Bug 330599 - Crash in problem data serialization
Summary: Crash in problem data serialization
Status: RESOLVED FIXED
Alias: None
Product: kdevelop
Classification: Applications
Component: general
Version: 4.6.60
Platform: Arch Linux Linux
Importance: VHI crash
Target Milestone: ---
Assignee: kdevelop-bugs-null
URL:
Keywords: drkonqi, release_blocker, reproducible
Depends on:
Blocks:
 
Reported: 2014-01-31 00:10 UTC by Milian Wolff
Modified: 2014-02-11 23:30 UTC (History)
CC List: 0 users

See Also:
Latest Commit:
Version Fixed In:


Description Milian Wolff 2014-01-31 00:10:25 UTC
Application: kdevelop (4.6.60)
KDE Platform Version: 4.12.1
Qt Version: 4.8.5
Operating System: Linux 3.12.8-1-ARCH x86_64
Distribution: "Arch Linux"

-- Information about the crash:
Loading a session with some problems, then closing all files and waiting ~3min for the cleanup thread to kick in. Then closing KDevelop will crash in the problem model if that contained any problems since it tries to delete data which points into mmapped regions on-disk which were unmapped already and must not be deleted.

This shows that my problem-serialization workflow must be rethought, see 0c2eb5c70c1f3795242cf8a2292ba9fea96d983a

The crash can be reproduced every time.

-- Backtrace:
Application: KDevelop (kdevelop), signal: Segmentation fault
Using host libthread_db library "/usr/lib/libthread_db.so.1".
[Current thread is 1 (Thread 0x7f533ef8a7c0 (LWP 24154))]

Thread 10 (Thread 0x7f53376a5700 (LWP 24155)):
#0  0x00007f534df7603f in pthread_cond_wait@@GLIBC_2.3.2 () from /usr/lib/libpthread.so.0
#1  0x00007f534af3afcb in ?? () from /usr/lib/libQtScript.so.4
#2  0x00007f534af3b009 in ?? () from /usr/lib/libQtScript.so.4
#3  0x00007f534df720a2 in start_thread () from /usr/lib/libpthread.so.0
#4  0x00007f534d48832d in clone () from /usr/lib/libc.so.6

Thread 9 (Thread 0x7f52b62e0700 (LWP 24156)):
#0  0x00007f534df763e8 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /usr/lib/libpthread.so.0
#1  0x00007f534e202244 in QWaitCondition::wait(QMutex*, unsigned long) () from /usr/lib/libQtCore.so.4
#2  0x00007f534c4bfc7e in KDevelop::DUChainPrivate::CleanupThread::run (this=0x3085b40) at /home/milian/projects/kde4/kdevplatform/language/duchain/duchain.cpp:283
#3  0x00007f534e201d8f in ?? () from /usr/lib/libQtCore.so.4
#4  0x00007f534df720a2 in start_thread () from /usr/lib/libpthread.so.0
#5  0x00007f534d48832d in clone () from /usr/lib/libc.so.6

Thread 8 (Thread 0x7f52aa418700 (LWP 24157)):
#0  0x00007f534884afba in ?? () from /usr/lib/libglib-2.0.so.0
#1  0x00007f534884b299 in g_mutex_unlock () from /usr/lib/libglib-2.0.so.0
#2  0x00007f534880ac20 in g_main_context_prepare () from /usr/lib/libglib-2.0.so.0
#3  0x00007f534880b4a3 in ?? () from /usr/lib/libglib-2.0.so.0
#4  0x00007f534880b68c in g_main_context_iteration () from /usr/lib/libglib-2.0.so.0
#5  0x00007f534e32eb46 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/libQtCore.so.4
#6  0x00007f534e300b1f in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/libQtCore.so.4
#7  0x00007f534e300e15 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/libQtCore.so.4
#8  0x00007f534e1ff6ef in QThread::exec() () from /usr/lib/libQtCore.so.4
#9  0x00007f534e201d8f in ?? () from /usr/lib/libQtCore.so.4
#10 0x00007f534df720a2 in start_thread () from /usr/lib/libpthread.so.0
#11 0x00007f534d48832d in clone () from /usr/lib/libc.so.6

Thread 7 (Thread 0x7f5293df2700 (LWP 24176)):
#0  0x00007f534df754f0 in __pthread_mutex_unlock_usercnt () from /usr/lib/libpthread.so.0
#1  0x00007f534884b2a1 in g_mutex_unlock () from /usr/lib/libglib-2.0.so.0
#2  0x00007f534880afc8 in g_main_context_check () from /usr/lib/libglib-2.0.so.0
#3  0x00007f534880b51b in ?? () from /usr/lib/libglib-2.0.so.0
#4  0x00007f534880b68c in g_main_context_iteration () from /usr/lib/libglib-2.0.so.0
#5  0x00007f534e32eb46 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/libQtCore.so.4
#6  0x00007f534e300b1f in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/libQtCore.so.4
#7  0x00007f534e300e15 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/libQtCore.so.4
#8  0x00007f534e1ff6ef in QThread::exec() () from /usr/lib/libQtCore.so.4
#9  0x00007f534e2e22c3 in ?? () from /usr/lib/libQtCore.so.4
#10 0x00007f534e201d8f in ?? () from /usr/lib/libQtCore.so.4
#11 0x00007f534df720a2 in start_thread () from /usr/lib/libpthread.so.0
#12 0x00007f534d48832d in clone () from /usr/lib/libc.so.6

Thread 6 (Thread 0x7f52935f1700 (LWP 24186)):
#0  0x00007f534df7603f in pthread_cond_wait@@GLIBC_2.3.2 () from /usr/lib/libpthread.so.0
#1  0x00007f5346a7494d in ?? () from /usr/lib/libQtWebKit.so.4
#2  0x00007f5346a74989 in ?? () from /usr/lib/libQtWebKit.so.4
#3  0x00007f534df720a2 in start_thread () from /usr/lib/libpthread.so.0
#4  0x00007f534d48832d in clone () from /usr/lib/libc.so.6

Thread 5 (Thread 0x7f52925ef700 (LWP 24187)):
#0  0x00007f534df7603f in pthread_cond_wait@@GLIBC_2.3.2 () from /usr/lib/libpthread.so.0
#1  0x00007f53467b644d in ?? () from /usr/lib/libQtWebKit.so.4
#2  0x00007f5346aa40e6 in ?? () from /usr/lib/libQtWebKit.so.4
#3  0x00007f534df720a2 in start_thread () from /usr/lib/libpthread.so.0
#4  0x00007f534d48832d in clone () from /usr/lib/libc.so.6

Thread 4 (Thread 0x7f5292df0700 (LWP 24188)):
#0  0x00007f534df7422c in pthread_mutex_lock () from /usr/lib/libpthread.so.0
#1  0x00007f534884b271 in g_mutex_lock () from /usr/lib/libglib-2.0.so.0
#2  0x00007f534880b678 in g_main_context_iteration () from /usr/lib/libglib-2.0.so.0
#3  0x00007f534e32eb46 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/libQtCore.so.4
#4  0x00007f534e300b1f in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/libQtCore.so.4
#5  0x00007f534e300e15 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/libQtCore.so.4
#6  0x00007f534e1ff6ef in QThread::exec() () from /usr/lib/libQtCore.so.4
#7  0x00007f534e201d8f in ?? () from /usr/lib/libQtCore.so.4
#8  0x00007f534df720a2 in start_thread () from /usr/lib/libpthread.so.0
#9  0x00007f534d48832d in clone () from /usr/lib/libc.so.6

Thread 3 (Thread 0x7f5291370700 (LWP 24195)):
#0  0x00007f534df7603f in pthread_cond_wait@@GLIBC_2.3.2 () from /usr/lib/libpthread.so.0
#1  0x00007f534e202266 in QWaitCondition::wait(QMutex*, unsigned long) () from /usr/lib/libQtCore.so.4
#2  0x00007f535144ab7c in ?? () from /usr/lib/libthreadweaver.so.4
#3  0x00007f535144d613 in ?? () from /usr/lib/libthreadweaver.so.4
#4  0x00007f535144c32f in ThreadWeaver::Thread::run() () from /usr/lib/libthreadweaver.so.4
#5  0x00007f534e201d8f in ?? () from /usr/lib/libQtCore.so.4
#6  0x00007f534df720a2 in start_thread () from /usr/lib/libpthread.so.0
#7  0x00007f534d48832d in clone () from /usr/lib/libc.so.6

Thread 2 (Thread 0x7f5290b6f700 (LWP 24196)):
#0  0x00007f534df7603f in pthread_cond_wait@@GLIBC_2.3.2 () from /usr/lib/libpthread.so.0
#1  0x00007f534e202266 in QWaitCondition::wait(QMutex*, unsigned long) () from /usr/lib/libQtCore.so.4
#2  0x00007f535144ab7c in ?? () from /usr/lib/libthreadweaver.so.4
#3  0x00007f535144d613 in ?? () from /usr/lib/libthreadweaver.so.4
#4  0x00007f535144c32f in ThreadWeaver::Thread::run() () from /usr/lib/libthreadweaver.so.4
#5  0x00007f534e201d8f in ?? () from /usr/lib/libQtCore.so.4
#6  0x00007f534df720a2 in start_thread () from /usr/lib/libpthread.so.0
#7  0x00007f534d48832d in clone () from /usr/lib/libc.so.6

Thread 1 (Thread 0x7f533ef8a7c0 (LWP 24154)):
[KCrash Handler]
#5  0x0000000000000054 in ?? ()
#6  0x00007f52aace6bb1 in KSharedPtr<KDevelop::Problem>::~KSharedPtr (this=0x5539560) at /usr/include/ksharedptr.h:90
#7  0x00007f52aace81a0 in QList<KSharedPtr<KDevelop::Problem> >::node_destruct (this=0x3d6bba8, from=0x4d89a08, to=0x4d89a68) at /usr/include/qt4/QtCore/qlist.h:431
#8  0x00007f52aace812f in QList<KSharedPtr<KDevelop::Problem> >::free (this=0x3d6bba8, data=0x4d899f0) at /usr/include/qt4/QtCore/qlist.h:757
#9  0x00007f52aacf04c2 in QList<KSharedPtr<KDevelop::Problem> >::operator= (this=0x3d6bba8, l=...) at /usr/include/qt4/QtCore/qlist.h:443
#10 0x00007f52aacefbdd in QList<KSharedPtr<KDevelop::Problem> >::clear (this=0x3d6bba8) at /usr/include/qt4/QtCore/qlist.h:766
#11 0x00007f52aaced90a in ProblemModel::~ProblemModel (this=0x3d6bb90) at /home/milian/projects/kde4/kdevplatform/plugins/problemreporter/problemmodel.cpp:71
#12 0x00007f52aaced8c9 in ProblemModel::~ProblemModel (this=0x3d6bb90) at /home/milian/projects/kde4/kdevplatform/plugins/problemreporter/problemmodel.cpp:70
#13 0x00007f534e318438 in QObjectPrivate::deleteChildren() () from /usr/lib/libQtCore.so.4
#14 0x00007f534e31a9df in QObject::~QObject() () from /usr/lib/libQtCore.so.4
#15 0x00007f5352a412c6 in KDevelop::IPlugin::~IPlugin (this=0x3d6bbf0) at /home/milian/projects/kde4/kdevplatform/interfaces/iplugin.cpp:120
#16 0x00007f52aace4334 in ProblemReporterPlugin::~ProblemReporterPlugin (this=0x3d6bbf0) at /home/milian/projects/kde4/kdevplatform/plugins/problemreporter/problemreporterplugin.cpp:103
#17 0x00007f52aace4299 in ProblemReporterPlugin::~ProblemReporterPlugin (this=0x3d6bbf0) at /home/milian/projects/kde4/kdevplatform/plugins/problemreporter/problemreporterplugin.cpp:101
#18 0x00007f5352252724 in KDevelop::PluginController::unloadPlugin (this=0x1b5c2c0, plugin=0x3d6bbf0, deletion=KDevelop::PluginController::Now) at /home/milian/projects/kde4/kdevplatform/shell/plugincontroller.cpp:330
#19 0x00007f53522523f4 in KDevelop::PluginController::cleanup (this=0x1b5c2c0) at /home/milian/projects/kde4/kdevplatform/shell/plugincontroller.cpp:194
#20 0x00007f5352262b7f in KDevelop::Core::cleanup (this=0x160f030) at /home/milian/projects/kde4/kdevplatform/shell/core.cpp:408
#21 0x00007f53522629fe in KDevelop::Core::shutdown (this=0x160f030) at /home/milian/projects/kde4/kdevplatform/shell/core.cpp:377
#22 0x00007f53522632b3 in KDevelop::Core::qt_static_metacall (_o=0x160f030, _c=QMetaObject::InvokeMetaMethod, _id=1, _a=0x7fff0022fc30) at /home/milian/projects/.build/kde4/kdevplatform/shell/core.moc:53
#23 0x00007f534e315b48 in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) () from /usr/lib/libQtCore.so.4
#24 0x00007f534e305fa5 in QCoreApplication::exec() () from /usr/lib/libQtCore.so.4
#25 0x0000000000416b06 in main (argc=3, argv=0x7fff00231918) at /home/milian/projects/kde4/kdevelop/app/main.cpp:562

Reported using DrKonqi
Comment 1 Milian Wolff 2014-02-11 23:30:43 UTC
Git commit 254b7f1c78714a4169334eba9ce4d267a0e48b61 by Milian Wolff.
Committed on 11/02/2014 at 23:04.
Pushed by mwolff into branch 'master'.

Add unit test for ProblemSerialization; it will crash as-is.

A fix for the crash will follow.

M  +2    -2    language/duchain/duchain.cpp
M  +1    -1    language/duchain/duchain.h
M  +79   -0    language/duchain/tests/test_duchain.cpp
M  +1    -0    language/duchain/tests/test_duchain.h

http://commits.kde.org/kdevplatform/254b7f1c78714a4169334eba9ce4d267a0e48b61
Comment 2 Milian Wolff 2014-02-11 23:30:44 UTC
Git commit 83365b0cb5dbd08839e787b85ebdb5ba7316717e by Milian Wolff.
Committed on 11/02/2014 at 23:09.
Pushed by mwolff into branch 'master'.

Fix crashes due to Problem serialization.

This is a major refactoring of the initial problem serialization
code as introduced by 0c2eb5c70c1.

We now add "proper" support for serializing data items which inherit
QSharedData in the top context file, i.e. TopDUContextDynamicData.

Shared data items are special, as in order to keep the expected
invariants we deviate from other items' behavior when serializing:

1) When an item is serialized, we do not change the d_ptr of the
Item, i.e. the data will still point to the dynamic data and never
to the constant serialized data.

2) When deserializing, similar to above, we make the item dynamic
instantly such that the Item is not pointing to the constant data.

This is required in order to prevent double deletions or crashes
due to use-after-free when a shared data pointer outlives the
"parent" TopDUContext. When that one is deleted, or saved to disk,
we previously deleted items (as we assumed to have ownership), and
unmapped the data - thus shared data pointers must never point to
the mmapped data regions.

While complicated and big, I think this patch is cleaner than my
initial implementation. And since the previously added test now
passes, I'm confident this is an improvement. Memory is also still
cleaned up as before.

M  +38   -57   language/duchain/problem.cpp
M  +5    -14   language/duchain/problem.h
M  +8    -33   language/duchain/topducontext.cpp
M  +0    -7    language/duchain/topducontext.h
M  +91   -37   language/duchain/topducontextdynamicdata.cpp
M  +12   -13   language/duchain/topducontextdynamicdata.h

http://commits.kde.org/kdevplatform/83365b0cb5dbd08839e787b85ebdb5ba7316717e
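The two invariants from the commit message above, as an added illustrative example in C++ that is not kdevplatform code: ProblemData, Problem, SerializedFile and the function names are hypothetical stand-ins for the on-disk record, KSharedPtr<Problem> and the mmapped TopDUContextDynamicData file. It shows serialization that never repoints d_ptr and deserialization that copies out of the mapping at once, so an item that outlives the mapping (the situation behind the backtrace) never dereferences or frees unmapped memory.

```cpp
#include <cstring>
#include <memory>
#include <vector>

// Hypothetical on-disk problem record (not kdevplatform code), trivially copyable.
struct ProblemData {
    unsigned line = 0;
    char description[32] = {};
};
// Hypothetical item modelled on KSharedPtr<Problem>: d_ptr is what the item reads
// through; dynamicData is the heap copy it owns once it has been made dynamic.
struct Problem {
    const ProblemData* d_ptr = nullptr;
    std::shared_ptr<ProblemData> dynamicData;
    bool isDynamic() const { return dynamicData && d_ptr == dynamicData.get(); }
    void makeDynamic() {  // copy the record out of the mapped region so the item owns it
        if (isDynamic() || !d_ptr) return;
        dynamicData = std::make_shared<ProblemData>(*d_ptr);
        d_ptr = dynamicData.get();
    }
};

using SerializedFile = std::vector<char>;  // stands in for the mmapped context file
// Invariant 1: the record is copied into the file; d_ptr stays on the dynamic data,
// so the item never points into the file that will later be unmapped.
void serializeProblem(const Problem& p, SerializedFile& file) {
    const char* bytes = reinterpret_cast<const char*>(p.d_ptr);
    file.insert(file.end(), bytes, bytes + sizeof(ProblemData));
}

// Invariant 2: the loaded item is made dynamic immediately, so a shared item that
// outlives the mapping is never left pointing into unmapped memory.
Problem deserializeProblem(const SerializedFile& file, std::size_t offset) {
    Problem p;
    p.d_ptr = reinterpret_cast<const ProblemData*>(file.data() + offset);  // constant view
    p.makeDynamic();
    return p;
}

// Save, release the "mapped" file (what the cleanup's unmap did), then return the
// loaded item; it stays valid because it holds its own copy of the data.
Problem roundTripThenUnmap(unsigned line, const char* text) {
    Problem original;
    original.dynamicData = std::make_shared<ProblemData>();
    original.d_ptr = original.dynamicData.get();
    original.dynamicData->line = line;
    std::strncpy(original.dynamicData->description, text, sizeof(ProblemData::description) - 1);
    SerializedFile file;
    serializeProblem(original, file);
    Problem loaded = deserializeProblem(file, 0);
    SerializedFile().swap(file);  // frees the buffer, the equivalent of munmap
    return loaded;
}
```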