Bug 356647 - use-after-free crash on closing cervisia having opened a non-CVS folder
Status: RESOLVED WORKSFORME
Alias: None
Product: cervisia
Classification: Applications
Component: general
Version: unspecified
Platform: Compiled Sources / Linux
Priority: NOR  Severity: crash
Target Milestone: ---
Assignee: Christian Loose
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-12-14 04:36 UTC by Santhiar
Modified: 2018-12-01 03:50 UTC

See Also:
Latest Commit:
Version Fixed In:


Description Santhiar 2015-12-14 04:36:57 UTC
Cervisia crashes with a use-after-free bug on closing the application after opening a non-CVS folder.
I ran into this problem while driving Cervisia via a command-line script.
I opened a non-CVS folder via the command line and, while the error dialog was being displayed, closed Cervisia using qdbus.
The application crashed.

Reproducible: Always

Steps to Reproduce:
1. From a terminal, say "cervisia nonCVSFolder"
2. When the error dialog is displayed, from another terminal, issue
   "qdbus `qdbus | grep cervisia` /cervisia/MainWindow_1/actions/file_quit trigger"

Actual Results:  
Cervisia crashes

Expected Results:  
Cervisia closes smoothly

Application details:
Qt: 4.8.7
KDE Development Platform: 4.14.13
Cervisia: 3.10.0

KCrash Report:
Application: Cervisia (cervisia), signal: Segmentation fault
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[KCrash Handler]
#6  0x00007fcea1956a81 in QMap<QAction*, KUrl>::constBegin (this=<optimized out>) at qt4/include/QtCore/qmap.h:374
#7  0x00007fcea19542c0 in KRecentFilesAction::removeUrl (this=<optimized out>, url=...) at KDE/kde/kdelibs/kdeui/actions/krecentfilesaction.cpp:234
#8  0x00007fce949c5074 in CervisiaPart::openSandbox (this=0xa97c40, url=...) at KDE/kde/kdesdk/cervisia/cervisiapart.cpp:1813
#9  0x00007fce949c49a9 in CervisiaPart::openUrl (this=0xa97c40, u=...) at KDE/kde/kdesdk/cervisia/cervisiapart.cpp:222
#10 0x00007fcea43a4d8b in CervisiaShell::openURL (this=<optimized out>, url=...) at KDE/kde/kdesdk/cervisia/cervisiashell.cpp:139
#11 0x00007fcea43a15fe in kdemain (argc=<optimized out>, argv=<optimized out>) at KDE/kde/kdesdk/cervisia/main.cpp:196
#12 0x0000000000400a21 in main (argc=-1641208064, argv=0xffffffff) at KDE/build/kde/kdesdk/cervisia/cervisia_dummy.cpp:3

Investigating further with Cervisia built with AddressSanitizer shows this is a use-after-free vulnerability. AddressSanitizer reported the following stack:

=================================================================
==12997==ERROR: AddressSanitizer: heap-use-after-free on address 0x61100013e3f0 at pc 0x7fdd437ea9cd bp 0x7fffc88647b0 sp 0x7fffc88647a8
READ of size 8 at 0x61100013e3f0 thread T0
    #0 0x7fdd437ea9cc in CervisiaPart::openSandbox(KUrl const&) KDE/kde/kdesdk/cervisia/cervisiapart.cpp:1813
    #1 0x7fdd437e80a9 in CervisiaPart::openUrl(KUrl const&) KDE/kde/kdesdk/cervisia/cervisiapart.cpp:222
    #2 0x7fdd571558b4 in CervisiaShell::openURL(KUrl const&) KDE/kde/kdesdk/cervisia/cervisiashell.cpp:139
    #3 0x7fdd5714cce1 in kdemain KDE/kde/kdesdk/cervisia/main.cpp:196
    #4 0x445ce8 in main (KDE/install-asan/bin/cervisia+0x445ce8)
    #5 0x7fdd50e5376c (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
    #6 0x445bec in _start (KDE/install-asan/bin/cervisia+0x445bec)
0x61100013e3f0 is located 112 bytes inside of 216-byte region [0x61100013e380,0x61100013e458)
freed by thread T0 here:
    #0 0x43120a in operator delete(void*) (KDE/install-asan/bin/cervisia+0x43120a)
    #1 0x7fdd437e6419 in CervisiaPart::~CervisiaPart() KDE/kde/kdesdk/cervisia/cervisiapart.cpp:180
    #2 0x7fdd5715528f in CervisiaShell::~CervisiaShell() KDE/kde/kdesdk/cervisia/cervisiashell.cpp:81
    #3 0x7fdd57154ca5 in ~CervisiaShell KDE/kde/kdesdk/cervisia/cervisiashell.cpp:80
    #4 0x7fdd57154ca5 in CervisiaShell::~CervisiaShell() KDE/kde/kdesdk/cervisia/cervisiashell.cpp:80
    #5 0x7fdd53509e3d in qDeleteInEventHandler(QObject*) (qt4/lib/libQtCore.so.4+0x24ee3d)
    #6 0x7fdd535099a7 in QObject::event(QEvent*) (qt4/lib/libQtCore.so.4+0x24e9a7)
    #7 0x7fdd522ef345 in QWidget::event(QEvent*) (qt4/lib/libQtGui.so.4+0x2c0345)
    #8 0x7fdd52910f72 in QMainWindow::event(QEvent*) (qt4/lib/libQtGui.so.4+0x8e1f72)
    #9 0x7fdd553a4133 in KMainWindow::event(QEvent*) KDE/kde/kdelibs/kdeui/widgets/kmainwindow.cpp:1126
    #10 0x7fdd554aa0b2 in KXmlGuiWindow::event(QEvent*) KDE/kde/kdelibs/kdeui/xmlgui/kxmlguiwindow.cpp:126
    #11 0x7fdd5226448e in QApplicationPrivate::notify_helper(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x23548e)
    #12 0x7fdd5226a32b in QApplication::notify(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x23b32b)
    #13 0x7fdd55084340 in KApplication::notify(QObject*, QEvent*) KDE/kde/kdelibs/kdeui/kernel/kapplication.cpp:311
    #14 0x7fdd534e8dc5 in QCoreApplication::notifyInternal(QObject*, QEvent*) (qt4/lib/libQtCore.so.4+0x22ddc5)
    #15 0x7fdd534ed549 in QCoreApplication::sendEvent(QObject*, QEvent*) (qt4/lib/libQtCore.so.4+0x232549)
    #16 0x7fdd534ea3f3 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qt4/lib/libQtCore.so.4+0x22f3f3)
    #17 0x7fdd5353b2f6 in QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x2802f6)
    #18 0x7fdd5237c669 in QEventDispatcherX11::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtGui.so.4+0x34d669)
    #19 0x7fdd534e3f6b in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x228f6b)
    #20 0x7fdd534e4331 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x229331)
    #21 0x7fdd52a18c8a in QDialog::exec() (qt4/lib/libQtGui.so.4+0x9e9c8a)
    #22 0x7fdd54e109dc in KMessageBox::createKMessageBox(KDialog*, QIcon const&, QString const&, QStringList const&, QString const&, bool*, QFlags<KMessageBox::Option>, QString const&, QMessageBox::Icon) KDE/kde/kdelibs/kdeui/dialogs/kmessagebox.cpp:344
    #23 0x7fdd54e0dfe1 in KMessageBox::createKMessageBox(KDialog*, QMessageBox::Icon, QString const&, QStringList const&, QString const&, bool*, QFlags<KMessageBox::Option>, QString const&) KDE/kde/kdelibs/kdeui/dialogs/kmessagebox.cpp:158
    #24 0x7fdd54e20f44 in KMessageBox::sorryWId(unsigned long, QString const&, QString const&, QFlags<KMessageBox::Option>) KDE/kde/kdelibs/kdeui/dialogs/kmessagebox.cpp:928
    #25 0x7fdd54e2090d in KMessageBox::sorry(QWidget*, QString const&, QString const&, QFlags<KMessageBox::Option>) KDE/kde/kdelibs/kdeui/dialogs/kmessagebox.cpp:907
    #26 0x7fdd437e9814 in CervisiaPart::openSandbox(KUrl const&) KDE/kde/kdesdk/cervisia/cervisiapart.cpp:1807
    #27 0x7fdd437e80a9 in CervisiaPart::openUrl(KUrl const&) KDE/kde/kdesdk/cervisia/cervisiapart.cpp:222
    #28 0x7fdd571558b4 in CervisiaShell::openURL(KUrl const&) KDE/kde/kdesdk/cervisia/cervisiashell.cpp:139
    #29 0x7fdd5714cce1 in kdemain KDE/kde/kdesdk/cervisia/main.cpp:196
    #30 0x445ce8 in main (KDE/install-asan/bin/cervisia+0x445ce8)
    #31 0x7fdd50e5376c (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
    #32 0x445bec in _start (KDE/install-asan/bin/cervisia+0x445bec)
previously allocated by thread T0 here:
    #0 0x430f8a in operator new(unsigned long) (KDE/install-asan/bin/cervisia+0x430f8a)
    #1 0x7fdd437f58c9 in QObject* KPluginFactory::createPartInstance<CervisiaPart>(QWidget*, QObject*, QList<QVariant> const&) KDE/install-asan/include/kpluginfactory.h:483
    #2 0x7fdd543410cc in KPluginFactory::create(char const*, QWidget*, QObject*, QList<QVariant> const&, QString const&) KDE/kde/kdelibs/kdecore/util/kpluginfactory.cpp:203
    #3 0x7fdd5715781e in KParts::ReadOnlyPart* KPluginFactory::create<KParts::ReadOnlyPart>(QObject*, QList<QVariant> const&) KDE/install-asan/include/kpluginfactory.h:507
    #4 0x7fdd57151019 in CervisiaShell::CervisiaShell(char const*) KDE/kde/kdesdk/cervisia/cervisiashell.cpp:48
    #5 0x7fdd5714cbfa in kdemain KDE/kde/kdesdk/cervisia/main.cpp:190
    #6 0x445ce8 in main (KDE/install-asan/bin/cervisia+0x445ce8)
    #7 0x7fdd50e5376c (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
    #8 0x445bec in _start (KDE/install-asan/bin/cervisia+0x445bec)
SUMMARY: AddressSanitizer: heap-use-after-free KDE/kde/kdesdk/cervisia/cervisiapart.cpp:1813 CervisiaPart::openSandbox(KUrl const&)
Shadow bytes around the buggy address:
  0x0c228001fc20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c228001fc30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c228001fc40: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c228001fc50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c228001fc60: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa
=>0x0c228001fc70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd
  0x0c228001fc80: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c228001fc90: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c228001fca0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c228001fcb0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c228001fcc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==12997==ABORTING
Comment 1 Santhiar 2015-12-14 04:40:57 UTC
A related use-after-free crash is obtained if you open a non-CVS folder via the GUI and, as the error dialog is displayed, close the application from the command line with
"qdbus `qdbus | grep cervisia` /cervisia/MainWindow_1/actions/file_quit trigger".
Please find the KCrash and AddressSanitizer stacks below.
The free stack reported by AddressSanitizer exhibits a nested event loop; the free is within this loop.

============
KCrash stack:
============
Application: Cervisia (cervisia), signal: Segmentation fault
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[Current thread is 1 (Thread 0x7fb2454f3780 (LWP 10883))]

Thread 2 (Thread 0x7fb234710700 (LWP 10887)):
#0  0x00007fb23e6af4ac in send () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007fb23e6aa020 in __vsyslog_chk () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x00007fb23e6aa3af in syslog () from /lib/x86_64-linux-gnu/libc.so.6
#3  0x00007fb23f888c93 in QMutex::lock (this=0x11541d0) at thread/qmutex.cpp:180
#4  0x00007fb23f867645 in QMutex::lockInline (this=0x11541d0) at ../../include/QtCore/../../src/corelib/thread/qmutex.h:201
#5  0x00007fb23f8646c0 in QMutexLocker::QMutexLocker (this=0x7fb23470fa20, m=0x11541d0) at ../../include/QtCore/../../src/corelib/thread/qmutex.h:109
#6  0x00007fb23fa69e54 in QThreadData::canWaitLocked (this=0x1154180) at ../../include/QtCore/private/../../../src/corelib/thread/qthread_p.h:236
#7  0x00007fb23fa6d30b in QEventDispatcherUNIX::processEvents (this=0x7fb22c0008f0, flags=...) at kernel/qeventdispatcher_unix.cpp:911
#8  0x00007fb23fa15f6c in QEventLoop::processEvents (this=0x7fb23470fc78, flags=...) at kernel/qeventloop.cpp:149
#9  0x00007fb23fa16332 in QEventLoop::exec (this=0x7fb23470fc78, flags=...) at kernel/qeventloop.cpp:225
#10 0x00007fb23f88e0a0 in QThread::exec (this=0x11666e0) at thread/qthread.cpp:659
#11 0x00007fb23f9e5994 in QInotifyFileSystemWatcherEngine::run (this=0x11666e0) at io/qfilesystemwatcher_inotify.cpp:265
#12 0x00007fb23f892b2a in QThreadPrivate::start (arg=0x11666e0) at thread/qthread_unix.cpp:361
#13 0x00007fb244cf2e9a in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#14 0x00007fb23e6ae38d in clone () from /lib/x86_64-linux-gnu/libc.so.6
#15 0x0000000000000000 in ?? ()

Thread 1 (Thread 0x7fb2454f3780 (LWP 10883)):
[KCrash Handler]
#6  0x00007fb241ff6a81 in QMap<QAction*, KUrl>::constBegin (this=<optimized out>) at qt4/include/QtCore/qmap.h:374
#7  0x00007fb241ff42c0 in KRecentFilesAction::removeUrl (this=<optimized out>, url=...) at KDE/kde/kdelibs/kdeui/actions/krecentfilesaction.cpp:234
#8  0x00007fb235065074 in CervisiaPart::openSandbox (this=0xd5acd0, url=...) at KDE/kde/kdesdk/cervisia/cervisiapart.cpp:1813
#9  0x00007fb235058226 in CervisiaPart::slotOpenSandbox (this=0xd5acd0) at KDE/kde/kdesdk/cervisia/cervisiapart.cpp:788
#10 0x00007fb2350506b3 in CervisiaPart::qt_static_metacall (_o=0xd5acd0, _c=<optimized out>, _id=<optimized out>, _a=<optimized out>) at KDE/build/kde/kdesdk/cervisia/cervisiapart.moc:195
#11 0x00007fb23fa42607 in QMetaObject::activate (sender=0xe045f0, m=0x7fb241e1d540 <QAction::staticMetaObject>, local_signal_index=1, argv=0x7fff43d3fb40) at kernel/qobject.cpp:3569
#12 0x00007fb240dff41d in QAction::triggered (this=0xe045f0, _t1=false) at .moc/debug-shared/moc_qaction.cpp:277
#13 0x00007fb240dff232 in QAction::activate (this=0xe045f0, event=QAction::Trigger) at kernel/qaction.cpp:1257
#14 0x00007fb2414f6717 in QMenuPrivate::activateCausedStack (this=0xecb970, causedStack=..., action=0xe045f0, action_e=QAction::Trigger, self=true) at widgets/qmenu.cpp:1037
#15 0x00007fb2414f45d6 in QMenuPrivate::activateAction (this=0xecb970, action=0xe045f0, action_e=QAction::Trigger, self=true) at widgets/qmenu.cpp:1129
#16 0x00007fb2414fba02 in QMenu::mouseReleaseEvent (this=0xecb930, e=0x7fff43d418a8) at widgets/qmenu.cpp:2371
#17 0x00007fb24235ba8e in KMenu::mouseReleaseEvent (this=0xecb930, e=0x7fff43d418a8) at KDE/kde/kdelibs/kdeui/widgets/kmenu.cpp:464
#18 0x00007fb240e9897e in QWidget::event (this=0xecb930, event=0x7fff43d418a8) at kernel/qwidget.cpp:8389
#19 0x00007fb2414fc34a in QMenu::event (this=0xecb930, e=0x7fff43d418a8) at widgets/qmenu.cpp:2480
#20 0x00007fb240e0f48f in QApplicationPrivate::notify_helper (this=0xc52480, receiver=0xecb930, e=0x7fff43d418a8) at kernel/qapplication.cpp:4565
#21 0x00007fb240e12893 in QApplication::notify (this=0x7fff43d42ef0, receiver=0xecb930, e=0x7fff43d418a8) at kernel/qapplication.cpp:4108
#22 0x00007fb2421b2f7b in KApplication::notify (this=0x7fff43d42ef0, receiver=0xecb930, event=0x7fff43d418a8) at KDE/kde/kdelibs/kdeui/kernel/kapplication.cpp:311
#23 0x00007fb23fa1adc6 in QCoreApplication::notifyInternal (this=0x7fff43d42ef0, receiver=0xecb930, event=0x7fff43d418a8) at kernel/qcoreapplication.cpp:955
#24 0x00007fb240e1a02f in QCoreApplication::sendSpontaneousEvent (receiver=0xecb930, event=0x7fff43d418a8) at qt/src/gui/../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:234
#25 0x00007fb240e10531 in QApplicationPrivate::sendMouseEvent (receiver=0xecb930, event=0x7fff43d418a8, alienWidget=0x0, nativeWidget=0xecb930, buttonDown=0x7fb241e63050 <qt_button_down>, lastMouseReceiver=..., spontaneous=true) at kernel/qapplication.cpp:3171
#26 0x00007fb240ee1229 in QETWidget::translateMouseEvent (this=0xecb930, event=0x7fff43d42b28) at kernel/qapplication_x11.cpp:4459
#27 0x00007fb240edcff6 in QApplication::x11ProcessEvent (this=0x7fff43d42ef0, event=0x7fff43d42b28) at kernel/qapplication_x11.cpp:3520
#28 0x00007fb240f27456 in QEventDispatcherX11::processEvents (this=0xc2fc90, flags=...) at kernel/qeventdispatcher_x11.cpp:151
#29 0x00007fb23fa15f6c in QEventLoop::processEvents (this=0x7fff43d42e20, flags=...) at kernel/qeventloop.cpp:149
#30 0x00007fb23fa16332 in QEventLoop::exec (this=0x7fff43d42e20, flags=...) at kernel/qeventloop.cpp:225
#31 0x00007fb23fa1b5ee in QCoreApplication::exec () at kernel/qcoreapplication.cpp:1229
#32 0x00007fb240e11526 in QApplication::exec () at kernel/qapplication.cpp:3823
#33 0x00007fb244a41662 in kdemain (argc=<optimized out>, argv=<optimized out>) at KDE/kde/kdesdk/cervisia/main.cpp:205
#34 0x0000000000400a21 in main (argc=1050093312, argv=0xffffffff) at KDE/build/kde/kdesdk/cervisia/cervisia_dummy.cpp:3

=====================
AddressSanitizer stack:
=====================
==13060==ERROR: AddressSanitizer: heap-use-after-free on address 0x61100013e3f0 at pc 0x7f67c86a59cd bp 0x7fff1a363770 sp 0x7fff1a363768
READ of size 8 at 0x61100013e3f0 thread T0
    #0 0x7f67c86a59cc in CervisiaPart::openSandbox(KUrl const&) KDE/kde/kdesdk/cervisia/cervisiapart.cpp:1813
    #1 0x7f67c86833be in CervisiaPart::slotOpenSandbox() KDE/kde/kdesdk/cervisia/cervisiapart.cpp:788
    #2 0x7f67c8668ed3 in CervisiaPart::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) KDE/build-asan/kde/kdesdk/cervisia/cervisiapart.moc:195
    #3 0x7f67d83ce606 in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qt4/lib/libQtCore.so.4+0x255606)
    #4 0x7f67d711241c in QAction::triggered(bool) (qt4/lib/libQtGui.so.4+0x22541c)
    #5 0x7f67d7112231 in QAction::activate(QAction::ActionEvent) (qt4/lib/libQtGui.so.4+0x225231)
    #6 0x7f67d7809716 in QMenuPrivate::activateCausedStack(QList<QPointer<QWidget> > const&, QAction*, QAction::ActionEvent, bool) (qt4/lib/libQtGui.so.4+0x91c716)
    #7 0x7f67d78075d5 in QMenuPrivate::activateAction(QAction*, QAction::ActionEvent, bool) (qt4/lib/libQtGui.so.4+0x91a5d5)
    #8 0x7f67d780ea01 in QMenu::mouseReleaseEvent(QMouseEvent*) (qt4/lib/libQtGui.so.4+0x921a01)
    #9 0x7f67da26bf3e in KMenu::mouseReleaseEvent(QMouseEvent*) KDE/kde/kdelibs/kdeui/widgets/kmenu.cpp:464
    #10 0x7f67d71ab97d in QWidget::event(QEvent*) (qt4/lib/libQtGui.so.4+0x2be97d)
    #11 0x7f67d780f349 in QMenu::event(QEvent*) (qt4/lib/libQtGui.so.4+0x922349)
    #12 0x7f67d712248e in QApplicationPrivate::notify_helper(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x23548e)
    #13 0x7f67d7125892 in QApplication::notify(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x238892)
    #14 0x7f67d9f42340 in KApplication::notify(QObject*, QEvent*) KDE/kde/kdelibs/kdeui/kernel/kapplication.cpp:311
    #15 0x7f67d83a6dc5 in QCoreApplication::notifyInternal(QObject*, QEvent*) (qt4/lib/libQtCore.so.4+0x22ddc5)
    #16 0x7f67d712d02e in QCoreApplication::sendSpontaneousEvent(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x24002e)
    #17 0x7f67d7123530 in QApplicationPrivate::sendMouseEvent(QWidget*, QMouseEvent*, QWidget*, QWidget*, QWidget**, QPointer<QWidget>&, bool) (qt4/lib/libQtGui.so.4+0x236530)
    #18 0x7f67d71f4228 in QETWidget::translateMouseEvent(_XEvent const*) (qt4/lib/libQtGui.so.4+0x307228)
    #19 0x7f67d71efff5 in QApplication::x11ProcessEvent(_XEvent*) (qt4/lib/libQtGui.so.4+0x302ff5)
    #20 0x7f67d723a455 in QEventDispatcherX11::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtGui.so.4+0x34d455)
    #21 0x7f67d83a1f6b in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x228f6b)
    #22 0x7f67d83a2331 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x229331)
    #23 0x7f67d83a75ed in QCoreApplication::exec() (qt4/lib/libQtCore.so.4+0x22e5ed)
    #24 0x7f67d7124525 in QApplication::exec() (qt4/lib/libQtGui.so.4+0x237525)
    #25 0x7f67dc00ad4f in kdemain KDE/kde/kdesdk/cervisia/main.cpp:205
    #26 0x445ce8 in main (KDE/install-asan/bin/cervisia+0x445ce8)
    #27 0x7f67d5d1176c (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
    #28 0x445bec in _start (KDE/install-asan/bin/cervisia+0x445bec)
0x61100013e3f0 is located 112 bytes inside of 216-byte region [0x61100013e380,0x61100013e458)
freed by thread T0 here:
    #0 0x43120a in operator delete(void*) (KDE/install-asan/bin/cervisia+0x43120a)
    #1 0x7f67c86a1419 in CervisiaPart::~CervisiaPart() KDE/kde/kdesdk/cervisia/cervisiapart.cpp:180
    #2 0x7f67dc01328f in CervisiaShell::~CervisiaShell() KDE/kde/kdesdk/cervisia/cervisiashell.cpp:81
    #3 0x7f67dc012ca5 in ~CervisiaShell KDE/kde/kdesdk/cervisia/cervisiashell.cpp:80
    #4 0x7f67dc012ca5 in CervisiaShell::~CervisiaShell() KDE/kde/kdesdk/cervisia/cervisiashell.cpp:80
    #5 0x7f67d83c7e3d in qDeleteInEventHandler(QObject*) (qt4/lib/libQtCore.so.4+0x24ee3d)
    #6 0x7f67d83c79a7 in QObject::event(QEvent*) (qt4/lib/libQtCore.so.4+0x24e9a7)
    #7 0x7f67d71ad345 in QWidget::event(QEvent*) (qt4/lib/libQtGui.so.4+0x2c0345)
    #8 0x7f67d77cef72 in QMainWindow::event(QEvent*) (qt4/lib/libQtGui.so.4+0x8e1f72)
    #9 0x7f67da262133 in KMainWindow::event(QEvent*) KDE/kde/kdelibs/kdeui/widgets/kmainwindow.cpp:1126
    #10 0x7f67da3680b2 in KXmlGuiWindow::event(QEvent*) KDE/kde/kdelibs/kdeui/xmlgui/kxmlguiwindow.cpp:126
    #11 0x7f67d712248e in QApplicationPrivate::notify_helper(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x23548e)
    #12 0x7f67d712832b in QApplication::notify(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x23b32b)
    #13 0x7f67d9f42340 in KApplication::notify(QObject*, QEvent*) KDE/kde/kdelibs/kdeui/kernel/kapplication.cpp:311
    #14 0x7f67d83a6dc5 in QCoreApplication::notifyInternal(QObject*, QEvent*) (qt4/lib/libQtCore.so.4+0x22ddc5)
    #15 0x7f67d83ab549 in QCoreApplication::sendEvent(QObject*, QEvent*) (qt4/lib/libQtCore.so.4+0x232549)
    #16 0x7f67d83a83f3 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qt4/lib/libQtCore.so.4+0x22f3f3)
    #17 0x7f67d83f92f6 in QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x2802f6)
    #18 0x7f67d723a669 in QEventDispatcherX11::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtGui.so.4+0x34d669)
    #19 0x7f67d83a1f6b in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x228f6b)
    #20 0x7f67d83a2331 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x229331)
    #21 0x7f67d78d6c8a in QDialog::exec() (qt4/lib/libQtGui.so.4+0x9e9c8a)
    #22 0x7f67d9cce9dc in KMessageBox::createKMessageBox(KDialog*, QIcon const&, QString const&, QStringList const&, QString const&, bool*, QFlags<KMessageBox::Option>, QString const&, QMessageBox::Icon) KDE/kde/kdelibs/kdeui/dialogs/kmessagebox.cpp:344
    #23 0x7f67d9ccbfe1 in KMessageBox::createKMessageBox(KDialog*, QMessageBox::Icon, QString const&, QStringList const&, QString const&, bool*, QFlags<KMessageBox::Option>, QString const&) KDE/kde/kdelibs/kdeui/dialogs/kmessagebox.cpp:158
    #24 0x7f67d9cdef44 in KMessageBox::sorryWId(unsigned long, QString const&, QString const&, QFlags<KMessageBox::Option>) KDE/kde/kdelibs/kdeui/dialogs/kmessagebox.cpp:928
    #25 0x7f67d9cde90d in KMessageBox::sorry(QWidget*, QString const&, QString const&, QFlags<KMessageBox::Option>) KDE/kde/kdelibs/kdeui/dialogs/kmessagebox.cpp:907
    #26 0x7f67c86a4814 in CervisiaPart::openSandbox(KUrl const&) KDE/kde/kdesdk/cervisia/cervisiapart.cpp:1807
    #27 0x7f67c86833be in CervisiaPart::slotOpenSandbox() KDE/kde/kdesdk/cervisia/cervisiapart.cpp:788
    #28 0x7f67c8668ed3 in CervisiaPart::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) KDE/build-asan/kde/kdesdk/cervisia/cervisiapart.moc:195
    #29 0x7f67d83ce606 in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qt4/lib/libQtCore.so.4+0x255606)
    #30 0x7f67d711241c in QAction::triggered(bool) (qt4/lib/libQtGui.so.4+0x22541c)
    #31 0x7f67d7112231 in QAction::activate(QAction::ActionEvent) (qt4/lib/libQtGui.so.4+0x225231)
    #32 0x7f67d7809716 in QMenuPrivate::activateCausedStack(QList<QPointer<QWidget> > const&, QAction*, QAction::ActionEvent, bool) (qt4/lib/libQtGui.so.4+0x91c716)
    #33 0x7f67d78075d5 in QMenuPrivate::activateAction(QAction*, QAction::ActionEvent, bool) (qt4/lib/libQtGui.so.4+0x91a5d5)
    #34 0x7f67d780ea01 in QMenu::mouseReleaseEvent(QMouseEvent*) (qt4/lib/libQtGui.so.4+0x921a01)
    #35 0x7f67da26bf3e in KMenu::mouseReleaseEvent(QMouseEvent*) KDE/kde/kdelibs/kdeui/widgets/kmenu.cpp:464
    #36 0x7f67d71ab97d in QWidget::event(QEvent*) (qt4/lib/libQtGui.so.4+0x2be97d)
    #37 0x7f67d780f349 in QMenu::event(QEvent*) (qt4/lib/libQtGui.so.4+0x922349)
    #38 0x7f67d712248e in QApplicationPrivate::notify_helper(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x23548e)
    #39 0x7f67d7125892 in QApplication::notify(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x238892)
    #40 0x7f67d9f42340 in KApplication::notify(QObject*, QEvent*) KDE/kde/kdelibs/kdeui/kernel/kapplication.cpp:311
    #41 0x7f67d83a6dc5 in QCoreApplication::notifyInternal(QObject*, QEvent*) (qt4/lib/libQtCore.so.4+0x22ddc5)
    #42 0x7f67d712d02e in QCoreApplication::sendSpontaneousEvent(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x24002e)
    #43 0x7f67d7123530 in QApplicationPrivate::sendMouseEvent(QWidget*, QMouseEvent*, QWidget*, QWidget*, QWidget**, QPointer<QWidget>&, bool) (qt4/lib/libQtGui.so.4+0x236530)
    #44 0x7f67d71f4228 in QETWidget::translateMouseEvent(_XEvent const*) (qt4/lib/libQtGui.so.4+0x307228)
    #45 0x7f67d71efff5 in QApplication::x11ProcessEvent(_XEvent*) (qt4/lib/libQtGui.so.4+0x302ff5)
    #46 0x7f67d723a455 in QEventDispatcherX11::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtGui.so.4+0x34d455)
    #47 0x7f67d83a1f6b in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x228f6b)
    #48 0x7f67d83a2331 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x229331)
    #49 0x7f67d83a75ed in QCoreApplication::exec() (qt4/lib/libQtCore.so.4+0x22e5ed)
    #50 0x7f67d7124525 in QApplication::exec() (qt4/lib/libQtGui.so.4+0x237525)
    #51 0x7f67dc00ad4f in kdemain KDE/kde/kdesdk/cervisia/main.cpp:205
    #52 0x445ce8 in main (KDE/install-asan/bin/cervisia+0x445ce8)
    #53 0x7f67d5d1176c (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
    #54 0x445bec in _start (KDE/install-asan/bin/cervisia+0x445bec)
previously allocated by thread T0 here:
    #0 0x430f8a in operator new(unsigned long) (KDE/install-asan/bin/cervisia+0x430f8a)
    #1 0x7f67c86b08c9 in QObject* KPluginFactory::createPartInstance<CervisiaPart>(QWidget*, QObject*, QList<QVariant> const&) KDE/install-asan/include/kpluginfactory.h:483
    #2 0x7f67d91ff0cc in KPluginFactory::create(char const*, QWidget*, QObject*, QList<QVariant> const&, QString const&) KDE/kde/kdelibs/kdecore/util/kpluginfactory.cpp:203
    #3 0x7f67dc01581e in KParts::ReadOnlyPart* KPluginFactory::create<KParts::ReadOnlyPart>(QObject*, QList<QVariant> const&) KDE/install-asan/include/kpluginfactory.h:507
    #4 0x7f67dc00f019 in CervisiaShell::CervisiaShell(char const*) KDE/kde/kdesdk/cervisia/cervisiashell.cpp:48
    #5 0x7f67dc00abfa in kdemain KDE/kde/kdesdk/cervisia/main.cpp:190
    #6 0x445ce8 in main (KDE/install-asan/bin/cervisia+0x445ce8)
    #7 0x7f67d5d1176c (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
    #8 0x445bec in _start (KDE/install-asan/bin/cervisia+0x445bec)
SUMMARY: AddressSanitizer: heap-use-after-free KDE/kde/kdesdk/cervisia/cervisiapart.cpp:1813 CervisiaPart::openSandbox(KUrl const&)
Shadow bytes around the buggy address:
  0x0c228001fc20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c228001fc30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c228001fc40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c228001fc50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c228001fc60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c228001fc70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd
  0x0c228001fc80: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c228001fc90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c228001fca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c228001fcb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c228001fcc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==13060==ABORTING
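The two traces above share one control flow: CervisiaPart::openSandbox() shows a modal error dialog (KMessageBox::sorry -> QDialog::exec), that nested event loop delivers the deferred delete queued by file_quit, ~CervisiaShell deletes the part, and openSandbox() then resumes on a dead `this` at cervisiapart.cpp:1813. The following Qt-free C++ model is an added example, not code from this report or from Cervisia: Shell, Part, EventLoop, the "shadow map" (standing in for AddressSanitizer's shadow bytes) and the weak_ptr guard (standing in for QPointer) are all assumptions of the example. It runs the unguarded flow, which the toy shadow map flags as a use-after-free, beside a guarded flow that re-checks liveness after the nested loop and returns without touching members.

```cpp
#include <cstdint>
#include <cstdio>
#include <deque>
#include <functional>
#include <memory>
#include <set>
#include <string>

// Toy shadow map (stand-in for ASan's shadow bytes): a Part records its own
// address when destroyed, so a later access through a stale pointer can be
// flagged instead of silently touching freed memory.
static std::set<std::uintptr_t> g_freed;

// Toy event queue. execModal() stands in for KMessageBox::sorry() ->
// QDialog::exec(): a nested event loop that delivers every pending event,
// including the deferred delete of the main window posted by file_quit.
struct EventLoop {
    std::deque<std::function<void()>> posted;
    void post(std::function<void()> ev) { posted.push_back(std::move(ev)); }
    void execModal() {
        while (!posted.empty()) {
            auto ev = std::move(posted.front());
            posted.pop_front();
            ev();
        }
    }
};

enum class Result { Opened, NotASandbox, AbortedDuringDialog, UseAfterFree };

struct Part {
    EventLoop& loop;
    std::set<std::string> recent = {"/tmp/not-a-sandbox"};  // touched after the dialog
    // Liveness token; a weak_ptr to it plays the role of QPointer<CervisiaPart>.
    std::shared_ptr<bool> alive = std::make_shared<bool>(true);

    explicit Part(EventLoop& l) : loop(l) {}
    ~Part() { g_freed.insert(reinterpret_cast<std::uintptr_t>(this)); }

    // Hypothetical sandbox test: anything not prefixed "cvs:" is "not a sandbox".
    static bool isCvsSandbox(const std::string& dir) { return dir.rfind("cvs:", 0) == 0; }

    // Mirrors the reported flow: a non-CVS folder shows a modal error, the nested
    // loop runs, then the method keeps using its members as if nothing happened.
    Result openSandboxUnguarded(const std::string& dir) {
        if (isCvsSandbox(dir)) return Result::Opened;
        const auto self = reinterpret_cast<std::uintptr_t>(this);  // taken while alive
        loop.execModal();                                  // file_quit may land in here
        if (g_freed.count(self)) return Result::UseAfterFree;  // the read ASan reports at :1813
        recent.erase(dir);                                 // "remove from recent list"
        return Result::NotASandbox;
    }

    // Hardened: take a guard before spinning the nested loop, re-check after it,
    // and touch nothing on `this` if the object was deleted meanwhile.
    Result openSandboxGuarded(const std::string& dir) {
        if (isCvsSandbox(dir)) return Result::Opened;
        std::weak_ptr<bool> guard = alive;
        loop.execModal();
        if (guard.expired()) return Result::AbortedDuringDialog;
        recent.erase(dir);
        return Result::NotASandbox;
    }
};

// The main window owns the part, as CervisiaShell owns CervisiaPart.
struct Shell {
    std::unique_ptr<Part> part;
    explicit Shell(EventLoop& loop) : part(new Part(loop)) {}
};

// One run of the scenario. quitPending models the qdbus file_quit trigger being
// queued while the error dialog is up; dir is the folder handed to openSandbox().
Result runScenario(bool guarded, bool quitPending,
                   const std::string& dir = "/tmp/not-a-sandbox") {
    g_freed.clear();
    EventLoop loop;
    auto shell = std::make_unique<Shell>(loop);
    Part* part = shell->part.get();
    if (quitPending)
        loop.post([&shell] { shell.reset(); });  // deferred delete: ~Shell -> ~Part
    return guarded ? part->openSandboxGuarded(dir) : part->openSandboxUnguarded(dir);
}

int main() {
    std::printf("unguarded, quit during dialog: %d (3 = use-after-free)\n",
                static_cast<int>(runScenario(false, true)));
    std::printf("guarded, quit during dialog:   %d (2 = aborted safely)\n",
                static_cast<int>(runScenario(true, true)));
    return 0;
}
```

In real Qt code the equivalent of the weak_ptr guard is `QPointer<CervisiaPart> guard(this);` taken before `KMessageBox::sorry()` and `if (!guard) return false;` after it; the other option is a non-modal message box, so that no nested event loop runs inside openSandbox() at all. Neither is a fix the project shipped for this report, which was closed without a code change.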
Comment 2 Andrew Crouthamel 2018-11-01 13:46:28 UTC
Dear Bug Submitter,

This bug has been stagnant for a long time. Could you help us out and re-test if the bug is valid in the latest version? I am setting the status to NEEDSINFO pending your response, please change the Status back to REPORTED when you respond.

Thank you for helping us make KDE software even better for everyone!
Comment 3 Bug Janitor Service 2018-11-16 11:36:51 UTC
Dear Bug Submitter,

This bug has been in NEEDSINFO status with no change for at least
15 days. Please provide the requested information as soon as
possible and set the bug status as REPORTED. Due to regular bug
tracker maintenance, if the bug is still in NEEDSINFO status with
no change in 30 days the bug will be closed as RESOLVED > WORKSFORME
due to lack of needed information.

For more information about our bug triaging procedures please read the
wiki located here:
https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging

If you have already provided the requested information, please
mark the bug as REPORTED so that the KDE team knows that the bug is
ready to be confirmed.

Thank you for helping us make KDE software even better for everyone!
Comment 4 Bug Janitor Service 2018-12-01 03:50:56 UTC
This bug has been in NEEDSINFO status with no change for at least
30 days. The bug is now closed as RESOLVED > WORKSFORME
due to lack of needed information.

For more information about our bug triaging procedures please read the
wiki located here:
https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging

Thank you for helping us make KDE software even better for everyone!