SUMMARY
I used Gwenview to open a jpg file stored in a folder containing ~9,000 files. When I closed Gwenview, Plasma showed a notification about a kinit5 crash. I can reproduce this crash sometimes on both Neon unstable edition and Arch Linux (frameworks 5.62).

Operating System: KDE neon Unstable Edition
KDE Plasma Version: 5.16.80
KDE Frameworks Version: 5.63.0
Qt Version: 5.12.3

Invalid thread ID: aplly all bt
Thread 1 (Thread 0x7fe60ac85780 (LWP 2104)):
#0  __GI_raise (sig=sig@entry=11) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007fe60a8911bd in KCrash::defaultCrashHandler (sig=11) at ./src/kcrash.cpp:578
#2  <signal handler called>
#3  0x00007fe60901a147 in std::__atomic_base<QMutexData*>::compare_exchange_strong (__m2=std::memory_order_acquire, __m1=std::memory_order_acquire, __p2=<optimized out>, __p1=<synthetic pointer>: <optimized out>, this=0x0) at /usr/include/c++/7/bits/atomic_base.h:752
#4  std::atomic<QMutexData*>::compare_exchange_strong (__m2=std::memory_order_acquire, __m1=std::memory_order_acquire, __p2=<optimized out>, __p1=<synthetic pointer>: <optimized out>, this=0x0) at /usr/include/c++/7/atomic:498
#5  QAtomicOps<QMutexData*>::testAndSetAcquire<QMutexData*> (currentValue=<synthetic pointer>, newValue=<optimized out>, expectedValue=0x0, _q_value=...) at ../../include/QtCore/../../src/corelib/thread/qatomic_cxx11.h:290
#6  QBasicAtomicPointer<QMutexData>::testAndSetAcquire (currentValue=<synthetic pointer>: <optimized out>, newValue=<optimized out>, expectedValue=0x0, this=0x0) at ../../include/QtCore/../../src/corelib/thread/qbasicatomic.h:263
#7  QBasicMutex::fastTryLock (current=<synthetic pointer>: <optimized out>, this=0x0) at thread/qmutex.h:107
#8  QMutex::lock (this=0x0) at thread/qmutex.cpp:222
#9  0x00007fe6092584ba in QTextCodec::codecForLocale () at codecs/qtextcodec.cpp:714
#10 0x00007fe6090a4a09 in QString::fromLocal8Bit_helper (str=str@entry=0x557efaff6c28 "/run/user/1000", size=14) at tools/qstring.cpp:5573
#11 0x00007fe609195283 in QString::fromLocal8Bit (size=<optimized out>, str=<optimized out>) at ../../include/QtCore/../../src/corelib/tools/qstring.h:576
#12 QString::fromLocal8Bit (str=...) at ../../include/QtCore/../../src/corelib/tools/qstring.h:583
#13 QFile::decodeName (localFileName=...) at ../../include/QtCore/../../src/corelib/io/qfile.h:94
#14 QStandardPaths::writableLocation (type=type@entry=QStandardPaths::RuntimeLocation) at io/qstandardpaths_unix.cpp:126
#15 0x00007fe60a8900c1 in startProcessInternal (argc=argc@entry=12, argv=argv@entry=0x7ffdef786220, waitAndExit=waitAndExit@entry=true, directly=directly@entry=false) at ./src/kcrash.cpp:706
#16 0x00007fe60a890b9e in KCrash::startProcess (argc=argc@entry=12, argv=argv@entry=0x7ffdef786220, waitAndExit=waitAndExit@entry=true) at ./src/kcrash.cpp:670
#17 0x00007fe60a8910c7 in KCrash::defaultCrashHandler (sig=6) at ./src/kcrash.cpp:568
#18 <signal handler called>
#19 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#20 0x00007fe608bc1801 in __GI_abort () at abort.c:79
#21 0x00007fe608c0a897 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7fe608d37b9a "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#22 0x00007fe608c1190a in malloc_printerr (str=str@entry=0x7fe608d35d88 "free(): invalid pointer") at malloc.c:5350
#23 0x00007fe608c18e1c in _int_free (have_lock=0, p=0x7ffdef7875f8, av=0x7fe608f6cc40 <main_arena>) at malloc.c:4157
#24 __GI___libc_free (mem=0x7ffdef787608) at malloc.c:3124
#25 0x00007fe609244ff6 in QCoreGlobalData::~QCoreGlobalData (this=0x7fe6096a6f80 <(anonymous namespace)::Q_QGS_globalInstance::innerFunction()::holder>, __in_chrg=<optimized out>) at kernel/qcoreglobaldata.cpp:64
#26 0x00007fe609247019 in (anonymous namespace)::Q_QGS_globalInstance::Holder::~Holder (this=<optimized out>, __in_chrg=<optimized out>) at kernel/qcoreglobaldata.cpp:47
#27 0x00007fe608bc4041 in __run_exit_handlers (status=status@entry=255, listp=0x7fe608f6c718 <__exit_funcs>, run_list_atexit=run_list_atexit@entry=true, run_dtors=run_dtors@entry=true) at exit.c:108
#28 0x00007fe608bc413a in __GI_exit (status=status@entry=255) at exit.c:139
#29 0x00007fe601db4b86 in KIO::SlaveBase::exit (this=this@entry=0x7ffdef787640) at ./src/core/slavebase.cpp:712
#30 0x00007fe601db5598 in KIO::SlaveBase::send (this=this@entry=0x7ffdef787640, cmd=cmd@entry=104, arr=...) at ./src/core/slavebase.cpp:1459
#31 0x00007fe601db8a15 in KIO::SlaveBase::finished (this=0x7ffdef787640) at ./src/core/slavebase.cpp:562
#32 0x00007fe5faae2e73 in FileProtocol::listDir (this=0x7ffdef787630, url=...) at ./src/ioslaves/file/file_unix.cpp:617
#33 0x00007fe601dbc0dd in KIO::SlaveBase::dispatch (this=0x7ffdef787640, command=71, data=...) at ./src/core/slavebase.cpp:1223
#34 0x00007fe601dbcba6 in KIO::SlaveBase::dispatchLoop (this=0x7ffdef787640) at ./src/core/slavebase.cpp:348
#35 0x00007fe5faadcbb5 in kdemain (argc=<optimized out>, argv=<optimized out>) at ./src/ioslaves/file/file.cpp:122
#36 0x0000557ef941562d in launch (argc=4, _name=0x557efaf97a68 "/usr/lib/x86_64-linux-gnu/qt5/plugins/kf5/kio/file.so", args=<optimized out>, cwd=<optimized out>, envc=<optimized out>, envs=<optimized out>, reset_env=false, tty=0x0, avoid_loops=false, startup_id_str=0x557ef94182e7 "0") at ./src/kdeinit/kinit.cpp:704
#37 0x0000557ef9416b3b in handle_launcher_request (sock=8, who=<optimized out>) at ./src/kdeinit/kinit.cpp:1142
#38 0x0000557ef94173cb in handle_requests (waitForPid=0) at ./src/kdeinit/kinit.cpp:1335
#39 0x0000557ef9411ff4 in main (argc=5, argv=<optimized out>) at ./src/kdeinit/kinit.cpp:1774
Same as https://bugs.kde.org/show_bug.cgi?id=408797, with a better stack.

QCoreGlobalData::~QCoreGlobalData calls free(0x7ffdef787608), this is a delete of a QTextCodec*. The KIOSlaveBase (i.e. the FileProtocol) address is 0x7ffdef787640, so 0x7ffdef787608 is very likely to be the address of the LegacyCodec declared just before (https://cgit.kde.org/kio.git/tree/src/ioslaves/file/file.cpp#n112). The LegacyCodec is still in the valid stack (unlike the other variant https://bugs.kde.org/show_bug.cgi?id=411441), so its contents were intact and its destructor didn't crash. But then free isn't happy since the address is on the stack, not allocated.

*** This bug has been marked as a duplicate of bug 408797 ***
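The ownership mismatch described in the comment above, reduced to plain C++ as an added example (not Qt or KIO code): a self-registering object that a global cleanup deletes at exit, compared in its stack-scoped, stack-live-at-exit, and heap-allocated forms. The names Registry, Codec, shutdown() and the onHeap flag are assumptions of this model; real free() has no such flag and aborts, as the trace shows.

```cpp
#include <algorithm>
#include <vector>

// Simplified model of QTextCodec + QCoreGlobalData (assumed names, not Qt code):
// a Codec registers itself on construction and unregisters on destruction, and
// shutdown() deletes whatever is still registered, like the static destructor
// that __run_exit_handlers invokes once the process calls exit().
struct Codec;
struct Registry {
    std::vector<Codec*> codecs;
    int stackFrees = 0;   // times shutdown() met a pointer it never owned
};
static Registry g_registry;
struct Codec {
    bool onHeap;   // model-only hint; real free() cannot tell and aborts instead
    explicit Codec(bool heap) : onHeap(heap) { g_registry.codecs.push_back(this); }
    virtual ~Codec() {   // like QTextCodec, drop ourselves from the global list
        auto& v = g_registry.codecs;
        v.erase(std::remove(v.begin(), v.end(), this), v.end());
    }
};

// Models QCoreGlobalData::~QCoreGlobalData (frame #25): delete every codec left.
static void shutdown() {
    std::vector<Codec*> pending;
    pending.swap(g_registry.codecs);
    for (Codec* c : pending) {
        if (c->onHeap) delete c;        // heap object: cleanup legitimately owns it
        else g_registry.stackFrees++;   // real code: free() on a stack address, abort()
    }
}

// 1) Stack codec whose scope ends before exit(): its destructor unregisters it.
static bool scopedStackCodecIsSafe() {
    g_registry = Registry();
    { Codec c(false); }
    return g_registry.codecs.empty();
}
// 2) The kio_file pattern: a stack codec (LegacyCodec in kdemain) is still live
//    when SlaveBase::exit() calls ::exit() and the exit handlers run.
static int exitWithStackCodecLive() {
    g_registry = Registry();
    Codec c(false);
    shutdown();
    return g_registry.stackFrees;   // 1: the "free(): invalid pointer" in the trace
}
// 3) Heap-allocated and deliberately never deleted by its creator: shutdown() owns it.
static bool heapCodecOwnedByShutdown() {
    g_registry = Registry();
    new Codec(true);
    shutdown();
    return g_registry.codecs.empty();
}
```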