QTBUG-54769

free(): invalid pointer / corrupted double-linked list on exit

Details

    • Bug
    • Resolution: Done
    • P1: Critical
    • 5.7.1
    • 5.7.0
    • WebEngine
    • None
    • Archlinux

    Description

      When running my PyQt application with QtWebEngine, about once in 20 runs I get one of the following on exit:

      *** Error in `/opt/python-valgrind/bin/python': free(): invalid pointer: 0x0000558d3143e2a0 ***
      ======= Backtrace: =========
      /usr/lib/libc.so.6(+0x6ed4b)[0x7f3ea614ad4b]
      /usr/lib/libc.so.6(+0x74546)[0x7f3ea6150546]
      /usr/lib/libc.so.6(+0x74d1e)[0x7f3ea6150d1e]
      /usr/lib/libQt5WebEngineCore.so.5(+0x68b8e6)[0x7f3e8a30a8e6]
      /usr/lib/libc.so.6(+0x35be8)[0x7f3ea6111be8]
      /usr/lib/libc.so.6(+0x35c35)[0x7f3ea6111c35]
      /opt/python-valgrind/lib/libpython3.5d.so.1.0(+0x19ce52)[0x7f3ea6836e52]
      /opt/python-valgrind/lib/libpython3.5d.so.1.0(+0x1a0c42)[0x7f3ea683ac42]
      /opt/python-valgrind/lib/libpython3.5d.so.1.0(PyErr_PrintEx+0x20d)[0x7f3ea683b0ed]
      /opt/python-valgrind/lib/libpython3.5d.so.1.0(+0x1bccdd)[0x7f3ea6856cdd]
      /opt/python-valgrind/lib/libpython3.5d.so.1.0(Py_Main+0x5eb)[0x7f3ea685752b]
      /opt/python-valgrind/bin/python(main+0x187)[0x558d2def0be7]
      /usr/lib/libc.so.6(__libc_start_main+0xf1)[0x7f3ea60fc741]
      /opt/python-valgrind/bin/python(_start+0x29)[0x558d2def0c89]
      
      *** Error in `./.venv/bin/python': corrupted double-linked list: 0x0000000002adb6c0 ***
      ======= Backtrace: =========
      /usr/lib/libc.so.6(+0x6ed4b)[0x7f002cbe2d4b]
      /usr/lib/libc.so.6(+0x74546)[0x7f002cbe8546]
      /usr/lib/libc.so.6(+0x748cc)[0x7f002cbe88cc]
      /usr/lib/libc.so.6(+0x75390)[0x7f002cbe9390]
      /usr/lib/libnspr4.so(+0x29f61)[0x7f0015113f61]
      /usr/lib/libnspr4.so(+0xd45a)[0x7f00150f745a]
      /lib64/ld-linux-x86-64.so.2(+0xfa7a)[0x7f002d60fa7a]
      /usr/lib/libc.so.6(+0x35be8)[0x7f002cba9be8]
      /usr/lib/libc.so.6(+0x35c35)[0x7f002cba9c35]
      /usr/lib/libpython3.5m.so.1.0(+0x14586f)[0x7f002d27786f]
      /usr/lib/libpython3.5m.so.1.0(+0x1485a8)[0x7f002d27a5a8]
      /usr/lib/libpython3.5m.so.1.0(PyErr_PrintEx+0x1bd)[0x7f002d27a98d]
      /usr/lib/libpython3.5m.so.1.0(+0x15f66d)[0x7f002d29166d]
      /usr/lib/libpython3.5m.so.1.0(Py_Main+0x5b1)[0x7f002d291d71]
      ./.venv/bin/python(main+0x170)[0x400af0]
      /usr/lib/libc.so.6(__libc_start_main+0xf1)[0x7f002cb94741]
      ./.venv/bin/python(_start+0x29)[0x400b99]
      

      full log 1 / full log 2

      When showing the backtrace with gdb on the double-linked list message:

      #0  0x00007ffff7380295 in raise () from /usr/lib/libc.so.6
      #1  0x00007ffff73816da in abort () from /usr/lib/libc.so.6
      #2  0x00007ffff73bbd50 in __libc_message () from /usr/lib/libc.so.6
      #3  0x00007ffff73c1546 in malloc_printerr () from /usr/lib/libc.so.6
      #4  0x00007ffff73c18cc in malloc_consolidate () from /usr/lib/libc.so.6
      #5  0x00007ffff73c2390 in _int_free () from /usr/lib/libc.so.6
      #6  0x00007fffdf8ecf61 in ?? () from /usr/lib/libnspr4.so
      #7  0x00007fffdf8d045a in ?? () from /usr/lib/libnspr4.so
      #8  0x00007ffff7de8a7a in _dl_fini () from /lib64/ld-linux-x86-64.so.2
      #9  0x00007ffff7382be8 in __run_exit_handlers () from /usr/lib/libc.so.6
      #10 0x00007ffff7382c35 in exit () from /usr/lib/libc.so.6
      #11 0x00007ffff7a5086f in Py_Exit () from /usr/lib/libpython3.5m.so.1.0
      #12 0x00007ffff7a535a8 in ?? () from /usr/lib/libpython3.5m.so.1.0
      #13 0x00007ffff7a5398d in PyErr_PrintEx () from /usr/lib/libpython3.5m.so.1.0
      #14 0x00007ffff7a6a66d in ?? () from /usr/lib/libpython3.5m.so.1.0
      #15 0x00007ffff7a6ad71 in Py_Main () from /usr/lib/libpython3.5m.so.1.0
      #16 0x0000000000400af0 in main ()
      

      Running with valgrind I get a lot of warnings like this:

      ==6006== Invalid read of size 8
      ==6006==    at 0x21C3A843: reset (scoped_ptr.h:174)
      ==6006==    by 0x21C3A843: ~scoped_ptr_impl (scoped_ptr.h:166)
      ==6006==    by 0x21C3A843: ~scoped_ptr (scoped_ptr.h:240)
      ==6006==    by 0x21C3A843: QtWebEngineCore::WebEngineContext::~WebEngineContext() (web_engine_context.cpp:187)
      ==6006==    by 0x21C3A8E5: Release (ref_counted.h:134)
      ==6006==    by 0x21C3A8E5: Release (ref_counted.h:409)
      ==6006==    by 0x21C3A8E5: scoped_refptr<QtWebEngineCore::WebEngineContext>::~scoped_refptr() (ref_counted.h:304)
      ==6006==    by 0x55E0BE7: __run_exit_handlers (in /usr/lib/libc-2.23.so)
      ==6006==    by 0x55E0C34: exit (in /usr/lib/libc-2.23.so)
      ==6006==    by 0x4FD2E51: Py_Exit (in /opt/python-valgrind/lib/libpython3.5d.so.1.0)
      ==6006==    by 0x4FD6C41: ??? (in /opt/python-valgrind/lib/libpython3.5d.so.1.0)
      ==6006==    by 0x4FD70EC: PyErr_PrintEx (in /opt/python-valgrind/lib/libpython3.5d.so.1.0)
      ==6006==    by 0x4FF2CDC: ??? (in /opt/python-valgrind/lib/libpython3.5d.so.1.0)
      ==6006==    by 0x4FF352A: Py_Main (in /opt/python-valgrind/lib/libpython3.5d.so.1.0)
      ==6006==    by 0x108BE6: main (in /opt/python-valgrind/bin/python3.5)
      ==6006==  Address 0xfdea818 is 24 bytes inside a block of size 80 free'd
      ==6006==    at 0x4C2C104: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
      ==6006==    by 0x21BEF61F: Release (ref_counted.h:134)
      ==6006==    by 0x21BEF61F: Release (ref_counted.h:409)
      ==6006==    by 0x21BEF61F: ~scoped_refptr (ref_counted.h:304)
      ==6006==    by 0x21BEF61F: QtWebEngineCore::BrowserMainPartsQt::PostMainMessageLoopRun() (content_browser_client_qt.cpp:241)
      ==6006==    by 0x2297817F: content::BrowserMainLoop::ShutdownThreadsAndCleanUp() (browser_main_loop.cc:983)
      ==6006==    by 0x2279EC0E: Shutdown (browser_main_runner.cc:293)
      ==6006==    by 0x2279EC0E: ~BrowserMainRunnerImpl (browser_main_runner.cc:141)
      ==6006==    by 0x2279EC0E: content::BrowserMainRunnerImpl::~BrowserMainRunnerImpl() (browser_main_runner.cc:142)
      ==6006==    by 0x21C3A842: operator() (unique_ptr.h:76)
      ==6006==    by 0x21C3A842: reset (scoped_ptr.h:177)
      ==6006==    by 0x21C3A842: ~scoped_ptr_impl (scoped_ptr.h:166)
      ==6006==    by 0x21C3A842: ~scoped_ptr (scoped_ptr.h:240)
      ==6006==    by 0x21C3A842: QtWebEngineCore::WebEngineContext::~WebEngineContext() (web_engine_context.cpp:187)
      ==6006==    by 0x21C3A8E5: Release (ref_counted.h:134)
      ==6006==    by 0x21C3A8E5: Release (ref_counted.h:409)
      ==6006==    by 0x21C3A8E5: scoped_refptr<QtWebEngineCore::WebEngineContext>::~scoped_refptr() (ref_counted.h:304)
      ==6006==    by 0x55E0BE7: __run_exit_handlers (in /usr/lib/libc-2.23.so)
      ==6006==    by 0x55E0C34: exit (in /usr/lib/libc-2.23.so)
      ==6006==    by 0x4FD2E51: Py_Exit (in /opt/python-valgrind/lib/libpython3.5d.so.1.0)
      ==6006==    by 0x4FD6C41: ??? (in /opt/python-valgrind/lib/libpython3.5d.so.1.0)
      ==6006==    by 0x4FD70EC: PyErr_PrintEx (in /opt/python-valgrind/lib/libpython3.5d.so.1.0)
      ==6006==    by 0x4FF2CDC: ??? (in /opt/python-valgrind/lib/libpython3.5d.so.1.0)
      ==6006==  Block was alloc'd at
      ==6006==    at 0x4C2B0D8: operator new(unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
      ==6006==    by 0x21C3D261: QtWebEngineCore::WebEngineContext::current() (web_engine_context.cpp:194)
      ==6006==    by 0x21C2DFDD: QtWebEngineCore::WebContentsAdapterPrivate::WebContentsAdapterPrivate() (web_contents_adapter.cpp:341)
      ==6006==    by 0x21C30EE4: QtWebEngineCore::WebContentsAdapter::WebContentsAdapter(content::WebContents*) (web_contents_adapter.cpp:380)
      ==6006==    by 0x213925B4: QWebEnginePagePrivate::QWebEnginePagePrivate(QWebEngineProfile*) (qwebenginepage.cpp:107)
      ==6006==    by 0x21392BE3: QWebEnginePage::QWebEnginePage(QObject*) (qwebenginepage.cpp:499)
      ==6006==    by 0x21151605: sipQWebEnginePage::sipQWebEnginePage(QObject*) (sipQtWebEngineWidgetsQWebEnginePage.cpp:171)
      ==6006==    by 0x21156E2F: init_type_QWebEnginePage (sipQtWebEngineWidgetsQWebEnginePage.cpp:1806)
      ==6006==    by 0xF9E87AA: ??? (in /opt/python-valgrind/lib/python3.5/site-packages/sip.so)
      ==6006==    by 0x4F1EC0C: ??? (in /opt/python-valgrind/lib/libpython3.5d.so.1.0)
      ==6006==    by 0x4EA15B4: PyObject_Call (in /opt/python-valgrind/lib/libpython3.5d.so.1.0)
      ==6006==    by 0x4FA0B86: PyEval_EvalFrameEx (in /opt/python-valgrind/lib/libpython3.5d.so.1.0)
      

      full valgrind log

      valgrind commandline:

      LD_PRELOAD=/opt/python-valgrind/lib/libpython3.5d.so.1.0 valgrind --suppressions=/opt/python-valgrind/valgrind-python.supp --leak-check=no --smc-check=all /opt/python-valgrind/bin/python -m qutebrowser  --backend webengine  --temp-basedir heise.de ':later 2000 quit' 2>&1 | tee valgrindlog
      

      (with a debug python build without custom memory allocator in /opt/python-valgrind)

      Unfortunately I didn't find a straightforward way to reproduce it (short of installing PyQt5 and qutebrowser and running that), but I can follow up with more information and test patches.
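
An added triage sketch, not part of the original report or of Qt: it parses a memcheck record in the format shown above and reports which frame freed the block, which allocated it, and the innermost caller present in both the access stack and the free stack. The sample is abridged from the trace above; the names `parse_record`, `first_outside_allocator` and `triage` are this example's own.

```python
import re

# Abridged from the memcheck record above (inlined frames dropped for brevity).
SAMPLE = """\
==6006== Invalid read of size 8
==6006==    at 0x21C3A843: reset (scoped_ptr.h:174)
==6006==    by 0x21C3A843: QtWebEngineCore::WebEngineContext::~WebEngineContext() (web_engine_context.cpp:187)
==6006==    by 0x55E0BE7: __run_exit_handlers (in /usr/lib/libc-2.23.so)
==6006==  Address 0xfdea818 is 24 bytes inside a block of size 80 free'd
==6006==    at 0x4C2C104: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==6006==    by 0x21BEF61F: QtWebEngineCore::BrowserMainPartsQt::PostMainMessageLoopRun() (content_browser_client_qt.cpp:241)
==6006==    by 0x21C3A842: QtWebEngineCore::WebEngineContext::~WebEngineContext() (web_engine_context.cpp:187)
==6006==    by 0x55E0BE7: __run_exit_handlers (in /usr/lib/libc-2.23.so)
==6006==  Block was alloc'd at
==6006==    at 0x4C2B0D8: operator new(unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==6006==    by 0x21C3D261: QtWebEngineCore::WebEngineContext::current() (web_engine_context.cpp:194)
"""

FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (.+) \((.+)\)$")
HEADER = re.compile(r"^==\d+==\s+(\S.*)$")
BLOCK = re.compile(r"is (\d+) bytes inside a block of size (\d+) free'd")

def parse_record(text):
    """Split one memcheck error into [header, [(function, location), ...]] sections."""
    sections = []
    for line in text.splitlines():
        frame, header = FRAME.match(line), HEADER.match(line)
        if frame and sections:
            sections[-1][1].append(frame.groups())
        elif header:
            sections.append([header.group(1), []])
    return sections

def first_outside_allocator(frames):
    """First frame that is not valgrind's malloc/new/delete interceptor."""
    return next(f for f in frames if "vgpreload_memcheck" not in f[1])

def triage(text):
    """Summarise a use-after-free record: who freed, who allocated, shared caller."""
    (kind, access), (addr, freed), (_, alloc) = parse_record(text)[:3]
    offset, size = map(int, BLOCK.search(addr).groups())
    # Compare on (function, location): return addresses differ between the stacks.
    shared = [f for f in access if f in freed]
    return {"kind": kind, "offset": offset, "size": size,
            "freed_by": first_outside_allocator(freed),
            "allocated_by": first_outside_allocator(alloc),
            "shared_caller": shared[0] if shared else None}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A `shared_caller` that is a destructor of the same class that allocated the block is a candidate for a release that ran while that destructor was still on the stack.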

            People

              allan.jensen Allan Sandfeld Jensen
              the compiler Florian Bruhin