https://bugs.kde.org/show_bug.cgi?id=426387

Ralf Habacker <ralf.habac...@freenet.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
      Latest Commit|                            |https://invent.kde.org/fram
                   |                            |eworks/kinit/commit/2a5d047
                   |                            |b49a866de7e478a632ef53ab1d7
                   |                            |11c273
   Version Fixed In|                            |5.85.0
         Resolution|---                         |FIXED

--- Comment #5 from Ralf Habacker <ralf.habac...@freenet.de> ---
Git commit 2a5d047b49a866de7e478a632ef53ab1d711c273 by Ralf Habacker.
Committed on 21/07/2021 at 07:42.
Pushed by dfaure into branch 'master'.

Fixes crash in KLauncher::idleTimeout() caused by unblockable destruction of
IdleSlave objects

According to the documentation of QObject::destroyed() at
https://doc.qt.io/qt-5/qobject.html#destroyed this signal cannot be
blocked.
This can lead to the fact that by removing an object from mSlaveList by
slotSlaveGone(), the contents of the list are changed in such a way that
with the next iteration again an access to the deleted object takes place
and thereby a segmentation fault is released.

See the following real world trace without this patch

"2021/07/14 12:57:55,782" idleTimeout
"2021/07/14 12:57:55,782" idleTimeout 0x4d29a60
"2021/07/14 12:57:55,782" idleTimeout 0x4d32778
"2021/07/14 12:57:55,782" idleTimeout killing KIO::IdleSlave(0x4d32778)
"2021/07/14 12:57:55,782" slotSlaveGone QObject(0x4d32778)
"2021/07/14 12:57:55,782" idleTimeout 0x4d54550
"2021/07/14 12:57:55,782" idleTimeout killing KIO::IdleSlave(0x4d54550)
"2021/07/14 12:57:55,782" slotSlaveGone QObject(0x4d54550)
"2021/07/14 12:57:55,782" idleTimeout 0x4d61460
"2021/07/14 12:57:55,782" idleTimeout killing KIO::IdleSlave(0x4d61460)
"2021/07/14 12:57:55,782" slotSlaveGone QObject(0x4d61460)
"2021/07/14 12:57:55,782" idleTimeout 0x4d61460
Thread 1 received signal SIGSEGV, Segmentation fault.

where the calls to slotSlaveGone() are intermixed with the iteration.

In the opposite after applying this patch there is

"2021/07/14 13:06:12,870" idleTimeout
"2021/07/14 13:06:12,870" idleTimeout 0x4d3a668
"2021/07/14 13:06:12,870" idleTimeout 0x4d6f8e8
"2021/07/14 13:06:12,870" idleTimeout killing KIO::IdleSlave(0x4d6f8e8)
"2021/07/14 13:06:12,870" idleTimeout 0x4d60540
"2021/07/14 13:06:12,870" idleTimeout killing KIO::IdleSlave(0x4d60540)
"2021/07/14 13:06:12,870" idleTimeout 0x4d6d400
"2021/07/14 13:06:12,870" idleTimeout killing KIO::IdleSlave(0x4d6d400)
"2021/07/14 13:06:12,870" idleTimeout 0x4da14a8
"2021/07/14 13:06:12,870" idleTimeout killing KIO::IdleSlave(0x4da14a8)
"2021/07/14 13:06:12,870" slotSlaveGone QObject(0x4d6f8e8)
"2021/07/14 13:06:12,870" slotSlaveGone QObject(0x4d60540)
"2021/07/14 13:06:12,870" slotSlaveGone QObject(0x4d6d400)
"2021/07/14 13:06:12,870" slotSlaveGone QObject(0x4da14a8)

which shows that deleting the slaves after leaving idleTimeout() happens.
FIXED-IN:5.85.0

M  +1    -1    src/klauncher/klauncher.cpp

https://invent.kde.org/frameworks/kinit/commit/2a5d047b49a866de7e478a632ef53ab1d711c273

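The two orderings in the traces above can be modelled without Qt. The following is an added example, not code from the kinit commit or from the comment's author: `Slave`, `Launcher`, `slaveGone`, `run` and the `deferred` switch are hypothetical stand-ins, and the destructor callback plays the role of the `destroyed()` signal. It does not reproduce the crash; it shows the list being modified while the loop is still running when destruction is immediate, and left untouched when destruction is postponed until the loop has finished.

```cpp
#include <algorithm>
#include <cstdio>
#include <string>
#include <vector>
// Constructed model, not kinit code. Hypothetical names: Slave stands in for
// KIO::IdleSlave, Launcher for KLauncher, slaves for mSlaveList.
struct Launcher;
struct Slave {
    Launcher *owner; int id; bool idle;
    ~Slave();                          // plays the role of QObject::destroyed()
};
struct Launcher {
    std::vector<Slave *> slaves;
    std::vector<std::string> log;
    bool iterating = false;
    int mutations = 0;                 // list changes made while the loop runs
    void slaveGone(Slave *s) {         // plays the role of slotSlaveGone()
        if (iterating) ++mutations;
        log.push_back("gone " + std::to_string(s->id));
        slaves.erase(std::remove(slaves.begin(), slaves.end(), s), slaves.end());
    }
    void idleTimeout(bool deferred) {
        std::vector<Slave *> doomed;
        iterating = true;
        // size() is re-read each step so the model itself stays well defined.
        for (std::size_t i = 0; i < slaves.size(); ++i) {
            Slave *s = slaves[i];
            if (!s->idle) continue;
            log.push_back("kill " + std::to_string(s->id));
            if (deferred) doomed.push_back(s); else delete s;
        }
        iterating = false;
        for (Slave *s : doomed) delete s;   // destruction after the iteration
    }
};
Slave::~Slave() { owner->slaveGone(this); }
struct Result { int mutations; std::size_t remaining; std::vector<std::string> log; };
Result run(bool deferred) {
    Launcher l;
    for (int id = 1; id <= 5; ++id) l.slaves.push_back(new Slave{&l, id, id != 1});
    l.idleTimeout(deferred);
    Result r{l.mutations, l.slaves.size(), l.log};
    while (!l.slaves.empty()) delete l.slaves.back();   // tidy up the model
    return r;
}
int main() {
    Result a = run(false), b = run(true);
    std::printf("immediate: %d/%zu, deferred: %d/%zu\n", a.mutations, a.remaining, b.mutations, b.remaining);
}
```

With immediate destruction the model's loop skips two idle entries because the list shrinks underneath it; code that iterates with a cached end position would instead read past the live elements.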