Bug 430492 - Application using konsolepart crashes on exit due to double free
Status: RESOLVED FIXED
Alias: None
Product: konsole
Classification: Applications
Component: kpart
Version: 20.12.0
Platform: Other Linux
Importance: NOR normal
Target Milestone: ---
Assignee: Konsole Developer
Reported: 2020-12-17 04:27 UTC by Weng Xuetian
Modified: 2020-12-23 15:52 UTC

Description Weng Xuetian 2020-12-17 04:27:16 UTC
SUMMARY
konsole crashes on exit, possibly due to the destruction of static data.

Related output from valgrind:

==191447== Invalid free() / delete / delete[] / realloc()
==191447==    at 0x483B9AB: free (vg_replace_malloc.c:538)
==191447==    by 0x4A8FDFB: QHashData::free_helper(void (*)(QHashData::Node*)) (in /usr/lib/libQt5Core.so.5.15.2)
==191447==    by 0x4F1C3AD: __cxa_finalize (in /usr/lib/libc-2.32.so)
==191447==    by 0x50FB877: ??? (in /usr/lib/libkonsoleprivate.so.20.12.0)
==191447==    by 0x401168A: _dl_fini (in /usr/lib/ld-2.32.so)
==191447==    by 0x4F1BDB6: __run_exit_handlers (in /usr/lib/libc-2.32.so)
==191447==    by 0x4F1BF5D: exit (in /usr/lib/libc-2.32.so)
==191447==    by 0x4F04158: (below main) (in /usr/lib/libc-2.32.so)
==191447==  Address 0xbdba380 is 0 bytes inside a block of size 42 free'd
==191447==    at 0x483B9AB: free (vg_replace_malloc.c:538)
==191447==    by 0x4A8FDFB: QHashData::free_helper(void (*)(QHashData::Node*)) (in /usr/lib/libQt5Core.so.5.15.2)
==191447==    by 0x4F1C3AD: __cxa_finalize (in /usr/lib/libc-2.32.so)
==191447==    by 0x48B01D7: ??? (in /usr/lib/libkdeinit5_konsole.so)
==191447==    by 0x401168A: _dl_fini (in /usr/lib/ld-2.32.so)
==191447==    by 0x4F1BDB6: __run_exit_handlers (in /usr/lib/libc-2.32.so)
==191447==    by 0x4F1BF5D: exit (in /usr/lib/libc-2.32.so)
==191447==    by 0x4F04158: (below main) (in /usr/lib/libc-2.32.so)
==191447==  Block was alloc'd at
==191447==    at 0x483A77F: malloc (vg_replace_malloc.c:307)
==191447==    by 0x4A60912: QArrayData::allocate(unsigned long, unsigned long, unsigned long, QFlags<QArrayData::AllocationOption>) (in /usr/lib/libQt5Core.so.5.15.2)
==191447==    by 0x4AD7494: QString::reallocData(unsigned int, bool) (in /usr/lib/libQt5Core.so.5.15.2)
==191447==    by 0x4AD82B4: ??? (in /usr/lib/libQt5Core.so.5.15.2)
==191447==    by 0x4AD8633: ??? (in /usr/lib/libQt5Core.so.5.15.2)
==191447==    by 0x4ADBC9F: QString::toLower_helper(QString const&) (in /usr/lib/libQt5Core.so.5.15.2)
==191447==    by 0x48CCB9A: Konsole::Profile::registerProperty(Konsole::Profile::PropertyInfo const&) (in /usr/lib/libkdeinit5_konsole.so)
==191447==    by 0x48CCD54: Konsole::Profile::fillTableWithDefaultNames() (in /usr/lib/libkdeinit5_konsole.so)
==191447==    by 0x48CCD95: Konsole::Profile::lookupByName(QString const&) (in /usr/lib/libkdeinit5_konsole.so)
==191447==    by 0x48CD3A7: Konsole::ProfileCommandParser::parse(QString const&) (in /usr/lib/libkdeinit5_konsole.so)
==191447==    by 0x5199FD7: Konsole::SessionManager::sessionProfileCommandReceived(QString const&) (in /usr/lib/libkonsoleprivate.so.20.12.0)
==191447==    by 0x4C73DD5: ??? (in /usr/lib/libQt5Core.so.5.15.2)



STEPS TO REPRODUCE
1. launch konsole
2. do something in 
3. quit konsole

OBSERVED RESULT
konsole crashes with backtrace like
QHashData::free_helper(void (*)(QHashData::Node*)) (in /usr/lib/libQt5Core.so.5.15.2)
__cxa_finalize (in /usr/lib/libc-2.32.so)



EXPECTED RESULT
No crash

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: Arch Linux
(available in About System)
KDE Plasma Version: 5.20.4
KDE Frameworks Version: 5.77.0
Qt Version: 5.15.2

ADDITIONAL INFORMATION
Comment 1 Weng Xuetian 2020-12-17 04:40:46 UTC
I read the git log a little bit; this is likely caused by the change in 9d8e47298c81fc1e47c998eda1b6e980589274eb.
Comment 2 Bug Janitor Service 2020-12-17 04:48:22 UTC
A possibly relevant merge request was started @ https://invent.kde.org/utilities/konsole/-/merge_requests/305
Comment 3 Weng Xuetian 2020-12-18 17:28:24 UTC
Git commit 3480514e706cb2d71014197fd61456fb19ab9329 by Weng Xuetian.
Committed on 18/12/2020 at 17:24.
Pushed by tcanabrava into branch 'master'.

Only link konsoleprofile to konsoleprivate

Using Object multiple times may cause the destructor handler to be called
multiple times and lead to a double free crash on exit.

M  +0    -2    src/CMakeLists.txt
M  +3    -1    src/profile/ProfileModel.h

https://invent.kde.org/utilities/konsole/commit/3480514e706cb2d71014197fd61456fb19ab9329
Comment 4 Kurt Hindenburg 2020-12-23 15:52:41 UTC
Git commit 3f2b2d9df4ca74baa0d263c36dc70d95c149b221 by Kurt Hindenburg, on behalf of Weng Xuetian.
Committed on 23/12/2020 at 15:52.
Pushed by hindenburg into branch 'release/20.12'.

Only link konsoleprofile to konsoleprivate

Using Object multiple times may cause the destructor handler to be called
multiple times and lead to a double free crash on exit.
(cherry picked from commit 3480514e706cb2d71014197fd61456fb19ab9329)

M  +0    -2    src/CMakeLists.txt
M  +3    -1    src/profile/ProfileModel.h

https://invent.kde.org/utilities/konsole/commit/3f2b2d9df4ca74baa0d263c36dc70d95c149b221
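
The exit-time sequence that the commit message and the valgrind trace describe, as an added single-process model (not Konsole, Qt or glibc code): each library that embeds the object file registers a destructor for the static, and each library's finalizer then runs it. `Table`, `static_init`, `finalize` and `run_exit` are hypothetical names, and the model assumes both copies of the static resolve to one address through symbol interposition.

```cpp
#include <cstdio>
#include <vector>

// Stand-in for the static table; records destructor runs instead of freeing.
struct Table {
    bool alive = false;
    int dtor_runs = 0;
    bool double_free = false;
    void destroy() {
        ++dtor_runs;
        if (!alive) double_free = true;  // a real container would free() again here
        alive = false;
    }
};

enum Dso { KONSOLEPRIVATE, KDEINIT_KONSOLE };  // labels taken from the trace

// Models one __cxa_atexit(dtor, obj, dso_handle) registration.
struct ExitEntry { Table* obj; Dso dso; bool done; };
static std::vector<ExitEntry> exit_list;

// Static-init code of a library that embeds the object file: it constructs the
// global at the address the dynamic linker resolved and registers its destructor.
static void static_init(Dso dso, Table* resolved) {
    resolved->alive = true;
    exit_list.push_back({resolved, dso, false});
}

// Models __cxa_finalize(dso_handle): run the handlers that library registered.
static void finalize(Dso dso) {
    for (auto it = exit_list.rbegin(); it != exit_list.rend(); ++it)
        if (it->dso == dso && !it->done) { it->done = true; it->obj->destroy(); }
}

// embedded_in_both=true: object file linked into both libraries (before the fix).
// Assumption: both definitions resolve to one address (symbol interposition).
Table run_exit(bool embedded_in_both) {
    exit_list.clear();
    Table shared;
    static_init(KONSOLEPRIVATE, &shared);
    if (embedded_in_both) static_init(KDEINIT_KONSOLE, &shared);
    finalize(KDEINIT_KONSOLE);  // order as in the valgrind trace: first free
    finalize(KONSOLEPRIVATE);   // second free of the same block
    return shared;
}
int main() {
    Table b = run_exit(true), a = run_exit(false);
    std::printf("both: runs=%d double_free=%d | one: runs=%d double_free=%d\n",
                b.dtor_runs, b.double_free, a.dtor_runs, a.double_free);
}
```

With the object file embedded in both libraries the destructor runs twice on the same object; embedded only in the library the commit title names, it runs once.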