Crash in KHTML on www.tweakers.net
Jonathan Brugge
jonathan at tweakers.net
Tue Jan 20 20:50:40 GMT 2004
Since it's a bit late in the release process and this is a crash on a large
(>100,000 registered users) website, I decided to post this here instead of
opening a report on Bugzilla. It might be possible to solve this without too
much effort.
THE PROBLEM: http://www.tweakers.net crashes KHTML while loading. Safari has
the same problem, according to user reports on
http://gathering.tweakers.net/forum/list_messages/863577. The crash only
happens when loading of banners has been enabled - while I had them disabled,
I experienced no crashes at all. Reportedly, the banner is loaded by some
javascript-wizardry, but the crash doesn't seem to be there - though it may
be that the problems already start in KJS, of course.
DEBUG INFO: I created a backtrace and a valgrind log. First the backtrace (I
skipped the last part, since it doesn't seem to be relevant - if you need it,
just ask for it):
--------------------
[New Thread 1102615200 (LWP 17538)]
0x4188f30e in __waitpid_nocancel () from /lib/tls/libpthread.so.0
#0 0x4188f30e in __waitpid_nocancel () from /lib/tls/libpthread.so.0
#1 0x408e44b4 in KCrash::defaultCrashHandler(int) (sig=11) at kcrash.cpp:246
#2 <signal handler called>
#3 0x40e008b2 in khtml::KHTMLParser::popOneBlock() (this=0x83298f8)
at htmlparser.cpp:1195
#4 0x40e00aea in khtml::KHTMLParser::freeBlock() (this=0x83298f8)
at htmlparser.cpp:1236
#5 0x40dfe0f9 in ~KHTMLParser (this=0x83298f8) at htmlparser.cpp:158
#6 0x40e06b58 in ~HTMLTokenizer (this=0x83297c0) at htmltokenizer.cpp:1595
#7 0x40dde672 in DOM::DocumentImpl::close() (this=0x8322838)
at khtmlview.h:110
#8 0x40e0fdc8 in DOM::HTMLDocumentImpl::close() (this=0x8322838)
at html_documentimpl.cpp:292
#9 0x40d9f516 in KHTMLPart::checkEmitLoadEvent() (this=0x8202a48)
at khtml_part.cpp:2025
#10 0x40d9ec5a in KHTMLPart::checkCompleted() (this=0x8202a48)
at khtml_part.cpp:1947
#11 0x40d9e698 in KHTMLPart::slotLoaderRequestDone(khtml::DocLoader*,
khtml::CachedObject*) (this=0x8202a48, dl=0x5f006e00, obj=0x5f006e00)
at khtml_part.cpp:1834
#12 0x40db94cd in KHTMLPart::qt_invoke(int, QUObject*) (this=0x8202a48,
_id=57, _o=0xbfffe740) at qucom_p.h:312
#13 0x41306b47 in QObject::activate_signal(QConnectionList*, QUObject*) (
this=0x81dea50, clist=0x82f91c0, o=0xbfffe740) at kernel/qobject.cpp:2383
#14 0x40eaa765 in khtml::Loader::requestDone(khtml::DocLoader*,
khtml::CachedObject*) (this=0x81dea50, t0=0x5f006e00, t1=0x5f006e00) at
loader.moc:240
--------------------
The important part of the valgrind log, where it states a problem in
popOneBlock() - the same function that can be seen as #3 in the backtrace
above (again, the complete valgrind log can be posted upon request; I didn't
do that yet since it's 26KB in size):
---------------------
khtml (xml): using compatibility parseMode
NodeImpl::toHTML
NodeImpl::toHTML
khtml (css): CSSStyleDeclarationImpl::setProperty invalid property: [width] value: [-1px]
khtml (css): CSSStyleDeclarationImpl::setProperty invalid property: [height] value: [-1px]
NodeImpl::toHTML
NodeImpl::toHTML
==19744==
==19744== Invalid read of size 4
==19744== at 0x4997790D: khtml::KHTMLParser::popOneBlock() (shared.h:34)
==19744== by 0x49977AE9: khtml::KHTMLParser::freeBlock() (htmlparser.cpp:1236)
==19744== by 0x499750F8: khtml::KHTMLParser::~KHTMLParser() (htmlparser.cpp:158)
==19744== by 0x4997DB57: khtml::HTMLTokenizer::~HTMLTokenizer() (htmltokenizer.cpp:1595)
==19744== Address 0x4D0858DC is not stack'd, malloc'd or free'd
==19744==
==19744== Invalid read of size 4
==19744== at 0x499778AD: khtml::KHTMLParser::popOneBlock() (htmlparser.cpp:1195)
==19744== by 0x49977AE9: khtml::KHTMLParser::freeBlock() (htmlparser.cpp:1236)
==19744== by 0x499750F8: khtml::KHTMLParser::~KHTMLParser() (htmlparser.cpp:158)
==19744== by 0x4997DB57: khtml::HTMLTokenizer::~HTMLTokenizer() (htmltokenizer.cpp:1595)
==19744== Address 0x4D0858D8 is not stack'd, malloc'd or free'd
==19744==
==19744== Invalid read of size 4
==19744== at 0x499778B2: khtml::KHTMLParser::popOneBlock() (htmlparser.cpp:1195)
==19744== by 0x49977AE9: khtml::KHTMLParser::freeBlock() (htmlparser.cpp:1236)
==19744== by 0x499750F8: khtml::KHTMLParser::~KHTMLParser() (htmlparser.cpp:158)
==19744== by 0x4997DB57: khtml::HTMLTokenizer::~HTMLTokenizer() (htmltokenizer.cpp:1595)
==19744== Address 0xD0 is not stack'd, malloc'd or free'd
==19744== Warning: invalid file descriptor 821 in syscall close()
==19744== Use --logfile-fd=<number> to select an alternative logfile fd.
---------------------
VERSION: GCC 3.3.3 (or maybe 3.3.2 a week ago, don't know for sure).
kdelibs/kdebase CVS HEAD about a week old. Can't test with newer versions due
to problems when compiling kdelibs (that's a separate issue which surely will
be solved and might be a problem on my side). There's one report of it
working correctly with Konqueror 3.1.3, but I don't know for sure whether the
reporter was loading banners or not.
If there's anything I can do to help fix this crash, just ask for it. If
it's better to open a report on Bugzilla, even this close to the release,
I'll do that instead.
Jonathan Brugge