QtMoko2

Issue 871: double free() problem on Jessie

Reported by Nikolaus Schaller, Mar 1, 2018

On Jessie many applications crash when being closed.

We could trace it back to a double-free in 
QSmoothListPrivate::dereferenceItem:

Program received signal SIGABRT, Aborted.
__libc_do_syscall () at ../ports/sysdeps/unix/sysv/linux/arm/libc-do-syscall.S:44
44	../ports/sysdeps/unix/sysv/linux/arm/libc-do-syscall.S: No such file or directory.
(gdb) bt
#0  __libc_do_syscall () at ../ports/sysdeps/unix/sysv/linux/arm/libc-do-syscall.S:44
#1  0xb5696ee6 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#2  0xb5697bee in __GI_abort () at abort.c:89
#3  0xb56c3d14 in malloc_printerr (action=-1258860544, str=0xb5740430 "free(): invalid pointer", ptr=<optimized out>)
   at malloc.c:5000
#4  0xb56c4d38 in free_check (mem=0x51ee50, caller=<optimized out>) at hooks.c:298
#5  0xb56c6fe4 in __GI___libc_free (mem=<optimized out>) at malloc.c:2920
#6  0xb6a93fec in QSmoothListPrivate::dereferenceItem (this=<optimized out>, data=0x9dbd78)
   at /home/qtbuild/qtmoko/src/libraries/qtopia/qsmoothlist.cpp:1167
#7  0xb6a94180 in QSmoothListPrivate::removeItems (this=0x5a8f18, start=start@entry=0, end=end@entry=0)
   at /home/qtbuild/qtmoko/src/libraries/qtopia/qsmoothlist.cpp:949
#8  0xb6a988c8 in QSmoothList::rowsRemoved (this=0x5a8d40, index=..., first=<optimized out>, last=<optimized out>)
   at /home/qtbuild/qtmoko/src/libraries/qtopia/qsmoothlist.cpp:3426
#9  0xb5abb7b0 in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) ()
  from /opt/qtmoko/lib/libQtCore.so.4
#10 0xb5b07880 in QAbstractItemModel::rowsRemoved(QModelIndex const&, int, int) () from /opt/qtmoko/lib/libQtCore.so.4
#11 0xb5aa22c0 in QAbstractItemModel::endRemoveRows() () from /opt/qtmoko/lib/libQtCore.so.4
#12 0xb5abb7b0 in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) ()
  from /opt/qtmoko/lib/libQtCore.so.4
#13 0xb5abb7b0 in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) ()
  from /opt/qtmoko/lib/libQtCore.so.4
#14 0xb6ac1e48 in QSqlContentSetEngine::qt_static_metacall (_o=<optimized out>, _id=<optimized out>,
   _a=<optimized out>, _c=<optimized out>)
   at /home/qtbuild/build-gta04/src/libraries/qtopia/.moc/moc_qsqlcontentsetengine_p.cpp:68
#15 0xb5ab958c in QObject::event(QEvent*) () from /opt/qtmoko/lib/libQtCore.so.4
#16 0xb5e8775c in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /opt/qtmoko/lib/libQtGui.so.4
#17 0xb5e8d8a0 in QApplication::notify(QObject*, QEvent*) () from /opt/qtmoko/lib/libQtGui.so.4
Cannot access memory at address 0x0
#18 0xb6af8000 in ?? () from /opt/qtmoko/lib/libqtopia.so.4
Cannot access memory at address 0x0
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

Unfortunately it does not tell where the first free happened
or which object it is trying to dereference.

So we have no clue yet how to fix it.

Note: the same code works on Wheezy.
And there is no hint in the 5 additional patches used to make the Jessie
version that they relate to this issue.

So it might be a bug that is handled differently by different gcc 
versions.
Or some core libraries have a different API or different fault 
behaviour.

At the moment, this bug makes QtMoko/Jessie not really usable.

Comment 1 by Andreas Kemnade, Mar 2, 2018

Experimenting with breakpoints yields the
following. Maybe an issue with threading,
e.g. two threads cleaning up the same thing?

> (gdb) cont
> Continuing.
>
> Program received signal SIGSEGV, Segmentation fault.
> QSmoothListPrivate::removeItems (this=0xa96, start=start@entry=0,
>    end=end@entry=0)
>    at /home/qtbuild/qtmoko/src/libraries/qtopia/qsmoothlist.cpp:942
> 942	in /home/qtbuild/qtmoko/src/libraries/qtopia/qsmoothlist.cpp
> (gdb) bt
> #0  QSmoothListPrivate::removeItems (this=0xa96, start=start@entry=0,
>    end=end@entry=0)
>    at /home/qtbuild/qtmoko/src/libraries/qtopia/qsmoothlist.cpp:942
> #1  0xb6a988c8 in QSmoothList::rowsRemoved (this=0x63d650, index=...,
>    first=<optimized out>, last=<optimized out>)
>    at /home/qtbuild/qtmoko/src/libraries/qtopia/qsmoothlist.cpp:3426
> #2  0xb5abb7b0 in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) () from /opt/qtmoko/lib/libQtCore.so.4
> #3  0xb5b07880 in QAbstractItemModel::rowsRemoved(QModelIndex const&, int, int)
>    () from /opt/qtmoko/lib/libQtCore.so.4
> #4  0xb5aa22c0 in QAbstractItemModel::endRemoveRows() ()
>   from /opt/qtmoko/lib/libQtCore.so.4
> #5  0xb5abb7b0 in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) () from /opt/qtmoko/lib/libQtCore.so.4
> #6  0xb5abb7b0 in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) () from /opt/qtmoko/lib/libQtCore.so.4
> #7  0xb6ac1e48 in QSqlContentSetEngine::qt_static_metacall (
>    _o=<optimized out>, _id=<optimized out>, _a=<optimized out>,
>    _c=<optimized out>)
>    at /home/qtbuild/build-gta04/src/libraries/qtopia/.moc/moc_qsqlcontentsetengine_p.cpp:68
> #8  0xb5ab958c in QObject::event(QEvent*) ()
>   from /opt/qtmoko/lib/libQtCore.so.4
> ---Type <return> to continue, or q <return> to quit---
> #9  0xb5e8775c in QApplicationPrivate::notify_helper(QObject*, QEvent*) ()
>   from /opt/qtmoko/lib/libQtGui.so.4
> #10 0xb5e8d8a0 in QApplication::notify(QObject*, QEvent*) ()
>   from /opt/qtmoko/lib/libQtGui.so.4
> Cannot access memory at address 0x0
> #11 0xb6af8000 in ?? () from /opt/qtmoko/lib/libqtopia.so.4
> Cannot access memory at address 0x0
> Backtrace stopped: previous frame identical to this frame (corrupt stack?)
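
Added example, not part of the original issue or of the QtMoko sources: a debug-only free tracker that addresses the gap described in the report (the abort does not say where the first free happened) and the threading question raised in Comment 1, by recording the call site and thread of each free and reporting them when the same address is freed again. The names tracked_malloc, tracked_free, TRACKED_FREE and FreeRecord are hypothetical, and the item in main() is a constructed stand-in, not the QSmoothList data structure.

```cpp
// Added example: debug-only free tracker. All names here are hypothetical.
#include <cstdio>
#include <cstdlib>
#include <map>
#include <mutex>
#include <sstream>
#include <string>
#include <thread>
struct FreeRecord {
    std::string site;     // file:line of the first free
    std::thread::id tid;  // thread that performed it
};
static std::map<void*, FreeRecord> g_freed;  // addresses already released
static std::mutex g_lock;
void* tracked_malloc(std::size_t n) {
    void* p = std::malloc(n);
    std::lock_guard<std::mutex> guard(g_lock);
    g_freed.erase(p);  // the allocator reused this address: it is live again
    return p;
}

// Returns "" for a normal free; on a repeat, a report naming the first free.
std::string tracked_free(void* p, const char* file, int line) {
    if (!p) return "";
    std::ostringstream site;
    site << file << ":" << line;
    std::lock_guard<std::mutex> guard(g_lock);
    auto it = g_freed.find(p);
    if (it != g_freed.end()) {  // second free: report it, do not call free()
        bool same = it->second.tid == std::this_thread::get_id();
        std::ostringstream r;
        r << "double free at " << site.str() << "; first freed at "
          << it->second.site << (same ? " (same thread)" : " (other thread)");
        return r.str();
    }
    g_freed[p] = FreeRecord{site.str(), std::this_thread::get_id()};
    std::free(p);
    return "";
}
#define TRACKED_FREE(p) tracked_free((p), __FILE__, __LINE__)

int main() {
    void* item = tracked_malloc(32);          // constructed stand-in for a list item
    TRACKED_FREE(item);                       // first release
    std::string report = TRACKED_FREE(item);  // second release of the same item
    std::printf("%s\n", report.c_str());
    return report.empty() ? 1 : 0;
}
```

Running the unmodified binary under Valgrind's memcheck gives the same kind of information without code changes: for an invalid free it prints the stack of the earlier free alongside the stack of the failing one.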

Created: 6 years 4 months ago by Nikolaus Schaller

Updated: 6 years 4 months ago

Status: New

Followed by: 1 person

Labels:
Type:Defect
Priority:High