| Summary: | energy info corrupts solid battery pointers | | |
|---|---|---|---|
| Product: | [Applications] kinfocenter | Reporter: | Ruben <ruben.carbonbased> |
| Component: | Energy Information | Assignee: | Kai Uwe Broulik <kde> |
| Status: | RESOLVED FIXED | | |
| Severity: | crash | CC: | alandrei93, aspotashev, bonfostar, facufaka1885, freefreeno81, john4deidre2013, kde, L.Bonnaud, mariusz.libera, martin, matt.fagnani, meven29, nate, postix, rdieter, sitter, suhn, svivekkris, thesourcehim |
| Priority: | NOR | Keywords: | drkonqi |
| Version: | 5.17.5 | | |
| Target Milestone: | --- | | |
| Platform: | Fedora RPMs | | |
| OS: | Linux | | |
| See Also: | https://bugs.kde.org/show_bug.cgi?id=414200 | | |
| Latest Commit: | https://commits.kde.org/kinfocenter/764fce4aefbe1567dc3bfc795f0232fef9df478c | Version Fixed In: | 5.18.0 |
| Attachments: | New crash information added by DrKonqi; valgrind log from kinfocenter run when clicking Energy Information, File Indexer Monitor, then Energy Information; New crash information added by DrKonqi; New crash information added by DrKonqi | | |
Description
Ruben
2019-10-15 20:34:41 UTC
Seems to be related to https://cgit.kde.org/kinfocenter.git/commit/?id=95569a0eae884427c7f7ab11fd63ae577f0be16d

This is easily reproducible:
1. Open kinfocenter > energy information
2. Switch to another tab in kinfocenter (for instance memory)
3. Return to energy information tab
4. Crash

[KCrash Handler]
#7 0x000055716942d120 in ?? ()
#8 0x00007fdb30a388de in QMetaObject::cast (this=this@entry=0x7fdb2a551a20 <Solid::Battery::staticMetaObject>, obj=0x5571698ea6f0) at kernel/qmetaobject.cpp:374
#9 0x00007fdb30a38919 in QMetaObject::cast (this=this@entry=0x7fdb2a551a20 <Solid::Battery::staticMetaObject>, obj=<optimized out>) at kernel/qmetaobject.cpp:363
#10 0x00007fdb219cc721 in qobject_cast<Solid::Battery*> (object=<optimized out>) at /usr/include/x86_64-linux-gnu/qt5/QtCore/qobject.h:499
#11 Solid::Device::as<Solid::Battery> (this=0x7ffc2056ec90) at /home/meven/kde/usr/include/KF5/Solid/solid/device.h:233
#12 BatteryModel::data (this=<optimized out>, index=..., role=<optimized out>) at /home/meven/kde/src/kinfocenter/Modules/energy/batterymodel.cpp:76
#13 0x00007fdb2facc99c in QModelIndex::data (arole=256, this=0x7ffc2056ed10) at /usr/include/x86_64-linux-gnu/qt5/QtCore/qabstractitemmodel.h:458
#14 QQmlDMAbstractItemModelData::value (role=256, this=0x55716c74c1b0) at util/qqmladaptormodel.cpp:408
#15 QQmlDMCachedModelData::metaCall (this=0x55716c74c1b0, call=<optimized out>, id=<optimized out>, arguments=0x7ffc2056edc0) at util/qqmladaptormodel.cpp:276
#16 0x00007fdb2fbd69b4 in QQmlPropertyData::readProperty (property=0x7ffc2056eda0, target=0x55716c74c1b0, this=0x55716cae2038) at ../../include/QtQml/5.12.4/QtQml/private/../../../../../src/qml/qml/qqmlpropertycache_p.h:328
#17 loadProperty (v4=0x557169bc9220, object=0x55716c74c1b0, property=...) at jsr

Created attachment 124235 [details]
New crash information added by DrKonqi
kinfocenter (5.17.3) using Qt 5.12.5
- What I was doing when the application crashed:
I was using Plasma 5.17.3 on Wayland in Fedora 31. I started kinfocenter. I clicked on Energy Information, File Indexer Monitor, then Energy Information. Dr. Konqi showed a segmentation fault in QMetaObject::cast at kernel/qmetaobject.cpp:381 in qt5-qtbase-5.12.5-1.fc31.x86_64. This crash happened 3/3 times I tried the steps above.
-- Backtrace (Reduced):
#8 0x00007fcdf8222ae1 in qobject_cast<Solid::Battery*> (object=<optimized out>) at /usr/include/qt5/QtCore/qobject.h:499
#9 Solid::Device::as<Solid::Battery> (this=0x7ffd448d5eb0) at /usr/include/KF5/Solid/solid/device.h:233
#10 BatteryModel::data (this=<optimized out>, index=..., role=<optimized out>) at /usr/src/debug/kinfocenter-5.17.3-1.fc31.x86_64/Modules/energy/batterymodel.cpp:75
#11 0x00007fce16fbd74b in QModelIndex::data (arole=256, this=0x7ffd448d5f30) at /usr/include/qt5/QtCore/qabstractitemmodel.h:458
#12 QQmlDMAbstractItemModelData::value (role=256, this=0x563ab03a4810) at util/qqmladaptormodel.cpp:414
Created attachment 124238 [details]
valgrind log from kinfocenter run when clicking Energy Information, File Indexer Monitor, then Energy Information

I ran valgrind --log-file=valgrind-kinfocenter-energy-index-1.txt --track-origins=yes kinfocenter & I reproduced the crash in the same way as in my previous comment. The valgrind log showed an invalid read in wl_proxy_unref at wayland-client.c:229 and an invalid write in wl_proxy_unref at wayland-client.c:230 in libwayland-client. They appeared to be use-after-free errors like those I've previously reported for kwin_wayland, plasmashell, konsole, powerdevil, etc. ( https://bugs.kde.org/show_bug.cgi?id=409688 ) 84 Conditional jump or move depends on uninitialised value(s) and 13 Use of uninitialised value messages were shown. An invalid read in QMetaObject::cast at qmetaobject.cpp:381 in freed memory was followed by an invalid read "Address 0x5300000000 is not stack'd, malloc'd or (recently) free'd" at the same line. This trace looks like that of the crashing thread. The use-after-free error might've led to the segmentation fault due to the invalid pointer.

==5320== Invalid read of size 8
==5320==    at 0x5CA7FA0: QMetaObject::cast(QObject const*) const (qmetaobject.cpp:381)
==5320==    by 0x2880DAE0: qobject_cast<Solid::Battery*> (qobject.h:504)
==5320==    by 0x2880DAE0: as<Solid::Battery> (device.h:233)
==5320==    by 0x2880DAE0: BatteryModel::data(QModelIndex const&, int) const (batterymodel.cpp:75)
==5320==    by 0x68F874A: data (qabstractitemmodel.h:458)
==5320==    by 0x68F874A: value (qqmladaptormodel.cpp:414)
==5320==    by 0x68F874A: QQmlDMCachedModelData::metaCall(QMetaObject::Call, int, void**) (qqmladaptormodel.cpp:282)
==5320==    by 0x6A0A043: readProperty (qqmlpropertycache_p.h:328)
==5320==    by 0x6A0A043: loadProperty(QV4::ExecutionEngine*, QObject*, QQmlPropertyData const&) (qv4qobjectwrapper.cpp:178)
==5320==    by 0x6A0BB3B: QV4::QObjectWrapper::virtualResolveLookupGetter(QV4::Object const*, QV4::ExecutionEngine*, QV4::Lookup*) (qv4qobjectwrapper.cpp:877)
==5320==    by 0x6A2A714: QV4::Moth::VME::interpret(QV4::CppStackFrame*, QV4::ExecutionEngine*, char const*) (qv4vme_moth.cpp:621)
==5320==    by 0x6A2F556: QV4::Moth::VME::exec(QV4::CppStackFrame*, QV4::ExecutionEngine*) (qv4vme_moth.cpp:447)
==5320==    by 0x69BC8FE: QV4::Function::call(QV4::Value const*, QV4::Value const*, int, QV4::ExecutionContext const*) (qv4function.cpp:68)
==5320==    by 0x6B45C06: QQmlJavaScriptExpression::evaluate(QV4::CallData*, bool*) (qqmljavascriptexpression.cpp:211)
==5320==    by 0x6B4B9B2: QQmlBinding::evaluate(bool*) (qqmlbinding.cpp:209)
==5320==    by 0x6B504E9: QQmlNonbindingBinding::doUpdate(QQmlJavaScriptExpression::DeleteWatcher const&, QFlags<QQmlPropertyData::WriteFlag>, QV4::Scope&) (qqmlbinding.cpp:245)
==5320==    by 0x6B4CC93: QQmlBinding::update(QFlags<QQmlPropertyData::WriteFlag>) (qqmlbinding.cpp:185)
==5320==  Address 0x2ae6bf60 is 0 bytes inside a block of size 192 free'd
==5320==    at 0x483AA0C: free (vg_replace_malloc.c:540)
==5320==    by 0x68EEEAF: UnknownInlinedFun (qarraydata.h:239)
==5320==    by 0x68EEEAF: ~QString (qstring.h:1135)
==5320==    by 0x68EEEAF: node_destruct (qlist.h:499)
==5320==    by 0x68EEEAF: dealloc (qlist.h:868)
==5320==    by 0x68EEEAF: QList<QString>::~QList() (qlist.h:830)
==5320==    by 0x692050E: ~QStringList (qstringlist.h:99)
==5320==    by 0x692050E: QV4::CompiledData::CompilationUnit::loadFromDisk(QUrl const&, QDateTime const&, QString*) (qv4compileddata.cpp:658)
==5320==    by 0x6B0C07F: QQmlScriptBlob::dataReceived(QQmlDataBlob::SourceCodeData const&) (qqmltypeloader.cpp:3020)
==5320==    by 0x6B04AB1: QQmlTypeLoader::setData(QQmlDataBlob*, QQmlDataBlob::SourceCodeData const&) (qqmltypeloader.cpp:1302)
==5320==    by 0x6B053DC: QQmlTypeLoader::setData(QQmlDataBlob*, QString const&) (qqmltypeloader.cpp:1292)
==5320==    by 0x6B0550C: QQmlTypeLoader::loadThread(QQmlDataBlob*) (qqmltypeloader.cpp:1162)
==5320==    by 0x6B134FB: loadThread (qqmltypeloader.cpp:1007)
==5320==    by 0x6B134FB: void QQmlTypeLoader::doLoad<PlainLoader>(PlainLoader const&, QQmlDataBlob*, QQmlTypeLoader::Mode) (qqmltypeloader.cpp:1066)
==5320==    by 0x6B05779: QQmlTypeLoader::load(QQmlDataBlob*, QQmlTypeLoader::Mode) (qqmltypeloader.cpp:1098)
==5320==    by 0x6B05E6E: QQmlTypeLoader::getScript(QUrl const&) (qqmltypeloader.cpp:1760)
==5320==    by 0x6B0896A: QQmlTypeLoader::Blob::addImport(QV4::CompiledData::Import const*, QList<QQmlError>*) (qqmltypeloader.cpp:1444)
==5320==    by 0x6B09F6C: QQmlTypeData::tryLoadFromDiskCache() (qqmltypeloader.cpp:2215)
==5320==  Block was alloc'd at
==5320==    at 0x483980B: malloc (vg_replace_malloc.c:309)
==5320==    by 0x5B02100: QArrayData::allocate(unsigned long, unsigned long, unsigned long, QFlags<QArrayData::AllocationOption>) (qarraydata.cpp:118)
==5320==    by 0x5B71896: UnknownInlinedFun (qarraydata.h:224)
==5320==    by 0x5B71896: QString::QString(int, Qt::Initialization) (qstring.cpp:2176)
==5320==    by 0x691BF5A: convertTo<QString> (qstringbuilder.h:112)
==5320==    by 0x691BF5A: operator QStringBuilder<QStringBuilder<QStringBuilder<QString, QString>, QLatin1Char>, QString>::ConvertTo (qstringbuilder.h:131)
==5320==    by 0x691BF5A: QV4::CompiledData::CompilationUnit::localCacheFilePath(QUrl const&) (qv4compileddata.cpp:140)
==5320==    by 0x6920382: QV4::CompiledData::CompilationUnit::loadFromDisk(QUrl const&, QDateTime const&, QString*) (qv4compileddata.cpp:658)
==5320==    by 0x6B0C07F: QQmlScriptBlob::dataReceived(QQmlDataBlob::SourceCodeData const&) (qqmltypeloader.cpp:3020)
==5320==    by 0x6B04AB1: QQmlTypeLoader::setData(QQmlDataBlob*, QQmlDataBlob::SourceCodeData const&) (qqmltypeloader.cpp:1302)
==5320==    by 0x6B053DC: QQmlTypeLoader::setData(QQmlDataBlob*, QString const&) (qqmltypeloader.cpp:1292)
==5320==    by 0x6B0550C: QQmlTypeLoader::loadThread(QQmlDataBlob*) (qqmltypeloader.cpp:1162)
==5320==    by 0x6B134FB: loadThread (qqmltypeloader.cpp:1007)
==5320==    by 0x6B134FB: void QQmlTypeLoader::doLoad<PlainLoader>(PlainLoader const&, QQmlDataBlob*, QQmlTypeLoader::Mode) (qqmltypeloader.cpp:1066)
==5320==    by 0x6B05779: QQmlTypeLoader::load(QQmlDataBlob*, QQmlTypeLoader::Mode) (qqmltypeloader.cpp:1098)
==5320==    by 0x6B05E6E: QQmlTypeLoader::getScript(QUrl const&) (qqmltypeloader.cpp:1760)
==5320==
==5320==
==5320== More than 100 errors detected.  Subsequent errors
==5320== will still be recorded, but in less detail than before.

==5320== Invalid read of size 8
==5320==    at 0x5CA7FAC: QMetaObject::cast(QObject const*) const (qmetaobject.cpp:381)
==5320==    by 0x2880DAE0: qobject_cast<Solid::Battery*> (qobject.h:504)
==5320==    by 0x2880DAE0: as<Solid::Battery> (device.h:233)
==5320==    by 0x2880DAE0: BatteryModel::data(QModelIndex const&, int) const (batterymodel.cpp:75)
==5320==    by 0x68F874A: data (qabstractitemmodel.h:458)
==5320==    by 0x68F874A: value (qqmladaptormodel.cpp:414)
==5320==    by 0x68F874A: QQmlDMCachedModelData::metaCall(QMetaObject::Call, int, void**) (qqmladaptormodel.cpp:282)
==5320==    by 0x6A0A043: readProperty (qqmlpropertycache_p.h:328)
==5320==    by 0x6A0A043: loadProperty(QV4::ExecutionEngine*, QObject*, QQmlPropertyData const&) (qv4qobjectwrapper.cpp:178)
==5320==    by 0x6A0BB3B: QV4::QObjectWrapper::virtualResolveLookupGetter(QV4::Object const*, QV4::ExecutionEngine*, QV4::Lookup*) (qv4qobjectwrapper.cpp:877)
==5320==    by 0x6A2A714: QV4::Moth::VME::interpret(QV4::CppStackFrame*, QV4::ExecutionEngine*, char const*) (qv4vme_moth.cpp:621)
==5320==    by 0x6A2F556: QV4::Moth::VME::exec(QV4::CppStackFrame*, QV4::ExecutionEngine*) (qv4vme_moth.cpp:447)
==5320==    by 0x69BC8FE: QV4::Function::call(QV4::Value const*, QV4::Value const*, int, QV4::ExecutionContext const*) (qv4function.cpp:68)
==5320==    by 0x6B45C06: QQmlJavaScriptExpression::evaluate(QV4::CallData*, bool*) (qqmljavascriptexpression.cpp:211)
==5320==    by 0x6B4B9B2: QQmlBinding::evaluate(bool*) (qqmlbinding.cpp:209)
==5320==    by 0x6B504E9: QQmlNonbindingBinding::doUpdate(QQmlJavaScriptExpression::DeleteWatcher const&, QFlags<QQmlPropertyData::WriteFlag>, QV4::Scope&) (qqmlbinding.cpp:245)
==5320==    by 0x6B4CC93: QQmlBinding::update(QFlags<QQmlPropertyData::WriteFlag>) (qqmlbinding.cpp:185)
==5320==  Address 0x5300000000 is not stack'd, malloc'd or (recently) free'd

Two further invalid reads were shown in socketNotifierSourceCheck at qeventdispatcher_glib.cpp:88 and 79 which looked like use-after-free errors. Those errors might be side-effects of the segmentation fault. I've seen this crash 4/4 times. I'm attaching the full valgrind log.

*** Bug 414500 has been marked as a duplicate of this bug. ***

*** Bug 414205 has been marked as a duplicate of this bug. ***

*** Bug 414209 has been marked as a duplicate of this bug. ***

*** Bug 415372 has been marked as a duplicate of this bug. ***

*** Bug 414844 has been marked as a duplicate of this bug. ***

*** Bug 414817 has been marked as a duplicate of this bug. ***

*** Bug 414099 has been marked as a duplicate of this bug. ***

Created attachment 125101 [details]
New crash information added by DrKonqi
kinfocenter (5.17.5) using Qt 5.13.2
- What I was doing when the application crashed:
I selected the energy view.
These are the steps to reproduce the crash (at least for me):
1) Open the info center.
2) Select the energy view.
3) Select any of the other views.
4) Select (again) the energy view.
5) The app now crashes as soon as you select that view.
It happens every time I've tried (like 4 times).
-- Backtrace (Reduced):
#6 0x00007f2a2ad81a78 in vtable for QQuickShaderEffectSource () from /lib64/libQt5Quick.so.5
[...]
#8 0x00007f2a108f8ae1 in BatteryModel::data(QModelIndex const&, int) const () from /usr/lib64/qt5/plugins/kcms/kcm_energyinfo.so
#9 0x00007f2a2a48bd5b in QQmlDMCachedModelData::metaCall(QMetaObject::Call, int, void**) () from /lib64/libQt5Qml.so.5
#10 0x00007f2a2a59f904 in loadProperty(QV4::ExecutionEngine*, QObject*, QQmlPropertyData const&) () from /lib64/libQt5Qml.so.5
#11 0x00007f2a2a5a13fc in QV4::QObjectWrapper::virtualResolveLookupGetter(QV4::Object const*, QV4::ExecutionEngine*, QV4::Lookup*) () from /lib64/libQt5Qml.so.5
https://phabricator.kde.org/D26725

Essentially, when leaving the energy module, QML will delete the Battery pointers we've passed it from the C++ side; those are, however, internal to Solid and mustn't be deleted. So Solid would implode the next time we try to get the pointers.

*** Bug 414200 has been marked as a duplicate of this bug. ***

*** Bug 415021 has been marked as a duplicate of this bug. ***

Git commit 764fce4aefbe1567dc3bfc795f0232fef9df478c by Harald Sitter.
Committed on 17/01/2020 at 13:30.
Pushed by sitter into branch 'Plasma/5.18'.

make sure Solid::Battery is not deleted from QML

Summary:
Battery objects are cast DeviceInterface objects and those are owned by Solid. Deleting them outside Solid means they will end up as dangling pointers inside Solid's global static objects.

When switching away from the energy KCM the QML engine would get cleaned up as part of the KCM destruction; QML would then sweep up the Battery object and corrupt the Solid internal pointers.

To prevent this, explicitly mark Battery objects we give to QML as owned on the C++ side.

FIXED-IN: 5.18.0

Test Plan:
open kinfocenter
switch to energy
switch away
switch to energy
no crash

Reviewers: broulik, davidedmundson

Reviewed By: davidedmundson

Subscribers: plasma-devel

Tags: #plasma

Differential Revision: https://phabricator.kde.org/D26725

M  +6    -1    Modules/energy/batterymodel.cpp

https://commits.kde.org/kinfocenter/764fce4aefbe1567dc3bfc795f0232fef9df478c

*** Bug 416413 has been marked as a duplicate of this bug. ***

*** Bug 416668 has been marked as a duplicate of this bug. ***

*** Bug 416798 has been marked as a duplicate of this bug. ***

Created attachment 125616 [details]
New crash information added by DrKonqi
kinfocenter (5.17.5) using Qt 5.13.2
- What I was doing when the application crashed:
Looked through battery and Graphical Information, and closed the app.
-- Backtrace (Reduced):
#6 QWeakPointer<QObject>::data (this=0x1e48) at /usr/include/x86_64-linux-gnu/qt5/QtCore/qsharedpointer_impl.h:569
#7 QPointer<QObject>::data (this=0x1e48) at /usr/include/x86_64-linux-gnu/qt5/QtCore/qpointer.h:86
#8 Solid::DeviceInterfacePrivate::backendObject (this=0x1e40) at ./src/solid/devices/frontend/deviceinterface.cpp:110
#9 0x00007f618ef61d08 in Solid::DevicePrivate::~DevicePrivate (this=0x5577d6ac3ae0, __in_chrg=<optimized out>) at ./src/solid/devices/frontend/device.cpp:222
#10 0x00007f618ef61e89 in Solid::DevicePrivate::~DevicePrivate (this=0x5577d6ac3ae0, __in_chrg=<optimized out>) at ./src/solid/devices/frontend/device.cpp:225
*** Bug 415474 has been marked as a duplicate of this bug. ***
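Harald Sitter's comment and commit above describe the cause: QML took ownership of Battery objects that Solid still holds, so tearing down the KCM's engine freed memory Solid would later read. The following is an added, stand-alone C++ model of that mistake and its remedy; it is not kinfocenter, Solid or Qt code, and Battery, SolidCache and Engine are simplified stand-ins that need no Qt headers. Engine copies the one QQmlEngine rule that matters here: an object handed to QML without a parent defaults to JavaScript ownership and is deleted along with the engine unless the C++ side marks it CppOwnership (the Qt call for that is QQmlEngine::setObjectOwnership).

```cpp
#include <set>
#include <string>
#include <utility>
#include <vector>

// Mirrors QQmlEngine::ObjectOwnership (JavaScriptOwnership / CppOwnership).
enum class Ownership { JavaScript, Cpp };

// Stand-in for Solid::Battery. The static registry lets this model detect a dangling
// pointer without touching freed memory; real Solid has no such bookkeeping.
struct Battery {
    std::string udi;
    explicit Battery(std::string u) : udi(std::move(u)) { alive().insert(this); }
    ~Battery() { alive().erase(this); }
    static std::set<const Battery*>& alive() { static std::set<const Battery*> s; return s; }
};

// Stand-in for Solid's process-wide device cache: it owns the Battery objects and
// keeps raw pointers that nobody updates if the objects are deleted elsewhere.
struct SolidCache {
    std::vector<Battery*> devices;
    Battery* add(const std::string& udi) { devices.push_back(new Battery(udi)); return devices.back(); }
    bool hasDangling() const {
        for (const Battery* d : devices) if (!Battery::alive().count(d)) return true;
        return false;
    }
    ~SolidCache() { for (Battery* d : devices) if (Battery::alive().count(d)) delete d; }
};

// Stand-in for the QML engine: an object it receives is swept up when the engine is
// destroyed unless the C++ side marked it Cpp-owned (QQmlEngine::setObjectOwnership).
struct Engine {
    std::vector<std::pair<Battery*, Ownership>> exposed;
    void expose(Battery* b, Ownership o) { exposed.emplace_back(b, o); }
    ~Engine() { for (auto& e : exposed) if (e.second == Ownership::JavaScript) delete e.first; }
};

// Replays the reported steps: open the Energy module (engine created, batteries handed
// to QML), switch to another module (engine destroyed), then ask whether Solid's cache
// is left holding dangling pointers. `fixed` applies the commit's remedy of marking
// the objects Cpp-owned before exposing them.
bool solidCorruptedAfterLeavingEnergyModule(bool fixed) {
    SolidCache solid;
    solid.add("BAT0");   // constructed sample UDIs, not real device identifiers
    solid.add("BAT1");
    {
        Engine qml;
        for (Battery* b : solid.devices) qml.expose(b, fixed ? Ownership::Cpp : Ownership::JavaScript);
    }   // leaving the scope is the "switch away" step
    return solid.hasDangling();   // true before the fix, false after
}
```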