Bug 128663

Summary: kpager crash when you try to move windows
Product: [Applications] kpager Reporter: Pierre Habouzit <madcoder>
Component: generalAssignee: Antonio Larrosa <larrosa>
Status: RESOLVED FIXED    
Severity: crash CC: vfiend
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: Debian testing   
OS: Linux   
Latest Commit: Version Fixed In:

Description Pierre Habouzit 2006-06-05 10:08:22 UTC 
Version:            (using KDE KDE 3.5.3)
Installed from:    Debian testing/unstable Packages

from debian bug http://bugs.debian.org/370158
=============================================

that's fully reproducible:

[madcoder mad] kpager --nofork
*** glibc detected *** malloc(): memory corruption (fast): 0x00000000007109d0 ***
KCrash: Application 'kpager' crashing...


the kcrash backtrace isn't much useful IMHO:

Using host libthread_db library "/lib/libthread_db.so.1".
[Thread debugging using libthread_db enabled]
[New Thread 47181392035552 (LWP 2144)]
0x00002ae943091c02 in nanosleep () from /lib/libc.so.6
#0  0x00002ae943091c02 in nanosleep () from /lib/libc.so.6
#1  0x00002ae943091a54 in sleep () from /lib/libc.so.6
#2  0x00002ae94333dd0d in KCrash::startDrKonqi (argv=0x7fffff962740, argc=17)
    at kcrash.cpp:311
#3  0x00002ae943363adc in KCrash::defaultCrashHandler (sig=-6936544)
    at kcrash.cpp:228
#4  0x00002ae94302de90 in killpg () from /lib/libc.so.6
#5  0x0000000000000000 in ?? ()


But in GDB I get:
[madcoder mad] gdb =kpager
GNU gdb 6.4-debian
Copyright 2005 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu"...Using host libthread_db library "/lib/libthread_db.so.1".

(gdb) run --nofork
Starting program: /usr/bin/kpager --nofork
[Thread debugging using libthread_db enabled]
[New Thread 47623014928096 (LWP 2246)]
Qt: gdb: -nograb added to command-line options.
         Use the -dograb option to enforce grabbing.
*** glibc detected *** double free or corruption (fasttop): 0x0000000000710b20 ***

Program received signal SIGABRT, Aborted.
[Switching to Thread 47623014928096 (LWP 2246)]
0x00002b5015c96de0 in raise () from /lib/libc.so.6
(gdb) bt
#0  0x00002b5015c96de0 in raise () from /lib/libc.so.6
#1  0x00002b5015c98290 in abort () from /lib/libc.so.6
#2  0x00002b5015ccd01e in __fsetlocking () from /lib/libc.so.6
#3  0x00002b5015cd2d7b in malloc_usable_size () from /lib/libc.so.6
#4  0x00002b5015cd305e in free () from /lib/libc.so.6
#5  0x00002b5016aa2fa9 in ~QStringData (this=0x53e170) at qstring.h:364
#6  0x00002b5016a9770a in QStringData::deleteSelf (this=0x53e170) at tools/qstring.cpp:1558
#7  0x0000000000417566 in PagerWindowDrag (this=0x6db4d0, w=41943047, deltax=19, deltay=<value optimized out>, origdesk=1, parent=<value optimized out>) at qstring.h:848
#8  0x000000000041763a in Desktop::startDrag (this=0x6b4c10, p=<value optimized out>) at desktop.cpp:312
#9  0x000000000041784d in Desktop::mouseMoveEvent (this=0x6b4c10, ev=<value optimized out>) at desktop.cpp:85
#10 0x00002b50167d326e in QWidget::event (this=0x6b4c10, e=0x7fffffa92f70) at kernel/qwidget.cpp:4683
#11 0x00002b5016734c0c in QApplication::internalNotify (this=0x5309a0, receiver=0x6b4c10, e=0x7fffffa92f70) at kernel/qapplication.cpp:2635
#12 0x00002b5016735255 in QApplication::notify (this=0x5309a0, receiver=0x6b4c10, e=0x7fffffa92f70) at kernel/qapplication.cpp:2421
#13 0x00002b5016062f1e in KApplication::notify (this=0x5309a0, receiver=0x6b4c10, event=0x7fffffa92f70) at kapplication.cpp:550
#14 0x00002b50166c63d8 in QApplication::sendSpontaneousEvent (receiver=0x6b4c10, event=0x7fffffa92f70) at qapplication.h:523
#15 0x00002b50166c1ba8 in QETWidget::translateMouseEvent (this=0x6b4c10, event=0x7fffffa93510) at kernel/qapplication_x11.cpp:4301
#16 0x00002b50166bffcb in QApplication::x11ProcessEvent (this=0x5309a0, event=0x7fffffa93510) at kernel/qapplication_x11.cpp:3478
#17 0x00002b50166d8e7b in QEventLoop::processEvents (this=0x639350, flags=4) at kernel/qeventloop_x11.cpp:192
#18 0x00002b501674caa2 in QEventLoop::enterLoop (this=0x639350) at kernel/qeventloop.cpp:198
#19 0x00002b501674c9ab in QEventLoop::exec (this=0x639350) at kernel/qeventloop.cpp:145
#20 0x00002b5016733878 in QApplication::exec (this=0x5309a0) at kernel/qapplication.cpp:2758
#21 0x0000000000417a60 in main (argc=<value optimized out>, argv=<value optimized out>) at main.cpp:102
#22 0x00002b5015c834ca in __libc_start_main () from /lib/libc.so.6
#23 0x000000000040f76a in _start () at ../sysdeps/x86_64/elf/start.S:113
(gdb)
Comment 1 Christopher Martin 2006-06-05 21:00:14 UTC 
SVN commit 548508 by chrsmrtn:

Fix double-free in kpager.

This was caused by a fix to an apparent memory leak. It appears
that QByteArray does free up the memory it is assigned. Then when
'tmp' goes out of scope, the memory is freed again, hence the crash.

I doubt that there was a problem to begin with - at least in the
3.5 branch. A similar fix was checked into HEAD, but QByteArray
behaves differently in Qt4, so perhaps things are now correct there;
I'm not equipped to test that situation.

BUG: 128663


 M  +4 -4      windowdrag.cpp  


--- branches/KDE/3.5/kdebase/kpager/windowdrag.cpp #548507:548508
@@ -28,10 +28,10 @@
 PagerWindowDrag::PagerWindowDrag(WId w,int deltax,int deltay, int origdesk,QWidget *parent)
     : QStoredDrag("application/x-kpager",parent,"windowdrag")
 {
-    QString tmp;
-    tmp.sprintf("%d %d %d %d", static_cast<int>(w), deltax, deltay, origdesk);
-    QByteArray data(tmp.length()+1);
-    data.assign(tmp.latin1(),tmp.length()+1);
+    QString *tmp = new QString();
+    tmp->sprintf("%d %d %d %d", static_cast<int>(w), deltax, deltay, origdesk);
+    QByteArray data(tmp->length()+1);
+    data.assign(tmp->latin1(),tmp->length()+1);
 
     setEncodedData(data);
 }
Comment 2 Andreas Kling 2006-07-16 15:28:51 UTC 
*** Bug 128805 has been marked as a duplicate of this bug. ***