| Summary: | kig crashes when creating a locus if compiled with -fstack-protector-strong | | |
|---|---|---|---|
| Product: | [Applications] kig | Reporter: | Maurizio Paolini <maurizio.paolini> |
| Component: | general | Assignee: | David E. Narvaez <david.narvaez> |
| Status: | RESOLVED FIXED | | |
| Severity: | crash | CC: | kevin.kofler, rdieter |
| Priority: | NOR | | |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Platform: | Fedora RPMs | | |
| OS: | Linux | | |
| Latest Commit: | http://commits.kde.org/kig/5e940459d99eab90394372b8c052ff6a8f2ea4d0 | Version Fixed In: | 4.14.2 |
Description

Maurizio Paolini
2014-09-10 13:49:15 UTC

Here's one included in downstream report, https://bugzilla.redhat.com/show_bug.cgi?id=1105867 from kcrash: https://bugzilla.redhat.com/show_bug.cgi?id=1105867 (and better, includes line numbers): inline (so searchable):

Application: kig (v1.0)
KDE Platform Version: 4.12.5
Qt Version: 4.8.6
Operating System: Linux 3.14.4-200.fc20.i686+PAE i686
Distribution: "Fedora release 20 (Heisenbug)"

-- Information about the crash:
Creating a locus works fine up to the end, but as soon as the cursor is moved after the creation, kig crashes.

test case:
- open kig
- create a circle by center and point
- create a constrained point on the circle
- create the midpoint between the constrained point and the center of the circle
- create a locus with the midpoint as dependent point and the constrained point as the constrained point
- move the mouse after the locus construction ---> kig crashes

Remark: compiling from the latest git source solves the problem.

The crash can be reproduced every time.

-- Backtrace:
Application: Kig (kig), signal: Aborted
Using host libthread_db library "/lib/libthread_db.so.1".

```
[KCrash Handler]
#7  0xb773f424 in __kernel_vsyscall ()
#8  0x418fab96 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#9  0x418fc3d3 in __GI_abort () at abort.c:89
#10 0x4193a2f8 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x41a43033 "*** %s ***: %s terminated\n") at ../sysdeps/posix/libc_fatal.c:175
#11 0x419d55c5 in __GI___fortify_fail (msg=msg@entry=0x41a4301b "stack smashing detected") at fortify_fail.c:31
#12 0x419d557a in __stack_chk_fail () at stack_chk_fail.c:28
#13 0xb6427484 in __stack_chk_fail_local () from /usr/lib/kde4/kigpart.so
#14 0xb63133fe in CurveImp::getParam (this=this@entry=0x86f3210, p=..., doc=...) at /usr/src/debug/kig-4.12.5/objects/curve_imp.cc:252
#15 0xb631344c in CurveImp::getParam (this=0x86f3210, p=..., doc=...) at /usr/src/debug/kig-4.12.5/objects/curve_imp.cc:165
#16 0xb631f4b7 in LocusImp::internalContainsPoint (this=this@entry=0x86f3210, p=..., threshold=0.051823592949233561, doc=...) at /usr/src/debug/kig-4.12.5/objects/locus_imp.cc:229
#17 0xb631f544 in LocusImp::contains (this=0x86f3210, p=..., width=-1, w=...) at /usr/src/debug/kig-4.12.5/objects/locus_imp.cc:54
#18 0xb63212ba in ObjectDrawer::contains (this=0x86c8de8, imp=..., pt=..., w=..., nv=nv@entry=false) at /usr/src/debug/kig-4.12.5/objects/object_drawer.cc:49
#19 0xb6325d5c in ObjectHolder::contains (this=0x86f1f48, pt=..., w=..., nv=false) at /usr/src/debug/kig-4.12.5/objects/object_holder.cc:85
#20 0xb63ebcb3 in KigDocument::whatAmIOn (this=0x842fb98, p=..., w=...) at /usr/src/debug/kig-4.12.5/kig/kig_document.cc:76
#21 0xb6388908 in BaseMode::mouseMoved (this=0x8445cc8, e=0xbf851164, w=0x83eb7a8) at /usr/src/debug/kig-4.12.5/modes/base_mode.cc:130
#22 0xb63f6422 in KigWidget::mouseMoveEvent (this=0x83eb7a8, e=0xbf851164) at /usr/src/debug/kig-4.12.5/kig/kig_view.cpp:102
#23 0x47969247 in QWidget::event (this=0x83eb7a8, event=0xbf851164) at kernel/qwidget.cpp:8374
#24 0x4790abd4 in QApplicationPrivate::notify_helper (this=0x82c3ad8, receiver=0x83eb7a8, e=0xbf851164) at kernel/qapplication.cpp:4565
#25 0x47913896 in QApplication::notify (this=0xbf8516e8, receiver=0x83eb7a8, e=e@entry=0xbf851164) at kernel/qapplication.cpp:4108
#26 0x43487ec0 in KApplication::notify (this=0xbf8516e8, receiver=0x83eb7a8, event=0xbf851164) at /usr/src/debug/kdelibs-4.12.5/kdeui/kernel/kapplication.cpp:311
#27 0x495dd5f6 in QCoreApplication::notifyInternal (this=0xbf8516e8, receiver=receiver@entry=0x83eb7a8, event=event@entry=0xbf851164) at kernel/qcoreapplication.cpp:953
#28 0x479112e2 in sendEvent (event=<optimized out>, receiver=<optimized out>) at ../../src/corelib/kernel/qcoreapplication.h:231
#29 QApplicationPrivate::sendMouseEvent (receiver=receiver@entry=0x83eb7a8, event=0xbf851164, alienWidget=0x0, nativeWidget=0x83eb7a8, buttonDown=buttonDown@entry=0x482c73e4 <qt_button_down>, lastMouseReceiver=..., spontaneous=spontaneous@entry=true) at kernel/qapplication.cpp:3173
#30 0x47996db8 in QETWidget::translateMouseEvent (this=0x83eb7a8, event=event@entry=0xbf85137c) at kernel/qapplication_x11.cpp:4540
#31 0x479954a3 in QApplication::x11ProcessEvent (this=0xbf8516e8, event=event@entry=0xbf85137c) at kernel/qapplication_x11.cpp:3663
#32 0x479c118b in x11EventSourceDispatch (s=s@entry=0x82c35c0, callback=0x0, user_data=0x0) at kernel/qguieventdispatcher_glib.cpp:148
#33 0x41dac556 in g_main_dispatch (context=0x82c3c30) at gmain.c:3066
#34 g_main_context_dispatch (context=context@entry=0x82c3c30) at gmain.c:3642
#35 0x41dac920 in g_main_context_iterate (context=context@entry=0x82c3c30, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3713
#36 0x41dac9e9 in g_main_context_iteration (context=0x82c3c30, may_block=1) at gmain.c:3774
#37 0x4960f270 in QEventDispatcherGlib::processEvents (this=this@entry=0x8299e00, flags=...) at kernel/qeventdispatcher_glib.cpp:425
#38 0x479c134c in QGuiEventDispatcherGlib::processEvents (this=0x8299e00, flags=...) at kernel/qguieventdispatcher_glib.cpp:207
#39 0x495dbea0 in QEventLoop::processEvents (this=this@entry=0xbf851644, flags=...) at kernel/qeventloop.cpp:149
#40 0x495dc231 in QEventLoop::exec (this=this@entry=0xbf851644, flags=...) at kernel/qeventloop.cpp:204
#41 0x495e206b in QCoreApplication::exec () at kernel/qcoreapplication.cpp:1225
#42 0x47908ee5 in QApplication::exec () at kernel/qapplication.cpp:3823
#43 0x0804dc86 in main (argc=1, argv=0xbf8517c4) at /usr/src/debug/kig-4.12.5/kig/main.cpp:142
```

Possible duplicates by query: bug 327574, bug 323830, bug 322782.

Report to https://bugs.kde.org/

I can confirm this using the latest version from master and -fstack-protector-all (I don't have -fstack-protector-strong in Gentoo, I guess it is a Fedora thing? https://fedorahosted.org/fesco/ticket/1128)

All affected parties, please try the patch at https://git.reviewboard.kde.org/r/120129/

(In reply to David E. Narvaez from comment #3)
> All affected parties, please try the patch at
> https://git.reviewboard.kde.org/r/120129/

The proposed patch works fine for me.

Git commit 5e940459d99eab90394372b8c052ff6a8f2ea4d0 by David E. Narvaez.
Committed on 12/09/2014 at 14:33.
Pushed by narvaez into branch 'master'.

Fix Iteration Over Array mm

Because of the initial value of j it was missing j = 1, causing Valgrind to report a jump over uninitialized value. Because of the check at the while loop, it was modifying j = N + 1, causing a stack buffer overflow.
FIXED-IN: 4.14.2
REVIEW: 120129

M +2 -8 objects/curve_imp.cc

http://commits.kde.org/kig/5e940459d99eab90394372b8c052ff6a8f2ea4d0
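The two defects the commit message names, a loop that starts one slot too late and an end test that still admits j = N + 1, modelled in C as an added example that is not kig's code: the buffer size N, the loop body and the sentinel value are constructed, and the sentinel placed just past the last valid slot plays the part of the canary that -fstack-protector-strong inserts after stack arrays, which is why the kig build aborted with "stack smashing detected" instead of silently corrupting the stack.

```c
#include <stdbool.h>

/* Constructed model, not kig's code: a fixed-size stack buffer of curve
 * samples with slots 0..N, plus one extra entry that stands in for the
 * stack canary -fstack-protector-strong places after such arrays. The
 * real buffer size and loop body in CurveImp::getParam are not given. */
#define N 8
#define CANARY 0x7E57CA4A   /* arbitrary sentinel value */

struct fill_result {
    bool slot1_uninitialized;  /* the "missing j = 1" defect */
    bool canary_clobbered;     /* the "j = N + 1" stack buffer overflow */
};

/* Run a while loop over j in [start, last] that fills buf[j], then check
 * the two symptoms. Keeping the sentinel inside the same array keeps the
 * model well-defined C even when the loop reaches j == N + 1. */
static struct fill_result fill(int start, int last)
{
    double buf[N + 2];
    const double unset = -1.0;          /* marks "never written" */
    for (int i = 0; i < N + 2; ++i)
        buf[i] = unset;
    buf[0] = 0.0;                       /* slot 0 is set before the loop */
    buf[N + 1] = CANARY;                /* canary just past the last slot */

    int j = start;
    while (j <= last) {                 /* the end test decides if N + 1 is hit */
        buf[j] = (double)j / N;         /* constructed sample value */
        ++j;
    }

    struct fill_result r;
    r.slot1_uninitialized = (buf[1] == unset);
    r.canary_clobbered = (buf[N + 1] != CANARY);
    return r;
}

/* Before the fix: j starts at 2 and the test still admits j == N + 1. */
struct fill_result buggy_iteration(void) { return fill(2, N + 1); }

/* After the fix: j starts at 1 and the loop stops at j == N. */
struct fill_result fixed_iteration(void) { return fill(1, N); }
```

In the real binary the uninitialized slot is what Valgrind flagged as a jump on an uninitialized value, and the clobbered canary is what `__stack_chk_fail` turned into the SIGABRT in frames #11 to #14 of the backtrace.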