Bug 245663

Summary: [TESTCASE] Crash after consuming all memory
Product: [Applications] kate Reporter: Valery Yundin <yu.valery+bugzilla>
Component: partAssignee: KWrite Developers <kwrite-bugs-null>
Status: RESOLVED FIXED    
Severity: crash CC: awen, bill, g2spot
Priority: VHI    
Version: unspecified   
Target Milestone: ---   
Platform: openSUSE   
OS: Linux   
Latest Commit: http://commits.kde.org/kate/5e5cf873b55e84a76d6425f96db0a8d4ee513507 Version Fixed In:
Sentry Crash Report:
Attachments: Crash testcase
Patch fixing the issue

Description Valery Yundin 2010-07-24 17:59:49 UTC 
Application: kate (3.4.4)
KDE Platform Version: 4.4.4 (KDE 4.4.4) "release 2"
Qt Version: 4.6.3
Operating System: Linux 2.6.34-12-pae i686
Distribution: "openSUSE 11.3 (i586)"

-- Information about the crash:
Problem handling documents which use syntax highlighter with "dynamic" contexts.

Steps:
- open file with big amount of dynamically highlighted parts
- scroll it down (to create all contexts)
- open some file of different type with rich highlighting (to trigger resetDynamicCtxs in doHighlight function)
- crash or runaway memory allocation

Additional info:
There is a threshold for number of active dynamic contexts equal to 512 which is rarely exceeded. Therefore the KateHlManager::resetDynamicCtxs is almost never called, because typical documents have less than 512 dynamic contexts.

But if you reach above this limit, this function is called and the result is total mess.

As a workaround I patched my katepart.so to increase KATE_MAX_DYNAMIC_CONTEXTS to current maximum 0x7FFF.

This is another possible source of problem in kate/syntax/katehighlight.h (and similar in katehighlight.cpp in makeDynamicContext function)
QMap< QPair<KateHlContext *, QString>, short> dynamicCtxs;
Note that map value is "short", but it is assigned from startctx++ which is "int" and may overflow.

The crash can be reproduced every time.

 -- Backtrace:
Application: Kate (kdeinit4), signal: Segmentation fault
[KCrash Handler]
#6  0xafc3a29a in KateHighlighting::dropDynamicContexts (this=0x8251af0) at /usr/src/debug/kdelibs-4.4.4/kate/syntax/katehighlight.cpp:233
#7  0xafc30940 in KateHlManager::resetDynamicCtxs (this=0x81ee1a8) at /usr/src/debug/kdelibs-4.4.4/kate/syntax/katesyntaxmanager.cpp:410
#8  0xafbe8ce7 in KateBuffer::doHighlight (this=0x828e348, startLine=2077, endLine=2141, invalidate=false) at /usr/src/debug/kdelibs-4.4.4/kate/document/katebuffer.cpp:1101
#9  0xafbea24a in KateBuffer::ensureHighlighted (this=0x828e348, line=2077) at /usr/src/debug/kdelibs-4.4.4/kate/document/katebuffer.cpp:847
#10 0xafbd3a4c in KateDocument::kateTextLine (this=0x8288a38, i=2077) at /usr/src/debug/kdelibs-4.4.4/kate/document/katedocument.cpp:5041
#11 0xafc135b1 in KateLineLayout::textLine (this=0x8d352e8, reloadForce=false) at /usr/src/debug/kdelibs-4.4.4/kate/render/katelinelayout.cpp:67
#12 0xafc08e0d in KateRenderer::layoutLine (this=0x8364010, lineLayout=..., maxwidth=-1, cacheLayout=true) at /usr/src/debug/kdelibs-4.4.4/kate/render/katerenderer.cpp:807
#13 0xafc0f1d1 in KateLayoutCache::line (this=0x82e8cb0, realLine=2077, virtualLine=2077) at /usr/src/debug/kdelibs-4.4.4/kate/render/katelayoutcache.cpp:312
#14 0xafc10d3f in KateLayoutCache::updateViewCache (this=0x82e8cb0, startPos=..., newViewLineCount=32, viewLinesScrolled=0) at /usr/src/debug/kdelibs-4.4.4/kate/render/katelayoutcache.cpp:265
#15 0xafc707b5 in KateViewInternal::doUpdateView (this=0x85ba690, changed=false, viewLinesScrolled=0) at /usr/src/debug/kdelibs-4.4.4/kate/view/kateviewinternal.cpp:598
#16 0xafc7103e in KateViewInternal::updateView (this=0x85ba690, changed=false, viewLinesScrolled=0) at /usr/src/debug/kdelibs-4.4.4/kate/view/kateviewinternal.cpp:574
#17 0xafc723c0 in KateViewInternal::scrollPos (this=0x85ba690, c=..., force=false, calledExternally=false) at /usr/src/debug/kdelibs-4.4.4/kate/view/kateviewinternal.cpp:533
#18 0xafc72592 in KateViewInternal::scrollLines (this=0x85ba690, line=2068) at /usr/src/debug/kdelibs-4.4.4/kate/view/kateviewinternal.cpp:383
#19 0xafc7cba0 in KateViewInternal::qt_metacall (this=0x85ba690, _c=QMetaObject::InvokeMetaMethod, _id=<value optimized out>, _a=0xbfb0e8c8)
    at /usr/src/debug/kdelibs-4.4.4/build/kate/kateviewinternal.moc:133
#20 0xb6b9fefd in QMetaObject::metacall (object=0x85ba690, cl=QMetaObject::InvokeMetaMethod, idx=35, argv=0xbfb0e8c8) at kernel/qmetaobject.cpp:237
#21 0xb6baefe8 in QMetaObject::activate (sender=0x836f308, m=0xb6a15974, local_signal_index=2, argv=0xbfb0e8c8) at kernel/qobject.cpp:3295
#22 0xb67db8a5 in QAbstractSlider::sliderMoved (this=0x836f308, _t1=2068) at .moc/release-shared/moc_qabstractslider.cpp:195
#23 0xb64de92f in QAbstractSlider::setSliderPosition (this=0x836f308, position=<value optimized out>) at widgets/qabstractslider.cpp:494
#24 0xb657eb9d in QScrollBar::mouseMoveEvent (this=0x836f308, e=0xbfb0f064) at widgets/qscrollbar.cpp:673
#25 0xafc8003a in KateScrollBar::mouseMoveEvent (this=0x836f308, e=0xbfb0f064) at /usr/src/debug/kdelibs-4.4.4/kate/view/kateviewhelpers.cpp:114
#26 0xb612cf3c in QWidget::event (this=0x836f308, event=0xbfb0f064) at kernel/qwidget.cpp:8029
#27 0xb64df043 in QAbstractSlider::event (this=0x836f308, e=0xbfb0f064) at widgets/qabstractslider.cpp:930
#28 0xb657dde9 in QScrollBar::event (this=0x836f308, event=0xbfb0f064) at widgets/qscrollbar.cpp:545
#29 0xb60d3c64 in QApplicationPrivate::notify_helper (this=0x80cda98, receiver=0x836f308, e=0xbfb0f064) at kernel/qapplication.cpp:4302
#30 0xb60dc750 in QApplication::notify (this=0xbfb0ed7c, receiver=0x836f308, e=0xbfb0f064) at kernel/qapplication.cpp:3867
#31 0xb6ddd9d1 in KApplication::notify (this=0xbfb0f914, receiver=0x836f308, event=0xbfb0f064) at /usr/src/debug/kdelibs-4.4.4/kdeui/kernel/kapplication.cpp:302
#32 0xb6b99e0e in QCoreApplication::notifyInternal (this=0xbfb0f914, receiver=0x836f308, event=0xbfb0f064) at kernel/qcoreapplication.cpp:726
#33 0xb60d4c4c in sendSpontaneousEvent (receiver=0x836f308, event=0xbfb0f064, alienWidget=0x0, nativeWidget=0x836f308, buttonDown=0xb6a1e078, lastMouseReceiver=..., spontaneous=true)
    at ../../src/corelib/kernel/qcoreapplication.h:218
#34 QApplicationPrivate::sendMouseEvent (receiver=0x836f308, event=0xbfb0f064, alienWidget=0x0, nativeWidget=0x836f308, buttonDown=0xb6a1e078, lastMouseReceiver=..., spontaneous=true)
    at kernel/qapplication.cpp:2965
#35 0xb615c58c in QETWidget::translateMouseEvent (this=0x836f308, event=0xbfb0f57c) at kernel/qapplication_x11.cpp:4380
#36 0xb615b73e in QApplication::x11ProcessEvent (this=0xbfb0f914, event=0xbfb0f57c) at kernel/qapplication_x11.cpp:3391
#37 0xb6184570 in x11EventSourceDispatch (s=0x80cfc38, callback=0, user_data=0x0) at kernel/qguieventdispatcher_glib.cpp:146
#38 0xb581cb49 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#39 0xb581d350 in ?? () from /usr/lib/libglib-2.0.so.0
#40 0xb581d60e in g_main_context_iteration () from /usr/lib/libglib-2.0.so.0
#41 0xb6bc5d4b in QEventDispatcherGlib::processEvents (this=0x80cc768, flags=...) at kernel/qeventdispatcher_glib.cpp:412
#42 0xb618419a in QGuiEventDispatcherGlib::processEvents (this=0x80cc768, flags=...) at kernel/qguieventdispatcher_glib.cpp:204
#43 0xb6b9911d in QEventLoop::processEvents (this=0xbfb0f834, flags=...) at kernel/qeventloop.cpp:149
#44 0xb6b99319 in QEventLoop::exec (this=0xbfb0f834, flags=...) at kernel/qeventloop.cpp:201
#45 0xb6b9dc70 in QCoreApplication::exec () at kernel/qcoreapplication.cpp:1003
#46 0xb60d1164 in QApplication::exec () at kernel/qapplication.cpp:3581
#47 0xb5015fed in kdemain (argc=2, argv=0x805ed98) at /usr/src/debug/kdesdk-4.4.4/kate/app/katemain.cpp:377
#48 0x0804e5b1 in launch (argc=2, _name=0x80b0264 "/usr/bin/kate", args=<value optimized out>, cwd=0x0, envc=1, envs=<value optimized out>, reset_env=false, tty=0x0, avoid_loops=false, 
    startup_id_str=0x80b028a "wwhisp20;1279983632;670241;5363_TIME1159290") at /usr/src/debug/kdelibs-4.4.4/kinit/kinit.cpp:718
#49 0x0804f0e7 in handle_launcher_request (sock=8, who=<value optimized out>) at /usr/src/debug/kdelibs-4.4.4/kinit/kinit.cpp:1210
#50 0x0804f78c in handle_requests (waitForPid=<value optimized out>) at /usr/src/debug/kdelibs-4.4.4/kinit/kinit.cpp:1403
#51 0x08050609 in main (argc=) at /usr/src/debug/kdelibs-4.4.4/kinit/kinit.cpp:1882

Possible duplicates by query: bug 225345, bug 197313.

Reported using DrKonqi
Comment 1 Valery Yundin 2010-07-24 18:09:34 UTC 
Created attachment 49457 [details]
Crash testcase

Open this file, scroll down, then open a few other files of different types (e.g. xml, html, cpp). Scroll, search for some things. It will eventually crash
Comment 2 bill 2010-10-05 03:10:51 UTC 
Kate crashed while keeping disk busy after I started a search with CTL-F.  Crashed before finishing whatever it was doing with this large (600 MB) file (email inbox).  Checking the Monitor, I see that RAM (1.5 G) and Swap (2 G) seem full.  Trace is:

Application: Kate (kate), signal SIGABRT
[Current thread is 1 (Thread 0xb53039e0 (LWP 14540))]

Thread 1 (Thread 0xb53039e0 (LWP 14540)):
[KCrash Handler]
#6  0xffffe430 in __kernel_vsyscall ()
#7  0xb5756990 in raise () from /lib/libc.so.6
#8  0xb57582c8 in abort () from /lib/libc.so.6
#9  0xb597daf8 in __gnu_cxx::__verbose_terminate_handler() () from /usr/lib/libstdc++.so.6
#10 0xb597b445 in ?? () from /usr/lib/libstdc++.so.6
#11 0xb597b482 in std::terminate() () from /usr/lib/libstdc++.so.6
#12 0xb597b53b in __cxa_rethrow () from /usr/lib/libstdc++.so.6
#13 0xb5bcb2ec in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/libQtCore.so.4
#14 0xb5bcd895 in QCoreApplication::exec() () from /usr/lib/libQtCore.so.4
#15 0xb5dd3777 in QApplication::exec() () from /usr/lib/libQtGui.so.4
#16 0xb77929dd in kdemain () from /usr/lib/libkdeinit4_kate.so
#17 0x08048862 in _start ()

Is it not possible to search very large files?

Thanks.
Comment 3 Dominik Haumann 2011-09-09 13:27:13 UTC 
*** Bug 280991 has been marked as a duplicate of this bug. ***
Comment 4 Valery Yundin 2012-04-03 13:59:22 UTC 
Created attachment 70115 [details]
Patch fixing the issue

The bug is still present in current stable and trunk.
The problem is in dropDynamicContexts and the fact that base_startctx is initialized only in "init()" (see below valgrind messages).

The proposed patch fixes dropDynamicContexts by adding guards against unused highlights and "normal text" highlight.

valgrind --memcheck output (before fix)
Conditional jump or move depends on uninitialised value(s)
   at 0x17C2CF0B: KateHighlighting::dropDynamicContexts() (qvector.h:343)
   by 0x17C25A0E: KateHlManager::resetDynamicCtxs() (katesyntaxmanager.cpp:412)
   by 0x17BE0510: KateBuffer::doHighlight(int, int, bool) (katebuffer.cpp:435)
   by 0x17BB9779: KateDocument::kateTextLine(unsigned int) (katedocument.cpp:4786)
   by 0x17C138C7: KateLineLayout::textLine(bool) const (katelinelayout.cpp:67)
   by 0x17C0B5FC: KateRenderer::layoutLine(KSharedPtr<KateLineLayout>, int, bool) const (katerenderer.cpp:843)
   by 0x17C10165: KateLayoutCache::line(int, int) (katelayoutcache.cpp:318)
   by 0x17C10DC9: KateLayoutCache::updateViewCache(KTextEditor::Cursor const&, int, int) (katelayoutcache.cpp:233)
   by 0x17C67DC4: KateViewInternal::doUpdateView(bool, int) (kateviewinternal.cpp:550)
   by 0x17C6804B: KateViewInternal::updateView(bool, int) (kateviewinternal.cpp:524)
   by 0x17C692BE: KateViewInternal::scrollPos(KTextEditor::Cursor&, bool, bool) (kateviewinternal.cpp:490)
   by 0x17C69B29: KateViewInternal::scrollLines(int) (kateviewinternal.cpp:347)
 Uninitialised value was created by a heap allocation
   at 0x4A06C8E: operator new(unsigned long) (vg_replace_malloc.c:261)
   by 0x17C264F1: KateHlManager::KateHlManager() (katesyntaxmanager.cpp:89)
   by 0x17D02EE1: KateGlobal::KateGlobal() (kateglobal.cpp:136)
   by 0x17D032D9: KateGlobal::self() (kateglobal.cpp:442)
   by 0x9396258: KTextEditor::editor(char const*) (ktexteditor.cpp:186)
   by 0x939E5E1: KTextEditor::EditorChooser::editor(QString const&, bool) (editorchooser.cpp:135)
   by 0x4E4B609: KateDocManager::KateDocManager(QObject*) (katedocmanager.cpp:64)
   by 0x4E457B1: KateApp::KateApp(KCmdLineArgs*) (kateapp.cpp:60)
   by 0x4C11A5F: kdemain (katemain.cpp:373)
   by 0x320861ECDC: (below main) (in /lib64/libc-2.12.so)

Conditional jump or move depends on uninitialised value(s)
   at 0x17C2CECA: KateHighlighting::dropDynamicContexts() (katehighlight.cpp:247)
   by 0x17C25A0E: KateHlManager::resetDynamicCtxs() (katesyntaxmanager.cpp:412)
   by 0x17BE0510: KateBuffer::doHighlight(int, int, bool) (katebuffer.cpp:435)
   by 0x17BB9779: KateDocument::kateTextLine(unsigned int) (katedocument.cpp:4786)
   by 0x17C138C7: KateLineLayout::textLine(bool) const (katelinelayout.cpp:67)
   by 0x17C0B5FC: KateRenderer::layoutLine(KSharedPtr<KateLineLayout>, int, bool) const (katerenderer.cpp:843)
   by 0x17C10165: KateLayoutCache::line(int, int) (katelayoutcache.cpp:318)
   by 0x17C10DC9: KateLayoutCache::updateViewCache(KTextEditor::Cursor const&, int, int) (katelayoutcache.cpp:233)
   by 0x17C67D94: KateViewInternal::doUpdateView(bool, int) (kateviewinternal.cpp:550)
   by 0x17C6801B: KateViewInternal::updateView(bool, int) (kateviewinternal.cpp:524)
   by 0x17C6928E: KateViewInternal::scrollPos(KTextEditor::Cursor&, bool, bool) (kateviewinternal.cpp:490)
   by 0x17C69AF9: KateViewInternal::scrollLines(int) (kateviewinternal.cpp:347)
 Uninitialised value was created by a heap allocation
   at 0x4A06C8E: operator new(unsigned long) (vg_replace_malloc.c:261)
   by 0x17C262E2: KateHlManager::KateHlManager() (katesyntaxmanager.cpp:71)
   by 0x17D02EB1: KateGlobal::KateGlobal() (kateglobal.cpp:136)
   by 0x17D032A9: KateGlobal::self() (kateglobal.cpp:442)
   by 0x9396258: KTextEditor::editor(char const*) (ktexteditor.cpp:186)
   by 0x939E5E1: KTextEditor::EditorChooser::editor(QString const&, bool) (editorchooser.cpp:135)
   by 0x4E4B609: KateDocManager::KateDocManager(QObject*) (katedocmanager.cpp:64)
   by 0x4E457B1: KateApp::KateApp(KCmdLineArgs*) (kateapp.cpp:60)
   by 0x4C11A5F: kdemain (katemain.cpp:373)
   by 0x320861ECDC: (below main) (in /lib64/libc-2.12.so)
Comment 5 Dominik Haumann 2012-04-10 20:56:50 UTC 
*** Bug 297710 has been marked as a duplicate of this bug. ***
Comment 6 Dominik Haumann 2012-04-10 20:58:34 UTC 
The review request fixes the issue: https://git.reviewboard.kde.org/r/104482/
Should be committed in time for KDE 4.8.3.
Comment 7 Christoph Cullmann 2012-05-01 09:35:06 UTC 
Git commit 5e5cf873b55e84a76d6425f96db0a8d4ee513507 by Christoph Cullmann.
Committed on 01/05/2012 at 11:34.
Pushed by cullmann into branch 'master'.

Patch by Valery Yundin

Description:

Memory corruption in dropDynamicContexts due to undefined value of base_startctx. The patch adds to dropDynamicContexts guards against unused highlights and "normal text" highlight.

Testing Done:

valgrind --tool=memcheck reports access to uninitialized memory when using test case from bug 245663

M  +7    -5    part/syntax/katehighlight.cpp

http://commits.kde.org/kate/5e5cf873b55e84a76d6425f96db0a8d4ee513507