[Ktechlab-devel] Technical details about the crashes in 0.3 series KDE4 port

Zoltan Padrah zoltan.padrah at gmail.com
Sun May 24 16:22:34 UTC 2015


Hi,

Issues #1 and #2 are fixed in the latest revision of the porting branch
( https://github.com/ktechlab/ktechlab-0.3/tree/port-0.3.8-kde4-v1 ).
Also, this latest version should work with GPSim versions older than
0.26.


Issue #1 was fixed by changing the Qt3 compatibility-related
container Q3PtrDict to the current container QHash< KtlQCanvasItem *,
bool >. Apparently the Q3PtrDict had been abused (elements of
"(void*)1" had been inserted into it), and this seems to have caused
object corruption.

Issue #2 was actually unrelated to corruption: some Qt signals
were triggered while a document was being deleted, and these
signals were connected to slots on the document being destroyed.
Thus an incompletely destroyed document object was receiving signals, and
this was detected by Qt. The fix was to disconnect the relevant
signals in the document's destructor.


Issue #3 is still open.

Have fun,

 Zoltan


2015-05-16 22:32 GMT+03:00 Zoltan Padrah <zoltan.padrah at gmail.com>:
> Hi,
>
> I'm sending this email to possibly avoid debugging effort duplication
> by others, and to document my findings about crashes.
>
> # 1. crashes when the mouse pointer moves over an item on the circuit:
>
> This looks like some invalid assignment / reinterpretation of pointer
> to me. A KtlQCanvasPolygonalItem is created, but before crashing, it
> presents itself (when printed with qDebug() ) as an ECNode. Their
> common base class is QCanvasItem.  Maybe it is a vptr corruption. See
> a debug log and stack traces below. The invalid read happens because
> an ECNode is bigger than a KtlQCanvasPolygonalItem, thus it tries to
> read after the allocated region.
>
> I don't know where the invalid cast is taking place, unfortunately...
>
>
> created KtlQCanvasPolygonalItem at  KtlQCanvasItem(0xb083f420)
>    in canvas item:  KtlQCanvasItem(0xb083f420)
>    in canvas item:  KtlQCanvasItem(0xb083f420)
>    in canvas item:  KtlQCanvasItem(0xb083f420)
> test collides  KtlQCanvasItem(0x92c10c50, name =
> "KtlQCanvasRectangle")  with  KtlQCanvasItem(0xb083f420)
>    in canvas item:  KtlQCanvasItem(0xb083f420)
> test collides  KtlQCanvasItem(0x92c140d0, name =
> "KtlQCanvasRectangle")  with  KtlQCanvasItem(0xb083f420)
>    in canvas item:  KtlQCanvasItem(0xb083f420)
> test collides  KtlQCanvasItem(0x92c17550, name =
> "KtlQCanvasRectangle")  with  KtlQCanvasItem(0xb083f420)
>    in canvas item:  KtlQCanvasItem(0xb083f420)
> test collides  KtlQCanvasItem(0x92c1a500, name =
> "KtlQCanvasRectangle")  with  KtlQCanvasItem(0xb083f420)
>    in canvas item:  ECNode(0xb083f420)
> test collides  KtlQCanvasItem(0x92c21180, name =
> "KtlQCanvasRectangle")  with  ECNode(0xb083f420)
> =================================================================
> ==22136==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0xb083f488 at pc 0x081ad183 bp 0xbf96e448 sp 0xbf96e43c
> READ of size 4 at 0xb083f488 thread T0
>     #0 0x81ad182 in KtlQCanvasPolygon::areaPoints() const
> ktechlab-0.3/src/canvas.cpp:1773
>     #1 0x81a5dfa in collision_double_dispatch() ktechlab-0.3/src/canvas.cpp:1284
>     #2 0x819d04b in KtlQCanvasRectangle::collidesWith(KtlQCanvasItem
> const*) const ktechlab-0.3/src/canvas.cpp:1305
>     #3 0x81ad770 in KtlQCanvas::collisions(Q3PointArray const&,
> KtlQCanvasItem const*, bool) const  ktechlab-0.3/src/canvas.cpp:1376
>     #4 0x81ad98c in KtlQCanvasItem::collisions(bool) const
> ktechlab/ktechlab-0.3/src/canvas.cpp:1325
>     #5 0x81ada15 in KtlQCanvas::collisions(QRect const&)
> ktechlab-0.3/src/canvas.cpp:1338
>     #6 0x8136d88 in ItemDocument::itemAtTop(QPoint const&) const
> ktechlab-0.3/src/itemdocument.cpp:490
>     #7 0x80e9736 in CMManager::mouseMoveEvent(EventInfo const&)
> /ktechlab-0.3/src/canvasmanipulator.cpp:230
>     #8 0x8130a11 in ItemView::contentsMouseMoveEvent(QMouseEvent*)
> ktechlab-0.3/src/itemview.cpp:428
>     #9 0x8131f2e in CVBEditor::event(QEvent*) ktechlab-0.3/src/itemview.cpp:754
>
> 0xb083f488 is located 12 bytes to the right of 92-byte region
> [0xb083f420,0xb083f47c)
>
> allocated by thread T0 here:
>     #0 0xb72a314e in operator new(unsigned int)
> (/usr/lib/i386-linux-gnu/libasan.so.2+0x9314e)
>     #1 0x808cc1d in Connector::updateDrawList()
> ktechlab-0.3/src/connector.cpp:262
>     #2 0x815c270 in ICNDocument::rerouteInvalidatedConnectors()
> ktechlab-0.3/src/icndocument.cpp:778
>     #3 0xb4def0f6 in QMetaObject::activate(QObject*, QMetaObject
> const*, int, void**) (/usr/lib/i386-linux-gnu/libQtCore.so.4+0x18e0f6)
>     #4 0xb4e3f434 in QTimer::timeout()
> (/usr/lib/i386-linux-gnu/libQtCore.so.4+0x1de434)
>     #5 0xb56d47f3 in QApplicationPrivate::notify_helper(QObject*,
> QEvent*) (/usr/lib/i386-linux-gnu/libQtGui.so.4+0x1397f3)
>
>
>
> # 2. crashes / aborts because of assertion failure inside the circuit's
> moc object: probably it is the same type of problem as #1, but I have
> not started debugging it. A Qt assertion fails, probably because of
> corrupted pointers inside the application.
>
>
> # 3. The toolbars / toolviews don't show anything, and they don't work.
>
>  In katemdi.cpp, some (crazy?) combinations of VBox / HBox / QSlider
> widgets are placed in each other, and they should show the list of
> components. However, the list of components appears (as a small,
> garbage-like rectangle), but it is not doing anything. A pushbutton in
> the place of the component list is working properly: it appears, it
> redraws and it can be clicked. If you want to debug this, then
> consider enabling DiagnosticStyle in main.cpp -- it draws a rectangle
> around each widget, so it can be seen which widget is where.
> Maybe as an experiment, the component list should be instantiated
> separately, to see if the component list, or the HBox,VBox, QSlider is
> the source of this bug.
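An added example, not KTechLab's code, that reproduces the issue-#2 pattern from the reply in plain C++ (the `Signal` class, `rerouteTick` and `deleteDocument` are made-up stand-ins for Qt's signal machinery): a slot connected on the derived document still runs while the object is half-destroyed, and disconnecting in the destructor, as the fix describes, stops it.

```cpp
#include <algorithm>
#include <functional>
#include <string>
#include <utility>
#include <vector>

static std::vector<std::string> g_trace;  // records which slot implementation ran
// Hand-rolled stand-in for a Qt signal (assumption: not Qt itself); receivers
// are keyed by pointer so they can be disconnected, as with QObject::disconnect.
struct Signal {
    std::vector<std::pair<const void*, std::function<void()>>> slots;
    void connect(const void* r, std::function<void()> fn) { slots.emplace_back(r, std::move(fn)); }
    void disconnect(const void* r) {
        slots.erase(std::remove_if(slots.begin(), slots.end(),
                                   [&](const auto& s) { return s.first == r; }),
                    slots.end());
    }
    void emitSignal() {
        auto snapshot = slots;  // slots may change while a slot runs
        for (auto& s : snapshot) s.second();
    }
};

// Base document: something during its teardown (a simulated timer tick) fires the signal.
struct Document {
    Signal& rerouteTick;
    explicit Document(Signal& s) : rerouteTick(s) {}
    virtual ~Document() { rerouteTick.emitSignal(); }
    virtual void rerouteInvalidatedConnectors() { g_trace.push_back("Document slot"); }
};

// Derived document that connects its own slot. When ~Document runs, the ICNDocument part
// is already destroyed, so the virtual call lands in the base: a half-destroyed object receives the signal.
struct ICNDocument : Document {
    bool disconnectInDtor;
    ICNDocument(Signal& s, bool fix) : Document(s), disconnectInDtor(fix) {
        rerouteTick.connect(this, [d = static_cast<Document*>(this)] { d->rerouteInvalidatedConnectors(); });
    }
    ~ICNDocument() override {
        if (disconnectInDtor) rerouteTick.disconnect(this);  // the fix: disconnect in the destructor
    }
    void rerouteInvalidatedConnectors() override { g_trace.push_back("ICNDocument slot"); }
};
// Destroys a document and returns which slot implementations ran meanwhile.
std::vector<std::string> deleteDocument(bool applyFix) {
    g_trace.clear();
    Signal tick;
    { ICNDocument doc(tick, applyFix); }  // destroyed at the closing brace
    return g_trace;  // unfixed: {"Document slot"}; fixed: {}
}
```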