[Ktechlab-devel] Technical details about the crashes in 0.3 series KDE4 port

Zoltan Padrah zoltan.padrah at gmail.com
Sun May 31 08:16:50 UTC 2015


Hi,

Issue #3 has been caused by a Qt Widget subclass (ToolView) accidentally
overriding the virtual QWidget::setVisible() method. ToolView objects
contain the list of available components, the component properties pages,
and so on. Because of the unintended method overriding, the ToolViews have
entered into a not-defined state of being visible and not visible at the
same time: the most derived class ToolView had the information of not being
visible, while the QWidget parent class had the information of being
visible. Thus, strange behavior has resulted.

As a fix, I've renamed ToolView's setVisible() method to
setVisibleToolView(), and things started to work.

Best regards,

 Zoltan
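
The accidental-override mechanism described above, reduced to a stand-alone C++ sketch. This is an added example, not ktechlab or Qt code: `Widget` is a constructed stand-in for QWidget with one public virtual `setVisible()`, `BuggyToolView` reproduces the name clash, and `FixedToolView` applies the rename to `setVisibleToolView()` from the message.

```cpp
#include <iostream>

// Stand-in for QWidget, constructed for this example (not Qt's code): one
// public virtual setVisible() and the flag it maintains.
class Widget {
public:
    virtual ~Widget() = default;
    virtual void setVisible(bool visible) { widgetVisible_ = visible; }
    bool isVisible() const { return widgetVisible_; }
private:
    bool widgetVisible_ = false;
};

// The bug from the email: the subclass wanted its own "shown in the tool
// view area" flag, but by naming the method setVisible(bool) it overrides
// the base virtual. Every call through a Widget* (which is how a framework's
// show()/hide() machinery reaches it) now lands here and the base flag is
// never updated, so the two layers disagree about visibility.
class BuggyToolView : public Widget {
public:
    void setVisible(bool v) { toolViewVisible_ = v; }   // silently overrides Widget::setVisible
    bool toolViewVisible() const { return toolViewVisible_; }
private:
    bool toolViewVisible_ = false;
};

// The fix applied in the 0.3 port: a distinct name, so Widget::setVisible is
// untouched and the tool-view flag is a separate, explicit piece of state.
class FixedToolView : public Widget {
public:
    void setVisibleToolView(bool v) { toolViewVisible_ = v; }
    bool toolViewVisible() const { return toolViewVisible_; }
private:
    bool toolViewVisible_ = false;
};

// Drive the buggy class the way a framework would, through the base pointer,
// and report whether the widget flag and the tool-view flag disagree.
bool buggyStatesDiverge() {
    BuggyToolView tv;
    Widget* w = &tv;
    w->setVisible(true);                           // dispatches to BuggyToolView::setVisible
    return tv.toolViewVisible() != w->isVisible();  // true: tool view "visible", widget still hidden
}

// After the rename the same framework-style call reaches Widget::setVisible,
// and the tool-view flag changes only through the explicit call.
bool fixedStatesAgree() {
    FixedToolView tv;
    Widget* w = &tv;
    w->setVisible(true);
    tv.setVisibleToolView(true);
    return tv.toolViewVisible() == w->isVisible();
}

int main() {
    std::cout << "buggy diverges: " << buggyStatesDiverge() << '\n'
              << "fixed agrees:   " << fixedStatesAgree() << '\n';
}
```

Compiling with `-Wsuggest-override` (GCC and Clang) reports `BuggyToolView::setVisible` as a virtual override that does not say so, which is the cheapest way to catch this class of name clash against a base class you do not control.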


Zoltan Padrah <zoltan.padrah at gmail.com> wrote (Sunday, 24 May 2015):

> Hi,
>
> Issue #1 and #2 are fixed in the latest revision of the porting branch
> ( https://github.com/ktechlab/ktechlab-0.3/tree/port-0.3.8-kde4-v1 ).
> Also this latest version should work with GPSim version older than
> 0.26.
>
>
> Issue #1 has been fixed by changing the Qt3 compatibility-related
> container Q3PtrDict to the current container QHash< KtlQCanvasItem *,
> bool >. Apparently the Q3PtrDict has been abused (elements of "
> (void*)1 " have been inserted into it), and this seems to have caused
> object corruption.
>
> Issue #2 has been actually unrelated to corruption: some Qt signals
> have been triggered when a document has been being deleted, and these
> signals have been connected to slots on the document being destroyed.
> Thus a non-complete document object has been receiving signals, and
> this has been detected by Qt. The fix has been to disconnect relevant
> signals on the document's destructor.
>
>
> Issue #3 is still open.
>
> Have fun,
>
>  Zoltan
>
>
> 2015-05-16 22:32 GMT+03:00 Zoltan Padrah <zoltan.padrah at gmail.com>:
> > Hi,
> >
> > I'm sending this email to possibly avoid debugging effort duplication
> > by others, and to document my findings about crashes.
> >
> > # 1. crashes when the mouse pointer moves over an item on the circuit:
> >
> > This looks like some invalid assignment / reinterpretation of pointer
> > to me. A KtlQCanvasPolygonalItem is created, but before crashing, it
> > presents itself (when printed with qDebug() ) as an ECNode. Their
> > common base class is QCanvasItem.  Maybe it is a vptr corruption. See
> > a debug log and stack traces below. The invalid read happens because
> > an ECNode is bigger than a KtlQCanvasPolygonalItem, thus it tries to
> > read after the allocated region.
> >
> > I don't know where the invalid cast is taking place, unfortunately...
> >
> >
> > created KtlQCanvasPolygonalItem at  KtlQCanvasItem(0xb083f420)
> >    in canvas item:  KtlQCanvasItem(0xb083f420)
> >    in canvas item:  KtlQCanvasItem(0xb083f420)
> >    in canvas item:  KtlQCanvasItem(0xb083f420)
> > test collides  KtlQCanvasItem(0x92c10c50, name =
> > "KtlQCanvasRectangle")  with  KtlQCanvasItem(0xb083f420)
> >    in canvas item:  KtlQCanvasItem(0xb083f420)
> > test collides  KtlQCanvasItem(0x92c140d0, name =
> > "KtlQCanvasRectangle")  with  KtlQCanvasItem(0xb083f420)
> >    in canvas item:  KtlQCanvasItem(0xb083f420)
> > test collides  KtlQCanvasItem(0x92c17550, name =
> > "KtlQCanvasRectangle")  with  KtlQCanvasItem(0xb083f420)
> >    in canvas item:  KtlQCanvasItem(0xb083f420)
> > test collides  KtlQCanvasItem(0x92c1a500, name =
> > "KtlQCanvasRectangle")  with  KtlQCanvasItem(0xb083f420)
> >    in canvas item:  ECNode(0xb083f420)
> > test collides  KtlQCanvasItem(0x92c21180, name =
> > "KtlQCanvasRectangle")  with  ECNode(0xb083f420)
> > =================================================================
> > ==22136==ERROR: AddressSanitizer: heap-buffer-overflow on address
> > 0xb083f488 at pc 0x081ad183 bp 0xbf96e448 sp 0xbf96e43c
> > READ of size 4 at 0xb083f488 thread T0
> >     #0 0x81ad182 in KtlQCanvasPolygon::areaPoints() const
> > ktechlab-0.3/src/canvas.cpp:1773
> >     #1 0x81a5dfa in collision_double_dispatch()
> > ktechlab-0.3/src/canvas.cpp:1284
> >     #2 0x819d04b in KtlQCanvasRectangle::collidesWith(KtlQCanvasItem
> > const*) const ktechlab-0.3/src/canvas.cpp:1305
> >     #3 0x81ad770 in KtlQCanvas::collisions(Q3PointArray const&,
> > KtlQCanvasItem const*, bool) const  ktechlab-0.3/src/canvas.cpp:1376
> >     #4 0x81ad98c in KtlQCanvasItem::collisions(bool) const
> > ktechlab/ktechlab-0.3/src/canvas.cpp:1325
> >     #5 0x81ada15 in KtlQCanvas::collisions(QRect const&)
> > ktechlab-0.3/src/canvas.cpp:1338
> >     #6 0x8136d88 in ItemDocument::itemAtTop(QPoint const&) const
> > ktechlab-0.3/src/itemdocument.cpp:490
> >     #7 0x80e9736 in CMManager::mouseMoveEvent(EventInfo const&)
> > /ktechlab-0.3/src/canvasmanipulator.cpp:230
> >     #8 0x8130a11 in ItemView::contentsMouseMoveEvent(QMouseEvent*)
> > ktechlab-0.3/src/itemview.cpp:428
> >     #9 0x8131f2e in CVBEditor::event(QEvent*)
> > ktechlab-0.3/src/itemview.cpp:754
> >
> > 0xb083f488 is located 12 bytes to the right of 92-byte region
> > [0xb083f420,0xb083f47c)
> >
> > allocated by thread T0 here:
> >     #0 0xb72a314e in operator new(unsigned int)
> > (/usr/lib/i386-linux-gnu/libasan.so.2+0x9314e)
> >     #1 0x808cc1d in Connector::updateDrawList()
> > ktechlab-0.3/src/connector.cpp:262
> >     #2 0x815c270 in ICNDocument::rerouteInvalidatedConnectors()
> > ktechlab-0.3/src/icndocument.cpp:778
> >     #3 0xb4def0f6 in QMetaObject::activate(QObject*, QMetaObject
> > const*, int, void**) (/usr/lib/i386-linux-gnu/libQtCore.so.4+0x18e0f6)
> >     #4 0xb4e3f434 in QTimer::timeout()
> > (/usr/lib/i386-linux-gnu/libQtCore.so.4+0x1de434)
> >     #5 0xb56d47f3 in QApplicationPrivate::notify_helper(QObject*,
> > QEvent*) (/usr/lib/i386-linux-gnu/libQtGui.so.4+0x1397f3)
> >
> >
> >
> > # 2. crashes / aborts because of assertion failure inside the circuit's
> > moc object: probably it is the same type of problem as #1, but I have
> > not started debugging it. A Qt assertion fails, probably because of
> > corrupted pointers inside the application.
> >
> >
> > # 3. The toolbars / toolviews don't show anything, and they don't work.
> >
> >  In katemdi.cpp, some (crazy?) combinations of VBox / HBox / QSlider
> > widgets are placed in each other, and they should show the list of
> > components. However, the list of components appears (as a small,
> > garbage-like rectangle), but it is not doing anything. A pushbutton in
> > the place of the component list is working properly: it appears, it
> > redraws and it can be clicked. If you want to debug this, then
> > consider enabling DiagnosticStyle in main.cpp -- it draws a rectangle
> > around each widget, so it can be seen which widget is where.
> > Maybe as an experiment, the component list should be instantiated
> > separately, to see if the component list, or the HBox,VBox, QSlider is
> > the source of this bug.
>
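
The two memory-safety points from the quoted messages, as an added C++ example that is not ktechlab code: the heap-buffer-overflow from issue #1 (a KtlQCanvasPolygonalItem reached through a pointer treated as the larger ECNode type, so field access runs past the 92-byte allocation) and the Q3PtrDict replaced by a typed `QHash<KtlQCanvasItem*, bool>`. `CanvasItem`, `PolygonalItem`, `ECNode`, `asECNode`, `totalConnectors`, `ItemFlags` and `markColliding` are constructed stand-ins; `std::unordered_map` plays the role of `QHash` so the block runs without Qt.

```cpp
#include <cstddef>
#include <iostream>
#include <unordered_map>
#include <vector>

// Constructed stand-ins for the ktechlab canvas classes (not the project's
// code). ECNode and PolygonalItem are siblings under CanvasItem, as in the
// email, and ECNode is deliberately the larger object.
struct CanvasItem {
    virtual ~CanvasItem() = default;
};

struct PolygonalItem : CanvasItem {
    std::vector<int> areaPoints{0, 0, 10, 0, 10, 10};
};

struct ECNode : CanvasItem {
    int connectorCount = 3;
    int extraState[16] = {};
};

// Checked downcast. dynamic_cast consults the object's real type and yields
// nullptr for anything that is not an ECNode. A static_cast or C-style cast
// of a PolygonalItem* to ECNode* compiles just as happily, but reading
// connectorCount through it would read past the PolygonalItem allocation:
// the heap-buffer-overflow pattern AddressSanitizer reported.
ECNode* asECNode(CanvasItem* item) {
    return dynamic_cast<ECNode*>(item);
}

// Sum connectors over the items that really are ECNodes; other items are
// skipped instead of being misinterpreted.
int totalConnectors(const std::vector<CanvasItem*>& items) {
    int total = 0;
    for (CanvasItem* it : items)
        if (ECNode* node = asECNode(it)) total += node->connectorCount;
    return total;
}

// Typed replacement for the abused Q3PtrDict: the key is a CanvasItem
// pointer and the value is a bool, so there is no way to store a sentinel
// such as (void*)1 and later have it dereferenced or misread.
using ItemFlags = std::unordered_map<const CanvasItem*, bool>;

// Flag every item in the scene, true for those in the collision set.
ItemFlags markColliding(const std::vector<CanvasItem*>& items,
                        const std::vector<CanvasItem*>& colliding) {
    ItemFlags flags;
    for (CanvasItem* it : items) flags[it] = false;
    for (CanvasItem* c : colliding) flags[c] = true;
    return flags;
}

std::size_t countFlagged(const ItemFlags& flags) {
    std::size_t n = 0;
    for (const auto& kv : flags)
        if (kv.second) ++n;
    return n;
}

int main() {
    PolygonalItem poly;
    ECNode node;
    std::vector<CanvasItem*> items{&poly, &node};
    std::cout << "sizeof(PolygonalItem)=" << sizeof(PolygonalItem)
              << " sizeof(ECNode)=" << sizeof(ECNode) << '\n';
    std::cout << "poly is ECNode? " << (asECNode(&poly) != nullptr) << '\n';
    std::cout << "connectors: " << totalConnectors(items) << '\n';
    std::cout << "flagged: " << countFlagged(markColliding(items, {&node})) << '\n';
}
```

Building with `-fsanitize=address`, as the quoted report shows, is what turns the wrong-type read into an immediate, attributable error rather than a vptr that silently changes name in the debug log.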