https://bugs.kde.org/show_bug.cgi?id=356813

--- Comment #1 from Santhiar <santhiar.anir...@gmail.com> ---
On further investigation, this is a use-after-free bug. I built kwrite with
AddressSanitizer, and reproducing the scenario that triggers the bug produced the
following AddressSanitizer report. Reading the trace: the QPrintDialog created in
KatePrinter::print (kateprinter.cpp:124) is a child of the KWrite main window, so it
is deleted together with that window by QObjectPrivate::deleteChildren while
QPrintDialog::exec() is still running its nested event loop (kateprinter.cpp:131); the
QScopedPointer in KatePrinter::print then deletes the already-freed dialog a second
time when it goes out of scope (kateprinter.cpp:672):

=================================================================
==23568==ERROR: AddressSanitizer: heap-use-after-free on address 0x6040000ab590
at pc 0x7f74ba658e57 bp 0x7fff0a5e0650 sp 0x7fff0a5e0648
READ of size 8 at 0x6040000ab590 thread T0
    #0 0x7f74ba658e56 in
QScopedPointerDeleter<QPrintDialog>::cleanup(QPrintDialog*)
qt4/include/QtCore/qscopedpointer.h:62
    #1 0x7f74ba658e56 in ~QScopedPointer
qt4/include/QtCore/qscopedpointer.h:100
    #2 0x7f74ba658e56 in ~QScopedPointer qt4/include/QtCore/qscopedpointer.h:98
    #3 0x7f74ba658e56 in KatePrinter::print(KateDocument*)
KDE/kde/applications/kate/part/utils/kateprinter.cpp:672
    #4 0x7f74ba0b2650 in KateDocument::print()
KDE/kde/applications/kate/part/document/katedocument.cpp:1855
    #5 0x7f74ba0b2650 in KateDocument::qt_static_metacall(QObject*,
QMetaObject::Call, int, void**)
KDE/build-asan/kde/applications/kate/part/katedocument.moc:267
    #6 0x7f74ca2d9606 in QMetaObject::activate(QObject*, QMetaObject const*,
int, void**) (qt4/lib/libQtCore.so.4+0x255606)
    #7 0x7f74cb78a41c in QAction::triggered(bool)
(qt4/lib/libQtGui.so.4+0x22541c)
    #8 0x7f74cb78a231 in QAction::activate(QAction::ActionEvent)
(qt4/lib/libQtGui.so.4+0x225231)
    #9 0x7f74cb78a054 in QAction::event(QEvent*)
(qt4/lib/libQtGui.so.4+0x225054)
    #10 0x7f74cccaf7c6 in KAction::event(QEvent*)
KDE/kde/kdelibs/kdeui/actions/kaction.cpp:131
    #11 0x7f74cb79a48e in QApplicationPrivate::notify_helper(QObject*, QEvent*)
(qt4/lib/libQtGui.so.4+0x23548e)
    #12 0x7f74cb79ca8d in QApplication::notify(QObject*, QEvent*)
(qt4/lib/libQtGui.so.4+0x237a8d)
    #13 0x7f74cd05c340 in KApplication::notify(QObject*, QEvent*)
KDE/kde/kdelibs/kdeui/kernel/kapplication.cpp:311
    #14 0x7f74ca2b1dc5 in QCoreApplication::notifyInternal(QObject*, QEvent*)
(qt4/lib/libQtCore.so.4+0x22ddc5)
    #15 0x7f74cb78b779 in QCoreApplication::sendEvent(QObject*, QEvent*)
(qt4/lib/libQtGui.so.4+0x226779)
    #16 0x7f74cb7f0cdb in QShortcutMap::dispatchEvent(QKeyEvent*)
(qt4/lib/libQtGui.so.4+0x28bcdb)
    #17 0x7f74cb7f06d8 in QShortcutMap::tryShortcutEvent(QObject*, QKeyEvent*)
(qt4/lib/libQtGui.so.4+0x28b6d8)
    #18 0x7f74cb79ceaa in QApplication::notify(QObject*, QEvent*)
(qt4/lib/libQtGui.so.4+0x237eaa)
    #19 0x7f74cd05c340 in KApplication::notify(QObject*, QEvent*)
KDE/kde/kdelibs/kdeui/kernel/kapplication.cpp:311
    #20 0x7f74ca2b1dc5 in QCoreApplication::notifyInternal(QObject*, QEvent*)
(qt4/lib/libQtCore.so.4+0x22ddc5)
    #21 0x7f74cb7a502e in QCoreApplication::sendSpontaneousEvent(QObject*,
QEvent*) (qt4/lib/libQtGui.so.4+0x24002e)
    #22 0x7f74cb7a089c in qt_sendSpontaneousEvent(QObject*, QEvent*)
(qt4/lib/libQtGui.so.4+0x23b89c)
    #23 0x7f74cb8ae35d in QKeyMapper::sendKeyEvent(QWidget*, bool,
QEvent::Type, int, QFlags<Qt::KeyboardModifier>, QString const&, bool, int,
unsigned int, unsigned int, unsigned int, bool*)
(qt4/lib/libQtGui.so.4+0x34935d)
    #24 0x7f74cb8add40 in QKeyMapperPrivate::translateKeyEvent(QWidget*,
_XEvent const*, bool) (qt4/lib/libQtGui.so.4+0x348d40)
    #25 0x7f74cb8680b3 in QApplication::x11ProcessEvent(_XEvent*)
(qt4/lib/libQtGui.so.4+0x3030b3)
    #26 0x7f74cb8b2455 in
QEventDispatcherX11::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)
(qt4/lib/libQtGui.so.4+0x34d455)
    #27 0x7f74ca2acf6b in
QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)
(qt4/lib/libQtCore.so.4+0x228f6b)
    #28 0x7f74ca2ad331 in
QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>)
(qt4/lib/libQtCore.so.4+0x229331)
    #29 0x7f74ca2b25ed in QCoreApplication::exec()
(qt4/lib/libQtCore.so.4+0x22e5ed)
    #30 0x7f74cb79c525 in QApplication::exec() (qt4/lib/libQtGui.so.4+0x237525)
    #31 0x7f74cf2f74b5 in kdemain
KDE/kde/applications/kate/kwrite/kwritemain.cpp:739
    #32 0x445cc8 in main (KDE/install-asan/bin/kwrite+0x445cc8)
    #33 0x7f74c8bde76c (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
    #34 0x445bcc in _start (KDE/install-asan/bin/kwrite+0x445bcc)
0x6040000ab590 is located 0 bytes inside of 40-byte region
[0x6040000ab590,0x6040000ab5b8)
freed by thread T0 here:
    #0 0x4311ea in operator delete(void*)
(KDE/install-asan/bin/kwrite+0x4311ea)
    #1 0x7f74cbf306c8 in QPrintDialog::~QPrintDialog()
(qt4/lib/libQtGui.so.4+0x9cb6c8)
    #2 0x7f74ca2d1dd3 in QObjectPrivate::deleteChildren()
(qt4/lib/libQtCore.so.4+0x24ddd3)
    #3 0x7f74cb80e112 in QWidget::~QWidget() (qt4/lib/libQtGui.so.4+0x2a9112)
    #4 0x7f74cbe445e4 in QMainWindow::~QMainWindow()
(qt4/lib/libQtGui.so.4+0x8df5e4)
    #5 0x7f74cd370b5e in KMainWindow::~KMainWindow()
KDE/kde/kdelibs/kdeui/widgets/kmainwindow.cpp:473
    #6 0x7f74cd481ee1 in KXmlGuiWindow::~KXmlGuiWindow()
KDE/kde/kdelibs/kdeui/xmlgui/kxmlguiwindow.cpp:122
    #7 0x7f74ceda1d2c in KParts::MainWindow::~MainWindow()
KDE/kde/kdelibs/kparts/mainwindow.cpp:79
    #8 0x7f74cf2ed70e in KWrite::~KWrite()
KDE/kde/applications/kate/kwrite/kwritemain.cpp:146
    #9 0x7f74cf2ecd45 in ~KWrite
KDE/kde/applications/kate/kwrite/kwritemain.cpp:131
    #10 0x7f74cf2ecd45 in KWrite::~KWrite()
KDE/kde/applications/kate/kwrite/kwritemain.cpp:131
    #11 0x7f74ca2d2e3d in qDeleteInEventHandler(QObject*)
(qt4/lib/libQtCore.so.4+0x24ee3d)
    #12 0x7f74ca2d29a7 in QObject::event(QEvent*)
(qt4/lib/libQtCore.so.4+0x24e9a7)
    #13 0x7f74cb825345 in QWidget::event(QEvent*)
(qt4/lib/libQtGui.so.4+0x2c0345)
    #14 0x7f74cbe46f72 in QMainWindow::event(QEvent*)
(qt4/lib/libQtGui.so.4+0x8e1f72)
    #15 0x7f74cd37c133 in KMainWindow::event(QEvent*)
KDE/kde/kdelibs/kdeui/widgets/kmainwindow.cpp:1126
    #16 0x7f74cd4820b2 in KXmlGuiWindow::event(QEvent*)
KDE/kde/kdelibs/kdeui/xmlgui/kxmlguiwindow.cpp:126
    #17 0x7f74cb79a48e in QApplicationPrivate::notify_helper(QObject*, QEvent*)
(qt4/lib/libQtGui.so.4+0x23548e)
    #18 0x7f74cb7a032b in QApplication::notify(QObject*, QEvent*)
(qt4/lib/libQtGui.so.4+0x23b32b)
    #19 0x7f74cd05c340 in KApplication::notify(QObject*, QEvent*)
KDE/kde/kdelibs/kdeui/kernel/kapplication.cpp:311
    #20 0x7f74ca2b1dc5 in QCoreApplication::notifyInternal(QObject*, QEvent*)
(qt4/lib/libQtCore.so.4+0x22ddc5)
    #21 0x7f74ca2b6549 in QCoreApplication::sendEvent(QObject*, QEvent*)
(qt4/lib/libQtCore.so.4+0x232549)
    #22 0x7f74ca2b33f3 in QCoreApplicationPrivate::sendPostedEvents(QObject*,
int, QThreadData*) (qt4/lib/libQtCore.so.4+0x22f3f3)
    #23 0x7f74ca3042f6 in
QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)
(qt4/lib/libQtCore.so.4+0x2802f6)
    #24 0x7f74cb8b2669 in
QEventDispatcherX11::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)
(qt4/lib/libQtGui.so.4+0x34d669)
    #25 0x7f74ca2acf6b in
QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)
(qt4/lib/libQtCore.so.4+0x228f6b)
    #26 0x7f74ca2ad331 in
QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>)
(qt4/lib/libQtCore.so.4+0x229331)
    #27 0x7f74cbf4ec8a in QDialog::exec() (qt4/lib/libQtGui.so.4+0x9e9c8a)
    #28 0x7f74cbf30794 in QPrintDialog::exec() (qt4/lib/libQtGui.so.4+0x9cb794)
    #29 0x7f74ba6492e4 in KatePrinter::print(KateDocument*)
KDE/kde/applications/kate/part/utils/kateprinter.cpp:131
    #30 0x7f74ba0b2650 in KateDocument::print()
KDE/kde/applications/kate/part/document/katedocument.cpp:1855
    #31 0x7f74ba0b2650 in KateDocument::qt_static_metacall(QObject*,
QMetaObject::Call, int, void**)
KDE/build-asan/kde/applications/kate/part/katedocument.moc:267
    #32 0x7f74ca2d9606 in QMetaObject::activate(QObject*, QMetaObject const*,
int, void**) (qt4/lib/libQtCore.so.4+0x255606)
    #33 0x7f74cb78a41c in QAction::triggered(bool)
(qt4/lib/libQtGui.so.4+0x22541c)
    #34 0x7f74cb78a231 in QAction::activate(QAction::ActionEvent)
(qt4/lib/libQtGui.so.4+0x225231)
    #35 0x7f74cb78a054 in QAction::event(QEvent*)
(qt4/lib/libQtGui.so.4+0x225054)
    #36 0x7f74cccaf7c6 in KAction::event(QEvent*)
KDE/kde/kdelibs/kdeui/actions/kaction.cpp:131
    #37 0x7f74cb79a48e in QApplicationPrivate::notify_helper(QObject*, QEvent*)
(qt4/lib/libQtGui.so.4+0x23548e)
    #38 0x7f74cb79ca8d in QApplication::notify(QObject*, QEvent*)
(qt4/lib/libQtGui.so.4+0x237a8d)
    #39 0x7f74cd05c340 in KApplication::notify(QObject*, QEvent*)
KDE/kde/kdelibs/kdeui/kernel/kapplication.cpp:311
    #40 0x7f74ca2b1dc5 in QCoreApplication::notifyInternal(QObject*, QEvent*)
(qt4/lib/libQtCore.so.4+0x22ddc5)
    #41 0x7f74cb78b779 in QCoreApplication::sendEvent(QObject*, QEvent*)
(qt4/lib/libQtGui.so.4+0x226779)
    #42 0x7f74cb7f0cdb in QShortcutMap::dispatchEvent(QKeyEvent*)
(qt4/lib/libQtGui.so.4+0x28bcdb)
    #43 0x7f74cb7f06d8 in QShortcutMap::tryShortcutEvent(QObject*, QKeyEvent*)
(qt4/lib/libQtGui.so.4+0x28b6d8)
    #44 0x7f74cb79ceaa in QApplication::notify(QObject*, QEvent*)
(qt4/lib/libQtGui.so.4+0x237eaa)
    #45 0x7f74cd05c340 in KApplication::notify(QObject*, QEvent*)
KDE/kde/kdelibs/kdeui/kernel/kapplication.cpp:311
    #46 0x7f74ca2b1dc5 in QCoreApplication::notifyInternal(QObject*, QEvent*)
(qt4/lib/libQtCore.so.4+0x22ddc5)
    #47 0x7f74cb7a502e in QCoreApplication::sendSpontaneousEvent(QObject*,
QEvent*) (qt4/lib/libQtGui.so.4+0x24002e)
    #48 0x7f74cb7a089c in qt_sendSpontaneousEvent(QObject*, QEvent*)
(qt4/lib/libQtGui.so.4+0x23b89c)
    #49 0x7f74cb8ae35d in QKeyMapper::sendKeyEvent(QWidget*, bool,
QEvent::Type, int, QFlags<Qt::KeyboardModifier>, QString const&, bool, int,
unsigned int, unsigned int, unsigned int, bool*)
(qt4/lib/libQtGui.so.4+0x34935d)
    #50 0x7f74cb8add40 in QKeyMapperPrivate::translateKeyEvent(QWidget*,
_XEvent const*, bool) (qt4/lib/libQtGui.so.4+0x348d40)
    #51 0x7f74cb8680b3 in QApplication::x11ProcessEvent(_XEvent*)
(qt4/lib/libQtGui.so.4+0x3030b3)
    #52 0x7f74cb8b2455 in
QEventDispatcherX11::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)
(qt4/lib/libQtGui.so.4+0x34d455)
    #53 0x7f74ca2acf6b in
QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)
(qt4/lib/libQtCore.so.4+0x228f6b)
    #54 0x7f74ca2ad331 in
QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>)
(qt4/lib/libQtCore.so.4+0x229331)
    #55 0x7f74ca2b25ed in QCoreApplication::exec()
(qt4/lib/libQtCore.so.4+0x22e5ed)
    #56 0x7f74cb79c525 in QApplication::exec() (qt4/lib/libQtGui.so.4+0x237525)
    #57 0x7f74cf2f74b5 in kdemain
KDE/kde/applications/kate/kwrite/kwritemain.cpp:739
    #58 0x445cc8 in main (KDE/install-asan/bin/kwrite+0x445cc8)
    #59 0x7f74c8bde76c (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
    #60 0x445bcc in _start (KDE/install-asan/bin/kwrite+0x445bcc)
previously allocated by thread T0 here:
    #0 0x430f6a in operator new(unsigned long)
(KDE/install-asan/bin/kwrite+0x430f6a)
    #1 0x7f74cd526799 in KdePrint::createPrintDialog(QPrinter*,
KdePrint::PageSelectPolicy, QList<QWidget*> const&, QWidget*)
KDE/kde/kdelibs/kdeui/dialogs/kdeprintdialog.cpp:44
    #2 0x7f74ba6491fb in KatePrinter::print(KateDocument*)
KDE/kde/applications/kate/part/utils/kateprinter.cpp:124
    #3 0x7f74ba0b2650 in KateDocument::print()
KDE/kde/applications/kate/part/document/katedocument.cpp:1855
    #4 0x7f74ba0b2650 in KateDocument::qt_static_metacall(QObject*,
QMetaObject::Call, int, void**)
KDE/build-asan/kde/applications/kate/part/katedocument.moc:267
    #5 0x7f74ca2d9606 in QMetaObject::activate(QObject*, QMetaObject const*,
int, void**) (qt4/lib/libQtCore.so.4+0x255606)
    #6 0x7f74cb78a41c in QAction::triggered(bool)
(qt4/lib/libQtGui.so.4+0x22541c)
    #7 0x7f74cb78a231 in QAction::activate(QAction::ActionEvent)
(qt4/lib/libQtGui.so.4+0x225231)
    #8 0x7f74cb78a054 in QAction::event(QEvent*)
(qt4/lib/libQtGui.so.4+0x225054)
    #9 0x7f74cccaf7c6 in KAction::event(QEvent*)
KDE/kde/kdelibs/kdeui/actions/kaction.cpp:131
    #10 0x7f74cb79a48e in QApplicationPrivate::notify_helper(QObject*, QEvent*)
(qt4/lib/libQtGui.so.4+0x23548e)
    #11 0x7f74cb79ca8d in QApplication::notify(QObject*, QEvent*)
(qt4/lib/libQtGui.so.4+0x237a8d)
    #12 0x7f74cd05c340 in KApplication::notify(QObject*, QEvent*)
KDE/kde/kdelibs/kdeui/kernel/kapplication.cpp:311
    #13 0x7f74ca2b1dc5 in QCoreApplication::notifyInternal(QObject*, QEvent*)
(qt4/lib/libQtCore.so.4+0x22ddc5)
    #14 0x7f74cb78b779 in QCoreApplication::sendEvent(QObject*, QEvent*)
(qt4/lib/libQtGui.so.4+0x226779)
    #15 0x7f74cb7f0cdb in QShortcutMap::dispatchEvent(QKeyEvent*)
(qt4/lib/libQtGui.so.4+0x28bcdb)
    #16 0x7f74cb7f06d8 in QShortcutMap::tryShortcutEvent(QObject*, QKeyEvent*)
(qt4/lib/libQtGui.so.4+0x28b6d8)
    #17 0x7f74cb79ceaa in QApplication::notify(QObject*, QEvent*)
(qt4/lib/libQtGui.so.4+0x237eaa)
    #18 0x7f74cd05c340 in KApplication::notify(QObject*, QEvent*)
KDE/kde/kdelibs/kdeui/kernel/kapplication.cpp:311
    #19 0x7f74ca2b1dc5 in QCoreApplication::notifyInternal(QObject*, QEvent*)
(qt4/lib/libQtCore.so.4+0x22ddc5)
    #20 0x7f74cb7a502e in QCoreApplication::sendSpontaneousEvent(QObject*,
QEvent*) (qt4/lib/libQtGui.so.4+0x24002e)
    #21 0x7f74cb7a089c in qt_sendSpontaneousEvent(QObject*, QEvent*)
(qt4/lib/libQtGui.so.4+0x23b89c)
    #22 0x7f74cb8ae35d in QKeyMapper::sendKeyEvent(QWidget*, bool,
QEvent::Type, int, QFlags<Qt::KeyboardModifier>, QString const&, bool, int,
unsigned int, unsigned int, unsigned int, bool*)
(qt4/lib/libQtGui.so.4+0x34935d)
    #23 0x7f74cb8add40 in QKeyMapperPrivate::translateKeyEvent(QWidget*,
_XEvent const*, bool) (qt4/lib/libQtGui.so.4+0x348d40)
    #24 0x7f74cb8680b3 in QApplication::x11ProcessEvent(_XEvent*)
(qt4/lib/libQtGui.so.4+0x3030b3)
    #25 0x7f74cb8b2455 in
QEventDispatcherX11::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)
(qt4/lib/libQtGui.so.4+0x34d455)
    #26 0x7f74ca2acf6b in
QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)
(qt4/lib/libQtCore.so.4+0x228f6b)
    #27 0x7f74ca2ad331 in
QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>)
(qt4/lib/libQtCore.so.4+0x229331)
    #28 0x7f74ca2b25ed in QCoreApplication::exec()
(qt4/lib/libQtCore.so.4+0x22e5ed)
    #29 0x7f74cb79c525 in QApplication::exec() (qt4/lib/libQtGui.so.4+0x237525)
    #30 0x7f74cf2f74b5 in kdemain
KDE/kde/applications/kate/kwrite/kwritemain.cpp:739
    #31 0x445cc8 in main (KDE/install-asan/bin/kwrite+0x445cc8)
    #32 0x7f74c8bde76c (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
    #33 0x445bcc in _start (KDE/install-asan/bin/kwrite+0x445bcc)
SUMMARY: AddressSanitizer: heap-use-after-free
qt4/include/QtCore/qscopedpointer.h:62
QScopedPointerDeleter<QPrintDialog>::cleanup(QPrintDialog*)
Shadow bytes around the buggy address:
  0x0c088000d660: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 fa
  0x0c088000d670: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 03
  0x0c088000d680: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 07
  0x0c088000d690: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
  0x0c088000d6a0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
=>0x0c088000d6b0: fa fa[fd]fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c088000d6c0: fa fa 00 00 00 00 00 07 fa fa fd fd fd fd fd fd
  0x0c088000d6d0: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 07
  0x0c088000d6e0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c088000d6f0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c088000d700: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==23568==ABORTING

