Re: Review Request 126725: prevent crash-on-exit in KSelectAction::~KSelectAction

[René J . V . Bertin]

> On Jan. 12, 2016, 10:49 p.m., David Faure wrote:
> > Can I see the backtrace, with a description of how this gets triggered? I'm 
> > not sure the issue is fully understood (as shown by the use of "might" in 
> > the description...).
> > 
> > Is the action being destroyed by clicking into a submenu of the action? 
> > Otherwise I don't get the relation with the fix.
> 
> René J.V. Bertin wrote:
>     A CrashReporter backtrace I still had logged:
>     
>     ```
>     Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
>     Exception Codes: EXC_I386_GPFLT
>     
>     Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
>     0   org.qt-project.QtCore                 0x000000010cbac886 
> QObject::property(char const*) const + 150 (qlist.h:105)
>     1   libqcocoa.dylib                       0x000000011189e37a 
> QCocoaMenuItem::~QCocoaMenuItem() + 58 (qcocoamenuitem.mm:109)
>     2   libqcocoa.dylib                       0x000000011189e52e 
> QCocoaMenuItem::~QCocoaMenuItem() + 14 (qcocoamenuitem.mm:106)
>     3   org.qt-project.QtWidgets              0x000000010b2989bd 
> QMenu::actionEvent(QActionEvent*) + 749 (qmenu.cpp:3224)
>     4   org.qt-project.QtWidgets              0x000000010b1643d0 
> QWidget::event(QEvent*) + 1232 (qwidget.cpp:9044)
>     5   org.qt-project.QtWidgets              0x000000010b296bdc 
> QMenu::event(QEvent*) + 1164 (qmenu.cpp:2678)
>     6   org.qt-project.QtWidgets              0x000000010b12653b 
> QApplicationPrivate::notify_helper(QObject*, QEvent*) + 251 
> (qapplication.cpp:3716)
>     7   org.qt-project.QtWidgets              0x000000010b1298f4 
> QApplication::notify(QObject*, QEvent*) + 8212 (qapplication.cpp:3681)
>     8   org.qt-project.QtCore                 0x000000010cb7b433 
> QCoreApplication::notifyInternal(QObject*, QEvent*) + 115 (qthread_p.h:291)
>     9   org.qt-project.QtWidgets              0x000000010b1582ed 
> QWidget::removeAction(QAction*) + 125 (qcoreapplication.h:224)
>     10  org.qt-project.QtWidgets              0x000000010b11c711 
> QAction::~QAction() + 97 (qaction.cpp:566)
>     11  org.qt-project.QtWidgets              0x000000010b16d16c 
> QWidgetAction::~QWidgetAction() + 444 (qwidgetaction.cpp:122)
>     12  libKF5WidgetsAddons.5.dylib           0x000000010acddd80 
> KSelectAction::~KSelectAction() + 64 (kselectaction.cpp:99)
>     13  org.qt-project.QtCore                 0x000000010cba3d75 
> QObjectPrivate::deleteChildren() + 245 (qobject.cpp:1943)
>     14  org.qt-project.QtWidgets              0x000000010b153ee1 
> QWidget::~QWidget() + 1441 (qwidget.cpp:1658)
>     15                                        0x00000001093c16bb Bin::~Bin() 
> + 1067 (bin.cpp:456)
>     16                                        0x00000001093c181e Bin::~Bin() 
> + 14 (bin.cpp:438)
>     17                                        0x0000000109443d3e 
> Core::~Core() + 62 (core.cpp:43)
>     18                                        0x000000010940c95f 
> MainWindow::~MainWindow() + 207 (mainwindow.cpp:549)
>     19                                        0x000000010940cd45 
> MainWindow::~MainWindow() + 21 (mainwindow.cpp:542)
>     20  org.qt-project.QtCore                 0x000000010cba4748 
> QObject::event(QEvent*) + 776 (qobject.cpp:4455)
>     21  org.qt-project.QtWidgets              0x000000010b164d26 
> QWidget::event(QEvent*) + 3622 (qwidget.cpp:9105)
>     22  org.qt-project.QtWidgets              0x000000010b26c45f 
> QMainWindow::event(QEvent*) + 911 (qmainwindow.cpp:1495)
>     23  libKF5XmlGui.5.dylib                  0x000000010a81e810 
> KMainWindow::event(QEvent*) + 624 (kmainwindow.cpp:829)
>     24  libKF5XmlGui.5.dylib                  0x000000010a856398 
> KXmlGuiWindow::event(QEvent*) + 24 (kxmlguiwindow.cpp:118)
>     25  org.qt-project.QtWidgets              0x000000010b12653b 
> QApplicationPrivate::notify_helper(QObject*, QEvent*) + 251 
> (qapplication.cpp:3716)
>     26  org.qt-project.QtWidgets              0x000000010b1298f4 
> QApplication::notify(QObject*, QEvent*) + 8212 (qapplication.cpp:3681)
>     27  org.qt-project.QtCore                 0x000000010cb7c0db 
> QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) + 971 
> (qthread_p.h:291)
>     28  org.qt-project.QtCore                 0x000000010cb7ba2c 
> QCoreApplication::exec() + 412 (qcoreapplication.cpp:1240)
>     29                                        0x00000001093f3761 main + 10257 
> (main.cpp:118)
>     30  libdyld.dylib                         0x00007fff8508c5fd start + 1
>     ```
>     
>     When I say crash-on-exit, I mean that the crash occurs after selecting 
> the Quit menu item, or closing the main window.

Here's a backtrace obtained in the debugger:

```
* thread #1: tid = 0x3727c3, 0x0000000103c4e886 QtCore`QObject::property(char 
const*) const [inlined] QListData::size() const + 4 at qlist.h:105, queue = 
'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
    frame #0: 0x0000000103c4e886 QtCore`QObject::property(char const*) const 
[inlined] QListData::size() const + 4 at qlist.h:105
   102      void remove(int i);
   103      void remove(int i, int n);
   104      void move(int from, int to);
-> 105      inline int size() const { return d->end - d->begin; }
   106      inline bool isEmpty() const { return d->end  == d->begin; }
   107      inline void **at(int i) const { return d->array + d->begin + i; }
   108      inline void **begin() const { return d->array + d->begin; }
(lldb) bt
* thread #1: tid = 0x3727c3, 0x0000000103c4e886 QtCore`QObject::property(char 
const*) const [inlined] QListData::size() const + 4 at qlist.h:105, queue = 
'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
  * frame #0: 0x0000000103c4e886 QtCore`QObject::property(char const*) const 
[inlined] QListData::size() const + 4 at qlist.h:105
    frame #1: 0x0000000103c4e882 QtCore`QObject::property(char const*) const 
[inlined] QList<QByteArray>::indexOf(this=0x0000000118b9a1c0, 
t=0x0000000118b9a1c0, from=<unavailable>) const at qlist.h:940
    frame #2: 0x0000000103c4e882 QtCore`QObject::property(this=<unavailable>, 
name=0x000000010af1799a) const + 146 at qobject.cpp:3884
    frame #3: 0x000000010ae9e37a 
libqcocoa.dylib`QCocoaMenuItem::~QCocoaMenuItem(this=0x00000001069bd9d0) + 58 
at qcocoamenuitem.mm:109
    frame #4: 0x000000010ae9e52e 
libqcocoa.dylib`QCocoaMenuItem::~QCocoaMenuItem() [inlined] 
QCocoaMenuItem::~QCocoaMenuItem(this=0x00000001069bd9d0) + 14 at 
qcocoamenuitem.mm:106
    frame #5: 0x000000010ae9e529 
libqcocoa.dylib`QCocoaMenuItem::~QCocoaMenuItem(this=0x00000001069bd9d0) + 9 at 
qcocoamenuitem.mm:106
    frame #6: 0x00000001022339bd 
QtWidgets`QMenu::actionEvent(this=0x00000001069bce00, e=<unavailable>) + 749 at 
qmenu.cpp:3224
    frame #7: 0x00000001020ff3d0 
QtWidgets`QWidget::event(this=0x00000001069bce00, event=0x00007fff5fbfde30) + 
1232 at qwidget.cpp:9044
    frame #8: 0x0000000102231bdc 
QtWidgets`QMenu::event(this=0x00000001069bce00, e=0x00007fff5fbfde30) + 1164 at 
qmenu.cpp:2678
    frame #9: 0x00000001020c153b 
QtWidgets`QApplicationPrivate::notify_helper(this=<unavailable>, 
receiver=0x00000001069bce00, e=0x00007fff5fbfde30) + 251 at 
qapplication.cpp:3716
    frame #10: 0x00000001020c48f4 
QtWidgets`QApplication::notify(this=<unavailable>, receiver=<unavailable>, 
e=<unavailable>) + 8212 at qapplication.cpp:3681
    frame #11: 0x0000000103c1d433 
QtCore`QCoreApplication::notifyInternal(this=<unavailable>, 
receiver=<unavailable>, event=<unavailable>) + 115 at qcoreapplication.cpp:970
    frame #12: 0x00000001020f32ed QtWidgets`QWidget::removeAction(QAction*) 
[inlined] QCoreApplication::sendEvent(receiver=<unavailable>, 
event=0x00000001037c1480) + 125 at qcoreapplication.h:224
    frame #13: 0x00000001020f32ce 
QtWidgets`QWidget::removeAction(this=<unavailable>, action=0x0000000106a7eff0) 
+ 94 at qwidget.cpp:3317
    frame #14: 0x00000001020b7711 
QtWidgets`QAction::~QAction(this=0x0000000106a7eff0) + 97 at qaction.cpp:568
    frame #15: 0x000000010210816c 
QtWidgets`QWidgetAction::~QWidgetAction(this=0x0000000106a7eff0) + 444 at 
qwidgetaction.cpp:122
    frame #16: 0x0000000101db9d80 
libKF5WidgetsAddons.5.dylib`KSelectAction::~KSelectAction() [inlined] 
KSelectAction::~KSelectAction(this=0x0000000106a7eff0) + 64 at 
kselectaction.cpp:107
    frame #17: 0x0000000101db9d49 
libKF5WidgetsAddons.5.dylib`KSelectAction::~KSelectAction() [inlined] 
KSelectAction::~KSelectAction(this=0x0000000106a7eff0) at kselectaction.cpp:99
    frame #18: 0x0000000101db9d49 
libKF5WidgetsAddons.5.dylib`KSelectAction::~KSelectAction(this=0x0000000106a7eff0)
 + 9 at kselectaction.cpp:99
    frame #19: 0x0000000103c45d75 
QtCore`QObjectPrivate::deleteChildren(this=0x0000000106a78e30) + 245 at 
qobject.cpp:1946
    frame #20: 0x00000001020eeee1 
QtWidgets`QWidget::~QWidget(this=0x0000000106a78c80) + 1441 at qwidget.cpp:1658
    frame #21: 0x0000000100363e6b kdenlive`Bin::~Bin(this=0x0000000106a78c80) + 
1067 at bin.cpp:458
    frame #22: 0x0000000100363fce kdenlive`Bin::~Bin() [inlined] 
Bin::~Bin(this=0x0000000106a78c80) + 14 at bin.cpp:440
    frame #23: 0x0000000100363fc9 kdenlive`Bin::~Bin(this=0x0000000106a78c80) + 
9 at bin.cpp:440
    frame #24: 0x00000001003e8bed kdenlive`Core::~Core() [inlined] 
Core::~Core(this=0x0000000106a6ba60) + 68 at core.cpp:47
    frame #25: 0x00000001003e8ba9 kdenlive`Core::~Core() [inlined] 
Core::~Core(this=0x0000000106a6ba60) at core.cpp:43
    frame #26: 0x00000001003e8ba9 kdenlive`Core::~Core(this=0x0000000106a6ba60) 
+ 9 at core.cpp:43
    frame #27: 0x00000001003bbb8f 
kdenlive`MainWindow::~MainWindow(this=0x0000000106b4df40, 
vtt=0x00000001004e1850) + 207 at mainwindow.cpp:614
    frame #28: 0x00000001003bbf75 kdenlive`MainWindow::~MainWindow() [inlined] 
MainWindow::~MainWindow(this=0x0000000106b4df40) + 12 at mainwindow.cpp:608
    frame #29: 0x00000001003bbf69 
kdenlive`MainWindow::~MainWindow(this=0x0000000106b4df40) + 9 at 
mainwindow.cpp:608
    frame #30: 0x0000000103c46748 QtCore`QObject::event(QEvent*) [inlined] 
qDeleteInEventHandler(o=0x0000000106b4df40) + 14 at qobject.cpp:4455
    frame #31: 0x0000000103c4673a 
QtCore`QObject::event(this=0x0000000106b4df40, e=<unavailable>) + 762 at 
qobject.cpp:1230
    frame #32: 0x00000001020ffd26 
QtWidgets`QWidget::event(this=0x0000000106b4df40, event=0x00000001236a90d0) + 
3622 at qwidget.cpp:9105
    frame #33: 0x000000010220745f 
QtWidgets`QMainWindow::event(this=0x0000000106b4df40, event=0x00000001236a90d0) 
+ 911 at qmainwindow.cpp:1495
    frame #34: 0x0000000101925810 
libKF5XmlGui.5.dylib`KMainWindow::event(this=0x0000000106b4df40, 
ev=0x00000001236a90d0) + 624 at kmainwindow.cpp:829
    frame #35: 0x000000010195d398 
libKF5XmlGui.5.dylib`KXmlGuiWindow::event(this=0x0000000106b4df40, 
ev=0x00000001236a90d0) + 24 at kxmlguiwindow.cpp:118
    frame #36: 0x00000001020c153b 
QtWidgets`QApplicationPrivate::notify_helper(this=<unavailable>, 
receiver=0x0000000106b4df40, e=0x00000001236a90d0) + 251 at 
qapplication.cpp:3716
    frame #37: 0x00000001020c48f4 
QtWidgets`QApplication::notify(this=<unavailable>, receiver=<unavailable>, 
e=<unavailable>) + 8212 at qapplication.cpp:3681
    frame #38: 0x0000000103c1e0db 
QtCore`QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) 
[inlined] QCoreApplication::notifyInternal(this=<unavailable>, 
receiver=<unavailable>, event=<unavailable>) + 95 at qcoreapplication.cpp:970
    frame #39: 0x0000000103c1e07c 
QtCore`QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) 
[inlined] QCoreApplication::sendEvent(receiver=<unavailable>, 
event=0x00000001236a90d0) + 28 at qcoreapplication.h:224
    frame #40: 0x0000000103c1e060 
QtCore`QCoreApplicationPrivate::sendPostedEvents(receiver=0x0000000000000000, 
event_type=0, data=0x0000000106a00e70) + 848 at qcoreapplication.cpp:1598
    frame #41: 0x0000000103c1da2c QtCore`QCoreApplication::exec() + 412 at 
qcoreapplication.cpp:1240
    frame #42: 0x00000001003a13b1 kdenlive`main(argc=1, argv=<unavailable>) + 
9841 at main.cpp:126
    frame #43: 0x00007fff8508c5fd libdyld.dylib`start + 1
    frame #44: 0x00007fff8508c5fd libdyld.dylib`start + 1
```


> On Jan. 12, 2016, 10:49 p.m., David Faure wrote:
> > src/kselectaction.cpp, line 101
> > <https://git.reviewboard.kde.org/r/126725/diff/1/?file=430463#file430463line101>
> >
> >     This seems unnecessary and wasteful (it sends an ActionChanged event). 
> > You're not deleting the menu right now anyway, you're using deleteLater. So 
> > the action will be gone before the menu is deleted, therefore the action 
> > will never have a dangling pointer to the menu.
> 
> René J.V. Bertin wrote:
>     It's almost impossible to debug this kind of situation because an 
> interactive debugging session will alter the event flow. It does look like 
> we're dealing only with Qt events here, no pending native events that get 
> delivered to ObjC objects.
>     Doesn't the menu have its parent set to the action (KSelectAction), and 
> if so, will that relationship be broken when the action gets deleted? Because 
> if not, it's the menu that could have a dangling pointer to the action, no?
>     Also, remember that using deleteLater isn't required to prevent the 
> systematic crash-on-exit. I suppose I could try to see if deleting the d-ptr 
> last is the most important change here.

So...

- `delete menu() ; delete d_ptr;` crashes just as hard as `delete d_ptr ; 
delete menu();`
- a `delete menu();` doesn't crash after a preceding `setMenu(Q_NULLPTR);`
- `if(m) m->deleteLater();` *without* `setMenu(Q_NULLPTR);` _doesn't_ crash (at 
least not all the time).

I think that really means that the safest workaround will be the implementation 
I submitted. We can of course try to use either setMenu+delete or else 
deleteLater on its own and go from there if a sufficiently repeatable crasher 
represents itself.


- René J.V.


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/126725/#review90980
-----------------------------------------------------------


On Jan. 12, 2016, 2:14 p.m., René J.V. Bertin wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://git.reviewboard.kde.org/r/126725/
> -----------------------------------------------------------
> 
> (Updated Jan. 12, 2016, 2:14 p.m.)
> 
> 
> Review request for KDE Frameworks and Christoph Feck.
> 
> 
> Repository: kwidgetsaddons
> 
> 
> Description
> -------
> 
> I was seeing a systematic crash on exitting kdenlive5, on OS X deep under the 
> `delete menu()` instruction in `KSelectAction::~KSelectAction`. The backtrace 
> suggested this might be due to a pending event (or an event due to the menu 
> deletion) being delivered post-mortem to an instance of a QMenu related class.
> 
> My fix is based on 3 principles:
> 1) release the "foreign" member instance (`menu()`) before releasing the own 
> d-ptr
> 2) Remove the QMenu instance from ourselves before deleting it to have one 
> less potential dangling reference to it
> 3) QMenu is a QObject descendent that corresponds to a UI element: on OS X it 
> is safer to dispose these through `deleteLater()` rather than directly.
> 
> 
> Diffs
> -----
> 
>   src/kselectaction.cpp 1381099 
> 
> Diff: https://git.reviewboard.kde.org/r/126725/diff/
> 
> 
> Testing
> -------
> 
> On OS X 10.9.5, Qt 5.5.1 and KF5 Frameworks 5.16.0, built for installation 
> under /opt/local .
> 
> It seems that points 1) and 2) above already solve the crash issue in 
> kdenlive on OS X, but the general principle stands so I suggest keeping 3) in 
> library code like this.
> 
> 
> Thanks,
> 
> René J.V. Bertin
> 
>


_______________________________________________
Kde-frameworks-devel mailing list
Kde-frameworks-devel@kde.org
https://mail.kde.org/mailman/listinfo/kde-frameworks-devel