Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-64879

Race condition involving a reply that is an error

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Need More Info
    • Priority: P1: Critical
    • Resolution: Incomplete
    • Affects Version/s: 5.6.2
    • Fix Version/s: None
    • Component/s: D-Bus
    • Environment:
      Linux

      Description

      First thread: QDBusAbstractInterface::call. This function calls connection.call(qdbusabstractinterface.cpp : line 488) which will wait for the call to be finished(qdbusintegrator.cpp : line 2039).
      QDBusConnectionThread: While the first thread is waiting this thread will run until the first thread is woken up while in processFinishedCall(qdbusintegrator.cpp : line 1890).

      At this point both threads are free to run.

      First Thread: After connection.call finishes the QDBusAbstractInterface checks to see if the reply has any arguments. If it does not, a default constructed QVariant is appended to the reply’s arguments(qdbusabstractinterface.cpp : line 494). When the QVariant is appended to the arguments the d_ptr is not detached and there is a FIXME(qdbusmessage.cpp line 748 // FIXME: should we detach?).
      QDBusConnectionThread: After the wait condition.wakeAll() the msg(reply) is checked to see if it is an error. If the msg(reply) is an error then a QDBusError is created with the msg(reply)(qdbusintegrator.cpp : line 1894). While constructing the QDBusError the reply reads contents of its arguments(qdbusmessage.cpp : line 88/89).

      With the first thread potentially writing to the reply’s arguments shortly after the wakeup and the QDBusConnectionThread potentially reading from the reply’s arguments shortly after the wakeup leading to a data race. Since this data race is happening on the reply’s arguments and we have an instance of a crash involving bad data with the same reply’s arguments, it seems that the data race is causing this instance of bad data.

      Stack trace:
      0  0x00007f320da46c36 in (anonymous namespace)::constData (d=...) at
      kernel/qvariant.cpp:336
      #1  qVariantToHelper<QString> (handlerManager=<synthetic
      pointer>..., d=...) at kernel/qvariant.cpp:2212
      #2  QVariant::toString (this=0x7f31f4d22b10) at kernel/qvariant.cpp:2248
      #3  0x00007f320b9be25a in QDBusMessage::errorMessage
      (this=this@entry=0x87fbb20) at qdbusmessage.cpp:89
      #4  0x00007f320b9ae831 in QDBusError::QDBusError (this=0x7f31fdcde800,
      qdmsg=...) at qdbuserror.cpp:287
      #5  0x00007f320b9b4100 in QDBusConnectionPrivate::processFinishedCall
      (call=0x87fbad0) at qdbusintegrator.cpp:1894
      #6  0x00007f3203d7c812 in complete_pending_call_and_unlock
      (connection=connection@entry=0xe93f40, pending=0x8836b50,
      message=message@entry=0x88d21c0)
         at /usr/src/debug/dbus/1.8.20-r0.11.1/dbus-1.8.20/dbus/dbus-
      connection.c:2331
      #7  0x00007f3203d7fbb1 in dbus_connection_dispatch (connection=0xe93f40) at
      /usr/src/debug/dbus/1.8.20-r0.11.1/dbus-1.8.20/dbus/dbus-connection.c:4626
      #8  0x00007f320b9b96d1 in q_dbus_connection_dispatch (connection=<optimized
      out>) at qdbus_symbols_p.h:189
      #9  QDBusConnectionPrivate::doDispatch (this=this@entry=0xe92c20) at
      qdbusintegrator.cpp:1172
      #10 0x00007f320b9b99be in QDBusConnectionPrivate::socketRead (this=0xe92c20,
      fd=64) at qdbusintegrator.cpp:1198
      #11 0x00007f320b9fee73 in QDBusConnectionPrivate::qt_static_metacall
      (_o=<optimized out>, _c=<optimized out>, _id=<optimized
      out>, _a=<optimized out>) at .moc/moc_qdbusconnection_p.cpp:179
      #12 0x00007f320da352e1 in QMetaObject::activate (sender=sender@entry=0xe93a10,
      signalOffset=<optimized out>,
      local_signal_index=local_signal_index@entry=0, argv=argv@entry=0x7f31fdcdeb80)
         at kernel/qobject.cpp:3730
      #13 0x00007f320da35927 in QMetaObject::activate (sender=sender@entry=0xe93a10,
      m=m@entry=0x7f320dea4240 <QSocketNotifier::staticMetaObject>,
      local_signal_index=local_signal_index@entry=0,
         argv=argv@entry=0x7f31fdcdeb80) at kernel/qobject.cpp:3595
      #14 0x00007f320daa8b3e in QSocketNotifier::activated
      (this=this@entry=0xe93a10, _t1=64) at .moc/moc_qsocketnotifier.cpp:135
      #15 0x00007f320da40c5b in QSocketNotifier::event (this=0xe93a10,
      e=<optimized out>) at kernel/qsocketnotifier.cpp:260
      #16 0x00007f320da0ad63 in doNotify (event=0x7f31fdcdec30, receiver=0xe93a10)
      at kernel/qcoreapplication.cpp:1090
      #17 QCoreApplication::notify (event=<optimized out>,
      receiver=<optimized out>, this=<optimized out>) at
      kernel/qcoreapplication.cpp:1076
      #18 QCoreApplication::notifyInternal2 (receiver=0xe93a10,
      event=event@entry=0x7f31fdcdec30) at kernel/qcoreapplication.cpp:1015
      #19 0x00007f320da5944a in QCoreApplication::sendEvent (event=0x7f31fdcdec30,
      receiver=<optimized out>) at kernel/qcoreapplication.h:225
      #20 QEventDispatcherUNIX::activateSocketNotifiers (this=this@entry=0x4bded0)
      at kernel/qeventdispatcher_unix.cpp:565
      #21 0x00007f320da598aa in QEventDispatcherUNIXPrivate::doSelect
      (this=this@entry=0x496080, flags=..., flags@entry=...,
      timeout=timeout@entry=0x7f31fdcdeda0) at kernel/qeventdispatcher_unix.cpp:264
      #22 0x00007f320da59c3a in QEventDispatcherUNIX::processEvents (this=0x4bded0,
      flags=...) at kernel/qeventdispatcher_unix.cpp:607
      #23 0x00007f320da0908a in QEventLoop::exec
      &#40;this=this@entry=0x7f31fdcdee60, flags=..., flags@entry=...&#41;
      at kernel/qeventloop.cpp:206
      #24 0x00007f320d854bdc in QThread::exec
      &#40;this=this@entry=0x7f320bc19b80 <(anonymous
      namespace&#41;::Q_QGS__q_manager::innerFunction()::holder>) at
      thread/qthread.cpp:500
      #25 0x00007f320b9a82e5 in QDBusConnectionManager::run (this=0x7f320bc19b80
      <(anonymous namespace)::Q_QGS__q_manager::innerFunction()::holder>) at
      qdbusconnection.cpp:189
      #26 0x00007f320d859619 in QThreadPrivate::start (arg=0x7f320bc19b80
      <(anonymous namespace)::Q_QGS__q_manager::innerFunction()::holder>) at
      thread/qthread_unix.cpp:365
      #27 0x00007f320eff73d4 in start_thread (arg=0x7f31fdcdf700) at
      pthread_create.c:460
      #28 0x00007f32082fa8ad in clone () at
      ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
      

        Attachments

        No reviews matched the request. Check your Options in the drop-down menu of this sections header.

          Activity

            People

            • Assignee:
              Eddy Edward Welbourne
              Reporter:
              andysh Andy Shaw
            • Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Gerrit Reviews

                There are no open Gerrit changes