Bug 249362

Summary: KImageCache crashes on loading (presumably) corrupt cache
Product: [Unmaintained] kdelibs
Reporter: Parker Coates <coates>
Component: kshareddatacache
Assignee: Michael Pyne <mpyne>
Status: RESOLVED UNMAINTAINED
Severity: crash
CC: abdhulk, andrew, asraniel, barnettedward, george, mikey.horton, mpyne, qaim.ali.jaffarson, roels.jorick, samantha.april.davis, schwarzer, scott.neville
Priority: NOR
Version: SVN
Target Milestone: ---
Platform: Compiled Sources
OS: Linux

Description Parker Coates 2010-08-28 23:40:48 UTC
Version:           SVN (using Devel) 
OS:                Linux

I recently ported LibKCardGame (part of KPat) from KPixmapCache to KImageCache. Occasionally it seems that the cache messes up and returns the same pixmap for several different keys. I'm still working on tracking down the exact problem and/or steps to reproduce.

Anyway, after one such mess up I restarted KPat and found it to crash. It continued to crash until I manually deleted the cache file. My understanding is that K(Image|SharedData)Cache is supposed to be able to handle corrupt caches without crashing, so this is most likely a bug in its own right.

Reproducible: Always

Steps to Reproduce:
1) Switch to the "Nicu White" theme.
2) Shutdown KPat.
3) Replace your .kcache file with the one attached.
4) Fire up KPat.

Actual Results:  
Crash.

Expected Results:  
No crash. :)

Backtrace:

Application: KPatience (kpat), signal: Segmentation fault
[KCrash Handler]
#5  0x00007f3e759cac96 in strcmp () from /lib/libc.so.6
#6  0x00007f3e76708177 in qstrcmp (str1=0x7f3f68653000 <Address 0x7f3f68653000 out of bounds>, str2=0xb43f68 "libkcardgame_lastusedsize")
    at /home/parker/kde-devel/source/qt-copy/src/corelib/tools/qbytearray.cpp:216
#7  0x00007f3e77079a8c in SharedMemory::findNamedEntry (this=0x7f3e6864f000, key=...) at /home/parker/kde-devel/source/KDE/kdelibs/kdecore/util/kshareddatacache.cpp:604
#8  0x00007f3e7707888d in KSharedDataCache::find (this=0xb06c00, key=..., destination=0x7fff8a25fc00) at /home/parker/kde-devel/source/KDE/kdelibs/kdecore/util/kshareddatacache.cpp:1369
#9  0x00007f3e79cfbb13 in KAbstractCardDeck::setTheme (this=0xb45f40, theme=...) at /home/parker/kde-devel/source/KDE/kdegames/kpat/libkcardgame/kabstractcarddeck.cpp:461
#10 0x00007f3e79cfac63 in KAbstractCardDeck (this=0xb45f40, theme=..., parent=0xa029a0) at /home/parker/kde-devel/source/KDE/kdegames/kpat/libkcardgame/kabstractcarddeck.cpp:315
#11 0x00007f3e79d154d9 in KStandardCardDeck (this=0xb45f40, theme=..., parent=0xa029a0) at /home/parker/kde-devel/source/KDE/kdegames/kpat/libkcardgame/kstandardcarddeck.cpp:58
#12 0x0000000000436210 in MainWindow::setGameType (this=0xa029a0, id=11) at /home/parker/kde-devel/source/KDE/kdegames/kpat/mainwindow.cpp:505
#13 0x00000000004380e4 in MainWindow::openGame (this=0xa029a0, url=..., addToRecentFiles=false) at /home/parker/kde-devel/source/KDE/kdegames/kpat/mainwindow.cpp:828
#14 0x000000000041985c in main (argc=1, argv=0x7fff8a260a88) at /home/parker/kde-devel/source/KDE/kdegames/kpat/main.cpp:274
Comment 1 Parker Coates 2010-08-28 23:46:40 UTC
It turns out the kcache file is too big to attach here, so I'll mail it directly to you Michael.
Comment 2 Frederik Schwarzer 2010-09-18 17:36:47 UTC
I experienced the same crash. Here it happened when resizing the window with the "Congratulations" screen shown.



Application: KPatience (kpat), signal: Segmentation fault
[Current thread is 1 (Thread 0xb4d50710 (LWP 14421))]

Thread 2 (Thread 0xb25a1b70 (LWP 14538)):
#0  0xffffe424 in __kernel_vsyscall ()
#1  0xb56b1482 in pthread_cond_timedwait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/i386/i686/../i486/pthread_cond_timedwait.S:179
#2  0xb5b81e64 in __pthread_cond_timedwait (cond=0x908e298, mutex=0x908e280, abstime=0xb25a12a0) at forward.c:152
#3  0xb5d9b41f in wait (this=0x908e1e4, mutex=0x908e1e0, time=30000) at thread/qwaitcondition_unix.cpp:86
#4  QWaitCondition::wait (this=0x908e1e4, mutex=0x908e1e0, time=30000) at thread/qwaitcondition_unix.cpp:160
#5  0xb5d8f1d3 in QThreadPoolThread::run (this=0x92545b8) at concurrent/qthreadpool.cpp:140
#6  0xb5d9a8d9 in QThreadPrivate::start (arg=0x92545b8) at thread/qthread_unix.cpp:266
#7  0xb56ac955 in start_thread (arg=0xb25a1b70) at pthread_create.c:300
#8  0xb5b74e7e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130

Thread 1 (Thread 0xb4d50710 (LWP 14421)):
[KCrash Handler]
#7  memcpy () at ../sysdeps/i386/i686/memcpy.S:61
#8  0xb6299b11 in SharedMemory::removeUsedPages(unsigned int) () from /usr/lib/libkdecore.so.5
#9  0xb6297419 in KSharedDataCache::insert (this=0x908d6e8, key=..., data=...) at ../../kdecore/util/kshareddatacache.cpp:1309
#10 0xb7202ea2 in KImageCache::insertImage (this=0x908d6e8, key=..., image=...) at ../../kdeui/util/kimagecache.cpp:80
#11 0xb77152e6 in KGameRendererPrivate::jobFinished(KGRInternal::Job*, bool) () from /home/fs/usr/lib/libkdegames.so.5
#12 0xb7715bf8 in KGameRendererPrivate::qt_metacall(QMetaObject::Call, int, void**) () from /home/fs/usr/lib/libkdegames.so.5
#13 0xb5ea05da in QMetaObject::metacall (object=0x908e020, cl=15, idx=4, argv=0xb012b458) at kernel/qmetaobject.cpp:237
#14 0xb5eab996 in QMetaCallEvent::placeMetaCall (this=0xb0602de0, object=0x908e020) at kernel/qobject.cpp:534
#15 0xb5eacac2 in QObject::event (this=0x908e020, e=0x12c) at kernel/qobject.cpp:1219
#16 0xb643a1fc in QApplicationPrivate::notify_helper (this=0x8f5ba58, receiver=0x908e020, e=0xb0602de0) at kernel/qapplication.cpp:4396
#17 0xb64412be in QApplication::notify (this=0xbfedc9a8, receiver=0x908e020, e=0xb0602de0) at kernel/qapplication.cpp:3798
#18 0xb717e6da in KApplication::notify (this=0xbfedc9a8, receiver=0x908e020, event=0xb0602de0) at ../../kdeui/kernel/kapplication.cpp:310
#19 0xb5e9a93b in QCoreApplication::notifyInternal (this=0xbfedc9a8, receiver=0x908e020, event=0xb0602de0) at kernel/qcoreapplication.cpp:732
#20 0xb5e9dadb in sendEvent (receiver=0x0, event_type=0, data=0x8f48848) at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:215
#21 QCoreApplicationPrivate::sendPostedEvents (receiver=0x0, event_type=0, data=0x8f48848) at kernel/qcoreapplication.cpp:1373
#22 0xb5e9dc9d in QCoreApplication::sendPostedEvents (receiver=0x0, event_type=0) at kernel/qcoreapplication.cpp:1266
#23 0xb5ec9484 in sendPostedEvents (s=0x8f87690) at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:220
#24 postEventSourceDispatch (s=0x8f87690) at kernel/qeventdispatcher_glib.cpp:277
#25 0xb55d4305 in g_main_context_dispatch () from /lib/libglib-2.0.so.0
#26 0xb55d7fe8 in ?? () from /lib/libglib-2.0.so.0
#27 0xb55d81c8 in g_main_context_iteration () from /lib/libglib-2.0.so.0
#28 0xb5ec8f75 in QEventDispatcherGlib::processEvents (this=0x8f482f8, flags=...) at kernel/qeventdispatcher_glib.cpp:415
#29 0xb64fb755 in QGuiEventDispatcherGlib::processEvents (this=0x8f482f8, flags=...) at kernel/qguieventdispatcher_glib.cpp:204
#30 0xb5e993e9 in QEventLoop::processEvents (this=0xbfedc8e4, flags=) at kernel/qeventloop.cpp:149
#31 0xb5e9986a in QEventLoop::exec (this=0xbfedc8e4, flags=...) at kernel/qeventloop.cpp:201
#32 0xb5e9dd5f in QCoreApplication::exec () at kernel/qcoreapplication.cpp:1009
#33 0xb643a297 in QApplication::exec () at kernel/qapplication.cpp:3672
#34 0x0805cd5c in main ()
Comment 3 Parker Coates 2010-09-18 17:58:15 UTC
Note that KPat uses two separate KImageCaches: one (used via LibKCardGame) for the card graphics and one (used via KGameRenderer) for the theme graphics. My original crash was in the former, while Frederik's is in the latter.

Michael, during an earlier conversation on IRC you claimed that you weren't able to reproduce this crash. It seems that Frederik can reproduce it regularly just by drag resizing the window. On my system that works only sometimes. You might want to try that out. Also if the issue is overworking the cache, using a simpler card deck/theme which will render faster should mean more insertions/retrievals per second. The "Standard" deck on a "Clean Green" theme would probably be the fastest combination.
Comment 4 Michael Pyne 2010-09-18 19:13:06 UTC
Thanks, I'll try out the other themes. It seems to me that the removeUsedPages method has the flaw so maybe I'll attach a patch with a ton of assertions to catch the bug as early as possible.
Comment 5 Michael Pyne 2010-09-19 05:46:17 UTC
Tried Clean Green with Standard today, no crash (not even a warning at the console, just occasional messages about defragmenting).

The "findNamedEntry" crash might be fixed already, by Manuel Mommertz, which would fix the first bug reported here. I'll keep looking into the second one.

I wonder if there's a way to coordinate with the OS to trap signals before diving into the cache and just failing (but not crashing!) if a signal occurs...
Comment 6 Michael Pyne 2010-10-07 03:37:33 UTC
If you or Frederik are able to reproduce this crash please ping this bug again, else I think I might have fixed it with my 4.5.2 defragment() fix.
Comment 7 Frederik Schwarzer 2010-10-09 03:53:28 UTC
Will do, as soon as I get my hands on 4.5.2 packages.
Comment 8 Beat Wolf 2010-10-19 16:23:16 UTC
*** Bug 254567 has been marked as a duplicate of this bug. ***
Comment 9 Beat Wolf 2010-10-25 09:23:00 UTC
*** Bug 255141 has been marked as a duplicate of this bug. ***
Comment 10 Beat Wolf 2010-10-25 09:23:29 UTC
the last duplicate crashed on 4.5.2
Reopening this bug.
Comment 11 Nicolas L. 2010-12-27 18:37:02 UTC
*** Bug 261394 has been marked as a duplicate of this bug. ***
Comment 12 Edward 2010-12-28 00:13:48 UTC
Thanks for the quick response.
Hate to just sit around; build computers for hobby and can't admit defeat.  
Tried all obvious reinstall, update, etc.  After the obvious, went to Google for 
help.
This fixed it:
sudo rm /usr/share/kubuntu-default-settings/kde4-profile/default/share/config/plasma-appletsrc

rm ~/.kde/share/config/plasma-desktop-appletsrc
rm ~/.kde/share/config/plasma-desktoprc
Found here:
http://ubuntuforums.org/archive/index.php/t-1397870.html

Seems to be working now.  If not on reboot, will let you know!
Comment 13 Michael Pyne 2012-05-21 03:22:24 UTC
Git commit 561e6494bdd9a02cc8feef649f7dbbd40a1456c3 by Michael Pyne.
Committed on 20/05/2012 at 00:13.
Pushed by mpyne into branch 'KDE/4.8'.

kshareddatacache: Validate cache page size.

This commit ensures that the cache page size is actually a power-of-2
and within the band of possible sizes that could possibly have been set.

If this is not the case the cache is assumed corrupted and reset.

This should help with any cache-corruption bugs caused by a wrong cache
page size (although these don't exactly make themselves obvious). More
fixes to follow...

This one /should/ fix 274252 outright and may be of interest to several
others.
Related: bug 274252, bug 253665, bug 243573, bug 281217, bug 297815, bug 293954, bug 293447, bug 270915, bug 255233
FIXED-IN:4.8.4

M  +26   -1    kdecore/util/kshareddatacache.cpp

http://commits.kde.org/kdelibs/561e6494bdd9a02cc8feef649f7dbbd40a1456c3
Comment 14 Michael Pyne 2012-05-21 03:22:30 UTC
Git commit ca2a6a59784232857a35b313adc9599efb87bd5e by Michael Pyne.
Committed on 21/05/2012 at 01:19.
Pushed by mpyne into branch 'KDE/4.8'.

kshareddatacache: Adopt KSDCCorrupted for exceptional errors.

This involves converting many present assertions (which crash no matter
what) and error-code return values (which have to be checked everywhere
the return value is used at) into using the KSDCCorrupted exception.

The nice thing about using the exception is that it can be trapped and
handled so that it does not cause an application crash.

There's still a bit more to do -- the end goal is that all accesses to
shm, no matter how minor, are vetted beforehand to ensure it won't cause
a page fault or bus violation.
Related: bug 253665, bug 243573, bug 281217, bug 297815, bug 293954, bug 293447, bug 270915, bug 255233

M  +49   -34   kdecore/util/kshareddatacache.cpp

http://commits.kde.org/kdelibs/ca2a6a59784232857a35b313adc9599efb87bd5e
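As an added example (not kdelibs code, and not part of this bug thread), the sketch below shows in C++ the two ideas in the commits above: vetting a shared cache header (page size a power of two within a fixed band, sizes and offsets inside the mapping) before anything trusts it, and turning the "corrupted" condition into an exception that the open path catches and answers with a reset rather than a crash. It also bounds the key comparison that faulted in the first backtrace, where strcmp() was handed an address outside the mapping. The header layout, field names, size band, the `CacheCorrupted` type and the sample cache are all assumptions made for this example; the real SharedMemory layout in kshareddatacache.cpp is different.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <stdexcept>
#include <string>
#include <vector>

// Thrown instead of asserting or crashing on an inconsistent cache;
// plays the role KSDCCorrupted plays in the commit above.
struct CacheCorrupted : std::runtime_error {
    explicit CacheCorrupted(const char *msg) : std::runtime_error(msg) {}
};

// Hypothetical, simplified header (an assumption, not the real kdelibs layout).
struct CacheHeader {
    uint32_t cacheSize;   // bytes in the whole mapping, header included
    uint32_t pageSize;    // must be a power of two in [kMinPageSize, kMaxPageSize]
    uint32_t entryOffset; // byte offset of a NUL-terminated key string
};

constexpr uint32_t kMinPageSize = 4096;
constexpr uint32_t kMaxPageSize = 1u << 20;

// Copies the header out of the mapping and vets every field before any
// offset derived from it is dereferenced.
CacheHeader validateHeader(const std::vector<uint8_t> &mapping) {
    if (mapping.size() < sizeof(CacheHeader))
        throw CacheCorrupted("mapping smaller than header");
    CacheHeader h;
    std::memcpy(&h, mapping.data(), sizeof h);
    if (h.cacheSize != mapping.size())
        throw CacheCorrupted("header size does not match mapping size");
    bool pow2 = h.pageSize != 0 && (h.pageSize & (h.pageSize - 1)) == 0;
    if (!pow2 || h.pageSize < kMinPageSize || h.pageSize > kMaxPageSize)
        throw CacheCorrupted("page size not a power of two in the allowed band");
    if (h.cacheSize % h.pageSize != 0)
        throw CacheCorrupted("cache size is not a whole number of pages");
    if (h.entryOffset < sizeof(CacheHeader) || h.entryOffset >= h.cacheSize)
        throw CacheCorrupted("entry offset outside the mapping");
    return h;
}

// Bounded replacement for the strcmp() in the first backtrace: the stored key
// is compared only after confirming it is NUL-terminated inside the mapping.
bool keyMatches(const std::vector<uint8_t> &mapping, uint32_t offset, const std::string &key) {
    if (offset >= mapping.size())
        throw CacheCorrupted("key offset past end of mapping");
    const uint8_t *start = mapping.data() + offset;
    const void *nul = std::memchr(start, 0, mapping.size() - offset);
    if (!nul)
        throw CacheCorrupted("stored key is not NUL-terminated inside mapping");
    size_t len = static_cast<const uint8_t *>(nul) - start;
    return len == key.size() && std::memcmp(start, key.data(), len) == 0;
}

// Rebuilds an empty cache in place: what "reset" means in this example.
void resetCache(std::vector<uint8_t> &mapping, uint32_t pageSize, uint32_t pages) {
    mapping.assign(static_cast<size_t>(pageSize) * pages, 0);
    CacheHeader h{static_cast<uint32_t>(mapping.size()), pageSize,
                  static_cast<uint32_t>(sizeof(CacheHeader))};
    std::memcpy(mapping.data(), &h, sizeof h);
}

// Open path: a corrupted cache is reset instead of crashing. Returns true on reset.
bool openOrReset(std::vector<uint8_t> &mapping) {
    try { validateHeader(mapping); return false; }
    catch (const CacheCorrupted &) { resetCache(mapping, kMinPageSize, 4); return true; }
}

// Constructed sample: four 4 KiB pages with one key stored right after the header.
std::vector<uint8_t> makeSampleCache(const std::string &key) {
    std::vector<uint8_t> m;
    resetCache(m, kMinPageSize, 4);
    std::memcpy(m.data() + sizeof(CacheHeader), key.c_str(), key.size() + 1);
    return m;
}

// Scenarios: intact cache, corrupt page size, key that runs off the mapping.
bool validCacheIsAccepted() {
    std::vector<uint8_t> m = makeSampleCache("libkcardgame_lastusedsize");
    CacheHeader h = validateHeader(m);
    return keyMatches(m, h.entryOffset, "libkcardgame_lastusedsize")
        && !keyMatches(m, h.entryOffset, "libkcardgame_other") && !openOrReset(m);
}
bool badPageSizeIsReset() {
    std::vector<uint8_t> m = makeSampleCache("k");
    uint32_t bad = 3000; // not a power of two
    std::memcpy(m.data() + offsetof(CacheHeader, pageSize), &bad, sizeof bad);
    return openOrReset(m) && validateHeader(m).pageSize == kMinPageSize;
}
bool unterminatedKeyIsRejected() {
    std::vector<uint8_t> m = makeSampleCache("k");
    std::memset(m.data() + sizeof(CacheHeader), 'A', m.size() - sizeof(CacheHeader));
    try { keyMatches(m, sizeof(CacheHeader), "k"); return false; }
    catch (const CacheCorrupted &) { return true; }
}
```

The point of the split between validateHeader() and keyMatches() is the one the second commit message makes: every shm access, however minor, is checked against the mapping bounds before it happens, so a bad offset surfaces as a caught CacheCorrupted and a reset rather than as the SIGSEGV in the backtraces above. The three scenario functions exercise the intact cache, a page size that is not a power of two, and a key that is not terminated inside the mapping.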
Comment 15 Dominik Haumann 2016-09-06 12:19:21 UTC
*** Bug 304314 has been marked as a duplicate of this bug. ***
Comment 16 Dominik Haumann 2016-09-06 12:19:48 UTC
*** Bug 309663 has been marked as a duplicate of this bug. ***
Comment 17 Dominik Haumann 2016-09-06 12:20:13 UTC
*** Bug 311273 has been marked as a duplicate of this bug. ***
Comment 18 Dominik Haumann 2016-09-06 12:20:28 UTC
*** Bug 311735 has been marked as a duplicate of this bug. ***
Comment 19 Dominik Haumann 2016-09-06 12:20:49 UTC
*** Bug 311920 has been marked as a duplicate of this bug. ***
Comment 20 Dominik Haumann 2016-09-06 12:21:06 UTC
*** Bug 317595 has been marked as a duplicate of this bug. ***
Comment 21 Dominik Haumann 2016-09-06 12:24:11 UTC
Looks like this could be fixed, since the duplicates are all also very old.

Still, a related issue may be bug #361426, which exists in 2016-09-06, KDE Frameworks 5.26.