Bug 313759

Summary: Kate crashes when repeatedly triggering scripting functions (move up and down)
Product: [Applications] kate Reporter: Gerald Senarclens de Grancy <oss>
Component: general Assignee: KWrite Developers <kwrite-bugs-null>
Status: RESOLVED FIXED    
Severity: crash CC: christoph, crissi99, forest, marek.omelka, michel.ludwig, oss, sbaynes, smpl90s, spamer
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: Ubuntu   
OS: Linux   
Latest Commit: Version Fixed In: 4.10.2
Sentry Crash Report:
Attachments: New crash information added by DrKonqi
output of running valgrind against the test
valgrind output including Christoph's fixes up to now

Description Gerald Senarclens de Grancy 2013-01-23 13:17:04 UTC
Application: kate (3.9.5)
KDE Platform Version: 4.9.5
Qt Version: 4.8.3
Operating System: Linux 3.5.0-22-generic x86_64
Distribution: Ubuntu 12.10

-- Information about the crash:
- What I was doing when the application crashed:

repeatedly used the 'move line up' function provided by the scripting interface (placed the cursor in the middle of a line and repeatedly hit Ctrl+Shift+Up)

The crash can be reproduced some of the time.

-- Backtrace:
Application: Kate (kate), signal: Segmentation fault
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[Current thread is 1 (Thread 0x7f87e6883780 (LWP 4662))]

Thread 4 (Thread 0x7f87cf6ca700 (LWP 4665)):
#0  0x00007f87e616c303 in __GI___poll (fds=<optimized out>, nfds=<optimized out>, timeout=<optimized out>) at ../sysdeps/unix/sysv/linux/poll.c:87
#1  0x00007f87e32ead84 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#2  0x00007f87e32eaea4 in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#3  0x00007f87e40b2c16 in QEventDispatcherGlib::processEvents (this=0x7f87c80008c0, flags=...) at kernel/qeventdispatcher_glib.cpp:426
#4  0x00007f87e40832bf in QEventLoop::processEvents (this=this@entry=0x7f87cf6c9dd0, flags=...) at kernel/qeventloop.cpp:149
#5  0x00007f87e4083548 in QEventLoop::exec (this=0x7f87cf6c9dd0, flags=...) at kernel/qeventloop.cpp:204
#6  0x00007f87e3f84b10 in QThread::exec (this=<optimized out>) at thread/qthread.cpp:501
#7  0x00007f87e40639af in QInotifyFileSystemWatcherEngine::run (this=0x246d980) at io/qfilesystemwatcher_inotify.cpp:248
#8  0x00007f87e3f87aec in QThreadPrivate::start (arg=0x246d980) at thread/qthread_unix.cpp:338
#9  0x00007f87e37b9e9a in start_thread (arg=0x7f87cf6ca700) at pthread_create.c:308
#10 0x00007f87e6177cbd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#11 0x0000000000000000 in ?? ()

Thread 3 (Thread 0x7f87cedd9700 (LWP 4666)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:162
#1  0x00007f87d4109cd7 in ?? () from /usr/lib/x86_64-linux-gnu/libQtScript.so.4
#2  0x00007f87d4109d09 in ?? () from /usr/lib/x86_64-linux-gnu/libQtScript.so.4
#3  0x00007f87e37b9e9a in start_thread (arg=0x7f87cedd9700) at pthread_create.c:308
#4  0x00007f87e6177cbd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#5  0x0000000000000000 in ?? ()

Thread 2 (Thread 0x7f87cd3d7700 (LWP 4675)):
#0  0x00007f87e616a8bd in read () at ../sysdeps/unix/syscall-template.S:82
#1  0x00007f87e332715f in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#2  0x00007f87e32ea914 in g_main_context_check () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#3  0x00007f87e32ead22 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#4  0x00007f87e32eaea4 in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#5  0x00007f87e40b2c16 in QEventDispatcherGlib::processEvents (this=0x7f87c00008c0, flags=...) at kernel/qeventdispatcher_glib.cpp:426
#6  0x00007f87e40832bf in QEventLoop::processEvents (this=this@entry=0x7f87cd3d6dd0, flags=...) at kernel/qeventloop.cpp:149
#7  0x00007f87e4083548 in QEventLoop::exec (this=0x7f87cd3d6dd0, flags=...) at kernel/qeventloop.cpp:204
#8  0x00007f87e3f84b10 in QThread::exec (this=<optimized out>) at thread/qthread.cpp:501
#9  0x00007f87e40639af in QInotifyFileSystemWatcherEngine::run (this=0x1e94f20) at io/qfilesystemwatcher_inotify.cpp:248
#10 0x00007f87e3f87aec in QThreadPrivate::start (arg=0x1e94f20) at thread/qthread_unix.cpp:338
#11 0x00007f87e37b9e9a in start_thread (arg=0x7f87cd3d7700) at pthread_create.c:308
#12 0x00007f87e6177cbd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#13 0x0000000000000000 in ?? ()

Thread 1 (Thread 0x7f87e6883780 (LWP 4662)):
[KCrash Handler]
#6  0x00000000000000ea in ?? ()
#7  0x00007f87d46eec7e in Kate::TextBuffer::rangesForLine (this=<optimized out>, line=48, view=0x2666bd0, rangesWithAttributeOnly=false) at ../../part/buffer/katetextbuffer.cpp:820
#8  0x00007f87d47c41b1 in KateView::updateRangesIn (this=0x2666bd0, activationType=activationType@entry=KTextEditor::Attribute::ActivateMouseIn) at ../../part/view/kateview.cpp:2845
#9  0x00007f87d47c4747 in KateView::slotDelayedUpdateOfView (this=0x2666bd0) at ../../part/view/kateview.cpp:2810
#10 0x00007f87e409943e in QObject::event (this=0x2666bd0, e=<optimized out>) at kernel/qobject.cpp:1195
#11 0x00007f87e55f30da in QWidget::event (this=0x2666bd0, event=0x28abcd0) at kernel/qwidget.cpp:8830
#12 0x00007f87e55a3e9c in QApplicationPrivate::notify_helper (this=this@entry=0x171f570, receiver=receiver@entry=0x2666bd0, e=e@entry=0x28abcd0) at kernel/qapplication.cpp:4562
#13 0x00007f87e55a830a in QApplication::notify (this=0x7fff6c8cbe00, receiver=0x2666bd0, e=0x28abcd0) at kernel/qapplication.cpp:4423
#14 0x00007f87e48801f6 in KApplication::notify (this=0x7fff6c8cbe00, receiver=0x2666bd0, event=0x28abcd0) at ../../kdeui/kernel/kapplication.cpp:311
#15 0x00007f87e408456e in QCoreApplication::notifyInternal (this=0x7fff6c8cbe00, receiver=receiver@entry=0x2666bd0, event=event@entry=0x28abcd0) at kernel/qcoreapplication.cpp:915
#16 0x00007f87e40883f1 in sendEvent (event=0x28abcd0, receiver=0x2666bd0) at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:231
#17 QCoreApplicationPrivate::sendPostedEvents (receiver=0x0, event_type=0, data=0x16e6670) at kernel/qcoreapplication.cpp:1539
#18 0x00007f87e40b2a63 in sendPostedEvents () at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:236
#19 postEventSourceDispatch (s=0x1721640) at kernel/qeventdispatcher_glib.cpp:279
#20 0x00007f87e32eaab5 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#21 0x00007f87e32eade8 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#22 0x00007f87e32eaea4 in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#23 0x00007f87e40b2bf6 in QEventDispatcherGlib::processEvents (this=0x16e7b30, flags=...) at kernel/qeventdispatcher_glib.cpp:424
#24 0x00007f87e5648c1e in QGuiEventDispatcherGlib::processEvents (this=<optimized out>, flags=...) at kernel/qguieventdispatcher_glib.cpp:204
#25 0x00007f87e40832bf in QEventLoop::processEvents (this=this@entry=0x7fff6c8cb990, flags=...) at kernel/qeventloop.cpp:149
#26 0x00007f87e4083548 in QEventLoop::exec (this=0x7fff6c8cb990, flags=...) at kernel/qeventloop.cpp:204
#27 0x00007f87e4088708 in QCoreApplication::exec () at kernel/qcoreapplication.cpp:1187
#28 0x00007f87e64764bd in kdemain (argc=<optimized out>, argv=0x7fff6c8cbf00) at ../../../kate/app/katemain.cpp:377
#29 0x00007f87e60a576d in __libc_start_main (main=0x400690 <main(int, char**)>, argc=3, ubp_av=0x7fff6c8cbf88, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fff6c8cbf78) at libc-start.c:226
#30 0x00000000004006c1 in _start ()

Possible duplicates by query: bug 282034, bug 279465, bug 276435, bug 273140, bug 269263.

Reported using DrKonqi
Comment 1 Dominik Haumann 2013-01-23 14:20:02 UTC
> The crash can be reproduced some of the time.

@Gerald: Can you be more specific about this? Because this is a bug that exists for a loong time now, and we have no idea how to reproduce. So any hints are welcome. Best would be a reliable way to reproduce.
Comment 2 Gerald Senarclens de Grancy 2013-01-23 16:16:18 UTC
I've been having this bug since I started using the scripted functions. Unfortunately, I've never managed to willingly reproduce it... so I never filed it in the past. Finally, I thought I'd file it as a first step and will try to create a reliable way to reproduce it.
The only thing I noted in the past was that it occurred on multiple executions of a script within very short time. This gave me the fear of a race condition...

As soon as I have additional information I'll add it to this bug.
Comment 3 Gerald Senarclens de Grancy 2013-01-23 16:27:39 UTC
Playing around w/ it now, I could actually reproduce it three times. The following instructions circumvent a regression created by http://commits.kde.org/kate/32da84eea27a461215624cc52da019392a08889e (I'll eventually look into that one as well).

reproduce (almost 100% of the time):
- start kate with a new and empty file
- hit enter once
- type "a"
- press and hold Ctrl+Alt+Down until the document has at least 200 lines
- press and hold Ctrl+Shift+Up to move the last line as far up as possible

expected:
- the last line is moved until the top

actual:
- crash after a series of moves (> 50 on my machine)

note:
with the instructions above I was just able to reproduce the issue 2 out of 3 times; the third time, I simply re-started at the top and held Ctrl+Shift+Down and also got a crash
Comment 4 Gerald Senarclens de Grancy 2013-01-23 16:29:21 UTC
PS: The last stack trace may not be extremely useful, but also gives a hint that it relates to moc_katescriptview.cpp;

PPS: Is there actually a way to edit the description of my own bugs instead of adding more and more comments?

 <snip>
Thread 1 (Thread 0x7f79f4160780 (LWP 7011)):
[KCrash Handler]
#6  0x0000000000000000 in ?? ()
#7  0x00007f79e1fcbc7e in Kate::TextBuffer::rangesForLine (this=<optimized out>, line=65, view=0x1bb86d0, rangesWithAttributeOnly=false) at ../../part/buffer/katetextbuffer.cpp:820
#8  0x00007f79e20a11b1 in KateView::updateRangesIn (this=0x1bb86d0, activationType=KTextEditor::Attribute::ActivateCaretIn) at ../../part/view/kateview.cpp:2845
#9  0x00007f79e20b1972 in KateViewInternal::cursorMoved (this=0x1bc27d0) at ../../part/view/kateviewinternal.cpp:3413
#10 0x00007f79e20b1adf in KateViewInternal::updateCursor (this=0x1bc27d0, newCursor=..., force=<optimized out>, center=<optimized out>, calledExternally=<optimized out>) at ../../part/view/kateviewinternal.cpp:1889
#11 0x00007f79e209b6af in KateView::setCursorPositionInternal (this=0x1bb86d0, position=..., tabwidth=1, calledExternally=<optimized out>) at ../../part/view/kateview.cpp:1158
#12 0x00007f79e204b570 in KateScriptView::setCursorPosition (this=0x1c18a40, cursor=...) at ../../part/script/katescriptview.cpp:56
#13 0x00007f79e1fc6b39 in qt_static_metacall (_a=<optimized out>, _id=<optimized out>, _o=<optimized out>, _c=<optimized out>) at moc_katescriptview.cpp:75
#14 KateScriptView::qt_static_metacall (_o=0x1fc1900, _c=4090599232, _id=33666288, _a=0x7f79f3d19748 <main_arena+8>) at moc_katescriptview.cpp:66
#15 0x00007f79e1fc6ccb in KateScriptView::qt_metacall (this=0x1c18a40, _c=QMetaObject::InvokeMetaMethod, _id=<optimized out>, _a=0x7fff426a70d0) at moc_katescriptview.cpp:130
#16 0x00007f79e1a557d5 in ?? () from /usr/lib/x86_64-linux-gnu/libQtScript.so.4
#17 0x00007f79e1a5712d in ?? () from /usr/lib/x86_64-linux-gnu/libQtScript.so.4
#18 0x00007f79e1a57359 in ?? () from /usr/lib/x86_64-linux-gnu/libQtScript.so.4
#19 0x00007f79e19591d0 in ?? () from /usr/lib/x86_64-linux-gnu/libQtScript.so.4
#20 0x00007f79e19362c6 in ?? () from /usr/lib/x86_64-linux-gnu/libQtScript.so.4
#21 0x00007f79f3d384e8 in ?? ()
#22 0x0000000000000000 in ?? ()
Comment 5 Gerald Senarclens de Grancy 2013-01-23 16:44:22 UTC
And another stack trace:

Application: Kate (kate), signal: Segmentation fault
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[Current thread is 1 (Thread 0x7f4db1bfc780 (LWP 7001))]

Thread 4 (Thread 0x7f4d9aa43700 (LWP 7002)):
#0  0x00007f4db14e38bd in read () at ../sysdeps/unix/syscall-template.S:82
#1  0x00007f4dae6a015f in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#2  0x00007f4dae663914 in g_main_context_check () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#3  0x00007f4dae663d22 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#4  0x00007f4dae663ea4 in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#5  0x00007f4daf42bc16 in QEventDispatcherGlib::processEvents (this=0x7f4d940008c0, flags=...) at kernel/qeventdispatcher_glib.cpp:426
#6  0x00007f4daf3fc2bf in QEventLoop::processEvents (this=this@entry=0x7f4d9aa42dd0, flags=...) at kernel/qeventloop.cpp:149
#7  0x00007f4daf3fc548 in QEventLoop::exec (this=0x7f4d9aa42dd0, flags=...) at kernel/qeventloop.cpp:204
#8  0x00007f4daf2fdb10 in QThread::exec (this=<optimized out>) at thread/qthread.cpp:501
#9  0x00007f4daf3dc9af in QInotifyFileSystemWatcherEngine::run (this=0x28c4b80) at io/qfilesystemwatcher_inotify.cpp:248
#10 0x00007f4daf300aec in QThreadPrivate::start (arg=0x28c4b80) at thread/qthread_unix.cpp:338
#11 0x00007f4daeb32e9a in start_thread (arg=0x7f4d9aa43700) at pthread_create.c:308
#12 0x00007f4db14f0cbd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#13 0x0000000000000000 in ?? ()

Thread 3 (Thread 0x7f4d9a152700 (LWP 7003)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:162
#1  0x00007f4d9f482cd7 in ?? () from /usr/lib/x86_64-linux-gnu/libQtScript.so.4
#2  0x00007f4d9f482d09 in ?? () from /usr/lib/x86_64-linux-gnu/libQtScript.so.4
#3  0x00007f4daeb32e9a in start_thread (arg=0x7f4d9a152700) at pthread_create.c:308
#4  0x00007f4db14f0cbd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#5  0x0000000000000000 in ?? ()

Thread 2 (Thread 0x7f4d93fff700 (LWP 7005)):
#0  0x00007f4db14e5303 in __GI___poll (fds=<optimized out>, nfds=<optimized out>, timeout=<optimized out>) at ../sysdeps/unix/sysv/linux/poll.c:87
#1  0x00007f4dae663d84 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#2  0x00007f4dae663ea4 in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#3  0x00007f4daf42bc16 in QEventDispatcherGlib::processEvents (this=0x7f4d8c0008c0, flags=...) at kernel/qeventdispatcher_glib.cpp:426
#4  0x00007f4daf3fc2bf in QEventLoop::processEvents (this=this@entry=0x7f4d93ffedd0, flags=...) at kernel/qeventloop.cpp:149
#5  0x00007f4daf3fc548 in QEventLoop::exec (this=0x7f4d93ffedd0, flags=...) at kernel/qeventloop.cpp:204
#6  0x00007f4daf2fdb10 in QThread::exec (this=<optimized out>) at thread/qthread.cpp:501
#7  0x00007f4daf3dc9af in QInotifyFileSystemWatcherEngine::run (this=0x2dbeb50) at io/qfilesystemwatcher_inotify.cpp:248
#8  0x00007f4daf300aec in QThreadPrivate::start (arg=0x2dbeb50) at thread/qthread_unix.cpp:338
#9  0x00007f4daeb32e9a in start_thread (arg=0x7f4d93fff700) at pthread_create.c:308
#10 0x00007f4db14f0cbd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#11 0x0000000000000000 in ?? ()

Thread 1 (Thread 0x7f4db1bfc780 (LWP 7001)):
[KCrash Handler]
#6  0x0000000000000000 in ?? ()
#7  0x00007f4d9fa67c7e in Kate::TextBuffer::rangesForLine (this=<optimized out>, line=179, view=0x2abc430, rangesWithAttributeOnly=false) at ../../part/buffer/katetextbuffer.cpp:820
#8  0x00007f4d9fb3d1b1 in KateView::updateRangesIn (this=0x2abc430, activationType=activationType@entry=KTextEditor::Attribute::ActivateMouseIn) at ../../part/view/kateview.cpp:2845
#9  0x00007f4d9fb3d747 in KateView::slotDelayedUpdateOfView (this=0x2abc430) at ../../part/view/kateview.cpp:2810
#10 0x00007f4daf41243e in QObject::event (this=0x2abc430, e=<optimized out>) at kernel/qobject.cpp:1195
#11 0x00007f4db096c0da in QWidget::event (this=0x2abc430, event=0x2ee3740) at kernel/qwidget.cpp:8830
#12 0x00007f4db091ce9c in QApplicationPrivate::notify_helper (this=this@entry=0x1b7cad0, receiver=receiver@entry=0x2abc430, e=e@entry=0x2ee3740) at kernel/qapplication.cpp:4562
#13 0x00007f4db092130a in QApplication::notify (this=0x7ffffd650480, receiver=0x2abc430, e=0x2ee3740) at kernel/qapplication.cpp:4423
#14 0x00007f4dafbf91f6 in KApplication::notify (this=0x7ffffd650480, receiver=0x2abc430, event=0x2ee3740) at ../../kdeui/kernel/kapplication.cpp:311
#15 0x00007f4daf3fd56e in QCoreApplication::notifyInternal (this=0x7ffffd650480, receiver=receiver@entry=0x2abc430, event=event@entry=0x2ee3740) at kernel/qcoreapplication.cpp:915
#16 0x00007f4daf4013f1 in sendEvent (event=0x2ee3740, receiver=0x2abc430) at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:231
#17 QCoreApplicationPrivate::sendPostedEvents (receiver=0x0, event_type=0, data=0x1b3c670) at kernel/qcoreapplication.cpp:1539
#18 0x00007f4daf42ba63 in sendPostedEvents () at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:236
#19 postEventSourceDispatch (s=0x1b6c260) at kernel/qeventdispatcher_glib.cpp:279
#20 0x00007f4dae663ab5 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#21 0x00007f4dae663de8 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#22 0x00007f4dae663ea4 in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#23 0x00007f4daf42bbf6 in QEventDispatcherGlib::processEvents (this=0x1b3db30, flags=...) at kernel/qeventdispatcher_glib.cpp:424
#24 0x00007f4db09c1c1e in QGuiEventDispatcherGlib::processEvents (this=<optimized out>, flags=...) at kernel/qguieventdispatcher_glib.cpp:204
#25 0x00007f4daf3fc2bf in QEventLoop::processEvents (this=this@entry=0x7ffffd650010, flags=...) at kernel/qeventloop.cpp:149
#26 0x00007f4daf3fc548 in QEventLoop::exec (this=0x7ffffd650010, flags=...) at kernel/qeventloop.cpp:204
#27 0x00007f4daf401708 in QCoreApplication::exec () at kernel/qcoreapplication.cpp:1187
#28 0x00007f4db17ef4bd in kdemain (argc=<optimized out>, argv=0x7ffffd650600) at ../../../kate/app/katemain.cpp:377
#29 0x00007f4db141e76d in __libc_start_main (main=0x400690 <main(int, char**)>, argc=1, ubp_av=0x7ffffd650608, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffffd6505f8) at libc-start.c:226
#30 0x00000000004006c1 in _start ()
Comment 6 Gerald Senarclens de Grancy 2013-01-23 16:55:37 UTC
Not sure if this is helpful... but on the shell, I got

QSocketNotifier: Invalid socket 13 and type 'Read', disabling...
QSocketNotifier: Invalid socket 18 and type 'Read', disabling...

when Kate died.
Comment 7 Dominik Haumann 2013-02-20 11:38:43 UTC
Cannot reproduce, it already fails here:
> - start kate with a new and empty file
> - hit enter once
> - type "a"
> - press and hold Ctrl+Alt+Down until the document has at least 200 lines

The last step does not work. I first have to go to the first line and then proceed. Still no crashes. Can you still reproduce with KDE 4.10?
Comment 8 Gerald Senarclens de Grancy 2013-02-20 19:56:15 UTC
The good news is that w/ KDE 4.10 and a fresh build from git I cannot reproduce either. The reason for the instructions to fail is that the actions "Duplicate selected lines down" and "...up" behave slightly differently in 4.10. It's about time I get the time to create a series of tests for these scripts ;)
Comment 9 Gerald Senarclens de Grancy 2013-03-14 15:19:48 UTC
Created attachment 78066 [details]
New crash information added by DrKonqi

kate (3.10.1) on KDE Platform 4.10.1 using Qt 4.8.3

- What I was doing when the application crashed:
tried to reproduce the bug as described in this report after having pulled kate today (2013-03-14)

-- Backtrace (Reduced):
#7  0x00007fa0c42a459e in Kate::TextBuffer::rangesForLine (this=<optimized out>, line=185, view=0x2fcf2f0, rangesWithAttributeOnly=true) at ../../part/buffer/katetextbuffer.cpp:888
#8  0x00007fa0c43354d9 in KateRenderer::decorationsForLine (this=this@entry=0x2fcd7c0, textLine=..., line=185, selectionsOnly=selectionsOnly@entry=false, completionHighlight=0x37b9058, completionHighlight@entry=0x0, completionSelected=completionSelected@entry=false) at ../../part/render/katerenderer.cpp:333
#9  0x00007fa0c4336770 in KateRenderer::layoutLine (this=0x2fcd7c0, lineLayout=..., maxwidth=821, cacheLayout=<optimized out>) at ../../part/render/katerenderer.cpp:911
#10 0x00007fa0c433b09b in KateLayoutCache::line (this=this@entry=0x2fce2d0, realLine=realLine@entry=185, virtualLine=virtualLine@entry=185) at ../../part/render/katelayoutcache.cpp:322
#11 0x00007fa0c433bfcc in KateLayoutCache::updateViewCache (this=0x2fce2d0, startPos=..., newViewLineCount=<optimized out>, viewLinesScrolled=<optimized out>) at ../../part/render/katelayoutcache.cpp:270
Comment 10 Gerald Senarclens de Grancy 2013-03-14 15:38:32 UTC
So far, I can only reproduce this "manually". The automatic TC using scripting I just created does not reproduce the problem. Hence this may be related to updating the view;

Dominik: I'll have a look at the other TCs actually showing a kate window and will try to make this reproducible automatically.
Comment 11 Dominik Haumann 2013-03-14 21:31:23 UTC
In contrast to the previous backtraces, this time your backtrace contains KateOnTheFlyChecker::textRemoved, which implies it may be a bug in the on-the-fly spellchecking code.

In fact, there are 3 different backtraces:
- on-the-fly spellchecking
- the one with KateScriptView::setCursorPosition(), could you check in KateScriptView::setCursorPosition() what line/column the cursor is set to? And is it a valid position?
- KateView::slotDelayedUpdateOfView

Maybe these crashes are related, but this is not obvious from the backtraces...
Comment 12 Gerald Senarclens de Grancy 2013-03-16 00:02:04 UTC
Git commit eece008cb60627d23b2e65f5eae498b10721e92a by Gerald Senarclens de Grancy.
Committed on 16/03/2013 at 00:59.
Pushed by geralds into branch 'master'.

added TC for Bug 313759

the test requires a visible window and on the fly spell checking
enabled; it tests if kate crashes when moving lines up/ down repeatedly

M  +17   -1    part/tests/CMakeLists.txt
A  +102  -0    part/tests/bug313759.cpp     [License: LGPL (v2+)]
A  +40   -0    part/tests/bug313759.h     [License: LGPL (v2+)]
A  +10   -0    part/tests/data/bug313759.js
A  +503  -0    part/tests/data/bug313759.txt

http://commits.kde.org/kate/eece008cb60627d23b2e65f5eae498b10721e92a
Comment 13 Gerald Senarclens de Grancy 2013-03-16 00:03:37 UTC
Dominik: thanks for the insight. This seems indeed very affected by on the fly spell checking. W/out OTF
Comment 14 Gerald Senarclens de Grancy 2013-03-16 00:06:09 UTC
(In reply to comment #13)
Dominik: thanks for the insight. This seems indeed very affected by on the
fly spell checking. With OTF spell checking disabled, I couldn't reproduce the crasher. Given this information I could create an automated TC. Maybe you could have a look. On my system it reliably reproduces the crash.
Comment 15 Dominik Haumann 2013-03-16 08:21:21 UTC
Can you reproduce the crash when running in valgrind please? That may give us some further hints about where the real issue is.
Comment 16 Gerald Senarclens de Grancy 2013-03-16 10:08:58 UTC
Alas, there's nothing obvious (let me know if you want it run w/ other options):

./run.sh  valgrind --leak-check=yes  kate/build/part/tests/bug313759_test.shell
QDEBUG : BugTest::tryCrash() qttest(5784)/Kate (On-The-Fly Spellcheck) KateOnTheFlyChecker::removeRangeFromEverything: [ (119, 0)  ->  (119, 0) ]  ( [ (119, 0)  ->  (119, 0) ]  )
QFATAL : BugTest::tryCrash() Received signal 11
FAIL!  : BugTest::tryCrash() Received a fatal error.
   Loc: [Unknown file(0)]
Totals: 1 passed, 1 failed, 0 skipped
********* Finished testing of BugTest *********
Aborted (core dumped)
==5781== 
==5781== HEAP SUMMARY:
==5781==     in use at exit: 2,450 bytes in 73 blocks
==5781==   total heap usage: 78 allocs, 5 frees, 3,204 bytes allocated
==5781== 
==5781== LEAK SUMMARY:
==5781==    definitely lost: 0 bytes in 0 blocks
==5781==    indirectly lost: 0 bytes in 0 blocks
==5781==      possibly lost: 0 bytes in 0 blocks
==5781==    still reachable: 2,450 bytes in 73 blocks
==5781==         suppressed: 0 bytes in 0 blocks
==5781== Reachable blocks (those to which a pointer was found) are not shown.
==5781== To see them, rerun with: --leak-check=full --show-reachable=yes
==5781== 
==5781== For counts of detected and suppressed errors, rerun with: -v
==5781== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 2 from 2)


./run.sh  valgrind --leak-check=full --show-reachable=yes -v  kate/build/part/tests/bug313759_test.shell
QDEBUG : BugTest::tryCrash() qttest(5755)/Kate (On-The-Fly Spellcheck) KateOnTheFlyChecker::removeRangeFromEverything: [ (119, 0)  ->  (119, 0) ]  ( [ (119, 0)  ->  (119, 0) ]  )
QFATAL : BugTest::tryCrash() Received signal 11
FAIL!  : BugTest::tryCrash() Received a fatal error.
   Loc: [Unknown file(0)]
Totals: 1 passed, 1 failed, 0 skipped
********* Finished testing of BugTest *********
--5752-- REDIR: 0x4ebb2f0 (__GI_strncmp) redirected to 0x4c2c1d0 (__GI_strncmp)
--5752-- REDIR: 0x4ebecd0 (__GI_stpcpy) redirected to 0x4c2da50 (__GI_stpcpy)
Aborted (core dumped)
==5752== 
==5752== HEAP SUMMARY:
==5752==     in use at exit: 2,450 bytes in 73 blocks
==5752==   total heap usage: 78 allocs, 5 frees, 3,204 bytes allocated
==5752== 
==5752== Searching for pointers to 73 not-freed blocks
==5752== Checked 89,424 bytes
==5752== 
==5752== 23 bytes in 1 blocks are still reachable in loss record 1 of 5
==5752==    at 0x4C2B3F8: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==5752==    by 0x4EBAD71: strdup (strdup.c:43)
==5752==    by 0x40A968: ??? (in /bin/dash)
==5752==    by 0x403227: ??? (in /bin/dash)
==5752==    by 0x411BC3: ??? (in /bin/dash)
==5752==    by 0x4020D2: ??? (in /bin/dash)
==5752==    by 0x4E5376C: (below main) (libc-start.c:226)
==5752== 
==5752== 27 bytes in 1 blocks are still reachable in loss record 2 of 5
==5752==    at 0x4C2B3F8: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==5752==    by 0x40A928: ??? (in /bin/dash)
==5752==    by 0x411439: ??? (in /bin/dash)
==5752==    by 0x411BC3: ??? (in /bin/dash)
==5752==    by 0x4020D2: ??? (in /bin/dash)
==5752==    by 0x4E5376C: (below main) (libc-start.c:226)
==5752== 
==5752== 32 bytes in 1 blocks are still reachable in loss record 3 of 5
==5752==    at 0x4C2B3F8: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==5752==    by 0x40A928: ??? (in /bin/dash)
==5752==    by 0x4112F8: ??? (in /bin/dash)
==5752==    by 0x411BA0: ??? (in /bin/dash)
==5752==    by 0x4020D2: ??? (in /bin/dash)
==5752==    by 0x4E5376C: (below main) (libc-start.c:226)
==5752== 
==5752== 160 bytes in 1 blocks are still reachable in loss record 4 of 5
==5752==    at 0x4C2B3F8: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==5752==    by 0x4C2B472: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==5752==    by 0x40A948: ??? (in /bin/dash)
==5752==    by 0x409F56: ??? (in /bin/dash)
==5752==    by 0x404AD7: ??? (in /bin/dash)
==5752==    by 0x403B8E: ??? (in /bin/dash)
==5752==    by 0x40A6FD: ??? (in /bin/dash)
==5752==    by 0x402137: ??? (in /bin/dash)
==5752==    by 0x4E5376C: (below main) (libc-start.c:226)
==5752== 
==5752== 2,208 bytes in 69 blocks are still reachable in loss record 5 of 5
==5752==    at 0x4C2B3F8: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==5752==    by 0x40A928: ??? (in /bin/dash)
==5752==    by 0x4112F8: ??? (in /bin/dash)
==5752==    by 0x411B66: ??? (in /bin/dash)
==5752==    by 0x4020D2: ??? (in /bin/dash)
==5752==    by 0x4E5376C: (below main) (libc-start.c:226)
==5752== 
==5752== LEAK SUMMARY:
==5752==    definitely lost: 0 bytes in 0 blocks
==5752==    indirectly lost: 0 bytes in 0 blocks
==5752==      possibly lost: 0 bytes in 0 blocks
==5752==    still reachable: 2,450 bytes in 73 blocks
==5752==         suppressed: 0 bytes in 0 blocks
==5752== 
==5752== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 2 from 2)
--5752-- 
--5752-- used_suppression:      2 dl-hack3-cond-1
==5752== 
==5752== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 2 from 2)
Comment 17 Dominik Haumann 2013-03-16 10:18:55 UTC
No, it doesn't provide useful info, but it might be that the wrong process was tracked. Can you put valgrind into the .shell file? Or run the binary without the ".shell" extension?
Comment 18 Gerald Senarclens de Grancy 2013-03-16 15:34:08 UTC
Created attachment 78110 [details]
output of running valgrind against the test

You're right Dominik... and I was already wondering why the test would run so fast with valgrind "enabled" ;)

Now, the crasher wasn't reproduced... but valgrind did suggest that there's something fishy going on; e.g.:

==10276==    at 0x4C2AF8E: operator new(unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==10276==    by 0x6029ED7: KTextEditor::Attribute::Attribute(KTextEditor::Attribute const&) (attribute.cpp:45)
==10276==    by 0x63D99D4: KateHighlighting::attributes(QString const&) (katehighlight.cpp:2109)
==10276==    by 0x63D4A0F: KateHighlighting::attributeRequiresSpellchecking(int) (katehighlight.cpp:1007)
==10276==    by 0x64763BA: KateSpellCheckManager::spellCheckWrtHighlightingRanges(KateDocument*, KTextEditor::Range const&, QString const&, bool, bool) (spellcheck.cpp:178)
==10276==    by 0x647681A: KateSpellCheckManager::spellCheckRanges(KateDocument*, KTextEditor::Range const&, bool) (spellcheck.cpp:234)
==10276==    by 0x6472805: KateOnTheFlyChecker::queueLineSpellCheck(KateDocument*, int) (ontheflycheck.cpp:811)
==10276==    by 0x64723F0: KateOnTheFlyChecker::updateInstalledMovingRanges(KateView*) (ontheflycheck.cpp:754)
==10276==    by 0x6471ABC: KateOnTheFlyChecker::addView(KTextEditor::Document*, KTextEditor::View*) (ontheflycheck.cpp:697)
==10276==    by 0x646CF96: KateOnTheFlyChecker::KateOnTheFlyChecker(KateDocument*) (ontheflycheck.cpp:67)
==10276==    by 0x636D703: KateDocument::onTheFlySpellCheckingEnabled(bool) (katedocument.cpp:5112)
==10276==    by 0x40747B: BugTest::tryCrash() (bug313759.cpp:79)
==10276== 
==10276== 16 bytes in 1 blocks are still reachable in loss record 2,069 of 13,57

...

==10276== ERROR SUMMARY: 8105 errors from 673 contexts (suppressed: 2 from 2)

The file is quite big, so I gzipped it...
Comment 19 Christoph Cullmann 2013-03-16 20:05:06 UTC
Please try after that commit:

Git commit 8f1f188b07328eec388ed5bc7ecb76db67d84c3e by Christoph Cullmann.
Committed on 16/03/2013 at 20:59.
Pushed by cullmann into branch 'master'.

perhaps found some missing updateRange call
if the range stays in both blocks, only for the current one, updateRange was called
this is an error, if we have this line caching ranges

M  +19   -15   part/buffer/katetextblock.cpp

http://commits.kde.org/kate/8f1f188b07328eec388ed5bc7ecb76db67d84c3e

diff --git a/part/buffer/katetextblock.cpp b/part/buffer/katetextblock.cpp
index ad6b310..6406ce6 100644
--- a/part/buffer/katetextblock.cpp
+++ b/part/buffer/katetextblock.cpp
@@ -249,11 +249,15 @@ void TextBlock::unwrapLine (int line, TextBlock *previousBlock)
     previousBlock->m_cursors = newPreviousCursors;
 
     foreach (TextRange *range, rangesMoved) {
-        // either now only in new block
+        // either now only in new block, remove it from previous block
         if (range->start().line () >= startLine())
           previousBlock->removeRange (range);
 
-        // or now in both
+        // or now in both, update it in previous block, too
+        else
+          previousBlock->updateRange (range);
+
+        // update in current block anyway!
         updateRange (range);
     }
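Review bot: In the `foreach (TextRange *range, rangesMoved)` loop, the new `else` binds to an unbraced `if` across a blank line and a comment, so it is easy to misread which statement is conditional and easy to break the pairing in a later edit. Put braces around both branches so that `previousBlock->removeRange (range)` and `previousBlock->updateRange (range)` are visibly the two alternatives and the trailing `updateRange (range)` is visibly unconditional. The branch is chosen only from `range->start().line () >= startLine()`; the comment should state which condition on the range's end makes it count as "in both" blocks, and which cached per-line state the extra `previousBlock->updateRange (range)` is meant to refresh, since the commit message describes the fix as tentative.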
Comment 20 Gerald Senarclens de Grancy 2013-03-16 20:19:28 UTC
Unfortunately, the crash still reproduces:
QDEBUG : BugTest::tryCrash() qttest(26679)/Kate (On-The-Fly Spellcheck) KateOnTheFlyChecker::removeRangeFromEverything: [ (119, 0)  ->  (119, 0) ]  ( [ (119, 0)  ->  (119, 0) ]  )
QFATAL : BugTest::tryCrash() Received signal 11
FAIL!  : BugTest::tryCrash() Received a fatal error.
   Loc: [Unknown file(0)]
Totals: 1 passed, 1 failed, 0 skipped
********* Finished testing of BugTest *********
Aborted (core dumped)

W/ valgrind's memcheck, the summary is
==26720== ERROR SUMMARY: 8051 errors from 673 contexts (suppressed: 2 from 2)
so unless it's a coincidence, your fix did help reduce the errors.
Comment 21 Christoph Cullmann 2013-03-16 20:54:25 UTC
Git commit aaac237c9ad9bee21c49c4a527dd927777c95a41 by Christoph Cullmann.
Committed on 16/03/2013 at 21:41.
Pushed by cullmann into branch 'master'.

next try to fix crash, better updateRange
will handle remove, too, if needed

M  +22   -25   part/buffer/katetextblock.cpp

http://commits.kde.org/kate/aaac237c9ad9bee21c49c4a527dd927777c95a41
Comment 22 Christoph Cullmann 2013-03-16 20:54:25 UTC
Git commit 019e7c3b225589c695dabba643dde360b33ef896 by Christoph Cullmann.
Committed on 16/03/2013 at 21:53.
Pushed by cullmann into branch 'master'.

more fixes for unwrapLine, still this doesn't really help :/

M  +5    -10   part/buffer/katetextblock.cpp

http://commits.kde.org/kate/019e7c3b225589c695dabba643dde360b33ef896
Comment 23 Gerald Senarclens de Grancy 2013-03-16 23:08:05 UTC
(In reply to comment #22)
> more fixes for unwrapLine, still this doesn't really help :/

Christoph: may I ask why you set this bug to resolved?
Comment 24 Dominik Haumann 2013-03-16 23:54:24 UTC
Gerald, can you provide another valgrind and DrKonqi backtrace with Christoph's commits?
Comment 25 Christoph Cullmann 2013-03-17 12:14:36 UTC
Sorry, I wanted to use CCBUG ;)
Comment 26 Christoph Cullmann 2013-03-17 13:43:20 UTC
Git commit 7a5b471ddb500297cfbd8a55c8e254ceedfad38a by Christoph Cullmann.
Committed on 17/03/2013 at 14:14.
Pushed by cullmann into branch 'master'.

try to have safer fixLookup
still crashes here

M  +65   -23   part/buffer/katetextrange.cpp
M  +24   -17   part/buffer/katetextrange.h

http://commits.kde.org/kate/7a5b471ddb500297cfbd8a55c8e254ceedfad38a
Comment 27 Christoph Cullmann 2013-03-17 16:23:49 UTC
Git commit 3c18a063d436f781495692e4b56be25e0244831f by Christoph Cullmann.
Committed on 17/03/2013 at 17:22.
Pushed by cullmann into branch 'master'.

fix [Bug 313759] Kate crashes when repeatedly triggering scripting functions (move up and down)
tricky beast, wrong since ever :/
not sure if my other fixes of the last days are needed, the REAL problem was, that the startlines of all blocks
were not updated early enough
unittest works here now, please reopen if that is not the case for you ;)

M  +22   -2    part/buffer/katetextblock.cpp
M  +9    -8    part/buffer/katetextblock.h
M  +22   -22   part/buffer/katetextbuffer.cpp
M  +3    -2    part/buffer/katetextbuffer.h

http://commits.kde.org/kate/3c18a063d436f781495692e4b56be25e0244831f
Comment 28 Christoph Cullmann 2013-03-17 16:37:15 UTC
Works for me here, please test ;)
And thanks a lot for the good testcase!
Comment 29 Gerald Senarclens de Grancy 2013-03-17 16:59:06 UTC
Created attachment 78135 [details]
valgrind output including Christoph's fixes up to now

Christoph, thanks for the excellent work. Wasn't able to reproduce even though I just tried pretty hard :)
Valgrind still complains about possible leaks though...
Comment 30 Christoph Cullmann 2013-03-17 18:17:45 UTC
Git commit bd9f1bae393b9680811a44383f64e2aaf2ac274c by Christoph Cullmann.
Committed on 16/03/2013 at 21:41.
Pushed by cullmann into branch 'KDE/4.10'.

next try to fix crash, better updateRange
will handle remove, too, if needed

M  +22   -25   part/buffer/katetextblock.cpp

http://commits.kde.org/kate/bd9f1bae393b9680811a44383f64e2aaf2ac274c
Comment 31 Christoph Cullmann 2013-03-17 18:17:45 UTC
Git commit 8f3c3ff21c932e61ca139b561d0fd8f91fed6367 by Christoph Cullmann.
Committed on 16/03/2013 at 21:53.
Pushed by cullmann into branch 'KDE/4.10'.

more fixes for unwrapLine, still this doesn't really help :/

M  +5    -10   part/buffer/katetextblock.cpp

http://commits.kde.org/kate/8f3c3ff21c932e61ca139b561d0fd8f91fed6367
Comment 32 Christoph Cullmann 2013-03-17 18:17:45 UTC
Git commit ee7387113e7101d9f699107135901e6a716345da by Christoph Cullmann.
Committed on 17/03/2013 at 14:14.
Pushed by cullmann into branch 'KDE/4.10'.

try to have safer fixLookup
still crashes here

M  +65   -23   part/buffer/katetextrange.cpp
M  +24   -17   part/buffer/katetextrange.h

http://commits.kde.org/kate/ee7387113e7101d9f699107135901e6a716345da
Comment 33 Christoph Cullmann 2013-03-17 18:17:45 UTC
Git commit a677dfbe3073ca5155d225e3b7fc33808c6b5950 by Christoph Cullmann.
Committed on 17/03/2013 at 17:22.
Pushed by cullmann into branch 'KDE/4.10'.

fix [Bug 313759] Kate crashes when repeatedly triggering scripting functions (move up and down)
tricky beast, wrong since ever :/
not sure if my other fixes of the last days are needed, the REAL problem was, that the startlines of all blocks
were not updated early enough
unittest works here now, please reopen if that is not the case for you ;)

M  +22   -2    part/buffer/katetextblock.cpp
M  +9    -8    part/buffer/katetextblock.h
M  +22   -22   part/buffer/katetextbuffer.cpp
M  +3    -2    part/buffer/katetextbuffer.h

http://commits.kde.org/kate/a677dfbe3073ca5155d225e3b7fc33808c6b5950
Comment 34 Christoph Cullmann 2013-03-17 18:24:46 UTC
*** Bug 265426 has been marked as a duplicate of this bug. ***
Comment 35 Christoph Cullmann 2013-03-17 18:25:02 UTC
Fix backported
Comment 36 Christoph Cullmann 2013-03-17 18:25:47 UTC
*** Bug 315745 has been marked as a duplicate of this bug. ***
Comment 37 Jekyll Wu 2013-04-13 10:30:56 UTC
*** Bug 318282 has been marked as a duplicate of this bug. ***
Comment 38 Jekyll Wu 2013-05-14 04:39:01 UTC
*** Bug 319810 has been marked as a duplicate of this bug. ***
Comment 39 Jekyll Wu 2013-06-09 02:43:34 UTC
*** Bug 320931 has been marked as a duplicate of this bug. ***
Comment 40 Jekyll Wu 2013-09-03 13:46:16 UTC
*** Bug 324454 has been marked as a duplicate of this bug. ***