Bug 399989 - The QListWidget crashes and/or corrupts its list when I drag/drop items with icons.
Status: RESOLVED FIXED
Alias: None
Product: plasmashell
Classification: Plasma
Component: generic-crash
Version: 5.12.2
Platform: Mageia RPMs Linux
Importance: NOR normal
Target Milestone: 1.0
Assignee: Plasma Bugs List
Reported: 2018-10-18 14:53 UTC by bkimerer
Modified: 2018-11-02 12:26 UTC

Attachments
Source code for the WidgedListCrash program. (9.83 KB, application/zip)
2018-10-18 14:53 UTC, bkimerer
Description bkimerer 2018-10-18 14:53:52 UTC
Created attachment 115725
Source code for the WidgedListCrash program.

SUMMARY
When dragging and dropping items in a QListWidget that have an associated icon,
the list gets corrupted, which subsequently results in a crash. This Qt
problem has been reported to happen only on the KDE platform and not other
platforms such as Gnome. It is also reported that it only happens on Qt5, and
not on Qt4. I have posted the bug here because it is reported to occur only
on KDE.

All of my computers are running Plasma5 and Qt5, so I cannot attest to the
assertions about Qt4 and Gnome.


STEPS TO REPRODUCE
1. Compile WidgetListCrash program
2. Open terminal window
3. Run WidgetListCrash
4. Drag a list item that has an icon with it to another location in that
list or the other list.

OBSERVED RESULT

The program crashes with the following errors:

Trying to construct an instance of an invalid type, type id: 6553705
Trying to construct an instance of an invalid type, type id: 788558336
Trying to construct an instance of an invalid type, type id: 524358
terminate called after throwing an instance of 'std::bad_alloc'
  what():  std::bad_alloc
Aborted (core dumped)


EXPECTED RESULT

The dragged item should be moved to the drop location in the list.


SOFTWARE VERSIONS
(available in About System)
Mageia 6
KDE Plasma Version:  5.12.2
KDE Frameworks Version: 5.42.0
Qt Version: 5.9.4

Mint 18.1
KDE Plasma Version:  5.8.9
KDE Frameworks Version: 5.36.0
Qt Version: 5.6.1


ADDITIONAL INFORMATION

The problem can be easily replicated using a small program, which can be found here:

https://gitlab.com/bugpocs/WidgetListCrash

and in the attachment. There is a QtCreator project file (.pro).

One system is running Mageia 6, with the following system parameters:

System:    Host: mageia6 Kernel: 4.14.70-desktop-2.mga6 x86_64 (64 bit) Desktop: KDE Plasma 5.12.2
           Distro: Mageia 6 mga6
Machine:   Device: desktop Mobo: ASUSTeK model: P5G41T-M LX PLUS v: Rev X.0x BIOS: American Megatrends v: 0502 date: 10/21/2011
CPU:       Dual core Intel Core2 Duo E7300 (-MCP-) speed/max: 1617/1927 MHz
Graphics:  Card: NVIDIA G94 [GeForce 9600 GT]
           Display Server: Mageia X.org 119.5 drivers: v4l,nouveau Resolution: 1680x1050@59.95hz
           GLX Renderer: NV94 GLX Version: 3.0 Mesa 17.3.9


When I run the WidgetListCrash program on Mageia6 and attempt to move one of the list items
that has an icon associated with it, the program crashes with the following output:

$ ./WidgetListCrash 
Trying to construct an instance of an invalid type, type id: 6553705
Trying to construct an instance of an invalid type, type id: 788558336
Trying to construct an instance of an invalid type, type id: 524358
terminate called after throwing an instance of 'std::bad_alloc'
  what():  std::bad_alloc
Aborted (core dumped)
[poobah@mageia6 WidgetListCrash-master]$


I can reproduce this bug on my Mint 18.1 system as well, but with different
symptoms. Here are the system parameters of my Mint system.


System:    Host: LinuxMain Kernel: 4.4.0-137-generic x86_64 (64 bit) Desktop: KDE Plasma 5.8.9
           Distro: Linux Mint 18.1 Serena
Machine:   System: ASUS product: All Series
           Mobo: ASUSTeK model: Z97-A-USB31 v: Rev 1.xx
           Bios: American Megatrends v: 2501 date: 06/24/2015
CPU:       Quad core Intel Core i5-4590 (-MCP-) speed/max: 3282/3700 MHz
Graphics:  Card: NVIDIA GM107 [GeForce GTX 750 Ti]
           Display Server: X.Org 1.18.4 drivers: nvidia (unloaded: fbdev,vesa,nouveau)
           Resolution: 1920x1080@60.00hz, 1920x1080@60.00hz
           GLX Renderer: GeForce GTX 750 Ti/PCIe/SSE2 GLX Version: 4.5.0 NVIDIA 384.130


When I run the WidgetListCrash program on Mint and attempt to move one of the list items
that has an icon associated with it, the list gets corrupted, leaving blank
spaces between the list items. On subsequent attempts to move the item, the
program crashes with the following output:

$ ./WidgetListCrash
Trying to construct an instance of an invalid type, type id: 6553705
Trying to construct an instance of an invalid type, type id: 788558336
Trying to construct an instance of an invalid type, type id: 524358
Trying to construct an instance of an invalid type, type id: 6553705
Trying to construct an instance of an invalid type, type id: 788558336
Trying to construct an instance of an invalid type, type id: 524358
Segmentation fault
Comment 1 Kai Uwe Broulik 2018-10-18 15:06:09 UTC
I can confirm the crash with Breeze, Fusion, and Oxygen style when running in a Plasma environment. It does not crash when running without Plasma's Platform Integration.
Comment 2 David Edmundson 2018-10-18 17:05:08 UTC
Found where the problem occurs, but not why.

QDataStream &operator>>(QDataStream &s, QIcon &icon)


finds the relevant IconEngine and asks it to serialise.


We serialise fine.

When we deserialise, suddenly we can't find our engine any more.

We know the engine's key is "KIconEngine" correctly, but 
            const int index = loader()->indexOf(key);

fails to find us.


From what I can see that doesn't include loaders loaded from the QPT.

Will be a Qt fix.
Comment 3 Fabian Vogt 2018-10-18 18:16:14 UTC
Or we add a KIconEngine plugin, just like libqsvgicon.so.

There are multiple bugs that lead to this crash:
- QIcon can't create a KIconEngine - but whether that's a bug is not clear
- QIcon's deserialization operator ignores that the engine didn't get created
- QAbstractItemModel::decode data doesn't sanitize values
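
Two of the defects listed in comment 3 (a deserializer that ignores a missing engine, and a decoder that does not sanitize values), shown in a simplified stand-alone model. This is an added example, not Qt or KDE code; the stream layout, the type ids, the `SvgEngine` registry entry and all function names are constructed for illustration.

```cpp
#include <cstdint>
#include <set>
#include <string>
#include <vector>
// Simplified model, not Qt code: items are [u32 type][payload], big-endian; type ids are constructed.
enum : uint32_t { kInt = 1, kIcon = 2 };
const std::set<std::string> kEngines = {"SvgEngine"};  // hypothetical registry without "KIconEngine"

struct Stream {
    std::vector<uint8_t> buf; size_t pos = 0; bool ok = true;
    uint32_t u32() {
        if (!ok || buf.size() - pos < 4) { ok = false; return 0; }
        uint32_t v = 0;
        for (int i = 0; i < 4; ++i) v = (v << 8) | buf[pos++];
        return v;
    }
    std::string bytes(uint32_t n) {  // length is checked against what is left
        if (!ok || buf.size() - pos < n) { ok = false; return {}; }
        std::string s(buf.begin() + pos, buf.begin() + pos + n);
        pos += n; return s;
    }
};
// Icon payload: [len][engine key][len][engine data].
void readIcon(Stream &s, bool strict) {
    std::string key = s.bytes(s.u32());
    if (kEngines.count(key)) { s.bytes(s.u32()); return; }  // engine reads its own data
    if (strict) s.ok = false;  // hardened: report failure; lenient leaves engine data unread
}
// Returns the type ids seen. Strict mode rejects unknown ids and failed reads.
std::vector<uint32_t> decode(const std::vector<uint8_t> &data, bool strict) {
    Stream s; s.buf = data;
    std::vector<uint32_t> ids;
    while (s.ok && s.pos < s.buf.size()) {
        uint32_t t = s.u32();
        if (strict && t != kInt && t != kIcon) { s.ok = false; break; }
        ids.push_back(t);
        if (t == kInt) s.u32();
        else if (t == kIcon) readIcon(s, strict);
    }
    if (strict && !s.ok) ids.clear();  // drop the whole payload, insert nothing
    return ids;
}

void put32(std::vector<uint8_t> &b, uint32_t v) { for (int i = 3; i >= 0; --i) b.push_back(uint8_t(v >> (8 * i))); }
void putStr(std::vector<uint8_t> &b, const std::string &s) { put32(b, uint32_t(s.size())); b.insert(b.end(), s.begin(), s.end()); }
std::vector<uint8_t> sample(const std::string &key) {  // constructed: icon item, then int item
    std::vector<uint8_t> b;
    put32(b, kIcon); putStr(b, key); putStr(b, "icon"); put32(b, kInt); put32(b, 7);
    return b;
}
```

In lenient mode the unread engine data is reinterpreted as item headers, so the decoder reports type ids that were never written; strict mode returns nothing for the same input.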
Comment 4 JanKusanagi 2018-10-18 18:34:51 UTC
This is the bug I reported to Qt back in the day:
https://bugreports.qt.io/browse/QTBUG-63546
Comment 5 Fabian Vogt 2018-10-18 18:53:16 UTC
Here's a patch which adds an icon engine plugin: https://phabricator.kde.org/D16305

With this installed the PoC works just fine. The items get copied to the other side and keep their icons.
Comment 6 Fabian Vogt 2018-11-02 12:26:05 UTC
Git commit 3501660aa3d7ffc83597b0ca7ba33767f0124429 by Fabian Vogt.
Committed on 02/11/2018 at 12:25.
Pushed by fvogt into branch 'master'.

Add a QIconEnginePlugin to allow QIcon deserialization

Summary:
This is necessary to allow QIcons with a KIconEngine as engine to deserialize
properly.

Test Plan: Ran the PoC in the bug report, works fine.

Reviewers: #frameworks, davidedmundson

Reviewed By: davidedmundson

Subscribers: lbeltrame, kde-frameworks-devel

Tags: #frameworks

Differential Revision: https://phabricator.kde.org/D16305

M  +10   -0    src/CMakeLists.txt
A  +43   -0    src/kiconengineplugin.cpp     [License: LGPL (v2)]
A  +4    -0    src/kiconengineplugin.json

https://commits.kde.org/kiconthemes/3501660aa3d7ffc83597b0ca7ba33767f0124429