache crash

David Faure faure at kde.org
Tue Jan 13 14:19:18 GMT 2004


It seems the cache objects can be in both a QDict (called "cache")
and a QPtrList (called "freeList")? Sounds bad, when both are set to autodelete.

Testcase: 
* Enable tabbed browsing
* KDE_FULL_SESSION= konqueror www.kde.org
 (the env. var. is to ensure it doesn't stay preloaded)
* Right click the logo on top, choose "View Image (kde_logo.jpg)"
It opens in khtmlimage (in a new tab).
* Close window, [confirm], -> crash

==19976== Invalid read of size 4
==19976==    at 0x4AE10CDB: QPtrList<khtml::CachedObject>::deleteItem(void*) (qptrlist.h:150)
==19976==    by 0x41266632: QGList::clear() (qglist.cpp:701)
==19976==    by 0x4AE0FFF7: QPtrList<khtml::CachedObject>::clear() (qptrlist.h:93)
==19976==    by 0x4AE108AF: QPtrList<khtml::CachedObject>::~QPtrList() (qptrlist.h:70)
==19976==    by 0x4AE0D462: khtml::Cache::clear() (loader.cpp:1326)
==19976==    by 0x4AD1B653: KHTMLFactory::~KHTMLFactory() (khtml_factory.cpp:97)
==19976==    by 0x4AD1B7B3: KHTMLFactory::deref() (khtml_factory.cpp:136)
==19976==    by 0x4AD1B65A: KHTMLFactory::~KHTMLFactory() (khtml_factory.cpp:100)
==19976==    by 0x40B4AB8C: KLibrary::~KLibrary() (klibloader.cpp:141)
==19976==    by 0x40B4C809: KLibLoader::close_pending(KLibWrapPrivate*) (klibloader.cpp:521)
==19976==    by 0x40B4BC96: KLibLoader::~KLibLoader() (klibloader.cpp:338)
==19976==    by 0x40B4B5CA: KLibLoader::cleanUp() (klibloader.cpp:308)
==19976==    by 0x40AAC094: KApplication::~KApplication() (kapplication.cpp:1478)
==19976==    by 0x40272F93: kdemain (in /usr/local/kde/lib/libkdeinit_konqueror.so)
==19976==    by 0x80486E6: main (in /usr/local/kde/bin/konqueror)
==19976==    by 0x418077F6: __libc_start_main (in /lib/i686/libc-2.3.1.so)
==19976==    by 0x8048630: (within /usr/local/kde/bin/konqueror)
==19976==    Address 0x4AA24D04 is 40 bytes inside a block of size 164 free'd
==19976==    at 0x400270D3: __builtin_delete (vg_replace_malloc.c:244)
==19976==    by 0x400270F1: operator delete(void*) (vg_replace_malloc.c:253)
==19976==    by 0x4AE09994: khtml::CachedImage::~CachedImage() (loader.cpp:516)
==19976==    by 0x4AE10B90: QDict<khtml::CachedObject>::deleteItem(void*) (qdict.h:97)
==19976==    by 0x41264121: QGDict::clear() (qgdict.cpp:787)
==19976==    by 0x4AE10A83: QDict<khtml::CachedObject>::clear() (qdict.h:75)
==19976==    by 0x4AE107F7: QDict<khtml::CachedObject>::~QDict() (qdict.h:57)
==19976==    by 0x4AE0D354: khtml::Cache::clear() (loader.cpp:1321)
==19976==    by 0x4AD1B653: KHTMLFactory::~KHTMLFactory() (khtml_factory.cpp:97)
==19976==    by 0x4AD1B7B3: KHTMLFactory::deref() (khtml_factory.cpp:136)
==19976==    by 0x4AD1B65A: KHTMLFactory::~KHTMLFactory() (khtml_factory.cpp:100)
==19976==    by 0x40B4AB8C: KLibrary::~KLibrary() (klibloader.cpp:141)
==19976==    by 0x40B4C809: KLibLoader::close_pending(KLibWrapPrivate*) (klibloader.cpp:521)
==19976==    by 0x40B4BC96: KLibLoader::~KLibLoader() (klibloader.cpp:338)
==19976==    by 0x40B4B5CA: KLibLoader::cleanUp() (klibloader.cpp:308)
==19976==    by 0x40AAC094: KApplication::~KApplication() (kapplication.cpp:1478)
==19976==    by 0x40272F93: kdemain (in /usr/local/kde/lib/libkdeinit_konqueror.so)
==19976==    by 0x80486E6: main (in /usr/local/kde/bin/konqueror)
==19976==    by 0x418077F6: __libc_start_main (in /lib/i686/libc-2.3.1.so)
==19976==    by 0x8048630: (within /usr/local/kde/bin/konqueror)

The part above khtml::Cache::clear() is common. It's inside clear() that
objects are getting deleted twice.

The strange thing is that it doesn't happen if I pass both urls on the command
line (to get both tabs immediately), and it doesn't happen on my other machine (??).
Race condition?

-- 
David FAURE, faure at kde.org, sponsored by Trolltech to work on KDE,
Konqueror (http://www.konqueror.org), and KOffice (http://www.koffice.org).
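The ownership problem the report describes, as an added model that is not khtml's own code: one cached object is reachable from both a URL dictionary and a "free list", and each container believes it owns (auto-deletes) the object, so Cache::clear() releases it twice. The second version keeps a single owner. Struct and function names, the refCount field and the sample URLs are assumptions of this example; an instrumented release routine counts a second release instead of letting it corrupt the heap, which is what valgrind's "Invalid read ... inside a block ... free'd" above caught.

```cpp
// Added example modelling the double-delete described in the report (not khtml code).
#include <iostream>
#include <map>
#include <memory>
#include <set>
#include <string>
#include <utility>
#include <vector>

struct CachedObject {
    explicit CachedObject(std::string u) : url(std::move(u)) {}
    std::string url;
    int refCount = 0;  // 0 means "unreferenced": a candidate for the free list
};

// Instrumented release: remembers released pointers and counts a second release
// of the same pointer instead of performing it (a real second delete is UB).
struct DeleteTracker {
    std::set<const void*> released;
    int doubleReleases = 0;
    void release(CachedObject* o) {
        if (!released.insert(o).second) { ++doubleReleases; return; }
        delete o;
    }
};

// Version 1: two auto-deleting containers, the shape the report describes.
struct DoubleOwnerCache {
    std::map<std::string, CachedObject*> cache;  // like QDict "cache", autoDelete on
    std::vector<CachedObject*> freeList;         // like QPtrList "freeList", autoDelete on

    CachedObject* insert(const std::string& url) {
        auto* o = new CachedObject(url);
        cache[url] = o;
        return o;
    }
    void markUnreferenced(CachedObject* o) { freeList.push_back(o); }

    // Dictionary cleared first, then the free list: anything on both goes twice.
    int clear(DeleteTracker& t) {
        for (auto& kv : cache) t.release(kv.second);
        cache.clear();
        for (auto* o : freeList) t.release(o);
        freeList.clear();
        return t.doubleReleases;
    }
};

// Version 2: one owner. The dictionary owns via unique_ptr; the free list is a
// non-owning index, and eviction erases from the dictionary only.
struct SingleOwnerCache {
    std::map<std::string, std::unique_ptr<CachedObject>> cache;
    std::vector<CachedObject*> freeList;  // non-owning (QPtrList with autoDelete off)

    CachedObject* insert(const std::string& url) {
        auto o = std::make_unique<CachedObject>(url);
        CachedObject* raw = o.get();
        cache[url] = std::move(o);
        return raw;
    }
    void markUnreferenced(CachedObject* o) { freeList.push_back(o); }

    // Evict unreferenced objects through the single release point (the map node).
    int flushUnreferenced() {
        int evicted = 0;
        for (auto* o : freeList) {
            if (o->refCount != 0) continue;   // stale free-list entry: still in use
            std::string key = o->url;         // copy: erase destroys o
            if (cache.erase(key)) ++evicted;
        }
        freeList.clear();
        return evicted;
    }
    void clear() { freeList.clear(); cache.clear(); }
};

// Constructed scenario: the logo image drops to zero references, so it sits in
// both containers when the cache is torn down. Returns the double-release count.
int doubleReleasesWithTwoOwners() {
    DoubleOwnerCache c;
    CachedObject* logo = c.insert("http://www.kde.org/kde_logo.jpg");
    c.insert("http://www.kde.org/index.html");
    c.markUnreferenced(logo);
    DeleteTracker t;
    return c.clear(t);  // 1
}

// Same scenario with a single owner; returns how many objects were evicted.
int evictedWithSingleOwner() {
    SingleOwnerCache c;
    CachedObject* logo = c.insert("http://www.kde.org/kde_logo.jpg");
    CachedObject* page = c.insert("http://www.kde.org/index.html");
    page->refCount = 1;         // still used by a document
    c.markUnreferenced(logo);
    c.markUnreferenced(page);   // stale entry; flush must check refCount
    int evicted = c.flushUnreferenced();  // 1
    c.clear();                            // remaining object released exactly once
    return evicted;
}

int main() {
    std::cout << "double releases with two owners: " << doubleReleasesWithTwoOwners() << '\n';
    std::cout << "evicted with single owner: " << evictedWithSingleOwner() << '\n';
}
```

The point of the second version is that only one container ever calls delete; the free list is a lookup aid and is consulted, not trusted, at eviction time. The same fix applies to the Qt containers in the report: leave autoDelete on for exactly one of them.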