[Kde-imaging] [Bug 283321] photolayoutseditor crashes on exit

Kevin Kofler kevin.kofler at chello.at
Tue Oct 4 21:33:04 UTC 2011


https://bugs.kde.org/show_bug.cgi?id=283321


Kevin Kofler <kevin.kofler at chello.at> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kevin.kofler at chello.at




--- Comment #2 from Kevin Kofler <kevin kofler chello at>  2011-10-04 21:33:04 ---
So the source of the crash appears to be this use-after-free bug:

==1363== Invalid read of size 4
==1363==    at 0x809C41F: KIPIPhotoLayoutsEditor::AbstractPhoto::refresh()
(AbstractPhoto.cpp:515)
==1363==    by 0x80BB797:
KIPIPhotoLayoutsEditor::PhotoEffectsGroup::emitEffectsChanged(KIPIPhotoLayoutsEditor::AbstractPhotoEffectInterface*)
(PhotoEffectsGroup.cpp:369)
==1363==    by 0x80BC145:
KIPIPhotoLayoutsEditor::PhotoEffectsGroup::removeRows(int, int, QModelIndex
const&) (PhotoEffectsGroup.cpp:360)
==1363==    by 0x80E9933:
KIPIPhotoLayoutsEditor::AbstractItemsListViewTool::chooserCancelled()
(qabstractitemmodel.h:319)
==1363==    by 0xFFFFFFFE: ???
==1363==  Address 0x7ba34a0 is 16 bytes inside a block of size 48 free'd
==1363==    at 0x4029B7D: operator delete(void*) (vg_replace_malloc.c:387)
==1363==    by 0x80A193A: KIPIPhotoLayoutsEditor::PhotoItem::~PhotoItem()
(PhotoItem.cpp:198)
==1363==    by 0x535C8E4: QGraphicsScene::clear() (in
/usr/lib/libQtGui.so.4.8.0)
==1363==    by 0x535C95F: QGraphicsScene::~QGraphicsScene() (in
/usr/lib/libQtGui.so.4.8.0)
==1363==    by 0x8082C63: KIPIPhotoLayoutsEditor::Scene::~Scene()
(Scene.cpp:528)
==1363==    by 0x8082CB2: KIPIPhotoLayoutsEditor::Scene::~Scene()
(Scene.cpp:531)
==1363==    by 0x5B01E51: QObjectPrivate::deleteChildren() (in
/usr/lib/libQtCore.so.4.8.0)
==1363==    by 0x4D0E32B: QWidget::~QWidget() (in /usr/lib/libQtGui.so.4.8.0)
==1363==    by 0x512C14F: QFrame::~QFrame() (in /usr/lib/libQtGui.so.4.8.0)
==1363==    by 0x51BFF34: QAbstractScrollArea::~QAbstractScrollArea() (in
/usr/lib/libQtGui.so.4.8.0)
==1363==    by 0x5392FF5: QGraphicsView::~QGraphicsView() (in
/usr/lib/libQtGui.so.4.8.0)
==1363==    by 0x8075DE5: KIPIPhotoLayoutsEditor::Canvas::~Canvas()
(Canvas.cpp:78)

Valgrind continues execution from there because it keeps freed blocks reserved
so it can track use-after-free bugs, and thus the access doesn't cause a
segfault right away, and the code hits a NULL pointer dereference later. But
outside of Valgrind, the above is the fatal bug.
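The trace above shows the general shape of a teardown-order use-after-free: an owner (the scene) deletes an object while a second component (the effects group) still holds a raw pointer to it, and a late callback dereferences that pointer. The following C++ is an added illustration, not code from the kipi-plugins project or from the reporter; `Photo`, `Scene`, `RawEffectsGroup` and `EffectsGroup` are hypothetical stand-ins for the `PhotoItem`, `QGraphicsScene`, and `PhotoEffectsGroup` roles in the trace. It generalizes the fix beyond this one case: the observer keeps a non-owning `std::weak_ptr` that can only be promoted while the target is alive, so a callback that fires after the owner has freed the object is dropped instead of reading freed memory.

```cpp
#include <cassert>
#include <memory>
#include <utility>
#include <vector>

// Added illustration of the teardown-order bug in the Valgrind trace, using
// hypothetical stand-ins (Photo, Scene, EffectsGroup); not the project's classes.

class Photo {
public:
    void refresh() { ++refreshCount; }   // the AbstractPhoto::refresh() role
    int refreshCount = 0;
};

// Owner of the photos. Like QGraphicsScene::clear() in the trace, clearing or
// destroying the scene destroys every item it holds.
class Scene {
public:
    std::shared_ptr<Photo> addPhoto() {
        items_.push_back(std::make_shared<Photo>());
        return items_.back();
    }
    void clear() { items_.clear(); }   // drops the last owning reference
private:
    std::vector<std::shared_ptr<Photo>> items_;
};

// The shape of the bug: the observer keeps a raw pointer that nothing clears
// when the Scene deletes the Photo. Calling emitEffectsChanged() after
// Scene::clear() is the "Invalid read ... inside a block ... free'd" that
// Valgrind reports. Shown for contrast; it is only ever called while alive here.
class RawEffectsGroup {
public:
    explicit RawEffectsGroup(Photo* target) : target_(target) {}
    void emitEffectsChanged() { target_->refresh(); }   // dangles after teardown
private:
    Photo* target_;
};

// Hardened form: a non-owning weak_ptr that can only be promoted while the
// Photo is alive, so a late callback is dropped instead of touching freed memory.
class EffectsGroup {
public:
    explicit EffectsGroup(std::weak_ptr<Photo> target) : target_(std::move(target)) {}
    // Returns true if the target was alive and refreshed, false if it was gone.
    bool emitEffectsChanged() {
        if (auto photo = target_.lock()) {
            photo->refresh();
            return true;
        }
        ++dropped_;
        return false;
    }
    int droppedEvents() const { return dropped_; }
private:
    std::weak_ptr<Photo> target_;
    int dropped_ = 0;
};

struct TeardownResult {
    int refreshesBeforeClear;
    bool refreshedAfterClear;
    int dropped;
};

// Replays the ordering from the trace: the group is notified once while the
// scene is intact, the scene tears down its items, then a late callback
// (the chooserCancelled() frame in the trace) fires on the group again.
TeardownResult lateCallbackAfterTeardown() {
    Scene scene;
    std::shared_ptr<Photo> photo = scene.addPhoto();
    EffectsGroup group(photo);       // converts to weak_ptr; no ownership taken
    group.emitEffectsChanged();
    int before = photo->refreshCount;
    photo.reset();                   // release the local handle; scene is sole owner
    scene.clear();                   // the ~PhotoItem step in the trace
    bool after = group.emitEffectsChanged();   // would be the invalid read; now skipped
    return {before, after, group.droppedEvents()};
}

// The raw-pointer observer is fine as long as the owner has not freed the target.
int rawObserverWhileAlive() {
    Scene scene;
    std::shared_ptr<Photo> photo = scene.addPhoto();
    RawEffectsGroup group(photo.get());
    group.emitEffectsChanged();
    return photo->refreshCount;
}

int main() {
    TeardownResult r = lateCallbackAfterTeardown();
    bool ok = r.refreshesBeforeClear == 1 && !r.refreshedAfterClear && r.dropped == 1
              && rawObserverWhileAlive() == 1;
    return ok ? 0 : 1;
}
```

The same discipline applies whichever mechanism the code base uses: either the owned object unregisters itself from every observer in its destructor, or observers hold a handle that is invalidated on destruction (in Qt, `QPointer` provides that auto-nulling for `QObject`-derived targets). Running the binary under Valgrind or AddressSanitizer during teardown is the check that catches the remaining raw-pointer paths.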
