Bug 417697

Summary: trojita crashing when attachment is saved
Product: [Applications] trojita Reporter: Stefan de Konink <stefan>
Component: CoreAssignee: Trojita default assignee <trojita-bugs>
Status: RESOLVED FIXED    
Severity: normal CC: mail, vidra.jonas
Priority: NOR    
Version First Reported In: git   
Target Milestone: ---   
Platform: Other   
OS: Linux   
URL: https://bugreports.qt.io/browse/QTBUG-82184
Latest Commit: https://commits.kde.org/trojita/cf2364b80fa8ae844df8350cd5833d47cce235f2 Version Fixed/Implemented In:
Sentry Crash Report:

Description Stefan de Konink 2020-02-15 11:40:36 UTC 
SUMMARY

I can consistently crash Trojita when saving any attachment. The attachment is written to disk, but the application terminates.

STEPS TO REPRODUCE
1. find an e-mail with an attachment
2. save the attachment via the popup menu
3. observe crash

OBSERVED RESULT
Written attachment, crashed application.

EXPECTED RESULT
Written attachment, application continues to function.

SOFTWARE/OS VERSIONS
Linux: Gentoo Linux 
Qt Version: dev-qt/qtcore-5.14.1-r1, compiled with LTO

ADDITIONAL INFORMATION
#0  0x00007ffff42e9455 in QNetworkRequest::attribute(QNetworkRequest::Attribute, QVariant const&) const () at /usr/lib64/libQt5Network.so.5
#1  0x00007ffff43beab7 in  () at /usr/lib64/libQt5Network.so.5
#2  0x00007ffff38ab3c0 in  () at /usr/lib64/libQt5Core.so.5
#3  0x000000000062078d in Imap::Network::MsgPartNetworkReply::slotMyDataChanged() (this=0x13dfa60)
    at /var/tmp/portage/mail-client/trojita-9999/work/trojita-9999/src/Imap/Network/MsgPartNetworkReply.cpp:112
#4  0x00000000005d1fed in Imap::Network::MsgPartNetworkReply::qt_static_metacall(QObject*, QMetaObject::Call, int, void**)
    (_o=0x13dfa60, _c=QMetaObject::InvokeMetaMethod, _id=1, _a=0x13d21e8) at Imap_autogen/PC4PHZCFTR/moc_MsgPartNetworkReply.cpp:81
#5  0x00007ffff38a2746 in QObject::event(QEvent*) () at /usr/lib64/libQt5Core.so.5
#6  0x00007ffff7b79295 in QApplicationPrivate::notify_helper(QObject*, QEvent*) () at /usr/lib64/libQt5Widgets.so.5
#7  0x00007ffff7b6e8d0 in QApplication::notify(QObject*, QEvent*) () at /usr/lib64/libQt5Widgets.so.5
#8  0x00007ffff38ca118 in QCoreApplication::notifyInternal2(QObject*, QEvent*) () at /usr/lib64/libQt5Core.so.5
#9  0x00007ffff38ca2b0 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () at /usr/lib64/libQt5Core.so.5
#10 0x00007ffff3886cc0 in  () at /usr/lib64/libQt5Core.so.5
#11 0x00007ffff13b17ad in g_main_context_dispatch () at /usr/lib64/libglib-2.0.so.0
#12 0x00007ffff13b24e8 in  () at /usr/lib64/libglib-2.0.so.0
#13 0x00007ffff13b5f29 in g_main_context_iteration () at /usr/lib64/libglib-2.0.so.0
#14 0x00007ffff3880c0e in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () at /usr/lib64/libQt5Core.so.5
#15 0x00007ffff3804fd6 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () at /usr/lib64/libQt5Core.so.5
#16 0x00007ffff38d0106 in QCoreApplication::exec() () at /usr/lib64/libQt5Core.so.5
#17 0x000000000047a357 in main(int, char**) (argc=1, argv=0x7fffffffdd98)
    at /var/tmp/portage/mail-client/trojita-9999/work/trojita-9999/src/Gui/main.cpp:218
(gdb) up 3
#3  0x000000000062078d in Imap::Network::MsgPartNetworkReply::slotMyDataChanged (this=0x13dfa60)
    at /var/tmp/portage/mail-client/trojita-9999/work/trojita-9999/src/Imap/Network/MsgPartNetworkReply.cpp:112
112	    emit finished();
(gdb) list
107	    } else {
108	        setHeader(QNetworkRequest::ContentTypeHeader, mimeType);
109	    }
110	    setFinished(true);
111	    emit readyRead();
112	    emit finished();
113	}
114	
115	/** @short QIODevice compatibility */
116	void MsgPartNetworkReply::abort()

Now obviously this could actually be a crash in QT. I'll investigate.
Comment 1 Stefan de Konink 2020-02-15 11:56:23 UTC 
A few extra details:

0x00007ffff425915c in QHash<QNetworkRequest::Attribute, QVariant>::value (this=0x18, akey=@0x7fffffffce8c: QNetworkRequest::AutoDeleteReplyOnFinishAttribute, adefaultValue=...) at ../../include/QtCore/../../src/corelib/tools/qhash.h:651
651	    if (d->size == 0 || (node = *findNode(akey)) == e) {
(gdb) bt
#0  0x00007ffff425915c in QHash<QNetworkRequest::Attribute, QVariant>::value(QNetworkRequest::Attribute const&, QVariant const&) const
    (this=0x18, akey=@0x7fffffffce8c: QNetworkRequest::AutoDeleteReplyOnFinishAttribute, adefaultValue=...) at ../../include/QtCore/../../src/corelib/tools/qhash.h:651
#1  0x00007ffff42559c8 in QNetworkRequest::attribute(QNetworkRequest::Attribute, QVariant const&) const (this=0x7fffffffced8, code=QNetworkRequest::AutoDeleteReplyOnFinishAttribute, defaultValue=...) at access/qnetworkrequest.cpp:689
#2  0x00007ffff4239d48 in QNetworkAccessManagerPrivate::_q_replyFinished() (this=0x9cf270) at access/qnetworkaccessmanager.cpp:1723
#3  0x00007ffff423c130 in QNetworkAccessManager::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) (_o=0xa39cf0, _c=QMetaObject::InvokeMetaMethod, _id=9, _a=0x7fffffffd0b0) at .moc/moc_qnetworkaccessmanager.cpp:192
#4  0x00007ffff37f43c0 in  () at /usr/lib64/libQt5Core.so.5
#5  0x00007ffff4378213 in QNetworkReply::finished() (this=0x1475770) at .moc/moc_qnetworkreply.cpp:385
#6  0x000000000062078d in Imap::Network::MsgPartNetworkReply::slotMyDataChanged() (this=0x1475770) at /var/tmp/portage/mail-client/trojita-9999/work/trojita-9999/src/Imap/Network/MsgPartNetworkReply.cpp:112
#7  0x00000000005d1fed in Imap::Network::MsgPartNetworkReply::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) (_o=0x1475770, _c=QMetaObject::InvokeMetaMethod, _id=1, _a=0xb5dd08)
    at Imap_autogen/PC4PHZCFTR/moc_MsgPartNetworkReply.cpp:81
#8  0x00007ffff37eb746 in QObject::event(QEvent*) () at /usr/lib64/libQt5Core.so.5
#9  0x00007ffff7b79295 in QApplicationPrivate::notify_helper(QObject*, QEvent*) () at /usr/lib64/libQt5Widgets.so.5
#10 0x00007ffff7b6e8d0 in QApplication::notify(QObject*, QEvent*) () at /usr/lib64/libQt5Widgets.so.5
#11 0x00007ffff3813118 in QCoreApplication::notifyInternal2(QObject*, QEvent*) () at /usr/lib64/libQt5Core.so.5
#12 0x00007ffff38132b0 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () at /usr/lib64/libQt5Core.so.5
#13 0x00007ffff37cfcc0 in  () at /usr/lib64/libQt5Core.so.5
#14 0x00007ffff12fa7ad in g_main_context_dispatch () at /usr/lib64/libglib-2.0.so.0
#15 0x00007ffff12fb4e8 in  () at /usr/lib64/libglib-2.0.so.0
#16 0x00007ffff12fef29 in g_main_context_iteration () at /usr/lib64/libglib-2.0.so.0
#17 0x00007ffff37c9c0e in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () at /usr/lib64/libQt5Core.so.5
#18 0x00007ffff374dfd6 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () at /usr/lib64/libQt5Core.so.5
#19 0x00007ffff3819106 in QCoreApplication::exec() () at /usr/lib64/libQt5Core.so.5
#20 0x000000000047a357 in main(int, char**) (argc=1, argv=0x7fffffffdd98) at /var/tmp/portage/mail-client/trojita-9999/work/trojita-9999/src/Gui/main.cpp:218
(gdb) up
#1  0x00007ffff42559c8 in QNetworkRequest::attribute (this=0x7fffffffced8, code=QNetworkRequest::AutoDeleteReplyOnFinishAttribute, defaultValue=...) at access/qnetworkrequest.cpp:689
689	    return d->attributes.value(code, defaultValue);
(gdb) up
#2  0x00007ffff4239d48 in QNetworkAccessManagerPrivate::_q_replyFinished (this=0x9cf270) at access/qnetworkaccessmanager.cpp:1723
1723	        if (reply->request().attribute(QNetworkRequest::AutoDeleteReplyOnFinishAttribute, false).toBool())
(gdb) up
#3  0x00007ffff423c130 in QNetworkAccessManager::qt_static_metacall (_o=0xa39cf0, _c=QMetaObject::InvokeMetaMethod, _id=9, _a=0x7fffffffd0b0) at .moc/moc_qnetworkaccessmanager.cpp:192
192	        case 9: _t->d_func()->_q_replyFinished(); break;
(gdb) up
#4  0x00007ffff37f43c0 in ?? () from /usr/lib64/libQt5Core.so.5
(gdb) up
#5  0x00007ffff4378213 in QNetworkReply::finished (this=0x1475770) at .moc/moc_qnetworkreply.cpp:385
385	    QMetaObject::activate(this, &staticMetaObject, 1, nullptr);
(gdb) up
#6  0x000000000062078d in Imap::Network::MsgPartNetworkReply::slotMyDataChanged (this=0x1475770) at /var/tmp/portage/mail-client/trojita-9999/work/trojita-9999/src/Imap/Network/MsgPartNetworkReply.cpp:112
112	    emit finished();



#1  0x00007ffff42559c8 in QNetworkRequest::attribute (this=0x7fffffffced8, code=QNetworkRequest::AutoDeleteReplyOnFinishAttribute, defaultValue=...) at access/qnetworkrequest.cpp:689
689	    return d->attributes.value(code, defaultValue);
(gdb) print d
$2 = {d = 0x0}
(gdb) print code
$3 = QNetworkRequest::AutoDeleteReplyOnFinishAttribute
(gdb) print defaultValue
$4 = (const QVariant &) @0x7fffffffcef0: {d = {data = {c = 0 '\000', uc = 0 '\000', s = -12544, sc = 0 '\000', us = 52992, i = -12544, u = 4294954752, l = 140737488342784, ul = 140737488342784, b = false, d = 6.9533558072152484e-310, 
      f = -nan(0x7fcf00), real = 6.9533558072152484e-310, ll = 140737488342784, ull = 140737488342784, o = 0x7fffffffcf00, ptr = 0x7fffffffcf00, shared = 0x7fffffffcf00}, type = 1, is_shared = 0, is_null = 0}}



#2  0x00007ffff4239d48 in QNetworkAccessManagerPrivate::_q_replyFinished (this=0x9cf270) at access/qnetworkaccessmanager.cpp:1723
1723	        if (reply->request().attribute(QNetworkRequest::AutoDeleteReplyOnFinishAttribute, false).toBool())
(gdb) list
1718	    Q_Q(QNetworkAccessManager);
1719	
1720	    QNetworkReply *reply = qobject_cast<QNetworkReply *>(q->sender());
1721	    if (reply) {
1722	        emit q->finished(reply);
1723	        if (reply->request().attribute(QNetworkRequest::AutoDeleteReplyOnFinishAttribute, false).toBool())
1724	            QMetaObject::invokeMethod(reply, [reply] { reply->deleteLater(); }, Qt::QueuedConnection);
1725	    }
1726	
1727	#ifndef QT_NO_BEARERMANAGEMENT
(gdb) print reply
$5 = (QNetworkReply *) 0x1475770
(gdb) print reply->request()
[Thread 0x7fff45ffb700 (LWP 553683) exited]
$6 = {d = {d = 0x0}}
Comment 2 Stefan de Konink 2020-02-18 21:59:08 UTC 
According to the upstream QT bugtracker: "They should not delete reply in a slot, connected to 'finished'. This is documented."
Comment 3 Jan Kundrát 2020-03-09 15:30:26 UTC 
Acked, thanks, patch at https://gerrit.vesnicky.cesnet.cz/r/1031 .
Comment 4 Jan Kundrát 2020-03-13 17:57:23 UTC 
Git commit cf2364b80fa8ae844df8350cd5833d47cce235f2 by Jan Kundrát.
Committed on 09/03/2020 at 15:30.
Pushed by gerrit into branch 'master'.

Fix possible crash when downloading attachments

Turns out we've been happily deleting network replies from the
QNetworkReply::finished(). That was never a good thing to do, but it did
not use to crash with older Qt. Now it does.

After changing to deleteLater(), there's a window for
already-deregistered replies to generate events, therefore the assert
has to go, too, otherwise Bad Things happen:

 (gdb) bt
 #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
 #1  0x00007ffff16bdcd2 in __GI_abort () at abort.c:89
 #2  0x00007ffff2400bcb in qt_message_fatal (context=..., message=<synthetic pointer>...) at /var/tmp/portage/dev-qt/qtcore-5.13.9999/work/qtcore-5.13.9999/src/corelib/global/qlogging.cpp:1904
 #3  QMessageLogger::fatal (this=this@entry=0x7fffffffc990, msg=msg@entry=0x7ffff2690b10 "ASSERT: \"%s\" in file %s, line %d") at /var/tmp/portage/dev-qt/qtcore-5.13.9999/work/qtcore-5.13.9999/src/corelib/global/qlogging.cpp:888
 #4  0x00007ffff23fff7c in qt_assert (assertion=assertion@entry=0x5555558451d7 "reply", file=file@entry=0x555555841a38 "/home/jkt/work/prog/trojita/src/Imap/Network/FileDownloadManager.cpp", line=line@entry=142)
     at /var/tmp/portage/dev-qt/qtcore-5.13.9999/work/qtcore-5.13.9999/src/corelib/global/qglobal.cpp:3247
 #5  0x00005555555da840 in Imap::Network::FileDownloadManager::onPartDataTransfered (this=0x555556a20990)
 #6  0x00007ffff25f1bdf in QtPrivate::QSlotObjectBase::call (a=0x7fffffffcaa0, r=0x555556a20990, this=0x5555569f99c0) at ../../include/QtCore/../../../qtcore-5.13.9999/src/corelib/kernel/qobjectdefs_impl.h:394
 #7  QMetaObject::activate(QObject*, int, int, void**) () at /var/tmp/portage/dev-qt/qtcore-5.13.9999/work/qtcore-5.13.9999/src/corelib/kernel/qobject.cpp:3787
 #8  0x00007ffff25f20b7 in QMetaObject::activate (sender=sender@entry=0x555556a21370, m=m@entry=0x7ffff3f96b00 <QNetworkReply::staticMetaObject>, local_signal_index=local_signal_index@entry=1, argv=argv@entry=0x0)
     at /var/tmp/portage/dev-qt/qtcore-5.13.9999/work/qtcore-5.13.9999/src/corelib/kernel/qobject.cpp:3658
 #9  0x00007ffff3d3cbf3 in QNetworkReply::finished (this=this@entry=0x555556a21370) at .moc/moc_qnetworkreply.cpp:385
 #10 0x0000555555709485 in Imap::Network::MsgPartNetworkReply::slotMyDataChanged() () at /home/jkt/work/prog/trojita/src/Imap/Network/MsgPartNetworkReply.cpp:112
Reported-by: Stefan de Konink <stefan@konink.de>
Change-Id: I79f340c5a471430a14474472513d0a055c7238d6

M  +6    -4    src/Imap/Network/FileDownloadManager.cpp

https://commits.kde.org/trojita/cf2364b80fa8ae844df8350cd5833d47cce235f2
Comment 5 Jan Kundrát 2020-04-17 12:38:45 UTC 
*** Bug 420194 has been marked as a duplicate of this bug. ***
Comment 6 Andreas Baumann 2021-02-12 08:46:36 UTC 
Actually fixed long time ago in 2869c385e72932cbed7398742b8a4d5e3feda765

Sorry for the noise.
Comment 7 Andreas Baumann 2021-02-12 08:47:34 UTC 
Sorry, wrong bug report, disregard my last comment.