In UMLPackage::removeAllObjects() there is the following code fragment:

    ...
    removeObject(o);
    //delete o; // CHECK: Direct usage of the destructor crashes on associations.
    o->deleteLater();

While doing research related to bug 73847 I stumbled over this comment. Uncommenting the code fragment to

    delete o; // CHECK: Direct usage of the destructor crashes on associations.
    //o->deleteLater();

still lets umbrello crash on document close because of accessing a dangling pointer.

Reproducible: Always

Steps to Reproduce:
1. change code mentioned above
2. compile umbrello
3. start umbrello
4. click on "new document"

Actual Results:
umbrello crashes

Expected Results:
umbrello should not crash
Created attachment 91680 [details] Crash exploit
Created attachment 91681 [details] Crash exploit (update)
Created attachment 91682 [details]
Crash fix on umbrello start

This patch is required to be able to see the mentioned crash behavior.
Created attachment 91683 [details] test xmi file
Update on steps to Reproduce:
1. apply attachment 91681 [details] and attachment 91682 [details]
2. compile umbrello
3. start umbrello
4. open attachment 91683 [details]
(In reply to Ralf Habacker from comment #5)
> Update on steps to Reproduce:
>
> 1. apply attachment 91681 [details] and attachment 91682 [details]
> 2. compile umbrello
> 3. start umbrello
> 4. open attachment 91683 [details]
5. click new document
Backtrace:

Application: Umbrello UML Modeller (umbrello), signal: Segmentation fault
Using host libthread_db library "/lib64/libthread_db.so.1".
[KCrash Handler]
#6  0x00007fd1d788f273 in __dynamic_cast () from /usr/lib64/libstdc++.so.6
#7  0x00000000006a3fbb in UMLCanvasObject::removeAllAssociationEnds (this=this@entry=0x3b260c0) at /home/ralf/src/umbrello-15.04/umbrello/umlcanvasobject.cpp:151
#8  0x00000000006a4405 in UMLCanvasObject::removeAllChildObjects (this=0x3b260c0) at /home/ralf/src/umbrello-15.04/umbrello/umlcanvasobject.cpp:169
#9  0x0000000000682610 in UMLPackage::removeAllObjects (this=0x3b260c0) at /home/ralf/src/umbrello-15.04/umbrello/package.cpp:213
#10 0x0000000000682674 in UMLPackage::removeAllObjects (this=0x1b1e740) at /home/ralf/src/umbrello-15.04/umbrello/package.cpp:219
#11 0x0000000000682674 in UMLPackage::removeAllObjects (this=0x18ef5c0) at /home/ralf/src/umbrello-15.04/umbrello/package.cpp:219
#12 0x00000000006a8b7e in removeAllObjects (this=0x184ed60) at /home/ralf/src/umbrello-15.04/umbrello/umldoc.cpp:2531
#13 UMLDoc::closeDocument (this=this@entry=0x184ed60) at /home/ralf/src/umbrello-15.04/umbrello/umldoc.cpp:345
#14 0x00000000006ab313 in UMLDoc::newDocument (this=0x184ed60) at /home/ralf/src/umbrello-15.04/umbrello/umldoc.cpp:368
#15 0x0000000000699bc6 in UMLApp::slotFileNew (this=0x16a1ca0) at /home/ralf/src/umbrello-15.04/umbrello/uml.cpp:1188
#16 0x00007fd1d7eeab38 in QMetaObject::activate (sender=sender@entry=0x18ee730, m=m@entry=0x7fd1d9861e80 <QAction::staticMetaObject>, local_signal_index=local_signal_index@entry=1, argv=argv@entry=0x7fffbb4c91d0) at kernel/qobject.cpp:3576
#17 0x00007fd1d8db58f2 in QAction::triggered (this=this@entry=0x18ee730, _t1=false) at .moc/release-shared/moc_qaction.cpp:276
#18 0x00007fd1d8db72c3 in QAction::activate (this=0x18ee730, event=<optimized out>) at kernel/qaction.cpp:1257
#19 0x00007fd1d916a9e2 in QAbstractButtonPrivate::click (this=this@entry=0x197b730) at widgets/qabstractbutton.cpp:530
#20 0x00007fd1d916ab0c in QAbstractButton::mouseReleaseEvent (this=0x1954410, e=0x7fffbb4c96d0) at widgets/qabstractbutton.cpp:1123
#21 0x00007fd1d9221c4a in QToolButton::mouseReleaseEvent (this=<optimized out>, e=<optimized out>) at widgets/qtoolbutton.cpp:723
#22 0x00007fd1d8e0afee in QWidget::event (this=0x1954410, event=0x7fffbb4c96d0) at kernel/qwidget.cpp:8389
#23 0x00007fd1d8dbba4c in QApplicationPrivate::notify_helper (this=this@entry=0x14cfa20, receiver=receiver@entry=0x1954410, e=e@entry=0x7fffbb4c96d0) at kernel/qapplication.cpp:4565
#24 0x00007fd1d8dc210a in QApplication::notify (this=this@entry=0x7fffbb4c9f20, receiver=receiver@entry=0x1954410, e=e@entry=0x7fffbb4c96d0) at kernel/qapplication.cpp:4108
#25 0x00007fd1d9ad756a in KApplication::notify (this=0x7fffbb4c9f20, receiver=0x1954410, event=0x7fffbb4c96d0) at /usr/src/debug/kdelibs-4.14.4/kdeui/kernel/kapplication.cpp:311
#26 0x00007fd1d7ed6bcd in QCoreApplication::notifyInternal (this=0x7fffbb4c9f20, receiver=receiver@entry=0x1954410, event=event@entry=0x7fffbb4c96d0) at kernel/qcoreapplication.cpp:953
#27 0x00007fd1d8dc1903 in sendEvent (event=<optimized out>, receiver=<optimized out>) at ../../src/corelib/kernel/qcoreapplication.h:231
#28 QApplicationPrivate::sendMouseEvent (receiver=receiver@entry=0x1954410, event=event@entry=0x7fffbb4c96d0, alienWidget=alienWidget@entry=0x1954410, nativeWidget=nativeWidget@entry=0x1977050, buttonDown=buttonDown@entry=0x7fd1d989e298 <qt_button_down>, lastMouseReceiver=..., spontaneous=spontaneous@entry=true) at kernel/qapplication.cpp:3173
#29 0x00007fd1d8e3313b in QETWidget::translateMouseEvent (this=this@entry=0x1977050, event=event@entry=0x7fffbb4c9a40) at kernel/qapplication_x11.cpp:4530
#30 0x00007fd1d8e31bac in QApplication::x11ProcessEvent (this=0x7fffbb4c9f20, event=event@entry=0x7fffbb4c9a40) at kernel/qapplication_x11.cpp:3653
#31 0x00007fd1d8e58a62 in x11EventSourceDispatch (s=0x14c15a0, callback=0x0, user_data=0x0) at kernel/qguieventdispatcher_glib.cpp:146
#32 0x00007fd1d3ac3316 in g_main_context_dispatch () from /usr/lib64/libglib-2.0.so.0
#33 0x00007fd1d3ac3668 in ?? () from /usr/lib64/libglib-2.0.so.0
#34 0x00007fd1d3ac370c in g_main_context_iteration () from /usr/lib64/libglib-2.0.so.0
#35 0x00007fd1d7f03aae in QEventDispatcherGlib::processEvents (this=0x147baf0, flags=...) at kernel/qeventdispatcher_glib.cpp:450
#36 0x00007fd1d8e58b16 in QGuiEventDispatcherGlib::processEvents (this=<optimized out>, flags=...) at kernel/qguieventdispatcher_glib.cpp:204
#37 0x00007fd1d7ed579f in QEventLoop::processEvents (this=this@entry=0x7fffbb4c9e20, flags=...) at kernel/qeventloop.cpp:149
#38 0x00007fd1d7ed5a95 in QEventLoop::exec (this=this@entry=0x7fffbb4c9e20, flags=...) at kernel/qeventloop.cpp:204
#39 0x00007fd1d7edaf1b in QCoreApplication::exec () at kernel/qcoreapplication.cpp:1225
#40 0x00007fd1d8dba20c in QApplication::exec () at kernel/qapplication.cpp:3823
#41 0x0000000000440555 in main (argc=<optimized out>, argv=<optimized out>) at /home/ralf/src/umbrello-15.04/umbrello/main.cpp:123
Git commit 49aaa21f7f0b859253768dc2e4fc57cd7f1ba8f9 by Ralf Habacker.
Committed on 22/03/2015 at 12:42.
Pushed by habacker into branch 'Applications/15.04'.

Fix 'Dangling pointer issue on document close'.

Guard access to UMLObject::m_pSecondary with QPointer. Also use dynamic_cast instead of static_cast for access to m_pSecondary to make sure the cast returns zero on invalid types. Using static_casts may result in invalidly cast objects.

FIXED-IN:2.15.97 (KDE 15.03.97)

M  +1 -1  umbrello/classifier.cpp
M  +1 -1  umbrello/classifierlistitem.cpp
M  +1 -3  umbrello/package.cpp
M  +2 -0  umbrello/umldoc.cpp
M  +1 -1  umbrello/umlobject.cpp
M  +2 -1  umbrello/umlobject.h

http://commits.kde.org/umbrello/49aaa21f7f0b859253768dc2e4fc57cd7f1ba8f9
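The two halves of the fix described in the commit message, shown in a self-contained form as an added example. This is not umbrello code and does not use Qt: the `Guarded`/`WeakPtr` pair below reimplements only the mechanism QPointer relies on (the object nulls every registered guard from its destructor), and the `UMLObject`/`UMLClassifier`/`UMLAssociation` classes and the `secondary` member are assumed stand-ins for the real hierarchy and for `m_pSecondary`. The deletion order in `demoGuardClearsOnDelete()` reproduces the closeDocument() situation: the referenced object dies before the object that still points at it.

```cpp
// Added example, not umbrello code. Names (Guarded, WeakPtr, UMLObject,
// UMLClassifier, UMLAssociation, secondary) are assumptions for illustration.
#include <cstddef>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Base for objects that can be weakly referenced. Every live WeakPtr registers
// the address of its pointer slot here; the destructor nulls each slot, which
// is what QObject does for its QPointers when it is destroyed.
class Guarded {
public:
    virtual ~Guarded() {
        for (Guarded** slot : m_guards) {
            *slot = nullptr;
        }
    }
    void addGuard(Guarded** slot) { m_guards.push_back(slot); }
    void removeGuard(Guarded** slot) {
        for (std::size_t i = 0; i < m_guards.size(); ++i) {
            if (m_guards[i] == slot) {
                m_guards.erase(m_guards.begin() + static_cast<std::ptrdiff_t>(i));
                return;
            }
        }
    }
private:
    std::vector<Guarded**> m_guards;
};

// WeakPtr<T> behaves like QPointer<T>: it reads as nullptr once the target is
// deleted instead of dangling. Copying is disabled to keep the example short.
template <class T>
class WeakPtr {
public:
    WeakPtr() : m_ptr(nullptr) {}
    ~WeakPtr() { release(); }
    WeakPtr(const WeakPtr&) = delete;
    WeakPtr& operator=(const WeakPtr&) = delete;

    void reset(T* p) {
        release();
        m_ptr = p;                          // implicit upcast T* -> Guarded*
        if (m_ptr) m_ptr->addGuard(&m_ptr);
    }
    // m_ptr was stored from a T*, so this downcast is exact, not a guess.
    T* get() const { return static_cast<T*>(m_ptr); }

private:
    void release() {
        if (m_ptr) m_ptr->removeGuard(&m_ptr);  // only if the target is alive
        m_ptr = nullptr;
    }
    Guarded* m_ptr;   // the slot the target nulls from its destructor
};

// Toy model of the hierarchy: a cross-reference like m_pSecondary whose
// target another container may delete first during closeDocument().
class UMLObject : public Guarded {
public:
    explicit UMLObject(std::string name) : m_name(std::move(name)) {}
    const std::string& name() const { return m_name; }
    WeakPtr<UMLObject> secondary;   // stands in for UMLObject::m_pSecondary
private:
    std::string m_name;
};
class UMLClassifier  : public UMLObject { using UMLObject::UMLObject; };
class UMLAssociation : public UMLObject { using UMLObject::UMLObject; };

// Resolves the secondary's name, or "" once the target has been deleted.
std::string secondaryName(const UMLObject& o) {
    const UMLObject* s = o.secondary.get();
    return s ? s->name() : std::string();
}

// Second half of the fix: dynamic_cast yields nullptr for a wrong-typed
// object, whereas static_cast would hand back a pointer to the wrong type.
const UMLClassifier* asClassifier(const UMLObject* o) {
    return dynamic_cast<const UMLClassifier*>(o);
}

// Delete the referenced classifier before the association that points at it
// (the order behind the crash) and check that the guard went null.
bool demoGuardClearsOnDelete() {
    UMLClassifier* cls = new UMLClassifier("A");
    UMLAssociation* assoc = new UMLAssociation("A-B");
    assoc->secondary.reset(cls);
    bool resolvedBefore = secondaryName(*assoc) == "A";
    delete cls;                                      // target dies first
    bool nullAfter = secondaryName(*assoc).empty();  // no dangling read
    delete assoc;
    return resolvedBefore && nullAfter;
}

bool demoDynamicCastRejectsWrongType() {
    UMLAssociation assoc("A-B");
    UMLClassifier cls("A");
    return asClassifier(&assoc) == nullptr && asClassifier(&cls) == &cls;
}

int main() {
    std::cout << "guard cleared after delete: " << demoGuardClearsOnDelete() << '\n'
              << "wrong-type cast rejected:   " << demoDynamicCastRejectsWrongType() << '\n';
    return 0;
}
```

With a raw `UMLObject*` in place of `secondary`, the second `secondaryName()` call would read freed memory, which is the dangling-pointer access the backtrace shows inside `__dynamic_cast`. The guard turns that into a null check, and `dynamic_cast` turns a wrong-typed `m_pSecondary` into a null result instead of a misinterpreted object.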