189069 – QGArray::at: Absolute index xxx out of range filling up disk and kopete unresponsitive

Bug 189069 - QGArray::at: Absolute index xxx out of range filling up disk and kopete unresponsitive

Summary: QGArray::at: Absolute index xxx out of range filling up disk and kopete unres...

Status:	RESOLVED LATER

Alias:	None

Product:	kopete
Classification:	Unmaintained
Component:	general (other bugs)
Version First Reported In:	0.12.7
Platform:	unspecified Linux

Importance:	NOR normal
Target Milestone:	---
Assignee:	Kopete Developers

URL:
Keywords:

Depends on:
Blocks:

Reported:	2009-04-07 21:06 UTC by Elan Ruusamäe
Modified:	2009-09-06 05:16 UTC (History)
CC List:	1 user (show)

See Also:
Latest Commit:
Version Fixed/Implemented In:
Sentry Crash Report:

Attachments
Add an attachment

Note You need to log in before you can comment on or make changes to this bug.

Description Elan Ruusamäe 2009-04-07 21:06:12 UTC

Version:           0.12.7 (using 3.5.10, PLD Linux Distribution)
Compiler:          Target: x86_64-pld-linux
OS:                Linux (x86_64) release 2.6.27.15-1

I had kopete looping and filling up disk.

I tried to make as much possible from backtrace as i believe it's not easily reproducible as I don't know how it happened (but it has happened few times earlier too). So if you don't find this trace useful, please provide hints what to debug next time this bug happens (maybe some element needs to be inspected more deeeply).



....
QGArray::at: Absolute index 280952899 out of range
QGArray::at: Absolute index 280952900 out of range
QGArray::at: Absolute index 280952901 out of range
QGArray::at: Absolute index 280952902 out of range
QGArray::at: Absolute index 280952903 out of range
QGArray::at: Absolute index 280952904 out of range
QGArray::at: Absolute index 280952905 out of range
QGArray::at: Absolute index 280952906 out of range
QGArray::at: Absolute index 280952907 out of range
QGArray::at: Absolute index 280952908 out of range
QGArray::at: Absolute index 280952909 out of range
QGArray::at: Absolute index 280952910 out of range
QGArray::at: Absolute index 280952911 out of range
QGArray::at: Absolute index 280952912 out of range
QGArray::at: Absolute index 280952913 out of range
QGArray::at: Absolute index 280952914 out of range
QGArray::at: Absolute index 280952915 out of range
...


"/usr/include/qt/qgarray.h" :
122 inline char *QGArray::at( uint index ) const
123 {
124 #if defined(QT_CHECK_RANGE)
125     if ( index >= size() ) {
126         msg_index( index );
127         index = 0;
128     }
129 #endif
130     return &shd->data[index];
131 }
132
133
134 #endif // QGARRAY_H



and here follows some play from gdb

(gdb) bt
#0  0x00007f85e9fe180b in write () from /lib64/libc.so.6
#1  0x00007f85e9f8cbea in _IO_file_write () from /lib64/libc.so.6
#2  0x00007f85e9f8c83a in ?? () from /lib64/libc.so.6
#3  0x00007f85e9f8cb2e in _IO_file_xsputn () from /lib64/libc.so.6
#4  0x00007f85e9f655be in ?? () from /lib64/libc.so.6
#5  0x00007f85e9f60956 in vfprintf () from /lib64/libc.so.6
#6  0x00007f85e9f6a5f8 in fprintf () from /lib64/libc.so.6
#7  0x00007f85ead3435b in qWarning(char const*, ...) () from /usr/lib64/libqt-mt.so.3
#8  0x00007f85da3ebf65 in P2P::Dispatcher::slotReadMessage (this=0xca53a0, from=<value optimized out>, stream=<value optimized out>)
    at /usr/include/qt/qgarray.h:126
#9  0x00007f85da3d8bc6 in MSNSwitchBoardSocket::slotReadMessage (this=0x28fe850, bytes=@0x7ffff5144610) at msnswitchboardsocket.cpp:452
#10 0x00007f85da3ddab4 in MSNSwitchBoardSocket::qt_invoke (this=0x28fe850, _id=23, _o=0x7ffff51445b0) at msnswitchboardsocket.moc:273
#11 0x00007f85eaac63ec in QObject::activate_signal(QConnectionList*, QUObject*) () from /usr/lib64/libqt-mt.so.3
#12 0x00007f85da3b79bd in MSNSocket::blockRead (this=0x28fe850, t0=@0x7ffff5144610) at msnsocket.moc:179
#13 0x00007f85da3bce41 in MSNSocket::pollReadBlock (this=0x28fe850) at msnsocket.cpp:497
#14 0x00007f85da3be458 in MSNSocket::readBlock (this=0x2, len=4111724912) at msnsocket.cpp:477
#15 0x00007f85da3db3eb in MSNSwitchBoardSocket::parseCommand (this=0x28fe850, cmd=<value optimized out>, id=<value optimized out>, data=@0x7ffff5144900)
    at msnswitchboardsocket.cpp:237
#16 0x00007f85da3b8d66 in MSNSocket::parseLine (this=0x28fe850, str=@0x7ffff51448a0) at msnsocket.cpp:526
#17 0x00007f85da3bcfdf in MSNSocket::slotReadLine (this=0x28fe850) at msnsocket.cpp:456
#18 0x00007f85da3bd6a9 in MSNSocket::slotDataReceived (this=0x28fe850) at msnsocket.cpp:411
#19 0x00007f85da3be308 in MSNSocket::qt_invoke (this=0x28fe850, _id=9, _o=0x7ffff5144dd0) at msnsocket.moc:231
#20 0x00007f85eaac63ec in QObject::activate_signal(QConnectionList*, QUObject*) () from /usr/lib64/libqt-mt.so.3
#21 0x00007f85eaac7234 in QObject::activate_signal(int) () from /usr/lib64/libqt-mt.so.3
#22 0x00007f85eb81c196 in KNetwork::KBufferedSocket::qt_invoke(int, QUObject*) () from /usr/lib64/libkdecore.so.4
#23 0x00007f85eaac63ec in QObject::activate_signal(QConnectionList*, QUObject*) () from /usr/lib64/libqt-mt.so.3
#24 0x00007f85eaac716e in QObject::activate_signal(int, int) () from /usr/lib64/libqt-mt.so.3
#25 0x00007f85eaae08fb in QSocketNotifier::event(QEvent*) () from /usr/lib64/libqt-mt.so.3
#26 0x00007f85eaa708cd in QApplication::internalNotify(QObject*, QEvent*) () from /usr/lib64/libqt-mt.so.3
#27 0x00007f85eaa71424 in QApplication::notify(QObject*, QEvent*) () from /usr/lib64/libqt-mt.so.3
#28 0x00007f85eb6b1153 in KApplication::notify(QObject*, QEvent*) () from /usr/lib64/libkdecore.so.4
#29 0x00007f85eaa66413 in QEventLoop::activateSocketNotifiers() () from /usr/lib64/libqt-mt.so.3
#30 0x00007f85eaa25ee6 in QEventLoop::processEvents(unsigned int) () from /usr/lib64/libqt-mt.so.3
#31 0x00007f85eaa84643 in QEventLoop::enterLoop() () from /usr/lib64/libqt-mt.so.3
#32 0x00007f85eaa844f2 in QEventLoop::exec() () from /usr/lib64/libqt-mt.so.3
#33 0x000000000042c455 in main (argc=<value optimized out>, argv=<value optimized out>) at main.cpp:107
(gdb) print this
$1 = (P2P::Dispatcher * const) 0xca53a0
(gdb) print *this
$2 = {
  <> = {<No data fields>},
  members of P2P::Dispatcher:
  static metaObj = 0x2828b80,
  m_pictureUrl = {
    static null = {
      static null = <same as static member of an already seen type>,
      d = 0x6ff9e0,
      static shared_null = 0x6ff9e0
    },
    d = 0x13a7df0,
    static shared_null = 0x6ff9e0
  },
  objectList = {
    sh = 0x21eac30
  },
  m_messageFormatter = {
    <> = {<No data fields>},
    members of P2P::MessageFormatter:
    static metaObj = 0x0
  },
  m_sessions = {
    sh = 0x27aad70
  },
  m_messageBuffer = {
    sh = 0x269ac00
  },
  m_contact = {
    static null = {
      static null = <same as static member of an already seen type>,
      d = 0x6ff9e0,
      static shared_null = 0x6ff9e0
    },
    d = 0xc80250,
    static shared_null = 0x6ff9e0
  },
  m_callbackChannel = 0x225ea80,
  m_ip = {
    <QValueList<QString>> = {
      sh = 0x1e7d220
    }, <No data fields>}
}
(gdb)  


(gdb) up
#9  0x00007f85da3d8bc6 in MSNSwitchBoardSocket::slotReadMessage (this=0x28fe850, bytes=@0x7ffff5144610) at msnswitchboardsocket.cpp:452
452                     PeerDispatcher()->slotReadMessage(m_msgHandle, bytes);
(gdb) print *this
$3 = {
  <MSNSocket> = {
    <> = {<No data fields>},
    members of MSNSocket:
    static metaObj = 0xbc8f80,
    m_id = 385,
    m_sendQueue = {
      sh = 0x2611270
    },
    m_socket = 0x1edb7c0,
    m_onlineStatus = MSNSocket::Connected,
    m_server = {
      static null = {
        static null = <same as static member of an already seen type>,
        d = 0x6ff9e0,
        static shared_null = 0x6ff9e0
      },
      d = 0x28792f0,
      static shared_null = 0x6ff9e0
    },
    m_port = 1863,
    m_waitBlockSize = 0,
    m_buffer = {
      <QMemArray<char>> = {
        <> = {<No data fields>}, <No data fields>}, <No data fields>},
    m_useHttp = false,
    m_bCanPoll = 255,
    m_bIsFirstInTransaction = 255,
    m_gateway = {
      static null = {
        static null = <same as static member of an already seen type>,
        d = 0x6ff9e0,
        static shared_null = 0x6ff9e0
      },
      d = 0x6ff9e0,
      static shared_null = 0x6ff9e0
    },
    m_gwip = {
      static null = {
        static null = <same as static member of an already seen type>,
        d = 0x6ff9e0,
        static shared_null = 0x6ff9e0
      },
      d = 0x6ff9e0,
      static shared_null = 0x6ff9e0
    },
    m_sessionId = {
      static null = {
        static null = <same as static member of an already seen type>,
        d = 0x6ff9e0,
        static shared_null = 0x6ff9e0
      },
      d = 0x6ff9e0,
      static shared_null = 0x6ff9e0
    },
    m_timer = 0x0,
    m_type = {
      static null = {
        static null = <same as static member of an already seen type>,
        d = 0x6ff9e0,
        static shared_null = 0x6ff9e0
      },
      d = 0x6ff9e0,
---Type <return> to continue, or q <return> to quit---
      static shared_null = 0x6ff9e0
    },
    m_pending = 255,
    m_remaining = -1
  },
  members of MSNSwitchBoardSocket:
  static metaObj = 0x2880720,
  m_dispatcher = 0xca53a0,
  m_account = 0xb97620,
  m_myHandle = {
    static null = {
      static null = <same as static member of an already seen type>,
      d = 0x6ff9e0,
      static shared_null = 0x6ff9e0
    },
    d = 0xc80250,
    static shared_null = 0x6ff9e0
  },
  m_msgHandle = {
    static null = {
      static null = <same as static member of an already seen type>,
      d = 0x6ff9e0,
      static shared_null = 0x6ff9e0
    },
    d = 0x7f85d00a3420,
    static shared_null = 0x6ff9e0
  },
  m_ID = {
    static null = {
      static null = <same as static member of an already seen type>,
      d = 0x6ff9e0,
      static shared_null = 0x6ff9e0
    },
    d = 0x233ecd0,
    static shared_null = 0x6ff9e0
  },
  m_auth = {
    static null = {
      static null = <same as static member of an already seen type>,
      d = 0x6ff9e0,
      static shared_null = 0x6ff9e0
    },
    d = 0x222c1a0,
    static shared_null = 0x6ff9e0
  },
  m_chatMembers = {
    <QValueList<QString>> = {
      sh = 0x278aba0
    }, <No data fields>},
  m_msgQueue = {
    sh = 0x22f6da0
  },
  m_recvIcons = 0,
  m_emoticons = {
    sh = 0x2a1d440
  },
  m_emoticonTimer = 0x0,
  m_typewrited = {
    <QGList> = {
      <> = {<No data fields>},
      members of QGList:
      firstNode = 0x0,
      lastNode = 0x0,
---Type <return> to continue, or q <return> to quit---
      curNode = 0x0,
      curIndex = -1,
      numNodes = 0,
      iterators = 0x0
    }, <No data fields>},
  m_inkMessageBuffer = {
    sh = 0x2a1d4a0
  },
  m_chunks = 0,
  m_clientcapsSent = false,
  m_keepAlive = 0x0,
  m_keepAliveNb = -360
}

(gdb) print bytes
$4 = (const QByteArray &) @0x7ffff5144610: {
  <> = {<No data fields>}, <No data fields>}

(gdb) up
#10 0x00007f85da3ddab4 in MSNSwitchBoardSocket::qt_invoke (this=0x28fe850, _id=23, _o=0x7ffff51445b0) at msnswitchboardsocket.moc:273
273         case 6: slotReadMessage((const QByteArray&)*((const QByteArray*)static_QUType_ptr.get(_o+1))); break;
(gdb) print *this
$5 = {
  <MSNSocket> = {
    <> = {<No data fields>},
    members of MSNSocket:
    static metaObj = 0xbc8f80,
    m_id = 385,
    m_sendQueue = {
      sh = 0x2611270
    },
    m_socket = 0x1edb7c0,
    m_onlineStatus = MSNSocket::Connected,
    m_server = {
      static null = {
        static null = <same as static member of an already seen type>,
        d = 0x6ff9e0,
        static shared_null = 0x6ff9e0
      },
      d = 0x28792f0,
      static shared_null = 0x6ff9e0
    },
    m_port = 1863,
    m_waitBlockSize = 0,
    m_buffer = {
      <QMemArray<char>> = {
        <> = {<No data fields>}, <No data fields>}, <No data fields>},
    m_useHttp = false,
    m_bCanPoll = 255,
    m_bIsFirstInTransaction = 255,
    m_gateway = {
      static null = {
        static null = <same as static member of an already seen type>,
        d = 0x6ff9e0,
        static shared_null = 0x6ff9e0
      },
      d = 0x6ff9e0,
      static shared_null = 0x6ff9e0
    },
    m_gwip = {
      static null = {
        static null = <same as static member of an already seen type>,
        d = 0x6ff9e0,
        static shared_null = 0x6ff9e0
      },
      d = 0x6ff9e0,
      static shared_null = 0x6ff9e0
    },
    m_sessionId = {
      static null = {
        static null = <same as static member of an already seen type>,
        d = 0x6ff9e0,
        static shared_null = 0x6ff9e0
      },
      d = 0x6ff9e0,
      static shared_null = 0x6ff9e0
    },
    m_timer = 0x0,
    m_type = {
      static null = {
        static null = <same as static member of an already seen type>,
        d = 0x6ff9e0,
        static shared_null = 0x6ff9e0
      },
      d = 0x6ff9e0,
---Type <return> to continue, or q <return> to quit---
      static shared_null = 0x6ff9e0
    },
    m_pending = 255,
    m_remaining = -1
  },
  members of MSNSwitchBoardSocket:
  static metaObj = 0x2880720,
  m_dispatcher = 0xca53a0,
  m_account = 0xb97620,
  m_myHandle = {
    static null = {
      static null = <same as static member of an already seen type>,
      d = 0x6ff9e0,
      static shared_null = 0x6ff9e0
    },
    d = 0xc80250,
    static shared_null = 0x6ff9e0
  },
  m_msgHandle = {
    static null = {
      static null = <same as static member of an already seen type>,
      d = 0x6ff9e0,
      static shared_null = 0x6ff9e0
    },
    d = 0x7f85d00a3420,
    static shared_null = 0x6ff9e0
  },
  m_ID = {
    static null = {
      static null = <same as static member of an already seen type>,
      d = 0x6ff9e0,
      static shared_null = 0x6ff9e0
    },
    d = 0x233ecd0,
    static shared_null = 0x6ff9e0
  },
  m_auth = {
    static null = {
      static null = <same as static member of an already seen type>,
      d = 0x6ff9e0,
      static shared_null = 0x6ff9e0
    },
    d = 0x222c1a0,
    static shared_null = 0x6ff9e0
  },
  m_chatMembers = {
    <QValueList<QString>> = {
      sh = 0x278aba0
    }, <No data fields>},
  m_msgQueue = {
    sh = 0x22f6da0
  },
  m_recvIcons = 0,
  m_emoticons = {
    sh = 0x2a1d440
  },
  m_emoticonTimer = 0x0,
  m_typewrited = {
    <QGList> = {
      <> = {<No data fields>},
      members of QGList:
      firstNode = 0x0,
      lastNode = 0x0,
---Type <return> to continue, or q <return> to quit---
      curNode = 0x0,
      curIndex = -1,
      numNodes = 0,
      iterators = 0x0
    }, <No data fields>},
  m_inkMessageBuffer = {
    sh = 0x2a1d4a0
  },
  m_chunks = 0,
  m_clientcapsSent = false,
  m_keepAlive = 0x0,
  m_keepAliveNb = -360
}
(gdb)    

(gdb) up
#12 0x00007f85da3b79bd in MSNSocket::blockRead (this=0x28fe850, t0=@0x7ffff5144610) at msnsocket.moc:179
179         activate_signal( clist, o );
(gdb) print *this
$6 = {
  <> = {<No data fields>},
  members of MSNSocket:
  static metaObj = 0xbc8f80,
  m_id = 385,
  m_sendQueue = {
    sh = 0x2611270
  },
  m_socket = 0x1edb7c0,
  m_onlineStatus = MSNSocket::Connected,
  m_server = {
    static null = {
      static null = <same as static member of an already seen type>,
      d = 0x6ff9e0,
      static shared_null = 0x6ff9e0
    },
    d = 0x28792f0,
    static shared_null = 0x6ff9e0
  },
  m_port = 1863,
  m_waitBlockSize = 0,
  m_buffer = {
    <QMemArray<char>> = {
      <> = {<No data fields>}, <No data fields>}, <No data fields>},
  m_useHttp = false,
  m_bCanPoll = 255,
  m_bIsFirstInTransaction = 255,
  m_gateway = {
    static null = {
      static null = <same as static member of an already seen type>,
      d = 0x6ff9e0,
      static shared_null = 0x6ff9e0
    },
    d = 0x6ff9e0,
    static shared_null = 0x6ff9e0
  },
  m_gwip = {
    static null = {
      static null = <same as static member of an already seen type>,
      d = 0x6ff9e0,
      static shared_null = 0x6ff9e0
    },
    d = 0x6ff9e0,
    static shared_null = 0x6ff9e0
  },
  m_sessionId = {
    static null = {
      static null = <same as static member of an already seen type>,
      d = 0x6ff9e0,
      static shared_null = 0x6ff9e0
    },
    d = 0x6ff9e0,
    static shared_null = 0x6ff9e0
  },
  m_timer = 0x0,
  m_type = {
    static null = {
      static null = <same as static member of an already seen type>,
      d = 0x6ff9e0,
      static shared_null = 0x6ff9e0
    },
    d = 0x6ff9e0,
    static shared_null = 0x6ff9e0
---Type <return> to continue, or q <return> to quit---
  },
  m_pending = 255,
  m_remaining = -1
}
(gdb) print t0
$7 = (const QByteArray &) @0x7ffff5144610: {
  <> = {<No data fields>}, <No data fields>}
(gdb)

(gdb) up
#13 0x00007f85da3bce41 in MSNSocket::pollReadBlock (this=0x28fe850) at msnsocket.cpp:497
497             emit blockRead( block);
(gdb) print *this
$8 = {
  <> = {<No data fields>},
  members of MSNSocket:
  static metaObj = 0xbc8f80,
  m_id = 385,
  m_sendQueue = {
    sh = 0x2611270
  },
  m_socket = 0x1edb7c0,
  m_onlineStatus = MSNSocket::Connected,
  m_server = {
    static null = {
      static null = <same as static member of an already seen type>,
      d = 0x6ff9e0,
      static shared_null = 0x6ff9e0
    },
    d = 0x28792f0,
    static shared_null = 0x6ff9e0
  },
  m_port = 1863,
  m_waitBlockSize = 0,
  m_buffer = {
    <QMemArray<char>> = {
      <> = {<No data fields>}, <No data fields>}, <No data fields>},
  m_useHttp = false,
  m_bCanPoll = 255,
  m_bIsFirstInTransaction = 255,
  m_gateway = {
    static null = {
      static null = <same as static member of an already seen type>,
      d = 0x6ff9e0,
      static shared_null = 0x6ff9e0
    },
    d = 0x6ff9e0,
    static shared_null = 0x6ff9e0
  },
  m_gwip = {
    static null = {
      static null = <same as static member of an already seen type>,
      d = 0x6ff9e0,
      static shared_null = 0x6ff9e0
    },
    d = 0x6ff9e0,
    static shared_null = 0x6ff9e0
  },
  m_sessionId = {
    static null = {
      static null = <same as static member of an already seen type>,
      d = 0x6ff9e0,
      static shared_null = 0x6ff9e0
    },
    d = 0x6ff9e0,
    static shared_null = 0x6ff9e0
  },
  m_timer = 0x0,
  m_type = {
    static null = {
      static null = <same as static member of an already seen type>,
      d = 0x6ff9e0,
      static shared_null = 0x6ff9e0
    },
    d = 0x6ff9e0,
    static shared_null = 0x6ff9e0
---Type <return> to continue, or q <return> to quit---
  },
  m_pending = 255,
  m_remaining = -1
}
(gdb)    

(gdb) up
#14 0x00007f85da3be458 in MSNSocket::readBlock (this=0x2, len=4111724912) at msnsocket.cpp:477
477             pollReadBlock();
(gdb) print *this
Cannot access memory at address 0x2
(gdb) print len
$9 = 4111724912
(gdb)

Comment 1 Dario Andres 2009-04-07 22:10:43 UTC

Thanks for the analysis.
However I don't know if this is going to be addressed as KDE3 is not going to get more releases. And KDE4.2+ Kopete uses "libmsn" for the MSN protocol.

Comment 2 Matt Rogers 2009-09-06 05:16:40 UTC

Wow! Can you report bugs more often? The in depth analysis you provided is awesome. 

Dario is right though, this is only a problem for KDE 3. With KDE 4, we've made a ton of changes that make this bug obsolete, so I'll close it.