187066 – file open dialog crashes on paste/tree expanding

Bug 187066 - file open dialog crashes on paste/tree expanding

Summary: file open dialog crashes on paste/tree expanding

Status:	RESOLVED FIXED

Alias:	None

Product:	kio
Classification:	Unmaintained
Component:	general (show other bugs)
Version:	unspecified
Platform:	Compiled Sources Unspecified

Importance:	NOR crash
Target Milestone:	---
Assignee:	David Faure

URL:
Keywords:	investigated

Duplicates (4):	194666 260577 262181 275818 (view as bug list)
Depends on:
Blocks:

Reported:	2009-03-13 18:56 UTC by Peter Oberndorfer
Modified:	2011-09-07 20:11 UTC (History)
CC List:	6 users (show)

See Also:
Latest Commit:
Version Fixed In:	4.6.4
Sentry Crash Report:

Attachments
Add some debug output to KDirOperator::Private::_k_slotExpandToUrl(...) (1.95 KB, patch) 2011-05-28 16:01 UTC, Frank Reininghaus	Details
Patch (including unit test) (1.81 KB, patch) 2011-05-28 16:49 UTC, Frank Reininghaus	Details
View All Add an attachment

Note You need to log in before you can comment on or make changes to this bug.

Description Peter Oberndorfer 2009-03-13 18:56:12 UTC

Version:            (using Devel)
Installed from:    Compiled sources

How to reproduce:
kde-devel@foo ~ $ mkdir crash_test
kde-devel@foo ~ $ touch crash_test/crash.txt
kde-devel@foo ~ $ kwrite
File->Open
-> File open dialog starts in the current directory
enter '/'
-> a popup with folders opens
press backspace
-> popup closes
now use Ctrl-V or middle mouse button to paste 'crash_test/crash.txt' into the Name combobox
-> crash

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb60fd6d0 (LWP 18134)]
0xb7d3751f in KFileItem::isDir (this=0xbfe25c84) at /home/kde-devel/kde/src/kdelibs/kio/kio/kfileitem.cpp:958
958         if (d->m_fileMode == KFileItem::Unknown) {
(gdb) bt
#0  0xb7d3751f in KFileItem::isDir (this=0xbfe25c84) at /home/kde-devel/kde/src/kdelibs/kio/kio/kfileitem.cpp:958
#1  0xb47fb75b in KDirOperator::Private::_k_slotExpandToUrl (this=0x8318af8, index=@0x84a5b10) at /home/kde-devel/kde/src/kdelibs/kfile/kdiroperator.cpp:2509
#2  0xb4806148 in KDirOperator::qt_metacall (this=0x83228c0, _c=QMetaObject::InvokeMetaMethod, _id=69, _a=0xbfe25ddc) at /home/kde-devel/kde/build/kdelibs/kfile/kdiroperator.moc:253
#3  0xb6b9d0e6 in QMetaObject::activate (sender=0x8322898, from_signal_index=<value optimized out>, to_signal_index=20, argv=<value optimized out>) at kernel/qobject.cpp:3057
#4  0xb6b9d720 in QMetaObject::activate (sender=0x8322898, m=0xb7e8de04, local_signal_index=0, argv=0xbfe25ddc) at kernel/qobject.cpp:3134
#5  0xb7d22566 in KDirModel::expand (this=0x8322898, _t1=@0x84a5b10) at /home/kde-devel/kde/build/kdelibs/kio/kdirmodel.moc:94
#6  0xb7d26927 in KDirModelPrivate::_k_slotNewItems (this=0x8322920, directoryUrl=@0x84a5fc0, items=@0x84a5fc8) at /home/kde-devel/kde/src/kdelibs/kio/kio/kdirmodel.cpp:433
#7  0xb7d26a9f in KDirModel::qt_metacall (this=0x8322898, _c=QMetaObject::InvokeMetaMethod, _id=1, _a=0xbfe25fd8) at /home/kde-devel/kde/build/kdelibs/kio/kdirmodel.moc:78
#8  0xb6b9d0e6 in QMetaObject::activate (sender=0x8318d30, from_signal_index=<value optimized out>, to_signal_index=14, argv=<value optimized out>) at kernel/qobject.cpp:3057
#9  0xb6b9d720 in QMetaObject::activate (sender=0x8318d30, m=0xb7e8dc7c, local_signal_index=10, argv=0xbfe25fd8) at kernel/qobject.cpp:3134
#10 0xb7d098fb in KDirLister::itemsAdded (this=0x8318d30, _t1=@0x84a5fc0, _t2=@0x84a5fc8) at /home/kde-devel/kde/build/kdelibs/kio/kdirlister.moc:268
#11 0xb7d0afff in KDirLister::Private::emitItems (this=0x8322830) at /home/kde-devel/kde/src/kdelibs/kio/kio/kdirlister.cpp:2274
#12 0xb7d0fe09 in KDirListerCache::slotEntries (this=0x82f2b30, job=0x8387f68, entries=@0xbfe26434) at /home/kde-devel/kde/src/kdelibs/kio/kio/kdirlister.cpp:1089
#13 0xb7d1877a in KDirListerCache::qt_metacall (this=0x82f2b30, _c=QMetaObject::InvokeMetaMethod, _id=7, _a=0xbfe26218) at /home/kde-devel/kde/build/kdelibs/kio/kdirlister_p.moc:98
#14 0xb6b9d0e6 in QMetaObject::activate (sender=0x8387f68, from_signal_index=<value optimized out>, to_signal_index=40, argv=<value optimized out>) at kernel/qobject.cpp:3057
#15 0xb6b9d720 in QMetaObject::activate (sender=0x8387f68, m=0xb7e8cfe0, local_signal_index=0, argv=0xbfe26218) at kernel/qobject.cpp:3134
#16 0xb7ce60d3 in KIO::ListJob::entries (this=0x8387f68, _t1=0x8387f68, _t2=@0xbfe26434) at /home/kde-devel/kde/build/kdelibs/kio/jobclasses.moc:781
#17 0xb7cefd18 in KIO::ListJobPrivate::slotListEntries (this=0x84a5538, list=@0xbfe26434) at /home/kde-devel/kde/src/kdelibs/kio/kio/job.cpp:2347
#18 0xb7cf0074 in KIO::ListJob::qt_metacall (this=0x8387f68, _c=QMetaObject::InvokeMetaMethod, _id=6, _a=0xbfe2639c) at /home/kde-devel/kde/build/kdelibs/kio/jobclasses.moc:767
#19 0xb6b9d0e6 in QMetaObject::activate (sender=0x835c5e0, from_signal_index=<value optimized out>, to_signal_index=10, argv=<value optimized out>) at kernel/qobject.cpp:3057
#20 0xb6b9d720 in QMetaObject::activate (sender=0x835c5e0, m=0xb7e8fba4, local_signal_index=6, argv=0xbfe2639c) at kernel/qobject.cpp:3134
#21 0xb7da3496 in KIO::SlaveInterface::listEntries (this=0x835c5e0, _t1=@0xbfe26434) at /home/kde-devel/kde/build/kdelibs/kio/slaveinterface.moc:179
#22 0xb7da5383 in KIO::SlaveInterface::dispatch (this=0x835c5e0, _cmd=106, rawdata=@0xbfe26504) at /home/kde-devel/kde/src/kdelibs/kio/kio/slaveinterface.cpp:193
#23 0xb7da5e8d in KIO::SlaveInterface::dispatch (this=0x835c5e0) at /home/kde-devel/kde/src/kdelibs/kio/kio/slaveinterface.cpp:91
#24 0xb7d97618 in KIO::Slave::gotInput (this=0x835c5e0) at /home/kde-devel/kde/src/kdelibs/kio/kio/slave.cpp:322
#25 0xb7d98aa8 in KIO::Slave::qt_metacall (this=0x835c5e0, _c=QMetaObject::InvokeMetaMethod, _id=2, _a=0xbfe265f8) at /home/kde-devel/kde/build/kdelibs/kio/slave.moc:76
#26 0xb6b9d0e6 in QMetaObject::activate (sender=0x82eae88, from_signal_index=<value optimized out>, to_signal_index=4, argv=<value optimized out>) at kernel/qobject.cpp:3057
#27 0xb6b9d720 in QMetaObject::activate (sender=0x82eae88, m=0xb7e8c540, local_signal_index=0, argv=0x0) at kernel/qobject.cpp:3134
#28 0xb7cb7bdf in KIO::Connection::readyRead (this=0x82eae88) at /home/kde-devel/kde/build/kdelibs/kio/connection.moc:86
#29 0xb7cb8c2b in KIO::ConnectionPrivate::dequeue (this=0x8339e90) at /home/kde-devel/kde/src/kdelibs/kio/kio/connection.cpp:82
#30 0xb7cb9b4d in KIO::Connection::qt_metacall (this=0x82eae88, _c=QMetaObject::InvokeMetaMethod, _id=1, _a=0x843ab78) at /home/kde-devel/kde/build/kdelibs/kio/connection.moc:73
#31 0xb6b97185 in QMetaCallEvent::placeMetaCall (this=0x84a41b8, object=0x82eae88) at kernel/qobject.cpp:489
#32 0xb6b9952a in QObject::event (this=0x82eae88, e=0x84a41b8) at kernel/qobject.cpp:1106
#33 0xb6d65fb4 in QApplicationPrivate::notify_helper (this=0x8053438, receiver=0x82eae88, e=0x84a41b8) at kernel/qapplication.cpp:4084
#34 0xb6d6c9be in QApplication::notify (this=0xbfe27da8, receiver=0x82eae88, e=0x84a41b8) at kernel/qapplication.cpp:3631
#35 0xb793d56e in KApplication::notify (this=0xbfe27da8, receiver=0x82eae88, event=0x84a41b8) at /home/kde-devel/kde/src/kdelibs/kdeui/kernel/kapplication.cpp:309
#36 0xb6b887f6 in QCoreApplication::notifyInternal (this=0xbfe27da8, receiver=0x82eae88, event=0x84a41b8) at kernel/qcoreapplication.cpp:598
#37 0xb6b89a2b in QCoreApplicationPrivate::sendPostedEvents (receiver=0x0, event_type=0, data=0x804c320) at kernel/qcoreapplication.h:213
#38 0xb6b89ce7 in QCoreApplication::sendPostedEvents (receiver=0x0, event_type=0) at kernel/qcoreapplication.cpp:1132
#39 0xb6bb1cc5 in postEventSourceDispatch (s=0x8054f28) at kernel/qcoreapplication.h:218
#40 0xb63eddf5 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#41 0xb63f1089 in g_main_context_iterate () from /usr/lib/libglib-2.0.so.0
#42 0xb63f1586 in g_main_context_iteration () from /usr/lib/libglib-2.0.so.0
#43 0xb6bb2518 in QEventDispatcherGlib::processEvents (this=0x80533f8, flags=@0xbfe26cb8) at kernel/qeventdispatcher_glib.cpp:323
#44 0xb6df435d in QGuiEventDispatcherGlib::processEvents (this=0x80533f8, flags=@0xbfe26ce8) at kernel/qguieventdispatcher_glib.cpp:202
#45 0xb6b87b25 in QEventLoop::processEvents (this=0xbfe26d5c, flags=@0xbfe26d28) at kernel/qeventloop.cpp:149
#46 0xb6b87ca2 in QEventLoop::exec (this=0xbfe26d5c, flags=@0xbfe26d68) at kernel/qeventloop.cpp:196
#47 0xb7241c83 in QDialog::exec (this=0xbfe26da8) at dialogs/qdialog.cpp:498
#48 0xb7dde086 in KEncodingFileDialog::getOpenUrlsAndEncoding (encoding=@0x819e988, startDir=@0xbfe26e30, filter=@0xbfe26e2c, parent=0x80d5088, caption=@0xbfe26e28) at /home/kde-devel/kde/src/kdelibs/kio/kfile/kencodingfiledialog.cpp:162
#49 0xb7f19142 in KWrite::slotOpen (this=0x80d5088) at /home/kde-devel/kde/src/kdebase/apps/kwrite/kwritemain.cpp:267
#50 0xb7f192d2 in KWrite::qt_metacall (this=0x80d5088, _c=QMetaObject::InvokeMetaMethod, _id=2, _a=0xbfe26f3c) at /home/kde-devel/kde/build/kdebase/apps/kwrite/kwritemain.moc:104
#51 0xb6b9d0e6 in QMetaObject::activate (sender=0x8298078, from_signal_index=<value optimized out>, to_signal_index=6, argv=<value optimized out>) at kernel/qobject.cpp:3057
#52 0xb6b9d500 in QMetaObject::activate (sender=0x8298078, m=0xb7493bc8, from_local_signal_index=1, to_local_signal_index=2, argv=0xbfe26f3c) at kernel/qobject.cpp:3154
#53 0xb6d5f717 in QAction::triggered (this=0x8298078, _t1=false) at .moc/debug-shared/moc_qaction.cpp:236
#54 0xb6d6035c in QAction::activate (this=0x8298078, event=QAction::Trigger) at kernel/qaction.cpp:1160
#55 0xb71f8f88 in QToolButton::nextCheckState (this=0xbfe25c84) at ../../include/QtGui/../../src/gui/kernel/qaction.h:203
#56 0xb7126745 in QAbstractButtonPrivate::click (this=0x82bc8f0) at widgets/qabstractbutton.cpp:525
#57 0xb7126975 in QAbstractButton::mouseReleaseEvent (this=0x82ca588, e=0xbfe27620) at widgets/qabstractbutton.cpp:1115
#58 0xb71f9052 in QToolButton::mouseReleaseEvent (this=0x82ca588, e=0xbfe27620) at widgets/qtoolbutton.cpp:709
#59 0xb6db5073 in QWidget::event (this=0x82ca588, event=0xbfe27620) at kernel/qwidget.cpp:7516
#60 0xb71259e5 in QAbstractButton::event (this=0x82ca588, e=0xbfe25bd8) at widgets/qabstractbutton.cpp:1077
#61 0xb71fbd0a in QToolButton::event (this=0x82ca588, event=0xbfe27620) at widgets/qtoolbutton.cpp:1151
#62 0xb6d65fb4 in QApplicationPrivate::notify_helper (this=0x8053438, receiver=0x82ca588, e=0xbfe27620) at kernel/qapplication.cpp:4084
#63 0xb6d6cad9 in QApplication::notify (this=0xbfe27da8, receiver=0x82ca588, e=0xbfe27620) at kernel/qapplication.cpp:3786
#64 0xb793d56e in KApplication::notify (this=0xbfe27da8, receiver=0x82ca588, event=0xbfe27620) at /home/kde-devel/kde/src/kdelibs/kdeui/kernel/kapplication.cpp:309
#65 0xb6b887f6 in QCoreApplication::notifyInternal (this=0xbfe27da8, receiver=0x82ca588, event=0xbfe27620) at kernel/qcoreapplication.cpp:598
#66 0xb6d6c441 in QApplicationPrivate::sendMouseEvent (receiver=0x82ca588, event=0xbfe27620, alienWidget=0x82ca588, nativeWidget=0x80d5088, buttonDown=0xb74acae0, lastMouseReceiver=@0xb74acae4)
    at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:216
#67 0xb6dcfb4e in QETWidget::translateMouseEvent (this=0x80d5088, event=0xbfe27a6c) at kernel/qapplication_x11.cpp:4425
#68 0xb6dcf026 in QApplication::x11ProcessEvent (this=0xbfe27da8, event=0xbfe27a6c) at kernel/qapplication_x11.cpp:3421
#69 0xb6df45ae in x11EventSourceDispatch (s=0x8056320, callback=0, user_data=0x0) at kernel/qguieventdispatcher_glib.cpp:146
#70 0xb63eddf5 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#71 0xb63f1089 in g_main_context_iterate () from /usr/lib/libglib-2.0.so.0

(gdb) print d
$1 = {d = 0x0}
(gdb) up
#1  0xb47fb75b in KDirOperator::Private::_k_slotExpandToUrl (this=0x8318af8, index=@0x84a5b10) at /home/kde-devel/kde/src/kdelibs/kfile/kdiroperator.cpp:2509
2509                    if (_item.isDir()) {
(gdb) print _item
$2 = {d = {d = 0x0}}

(gdb) print url
$3 = {<QUrl> = {d = 0x8387140}, d = 0x0}

adding a
kDebug() << "url:" << url;
tells me
url: KUrl("file:///")

Comment 1 Dario Andres 2009-05-30 18:26:16 UTC

*** Bug 194666 has been marked as a duplicate of this bug. ***

Comment 2 Frank Reininghaus 2010-12-20 15:21:26 UTC

I can reproduce the crash in current trunk.

Comment 3 Arkadiusz Miskiewicz 2010-12-30 20:25:44 UTC

Can reproduce on 4.5.4 (also in different form - https://bugs.kde.org/show_bug.cgi?id=260577)

Comment 4 Nicolas L. 2011-01-05 13:18:41 UTC

*** Bug 262181 has been marked as a duplicate of this bug. ***

Comment 5 Dawit Alemayehu 2011-05-09 02:04:22 UTC

I cannot reproduce this crash though the steps to reproduce the problem seem to be missing a step. What exactly am I pasting into the "Name" box. It does not say to "Copy" something anywhere in the steps previous to that statement.

Anyhow, some clarification would be nice or even better if anyone runs into this problem with the recent versions of KDE (v4.6 and up) ?

Comment 6 Dawit Alemayehu 2011-05-28 00:26:58 UTC

Can anyone want to confirm this crash in the current trunk or KDE 4.7 beta 1 ? I personally cannot, but then again I did not clearly understand the instructions on how to reproduce...

Comment 7 Frank Reininghaus 2011-05-28 00:56:21 UTC

I can still reproduce the crash in today's master. I'll try to make the instructions a bit more detailed:

1. $ mkdir crash_test
2. $ touch crash_test/crash.txt
3. $ kwrite
4. File->Open (File open dialog starts in the current directory)
5. In the 'Name' line edit, enter '/', see the combo box open,
   and press backspace
6. Switch to the browser window showing this bug report
7. Mark the text 'crash_test/crash.txt' with the mouse
8. Go back to KWrite's file open dialog
9. Middle-click the 'Name' line edit to paste the text -> Crash

Comment 8 Dawit Alemayehu 2011-05-28 02:22:45 UTC

(In reply to comment #7)
> I can still reproduce the crash in today's master. I'll try to make the
> instructions a bit more detailed:
> 
> 1. $ mkdir crash_test
> 2. $ touch crash_test/crash.txt
> 3. $ kwrite
> 4. File->Open (File open dialog starts in the current directory)
> 5. In the 'Name' line edit, enter '/', see the combo box open,
>    and press backspace
> 6. Switch to the browser window showing this bug report
> 7. Mark the text 'crash_test/crash.txt' with the mouse
> 8. Go back to KWrite's file open dialog
> 9. Middle-click the 'Name' line edit to paste the text -> Crash

Tried that multiple times and it does not crash here with today's master.

Comment 9 Frank Reininghaus 2011-05-28 16:01:21 UTC

Created attachment 60410 [details]
Add some debug output to KDirOperator::Private::_k_slotExpandToUrl(...)

The output I get just before the crash with this patch applied is:

kwrite(24307) KDirOperator::Private::_k_slotExpandToUrl: item: [KFileItem for KUrl("file:///home/kde-devel/tmp/crash_test/crash.txt") ]
kwrite(24307) KDirOperator::Private::_k_slotExpandToUrl: itemsToBeSetAsCurrent: (KUrl("file:///") ,  KUrl("file:///home/kde-devel/tmp/crash_test/crash.txt") ,  KUrl("file:///home/kde-devel/tmp/crash_test") )
kwrite(24307) KDirOperator::Private::_k_slotExpandToUrl: url: KUrl("file:///")
kwrite(24307) KDirOperator::Private::_k_slotExpandToUrl: _item: [null KFileItem]

The URL "file:///" had been appended to itemsToBeSetAsCurrent by KDirOperator::setCurrentItems(const QStringList& urls), but it cannot be found by the dir lister because it is not a subfolder of the folder which is shown in the dialog. This is why _item is a null KFileItem, and checking if it's a directory results in a crash.

Comment 10 Frank Reininghaus 2011-05-28 16:09:39 UTC

Adding a null check for the file item fixes the crash for me (see below).

But I'm not sure if this is the best way - the KFileItem API docs don't mention that calling isDir() for a null KFileItem crashes the app. So one could also move the null check to KFileItem::isDir() (and other similar methods), or the API docs should explicitly mention the crash risk.

@David: Do you have an idea about this issue?

--- a/kfile/kdiroperator.cpp
+++ b/kfile/kdiroperator.cpp
@@ -2526,7 +2526,7 @@ void KDirOperator::Private::_k_slotExpandToUrl(const QModelIndex &index)
             const KUrl url = *it;
             if (url.isParentOf(item.url())) {
                 const KFileItem _item = dirLister->findByUrl(url);
-                if (_item.isDir()) {
+                if (!_item.isNull() && _item.isDir()) {
                     const QModelIndex _index = dirModel->indexForItem(_item);
                     const QModelIndex _proxyIndex = proxyModel->mapFromSource(_index);
                     treeView->expand(_proxyIndex);

Comment 11 Frank Reininghaus 2011-05-28 16:49:33 UTC

Created attachment 60412 [details]
Patch (including unit test)

I've added a unit test which might be useful no matter how the bug is fixed. I've verified that the test crashes with an unpatched KDirOperator and passes with the patch from my previous comment applied.

Comment 12 Frank Reininghaus 2011-05-31 20:40:27 UTC

(In reply to comment #10)
> So one could also move the null check to KFileItem::isDir() (and other similar methods), or the
> API docs should explicitly mention the crash risk.

Hm, when I investigated another bug 196695, I found out that null KFileItems are used for special purposes in various places, and just make isDir() return false for them could cause other problems in the long run. So the best idea I have so far is my patch from comment 10.

Comment 13 Frank Reininghaus 2011-05-31 20:48:01 UTC

Git commit 8b5c38c8d9fae85e002fae9f325277b5b200d44d by Frank Reininghaus.
Committed on 28/05/2011 at 17:00.
Pushed by freininghaus into branch 'master'.

Fix crash in KDirOperator::Private::_k_slotExpandToUrl(...)

When entering '/' in the 'Name' line of the file open dialog, pressing
backspace and then pasting 'a/b', where a is a subfolder of the current
folder and b a file in that folder, KDirOperator may crash because it
accesses a null KFileItem. This commit fixes the crash. Unit test
included.
CCBUG: 187066

M  +1    -1    kfile/kdiroperator.cpp     
M  +22   -0    kfile/tests/kdiroperatortest.cpp     

http://commits.kde.org/kdelibs/8b5c38c8d9fae85e002fae9f325277b5b200d44d

Comment 14 Frank Reininghaus 2011-05-31 20:52:02 UTC

Git commit dd4ff99421fc0aa96d74bc616e64137c11862f20 by Frank Reininghaus.
Committed on 28/05/2011 at 17:00.
Pushed by freininghaus into branch 'KDE/4.6'.

Fix crash in KDirOperator::Private::_k_slotExpandToUrl(...)

When entering '/' in the 'Name' line of the file open dialog, pressing
backspace and then pasting 'a/b', where a is a subfolder of the current
folder and b a file in that folder, KDirOperator may crash because it
accesses a null KFileItem. This commit fixes the crash. Unit test
included.
BUG: 187066
FIXED-IN: 4.6.4
(cherry picked from commit 8b5c38c8d9fae85e002fae9f325277b5b200d44d)

M  +1    -1    kfile/kdiroperator.cpp     
M  +22   -0    kfile/tests/kdiroperatortest.cpp     

http://commits.kde.org/kdelibs/dd4ff99421fc0aa96d74bc616e64137c11862f20

Comment 15 Frank Reininghaus 2011-06-09 16:32:17 UTC

*** Bug 260577 has been marked as a duplicate of this bug. ***

Comment 16 Christoph Feck 2011-09-07 20:11:37 UTC

*** Bug 275818 has been marked as a duplicate of this bug. ***