Bug 389540 - KPatience: crash on exit after winning Spider Solitaire game
Summary: KPatience: crash on exit after winning Spider Solitaire game
Status: RESOLVED WORKSFORME
Alias: None
Product: kpat
Classification: Applications
Component: general
Version: 3.6
Platform: Compiled Sources Linux
: NOR crash
Target Milestone: ---
Assignee: Stephan Kulow
URL:
Keywords: drkonqi
Depends on:
Blocks:
 
Reported: 2018-01-28 04:54 UTC by A. Wilcox (awilfox)
Modified: 2021-01-09 16:44 UTC (History)

See Also:
Latest Commit:
Version Fixed In:


Attachments

Description A. Wilcox (awilfox) 2018-01-28 04:54:58 UTC
Application: kpat (3.6)
 (Compiled from sources)
Qt Version: 5.9.1
Frameworks Version: 5.41.0
Operating System: Linux 4.14.8-mc2-easy x86_64

-- Information about the crash:
This computer is running Adelie Linux, which uses the musl libc.  The crash occurs in musl's free() method - here are the relevant two lines from musl code:

	/* Crash on corrupted footer (likely from buffer overflow) */
	if (next->psize != self->csize) a_crash();

This suggests that the Spider solver had a small buffer overflow.

- What I was doing when the application crashed:
Quitting the application.

-- Backtrace:
Application: KPatience (kpat), signal: Segmentation fault
[KCrash Handler]
#8  a_crash () at ./arch/x86_64/atomic_arch.h:108
#9  free (p=0x5592d381b180) at src/malloc/malloc.c:476
#10 0x00007f71829a83c5 in operator delete(void*) () from /usr/lib/libstdc++.so.6
#11 0x00007f71829a841e in operator delete[](void*) () from /usr/lib/libstdc++.so.6
#12 0x00005592d307208e in Solver::~Solver (this=0x5592d381a280, __in_chrg=<optimized out>) at /usr/src/packages/user/kpat/src/kpat-17.08.2/patsolve/patsolve.cpp:915
#13 0x00005592d3087afb in SpiderSolver::~SpiderSolver (this=0x5592d381a280, __in_chrg=<optimized out>) at /usr/src/packages/user/kpat/src/kpat-17.08.2/patsolve/spidersolver.h:25
#14 SpiderSolver::~SpiderSolver (this=0x5592d381a280, __in_chrg=<optimized out>) at /usr/src/packages/user/kpat/src/kpat-17.08.2/patsolve/spidersolver.h:25
#15 0x00005592d304f9d0 in DealerScene::~DealerScene (this=0x5592d3805d60, __in_chrg=<optimized out>) at /usr/src/packages/user/kpat/src/kpat-17.08.2/dealer.cpp:605
#16 0x00005592d308cd9e in Spider::~Spider (this=0x5592d3805d60, __in_chrg=<optimized out>) at /usr/src/packages/user/kpat/src/kpat-17.08.2/kpat_autogen/EWIEGA46WW/../../spider.h:45
#17 Spider::~Spider (this=0x5592d3805d60, __in_chrg=<optimized out>) at /usr/src/packages/user/kpat/src/kpat-17.08.2/kpat_autogen/EWIEGA46WW/../../spider.h:45
#18 0x00005592d3063772 in MainWindow::~MainWindow (this=this@entry=0x5592d3465460, __in_chrg=<optimized out>, __vtt_parm=<optimized out>) at /usr/src/packages/user/kpat/src/kpat-17.08.2/mainwindow.cpp:142
#19 0x00005592d3063891 in MainWindow::~MainWindow (this=0x5592d3465460, __in_chrg=<optimized out>, __vtt_parm=<optimized out>) at /usr/src/packages/user/kpat/src/kpat-17.08.2/mainwindow.cpp:145
#20 0x00007f7182fa5ff0 in QObject::event(QEvent*) () from /usr/lib/libQt5Core.so.5
#21 0x00007f71843bb4eb in QWidget::event (this=this@entry=0x5592d3465460, event=event@entry=0x5592d5863320) at kernel/qwidget.cpp:9244
#22 0x00007f71844b3beb in QMainWindow::event (this=this@entry=0x5592d3465460, event=event@entry=0x5592d5863320) at widgets/qmainwindow.cpp:1557
#23 0x00007f7185f8916b in KMainWindow::event (this=this@entry=0x5592d3465460, ev=ev@entry=0x5592d5863320) at /usr/src/packages/user/kxmlgui/src/kxmlgui-5.41.0/src/kmainwindow.cpp:865
#24 0x00007f7185fce939 in KXmlGuiWindow::event (this=0x5592d3465460, ev=0x5592d5863320) at /usr/src/packages/user/kxmlgui/src/kxmlgui-5.41.0/src/kxmlguiwindow.cpp:119
#25 0x00007f7184376fdc in QApplicationPrivate::notify_helper (this=<optimized out>, receiver=0x5592d3465460, e=0x5592d5863320) at kernel/qapplication.cpp:3717
#26 0x00007f718437e8d9 in QApplication::notify (this=0x7ffc10d64860, receiver=0x5592d3465460, e=0x5592d5863320) at kernel/qapplication.cpp:3476
#27 0x00007f7182f78fc0 in QCoreApplication::notifyInternal2(QObject*, QEvent*) () from /usr/lib/libQt5Core.so.5
#28 0x00007f7182f7bd9d in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () from /usr/lib/libQt5Core.so.5
#29 0x00007f7182fcf3e3 in postEventSourceDispatch(_GSource*, int (*)(void*), void*) () from /usr/lib/libQt5Core.so.5
#30 0x00007f717cdb2a9a in g_main_dispatch (context=0x7f7180616540) at gmain.c:3148
#31 g_main_context_dispatch (context=context@entry=0x7f7180616540) at gmain.c:3813
#32 0x00007f717cdb2d28 in g_main_context_iterate (context=context@entry=0x7f7180616540, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3886
#33 0x00007f717cdb2ddf in g_main_context_iteration (context=0x7f7180616540, may_block=1) at gmain.c:3947
#34 0x00007f7182fce9af in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/libQt5Core.so.5
#35 0x00007f7182f76f2a in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/libQt5Core.so.5
#36 0x00007f7182f7ff74 in QCoreApplication::exec() () from /usr/lib/libQt5Core.so.5
#37 0x00005592d3045238 in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/packages/user/kpat/src/kpat-17.08.2/main.cpp:339

Reported using DrKonqi
Comment 1 Christoph Feck 2018-02-15 00:22:43 UTC
A valgrind log could confirm at which point data is written beyond the buffer in the solver.
Comment 2 Albert Astals Cid 2018-02-28 23:11:24 UTC
FWIW there's a potential patch here https://phabricator.kde.org/D10889
Comment 3 Albert Astals Cid 2018-03-25 22:27:01 UTC
Git commit b58fd275d7569ed7bb697d4828e088d9ae5afcfb by Albert Astals Cid, on behalf of Fabian Kosmale.
Committed on 25/03/2018 at 22:30.
Pushed by aacid into branch 'Applications/18.04'.

Summary: SpiderSolitaire: Check if there exists a card below before accessing it

Reviewers: #kde_games

Subscribers: aacid, #kde_games

Differential Revision: https://phabricator.kde.org/D10889

M  +12   -1    patsolve/mod3solver.cpp
M  +18   -3    patsolve/spidersolver.cpp

https://commits.kde.org/kpat/b58fd275d7569ed7bb697d4828e088d9ae5afcfb
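The description above reads musl's footer check as evidence of a small heap overflow in the solver, and the commit fixes it by checking that a card exists below before accessing it. The following is an added illustration of that defensive pattern, written for this bug page; it is not kpat's code and does not reproduce its data structures. The `Pile` layout, the function names `cardBelow`, `cardBelowOrNone`, `runLength` and `samplePile`, and the sample card values are all assumptions constructed for the example.

```cpp
#include <cstddef>
#include <vector>

// Hypothetical model of a solitaire pile (an assumption for this example,
// not kpat's representation): cards[0] is the bottom of the pile and
// cards.back() is the top. Values are card ranks.
struct Pile {
    std::vector<int> cards;
};

// Hardened accessor: report whether a card exists directly below `pos`
// and, if so, copy it into *below. When pos == 0 there is no card below,
// so indexing cards[pos - 1] would read before the buffer; returning false
// instead is the kind of guard the commit above describes.
bool cardBelow(const Pile& pile, std::size_t pos, int* below) {
    if (pos == 0 || pos >= pile.cards.size()) {
        return false;  // nothing below the bottom card, or `pos` is out of range
    }
    *below = pile.cards[pos - 1];
    return true;
}

// Convenience wrapper returning a sentinel (-1) instead of a bool/out-param,
// so the result can be checked directly.
int cardBelowOrNone(const Pile& pile, std::size_t pos) {
    int below = 0;
    return cardBelow(pile, pos, &below) ? below : -1;
}

// Length of the descending run that starts at `top` and walks down the pile.
// Every step goes through cardBelow(), so the walk stops cleanly at the
// bottom card rather than walking off the front of the array.
std::size_t runLength(const Pile& pile, std::size_t top) {
    if (top >= pile.cards.size()) {
        return 0;  // no such card: nothing to count
    }
    std::size_t len = 1;
    std::size_t pos = top;
    int current = pile.cards[top];
    int below = 0;
    while (cardBelow(pile, pos, &below) && below == current + 1) {
        current = below;
        --pos;
        ++len;
    }
    return len;
}

// Constructed sample pile: 9 8 7 at the bottom, then a run 5 4 3 on top.
Pile samplePile() {
    return Pile{{9, 8, 7, 5, 4, 3}};
}
```

For locating an overflow like the one suspected here, building with `-fsanitize=address` (or running under valgrind, as comment 1 suggests) reports the out-of-bounds access at the offending read or write, whereas the allocator's own footer check only fires later, when the corrupted chunk is freed in the destructor.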
Comment 4 Martin Walch 2018-11-11 11:56:08 UTC
I just ran into this very similar crash (suggesting the same cause) after playing several rounds of Spider and then pressing Ctrl+Shift+N. This is KDE Applications 18.04.3 which should contain the fix:

Application: KPatience (kpat), signal: Aborted
Using host libthread_db library "/lib64/libthread_db.so.1".
[Current thread is 1 (Thread 0x7feed0252780 (LWP 29073))]

Thread 5 (Thread 0x7feea8a0a700 (LWP 37642)):
#0  g_source_iter_next (iter=iter@entry=0x7feea8a09c10, source=source@entry=0x7feea8a09c08) at /var/tmp/portage/dev-libs/glib-2.52.3/work/glib-2.52.3/glib/gmain.c:982
#1  0x00007feec5b16735 in g_main_context_check (context=context@entry=0x7fee9013b1c0, max_priority=2147483647, fds=fds@entry=0x7fee90054e10, n_fds=n_fds@entry=1) at /var/tmp/portage/dev-libs/glib-2.52.3/work/glib-2.52.3/glib/gmain.c:3785
#2  0x00007feec5b1698c in g_main_context_iterate (context=context@entry=0x7fee9013b1c0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at /var/tmp/portage/dev-libs/glib-2.52.3/work/glib-2.52.3/glib/gmain.c:3969
#3  0x00007feec5b16a53 in g_main_context_iteration (context=0x7fee9013b1c0, may_block=may_block@entry=1) at /var/tmp/portage/dev-libs/glib-2.52.3/work/glib-2.52.3/glib/gmain.c:4033
#4  0x00007feecc7f1735 in QEventDispatcherGlib::processEvents (this=0x7fee901aeef0, flags=...) at kernel/qeventdispatcher_glib.cpp:425
#5  0x00007feecc79d0a1 in QEventLoop::processEvents (this=this@entry=0x7feea8a09e10, flags=..., flags@entry=...) at kernel/qeventloop.cpp:136
#6  0x00007feecc79d4ea in QEventLoop::exec (this=this@entry=0x7feea8a09e10, flags=flags@entry=...) at kernel/qeventloop.cpp:214
#7  0x00007feecc5fd111 in QThread::exec (this=<optimized out>) at thread/qthread.cpp:525
#8  0x00007feecc5fd19b in QThread::run (this=<optimized out>) at thread/qthread.cpp:592
#9  0x00007feecc606ec9 in QThreadPrivate::start (arg=0x555d7f274020) at thread/qthread_unix.cpp:367
#10 0x00007feec785f9a5 in start_thread (arg=0x7feea8a0a700) at pthread_create.c:463
#11 0x00007feecbafc9cf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Thread 4 (Thread 0x7feeb1ad3700 (LWP 29082)):
#0  0x00007feec786672a in futex_wait_cancelable (private=<optimized out>, expected=0, futex_word=0x555d7d3f25e0) at ../sysdeps/unix/sysv/linux/futex-internal.h:88
#1  __pthread_cond_wait_common (abstime=0x0, mutex=0x555d7d3f2590, cond=0x555d7d3f25b8) at pthread_cond_wait.c:502
#2  __pthread_cond_wait (cond=0x555d7d3f25b8, mutex=0x555d7d3f2590) at pthread_cond_wait.c:655
#3  0x00007feeb259c8eb in util_queue_thread_func () from /usr/lib64/dri/i965_dri.so
#4  0x00007feeb259c617 in impl_thrd_routine () from /usr/lib64/dri/i965_dri.so
#5  0x00007feec785f9a5 in start_thread (arg=0x7feeb1ad3700) at pthread_create.c:463
#6  0x00007feecbafc9cf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Thread 3 (Thread 0x7feeb3fff700 (LWP 29081)):
#0  __lll_lock_wait_private () at ../sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:95
#1  0x00007feecba7fe7e in __GI___libc_realloc (oldmem=0x555d7da96490, bytes=64) at malloc.c:3228
#2  0x00007feeb3ffe7d0 in ?? ()
#3  0x00007feeb3ffdd70 in ?? ()
#4  0x00007feecc679b9e in QString::append (this=0x7feecc678f4f <QString::reallocData(unsigned int, bool)+245>, ch=...) at tools/qstring.cpp:2524
Backtrace stopped: previous frame inner to this frame (corrupt stack?)

Thread 2 (Thread 0x7feebb63d700 (LWP 29077)):
#0  0x00007feecbaf0d3d in __GI___poll (fds=fds@entry=0x7feebb63cda0, nfds=nfds@entry=1, timeout=timeout@entry=-1) at ../sysdeps/unix/sysv/linux/poll.c:29
#1  0x00007feec58acaa9 in poll (__timeout=-1, __nfds=1, __fds=0x7feebb63cda0) at /usr/include/bits/poll2.h:46
#2  _xcb_conn_wait (c=c@entry=0x555d7d10e6b0, cond=cond@entry=0x555d7d10e6f0, vector=vector@entry=0x0, count=count@entry=0x0) at /var/tmp/portage/x11-libs/libxcb-1.13.1/work/libxcb-1.13.1/src/xcb_conn.c:479
#3  0x00007feec58ae48b in xcb_wait_for_event (c=0x555d7d10e6b0) at /var/tmp/portage/x11-libs/libxcb-1.13.1/work/libxcb-1.13.1/src/xcb_in.c:697
#4  0x00007feebdbb0e83 in QXcbEventReader::run (this=0x555d7d118160) at qxcbconnection.cpp:1388
#5  0x00007feecc606ec9 in QThreadPrivate::start (arg=0x555d7d118160) at thread/qthread_unix.cpp:367
#6  0x00007feec785f9a5 in start_thread (arg=0x7feebb63d700) at pthread_create.c:463
#7  0x00007feecbafc9cf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Thread 1 (Thread 0x7feed0252780 (LWP 29073)):
[KCrash Handler]
#6  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#7  0x00007feecba2c141 in __GI_abort () at abort.c:79
#8  0x00007feecba726c8 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7feecbb8e740 "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#9  0x00007feecba7a4eb in malloc_printerr (str=str@entry=0x7feecbb903d8 "double free or corruption (out)") at malloc.c:5350
#10 0x00007feecba7c260 in _int_free (av=0x7feecbdbdc40 <main_arena>, p=0x555d7f18f990, have_lock=<optimized out>) at malloc.c:4278
#11 0x0000555d7bebebdd in Solver::~Solver (this=0x555d7e7da530, __in_chrg=<optimized out>) at /var/tmp/portage/kde-apps/kpat-18.04.3/work/kpat-18.04.3/patsolve/patsolve.cpp:915
#12 0x0000555d7bed3997 in SpiderSolver::~SpiderSolver (this=0x555d7e7da530, __in_chrg=<optimized out>) at /var/tmp/portage/kde-apps/kpat-18.04.3/work/kpat-18.04.3/patsolve/spidersolver.h:25
#13 SpiderSolver::~SpiderSolver (this=0x555d7e7da530, __in_chrg=<optimized out>) at /var/tmp/portage/kde-apps/kpat-18.04.3/work/kpat-18.04.3/patsolve/spidersolver.h:25
#14 0x0000555d7be9a964 in DealerScene::~DealerScene (this=0x555d7e7cef90, __in_chrg=<optimized out>) at /var/tmp/portage/kde-apps/kpat-18.04.3/work/kpat-18.04.3/dealer.cpp:605
#15 0x0000555d7bed8b6a in Spider::~Spider (this=0x555d7e7cef90, __in_chrg=<optimized out>) at /var/tmp/portage/kde-apps/kpat-18.04.3/work/kpat-18.04.3_build/kpat_autogen/EWIEGA46WW/../../../kpat-18.04.3/spider.h:45
#16 Spider::~Spider (this=0x555d7e7cef90, __in_chrg=<optimized out>) at /var/tmp/portage/kde-apps/kpat-18.04.3/work/kpat-18.04.3_build/kpat_autogen/EWIEGA46WW/../../../kpat-18.04.3/spider.h:45
#17 0x0000555d7beae1db in MainWindow::slotShowGameSelectionScreen (this=0x555d7d1dfb50) at /var/tmp/portage/kde-apps/kpat-18.04.3/work/kpat-18.04.3/mainwindow.cpp:555
#18 0x0000555d7beb55f3 in QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, void (MainWindow::*)()>::call(void (MainWindow::*)(), MainWindow*, void**) (arg=<optimized out>, o=<optimized out>, f=<optimized out>) at /usr/include/qt5/QtCore/qobjectdefs_impl.h:136
#19 QtPrivate::FunctionPointer<void (MainWindow::*)()>::call<QtPrivate::List<>, void>(void (MainWindow::*)(), MainWindow*, void**) (arg=<optimized out>, o=<optimized out>, f=<optimized out>) at /usr/include/qt5/QtCore/qobjectdefs_impl.h:169
#20 QtPrivate::QSlotObject<void (MainWindow::*)(), QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) (which=<optimized out>, this_=<optimized out>, r=<optimized out>, a=<optimized out>, ret=<optimized out>) at /usr/include/qt5/QtCore/qobject_impl.h:120
#21 0x00007feecc7c9aa8 in QtPrivate::QSlotObjectBase::call (a=<optimized out>, r=0x555d7d1dfb50, this=0x555d7d1c0c20) at ../../include/QtCore/../../src/corelib/kernel/qobjectdefs_impl.h:376
#22 QMetaObject::activate (sender=sender@entry=0x555d7d1ffde0, signalOffset=<optimized out>, local_signal_index=local_signal_index@entry=1, argv=argv@entry=0x7fff5feaa8b0) at kernel/qobject.cpp:3754
#23 0x00007feecc7c9f92 in QMetaObject::activate (sender=sender@entry=0x555d7d1ffde0, m=m@entry=0x7feece20e780 <QAction::staticMetaObject>, local_signal_index=local_signal_index@entry=1, argv=argv@entry=0x7fff5feaa8b0) at kernel/qobject.cpp:3633
#24 0x00007feecdb1e202 in QAction::triggered (this=this@entry=0x555d7d1ffde0, _t1=<optimized out>) at .moc/moc_qaction.cpp:376
#25 0x00007feecdb209c8 in QAction::activate (this=0x555d7d1ffde0, event=event@entry=QAction::Trigger) at kernel/qaction.cpp:1167
#26 0x00007feecdb213e9 in QAction::event (this=<optimized out>, e=<optimized out>) at kernel/qaction.cpp:1093
#27 0x00007feecdb2517a in QApplicationPrivate::notify_helper (this=this@entry=0x555d7d0fdc90, receiver=receiver@entry=0x555d7d1ffde0, e=e@entry=0x7fff5feaab70) at kernel/qapplication.cpp:3727
#28 0x00007feecdb2c944 in QApplication::notify (this=0x7fff5feaafb0, receiver=0x555d7d1ffde0, e=0x7fff5feaab70) at kernel/qapplication.cpp:3099
#29 0x00007feecc79e8c9 in QCoreApplication::notifyInternal2 (receiver=0x555d7d1ffde0, event=event@entry=0x7fff5feaab70) at kernel/qcoreapplication.cpp:1048
#30 0x00007feeccf7ded7 in QCoreApplication::sendEvent (event=0x7fff5feaab70, receiver=<optimized out>) at /usr/include/qt5/QtCore/qcoreapplication.h:234
#31 QShortcutMap::dispatchEvent (this=this@entry=0x555d7d0fdd70, e=e@entry=0x7fff5feaac30) at kernel/qshortcutmap.cpp:687
#32 0x00007feeccf7df45 in QShortcutMap::tryShortcut (this=this@entry=0x555d7d0fdd70, e=e@entry=0x7fff5feaac30) at kernel/qshortcutmap.cpp:351
#33 0x00007feeccf3026b in QWindowSystemInterface::handleShortcutEvent (window=window@entry=0x555d7d30f280, timestamp=10350613, keyCode=78, modifiers=..., nativeScanCode=57, nativeVirtualKey=78, nativeModifiers=277, text=..., autorepeat=false, count=1) at kernel/qwindowsysteminterface.cpp:461
#34 0x00007feeccf4c8d5 in QGuiApplicationPrivate::processKeyEvent (e=0x7feeb4008f40) at kernel/qguiapplication.cpp:2188
#35 0x00007feeccf52238 in QGuiApplicationPrivate::processWindowSystemEvent (e=e@entry=0x7feeb4008f40) at kernel/qguiapplication.cpp:1822
#36 0x00007feeccf2d146 in QWindowSystemInterface::sendWindowSystemEvents (flags=...) at kernel/qwindowsysteminterface.cpp:1032
#37 0x00007feebdc3c821 in QPAEventDispatcherGlib::processEvents (this=0x555d7d177330, flags=...) at qeventdispatcher_glib.cpp:70
#38 0x00007feecc79d0a1 in QEventLoop::processEvents (this=this@entry=0x7fff5feaaeb0, flags=..., flags@entry=...) at kernel/qeventloop.cpp:136
#39 0x00007feecc79d4ea in QEventLoop::exec (this=this@entry=0x7fff5feaaeb0, flags=flags@entry=...) at kernel/qeventloop.cpp:214
#40 0x00007feecc7a5be5 in QCoreApplication::exec () at kernel/qcoreapplication.cpp:1336
#41 0x00007feeccf46f84 in QGuiApplication::exec () at kernel/qguiapplication.cpp:1761
#42 0x00007feecdb25059 in QApplication::exec () at kernel/qapplication.cpp:2901
#43 0x0000555d7be90908 in main (argc=<optimized out>, argv=<optimized out>) at /var/tmp/portage/kde-apps/kpat-18.04.3/work/kpat-18.04.3/main.cpp:337
Comment 5 Justin Zobel 2020-12-17 05:38:22 UTC
Thank you for the crash report.

As it has been a while since this was reported, can you please test and confirm if this issue is still occurring or if this bug report can be marked as resolved.

I have set the bug status to "needsinfo" pending your response, please change back to "reported" or "resolved/worksforme" when you respond, thank you.
Comment 6 Bug Janitor Service 2021-01-01 04:38:01 UTC
Dear Bug Submitter,

This bug has been in NEEDSINFO status with no change for at least
15 days. Please provide the requested information as soon as
possible and set the bug status as REPORTED. Due to regular bug
tracker maintenance, if the bug is still in NEEDSINFO status with
no change in 30 days the bug will be closed as RESOLVED > WORKSFORME
due to lack of needed information.

For more information about our bug triaging procedures please read the
wiki located here:
https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging

If you have already provided the requested information, please
mark the bug as REPORTED so that the KDE team knows that the bug is
ready to be confirmed.

Thank you for helping us make KDE software even better for everyone!
Comment 7 Martin Walch 2021-01-01 19:36:35 UTC
I am not the bug reporter, but the one who added the stack trace in comment #4. Therefore I add that I cannot reproduce the bug any more.
Comment 8 Christoph Feck 2021-01-09 16:44:20 UTC
Thanks for the update; changing status.