Bug 132509

Summary:	kmail crash when removing a line in the editor
Product:	[Unmaintained] kdelibs	Reporter:	Olivier Goffart <ogoffart>
Component:	qt	Assignee:	kdelibs bugs <kdelibs-bugs-null>
Status:	RESOLVED FIXED
Severity:	crash	CC:	info
Priority:	NOR
Version First Reported In:	unspecified
Target Milestone:	---
Platform:	unspecified
OS:	Linux
Latest Commit:		Version Fixed In:
Sentry Crash Report:
Attachments:	Qt-only test case

Description Olivier Goffart 2006-08-16 18:37:09 UTC

Version:           1.9.4 (using KDE 3.5.4, Frugalware Linux)
Compiler:          Target: i686-pc-linux-gnu
OS:                Linux (i686) release 2.6.13.3

When I'm editing a mail, if i remove a line, it crash.
This is prefectly reproducible here.

Valgrind trace:





vex x86->IR: unhandled instruction bytes: 0xD5 0x35 0x29 0xC9
==15752==
==15752== Invalid read of size 1
==15752==    at 0x4A154D3: QTextParagraph::join(QTextParagraph*) (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x4B1997C: QTextEdit::removeSelectedText(int) (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x4B19EC4: QTextEdit::doKeyboardAction(QTextEdit::KeyboardAction) (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x4B12497: QTextEdit::keyPressEvent(QKeyEvent*) (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x5DDD9CF: KEdit::keyPressEvent(QKeyEvent*) (in /usr/lib/libkdeui.so.4.2.0)
==15752==    by 0x4248A9D: KMEdit::keyPressEvent(QKeyEvent*) (in /usr/lib/libkmailprivate.so)
==15752==    by 0x49E9AF6: QWidget::event(QEvent*) (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x4B044A7: QTextEdit::event(QEvent*) (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x49540A6: QApplication::internalNotify(QObject*, QEvent*) (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x49553B6: QApplication::notify(QObject*, QEvent*) (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x469118D: KApplication::notify(QObject*, QEvent*) (in /usr/lib/libkdecore.so.4.2.0)
==15752==    by 0x48F28C2: QETWidget::translateKeyEvent(_XEvent const*, bool) (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==  Address 0xC3757D31 is not stack'd, malloc'd or (recently) free'd
*** KMail got signal 11 (Crashing)
==15752==
==15752== Conditional jump or move depends on uninitialised value(s)
==15752==    at 0x4A2CCC2: QMap<int, QTextLineStart*>::clear() (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x49FCD9D: QTextParagraph::format(int, bool) (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x4A11D09: QTextDocument::draw(QPainter*, int, int, int, int, QColorGroup const&, bool, bool, QTextCursor*, bool) (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x4B04BE6: QTextEdit::paintDocument(bool, QPainter*, int, int, int, int) (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x4B13166: QTextEdit::drawContents(QPainter*, int, int, int, int) (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x4AC0652: QScrollView::drawContentsOffset(QPainter*, int, int, int, int, int, int) (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x4AC2184: QScrollView::viewportPaintEvent(QPaintEvent*) (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x5D48F95: KEdit::viewportPaintEvent(QPaintEvent*) (in /usr/lib/libkdeui.so.4.2.0)
==15752==    by 0x4AC3B4E: QScrollView::eventFilter(QObject*, QEvent*) (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x4B17916: QTextEdit::eventFilter(QObject*, QEvent*) (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x42D1039: KMEdit::eventFilter(QObject*, QEvent*) (in /usr/lib/libkmailprivate.so)
==15752==    by 0x49B1CC5: QObject::activate_filters(QEvent*) (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==
==15752== Invalid read of size 4
==15752==    at 0x4A2BF2A: QMapPrivate<int, QTextLineStart*>::clear() (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x4A2CCF7: QMap<int, QTextLineStart*>::clear() (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x49FCD9D: QTextParagraph::format(int, bool) (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x4A11D09: QTextDocument::draw(QPainter*, int, int, int, int, QColorGroup const&, bool, bool, QTextCursor*, bool) (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x4B04BE6: QTextEdit::paintDocument(bool, QPainter*, int, int, int, int) (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x4B13166: QTextEdit::drawContents(QPainter*, int, int, int, int) (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x4AC0652: QScrollView::drawContentsOffset(QPainter*, int, int, int, int, int, int) (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x4AC2184: QScrollView::viewportPaintEvent(QPaintEvent*) (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x5D48F95: KEdit::viewportPaintEvent(QPaintEvent*) (in /usr/lib/libkdeui.so.4.2.0)
==15752==    by 0x4AC3B4E: QScrollView::eventFilter(QObject*, QEvent*) (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x4B17916: QTextEdit::eventFilter(QObject*, QEvent*) (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x42D1039: KMEdit::eventFilter(QObject*, QEvent*) (in /usr/lib/libkmailprivate.so)
==15752==  Address 0xA8E7188 is 0 bytes after a block of size 24 alloc'd
==15752==    at 0x4021B19: operator new(unsigned) (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==15752==    by 0x4A2CBA2: QMapPrivate<int, QTextLineStart*>::QMapPrivate() (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x4A2CCDB: QMap<int, QTextLineStart*>::clear() (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x49FCD9D: QTextParagraph::format(int, bool) (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x4B04255: QTextEdit::formatMore() (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x4B19DE9: QTextEdit::doKeyboardAction(QTextEdit::KeyboardAction) (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x4B1267A: QTextEdit::keyPressEvent(QKeyEvent*) (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x5DDD9CF: KEdit::keyPressEvent(QKeyEvent*) (in /usr/lib/libkdeui.so.4.2.0)
==15752==    by 0x4248C88: KMEdit::keyPressEvent(QKeyEvent*) (in /usr/lib/libkmailprivate.so)
==15752==    by 0x49E9AF6: QWidget::event(QEvent*) (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x4B044A7: QTextEdit::event(QEvent*) (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x49540A6: QApplication::internalNotify(QObject*, QEvent*) (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==
==15752== Invalid read of size 4
==15752==    at 0x4A2BF2D: QMapPrivate<int, QTextLineStart*>::clear() (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x4A2CCF7: QMap<int, QTextLineStart*>::clear() (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x49FCD9D: QTextParagraph::format(int, bool) (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x4A11D09: QTextDocument::draw(QPainter*, int, int, int, int, QColorGroup const&, bool, bool, QTextCursor*, bool) (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x4B04BE6: QTextEdit::paintDocument(bool, QPainter*, int, int, int, int) (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x4B13166: QTextEdit::drawContents(QPainter*, int, int, int, int) (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x4AC0652: QScrollView::drawContentsOffset(QPainter*, int, int, int, int, int, int) (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x4AC2184: QScrollView::viewportPaintEvent(QPaintEvent*) (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x5D48F95: KEdit::viewportPaintEvent(QPaintEvent*) (in /usr/lib/libkdeui.so.4.2.0)
==15752==    by 0x4AC3B4E: QScrollView::eventFilter(QObject*, QEvent*) (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x4B17916: QTextEdit::eventFilter(QObject*, QEvent*) (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x42D1039: KMEdit::eventFilter(QObject*, QEvent*) (in /usr/lib/libkmailprivate.so)
==15752==  Address 0x8 is not stack'd, malloc'd or (recently) free'd
==15752==
==15752== Process terminating with default action of signal 11 (SIGSEGV)
==15752==  Access not within mapped region at address 0x8
==15752==    at 0x4A2BF2D: QMapPrivate<int, QTextLineStart*>::clear() (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x4A2CCF7: QMap<int, QTextLineStart*>::clear() (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x49FCD9D: QTextParagraph::format(int, bool) (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x4A11D09: QTextDocument::draw(QPainter*, int, int, int, int, QColorGroup const&, bool, bool, QTextCursor*, bool) (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x4B04BE6: QTextEdit::paintDocument(bool, QPainter*, int, int, int, int) (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x4B13166: QTextEdit::drawContents(QPainter*, int, int, int, int) (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x4AC0652: QScrollView::drawContentsOffset(QPainter*, int, int, int, int, int, int) (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x4AC2184: QScrollView::viewportPaintEvent(QPaintEvent*) (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x5D48F95: KEdit::viewportPaintEvent(QPaintEvent*) (in /usr/lib/libkdeui.so.4.2.0)
==15752==    by 0x4AC3B4E: QScrollView::eventFilter(QObject*, QEvent*) (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x4B17916: QTextEdit::eventFilter(QObject*, QEvent*) (in /usr/lib/qt/lib/libqt-mt.so.3.3.6)
==15752==    by 0x42D1039: KMEdit::eventFilter(QObject*, QEvent*) (in /usr/lib/libkmailprivate.so)
==15752==
==15752== ERROR SUMMARY: 100 errors from 30 contexts (suppressed: 205 from 1)
==15752== malloc/free: in use at exit: 3,704,161 bytes in 126,084 blocks.
==15752== malloc/free: 829,570 allocs, 703,486 frees, 30,675,943 bytes allocated.
==15752== For counts of detected errors, rerun with: -v
==15752== searching for pointers to 126,084 not-freed blocks.
==15752== checked 30,360,688 bytes.
==15752==
==15752== LEAK SUMMARY:
==15752==    definitely lost: 5,988 bytes in 115 blocks.
==15752==      possibly lost: 600 bytes in 6 blocks.
==15752==    still reachable: 3,697,573 bytes in 125,963 blocks.
==15752==         suppressed: 0 bytes in 0 blocks.
==15752== Use --leak-check=full to see details of leaked memory.
Killed
kde@l18:/home/olivier$

Comment 1 Andreas Kling 2006-08-16 21:21:04 UTC

This happens because QTextParagraph::join() deletes the paragraph it joins with while that paragraph is still referenced by QTextDocuments and QTextCursors all over the place. It is a Qt bug, and I have no idea what to do about it.

Comment 2 Ingo Klöcker 2006-08-17 00:04:27 UTC

If this problem can be reproduced with Qt's QTextEdit example then report it to qt-bugs@trolltech.com. Otherwise, it's probably us doing things in KMEdit or KEdit we shouldn't do.

Comment 3 Andreas Kling 2006-08-17 00:15:58 UTC

Easily reproduced in Qt3's examples/textedit/

==369== Invalid read of size 1
==369==    at 0x4FDA372: QTextParagraph::document() const (qrichtext_p.h:1190)
==369==    by 0x4FEB2A2: QTextCursor::gotoPosition(QTextParagraph*, int) (qrichtext_p.cpp:144)
==369==    by 0x4FE4CB9: QTextCursor::setParagraph(QTextParagraph*) (qrichtext_p.h:324)
==369==    by 0x4FD917A: QTextDeleteCommand::unexecute(QTextCursor*) (qrichtext.cpp:246)
==369==    by 0x4FA4944: QTextCommandHistory::undo(QTextCursor*) (qrichtext.cpp:147)
==369==    by 0x4FA49F7: QTextDocument::undo(QTextCursor*) (qrichtext.cpp:2999)
==369==    by 0x51069B9: QTextEdit::undo() (qtextedit.cpp:3200)
==369==    by 0x510C9BC: QTextEdit::keyPressEvent(QKeyEvent*) (qtextedit.cpp:1520)
==369==    by 0x4F8A1AD: QWidget::event(QEvent*) (qwidget.cpp:4723)
==369==    by 0x5103C89: QTextEdit::event(QEvent*) (qtextedit.cpp:1205)
==369==    by 0x4ED7BA1: QApplication::internalNotify(QObject*, QEvent*) (qapplication.cpp:2635)
==369==    by 0x4ED9CAE: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:2392)
==369==  Address 0x75C2541 is 49 bytes inside a block of size 152 free'd
==369==    at 0x4A21FE9: operator delete(void*) (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==369==    by 0x4FCB01C: QTextParagraph::join(QTextParagraph*) (qrichtext.cpp:4233)
==369==    by 0x4FCB597: QTextDocument::removeSelectedText(int, QTextCursor*) (qrichtext.cpp:2965)
==369==    by 0x4FCB7E6: QTextDeleteCommand::execute(QTextCursor*) (qrichtext.cpp:228)
==369==    by 0x4FA4807: QTextCommandHistory::redo(QTextCursor*) (qrichtext.cpp:159)
==369==    by 0x4FA48FD: QTextDocument::redo(QTextCursor*) (qrichtext.cpp:3004)
==369==    by 0x51067C7: QTextEdit::redo() (qtextedit.cpp:3251)
==369==    by 0x510C99E: QTextEdit::keyPressEvent(QKeyEvent*) (qtextedit.cpp:1518)
==369==    by 0x4F8A1AD: QWidget::event(QEvent*) (qwidget.cpp:4723)
==369==    by 0x5103C89: QTextEdit::event(QEvent*) (qtextedit.cpp:1205)
==369==    by 0x4ED7BA1: QApplication::internalNotify(QObject*, QEvent*) (qapplication.cpp:2635)
==369==    by 0x4ED9CAE: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:2392)
==369==
==369== Invalid read of size 8
==369==    at 0x4FDA381: QTextParagraph::document() const (qrichtext_p.h:1190)
==369==    by 0x4FEB2A2: QTextCursor::gotoPosition(QTextParagraph*, int) (qrichtext_p.cpp:144)
==369==    by 0x4FE4CB9: QTextCursor::setParagraph(QTextParagraph*) (qrichtext_p.h:324)
==369==    by 0x4FD917A: QTextDeleteCommand::unexecute(QTextCursor*) (qrichtext.cpp:246)
==369==    by 0x4FA4944: QTextCommandHistory::undo(QTextCursor*) (qrichtext.cpp:147)
==369==    by 0x4FA49F7: QTextDocument::undo(QTextCursor*) (qrichtext.cpp:2999)
==369==    by 0x51069B9: QTextEdit::undo() (qtextedit.cpp:3200)
==369==    by 0x510C9BC: QTextEdit::keyPressEvent(QKeyEvent*) (qtextedit.cpp:1520)
==369==    by 0x4F8A1AD: QWidget::event(QEvent*) (qwidget.cpp:4723)
==369==    by 0x5103C89: QTextEdit::event(QEvent*) (qtextedit.cpp:1205)
==369==    by 0x4ED7BA1: QApplication::internalNotify(QObject*, QEvent*) (qapplication.cpp:2635)
==369==    by 0x4ED9CAE: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:2392)
==369==  Address 0x75C2538 is 40 bytes inside a block of size 152 free'd
==369==    at 0x4A21FE9: operator delete(void*) (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==369==    by 0x4FCB01C: QTextParagraph::join(QTextParagraph*) (qrichtext.cpp:4233)
==369==    by 0x4FCB597: QTextDocument::removeSelectedText(int, QTextCursor*) (qrichtext.cpp:2965)
==369==    by 0x4FCB7E6: QTextDeleteCommand::execute(QTextCursor*) (qrichtext.cpp:228)
==369==    by 0x4FA4807: QTextCommandHistory::redo(QTextCursor*) (qrichtext.cpp:159)
==369==    by 0x4FA48FD: QTextDocument::redo(QTextCursor*) (qrichtext.cpp:3004)
==369==    by 0x51067C7: QTextEdit::redo() (qtextedit.cpp:3251)
==369==    by 0x510C99E: QTextEdit::keyPressEvent(QKeyEvent*) (qtextedit.cpp:1518)
==369==    by 0x4F8A1AD: QWidget::event(QEvent*) (qwidget.cpp:4723)
==369==    by 0x5103C89: QTextEdit::event(QEvent*) (qtextedit.cpp:1205)
==369==    by 0x4ED7BA1: QApplication::internalNotify(QObject*, QEvent*) (qapplication.cpp:2635)
==369==    by 0x4ED9CAE: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:2392)

Comment 4 Ingo Klöcker 2006-08-17 00:40:34 UTC

Great. Then please send a bug report to the trolls. I'll reassign the bug.

Comment 5 Andreas Kling 2006-08-28 15:04:42 UTC

Reported to Trolltech, TT ID 127520.

Comment 6 Olivier Goffart 2006-08-28 15:20:19 UTC

Note that I can't reproduce the problem anymore. 
It's misteriously gone, and I did not do something special.

Comment 7 Andreas Kling 2006-08-28 15:30:41 UTC

Created attachment 17529 [details]
Qt-only test case

A small Qt-only test application to demonstrate the crash.

Comment 8 Olivier Goffart 2008-01-17 17:01:53 UTC

The Qt bug is fixed and i have not been able to reprocude for age anyway...