Details
Type: Bug
Resolution: Incomplete
Priority: P1: Critical
Fix Version/s: None
Affects Version/s: 5.6.2
Platform/s: Linux
Description
First thread (the caller): QDBusAbstractInterface::call calls connection.call (qdbusabstractinterface.cpp, line 488), which blocks until the call has finished (qdbusintegrator.cpp, line 2039).
QDBusConnectionThread: while the first thread is waiting, this thread runs until it wakes the first thread from inside processFinishedCall (qdbusintegrator.cpp, line 1890).
From this point on both threads are free to run concurrently.
First thread: after connection.call returns, QDBusAbstractInterface checks whether the reply has any arguments. If it has none, a default-constructed QVariant is appended to the reply's arguments (qdbusabstractinterface.cpp, line 494). That append does not detach the message's d_ptr; the code carries a FIXME at this point (qdbusmessage.cpp, line 748: "// FIXME: should we detach?").
QDBusConnectionThread: after the wait condition's wakeAll(), the msg (the reply) is checked for an error. If it is an error, a QDBusError is constructed from it (qdbusintegrator.cpp, line 1894). Constructing the QDBusError reads the contents of the reply's arguments (qdbusmessage.cpp, lines 88/89).
So shortly after the wakeup the first thread may be writing to the reply's arguments while the QDBusConnectionThread is reading from them, and because the message was never detached both threads are touching the same argument list: a data race. Since the race is on the reply's arguments, and we have a crash involving bad data in those same arguments (stack trace below), the data race appears to be the cause of that bad data.
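To make the mechanism concrete, the following is an added example and not QtDBus code: a minimal model of an implicitly-shared message handle (the names Message, MessageData, appendWithoutDetach, appendWithDetach and readerArgumentCountAfterAppend are hypothetical). It replays the two steps from the report in program order: the caller's copy of the reply appends a default argument, and the connection thread's copy then reads the arguments. Without a detach the write is visible through the other holder's handle, which is exactly the shared state the two threads race on; with copy-on-write the reader's view is untouched.

```cpp
// Added example (hypothetical names, not QtDBus code): models the
// implicitly-shared d_ptr that QDBusMessage copies hand around.
#include <cstddef>
#include <iostream>
#include <memory>
#include <string>
#include <vector>

struct MessageData {
    // Stands in for the message's argument list. For an error reply the
    // first argument is what errorMessage() returns.
    std::vector<std::string> arguments;
};

class Message {
public:
    Message() : d(std::make_shared<MessageData>()) {}

    // Copying a Message shares the payload (implicit sharing). After
    // processFinishedCall the caller's reply and the connection thread's
    // msg are copies like this, both pointing at the same MessageData.
    Message(const Message&) = default;
    Message& operator=(const Message&) = default;

    // Mirrors the FIXME'd path: append in place without detaching, so the
    // write lands in data that every other holder also reads.
    void appendWithoutDetach(const std::string& v) { d->arguments.push_back(v); }

    // Copy-on-write: if another handle shares the payload, clone it first so
    // the append is private to this handle.
    void appendWithDetach(const std::string& v) {
        if (d.use_count() > 1)
            d = std::make_shared<MessageData>(*d);
        d->arguments.push_back(v);
    }

    // Reader side, analogous to QDBusMessage::errorMessage(): reads the
    // first argument (empty string if there is none).
    std::string errorMessage() const {
        return d->arguments.empty() ? std::string() : d->arguments.front();
    }
    std::size_t argumentCount() const { return d->arguments.size(); }
    bool sharesDataWith(const Message& other) const { return d == other.d; }

private:
    std::shared_ptr<MessageData> d;
};

// Replays the interleaving from the report deterministically (in the real
// bug the append and the read run on two threads). Returns the argument
// count the connection thread's copy observes after the caller's append.
std::size_t readerArgumentCountAfterAppend(bool detach) {
    Message reply;                       // error reply with no arguments yet
    Message connectionThreadMsg = reply; // shared copy held by the other thread
    if (detach)
        reply.appendWithDetach(std::string());    // caller appends default value
    else
        reply.appendWithoutDetach(std::string());
    return connectionThreadMsg.argumentCount();
}

// True if, after the append, both handles still point at one MessageData,
// i.e. a concurrent reader and writer would touch the same vector.
bool handlesStillShareData(bool detach) {
    Message reply;
    Message connectionThreadMsg = reply;
    if (detach)
        reply.appendWithDetach("x");
    else
        reply.appendWithoutDetach("x");
    return reply.sharesDataWith(connectionThreadMsg);
}

int main() {
    std::cout << "no detach: reader sees " << readerArgumentCountAfterAppend(false)
              << " argument(s), shared=" << handlesStillShareData(false) << '\n';
    std::cout << "detach:    reader sees " << readerArgumentCountAfterAppend(true)
              << " argument(s), shared=" << handlesStillShareData(true) << '\n';
    return 0;
}
```

Moving the append onto a second std::thread while the first handle calls errorMessage() in a loop turns the undetached case into a write/read race on MessageData::arguments that ThreadSanitizer reports (a vector reallocating under a reader is also how the toString crash in the trace below can arise); with appendWithDetach the reader's handle keeps its own payload and there is nothing to race on.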
Stack trace:
#0 0x00007f320da46c36 in (anonymous namespace)::constData (d=...) at kernel/qvariant.cpp:336
#1 qVariantToHelper<QString> (handlerManager=<synthetic pointer>..., d=...) at kernel/qvariant.cpp:2212
#2 QVariant::toString (this=0x7f31f4d22b10) at kernel/qvariant.cpp:2248
#3 0x00007f320b9be25a in QDBusMessage::errorMessage (this=this@entry=0x87fbb20) at qdbusmessage.cpp:89
#4 0x00007f320b9ae831 in QDBusError::QDBusError (this=0x7f31fdcde800, qdmsg=...) at qdbuserror.cpp:287
#5 0x00007f320b9b4100 in QDBusConnectionPrivate::processFinishedCall (call=0x87fbad0) at qdbusintegrator.cpp:1894
#6 0x00007f3203d7c812 in complete_pending_call_and_unlock (connection=connection@entry=0xe93f40, pending=0x8836b50, message=message@entry=0x88d21c0) at /usr/src/debug/dbus/1.8.20-r0.11.1/dbus-1.8.20/dbus/dbus-connection.c:2331
#7 0x00007f3203d7fbb1 in dbus_connection_dispatch (connection=0xe93f40) at /usr/src/debug/dbus/1.8.20-r0.11.1/dbus-1.8.20/dbus/dbus-connection.c:4626
#8 0x00007f320b9b96d1 in q_dbus_connection_dispatch (connection=<optimized out>) at qdbus_symbols_p.h:189
#9 QDBusConnectionPrivate::doDispatch (this=this@entry=0xe92c20) at qdbusintegrator.cpp:1172
#10 0x00007f320b9b99be in QDBusConnectionPrivate::socketRead (this=0xe92c20, fd=64) at qdbusintegrator.cpp:1198
#11 0x00007f320b9fee73 in QDBusConnectionPrivate::qt_static_metacall (_o=<optimized out>, _c=<optimized out>, _id=<optimized out>, _a=<optimized out>) at .moc/moc_qdbusconnection_p.cpp:179
#12 0x00007f320da352e1 in QMetaObject::activate (sender=sender@entry=0xe93a10, signalOffset=<optimized out>, local_signal_index=local_signal_index@entry=0, argv=argv@entry=0x7f31fdcdeb80) at kernel/qobject.cpp:3730
#13 0x00007f320da35927 in QMetaObject::activate (sender=sender@entry=0xe93a10, m=m@entry=0x7f320dea4240 <QSocketNotifier::staticMetaObject>, local_signal_index=local_signal_index@entry=0, argv=argv@entry=0x7f31fdcdeb80) at kernel/qobject.cpp:3595
#14 0x00007f320daa8b3e in QSocketNotifier::activated (this=this@entry=0xe93a10, _t1=64) at .moc/moc_qsocketnotifier.cpp:135
#15 0x00007f320da40c5b in QSocketNotifier::event (this=0xe93a10, e=<optimized out>) at kernel/qsocketnotifier.cpp:260
#16 0x00007f320da0ad63 in doNotify (event=0x7f31fdcdec30, receiver=0xe93a10) at kernel/qcoreapplication.cpp:1090
#17 QCoreApplication::notify (event=<optimized out>, receiver=<optimized out>, this=<optimized out>) at kernel/qcoreapplication.cpp:1076
#18 QCoreApplication::notifyInternal2 (receiver=0xe93a10, event=event@entry=0x7f31fdcdec30) at kernel/qcoreapplication.cpp:1015
#19 0x00007f320da5944a in QCoreApplication::sendEvent (event=0x7f31fdcdec30, receiver=<optimized out>) at kernel/qcoreapplication.h:225
#20 QEventDispatcherUNIX::activateSocketNotifiers (this=this@entry=0x4bded0) at kernel/qeventdispatcher_unix.cpp:565
#21 0x00007f320da598aa in QEventDispatcherUNIXPrivate::doSelect (this=this@entry=0x496080, flags=..., flags@entry=..., timeout=timeout@entry=0x7f31fdcdeda0) at kernel/qeventdispatcher_unix.cpp:264
#22 0x00007f320da59c3a in QEventDispatcherUNIX::processEvents (this=0x4bded0, flags=...) at kernel/qeventdispatcher_unix.cpp:607
#23 0x00007f320da0908a in QEventLoop::exec (this=this@entry=0x7f31fdcdee60, flags=..., flags@entry=...) at kernel/qeventloop.cpp:206
#24 0x00007f320d854bdc in QThread::exec (this=this@entry=0x7f320bc19b80 <(anonymous namespace)::Q_QGS__q_manager::innerFunction()::holder>) at thread/qthread.cpp:500
#25 0x00007f320b9a82e5 in QDBusConnectionManager::run (this=0x7f320bc19b80 <(anonymous namespace)::Q_QGS__q_manager::innerFunction()::holder>) at qdbusconnection.cpp:189
#26 0x00007f320d859619 in QThreadPrivate::start (arg=0x7f320bc19b80 <(anonymous namespace)::Q_QGS__q_manager::innerFunction()::holder>) at thread/qthread_unix.cpp:365
#27 0x00007f320eff73d4 in start_thread (arg=0x7f31fdcdf700) at pthread_create.c:460
#28 0x00007f32082fa8ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109