Bug 398412 - Discover crashes at startup with memory corruption ("corrupted size vs. prev_size")
Status: RESOLVED FIXED
Alias: None
Product: Discover
Classification: Applications
Component: discover
Version: 5.13.5
Platform: Neon Linux
: VHI critical
Target Milestone: ---
Assignee: Aleix Pol
URL:
Keywords:
: 398373 398398 398461 398463 398464 398488 398549 398562 398564 398597 398602 398607 398639 398708 412625 (view as bug list)
Depends on:
Blocks:
 
Reported: 2018-09-09 03:00 UTC by Patrick Silva
Modified: 2019-10-07 00:34 UTC
22 users (show)

See Also:
Latest Commit:
Version Fixed In:
Sentry Crash Report:


Attachments
valgrind log (1.13 MB, text/x-log)
2018-09-13 01:22 UTC, Patrick Silva
valgrind log (1.14 MB, text/x-log)
2018-09-13 01:30 UTC, Patrick Silva
New crash information added by DrKonqi (10.94 KB, text/plain)
2018-09-14 02:23 UTC, Stefan
New crash information added by DrKonqi (12.19 KB, text/plain)
2018-09-14 02:33 UTC, Stefan
New crash information added by DrKonqi (9.19 KB, text/plain)
2018-09-15 19:41 UTC, Dima
New crash information added by DrKonqi (13.54 KB, text/plain)
2018-11-20 02:35 UTC, nimbosa

Description Patrick Silva 2018-09-09 03:00:12 UTC
Plasma shows a crash notification immediately when I try to open Discover on neon dev unstable.

#0  0x00007ffff311e428 in __GI_raise (sig=sig@entry=6)
    at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff312002a in __GI_abort () at abort.c:89
#2  0x00007ffff31607ea in __libc_message (do_abort=2, fmt=fmt@entry=0x7ffff3279ed8 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff31679dc in malloc_consolidate (ar_ptr=0x7ffff34adb20 <main_arena>, ptr=0xf0a250, str=0x7ffff3276c75 "corrupted size vs. prev_size", action=<optimized out>) at malloc.c:5006
#4  0x00007ffff31679dc in malloc_consolidate (av=av@entry=0x7ffff34adb20 <main_arena>) at malloc.c:4183
#5  0x00007ffff316acde in _int_malloc (av=av@entry=0x7ffff34adb20 <main_arena>, bytes=bytes@entry=4096) at malloc.c:3450
#6  0x00007ffff316d184 in __GI___libc_malloc (bytes=4096) at malloc.c:2913
#7  0x00007ffff312e89f in __realpath (name=0xf1f0e8 "/etc/xdg/kwinscripts.knsrc", resolved=resolved@entry=0x0) at canonicalize.c:78
#8  0x00007ffff3d4cd7e in QFileSystemEngine::canonicalName(QFileSystemEntry const&, QFileSystemMetaData&) (__resolved=0x0, __name=<optimized out>)
    at /usr/include/x86_64-linux-gnu/bits/stdlib.h:48
#9  0x00007ffff3d4cd7e in QFileSystemEngine::canonicalName(QFileSystemEntry const&, QFileSystemMetaData&) (entry=..., data=...) at io/qfilesystemengine_unix.cpp:760
#10 0x00007ffff3ce2ba8 in QFileInfo::canonicalFilePath() const (name=QAbstractFileEngine::CanonicalName, this=0xf1fd10) at io/qfileinfo.cpp:59
#11 0x00007ffff3ce2ba8 in QFileInfo::canonicalFilePath() const (this=<optimized out>)
    at io/qfileinfo.cpp:567
#12 0x00007ffff5dba6c0 in  () at /usr/lib/x86_64-linux-gnu/libKF5ConfigCore.so.5
#13 0x00007ffff5dbbef1 in KConfig::KConfig(QString const&, QFlags<KConfig::OpenFlag>, QStandardPaths::StandardLocation) () at /usr/lib/x86_64-linux-gnu/libKF5ConfigCore.so.5
#14 0x00007fffa5bbd6bc in KNSBackend::KNSBackend(QObject*, QString const&, QString const&) (this=0xf13700, parent=<optimized out>, iconName=..., knsrc=...)
    at /workspace/build/libdiscover/backends/KNSBackend/KNSBackend.cpp:99
#15 0x00007fffa5bc11ce in KNSBackendFactory::newInstance(QObject*, QString const&) const (this=this@entry=0xe5cb50, parent=0x831290) at /workspace/build/libdiscover/backends/KNSBackend/KNSBackend.cpp:73
#16 0x00007ffff6cd1d60 in DiscoverBackendsFactory::backendForFile(QString const&, QString const&) const (this=this@entry=0x7fffffffd52f, libname=..., name=...)
    at /workspace/build/libdiscover/DiscoverBackendsFactory.cpp:65
#17 0x00007ffff6cd23e2 in DiscoverBackendsFactory::backend(QString const&) const (this=this@entry=0x7fffffffd52f, name=...) at /workspace/build/libdiscover/DiscoverBackendsFactory.cpp:51
#18 0x00007ffff6cd2846 in DiscoverBackendsFactory::allBackends() const (name=..., __closure=<synthetic pointer>) at /workspace/build/libdiscover/DiscoverBackendsFactory.cpp:99
#19 0x00007ffff6cd2846 in DiscoverBackendsFactory::allBackends() const (op=..., input=...)
    at /workspace/build/libdiscover/utils.h:48
#20 0x00007ffff6cd2846 in DiscoverBackendsFactory::allBackends() const (this=this@entry=0x7fffffffd52f) at /workspace/build/libdiscover/DiscoverBackendsFactory.cpp:99
#21 0x00007ffff6cbcd17 in ResourcesModel::registerAllBackends() (this=0x831290)
    at /workspace/build/libdiscover/resources/ResourcesModel.cpp:208
#22 0x00007ffff6ce1315 in ResourcesModel::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) (_o=<optimized out>, _c=<optimized out>, _id=<optimized out>, _a=<optimized out>)
    at /workspace/build/obj-x86_64-linux-gnu/libdiscover/moc_ResourcesModel.cpp:291
#23 0x00007ffff3ddbfb9 in QObject::event(QEvent*) (this=0x831290, e=<optimized out>)
    at kernel/qobject.cpp:1251
#24 0x00007ffff540839c in QApplicationPrivate::notify_helper(QObject*, QEvent*) ()
    at /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#25 0x00007ffff540fab0 in QApplication::notify(QObject*, QEvent*) ()
    at /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#26 0x00007ffff3dae228 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (receiver=0x831290, event=event@entry=0x831640) at kernel/qcoreapplication.cpp:1048
#27 0x00007ffff3db0e2e in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (event=0x831640, receiver=<optimized out>)
    at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:234
#28 0x00007ffff3db0e2e in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (receiver=receiver@entry=0x0, event_type=event_type@entry=0, data=0x7179f0)
    at kernel/qcoreapplication.cpp:1745
#29 0x00007ffff3db12a8 in QCoreApplication::sendPostedEvents(QObject*, int) (receiver=receiver@entry=0x0, event_type=event_type@entry=0) at kernel/qcoreapplication.cpp:1599
#30 0x00007ffff3e05a93 in postEventSourceDispatch(GSource*, GSourceFunc, gpointer) (s=0x75e360)
    at kernel/qeventdispatcher_glib.cpp:276
#31 0x00007fffede23197 in g_main_context_dispatch (context=0x7fffe00016f0)
    at /build/glib2.0-b4FPyK/glib2.0-2.48.2/./glib/gmain.c:3154
#32 0x00007fffede23197 in g_main_context_dispatch (context=context@entry=0x7fffe00016f0)
    at /build/glib2.0-b4FPyK/glib2.0-2.48.2/./glib/gmain.c:3769
#33 0x00007fffede233f0 in g_main_context_iterate (context=context@entry=0x7fffe00016f0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>)
    at /build/glib2.0-b4FPyK/glib2.0-2.48.2/./glib/gmain.c:3840
#34 0x00007fffede2349c in g_main_context_iteration (context=0x7fffe00016f0, may_block=may_block@entry=1) at /build/glib2.0-b4FPyK/glib2.0-2.48.2/./glib/gmain.c:3901
#35 0x00007ffff3e0509f in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (this=0x75cc50, flags=...) at kernel/qeventdispatcher_glib.cpp:423
#36 0x00007fffe7c089a1 in  () at /usr/lib/x86_64-linux-gnu/libQt5XcbQpa.so.5
#37 0x00007ffff3dac5ba in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (this=this@entry=0x7fffffffdb60, flags=..., flags@entry=...) at kernel/qeventloop.cpp:214
#38 0x00007ffff3db56c4 in QCoreApplication::exec() () at kernel/qcoreapplication.cpp:1336
#39 0x00000000004133ff in main(int, char**) (argc=1, argv=<optimized out>)
    at /workspace/build/discover/main.cpp:156
Comment 1 Christoph Feck 2018-09-13 00:09:41 UTC
*** Bug 398373 has been marked as a duplicate of this bug. ***
Comment 2 Christoph Feck 2018-09-13 00:10:19 UTC
*** Bug 398398 has been marked as a duplicate of this bug. ***
Comment 3 Christoph Feck 2018-09-13 00:10:47 UTC
*** Bug 398461 has been marked as a duplicate of this bug. ***
Comment 4 Christoph Feck 2018-09-13 00:11:07 UTC
*** Bug 398463 has been marked as a duplicate of this bug. ***
Comment 5 Christoph Feck 2018-09-13 00:11:27 UTC
*** Bug 398464 has been marked as a duplicate of this bug. ***
Comment 6 Christoph Feck 2018-09-13 00:11:46 UTC
*** Bug 398488 has been marked as a duplicate of this bug. ***
Comment 7 Christoph Feck 2018-09-13 00:12:14 UTC
*** Bug 398549 has been marked as a duplicate of this bug. ***
Comment 8 Christoph Feck 2018-09-13 00:14:26 UTC
This is a memory corruption, most likely a double-free(). A valgrind log would be nice if anyone can reproduce it.
Comment 9 Patrick Silva 2018-09-13 01:22:48 UTC
Created attachment 114923 [details]
valgrind log
Comment 10 Patrick Silva 2018-09-13 01:30:32 UTC
Created attachment 114924 [details]
valgrind log
Comment 11 Nate Graham 2018-09-13 16:45:25 UTC
*** Bug 398562 has been marked as a duplicate of this bug. ***
Comment 12 Nate Graham 2018-09-13 16:45:50 UTC
*** Bug 398564 has been marked as a duplicate of this bug. ***
Comment 13 Stefan 2018-09-14 02:23:53 UTC
Created attachment 114946 [details]
New crash information added by DrKonqi

plasma-discover (5.13.5) using Qt 5.11.1

- What I was doing when the application crashed:
Opening Discover results in a crash, as does attempting to install any packages.

-- Backtrace (Reduced):
#6  0x00007fb43d70b428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#7  0x00007fb43d70d02a in __GI_abort () at abort.c:89
[...]
#9  0x00007fb43d7549dc in malloc_printerr (ar_ptr=0x7fb43da9ab20 <main_arena>, ptr=0x32038c0, str=0x7fb43d863c75 "corrupted size vs. prev_size", action=<optimized out>) at malloc.c:5006
#10 malloc_consolidate (av=av@entry=0x7fb43da9ab20 <main_arena>) at malloc.c:4183
#11 0x00007fb43d757cde in _int_malloc (av=av@entry=0x7fb43da9ab20 <main_arena>, bytes=bytes@entry=4096) at malloc.c:3450
Comment 14 Stefan 2018-09-14 02:33:10 UTC
Created attachment 114947 [details]
New crash information added by DrKonqi

plasma-discover (5.13.5) using Qt 5.11.1

Opening Discover or attempting to install any packages results in a crash.

-- Backtrace (Reduced):
#6  0x00007faa23972428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#7  0x00007faa2397402a in __GI_abort () at abort.c:89
[...]
#9  0x00007faa239c0781 in malloc_printerr (ar_ptr=0x7faa23d01b20 <main_arena>, ptr=0x37a4c60, str=0x7faa23acac75 "corrupted size vs. prev_size", action=<optimized out>) at malloc.c:5006
#10 _int_realloc (av=av@entry=0x7faa23d01b20 <main_arena>, oldp=oldp@entry=0x37a4c10, oldsize=oldsize@entry=80, nb=nb@entry=144) at malloc.c:4298
#11 0x00007faa239c1839 in __GI___libc_realloc (oldmem=0x37a4c20, bytes=128) at malloc.c:3045
Comment 15 Patrick Silva 2018-09-14 12:01:40 UTC
*** Bug 398597 has been marked as a duplicate of this bug. ***
Comment 16 Patrick Silva 2018-09-14 12:02:01 UTC
*** Bug 398602 has been marked as a duplicate of this bug. ***
Comment 17 Nate Graham 2018-09-14 16:25:09 UTC
*** Bug 398607 has been marked as a duplicate of this bug. ***
Comment 18 David Edmundson 2018-09-14 16:51:12 UTC
Most likely source of something with that trace is an ABI break in KNS.

Can you rebuild plasma-discover from source (from the package is fine) and see if it magically fixes itself?
Comment 19 David Edmundson 2018-09-14 16:54:10 UTC
Certainly looks that way:

Provider::SearchRequest changed

Engine has an instance of that as one of its member vars directly and not as a pointer:
    Provider::SearchRequest m_currentRequest;


Adding an entry to SearchRequest changes sizeof(Engine); everything is off *kaboom*
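The size mismatch David describes, as an added C++ illustration that is not KNewStuff code: `v1` stands in for the layout plasma-discover was built against and `v2` for the rebuilt library, with the `categories`, `pageSize` and `filter` members assumed for the demonstration. It shows the by-value `m_currentRequest` growing the object and shifting everything behind it, and a d-pointer version whose public size is unaffected by the same change.

```cpp
// Added illustration, not KNewStuff code: v1 is the layout the application was
// built against, v2 the rebuilt library; member names are assumptions.
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>
namespace v1 {
struct SearchRequest { std::string searchTerm; int page = 0; };
struct Engine {
    std::vector<std::string> categories;
    SearchRequest m_currentRequest;   // held by value, as in the comment above
    int pageSize = 20;                // sits after the member, so it moves too
};
}
namespace v2 {                        // same Engine source, but SearchRequest grew
struct SearchRequest { std::string searchTerm; int page = 0; std::string filter; };
struct Engine {
    std::vector<std::string> categories;
    SearchRequest m_currentRequest;
    int pageSize = 20;
};
}
namespace dptr {                      // the fix: keep the layout behind a d-pointer
struct EnginePrivate;                 // complete type lives only in the library
class Engine {
public:
    Engine(); ~Engine();
private:
    EnginePrivate *d;                 // public size is one pointer, whatever d holds
};
struct EnginePrivate { v2::SearchRequest currentRequest; int pageSize = 20; };
Engine::Engine() : d(new EnginePrivate) {}
Engine::~Engine() { delete d; }
}
// Bytes a v2 constructor writes past an Engine the v1 application allocated.
std::size_t byValueOverflow() { return sizeof(v2::Engine) - sizeof(v1::Engine); }
// Even without the overflow, both sides disagree on where pageSize lives.
bool trailingMemberShifted() {
    v1::Engine a; v2::Engine b;
    auto off = [](const void *base, const void *m) {
        return static_cast<const char *>(m) - static_cast<const char *>(base); };
    return off(&a, &a.pageSize) != off(&b, &b.pageSize);
}
std::size_t dPointerSize() { return sizeof(dptr::Engine); }  // == sizeof(void*)

int main() {
    std::printf("v1 %zu bytes, v2 %zu bytes (+%zu), pageSize moved: %s, d-ptr %zu\n",
                sizeof(v1::Engine), sizeof(v2::Engine), byValueOverflow(),
                trailingMemberShifted() ? "yes" : "no", dPointerSize());
}
```

The overflow bytes land in whatever the allocator placed after the object, which is why glibc's chunk checks ("corrupted size vs. prev_size") rather than the offending write are what surface in the traces above.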
Comment 20 Patrick Silva 2018-09-15 03:44:26 UTC
*** Bug 398639 has been marked as a duplicate of this bug. ***
Comment 21 Jonathan Riddell 2018-09-15 09:54:14 UTC
ABI break is in Git so it will be in neon dev unstable, but it has not been in a released version of KDE Frameworks.
Comment 22 Patrick Silva 2018-09-15 11:08:27 UTC
*** Bug 398653 has been marked as a duplicate of this bug. ***
Comment 23 Dima 2018-09-15 19:41:07 UTC
Created attachment 114983 [details]
New crash information added by DrKonqi

plasma-discover (5.13.5) using Qt 5.11.1

- What I was doing when the application crashed:
Tried to open updates from the KDE tray. Always crashes last time.

-- Backtrace (Reduced):
#6  0x00007f229cdf6428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#7  0x00007f229cdf802a in __GI_abort () at abort.c:89
[...]
#9  0x00007f229ce4137a in malloc_printerr (ar_ptr=<optimized out>, ptr=<optimized out>, str=0x7f229cf51fe8 "double free or corruption (out)", action=3) at malloc.c:5006
#10 _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:3867
#11 0x00007f229ce4553c in __GI___libc_free (mem=<optimized out>) at malloc.c:2968
Comment 24 Patrick Silva 2018-09-17 03:36:08 UTC
Crash is already fixed on neon dev unstable.
Comment 25 Nate Graham 2018-09-17 03:42:26 UTC
Yep, we reverted the offending commit. We'll come up with another way to do this.
Comment 26 Nate Graham 2018-09-18 19:56:27 UTC
*** Bug 398708 has been marked as a duplicate of this bug. ***
Comment 27 Kristopher Ives 2018-09-18 22:07:36 UTC
Nate,

May I ask which commit was reverted? I'm sorry if this information is easy to find in Phabricator; I am still learning how to navigate it.
Comment 28 Christoph Feck 2018-09-19 00:14:07 UTC
Commit 2ad3e66d81b63495a59d012f673af7bd854b53d7 was reverted in knewstuff.git repo. See history at https://cgit.kde.org/knewstuff.git/log/
Comment 29 nimbosa 2018-11-20 02:35:20 UTC
Created attachment 116417 [details]
New crash information added by DrKonqi

plasma-discover (5.13.5) using Qt 5.11.1

- What I was doing when the application crashed:
Opening Discovery app after update

- Unusual behavior I noticed:
Crashes every time after an update.

-- Backtrace (Reduced):
#6  0x00007fbf7b3ac428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#7  0x00007fbf7b3ae02a in __GI_abort () at abort.c:89
[...]
#9  0x00007fbf7b3f59dc in malloc_printerr (ar_ptr=0x7fbf7b73bb20 <main_arena>, ptr=0x3192a00, str=0x7fbf7b504c75 "corrupted size vs. prev_size", action=<optimized out>) at malloc.c:5006
#10 malloc_consolidate (av=av@entry=0x7fbf7b73bb20 <main_arena>) at malloc.c:4183
#11 0x00007fbf7b3f8cde in _int_malloc (av=av@entry=0x7fbf7b73bb20 <main_arena>, bytes=bytes@entry=4096) at malloc.c:3450
Comment 30 Nate Graham 2019-10-07 00:34:04 UTC
*** Bug 412625 has been marked as a duplicate of this bug. ***