
Crash after destroying an unfinished QDBusPendingCall


    Details

    • Type: Bug
    • Status: Reported
    • Priority: P1: Critical
    • Resolution: Unresolved
    • Affects Version/s: 5.6.2, 5.8.0
    • Fix Version/s: None
    • Component/s: D-Bus
    • Labels:
      None
    • Environment:
      Ubuntu 16.10

      Description

      The example below crashes intermittently with what looks like heap corruption. The backtrace captured from this distilled example usually faults in QFreeList — note frame #3 below, `QFreeList<void, QtTimerIdFreeListConstants>::next (this=0x0)`, reached while the "QDBusConnection" thread is still dispatching a queued sendInternal() for a call whose QDBusPendingCall has already gone out of scope — but crashes seen in the wild are just as likely to fault in malloc. The null `this` on a global free list suggests an object-lifetime / shutdown-ordering problem rather than a plain buffer overflow, so this should be treated as a memory-safety bug inside QtDBus rather than a caller misuse: any application that issues asyncCall() and drops the QDBusPendingCall before the reply arrives appears to be exposed.

      #include <QCoreApplication>
      #include <QDBusConnection>
      #include <QDBusMessage>
      #include <QDBusPendingCallWatcher>
      #include <QDebug>
      
      int main(int argc, char *argv[])
      {
          // Reproducer: every iteration issues one asynchronous ListNames call on
          // the session bus and then lets the QDBusPendingCall go out of scope at
          // the end of the loop body, before the reply has had a chance to arrive.
          // Nothing waits for the call, no QDBusPendingCallWatcher is attached,
          // and the application never enters its event loop.
          QCoreApplication application(argc, argv);

          int remaining = 10;
          while (remaining-- > 0) {
              const QDBusMessage request = QDBusMessage::createMethodCall(
                          "org.freedesktop.DBus",
                          "/org/freedesktop/DBus",
                          "org.freedesktop.DBus",
                          "ListNames");
              const QDBusPendingCall reply = QDBusConnection::sessionBus().asyncCall(request);

              // Normally reports "finished? false": the send is queued to the
              // QDBusConnection thread and this thread never yields to it.
              qDebug() << "finished?" << reply.isFinished();
          }
      }
      
      Thread 2 "QDBusConnection" received signal SIGSEGV, Segmentation fault.
      [Switching to Thread 0x7ffff29aa700 (LWP 10333)]
      0x00007ffff780a465 in std::__atomic_base<int>::load (this=0x30, __m=std::memory_order_relaxed) at /usr/include/c++/6/bits/atomic_base.h:396
      396             return __atomic_load_n(&_M_i, __m);
      (gdb) bt
      #0  0x00007ffff780a465 in std::__atomic_base<int>::load (this=0x30, __m=std::memory_order_relaxed) at /usr/include/c++/6/bits/atomic_base.h:396
      #1  0x00007ffff78097c9 in QAtomicOps<int>::load<int> (_q_value=...) at ../../include/QtCore/../../../../../../depot/qt/qtbase/src/corelib/arch/qatomic_cxx11.h:227
      #2  0x00007ffff7808a5c in QBasicAtomicInteger<int>::load (this=0x30) at ../../include/QtCore/../../../../../../depot/qt/qtbase/src/corelib/thread/qbasicatomic.h:102
      #3  0x00007ffff7a931cd in QFreeList<void, QtTimerIdFreeListConstants>::next (this=0x0)
          at ../../include/QtCore/5.8.0/QtCore/private/../../../../../../../../../depot/qt/qtbase/src/corelib/tools/qfreelist_p.h:240
      #4  0x00007ffff7a92b46 in QAbstractEventDispatcherPrivate::allocateTimerId () at qt/qtbase/src/corelib/kernel/qabstracteventdispatcher.cpp:93
      #5  0x00007ffff7a92ceb in QAbstractEventDispatcher::registerTimer (this=0x7fffec0008c0, interval=25000, timerType=Qt::CoarseTimer, object=0x7fffec0032f0)
          at qt/qtbase/src/corelib/kernel/qabstracteventdispatcher.cpp:258
      #6  0x00007ffff7ad8010 in QObject::startTimer (this=0x7fffec0032f0, interval=25000, timerType=Qt::CoarseTimer) at qt/qtbase/src/corelib/kernel/qobject.cpp:1646
      #7  0x00007ffff7f579ce in qDBusAddTimeout (timeout=0x7fffec004190, data=0x7fffec0032f0) at qt/qtbase/src/dbus/qdbusintegrator.cpp:156
      #8  0x00007ffff69d548d in ?? () from /lib/x86_64-linux-gnu/libdbus-1.so.3
      #9  0x00007ffff69bfe82 in dbus_connection_send_with_reply () from /lib/x86_64-linux-gnu/libdbus-1.so.3
      #10 0x00007ffff7f570f7 in q_dbus_connection_send_with_reply (connection=0x7fffec00dc40, message=0x7fffec00f7b0, pending_return=0x7ffff29a94d0, timeout_milliseconds=-1)
          at qt/qtbase/src/dbus/qdbus_symbols_p.h:210
      ---Type <return> to continue, or q <return> to quit---
      #11 0x00007ffff7f626a6 in QDBusConnectionPrivate::sendInternal (this=0x7fffec0032f0, pcall=0x555555772260, message=0x7fffec00f7b0, timeout=-1)
          at qt/qtbase/src/dbus/qdbusintegrator.cpp:2168
      #12 0x00007ffff7f7432d in QtPrivate::FunctorCall<QtPrivate::IndexesList<0, 1, 2>, QtPrivate::List<QDBusPendingCallPrivate*, void*, int>, void, void (QDBusConnectionPrivate::*)(QDBusPendingCallPrivate*, void*, int)>::call (f=
          (void (QDBusConnectionPrivate::*)(QDBusConnectionPrivate * const, QDBusPendingCallPrivate *, void *, int)) 0x7ffff7f6255a <QDBusConnectionPrivate::sendInternal(QDBusPendingCallPrivate*, void*, int)>, o=0x7fffec0032f0, arg=0x555555771a30) at ../../include/QtCore/../../../../../../depot/qt/qtbase/src/corelib/kernel/qobjectdefs_impl.h:143
      #13 0x00007ffff7f739d9 in QtPrivate::FunctionPointer<void (QDBusConnectionPrivate::*)(QDBusPendingCallPrivate*, void*, int)>::call<QtPrivate::List<QDBusPendingCallPrivate*, void*, int>, void> (f=
          (void (QDBusConnectionPrivate::*)(QDBusConnectionPrivate * const, QDBusPendingCallPrivate *, void *, int)) 0x7ffff7f6255a <QDBusConnectionPrivate::sendInternal(QDBusPendingCallPrivate*, void*, int)>, o=0x7fffec0032f0, arg=0x555555771a30) at ../../include/QtCore/../../../../../../depot/qt/qtbase/src/corelib/kernel/qobjectdefs_impl.h:162
      #14 0x00007ffff7f71e12 in QtPrivate::QSlotObject<void (QDBusConnectionPrivate::*)(QDBusPendingCallPrivate*, void*, int), QtPrivate::List<QDBusPendingCallPrivate*, void*, int>, void>::impl (which=1,
          this_=0x7fffec0044f0, r=0x7fffec0032f0, a=0x555555771a30, ret=0x0) at ../../include/QtCore/../../../../../../depot/qt/qtbase/src/corelib/kernel/qobject_impl.h:120
      #15 0x00007ffff7ae15b1 in QtPrivate::QSlotObjectBase::call (this=0x7fffec0044f0, r=0x7fffec0032f0, a=0x555555771a30)
          at ../../include/QtCore/../../../../../../depot/qt/qtbase/src/corelib/kernel/qobject_impl.h:101
      #16 0x00007ffff7ad620b in QMetaCallEvent::placeMetaCall (this=0x555555771ca0, object=0x7fffec0032f0) at qt/qtbase/src/corelib/kernel/qobject.cpp:500
      ---Type <return> to continue, or q <return> to quit---
      #17 0x00007ffff7ad7427 in QObject::event (this=0x7fffec0032f0, e=0x555555771ca0) at qt/qtbase/src/corelib/kernel/qobject.cpp:1263
      #18 0x00007ffff7a98f32 in QCoreApplicationPrivate::notify_helper (receiver=0x7fffec0032f0, event=0x555555771ca0) at qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1122
      #19 0x00007ffff7a98b5a in doNotify (receiver=0x7fffec0032f0, event=0x555555771ca0) at qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1063
      #20 0x00007ffff7a98a0c in QCoreApplication::notifyInternal2 (receiver=0x7fffec0032f0, event=0x555555771ca0) at qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:987
      #21 0x00007ffff7a9cdd8 in QCoreApplication::sendEvent (receiver=0x7fffec0032f0, event=0x555555771ca0)
          at ../../include/QtCore/../../../../../../depot/qt/qtbase/src/corelib/kernel/qcoreapplication.h:231
      #22 0x00007ffff7a99f90 in QCoreApplicationPrivate::sendPostedEvents (receiver=0x0, event_type=0, data=0x55555576fb70) at qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1648
      #23 0x00007ffff7a998e6 in QCoreApplication::sendPostedEvents (receiver=0x0, event_type=0) at qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1502
      #24 0x00007ffff7b1f621 in postEventSourceDispatch (s=0x7fffec0012d0) at qt/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:276
      #25 0x00007ffff56337d7 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
      #26 0x00007ffff5633a40 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
      #27 0x00007ffff5633aec in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
      #28 0x00007ffff7b1fe0a in QEventDispatcherGlib::processEvents (this=0x7fffec0008c0, flags=...) at qt/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:423
      #29 0x00007ffff7a950f2 in QEventLoop::processEvents (this=0x7ffff29a9c80, flags=...) at qt/qtbase/src/corelib/kernel/qeventloop.cpp:134
      ---Type <return> to continue, or q <return> to quit---
      #30 0x00007ffff7a95429 in QEventLoop::exec (this=0x7ffff29a9c80, flags=...) at qt/qtbase/src/corelib/kernel/qeventloop.cpp:212
      #31 0x00007ffff7838a91 in QThread::exec (this=0x7ffff7ff3dc0 <(anonymous namespace)::Q_QGS__q_manager::innerFunction()::holder>) at qt/qtbase/src/corelib/thread/qthread.cpp:507
      #32 0x00007ffff7f4b895 in QDBusConnectionManager::run (this=0x7ffff7ff3dc0 <(anonymous namespace)::Q_QGS__q_manager::innerFunction()::holder>)
          at qt/qtbase/src/dbus/qdbusconnection.cpp:170
      #33 0x00007ffff7841000 in QThreadPrivate::start (arg=0x7ffff7ff3dc0 <(anonymous namespace)::Q_QGS__q_manager::innerFunction()::holder>)
          at qt/qtbase/src/corelib/thread/qthread_unix.cpp:368
      #34 0x00007ffff6c016ca in start_thread (arg=0x7ffff29aa700) at pthread_create.c:333
      #35 0x00007ffff6f200af in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:105
      



            People

            • Assignee:
              Unassigned
              Reporter:
              andrew.den.exter Andrew den Exter

