332132 – segmentation fault caused by KFileItemDelegate

Bug 332132 - segmentation fault caused by KFileItemDelegate

Summary: segmentation fault caused by KFileItemDelegate

Status:	RESOLVED WORKSFORME

Alias:	None

Product:	kio
Classification:	Unmaintained
Component:	general (show other bugs)
Version:	4.11.3
Platform:	Debian testing Linux

Importance:	NOR crash
Target Milestone:	---
Assignee:	Fredrik Höglund

URL:
Keywords:	triaged

Depends on:
Blocks:

Reported:	2014-03-14 11:16 UTC by Paul Chavent
Modified:	2018-10-29 02:08 UTC (History)
CC List:	4 users (show)

See Also:
Latest Commit:
Version Fixed In:
Sentry Crash Report:

Attachments
Use QSharedPointer for states. (9.03 KB, patch) 2014-03-15 12:23 UTC, Paul Chavent	Details
View All Add an attachment

Note You need to log in before you can comment on or make changes to this bug.

Description Paul Chavent 2014-03-14 11:16:07 UTC

KFileItemDelegate::paint causes a segmentation fault by dereferencing freed memory.

Tested with version 4.11.3, but the suspisious code seems unchanged in the current git tree.

Reproducible: Sometimes

Steps to Reproduce:
1. Open a new document under libreoffice with kde dialog boxes
2. Save the document (it opens a kde file chooser dialog box)
3. Hover the mouse on files
Actual Results:  
The application crashes.

Expected Results:  
The application still runs.

The bug is reproductible but hard to track (disapear if i attach gdb or valgrind to the process).

However, i got a core dump that lead us to kio/kio/kfileitemdelegate.cpp:1291 (hereunder the top of the backtrace) :
#0  checkValidity (current=..., this=0x540058) at .../../kio/kio/delegateanimationhandler_p.h:46
#1  KFileItemDelegate::paint (this=0x27644d0, painter=0x7fff702f0090, option=..., index=...) at ../../kio/kio/kfileitemdelegate.cpp:1291
#2  0x00007fe31f539791 in QListView::paintEvent (this=0x27769d0, e=<optimized out>) at itemviews/qlistview.cpp:1039

After code review it seems that the problem is due to the 'cache' pointer that is not null neither valid.

The problems seems to be that 'KFileItemDelegate::paint' ask for a state with 'd->animationState(...)' (see <a href="https://projects.kde.org/projects/kde/kdelibs/repository/revisions/master/entry/kio/kio/kfileitemdelegate.cpp#L1271">kio/kio/kfileitemdelegate.cpp line 1271</a>) and get a state that can have been deleted meanwhile.

Indeed, 'DelegateAnimationHandler::animationState' (in <a href="https://projects.kde.org/projects/kde/kdelibs/repository/revisions/master/entry/kio/kio/delegateanimationhandler.cpp#L321">kio/kio/delegateanimationhandler.cpp line 321</a>) calls 'setSequenceIndex(0)' which has the effect of finally call 'DelegateAnimationHandler::runAnimations' and delete state (in <a href="https://projects.kde.org/projects/kde/kdelibs/repository/revisions/master/entry/kio/kio/delegateanimationhandler.cpp#L430">kio/kio/delegateanimationhandler.cpp line 430</a>).

So the crash append at <a href="https://projects.kde.org/projects/kde/kdelibs/repository/revisions/master/entry/kio/kio/kfileitemdelegate.cpp#L1291">kio/kio/kfileitemdelegate.cpp line 1291</a>.

A (less-precise) bug report has been filled to the debian bug tracker with the id 741564.

Comment 1 Paul Chavent 2014-03-15 12:20:45 UTC

The diagnostic in the description is not exact. DelegateAnimationHandler::animationState can set state->direction to QTimeLine::Backward and launch an animation.

When the animation timer (synchronously) expire, it calls DelegateAnimationHandler::runAnimations which delete finished state with Bacward direction. 

However, the state can be used by the KFileItemDelegate::paint function and can cause a segfault if dereferenced.

Comment 2 Paul Chavent 2014-03-15 12:23:03 UTC

Created attachment 85588 [details]
Use QSharedPointer for states.

This patch fix the bug by sharing the states pointer. So their deletion are deleyed to the last owner.

Comment 3 Nate Graham 2018-04-24 21:20:48 UTC

Thanks for the patch, Paul! Sorry it took so long for anyone to notice it...

If the issue is still present in KDE Frameworks 5, would you mind submitting your patch via Phabricator? http://phabricator.kde.org/

Here's the documentation: https://community.kde.org/Infrastructure/Phabricator

Thanks!

Comment 4 Andrew Crouthamel 2018-09-28 03:26:52 UTC

Dear Bug Submitter,

This bug has been in NEEDSINFO status with no change for at least 15 days. Please provide the requested information as soon as possible and set the bug status as REPORTED. Due to regular bug tracker maintenance, if the bug is still in NEEDSINFO status with no change in 30 days, the bug will be closed as RESOLVED > WORKSFORME due to lack of needed information.

For more information about our bug triaging procedures please read the wiki located here: https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging

If you have already provided the requested information, please set the bug status as REPORTED so that the KDE team knows that the bug is ready to be confirmed.

Thank you for helping us make KDE software even better for everyone!

Comment 5 Andrew Crouthamel 2018-10-29 02:08:51 UTC

Dear Bug Submitter,

This bug has been in NEEDSINFO status with no change for at least 30 days. The bug is now closed as RESOLVED > WORKSFORME due to lack of needed information.

For more information about our bug triaging procedures please read the wiki located here: https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging

Thank you for helping us make KDE software even better for everyone!