Bug 356052 - Crash if I close kolourpaint when the acquire screenshot dialog is open
Status: RESOLVED WORKSFORME
Alias: None
Product: kolourpaint
Classification: Applications
Component: general
Version: 4.13.1
Platform: Compiled Sources Linux
Importance: NOR crash
Target Milestone: ---
Assignee: kolourpaint-support
Reported: 2015-11-29 05:01 UTC by Santhiar
Modified: 2021-01-16 04:34 UTC
Attachments
Screenshot showing that dialogs are not application modal (126.55 KB, image/png)
2015-11-30 03:35 UTC, Santhiar

Description Santhiar 2015-11-29 05:01:42 UTC
KolourPaint crashes if you say File->Quit when the dialog displayed by File->Acquire Screenshot is open.

Reproducible: Always

Steps to Reproduce:
1. Open kolourpaint
2. Say File->Acquire Screenshot
3. Without closing the former, say File->Quit

Actual Results:  
The KDE crash handler came up, displaying a back-trace

Expected Results:  
The software should have closed smoothly

With a later version of kolourpaint (4.14.13), use qdbus to quit the application instead of saying File->Quit (say "qdbus `qdbus | grep kolourpaint` /kolourpaint/MainWindow_1/actions/file_quit trigger").
We also obtain a crash on quitting the application with the print dialog open.

Here is a back trace from KCrash:
[KCrash Handler]
#6  0x00000000011fbbe1 in ?? ()
#7  0x000000000049cadb in kpMainWindow::slotScreenshot (this=<optimized out>) at KDE/kde/kdegraphics/kolourpaint/mainWindow/kpMainWindow_File.cpp:670
#8  0x00000000004922fa in kpMainWindow::qt_static_metacall (_o=0xe08510, _c=<optimized out>, _id=<optimized out>, _a=<optimized out>) at KDE/build/kde/kdegraphics/kolourpaint/kpMainWindow.moc:270
#9  0x00007f37912a1607 in QMetaObject::activate (sender=0xe45cc0, m=0x7f3793946540 <QAction::staticMetaObject>, local_signal_index=1, argv=0x7fffaaa43940) at kernel/qobject.cpp:3569
#10 0x00007f379292841d in QAction::triggered (this=0xe45cc0, _t1=false) at .moc/debug-shared/moc_qaction.cpp:277
#11 0x00007f3792928232 in QAction::activate (this=0xe45cc0, event=QAction::Trigger) at kernel/qaction.cpp:1257
#12 0x00007f379301f717 in QMenuPrivate::activateCausedStack (this=0xf4de80, causedStack=..., action=0xe45cc0, action_e=QAction::Trigger, self=true) at widgets/qmenu.cpp:1037
#13 0x00007f379301d5d6 in QMenuPrivate::activateAction (this=0xf4de80, action=0xe45cc0, action_e=QAction::Trigger, self=true) at widgets/qmenu.cpp:1129
#14 0x00007f3793024a02 in QMenu::mouseReleaseEvent (this=0xf6ba00, e=0x7fffaaa456a8) at widgets/qmenu.cpp:2371
#15 0x00007f3793e84a8e in KMenu::mouseReleaseEvent (this=0xf6ba00, e=0x7fffaaa456a8) at KDE/kde/kdelibs/kdeui/widgets/kmenu.cpp:464
#16 0x00007f37929c197e in QWidget::event (this=0xf6ba00, event=0x7fffaaa456a8) at kernel/qwidget.cpp:8389
#17 0x00007f379302534a in QMenu::event (this=0xf6ba00, e=0x7fffaaa456a8) at widgets/qmenu.cpp:2480
#18 0x00007f379293848f in QApplicationPrivate::notify_helper (this=0xd27af0, receiver=0xf6ba00, e=0x7fffaaa456a8) at kernel/qapplication.cpp:4565
#19 0x00007f379293b893 in QApplication::notify (this=0x7fffaaa46ca0, receiver=0xf6ba00, e=0x7fffaaa456a8) at kernel/qapplication.cpp:4108
#20 0x00007f3793cdbf7b in KApplication::notify (this=0x7fffaaa46ca0, receiver=0xf6ba00, event=0x7fffaaa456a8) at KDE/kde/kdelibs/kdeui/kernel/kapplication.cpp:311
#21 0x00007f3791279dc6 in QCoreApplication::notifyInternal (this=0x7fffaaa46ca0, receiver=0xf6ba00, event=0x7fffaaa456a8) at kernel/qcoreapplication.cpp:955
#22 0x00007f379294302f in QCoreApplication::sendSpontaneousEvent (receiver=0xf6ba00, event=0x7fffaaa456a8) at src/corelib/kernel/qcoreapplication.h:234
#23 0x00007f3792939531 in QApplicationPrivate::sendMouseEvent (receiver=0xf6ba00, event=0x7fffaaa456a8, alienWidget=0x0, nativeWidget=0xf6ba00, buttonDown=0x7f379398c050 <qt_button_down>, lastMouseReceiver=..., spontaneous=true) at kernel/qapplication.cpp:3171
#24 0x00007f3792a0a229 in QETWidget::translateMouseEvent (this=0xf6ba00, event=0x7fffaaa46928) at kernel/qapplication_x11.cpp:4459
#25 0x00007f3792a05ff6 in QApplication::x11ProcessEvent (this=0x7fffaaa46ca0, event=0x7fffaaa46928) at kernel/qapplication_x11.cpp:3520
#26 0x00007f3792a50456 in QEventDispatcherX11::processEvents (this=0xcffe10, flags=...) at kernel/qeventdispatcher_x11.cpp:151
#27 0x00007f3791274f6c in QEventLoop::processEvents (this=0x7fffaaa46c20, flags=...) at kernel/qeventloop.cpp:149
#28 0x00007f3791275332 in QEventLoop::exec (this=0x7fffaaa46c20, flags=...) at kernel/qeventloop.cpp:225
#29 0x00007f379127a5ee in QCoreApplication::exec () at kernel/qcoreapplication.cpp:1229
#30 0x00007f379293a526 in QApplication::exec () at kernel/qapplication.cpp:3823
#31 0x000000000046ec14 in main (argc=<optimized out>, argv=<optimized out>) at KDE/kde/kdegraphics/kolourpaint/kolourpaint.cpp:118

The error is a heap use-after-free. The following debug information was reported by AddressSanitizer (some line number information is missing):
==5042==ERROR: AddressSanitizer: heap-use-after-free on address 0x6040001f3250 at pc 0x54b855 bp 0x7fffa819bef0 sp 0x7fffa819bee8
READ of size 8 at 0x6040001f3250 thread T0
    #0 0x54b854 in kpMainWindow::slotScreenshot() (KDE/install-asan/bin/kolourpaint+0x54b854)
    #1 0x539ce4 in kpMainWindow::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) (KDE/install-asan/bin/kolourpaint+0x539ce4)
    #2 0x7f7f512576f6 in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qt4/lib/libQtCore.so.4+0x2546f6)
    #3 0x7f7f4f94416c in QAction::triggered(bool) (qt4/lib/libQtGui.so.4+0x22516c)
    #4 0x7f7f4f943f81 in QAction::activate(QAction::ActionEvent) (qt4/lib/libQtGui.so.4+0x224f81)
    #5 0x7f7f5003b446 in QMenuPrivate::activateCausedStack(QList<QPointer<QWidget> > const&, QAction*, QAction::ActionEvent, bool) (qt4/lib/libQtGui.so.4+0x91c446)
    #6 0x7f7f50039305 in QMenuPrivate::activateAction(QAction*, QAction::ActionEvent, bool) (qt4/lib/libQtGui.so.4+0x91a305)
    #7 0x7f7f50040731 in QMenu::mouseReleaseEvent(QMouseEvent*) (qt4/lib/libQtGui.so.4+0x921731)
    #8 0x7f7f530f3f3e in KMenu::mouseReleaseEvent(QMouseEvent*) KDE/kde/kdelibs/kdeui/widgets/kmenu.cpp:464
    #9 0x7f7f4f9dd6cd in QWidget::event(QEvent*) (qt4/lib/libQtGui.so.4+0x2be6cd)
    #10 0x7f7f50041079 in QMenu::event(QEvent*) (qt4/lib/libQtGui.so.4+0x922079)
    #11 0x7f7f4f9541de in QApplicationPrivate::notify_helper(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x2351de)
    #12 0x7f7f4f9575e2 in QApplication::notify(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x2385e2)
    #13 0x7f7f52dca340 in KApplication::notify(QObject*, QEvent*) KDE/kde/kdelibs/kdeui/kernel/kapplication.cpp:311
    #14 0x7f7f51230135 in QCoreApplication::notifyInternal(QObject*, QEvent*) (qt4/lib/libQtCore.so.4+0x22d135)
    #15 0x7f7f4f95ed7e in QCoreApplication::sendSpontaneousEvent(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x23fd7e)
    #16 0x7f7f4f955280 in QApplicationPrivate::sendMouseEvent(QWidget*, QMouseEvent*, QWidget*, QWidget*, QWidget**, QPointer<QWidget>&, bool) (qt4/lib/libQtGui.so.4+0x236280)
    #17 0x7f7f4fa25f78 in QETWidget::translateMouseEvent(_XEvent const*) (qt4/lib/libQtGui.so.4+0x306f78)
    #18 0x7f7f4fa21d45 in QApplication::x11ProcessEvent(_XEvent*) (qt4/lib/libQtGui.so.4+0x302d45)
    #19 0x7f7f4fa6af7f in x11EventSourceDispatch(_GSource*, int (*)(void*), void*) (qt4/lib/libQtGui.so.4+0x34bf7f)
    #20 0x7f7f4ad49d12 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x47d12)
    #21 0x7f7f4ad4a05f (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4805f)
    #22 0x7f7f4ad4a123 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x48123)
    #23 0x7f7f5127cd81 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x279d81)
    #24 0x7f7f4fa6aa43 in QGuiEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtGui.so.4+0x34ba43)
    #25 0x7f7f5122b3fb in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x2283fb)
    #26 0x7f7f5122b74d in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x22874d)
    #27 0x7f7f5123090e in QCoreApplication::exec() (qt4/lib/libQtCore.so.4+0x22d90e)
    #28 0x7f7f4f956275 in QApplication::exec() (qt4/lib/libQtGui.so.4+0x237275)
    #29 0x4f6cdf in main (KDE/install-asan/bin/kolourpaint+0x4f6cdf)
    #30 0x7f7f4e54376c (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
    #31 0x464c1c in _start (KDE/install-asan/bin/kolourpaint+0x464c1c)
0x6040001f3250 is located 0 bytes inside of 48-byte region [0x6040001f3250,0x6040001f3280)
freed by thread T0 here:
    #0 0x45023a in operator delete(void*) (KDE/install-asan/bin/kolourpaint+0x45023a)
    #1 0x7f7f52b086f7 in KDialog::~KDialog() KDE/kde/kdelibs/kdeui/dialogs/kdialog.cpp:202
    #2 0x7f7f5124fec3 in QObjectPrivate::deleteChildren() (qt4/lib/libQtCore.so.4+0x24cec3)
    #3 0x7f7f4f9c7e62 in QWidget::~QWidget() (qt4/lib/libQtGui.so.4+0x2a8e62)
    #4 0x7f7f4fffe314 in QMainWindow::~QMainWindow() (qt4/lib/libQtGui.so.4+0x8df314)
    #5 0x7f7f530deb5e in KMainWindow::~KMainWindow() KDE/kde/kdelibs/kdeui/widgets/kmainwindow.cpp:473
    #6 0x7f7f531efee1 in KXmlGuiWindow::~KXmlGuiWindow() KDE/kde/kdelibs/kdeui/xmlgui/kxmlguiwindow.cpp:122
    #7 0x536fef in kpMainWindow::~kpMainWindow() (KDE/install-asan/bin/kolourpaint+0x536fef)
    #8 0x536b13 in kpMainWindow::~kpMainWindow() (KDE/install-asan/bin/kolourpaint+0x536b13)
    #9 0x7f7f51250f2d in qDeleteInEventHandler(QObject*) (qt4/lib/libQtCore.so.4+0x24df2d)
    #10 0x7f7f51250a97 in QObject::event(QEvent*) (qt4/lib/libQtCore.so.4+0x24da97)
    #11 0x7f7f4f9df095 in QWidget::event(QEvent*) (qt4/lib/libQtGui.so.4+0x2c0095)
    #12 0x7f7f50000ca2 in QMainWindow::event(QEvent*) (qt4/lib/libQtGui.so.4+0x8e1ca2)
    #13 0x7f7f530ea133 in KMainWindow::event(QEvent*) KDE/kde/kdelibs/kdeui/widgets/kmainwindow.cpp:1126
    #14 0x7f7f531f00b2 in KXmlGuiWindow::event(QEvent*) KDE/kde/kdelibs/kdeui/xmlgui/kxmlguiwindow.cpp:126
    #15 0x7f7f4f9541de in QApplicationPrivate::notify_helper(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x2351de)
    #16 0x7f7f4f95a07b in QApplication::notify(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x23b07b)
    #17 0x7f7f52dca340 in KApplication::notify(QObject*, QEvent*) KDE/kde/kdelibs/kdeui/kernel/kapplication.cpp:311
    #18 0x7f7f51230135 in QCoreApplication::notifyInternal(QObject*, QEvent*) (qt4/lib/libQtCore.so.4+0x22d135)
    #19 0x7f7f51234639 in QCoreApplication::sendEvent(QObject*, QEvent*) (qt4/lib/libQtCore.so.4+0x231639)
    #20 0x7f7f5123173e in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qt4/lib/libQtCore.so.4+0x22e73e)
    #21 0x7f7f512306a7 in QCoreApplication::sendPostedEvents(QObject*, int) (qt4/lib/libQtCore.so.4+0x22d6a7)
    #22 0x7f7f5127ef07 in QCoreApplication::sendPostedEvents() (qt4/lib/libQtCore.so.4+0x27bf07)
    #23 0x7f7f5127de1a in postEventSourceDispatch(_GSource*, int (*)(void*), void*) (qt4/lib/libQtCore.so.4+0x27ae1a)
    #24 0x7f7f4ad49d12 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x47d12)
previously allocated by thread T0 here:
    #0 0x44ffba in operator new(unsigned long) (KDE/install-asan/bin/kolourpaint+0x44ffba)
    #1 0x54b108 in kpMainWindow::slotScreenshot() (KDE/install-asan/bin/kolourpaint+0x54b108)
    #2 0x539ce4 in kpMainWindow::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) (KDE/install-asan/bin/kolourpaint+0x539ce4)
    #3 0x7f7f512576f6 in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qt4/lib/libQtCore.so.4+0x2546f6)
    #4 0x7f7f4f94416c in QAction::triggered(bool) (qt4/lib/libQtGui.so.4+0x22516c)
    #5 0x7f7f4f943f81 in QAction::activate(QAction::ActionEvent) (qt4/lib/libQtGui.so.4+0x224f81)
    #6 0x7f7f5003b446 in QMenuPrivate::activateCausedStack(QList<QPointer<QWidget> > const&, QAction*, QAction::ActionEvent, bool) (qt4/lib/libQtGui.so.4+0x91c446)
    #7 0x7f7f50039305 in QMenuPrivate::activateAction(QAction*, QAction::ActionEvent, bool) (qt4/lib/libQtGui.so.4+0x91a305)
    #8 0x7f7f50040731 in QMenu::mouseReleaseEvent(QMouseEvent*) (qt4/lib/libQtGui.so.4+0x921731)
    #9 0x7f7f530f3f3e in KMenu::mouseReleaseEvent(QMouseEvent*) KDE/kde/kdelibs/kdeui/widgets/kmenu.cpp:464
    #10 0x7f7f4f9dd6cd in QWidget::event(QEvent*) (qt4/lib/libQtGui.so.4+0x2be6cd)
    #11 0x7f7f50041079 in QMenu::event(QEvent*) (qt4/lib/libQtGui.so.4+0x922079)
    #12 0x7f7f4f9541de in QApplicationPrivate::notify_helper(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x2351de)
    #13 0x7f7f4f9575e2 in QApplication::notify(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x2385e2)
    #14 0x7f7f52dca340 in KApplication::notify(QObject*, QEvent*) KDE/kde/kdelibs/kdeui/kernel/kapplication.cpp:311
    #15 0x7f7f51230135 in QCoreApplication::notifyInternal(QObject*, QEvent*) (qt4/lib/libQtCore.so.4+0x22d135)
    #16 0x7f7f4f95ed7e in QCoreApplication::sendSpontaneousEvent(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x23fd7e)
    #17 0x7f7f4f955280 in QApplicationPrivate::sendMouseEvent(QWidget*, QMouseEvent*, QWidget*, QWidget*, QWidget**, QPointer<QWidget>&, bool) (qt4/lib/libQtGui.so.4+0x236280)
    #18 0x7f7f4fa25f78 in QETWidget::translateMouseEvent(_XEvent const*) (qt4/lib/libQtGui.so.4+0x306f78)
    #19 0x7f7f4fa21d45 in QApplication::x11ProcessEvent(_XEvent*) (qt4/lib/libQtGui.so.4+0x302d45)
    #20 0x7f7f4fa6af7f in x11EventSourceDispatch(_GSource*, int (*)(void*), void*) (qt4/lib/libQtGui.so.4+0x34bf7f)
    #21 0x7f7f4ad49d12 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x47d12)
SUMMARY: AddressSanitizer: heap-use-after-free ??:0 kpMainWindow::slotScreenshot()
==5042==ABORTING
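An added example, not code from the kolourpaint project: a Qt-free C++ model of the ownership problem the ASan report above describes (dialog allocated in slotScreenshot, freed as a child of the main window during the dialog's nested event loop, then read again) and of the usual Qt fix, which is to hold the dialog through a QPointer across the nested loop and re-check it afterwards. The Dialog, MainWindow, App and nestedLoop names are assumptions standing in for their Qt counterparts.

```cpp
// Qt-free model of the ownership pattern behind this crash. The ASan report
// shows the dialog allocated in kpMainWindow::slotScreenshot, freed by
// ~KDialog from QObjectPrivate::deleteChildren while ~kpMainWindow runs
// (File->Quit processed inside the dialog's nested event loop), and then
// read again in slotScreenshot. Fix: hold only a weak handle across the
// nested loop (QPointer in Qt, std::weak_ptr in this model) and re-check it.
#include <functional>
#include <memory>
#include <string>
#include <vector>

struct Dialog {
    std::string result = "screenshot taken";
};

// Stands in for a QObject parent: owns its children, destroys them with itself.
struct MainWindow {
    std::vector<std::shared_ptr<Dialog>> children;

    std::weak_ptr<Dialog> addChildDialog() {
        auto d = std::make_shared<Dialog>();
        children.push_back(d);
        return d;  // callers get a weak handle, never a raw pointer
    }
};

// Stands in for the application; quit() is what File->Quit / deleteLater
// amounted to in the report: the window and its child dialog go away.
struct App {
    std::unique_ptr<MainWindow> window{new MainWindow};
    void quit() { window.reset(); }
};

// Hardened slotScreenshot. `nestedLoop` plays the role of dialog->exec();
// it receives the App so a caller can trigger quit() from inside it.
std::string slotScreenshot(App& app, const std::function<void(App&)>& nestedLoop) {
    std::weak_ptr<Dialog> dlg = app.window->addChildDialog();
    nestedLoop(app);                  // the window may be deleted in here
    if (auto live = dlg.lock()) {     // the QPointer-style null check
        return live->result;
    }
    // Without the check this would be the heap-use-after-free read.
    return "dialog destroyed during exec(); slot aborted";
}

int main() {
    App normal, quitting;
    slotScreenshot(normal, [](App&) {});                 // "screenshot taken"
    slotScreenshot(quitting, [](App& a) { a.quit(); });  // safe, slot aborted
    return 0;
}
```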
Comment 1 Martin Koller 2015-11-29 12:30:17 UTC
This scenario will crash kolourpaint with any open dialog.
But since the dialog is application modal, this scenario should never happen in normal usage, since you cannot activate the application quit menu while the modal dialog is open.

How did you hit this problem?
Or are you just testing what happens if you do nasty things?
(I assume you can crash a lot of other applications this way)
Comment 2 Santhiar 2015-11-30 03:35:21 UTC
Created attachment 95813
Screenshot showing that dialogs are not application modal
Comment 3 Santhiar 2015-11-30 03:35:43 UTC
That's true, but usually the crash is because of a seg-fault/freeing memory that wasn't malloc'd.
The scenarios that lead to a use after free are quitting kolourpaint with a print dialog open or the acquire screenshot dialog open.

Weirdly enough, the kolourpaint () I installed via apt-get in Ubuntu 12.04 does not use application modal dialogs (please see the attached screenshot) -- which is how I ran into the problem. Here are its version details:
Qt: 4.8.6
KDE Development Platform: 4.13.3
KolourPaint: 4.13.1

I then investigated kolourpaint 4.14.13 built from source; here, the dialogs are application modal. I was curious to see whether I could still crash the app, which is why I quit it using qdbus.
And yes, you are right, you can crash a lot of other applications this way.
Comment 4 Justin Zobel 2020-12-17 05:21:36 UTC
Thank you for the crash report.

As it has been a while since this was reported, can you please test and confirm whether this issue is still occurring or whether this bug report can be marked as resolved?

I have set the bug status to "needsinfo" pending your response; please change it back to "reported" or "resolved/worksforme" when you respond. Thank you.
Comment 5 Bug Janitor Service 2021-01-01 04:35:23 UTC
Dear Bug Submitter,

This bug has been in NEEDSINFO status with no change for at least
15 days. Please provide the requested information as soon as
possible and set the bug status as REPORTED. Due to regular bug
tracker maintenance, if the bug is still in NEEDSINFO status with
no change in 30 days the bug will be closed as RESOLVED > WORKSFORME
due to lack of needed information.

For more information about our bug triaging procedures please read the
wiki located here:
https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging

If you have already provided the requested information, please
mark the bug as REPORTED so that the KDE team knows that the bug is
ready to be confirmed.

Thank you for helping us make KDE software even better for everyone!
Comment 6 Bug Janitor Service 2021-01-16 04:34:35 UTC
This bug has been in NEEDSINFO status with no change for at least
30 days. The bug is now closed as RESOLVED > WORKSFORME
due to lack of needed information.

For more information about our bug triaging procedures please read the
wiki located here:
https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging

Thank you for helping us make KDE software even better for everyone!