Bug 283321

Summary: photolayoutseditor crashes on exit
Product: [Applications] digikam Reporter: nucleo <nucleo>
Component: Plugin-Generic-PhotoLayoutEditorAssignee: Digikam Developers <digikam-bugs-null>
Status: RESOLVED FIXED    
Severity: crash CC: caulier.gilles, kevin.kofler, lukasz.spas
Priority: HI    
Version: unspecified   
Target Milestone: ---   
Platform: Fedora RPMs   
OS: Linux   
Latest Commit: Version Fixed In: 2.3.0
Sentry Crash Report:
Attachments: output of "valgrind photolayoutseditor"

Description nucleo 2011-10-04 14:43:42 UTC 
Version:           2.2.0 (using KDE 4.7.1) 
OS:                Linux

photolayoutseditor crashes after I added image, added image effect and close application 

Reproducible: Always

Steps to Reproduce:
1. Start photolayoutseditor and create new layout
2. Add image in Canvas
3. Add image effect (for exapmle blur)
4. Close application (answer No on saving changes)

Actual Results:  
Crash in _start()

Expected Results:  
Should be just terminated.

Application: Photo Layouts Editor (photolayoutseditor), signal: Segmentation fault
Using host libthread_db library "/lib/libthread_db.so.1".
[KCrash Handler]
#7  0x0809c425 in KIPIPhotoLayoutsEditor::AbstractPhoto::refresh (this=0x9401730) at /usr/src/debug/digikam-2.2.0/extra/kipi-plugins/photolayoutseditor/widgets/items/AbstractPhoto.cpp:515
#8  0x080bb798 in KIPIPhotoLayoutsEditor::PhotoEffectsGroup::emitEffectsChanged (this=0x953e728, effect=0x0) at /usr/src/debug/digikam-2.2.0/extra/kipi-plugins/photolayoutseditor/effects/PhotoEffectsGroup.cpp:369
#9  0x080bc146 in KIPIPhotoLayoutsEditor::PhotoEffectsGroup::removeRows (this=0x953e728, row=0, count=<optimized out>, parent=...) at /usr/src/debug/digikam-2.2.0/extra/kipi-plugins/photolayoutseditor/effects/PhotoEffectsGroup.cpp:360
#10 0x080e9934 in removeRow (aparent=..., arow=<optimized out>, this=<optimized out>) at /usr/include/QtCore/qabstractitemmodel.h:319
#11 removeChoosed (this=0x95a6ea0) at /usr/src/debug/digikam-2.2.0/extra/kipi-plugins/photolayoutseditor/widgets/tools/AbstractItemsListViewTool.cpp:181
#12 KIPIPhotoLayoutsEditor::AbstractItemsListViewTool::chooserCancelled (this=0x95d2078) at /usr/src/debug/digikam-2.2.0/extra/kipi-plugins/photolayoutseditor/widgets/tools/AbstractItemsListViewTool.cpp:342
#13 0x080e9ac7 in KIPIPhotoLayoutsEditor::AbstractItemsListViewTool::~AbstractItemsListViewTool (this=0x95d2078, __in_chrg=<optimized out>) at /usr/src/debug/digikam-2.2.0/extra/kipi-plugins/photolayoutseditor/widgets/tools/AbstractItemsListViewTool.cpp:256
#14 0x080e20c3 in ~EffectsEditorTool (this=0x95d2078, __in_chrg=<optimized out>) at /usr/src/debug/digikam-2.2.0/extra/kipi-plugins/photolayoutseditor/widgets/tools/EffectsEditorTool.h:35
#15 KIPIPhotoLayoutsEditor::EffectsEditorTool::~EffectsEditorTool (this=0x95d2078, __in_chrg=<optimized out>) at /usr/src/debug/digikam-2.2.0/extra/kipi-plugins/photolayoutseditor/widgets/tools/EffectsEditorTool.h:35
#16 0x02219e52 in QObjectPrivate::deleteChildren() () from /usr/lib/libQtCore.so.4
#17 0x0672132c in QWidget::~QWidget() () from /usr/lib/libQtGui.so.4
#18 0x06721623 in QWidget::~QWidget() () from /usr/lib/libQtGui.so.4
#19 0x02219e52 in QObjectPrivate::deleteChildren() () from /usr/lib/libQtCore.so.4
#20 0x0672132c in QWidget::~QWidget() () from /usr/lib/libQtGui.so.4
#21 0x06b3f150 in QFrame::~QFrame() () from /usr/lib/libQtGui.so.4
#22 0x06bd2f35 in QAbstractScrollArea::~QAbstractScrollArea() () from /usr/lib/libQtGui.so.4
#23 0x06bd7fa0 in QScrollArea::~QScrollArea() () from /usr/lib/libQtGui.so.4
#24 0x06bd7fe3 in QScrollArea::~QScrollArea() () from /usr/lib/libQtGui.so.4
#25 0x02219e52 in QObjectPrivate::deleteChildren() () from /usr/lib/libQtCore.so.4
#26 0x0672132c in QWidget::~QWidget() () from /usr/lib/libQtGui.so.4
#27 0x06721623 in QWidget::~QWidget() () from /usr/lib/libQtGui.so.4
#28 0x02219e52 in QObjectPrivate::deleteChildren() () from /usr/lib/libQtCore.so.4
#29 0x0672132c in QWidget::~QWidget() () from /usr/lib/libQtGui.so.4
#30 0x06b280f0 in QDockWidget::~QDockWidget() () from /usr/lib/libQtGui.so.4
#31 0x080aac78 in KIPIPhotoLayoutsEditor::ToolsDockWidget::~ToolsDockWidget (this=0x92153a0, __in_chrg=<optimized out>) at /usr/src/debug/digikam-2.2.0/extra/kipi-plugins/photolayoutseditor/widgets/tools/ToolsDockWidget.cpp:234
#32 0x080aacc3 in KIPIPhotoLayoutsEditor::ToolsDockWidget::~ToolsDockWidget (this=0x92153a0, __in_chrg=<optimized out>) at /usr/src/debug/digikam-2.2.0/extra/kipi-plugins/photolayoutseditor/widgets/tools/ToolsDockWidget.cpp:238
#33 0x02219e52 in QObjectPrivate::deleteChildren() () from /usr/lib/libQtCore.so.4
#34 0x0672132c in QWidget::~QWidget() () from /usr/lib/libQtGui.so.4
#35 0x06b5af20 in QMainWindow::~QMainWindow() () from /usr/lib/libQtGui.so.4
#36 0x01124a69 in KMainWindow::~KMainWindow() () from /usr/lib/libkdeui.so.5
#37 0x0116ec4d in KXmlGuiWindow::~KXmlGuiWindow() () from /usr/lib/libkdeui.so.5
#38 0x0806c234 in KIPIPhotoLayoutsEditor::PhotoLayoutsEditor::~PhotoLayoutsEditor (this=0x9186ec0, __in_chrg=<optimized out>, __vtt_parm=<optimized out>) at /usr/src/debug/digikam-2.2.0/extra/kipi-plugins/photolayoutseditor/plugin/photolayoutseditor.cpp:151
#39 0x0806c313 in KIPIPhotoLayoutsEditor::PhotoLayoutsEditor::~PhotoLayoutsEditor (this=0x9186ec0, __in_chrg=<optimized out>, __vtt_parm=<optimized out>) at /usr/src/debug/digikam-2.2.0/extra/kipi-plugins/photolayoutseditor/plugin/photolayoutseditor.cpp:163
#40 0x02219c04 in qDeleteInEventHandler(QObject*) () from /usr/lib/libQtCore.so.4
#41 0x02220d98 in QObject::event(QEvent*) () from /usr/lib/libQtCore.so.4
#42 0x067270b2 in QWidget::event(QEvent*) () from /usr/lib/libQtGui.so.4
#43 0x06b5d304 in QMainWindow::event(QEvent*) () from /usr/lib/libQtGui.so.4
#44 0x01125554 in KMainWindow::event(QEvent*) () from /usr/lib/libkdeui.so.5
#45 0x0116e7a3 in KXmlGuiWindow::event(QEvent*) () from /usr/lib/libkdeui.so.5
#46 0x066cc6d4 in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/lib/libQtGui.so.4
#47 0x066d1c1b in QApplication::notify(QObject*, QEvent*) () from /usr/lib/libQtGui.so.4
#48 0x01046752 in KApplication::notify(QObject*, QEvent*) () from /usr/lib/libkdeui.so.5
#49 0x02205f4e in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /usr/lib/libQtCore.so.4
#50 0x02209ea8 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () from /usr/lib/libQtCore.so.4
#51 0x0220a1dd in QCoreApplication::sendPostedEvents(QObject*, int) () from /usr/lib/libQtCore.so.4
#52 0x022387f5 in ?? () from /usr/lib/libQtCore.so.4
#53 0x0133a60f in g_main_context_dispatch () from /lib/libglib-2.0.so.0
#54 0x0133ad50 in ?? () from /lib/libglib-2.0.so.0
#55 0x0133afff in g_main_context_iteration () from /lib/libglib-2.0.so.0
#56 0x02238bf8 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/libQtCore.so.4
#57 0x06780b5b in ?? () from /usr/lib/libQtGui.so.4
#58 0x02204e3e in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/libQtCore.so.4
#59 0x022050e9 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/libQtCore.so.4
#60 0x0220a28b in QCoreApplication::exec() () from /usr/lib/libQtCore.so.4
#61 0x066ca4d5 in QApplication::exec() () from /usr/lib/libQtGui.so.4
#62 0x08068f99 in main (argc=1, argv=0xbfebe024) at /usr/src/debug/digikam-2.2.0/extra/kipi-plugins/photolayoutseditor/plugin/main.cpp:68
Comment 1 nucleo 2011-10-04 21:22:57 UTC 
Created attachment 64216 [details]
output of "valgrind photolayoutseditor"
Comment 2 Kevin Kofler 2011-10-04 21:33:04 UTC 
So the source of the crash appears to be this use-after-free bug:

==1363== Invalid read of size 4
==1363==    at 0x809C41F: KIPIPhotoLayoutsEditor::AbstractPhoto::refresh() (AbstractPhoto.cpp:515)
==1363==    by 0x80BB797: KIPIPhotoLayoutsEditor::PhotoEffectsGroup::emitEffectsChanged(KIPIPhotoLayoutsEditor::AbstractPhotoEffectInterface*) (PhotoEffectsGroup.cpp:369)
==1363==    by 0x80BC145: KIPIPhotoLayoutsEditor::PhotoEffectsGroup::removeRows(int, int, QModelIndex const&) (PhotoEffectsGroup.cpp:360)
==1363==    by 0x80E9933: KIPIPhotoLayoutsEditor::AbstractItemsListViewTool::chooserCancelled() (qabstractitemmodel.h:319)
==1363==    by 0xFFFFFFFE: ???
==1363==  Address 0x7ba34a0 is 16 bytes inside a block of size 48 free'd
==1363==    at 0x4029B7D: operator delete(void*) (vg_replace_malloc.c:387)
==1363==    by 0x80A193A: KIPIPhotoLayoutsEditor::PhotoItem::~PhotoItem() (PhotoItem.cpp:198)
==1363==    by 0x535C8E4: QGraphicsScene::clear() (in /usr/lib/libQtGui.so.4.8.0)
==1363==    by 0x535C95F: QGraphicsScene::~QGraphicsScene() (in /usr/lib/libQtGui.so.4.8.0)
==1363==    by 0x8082C63: KIPIPhotoLayoutsEditor::Scene::~Scene() (Scene.cpp:528)
==1363==    by 0x8082CB2: KIPIPhotoLayoutsEditor::Scene::~Scene() (Scene.cpp:531)
==1363==    by 0x5B01E51: QObjectPrivate::deleteChildren() (in /usr/lib/libQtCore.so.4.8.0)
==1363==    by 0x4D0E32B: QWidget::~QWidget() (in /usr/lib/libQtGui.so.4.8.0)
==1363==    by 0x512C14F: QFrame::~QFrame() (in /usr/lib/libQtGui.so.4.8.0)
==1363==    by 0x51BFF34: QAbstractScrollArea::~QAbstractScrollArea() (in /usr/lib/libQtGui.so.4.8.0)
==1363==    by 0x5392FF5: QGraphicsView::~QGraphicsView() (in /usr/lib/libQtGui.so.4.8.0)
==1363==    by 0x8075DE5: KIPIPhotoLayoutsEditor::Canvas::~Canvas() (Canvas.cpp:78)

Valgrind continues execution from there because it keeps freed blocks reserved so it can track use-after-free bugs, and thus the access doesn't cause a segfault right away, and the code hits a NULL pointer dereference later. But outside of Valgrind, the above is the fatal bug.
Comment 3 Łukasz Spas 2011-10-16 13:32:44 UTC 
Git commit c7518fe3a8fc6f005125a8c496a9334e5f08a02d by Łukasz Spas.
Committed on 16/10/2011 at 15:32.
Pushed by lukaszspas into branch 'master'.

BUG: 283321

M  +1    -1    CMakeLists.txt

http://commits.kde.org/kipi-plugins/c7518fe3a8fc6f005125a8c496a9334e5f08a02d
Comment 4 nucleo 2011-10-16 16:30:10 UTC 
(In reply to comment #3)
> Git commit c7518fe3a8fc6f005125a8c496a9334e5f08a02d by Łukasz Spas.
> Committed on 16/10/2011 at 15:32.
> Pushed by lukaszspas into branch 'master'.
> 
> BUG: 283321
> 
> M  +1    -1    CMakeLists.txt
> 
> http://commits.kde.org/kipi-plugins/c7518fe3a8fc6f005125a8c496a9334e5f08a02d

So where is actual fix of this bug at link above or this one:

http://quickgit.kde.org/?p=kipi-plugins.git&a=commit&h=2b5ed81d9d378f439f51f4319d62ef69fd8c40e7
Comment 5 Łukasz Spas 2011-10-16 16:39:57 UTC 
definitely this is the fix:
http://quickgit.kde.org/?p=kipi-plugins.git&a=commit&h=2b5ed81d9d378f439f51f4319d62ef69fd8c40e7

The second one was my mistake which turns off some parts of kipiplugins (for compilation & testing speed):
http://commits.kde.org/kipi-plugins/c7518fe3a8fc6f005125a8c496a9334e5f08a02d

Sorry for this misunderstanding.