Application: kalarm (2.11.2-5ak)
Qt Version: 5.4.2
Operating System: Linux 4.2.0-21-generic x86_64
Distribution: Ubuntu 15.10

-- Information about the crash:
- What I was doing when the application crashed:
Kubuntu 15.10 started up. Main kalarm window was visible on desktop. No kalarm icon in system tray. Closed main kalarm window and crash reporting assistant started.

The crash can be reproduced sometimes.

-- Backtrace:
Application: KAlarm (kalarm), signal: Segmentation fault
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[KCrash Handler]
#6  QHashNode<QPair<QObject*, QByteArray>, QPropertyAnimation*>::same_key (key0=..., h0=972625121, this=0x3539653737656162) at ../../include/QtCore/../../src/corelib/tools/qhash.h:206
#7  QHash<QPair<QObject*, QByteArray>, QPropertyAnimation*>::findNode (this=this@entry=0x7ff375671038 <QPropertyAnimation::updateState(QAbstractAnimation::State, QAbstractAnimation::State)::hash>, akey=..., ahp=ahp@entry=0x0) at ../../include/QtCore/../../src/corelib/tools/qhash.h:919
#8  0x00007ff37523d01b in QHash<QPair<QObject*, QByteArray>, QPropertyAnimation*>::value (akey=..., this=0x7ff375671038 <QPropertyAnimation::updateState(QAbstractAnimation::State, QAbstractAnimation::State)::hash>) at ../../include/QtCore/../../src/corelib/tools/qhash.h:618
#9  QPropertyAnimation::updateState (this=0xeed110, newState=QAbstractAnimation::Stopped, oldState=QAbstractAnimation::Running) at animation/qpropertyanimation.cpp:296
#10 0x00007ff375235349 in QAbstractAnimationPrivate::setState (newState=QAbstractAnimation::Stopped, this=0xeed750) at animation/qabstractanimation.cpp:987
#11 QAbstractAnimation::stop (this=<optimized out>) at animation/qabstractanimation.cpp:1376
#12 0x00007ff37523c1d7 in QPropertyAnimation::~QPropertyAnimation (this=0xeed110, __in_chrg=<optimized out>) at animation/qpropertyanimation.cpp:169
#13 0x00007ff35a459513 in Breeze::Animation::~Animation (this=0xeed110, __in_chrg=<optimized out>) at ../../kstyle/animations/breezeanimation.h:47
#14 Breeze::Animation::~Animation (this=0xeed110, __in_chrg=<optimized out>) at ../../kstyle/animations/breezeanimation.h:47
#15 0x00007ff375469d2b in QObjectPrivate::deleteChildren (this=this@entry=0xeed6d0) at kernel/qobject.cpp:1950
#16 0x00007ff375473620 in QObject::~QObject (this=<optimized out>, __in_chrg=<optimized out>) at kernel/qobject.cpp:1030
#17 0x00007ff35a45a725 in Breeze::BaseEngine::~BaseEngine (this=0xeed660, __in_chrg=<optimized out>) at ../../kstyle/animations/breezebaseengine.h:51
#18 Breeze::BusyIndicatorEngine::~BusyIndicatorEngine (this=0xeed660, __in_chrg=<optimized out>) at ../../kstyle/animations/breezebusyindicatorengine.h:47
#19 Breeze::BusyIndicatorEngine::~BusyIndicatorEngine (this=0xeed660, __in_chrg=<optimized out>) at ../../kstyle/animations/breezebusyindicatorengine.h:47
#20 0x00007ff375469d2b in QObjectPrivate::deleteChildren (this=this@entry=0xeed480) at kernel/qobject.cpp:1950
#21 0x00007ff375473620 in QObject::~QObject (this=<optimized out>, __in_chrg=<optimized out>) at kernel/qobject.cpp:1030
#22 0x00007ff35a45a4e0 in Breeze::Animations::~Animations (this=0xeed3f0, __in_chrg=<optimized out>) at ../../kstyle/animations/breezeanimations.h:52
#23 Breeze::Animations::~Animations (this=0xeed3f0, __in_chrg=<optimized out>) at ../../kstyle/animations/breezeanimations.h:52
#24 0x00007ff375469d2b in QObjectPrivate::deleteChildren (this=this@entry=0xee8920) at kernel/qobject.cpp:1950
#25 0x00007ff375473620 in QObject::~QObject (this=<optimized out>, __in_chrg=<optimized out>) at kernel/qobject.cpp:1030
#26 0x00007ff35a436829 in Breeze::Style::~Style (this=0xed9260, __in_chrg=<optimized out>) at ../../kstyle/breezestyle.cpp:206
#27 0x00007ff37546b617 in QtPrivate::QSlotObjectBase::call (a=0x7fff073d6d90, r=0xed9260, this=<optimized out>) at ../../include/QtCore/../../src/corelib/kernel/qobject_impl.h:124
#28 QMetaObject::activate (sender=sender@entry=0xee8700, signalOffset=<optimized out>, local_signal_index=local_signal_index@entry=0, argv=argv@entry=0x7fff073d6d90) at kernel/qobject.cpp:3702
#29 0x00007ff37546bf87 in QMetaObject::activate (sender=sender@entry=0xee8700, m=m@entry=0x7ff3756680e0 <QObject::staticMetaObject>, local_signal_index=local_signal_index@entry=0, argv=argv@entry=0x7fff073d6d90) at kernel/qobject.cpp:3582
#30 0x00007ff37546c02f in QObject::destroyed (this=this@entry=0xee8700, _t1=_t1@entry=0xee8700) at .moc/moc_qobject.cpp:206
#31 0x00007ff37547319a in QObject::~QObject (this=0xee8700, __in_chrg=<optimized out>) at kernel/qobject.cpp:903
#32 0x00007ff35a44cd27 in Breeze::StylePlugin::~StylePlugin (this=0xee8700, __in_chrg=<optimized out>) at ../../kstyle/breezestyleplugin.cpp:52
#33 Breeze::StylePlugin::~StylePlugin (this=0xee8700, __in_chrg=<optimized out>) at ../../kstyle/breezestyleplugin.cpp:54
#34 0x00007ff37542ed37 in QLibraryPrivate::unload (this=this@entry=0xee8690, flag=flag@entry=QLibraryPrivate::UnloadSys) at plugin/qlibrary.cpp:548
#35 0x00007ff375426e32 in QFactoryLoaderPrivate::~QFactoryLoaderPrivate (this=0xed91b0, __in_chrg=<optimized out>) at plugin/qfactoryloader.cpp:78
#36 0x00007ff375427059 in QFactoryLoaderPrivate::~QFactoryLoaderPrivate (this=0xed91b0, __in_chrg=<optimized out>) at plugin/qfactoryloader.cpp:81
#37 0x00007ff375473668 in QScopedPointerDeleter<QObjectData>::cleanup (pointer=<optimized out>) at ../../include/QtCore/../../src/corelib/tools/qscopedpointer.h:54
#38 QScopedPointer<QObjectData, QScopedPointerDeleter<QObjectData> >::~QScopedPointer (this=0x7ff376381a48 <(anonymous namespace)::Q_QGS_loader::innerFunction()::holder+8>, __in_chrg=<optimized out>) at ../../include/QtCore/../../src/corelib/tools/qscopedpointer.h:101
#39 QObject::~QObject (this=<optimized out>, __in_chrg=<optimized out>) at kernel/qobject.cpp:882
#40 0x00007ff375425fd0 in QFactoryLoader::~QFactoryLoader (this=0x7ff376381a40 <(anonymous namespace)::Q_QGS_loader::innerFunction()::holder>, __in_chrg=<optimized out>) at plugin/qfactoryloader.cpp:216
#41 0x00007ff375ec1589 in (anonymous namespace)::Q_QGS_loader::Holder::~Holder (this=<optimized out>, __in_chrg=<optimized out>) at styles/qstylefactory.cpp:70
#42 0x00007ff37488fd32 in __run_exit_handlers (status=0, listp=0x7ff374c1a698 <__exit_funcs>, run_list_atexit=run_list_atexit@entry=true) at exit.c:82
#43 0x00007ff37488fd85 in __GI_exit (status=<optimized out>) at exit.c:104
#44 0x00007ff374876a47 in __libc_start_main (main=0x4a5420 <main(int, char**)>, argc=3, argv=0x7fff073d7158, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fff073d7148) at libc-start.c:323
#45 0x00000000004a8489 in _start () at ../../kalarm/main.cpp:48

Reported using DrKonqi
*** Bug 360151 has been marked as a duplicate of this bug. ***
Created attachment 98107 [details]
Testcase

This testcase reproduces this crash (encountered with another application).
Tested with:
- Qt 5.5.1 (Debian package)
- Breeze 5.4.3 (Debian package) and git revision f4032a191f5e
Hi, thanks for posting the simple test case. I can reproduce the crash with qt5, (but not with qt4). Will investigate.
Git commit f56b8b9fbe97f83cf18523dde3a1f83fada9beab by Hugo Pereira Da Costa.
Committed on 30/03/2016 at 13:39.
Pushed by hpereiradacosta into branch 'master'.

Create animation "on demand", that is, when there is at least one animated progressbar. Delete it when all animated progressbars have stopped or have been unregistered. This prevents the underlying QPropertyAnimation from being deleted "too late" after an application was exited, which in turn sometimes results in a crash.

M  +47   -17   kstyle/animations/breezebusyindicatorengine.cpp
M  +2    -3    kstyle/animations/breezebusyindicatorengine.h

http://commits.kde.org/breeze/f56b8b9fbe97f83cf18523dde3a1f83fada9beab
Git commit 32746a734d2825f76ddaaa903f6c80ceaa40a28f by Hugo Pereira Da Costa.
Committed on 30/03/2016 at 13:41.
Pushed by hpereiradacosta into branch 'master'.

Create animation "on demand", that is, when there is at least one animated progressbar. Delete it when all animated progressbars have stopped or have been unregistered. This prevents the underlying QPropertyAnimation from being deleted "too late" after an application was exited, which in turn sometimes results in a crash.
changes. Lines starting # with '#' will be ignored, and an empty message aborts the commit.

M  +47   -17   kstyle/animations/oxygenbusyindicatorengine.cpp
M  +3    -5    kstyle/animations/oxygenbusyindicatorengine.h

http://commits.kde.org/oxygen/32746a734d2825f76ddaaa903f6c80ceaa40a28f
With Breeze 5.6.1 + f56b8b9fbe97f83cf18523dde3a1f83fada9beab, I still manage to crash an application on exit.

To reproduce, start "wireshark -O foo" (this is an invalid option, resulting in exit() after the QApplication is constructed, but before exec() is called). (Qt version 5.6.0, Wireshark from git, but also reproduced with any stable 2.0 version.)

Backtrace:
    #0 0x7fb493f8c01d in bool operator==<QObject*, QByteArray>(QPair<QObject*, QByteArray> const&, QPair<QObject*, QByteArray> const&) src/corelib/tools/qpair.h:100
    #1 0x7fb493f8c01d in QHash<QPair<QObject*, QByteArray>, QPropertyAnimation*>::remove(QPair<QObject*, QByteArray> const&) src/corelib/tools/qhash.h:779
    #2 0x7fb493f8b6a5 in QPropertyAnimation::updateState(QAbstractAnimation::State, QAbstractAnimation::State) src/corelib/animation/qpropertyanimation.cpp:297
    #3 0x7fb493f837e8 in QAbstractAnimationPrivate::setState(QAbstractAnimation::State) src/corelib/animation/qabstractanimation.cpp:990
    #4 0x7fb493f837e8 in QAbstractAnimation::stop() src/corelib/animation/qabstractanimation.cpp:1379
    #5 0x7fb493f8a326 in QPropertyAnimation::~QPropertyAnimation() src/corelib/animation/qpropertyanimation.cpp:169
    #6 0x7fb479d7d712 in Breeze::Animation::~Animation() /build/src/breeze-5.6.1/kstyle/animations/breezeanimation.h:47
    #7 0x7fb479d7d712 in Breeze::Animation::~Animation() /build/src/breeze-5.6.1/kstyle/animations/breezeanimation.h:47
    #8 0x7fb4941adf52 in QObjectPrivate::deleteChildren() src/corelib/kernel/qobject.cpp:1963
    #9 0x7fb4941b7523 in QObject::~QObject() src/corelib/kernel/qobject.cpp:1034
    #10 0x7fb479d7e1d2 in Breeze::WidgetStateData::~WidgetStateData() /build/src/breeze-5.6.1/kstyle/animations/breezewidgetstatedata.h:45
    #11 0x7fb479d7e1d2 in Breeze::EnableData::~EnableData() /build/src/breeze-5.6.1/kstyle/animations/breezeenabledata.h:43
    #12 0x7fb479d7e1d2 in Breeze::EnableData::~EnableData() /build/src/breeze-5.6.1/kstyle/animations/breezeenabledata.h:43
    #13 0x7fb4941adf52 in QObjectPrivate::deleteChildren() src/corelib/kernel/qobject.cpp:1963
    #14 0x7fb4941b7523 in QObject::~QObject() src/corelib/kernel/qobject.cpp:1034
    #15 0x7fb479d7ee38 in Breeze::WidgetStateEngine::~WidgetStateEngine() /build/src/breeze-5.6.1/kstyle/animations/breezewidgetstateengine.h:46
    #16 0x7fb4941adf52 in QObjectPrivate::deleteChildren() src/corelib/kernel/qobject.cpp:1963
    #17 0x7fb4941b7523 in QObject::~QObject() src/corelib/kernel/qobject.cpp:1034
    #18 0x7fb479d7e98f in Breeze::Animations::~Animations() /build/src/breeze-5.6.1/kstyle/animations/breezeanimations.h:52
    #19 0x7fb479d7e98f in Breeze::Animations::~Animations() /build/src/breeze-5.6.1/kstyle/animations/breezeanimations.h:52
    #20 0x7fb4941adf52 in QObjectPrivate::deleteChildren() src/corelib/kernel/qobject.cpp:1963
    #21 0x7fb4941b7523 in QObject::~QObject() src/corelib/kernel/qobject.cpp:1034
    #22 0x7fb479d5cae8 in _init /build/src/breeze-5.6.1/kstyle/breezestyle.cpp:203
    #23 0x7fb4941afbad in QtPrivate::QSlotObjectBase::call(QObject*, void**) src/corelib/kernel/qobject_impl.h:124
    #24 0x7fb4941afbad in QMetaObject::activate(QObject*, int, int, void**) src/corelib/kernel/qobject.cpp:3715
    #25 0x7fb4941b01ee in QObject::destroyed(QObject*) src/corelib/.moc/moc_qobject.cpp:213
    #26 0x7fb4941b7184 in QObject::~QObject() src/corelib/kernel/qobject.cpp:913
    #27 0x7fb479d706e6 in Breeze::StylePlugin::~StylePlugin() /build/src/breeze-5.6.1/kstyle/breezestyleplugin.cpp:52
    #28 0x7fb479d706e6 in _init /build/src/breeze-5.6.1/kstyle/breezestyleplugin.cpp:54
    #29 0x7fb494178ad8 in QLibraryPrivate::unload(QLibraryPrivate::UnloadFlag) src/corelib/plugin/qlibrary.cpp:551
    #30 0x7fb49416eaa1 in QFactoryLoaderPrivate::~QFactoryLoaderPrivate() src/corelib/plugin/qfactoryloader.cpp:88
    #31 0x7fb49416ebd8 in QFactoryLoaderPrivate::~QFactoryLoaderPrivate() src/corelib/plugin/qfactoryloader.cpp:91
    #32 0x7fb4941b756b in QScopedPointerDeleter<QObjectData>::cleanup(QObjectData*) src/corelib/tools/qscopedpointer.h:54
    #33 0x7fb4941b756b in QScopedPointer<QObjectData, QScopedPointerDeleter<QObjectData> >::~QScopedPointer() src/corelib/tools/qscopedpointer.h:101
    #34 0x7fb4941b756b in QObject::~QObject() src/corelib/kernel/qobject.cpp:893
    #35 0x7fb49416dc99 in QFactoryLoader::~QFactoryLoader() src/corelib/plugin/qfactoryloader.cpp:226
    #36 0x7fb494f131e8 in ~Holder src/widgets/styles/qstylefactory.cpp:70
    #37 0x7fb492673c37 in __run_exit_handlers (/usr/lib/libc.so.6+0x35c37)
    #38 0x7fb492673c84 in __GI_exit (/usr/lib/libc.so.6+0x35c84)
    #39 0x5613417cca8b in main wireshark-qt.cpp:1109:13
    #40 0x7fb49265e70f in __libc_start_main (/usr/lib/libc.so.6+0x2070f)
    #41 0x561341704028 in _start (/tmp/wsbuild/run/wireshark+0x13ff028)
Created attachment 100758 [details]
Testcase (with ASAN)

I bisected Wireshark and found that it started crashing after using setStyle(new QProxyStyle). Fair enough, I can create a minimal testcase that crashes when setStyle(new QProxyStyle) is used and exit() is called. This problem does not occur when -style windows (or anything other than breeze and oxygen) is in use.

Following test was done with:
- qt5-base 5.7.0-2
- breeze v5.7.4-17-gf79266d (also reproduced with 5.7.3-1 and many releases before that...)
- oxygen 5.7.3-1 (not in output, but also affected)

ASAN output:

=================================================================
==3262==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000005930 at pc 0x7f5644140df8 bp 0x7ffd4e1b4c90 sp 0x7ffd4e1b4c80
WRITE of size 4 at 0x602000005930 thread T0
    #0 0x7f5644140df7 in std::__atomic_base<int>::operator--() /usr/include/c++/6.1.1/bits/atomic_base.h:304
    #1 0x7f5644140df7 in bool QAtomicOps<int>::deref<int>(std::atomic<int>&) src/corelib/arch/qatomic_cxx11.h:147
    #2 0x7f5644140df7 in QBasicAtomicInteger<int>::deref() src/corelib/thread/qbasicatomic.h:111
    #3 0x7f5644140df7 in QWeakPointer<QObject>::~QWeakPointer() src/corelib/tools/qsharedpointer_impl.h:607
    #4 0x7f5644140df7 in QWeakPointer<QObject>::operator=(QWeakPointer<QObject>&&) src/corelib/tools/qsharedpointer_impl.h:634
    #5 0x7f5644140df7 in QWeakPointer<QObject>& QWeakPointer<QObject>::assign<QObject>(QObject*) src/corelib/tools/qsharedpointer_impl.h:719
    #6 0x7f5644140df7 in QPointer<QObject>::operator=(QObject*) src/corelib/kernel/qpointer.h:83
    #7 0x7f5644140df7 in QFactoryLoader::instance(int) const plugin/qfactoryloader.cpp:283
    #8 0x7f5644ad7e87 in QStyle* qLoadPlugin<QStyle, QStylePlugin>(QFactoryLoader const*, QString const&) src/corelib/plugin/qfactoryloader_p.h:101
    #9 0x7f5644ad7e87 in QStyleFactory::create(QString const&) styles/qstylefactory.cpp:158
    #10 0x7f5644b3351b in QProxyStylePrivate::ensureBaseStyle() const styles/qproxystyle.cpp:99
    #11 0x7f5644b3591d in QProxyStyle::event(QEvent*) styles/qproxystyle.cpp:386
    #12 0x7f5644992417 in QApplicationPrivate::notify_helper(QObject*, QEvent*) kernel/qapplication.cpp:3799
    #13 0x7f56449a4b8d in QApplication::notify(QObject*, QEvent*) kernel/qapplication.cpp:3641
    #14 0x7f564416c0a1 in QCoreApplication::notifyInternal2(QObject*, QEvent*) kernel/qcoreapplication.cpp:988
    #15 0x7f56441ea3e1 in QCoreApplication::sendEvent(QObject*, QEvent*) src/corelib/kernel/qcoreapplication.h:231
    #16 0x7f56441ea3e1 in QObjectPrivate::setParent_helper(QObject*) kernel/qobject.cpp:1996
    #17 0x7f56441eb88f in QObject::~QObject() kernel/qobject.cpp:1048
    #18 0x7f562b413788 (/usr/lib/qt/plugins/styles/breeze.so+0x53788)
    #19 0x7f56441d959a in QtPrivate::QSlotObjectBase::call(QObject*, void**) src/corelib/kernel/qobject_impl.h:130
    #20 0x7f56441d959a in QMetaObject::activate(QObject*, int, int, void**) kernel/qobject.cpp:3723
    #21 0x7f56441da323 in QObject::destroyed(QObject*) .moc/moc_qobject.cpp:213
    #22 0x7f56441eba18 in QObject::~QObject() kernel/qobject.cpp:920
    #23 0x7f562b427416 (/usr/lib/qt/plugins/styles/breeze.so+0x67416)
    #24 0x7f56441589f6 in QLibraryPrivate::unload(QLibraryPrivate::UnloadFlag) plugin/qlibrary.cpp:557
    #25 0x7f5644141ea0 in QFactoryLoaderPrivate::~QFactoryLoaderPrivate() plugin/qfactoryloader.cpp:86
    #26 0x7f56441421a0 in QFactoryLoaderPrivate::~QFactoryLoaderPrivate() plugin/qfactoryloader.cpp:89
    #27 0x7f56441eb8e9 in QScopedPointerDeleter<QObjectData>::cleanup(QObjectData*) src/corelib/tools/qscopedpointer.h:60
    #28 0x7f56441eb8e9 in QScopedPointer<QObjectData, QScopedPointerDeleter<QObjectData> >::~QScopedPointer() src/corelib/tools/qscopedpointer.h:107
    #29 0x7f56441eb8e9 in QObject::~QObject() kernel/qobject.cpp:900
    #30 0x7f56441402e3 in QFactoryLoader::~QFactoryLoader() plugin/qfactoryloader.cpp:205
    #31 0x7f5644addbf8 in ~Holder styles/qstylefactory.cpp:72
    #32 0x7f56432de98f in __run_exit_handlers (/usr/lib/libc.so.6+0x3598f)
    #33 0x7f56432de9e9 in __GI_exit (/usr/lib/libc.so.6+0x359e9)
    #34 0x403337 in MainWindow::ping() (Trial+0x403337)
    #35 0x7f56441d8fb6 in QMetaObject::activate(QObject*, int, int, void**) kernel/qobject.cpp:3740
    #36 0x7f56441fa5b3 in QTimer::timerEvent(QTimerEvent*) kernel/qtimer.cpp:254
    #37 0x7f56441db70b in QObject::event(QEvent*) kernel/qobject.cpp:1285
    #38 0x7f5644992417 in QApplicationPrivate::notify_helper(QObject*, QEvent*) kernel/qapplication.cpp:3799
    #39 0x7f56449a4b8d in QApplication::notify(QObject*, QEvent*) kernel/qapplication.cpp:3641
    #40 0x7f564416c0a1 in QCoreApplication::notifyInternal2(QObject*, QEvent*) kernel/qcoreapplication.cpp:988
    #41 0x7f56442439b4 in QCoreApplication::sendEvent(QObject*, QEvent*) src/corelib/kernel/qcoreapplication.h:231
    #42 0x7f56442439b4 in QTimerInfoList::activateTimers() kernel/qtimerinfo_unix.cpp:644
    #43 0x7f5644244ac2 in timerSourceDispatch kernel/qeventdispatcher_glib.cpp:182
    #44 0x7f5640c6cdd6 in g_main_context_dispatch (/usr/lib/libglib-2.0.so.0+0x49dd6)
    #45 0x7f5640c6d03f (/usr/lib/libglib-2.0.so.0+0x4a03f)
    #46 0x7f5640c6d0eb in g_main_context_iteration (/usr/lib/libglib-2.0.so.0+0x4a0eb)
    #47 0x7f5644245982 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) kernel/qeventdispatcher_glib.cpp:423
    #48 0x7f56441686a4 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) kernel/qeventloop.cpp:210
    #49 0x7f564417ad1e in QCoreApplication::exec() kernel/qcoreapplication.cpp:1261
    #50 0x402ff6 in main (Trial+0x402ff6)
    #51 0x7f56432c9290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
    #52 0x403179 in _start (Trial+0x403179)

0x602000005930 is located 0 bytes inside of 16-byte region [0x602000005930,0x602000005940)
freed by thread T0 here:
    #0 0x7f56458955d0 in operator delete(void*) /build/gcc-multilib/src/gcc/libsanitizer/asan/asan_new_delete.cc:92
    #1 0x7f562b4326f2 in qt_plugin_instance (/usr/lib/qt/plugins/styles/breeze.so+0x726f2)
    #2 0x7f5644140a02 in QFactoryLoader::instance(int) const plugin/qfactoryloader.cpp:283
    #3 0x7f5644ad7e87 in QStyle* qLoadPlugin<QStyle, QStylePlugin>(QFactoryLoader const*, QString const&) src/corelib/plugin/qfactoryloader_p.h:101
    #4 0x7f5644ad7e87 in QStyleFactory::create(QString const&) styles/qstylefactory.cpp:158
    #5 0x7f5644b3351b in QProxyStylePrivate::ensureBaseStyle() const styles/qproxystyle.cpp:99
    #6 0x7f5644b3591d in QProxyStyle::event(QEvent*) styles/qproxystyle.cpp:386
    #7 0x7f5644992417 in QApplicationPrivate::notify_helper(QObject*, QEvent*) kernel/qapplication.cpp:3799
    #8 0x7f56449a4b8d in QApplication::notify(QObject*, QEvent*) kernel/qapplication.cpp:3641
    #9 0x7f564416c0a1 in QCoreApplication::notifyInternal2(QObject*, QEvent*) kernel/qcoreapplication.cpp:988
    #10 0x7f56441ea3e1 in QCoreApplication::sendEvent(QObject*, QEvent*) src/corelib/kernel/qcoreapplication.h:231
    #11 0x7f56441ea3e1 in QObjectPrivate::setParent_helper(QObject*) kernel/qobject.cpp:1996
    #12 0x7f56441eb88f in QObject::~QObject() kernel/qobject.cpp:1048
    #13 0x7f562b413788 (/usr/lib/qt/plugins/styles/breeze.so+0x53788)
    #14 0x7f56441d959a in QtPrivate::QSlotObjectBase::call(QObject*, void**) src/corelib/kernel/qobject_impl.h:130
    #15 0x7f56441d959a in QMetaObject::activate(QObject*, int, int, void**) kernel/qobject.cpp:3723
    #16 0x7f56441da323 in QObject::destroyed(QObject*) .moc/moc_qobject.cpp:213
    #17 0x7f56441eba18 in QObject::~QObject() kernel/qobject.cpp:920
    #18 0x7f562b427416 (/usr/lib/qt/plugins/styles/breeze.so+0x67416)
    #19 0x7f56441589f6 in QLibraryPrivate::unload(QLibraryPrivate::UnloadFlag) plugin/qlibrary.cpp:557
    #20 0x7f5644141ea0 in QFactoryLoaderPrivate::~QFactoryLoaderPrivate() plugin/qfactoryloader.cpp:86
    #21 0x7f56441421a0 in QFactoryLoaderPrivate::~QFactoryLoaderPrivate() plugin/qfactoryloader.cpp:89
    #22 0x7f56441eb8e9 in QScopedPointerDeleter<QObjectData>::cleanup(QObjectData*) src/corelib/tools/qscopedpointer.h:60
    #23 0x7f56441eb8e9 in QScopedPointer<QObjectData, QScopedPointerDeleter<QObjectData> >::~QScopedPointer() src/corelib/tools/qscopedpointer.h:107
    #24 0x7f56441eb8e9 in QObject::~QObject() kernel/qobject.cpp:900
    #25 0x7f56441402e3 in QFactoryLoader::~QFactoryLoader() plugin/qfactoryloader.cpp:205
    #26 0x7f5644addbf8 in ~Holder styles/qstylefactory.cpp:72
    #27 0x7f56432de98f in __run_exit_handlers (/usr/lib/libc.so.6+0x3598f)
    #28 0x7f56432de9e9 in __GI_exit (/usr/lib/libc.so.6+0x359e9)
    #29 0x403337 in MainWindow::ping() (Trial+0x403337)
    #30 0x7f56441d8fb6 in QMetaObject::activate(QObject*, int, int, void**) kernel/qobject.cpp:3740
    #31 0x7f56441fa5b3 in QTimer::timerEvent(QTimerEvent*) kernel/qtimer.cpp:254
    #32 0x7f56441db70b in QObject::event(QEvent*) kernel/qobject.cpp:1285
    #33 0x7f5644992417 in QApplicationPrivate::notify_helper(QObject*, QEvent*) kernel/qapplication.cpp:3799
    #34 0x7f56449a4b8d in QApplication::notify(QObject*, QEvent*) kernel/qapplication.cpp:3641

previously allocated by thread T0 here:
    #0 0x7f5645894f50 in operator new(unsigned long) /build/gcc-multilib/src/gcc/libsanitizer/asan/asan_new_delete.cc:60
    #1 0x7f5643e59928 in QtSharedPointer::ExternalRefCountData::getAndRef(QObject const*) tools/qsharedpointer.cpp:1344
    #2 0x7f562b4326b3 in qt_plugin_instance (/usr/lib/qt/plugins/styles/breeze.so+0x726b3)
    #3 0x7f5644140a02 in QFactoryLoader::instance(int) const plugin/qfactoryloader.cpp:283
    #4 0x7f5644ad7e87 in QStyle* qLoadPlugin<QStyle, QStylePlugin>(QFactoryLoader const*, QString const&) src/corelib/plugin/qfactoryloader_p.h:101
    #5 0x7f5644ad7e87 in QStyleFactory::create(QString const&) styles/qstylefactory.cpp:158
    #6 0x7f564499ce7c in QApplication::style() kernel/qapplication.cpp:1138
    #7 0x7f564499d4f4 in QApplicationPrivate::initialize() kernel/qapplication.cpp:651
    #8 0x7f564499d5ea in QApplicationPrivate::init() kernel/qapplication.cpp:592
    #9 0x402fd9 in main (Trial+0x402fd9)
    #10 0x7f56432c9290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
    #11 0x403179 in _start (Trial+0x403179)

SUMMARY: AddressSanitizer: heap-use-after-free /usr/include/c++/6.1.1/bits/atomic_base.h:304 in std::__atomic_base<int>::operator--()
Shadow bytes around the buggy address:
  0x0c047fff8ad0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff8ae0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff8af0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff8b00: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff8b10: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
=>0x0c047fff8b20: fa fa fd fd fa fa[fd]fd fa fa 00 00 fa fa fd fd
  0x0c047fff8b30: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff8b40: fa fa fd fd fa fa 00 fa fa fa 00 fa fa fa 00 00
  0x0c047fff8b50: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8b60: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 04 fa
  0x0c047fff8b70: fa fa 04 fa fa fa fd fa fa fa 04 fa fa fa 04 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3262==ABORTING
Sigh... wiped breeze before testing it, here is the stacktrace including breeze:

...
    #17 0x7fe4c3f9788f in QObject::~QObject() kernel/qobject.cpp:1048
    #18 0x7fe4ab14d7d4 in Breeze::Style::~Style() ../kstyle/breezestyle.cpp:199
    #19 0x7fe4ab14d7ef in Breeze::Style::~Style() ../kstyle/breezestyle.cpp:203
    #20 0x7fe4ab1913ef in operator() ../kstyle/breezestyleplugin.cpp:45
    #21 0x7fe4ab1919b5 in call /usr/include/qt/QtCore/qobjectdefs_impl.h:501
    #22 0x7fe4ab191996 in call<QtPrivate::List<>, void> /usr/include/qt/QtCore/qobjectdefs_impl.h:558
    #23 0x7fe4ab191927 in impl /usr/include/qt/QtCore/qobject_impl.h:198
    #24 0x7fe4c3f8559a in QtPrivate::QSlotObjectBase::call(QObject*, void**) src/corelib/kernel/qobject_impl.h:130
    #25 0x7fe4c3f8559a in QMetaObject::activate(QObject*, int, int, void**) kernel/qobject.cpp:3723
    #26 0x7fe4c3f86323 in QObject::destroyed(QObject*) .moc/moc_qobject.cpp:213
    #27 0x7fe4c3f97a18 in QObject::~QObject() kernel/qobject.cpp:920
    #28 0x7fe4ab1915dd in Breeze::StylePlugin::~StylePlugin() ../kstyle/breezestyleplugin.cpp:54
    #29 0x7fe4ab1915f9 in Breeze::StylePlugin::~StylePlugin() ../kstyle/breezestyleplugin.cpp:57
    #30 0x7fe4c3f049f6 in QLibraryPrivate::unload(QLibraryPrivate::UnloadFlag) plugin/qlibrary.cpp:557
    #31 0x7fe4c3eedea0 in QFactoryLoaderPrivate::~QFactoryLoaderPrivate() plugin/qfactoryloader.cpp:86
    #32 0x7fe4c3eee1a0 in QFactoryLoaderPrivate::~QFactoryLoaderPrivate() plugin/qfactoryloader.cpp:89
    #33 0x7fe4c3f978e9 in QScopedPointerDeleter<QObjectData>::cleanup(QObjectData*) src/corelib/tools/qscopedpointer.h:60
    #34 0x7fe4c3f978e9 in QScopedPointer<QObjectData, QScopedPointerDeleter<QObjectData> >::~QScopedPointer() src/corelib/tools/qscopedpointer.h:107
    #35 0x7fe4c3f978e9 in QObject::~QObject() kernel/qobject.cpp:900
    #36 0x7fe4c3eec2e3 in QFactoryLoader::~QFactoryLoader() plugin/qfactoryloader.cpp:205
    #37 0x7fe4c4889bf8 in ~Holder styles/qstylefactory.cpp:72
    #38 0x7fe4c308a98f in __run_exit_handlers (/usr/lib/libc.so.6+0x3598f)
    #39 0x7fe4c308a9e9 in __GI_exit (/usr/lib/libc.so.6+0x359e9)
    #40 0x403337 in MainWindow::ping() (Trial+0x403337)
    #41 0x7fe4c3f84fb6 in QMetaObject::activate(QObject*, int, int, void**) kernel/qobject.cpp:3740
    #42 0x7fe4c3fa65b3 in QTimer::timerEvent(QTimerEvent*) kernel/qtimer.cpp:254
    #43 0x7fe4c3f8770b in QObject::event(QEvent*) kernel/qobject.cpp:1285
    #44 0x7fe4c473e417 in QApplicationPrivate::notify_helper(QObject*, QEvent*) kernel/qapplication.cpp:3799
    #45 0x7fe4c4750b8d in QApplication::notify(QObject*, QEvent*) kernel/qapplication.cpp:3641
    #46 0x7fe4c3f180a1 in QCoreApplication::notifyInternal2(QObject*, QEvent*) kernel/qcoreapplication.cpp:988
    #47 0x7fe4c3fef9b4 in QCoreApplication::sendEvent(QObject*, QEvent*) src/corelib/kernel/qcoreapplication.h:231
    #48 0x7fe4c3fef9b4 in QTimerInfoList::activateTimers() kernel/qtimerinfo_unix.cpp:644
    #49 0x7fe4c3ff0ac2 in timerSourceDispatch kernel/qeventdispatcher_glib.cpp:182
    #50 0x7fe4c0a18dd6 in g_main_context_dispatch (/usr/lib/libglib-2.0.so.0+0x49dd6)
    #51 0x7fe4c0a1903f (/usr/lib/libglib-2.0.so.0+0x4a03f)
    #52 0x7fe4c0a190eb in g_main_context_iteration (/usr/lib/libglib-2.0.so.0+0x4a0eb)
    #53 0x7fe4c3ff19b1 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) kernel/qeventdispatcher_glib.cpp:425
    #54 0x7fe4c3f146a4 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) kernel/qeventloop.cpp:210
    #55 0x7fe4c3f26d1e in QCoreApplication::exec() kernel/qcoreapplication.cpp:1261
    #56 0x402ff6 in main (Trial+0x402ff6)
    #57 0x7fe4c3075290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
    #58 0x403179 in _start (Trial+0x403179)

0x602000005930 is located 0 bytes inside of 16-byte region [0x602000005930,0x602000005940)
freed by thread T0 here:
    #0 0x7fe4c56415d0 in operator delete(void*) /build/gcc-multilib/src/gcc/libsanitizer/asan/asan_new_delete.cc:92
    #1 0x7fe4ab109cc6 in QtSharedPointer::ExternalRefCountData::operator delete(void*) /usr/include/qt/QtCore/qsharedpointer_impl.h:171
    #2 0x7fe4ab10a7de in QWeakPointer<QObject>::~QWeakPointer() /usr/include/qt/QtCore/qsharedpointer_impl.h:607
    #3 0x7fe4ab114545 in QWeakPointer<QObject>::operator=(QWeakPointer<QObject>&&) /usr/include/qt/QtCore/qsharedpointer_impl.h:634
    #4 0x7fe4ab11394b in QWeakPointer<QObject>& QWeakPointer<QObject>::assign<QObject>(QObject*) /usr/include/qt/QtCore/qsharedpointer_impl.h:719
    #5 0x7fe4ab1b3ccc in QPointer<QObject>::operator=(QObject*) /usr/include/qt/QtCore/qpointer.h:83
    #6 0x7fe4ab1ab364 in qt_plugin_instance kstyle/moc_breezestyleplugin.cpp:165
    #7 0x7fe4c3eeca02 in QFactoryLoader::instance(int) const plugin/qfactoryloader.cpp:283
    #8 0x7fe4c4883e87 in QStyle* qLoadPlugin<QStyle, QStylePlugin>(QFactoryLoader const*, QString const&) src/corelib/plugin/qfactoryloader_p.h:101
    #9 0x7fe4c4883e87 in QStyleFactory::create(QString const&) styles/qstylefactory.cpp:158
    #10 0x7fe4c48df51b in QProxyStylePrivate::ensureBaseStyle() const styles/qproxystyle.cpp:99
    #11 0x7fe4c48e191d in QProxyStyle::event(QEvent*) styles/qproxystyle.cpp:386
    #12 0x7fe4c473e417 in QApplicationPrivate::notify_helper(QObject*, QEvent*) kernel/qapplication.cpp:3799
    #13 0x7fe4c4750b8d in QApplication::notify(QObject*, QEvent*) kernel/qapplication.cpp:3641
    #14 0x7fe4c3f180a1 in QCoreApplication::notifyInternal2(QObject*, QEvent*) kernel/qcoreapplication.cpp:988
    #15 0x7fe4c3f963e1 in QCoreApplication::sendEvent(QObject*, QEvent*) src/corelib/kernel/qcoreapplication.h:231
    #16 0x7fe4c3f963e1 in QObjectPrivate::setParent_helper(QObject*) kernel/qobject.cpp:1996
    #17 0x7fe4c3f9788f in QObject::~QObject() kernel/qobject.cpp:1048
    #18 0x7fe4ab14d7d4 in Breeze::Style::~Style() ../kstyle/breezestyle.cpp:199
    #19 0x7fe4ab14d7ef in Breeze::Style::~Style() ../kstyle/breezestyle.cpp:203
    #20 0x7fe4ab1913ef in operator() ../kstyle/breezestyleplugin.cpp:45
    #21 0x7fe4ab1919b5 in call /usr/include/qt/QtCore/qobjectdefs_impl.h:501
    #22 0x7fe4ab191996 in call<QtPrivate::List<>, void> /usr/include/qt/QtCore/qobjectdefs_impl.h:558
    #23 0x7fe4ab191927 in impl /usr/include/qt/QtCore/qobject_impl.h:198
    #24 0x7fe4c3f8559a in QtPrivate::QSlotObjectBase::call(QObject*, void**) src/corelib/kernel/qobject_impl.h:130
    #25 0x7fe4c3f8559a in QMetaObject::activate(QObject*, int, int, void**) kernel/qobject.cpp:3723
    #26 0x7fe4c3f86323 in QObject::destroyed(QObject*) .moc/moc_qobject.cpp:213
    #27 0x7fe4c3f97a18 in QObject::~QObject() kernel/qobject.cpp:920
    #28 0x7fe4ab1915dd in Breeze::StylePlugin::~StylePlugin() ../kstyle/breezestyleplugin.cpp:54
    #29 0x7fe4ab1915f9 in Breeze::StylePlugin::~StylePlugin() ../kstyle/breezestyleplugin.cpp:57
    #30 0x7fe4c3f049f6 in QLibraryPrivate::unload(QLibraryPrivate::UnloadFlag) plugin/qlibrary.cpp:557
    #31 0x7fe4c3eedea0 in QFactoryLoaderPrivate::~QFactoryLoaderPrivate() plugin/qfactoryloader.cpp:86
    #32 0x7fe4c3eee1a0 in QFactoryLoaderPrivate::~QFactoryLoaderPrivate() plugin/qfactoryloader.cpp:89

previously allocated by thread T0 here:
    #0 0x7fe4c5640f50 in operator new(unsigned long) /build/gcc-multilib/src/gcc/libsanitizer/asan/asan_new_delete.cc:60
    #1 0x7fe4c3c05928 in QtSharedPointer::ExternalRefCountData::getAndRef(QObject const*) tools/qsharedpointer.cpp:1344
    #2 0x7fe4ab1143f1 in QWeakPointer<QObject>::QWeakPointer<QObject>(QObject*, bool) /usr/include/qt/QtCore/qsharedpointer_impl.h:723
    #3 0x7fe4ab113938 in QWeakPointer<QObject>& QWeakPointer<QObject>::assign<QObject>(QObject*) /usr/include/qt/QtCore/qsharedpointer_impl.h:719
    #4 0x7fe4ab1b3ccc in QPointer<QObject>::operator=(QObject*) /usr/include/qt/QtCore/qpointer.h:83
    #5 0x7fe4ab1ab364 in qt_plugin_instance kstyle/moc_breezestyleplugin.cpp:165
    #6 0x7fe4c3eeca02 in QFactoryLoader::instance(int) const plugin/qfactoryloader.cpp:283
    #7 0x7fe4c4883e87 in QStyle* qLoadPlugin<QStyle, QStylePlugin>(QFactoryLoader const*, QString const&) src/corelib/plugin/qfactoryloader_p.h:101
    #8 0x7fe4c4883e87 in QStyleFactory::create(QString const&) styles/qstylefactory.cpp:158
    #9 0x7fe4c4748e7c in QApplication::style() kernel/qapplication.cpp:1138
    #10 0x7fe4c47494f4 in QApplicationPrivate::initialize() kernel/qapplication.cpp:651
    #11 0x7fe4c47495ea in QApplicationPrivate::init() kernel/qapplication.cpp:592
    #12 0x402fd9 in main (Trial+0x402fd9)
    #13 0x7fe4c3075290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
    #14 0x403179 in _start (Trial+0x403179)
Created attachment 100759 [details]
debugging patch

Adding David since he introduced the fix that is referenced in the breeze code:

commit 2ffe20e1bfe93c921c5372b4d21447b1de308d4b
Author: David Faure <faure@kde.org>
Date: Sat Jun 7 14:57:29 2014 +0200

Fix crash on exit in all QCommandLineParser-based programs.

Example: kioclient5 ls (= a syntax error). The issue is that ::exit(1) is called, so ~QGuiApplication isn't called (so the style isn't deleted), but global static objects are deleted, which deletes the style-plugin-factory, which unloads the style plugin. The crash happened because "AppEventFilter" in oxygen would still be installed as an app event filter, but the plugin was unloaded, so any calls to it would crash.

If I disable the delete hack or avoid calling delete for the second attempt (likely wrong approach...), then the crash is gone. Was this a workaround for a specific Qt version?
Adding David (Edmundson) since he did something similar in this area (https://git.reviewboard.kde.org/r/122184/).

Can the title be changed to something like "Applications using QProxyStyle crash on exit()". Wireshark actually used setStyle(), passing an extended version of QProxyStyle that follows this example: https://doc.qt.io/qt-5/qproxystyle.html#details.

With this patch, the crash no longer occurs: https://git.reviewboard.kde.org/r/128760/
Breeze patch is at https://git.reviewboard.kde.org/r/128760/
Oxygen patch is at https://git.reviewboard.kde.org/r/128761/

(sorry for the load of mails, just noting here for tracking purposes.)
Created attachment 100797 [details]
Testcase (ASAN) with normal QApplication::quit() and exit()

Extended the testcase to do normal QApplication::quit(), the proposed patches would still result in a crash for that case. Better rip this delete hack completely.
(In reply to Peter Wu from comment #12)
> Created attachment 100797 [details]
> Testcase (ASAN) with normal QApplication::quit() and exit()
>
> Extended the testcase to do normal QApplication::quit(), the proposed
> patches would still result in a crash for that case. Better rip this delete
> hack completely.

Agreed (as also said on review board). Thanks for all the investigation and patch submission etc.
If I understand correctly, the test case is invalid: https://bugreports.qt.io/browse/QTBUG-48709
(In reply to Martin Sandsmark from comment #14)
> If I understand correctly, the test case is invalid:
> https://bugreports.qt.io/browse/QTBUG-48709

The linked issue is different, its root cause is a heap-allocated QApplication that is not deleted early enough. If I modify the ASAN testcase, then it will indeed fail randomly:

make: Nothing to be done for 'first'.
ping
ASAN:DEADLYSIGNAL
=================================================================
==2657==ERROR: AddressSanitizer: SEGV on unknown address 0x7f5894fefaf9 (pc 0x7f5894fefaf9 bp 0x7f5892298d40 sp 0x7f5892298cf0 T1)
ASAN:DEADLYSIGNAL
AddressSanitizer: nested bug in the same thread, aborting.
TEST 1 FAILED
The issue in the bug I linked to is an application exiting before the QCoreApplication destructor is run, which is not supported by Qt. A heap-allocated QApplication is just one possible way for that to happen, another is to call exit() with a stack-allocated Q*Application in main() (as most people do). See e.g. the discussion here: https://git.reviewboard.kde.org/r/127626/

The biggest problem is that the design of e.g. QCommandLineParser and KDBusService depend on calling exit(). I have discussed some solutions and hacks with thiago about it on IRC, but I haven't come up with a proper solution.
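The ordering problem described in the commit message and in the comment above, reproduced in plain C++ as an added example (not code from this thread, Qt or Breeze): std::exit() runs static-storage destructors, which is where the plugin factory unloads the style plugin, but skips the destructor of an object on main()'s stack, which is where a Q*Application usually lives. It assumes a POSIX system for fork() and pipe(); the "A" (application) and "F" (factory) tags are constructed stand-ins.

```cpp
// Added example, not from this bug report or from Qt/Breeze code.
// Models the exit() problem: std::exit() runs static-storage destructors (here a
// stand-in for the style plugin factory) but skips automatic-storage destructors
// (here a stand-in for the Q*Application living on main()'s stack).
// Assumes a POSIX system for fork()/pipe(); the tags "A" and "F" are constructed.
#include <cstdlib>
#include <string>
#include <sys/wait.h>
#include <unistd.h>

static int g_fd = -1;                        // pipe write end; only set inside the child

struct Reporter {                            // records in the pipe that its destructor ran
    const char *tag;
    ~Reporter() { if (g_fd >= 0) (void)!write(g_fd, tag, 1); }
};

static Reporter g_factory{"F"};              // static storage: destroyed by exit() or after main()

static int app_main(bool call_exit) {
    Reporter app{"A"};                       // automatic storage, like QApplication app(argc, argv)
    if (call_exit) std::exit(1);             // what a QCommandLineParser syntax error does: 'app' never unwinds
    return 1;                                // safe alternative: propagate the code so 'app' unwinds first
}

// Runs app_main() in a child process and returns the destructor tags in the order they ran.
// "F" alone means the application object was never destroyed; "AF" is the correct order.
std::string destructor_order(bool call_exit) {
    int fds[2];
    if (pipe(fds) != 0) return "";
    pid_t pid = fork();
    if (pid < 0) return "";
    if (pid == 0) {                          // child
        close(fds[0]);
        g_fd = fds[1];
        std::exit(app_main(call_exit));      // reached only on the return path; 'app' is gone by now
    }
    close(fds[1]);                           // parent: read until the child closes its end
    std::string order;
    char c;
    while (read(fds[0], &c, 1) == 1) order += c;
    close(fds[0]);
    int status;
    waitpid(pid, &status, 0);
    return order;
}
```

destructor_order(true) yields "F": the factory is torn down while the application object still exists, which is the window in which the unloaded style plugin gets called; destructor_order(false) yields "AF".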
Dear Bug Submitter, This bug has been stagnant for a long time. Could you help us out and re-test if the bug is valid in the latest version? I am setting the status to NEEDSINFO pending your response, please change the Status back to REPORTED when you respond. Thank you for helping us make KDE software even better for everyone!
kf5-config -v ->
Qt: 5.9.5
KDE Frameworks: 5.44.0
kf5-config: 1.0

Kalarm is working OK. I have not seen any problems for quite a while.
Thanks for the update!