Bug 281217

Summary: bluetooth crashed after profile A2DP
Product: [Unmaintained] kdelibs Reporter: oleg <oleg_zak>
Component: kshareddatacacheAssignee: Michael Pyne <mpyne>
Status: RESOLVED FIXED    
Severity: crash CC: mpyne
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: unspecified   
OS: Linux   
Latest Commit: http://commits.kde.org/kdelibs/d6f72354807a0d79939ecaf0d127004473c03dea Version Fixed In: 4.8.4
Sentry Crash Report:

Description oleg 2011-09-02 13:00:26 UTC 
Application: bluedevil-audio (0.1)
KDE Platform Version: 4.6.2 (4.6.2)
Qt Version: 4.7.2
Operating System: Linux 2.6.38-11-generic i686
Distribution: Ubuntu 11.04

-- Information about the crash:
- What I was doing when the application crashed:
In setting change bluetooth profile for headset BSH10 to A2DP

The crash can be reproduced every time.

-- Backtrace:
Application: Инструмент для настройки аудиослужбы Bluetooth (bluedevil-audio), signal: Segmentation fault
[KCrash Handler]
#7  0x00994c92 in ?? () from /lib/i386-linux-gnu/libc.so.6
#8  0x00996925 in ?? () from /lib/i386-linux-gnu/libc.so.6
#9  0x00998f53 in malloc () from /lib/i386-linux-gnu/libc.so.6
#10 0x00b9fb8d in qMalloc (size=3403) at global/qmalloc.cpp:55
#11 0x00ba7ee9 in QByteArray::QByteArray (this=0xbf914204, data=0xb6db0020 "", size=3383) at tools/qbytearray.cpp:1306
#12 0x008e300a in KSharedDataCache::find(QString const&, QByteArray*) const () from /usr/lib/libkdecore.so.5
#13 0x0029c480 in ?? () from /usr/lib/libkdeui.so.5
#14 0x0029f3d7 in KIconLoader::loadIcon(QString const&, KIconLoader::Group, int, int, QStringList const&, QString*, bool) const () from /usr/lib/libkdeui.so.5
#15 0x00296d76 in ?? () from /usr/lib/libkdeui.so.5
#16 0x00fbd712 in QIcon::pixmap (this=0xbf91458c, size=..., mode=QIcon::Normal, state=QIcon::Off) at image/qicon.cpp:676
#17 0x01994a4b in ?? () from /usr/lib/kde4/bluedevilaudioactionplugin.so
#18 0x01994198 in ?? () from /usr/lib/kde4/bluedevilaudioactionplugin.so
#19 0x00ca06ba in QMetaObject::metacall (object=0x85ebc98, cl=QMetaObject::InvokeMetaMethod, idx=6, argv=0xbf91469c) at kernel/qmetaobject.cpp:237
#20 0x00cb04ff in QMetaObject::activate (sender=0x85dd738, m=0xdd4188, local_signal_index=0, argv=0x0) at kernel/qobject.cpp:3287
#21 0x00cb64d7 in QSingleShotTimer::timeout (this=0x85dd738) at .moc/release-shared/qtimer.moc:82
#22 0x00cb658c in QSingleShotTimer::timerEvent (this=0x85dd738) at kernel/qtimer.cpp:308
#23 0x00caf214 in QObject::event (this=0x85dd738, e=0xbf914bbc) at kernel/qobject.cpp:1190
#24 0x00f04d24 in QApplicationPrivate::notify_helper (this=0x85438a8, receiver=0x85dd738, e=0xbf914bbc) at kernel/qapplication.cpp:4462
#25 0x00f098ce in QApplication::notify (this=0xbf914ef0, receiver=0x85dd738, e=0xbf914bbc) at kernel/qapplication.cpp:3862
#26 0x002f13ca in KApplication::notify(QObject*, QEvent*) () from /usr/lib/libkdeui.so.5
#27 0x00c9a0bb in QCoreApplication::notifyInternal (this=0xbf914ef0, receiver=0x85dd738, event=0xbf914bbc) at kernel/qcoreapplication.cpp:731
#28 0x00cca1e4 in sendEvent (this=0x8548594) at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:215
#29 QTimerInfoList::activateTimers (this=0x8548594) at kernel/qeventdispatcher_unix.cpp:604
#30 0x00cc6df4 in timerSourceDispatch (source=0x8548560) at kernel/qeventdispatcher_glib.cpp:184
#31 0x0646daa8 in g_main_context_dispatch () from /lib/i386-linux-gnu/libglib-2.0.so.0
#32 0x0646e270 in ?? () from /lib/i386-linux-gnu/libglib-2.0.so.0
#33 0x0646e524 in g_main_context_iteration () from /lib/i386-linux-gnu/libglib-2.0.so.0
#34 0x00cc753c in QEventDispatcherGlib::processEvents (this=0x8512458, flags=...) at kernel/qeventdispatcher_glib.cpp:422
#35 0x00fbb1e5 in QGuiEventDispatcherGlib::processEvents (this=0x8512458, flags=...) at kernel/qguieventdispatcher_glib.cpp:204
#36 0x00c99289 in QEventLoop::processEvents (this=0xbf914e54, flags=...) at kernel/qeventloop.cpp:149
#37 0x00c99522 in QEventLoop::exec (this=0xbf914e54, flags=...) at kernel/qeventloop.cpp:201
#38 0x00c9decc in QCoreApplication::exec () at kernel/qcoreapplication.cpp:1008
#39 0x00f028e7 in QApplication::exec () at kernel/qapplication.cpp:3736
#40 0x0804a2b0 in _start ()

Possible duplicates by query: bug 280936.

Reported using DrKonqi
Comment 1 Christoph Feck 2011-09-03 11:11:52 UTC 
Memory corruption could happen anywhere, so if possible, please add a valgrind log. For more information, see http://techbase.kde.org/Development/Tutorials/Debugging/How_to_create_useful_crash_reports#Retrieving_a_backtrace_with_Valgrind

See also bug 280936.
Comment 2 Michael Pyne 2012-05-21 03:22:24 UTC 
Git commit 561e6494bdd9a02cc8feef649f7dbbd40a1456c3 by Michael Pyne.
Committed on 20/05/2012 at 00:13.
Pushed by mpyne into branch 'KDE/4.8'.

kshareddatacache: Validate cache page size.

This commit ensures that the cache page size is actually a power-of-2
and within the band of possible sizes that could possibly have been set.

If this is not the case the cache is assumed corrupted and reset.

This should help with any cache-corruption bugs caused by a wrong cache
page size (although these don't exactly make themselves obvious). More
fixes to follow...

This one /should/ fix 274252 outright and may be of interest to several
others.
Related: bug 274252, bug 249362, bug 253665, bug 243573, bug 297815, bug 293954, bug 293447, bug 270915, bug 255233
FIXED-IN:4.8.4

M  +26   -1    kdecore/util/kshareddatacache.cpp

http://commits.kde.org/kdelibs/561e6494bdd9a02cc8feef649f7dbbd40a1456c3
Comment 3 Michael Pyne 2012-05-21 03:22:30 UTC 
Git commit ca2a6a59784232857a35b313adc9599efb87bd5e by Michael Pyne.
Committed on 21/05/2012 at 01:19.
Pushed by mpyne into branch 'KDE/4.8'.

kshareddatacache: Adopt KSDCCorrupted for exceptional errors.

This involves converting many present assertions (which crash no matter
what) and error-code return values (which have to be checked everywhere
the return value is used at) into using the KSDCCorrupted exception.

The nice thing about using the exception is that it can be trapped and
handled so that it does not cause an application crash.

There's still a bit more to do -- the end goal is that all accesses to
shm, no matter how minor, are vetted beforehand to ensure it won't cause
a page fault or bus violation.
Related: bug 249362, bug 253665, bug 243573, bug 297815, bug 293954, bug 293447, bug 270915, bug 255233

M  +49   -34   kdecore/util/kshareddatacache.cpp

http://commits.kde.org/kdelibs/ca2a6a59784232857a35b313adc9599efb87bd5e
Comment 4 Michael Pyne 2012-05-21 03:22:31 UTC 
Git commit d6f72354807a0d79939ecaf0d127004473c03dea by Michael Pyne.
Committed on 21/05/2012 at 03:38.
Pushed by mpyne into branch 'KDE/4.8'.

kshareddatacache: Length-checking for memcpy.

Previous commits added exception support if we tried to read from or
write to individual pages that were invalid.

This doesn't fully cover the cases where memcpy is used across page
boundaries (when reading an entry or writing an entry to the cache),
which requires verifying the length.

It also missed checking the return value of page() in defragment, where
the returned pointer was used inline in memcpy().

Now we throw a corrupt-cache exception if we would violate the
boundaries established in mmap().

Passes the relevant unit tests and limited fuzz tests mentioned in my
last commit. Hopefully this should fix the majority of extant "cache is
corrupt" crashers.
Related: bug 255233, bug 293954
FIXED-IN:4.8.4

M  +52   -7    kdecore/util/kshareddatacache.cpp

http://commits.kde.org/kdelibs/d6f72354807a0d79939ecaf0d127004473c03dea