Bug 398412

Summary: Discover crashes at startup with memory corruption ("corrupted size vs. prev_size")
Product: [Applications] Discover
Reporter: Patrick Silva <bugseforuns>
Component: discover
Assignee: Aleix Pol <aleixpol>
Status: RESOLVED FIXED    
Severity: critical CC: ajcm73, aleks.lecha, blackisle, claylson.martins, elrefaei.omar, gabr0, gabrielmasquediez, genesoo77072, hnrbesing, j.l.vanderzwan, jr, kde, khalid.zubair, klaussemmler, kristopher.ives, lusierra77, nate, nimbosa, sevaor, stefanperales, thecyberd3m0n, wdd5988
Priority: VHI    
Version: 5.13.5   
Target Milestone: ---   
Platform: Neon   
OS: Linux   
Attachments: valgrind log (2); New crash information added by DrKonqi (4)

Description Patrick Silva 2018-09-09 03:00:12 UTC
Plasma shows a crash notification immediately when I try to open Discover on neon dev unstable.

#0  0x00007ffff311e428 in __GI_raise (sig=sig@entry=6)
    at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff312002a in __GI_abort () at abort.c:89
#2  0x00007ffff31607ea in __libc_message (do_abort=2, fmt=fmt@entry=0x7ffff3279ed8 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff31679dc in malloc_consolidate (ar_ptr=0x7ffff34adb20 <main_arena>, ptr=0xf0a250, str=0x7ffff3276c75 "corrupted size vs. prev_size", action=<optimized out>) at malloc.c:5006
#4  0x00007ffff31679dc in malloc_consolidate (av=av@entry=0x7ffff34adb20 <main_arena>) at malloc.c:4183
#5  0x00007ffff316acde in _int_malloc (av=av@entry=0x7ffff34adb20 <main_arena>, bytes=bytes@entry=4096) at malloc.c:3450
#6  0x00007ffff316d184 in __GI___libc_malloc (bytes=4096) at malloc.c:2913
#7  0x00007ffff312e89f in __realpath (name=0xf1f0e8 "/etc/xdg/kwinscripts.knsrc", resolved=resolved@entry=0x0) at canonicalize.c:78
#8  0x00007ffff3d4cd7e in QFileSystemEngine::canonicalName(QFileSystemEntry const&, QFileSystemMetaData&) (__resolved=0x0, __name=<optimized out>)
    at /usr/include/x86_64-linux-gnu/bits/stdlib.h:48
#9  0x00007ffff3d4cd7e in QFileSystemEngine::canonicalName(QFileSystemEntry const&, QFileSystemMetaData&) (entry=..., data=...) at io/qfilesystemengine_unix.cpp:760
#10 0x00007ffff3ce2ba8 in QFileInfo::canonicalFilePath() const (name=QAbstractFileEngine::CanonicalName, this=0xf1fd10) at io/qfileinfo.cpp:59
#11 0x00007ffff3ce2ba8 in QFileInfo::canonicalFilePath() const (this=<optimized out>)
    at io/qfileinfo.cpp:567
#12 0x00007ffff5dba6c0 in  () at /usr/lib/x86_64-linux-gnu/libKF5ConfigCore.so.5
#13 0x00007ffff5dbbef1 in KConfig::KConfig(QString const&, QFlags<KConfig::OpenFlag>, QStandardPaths::StandardLocation) () at /usr/lib/x86_64-linux-gnu/libKF5ConfigCore.so.5
#14 0x00007fffa5bbd6bc in KNSBackend::KNSBackend(QObject*, QString const&, QString const&) (this=0xf13700, parent=<optimized out>, iconName=..., knsrc=...)
    at /workspace/build/libdiscover/backends/KNSBackend/KNSBackend.cpp:99
#15 0x00007fffa5bc11ce in KNSBackendFactory::newInstance(QObject*, QString const&) const (this=this@entry=0xe5cb50, parent=0x831290) at /workspace/build/libdiscover/backends/KNSBackend/KNSBackend.cpp:73
#16 0x00007ffff6cd1d60 in DiscoverBackendsFactory::backendForFile(QString const&, QString const&) const (this=this@entry=0x7fffffffd52f, libname=..., name=...)
    at /workspace/build/libdiscover/DiscoverBackendsFactory.cpp:65
#17 0x00007ffff6cd23e2 in DiscoverBackendsFactory::backend(QString const&) const (this=this@entry=0x7fffffffd52f, name=...) at /workspace/build/libdiscover/DiscoverBackendsFactory.cpp:51
#18 0x00007ffff6cd2846 in DiscoverBackendsFactory::allBackends() const (name=..., __closure=<synthetic pointer>) at /workspace/build/libdiscover/DiscoverBackendsFactory.cpp:99
#19 0x00007ffff6cd2846 in DiscoverBackendsFactory::allBackends() const (op=..., input=...)
    at /workspace/build/libdiscover/utils.h:48
#20 0x00007ffff6cd2846 in DiscoverBackendsFactory::allBackends() const (this=this@entry=0x7fffffffd52f) at /workspace/build/libdiscover/DiscoverBackendsFactory.cpp:99
#21 0x00007ffff6cbcd17 in ResourcesModel::registerAllBackends() (this=0x831290)
    at /workspace/build/libdiscover/resources/ResourcesModel.cpp:208
#22 0x00007ffff6ce1315 in ResourcesModel::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) (_o=<optimized out>, _c=<optimized out>, _id=<optimized out>, _a=<optimized out>)
    at /workspace/build/obj-x86_64-linux-gnu/libdiscover/moc_ResourcesModel.cpp:291
#23 0x00007ffff3ddbfb9 in QObject::event(QEvent*) (this=0x831290, e=<optimized out>)
    at kernel/qobject.cpp:1251
#24 0x00007ffff540839c in QApplicationPrivate::notify_helper(QObject*, QEvent*) ()
    at /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#25 0x00007ffff540fab0 in QApplication::notify(QObject*, QEvent*) ()
    at /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#26 0x00007ffff3dae228 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (receiver=0x831290, event=event@entry=0x831640) at kernel/qcoreapplication.cpp:1048
#27 0x00007ffff3db0e2e in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (event=0x831640, receiver=<optimized out>)
    at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:234
#28 0x00007ffff3db0e2e in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (receiver=receiver@entry=0x0, event_type=event_type@entry=0, data=0x7179f0)
    at kernel/qcoreapplication.cpp:1745
#29 0x00007ffff3db12a8 in QCoreApplication::sendPostedEvents(QObject*, int) (receiver=receiver@entry=0x0, event_type=event_type@entry=0) at kernel/qcoreapplication.cpp:1599
#30 0x00007ffff3e05a93 in postEventSourceDispatch(GSource*, GSourceFunc, gpointer) (s=0x75e360)
    at kernel/qeventdispatcher_glib.cpp:276
#31 0x00007fffede23197 in g_main_context_dispatch (context=0x7fffe00016f0)
    at /build/glib2.0-b4FPyK/glib2.0-2.48.2/./glib/gmain.c:3154
#32 0x00007fffede23197 in g_main_context_dispatch (context=context@entry=0x7fffe00016f0)
    at /build/glib2.0-b4FPyK/glib2.0-2.48.2/./glib/gmain.c:3769
#33 0x00007fffede233f0 in g_main_context_iterate (context=context@entry=0x7fffe00016f0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>)
    at /build/glib2.0-b4FPyK/glib2.0-2.48.2/./glib/gmain.c:3840
#34 0x00007fffede2349c in g_main_context_iteration (context=0x7fffe00016f0, may_block=may_block@entry=1) at /build/glib2.0-b4FPyK/glib2.0-2.48.2/./glib/gmain.c:3901
#35 0x00007ffff3e0509f in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (this=0x75cc50, flags=...) at kernel/qeventdispatcher_glib.cpp:423
#36 0x00007fffe7c089a1 in  () at /usr/lib/x86_64-linux-gnu/libQt5XcbQpa.so.5
#37 0x00007ffff3dac5ba in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (this=this@entry=0x7fffffffdb60, flags=..., flags@entry=...) at kernel/qeventloop.cpp:214
#38 0x00007ffff3db56c4 in QCoreApplication::exec() () at kernel/qcoreapplication.cpp:1336
#39 0x00000000004133ff in main(int, char**) (argc=1, argv=<optimized out>)
    at /workspace/build/discover/main.cpp:156
Comment 1 Christoph Feck 2018-09-13 00:09:41 UTC
*** Bug 398373 has been marked as a duplicate of this bug. ***
Comment 2 Christoph Feck 2018-09-13 00:10:19 UTC
*** Bug 398398 has been marked as a duplicate of this bug. ***
Comment 3 Christoph Feck 2018-09-13 00:10:47 UTC
*** Bug 398461 has been marked as a duplicate of this bug. ***
Comment 4 Christoph Feck 2018-09-13 00:11:07 UTC
*** Bug 398463 has been marked as a duplicate of this bug. ***
Comment 5 Christoph Feck 2018-09-13 00:11:27 UTC
*** Bug 398464 has been marked as a duplicate of this bug. ***
Comment 6 Christoph Feck 2018-09-13 00:11:46 UTC
*** Bug 398488 has been marked as a duplicate of this bug. ***
Comment 7 Christoph Feck 2018-09-13 00:12:14 UTC
*** Bug 398549 has been marked as a duplicate of this bug. ***
Comment 8 Christoph Feck 2018-09-13 00:14:26 UTC
This is a memory corruption, most likely a double-free(). A valgrind log would be nice if anyone can reproduce it.
Comment 9 Patrick Silva 2018-09-13 01:22:48 UTC
Created attachment 114923 [details]
valgrind log
Comment 10 Patrick Silva 2018-09-13 01:30:32 UTC
Created attachment 114924 [details]
valgrind log
Comment 11 Nate Graham 2018-09-13 16:45:25 UTC
*** Bug 398562 has been marked as a duplicate of this bug. ***
Comment 12 Nate Graham 2018-09-13 16:45:50 UTC
*** Bug 398564 has been marked as a duplicate of this bug. ***
Comment 13 Stefan 2018-09-14 02:23:53 UTC
Created attachment 114946 [details]
New crash information added by DrKonqi

plasma-discover (5.13.5) using Qt 5.11.1

- What I was doing when the application crashed:
Opening Discover results in a crash, as does attempting to install any packages.

-- Backtrace (Reduced):
#6  0x00007fb43d70b428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#7  0x00007fb43d70d02a in __GI_abort () at abort.c:89
[...]
#9  0x00007fb43d7549dc in malloc_printerr (ar_ptr=0x7fb43da9ab20 <main_arena>, ptr=0x32038c0, str=0x7fb43d863c75 "corrupted size vs. prev_size", action=<optimized out>) at malloc.c:5006
#10 malloc_consolidate (av=av@entry=0x7fb43da9ab20 <main_arena>) at malloc.c:4183
#11 0x00007fb43d757cde in _int_malloc (av=av@entry=0x7fb43da9ab20 <main_arena>, bytes=bytes@entry=4096) at malloc.c:3450
Comment 14 Stefan 2018-09-14 02:33:10 UTC
Created attachment 114947 [details]
New crash information added by DrKonqi

plasma-discover (5.13.5) using Qt 5.11.1

Opening Discover or attempting to install any packages results in a crash.

-- Backtrace (Reduced):
#6  0x00007faa23972428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#7  0x00007faa2397402a in __GI_abort () at abort.c:89
[...]
#9  0x00007faa239c0781 in malloc_printerr (ar_ptr=0x7faa23d01b20 <main_arena>, ptr=0x37a4c60, str=0x7faa23acac75 "corrupted size vs. prev_size", action=<optimized out>) at malloc.c:5006
#10 _int_realloc (av=av@entry=0x7faa23d01b20 <main_arena>, oldp=oldp@entry=0x37a4c10, oldsize=oldsize@entry=80, nb=nb@entry=144) at malloc.c:4298
#11 0x00007faa239c1839 in __GI___libc_realloc (oldmem=0x37a4c20, bytes=128) at malloc.c:3045
Comment 15 Patrick Silva 2018-09-14 12:01:40 UTC
*** Bug 398597 has been marked as a duplicate of this bug. ***
Comment 16 Patrick Silva 2018-09-14 12:02:01 UTC
*** Bug 398602 has been marked as a duplicate of this bug. ***
Comment 17 Nate Graham 2018-09-14 16:25:09 UTC
*** Bug 398607 has been marked as a duplicate of this bug. ***
Comment 18 David Edmundson 2018-09-14 16:51:12 UTC
Most likely source of something with that trace is an ABI break in KNS.

Can you rebuild plasma-discover from source (from the package is fine) and see if it magically fixes itself?
Comment 19 David Edmundson 2018-09-14 16:54:10 UTC
Certainly looks that way:

Provider::SearchRequest changed

Engine has an instance of that as one of its member vars directly and not as a pointer:
    Provider::SearchRequest m_currentRequest;


Adding an entry to SearchRequest changes sizeof(Engine); everything is off. *kaboom*
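Editorial illustration of the mechanism comment 19 describes (an added example, not code from KNewStuff or Discover). The Engine, Provider::SearchRequest and m_currentRequest names come from the comment; the member lists, the added `filter` field, and the d-pointer variant shown as a fix are assumptions. The two namespaces stand for the two header versions: the one the Discover plugin was compiled against and the one the rebuilt library was built with. The plugin allocates an Engine with its compiled-in sizeof, the library's constructor fills in the larger layout, and the excess bytes land in the neighbouring heap chunk's header, which is why glibc reports "corrupted size vs. prev_size" later, at an unrelated malloc() in KConfig (the crash site in the backtrace is the detector, not the corrupter).

```cpp
// Added illustration (not KNewStuff's or Discover's code) of the ABI break
// from comment 19: a class embedded by value whose size changed between the
// headers a plugin was built against and the library it runs with.
// Names mirror the comment; all field lists are invented.
#include <cstddef>
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

// Layouts as compiled into the consumer (Discover's KNSBackend plugin),
// using the KNewStuff headers from before the offending commit.
namespace old_headers {
struct SearchRequest {
    int sortMode;
    std::string searchTerm;
    std::vector<std::string> categories;
    int page;
};
struct Engine {
    void *qobjectSubobject;          // stand-in for the QObject base part
    SearchRequest m_currentRequest;  // by value: its size is part of Engine's
    int m_pageSize;
};
}  // namespace old_headers

// Layouts inside the rebuilt library, after one member was added.
namespace new_headers {
struct SearchRequest {
    int sortMode;
    std::string searchTerm;
    std::vector<std::string> categories;
    int page;
    std::string filter;              // the added entry (invented field)
};
struct Engine {
    void *qobjectSubobject;
    SearchRequest m_currentRequest;
    int m_pageSize;
};
}  // namespace new_headers

// The plugin does `new Engine` with the old sizeof; the library's constructor
// then initialises the new layout inside that too-small chunk. Every byte
// past the old size is written into the next heap chunk, starting with its
// prev_size/size header, which glibc's consolidation check later flags.
std::size_t overrunBytes() {
    return sizeof(new_headers::Engine) - sizeof(old_headers::Engine);
}

bool abiBroken() {
    return sizeof(new_headers::Engine) != sizeof(old_headers::Engine);
}

// The usual KDE remedy: keep mutable state behind a d-pointer, so the
// exported class's size no longer depends on what Private contains.
namespace pimpl_old {
struct Private { old_headers::SearchRequest currentRequest; int pageSize; };
struct Engine {
    void *qobjectSubobject;
    std::unique_ptr<Private> d;
};
}  // namespace pimpl_old

namespace pimpl_new {
struct Private { new_headers::SearchRequest currentRequest; int pageSize; };
struct Engine {
    void *qobjectSubobject;
    std::unique_ptr<Private> d;      // same size however much Private grows
};
}  // namespace pimpl_new

bool pimplStable() {
    return sizeof(pimpl_old::Engine) == sizeof(pimpl_new::Engine);
}

int main() {
    std::printf("sizeof(Engine) old=%zu new=%zu, constructor overruns by %zu bytes\n",
                sizeof(old_headers::Engine), sizeof(new_headers::Engine),
                overrunBytes());
    std::printf("d-pointer layout stable across the change: %s\n",
                pimplStable() ? "yes" : "no");
    return abiBroken() ? 1 : 0;
}
```

Build with `g++ -std=c++14 abi_break.cpp`. The exact byte counts depend on the standard library's std::string and std::vector sizes, but the inequality does not. The same size comparison explains the test in comment 18: rebuilding plasma-discover against the current headers makes both sides agree on sizeof(Engine), so if the crash disappears after a rebuild it was an ABI mismatch rather than a genuine double free in Discover.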
Comment 20 Patrick Silva 2018-09-15 03:44:26 UTC
*** Bug 398639 has been marked as a duplicate of this bug. ***
Comment 21 Jonathan Riddell 2018-09-15 09:54:14 UTC
ABI break is in Git so it will be in neon dev unstable, but it has not been in a released version of KDE Frameworks.
Comment 22 Patrick Silva 2018-09-15 11:08:27 UTC
*** Bug 398653 has been marked as a duplicate of this bug. ***
Comment 23 Dima 2018-09-15 19:41:07 UTC
Created attachment 114983 [details]
New crash information added by DrKonqi

plasma-discover (5.13.5) using Qt 5.11.1

- What I was doing when the application crashed:
tried to open updates from KDE tray. Always crashes last time

-- Backtrace (Reduced):
#6  0x00007f229cdf6428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#7  0x00007f229cdf802a in __GI_abort () at abort.c:89
[...]
#9  0x00007f229ce4137a in malloc_printerr (ar_ptr=<optimized out>, ptr=<optimized out>, str=0x7f229cf51fe8 "double free or corruption (out)", action=3) at malloc.c:5006
#10 _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:3867
#11 0x00007f229ce4553c in __GI___libc_free (mem=<optimized out>) at malloc.c:2968
Comment 24 Patrick Silva 2018-09-17 03:36:08 UTC
crash is already fixed on neon dev unstable.
Comment 25 Nate Graham 2018-09-17 03:42:26 UTC
Yep, we reverted the offending commit. We'll come up with another way to do this.
Comment 26 Nate Graham 2018-09-18 19:56:27 UTC
*** Bug 398708 has been marked as a duplicate of this bug. ***
Comment 27 Kristopher Ives 2018-09-18 22:07:36 UTC
Nate,

May I ask which commit was reverted? I'm sorry if this information is easy to find in Phabricator I am still learning how to navigate it.
Comment 28 Christoph Feck 2018-09-19 00:14:07 UTC
Commit 2ad3e66d81b63495a59d012f673af7bd854b53d7 was reverted in knewstuff.git repo. See history at https://cgit.kde.org/knewstuff.git/log/
Comment 29 nimbosa 2018-11-20 02:35:20 UTC
Created attachment 116417 [details]
New crash information added by DrKonqi

plasma-discover (5.13.5) using Qt 5.11.1

- What I was doing when the application crashed:
Opening Discovery app after update

- Unusual behavior I noticed:
crashes every time after an update

-- Backtrace (Reduced):
#6  0x00007fbf7b3ac428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#7  0x00007fbf7b3ae02a in __GI_abort () at abort.c:89
[...]
#9  0x00007fbf7b3f59dc in malloc_printerr (ar_ptr=0x7fbf7b73bb20 <main_arena>, ptr=0x3192a00, str=0x7fbf7b504c75 "corrupted size vs. prev_size", action=<optimized out>) at malloc.c:5006
#10 malloc_consolidate (av=av@entry=0x7fbf7b73bb20 <main_arena>) at malloc.c:4183
#11 0x00007fbf7b3f8cde in _int_malloc (av=av@entry=0x7fbf7b73bb20 <main_arena>, bytes=bytes@entry=4096) at malloc.c:3450
Comment 30 Nate Graham 2019-10-07 00:34:04 UTC
*** Bug 412625 has been marked as a duplicate of this bug. ***