Bug 196695

The crashing line is 
"
if (d->m_fileMode == KFileItem::Unknown) { 
"
The d pointer may be invalid due to memory corruption.
Adding David to the CC. 

Thanks

Bug 209251 is about Plasma crashing when moving a dir from Desktop to another partition. It has an updated backtrace:

Thread 1 (Thread 0x7f8235617750 (LWP 1971)):
[KCrash Handler]
#5  0x00007f823403d183 in KFileItem::isDir (this=0x18722e0) at
/var/tmp/portage/kde-base/kdelibs-4.3.1/work/kdelibs-4.3.1/kio/kio/kfileitem.cpp:969
#6  0x00007f823402ae18 in KDirModelPrivate::removeFromNodeHash (this=0x2110430,
node=0x18722e0, url=@0x7fffd28eab10)
    at
/var/tmp/portage/kde-base/kdelibs-4.3.1/work/kdelibs-4.3.1/kio/kio/kdirmodel.cpp:200
#7  0x00007f823402bd29 in KDirModelPrivate::_k_slotDeleteItems (this=0x2110430,
items=<value optimized out>) at
/var/tmp/portage/kde-base/kdelibs-4.3.1/work/kdelibs-4.3.1/kio/kio/kdirmodel.cpp:487

Thanks

*** Bug 209251 has been marked as a duplicate of this bug. ***

*** Bug 209465 has been marked as a duplicate of this bug. ***

*** Bug 210831 has been marked as a duplicate of this bug. ***

From bug 212255:
What I was doing when the application crashed:
1. split windows ledt and right, with terminal emulator enabled on the bottom.
2. move a foler form desktop to another folder where another disk is mounted on
3. crashed during the moving process, about half number of files have been
moved.

*** Bug 212255 has been marked as a duplicate of this bug. ***

*** Bug 213851 has been marked as a duplicate of this bug. ***

From bug 217482:
---
What I was doing when the application crashed:
dolphin crashed after entering non existing folder - dolphin did not refresh
after move

*** Bug 217482 has been marked as a duplicate of this bug. ***

From bug 217498:
---
using ripit to rip an audio CD while quitting amarok

*** Bug 217498 has been marked as a duplicate of this bug. ***

*** Bug 217824 has been marked as a duplicate of this bug. ***

*** Bug 218839 has been marked as a duplicate of this bug. ***

From bug 218839:
---
What I was doing when the application crashed:
My pc was copying a large folder (4 Gb or so) on an external HDD when, almost
at the end of the process, it went in stand-by. When I woke it up, the
application crashed.

*** Bug 219624 has been marked as a duplicate of this bug. ***

*** Bug 220971 has been marked as a duplicate of this bug. ***

*** Bug 217045 has been marked as a duplicate of this bug. ***

*** Bug 220983 has been marked as a duplicate of this bug. ***

*** Bug 223070 has been marked as a duplicate of this bug. ***

*** Bug 223186 has been marked as a duplicate of this bug. ***

From bug 223681:
-- What I was doing when the application crashed:
I tried to rename a directory in my desktop and Plasma Workspace crashed. The
directory was renamed correctly, though.

*** Bug 223681 has been marked as a duplicate of this bug. ***

*** Bug 224009 has been marked as a duplicate of this bug. ***

From bug 224858:
...used a split view in dolphin, moved a full directory from a memory card to my hard disk and switched to the dolphin tab which showed the (old) content of the moved directory. Clicking at an icon crashed it.

*** Bug 224858 has been marked as a duplicate of this bug. ***

*** Bug 225100 has been marked as a duplicate of this bug. ***

*** Bug 226338 has been marked as a duplicate of this bug. ***

*** Bug 227848 has been marked as a duplicate of this bug. ***

*** Bug 232421 has been marked as a duplicate of this bug. ***

*** Bug 232710 has been marked as a duplicate of this bug. ***

From bug 233919:
What I was doing when the application crashed:
Gwenview crashes when you move the folder an open image was in.
1: Open image with gwenview
2: Move folder that image was inside somewhere else
3: Boom (segfault) see attached

*** Bug 233919 has been marked as a duplicate of this bug. ***

*** Bug 239929 has been marked as a duplicate of this bug. ***

*** Bug 242155 has been marked as a duplicate of this bug. ***

*** Bug 252261 has been marked as a duplicate of this bug. ***

[Comment from a bug triager]
Updated backtrace (KDE SC 4.5.1) from bug 224009 comment 4:

[KCrash Handler]
#7  0x00fa2d08 in KFileItem::isDir (this=0x8e29fc8) at ../../kio/kio/kfileitem.cpp:1000
#8  0x00f9c9c2 in KDirModelPrivate::removeFromNodeHash (this=0x8e3a328, node=0x8e29fc8, url=...) at ../../kio/kio/kdirmodel.cpp:204
#9  0x00f9d910 in KDirModelPrivate::_k_slotDeleteItems (this=0x8e3a328, items=...) at ../../kio/kio/kdirmodel.cpp:494
#10 0x00f9e008 in KDirModel::qt_metacall (this=0x8e580c8, _c=QMetaObject::InvokeMetaMethod, _id=27, _a=0xbfa40a28) at ./kdirmodel.moc:91
#11 0x00abd1ea in DolphinModel::qt_metacall (this=0x8e580c8, _c=QMetaObject::InvokeMetaMethod, _id=27, _a=0xbfa40a28) at moc_dolphinmodel.cpp:68
#12 0x075fa8ca in QMetaObject::metacall (object=0x8e580c8, cl=3215198344, idx=27, argv=0xbfa40a28) at kernel/qmetaobject.cpp:237
#13 0x0760d6ad in QMetaObject::activate (sender=0x8e01dc0, m=0x1112b9c, local_signal_index=13, argv=0x0) at kernel/qobject.cpp:3280
#14 0x00f7d1c3 in KDirLister::itemsDeleted (this=0x8e01dc0, _t1=...) at ./kdirlister.moc:295
#15 0x00f7e049 in KDirLister::Private::emitItemsDeleted (this=0x8da34b8, _items=...) at ../../kio/kio/kdirlister.cpp:2417
#16 0x00f89e46 in KDirListerCache::itemsDeleted (this=0x8d958d8, listers=..., deletedItems=...) at ../../kio/kio/kdirlister.cpp:1765
#17 0x00f8b952 in KDirListerCache::slotFilesRemoved (this=0x8d958d8, fileList=...) at ../../kio/kio/kdirlister.cpp:833
#18 0x00f8bda8 in KDirListerCache::slotFilesRemoved (this=0x8d958d8, fileList=...) at ../../kio/kio/kdirlister.cpp:788
#19 0x00f92b05 in KDirListerCache::qt_metacall (this=0x8d958d8, _c=QMetaObject::InvokeMetaMethod, _id=5, _a=0xbfa40d68) at ./kdirlister_p.moc:98
#20 0x075fa8ca in QMetaObject::metacall (object=0x8d958d8, cl=3215198344, idx=5, argv=0xbfa40d68) at kernel/qmetaobject.cpp:237
#21 0x0760d6ad in QMetaObject::activate (sender=0x8e13c78, m=0x1112df4, local_signal_index=4, argv=0x0) at kernel/qobject.cpp:3280
#22 0x00f9ebb3 in OrgKdeKDirNotifyInterface::FilesRemoved (this=0x8e13c78, _t1=...) at ./kdirnotify.moc:131
#23 0x00f9edb5 in OrgKdeKDirNotifyInterface::qt_metacall (this=0x8e13c78, _c=QMetaObject::InvokeMetaMethod, _id=9, _a=0xbfa40ecc) at ./kdirnotify.moc:89
#24 0x00ce09dc in QDBusConnectionPrivate::deliverCall (this=0x8c7b4e8, object=0x8e13c78, msg=..., metaTypes=..., slotIdx=9) at qdbusintegrator.cpp:919
#25 0x00cec1f7 in QDBusCallDeliveryEvent::placeMetaCall (this=0xb2f3bba0, object=0x8e13c78) at qdbusintegrator_p.h:103
#26 0x076076a2 in QObject::event (this=0x8e13c78, e=0x1) at kernel/qobject.cpp:1219
#27 0x0557afdc in QApplicationPrivate::notify_helper (this=0x8c89920, receiver=0x8e13c78, e=0xb2f3bba0) at kernel/qapplication.cpp:4396
#28 0x0558104e in QApplication::notify (this=0xbfa417a0, receiver=0x8e13c78, e=0xb2f3bba0) at kernel/qapplication.cpp:3798
#29 0x0405168a in KApplication::notify (this=0xbfa417a0, receiver=0x8e13c78, event=0xb2f3bba0) at ../../kdeui/kernel/kapplication.cpp:310
#30 0x075f4b3b in QCoreApplication::notifyInternal (this=0xbfa417a0, receiver=0x8e13c78, event=0xb2f3bba0) at kernel/qcoreapplication.cpp:732
#31 0x075f7d8b in sendEvent (receiver=0x0, event_type=0, data=0x8c64e98) at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:215
#32 QCoreApplicationPrivate::sendPostedEvents (receiver=0x0, event_type=0, data=0x8c64e98) at kernel/qcoreapplication.cpp:1373
#33 0x075f7f4d in QCoreApplication::sendPostedEvents (receiver=0x0, event_type=0) at kernel/qcoreapplication.cpp:1266
#34 0x07623a74 in sendPostedEvents (s=0x8c86590) at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:220
#35 postEventSourceDispatch (s=0x8c86590) at kernel/qeventdispatcher_glib.cpp:277
#36 0x01507855 in g_main_context_dispatch () from /lib/libglib-2.0.so.0
#37 0x0150b668 in ?? () from /lib/libglib-2.0.so.0
#38 0x0150b848 in g_main_context_iteration () from /lib/libglib-2.0.so.0
#39 0x07623565 in QEventDispatcherGlib::processEvents (this=0x8c64b58, flags=...) at kernel/qeventdispatcher_glib.cpp:415
#40 0x0563cbe5 in QGuiEventDispatcherGlib::processEvents (this=0x8c64b58, flags=...) at kernel/qguieventdispatcher_glib.cpp:204
#41 0x075f3609 in QEventLoop::processEvents (this=0xbfa416f4, flags=) at kernel/qeventloop.cpp:149
#42 0x075f3a8a in QEventLoop::exec (this=0xbfa416f4, flags=...) at kernel/qeventloop.cpp:201
#43 0x075f800f in QCoreApplication::exec () at kernel/qcoreapplication.cpp:1009
#44 0x05579e07 in QApplication::exec () at kernel/qapplication.cpp:3672
#45 0x007f4dab in kdemain (argc=5, argv=0xbfa41994) at ../../../../apps/dolphin/src/main.cpp:98
#46 0x080485ab in main (argc=5, argv=0xbfa41994) at dolphin_dummy.cpp:3

*** Bug 261342 has been marked as a duplicate of this bug. ***

*** Bug 273957 has been marked as a duplicate of this bug. ***

Created attachment 60474 [details]
Suggested patch (including unit test)

I think I've found out what goes wrong: If the root item of a KDirModel is deleted, and it is the first item in the list that is passed to KDirModelPrivate::_k_slotDeleteItems(const KFileItemList& items), there is no crash because Peter added some protection against that in

https://projects.kde.org/projects/kde/kdelibs/repository/revisions/c8939409eed00420fb43ff22cfc6c9092e4da7e5

However, this protection is not effective if the root item is not the first one in the list. In that case, the root node is passed to removeFromNodeHash(...), which accesses to null KFileItem that belongs to the root node (to detect if it's a directory), and that leads to the crash.

I couldn't reproduce the crash in Dolphin or other apps so far, but my new unit test crashes with the same backtrace when using the unpatched KDirModel, so I'm quite confident that this is really the root cause of the crash which has been reported here. Moreover, I can't imagine any other way how that kind of backtrace could be generated.

Git commit 83538b4339a65c90764975f01a4b9bafbabd9595 by Frank Reininghaus.
Committed on 29/05/2011 at 15:41.
Pushed by freininghaus into branch 'master'.

Fix possible crash in KDirModel if the root item is deleted or moved

If the root item of the dir model is deleted, but it is not the first
item in the list that KDirModelPrivate::_k_slotDeleteItems(...) gets
from the dir lister, a crash may result because
KDirModelPrivate::removeFromNodeHash(...) calls isDir() for a null
KFileItem. This commit extends the protection agains this kind of crash
that has been introduced in c8939409eed00420fb43ff22cfc6c9092e4da7e5 for
the first item to the rest of the list.
CCBUG: 196695

M  +5    -0    kio/kio/kdirmodel.cpp     
M  +21   -0    kio/tests/kdirmodeltest.cpp     
M  +1    -0    kio/tests/kdirmodeltest.h     

http://commits.kde.org/kdelibs/83538b4339a65c90764975f01a4b9bafbabd9595

Git commit 8d885c97b483b21ee13b6bf9539a1cb7e529102a by Frank Reininghaus.
Committed on 29/05/2011 at 15:41.
Pushed by freininghaus into branch 'KDE/4.6'.

Fix possible crash in KDirModel if the root item is deleted or moved

If the root item of the dir model is deleted, but it is not the first
item in the list that KDirModelPrivate::_k_slotDeleteItems(...) gets
from the dir lister, a crash may result because
KDirModelPrivate::removeFromNodeHash(...) calls isDir() for a null
KFileItem. This commit extends the protection agains this kind of crash
that has been introduced in c8939409eed00420fb43ff22cfc6c9092e4da7e5 for
the first item to the rest of the list.
BUG: 196695
FIXED-IN: 4.6.4
(cherry picked from commit 83538b4339a65c90764975f01a4b9bafbabd9595)

M  +5    -0    kio/kio/kdirmodel.cpp     
M  +21   -0    kio/tests/kdirmodeltest.cpp     
M  +1    -0    kio/tests/kdirmodeltest.h     

http://commits.kde.org/kdelibs/8d885c97b483b21ee13b6bf9539a1cb7e529102a

*** Bug 291443 has been marked as a duplicate of this bug. ***