Bug 318468

Summary: Kate crashed while editing a php file with highlighting set to xml
Product: [Applications] kate
Reporter: Gerald Senarclens de Grancy <oss>
Component: general
Assignee: KWrite Developers <kwrite-bugs-null>
Status: VERIFIED FIXED
Severity: crash
CC: dima
Priority: HI
Version: Git
Target Milestone: ---
Platform: Ubuntu
OS: Linux
Latest Commit:
Version Fixed In: 4.11.1
Attachments:
  manual TC
  New crash information added by DrKonqi

Description Gerald Senarclens de Grancy 2013-04-16 21:55:09 UTC
Application: kate (3.10.2)
KDE Platform Version: 4.10.2
Qt Version: 4.8.3
Operating System: Linux 3.5.0-27-generic x86_64
Distribution: Ubuntu 12.10

-- Information about the crash:
- What I was doing when the application crashed:

1) started kate (compiled from sources) with an existing php file
2) clicked away errors caused by Bug 318465
3) set syntax highlighting to xml
4) typed a single character

- expected
character appears; no crash

- actual
kate crashed

The crash can be reproduced every time.

-- Backtrace:
Application: Kate (kate), signal: Segmentation fault
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[Current thread is 1 (Thread 0x7fa15e3f4780 (LWP 9231))]

Thread 4 (Thread 0x7fa13fae8700 (LWP 9232)):
#0  0x00007fffcd7ff827 in clock_gettime ()
#1  0x00007fa156b3815d in __GI_clock_gettime (clock_id=<optimized out>, tp=<optimized out>) at ../sysdeps/unix/clock_gettime.c:116
#2  0x00007fa15bb2c9f4 in do_gettime (frac=0x7fa13fae7b28, sec=0x7fa13fae7b20) at tools/qelapsedtimer_unix.cpp:123
#3  qt_gettime () at tools/qelapsedtimer_unix.cpp:140
#4  0x00007fa15bc0244d in QTimerInfoList::updateCurrentTime (this=this@entry=0x7fa138002860) at kernel/qeventdispatcher_unix.cpp:343
#5  0x00007fa15bc02793 in QTimerInfoList::timerWait (this=0x7fa138002860, tm=...) at kernel/qeventdispatcher_unix.cpp:450
#6  0x00007fa15bc012fc in timerSourcePrepareHelper (src=<optimized out>, timeout=0x7fa13fae7c14) at kernel/qeventdispatcher_glib.cpp:136
#7  0x00007fa15bc013a5 in timerSourcePrepare (source=<optimized out>, timeout=<optimized out>) at kernel/qeventdispatcher_glib.cpp:169
#8  0x00007fa15ae39618 in g_main_context_prepare () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#9  0x00007fa15ae39cab in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#10 0x00007fa15ae39ea4 in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#11 0x00007fa15bc01c46 in QEventDispatcherGlib::processEvents (this=0x7fa1380008c0, flags=...) at kernel/qeventdispatcher_glib.cpp:426
#12 0x00007fa15bbd22ef in QEventLoop::processEvents (this=this@entry=0x7fa13fae7dd0, flags=...) at kernel/qeventloop.cpp:149
#13 0x00007fa15bbd2578 in QEventLoop::exec (this=0x7fa13fae7dd0, flags=...) at kernel/qeventloop.cpp:204
#14 0x00007fa15bad3b40 in QThread::exec (this=<optimized out>) at thread/qthread.cpp:501
#15 0x00007fa15bbb29df in QInotifyFileSystemWatcherEngine::run (this=0x2727910) at io/qfilesystemwatcher_inotify.cpp:248
#16 0x00007fa15bad6b1c in QThreadPrivate::start (arg=0x2727910) at thread/qthread_unix.cpp:338
#17 0x00007fa15b308e9a in start_thread (arg=0x7fa13fae8700) at pthread_create.c:308
#18 0x00007fa15dcf2cbd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#19 0x0000000000000000 in ?? ()

Thread 3 (Thread 0x7fa13f1f7700 (LWP 9233)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:162
#1  0x00007fa14b976cd7 in ?? () from /usr/lib/x86_64-linux-gnu/libQtScript.so.4
#2  0x00007fa14b976d09 in ?? () from /usr/lib/x86_64-linux-gnu/libQtScript.so.4
#3  0x00007fa15b308e9a in start_thread (arg=0x7fa13f1f7700) at pthread_create.c:308
#4  0x00007fa15dcf2cbd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#5  0x0000000000000000 in ?? ()

Thread 2 (Thread 0x7fa137fff700 (LWP 9242)):
#0  0x00007fa15ae76ba0 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#1  0x00007fa15ae76e49 in g_mutex_unlock () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#2  0x00007fa15ae39eae in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#3  0x00007fa15bc01c46 in QEventDispatcherGlib::processEvents (this=0x7fa1300008c0, flags=...) at kernel/qeventdispatcher_glib.cpp:426
#4  0x00007fa15bbd22ef in QEventLoop::processEvents (this=this@entry=0x7fa137ffedd0, flags=...) at kernel/qeventloop.cpp:149
#5  0x00007fa15bbd2578 in QEventLoop::exec (this=0x7fa137ffedd0, flags=...) at kernel/qeventloop.cpp:204
#6  0x00007fa15bad3b40 in QThread::exec (this=<optimized out>) at thread/qthread.cpp:501
#7  0x00007fa15bbb29df in QInotifyFileSystemWatcherEngine::run (this=0x2e07bb0) at io/qfilesystemwatcher_inotify.cpp:248
#8  0x00007fa15bad6b1c in QThreadPrivate::start (arg=0x2e07bb0) at thread/qthread_unix.cpp:338
#9  0x00007fa15b308e9a in start_thread (arg=0x7fa137fff700) at pthread_create.c:308
#10 0x00007fa15dcf2cbd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#11 0x0000000000000000 in ?? ()

Thread 1 (Thread 0x7fa15e3f4780 (LWP 9231)):
[KCrash Handler]
#6  QString::operator== (this=0x78, other=...) at tools/qstring.cpp:2192
#7  0x00007fa14c05b446 in KateHlManager::nameForIdentifier (this=0x1338e40, identifier=...) at /home/gerald/repos/kde/kate/part/syntax/katesyntaxmanager.cpp:395
#8  0x00007fa14bffd136 in KateDocument::highlightingModeAt (this=0x1574730, position=...) at /home/gerald/repos/kde/kate/part/document/katedocument.cpp:5324
#9  0x00007fa14c15aa5a in SnippetCompletionModel::initData (this=0x26eabe0, view=0x295ae90) at /home/gerald/repos/kde/kate/part/snippet/snippetcompletionmodel.cpp:94
#10 0x00007fa14c15a992 in SnippetCompletionModel::completionInvoked (this=0x26eabe0, view=0x295ae90, range=..., invocationType=KTextEditor::CodeCompletionModel::AutomaticInvocation) at /home/gerald/repos/kde/kate/part/snippet/snippetcompletionmodel.cpp:85
#11 0x00007fa14bf921ac in KateCompletionWidget::startCompletion (this=0x2a5d4b0, word=..., modelsToStart=..., invocationType=KTextEditor::CodeCompletionModel::AutomaticInvocation) at /home/gerald/repos/kde/kate/part/completion/katecompletionwidget.cpp:389
#12 0x00007fa14bf919db in KateCompletionWidget::startCompletion (this=0x2a5d4b0, invocationType=KTextEditor::CodeCompletionModel::AutomaticInvocation, models=...) at /home/gerald/repos/kde/kate/part/completion/katecompletionwidget.cpp:292
#13 0x00007fa14bf975d5 in KateCompletionWidget::automaticInvocation (this=0x2a5d4b0) at /home/gerald/repos/kde/kate/part/completion/katecompletionwidget.cpp:1316
#14 0x00007fa14bf97b7d in KateCompletionWidget::qt_static_metacall (_o=0x2a5d4b0, _c=QMetaObject::InvokeMetaMethod, _id=7, _a=0x7fffcd6bd8a0) at /home/gerald/repos/kde/kate/build/part/katecompletionwidget.moc:100
#15 0x00007fa15bbe8f8f in QMetaObject::activate (sender=0x2ab6dd0, m=<optimized out>, local_signal_index=<optimized out>, argv=0x0) at kernel/qobject.cpp:3547
#16 0x00007fa15bbe829c in QObject::event (this=0x2ab6dd0, e=<optimized out>) at kernel/qobject.cpp:1157
#17 0x00007fa15d11ee9c in QApplicationPrivate::notify_helper (this=this@entry=0x10cc5e0, receiver=receiver@entry=0x2ab6dd0, e=e@entry=0x7fffcd6bdf90) at kernel/qapplication.cpp:4562
#18 0x00007fa15d12330a in QApplication::notify (this=0x7fffcd6be4f0, receiver=0x2ab6dd0, e=0x7fffcd6bdf90) at kernel/qapplication.cpp:4423
#19 0x00007fa15c3cfad6 in KApplication::notify (this=0x7fffcd6be4f0, receiver=0x2ab6dd0, event=0x7fffcd6bdf90) at ../../kdeui/kernel/kapplication.cpp:311
#20 0x00007fa15bbd359e in QCoreApplication::notifyInternal (this=0x7fffcd6be4f0, receiver=0x2ab6dd0, event=0x7fffcd6bdf90) at kernel/qcoreapplication.cpp:915
#21 0x00007fa15bc04492 in sendEvent (event=0x7fffcd6bdf90, receiver=<optimized out>) at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:231
#22 QTimerInfoList::activateTimers (this=0x10d0860) at kernel/qeventdispatcher_unix.cpp:611
#23 0x00007fa15bc015b4 in timerSourceDispatch (source=<optimized out>) at kernel/qeventdispatcher_glib.cpp:186
#24 timerSourceDispatch (source=<optimized out>) at kernel/qeventdispatcher_glib.cpp:180
#25 0x00007fa15bc015d1 in idleTimerSourceDispatch (source=<optimized out>) at kernel/qeventdispatcher_glib.cpp:233
#26 0x00007fa15ae39ab5 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#27 0x00007fa15ae39de8 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#28 0x00007fa15ae39ea4 in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#29 0x00007fa15bc01c26 in QEventDispatcherGlib::processEvents (this=0x1091b30, flags=...) at kernel/qeventdispatcher_glib.cpp:424
#30 0x00007fa15d1c3c1e in QGuiEventDispatcherGlib::processEvents (this=<optimized out>, flags=...) at kernel/qguieventdispatcher_glib.cpp:204
#31 0x00007fa15bbd22ef in QEventLoop::processEvents (this=this@entry=0x7fffcd6be210, flags=...) at kernel/qeventloop.cpp:149
#32 0x00007fa15bbd2578 in QEventLoop::exec (this=0x7fffcd6be210, flags=...) at kernel/qeventloop.cpp:204
#33 0x00007fa15bbd7738 in QCoreApplication::exec () at kernel/qcoreapplication.cpp:1187
#34 0x00007fa15dfe560a in kdemain (argc=2, argv=0x7fffcd6be698) at /home/gerald/repos/kde/kate/kate/app/katemain.cpp:380
#35 0x00000000004007ce in main (argc=2, argv=0x7fffcd6be698) at /home/gerald/repos/kde/kate/build/kate/app/kate_dummy.cpp:3

Possible duplicates by query: bug 308578.

Reported using DrKonqi
Comment 1 Dominik Haumann 2013-04-17 07:17:00 UTC
Gerald, Can you attach a test case?
And if you can reproduce a crash, it always helps to have a valgrind trace. Please start
./run.sh valgrind kate
and then paste the ~3 blocks of relevant valgrind trace here.
Comment 2 Gerald Senarclens de Grancy 2013-04-17 10:00:17 UTC
Context: kate was pulled 2013-04-16 at around 5pm CET; I tried the crash both on KDE 4.9.5 and on KDE 4.10.2 on Kubuntu 12.10. The valgrind output below was created on 4.9.5.

Right after starting with (even before the crash)
~/repos/kde >./run.sh valgrind --leak-check=full kate ~/318468.php

there is (unfortunately not very helpful location information; if there's a way to improve the output, let me know; debug packages suggested by DrKonqi are installed and kate is compiled with -DCMAKE_BUILD_TYPE=DebugFull)
"""
QDBusConnection: session D-Bus connection created before QCoreApplication. Application may misbehave.
Hspell: can't open /usr/share/hspell/hebrew.wgz.sizes.
Enchant dict for "en_US" 0x183c6150 
Object::connect: No such signal KateBuffer::respellCheckBlock(KateDocument*,int,int) in /home/gerald/repos/kde/kate/part/spellcheck/ontheflycheck.cpp:61
Enchant dict for "en_US" 0x185846d0 
==17384== Conditional jump or move depends on uninitialised value(s)
==17384==    at 0x19627465: ??? (in /usr/lib/x86_64-linux-gnu/libQtScript.so.4.8.3)
==17384==    by 0x1962835C: ??? (in /usr/lib/x86_64-linux-gnu/libQtScript.so.4.8.3)
==17384==    by 0x19628417: ??? (in /usr/lib/x86_64-linux-gnu/libQtScript.so.4.8.3)
==17384==    by 0x196299B3: ??? (in /usr/lib/x86_64-linux-gnu/libQtScript.so.4.8.3)
==17384==    by 0x1962AB48: ??? (in /usr/lib/x86_64-linux-gnu/libQtScript.so.4.8.3)
==17384==    by 0x1962AC1F: ??? (in /usr/lib/x86_64-linux-gnu/libQtScript.so.4.8.3)
==17384==    by 0x1960B5D3: ??? (in /usr/lib/x86_64-linux-gnu/libQtScript.so.4.8.3)
==17384==    by 0x218D87FF: ???
==17384==    by 0x195C2FC0: ??? (in /usr/lib/x86_64-linux-gnu/libQtScript.so.4.8.3)
==17384==    by 0x196234A3: ??? (in /usr/lib/x86_64-linux-gnu/libQtScript.so.4.8.3)
==17384==    by 0x421C1B3: ???
==17384==    by 0x195C39AD: ??? (in /usr/lib/x86_64-linux-gnu/libQtScript.so.4.8.3)

...

==17384== Conditional jump or move depends on uninitialised value(s)
==17384==    at 0x1962ABCB: ??? (in /usr/lib/x86_64-linux-gnu/libQtScript.so.4.8.3)
==17384==    by 0x1960A355: ??? (in /usr/lib/x86_64-linux-gnu/libQtScript.so.4.8.3)
==17384==    by 0x212792EF: ???
==17384==    by 0x195C39AD: ??? (in /usr/lib/x86_64-linux-gnu/libQtScript.so.4.8.3)
==17384==    by 0x195C3C12: ??? (in /usr/lib/x86_64-linux-gnu/libQtScript.so.4.8.3)
==17384==    by 0x196F1641: ??? (in /usr/lib/x86_64-linux-gnu/libQtScript.so.4.8.3)
==17384==    by 0x196F82B8: QScriptEngine::evaluate(QString const&, QString const&, int) (in /usr/lib/x86_64-linux-gnu/libQtScript.so.4.8.3)
==17384==    by 0x18EE45F2: Kate::Script::require(QScriptContext*, QScriptEngine*) (katescripthelpers.cpp:139)
==17384==    by 0x19714AE7: ??? (in /usr/lib/x86_64-linux-gnu/libQtScript.so.4.8.3)
==17384==    by 0x196271CF: ??? (in /usr/lib/x86_64-linux-gnu/libQtScript.so.4.8.3)
==17384==    by 0x196042C5: ??? (in /usr/lib/x86_64-linux-gnu/libQtScript.so.4.8.3)
==17384==    by 0x421C4B5: ???

...

Enchant dict for "en_US" 0x186bb3a0 
kate(17384)/Kate (XML/Syntax) KateHighlighting::makeContextList: Unknown highlighting description referenced: "Modelines/PHP" in "/home/gerald/repos/kde/usr/share/apps/katepart/syntax/html-php.xml" 
QFSFileEngine::open: No file name specified
"""

then I set 'tools->highlighting->markup->xml' and get

"""
==17384== Invalid read of size 8
==17384==    at 0x55C2DB0: qt_blend_argb32_on_argb32_ssse3(unsigned char*, int, unsigned char const*, int, int, int, int) (in /usr/lib/x86_64-linux-gnu/libQtGui.so.4.8.3)
==17384==    by 0x579168C: QRasterPaintEngine::drawImage(QPointF const&, QImage const&) (in /usr/lib/x86_64-linux-gnu/libQtGui.so.4.8.3)
==17384==    by 0x579B1C5: QRasterPaintEngine::drawPixmap(QPointF const&, QPixmap const&) (in /usr/lib/x86_64-linux-gnu/libQtGui.so.4.8.3)
==17384==    by 0x571DADC: QPainter::drawPixmap(QPointF const&, QPixmap const&) (in /usr/lib/x86_64-linux-gnu/libQtGui.so.4.8.3)
==17384==    by 0x12142CAE: ??? (in /usr/lib/kde4/plugins/styles/oxygen.so)
==17384==    by 0x12155AB2: ??? (in /usr/lib/kde4/plugins/styles/oxygen.so)
==17384==    by 0x12138243: ??? (in /usr/lib/kde4/plugins/styles/oxygen.so)
==17384==    by 0x5A05E03: QMenu::paintEvent(QPaintEvent*) (in /usr/lib/x86_64-linux-gnu/libQtGui.so.4.8.3)
==17384==    by 0x561A801: QWidget::event(QEvent*) (in /usr/lib/x86_64-linux-gnu/libQtGui.so.4.8.3)
==17384==    by 0x5A0A96A: QMenu::event(QEvent*) (in /usr/lib/x86_64-linux-gnu/libQtGui.so.4.8.3)
==17384==    by 0x55CAE9B: QApplicationPrivate::notify_helper(QObject*, QEvent*) (in /usr/lib/x86_64-linux-gnu/libQtGui.so.4.8.3)
==17384==    by 0x55CF309: QApplication::notify(QObject*, QEvent*) (in /usr/lib/x86_64-linux-gnu/libQtGui.so.4.8.3)
==17384==  Address 0x126fd560 is 1,760 bytes inside a block of size 1,764 alloc'd
==17384==    at 0x4C2B3F8: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==17384==    by 0x5685D55: QImageData::create(QSize const&, QImage::Format, int) (in /usr/lib/x86_64-linux-gnu/libQtGui.so.4.8.3)
==17384==    by 0x568628A: QImage::QImage(int, int, QImage::Format) (in /usr/lib/x86_64-linux-gnu/libQtGui.so.4.8.3)
==17384==    by 0x56AD5C6: QRasterPixmapData::resize(int, int) (in /usr/lib/x86_64-linux-gnu/libQtGui.so.4.8.3)
==17384==    by 0x56A5B6E: QPixmapData::create(int, int, QPixmapData::PixelType) (in /usr/lib/x86_64-linux-gnu/libQtGui.so.4.8.3)
==17384==    by 0x569E2D6: QPixmap::init(int, int, int) (in /usr/lib/x86_64-linux-gnu/libQtGui.so.4.8.3)
==17384==    by 0x569F6FC: QPixmap::QPixmap(int, int) (in /usr/lib/x86_64-linux-gnu/libQtGui.so.4.8.3)
==17384==    by 0x1216592C: ??? (in /usr/lib/kde4/plugins/styles/oxygen.so)
==17384==    by 0x12142C68: ??? (in /usr/lib/kde4/plugins/styles/oxygen.so)
==17384==    by 0x12155AB2: ??? (in /usr/lib/kde4/plugins/styles/oxygen.so)
==17384==    by 0x12138243: ??? (in /usr/lib/kde4/plugins/styles/oxygen.so)
==17384==    by 0x5A05E03: QMenu::paintEvent(QPaintEvent*) (in /usr/lib/x86_64-linux-gnu/libQtGui.so.4.8.3)
"""

then I type a single char, Kate crashes, and a storm of valgrind output is created

"""
==17384== Invalid read of size 8
==17384==    at 0x718E930: QString::operator==(QString const&) const (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.3)
==17384==    by 0x18F1B3D5: KateHlManager::nameForIdentifier(QString const&) (katesyntaxmanager.cpp:395)
==17384==    by 0x18EBD0C5: KateDocument::highlightingModeAt(KTextEditor::Cursor const&) (katedocument.cpp:5324)
==17384==    by 0x1DA95628: KTextEditor::CodesnippetsCore::SnippetCompletionModel::shouldStartCompletion(KTextEditor::View*, QString const&, bool, KTextEditor::Cursor const&) (completionmodel.cpp:456)
==17384==    by 0x18E506BA: _shouldStartCompletion(KTextEditor::CodeCompletionModel*, KTextEditor::View*, QString, bool, KTextEditor::Cursor const&) (katecompletionwidget.cpp:94)
==17384==    by 0x18E57488: KateCompletionWidget::automaticInvocation() (katecompletionwidget.cpp:1306)
==17384==    by 0x18E57B0C: KateCompletionWidget::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) (katecompletionwidget.moc:100)
==17384==    by 0x725BF5E: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.3)
==17384==    by 0x725B26B: QObject::event(QEvent*) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.3)
==17384==    by 0x55CAE9B: QApplicationPrivate::notify_helper(QObject*, QEvent*) (in /usr/lib/x86_64-linux-gnu/libQtGui.so.4.8.3)
==17384==    by 0x55CF309: QApplication::notify(QObject*, QEvent*) (in /usr/lib/x86_64-linux-gnu/libQtGui.so.4.8.3)
==17384==    by 0x6A351F5: KApplication::notify(QObject*, QEvent*) (kapplication.cpp:311)
==17384==  Address 0x78 is not stack'd, malloc'd or (recently) free'd
==17384== 
KCrash: Application 'kate' crashing...

...

==17384== LEAK SUMMARY:
==17384==    definitely lost: 11,140 bytes in 33 blocks
==17384==    indirectly lost: 38,432 bytes in 1,197 blocks
==17384==      possibly lost: 2,785,492 bytes in 48,106 blocks
==17384==    still reachable: 19,363,005 bytes in 252,134 blocks
==17384==         suppressed: 0 bytes in 0 blocks
==17384== Reachable blocks (those to which a pointer was found) are not shown.
==17384== To see them, rerun with: --leak-check=full --show-reachable=yes
==17384== 
==17384== For counts of detected and suppressed errors, rerun with: -v
==17384== Use --track-origins=yes to see where uninitialised values come from
==17384== ERROR SUMMARY: 2567 errors from 1676 contexts (suppressed: 2 from 2)
"""

I'll try to create an automated TC by the end of the week.
Comment 3 Dominik Haumann 2013-04-17 10:37:18 UTC
Christoph moved the snippet code for KDE 4.10 into the Kate Part; it's not a plugin anymore. Besides that, he simplified it quite a bit. Therefore, it's questionable whether the valgrind trace is useful.

Can you provide a valgrind trace for git master? Btw, only the very last part
 ==17384== Invalid read of size 8
is of interest. You can omit the rest ;) Thanks so far!
Comment 4 Gerald Senarclens de Grancy 2013-04-17 11:10:35 UTC
Created attachment 78983 [details]
manual TC

For now, a manual TC should do; instructions:
1) ./run.sh kate ~/318468.php
2) type "s" (or any other letter)
Comment 5 Gerald Senarclens de Grancy 2013-04-17 19:00:57 UTC
Curious, `find -name completionmodel.cpp` doesn't find the file in my source tree. I had pulled and built right before generating the valgrind output. Maybe something had gone wrong with the build and I didn't realize.

Either way. Pulled again tonight and couldn't reproduce the crash with the same steps. Valgrind kept spitting out invalid reads though, and when I tried to close kate, a crash is what I got. Hope this output is of better use:

==6181== Invalid write of size 8
==6181==    at 0x197E0284: ??? (in /usr/lib/x86_64-linux-gnu/libQtScript.so.4.8.3)
==6181==    by 0x1978C9D7: ??? (in /usr/lib/x86_64-linux-gnu/libQtScript.so.4.8.3)
==6181==    by 0x1984B87B: ??? (in /usr/lib/x86_64-linux-gnu/libQtScript.so.4.8.3)
==6181==    by 0x19823141: ??? (in /usr/lib/x86_64-linux-gnu/libQtScript.so.4.8.3)
==6181==    by 0x1982338B: ??? (in /usr/lib/x86_64-linux-gnu/libQtScript.so.4.8.3)
==6181==    by 0x198F55BF: ??? (in /usr/lib/x86_64-linux-gnu/libQtScript.so.4.8.3)
==6181==    by 0x198F5C38: ??? (in /usr/lib/x86_64-linux-gnu/libQtScript.so.4.8.3)
==6181==    by 0x726002B: QObject::~QObject() (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.3)
==6181==    by 0x198E3B38: QScriptEngine::~QScriptEngine() (in /usr/lib/x86_64-linux-gnu/libQtScript.so.4.8.3)
==6181==    by 0x190CB45A: KateScript::~KateScript() (katescript.cpp:100)
==6181==    by 0x190CD557: KateCommandLineScript::~KateCommandLineScript() (katecommandlinescript.cpp:40)
==6181==    by 0x190CD5A3: KateCommandLineScript::~KateCommandLineScript() (katecommandlinescript.cpp:43)
==6181==  Address 0x29bfacc5 is not stack'd, malloc'd or (recently) free'd
==6181== 
KCrash: Application 'kate' crashing...
KCrash: Attempting to start /usr/lib/kde4/libexec/drkonqi from kdeinit
==6181== Invalid read of size 4
==6181==    at 0x6A94F70: startFromKdeinit(int, char const**) (kcrash.cpp:781)
==6181==    by 0x6A95A75: KCrash::startProcess(int, char const**, bool) (kcrash.cpp:537)
==6181==    by 0x6A95E80: KCrash::defaultCrashHandler(int) (kcrash.cpp:435)
==6181==    by 0x507649F: ??? (in /lib/x86_64-linux-gnu/libc-2.15.so)
==6181==    by 0x197E0283: ??? (in /usr/lib/x86_64-linux-gnu/libQtScript.so.4.8.3)
==6181==    by 0x1978C9D7: ??? (in /usr/lib/x86_64-linux-gnu/libQtScript.so.4.8.3)
==6181==    by 0x1984B87B: ??? (in /usr/lib/x86_64-linux-gnu/libQtScript.so.4.8.3)
==6181==    by 0x19823141: ??? (in /usr/lib/x86_64-linux-gnu/libQtScript.so.4.8.3)
==6181==    by 0x1982338B: ??? (in /usr/lib/x86_64-linux-gnu/libQtScript.so.4.8.3)
==6181==    by 0x198F55BF: ??? (in /usr/lib/x86_64-linux-gnu/libQtScript.so.4.8.3)
==6181==    by 0x198F5C38: ??? (in /usr/lib/x86_64-linux-gnu/libQtScript.so.4.8.3)
==6181==    by 0x726002B: QObject::~QObject() (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.3)
==6181==  Address 0xf6d4080 is 0 bytes inside a block of size 3 alloc'd
==6181==    at 0x4C2B3F8: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==6181==    by 0x6A94ED0: startFromKdeinit(int, char const**) (kcrash.cpp:660)
==6181==    by 0x6A95A75: KCrash::startProcess(int, char const**, bool) (kcrash.cpp:537)
==6181==    by 0x6A95E80: KCrash::defaultCrashHandler(int) (kcrash.cpp:435)
==6181==    by 0x507649F: ??? (in /lib/x86_64-linux-gnu/libc-2.15.so)
==6181==    by 0x197E0283: ??? (in /usr/lib/x86_64-linux-gnu/libQtScript.so.4.8.3)
==6181==    by 0x1978C9D7: ??? (in /usr/lib/x86_64-linux-gnu/libQtScript.so.4.8.3)
==6181==    by 0x1984B87B: ??? (in /usr/lib/x86_64-linux-gnu/libQtScript.so.4.8.3)
==6181==    by 0x19823141: ??? (in /usr/lib/x86_64-linux-gnu/libQtScript.so.4.8.3)
==6181==    by 0x1982338B: ??? (in /usr/lib/x86_64-linux-gnu/libQtScript.so.4.8.3)
==6181==    by 0x198F55BF: ??? (in /usr/lib/x86_64-linux-gnu/libQtScript.so.4.8.3)
==6181==    by 0x198F5C38: ??? (in /usr/lib/x86_64-linux-gnu/libQtScript.so.4.8.3)
==6181== 
sock_file=/home/gerald/.kde/socket-obelix/kdeinit4__0
QSocketNotifier: Invalid socket 18 and type 'Read', disabling...
QSocketNotifier: Invalid socket 13 and type 'Read', disabling...
==6181== Thread 2:
==6181== Invalid read of size 2
==6181==    at 0x72774C3: socketNotifierSourceCheck(_GSource*) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.3)
==6181==    by 0x7F5B88B: g_main_context_check (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3400.1)
==6181==    by 0x7F5BD21: ??? (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3400.1)
==6181==    by 0x7F5BEA3: g_main_context_iteration (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3400.1)
==6181==    by 0x7277C45: QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.3)
==6181==    by 0x72482EE: QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.3)
==6181==    by 0x7248577: QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.3)
==6181==    by 0x7149B3F: QThread::exec() (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.3)
==6181==    by 0x72289DE: QInotifyFileSystemWatcherEngine::run() (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.3)
==6181==    by 0x714CB1B: QThreadPrivate::start(void*) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.3)
==6181==    by 0x7AE6E99: start_thread (pthread_create.c:308)
==6181==    by 0x5133CBC: clone (clone.S:112)
==6181==  Address 0x1c11bfe6 is 6 bytes inside a block of size 16 free'd
==6181==    at 0x4C2A44B: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==6181==    by 0x72774C2: socketNotifierSourceCheck(_GSource*) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.3)
==6181==    by 0x7F5B88B: g_main_context_check (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3400.1)
==6181==    by 0x7F5BD21: ??? (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3400.1)
==6181==    by 0x7F5BEA3: g_main_context_iteration (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3400.1)
==6181==    by 0x7277C45: QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.3)
==6181==    by 0x72482EE: QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.3)
==6181==    by 0x7248577: QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.3)
==6181==    by 0x7149B3F: QThread::exec() (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.3)
==6181==    by 0x72289DE: QInotifyFileSystemWatcherEngine::run() (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.3)
==6181==    by 0x714CB1B: QThreadPrivate::start(void*) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.3)
==6181==    by 0x7AE6E99: start_thread (pthread_create.c:308)
==6181== 
==6181== Invalid read of size 2
==6181==    at 0x72774CB: socketNotifierSourceCheck(_GSource*) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.3)
==6181==    by 0x7F5B88B: g_main_context_check (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3400.1)
==6181==    by 0x7F5BD21: ??? (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3400.1)
==6181==    by 0x7F5BEA3: g_main_context_iteration (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3400.1)
==6181==    by 0x7277C45: QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.3)
==6181==    by 0x72482EE: QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.3)
==6181==    by 0x7248577: QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.3)
==6181==    by 0x7149B3F: QThread::exec() (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.3)
==6181==    by 0x72289DE: QInotifyFileSystemWatcherEngine::run() (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.3)
==6181==    by 0x714CB1B: QThreadPrivate::start(void*) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.3)
==6181==    by 0x7AE6E99: start_thread (pthread_create.c:308)
==6181==    by 0x5133CBC: clone (clone.S:112)
==6181==  Address 0x1c11bfe4 is 4 bytes inside a block of size 16 free'd
==6181==    at 0x4C2A44B: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==6181==    by 0x72774C2: socketNotifierSourceCheck(_GSource*) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.3)
==6181==    by 0x7F5B88B: g_main_context_check (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3400.1)
==6181==    by 0x7F5BD21: ??? (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3400.1)
==6181==    by 0x7F5BEA3: g_main_context_iteration (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3400.1)
==6181==    by 0x7277C45: QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.3)
==6181==    by 0x72482EE: QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.3)
==6181==    by 0x7248577: QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.3)
==6181==    by 0x7149B3F: QThread::exec() (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.3)
==6181==    by 0x72289DE: QInotifyFileSystemWatcherEngine::run() (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.3)
==6181==    by 0x714CB1B: QThreadPrivate::start(void*) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.3)
==6181==    by 0x7AE6E99: start_thread (pthread_create.c:308)
==6181== 
==6181== 
==6181== HEAP SUMMARY:
==6181==     in use at exit: 26,046,629 bytes in 227,983 blocks
==6181==   total heap usage: 2,549,011 allocs, 2,321,028 frees, 312,927,250 bytes allocated
==6181== 
==6181== LEAK SUMMARY:
==6181==    definitely lost: 11,236 bytes in 43 blocks
==6181==    indirectly lost: 43,674 bytes in 1,225 blocks
==6181==      possibly lost: 4,424,091 bytes in 49,358 blocks
==6181==    still reachable: 21,567,628 bytes in 177,357 blocks
==6181==         suppressed: 0 bytes in 0 blocks
==6181== Rerun with --leak-check=full to see details of leaked memory
==6181== 
==6181== For counts of detected and suppressed errors, rerun with: -v
==6181== Use --track-origins=yes to see where uninitialised values come from
==6181== ERROR SUMMARY: 2374 errors from 163 contexts (suppressed: 2 from 2)
Comment 6 Dima Ryazanov 2013-04-24 05:57:48 UTC
Created attachment 79407 [details]
New crash information added by DrKonqi

kate (3.10.2) on KDE Platform 4.10.2 using Qt 4.8.4

- What I was doing when the application crashed:

I was editing a CoffeeScript file and pressed Ctrl-Z.

-- Backtrace (Reduced):
#6  QString::operator== (this=0x78, other=...) at tools/qstring.cpp:2192
#7  0x00007f981d4e41f0 in KateHlManager::nameForIdentifier (this=0x20778b0, identifier=...) at ../../part/syntax/katesyntaxmanager.cpp:395
#8  0x00007f981d4875f9 in KateDocument::highlightingModeAt (this=0x51d4e20, position=...) at ../../part/document/katedocument.cpp:5379
#9  0x00007f981d5c9311 in SnippetCompletionModel::initData (this=0x26dbda0, view=0x54b38a0) at ../../part/snippet/snippetcompletionmodel.cpp:94
#10 0x00007f981d44a3c7 in KateCompletionWidget::startCompletion (this=this@entry=0x553b350, word=..., modelsToStart=..., invocationType=invocationType@entry=KTextEditor::CodeCompletionModel::AutomaticInvocation) at ../../part/completion/katecompletionwidget.cpp:389
Comment 7 Dima Ryazanov 2013-05-01 03:34:23 UTC
I took a look at the code in katesyntaxmanager.cpp. This function looks up "name" in "hlDict":

QString KateHlManager::identifierForName(const QString& name)
{
  KateHighlighting *hl = 0;

  if ((hl = hlDict[name]))   // QHash::operator[] inserts a default (null) entry when name is missing
    return hl->getIdentifier ();

  return QString();
}

According to the QHash documentation, if the key does not exist, it will be created with a default value:

"If the hash contains no item with the key, the function inserts a default-constructed value into the hash with the key, and returns a reference to it. If the hash contains multiple items with the key, this function returns a reference to the most recently inserted value."

So if name wasn't in hlDict, then hlDict[name] will now contain a NULL.

Then, the "nameForIdentifier" function will dereference the NULL pointer:

   if ( (*it)->getIdentifier() == identifier ) {
      return it.key();
   }

Wouldn't this explain the crash?
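As an added illustration of the lookup pitfall described in comment 7 (example code, not Kate's own), the following models hlDict with std::unordered_map, whose operator[] has the same insert-on-miss semantics as QHash::operator[]. The Highlighting and HlManager types, the sample mode names and the unknown mode "NoSuchMode" are invented for this example. It shows the pre-fix lookup leaving a null pointer in the dictionary, the reverse lookup that would then dereference it, and a find()-based lookup that has no side effect on a miss.

```cpp
// Added example, not code from the Kate repository: models the QHash::operator[]
// pitfall from comment 7 with std::unordered_map, whose operator[] likewise
// inserts a default-constructed value (a null pointer here) on a miss.
// Highlighting, HlManager and the mode names below are invented for the example.
#include <cstddef>
#include <iostream>
#include <memory>
#include <string>
#include <unordered_map>
#include <utility>
#include <vector>

struct Highlighting {
    std::string identifier;  // stands in for KateHighlighting::getIdentifier()
    std::string getIdentifier() const { return identifier; }
};

using HlDefs = std::vector<std::pair<std::string, std::string>>;  // (name, identifier)

class HlManager {
public:
    explicit HlManager(const HlDefs& defs) {
        for (const auto& d : defs) {
            owned_.push_back(std::make_unique<Highlighting>(Highlighting{d.second}));
            hlDict_[d.first] = owned_.back().get();  // raw pointers, like Kate's hlDict
        }
    }

    // Pre-fix shape: operator[] silently inserts a null pointer under `name`
    // when no such highlighting exists.
    std::string identifierForNameBuggy(const std::string& name) {
        Highlighting* hl = hlDict_[name];
        return hl ? hl->getIdentifier() : std::string();
    }

    // Fixed shape: find() is a pure lookup and never mutates the container.
    std::string identifierForName(const std::string& name) const {
        auto it = hlDict_.find(name);
        return it == hlDict_.end() ? std::string() : it->second->getIdentifier();
    }

    // Reverse lookup, as in KateHlManager::nameForIdentifier. Kate dereferences
    // every stored pointer, so a null entry left behind by the buggy lookup is
    // what produced the QString::operator== (this=0x78) segfault in the report.
    // Here the null is detected instead of dereferenced.
    std::string nameForIdentifier(const std::string& identifier) const {
        for (const auto& kv : hlDict_) {
            if (kv.second == nullptr)
                return "<null entry under key '" + kv.first + "'>";
            if (kv.second->getIdentifier() == identifier)
                return kv.first;
        }
        return std::string();
    }

    std::size_t size() const { return hlDict_.size(); }

    bool hasNullEntry() const {
        for (const auto& kv : hlDict_)
            if (kv.second == nullptr) return true;
        return false;
    }

private:
    std::vector<std::unique_ptr<Highlighting>> owned_;
    std::unordered_map<std::string, Highlighting*> hlDict_;
};

// Constructed sample dictionary: two known modes, nothing else.
static HlManager makeSampleManager() {
    HlDefs defs = {{"XML", "xml.xml"}, {"PHP (HTML)", "html-php.xml"}};
    return HlManager(defs);
}

// Reproduces the sequence from the report: look up an unknown mode name, then
// check whether the dictionary now carries a null entry that a later
// nameForIdentifier() would dereference.
bool lookupCorruptsDict(bool useBuggyLookup) {
    HlManager mgr = makeSampleManager();
    const std::size_t before = mgr.size();
    if (useBuggyLookup)
        mgr.identifierForNameBuggy("NoSuchMode");
    else
        mgr.identifierForName("NoSuchMode");
    return mgr.size() != before || mgr.hasNullEntry();
}

// Sanity check that the fixed lookup still round-trips a known mode.
bool roundTrip() {
    HlManager mgr = makeSampleManager();
    return mgr.identifierForName("XML") == "xml.xml" &&
           mgr.nameForIdentifier("xml.xml") == "XML";
}

int main() {
    std::cout << "operator[] lookup leaves a null entry: " << (lookupCorruptsDict(true) ? "yes" : "no") << '\n';
    std::cout << "find() lookup leaves a null entry:     " << (lookupCorruptsDict(false) ? "yes" : "no") << '\n';
    std::cout << "round trip with fixed lookup:          " << (roundTrip() ? "ok" : "FAILED") << '\n';
    return 0;
}
```

The same applies to Qt: QHash::value(key) or QHash::find(key) is the right call for a read-only lookup, and the const overload of operator[] (which does not insert) is only selected when the container itself is const. Running the container under valgrind does not flag the insertion, since the null is a legitimately stored value; the error only surfaces at the later dereference, which is exactly what the trace in comment 2 shows.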
Comment 8 Dominik Haumann 2013-08-09 12:55:03 UTC
Git commit 6516cb8e272eebebdeb4c090f4e177f5dc803534 by Dominik Haumann.
Committed on 09/08/2013 at 12:54.
Pushed by dhaumann into branch 'master'.

fix crash in KateHlManager::identifierForName

Thanks to Gerald for lots of testing + valgrind trace :)
Thanks to Dima Ryazanov <dima@gmail.com> for the patch!

FIXED-IN: 4.11.1

M  +2    -4    part/syntax/katesyntaxmanager.cpp

http://commits.kde.org/kate/6516cb8e272eebebdeb4c090f4e177f5dc803534
Comment 9 Dominik Haumann 2013-08-09 12:55:23 UTC
Git commit 7f9ea56ea8d6140d586e93426c8ad243cc8fd2b5 by Dominik Haumann.
Committed on 09/08/2013 at 12:54.
Pushed by dhaumann into branch 'KDE/4.11'.

fix crash in KateHlManager::identifierForName

Thanks to Gerald for lots of testing + valgrind trace :)
Thanks to Dima Ryazanov <dima@gmail.com> for the patch!

FIXED-IN: 4.11.1

M  +2    -4    part/syntax/katesyntaxmanager.cpp

http://commits.kde.org/kate/7f9ea56ea8d6140d586e93426c8ad243cc8fd2b5
Comment 10 Gerald Senarclens de Grancy 2013-08-11 17:33:36 UTC
Issue doesn't reproduce anymore. Thanks for the fix!