Bug 342229

Created attachment 90125 [details]
New crash information added by DrKonqi

digikam (4.6.0) on KDE Platform 4.14.3 using Qt 4.8.6

- What I was doing when the application crashed:

Trying to open an offending jpg image. The previous crash report was *not* due to an empty thumbnail (as console output had led me to believe), but to loading this particular image.

-- Backtrace (Reduced):

It's not clear why it crash here.

Can you run digiKam in DGB to have abetter backtrace.

Also, can you identify which image crash application.

Gilles Caulier

Sorry, I can only run it in lldb, and doing so doesn't give a better backtrace:

```
(lldb) bt
* thread #1: tid = 0x2f7da0, 0x00000001000e451a libdigikamcore.4.6.0.dylib`Digikam::DImg::rotate(this=<unavailable>, angle=<unavailable>) + 794 at dimg.cpp:2395, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x11b5b1000)
  * frame #0: 0x00000001000e451a libdigikamcore.4.6.0.dylib`Digikam::DImg::rotate(this=<unavailable>, angle=<unavailable>) + 794 at dimg.cpp:2395
    frame #1: 0x00000001000e4a54 libdigikamcore.4.6.0.dylib`Digikam::DImg::rotateAndFlip(this=<unavailable>, orientation=<unavailable>) + 100 at dimg.cpp:2669
    frame #2: 0x000000010038f225 libdigikamcore.4.6.0.dylib`Digikam::EditorCore::slotImageLoaded(this=0x000000010b5680c0, loadingDescription=<unavailable>, img=<unavailable>) + 357 at editorcore.cpp:292
    frame #3: 0x000000010038ecae libdigikamcore.4.6.0.dylib`Digikam::EditorCore::qt_static_metacall(_o=0x000000010b5680c0, _c=<unavailable>, _id=<unavailable>, _a=<unavailable>) + 398 at editorcore.moc:88
    frame #4: 0x00000001033d2eae QtCore`QObject::event(this=0x000000010b5680c0, e=<unavailable>) + 638 at qobject.cpp:1222
    frame #5: 0x000000010216637b QtGui`QApplicationPrivate::notify_helper(this=<unavailable>, receiver=0x000000010b5680c0, e=0x0000000116a44320) + 251 at qapplication.cpp:4565
    frame #6: 0x0000000102167899 QtGui`QApplication::notify(this=<unavailable>, receiver=<unavailable>, e=0x0000000116a44320) + 905 at qapplication.cpp:3947
    frame #7: 0x00000001033bee46 QtCore`QCoreApplication::notifyInternal(this=<unavailable>, receiver=<unavailable>, event=<unavailable>) + 118 at qcoreapplication.cpp:953
    frame #8: 0x00000001033bf9ae QtCore`QCoreApplicationPrivate::sendPostedEvents(receiver=0x0000000116a44320, event_type=0, data=0x000000010b300fb0) + 686 at qcoreapplication.h:231
    frame #9: 0x00007fff924905b1 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
    frame #10: 0x00007fff92481c62 CoreFoundation`__CFRunLoopDoSources0 + 242
    frame #11: 0x00007fff924813ef CoreFoundation`__CFRunLoopRun + 831
    frame #12: 0x00007fff92480e75 CoreFoundation`CFRunLoopRunSpecific + 309
    frame #13: 0x00007fff8a987a0d HIToolbox`RunCurrentEventLoopInMode + 226
    frame #14: 0x00007fff8a9877b7 HIToolbox`ReceiveNextEventCommon + 479
    frame #15: 0x00007fff8a9875bc HIToolbox`_BlockUntilNextEventMatchingListInModeWithFilter + 65
    frame #16: 0x00007fff8eb7e24e AppKit`_DPSNextEvent + 1434
    frame #17: 0x00007fff8eb7d89b AppKit`-[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 122
    frame #18: 0x00007fff8eb7199c AppKit`-[NSApplication run] + 553
    frame #19: 0x000000010211cecb QtGui`QEventDispatcherMac::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) + 2059
    frame #20: 0x00000001033bc1df QtCore`QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) [inlined] QFlags<QEventLoop::ProcessEventsFlag>::QFlags(this=0x00007fff00000024) + 9 at qglobal.h:2359
    frame #21: 0x00000001033bc1d6 QtCore`QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) [inlined] QFlags<QEventLoop::ProcessEventsFlag>::QFlags(this=0x00007fff00000024) at qglobal.h:2359
    frame #22: 0x00000001033bc1d6 QtCore`QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) [inlined] QFlags<QEventLoop::ProcessEventsFlag>::operator|(f=<unavailable>) const + 59 at qeventloop.cpp:149
    frame #23: 0x00000001033bc19b QtCore`QEventLoop::exec(this=0x00007fff5fbff010, flags=(i = 0)) + 427 at qeventloop.cpp:204
    frame #24: 0x00000001033bf3f7 QtCore`QCoreApplication::exec() + 199 at qcoreapplication.cpp:1225
    frame #25: 0x000000010003a78e showfoto`main(argc=<unavailable>, argv=<unavailable>) + 2350 at main.cpp:90
    frame #26: 0x00007fff888d25fd libdyld.dylib`start + 1
```

When I declare all the local variables of interest static so they are not optimised away, line1 and line2 appear to be null pointers when the crash occurs. I don't trust this, though; their value doesn't change when I step through the loop in the debugger.

I'll upload the image on which this crash occurs. If you cannot reproduce the crash we may me dealing with a bug in the compiler or optimiser/vectoriser...

Created attachment 90127 [details]
image that crashes digikam 4.6 (and 4.4!) on OS X 10.9

Created attachment 90133 [details]
I think the code should do this

Salut Gilles,

I think the calculation of line2 is incorrect: the very first time it is effectively initialised to `data + h * w`, which is just outside the valid image data. I've attached a patch that makes this correction for 180° rotations, but maybe you ought to double-check the other cases too ... ;)
In any case I'm no longer seeing crashes with this patch.

And I stand corrected: as usual this (probably) wasn't a compiler bug but just another proof how testing with other compilers and on other platforms is an almost perfect way to find errors that somehow slip through on your usual platform.

Bug is confirmed by valgrind on Linux:

==9153== Thread 1:
==9153== Invalid read of size 4
==9153==    at 0x730A0A2: Digikam::DImg::rotate(Digikam::DImg::ANGLE) (dimg.cpp:2395)
==9153==    by 0x730A1A9: Digikam::DImg::rotateAndFlip(int) (dimg.cpp:2642)
==9153==    by 0x75AC8AA: Digikam::EditorCore::slotImageLoaded(Digikam::LoadingDescription const&, Digikam::DImg const&) (editorcore.cpp:292)
==9153==    by 0xEACA59D: QObject::event(QEvent*) (qobject.cpp:1231)
==9153==    by 0xD72A76B: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:4565)
==9153==    by 0xD730CAC: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:4351)
==9153==    by 0xD127BA9: KApplication::notify(QObject*, QEvent*) (in /usr/lib64/libkdeui.so.5.14.3)
==9153==    by 0xEAB22AC: QCoreApplication::notifyInternal(QObject*, QEvent*) (qcoreapplication.cpp:953)
==9153==    by 0xEAB557C: sendEvent (qcoreapplication.h:231)
==9153==    by 0xEAB557C: QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qcoreapplication.cpp:1577)
==9153==    by 0xEADF8FD: sendPostedEvents (qcoreapplication.h:236)
==9153==    by 0xEADF8FD: postEventSourceDispatch(_GSource*, int (*)(void*), void*) (qeventdispatcher_glib.cpp:300)
==9153==    by 0x13044A03: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.4200.0)
==9153==    by 0x13044C47: ??? (in /usr/lib64/libglib-2.0.so.0.4200.0)
==9153==  Address 0x4a85d040 is 0 bytes after a block of size 31,961,088 alloc'd
==9153==    at 0x4C29D90: operator new[](unsigned long) (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==9153==    by 0x732D25C: new_failureTolerant<unsigned char> (dimgloader.h:183)
==9153==    by 0x732D25C: Digikam::DImgLoader::new_failureTolerant(unsigned long) (dimgloader.cpp:432)
==9153==    by 0x7301C76: Digikam::DImg::allocateData() (dimg.cpp:319)
==9153==    by 0x7306701: Digikam::DImg::detach() (dimg.cpp:224)
==9153==    by 0x73068D5: Digikam::DImg::copy() const (dimg.cpp:1520)
==9153==    by 0x74CFAFA: Digikam::SharedLoadingTask::execute() (loadsavetask.cpp:251)
==9153==    by 0x74BFB25: Digikam::LoadSaveThread::run() (loadsavethread.cpp:136)
==9153==    by 0x74EE7AD: Digikam::DynamicThread::DynamicThreadPriv::run() (dynamicthread.cpp:186)
==9153==    by 0xE9A46AD: QThreadPoolThread::run() (qthreadpool.cpp:108)
==9153==    by 0xE9B079E: QThreadPrivate::start(void*) (qthread_unix.cpp:349)
==9153==    by 0xEE220A3: start_thread (in /lib64/libpthread-2.19.so)
==9153==    by 0xF8B87FC: clone (in /lib64/libc-2.19.so)
==9153== 
==9153== Invalid write of size 4
==9153==    at 0x730A0B1: Digikam::DImg::rotate(Digikam::DImg::ANGLE) (dimg.cpp:2396)
==9153==    by 0x730A1A9: Digikam::DImg::rotateAndFlip(int) (dimg.cpp:2642)
==9153==    by 0x75AC8AA: Digikam::EditorCore::slotImageLoaded(Digikam::LoadingDescription const&, Digikam::DImg const&) (editorcore.cpp:292)
==9153==    by 0xEACA59D: QObject::event(QEvent*) (qobject.cpp:1231)
==9153==    by 0xD72A76B: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:4565)
==9153==    by 0xD730CAC: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:4351)
==9153==    by 0xD127BA9: KApplication::notify(QObject*, QEvent*) (in /usr/lib64/libkdeui.so.5.14.3)
==9153==    by 0xEAB22AC: QCoreApplication::notifyInternal(QObject*, QEvent*) (qcoreapplication.cpp:953)
==9153==    by 0xEAB557C: sendEvent (qcoreapplication.h:231)
==9153==    by 0xEAB557C: QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qcoreapplication.cpp:1577)
==9153==    by 0xEADF8FD: sendPostedEvents (qcoreapplication.h:236)
==9153==    by 0xEADF8FD: postEventSourceDispatch(_GSource*, int (*)(void*), void*) (qeventdispatcher_glib.cpp:300)
==9153==    by 0x13044A03: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.4200.0)
==9153==    by 0x13044C47: ??? (in /usr/lib64/libglib-2.0.so.0.4200.0)
==9153==  Address 0x4a85d040 is 0 bytes after a block of size 31,961,088 alloc'd
==9153==    at 0x4C29D90: operator new[](unsigned long) (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==9153==    by 0x732D25C: new_failureTolerant<unsigned char> (dimgloader.h:183)
==9153==    by 0x732D25C: Digikam::DImgLoader::new_failureTolerant(unsigned long) (dimgloader.cpp:432)
==9153==    by 0x7301C76: Digikam::DImg::allocateData() (dimg.cpp:319)
==9153==    by 0x7306701: Digikam::DImg::detach() (dimg.cpp:224)
==9153==    by 0x73068D5: Digikam::DImg::copy() const (dimg.cpp:1520)
==9153==    by 0x74CFAFA: Digikam::SharedLoadingTask::execute() (loadsavetask.cpp:251)
==9153==    by 0x74BFB25: Digikam::LoadSaveThread::run() (loadsavethread.cpp:136)
==9153==    by 0x74EE7AD: Digikam::DynamicThread::DynamicThreadPriv::run() (dynamicthread.cpp:186)
==9153==    by 0xE9A46AD: QThreadPoolThread::run() (qthreadpool.cpp:108)
==9153==    by 0xE9B079E: QThreadPrivate::start(void*) (qthread_unix.cpp:349)
==9153==    by 0xEE220A3: start_thread (in /lib64/libpthread-2.19.so)
==9153==    by 0xF8B87FC: clone (in /lib64/libc-2.19.so)
==9153==

The fix is confirmed by valgrind as well. It's a one-byte-over mistake. Probably, the relevant buffer is usually a bit larger on Linux so that no crash occurs.

Git commit 94bc2463c9c1f6c9cebc4b2f2ff71ba2a54c9d9d by Marcel Wiesweg.
Committed on 28/12/2014 at 19:11.
Pushed by mwiesweg into branch 'master'.

Apply fix by RJVB <rjvbertin@gmail.com>: Correct incorrect read of one single byte beyond the buffer in the DImg 180°-rotation code

Thanks for your help.

M  +2    -2    libs/dimg/dimg.cpp

http://commits.kde.org/digikam/94bc2463c9c1f6c9cebc4b2f2ff71ba2a54c9d9d

Yes, the patch is correct. Rotation180 worked incorrectly, a column of pixels at the edge of the image has been copied to the other side. Now rotation180 working correctly.

Git commit 68cdaee316491cb81a9e217ed25a2d6b77cf6332 by Gilles Caulier.
Committed on 28/12/2014 at 20:53.
Pushed by cgilles into branch 'frameworks'.

backport patch #94bc2463c9c1f6c9cebc4b2f2ff71ba2a54c9d9d from git/master to git/frameworks branch

M  +2    -2    libs/dimg/dimg.cpp

http://commits.kde.org/digikam/68cdaee316491cb81a9e217ed25a2d6b77cf6332