Bug 463864

Summary: Discover Crashes in ResultsStream::resourcesFound() when installing a Flatpak app
Product: [Applications] Discover Reporter: Carter Zhang <mcut17198>
Component: Flatpak BackendAssignee: Plasma Bugs List <plasma-bugs>
Status: RESOLVED FIXED    
Severity: crash CC: 4wy78uwh, abd.m.jawed, aleixpol, aronkvh, brandan.yares, calanoypatrick, caseycattron, cenay, derwesermann, dimeptr, fabian, jacob.skoog, jalil.ghavidel, jgrulich, kde, masdrubal65, nate, postix, travier, Trevorkiprop, x123456789fy
Priority: VHI Keywords: drkonqi
Version: 5.26.4   
Target Milestone: ---   
Platform: Debian unstable   
OS: Linux   
See Also: https://bugs.kde.org/show_bug.cgi?id=467027
https://bugs.kde.org/show_bug.cgi?id=495874
Latest Commit: https://invent.kde.org/plasma/discover/-/commit/cc38c6c3e19c15dce8fa0dd0de30c748c363eeb7 Version Fixed In: 6.1
Sentry Crash Report:

Description Carter Zhang 2023-01-05 07:17:26 UTC 
Application: plasma-discover (5.26.4)

Qt Version: 5.15.7
Frameworks Version: 5.101.0
Operating System: Linux 6.0.0-6-amd64 x86_64
Windowing System: X11
Distribution: Debian GNU/Linux bookworm/sid
DrKonqi: 5.26.4 [KCrashBackend]

-- Information about the crash:
Everytime when I was installing a Flatpak app, Discover crashes.

The crash can be reproduced every time.

-- Backtrace:
Application: Discover (plasma-discover), signal: Segmentation fault

[KCrash Handler]
#4  0x00007fc3a34e8abd in ?? () from /lib/x86_64-linux-gnu/libQt5Core.so.5
#5  0x00007fc3a5713db2 in ResultsStream::resourcesFound(QVector<AbstractResource*> const&) () from /usr/lib/x86_64-linux-gnu/plasma-discover/libDiscoverCommon.so
#6  0x00007fc3640292f2 in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/discover/flatpak-backend.so
#7  0x00007fc3a34dd770 in QObject::event(QEvent*) () from /lib/x86_64-linux-gnu/libQt5Core.so.5
#8  0x00007fc3a4762f5e in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /lib/x86_64-linux-gnu/libQt5Widgets.so.5
#9  0x00007fc3a34b17c8 in QCoreApplication::notifyInternal2(QObject*, QEvent*) () from /lib/x86_64-linux-gnu/libQt5Core.so.5
#10 0x00007fc3a34b4761 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () from /lib/x86_64-linux-gnu/libQt5Core.so.5
#11 0x00007fc3a350a1d3 in ?? () from /lib/x86_64-linux-gnu/libQt5Core.so.5
#12 0x00007fc3a1d1e7a9 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#13 0x00007fc3a1d1ea38 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#14 0x00007fc3a1d1eacc in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#15 0x00007fc3a35098b6 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /lib/x86_64-linux-gnu/libQt5Core.so.5
#16 0x00007fc3a34b024b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /lib/x86_64-linux-gnu/libQt5Core.so.5
#17 0x00007fc3a34b83b6 in QCoreApplication::exec() () from /lib/x86_64-linux-gnu/libQt5Core.so.5
#18 0x000055b8d3460217 in ?? ()
#19 0x00007fc3a304618a in __libc_start_call_main (main=main@entry=0x55b8d345f920, argc=argc@entry=1, argv=argv@entry=0x7ffeabc84608) at ../sysdeps/nptl/libc_start_call_main.h:58
#20 0x00007fc3a3046245 in __libc_start_main_impl (main=0x55b8d345f920, argc=1, argv=0x7ffeabc84608, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffeabc845f8) at ../csu/libc-start.c:381
#21 0x000055b8d3460781 in ?? ()
[Inferior 1 (process 74930) detached]

The reporter indicates this bug may be a duplicate of or related to bug 460900, bug 462011.

Reported using DrKonqi
Comment 1 Nate Graham 2023-01-09 20:41:05 UTC 
Thank you for the bug report! Unfortunately the backtrace is incomplete and missing debug symbols for the following lines that we need to figure out exactly what's going wrong:

> #6  0x00007fc3640292f2 in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/discover/flatpak-backend.so

Could you please install debug symbols for Discover's Flatpak backend package, reproduce the crash, and attach a new symbolicated backtrace? See https://community.kde.org/Guidelines_and_HOWTOs/Debugging/How_to_create_useful_crash_reports

Thanks again!
Comment 2 Fabian Vogt 2023-01-22 09:39:33 UTC 
This is probably the same use-after-free issue as I encountered and debugged in https://bugs.kde.org/show_bug.cgi?id=464517#c1 in 5.27 Beta.
Comment 3 Nate Graham 2023-05-15 19:11:14 UTC 
*** Bug 466955 has been marked as a duplicate of this bug. ***
Comment 4 Nate Graham 2023-05-15 19:11:17 UTC 
*** Bug 467027 has been marked as a duplicate of this bug. ***
Comment 5 Nate Graham 2023-08-22 20:58:25 UTC 
*** Bug 473611 has been marked as a duplicate of this bug. ***
Comment 6 Nate Graham 2023-09-05 21:00:08 UTC 
*** Bug 474068 has been marked as a duplicate of this bug. ***
Comment 7 Nate Graham 2023-09-07 22:00:20 UTC 
*** Bug 472673 has been marked as a duplicate of this bug. ***
Comment 8 Nate Graham 2023-10-16 19:48:27 UTC 
*** Bug 475602 has been marked as a duplicate of this bug. ***
Comment 9 David Edmundson 2023-10-23 10:25:32 UTC 
Hit something in valgrind, it implies memory corruption in unrelated code

==35441== Thread 1:
==35441== Invalid read of size 8
==35441==    at 0x76C2875: get (qscopedpointer.h:112)
==35441==    by 0x76C2875: qGetPtrHelper<QScopedPointer<QObjectData, QScopedPointerDeleter<QObjectData> > > (qtclasshelpermacros.h:79)
==35441==    by 0x76C2875: d_func (qobject.h:95)
==35441==    by 0x76C2875: get (src/qtbase/src/corelib/kernel/qobject_p.h:153)
==35441==    by 0x76C2875: void doActivate<false>(QObject*, int, void**) (src/qtbase/src/corelib/kernel/qobject.cpp:3903)
==35441==    by 0x4A85CE2: ResultsStream::resourcesFound(QList<StreamResult> const&) (moc_AbstractResourcesBackend.cpp:187)
==35441==    by 0x21D55041: FlatpakBackend::search(AbstractResourcesBackend::Filters const&)::$_2::operator()() const (src/kde/workspace/discover/libdiscover/backends/FlatpakBackend/FlatpakBackend.cpp:1630)
==35441==    by 0x21D54855: QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, FlatpakBackend::search(AbstractResourcesBackend::Filters const&)::$_2>::call(FlatpakBackend::search(AbstractResourcesBackend::Filters const&)::$_2&, void**) (qobjectdefs_impl.h:137)
==35441==    by 0x21D547F0: void QtPrivate::Functor<FlatpakBackend::search(AbstractResourcesBackend::Filters const&)::$_2, 0>::call<QtPrivate::List<>, void>(FlatpakBackend::search(AbstractResourcesBackend::Filters const&)::$_2&, void*, void**) (qobjectdefs_impl.h:339)
==35441==    by 0x21D5473D: QtPrivate::QCallableObject<FlatpakBackend::search(AbstractResourcesBackend::Filters const&)::$_2, QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) (qobjectdefs_impl.h:522)
==35441==    by 0x76B76F6: QObject::event(QEvent*) (src/qtbase/src/corelib/kernel/qobject.cpp:1437)
==35441==    by 0x506B8A3: QApplicationPrivate::notify_helper(QObject*, QEvent*) (src/qtbase/src/widgets/kernel/qapplication.cpp:3295)
==35441==    by 0x506C734: QApplication::notify(QObject*, QEvent*) (src/qtbase/src/widgets/kernel/qapplication.cpp:0)
==35441==    by 0x76717B2: QCoreApplication::notifyInternal2(QObject*, QEvent*) (src/qtbase/src/corelib/kernel/qcoreapplication.cpp:1119)
==35441==    by 0x767284B: sendEvent (src/qtbase/src/corelib/kernel/qcoreapplication.cpp:1537)
==35441==    by 0x767284B: QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (src/qtbase/src/corelib/kernel/qcoreapplication.cpp:1899)
==35441==    by 0x78D6E02: postEventSourceDispatch(_GSource*, int (*)(void*), void*) (src/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:243)
==35441==  Address 0x1f570f38 is 8 bytes inside a block of size 16 free'd
==35441==    at 0x484412F: free (vg_replace_malloc.c:974)
==35441==    by 0x88501C6: g_datalist_clear (gdataset.c:277)
==35441==    by 0xB2BB05C: as_image_finalize (as-image.c:65)
==35441==    by 0xB3508B3: UnknownInlinedFun (gobject.c:3941)
==35441==    by 0xB3508B3: g_object_unref (gobject.c:3805)
==35441==    by 0x883849D: ptr_array_free (garray.c:1942)
==35441==    by 0xB2D3333: as_screenshot_finalize (as-screenshot.c:89)
==35441==    by 0xB3508B3: UnknownInlinedFun (gobject.c:3941)
==35441==    by 0xB3508B3: g_object_unref (gobject.c:3805)
==35441==    by 0x883849D: ptr_array_free (garray.c:1942)
==35441==    by 0xB2A73BF: as_component_finalize (as-component.c:491)
==35441==    by 0xB3508B3: UnknownInlinedFun (gobject.c:3941)
==35441==    by 0xB3508B3: g_object_unref (gobject.c:3805)
==35441==    by 0x84BBFFF: AppStream::ComponentData::~ComponentData() (component.cpp:91)
==35441==    by 0x84BC416: QSharedDataPointer<AppStream::ComponentData>::~QSharedDataPointer() (qshareddata.h:56)
==35441==  Block was alloc'd at
==35441==    at 0x4841848: malloc (vg_replace_malloc.c:431)
==35441==    by 0x8879712: g_malloc (gmem.c:130)
==35441==    by 0xB342B37: g_object_notify_queue_freeze.lto_priv.0 (gobject.c:303)
==35441==    by 0xB3507D6: UnknownInlinedFun (gobject.c:3890)
==35441==    by 0xB3507D6: g_object_unref (gobject.c:3805)
==35441==    by 0x883849D: ptr_array_free (garray.c:1942)
==35441==    by 0xB2D3333: as_screenshot_finalize (as-screenshot.c:89)
==35441==    by 0xB3508B3: UnknownInlinedFun (gobject.c:3941)
==35441==    by 0xB3508B3: g_object_unref (gobject.c:3805)
==35441==    by 0x883849D: ptr_array_free (garray.c:1942)
==35441==    by 0xB2A73BF: as_component_finalize (as-component.c:491)
==35441==    by 0xB3508B3: UnknownInlinedFun (gobject.c:3941)
==35441==    by 0xB3508B3: g_object_unref (gobject.c:3805)
==35441==    by 0x84BBFFF: AppStream::ComponentData::~ComponentData() (component.cpp:91)
==35441==    by 0x84BC416: QSharedDataPointer<AppStream::ComponentData>::~QSharedDataPointer() (qshareddata.h:56)
Comment 10 Fabian Vogt 2023-10-23 11:17:10 UTC 
(In reply to David Edmundson from comment #9)
> Hit something in valgrind, it implies memory corruption in unrelated code

See comment #2.
Comment 11 David Edmundson 2023-10-24 08:05:27 UTC 
Yeah, I found other instances of the network cache being 0 for the same root cause. I've now plugged all of them and have local asserts on my Qt builds.

I'll backport those fixes, and we'll consider this closed until new information shows otherwise.
Comment 12 Bug Janitor Service 2023-10-24 08:07:19 UTC 
A possibly relevant merge request was started @ https://invent.kde.org/plasma/discover/-/merge_requests/675
Comment 13 Nate Graham 2023-11-15 20:49:58 UTC 
*** Bug 476999 has been marked as a duplicate of this bug. ***
Comment 14 Nate Graham 2023-12-12 17:19:12 UTC 
*** Bug 478394 has been marked as a duplicate of this bug. ***
Comment 15 Nate Graham 2023-12-21 01:23:23 UTC 
*** Bug 478757 has been marked as a duplicate of this bug. ***
Comment 16 David Edmundson 2024-01-05 08:59:16 UTC 
*** Bug 479421 has been marked as a duplicate of this bug. ***
Comment 17 Nate Graham 2024-02-06 21:16:38 UTC 
*** Bug 480830 has been marked as a duplicate of this bug. ***
Comment 18 Fabian Vogt 2024-02-07 07:45:20 UTC 
(In reply to David Edmundson from comment #11)
> I'll backport those fixes, and we'll consider this closed until new
> information shows otherwise.

I think all those new duplicates require a reopening.
Comment 19 Nate Graham 2024-02-16 15:30:18 UTC 
This should be fixed with https://invent.kde.org/plasma/discover/-/merge_requests/751. Unfortunately it was a large refactor and had to be merged for Plasma 6.1 only, not 6.0.

We're also investigating targeted fixes we can make for 6.0, but no guarantees on that.
Comment 20 Nate Graham 2024-03-01 06:43:03 UTC 
*** Bug 482073 has been marked as a duplicate of this bug. ***
Comment 21 Nate Graham 2024-06-27 20:05:32 UTC 
*** Bug 489305 has been marked as a duplicate of this bug. ***
Comment 22 Nate Graham 2024-09-09 06:50:18 UTC 
*** Bug 492767 has been marked as a duplicate of this bug. ***