Double delete in KJS

George Staikos staikos at kde.org
Wed Jun 18 16:24:22 CEST 2003


There seems to be a double delete in KJS.  I can reproduce the problem ~50% of 
the time here:

http://webmail.eresmas.com/webmail2/html/index.html

When I load this page, I often get a pure virtual call in 
KJS::ValueImp::dispatchType():151.  When I print the valueimp of the val in 
function.cpp:652 in gdb, I see that _flags=14, which means that VI_DESTRUCTED 
has occurred - that only happens in the destructor.  The call stack from this 
is 68 levels deep, and when I try to run it in valgrind it freezes my x86 
linux box so I have been unable to get any more info than this.

I've attached the backtrace.  Maciej: did you guys happen to fix something 
similar to this that we might not have merged?

Basically as far as I can tell, this valueimp has already been garbage 
collected and deleted.  The last lines of debug output before the pvc are:

processing parameters for (internal) call
KJS: (internal) returns: WMApp : String (0x86eefb8)
KJS: new variable n: WMApp : String (0x86eefb8)
KJS: new variable props: [object Arguments] : Arguments (0x88240e8)
KJS: new variable i: 0 : Number (0x1)

I'm guessing (*guessing*) that there is a deleted ValueImp in ObjectImp::_prop 
so ObjectImp::get() returns Value(getDirect(propertyName)) which results in a 
deleted object in the list.  If I put in an assert for !(imp && imp->_flags & 
VI_DESTRUCTED), I get an assert failure even earlier, and the value of imp is 
0xfa1, which really looks bad to me.

-- 
George Staikos
KDE Developer				http://www.kde.org/
Staikos Computing Services Inc.		http://www.staikos.net/
-------------- next part --------------
#0  0x4123c861 in kill () from /lib/libc.so.6
#1  0x41170acc in pthread_kill () from /lib/libpthread.so.0
#2  0x41170fd6 in raise () from /lib/libpthread.so.0
#3  0x4123dc81 in abort () from /lib/libc.so.6
#4  0x411c3e48 in __default_terminate () from /usr/lib/libstdc++-libc6.2-2.so.3
#5  0x411c3e6d in __terminate () from /usr/lib/libstdc++-libc6.2-2.so.3
#6  0x40e9f2eb in __pure_virtual () from /opt/qt-copy/lib/libqt-mt.so.3
#7  0x41b3e99c in KJS::ValueImp::dispatchType (this=0x88247a8) at value.cpp:151
#8  0x41b3fc4a in KJS::Object::dynamicCast (v=@0xbfffdd1c) at value.h:195
#9  0x41b3c687 in KJS::ArgumentsImp::get (this=0x8824770, exec=0xbfffe260,
    propertyName=@0xbfffdd5c) at function.cpp:652
#10 0x41b4023b in KJS::ObjectImp::get (this=0x8824770, exec=0xbfffe260,
    propertyName=0) at object.cpp:186
#11 0x41b465f6 in KJS::Reference::getValue (this=0xbfffdde8, exec=0xbfffe260)
    at reference.cpp:141
#12 0x41b12cca in KJS::Node::evaluate (this=0x868fcc8, exec=0xbfffe260)
    at nodes.cpp:122
#13 0x41b14b39 in KJS::ArgumentListNode::evaluateList (this=0x868fce0,
    exec=0xbfffe260) at nodes.cpp:670
#14 0x41b14d4e in KJS::ArgumentsNode::evaluateList (this=0x868fcf8,
    exec=0xbfffe260) at nodes.cpp:718
#15 0x41b1531a in KJS::FunctionCallNode::evaluate (this=0x868fd10,
    exec=0xbfffe260) at nodes.cpp:794
#16 0x41b187fc in KJS::AssignNode::evaluate (this=0x868fd28, exec=0xbfffe260)
    at nodes.cpp:1530
#17 0x41b1a560 in KJS::ExprStatementNode::execute (this=0x868fd48,
    exec=0xbfffe260) at nodes.cpp:1940
#18 0x41b21027 in KJS::SourceElementsNode::execute (this=0x868fd78,
    exec=0xbfffe260) at nodes.cpp:3082
#19 0x41b1a347 in KJS::BlockNode::execute (this=0x8690048, exec=0xbfffe260)
    at nodes.cpp:1902
#20 0x41b1bfdd in KJS::ForNode::execute (this=0x8690078, exec=0xbfffe260)
    at nodes.cpp:2158
#21 0x41b21275 in KJS::SourceElementsNode::execute (this=0x868f970,
    exec=0xbfffe260) at nodes.cpp:3088
#22 0x41b1a347 in KJS::BlockNode::execute (this=0x86900f0, exec=0xbfffe260)
    at nodes.cpp:1902
#23 0x41b205ec in KJS::FunctionBodyNode::execute (this=0x86900f0,
    exec=0xbfffe260) at nodes.cpp:2915
#24 0x41b3c188 in KJS::DeclaredFunctionImp::execute (this=0x86e9838,
    exec=0xbfffe260) at function.cpp:579
#25 0x41b3b457 in KJS::FunctionImp::call (this=0x86e9838, exec=0xbfffe5c0,
    thisObj=@0xbfffe33c, args=@0xbfffe34c) at function.cpp:354
#26 0x41b3fd31 in KJS::Object::call (this=0xbfffe348, exec=0xbfffe5c0,
    thisObj=@0xbfffe33c, args=@0xbfffe34c) at object.cpp:69
#27 0x41b156c4 in KJS::FunctionCallNode::evaluate (this=0x87991b8,
    exec=0xbfffe5c0) at nodes.cpp:838
#28 0x41b1a560 in KJS::ExprStatementNode::execute (this=0x87991d0,
    exec=0xbfffe5c0) at nodes.cpp:1940
#29 0x41b21275 in KJS::SourceElementsNode::execute (this=0x85fce90,
    exec=0xbfffe5c0) at nodes.cpp:3088
#30 0x41b1a347 in KJS::BlockNode::execute (this=0x87f0110, exec=0xbfffe5c0)
    at nodes.cpp:1902
#31 0x41b205ec in KJS::FunctionBodyNode::execute (this=0x87f0110,
    exec=0xbfffe5c0) at nodes.cpp:2915
#32 0x41b119bf in KJS::InterpreterImp::evaluate (this=0x85473c0,
    code=@0xbfffe6a4, thisV=@0xbfffe6a8) at internal.cpp:878
#33 0x41b4178b in KJS::Interpreter::evaluate (this=0x8547388,
    code=@0xbfffe6a4, thisV=@0xbfffe6a8) at interpreter.cpp:161
#34 0x41e55394 in KJSProxyImpl::evaluate (this=0xbfffe704,
    filename=0xbfffe704, baseLine=3165, str=@0xbfffe7c8, n=@0xbfffe754,
    completion=0x0) at kjs_proxy.cpp:148
#35 0x41d3d425 in KHTMLPart::executeScript (this=0x8386bd0,
    filename=0xbfffe760, baseLine=3165, n=@0xbfffe754, script=@0xbfffe7c8)
    at khtml_part.cpp:5302
#36 0x41d6e007 in khtml::HTMLTokenizer::scriptExecution (this=0xbfffe7d0,
    str=@0xbfffe7c8, scriptURL=0xbfffe7d0, baseLine=3164)
    at htmltokenizer.cpp:435
#37 0x41d6dd69 in khtml::HTMLTokenizer::scriptHandler (this=0x84d9fd0)
    at htmltokenizer.cpp:404
#38 0x41d6d539 in khtml::HTMLTokenizer::parseSpecial (this=0x84d9fd0,
    src=@0x84da0dc) at htmltokenizer.cpp:322
#39 0x41d70fe9 in khtml::HTMLTokenizer::write (this=0x84d9fd0,
    str=@0xbfffe898, appendData=true) at htmltokenizer.cpp:1255
#40 0x41d285c4 in KHTMLPart::write (this=0x8386bd0,
    str=0x86606a0 ".mbox.flag[wm.flags[i]];\n        }\n    \n    \tvar marka = (wm.mbox.msgs[a].flags & marks);\n    \tvar markb = (wm.mbox.msgs[b].flags & marks);\n    \n    \tfor (var i in wm.mbox.flag){\n    \t\tif (wm.mbox.fla"...,
    len=8192) at khtml_part.cpp:1572
#41 0x41d26c6d in KHTMLPart::slotData (this=0x8386bd0, kio_job=0x84a6ff8,
    data=@0xbfffeda4) at khtml_part.cpp:1278
#42 0x41d3e7ca in KHTMLPart::qt_invoke (this=0x8386bd0, _id=10, _o=0xbfffea80)
    at khtml_part.moc:364
#43 0x40b9aa8a in QObject::activate_signal (this=0x84a6ff8, clist=0x849f8a8,
    o=0xbfffea80) at kernel/qobject.cpp:2214
#44 0x4028e412 in KIO::TransferJob::data (this=0x84a6ff8, t0=0x84a6ff8,
    t1=@0xbfffeda4) at jobclasses.moc:728
#45 0x4027d92a in KIO::TransferJob::slotData (this=0x84a6ff8,
    _data=@0xbfffeda4) at job.cpp:779
#46 0x4028e964 in KIO::TransferJob::qt_invoke (this=0x84a6ff8, _id=18,
    _o=0xbfffebb4) at jobclasses.moc:807
#47 0x40b9aa8a in QObject::activate_signal (this=0x849ee10, clist=0x84985f8,
    o=0xbfffebb4) at kernel/qobject.cpp:2214
#48 0x402717c5 in KIO::SlaveInterface::data (this=0x849ee10, t0=@0xbfffeda4)
    at slaveinterface.moc:195
#49 0x4026e980 in KIO::SlaveInterface::dispatch (this=0x849ee10, _cmd=100,
    rawdata=@0xbfffeda4) at slaveinterface.cpp:247
#50 0x4026e522 in KIO::SlaveInterface::dispatch (this=0x849ee10)
    at slaveinterface.cpp:192
#51 0x4026baec in KIO::Slave::gotInput (this=0x849ee10) at slave.cpp:294
#52 0x4026dda9 in KIO::Slave::qt_invoke (this=0x849ee10, _id=4, _o=0xbfffeec0)
    at slave.moc:114
#53 0x40b9aa8a in QObject::activate_signal (this=0x8362228, clist=0x846c3c8,
    o=0xbfffeec0) at kernel/qobject.cpp:2214
#54 0x40b9ad22 in QObject::activate_signal (this=0x8362228, signal=2, param=17)
    at kernel/qobject.cpp:2279
#55 0x40e5014a in QSocketNotifier::activated (this=0x8362228, t0=17)
    at .moc/debug-shared-mt/moc_qsocketnotifier.cpp:86
#56 0x40bb5fba in QSocketNotifier::event (this=0x8362228, e=0xbffff108)
    at kernel/qsocketnotifier.cpp:268
#57 0x40b48399 in QApplication::internalNotify (this=0xbffff4e4,
    receiver=0x8362228, e=0xbffff108) at kernel/qapplication.cpp:2303
#58 0x40b4775f in QApplication::notify (this=0xbffff4e4, receiver=0x8362228,
    e=0xbffff108) at kernel/qapplication.cpp:2067
#59 0x4072486f in KApplication::notify (this=0xbffff4e4, receiver=0x8362228,
    event=0xbffff108) at kapplication.cpp:460
#60 0x40f41d24 in QApplication::sendEvent (receiver=0x8362228,
    event=0xbffff108) at .moc/debug-shared-mt/../../kernel/qapplication.h:478
#61 0x40b296f6 in QEventLoop::activateSocketNotifiers (this=0x8095ee0)
    at kernel/qeventloop_unix.cpp:544
#62 0x40b0500c in QEventLoop::processEvents (this=0x8095ee0, flags=4)
    at kernel/qeventloop_x11.cpp:307
#63 0x40b5ae70 in QEventLoop::enterLoop (this=0x8095ee0)
    at kernel/qeventloop.cpp:191
#64 0x40b5ad95 in QEventLoop::exec (this=0x8095ee0)
    at kernel/qeventloop.cpp:138
#65 0x40b48595 in QApplication::exec (this=0xbffff4e4)
    at kernel/qapplication.cpp:2424
#66 0x40054f50 in kdemain (argc=2, argv=0xbffff644) at konq_main.cc:164
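The failure mode described in the message above (a property table still pointing at a ValueImp that the collector has already torn down, surfacing later as a pure virtual call) and the debugging check proposed there (assert that no value handed out by get() carries VI_DESTRUCTED) can be reproduced in miniature. The following is an added example, not code from KJS or from the poster: a toy mark-and-sweep heap whose sweep phase sets a VI_DESTRUCTED flag, an ObjectImp-like property table holding raw pointers, and a scenario that either does or does not mark the property values during the mark phase. The flag values, the class layout and the idea of keeping swept cells as tombstones (so the flag is still readable; in real KJS the ValueImp was deleted and the same check reads freed memory) are assumptions made for the example.

```cpp
// Added example (not KJS code): mark-and-sweep GC with a VI_DESTRUCTED
// debugging flag, and the "is this property value still live?" check.
#include <cassert>
#include <cstdio>
#include <memory>
#include <string>
#include <unordered_map>
#include <vector>

// Flag bits are assumptions for this example; KJS used its own constants.
enum : unsigned { VI_MARKED = 1u, VI_DESTRUCTED = 8u };

struct ValueImp {
    unsigned flags = 0;
    std::string str;                       // the value's payload
    explicit ValueImp(std::string s) : str(std::move(s)) {}
    // The equivalent of ~ValueImp() setting VI_DESTRUCTED: release the payload
    // and poison the cell. The cell itself is kept as a tombstone so a stale
    // pointer can still be inspected (real KJS freed the memory here).
    void destruct() {
        str.clear();
        str.shrink_to_fit();
        flags |= VI_DESTRUCTED;
    }
};

class Heap {
public:
    ValueImp* alloc(std::string s) {
        cells_.push_back(std::make_unique<ValueImp>(std::move(s)));
        return cells_.back().get();
    }
    // One collection cycle: clear marks, run the caller's root marking,
    // then sweep every cell that is neither marked nor already destructed.
    template <class MarkRoots> void collect(MarkRoots markRoots) {
        for (auto& c : cells_) c->flags &= ~VI_MARKED;
        markRoots();
        for (auto& c : cells_)
            if (!(c->flags & (VI_MARKED | VI_DESTRUCTED))) c->destruct();
    }
private:
    std::vector<std::unique_ptr<ValueImp>> cells_;
};

// Stand-in for ObjectImp / ArgumentsImp: properties are raw, unowned pointers,
// so the collector must be told about them or they dangle after a sweep.
struct ObjectImp {
    std::unordered_map<std::string, ValueImp*> prop;
    ValueImp* getDirect(const std::string& name) const {
        auto it = prop.find(name);
        return it == prop.end() ? nullptr : it->second;
    }
};

// The check from the post: a value returned by a property lookup must not
// carry VI_DESTRUCTED. A null property is fine; a destructed one is the bug.
bool isLive(const ValueImp* imp) {
    return !(imp && (imp->flags & VI_DESTRUCTED));
}

// Builds an object with one property, runs a collection, and reports whether
// the property value is still live afterwards. markProps selects whether the
// mark phase visits the object's property values (the fix) or skips them
// (the bug the post suspects).
bool propertyAfterGC(bool markProps) {
    Heap heap;
    ObjectImp args;
    ValueImp* n = heap.alloc("WMApp");
    args.prop["n"] = n;
    heap.collect([&] {
        if (markProps)
            for (auto& kv : args.prop) kv.second->flags |= VI_MARKED;
    });
    return isLive(args.getDirect("n"));
}

int main() {
    std::printf("property live after GC without marking it: %s\n",
                propertyAfterGC(false) ? "yes" : "no");
    std::printf("property live after GC with marking:       %s\n",
                propertyAfterGC(true) ? "yes" : "no");
    return 0;
}
```

The unmarked case is the situation the post describes: get() hands back a pointer whose object has already gone through the destructor, and anything virtual called on it (dispatchType() in the backtrace) is undefined behaviour. Checking the flag at the lookup, as the post's assert does, moves the failure to the first stale read instead of 68 frames later.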


