Bug 494826

Summary: segfault in ktexteditor 6.7.0
Product: [Frameworks and Libraries] frameworks-ktexteditor
Reporter: Mark Harmstone <mark>
Component: general
Assignee: KWrite Developers <kwrite-bugs-null>
Status: RESOLVED FIXED
Severity: normal
CC: 1293660441, bugs.kde.org, bugs.kde.org, christoph, julien.dlq, jvoss, mark, pederick, waqar.17a
Priority: NOR
Version: 6.7.0
Target Milestone: ---
Platform: Other
OS: Linux
Latest Commit:
Version Fixed In: 6.9.0
Sentry Crash Report:
Attachments:
    The file used to trigger the crash
    A few backtraces yielded by crashes on different situations

Description Mark Harmstone 2024-10-15 20:35:56 UTC
SUMMARY
ktexteditor 6.7.0 can cause a segfault in kwrite due to an invalid this pointer.

STEPS TO REPRODUCE
1. Open file with many lines in kwrite
2. Do find and replace of "\n" to " ", to put everything on one line
3. Select all
4. Segfault

SOFTWARE/OS VERSIONS
Operating System: Gentoo Linux 2.15
KDE Plasma Version: 5.27.11
KDE Frameworks Version: 5.116.0
Qt Version: 5.15.14
Kernel Version: 6.11.0-gentoo (64-bit)
Graphics Platform: offscreen
Processors: 32 × AMD Ryzen 9 9950X 16-Core Processor
Memory: 60.5 GiB of RAM
Graphics Processor: NVIDIA GeForce RTX 4070/PCIe/SSE2
Comment 1 Mark Harmstone 2024-10-15 20:36:11 UTC
Thread 1 "kwrite" received signal SIGSEGV, Segmentation fault.
0x00007ffff776469a in Kate::TextBlock::startLine (this=0x22500000000) at /tmp/ktexteditor/src/buffer/katetextblock.cpp:34
34          return m_buffer->m_startLines[m_blockIndex];
(gdb) bt
#0  0x00007ffff776469a in Kate::TextBlock::startLine (this=0x22500000000) at /tmp/ktexteditor/src/buffer/katetextblock.cpp:34
#1  0x00007ffff775520f in Kate::TextCursor::lineInternal (this=0x555555c2ccc0) at /tmp/ktexteditor/src/buffer/katetextcursor.h:127
#2  0x00007ffff77516d7 in Kate::TextBuffer::rangesForLine (this=0x555555f60360, line=0, view=0x555555b51cf0, rangesWithAttributeOnly=false, outRanges=Python Exception <class 'gdb.error'>: cannot resolve overloaded method `end': no arguments supplied
)
    at /tmp/ktexteditor/src/buffer/katetextbuffer.cpp:1007
#3  0x00007ffff790a23f in Kate::TextBuffer::rangesForLine (this=0x555555f60360, line=0, view=0x555555b51cf0, rangesWithAttributeOnly=false)
    at /tmp/ktexteditor/src/buffer/katetextbuffer.h:495
#4  0x00007ffff79b0496 in KTextEditor::ViewPrivate::updateRangesIn (this=0x555555b51cf0, activationType=KTextEditor::Attribute::ActivateMouseIn)
    at /tmp/ktexteditor/src/view/kateview.cpp:4797
#5  0x00007ffff79b0214 in KTextEditor::ViewPrivate::slotDelayedUpdateOfView (this=0x555555b51cf0) at /tmp/ktexteditor/src/view/kateview.cpp:4761
#6  0x00007ffff79ccb88 in QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, void (KTextEditor::ViewPrivate::*)()>::call(void (KTextEditor::ViewPrivate::*)(), KTextEditor::ViewPrivate*, void**)
    (f=(void (KTextEditor::ViewPrivate::*)(KTextEditor::ViewPrivate * const)) 0x7ffff79b01f2 <KTextEditor::ViewPrivate::slotDelayedUpdateOfView()>, o=0x555555b51cf0, arg=0x555556009348) at /usr/include/qt6/QtCore/qobjectdefs_impl.h:145
#7  0x00007ffff79ca062 in QtPrivate::FunctionPointer<void (KTextEditor::ViewPrivate::*)()>::call<QtPrivate::List<>, void>(void (KTextEditor::ViewPrivate::*)(), KTextEditor::ViewPrivate*, void**)
    (f=(void (KTextEditor::ViewPrivate::*)(KTextEditor::ViewPrivate * const)) 0x7ffff79b01f2 <KTextEditor::ViewPrivate::slotDelayedUpdateOfView()>, o=0x555555b51cf0, arg=0x555556009348) at /usr/include/qt6/QtCore/qobjectdefs_impl.h:182
#8  0x00007ffff79c6fe5 in QtPrivate::QCallableObject<void (KTextEditor::ViewPrivate::*)(), QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) (which=1, this_=0x555555b102d0, r=0x555555b51cf0, a=0x555556009348, ret=0x0) at /usr/include/qt6/QtCore/qobjectdefs_impl.h:553
#9  0x00007ffff500a21b in QObject::event(QEvent*) () at /usr/lib64/libQt6Core.so.6
#10 0x00007ffff79b00a3 in KTextEditor::ViewPrivate::event (this=0x555555b51cf0, e=0x555556009300) at /tmp/ktexteditor/src/view/kateview.cpp:4712
#11 0x00007ffff6221439 in QApplicationPrivate::notify_helper(QObject*, QEvent*) () at /usr/lib64/libQt6Widgets.so.6
#12 0x00007ffff5083bd8 in QCoreApplication::notifyInternal2(QObject*, QEvent*) () at /usr/lib64/libQt6Core.so.6
#13 0x00007ffff50a970e in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () at /usr/lib64/libQt6Core.so.6
#14 0x00007ffff4e47a37 in postEventSourceDispatch(_GSource*, int (*)(void*), void*) () at /usr/lib64/libQt6Core.so.6
#15 0x00007ffff1dfab1b in g_main_dispatch () at /usr/lib64/libglib-2.0.so.0
#16 0x00007ffff1dfdea7 in g_main_context_iterate_unlocked.isra () at /usr/lib64/libglib-2.0.so.0
#17 0x00007ffff1dfe500 in g_main_context_iteration () at /usr/lib64/libglib-2.0.so.0
#18 0x00007ffff4e45be3 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () at /usr/lib64/libQt6Core.so.6
#19 0x00007ffff50ae3fa in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () at /usr/lib64/libQt6Core.so.6
#20 0x00007ffff50ae595 in QCoreApplication::exec() () at /usr/lib64/libQt6Core.so.6
#21 0x000055555555796d in main (argc=2, argv=0x7fffffffd1d8) at /var/tmp/portage/kde-apps/kwrite-24.08.2/work/kate-24.08.2/apps/kwrite/main.cpp:162
Comment 2 Mark Harmstone 2024-10-15 20:36:43 UTC
Bisected to a65e18369bc6043577131dd43d4b3092400d5d5e:

commit a65e18369bc6043577131dd43d4b3092400d5d5e (HEAD)
Author: Waqar Ahmed <waqar.17a@gmail.com>
Date:   Mon Sep 16 18:11:58 2024 +0500

    Store multiline ranges spanning multiple blocks in TextBuffer

 autotests/src/movingrange_test.cpp | 63 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 autotests/src/movingrange_test.h   |  1 +
 src/buffer/katetextblock.cpp       | 20 ++++++++++++++++++++
 src/buffer/katetextbuffer.cpp      | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 src/buffer/katetextbuffer.h        | 24 ++++++++++++++++--------
 src/buffer/katetextrange.cpp       | 26 +++++++++++++++++++++++++-
 src/buffer/katetextrange.h         |  5 +++++
 7 files changed, 177 insertions(+), 9 deletions(-)
Comment 3 Waqar Ahmed 2024-10-16 05:33:04 UTC
Git commit 2c7e0711efd65e68687d530240bb46a1cf8de122 by Waqar Ahmed.
Committed on 16/10/2024 at 05:32.
Pushed by waqar into branch 'master'.

Fix multiblock range handling when unwrapping line

M  +23   -0    autotests/src/movingrange_test.cpp
M  +1    -0    autotests/src/movingrange_test.h
M  +12   -5    src/buffer/katetextblock.cpp

https://invent.kde.org/frameworks/ktexteditor/-/commit/2c7e0711efd65e68687d530240bb46a1cf8de122
Comment 4 Waqar Ahmed 2024-11-12 08:22:03 UTC
*** Bug 496163 has been marked as a duplicate of this bug. ***
Comment 5 Waqar Ahmed 2024-11-18 08:34:22 UTC
*** Bug 496409 has been marked as a duplicate of this bug. ***
Comment 6 Huanyu Liu 2024-11-30 04:09:06 UTC
I am afraid that this segfault crash has not been totally fixed. I can still reproduce the crash in KDE Framework 6.8.0. Furthermore, the crash behavior is quite complicated. It is not reproducible every time. I have managed to find a method to reproduce the crash with 90% probability:

1. Open the attached file "crash.txt" (consisting of 100 lines of "1234567890") with Kwrite (or Kate).
2. Do a regex "Replace All" of "\n" (linefeed) to "" (empty string).

Then Kwrite will crash 90% of the time. If it does not crash:

3. Press Ctrl+Z to undo the replace, then click on the "Replace All" button again.
4. Repeat Step 3 as fast as possible.

Then Kwrite will crash 60% of the time.

If you replace from "\n" to "\n" (i.e. leave the linefeed unchanged), then Kwrite will not crash on the first replace, but still has a probability to crash on subsequent undo-and-replaces.

Crash on the first replace will yield a fixed backtrace (see Backtrace 1 in the attached file), while crash on subsequent undo-and-replaces will yield different backtraces randomly (see Backtraces 2 to 4).

Operating System: Arch Linux 
KDE Plasma Version: 6.2.3
KDE Frameworks Version: 6.8.0
Qt Version: 6.8.0
Kernel Version: 6.12.1-arch1-1 (64-bit)
Graphics Platform: Wayland
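Both reproduction recipes on this page (the "\n" to " " replace in the description, and the 100-line crash.txt with a "\n" to "" Replace All in comment 6) are manual GUI steps, and the useful artifact is the backtrace at the moment of the SIGSEGV. The script below is an added example, not part of the bug report or of the KTextEditor project: it builds the crash.txt file as comment 6 describes it (100 lines of "1234567890") and launches KWrite under gdb in batch mode so that the backtrace is printed automatically when the user performs the Replace All. The file name crash.txt and the line content come from comment 6; the assumption that gdb and kwrite are on PATH, and the --run entry point, are this example's own.

```shell
#!/bin/sh
# Added reproduction harness for the KWrite/ktexteditor unwrap crash.
# Not the project's code. Assumes gdb and kwrite are installed; the
# Replace All itself still has to be done by hand in the GUI.

# make_repro_file FILE [N] [LINE]
# Writes N newline-terminated copies of LINE to FILE (defaults match the
# attachment described in comment 6: 100 lines of "1234567890") and
# prints the resulting line count.
make_repro_file() {
    file=$1
    n=${2:-100}
    line=${3:-1234567890}
    : > "$file"
    i=0
    while [ "$i" -lt "$n" ]; do
        printf '%s\n' "$line" >> "$file"
        i=$((i + 1))
    done
    wc -l < "$file" | tr -d ' '
}

# run_under_gdb FILE
# Starts kwrite on FILE inside gdb. In batch mode gdb runs the program,
# and when the regex Replace All of "\n" -> "" (or the undo/replace loop
# from comment 6) triggers the segfault, gdb stops, prints "bt" and exits.
# If the program exits normally, "bt" just reports no stack.
# Returns 2 when gdb or kwrite is missing so the call is harmless elsewhere.
run_under_gdb() {
    file=$1
    command -v gdb >/dev/null 2>&1 || return 2
    command -v kwrite >/dev/null 2>&1 || return 2
    gdb -batch -ex run -ex bt --args kwrite "$file"
}

# Usage: sh repro.sh --run   (then do the Replace All in the KWrite window)
if [ "${1:-}" = "--run" ]; then
    make_repro_file crash.txt 100 >/dev/null
    run_under_gdb crash.txt
fi
```

The first frame in comment 1 shows `this=0x22500000000`, which is not a plausible heap address, so the cursor is dereferencing a stale block pointer rather than an out-of-range index. For that class of defect a build of ktexteditor with AddressSanitizer (extra-cmake-modules supports `-DECM_ENABLE_SANITIZERS=address`) reports the first invalid access with the allocation and free sites, which is usually more informative than the eventual SIGSEGV captured by the gdb run above.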
Comment 7 Huanyu Liu 2024-11-30 04:10:05 UTC
Created attachment 176231 [details]
The file used to trigger the crash
Comment 8 Huanyu Liu 2024-11-30 04:10:59 UTC
Created attachment 176232 [details]
A few backtraces yielded by crashes on different situations
Comment 9 Waqar Ahmed 2024-11-30 06:33:14 UTC
Indeed there was one more case related to this. Just merged a fix for this, can you try latest master?
Comment 10 Huanyu Liu 2024-12-01 11:19:58 UTC
(In reply to Waqar Ahmed from comment #9)
> Indeed there was one more case related to this. Just merged a fix for this,
> can you try latest master?

I tried the AppImage version of Daily Build 8537 (last modified 2024-12-01 07:31 UTC+8) of Kate at https://cdn.kde.org/ci-builds/utilities/kate/master/linux/ and the crash is still reproducible.
Comment 11 Christoph Cullmann 2024-12-01 13:43:50 UTC
(In reply to Huanyu Liu from comment #10)
> (In reply to Waqar Ahmed from comment #9)
> > Indeed there was one more case related to this. Just merged a fix for this,
> > can you try latest master?
> 
> I tried the AppImage version of Daily Build 8537 (last modified 2024-12-01
> 07:31 UTC+8) of Kate at
> https://cdn.kde.org/ci-builds/utilities/kate/master/linux/ and the crash is
> still reproducible.

I don't think that image includes the fix as that will still just use the last stable frameworks release.
Comment 12 Christoph Cullmann 2024-12-01 13:45:05 UTC
Which framework version is shown in the about dialog?
Comment 13 Huanyu Liu 2024-12-02 07:06:41 UTC
(In reply to Christoph Cullmann from comment #12)
> Which framework version is shown in the about dialog?

It is built with KDE Framework 6.8.0. Not the latest version indeed.

I am trying to compile from source. It seems that Kate/Kwrite requires tons of dependencies, so the compilation process might be lengthy...
Comment 14 Christoph Cullmann 2024-12-02 08:37:21 UTC
I think the commit below is in 6.8, let's just re-open atm.
Comment 15 Huanyu Liu 2024-12-02 09:40:05 UTC
I built Kate from source just now. The crash is no longer reproducible in the latest master. Specifically, it was fixed by the following commit:
https://invent.kde.org/frameworks/ktexteditor/-/commit/0cd45a976b6d04f223c4bbcbdf72185f547645e9

Just 14 hours before my report :( Close as fixed.
Comment 16 Waqar Ahmed 2024-12-02 10:28:55 UTC
Thanks for testing :)

It was a tricky one.
Comment 17 Waqar Ahmed 2024-12-13 10:52:20 UTC
*** Bug 497388 has been marked as a duplicate of this bug. ***
Comment 18 Waqar Ahmed 2024-12-17 18:07:58 UTC
*** Bug 497618 has been marked as a duplicate of this bug. ***