
[REG 5.5 -> 5.6] Segfault in QDBusConnectionPrivate::closeConnection -> QObject::disconnect on exit

    Details

    • Type: Bug
    • Status: Closed
    • Priority: P1: Critical
    • Resolution: Done
    • Affects Version/s: 5.6.0, 5.6.1, 5.7.0
    • Fix Version/s: 5.9.0 Alpha
    • Component/s: D-Bus
    • Labels: None

      Description

      Since upgrading to 5.6, various applications segfault here on exit:

      #0  0x00007ffff1deaab7 in QObject::disconnect (sender=0x7fff8813ff80, signal=signal@entry=0x0, receiver=receiver@entry=0x7fff84010e50, method=method@entry=0x0) at kernel/qobject.cpp:2949
      #1  0x00007fffdba4af78 in QObject::disconnect (member=0x0, receiver=0x7fff84010e50, this=<optimized out>) at ../../include/QtCore/../../src/corelib/kernel/qobject.h:361
      #2  QDBusConnectionPrivate::closeConnection (this=this@entry=0x7fff84010e50) at qdbusintegrator.cpp:1126
      #3  0x00007fffdba3bb36 in QDBusConnectionManager::run (this=0x7fffdbcadd00 <(anonymous namespace)::Q_QGS__q_manager::innerFunction()::holder>) at qdbusconnection.cpp:191
      #4  0x00007ffff1be6de8 in QThreadPrivate::start (arg=0x7fffdbcadd00 <(anonymous namespace)::Q_QGS__q_manager::innerFunction()::holder>) at thread/qthread_unix.cpp:340
      #5  0x00007ffff76f5424 in start_thread () from /usr/lib/libpthread.so.0
      #6  0x00007ffff7434cbd in clone () from /usr/lib/libc.so.6
      

      Note the "member=0x0" - thread apply all bt full output

      Unfortunately the only way to always reproduce this is this script using PyQt and QtWebKit...

      import sys
      
      from PyQt5.QtCore import QUrl, QTimer
      from PyQt5.QtWidgets import QApplication
      from PyQt5.QtWebKitWidgets import QWebView
      
      app = QApplication(sys.argv)
      
      # Loading a page starts Qt's network stack, which brings up the bearer
      # plugins (and, through the NetworkManager plugin, QtDBus).
      wv = QWebView()
      wv.load(QUrl('http://www.riverbankcomputing.com/'))
      wv.show()
      
      # Quit after one second; the segfault happens during teardown on exit.
      QTimer.singleShot(1000, app.quit)
      app.exec_()
      

      While I can't reproduce it with a minimal C++ app using QtWebKit, I've seen bug reports for many projects which are unrelated to PyQt/QtWebKit:

      This is why I think this is a general Qt issue and not a PyQt one.

      Attachments: debug-log (24 kB, Weng Xuetian)


          Activity

          Thiago Macieira added a comment -

          The valgrind crash is unrelated.

          The sender's vptr is 0x7fff8ecc7260, has to be one of these two

          From                To                  Syms Read   Shared Object Library
          0x00007fff8eccd860  0x00007fff8ecdb1c1  Yes         /usr/lib/qt/plugins/bearer/libqgenericbearer.so
          0x00007fff8ea92310  0x00007fff8eaba461  Yes         /usr/lib/qt/plugins/bearer/libqnmbearer.so
          

          The pointer is in-between those two, which doesn't make sense. But the addresses for those two are not page-aligned either, so something is wonky. Anyway, the generic bearer does not use D-Bus but the NM one does. I'll investigate.

          Thiago Macieira added a comment -

          There's one more relevant fix for this discussion: https://codereview.qt-project.org/157308. This fix is already in Qt 5.6.1 and 5.7.0, so you should all have it.

          Here's the interesting thing, from comment-332400:

            Id   Target Id         Frame 
            1    Thread 0x7ffff7fa8400 (LWP 31057) "python3" 0x00007ffff76fc10f in pthread_cond_wait@@GLIBC_2.3.2 () from /usr/lib/libpthread.so.0
            2    Thread 0x7fffd3afa700 (LWP 32611) "QXcbEventReader" 0x00007ffff743048d in poll () from /usr/lib/libc.so.6
            3    Thread 0x7fffcb9a3700 (LWP 32625) "python3" 0x00007ffff76fc10f in pthread_cond_wait@@GLIBC_2.3.2 () from /usr/lib/libpthread.so.0
          * 5    Thread 0x7fff8a68f700 (LWP 32627) "QDBusConnection" 0x00007ffff585c9cf in QObject::disconnect (sender=0x7fff801b6320, signal=signal@entry=0x0, receiver=receiver@entry=0x7fff7c008130, method=method@entry=0x0)
              at kernel/qobject.cpp:2956
            6    Thread 0x7fff89e8e700 (LWP 32628) "Qt bearer threa" 0x00007ffff743048d in poll () from /usr/lib/libc.so.6
            7    Thread 0x7fff8892a700 (LWP 32630) "python3" 0x00007ffff76fc10f in pthread_cond_wait@@GLIBC_2.3.2 () from /usr/lib/libpthread.so.0
            8    Thread 0x7fff7bfff700 (LWP 32631) "python3" 0x00007ffff76fc10f in pthread_cond_wait@@GLIBC_2.3.2 () from /usr/lib/libpthread.so.0
          

          Note thread 6, the "Qt bearer thread". It's still running! But we've proven that the bearer plugins have got unloaded, so something is really wrong.

          The bearer thread is stopped from inside QApplication's destructor. Since the thread is still running, we can conclude the destructor hasn't run. But the function-local statics have begun destroying, as the full backtrace shows and as evidenced by the fact that QDBusConnectionManager is getting destroyed. This weird destruction order probably explains why you're getting this crash only with Python, not with C++.

          I've managed to reproduce this crash by applying this change to examples/network/bearermonitor, which causes it to leak QApplication and changes the order of the global statics:

          --- examples/network/bearermonitor/main.cpp
          +++ examples/network/bearermonitor/main.cpp
          @@ -50,12 +50,14 @@
           
           #include <QtWidgets/QApplication>
           #include <QtWidgets/QMainWindow>
          +#include <QtDBus/QtDBus>
           
           #include "bearermonitor.h"
           
           int main(int argc, char *argv[])
           {
          -    QApplication app(argc, argv);
          +    auto app = new QApplication(argc, argv);
          +    QDBusConnection::sessionBus();
           
               QMainWindow mainWindow;
           
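Review bot: The `new QApplication(argc, argv)` with no matching delete, together with the `QDBusConnection::sessionBus()` call placed before any other Qt object, is what forces the inverted teardown this comment reproduces: QApplication's destructor (which stops the bearer thread) never runs, while the function-local static behind the session bus is still destroyed at exit. That is the intended effect for a reproducer, but the hunk should say so in a comment next to the `new`, since as written it reads like an accidental leak. Also, `#include <QtDBus/QDBusConnection>` is the only header this hunk needs; `<QtDBus/QtDBus>` pulls in the whole module.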
          @@ -64,6 +66,6 @@ int main(int argc, char *argv[])
               mainWindow.setCentralWidget(&monitor);
               mainWindow.show();
           
          -    return app.exec();
          +    return app->exec();
           }
           
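Review bot: `return app->exec();` leaves main with `app` still allocated, so process teardown goes straight to static destruction with QApplication alive; that is the leak the comment relies on, not a cleanup oversight, and it should stay documented as such. If the heap allocation were ever kept beyond the repro, the idiomatic form is the original stack `QApplication app(argc, argv);` or a `QScopedPointer<QApplication>` declared before `mainWindow`, so destruction follows declaration order.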
          --- examples/network/bearermonitor/bearermonitor.pro
          +++ examples/network/bearermonitor/bearermonitor.pro
          @@ -1,5 +1,5 @@
           TARGET = bearermonitor
          -QT = core gui network widgets
          +QT = core gui network widgets dbus
           
           HEADERS = sessionwidget.h \
                     bearermonitor.h
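Review bot: Adding `dbus` to `QT` is required by the new `<QtDBus/...>` include in main.cpp, but it makes a network example depend on an optional module: a Qt build configured without D-Bus would no longer build bearermonitor at all. Acceptable for a reproducer; for anything merged, wrap the D-Bus parts in `qtHaveModule(dbus)` in the .pro file and a matching `#if` in main.cpp.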
          
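The crash above is QDBusConnectionPrivate::closeConnection() calling QObject::disconnect(sender, 0, this, 0) on a sender (the bearer plugin object) that has already been destroyed. The following is an added illustration, not Qt's code, of the defensive pattern that avoids that: the connection keeps only a weak reference to each sender, so the shutdown path skips dead ones instead of dereferencing freed memory. The names Sender, Connection and simulateShutdown are invented for the example.

```cpp
// Added example (not Qt's code): models the hazard in the backtrace above, where
// closeConnection() disconnects from a sender that was destroyed when its plugin
// was unloaded. Weak references make the shutdown path skip dead senders.
// Names (Sender, Connection, simulateShutdown) are invented for this example.
#include <algorithm>
#include <memory>
#include <utility>
#include <vector>

// Stand-in for a signal-emitting QObject, e.g. the NetworkManager bearer plugin.
struct Sender {
    std::vector<const void*> receivers;          // objects connected to our signals
    void disconnectAll(const void* receiver) {
        receivers.erase(std::remove(receivers.begin(), receivers.end(), receiver),
                        receivers.end());
    }
};

// Stand-in for QDBusConnectionPrivate: remembers every sender it connected to.
class Connection {
public:
    void watch(const std::shared_ptr<Sender>& s) {
        s->receivers.push_back(this);
        senders_.push_back(s);                   // weak: does not keep the plugin alive
    }
    // Returns {senders still alive and disconnected, senders already gone and skipped}.
    std::pair<int, int> closeConnection() {
        int live = 0, dead = 0;
        for (const auto& weak : senders_) {
            if (auto s = weak.lock()) { s->disconnectAll(this); ++live; }
            else                      ++dead;    // destroyed sender: never dereferenced
        }
        senders_.clear();
        return {live, dead};
    }
private:
    std::vector<std::weak_ptr<Sender>> senders_;
};

// Shutdown order from the report: the plugin is unloaded before the manager closes.
std::pair<int, int> simulateShutdown(bool unloadPluginFirst) {
    Connection conn;
    auto plugin = std::make_shared<Sender>();    // bearer plugin object
    auto app = std::make_shared<Sender>();       // a sender that is still alive
    conn.watch(plugin);
    conn.watch(app);
    if (unloadPluginFirst) plugin.reset();       // plugin torn down early
    return conn.closeConnection();
}
```

With the raw pointer Qt used here, the `unloadPluginFirst` path would read freed memory; with the weak reference it reports one live and one skipped sender and returns normally.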
          Thiago Macieira added a comment -

          https://codereview.qt-project.org/172173

          gwendal added a comment -

          Hello, it seems I am encountering this bug with git-cola. Here is the bug report I made using the Fedora automated bug report tool: https://bugzilla.redhat.com/show_bug.cgi?id=1397890

          Tobin Davis added a comment -

          I am seeing this issue with my project, win32DiskImager (current git tip - available on SourceForge). Here is the relevant info from my debugging session:

          116 [1] in c:/Users/qt/work/qt/qtbase/src/corelib/tools/qscopedpointer.h
          0x62b72300 55 push %ebp
          0x62b72301 <+0x0001> 89 e5 mov %esp,%ebp
          0x62b72303 <+0x0003> 83 ec 04 sub $0x4,%esp
          0x62b72306 <+0x0006> 89 4d fc mov %ecx,-0x4(%ebp)
          118 [1] in c:/Users/qt/work/qt/qtbase/src/corelib/tools/qscopedpointer.h
          0x62b72309 <+0x0009> 8b 45 fc mov -0x4(%ebp),%eax
          0x62b7230c <+0x000c> 8b 00 mov (%eax),%eax
          119 [1] in c:/Users/qt/work/qt/qtbase/src/corelib/tools/qscopedpointer.h
          0x62b7230e <+0x000e> c9 leave
          0x62b7230f <+0x000f> c3 ret

          I have seen this with QT/MinGW 5.7 and 5.8RC. I did not see it when I worked on my project with QT 5.4. Tomorrow, I will try stepping through the various releases to see if I can try to narrow it down a bit more.


            People

            • Assignee: Thiago Macieira
            • Reporter: Florian Bruhin
            • Votes: 9
            • Watchers: 21
