Bug 359442 - Crash on exit [KDevelop::BackgroundParser::~BackgroundParser, QtSharedPointer::CustomDeleter<ThreadWeaver::JobInterface, QtSharedPointer::NormalDeleter>::execute]
Status: RESOLVED FIXED
Alias: None
Product: kdevplatform
Classification: Developer tools
Component: language (other bugs)
Version First Reported In: git master
Platform: Other Linux
Importance: NOR crash
Target Milestone: ---
Assignee: kdevelop-bugs-null
Duplicates: 341223
Reported: 2016-02-15 18:20 UTC by Kevin Funk
Modified: 2016-03-09 22:25 UTC
Version Fixed In: 5.0.0
Description Kevin Funk 2016-02-15 18:20:20 UTC
Can't really make sense out of that. If someone wants to have a look:

==12703==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000e66820 at pc 0x7f737c859d65 bp 0x7ffdc5329520 sp 0x7ffdc5329518
READ of size 8 at 0x604000e66820 thread T0
    #0 0x7f737c859d64 in QtSharedPointer::CustomDeleter<ThreadWeaver::JobInterface, QtSharedPointer::NormalDeleter>::execute() /usr/include/x86_64-linux-gnu/qt5/QtCore/qsharedpointer_impl.h:189:26
    #1 0x7f737c859d64 in QtSharedPointer::ExternalRefCountWithCustomDeleter<ThreadWeaver::JobInterface, QtSharedPointer::NormalDeleter>::deleter(QtSharedPointer::ExternalRefCountData*) /usr/include/x86_64-linux-gnu/qt5/QtCore/qsharedpointer_impl.h:207
    #2 0x7f737bdae81d  (/usr/lib/x86_64-linux-gnu/libKF5ThreadWeaver.so.5+0x1381d)
    #3 0x7f737fd25d38 in QMetaType::destroy(int, void*) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x29cd38)
    #4 0x7f737fd3bc78 in QMetaCallEvent::~QMetaCallEvent() (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2b2c78)
    #5 0x7f737fd3bce8 in QMetaCallEvent::~QMetaCallEvent() (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2b2ce8)
    #6 0x7f737fd128d6 in QCoreApplication::removePostedEvents(QObject*, int) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2898d6)
    #7 0x7f737fd3dff1 in QObjectPrivate::~QObjectPrivate() (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2b4ff1)
    #8 0x7f737fd3e118 in QObjectPrivate::~QObjectPrivate() (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2b5118)
    #9 0x7f737fd46707 in QObject::~QObject() (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2bd707)
    #10 0x7f737c83fb7e in KDevelop::BackgroundParser::~BackgroundParser() /home/kfunk/devel/src/kf5/kdevplatform-stable/language/backgroundparser/backgroundparser.cpp:487:1
    #11 0x7f737c83fb7e in KDevelop::BackgroundParser::~BackgroundParser() /home/kfunk/devel/src/kf5/kdevplatform-stable/language/backgroundparser/backgroundparser.cpp:485
    #12 0x7f737fd3ce5a in QObjectPrivate::deleteChildren() (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2b3e5a)
    #13 0x7f737fd466bf in QObject::~QObject() (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2bd6bf)
    #14 0x7f738536655b in KDevelop::LanguageController::~LanguageController() /home/kfunk/devel/src/kf5/kdevplatform-stable/shell/languagecontroller.cpp:156:1
    #15 0x7f738536655b in KDevelop::LanguageController::~LanguageController() /home/kfunk/devel/src/kf5/kdevplatform-stable/shell/languagecontroller.cpp:154
    #16 0x7f73852b1256 in KDevelop::CorePrivate::~CorePrivate() /home/kfunk/devel/src/kf5/kdevplatform-stable/shell/core.cpp:321:5
    #17 0x7f73852b4363 in KDevelop::Core::~Core() /home/kfunk/devel/src/kf5/kdevplatform-stable/shell/core.cpp:395:5
    #18 0x7f73852b442d in KDevelop::Core::~Core() /home/kfunk/devel/src/kf5/kdevplatform-stable/shell/core.cpp:391:1
    #19 0x7f737fd3f7cf in QObject::event(QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2b67cf)
    #20 0x7f73806049db in QApplicationPrivate::notify_helper(QObject*, QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x15b9db)
    #21 0x7f7380609ea5 in QApplication::notify(QObject*, QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x160ea5)
    #22 0x7f737fd0fd7a in QCoreApplication::notifyInternal(QObject*, QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x286d7a)
    #23 0x7f737fd12175 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x289175)
    #24 0x7f737fd15628 in QCoreApplication::exec() (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x28c628)
    #25 0x504cc6 in main /home/kfunk/devel/src/kf5/kdevelop-stable/app/main.cpp:674:12
    #26 0x7f737e814a3f in __libc_start_main /build/buildd/glibc-2.21/csu/libc-start.c:289
    #27 0x43d948 in _start (/home/kfunk/devel/install/kf5-stable/bin/kdevelop+0x43d948)

0x604000e66820 is located 16 bytes inside of 40-byte region [0x604000e66810,0x604000e66838)
freed by thread T0 here:
    #0 0x4e43a2 in operator delete(void*) (/home/kfunk/devel/install/kf5-stable/bin/kdevelop+0x4e43a2)
    #1 0x7f737c84538d in KDevelop::BackgroundParserPrivate::~BackgroundParserPrivate() /home/kfunk/devel/src/kf5/kdevplatform-stable/language/backgroundparser/backgroundparser.cpp:143:13
    #2 0x7f737c83fb66 in KDevelop::BackgroundParser::~BackgroundParser() /home/kfunk/devel/src/kf5/kdevplatform-stable/language/backgroundparser/backgroundparser.cpp:486:5
    #3 0x7f737c83fb66 in KDevelop::BackgroundParser::~BackgroundParser() /home/kfunk/devel/src/kf5/kdevplatform-stable/language/backgroundparser/backgroundparser.cpp:485
    #4 0x7f737fd3ce5a in QObjectPrivate::deleteChildren() (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2b3e5a)

previously allocated by thread T0 here:
    #0 0x4e3de2 in operator new(unsigned long) (/home/kfunk/devel/install/kf5-stable/bin/kdevelop+0x4e3de2)
    #1 0x7f737c856fd2 in KDevelop::BackgroundParserPrivate::createParseJob(KDevelop::IndexedString const&, KDevelop::TopDUContext::Features, QList<QPointer<QObject> > const&, int) /home/kfunk/devel/src/kf5/kdevplatform-stable/language/backgroundparser/backgroundparser.cpp:280:57
    #2 0x7f737c84afc2 in KDevelop::BackgroundParserPrivate::parseDocumentsInternal() /home/kfunk/devel/src/kf5/kdevplatform-stable/language/backgroundparser/backgroundparser.cpp:205:61
    #3 0x7f737c8428f3 in KDevelop::BackgroundParser::parseDocuments() /home/kfunk/devel/src/kf5/kdevplatform-stable/language/backgroundparser/backgroundparser.cpp:596:5
    #4 0x7f737c8547cd in QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, void (KDevelop::BackgroundParser::*)()>::call(void (KDevelop::BackgroundParser::*)(), KDevelop::BackgroundParser*, void**) /usr/include/x86_64-linux-gnu/qt5/QtCore/qobjectdefs_impl.h:501:13
    #5 0x7f737c8547cd in void QtPrivate::FunctionPointer<void (KDevelop::BackgroundParser::*)()>::call<QtPrivate::List<>, void>(void (KDevelop::BackgroundParser::*)(), KDevelop::BackgroundParser*, void**) /usr/include/x86_64-linux-gnu/qt5/QtCore/qobjectdefs_impl.h:520
    #6 0x7f737c8547cd in QtPrivate::QSlotObject<void (KDevelop::BackgroundParser::*)(), QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) /usr/include/x86_64-linux-gnu/qt5/QtCore/qobject_impl.h:143
    #7 0x7f737fd3e776 in QMetaObject::activate(QObject*, int, int, void**) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2b5776)
    #8 0x7f737fd4b197 in QTimer::timerEvent(QTimerEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2c2197)
    #9 0x7f73806049db in QApplicationPrivate::notify_helper(QObject*, QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x15b9db)

SUMMARY: AddressSanitizer: heap-use-after-free /usr/include/x86_64-linux-gnu/qt5/QtCore/qsharedpointer_impl.h:189 QtSharedPointer::CustomDeleter<ThreadWeaver::JobInterface, QtSharedPointer::NormalDeleter>::execute()
==12703==ABORTING

Reproducible: Sometimes
Comment 1 Milian Wolff 2016-02-16 11:12:02 UTC
Could it be that the job is double deleted, once via threadweaver's shared ptr logic, and once via QObject inheritance?
Comment 2 Kevin Funk 2016-03-09 08:23:26 UTC
*** Bug 341223 has been marked as a duplicate of this bug. ***
Comment 3 Kevin Funk 2016-03-09 22:25:53 UTC
Git commit dd624690edc22c8dc16fc07e312351d689bd339e by Kevin Funk.
Committed on 09/03/2016 at 22:25.
Pushed by kfunk into branch '5.0'.

BackgroundParser: Fix crash-on-exit

Currently running JobInterfaces were double-deleted, once through
~BackgroundParserPrivate, once through ref counting logic when deleting
ThreadWeaver::Weaver.

Just let the Weaver take care of deleting. Every job in m_parseJobs is
also in m_weaver.
FIXED-IN: 5.0.0

M  +0    -6    language/backgroundparser/backgroundparser.cpp
M  +28   -1    language/backgroundparser/tests/test_backgroundparser.cpp
M  +2    -0    language/backgroundparser/tests/test_backgroundparser.h
M  +2    -0    language/backgroundparser/tests/testlanguagesupport.h

http://commits.kde.org/kdevplatform/dd624690edc22c8dc16fc07e312351d689bd339e
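
The two-owner teardown described in the commit message, as an added example that is not code from kdevplatform or from the commit. `Job`, `Ledger`, `teardown` and the container types are assumptions; `std::shared_ptr` stands in for ThreadWeaver's ref-counted job pointer, and a ledger records releases instead of freeing twice so the pre-fix path runs without undefined behaviour.

```cpp
#include <cstdio>
#include <map>
#include <memory>
#include <set>
#include <string>
#include <vector>

struct Job { std::string url; };

// Stand-in for the heap: the first release really frees the job, a second
// release of the same pointer is only counted (this is what ASan reports).
struct Ledger {
    std::set<Job*> live;
    int doubleFrees = 0;
    Job* alloc(const std::string& url) { Job* j = new Job{url}; live.insert(j); return j; }
    void release(Job* j) {
        if (live.erase(j)) delete j;
        else ++doubleFrees;
    }
};

struct Result { int doubleFrees; int leaked; };

// privateDeletesJobs = true models the pre-fix ~BackgroundParserPrivate,
// false models the fix, where only the weaver's ref counting frees jobs.
Result teardown(bool privateDeletesJobs, int runningJobs) {
    Ledger heap;
    std::map<std::string, Job*> parseJobs;        // like m_parseJobs (assumed raw pointers)
    {
        std::vector<std::shared_ptr<Job>> weaver; // like m_weaver: ref-counted owner
        for (int i = 0; i < runningJobs; ++i) {
            Job* raw = heap.alloc("file" + std::to_string(i) + ".cpp");
            parseJobs[raw->url] = raw;            // every job in parseJobs is also in weaver
            weaver.emplace_back(raw, [&heap](Job* j) { heap.release(j); });
        }
        if (privateDeletesJobs)                   // first owner frees the running jobs
            for (auto& entry : parseJobs) heap.release(entry.second);
        parseJobs.clear();
    }   // weaver destroyed: last reference dropped, deleter runs on each job
    return Result{heap.doubleFrees, static_cast<int>(heap.live.size())};
}

int main() {
    Result before = teardown(true, 3), after = teardown(false, 3);
    std::printf("pre-fix: %d double releases, post-fix: %d, leaked: %d\n",
                before.doubleFrees, after.doubleFrees, after.leaked);
    return 0;
}
```

In the model, as in the ASan report, the explicit delete runs first and the ref-counted deleter then touches memory that is already freed; dropping the explicit delete leaves exactly one owner and no leak.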