Bug 202293

Summary: XFree bug in Qt message processing
Product: [Unmaintained] kdelibs Reporter: Octavian Voicu <octavian.voicu>
Component: qtAssignee: kdelibs bugs <kdelibs-bugs>
Status: RESOLVED UPSTREAM    
Severity: crash CC: andresbajotierra, denis.dzyubenko, leonyd.b, rakuco
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: Unlisted Binaries   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:

Description Octavian Voicu 2009-08-02 14:40:35 UTC 
Application that crashed: konsole
Version of the application: 2.3
KDE Version: 4.2.98 (KDE 4.2.98 (KDE 4.3 RC3))
Qt Version: 4.5.0
Operating System: Linux 2.6.28-14-generic x86_64
Distribution: Ubuntu 9.04

What I was doing when the application crashed:
The crash occured while I was dragging a file from an Ark window, while alt+tabbing to search for where to drop it. I had the mouse button pressed when it crashed (still dragging).

 -- Backtrace:
Application: Konsole (konsole), signal: Aborted
[Current thread is 0 (LWP 4289)]

Thread 2 (Thread 0x7f77b2f7d950 (LWP 4290)):
#0  __lll_lock_wait_private () at ../nptl/sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:91
#1  0x00007f77b99f0025 in _L_lock_4783 () from /lib/libc.so.6
#2  0x00007f77b99ec26b in *__GI___libc_free (mem=0x7f77b9cdfa00) at malloc.c:3623
#3  0x00007f77b72c9b2a in g_source_unref_internal (source=0x1189000, context=0x1188540, have_lock=0) at /build/buildd/glib2.0-2.20.1/glib/gmain.c:1193
#4  0x00007f77bc608932 in ~QEventDispatcherGlib (this=0x11883e0) at kernel/qeventdispatcher_glib.cpp:285
#5  0x00007f77bc4f5a1c in QThreadPrivate::finish (arg=<value optimized out>) at thread/qthread_unix.cpp:213
#6  0x00007f77bc4f595a in QThreadPrivate::start (arg=0xe86d20) at /usr/include/pthread.h:533
#7  0x00007f77b85ac3ba in start_thread (arg=<value optimized out>) at pthread_create.c:297
#8  0x00007f77b9a57fcd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#9  0x0000000000000000 in ?? ()

Thread 1 (Thread 0x7f77beaf2750 (LWP 4289)):
[KCrash Handler]
#5  0x00007f77b99a4fb5 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#6  0x00007f77b99a6bc3 in *__GI_abort () at abort.c:88
#7  0x00007f77b99e4228 in __libc_message (do_abort=2, fmt=0x7f77b9aae488 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
#8  0x00007f77b99e9cb8 in malloc_printerr (action=2, str=0x7f77b9aaba86 "free(): invalid pointer", ptr=<value optimized out>) at malloc.c:5994
#9  0x00007f77b99ec276 in *__GI___libc_free (mem=0x7f77b9aa48a0) at malloc.c:3625
#10 0x00007f77baf08999 in XFree (data=0x10c1) at ../../src/XlibInt.c:3049
#11 0x00007f77bb84508d in QX11Data::xdndHandleEnter (this=<value optimized out>, xe=<value optimized out>) at kernel/qdnd_x11.cpp:826
#12 0x00007f77bb8256d3 in QApplication::x11ClientMessage (this=<value optimized out>, w=0x18e5b20, event=0x7fffc6b2fe60, passive_only=255) at kernel/qapplication_x11.cpp:3114
#13 0x00007f77bb838b66 in QApplication::x11ProcessEvent (this=0x7fffc6b30240, event=0x7fffc6b2fe60) at kernel/qapplication_x11.cpp:3675
#14 0x00007f77bb861464 in x11EventSourceDispatch (s=0xe81e20, callback=0, user_data=0x0) at kernel/qguieventdispatcher_glib.cpp:146
#15 0x00007f77b72ca20a in IA__g_main_context_dispatch (context=0xe81920) at /build/buildd/glib2.0-2.20.1/glib/gmain.c:1814
#16 0x00007f77b72cd8e0 in g_main_context_iterate (context=0xe81920, block=1, dispatch=1, self=<value optimized out>) at /build/buildd/glib2.0-2.20.1/glib/gmain.c:2448
#17 0x00007f77b72cda7c in IA__g_main_context_iteration (context=0xe81920, may_block=1) at /build/buildd/glib2.0-2.20.1/glib/gmain.c:2511
#18 0x00007f77bc607e6f in QEventDispatcherGlib::processEvents (this=0xe46f40, flags=<value optimized out>) at kernel/qeventdispatcher_glib.cpp:323
#19 0x00007f77bb860bef in QGuiEventDispatcherGlib::processEvents (this=0x10c1, flags=<value optimized out>) at kernel/qguieventdispatcher_glib.cpp:202
#20 0x00007f77bc5dd002 in QEventLoop::processEvents (this=<value optimized out>, flags={i = -961347248}) at kernel/qeventloop.cpp:149
#21 0x00007f77bc5dd3cd in QEventLoop::exec (this=0x7fffc6b30190, flags={i = -961347168}) at kernel/qeventloop.cpp:200
#22 0x00007f77bc5df694 in QCoreApplication::exec () at kernel/qcoreapplication.cpp:880
#23 0x00007f77be70d2f4 in kdemain () from /usr/lib/libkdeinit4_konsole.so
#24 0x00007f77b99905a6 in __libc_start_main (main=0x400870 <_start+240>, argc=7, ubp_av=0x7fffc6b30498, init=0x4008a0 <__libc_csu_init>, fini=<value optimized out>, rtld_fini=<value optimized out>, 
    stack_end=0x7fffc6b30488) at libc-start.c:220
#25 0x00000000004007a9 in _start ()

Reported using DrKonqi
Comment 1 Dario Andres 2009-08-02 18:20:39 UTC 
Are you using compositing / effects ? This could also be a Qt4 bug.
Thanks
Comment 2 Octavian Voicu 2009-08-03 00:28:07 UTC 
Yes, compositing/effects are on and I'm using the "cover switch" effect (if it's relevant -- I was alt+tabbing).

It looks like a Qt bug, there's no app function except main in the call stack. Also, I'm almost sure this crash happened for another app (I think it was Dolphin).
Comment 3 Octavian Voicu 2009-08-03 00:36:35 UTC 
Just got same crash in kdeinit4, see below.

Application: Plasma Workspace (kdeinit4), signal: Aborted
[Current thread is 0 (LWP 4100)]

Thread 3 (Thread 0x7f87f88d6950 (LWP 4103)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:261
#1  0x00007f8818ed6939 in QWaitCondition::wait (this=0x25c9480, mutex=0x25c9478, time=18446744073709551615) at thread/qwaitcondition_unix.cpp:87
#2  0x00007f8817d514cc in QHostInfoAgent::run (this=0x25c9460) at kernel/qhostinfo.cpp:260
#3  0x00007f8818ed5952 in QThreadPrivate::start (arg=0x25c9460) at thread/qthread_unix.cpp:189
#4  0x00007f8814d553ba in start_thread (arg=<value optimized out>) at pthread_create.c:297
#5  0x00007f8815939fcd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#6  0x0000000000000000 in ?? ()

Thread 2 (Thread 0x7f87edf01950 (LWP 4283)):
#0  __lll_lock_wait_private () at ../nptl/sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:91
#1  0x00007f88158d2025 in _L_lock_4783 () from /lib/libc.so.6
#2  0x00007f88158ce26b in *__GI___libc_free (mem=0x7f8815bc1a00) at malloc.c:3623
#3  0x00007f8814fa3b2a in g_source_unref_internal (source=0x3934a20, context=0x3910dd0, have_lock=0) at /build/buildd/glib2.0-2.20.1/glib/gmain.c:1193
#4  0x00007f8818fe8932 in ~QEventDispatcherGlib (this=0x392abc0) at kernel/qeventdispatcher_glib.cpp:285
#5  0x00007f8818ed5a1c in QThreadPrivate::finish (arg=<value optimized out>) at thread/qthread_unix.cpp:213
#6  0x00007f8818ed595a in QThreadPrivate::start (arg=0x1e15c40) at /usr/include/pthread.h:533
#7  0x00007f8814d553ba in start_thread (arg=<value optimized out>) at pthread_create.c:297
#8  0x00007f8815939fcd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#9  0x0000000000000000 in ?? ()

Thread 1 (Thread 0x7f8819497750 (LWP 4100)):
[KCrash Handler]
#5  0x00007f8815886fb5 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#6  0x00007f8815888bc3 in *__GI_abort () at abort.c:88
#7  0x00007f88158c6228 in __libc_message (do_abort=2, fmt=0x7f8815990488 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
#8  0x00007f88158cbcb8 in malloc_printerr (action=2, str=0x7f8815990570 "double free or corruption (out)", ptr=<value optimized out>) at malloc.c:5994
#9  0x00007f88158ce276 in *__GI___libc_free (mem=0x7f88159868a0) at malloc.c:3625
#10 0x00007f88184e8999 in XFree (data=0x1004) at ../../src/XlibInt.c:3049
#11 0x00007f88165c308d in QX11Data::xdndHandleEnter (this=<value optimized out>, xe=<value optimized out>) at kernel/qdnd_x11.cpp:826
#12 0x00007f88165a36d3 in QApplication::x11ClientMessage (this=<value optimized out>, w=0x2266060, event=0x7fff214d4d20, passive_only=255) at kernel/qapplication_x11.cpp:3114
#13 0x00007f88165b6b66 in QApplication::x11ProcessEvent (this=0x1e45cc0, event=0x7fff214d4d20) at kernel/qapplication_x11.cpp:3675
#14 0x00007f88165df464 in x11EventSourceDispatch (s=0x1e880a0, callback=0, user_data=0x0) at kernel/qguieventdispatcher_glib.cpp:146
#15 0x00007f8814fa420a in IA__g_main_context_dispatch (context=0x1e87120) at /build/buildd/glib2.0-2.20.1/glib/gmain.c:1814
#16 0x00007f8814fa78e0 in g_main_context_iterate (context=0x1e87120, block=1, dispatch=1, self=<value optimized out>) at /build/buildd/glib2.0-2.20.1/glib/gmain.c:2448
#17 0x00007f8814fa7a7c in IA__g_main_context_iteration (context=0x1e87120, may_block=1) at /build/buildd/glib2.0-2.20.1/glib/gmain.c:2511
#18 0x00007f8818fe7e6f in QEventDispatcherGlib::processEvents (this=0x1e84660, flags=<value optimized out>) at kernel/qeventdispatcher_glib.cpp:323
#19 0x00007f88165debef in QGuiEventDispatcherGlib::processEvents (this=0x1004, flags=<value optimized out>) at kernel/qguieventdispatcher_glib.cpp:202
#20 0x00007f8818fbd002 in QEventLoop::processEvents (this=<value optimized out>, flags={i = 558714896}) at kernel/qeventloop.cpp:149
#21 0x00007f8818fbd3cd in QEventLoop::exec (this=0x7fff214d5050, flags={i = 558714976}) at kernel/qeventloop.cpp:200
#22 0x00007f8818fbf694 in QCoreApplication::exec () at kernel/qcoreapplication.cpp:880
#23 0x00007f880ce8f6bb in kdemain (argc=1, argv=0x1e36540) at /build/buildd/kdebase-workspace-4.2.98/plasma/shells/desktop/main.cpp:50
#24 0x0000000000407215 in launch (argc=1, _name=0x1e38bc8 "/usr/bin/plasma-desktop", args=<value optimized out>, cwd=0x0, envc=0, envs=0x1e38be8 "", reset_env=false, tty=0x0, avoid_loops=false, 
    startup_id_str=0x40a3c9 "0") at /build/buildd/kde4libs-4.2.98a/kinit/kinit.cpp:676
#25 0x0000000000407a38 in handle_launcher_request (sock=7, who=<value optimized out>) at /build/buildd/kde4libs-4.2.98a/kinit/kinit.cpp:1168
#26 0x0000000000407fe5 in handle_requests (waitForPid=0) at /build/buildd/kde4libs-4.2.98a/kinit/kinit.cpp:1361
#27 0x0000000000408b26 in main (argc=2, argv=0x7fff214d5ef8, envp=0x7fff214d5f10) at /build/buildd/kde4libs-4.2.98a/kinit/kinit.cpp:1788
Comment 4 Octavian Voicu 2009-08-03 02:10:55 UTC 
I think I found the cause of the bug. Look in QX11Data::xdndHandleEnter. There is only one XFree call so it doesn't matter if the line numbers don't match:
http://qt.gitorious.org/qt/qt/blobs/5aed3db0a4084f470769ad4b965001f17b878c79/src/gui/kernel/qdnd_x11.cpp#line814

The bug could be triggered if the call to XGetWindowProperty fails. In that case retval would remain uninitialized, and although there is no SEGV (most likely the uninitialized value points to some valid memory), the call to XFree fails with a "double free or corruption (out)". There is a simple fix for this I guess: initialize retval to NULL before the call and make sure data is not accessed if it's NULL.

Should I report it on the Qt bug tracker?
Comment 5 Dario Andres 2009-08-03 02:32:12 UTC 
Yes, this should be reported upstream. Anyways, let's reassign to kdelibs/qt.
Thanks for your investigation
Comment 6 Raphael Kubo da Costa 2009-08-03 17:57:49 UTC 
Octavian, if you're sure the fix you've proposed is right, you can speed things up and send a patch do Qt yourself, now that its development model is open.
Comment 7 Octavian Voicu 2009-08-06 15:13:23 UTC 
FYI: http://qt.gitorious.org/qt/qt/merge_requests/1119
Comment 8 Dario Andres 2009-08-06 15:19:39 UTC 
Thanks ! (and it got merged already!)
Comment 9 Dario Andres 2010-04-05 14:42:54 UTC 
*** Bug 223319 has been marked as a duplicate of this bug. ***