Bug 335382

Summary: Segmentation fault when creating or opening a file
Product: [Applications] krita Reporter: Gerald Young <supersayoyin>
Component: GeneralAssignee: Krita Bugs <krita-bugs-null>
Status: RESOLVED FIXED    
Severity: crash CC: halla, johan.thelmen
Priority: NOR Keywords: drkonqi
Version: 2.8.1   
Target Milestone: ---   
Platform: Ubuntu   
OS: Linux   
Latest Commit: http://commits.kde.org/calligra/f4be845f49f81579807501fa036778a96d2dfd97 Version Fixed In:
Sentry Crash Report:
Attachments: Patch which fixes the issue

Description Gerald Young 2014-05-26 18:44:18 UTC 
Application: krita (2.8.1)
KDE Platform Version: 4.13.0
Qt Version: 4.8.6
Operating System: Linux 3.8.11 armv7l
Distribution: Ubuntu 14.04 LTS

-- Information about the crash:
- What I was doing when the application crashed:
Launched Krita and either create or open a file then crash. This happens on Samsung ARM Chromebook (2012 model) running Chrubuntu distribution.

The crash can be reproduced every time.

-- Backtrace:
Application: Krita (krita), signal: Segmentation fault
Using host libthread_db library "/lib/arm-linux-gnueabihf/libthread_db.so.1".
[Current thread is 1 (Thread 0xb44f3000 (LWP 2420))]

Thread 7 (Thread 0xb210b410 (LWP 2421)):
#0  0xb6db6932 in read () at ../sysdeps/unix/syscall-template.S:81
#1  0xb4d709e6 in ?? () from /lib/arm-linux-gnueabihf/libglib-2.0.so.0
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

Thread 6 (Thread 0xb17ff410 (LWP 2422)):
#0  0xb6db6932 in read () at ../sysdeps/unix/syscall-template.S:81
#1  0xb4d709e6 in ?? () from /lib/arm-linux-gnueabihf/libglib-2.0.so.0
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

Thread 5 (Thread 0xb0dff410 (LWP 2426)):
#0  __libc_do_syscall () at ../ports/sysdeps/unix/sysv/linux/arm/libc-do-syscall.S:43
#1  0xb4df51d8 in __pthread_cond_wait (cond=0x126a5f8, mutex=0x126a5e0) at pthread_cond_wait.c:187
#2  0xb5d089fc in QWaitCondition::wait (this=0x126a5e0, mutex=0x126a5a8, time=<unknown type>) at thread/qwaitcondition_unix.cpp:86
#3  0xb5d05dfe in QSemaphore::acquire (this=0x126a3e0, n=1) at thread/qsemaphore.cpp:144
#4  0xb595b0ce in KisTileDataPooler::waitForWork (this=this@entry=0x126a3d8) at /build/buildd/calligra-2.8.1-1/krita/image/tiles3/kis_tile_data_pooler.cc:162
#5  0xb595b38a in KisTileDataPooler::run (this=0x126a3d8) at /build/buildd/calligra-2.8.1-1/krita/image/tiles3/kis_tile_data_pooler.cc:184
#6  0xb5d08662 in QThreadPrivate::start(void*) () at thread/qthread_unix.cpp:349
#7  0xb4df1fbc in start_thread (arg=0xb0dff410) at pthread_create.c:314
#8  0xb6dc0b3c in ?? () at ../ports/sysdeps/unix/sysv/linux/arm/nptl/../clone.S:92 from /lib/arm-linux-gnueabihf/libc.so.6
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

Thread 4 (Thread 0xae671410 (LWP 2427)):
#0  __libc_do_syscall () at ../ports/sysdeps/unix/sysv/linux/arm/libc-do-syscall.S:43
#1  0xb4df51d8 in __pthread_cond_wait (cond=0x126e8b8, mutex=0x126e8a0) at pthread_cond_wait.c:187
#2  0xb5d089fc in QWaitCondition::wait (this=0x126e8a0, mutex=0x126a9d0, time=<unknown type>) at thread/qwaitcondition_unix.cpp:86
#3  0xb5d060dc in QSemaphore::tryAcquire (this=0x126a9a8, n=1, timeout=-1) at thread/qsemaphore.cpp:221
#4  0xb596ee72 in KisTileDataSwapper::run (this=0x126a3f8) at /build/buildd/calligra-2.8.1-1/krita/image/tiles3/swap/kis_tile_data_swapper.cpp:92
#5  0xb5d08662 in QThreadPrivate::start(void*) () at thread/qthread_unix.cpp:349
#6  0xb4df1fbc in start_thread (arg=0xae671410) at pthread_create.c:314
#7  0xb6dc0b3c in ?? () at ../ports/sysdeps/unix/sysv/linux/arm/nptl/../clone.S:92 from /lib/arm-linux-gnueabihf/libc.so.6
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

Thread 3 (Thread 0xade3f410 (LWP 2438)):
#0  __libc_do_syscall () at ../ports/sysdeps/unix/sysv/linux/arm/libc-do-syscall.S:43
#1  0xb4df51d8 in __pthread_cond_wait (cond=0x1c166a8, mutex=0x1c16690) at pthread_cond_wait.c:187
#2  0xb5d089fc in QWaitCondition::wait (this=0x1c16690, mutex=0x1c16380, time=<unknown type>) at thread/qwaitcondition_unix.cpp:86
#3  0xb64e57b8 in QFileInfoGatherer::run (this=0x1c16378) at dialogs/qfileinfogatherer.cpp:214
#4  0xb5d08662 in QThreadPrivate::start(void*) () at thread/qthread_unix.cpp:349
#5  0xb4df1fbc in start_thread (arg=0xade3f410) at pthread_create.c:314
#6  0xb6dc0b3c in ?? () at ../ports/sysdeps/unix/sysv/linux/arm/nptl/../clone.S:92 from /lib/arm-linux-gnueabihf/libc.so.6
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

Thread 2 (Thread 0xa96ff410 (LWP 2439)):
#0  0xb4d70fdc in ?? () from /lib/arm-linux-gnueabihf/libglib-2.0.so.0
#1  0xb4d7124e in g_mutex_lock () from /lib/arm-linux-gnueabihf/libglib-2.0.so.0
#2  0xb0f63410 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

Thread 1 (Thread 0xb44f3000 (LWP 2420)):
[KCrash Handler]
#6  0xaba63646 in KisColor::initRGB (this=this@entry=0x1c35cc0, type=KisColor::HSY, r=r@entry=0, g=g@entry=0, b=b@entry=0, a=2.80259693e-45, a@entry=0) at /build/buildd/calligra-2.8.1-1/krita/plugins/extensions/dockers/artisticcolorselector/kis_color.cpp:141
#7  0xaba6369c in KisColor::KisColor (this=0x1c35cc0, type=<optimized out>) at /build/buildd/calligra-2.8.1-1/krita/plugins/extensions/dockers/artisticcolorselector/kis_color.cpp:79
#8  0xaba69d48 in ColorRing (this=0x1c35cc0) at /build/buildd/calligra-2.8.1-1/krita/plugins/extensions/dockers/artisticcolorselector/kis_color_selector.h:42
#9  QVector<KisColorSelector::ColorRing>::realloc (this=this@entry=0x1c35b30, asize=asize@entry=9, aalloc=<optimized out>) at /usr/include/qt4/QtCore/qvector.h:537
#10 0xaba66e20 in resize (asize=9, this=0x1c35b30) at /usr/include/qt4/QtCore/qvector.h:343
#11 KisColorSelector::recalculateRings (this=this@entry=0x1c35a30, numRings=numRings@entry=9 '\t', numPieces=numPieces@entry=12 '\f') at /build/buildd/calligra-2.8.1-1/krita/plugins/extensions/dockers/artisticcolorselector/kis_color_selector.cpp:317
#12 0xaba699f2 in KisColorSelector::KisColorSelector (this=0x1c35a30, parent=<optimized out>, type=<optimized out>) at /build/buildd/calligra-2.8.1-1/krita/plugins/extensions/dockers/artisticcolorselector/kis_color_selector.cpp:53
#13 0xaba6288a in Ui_wdgArtisticColorSelector::setupUi (this=0x1c34ca4, wdgArtisticColorSelector=0x1c34c90) at /build/buildd/calligra-2.8.1-1/obj-arm-linux-gnueabihf/krita/plugins/extensions/dockers/artisticcolorselector/ui_wdgArtisticColorSelector.h:70
#14 0xaba61b5a in ArtisticColorSelectorDock::ArtisticColorSelectorDock (this=0x1bfe110) at /build/buildd/calligra-2.8.1-1/krita/plugins/extensions/dockers/artisticcolorselector/artisticcolorselector_dock.cpp:36
#15 0xaba615a6 in ArtisticColorSelectorDockFactory::createDockWidget (this=0x1370870) at /build/buildd/calligra-2.8.1-1/krita/plugins/extensions/dockers/artisticcolorselector/artisticcolorselector_plugin.cpp:41
#16 0xb6a54870 in KoMainWindow::createDockWidget (this=0x14ae220, factory=factory@entry=0x1370870) at /build/buildd/calligra-2.8.1-1/libs/main/KoMainWindow.cpp:1818
#17 0xb6a709ac in KoView::KoView (this=0x1883398, part=<optimized out>, document=0xfa2eb0, parent=<optimized out>) at /build/buildd/calligra-2.8.1-1/libs/main/KoView.cpp:193
#18 0xb6c25fb0 in KisView2::KisView2 (this=0x1883398, part=<optimized out>, doc=0xfa2eb0, parent=<optimized out>) at /build/buildd/calligra-2.8.1-1/krita/ui/kis_view2.cpp:229
#19 0xb6bcee68 in KisPart2::createViewInstance (this=0xf4bf18, document=0xfa2eb0, parent=0x14ae220) at /build/buildd/calligra-2.8.1-1/krita/ui/kis_part2.cpp:77
#20 0xb6a9c2b2 in KoPart::createView (this=0xf4bf18, document=document@entry=0xfa2eb0, parent=parent@entry=0x14ae220) at /build/buildd/calligra-2.8.1-1/libs/main/KoPart.cpp:136
#21 0xb6a4ecb4 in KoMainWindow::setRootDocument (this=0x14ae220, doc=0xfa2eb0, part=part@entry=0xf4bf18, deletePrevious=deletePrevious@entry=true) at /build/buildd/calligra-2.8.1-1/libs/main/KoMainWindow.cpp:547
#22 0xb6a9bd92 in KoPart::deleteOpenPane (this=0xf4bf18, closing=<optimized out>) at /build/buildd/calligra-2.8.1-1/libs/main/KoPart.cpp:342
#23 0xb5dc49a8 in QMetaObject::activate (sender=0x165ae10, m=0x0, local_signal_index=0, argv=0x0) at kernel/qobject.cpp:3539
#24 0xb5dc49a8 in QMetaObject::activate (sender=0x16cdb98, m=0x0, local_signal_index=0, argv=0xbea54de8) at kernel/qobject.cpp:3539
#25 0xb65dd330 in QAbstractButton::clicked (this=0x16cdb98, _t1=False) at .moc/release-shared/moc_qabstractbutton.cpp:219
#26 0xb641cc0a in QAbstractButtonPrivate::emitClicked (this=0x16cdbb0) at widgets/qabstractbutton.cpp:548
#27 0xb641d756 in QAbstractButtonPrivate::click (this=0x16cdbb0) at widgets/qabstractbutton.cpp:541
#28 0xb641d7f2 in QAbstractButton::mouseReleaseEvent (this=0x16cdb98, e=0xbea5512c) at widgets/qabstractbutton.cpp:1123
#29 0xb61e7cb0 in QWidget::event (this=0x16cdb98, event=0xbea5512c) at kernel/qwidget.cpp:8376
#30 0xb61b25d4 in QApplicationPrivate::notify_helper (this=0x0, receiver=0x16cdb98, e=0xbea5512c) at kernel/qapplication.cpp:4567
#31 0xb61b7232 in QApplication::notify (this=0xbea54f80, receiver=0x16cdb98, e=0xbea5512c) at kernel/qapplication.cpp:4110
#32 0xbea5507c in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

Reported using DrKonqi
Comment 1 Halla Rempt 2014-05-26 18:58:37 UTC 
Hi,

I'm guessing this is an arm-related bug and that you're the first to actually try to run Krita on arm :-). I'm not sure _what_'s going on, though!
Comment 2 Gerald Young 2014-05-26 19:33:35 UTC 
Reproduced crash under gdb, and then did:
(gdb) p *(Core *)(this->m_coreData + this->m_offset)
$6 = {_vptr.Core = 0x0, rgb = {<Eigen::MatrixBase<Eigen::Matrix<float, 3, 1, 2, 3, 1> >> = {<No data fields>}, m_storage = {m_data = {array = {0, 0, 0}}}}, 
  hsx = {<Eigen::MatrixBase<Eigen::Matrix<float, 4, 1, 2, 4, 1> >> = {<No data fields>}, m_storage = {m_data = {array = {-1.34243398e-12, 0, 0, 0}}}}, type = KisColor::HSY}
(gdb) p ((Core *)(this->m_coreData + this->m_offset))->setRGB(0,0,0,0)
Cannot access memory at address 0x8
Comment 3 Halla Rempt 2014-05-26 19:36:01 UTC 
That would suggest it's a bug in Eigen... Did you build krita yourself? If so... Could you apply the patch from this review request and build against eigen3 and see if that fixes something? https://git.reviewboard.kde.org/r/116611/
Comment 4 Gerald Young 2014-05-27 17:18:35 UTC 
Applied patch from above link but crash still happens.

I think I found what happens. The problem happens is when this line:
        m_offset = quint8(16 - (reinterpret_cast<size_t>(m_coreData) % 16));
Evaluates to 16.
When that happens the assignment:
    core()->type = type;
Overflows the m_coreData buffer and overwrites the m_offset with zero, causing the following line:
    core()->setRGB(r, g, b, a);
To segfault (since reinterpret_cast<Core*>(m_coreData + m_offset) no longer points to a valid Core structure).
Comment 5 Halla Rempt 2014-05-27 17:45:55 UTC 
Okay, then it's not an eigen issue indeed. I think your analysis is quite correct!
Comment 6 Gerald Young 2014-05-28 01:11:57 UTC 
Created attachment 86873 [details]
Patch which fixes the issue

Attached patch which fixes the issue. It runs now and can paint stuff in canvas. :-)
Comment 7 Halla Rempt 2014-05-28 07:19:58 UTC 
Git commit f4be845f49f81579807501fa036778a96d2dfd97 by Boudewijn Rempt.
Committed on 28/05/2014 at 07:17.
Pushed by rempt into branch 'master'.

Patch by Supersayonin. Thanks!
CCMAIL:supersayoyin@gmail.com

A  +1077169 -0    callgrind.out.3413
M  +2    -2    krita/plugins/extensions/dockers/artisticcolorselector/kis_color.cpp

http://commits.kde.org/calligra/f4be845f49f81579807501fa036778a96d2dfd97
Comment 8 Halla Rempt 2015-10-25 13:58:32 UTC 
*** Bug 354345 has been marked as a duplicate of this bug. ***