Bug 332132 - segmentation fault caused by KFileItemDelegate
Summary: segmentation fault caused by KFileItemDelegate
Status: RESOLVED WORKSFORME
Alias: None
Product: kio
Classification: Unmaintained
Component: general
Version: 4.11.3
Platform: Debian testing Linux
Importance: NOR crash
Target Milestone: ---
Assignee: Fredrik Höglund
URL:
Keywords: triaged
Depends on:
Blocks:
 
Reported: 2014-03-14 11:16 UTC by Paul Chavent
Modified: 2018-10-29 02:08 UTC (History)
4 users

See Also:
Latest Commit:
Version Fixed In:
Sentry Crash Report:


Attachments
Use QSharedPointer for states. (9.03 KB, patch)
2014-03-15 12:23 UTC, Paul Chavent

Description Paul Chavent 2014-03-14 11:16:07 UTC
KFileItemDelegate::paint causes a segmentation fault by dereferencing freed memory.

Tested with version 4.11.3, but the suspicious code seems unchanged in the current git tree.

Reproducible: Sometimes

Steps to Reproduce:
1. Open a new document under libreoffice with kde dialog boxes
2. Save the document (it opens a kde file chooser dialog box)
3. Hover the mouse on files
Actual Results:  
The application crashes.

Expected Results:  
The application still runs.

The bug is reproducible but hard to track (it disappears if I attach gdb or valgrind to the process).

However, I got a core dump that led us to kio/kio/kfileitemdelegate.cpp:1291 (the top of the backtrace is below):
#0  checkValidity (current=..., this=0x540058) at .../../kio/kio/delegateanimationhandler_p.h:46
#1  KFileItemDelegate::paint (this=0x27644d0, painter=0x7fff702f0090, option=..., index=...) at ../../kio/kio/kfileitemdelegate.cpp:1291
#2  0x00007fe31f539791 in QListView::paintEvent (this=0x27769d0, e=<optimized out>) at itemviews/qlistview.cpp:1039

After code review it seems that the problem is due to the 'cache' pointer, which is neither null nor valid.

The problem seems to be that 'KFileItemDelegate::paint' asks for a state with 'd->animationState(...)' (see kio/kio/kfileitemdelegate.cpp line 1271: https://projects.kde.org/projects/kde/kdelibs/repository/revisions/master/entry/kio/kio/kfileitemdelegate.cpp#L1271) and gets a state that may have been deleted in the meantime.

Indeed, 'DelegateAnimationHandler::animationState' (in kio/kio/delegateanimationhandler.cpp line 321: https://projects.kde.org/projects/kde/kdelibs/repository/revisions/master/entry/kio/kio/delegateanimationhandler.cpp#L321) calls 'setSequenceIndex(0)', which has the effect of finally calling 'DelegateAnimationHandler::runAnimations' and deleting the state (in kio/kio/delegateanimationhandler.cpp line 430: https://projects.kde.org/projects/kde/kdelibs/repository/revisions/master/entry/kio/kio/delegateanimationhandler.cpp#L430).

So the crash happens at kio/kio/kfileitemdelegate.cpp line 1291 (https://projects.kde.org/projects/kde/kdelibs/repository/revisions/master/entry/kio/kio/kfileitemdelegate.cpp#L1291).

A (less precise) bug report has been filed in the Debian bug tracker with the id 741564.
Comment 1 Paul Chavent 2014-03-15 12:20:45 UTC
The diagnosis in the description is not exact. DelegateAnimationHandler::animationState can set state->direction to QTimeLine::Backward and launch an animation.

When the animation timer (synchronously) expires, it calls DelegateAnimationHandler::runAnimations, which deletes finished states with Backward direction.

However, the state can be used by the KFileItemDelegate::paint function and can cause a segfault if dereferenced.
Comment 2 Paul Chavent 2014-03-15 12:23:03 UTC
Created attachment 85588 [details]
Use QSharedPointer for states.

This patch fixes the bug by sharing the state pointers, so their deletion is delayed until the last owner releases them.
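A constructed model of the sequence described in the report and the ownership change proposed in the attached patch (added here for illustration; this is neither kio's code nor the patch itself). It models a single hovered item instead of a per-index map, and std::shared_ptr stands in for QSharedPointer so it builds without Qt.

```cpp
#include <memory>

// Model of the report: paint() asks the handler for the hovered item's state, the
// lookup flips the direction to Backward and runs the animation step
// synchronously, and that step deletes states whose animation has finished.
struct AnimationState {
    bool backward = false;  // stands in for QTimeLine::Backward
    int  progress = 100;    // 100 means the animation already finished
};

// Raw ownership, as in the crashing version: the returned pointer may be freed.
class RawHandler {
public:
    AnimationState* animationState() {
        if (!state_) return state_ = new AnimationState{};
        AnimationState* s = state_;
        s->backward = true;
        runAnimations();   // timer expiry runs before the caller uses s
        return s;          // dangling when s had finished and was deleted
    }
    bool alive() const { return state_ != nullptr; }
    ~RawHandler() { delete state_; }
private:
    void runAnimations() {
        if (state_ && state_->backward && state_->progress >= 100) {
            delete state_; state_ = nullptr;   // caller's copy now dangles
        }
    }
    AnimationState* state_ = nullptr;
};

// Shared ownership, the approach of the attached patch (QSharedPointer there,
// std::shared_ptr here): the handler dropping its reference cannot free the
// object while paint() still holds one.
class SharedHandler {
public:
    std::shared_ptr<AnimationState> animationState() {
        if (!state_) return state_ = std::make_shared<AnimationState>();
        auto s = state_;       // second owner: outlives the reset below
        s->backward = true;
        runAnimations();
        return s;              // stays valid until the caller drops it
    }
    bool alive() const { return state_ != nullptr; }
private:
    void runAnimations() {
        if (state_ && state_->backward && state_->progress >= 100)
            state_.reset();    // handler lets go; paint() may still hold it
    }
    std::shared_ptr<AnimationState> state_;
};
```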
Comment 3 Nate Graham 2018-04-24 21:20:48 UTC
Thanks for the patch, Paul! Sorry it took so long for anyone to notice it...

If the issue is still present in KDE Frameworks 5, would you mind submitting your patch via Phabricator? http://phabricator.kde.org/

Here's the documentation: https://community.kde.org/Infrastructure/Phabricator

Thanks!
Comment 4 Andrew Crouthamel 2018-09-28 03:26:52 UTC
Dear Bug Submitter,

This bug has been in NEEDSINFO status with no change for at least 15 days. Please provide the requested information as soon as possible and set the bug status as REPORTED. Due to regular bug tracker maintenance, if the bug is still in NEEDSINFO status with no change in 30 days, the bug will be closed as RESOLVED > WORKSFORME due to lack of needed information.

For more information about our bug triaging procedures please read the wiki located here: https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging

If you have already provided the requested information, please set the bug status as REPORTED so that the KDE team knows that the bug is ready to be confirmed.

Thank you for helping us make KDE software even better for everyone!
Comment 5 Andrew Crouthamel 2018-10-29 02:08:51 UTC
Dear Bug Submitter,

This bug has been in NEEDSINFO status with no change for at least 30 days. The bug is now closed as RESOLVED > WORKSFORME due to lack of needed information.

For more information about our bug triaging procedures please read the wiki located here: https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging

Thank you for helping us make KDE software even better for everyone!