355172 – Crash if I quit Okular when the properties dialog is being displayed

Bug 355172 - Crash if I quit Okular when the properties dialog is being displayed

Summary: Crash if I quit Okular when the properties dialog is being displayed

Status:	RESOLVED WORKSFORME

Alias:	None

Product:	okular
Classification:	Applications
Component:	general (show other bugs)
Version:	0.23.60
Platform:	Compiled Sources Linux

Importance:	NOR crash
Target Milestone:	---
Assignee:	Okular developers

URL:
Keywords:

Depends on:
Blocks:

Reported:	2015-11-11 05:01 UTC by Santhiar
Modified:	2020-12-26 04:34 UTC (History)
CC List:	2 users (show)

See Also:
Latest Commit:
Version Fixed In:

Attachments
Add an attachment

Note You need to log in before you can comment on or make changes to this bug.

Description Santhiar 2015-11-11 05:01:37 UTC

Open a document using okular. In my repro, I opened a text file. Open the properties dialog, as 
File --> Properties. Close okular from a shell using dbus with the command
qdbus `qdbus | grep okular` /okular/okular__Shell_1/actions/file_quit trigger

Note: I was originally using a command line script to drive okular when the crash occurred.
I narrowed down the repro to the scenario above.

Reproducible: Always

Steps to Reproduce:
1. Open a document using okular
2. Click on File --> Properties
3. From the shell, issue qdbus `qdbus | grep okular` /okular/okular__Shell_1/actions/file_quit trigger

Actual Results:  
Okular crashes with a segmentation fault

Expected Results:  
Okular should close smoothly

Application: okular (0.23.60)
KDE Platform Version: 4.14.13
Qt Version: 4.8.7
Operating System: Linux 3.8.0-29-generic x86_64
Distribution: Ubuntu 12.04.5 LTS

-- Backtrace:
Application: Okular (okular), signal: Segmentation fault
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[KCrash Handler]
#6  0x00007f8b7b9e8b17 in QPointer<Okular::FontExtractionThread>::operator Okular::FontExtractionThread* (this=0x7fff00000188) at /home/anirudh/software/install/qt4/include/QtCore/qpointer.h:78
#7  0x00007f8b7b9cae9e in Okular::Document::stopFontReading (this=0x26fc4e0) at KDE/kde/kdegraphics/okular/core/document.cpp:2815
#8  0x00007f8b7c031d4e in PropertiesDialog::~PropertiesDialog (this=0x2ecb000) at KDE/kde/kdegraphics/okular/ui/propertiesdialog.cpp:178
#9  0x00007f8b7c031df0 in PropertiesDialog::~PropertiesDialog (this=0x2ecb000) at KDE/kde/kdegraphics/okular/ui/propertiesdialog.cpp:177
#10 0x00007f8b86c16dd4 in QObjectPrivate::deleteChildren (this=0x26edf00) at kernel/qobject.cpp:1937
#11 0x00007f8b883f3113 in QWidget::~QWidget (this=0x2677180) at kernel/qwidget.cpp:1679
#12 0x00007f8b7c03cda9 in Sidebar::~Sidebar (this=0x2677180) at KDE/kde/kdegraphics/okular/ui/sidebar.cpp:514
#13 0x00007f8b7c03ce70 in Sidebar::~Sidebar (this=0x2677180) at KDE/kde/kdegraphics/okular/ui/sidebar.cpp:512
#14 0x00007f8b8be7b42b in KParts::Part::~Part (this=0x2672110, vtt=0x7f8b7c4eaa68 <VTT for Okular::Part+24>) at KDE/kde/kdelibs/kparts/part.cpp:209
#15 0x00007f8b8be7d045 in KParts::ReadOnlyPart::~ReadOnlyPart (this=0x2672110, vtt=<optimized out>) at KDE/kde/kdelibs/kparts/part.cpp:463
#16 0x00007f8b8be7f9ba in KParts::ReadWritePart::~ReadWritePart (this=0x7fff00000188, vtt=<optimized out>) at KDE/kde/kdelibs/kparts/part.cpp:780
#17 0x00007f8b7bf06b56 in Okular::Part::~Part (this=0x2672110, vtt=<optimized out>) at KDE/kde/kdegraphics/okular/part.cpp:891
#18 0x00007f8b7bf07937 in Okular::Part::~Part (this=0x2672110) at KDE/kde/kdegraphics/okular/part.cpp:857
#19 0x00007f8b7bf07b30 in Okular::Part::~Part (this=0x2672110) at KDE/kde/kdegraphics/okular/part.cpp:857
#20 0x00007f8b86c16dd4 in QObjectPrivate::deleteChildren (this=0x2640000) at kernel/qobject.cpp:1937
#21 0x00007f8b883f3113 in QWidget::~QWidget (this=0x263d1b0) at kernel/qwidget.cpp:1679
#22 0x00007f8b88a295e5 in QMainWindow::~QMainWindow (this=0x263d1b0) at widgets/qmainwindow.cpp:389
#23 0x00007f8b898c1c0d in KMainWindow::~KMainWindow (this=0x263d1b0) at KDE/kde/kdelibs/kdeui/widgets/kmainwindow.cpp:473
#24 0x00007f8b89951098 in KXmlGuiWindow::~KXmlGuiWindow (this=0x263d1b0, vtt=<optimized out>) at KDE/kde/kdelibs/kdeui/xmlgui/kxmlguiwindow.cpp:122
#25 0x00007f8b8be98bcf in KParts::MainWindow::~MainWindow (this=0x263d1b0, vtt=<optimized out>) at KDE/kde/kdelibs/kparts/mainwindow.cpp:79
#26 0x0000000000413443 in Shell::~Shell() ()
#27 0x000000000041380f in Shell::~Shell() ()
#28 0x0000000000413998 in Shell::~Shell() ()
#29 0x00007f8b86c17e3e in qDeleteInEventHandler (o=0x263d1b0) at kernel/qobject.cpp:4310
#30 0x00007f8b86c179a8 in QObject::event (this=0x263d1b0, e=0x2e958f0) at kernel/qobject.cpp:1203
#31 0x00007f8b8840a346 in QWidget::event (this=0x263d1b0, event=0x2e958f0) at kernel/qwidget.cpp:8859
#32 0x00007f8b88a2bf73 in QMainWindow::event (this=0x263d1b0, event=0x2e958f0) at widgets/qmainwindow.cpp:1478
#33 0x00007f8b898c58f4 in KMainWindow::event (this=0x263d1b0, ev=0x2e958f0) at KDE/kde/kdelibs/kdeui/widgets/kmainwindow.cpp:1126
#34 0x00007f8b8995143e in KXmlGuiWindow::event (this=0x263d1b0, ev=0x2e958f0) at KDE/kde/kdelibs/kdeui/xmlgui/kxmlguiwindow.cpp:126
#35 0x00007f8b8837f48f in QApplicationPrivate::notify_helper (this=0x2564840, receiver=0x263d1b0, e=0x2e958f0) at kernel/qapplication.cpp:4565
#36 0x00007f8b8838532c in QApplication::notify (this=0x7fffbe79a9b8, receiver=0x263d1b0, e=0x2e958f0) at kernel/qapplication.cpp:4530
#37 0x00007f8b89722f7b in KApplication::notify (this=0x7fffbe79a9b8, receiver=0x263d1b0, event=0x2e958f0) at KDE/kde/kdelibs/kdeui/kernel/kapplication.cpp:311
#38 0x00007f8b86bf6dc6 in QCoreApplication::notifyInternal (this=0x7fffbe79a9b8, receiver=0x263d1b0, event=0x2e958f0) at kernel/qcoreapplication.cpp:955
#39 0x00007f8b86bfb54a in QCoreApplication::sendEvent (receiver=0x263d1b0, event=0x2e958f0) at /home/anirudh/software/qt/src/corelib/../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:231
#40 0x00007f8b86bf83f4 in QCoreApplicationPrivate::sendPostedEvents (receiver=0x0, event_type=0, data=0x25344e0) at kernel/qcoreapplication.cpp:1609
#41 0x00007f8b86c492f7 in QEventDispatcherUNIX::processEvents (this=0x253bcb0, flags=...) at kernel/qeventdispatcher_unix.cpp:908
#42 0x00007f8b8849766a in QEventDispatcherX11::processEvents (this=0x253bcb0, flags=...) at kernel/qeventdispatcher_x11.cpp:179
#43 0x00007f8b86bf1f6c in QEventLoop::processEvents (this=0x7fffbe797230, flags=...) at kernel/qeventloop.cpp:149
#44 0x00007f8b86bf2332 in QEventLoop::exec (this=0x7fffbe797230, flags=...) at kernel/qeventloop.cpp:225
#45 0x00007f8b88b33c8b in QDialog::exec (this=0x2ecb000) at dialogs/qdialog.cpp:562
#46 0x00007f8b7bf14f7c in Okular::Part::slotShowProperties (this=<optimized out>) at KDE/kde/kdegraphics/okular/part.cpp:2528
#47 0x00007f8b7bf16da9 in Okular::Part::qt_static_metacall (_o=0x2672110, _c=<optimized out>, _id=<optimized out>, _a=<optimized out>) at KDE/build/kde/kdegraphics/okular/part.moc:234
#48 0x00007f8b86c1e607 in QMetaObject::activate (sender=0x28a2490, m=0x7f8b8938d540 <QAction::staticMetaObject>, local_signal_index=1, argv=0x7fffbe7975e0) at kernel/qobject.cpp:3569
#49 0x00007f8b8836f41d in QAction::triggered (this=0x28a2490, _t1=false) at .moc/debug-shared/moc_qaction.cpp:277
#50 0x00007f8b8836f232 in QAction::activate (this=0x28a2490, event=QAction::Trigger) at kernel/qaction.cpp:1257
#51 0x00007f8b88a66717 in QMenuPrivate::activateCausedStack (this=0x2643b80, causedStack=..., action=0x28a2490, action_e=QAction::Trigger, self=true) at widgets/qmenu.cpp:1037
#52 0x00007f8b88a645d6 in QMenuPrivate::activateAction (this=0x2643b80, action=0x28a2490, action_e=QAction::Trigger, self=true) at widgets/qmenu.cpp:1129
#53 0x00007f8b88a6ba02 in QMenu::mouseReleaseEvent (this=0x291f630, e=0x7fffbe799348) at widgets/qmenu.cpp:2371
#54 0x00007f8b898cba8e in KMenu::mouseReleaseEvent (this=0x291f630, e=0x7fffbe799348) at KDE/kde/kdelibs/kdeui/widgets/kmenu.cpp:464
#55 0x00007f8b8840897e in QWidget::event (this=0x291f630, event=0x7fffbe799348) at kernel/qwidget.cpp:8389
#56 0x00007f8b88a6c34a in QMenu::event (this=0x291f630, e=0x7fffbe799348) at widgets/qmenu.cpp:2480
#57 0x00007f8b8837f48f in QApplicationPrivate::notify_helper (this=0x2564840, receiver=0x291f630, e=0x7fffbe799348) at kernel/qapplication.cpp:4565
#58 0x00007f8b88382893 in QApplication::notify (this=0x7fffbe79a9b8, receiver=0x291f630, e=0x7fffbe799348) at kernel/qapplication.cpp:4108
#59 0x00007f8b89722f7b in KApplication::notify (this=0x7fffbe79a9b8, receiver=0x291f630, event=0x7fffbe799348) at KDE/kde/kdelibs/kdeui/kernel/kapplication.cpp:311
#60 0x00007f8b86bf6dc6 in QCoreApplication::notifyInternal (this=0x7fffbe79a9b8, receiver=0x291f630, event=0x7fffbe799348) at kernel/qcoreapplication.cpp:955
#61 0x00007f8b8838a02f in QCoreApplication::sendSpontaneousEvent (receiver=0x291f630, event=0x7fffbe799348) at /home/anirudh/software/qt/src/gui/../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:234
#62 0x00007f8b88380531 in QApplicationPrivate::sendMouseEvent (receiver=0x291f630, event=0x7fffbe799348, alienWidget=0x0, nativeWidget=0x291f630, buttonDown=0x7f8b893d3050 <qt_button_down>, lastMouseReceiver=..., spontaneous=true) at kernel/qapplication.cpp:3171
#63 0x00007f8b88451229 in QETWidget::translateMouseEvent (this=0x291f630, event=0x7fffbe79a5c8) at kernel/qapplication_x11.cpp:4459
#64 0x00007f8b8844cff6 in QApplication::x11ProcessEvent (this=0x7fffbe79a9b8, event=0x7fffbe79a5c8) at kernel/qapplication_x11.cpp:3520
#65 0x00007f8b88497456 in QEventDispatcherX11::processEvents (this=0x253bcb0, flags=...) at kernel/qeventdispatcher_x11.cpp:151
#66 0x00007f8b86bf1f6c in QEventLoop::processEvents (this=0x7fffbe79a8c0, flags=...) at kernel/qeventloop.cpp:149
#67 0x00007f8b86bf2332 in QEventLoop::exec (this=0x7fffbe79a8c0, flags=...) at kernel/qeventloop.cpp:225
#68 0x00007f8b86bf75ee in QCoreApplication::exec () at kernel/qcoreapplication.cpp:1229
#69 0x00007f8b88381526 in QApplication::exec () at kernel/qapplication.cpp:3823
#70 0x000000000040b336 in main ()

Comment 1 Santhiar 2015-11-16 06:31:13 UTC

On further investigation, this is a use-after-free bug.
I built okular with ASAN [http://clang.llvm.org/docs/AddressSanitizer.html] 
and here is the report from ASAN on triggering the steps to repro.

==4455==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300004d300 at pc 0x7f5079e3e5bc bp 0x7fff0630a230 sp 0x7fff0630a228
READ of size 8 at 0x60300004d300 thread T0
    #0 0x7f5079e3e5bb in Okular::Document::stopFontReading() KDE/kde/kdegraphics/okular/core/document.cpp:2815:11
    #1 0x7f507a51a7ae in ~PropertiesDialog KDE/kde/kdegraphics/okular/ui/propertiesdialog.cpp:178
    #2 0x7f507a51a7ae in PropertiesDialog::~PropertiesDialog() KDE/kde/kdegraphics/okular/ui/propertiesdialog.cpp:177
    #3 0x7f50890e5ec3 in QObjectPrivate::deleteChildren() (qt4/lib/libQtCore.so.4+0x24cec3)
    #4 0x7f508a3d3e62 in QWidget::~QWidget() (qt4/lib/libQtGui.so.4+0x2a8e62)
    #5 0x7f507a52f7e8 in Sidebar::~Sidebar() KDE/kde/kdegraphics/okular/ui/sidebar.cpp:514
    #6 0x7f507a52f65e in Sidebar::~Sidebar() KDE/kde/kdegraphics/okular/ui/sidebar.cpp:512
    #7 0x7f508db5cf0b in KParts::Part::~Part() KDE/kde/kdelibs/kparts/part.cpp:209:38
    #8 0x7f508db66132 in ~ReadOnlyPart KDE/kde/kdelibs/kparts/part.cpp:463
    #9 0x7f508db66132 in KParts::ReadWritePart::~ReadWritePart() KDE/kde/kdelibs/kparts/part.cpp:780
    #10 0x7f507a2e23f8 in Okular::Part::~Part() KDE/kde/kdegraphics/okular/part.cpp:891
    #11 0x7f507a2e14c5 in ~Part KDE/kde/kdegraphics/okular/part.cpp:857
    #12 0x7f507a2e14c5 in Okular::Part::~Part() KDE/kde/kdegraphics/okular/part.cpp:857
    #13 0x7f50890e5ec3 in QObjectPrivate::deleteChildren() (qt4/lib/libQtCore.so.4+0x24cec3)
    #14 0x7f508a3d3e62 in QWidget::~QWidget() (qt4/lib/libQtGui.so.4+0x2a8e62)
    #15 0x7f508aa0a314 in QMainWindow::~QMainWindow() (qt4/lib/libQtGui.so.4+0x8df314)
    #16 0x7f508bf36b5e in KMainWindow::~KMainWindow() KDE/kde/kdelibs/kdeui/widgets/kmainwindow.cpp:473
    #17 0x7f508c047ee1 in KXmlGuiWindow::~KXmlGuiWindow() KDE/kde/kdelibs/kdeui/xmlgui/kxmlguiwindow.cpp:122
    #18 0x7f508db8bd2c in KParts::MainWindow::~MainWindow() KDE/kde/kdelibs/kparts/mainwindow.cpp:79
    #19 0x466a93 in Shell::~Shell() (KDE/install-asan/bin/okular+0x466a93)
    #20 0x465ae3 in Shell::~Shell() (KDE/install-asan/bin/okular+0x465ae3)
    #21 0x7f50890e6f2d in qDeleteInEventHandler(QObject*) (qt4/lib/libQtCore.so.4+0x24df2d)
    #22 0x7f50890e6a97 in QObject::event(QEvent*) (qt4/lib/libQtCore.so.4+0x24da97)
    #23 0x7f508a3eb095 in QWidget::event(QEvent*) (qt4/lib/libQtGui.so.4+0x2c0095)
    #24 0x7f508aa0cca2 in QMainWindow::event(QEvent*) (qt4/lib/libQtGui.so.4+0x8e1ca2)
    #25 0x7f508bf42133 in KMainWindow::event(QEvent*) KDE/kde/kdelibs/kdeui/widgets/kmainwindow.cpp:1126
    #26 0x7f508c0480b2 in KXmlGuiWindow::event(QEvent*) KDE/kde/kdelibs/kdeui/xmlgui/kxmlguiwindow.cpp:126
    #27 0x7f508a3601de in QApplicationPrivate::notify_helper(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x2351de)
    #28 0x7f508a36607b in QApplication::notify(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x23b07b)
    #29 0x7f508bc22340 in KApplication::notify(QObject*, QEvent*) KDE/kde/kdelibs/kdeui/kernel/kapplication.cpp:311
    #30 0x7f50890c6135 in QCoreApplication::notifyInternal(QObject*, QEvent*) (qt4/lib/libQtCore.so.4+0x22d135)
    #31 0x7f50890ca639 in QCoreApplication::sendEvent(QObject*, QEvent*) (qt4/lib/libQtCore.so.4+0x231639)
    #32 0x7f50890c773e in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qt4/lib/libQtCore.so.4+0x22e73e)
    #33 0x7f50890c66a7 in QCoreApplication::sendPostedEvents(QObject*, int) (qt4/lib/libQtCore.so.4+0x22d6a7)
    #34 0x7f5089114f07 in QCoreApplication::sendPostedEvents() (qt4/lib/libQtCore.so.4+0x27bf07)
    #35 0x7f5089113e1a in postEventSourceDispatch(_GSource*, int (*)(void*), void*) (qt4/lib/libQtCore.so.4+0x27ae1a)
    #36 0x7f5084b19d12 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x47d12)
    #37 0x7f5084b1a05f (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4805f)
    #38 0x7f5084b1a123 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x48123)
    #39 0x7f5089112d81 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x279d81)
    #40 0x7f508a476a43 in QGuiEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtGui.so.4+0x34ba43)
    #41 0x7f50890c13fb in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x2283fb)
    #42 0x7f50890c174d in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x22874d)
    #43 0x7f508ab149ba in QDialog::exec() (qt4/lib/libQtGui.so.4+0x9e99ba)
    #44 0x7f507a30f36a in Okular::Part::slotShowProperties() KDE/kde/kdegraphics/okular/part.cpp:2528
    #45 0x7f507a30f36a in Okular::Part::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) KDE/build-asan/kde/kdegraphics/okular/part.moc:234
    #46 0x7f50890ed6f6 in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qt4/lib/libQtCore.so.4+0x2546f6)
    #47 0x7f508a35016c in QAction::triggered(bool) (qt4/lib/libQtGui.so.4+0x22516c)
    #48 0x7f508a34ff81 in QAction::activate(QAction::ActionEvent) (qt4/lib/libQtGui.so.4+0x224f81)
    #49 0x7f508aa47446 in QMenuPrivate::activateCausedStack(QList<QPointer<QWidget> > const&, QAction*, QAction::ActionEvent, bool) (qt4/lib/libQtGui.so.4+0x91c446)
    #50 0x7f508aa45305 in QMenuPrivate::activateAction(QAction*, QAction::ActionEvent, bool) (qt4/lib/libQtGui.so.4+0x91a305)
    #51 0x7f508aa4c731 in QMenu::mouseReleaseEvent(QMouseEvent*) (qt4/lib/libQtGui.so.4+0x921731)
    #52 0x7f508bf4bf3e in KMenu::mouseReleaseEvent(QMouseEvent*) KDE/kde/kdelibs/kdeui/widgets/kmenu.cpp:464
    #53 0x7f508a3e96cd in QWidget::event(QEvent*) (qt4/lib/libQtGui.so.4+0x2be6cd)
    #54 0x7f508aa4d079 in QMenu::event(QEvent*) (qt4/lib/libQtGui.so.4+0x922079)
    #55 0x7f508a3601de in QApplicationPrivate::notify_helper(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x2351de)
    #56 0x7f508a3635e2 in QApplication::notify(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x2385e2)
    #57 0x7f508bc22340 in KApplication::notify(QObject*, QEvent*) KDE/kde/kdelibs/kdeui/kernel/kapplication.cpp:311
    #58 0x7f50890c6135 in QCoreApplication::notifyInternal(QObject*, QEvent*) (qt4/lib/libQtCore.so.4+0x22d135)
    #59 0x7f508a36ad7e in QCoreApplication::sendSpontaneousEvent(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x23fd7e)
    #60 0x7f508a361280 in QApplicationPrivate::sendMouseEvent(QWidget*, QMouseEvent*, QWidget*, QWidget*, QWidget**, QPointer<QWidget>&, bool) (qt4/lib/libQtGui.so.4+0x236280)
    #61 0x7f508a431f78 in QETWidget::translateMouseEvent(_XEvent const*) (qt4/lib/libQtGui.so.4+0x306f78)
    #62 0x7f508a42dd45 in QApplication::x11ProcessEvent(_XEvent*) (qt4/lib/libQtGui.so.4+0x302d45)
    #63 0x7f508a476f7f in x11EventSourceDispatch(_GSource*, int (*)(void*), void*) (qt4/lib/libQtGui.so.4+0x34bf7f)
    #64 0x7f5084b19d12 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x47d12)
    #65 0x7f5084b1a05f (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4805f)
    #66 0x7f5084b1a123 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x48123)
    #67 0x7f5089112d81 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x279d81)
    #68 0x7f508a476a43 in QGuiEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtGui.so.4+0x34ba43)
    #69 0x7f50890c13fb in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x2283fb)
    #70 0x7f50890c174d in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x22874d)
    #71 0x7f50890c690e in QCoreApplication::exec() (qt4/lib/libQtCore.so.4+0x22d90e)
    #72 0x7f508a362275 in QApplication::exec() (qt4/lib/libQtGui.so.4+0x237275)
    #73 0x45100b in main (KDE/install-asan/bin/okular+0x45100b)
    #74 0x7f50879f376c (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
    #75 0x44f01c in _start (KDE/install-asan/bin/okular+0x44f01c)
0x60300004d300 is located 16 bytes inside of 24-byte region [0x60300004d2f0,0x60300004d308)
freed by thread T0 here:
    #0 0x43a63a in operator delete(void*) (KDE/install-asan/bin/okular+0x43a63a)
    #1 0x7f5079e2d9a6 in Okular::Document::~Document() KDE/kde/kdegraphics/okular/core/document.cpp:2202
    #2 0x7f507a2e1ee2 in Okular::Part::~Part() KDE/kde/kdegraphics/okular/part.cpp:880
    #3 0x7f507a2e14c5 in ~Part KDE/kde/kdegraphics/okular/part.cpp:857
    #4 0x7f507a2e14c5 in Okular::Part::~Part() KDE/kde/kdegraphics/okular/part.cpp:857
    #5 0x7f50890e5ec3 in QObjectPrivate::deleteChildren() (qt4/lib/libQtCore.so.4+0x24cec3)
    #6 0x7f508a3d3e62 in QWidget::~QWidget() (qt4/lib/libQtGui.so.4+0x2a8e62)
    #7 0x7f508aa0a314 in QMainWindow::~QMainWindow() (qt4/lib/libQtGui.so.4+0x8df314)
    #8 0x7f508bf36b5e in KMainWindow::~KMainWindow() KDE/kde/kdelibs/kdeui/widgets/kmainwindow.cpp:473
    #9 0x7f508c047ee1 in KXmlGuiWindow::~KXmlGuiWindow() KDE/kde/kdelibs/kdeui/xmlgui/kxmlguiwindow.cpp:122
    #10 0x7f508db8bd2c in KParts::MainWindow::~MainWindow() KDE/kde/kdelibs/kparts/mainwindow.cpp:79
    #11 0x466a93 in Shell::~Shell() (KDE/install-asan/bin/okular+0x466a93)
    #12 0x465ae3 in Shell::~Shell() (KDE/install-asan/bin/okular+0x465ae3)
    #13 0x7f50890e6f2d in qDeleteInEventHandler(QObject*) (qt4/lib/libQtCore.so.4+0x24df2d)
    #14 0x7f50890e6a97 in QObject::event(QEvent*) (qt4/lib/libQtCore.so.4+0x24da97)
    #15 0x7f508a3eb095 in QWidget::event(QEvent*) (qt4/lib/libQtGui.so.4+0x2c0095)
    #16 0x7f508aa0cca2 in QMainWindow::event(QEvent*) (qt4/lib/libQtGui.so.4+0x8e1ca2)
    #17 0x7f508bf42133 in KMainWindow::event(QEvent*) KDE/kde/kdelibs/kdeui/widgets/kmainwindow.cpp:1126
    #18 0x7f508c0480b2 in KXmlGuiWindow::event(QEvent*) KDE/kde/kdelibs/kdeui/xmlgui/kxmlguiwindow.cpp:126
    #19 0x7f508a3601de in QApplicationPrivate::notify_helper(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x2351de)
    #20 0x7f508a36607b in QApplication::notify(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x23b07b)
    #21 0x7f508bc22340 in KApplication::notify(QObject*, QEvent*) KDE/kde/kdelibs/kdeui/kernel/kapplication.cpp:311
    #22 0x7f50890c6135 in QCoreApplication::notifyInternal(QObject*, QEvent*) (qt4/lib/libQtCore.so.4+0x22d135)
    #23 0x7f50890ca639 in QCoreApplication::sendEvent(QObject*, QEvent*) (qt4/lib/libQtCore.so.4+0x231639)
    #24 0x7f50890c773e in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qt4/lib/libQtCore.so.4+0x22e73e)
    #25 0x7f50890c66a7 in QCoreApplication::sendPostedEvents(QObject*, int) (qt4/lib/libQtCore.so.4+0x22d6a7)
    #26 0x7f5089114f07 in QCoreApplication::sendPostedEvents() (qt4/lib/libQtCore.so.4+0x27bf07)
    #27 0x7f5089113e1a in postEventSourceDispatch(_GSource*, int (*)(void*), void*) (qt4/lib/libQtCore.so.4+0x27ae1a)
    #28 0x7f5084b19d12 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x47d12)
previously allocated by thread T0 here:
    #0 0x43a3ba in operator new(unsigned long) (KDE/install-asan/bin/okular+0x43a3ba)
    #1 0x7f507a2c4975 in Okular::Part::Part(QWidget*, QObject*, QList<QVariant> const&, KComponentData) KDE/kde/kdegraphics/okular/part.cpp:355
    #2 0x7f507a2c36dc in Okular::PartFactory::create(char const*, QWidget*, QObject*, QList<QVariant> const&, QString const&) KDE/kde/kdegraphics/okular/part.cpp:171
    #3 0x472c94 in KParts::ReadWritePart* KPluginFactory::create<KParts::ReadWritePart>(QObject*, QList<QVariant> const&) (KDE/install-asan/bin/okular+0x472c94)
    #4 0x45f135 in Shell::Shell(QString const&) (KDE/install-asan/bin/okular+0x45f135)
    #5 0x45ab67 in Okular::main(QStringList const&, QString const&) (KDE/install-asan/bin/okular+0x45ab67)
    #6 0x4513f5 in main (KDE/install-asan/bin/okular+0x4513f5)
    #7 0x7f50879f376c (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
SUMMARY: AddressSanitizer: heap-use-after-free KDE/kde/kdegraphics/okular/core/document.cpp:2815 Okular::Document::stopFontReading()
Shadow bytes around the buggy address:
  0x0c0680001a10: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c0680001a20: fa fa fa fa fa fa fa fa 00 00 00 00 fa fa fd fd
  0x0c0680001a30: fd fa fa fa fd fd fd fd fa fa 00 00 00 fa fa fa
  0x0c0680001a40: 00 00 00 00 fa fa fd fd fd fa fa fa fd fd fd fd
  0x0c0680001a50: fa fa 00 00 00 fa fa fa fa fa fa fa fa fa fd fd
=>0x0c0680001a60:[fd]fa fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x0c0680001a70: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c0680001a80: fa fa fd fd fd fd fa fa fa fa fa fa fa fa fd fd
  0x0c0680001a90: fd fd fa fa fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c0680001aa0: fd fd fd fd fa fa fd fd fd fa fa fa fa fa fa fa
  0x0c0680001ab0: fa fa fd fd fd fd fa fa 00 00 00 fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==4455==ABORTING

The properties dialog spins a nested event loop, and the close event destroys the property dialog that is subsequently accessed by the handler still on stack.
I shall be happy to supply any other information to help fix this UAF vulnerability.

Comment 2 Santhiar 2015-11-29 04:18:03 UTC

Note that quitting the application with a print dialog open also leads to a crash (also a use-after-free)

Comment 3 Justin Zobel 2020-11-26 08:43:39 UTC

I've just tested this and I can't quit okular while print or properties dialogs are open.

Can you please test and confirm if this issue is still occurring or if this bug report can be marked as resolved. I've set the bug status to "needsinfo" pending your response, please change back to "reported" or "resolved" when you respond, thanks.

Comment 4 Bug Janitor Service 2020-12-11 04:33:59 UTC

Dear Bug Submitter,

This bug has been in NEEDSINFO status with no change for at least
15 days. Please provide the requested information as soon as
possible and set the bug status as REPORTED. Due to regular bug
tracker maintenance, if the bug is still in NEEDSINFO status with
no change in 30 days the bug will be closed as RESOLVED > WORKSFORME
due to lack of needed information.

For more information about our bug triaging procedures please read the
wiki located here:
https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging

If you have already provided the requested information, please
mark the bug as REPORTED so that the KDE team knows that the bug is
ready to be confirmed.

Thank you for helping us make KDE software even better for everyone!

Comment 5 Bug Janitor Service 2020-12-26 04:34:24 UTC

This bug has been in NEEDSINFO status with no change for at least
30 days. The bug is now closed as RESOLVED > WORKSFORME
due to lack of needed information.

For more information about our bug triaging procedures please read the
wiki located here:
https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging

Thank you for helping us make KDE software even better for everyone!