Bug 363881

Summary: akonadi_control fails with memory corruption
Product: [Frameworks and Libraries] Akonadi Reporter: Andreas Schneider <asn>
Component: serverAssignee: kdepim bugs <kdepim-bugs>
Status: RESOLVED FIXED    
Severity: normal CC: amantia, bugs.kde.org-1, eveith, evgom.sid, opuetz
Priority: NOR    
Version: 5.2.0   
Target Milestone: ---   
Platform: Other   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:

Description Andreas Schneider 2016-06-03 06:49:28 UTC 
When starting akonadi, akonadi_control offen fails with a memory corruption

*** Error in `/usr/bin/akonadi_control': malloc(): memory corruption (fast): 0x00000000023ff191 ***

I wasn't able to catch it with valgrind, I only have a backtrace till now.

(gdb) bt
#0  0x00007f594194e56b in __lll_lock_wait_private () at ../nptl/sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:95
#1  0x00007f59418da914 in _L_lock_8340 () at malloc.c:5203
#2  0x00007f59418d7717 in malloc_check (sz=140021331916320, caller=<optimized out>) at hooks.c:278
#3  0x00007f59437107ee in _dl_map_object_deps (map=map@entry=0x7f59438ed9b8, preloads=preloads@entry=0x0, npreloads=npreloads@entry=0, trace_mode=trace_mode@entry=0, open_mode=open_mode@entry=-2147483648) at dl-deps.c:511
#4  0x00007f594371693c in dl_open_worker (a=a@entry=0x7ffd3a54d228) at dl-open.c:261
#5  0x00007f59437127a4 in _dl_catch_error (objname=objname@entry=0x7ffd3a54d218, errstring=errstring@entry=0x7ffd3a54d220, mallocedp=mallocedp@entry=0x7ffd3a54d217, operate=operate@entry=0x7f5943716830 <dl_open_worker>, args=args@entry=0x7ffd3a54d228) at dl-error.c:187
#6  0x00007f59437162fb in _dl_open (file=0x7f59419bc666 "libgcc_s.so.1", mode=-2147483647, caller_dlopen=<optimized out>, nsid=-2, argc=1, argv=0x7ffd3a54e778, env=0x7ffd3a54e788)
    at dl-open.c:650
#7  0x00007f59419773b2 in do_dlopen (ptr=ptr@entry=0x7ffd3a54d450) at dl-libc.c:87
#8  0x00007f59437127a4 in _dl_catch_error (objname=0x7ffd3a54d430, errstring=0x7ffd3a54d438, mallocedp=0x7ffd3a54d42f, operate=0x7f5941977370 <do_dlopen>, args=0x7ffd3a54d450)
    at dl-error.c:187
#9  0x00007f594197744f in dlerror_run (operate=operate@entry=0x7f5941977370 <do_dlopen>, args=args@entry=0x7ffd3a54d450) at dl-libc.c:46
#10 0x00007f59419774c1 in __GI___libc_dlopen_mode (name=name@entry=0x7f59419bc666 "libgcc_s.so.1", mode=mode@entry=-2147483647) at dl-libc.c:163
#11 0x00007f594194ee15 in init () at ../sysdeps/x86_64/backtrace.c:52
#12 0x00007f594164d400 in pthread_once () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_once.S:103
#13 0x00007f594194ef2c in __GI___backtrace (array=array@entry=0x7ffd3a54d4f0, size=size@entry=64) at ../sysdeps/x86_64/backtrace.c:103
#14 0x00007f594187cd52 in backtrace_and_maps (do_abort=<optimized out>, do_abort@entry=2, written=<optimized out>, fd=fd@entry=2) at ../sysdeps/unix/sysv/linux/libc_fatal.c:47
#15 0x00007f59418cf75f in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7f59419c1ad0 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:172
#16 0x00007f59418d4fce in malloc_printerr (action=3, str=0x7f59419c1e70 "malloc(): memory corruption (fast)", ptr=<optimized out>) at malloc.c:4993
#17 0x00007f59418d737b in _int_malloc (av=av@entry=0x7f5941bff620 <main_arena>, bytes=bytes@entry=65) at malloc.c:3358
#18 0x00007f59418d7732 in malloc_check (sz=64, caller=<optimized out>) at hooks.c:279
#19 0x00007f5942250044 in QArrayData::allocate(unsigned long, unsigned long, unsigned long, QFlags<QArrayData::AllocationOption>) () at /usr/lib64/libQt5Core.so.5
#20 0x00007f59422d932a in QString::reallocData(unsigned int, bool) () at /usr/lib64/libQt5Core.so.5
#21 0x00007f5942fd6843 in  () at /usr/lib64/libQt5DBus.so.5
#22 0x00007f5942fd6fa0 in  () at /usr/lib64/libQt5DBus.so.5
#23 0x00007f5942fd96fe in  () at /usr/lib64/libQt5DBus.so.5
#24 0x00007f594243b1f6 in QObject::event(QEvent*) () at /usr/lib64/libQt5Core.so.5
#25 0x00007f59424100cc in QCoreApplication::notify(QObject*, QEvent*) () at /usr/lib64/libQt5Core.so.5
#26 0x00007f5942410005 in QCoreApplication::notifyInternal2(QObject*, QEvent*) () at /usr/lib64/libQt5Core.so.5
#27 0x00007f5942411dea in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () at /usr/lib64/libQt5Core.so.5
#28 0x00007f5942460d53 in  () at /usr/lib64/libQt5Core.so.5
#29 0x00007f593f8fcc84 in g_main_context_dispatch () at /usr/lib64/libglib-2.0.so.0
#30 0x00007f593f8fced8 in  () at /usr/lib64/libglib-2.0.so.0
#31 0x00007f593f8fcf7c in g_main_context_iteration () at /usr/lib64/libglib-2.0.so.0
#32 0x00007f59424603fb in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () at /usr/lib64/libQt5Core.so.5
#33 0x00007f594240e04b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () at /usr/lib64/libQt5Core.so.5
#34 0x00007f5942415f56 in QCoreApplication::exec() () at /usr/lib64/libQt5Core.so.5
#35 0x00000000004275e5 in AkApplicationBase::exec() (this=<optimized out>) at /usr/src/debug/akonadi-16.04.1/src/shared/akapplication.cpp:117
#36 0x00000000004097eb in main(int, char**) (argc=1, argv=<optimized out>) at /usr/src/debug/akonadi-16.04.1/src/akonadicontrol/main.cpp:91

Reproducible: Sometimes
Comment 1 Andreas Schneider 2016-06-09 07:36:22 UTC 
I think there is a race condition. If I start akonadi and then kontact, akonadi 8 out of 10 times doesn't work and react. I have to kill all akonadi processes. However if I run start akonadi_control with valgrind, everything starts to work.
Comment 2 O. Puetz 2016-06-12 17:41:11 UTC 
I can confirm this malloc crash happening in different akonadi modules at first. Running a test system without akonadi, kded crashed with the same malloc error after a while (run time varies).
Test system config and tested software versions:
- AMD Phenom II with 16GB RAM
- openSUSE Leap 42.1
- Qt 5.6.0 and now 5.6.1
- KDE Frameworks 5.2.1 and now 5.2.2
- Plasma 5.6.3 and now 5.6.4
- KDE:Applications 16.04.1

To me it seems this is no KDE PIM bug, it should be in some of the underlying software layers. And may be related with specific hardware config.
Wiping /tmp seems to help at first, but it just allowed akonadi to start successfully and after an undetermined time a malloc error appeared again (e.g. in akonadi imap resource).

BTW, an identical setup in a VirtualBox machine runs without these malloc crashes.

Some other users are faced with the same or similar problem, see https://forums.opensuse.org/showthread.php/516850-After-Updating-KDE-FW-to-5-20-and-Plasma-to-5-6-(with-Qt-to-5-6-as-well)-Akonadi-quot-doesn-t-work-quot
Comment 3 Andreas Schneider 2016-06-13 14:04:56 UTC 
Yes, after further debugging it seems to be an issue in Qt serializing a buffer. I opened https://bugreports.qt.io/browse/QTBUG-53957 but I'm not able to provide any useful valgrind output till now.
Comment 4 Eric MSP Veith 2016-06-28 06:25:41 UTC 
I am also facing this bug. I have tried to make akonadi_control create a core dump when it crashes, but adding "ulimit -c 52428800" to ~/.Xprofile didn't help. Andreas, how did you attach valgrind/gdb to akonadi_control?
Comment 5 Eric MSP Veith 2016-07-22 10:57:57 UTC 
It took me a bit of fiddeling and much patience to encouter this bug with GDB. But here it is. I've got a backtrace and a core dump. The core dump file is quite big, so I've uploaded it to an external source (6,7 MB > 4000kB; sorry, self-signed cert...): 

- https://oc.veith-m.de/index.php/s/fK7kcbw7mYQORPg
- https://oc.veith-m.de/index.php/s/pLRB5I0VBPE2rdl

I'm not sure whether this is actually a KDE-specific bug? Perhaps only something in KDE triggers it, I don't see any KDE libs in the backtrace. But I'm by no means an expert here; I hope this helps somebody.

Here are the last few lines before emitting a SIGSEGV:

[...]
QDBusObjectPath Akonadi::Server::NotificationManager::subscribe(const QString&, bool) Akonadi::Server::NotificationManager(0x85b830) "akonadi_followupreminder_agent_28779_PP6Fkp" false
QDBusObjectPath Akonadi::Server::NotificationManager::subscribe(const QString&, bool) Akonadi::Server::NotificationManager(0x85b830) "akonadi_ical_resource_3_28781_zVEkXR" false
QDBusObjectPath Akonadi::Server::NotificationManager::subscribe(const QString&, bool) Akonadi::Server::NotificationManager(0x85b830) "akonadi_davgroupware_resource_2_28778_uaMY6p" false
QDBusObjectPath Akonadi::Server::NotificationManager::subscribe(const QString&, bool) Akonadi::Server::NotificationManager(0x85b830) "akonadi_archivemail_agent_28775_ubx5xw" false
QDBusObjectPath Akonadi::Server::NotificationManager::subscribe(const QString&, bool) Akonadi::Server::NotificationManager(0x85b830) "akonadi_mailfilter_agent_28801_MpmVCD" false
QDBusObjectPath Akonadi::Server::NotificationManager::subscribe(const QString&, bool) Akonadi::Server::NotificationManager(0x85b830) "akonadi_maildir_resource_5_28794_K6eQWS" false
QDBusObjectPath Akonadi::Server::NotificationManager::subscribe(const QString&, bool) Akonadi::Server::NotificationManager(0x85b830) "akonadi_maildispatcher_agent_28799_xR5u02" false
QDBusObjectPath Akonadi::Server::NotificationManager::subscribe(const QString&, bool) Akonadi::Server::NotificationManager(0x85b830) "akonadi_imap_resource_6_28790_7aAYVF" false
QDBusObjectPath Akonadi::Server::NotificationManager::subscribe(const QString&, bool) Akonadi::Server::NotificationManager(0x85b830) "akonadi_sendlater_agent_28806_FPSn8U" false
Cannot pause an inactive timer
Cannot pause an inactive timer
QDBusObjectPath Akonadi::Server::NotificationManager::subscribe(const QString&, bool) Akonadi::Server::NotificationManager(0x85b830) "akonadi_imap_resource_5_28786_7wZJ5V" false
QDBusObjectPath Akonadi::Server::NotificationManager::subscribe(const QString&, bool) Akonadi::Server::NotificationManager(0x85b830) "akonadi_newmailnotifier_agent_28804_e4MqgF" false
QDBusObjectPath Akonadi::Server::NotificationManager::subscribe(const QString&, bool) Akonadi::Server::NotificationManager(0x85b830) "akonadi_notes_agent_28805_lXx6g1" false
QDBusObjectPath Akonadi::Server::NotificationManager::subscribe(const QString&, bool) Akonadi::Server::NotificationManager(0x85b830) "akonadi_invitations_agent_0_28792_q6189K" false
QDBusObjectPath Akonadi::Server::NotificationManager::subscribe(const QString&, bool) Akonadi::Server::NotificationManager(0x85b830) "akonadi_indexing_agent_28791_GC7RfJ" false
QDBusObjectPath Akonadi::Server::NotificationManager::subscribe(const QString&, bool) Akonadi::Server::NotificationManager(0x85b830) "akonadi_migration_agent_28803_YOhJyk" false
QDBusObjectPath Akonadi::Server::NotificationManager::subscribe(const QString&, bool) Akonadi::Server::NotificationManager(0x85b830) "akonadi_ical_resource_4_28783_srS5ST" false
*** Error in `/usr/bin/akonadi_control': malloc(): memory corruption (fast): 0x00007fffd8018e3c ***
[New Thread 0x7fffde0b0700 (LWP 28765)]
[New Thread 0x7fffecb6d700 (LWP 28764)]

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff5aebb2e in _dbus_counter_notify (counter=0x7fffd800dae0) at dbus-resources.c:187
187     dbus-resources.c: Datei oder Verzeichnis nicht gefunden.
(gdb) bt
#0  0x00007ffff5aebb2e in _dbus_counter_notify (counter=0x7fffd800dae0) at dbus-resources.c:187
#1  0x00007ffff5ae4bc2 in free_counter (element=0x7fffd800dae0, data=0x7fffd800f0e0) at dbus-message.c:639
#2  0x00007ffff5ae50d2 in dbus_message_unref (message=0x7fffd800f0e0) at dbus-message.c:661
#3  0x00007ffff5ae50d2 in dbus_message_unref (message=0x7fffd800f0e0) at dbus-message.c:1707
#4  0x00007ffff76b72a7 in  () at /usr/lib64/libQt5DBus.so.5
#5  0x00007ffff76b747b in QDBusMessage::~QDBusMessage() () at /usr/lib64/libQt5DBus.so.5
#6  0x00007ffff76a970c in  () at /usr/lib64/libQt5DBus.so.5
#7  0x00007ffff76a9779 in  () at /usr/lib64/libQt5DBus.so.5
#8  0x00007ffff6ae7da3 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () at /usr/lib64/libQt5Core.so.5
#9  0x00007ffff6b36ca3 in  () at /usr/lib64/libQt5Core.so.5
#10 0x00007ffff3fd0c84 in g_main_context_dispatch () at /usr/lib64/libglib-2.0.so.0
#11 0x00007ffff3fd0ed8 in  () at /usr/lib64/libglib-2.0.so.0
#12 0x00007ffff3fd0f7c in g_main_context_iteration () at /usr/lib64/libglib-2.0.so.0
#13 0x00007ffff6b3632c in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () at /usr/lib64/libQt5Core.so.5
#14 0x00007ffff6ae3fcb in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () at /usr/lib64/libQt5Core.so.5
#15 0x00007ffff6aebeb6 in QCoreApplication::exec() () at /usr/lib64/libQt5Core.so.5
#16 0x00000000004097eb in  ()
#17 0x00007ffff5f52b25 in __libc_start_main () at /lib64/libc.so.6
#18 0x00000000004099e7 in _start ()
Comment 6 András Manţia 2016-10-09 08:51:50 UTC 
akonadiconsole also crashes in a similar way after a while (can't run in valgrind so far as it crashes in webengine that way on startup):

#0  0x00007fffeb6f20c7 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56                                                  
#1  0x00007fffeb6f3478 in __GI_abort () at abort.c:78                                                                                                 
#2  0x00007fffeb72f784 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7fffeb821b78 "*** Error in `%s': %s: 0x%s ***\n")                
    at ../sysdeps/posix/libc_fatal.c:175                                                                                                              
#3  0x00007fffeb735026 in malloc_printerr (action=3, str=0x7fffeb822240 "malloc(): memory corruption (fast)", ptr=<optimized out>, ar_ptr=<optimized out>) at malloc.c:5037                                                                                                                                 
#4  0x00007fffeb7375d5 in _int_malloc (av=av@entry=0x7fffbc000020, bytes=bytes@entry=70) at malloc.c:3392                                             
#5  0x00007fffeb73895c in __GI___libc_malloc (bytes=70) at malloc.c:2908                                                                              
#6  0x00007fffec3b286f in QArrayData::allocate(unsigned long, unsigned long, unsigned long, QFlags<QArrayData::AllocationOption>) (objectSize=objectSize@entry=2, alignment=alignment@entry=8, capacity=capacity@entry=23, options=..., options@entry=...) at tools/qarraydata.cpp:114                      
#7  0x00007fffec434b23 in QString::QString(int, Qt::Initialization) (options=..., capacity=23) at ../../src/corelib/tools/qarraydata.h:222            
#8  0x00007fffec434b23 in QString::QString(int, Qt::Initialization) (this=0x7fffc3ffe570, size=22) at tools/qstring.cpp:1565                          
#9  0x00007fffec5be29d in QUtf8::convertToUnicode(char const*, int) (chars=chars@entry=0x137ad0c "Akonadi::ItemCreateJob", len=22)                    
    at codecs/qutfcodec.cpp:264                                                                                                                       
#10 0x00007fffec43b3ce in QString::fromUtf8_helper(char const*, int) (str=str@entry=0x137ad0c "Akonadi::ItemCreateJob", size=<optimized out>)         
    at tools/qstring.cpp:4785                                                                                                                         
#11 0x00007fffeeafbf2d in QDBusDemarshaller::toVariantInternal() (size=-1, str=0x137ad0c "Akonadi::ItemCreateJob")                                    
    at ../../src/corelib/tools/qstring.h:543                                                                                                          
#12 0x00007fffeeafbf2d in QDBusDemarshaller::toVariantInternal() (this=0x7fffc3ffe610) at qdbusdemarshaller.cpp:133                                   
#13 0x00007fffeeafbf2d in QDBusDemarshaller::toVariantInternal() (this=this@entry=0x7fffc3ffe620) at qdbusdemarshaller.cpp:261
#14 0x00007fffeead21db in QDBusMessagePrivate::fromDBusMessage(DBusMessage*, QFlags<QDBusConnection::ConnectionCapability>) (dmsg=<optimized out>, capabilities=...) at qdbusmessage.cpp:251
#15 0x00007fffeeaca8ce in qDBusSignalFilter(DBusConnection*, DBusMessage*, void*) (connection=<optimized out>, message=<optimized out>, data=0x7fffbc0030f0) at qdbusintegrator.cpp:510
#16 0x00007fffdcd9e6a6 in dbus_connection_dispatch (connection=0x7fffbc00e140) at dbus-connection.c:4677
#17 0x00007fffeeaca4f1 in QDBusConnectionPrivate::doDispatch() (connection=<optimized out>) at qdbus_symbols_p.h:195
#18 0x00007fffeeaca4f1 in QDBusConnectionPrivate::doDispatch() (this=this@entry=0x7fffbc0030f0) at qdbusintegrator.cpp:1177
#19 0x00007fffeeaca7e9 in QDBusConnectionPrivate::socketRead(int) (this=0x7fffbc0030f0, fd=17) at qdbusintegrator.cpp:1203
#20 0x00007fffec590cfc in QMetaObject::activate(QObject*, int, int, void**) (a=0x7fffc3ffea50, r=0x7fffbc0030f0, this=0x7fffbc010300)
    at ../../src/corelib/kernel/qobject_impl.h:130
#21 0x00007fffec590cfc in QMetaObject::activate(QObject*, int, int, void**) (sender=sender@entry=0x7fffbc00deb0, signalOffset=<optimized out>, local_signal_index=local_signal_index@entry=0, argv=argv@entry=0x7fffc3ffea50) at kernel/qobject.cpp:3723
#22 0x00007fffec591247 in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (sender=sender@entry=0x7fffbc00deb0, m=m@entry=0x7fffec9ad620 <QSocketNotifier::staticMetaObject>, local_signal_index=local_signal_index@entry=0, argv=argv@entry=0x7fffc3ffea50) at kernel/qobject.cpp:3602
#23 0x00007fffec60816e in QSocketNotifier::activated(int, QSocketNotifier::QPrivateSignal) (this=this@entry=0x7fffbc00deb0, _t1=17)
    at .moc/moc_qsocketnotifier.cpp:135
#24 0x00007fffec59d7f9 in QSocketNotifier::event(QEvent*) (this=0x7fffbc00deb0, e=0x7fffc3ffeb90) at kernel/qsocketnotifier.cpp:266
#25 0x00007fffec5685f1 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (event=0x7fffc3ffeb90, receiver=0x7fffbc00deb0)
    at kernel/qcoreapplication.cpp:1063
#26 0x00007fffec5685f1 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (receiver=0x7fffbc00deb0, event=event@entry=0x7fffc3ffeb90)
    at kernel/qcoreapplication.cpp:987
#27 0x00007fffec5b7b3e in socketNotifierSourceDispatch(GSource*, GSourceFunc, gpointer) (event=0x7fffc3ffeb90, receiver=<optimized out>)
    at ../../src/corelib/kernel/qcoreapplication.h:231
#28 0x00007fffec5b7b3e in socketNotifierSourceDispatch(GSource*, GSourceFunc, gpointer) (source=0x7fffbc002e00)
---Type <return> to continue, or q <return> to quit---
    at kernel/qeventdispatcher_glib.cpp:106
#29 0x00007fffdab04c84 in g_main_context_dispatch (context=0x7fffbc000990) at gmain.c:3122
#30 0x00007fffdab04c84 in g_main_context_dispatch (context=context@entry=0x7fffbc000990) at gmain.c:3737
#31 0x00007fffdab04ed8 in g_main_context_iterate (context=context@entry=0x7fffbc000990, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3808
#32 0x00007fffdab04f7c in g_main_context_iteration (context=0x7fffbc000990, may_block=1) at gmain.c:3869
#33 0x00007fffec5b6f4b in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (this=0x7fffbc0008c0, flags=...)
    at kernel/qeventdispatcher_glib.cpp:425
#34 0x00007fffec56689b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (this=this@entry=0x7fffc3ffeda0, flags=..., flags@entry=...)
    at kernel/qeventloop.cpp:210
#35 0x00007fffec3ad02a in QThread::exec() (this=this@entry=0x7fffeed22d00 <(anonymous namespace)::Q_QGS__q_manager::innerFunction()::holder>)
    at thread/qthread.cpp:507
#36 0x00007fffeeab9465 in QDBusConnectionManager::run() (this=0x7fffeed22d00 <(anonymous namespace)::Q_QGS__q_manager::innerFunction()::holder>)
    at qdbusconnection.cpp:196
#37 0x00007fffec3b1859 in QThreadPrivate::start(void*) (arg=0x7fffeed22d00 <(anonymous namespace)::Q_QGS__q_manager::innerFunction()::holder>)
    at thread/qthread_unix.cpp:344
#38 0x00007ffff21330a4 in start_thread (arg=0x7fffc3fff700) at pthread_create.c:309
#39 0x00007fffeb7a202d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
Comment 7 Andreas Schneider 2016-10-10 06:06:36 UTC 
András, you might want to look at the QT bug I created. Hopefully this happend for you with QT 5.7 :)

https://bugreports.qt.io/browse/QTBUG-53957