Version: (using Devel)
OS: Linux
Installed from: Compiled sources

This one is different from other bug reports, it's not hitting an assert.

Steps:
1- Open the attachment with kate.
2- Fold
3- Ctrl+A (to select all)
4- Press delete or backspace

==4175== Invalid read of size 4
==4175==    at 0x7B290D2: KateCodeFoldingTree::removeOpening(KateCodeFoldingNode*, unsigned) (katecodefolding.cpp:553)
==4175==    by 0x7B2964D: KateCodeFoldingTree::cleanupUnneededNodes(unsigned) (katecodefolding.cpp:1296)
==4175==    by 0x7B29909: KateCodeFoldingTree::lineHasBeenRemoved(unsigned) (katecodefolding.cpp:1058)
==4175==    by 0x7ABCFCA: KateBuffer::removeLine(int) (katebuffer.cpp:882)
==4175==    by 0x7AB2E7D: KateDocument::editRemoveLine(int, Kate::EditSource) (katedocument.cpp:1567)
==4175==    by 0x7AB4608: KateDocument::removeText(KTextEditor::Range const&, bool) (katedocument.cpp:824)
==4175==    by 0x7B346E3: KateView::removeSelectedText() (kateview.cpp:1685)
==4175==    by 0x7AB141F: KateDocument::backspace(KateView*, KTextEditor::Cursor const&) (katedocument.cpp:4129)
==4175==    by 0x7B45A13: KateViewInternal::doBackspace() (kateviewinternal.cpp:802)
==4175==    by 0x7B33D1A: KateView::backspace() (kateview.cpp:2447)
==4175==    by 0x7B39920: KateView::qt_metacall(QMetaObject::Call, int, void**) (kateview.moc:357)
==4175==    by 0x4FAB2AA: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3028)
==4175==  Address 0x6bf83a0 is 0 bytes inside a block of size 32 free'd
==4175==    at 0x402266C: operator delete(void*) (vg_replace_malloc.c:342)
==4175==    by 0x7B291DE: KateCodeFoldingTree::removeOpening(KateCodeFoldingNode*, unsigned) (katecodefolding.cpp:577)
==4175==    by 0x7B2964D: KateCodeFoldingTree::cleanupUnneededNodes(unsigned) (katecodefolding.cpp:1296)
==4175==    by 0x7B2A0C8: KateCodeFoldingTree::updateLine(unsigned, QVector<int>*, bool*, bool, bool) (katecodefolding.cpp:530)
==4175==    by 0x7ABFFA4: KateBuffer::doHighlight(int, int, bool) (katebuffer.cpp:1261)
==4175==    by 0x7AC248D: KateBuffer::ensureHighlighted(int) (katebuffer.cpp:775)
==4175==    by 0x7B2852F: KateCodeFoldingTree::toggleRegionVisibility(unsigned) (katecodefolding.cpp:1362)
==4175==    by 0x7B29131: KateCodeFoldingTree::removeOpening(KateCodeFoldingNode*, unsigned) (katecodefolding.cpp:549)
==4175==    by 0x7B2964D: KateCodeFoldingTree::cleanupUnneededNodes(unsigned) (katecodefolding.cpp:1296)
==4175==    by 0x7B29909: KateCodeFoldingTree::lineHasBeenRemoved(unsigned) (katecodefolding.cpp:1058)
==4175==    by 0x7ABCFCA: KateBuffer::removeLine(int) (katebuffer.cpp:882)
==4175==    by 0x7AB2E7D: KateDocument::editRemoveLine(int, Kate::EditSource) (katedocument.cpp:1567)

removeOpening calls toggleRegionVisibility which causes another removeOpening call which will read a freed pointer
Created attachment 29334 [details] testcase
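
The re-entrancy described in the report (removeOpening -> toggleRegionVisibility -> removeOpening on the same node), as an added example that is not part of the original report, not Kate's code and not the r904337 change. It is a simplified C++ model in which an in-progress guard turns the nested call into a no-op, so the outer frame can still read the node; the Node and FoldingTree types and all function bodies are assumptions, only the function names come from the trace.

```cpp
#include <algorithm>
#include <memory>
#include <vector>

// Simplified model, not Kate's code: names mirror the trace, bodies are assumed.
struct Node { int startLine; bool visible; };
class FoldingTree {
    std::vector<std::unique_ptr<Node>> nodes_;
    std::vector<const Node*> removing_;   // nodes whose removal is in progress
public:
    int skippedReentrantRemovals = 0;
    Node* add(int line, bool visible) {
        nodes_.push_back(std::unique_ptr<Node>(new Node{line, visible}));
        return nodes_.back().get();
    }
    int size() const { return static_cast<int>(nodes_.size()); }
    // Stand-in for the unfold -> re-highlight -> cleanup path in the trace:
    // it ends up calling removeOpening() again for the node on `line`.
    void toggleRegionVisibility(int line) {
        for (const auto& n : nodes_)
            if (n->startLine == line) { n->visible = true; removeOpening(n.get()); break; }
    }
    int removeOpening(Node* node) {   // removed node's line, or -1 if skipped
        if (std::find(removing_.begin(), removing_.end(), node) != removing_.end()) {
            ++skippedReentrantRemovals;   // nested call: the outer frame owns the delete
            return -1;
        }
        removing_.push_back(node);
        if (!node->visible)
            toggleRegionVisibility(node->startLine);   // may re-enter removeOpening()
        // Without the guard, the nested call would already have freed `node`,
        // and this read would be the invalid read valgrind reports.
        const int line = node->startLine;
        removing_.pop_back();
        auto it = std::find_if(nodes_.begin(), nodes_.end(),
            [node](const std::unique_ptr<Node>& p) { return p.get() == node; });
        if (it != nodes_.end()) nodes_.erase(it);
        return line;
    }
};

struct Result { int removedLine, remaining, skipped; };
Result removeFoldedNode() {   // constructed scenario: line 1 is folded, then deleted
    FoldingTree t;
    t.add(0, true);
    const int line = t.removeOpening(t.add(1, false));
    return {line, t.size(), t.skippedReentrantRemovals};
}
int main() { return removeFoldedNode().skipped == 1 ? 0 : 1; }
```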
Here using:
Qt: 4.4.3 + qt-copy-patches-889120
KDE: 4.1.86 (KDE 4.1.86 (KDE 4.2 >= 20081221))
kdelibs svn rev. 903705 / kdebase svn rev. 903706
on ArchLinux x86_64 - Kernel 2.6.27.10

I can reproduce this bug.

Backtrace:
Application: Kate (kate), signal SIGSEGV
0x00007f7f827ddfd0 in __nanosleep_nocancel () from /lib/libc.so.6

Thread 1 (Thread 0x7f7f863ea750 (LWP 5499)):
[KCrash Handler]
#5 0x00007f7f79e35281 in KateCodeFoldingTree::removeOpening (this=0x8fb730, node=0xf2e3c0, line=1) at /usr/include/QtCore/qvector.h:111
#6 0x00007f7f79e35546 in KateCodeFoldingTree::cleanupUnneededNodes (this=0x8fb730, line=1) at /home/kde-devel/kde/src/KDE/kdelibs/kate/syntax/katecodefolding.cpp:1308
#7 0x00007f7f79e359a7 in KateCodeFoldingTree::lineHasBeenRemoved (this=0x8fb730, line=1) at /home/kde-devel/kde/src/KDE/kdelibs/kate/syntax/katecodefolding.cpp:1058
#8 0x00007f7f79dc7935 in KateDocument::editRemoveLine (this=0x8eec50, line=1, editSource=<value optimized out>) at /home/kde-devel/kde/src/KDE/kdelibs/kate/document/katedocument.cpp:1569
#9 0x00007f7f79dc8284 in KateDocument::removeText (this=0x8eec50, _range=<value optimized out>, block=false) at /home/kde-devel/kde/src/KDE/kdelibs/kate/document/katedocument.cpp:826
#10 0x00007f7f79e3ce8b in KateView::removeSelectedText (this=0xa39a10) at /home/kde-devel/kde/src/KDE/kdelibs/kate/view/kateview.cpp:1703
#11 0x00007f7f79dca99c in KateDocument::del (this=0x8eec50, view=0xa39a10, c=@0xa35b28) at /home/kde-devel/kde/src/KDE/kdelibs/kate/document/katedocument.cpp:4223
#12 0x00007f7f79e3e75f in KateView::keyDelete (this=0xa39a10) at /home/kde-devel/kde/src/KDE/kdelibs/kate/view/kateview.cpp:2474
#13 0x00007f7f79e43235 in KateView::qt_metacall (this=0xa39a10, _c=QMetaObject::InvokeMetaMethod, _id=<value optimized out>, _a=0x7fff8e52bac0) at /home/kde-devel/kde/build/KDE/kdelibs/kate/kateview.moc:359
#14 0x00007f7f835a5ac0 in QMetaObject::activate (sender=0xc714c0, from_signal_index=<value optimized out>, to_signal_index=6, argv=0x0) at kernel/qobject.cpp:3028
#15 0x00007f7f840d3a57 in QAction::triggered (this=0x8fb730, _t1=false) at .moc/debug-shared/moc_qaction.cpp:216
#16 0x00007f7f840d4204 in QAction::activate (this=0xc714c0, event=<value optimized out>) at kernel/qaction.cpp:1125
#17 0x00007f7f840d7862 in QAction::event (this=0xc714c0, e=0x7fff8e52c050) at kernel/qaction.cpp:1044
#18 0x00007f7f85281523 in KAction::event (this=0x8fb730, event=0x7fff8e52c050) at /home/kde-devel/kde/src/KDE/kdelibs/kdeui/actions/kaction.cpp:88
#19 0x00007f7f840d90ad in QApplicationPrivate::notify_helper (this=0x6b1820, receiver=0xc714c0, e=0x7fff8e52c050) at kernel/qapplication.cpp:3803
#20 0x00007f7f840e040e in QApplication::notify (this=0x7fff8e52d680, receiver=0xc714c0, e=0x7fff8e52c050) at kernel/qapplication.cpp:3768
#21 0x00007f7f8535850b in KApplication::notify (this=0x7fff8e52d680, receiver=0xc714c0, event=0x7fff8e52c050) at /home/kde-devel/kde/src/KDE/kdelibs/kdeui/kernel/kapplication.cpp:307
#22 0x00007f7f83590d90 in QCoreApplication::notifyInternal (this=0x7fff8e52d680, receiver=0xc714c0, event=0x7fff8e52c050) at kernel/qcoreapplication.cpp:583
#23 0x00007f7f8410e0fa in QShortcutMap::dispatchEvent (this=<value optimized out>, e=0x7fff8e52c540) at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:209
#24 0x00007f7f8410fd3a in QShortcutMap::tryShortcutEvent (this=0x6b1930, w=<value optimized out>, e=0x7fff8e52c540) at kernel/qshortcutmap.cpp:362
#25 0x00007f7f840e1492 in QApplication::notify (this=<value optimized out>, receiver=0xa35aa0, e=0x7fff8e52c540) at kernel/qapplication.cpp:3430
#26 0x00007f7f8535850b in KApplication::notify (this=0x7fff8e52d680, receiver=0xa35aa0, event=0x7fff8e52c540) at /home/kde-devel/kde/src/KDE/kdelibs/kdeui/kernel/kapplication.cpp:307
#27 0x00007f7f83590d90 in QCoreApplication::notifyInternal (this=0x7fff8e52d680, receiver=0xa35aa0, event=0x7fff8e52c540) at kernel/qcoreapplication.cpp:583
#28 0x00007f7f8415de14 in QKeyMapper::sendKeyEvent (keyWidget=0xa35aa0, grab=<value optimized out>, type=QEvent::KeyPress, code=16777223, modifiers={i = -1907176864}, text=@0x7fff8e52ca50, autorepeat=false, count=1, nativeScanCode=107, nativeVirtualKey=65535, nativeModifiers=16) at kernel/qkeymapper_x11.cpp:1652
#29 0x00007f7f8415fea7 in QKeyMapperPrivate::translateKeyEvent (this=0x6e17b0, keyWidget=0xa35aa0, event=0x7fff8e52d230, grab=224) at kernel/qkeymapper_x11.cpp:1623
#30 0x00007f7f8413c4a8 in QApplication::x11ProcessEvent (this=0x7fff8e52d680, event=0x7fff8e52d230) at kernel/qapplication_x11.cpp:3055
#31 0x00007f7f84161724 in x11EventSourceDispatch (s=0x6b4dc0, callback=0, user_data=0x0) at kernel/qguieventdispatcher_glib.cpp:142
#32 0x00007f7f7e126aa2 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#33 0x00007f7f7e12a21d in g_main_context_iterate () from /usr/lib/libglib-2.0.so.0
#34 0x00007f7f7e12a3db in g_main_context_iteration () from /usr/lib/libglib-2.0.so.0
#35 0x00007f7f835b7cdf in QEventDispatcherGlib::processEvents (this=0x685ee0, flags=<value optimized out>) at kernel/qeventdispatcher_glib.cpp:319
#36 0x00007f7f84160f7f in QGuiEventDispatcherGlib::processEvents (this=0x8fb730, flags=<value optimized out>) at kernel/qguieventdispatcher_glib.cpp:198
#37 0x00007f7f8358f9c2 in QEventLoop::processEvents (this=<value optimized out>, flags={i = -1907174112}) at kernel/qeventloop.cpp:143
#38 0x00007f7f8358fb55 in QEventLoop::exec (this=0x7fff8e52d560, flags={i = -1907174032}) at kernel/qeventloop.cpp:190
#39 0x00007f7f835948f7 in QCoreApplication::exec () at kernel/qcoreapplication.cpp:845
#40 0x00007f7f86111ca5 in kdemain (argc=1, argv=0x7fff8e52e868) at /home/kde-devel/kde/src/KDE/kdesdk/kate/app/katemain.cpp:250
#41 0x00007f7f8275d546 in __libc_start_main () from /lib/libc.so.6
#42 0x0000000000400749 in _start ()
Bug 177790 has a similar backtrace, it may be the same crash.
** I mean bug 179225
Fixes in revision r904337

Works here in 4.3 rc1