Bug 359758

Summary: Dolphin crashes on exit when you specify the --icon command line parameter
Product: [Frameworks and Libraries] frameworks-frameworkintegration Reporter: Wolfgang Bauer <wbauer1>
Component: generalAssignee: kdelibs bugs <kdelibs-bugs>
Status: RESOLVED UPSTREAM    
Severity: crash CC: aspotashev, cpigat242, crglasoe, elvis.angelaccio, frank78ac, inssecure, montel, mrbm74, ohtf.xqr
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: openSUSE   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:
Attachments: Add some debug output to KIconLoader

Description Wolfgang Bauer 2016-02-24 16:30:14 UTC 
When you specify a window icon via the --icon parameter, dolphin crashes on exit with the following backtrace:
Application: dolphin (dolphin), signal: Segmentation fault
Using host libthread_db library "/lib64/libthread_db.so.1".
[KCrash Handler]
#5  0x00007f96a8e963d4 in QHash<QString, QHashDummyValue>::deleteNode2(QHashData::Node*) (node=0x2514240) at /usr/include/qt5/QtCore/qbasicatomic.h:118
#6  0x00007f96a59a96b9 in QHashData::free_helper(void (*)(QHashData::Node*)) (this=0x20128b0, node_delete=0x7f96a8e963d0 <QHash<QString, QHashDummyValue>::deleteNode2(QHashData::Node*)>) at tools/qhash.cpp:491
#7  0x00007f96a8e9304d in KIconLoader::~KIconLoader() (this=<optimized out>, x=<optimized out>) at /usr/include/qt5/QtCore/qhash.h:621
#8  0x00007f96a8e9304d in KIconLoader::~KIconLoader() (this=0x1fdb170, __in_chrg=<optimized out>) at /usr/include/qt5/QtCore/qhash.h:342
#9  0x00007f96a8e9304d in KIconLoader::~KIconLoader() (this=0x1fdb170, __in_chrg=<optimized out>) at /usr/include/qt5/QtCore/qset.h:46
#10 0x00007f96a8e9304d in KIconLoader::~KIconLoader() (this=0x1fdb100, __in_chrg=<optimized out>) at /usr/src/debug/kiconthemes-5.19.0/src/kiconloader.cpp:147
#11 0x00007f96a8e9304d in KIconLoader::~KIconLoader() (this=0x7f96a90a8bb0 <(anonymous namespace)::Q_QGS_globalIconLoader::innerFunction()::holder>, __in_chrg=<optimized out>) at /usr/src/debug/kiconthemes-5.19.0/src/kiconloader.cpp:560
#12 0x00007f96a8e931e9 in (anonymous namespace)::Q_QGS_globalIconLoader::innerFunction()::Holder::~Holder() () at /usr/src/debug/kiconthemes-5.19.0/src/kiconloader.cpp:1624
#13 0x00007f96ab788b19 in __run_exit_handlers () at /lib64/libc.so.6
#14 0x00007f96ab788b65 in  () at /lib64/libc.so.6
#15 0x00007f96ab772b0c in __libc_start_main () at /lib64/libc.so.6
#16 0x00000000004007be in _start ()

This is with dolphin 15.12.2 (but it also happens with 15.12.1 and 15.12.0), Qt 5.5.1 and KDE Frameworks 5.19.0.

Reproducible: Always

Steps to Reproduce:
1. run e.g. "dolphin --icon system-file-manager"
2. close dolphin

Actual Results:  
Dolphin crashes with the mentioned backtrace.

Expected Results:  
Dolphin should exit cleanly.

I cannot reproduce the crash with any other KF5 application, so it seems to be something specific to dolphin.

Downgrading KDE Frameworks to 5.16.0 eliminates the crash, so it seems to be caused by some change in Frameworks between 5.16.0 and 5.19.0.
http://bugzilla.opensuse.org/show_bug.cgi?id=965514 would suggest it started with 5.18.0.

Only downgrading kiconthemes does not help though.

I'll try to find out which change exactly causes this.
Comment 1 Frank Reininghaus 2016-02-25 23:26:32 UTC 
I can confirm this. I wonder if this is related to the recent QString -> QStringLiteral changes.

It crashes in the destructor of KIconLoader's mAvailableIcons member, which is a QSet<QString>. Maybe the global static KIconLoader gets destoyed after the library that has the read-only QStringLiteral data has already been unloaded? In that case, it seems likely that the application will crash.

This makes me wonder if using QStringLiteral everywhere is really a good idea, since you never know if the QString will end up in a global static object at some point.

(In reply to Wolfgang Bauer from comment #0)
> I'll try to find out which change exactly causes this.

That would be great!
Comment 2 Frank Reininghaus 2016-02-26 00:02:24 UTC 
Created attachment 97559 [details]
Add some debug output to KIconLoader
Comment 3 Frank Reininghaus 2016-02-26 00:12:25 UTC 
I hacked some debug output into KIconLoader::hasIcon(const QString&), to see the address of the internal data for each string, and to the KIconLoader destructor, where I first print the address of a string and then try to print the string itself.

This way, I found that the string "dialog-close" is the culprit, which I found with grep in frameworkintegration (src/kstyle/kstyle.cpp). It was made a QStringLiteral in this commit, which was made between 5.16 and 5.17:

https://quickgit.kde.org/?p=frameworkintegration.git&a=commit&h=7bbc6c98222eb6db988ed78fc334ad9eef0bb6fb

Reverting that commit fixes the crash for me.

I'll assign to frameworkintegration and CC Laurent, who committed this change. It seems that we have to think about whether

a) Everyone who makes QString -> QStringLiteral replacements should be EXTREMELY careful (which is very difficult, since it is not always obvious if passing a QString to a function will result in the string being stored in a global static object),

b) Classes like KIconLoader, which are used as global static objects, should copy all strings that they get to the heap in order to prevent such crashes (which might also be difficult to do consistently).
Comment 4 Wolfgang Bauer 2016-02-26 14:09:10 UTC 
(In reply to Frank Reininghaus from comment #3)
> https://quickgit.kde.org/?p=frameworkintegration.
> git&a=commit&h=7bbc6c98222eb6db988ed78fc334ad9eef0bb6fb
> 
> Reverting that commit fixes the crash for me.
Yes, I found this out myself too meanwhile.

Btw, I was wrong, sorry. The crash does not only happen with dolphin, but also other applications (not all though, I couldn't reproduce it with the ones I tried earlier).
Comment 5 Alexander Potashev 2016-03-27 16:44:49 UTC 
I've just got a similar stacktrace from Lokalize-15.12.2 with KF 5.20.0.
Comment 6 Alexander Potashev 2016-03-27 18:54:44 UTC 
(In reply to Alexander Potashev from comment #5)
> I've just got a similar stacktrace from Lokalize-15.12.2 with KF 5.20.0.

=====

Application: lokalize (lokalize), signal: Segmentation fault
Using host libthread_db library "/lib64/libthread_db.so.1".
[Current thread is 1 (Thread 0x7f2caa9f57c0 (LWP 8907))]

Thread 2 (Thread 0x7f2ca3fff700 (LWP 8909)):
#0  0x00007f2cb6c6baed in poll () from /lib64/libc.so.6
#1  0x00007f2cb22c3f14 in g_main_context_iterate.isra () from /usr/lib64/libglib-2.0.so.0
#2  0x00007f2cb22c402c in g_main_context_iteration () from /usr/lib64/libglib-2.0.so.0
#3  0x00007f2cb7853dcb in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib64/libQt5Core.so.5
#4  0x00007f2cb77fe79b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib64/libQt5Core.so.5
#5  0x00007f2cb764da9c in QThread::exec() () from /usr/lib64/libQt5Core.so.5
#6  0x00007f2cbbaad2c8 in QDBusConnectionManager::run() () from /usr/lib64/libQt5DBus.so.5
#7  0x00007f2cb7653430 in QThreadPrivate::start(void*) () from /usr/lib64/libQt5Core.so.5
#8  0x00007f2cb3d87314 in start_thread () from /lib64/libpthread.so.0
#9  0x00007f2cb6c746dd in clone () from /lib64/libc.so.6

Thread 1 (Thread 0x7f2caa9f57c0 (LWP 8907)):
[KCrash Handler]
#6  0x00007f2cb646bc64 in QHash<QString, QHashDummyValue>::deleteNode2(QHashData::Node*) () from /usr/lib64/libKF5IconThemes.so.5
#7  0x00007f2cb76abd19 in QHashData::free_helper(void (*)(QHashData::Node*)) () from /usr/lib64/libQt5Core.so.5
#8  0x00007f2cb6468b9c in KIconLoader::~KIconLoader() () from /usr/lib64/libKF5IconThemes.so.5
#9  0x00007f2cb6468bf9 in (anonymous namespace)::Q_QGS_globalIconLoader::innerFunction()::Holder::~Holder() () from /usr/lib64/libKF5IconThemes.so.5
#10 0x00007f2cb6bc38f9 in __run_exit_handlers () from /lib64/libc.so.6
#11 0x00007f2cb6bc3945 in exit () from /lib64/libc.so.6
#12 0x00007f2cb6bae85c in __libc_start_main () from /lib64/libc.so.6
#13 0x00000000004790f9 in _start ()
Comment 7 Wolfgang Bauer 2016-09-01 12:06:46 UTC 
*** Bug 365794 has been marked as a duplicate of this bug. ***
Comment 8 Wolfgang Bauer 2016-09-01 12:09:59 UTC 
*** Bug 365163 has been marked as a duplicate of this bug. ***
Comment 9 Wolfgang Bauer 2016-09-27 09:53:40 UTC 
Sounds related to https://bugreports.qt.io/browse/QTBUG-50829.

In any case, the mentioned patch there fixes the crash for me.
Comment 10 Christoph Feck 2017-01-09 23:00:36 UTC 
*** Bug 374733 has been marked as a duplicate of this bug. ***
Comment 11 Christoph Feck 2017-01-09 23:01:19 UTC 
*** Bug 369798 has been marked as a duplicate of this bug. ***
Comment 12 Elvis Angelaccio 2017-06-16 21:19:13 UTC 
Isn't this fixed upstream? I can't reproduce with Qt 5.9
Comment 13 Wolfgang Bauer 2017-06-17 10:13:18 UTC 
(In reply to Elvis Angelaccio from comment #12)
> Isn't this fixed upstream? I can't reproduce with Qt 5.9

Yes, it should be fixed since 5.8.0 AFAIK.
5.6.2 does not have the fix AFAICS, I have no idea about the upcoming 5.6.3.

https://codereview.qt-project.org/#/c/140750/