https://bugs.kde.org/show_bug.cgi?id=463764
Bug ID: 463764
Summary: SIGSEGV in QArrayData::data (called via
ThumbnailProvider::requestImage)
Classification: Applications
Product: kdenlive
Version: 22.12.0
Platform: Other
OS: OpenBSD
Status: REPORTED
Severity: normal
Priority: NOR
Component: User Interface
Assignee: j...@kdenlive.org
Reporter: kdenlive-...@nest.cx
Target Milestone: ---
SUMMARY
Frequent crashes while editing a video project.
STEPS TO REPRODUCE
Unfortunately no specific reproducible instructions are known at the moment
although normal use on OpenBSD-7.2-amd64-current reliably causes a core dump.
OBSERVED RESULT
SIGSEGV crash with this trace:
(gdb) bt
#0 0x000008bd4ce3004a in QArrayData::data() () from
/usr/local/lib/qt5/./libQt5Core.so.4.0
#1 0x000008bd4ce42f9f in QTypedArrayData<unsigned short>::data() () from
/usr/local/lib/qt5/./libQt5Core.so.4.0
#2 0x000008bd4cf0bc82 in QString::unicode() const () from
/usr/local/lib/qt5/./libQt5Core.so.4.0
#3 0x000008bd4cf0a835 in qHash(QString const&, unsigned int) () from
/usr/local/lib/qt5/./libQt5Core.so.4.0
#4 0x000008baf186a257 in ThumbnailCache::Cache_t::remove(QString const&) ()
#5 0x000008baf186a570 in ThumbnailCache::Cache_t::insert(QString const&,
QImage const&, int) ()
#6 0x000008baf1868663 in ThumbnailCache::storeThumbnail(QString const&, int,
QImage const&, bool) ()
#7 0x000008baf17daf1e in ThumbnailProvider::requestImage(QString const&,
QSize*, QSize const&) ()
#8 0x000008bdda2bbde8 in QQuickPixmapReader::processJob(QQuickPixmapReply*,
QUrl const&, QString const&, QQmlImageProviderBase::ImageType,
QSharedPointer<QQuickImageProvider> const&) () from
/usr/local/lib/qt5/./libQt5Quick.so.4.0
#9 0x000008bdda2baa63 in QQuickPixmapReader::processJobs() () from
/usr/local/lib/qt5/./libQt5Quick.so.4.0
#10 0x000008bdda2ba316 in QQuickPixmapReaderThreadObject::event(QEvent*) ()
from /usr/local/lib/qt5/./libQt5Quick.so.4.0
#11 0x000008bd4952074a in QApplicationPrivate::notify_helper(QObject*, QEvent*)
() from /usr/local/lib/qt5/./libQt5Widgets.so.4.0
#12 0x000008bd49522423 in QApplication::notify(QObject*, QEvent*) () from
/usr/local/lib/qt5/./libQt5Widgets.so.4.0
#13 0x000008bd4d186c72 in QCoreApplication::notifyInternal2(QObject*, QEvent*)
() from /usr/local/lib/qt5/./libQt5Core.so.4.0
#14 0x000008bd4d187925 in QCoreApplication::sendEvent(QObject*, QEvent*) ()
from /usr/local/lib/qt5/./libQt5Core.so.4.0
#15 0x000008bd4d18867a in QCoreApplicationPrivate::sendPostedEvents(QObject*,
int, QThreadData*) ()
from /usr/local/lib/qt5/./libQt5Core.so.4.0
#16 0x000008bd4d1877ea in QCoreApplication::sendPostedEvents(QObject*, int) ()
from /usr/local/lib/qt5/./libQt5Core.so.4.0
#17 0x000008bd4d25abb8 in postEventSourceDispatch(_GSource*, int (*)(void*),
void*) () from /usr/local/lib/qt5/./libQt5Core.so.4.0
#18 0x000008bde1a23c1f in g_main_context_dispatch () from
/usr/local/lib/libglib-2.0.so.4201.9
#19 0x000008bde1a23fea in g_main_context_iterate () from
/usr/local/lib/libglib-2.0.so.4201.9
#20 0x000008bde1a240c7 in g_main_context_iteration () from
/usr/local/lib/libglib-2.0.so.4201.9
#21 0x000008bd4d25a190 in
QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
from /usr/local/lib/qt5/./libQt5Core.so.4.0
#22 0x000008bd4d181f09 in
QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
from /usr/local/lib/qt5/./libQt5Core.so.4.0
#23 0x000008bd4d182152 in
QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from
/usr/local/lib/qt5/./libQt5Core.so.4.0
#24 0x000008bd4ce5f094 in QThread::exec() () from
/usr/local/lib/qt5/./libQt5Core.so.4.0
#25 0x000008bdda2bcebd in QQuickPixmapReader::run() () from
/usr/local/lib/qt5/./libQt5Quick.so.4.0
#26 0x000008bd4ce6328c in QThreadPrivate::start(void*) () from
/usr/local/lib/qt5/./libQt5Core.so.4.0
#27 0x000008bdb98d0ee1 in _rthread_start (v=<optimized out>) at
/usr/src/lib/librthread/rthread.c:96
#28 0x000008bd00f2f27a in __tfork_thread () at
/usr/src/lib/libc/arch/amd64/sys/tfork_thread.S:84
Note the value of `%rcx` suggests memory corruption:
(gdb) disassemble
Dump of assembler code for function _ZN10QArrayData4dataEv:
0x000008bd4ce30030 <+0>: mov 0x4ff741(%rip),%r11 #
0x8bd4d32f778 <__retguard_2562>
0x000008bd4ce30037 <+7>: xor (%rsp),%r11
0x000008bd4ce3003b <+11>: push %rbp
0x000008bd4ce3003c <+12>: mov %rsp,%rbp
0x000008bd4ce3003f <+15>: mov %rdi,-0x8(%rbp)
0x000008bd4ce30043 <+19>: mov -0x8(%rbp),%rcx
0x000008bd4ce30047 <+23>: mov %rcx,%rax
=> 0x000008bd4ce3004a <+26>: add 0x10(%rcx),%rax
0x000008bd4ce3004e <+30>: pop %rbp
0x000008bd4ce3004f <+31>: xor (%rsp),%r11
0x000008bd4ce30053 <+35>: cmp 0x4ff71e(%rip),%r11 #
0x8bd4d32f778 <__retguard_2562>
0x000008bd4ce3005a <+42>: je 0x8bd4ce3006f
<_ZN10QArrayData4dataEv+63>
0x000008bd4ce30060 <+48>: int3
...
0x000008bd4ce3006f <+63>: retq
End of assembler dump.
(gdb) info registers
rax 0xdfdfdfdfdfdfdfdf -2314885530818453537
rbx 0x8bcfab7d200 9607753224704
rcx 0xdfdfdfdfdfdfdfdf -2314885530818453537
rdx 0x8bd81020240 9610006233664
rsi 0x0 0
rdi 0xdfdfdfdfdfdfdfdf -2314885530818453537
rbp 0x8bd09d09eb0 0x8bd09d09eb0
rsp 0x8bd09d09eb0 0x8bd09d09eb0
r8 0x8bd81020240 9610006233664
r9 0x8bd56ddb000 9609299210240
r10 0x8bdb889eea0 9610937888416
r11 0x1cf04888ceec81bf 2085246379896897983
r12 0x7b546758 2069129048
r13 0x1d 29
r14 0x8bda4e9ae80 9610608619136
r15 0x8bd7416c620 9609789490720
rip 0x8bd4ce3004a 0x8bd4ce3004a <QArrayData::data()+26>
eflags 0x10202 [ IF RF ]
cs 0x2b 43
ss 0x23 35
ds 0x23 35
es 0x23 35
fs 0x23 35
gs 0x23 35
fs_base <unavailable>
gs_base <unavailable>
To quote malloc(3) man page "freed chunks are filled with 0xdf."
https://man.openbsd.org/malloc
EXPECTED RESULT
Reliably working UI.
SOFTWARE/OS VERSIONS
OpenBSD: 7.2-current
KDE Plasma Version: n/a
KDE Frameworks Version: 5.101.0
Qt Version: 5.15.7
ADDITIONAL INFORMATION
--
You are receiving this mail because:
You are watching all bug changes.
