Bug#913715: simulide: terminates with segfault sometimes, when trying to undo changes

[Bernhard Übelacker]

Hello Nils Jarle Haugen,
these instructions are great to reproduce the crash.

Below is the backtrace with debug symbols installed.
It looks like the vector m_boardLed->m_pin contains invalid
data, and therefore we crash when calling methods on an
element retrieved from it.

Valgrind shows the same backtrace, while the accessed element
got free'd before.

This should probably be forwarded to upstream developers.
Upstream commit [1] might be related, but does not apply
cleanly to 0.1.7+dfsg-2.

Kind regards,
Bernhard



[1] https://sourceforge.net/p/simulide/svnrepo/434/




Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00005588dcda66e5 in Arduino::initialize (this=0x5588de934280) at 
../src/gui/circuitwidget/components/mcu/arduino.cpp:173
173             m_boardLed->getEpin(0)->setEnode(enod);
[Current thread is 1 (Thread 0x7f4e80ab3f80 (LWP 12035))]
(gdb) set width 0
(gdb) set pagination off
(gdb) directory /home/benutzer/simulide/orig/simulide-0.1.7+dfsg/src
Source directories searched: 
/home/benutzer/simulide/orig/simulide-0.1.7+dfsg/src:$cdir:$cwd
(gdb) bt
#0  0x00005588dcda66e5 in Arduino::initialize (this=0x5588de934280) at 
../src/gui/circuitwidget/components/mcu/arduino.cpp:173
#1  0x00005588dcdfee62 in Simulator::runContinuous (this=0x5588de808c30) at 
../src/simulator/simulator.cpp:176
#2  0x00005588dcd321bf in Circuit::undo (this=this@entry=0x5588de808ba0) at 
../src/gui/circuitwidget/circuit.cpp:602
#3  0x00005588dcd36230 in Circuit::keyPressEvent (this=0x5588de808ba0, 
event=0x7ffc53072c50) at ../src/gui/circuitwidget/circuit.cpp:999
#4  0x00007f4e8912a567 in QGraphicsScene::event (this=0x5588de808ba0, 
event=0x7ffc53072c50) at graphicsview/qgraphicsscene.cpp:3387
#5  0x00007f4e88e1a491 in QApplicationPrivate::notify_helper 
(this=this@entry=0x5588de7832c0, receiver=receiver@entry=0x5588de808ba0, 
e=e@entry=0x7ffc53072c50) at kernel/qapplication.cpp:3727
#6  0x00007f4e88e21ad0 in QApplication::notify (this=0x7ffc53072ea0, 
receiver=0x5588de808ba0, e=0x7ffc53072c50) at kernel/qapplication.cpp:3486
#7  0x00007f4e8832d039 in QCoreApplication::notifyInternal2 
(receiver=0x5588de808ba0, event=event@entry=0x7ffc53072c50) at 
../../include/QtCore/5.11.2/QtCore/private/../../../../../src/corelib/thread/qthread_p.h:307
#8  0x00007f4e89146f87 in QCoreApplication::sendEvent (event=0x7ffc53072c50, 
receiver=<optimized out>) at 
../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:234
#9  QGraphicsView::keyPressEvent (this=0x5588de85a9e0, event=0x7ffc53072c50) at 
graphicsview/qgraphicsview.cpp:3161
#10 0x00007f4e88e58de7 in QWidget::event (this=this@entry=0x5588de85a9e0, 
event=event@entry=0x7ffc53072c50) at kernel/qwidget.cpp:8940
#11 0x00007f4e88efbdee in QFrame::event (this=this@entry=0x5588de85a9e0, 
e=e@entry=0x7ffc53072c50) at widgets/qframe.cpp:550
#12 0x00007f4e88efea04 in QAbstractScrollArea::event (this=0x5588de85a9e0, 
e=0x7ffc53072c50) at widgets/qabstractscrollarea.cpp:1168
#13 0x00007f4e88e1a491 in QApplicationPrivate::notify_helper 
(this=this@entry=0x5588de7832c0, receiver=receiver@entry=0x5588de85a9e0, 
e=e@entry=0x7ffc53072c50) at kernel/qapplication.cpp:3727
#14 0x00007f4e88e22a59 in QApplication::notify (this=<optimized out>, 
receiver=0x5588de85a9e0, e=0x7ffc53072c50) at kernel/qapplication.cpp:3121
#15 0x00007f4e8832d039 in QCoreApplication::notifyInternal2 
(receiver=0x5588de85a9e0, event=0x7ffc53072c50) at 
../../include/QtCore/5.11.2/QtCore/private/../../../../../src/corelib/thread/qthread_p.h:307
#16 0x00007f4e88e75e79 in QWidgetWindow::event (event=0x7ffc53072c50, 
this=0x5588de92ce80) at kernel/qwidgetwindow.cpp:274
#17 QWidgetWindow::event (this=0x5588de92ce80, event=0x7ffc53072c50) at 
kernel/qwidgetwindow.cpp:224
#18 0x00007f4e88e1a491 in QApplicationPrivate::notify_helper 
(this=this@entry=0x5588de7832c0, receiver=receiver@entry=0x5588de92ce80, 
e=e@entry=0x7ffc53072c50) at kernel/qapplication.cpp:3727
#19 0x00007f4e88e21ad0 in QApplication::notify (this=0x7ffc53072ea0, 
receiver=0x5588de92ce80, e=0x7ffc53072c50) at kernel/qapplication.cpp:3486
#20 0x00007f4e8832d039 in QCoreApplication::notifyInternal2 
(receiver=receiver@entry=0x5588de92ce80, event=event@entry=0x7ffc53072c50) at 
../../include/QtCore/5.11.2/QtCore/private/../../../../../src/corelib/thread/qthread_p.h:307
#21 0x00007f4e8872e388 in QCoreApplication::sendSpontaneousEvent 
(event=0x7ffc53072c50, receiver=0x5588de92ce80) at 
../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:237
#22 QGuiApplicationPrivate::processKeyEvent (e=0x7f4e78028cb0) at 
kernel/qguiapplication.cpp:2207
#23 0x00007f4e88733a05 in QGuiApplicationPrivate::processWindowSystemEvent 
(e=e@entry=0x7f4e78028cb0) at kernel/qguiapplication.cpp:1822
#24 0x00007f4e8870dd8b in QWindowSystemInterface::sendWindowSystemEvents 
(flags=...) at kernel/qwindowsysteminterface.cpp:1032
#25 0x00007f4e80a0585b in QPAEventDispatcherGlib::processEvents 
(this=0x5588de775ef0, flags=...) at qeventdispatcher_glib.cpp:70
#26 0x00007f4e8832bd0b in QEventLoop::exec (this=this@entry=0x7ffc53072e20, 
flags=..., flags@entry=...) at 
../../include/QtCore/../../src/corelib/global/qflags.h:140
#27 0x00007f4e88333e82 in QCoreApplication::exec () at 
../../include/QtCore/../../src/corelib/global/qflags.h:120
#28 0x00005588dcd241cb in main (argc=<optimized out>, argv=<optimized out>) at 
../src/main.cpp:52

(gdb) display/i $pc
2: x/i $pc
=> 0x5588dcda66e5 <Arduino::initialize()+117>:  callq  *0x20(%rax)

(gdb) print/x *(void**)($rax+0x20)
Cannot access memory at address 0x3ff0000000000020

#0  0x00005588dcda66e5 in Arduino::initialize (this=0x5588de934280) at 
../src/gui/circuitwidget/components/mcu/arduino.cpp:173
173             m_boardLed->getEpin(0)->setEnode(enod);

(gdb) print m_boardLed->m_pin
$26 = std::vector of length 572973101420118016, capacity 572973101420118016 = 
{Cannot access memory at address 0xc063200000000000




==22734== Invalid read of size 8
==22734==    at 0x1E96DE: Arduino::initialize() (arduino.cpp:173)
==22734==    by 0x241E61: Simulator::runContinuous() (simulator.cpp:176)
==22734==    by 0x1751BE: Circuit::undo() (circuit.cpp:602)
==22734==    by 0x17922F: Circuit::keyPressEvent(QKeyEvent*) (circuit.cpp:999)
==22734==    by 0x5512566: QGraphicsScene::event(QEvent*) 
(qgraphicsscene.cpp:3387)
==22734==    by 0x5202490: QApplicationPrivate::notify_helper(QObject*, 
QEvent*) (qapplication.cpp:3727)
==22734==    by 0x5209ACF: QApplication::notify(QObject*, QEvent*) 
(qapplication.cpp:3486)
==22734==    by 0x6065038: QCoreApplication::notifyInternal2(QObject*, QEvent*) 
(qcoreapplication.cpp:1048)
==22734==    by 0x552EF86: sendEvent (qcoreapplication.h:234)
==22734==    by 0x552EF86: QGraphicsView::keyPressEvent(QKeyEvent*) 
(qgraphicsview.cpp:3161)
==22734==    by 0x5240DE6: QWidget::event(QEvent*) (qwidget.cpp:8940)
==22734==    by 0x52E3DED: QFrame::event(QEvent*) (qframe.cpp:550)
==22734==    by 0x52E6A03: QAbstractScrollArea::event(QEvent*) 
(qabstractscrollarea.cpp:1168)
==22734==  Address 0x11ccd220 is 224 bytes inside a block of size 440 free'd
==22734==    at 0x4836EAB: operator delete(void*) (vg_replace_malloc.c:576)
==22734==    by 0x1EB9CC: Arduino::remove() (arduino.cpp:104)
==22734==    by 0x16FF2F: Circuit::removeComp(Component*) (circuit.cpp:118)
==22734==    by 0x1717BC: Circuit::remove() (circuit.cpp:138)
==22734==    by 0x174F9D: Circuit::undo() (circuit.cpp:595)
==22734==    by 0x17922F: Circuit::keyPressEvent(QKeyEvent*) (circuit.cpp:999)
==22734==    by 0x5512566: QGraphicsScene::event(QEvent*) 
(qgraphicsscene.cpp:3387)
==22734==    by 0x5202490: QApplicationPrivate::notify_helper(QObject*, 
QEvent*) (qapplication.cpp:3727)
==22734==    by 0x5209ACF: QApplication::notify(QObject*, QEvent*) 
(qapplication.cpp:3486)
==22734==    by 0x6065038: QCoreApplication::notifyInternal2(QObject*, QEvent*) 
(qcoreapplication.cpp:1048)
==22734==    by 0x552EF86: sendEvent (qcoreapplication.h:234)
==22734==    by 0x552EF86: QGraphicsView::keyPressEvent(QKeyEvent*) 
(qgraphicsview.cpp:3161)
==22734==    by 0x5240DE6: QWidget::event(QEvent*) (qwidget.cpp:8940)
==22734==  Block was alloc'd at
==22734==    at 0x4835DEF: operator new(unsigned long) (vg_replace_malloc.c:334)
==22734==    by 0x1E9EF0: Arduino::initBoard() (arduino.cpp:185)
==22734==    by 0x1EAF81: Arduino::Arduino(QObject*, QString, QString) 
(arduino.cpp:79)
==22734==    by 0x1EB472: Arduino::construct(QObject*, QString, QString) 
(arduino.cpp:40)
==22734==    by 0x172D93: Circuit::createItem(QString, QString) 
(circuit.cpp:631)
==22734==    by 0x17B0EC: CircuitView::dragEnterEvent(QDragEnterEvent*) 
(circuitview.cpp:88)
==22734==    by 0x52407C7: QWidget::event(QEvent*) (qwidget.cpp:9287)
==22734==    by 0x52E3DED: QFrame::event(QEvent*) (qframe.cpp:550)
==22734==    by 0x552E2BA: QGraphicsView::viewportEvent(QEvent*) 
(qgraphicsview.cpp:2969)
==22734==    by 0x6064D4A: sendThroughObjectEventFilters 
(qcoreapplication.cpp:1174)
==22734==    by 0x6064D4A: 
QCoreApplicationPrivate::sendThroughObjectEventFilters(QObject*, QEvent*) 
(qcoreapplication.cpp:1163)
==22734==    by 0x5202480: QApplicationPrivate::notify_helper(QObject*, 
QEvent*) (qapplication.cpp:3723)
==22734==    by 0x520B1ED: QApplication::notify(QObject*, QEvent*) 
(qapplication.cpp:3449)
==22734== 

debugging.txt.gz
Description: application/gzip