413003 – energy info corrupts solid battery pointers

Bug 413003 - energy info corrupts solid battery pointers

Summary: energy info corrupts solid battery pointers

Status:	RESOLVED FIXED

Alias:	None

Product:	kinfocenter
Classification:	Applications
Component:	Energy Information (show other bugs)
Version:	5.17.5
Platform:	Fedora RPMs Linux

Importance:	NOR crash
Target Milestone:	---
Assignee:	Kai Uwe Broulik

URL:
Keywords:	drkonqi

Duplicates (12):	414099 414200 414205 414209 414500 414817 414844 415021 415372 415474 416413 416668 (view as bug list)
Depends on:
Blocks:

Reported:	2019-10-15 20:34 UTC by Ruben
Modified:	2020-02-19 21:48 UTC (History)
CC List:	19 users (show)

See Also:	414200
Latest Commit:	https://commits.kde.org/kinfocenter/764fce4aefbe1567dc3bfc795f0232fef9df478c
Version Fixed In:	5.18.0
Sentry Crash Report:

Attachments
New crash information added by DrKonqi (22.88 KB, patch) 2019-12-01 12:31 UTC, Matt Fagnani	Details
valgrind log from kinfocenter run when clicking Energy Information, File Indexer Monitor, then Energy Information (259.97 KB, text/plain) 2019-12-01 14:09 UTC, Matt Fagnani	Details
New crash information added by DrKonqi (10.82 KB, patch) 2020-01-13 21:36 UTC, bonfostar	Details
New crash information added by DrKonqi (6.42 KB, text/plain) 2020-02-02 15:30 UTC, VK	Details
View All Add an attachment

Note You need to log in before you can comment on or make changes to this bug.

Description Ruben 2019-10-15 20:34:41 UTC

Application: kinfocenter (5.17.0)

Qt Version: 5.13.1
Frameworks Version: 5.63.0
Operating System: Linux 5.0.0-31-generic x86_64
Distribution: KDE neon User Edition 5.17

-- Information about the crash:
- What I was doing when the application crashed:

When browsing through energy information, it would eventually crash every time I did it. This behaviour was repeatable. There was also a segfault notification.

The crash can be reproduced every time.

-- Backtrace:
Application: Info Center (kinfocenter), signal: Segmentation fault
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[Current thread is 1 (Thread 0x7ff21a140d40 (LWP 24591))]

Thread 5 (Thread 0x7ff1ebfff700 (LWP 24596)):
#0  0x00007ff20fb80664 in g_mutex_unlock () from /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#1  0x00007ff20fb3a6e6 in g_main_context_iteration () from /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#2  0x00007ff216d3d9db in QEventDispatcherGlib::processEvents (this=0x7ff1e4000b20, flags=...) at kernel/qeventdispatcher_glib.cpp:425
#3  0x00007ff216cddeaa in QEventLoop::exec (this=this@entry=0x7ff1ebffed80, flags=..., flags@entry=...) at kernel/qeventloop.cpp:225
#4  0x00007ff216af93ca in QThread::exec (this=this@entry=0x5625077766d0) at thread/qthread.cpp:531
#5  0x00007ff21525bcb5 in QQmlThreadPrivate::run (this=0x5625077766d0) at qml/ftw/qqmlthread.cpp:152
#6  0x00007ff216afab72 in QThreadPrivate::start (arg=0x5625077766d0) at thread/qthread_unix.cpp:360
#7  0x00007ff2118816db in start_thread (arg=0x7ff1ebfff700) at pthread_create.c:463
#8  0x00007ff2163f788f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Thread 4 (Thread 0x7ff1f1d1a700 (LWP 24594)):
#0  0x00007ff2118879f3 in futex_wait_cancelable (private=<optimized out>, expected=0, futex_word=0x5625078214ec) at ../sysdeps/unix/sysv/linux/futex-internal.h:88
#1  __pthread_cond_wait_common (abstime=0x0, mutex=0x562507821498, cond=0x5625078214c0) at pthread_cond_wait.c:502
#2  __pthread_cond_wait (cond=0x5625078214c0, mutex=0x562507821498) at pthread_cond_wait.c:655
#3  0x00007ff1f2fed2cb in ?? () from /usr/lib/x86_64-linux-gnu/dri/i965_dri.so
#4  0x00007ff1f2fecff7 in ?? () from /usr/lib/x86_64-linux-gnu/dri/i965_dri.so
#5  0x00007ff2118816db in start_thread (arg=0x7ff1f1d1a700) at pthread_create.c:463
#6  0x00007ff2163f788f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Thread 3 (Thread 0x7ff1fef19700 (LWP 24593)):
#0  0x00007ff2163e60b4 in __GI___libc_read (fd=7, buf=0x7ff1fef18b60, nbytes=16) at ../sysdeps/unix/sysv/linux/read.c:27
#1  0x00007ff20fb7f2d0 in ?? () from /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#2  0x00007ff20fb3a0b7 in g_main_context_check () from /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#3  0x00007ff20fb3a570 in ?? () from /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#4  0x00007ff20fb3a6dc in g_main_context_iteration () from /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#5  0x00007ff216d3d9db in QEventDispatcherGlib::processEvents (this=0x7ff1f8000b20, flags=...) at kernel/qeventdispatcher_glib.cpp:425
#6  0x00007ff216cddeaa in QEventLoop::exec (this=this@entry=0x7ff1fef18d70, flags=..., flags@entry=...) at kernel/qeventloop.cpp:225
#7  0x00007ff216af93ca in QThread::exec (this=<optimized out>) at thread/qthread.cpp:531
#8  0x00007ff21441e0e5 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5DBus.so.5
#9  0x00007ff216afab72 in QThreadPrivate::start (arg=0x7ff214695d80) at thread/qthread_unix.cpp:360
#10 0x00007ff2118816db in start_thread (arg=0x7ff1fef19700) at pthread_create.c:463
#11 0x00007ff2163f788f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Thread 2 (Thread 0x7ff206f31700 (LWP 24592)):
#0  0x00007ff2163eabf9 in __GI___poll (fds=0x7ff206f30ca8, nfds=1, timeout=-1) at ../sysdeps/unix/sysv/linux/poll.c:29
#1  0x00007ff211eb0747 in ?? () from /usr/lib/x86_64-linux-gnu/libxcb.so.1
#2  0x00007ff211eb236a in xcb_wait_for_event () from /usr/lib/x86_64-linux-gnu/libxcb.so.1
#3  0x00007ff209d16f00 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5XcbQpa.so.5
#4  0x00007ff216afab72 in QThreadPrivate::start (arg=0x56250761c0a0) at thread/qthread_unix.cpp:360
#5  0x00007ff2118816db in start_thread (arg=0x7ff206f31700) at pthread_create.c:463
#6  0x00007ff2163f788f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Thread 1 (Thread 0x7ff21a140d40 (LWP 24591)):
[KCrash Handler]
#6  0x00007ff216ce8f67 in QMetaObject::cast (this=this@entry=0x7ff2050ac8e0 <Solid::Battery::staticMetaObject>, obj=0x562507e3e980) at kernel/qmetaobject.cpp:374
#7  0x00007ff216ce8fa5 in QMetaObject::cast (this=this@entry=0x7ff2050ac8e0 <Solid::Battery::staticMetaObject>, obj=<optimized out>) at kernel/qmetaobject.cpp:363
#8  0x00007ff1f0562a29 in qobject_cast<Solid::Battery*> (object=<optimized out>) at /usr/include/x86_64-linux-gnu/qt5/QtCore/qobject.h:508
#9  Solid::Device::as<Solid::Battery> (this=0x7ffda14b8730) at /usr/include/KF5/Solid/solid/device.h:233
#10 BatteryModel::data (this=<optimized out>, index=..., role=<optimized out>) at ./Modules/energy/batterymodel.cpp:75
#11 0x00007ff214ffe5d2 in QModelIndex::data (arole=256, this=0x7ffda14b87b0) at /usr/include/x86_64-linux-gnu/qt5/QtCore/qabstractitemmodel.h:462
#12 QQmlDMAbstractItemModelData::value (role=256, this=0x56250c1db610) at util/qqmladaptormodel.cpp:414
#13 QQmlDMCachedModelData::metaCall (this=0x56250c1db610, call=<optimized out>, id=<optimized out>, arguments=0x7ffda14b8860) at util/qqmladaptormodel.cpp:282
#14 0x00007ff215105704 in QQmlPropertyData::readProperty (property=0x7ffda14b8840, target=0x56250c1db610, this=0x562507b630c8) at ../../include/QtQml/5.13.1/QtQml/private/../../../../../src/qml/qml/qqmlpropertycache_p.h:328
#15 loadProperty (v4=0x5625077744d0, object=0x56250c1db610, property=...) at jsruntime/qv4qobjectwrapper.cpp:178
#16 0x00007ff215106cef in QV4::QObjectWrapper::virtualResolveLookupGetter (object=0x7ff1f011a510, engine=<optimized out>, lookup=<optimized out>) at jsruntime/qv4qobjectwrapper.cpp:877
#17 0x00007ff1e80e7a4e in ?? ()
#18 0x0000000000000000 in ?? ()

Reported using DrKonqi

Comment 1 Méven Car 2019-11-22 10:20:25 UTC

Seems to related to https://cgit.kde.org/kinfocenter.git/commit/?id=95569a0eae884427c7f7ab11fd63ae577f0be16d

Thi is easily reproductible :

1. Open kinfocenter > energy information
2. Switch to another tab in kinfocenter (for instance memory)
3. Return to energy information tab
4. Crash

[KCrash Handler]
#7  0x000055716942d120 in ?? ()
#8  0x00007fdb30a388de in QMetaObject::cast (this=this@entry=0x7fdb2a551a20 <Solid::Battery::staticMetaObject>, obj=0x5571698ea6f0) at kernel/qmetaobject.cpp:374
#9  0x00007fdb30a38919 in QMetaObject::cast (this=this@entry=0x7fdb2a551a20 <Solid::Battery::staticMetaObject>, obj=<optimized out>) at kernel/qmetaobject.cpp:363
#10 0x00007fdb219cc721 in qobject_cast<Solid::Battery*> (object=<optimized out>) at /usr/include/x86_64-linux-gnu/qt5/QtCore/qobject.h:499
#11 Solid::Device::as<Solid::Battery> (this=0x7ffc2056ec90) at /home/meven/kde/usr/include/KF5/Solid/solid/device.h:233
#12 BatteryModel::data (this=<optimized out>, index=..., role=<optimized out>) at /home/meven/kde/src/kinfocenter/Modules/energy/batterymodel.cpp:76
#13 0x00007fdb2facc99c in QModelIndex::data (arole=256, this=0x7ffc2056ed10) at /usr/include/x86_64-linux-gnu/qt5/QtCore/qabstractitemmodel.h:458
#14 QQmlDMAbstractItemModelData::value (role=256, this=0x55716c74c1b0) at util/qqmladaptormodel.cpp:408
#15 QQmlDMCachedModelData::metaCall (this=0x55716c74c1b0, call=<optimized out>, id=<optimized out>, arguments=0x7ffc2056edc0) at util/qqmladaptormodel.cpp:276
#16 0x00007fdb2fbd69b4 in QQmlPropertyData::readProperty (property=0x7ffc2056eda0, target=0x55716c74c1b0, this=0x55716cae2038) at ../../include/QtQml/5.12.4/QtQml/private/../../../../../src/qml/qml/qqmlpropertycache_p.h:328
#17 loadProperty (v4=0x557169bc9220, object=0x55716c74c1b0, property=...) at jsr

Comment 2 Matt Fagnani 2019-12-01 12:31:12 UTC

Created attachment 124235 [details]
New crash information added by DrKonqi

kinfocenter (5.17.3) using Qt 5.12.5

- What I was doing when the application crashed:

I was using Plasma 5.17.3 on Wayland in Fedora 31. I started kinfocenter. I clicked on Energy Information, File Indexer Monitor, then Energy Information. Dr. Konqi showed a segmentation fault in QMetaObject::cast at kernel/qmetaobject.cpp:381 in qt5-qtbase-5.12.5-1.fc31.x86_64. This crash happened 3/3 times I tried the steps above.

-- Backtrace (Reduced):
#8  0x00007fcdf8222ae1 in qobject_cast<Solid::Battery*> (object=<optimized out>) at /usr/include/qt5/QtCore/qobject.h:499
#9  Solid::Device::as<Solid::Battery> (this=0x7ffd448d5eb0) at /usr/include/KF5/Solid/solid/device.h:233
#10 BatteryModel::data (this=<optimized out>, index=..., role=<optimized out>) at /usr/src/debug/kinfocenter-5.17.3-1.fc31.x86_64/Modules/energy/batterymodel.cpp:75
#11 0x00007fce16fbd74b in QModelIndex::data (arole=256, this=0x7ffd448d5f30) at /usr/include/qt5/QtCore/qabstractitemmodel.h:458
#12 QQmlDMAbstractItemModelData::value (role=256, this=0x563ab03a4810) at util/qqmladaptormodel.cpp:414

Comment 3 Matt Fagnani 2019-12-01 14:09:35 UTC

Created attachment 124238 [details]
valgrind log from kinfocenter run when clicking Energy Information, File Indexer Monitor, then Energy Information

I ran valgrind --log-file=valgrind-kinfocenter-energy-index-1.txt --track-origins=yes kinfocenter & I reproduced the crash in the same way as in my previous comment. The valgrind log showed an invalid read in wl_proxy_unref at wayland-client.c:229 and an invalid write in wl_proxy_unref at wayland-client.c:230 in libwayland-client. They appeared to be use-after-free errors like those I've previously reported for kwin_wayland, plasmashell, konsole, powerdevil, etc. ( https://bugs.kde.org/show_bug.cgi?id=409688 ) 84 Conditional jump or move depends on uninitialised value(s) and 13 Use of uninitialised value  messages were shown.

An invalid read in QMetaObject::cast at qmetaobject.cpp:381 in freed memory was followed by an invalid read "Address 0x5300000000 is not stack'd, malloc'd or (recently) free'd" at the same line. This trace looks like that of the crashing thread. The use-after-free error might've led to the segmentation fault due to the invalid pointer.

==5320== Invalid read of size 8
==5320==    at 0x5CA7FA0: QMetaObject::cast(QObject const*) const (qmetaobject.cpp:381)
==5320==    by 0x2880DAE0: qobject_cast<Solid::Battery*> (qobject.h:504)
==5320==    by 0x2880DAE0: as<Solid::Battery> (device.h:233)
==5320==    by 0x2880DAE0: BatteryModel::data(QModelIndex const&, int) const (batterymodel.cpp:75)
==5320==    by 0x68F874A: data (qabstractitemmodel.h:458)
==5320==    by 0x68F874A: value (qqmladaptormodel.cpp:414)
==5320==    by 0x68F874A: QQmlDMCachedModelData::metaCall(QMetaObject::Call, int, void**) (qqmladaptormodel.cpp:282)
==5320==    by 0x6A0A043: readProperty (qqmlpropertycache_p.h:328)
==5320==    by 0x6A0A043: loadProperty(QV4::ExecutionEngine*, QObject*, QQmlPropertyData const&) (qv4qobjectwrapper.cpp:178)
==5320==    by 0x6A0BB3B: QV4::QObjectWrapper::virtualResolveLookupGetter(QV4::Object const*, QV4::ExecutionEngine*, QV4::Lookup*) (qv4qobjectwrapper.cpp:877)
==5320==    by 0x6A2A714: QV4::Moth::VME::interpret(QV4::CppStackFrame*, QV4::ExecutionEngine*, char const*) (qv4vme_moth.cpp:621)
==5320==    by 0x6A2F556: QV4::Moth::VME::exec(QV4::CppStackFrame*, QV4::ExecutionEngine*) (qv4vme_moth.cpp:447)
==5320==    by 0x69BC8FE: QV4::Function::call(QV4::Value const*, QV4::Value const*, int, QV4::ExecutionContext const*) (qv4function.cpp:68)
==5320==    by 0x6B45C06: QQmlJavaScriptExpression::evaluate(QV4::CallData*, bool*) (qqmljavascriptexpression.cpp:211)
==5320==    by 0x6B4B9B2: QQmlBinding::evaluate(bool*) (qqmlbinding.cpp:209)
==5320==    by 0x6B504E9: QQmlNonbindingBinding::doUpdate(QQmlJavaScriptExpression::DeleteWatcher const&, QFlags<QQmlPropertyData::WriteFlag>, QV4::Scope&) (qqmlbinding.cpp:245)
==5320==    by 0x6B4CC93: QQmlBinding::update(QFlags<QQmlPropertyData::WriteFlag>) (qqmlbinding.cpp:185)
==5320==  Address 0x2ae6bf60 is 0 bytes inside a block of size 192 free'd
==5320==    at 0x483AA0C: free (vg_replace_malloc.c:540)
==5320==    by 0x68EEEAF: UnknownInlinedFun (qarraydata.h:239)
==5320==    by 0x68EEEAF: ~QString (qstring.h:1135)
==5320==    by 0x68EEEAF: node_destruct (qlist.h:499)
==5320==    by 0x68EEEAF: dealloc (qlist.h:868)
==5320==    by 0x68EEEAF: QList<QString>::~QList() (qlist.h:830)
==5320==    by 0x692050E: ~QStringList (qstringlist.h:99)
==5320==    by 0x692050E: QV4::CompiledData::CompilationUnit::loadFromDisk(QUrl const&, QDateTime const&, QString*) (qv4compileddata.cpp:658)
==5320==    by 0x6B0C07F: QQmlScriptBlob::dataReceived(QQmlDataBlob::SourceCodeData const&) (qqmltypeloader.cpp:3020)
==5320==    by 0x6B04AB1: QQmlTypeLoader::setData(QQmlDataBlob*, QQmlDataBlob::SourceCodeData const&) (qqmltypeloader.cpp:1302)
==5320==    by 0x6B053DC: QQmlTypeLoader::setData(QQmlDataBlob*, QString const&) (qqmltypeloader.cpp:1292)
==5320==    by 0x6B0550C: QQmlTypeLoader::loadThread(QQmlDataBlob*) (qqmltypeloader.cpp:1162)
==5320==    by 0x6B134FB: loadThread (qqmltypeloader.cpp:1007)
==5320==    by 0x6B134FB: void QQmlTypeLoader::doLoad<PlainLoader>(PlainLoader const&, QQmlDataBlob*, QQmlTypeLoader::Mode) (qqmltypeloader.cpp:1066)
==5320==    by 0x6B05779: QQmlTypeLoader::load(QQmlDataBlob*, QQmlTypeLoader::Mode) (qqmltypeloader.cpp:1098)
==5320==    by 0x6B05E6E: QQmlTypeLoader::getScript(QUrl const&) (qqmltypeloader.cpp:1760)
==5320==    by 0x6B0896A: QQmlTypeLoader::Blob::addImport(QV4::CompiledData::Import const*, QList<QQmlError>*) (qqmltypeloader.cpp:1444)
==5320==    by 0x6B09F6C: QQmlTypeData::tryLoadFromDiskCache() (qqmltypeloader.cpp:2215)
==5320==  Block was alloc'd at
==5320==    at 0x483980B: malloc (vg_replace_malloc.c:309)
==5320==    by 0x5B02100: QArrayData::allocate(unsigned long, unsigned long, unsigned long, QFlags<QArrayData::AllocationOption>) (qarraydata.cpp:118)
==5320==    by 0x5B71896: UnknownInlinedFun (qarraydata.h:224)
==5320==    by 0x5B71896: QString::QString(int, Qt::Initialization) (qstring.cpp:2176)
==5320==    by 0x691BF5A: convertTo<QString> (qstringbuilder.h:112)
==5320==    by 0x691BF5A: operator QStringBuilder<QStringBuilder<QStringBuilder<QString, QString>, QLatin1Char>, QString>::ConvertTo (qstringbuilder.h:131)
==5320==    by 0x691BF5A: QV4::CompiledData::CompilationUnit::localCacheFilePath(QUrl const&) (qv4compileddata.cpp:140)
==5320==    by 0x6920382: QV4::CompiledData::CompilationUnit::loadFromDisk(QUrl const&, QDateTime const&, QString*) (qv4compileddata.cpp:658)
==5320==    by 0x6B0C07F: QQmlScriptBlob::dataReceived(QQmlDataBlob::SourceCodeData const&) (qqmltypeloader.cpp:3020)
==5320==    by 0x6B04AB1: QQmlTypeLoader::setData(QQmlDataBlob*, QQmlDataBlob::SourceCodeData const&) (qqmltypeloader.cpp:1302)
==5320==    by 0x6B053DC: QQmlTypeLoader::setData(QQmlDataBlob*, QString const&) (qqmltypeloader.cpp:1292)
==5320==    by 0x6B0550C: QQmlTypeLoader::loadThread(QQmlDataBlob*) (qqmltypeloader.cpp:1162)
==5320==    by 0x6B134FB: loadThread (qqmltypeloader.cpp:1007)
==5320==    by 0x6B134FB: void QQmlTypeLoader::doLoad<PlainLoader>(PlainLoader const&, QQmlDataBlob*, QQmlTypeLoader::Mode) (qqmltypeloader.cpp:1066)
==5320==    by 0x6B05779: QQmlTypeLoader::load(QQmlDataBlob*, QQmlTypeLoader::Mode) (qqmltypeloader.cpp:1098)
==5320==    by 0x6B05E6E: QQmlTypeLoader::getScript(QUrl const&) (qqmltypeloader.cpp:1760)
==5320== 
==5320== 
==5320== More than 100 errors detected.  Subsequent errors
==5320== will still be recorded, but in less detail than before.
==5320== Invalid read of size 8
==5320==    at 0x5CA7FAC: QMetaObject::cast(QObject const*) const (qmetaobject.cpp:381)
==5320==    by 0x2880DAE0: qobject_cast<Solid::Battery*> (qobject.h:504)
==5320==    by 0x2880DAE0: as<Solid::Battery> (device.h:233)
==5320==    by 0x2880DAE0: BatteryModel::data(QModelIndex const&, int) const (batterymodel.cpp:75)
==5320==    by 0x68F874A: data (qabstractitemmodel.h:458)
==5320==    by 0x68F874A: value (qqmladaptormodel.cpp:414)
==5320==    by 0x68F874A: QQmlDMCachedModelData::metaCall(QMetaObject::Call, int, void**) (qqmladaptormodel.cpp:282)
==5320==    by 0x6A0A043: readProperty (qqmlpropertycache_p.h:328)
==5320==    by 0x6A0A043: loadProperty(QV4::ExecutionEngine*, QObject*, QQmlPropertyData const&) (qv4qobjectwrapper.cpp:178)
==5320==    by 0x6A0BB3B: QV4::QObjectWrapper::virtualResolveLookupGetter(QV4::Object const*, QV4::ExecutionEngine*, QV4::Lookup*) (qv4qobjectwrapper.cpp:877)
==5320==    by 0x6A2A714: QV4::Moth::VME::interpret(QV4::CppStackFrame*, QV4::ExecutionEngine*, char const*) (qv4vme_moth.cpp:621)
==5320==    by 0x6A2F556: QV4::Moth::VME::exec(QV4::CppStackFrame*, QV4::ExecutionEngine*) (qv4vme_moth.cpp:447)
==5320==    by 0x69BC8FE: QV4::Function::call(QV4::Value const*, QV4::Value const*, int, QV4::ExecutionContext const*) (qv4function.cpp:68)
==5320==    by 0x6B45C06: QQmlJavaScriptExpression::evaluate(QV4::CallData*, bool*) (qqmljavascriptexpression.cpp:211)
==5320==    by 0x6B4B9B2: QQmlBinding::evaluate(bool*) (qqmlbinding.cpp:209)
==5320==    by 0x6B504E9: QQmlNonbindingBinding::doUpdate(QQmlJavaScriptExpression::DeleteWatcher const&, QFlags<QQmlPropertyData::WriteFlag>, QV4::Scope&) (qqmlbinding.cpp:245)
==5320==    by 0x6B4CC93: QQmlBinding::update(QFlags<QQmlPropertyData::WriteFlag>) (qqmlbinding.cpp:185)
==5320==  Address 0x5300000000 is not stack'd, malloc'd or (recently) free'd
==5320== 


Two further invalid reads were shown in socketNotifierSourceCheck at qeventdispatcher_glib.cpp:88 and 79 which looked like use-after-free errors. Those errors might be side-effects of the segmentation fault. I've seen this crash 4/4 times. I'm attaching the full valgrind log.

Comment 4 Christoph Feck 2019-12-04 00:40:15 UTC

*** Bug 414500 has been marked as a duplicate of this bug. ***

Comment 5 Christoph Feck 2019-12-04 01:04:25 UTC

*** Bug 414205 has been marked as a duplicate of this bug. ***

Comment 6 Christoph Feck 2019-12-04 01:05:41 UTC

*** Bug 414209 has been marked as a duplicate of this bug. ***

Comment 7 Christoph Feck 2019-12-27 17:12:06 UTC

*** Bug 415372 has been marked as a duplicate of this bug. ***

Comment 8 Christoph Feck 2019-12-27 17:16:53 UTC

*** Bug 414844 has been marked as a duplicate of this bug. ***

Comment 9 Christoph Feck 2019-12-27 17:17:40 UTC

*** Bug 414817 has been marked as a duplicate of this bug. ***

Comment 10 postix 2020-01-05 18:57:05 UTC

*** Bug 414099 has been marked as a duplicate of this bug. ***

Comment 11 bonfostar 2020-01-13 21:36:49 UTC

Created attachment 125101 [details]
New crash information added by DrKonqi

kinfocenter (5.17.5) using Qt 5.13.2

- What I was doing when the application crashed:
I selected the energy view.
Those are the step to reproduce the crash (at least for me):
1) Open the info center.
2) Select the energy view.
3) Select any of the other view.
4) Select (again) the energy view.
5) The app now crash as soon as you select that view.
It happens every time i've tried (like 4 times).

-- Backtrace (Reduced):
#6  0x00007f2a2ad81a78 in vtable for QQuickShaderEffectSource () from /lib64/libQt5Quick.so.5
[...]
#8  0x00007f2a108f8ae1 in BatteryModel::data(QModelIndex const&, int) const () from /usr/lib64/qt5/plugins/kcms/kcm_energyinfo.so
#9  0x00007f2a2a48bd5b in QQmlDMCachedModelData::metaCall(QMetaObject::Call, int, void**) () from /lib64/libQt5Qml.so.5
#10 0x00007f2a2a59f904 in loadProperty(QV4::ExecutionEngine*, QObject*, QQmlPropertyData const&) () from /lib64/libQt5Qml.so.5
#11 0x00007f2a2a5a13fc in QV4::QObjectWrapper::virtualResolveLookupGetter(QV4::Object const*, QV4::ExecutionEngine*, QV4::Lookup*) () from /lib64/libQt5Qml.so.5

Comment 12 Harald Sitter 2020-01-17 12:23:42 UTC

https://phabricator.kde.org/D26725

Essentially when leaving the energy module, qml will delete the Battery pointers we've passed it from the cpp side, those are however internal to solid and mustn't be deleted. So, solid would implode the next time we try to get the pointers.

Comment 13 Harald Sitter 2020-01-17 12:32:18 UTC

*** Bug 414200 has been marked as a duplicate of this bug. ***

Comment 14 Harald Sitter 2020-01-17 12:33:28 UTC

*** Bug 415021 has been marked as a duplicate of this bug. ***

Comment 15 Harald Sitter 2020-01-17 13:31:29 UTC

Git commit 764fce4aefbe1567dc3bfc795f0232fef9df478c by Harald Sitter.
Committed on 17/01/2020 at 13:30.
Pushed by sitter into branch 'Plasma/5.18'.

make sure Solid::Battery is not deleted from QML

Summary:
Battery objects are casted DeviceInterface objects and those are
owned by Solid. deleting them outside solid means they will end
up as dangling pointers inside Solid's global static objects.

when switching away from the energy KCM the qml engine would
get cleaned up as part of the KCM destruction, qml would then
sweep up the Battery object and corrupt the solid internal
pointers.

to prevent this, explicitly mark Battery objects we give to QML
as owned on the c++ side.
FIXED-IN: 5.18.0

Test Plan:
open kinfocenter
switch to energy
switch away
switch to energy
no crash

Reviewers: broulik, davidedmundson

Reviewed By: davidedmundson

Subscribers: plasma-devel

Tags: #plasma

Differential Revision: https://phabricator.kde.org/D26725

M  +6    -1    Modules/energy/batterymodel.cpp

https://commits.kde.org/kinfocenter/764fce4aefbe1567dc3bfc795f0232fef9df478c

Comment 16 Harald Sitter 2020-01-20 16:30:58 UTC

*** Bug 416413 has been marked as a duplicate of this bug. ***

Comment 17 Nate Graham 2020-01-24 04:09:29 UTC

*** Bug 416668 has been marked as a duplicate of this bug. ***

Comment 18 Harald Sitter 2020-01-28 11:39:07 UTC

*** Bug 416798 has been marked as a duplicate of this bug. ***

Comment 19 VK 2020-02-02 15:30:25 UTC

Created attachment 125616 [details]
New crash information added by DrKonqi

kinfocenter (5.17.5) using Qt 5.13.2

- What I was doing when the application crashed:

Looked through battery and Graphical Information, and closed the app.

-- Backtrace (Reduced):
#6  QWeakPointer<QObject>::data (this=0x1e48) at /usr/include/x86_64-linux-gnu/qt5/QtCore/qsharedpointer_impl.h:569
#7  QPointer<QObject>::data (this=0x1e48) at /usr/include/x86_64-linux-gnu/qt5/QtCore/qpointer.h:86
#8  Solid::DeviceInterfacePrivate::backendObject (this=0x1e40) at ./src/solid/devices/frontend/deviceinterface.cpp:110
#9  0x00007f618ef61d08 in Solid::DevicePrivate::~DevicePrivate (this=0x5577d6ac3ae0, __in_chrg=<optimized out>) at ./src/solid/devices/frontend/device.cpp:222
#10 0x00007f618ef61e89 in Solid::DevicePrivate::~DevicePrivate (this=0x5577d6ac3ae0, __in_chrg=<optimized out>) at ./src/solid/devices/frontend/device.cpp:225

Comment 20 Christoph Feck 2020-02-19 21:48:40 UTC

*** Bug 415474 has been marked as a duplicate of this bug. ***