Bug 288591

Summary: Dolphin crash on tag or comment edit [ QApplication::x11ProcessEvent ]
Product: [Unmaintained] nepomuk
Reporter: nightwing666
Component: widgets - TagWidget
Assignee: Nepomuk Bugs Coordination <nepomuk-bugs>
Status: RESOLVED FIXED
Severity: crash
CC: frank78ac, kyledevans
Priority: NOR
Version: git master
Target Milestone: ---
Platform: Ubuntu
OS: Linux
Version Fixed In: 4.11.2

Description nightwing666 2011-12-09 20:20:30 UTC
Application: dolphin (1.7)
KDE Platform Version: 4.7.3 (4.7.3)
Qt Version: 4.7.4
Operating System: Linux 3.0.0-14-generic i686
Distribution: Ubuntu 11.10

-- Information about the crash:
- What I was doing when the application crashed:
Open dolphin
Try to add tag or comment
It crashed!
Setting rating works well.

-- Backtrace:
Application: Dolphin (dolphin), signal: Segmentation fault
[Current thread is 1 (Thread 0xb78a4710 (LWP 2079))]

Thread 3 (Thread 0xb6966b70 (LWP 2080)):
#0  0x00b8e416 in __kernel_vsyscall ()
#1  0x0032a40e in poll () from /lib/i386-linux-gnu/libc.so.6
#2  0x0900e34b in g_poll () from /lib/i386-linux-gnu/libglib-2.0.so.0
#3  0x08fff896 in ?? () from /lib/i386-linux-gnu/libglib-2.0.so.0
#4  0x08fffc2a in g_main_context_iteration () from /lib/i386-linux-gnu/libglib-2.0.so.0
#5  0x03c67b37 in QEventDispatcherGlib::processEvents (this=0x9d09810, flags=...) at kernel/qeventdispatcher_glib.cpp:424
#6  0x03c381dd in QEventLoop::processEvents (this=0xb69662b0, flags=...) at kernel/qeventloop.cpp:149
#7  0x03c38421 in QEventLoop::exec (this=0xb69662b0, flags=...) at kernel/qeventloop.cpp:201
#8  0x03b3b90b in QThread::exec (this=0x9d07390) at thread/qthread.cpp:498
#9  0x03c18e2d in QInotifyFileSystemWatcherEngine::run (this=0x9d07390) at io/qfilesystemwatcher_inotify.cpp:248
#10 0x03b3e7b3 in QThreadPrivate::start (arg=0x9d07390) at thread/qthread_unix.cpp:331
#11 0x00971d31 in start_thread () from /lib/i386-linux-gnu/libpthread.so.0
#12 0x003390ce in clone () from /lib/i386-linux-gnu/libc.so.6
Backtrace stopped: Not enough registers or memory available to unwind further

Thread 2 (Thread 0xb4b1fb70 (LWP 2082)):
#0  0x0082ed10 in clock_gettime () from /lib/i386-linux-gnu/librt.so.1
#1  0x03b957d5 in do_gettime (frac=0xb4b1f020, sec=0xb4b1f018) at tools/qelapsedtimer_unix.cpp:123
#2  qt_gettime () at tools/qelapsedtimer_unix.cpp:140
#3  0x03c684b6 in QTimerInfoList::updateCurrentTime (this=0xa0ccfc4) at kernel/qeventdispatcher_unix.cpp:339
#4  0x03c6880a in QTimerInfoList::timerWait (this=0xa0ccfc4, tm=...) at kernel/qeventdispatcher_unix.cpp:442
#5  0x03c67053 in timerSourcePrepareHelper (src=<optimized out>, timeout=0xb4b1f12c) at kernel/qeventdispatcher_glib.cpp:136
#6  0x03c670ed in timerSourcePrepare (source=0xa0ccf90, timeout=<optimized out>) at kernel/qeventdispatcher_glib.cpp:169
#7  0x08ffe88c in g_main_context_prepare () from /lib/i386-linux-gnu/libglib-2.0.so.0
#8  0x08fff637 in ?? () from /lib/i386-linux-gnu/libglib-2.0.so.0
#9  0x08fffc2a in g_main_context_iteration () from /lib/i386-linux-gnu/libglib-2.0.so.0
#10 0x03c67b37 in QEventDispatcherGlib::processEvents (this=0x9fe5520, flags=...) at kernel/qeventdispatcher_glib.cpp:424
#11 0x03c381dd in QEventLoop::processEvents (this=0xb4b1f2b0, flags=...) at kernel/qeventloop.cpp:149
#12 0x03c38421 in QEventLoop::exec (this=0xb4b1f2b0, flags=...) at kernel/qeventloop.cpp:201
#13 0x03b3b90b in QThread::exec (this=0xa03a150) at thread/qthread.cpp:498
#14 0x03c18e2d in QInotifyFileSystemWatcherEngine::run (this=0xa03a150) at io/qfilesystemwatcher_inotify.cpp:248
#15 0x03b3e7b3 in QThreadPrivate::start (arg=0xa03a150) at thread/qthread_unix.cpp:331
#16 0x00971d31 in start_thread () from /lib/i386-linux-gnu/libpthread.so.0
#17 0x003390ce in clone () from /lib/i386-linux-gnu/libc.so.6
Backtrace stopped: Not enough registers or memory available to unwind further

Thread 1 (Thread 0xb78a4710 (LWP 2079)):
[KCrash Handler]
#7  QApplication::x11ProcessEvent (this=0xbffb98d4, event=0xbffb953c) at kernel/qapplication_x11.cpp:3679
#8  0x04b2624c in x11EventSourceDispatch (s=0x9bcb2e8, callback=0, user_data=0x0) at kernel/qguieventdispatcher_glib.cpp:146
#9  0x08fff25f in g_main_context_dispatch () from /lib/i386-linux-gnu/libglib-2.0.so.0
#10 0x08fff990 in ?? () from /lib/i386-linux-gnu/libglib-2.0.so.0
#11 0x08fffc2a in g_main_context_iteration () from /lib/i386-linux-gnu/libglib-2.0.so.0
#12 0x03c67ada in QEventDispatcherGlib::processEvents (this=0x9bb0bb0, flags=...) at kernel/qeventdispatcher_glib.cpp:422
#13 0x04b25e3a in QGuiEventDispatcherGlib::processEvents (this=0x9bb0bb0, flags=...) at kernel/qguieventdispatcher_glib.cpp:204
#14 0x03c381dd in QEventLoop::processEvents (this=0xbffb9844, flags=...) at kernel/qeventloop.cpp:149
#15 0x03c38421 in QEventLoop::exec (this=0xbffb9844, flags=...) at kernel/qeventloop.cpp:201
#16 0x03c3d19d in QCoreApplication::exec () at kernel/qcoreapplication.cpp:1064
#17 0x04a6b8f4 in QApplication::exec () at kernel/qapplication.cpp:3760
#18 0x006fb433 in kdemain () from /usr/lib/kde4/libkdeinit/libkdeinit4_dolphin.so
#19 0x0804850b in ?? ()
#20 0x00280113 in __libc_start_main () from /lib/i386-linux-gnu/libc.so.6
#21 0x08048531 in _start ()

This bug may be a duplicate of or related to bug 286401.

Possible duplicates by query: bug 288397, bug 288396, bug 288393, bug 288358, bug 288321.

Reported using DrKonqi
Comment 1 Kyle Evans 2012-07-01 00:05:15 UTC
I'll confirm that dolphin crashes when trying to tag.  I believe I've found out how to reproduce it:

1) Select large (or a lot of) files.
2) Try to tag (or rate, or comment) before the information pane has a chance to update the number of items selected or the size.

Currently tagging crashes dolphin.  Ratings will go away once the information pane has updated.  Adding a comment will simply make the edit comment dialog vanish (no crash).

This happens to me on Fedora 17 (KDE 4.8.4) and whatever version of openSUSE comes with the KDE Plasma Daily virtual machine image (http://susestudio.com/a/tAWYe6/kde-plasma-daily) from June 20th 2012.
Comment 2 Jeroen van Meeuwen (Kolab Systems) 2012-08-24 16:19:36 UTC
Resetting assignee to default as per bug #305719
Comment 3 Frank Reininghaus 2013-05-12 20:50:20 UTC
Can you still reproduce this crash in more recent versions?
Comment 4 Kyle Evans 2013-06-13 00:52:57 UTC
I just tried it again on my Fedora 18 system and it still crashes.  Though my system is still on KDE SC 4.9.5.  I'll update to 4.10 tonight but it'll take a while to download all of the updates.

I looked into the code a while ago to find the problem and I'm about 90% certain I've found the cause.  Unfortunately I don't have the source code downloaded anymore to point out the exact files in question.  However the problem is in KDE libs in the information widget.

Each time a user selects files / folders there is a delay while the system fetches the information from disc for the selection.  If you click on one of those links (outlined in my previous comment) during this scanning period then the system will still be holding a list of pointers for the objects from your previous selection.  However those objects are deleted as soon as the system finishes scanning the new selection. At this point there are dangling pointers to the elements that were previously selected.

A little more on reproducing this:

1)  Create a bunch of large files (large enough that they will slow down the information widget when it scans your current selection).  I had 20 GiB of garbage files, but it seems recent performance improvements might make this harder to reproduce.

2)  Don't select anything in the folder.

3)  Hover your mouse over the "Add Tags..." link in the information panel.

4)  Press CTRL + A

5)  Immediately click on "Add Tags..."

6)  Crash.

I hope my explanation on what I believe is going on made sense.  But again I'm fairly certain this is an issue of deleting pointers that are still in use.
Comment 5 Christoph Feck 2013-06-24 10:50:25 UTC
I could not reproduce a crash using the steps from comment #4 on today's master. Can you confirm it is fixed in KDE 4.10.x?
Comment 6 Kyle Evans 2013-06-26 12:46:42 UTC
This still happens on 4.10.4.  The key is to click on "Add Tags..." after selecting items but before the information panel is updated.
Comment 7 Frank Reininghaus 2013-06-26 19:46:56 UTC
Thanks for the update. I can reproduce in current master. The Valgrind log looks like it might be a Nepomuk issue.

==20490== Invalid read of size 8
==20490==    at 0x86C02A4: QWidget::internalWinId() const (qwidget.h:241)
==20490==    by 0x875A43E: QApplication::x11ProcessEvent(_XEvent*) (qapplication_x11.cpp:3614)
==20490==    by 0x879473F: x11EventSourceDispatch(_GSource*, int (*)(void*), void*) (qguieventdispatcher_glib.cpp:146)
==20490==    by 0xF5CC7D4: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3400.3)
==20490==    by 0xF5CCB07: ??? (in /usr/lib64/libglib-2.0.so.0.3400.3)
==20490==    by 0xF5CCBC3: g_main_context_iteration (in /usr/lib64/libglib-2.0.so.0.3400.3)
==20490==    by 0xA39DDC2: QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventdispatcher_glib.cpp:424)
==20490==    by 0x8794ADF: QGuiEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qguieventdispatcher_glib.cpp:204)
==20490==    by 0xA35F06B: QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventloop.cpp:149)
==20490==    by 0xA35F1F5: QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (qeventloop.cpp:204)
==20490==    by 0xA3621B1: QCoreApplication::exec() (qcoreapplication.cpp:1187)
==20490==    by 0x86BA73D: QApplication::exec() (qapplication.cpp:3812)
==20490==  Address 0x1fc01a30 is 32 bytes inside a block of size 48 free'd
==20490==    at 0x4C2AA9C: operator delete(void*) (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==20490==    by 0x637FEDF: Nepomuk2::TagWidget::~TagWidget() (tagwidget.cpp:288)
==20490==    by 0x6387C02: Nepomuk2::FileMetaDataWidget::Private::deleteRows() (filemetadatawidget.cpp:122)
==20490==    by 0x6387CAF: Nepomuk2::FileMetaDataWidget::Private::slotLoadingFinished() (filemetadatawidget.cpp:130)
==20490==    by 0x6389093: Nepomuk2::FileMetaDataWidget::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) (filemetadatawidget.moc:66)
==20490==    by 0xA37FEF9: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qobject.cpp:3547)
==20490==    by 0x638E28A: Nepomuk2::FileMetaDataProvider::loadingFinished() (filemetadataprovider_p.moc:109)
==20490==    by 0x638C656: Nepomuk2::FileMetaDataProvider::Private::insertBasicData() (filemetadataprovider.cpp:300)
==20490==    by 0x638E163: Nepomuk2::FileMetaDataProvider::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) (filemetadataprovider_p.moc:61)
==20490==    by 0xA379876: QMetaCallEvent::placeMetaCall(QObject*) (qobject.cpp:525)
==20490==    by 0xA37AAFC: QObject::event(QEvent*) (qobject.cpp:1195)
==20490==    by 0x86BD517: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:4551)
==20490== 
==20490== Invalid read of size 8
==20490==    at 0x86C02A8: QWidget::internalWinId() const (qwidget.h:241)
==20490==    by 0x875A43E: QApplication::x11ProcessEvent(_XEvent*) (qapplication_x11.cpp:3614)
==20490==    by 0x879473F: x11EventSourceDispatch(_GSource*, int (*)(void*), void*) (qguieventdispatcher_glib.cpp:146)
==20490==    by 0xF5CC7D4: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3400.3)
==20490==    by 0xF5CCB07: ??? (in /usr/lib64/libglib-2.0.so.0.3400.3)
==20490==    by 0xF5CCBC3: g_main_context_iteration (in /usr/lib64/libglib-2.0.so.0.3400.3)
==20490==    by 0xA39DDC2: QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventdispatcher_glib.cpp:424)
==20490==    by 0x8794ADF: QGuiEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qguieventdispatcher_glib.cpp:204)
==20490==    by 0xA35F06B: QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventloop.cpp:149)
==20490==    by 0xA35F1F5: QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (qeventloop.cpp:204)
==20490==    by 0xA3621B1: QCoreApplication::exec() (qcoreapplication.cpp:1187)
==20490==    by 0x86BA73D: QApplication::exec() (qapplication.cpp:3812)
==20490==  Address 0x1fc01bc8 is 328 bytes inside a block of size 496 free'd
==20490==    at 0x4C2AA9C: operator delete(void*) (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==20490==    by 0x870DB11: QWidgetPrivate::~QWidgetPrivate() (qwidget.cpp:362)
==20490==    by 0xA322817: QScopedPointerDeleter<QObjectData>::cleanup(QObjectData*) (qscopedpointer.h:62)
==20490==    by 0xA382944: QScopedPointer<QObjectData, QScopedPointerDeleter<QObjectData> >::~QScopedPointer() (qscopedpointer.h:100)
==20490==    by 0xA37A54B: QObject::~QObject() (qobject.cpp:817)
==20490==    by 0x87100D7: QWidget::~QWidget() (qwidget.cpp:1552)
==20490==    by 0x637FE98: Nepomuk2::TagWidget::~TagWidget() (tagwidget.cpp:285)
==20490==    by 0x637FED3: Nepomuk2::TagWidget::~TagWidget() (tagwidget.cpp:288)
==20490==    by 0x6387C02: Nepomuk2::FileMetaDataWidget::Private::deleteRows() (filemetadatawidget.cpp:122)
==20490==    by 0x6387CAF: Nepomuk2::FileMetaDataWidget::Private::slotLoadingFinished() (filemetadatawidget.cpp:130)
==20490==    by 0x6389093: Nepomuk2::FileMetaDataWidget::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) (filemetadatawidget.moc:66)
==20490==    by 0xA37FEF9: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qobject.cpp:3547)
==20490== 
==20490== Invalid read of size 8
==20490==    at 0x86AE3DE: QScopedPointer<QObjectData, QScopedPointerDeleter<QObjectData> >::operator->() const (qscopedpointer.h:112)
==20490==    by 0x86AE1AB: QObject::parent() const (qobject.h:273)
==20490==    by 0x86C0445: QWidget::parentWidget() const (qwidget.h:1033)
==20490==    by 0x8716A89: QWidget::window() const (qwidget.cpp:4343)
==20490==    by 0x86B83EA: QApplicationPrivate::dispatchEnterLeave(QWidget*, QWidget*) (qapplication.cpp:2745)
==20490==    by 0x875A48E: QApplication::x11ProcessEvent(_XEvent*) (qapplication_x11.cpp:3621)
==20490==    by 0x879473F: x11EventSourceDispatch(_GSource*, int (*)(void*), void*) (qguieventdispatcher_glib.cpp:146)
==20490==    by 0xF5CC7D4: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3400.3)
==20490==    by 0xF5CCB07: ??? (in /usr/lib64/libglib-2.0.so.0.3400.3)
==20490==    by 0xF5CCBC3: g_main_context_iteration (in /usr/lib64/libglib-2.0.so.0.3400.3)
==20490==    by 0xA39DDC2: QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventdispatcher_glib.cpp:424)
==20490==    by 0x8794ADF: QGuiEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qguieventdispatcher_glib.cpp:204)
==20490==  Address 0x1fc01a18 is 8 bytes inside a block of size 48 free'd
==20490==    at 0x4C2AA9C: operator delete(void*) (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==20490==    by 0x637FEDF: Nepomuk2::TagWidget::~TagWidget() (tagwidget.cpp:288)
==20490==    by 0x6387C02: Nepomuk2::FileMetaDataWidget::Private::deleteRows() (filemetadatawidget.cpp:122)
==20490==    by 0x6387CAF: Nepomuk2::FileMetaDataWidget::Private::slotLoadingFinished() (filemetadatawidget.cpp:130)
==20490==    by 0x6389093: Nepomuk2::FileMetaDataWidget::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) (filemetadatawidget.moc:66)
==20490==    by 0xA37FEF9: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qobject.cpp:3547)
==20490==    by 0x638E28A: Nepomuk2::FileMetaDataProvider::loadingFinished() (filemetadataprovider_p.moc:109)
==20490==    by 0x638C656: Nepomuk2::FileMetaDataProvider::Private::insertBasicData() (filemetadataprovider.cpp:300)
==20490==    by 0x638E163: Nepomuk2::FileMetaDataProvider::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) (filemetadataprovider_p.moc:61)
==20490==    by 0xA379876: QMetaCallEvent::placeMetaCall(QObject*) (qobject.cpp:525)
==20490==    by 0xA37AAFC: QObject::event(QEvent*) (qobject.cpp:1195)
==20490==    by 0x86BD517: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:4551)
==20490== 
ASSERT: "d" in file ../../include/QtCore/../../src/corelib/tools/qscopedpointer.h, line 112
KCrash: crashing... crashRecursionCounter = 2
KCrash: Application Name = dolphin path = /home/kde-devel/kde/bin pid = 20490
KCrash: Arguments: /home/kde-devel/kde/bin/dolphin --nocrashhandler 
KCrash: Attempting to start /home/kde-devel/kde/lib/kde4/libexec/drkonqi from kdeinit
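
How a Memcheck log like the one in comment 7 can be reduced to the code that freed the block, as an added example that is not part of the bug report or of the Nepomuk sources: it pairs each "Invalid read" with its "free'd" stack and reports the caller of the outermost destructor. `SAMPLE` holds two reports abridged from the log above; the function names and the destructor heuristic are assumptions of this example.

```python
import re
from collections import Counter

ERROR = re.compile(r"==\d+== (Invalid (?:read|write) of size \d+)")
BLOCK = re.compile(r"==\d+==\s+Address 0x[0-9A-Fa-f]+ is (\d+) bytes inside a block of size (\d+) free'd")
FRAME = re.compile(r"==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (.+) \(([^()]*)\)")

def parse_memcheck(log):
    """Split Memcheck output into reports with separate access and free stacks."""
    reports, cur, stack = [], None, None
    for line in map(str.strip, log.splitlines()):
        if m := ERROR.fullmatch(line):
            cur = {"kind": m[1], "access": [], "freed": [], "block": None}
            reports.append(cur)
            stack = cur["access"]                   # frames of the invalid access
        elif cur and (m := BLOCK.fullmatch(line)):
            cur["block"] = (int(m[1]), int(m[2]))   # (offset, block size)
            stack = cur["freed"]                    # frames after this: who freed it
        elif cur and (m := FRAME.fullmatch(line)):
            stack.append((m[1], m[2]))              # (function, location)
        else:
            cur = None                              # anything else ends the report
    return reports

def free_site(report):
    """Heuristic: the caller of the outermost destructor in the free stack."""
    frames = report["freed"]
    dtors = [i for i, (func, _) in enumerate(frames) if "::~" in func]
    return frames[dtors[-1] + 1] if dtors and dtors[-1] + 1 < len(frames) else None

def triage(log):  # count use-after-free reports per location that freed the block
    return Counter(free_site(r) for r in parse_memcheck(log) if r["block"])

# Sample input: two reports abridged from the log in comment 7 (frames trimmed).
SAMPLE = """\
==20490== Invalid read of size 8
==20490==    at 0x86C02A4: QWidget::internalWinId() const (qwidget.h:241)
==20490==  Address 0x1fc01a30 is 32 bytes inside a block of size 48 free'd
==20490==    at 0x4C2AA9C: operator delete(void*) (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==20490==    by 0x637FEDF: Nepomuk2::TagWidget::~TagWidget() (tagwidget.cpp:288)
==20490==    by 0x6387C02: Nepomuk2::FileMetaDataWidget::Private::deleteRows() (filemetadatawidget.cpp:122)
==20490== Invalid read of size 8
==20490==    at 0x86C02A8: QWidget::internalWinId() const (qwidget.h:241)
==20490==  Address 0x1fc01bc8 is 328 bytes inside a block of size 496 free'd
==20490==    at 0x4C2AA9C: operator delete(void*) (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==20490==    by 0x87100D7: QWidget::~QWidget() (qwidget.cpp:1552)
==20490==    by 0x637FED3: Nepomuk2::TagWidget::~TagWidget() (tagwidget.cpp:288)
==20490==    by 0x6387C02: Nepomuk2::FileMetaDataWidget::Private::deleteRows() (filemetadatawidget.cpp:122)
"""
```

Both sample reports resolve to `deleteRows()` in `filemetadatawidget.cpp`, the file the fix in comment 8 touches.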
Comment 8 Simeon Bird 2013-09-11 05:53:38 UTC
Git commit 7aea36dd860938db4a928a81503f33017a3ad272 by Simeon Bird.
Committed on 11/09/2013 at 05:48.
Pushed by sbird into branch 'master'.

Fix crash if you clicked "add tag" too fast, due to the widget getting
deleted from under you. Fixed by using deleteLater().

I could only reproduce this under valgrind - everything else was faster
than I could click.
FIXED-IN: 4.11.2

M  +1    -1    ui/filemetadatawidget.cpp

http://commits.kde.org/nepomuk-widgets/7aea36dd860938db4a928a81503f33017a3ad272