[Ktechlab-devel] Technical details about the crashes in 0.3 series KDE4 port

Zoltan Padrah zoltan.padrah at gmail.com
Sat May 16 19:32:47 UTC 2015


Hi,

I'm sending this email to possibly avoid debugging effort duplication
by others, and to document my findings about crashes.

# 1. crashes when the mouse pointer moves over an item on the circuit:

This looks like some invalid assignment / reinterpretation of pointer
to me. A KtlQCanvasPolygonalItem is created, but before crashing, it
presents itself (when printed with qDebug() ) as an ECNode. Their
common base class is QCanvasItem.  Maybe it is a vptr corruption. See
a debug log and stack traces below. The invalid read happens because
an ECNode is bigger than a KtlQCanvasPolygonalItem, thus it tries to
read after the allocated region.

I don't know where the invalid cast is taking place, unfortunately...


created KtlQCanvasPolygonalItem at  KtlQCanvasItem(0xb083f420)
   in canvas item:  KtlQCanvasItem(0xb083f420)
   in canvas item:  KtlQCanvasItem(0xb083f420)
   in canvas item:  KtlQCanvasItem(0xb083f420)
test collides  KtlQCanvasItem(0x92c10c50, name =
"KtlQCanvasRectangle")  with  KtlQCanvasItem(0xb083f420)
   in canvas item:  KtlQCanvasItem(0xb083f420)
test collides  KtlQCanvasItem(0x92c140d0, name =
"KtlQCanvasRectangle")  with  KtlQCanvasItem(0xb083f420)
   in canvas item:  KtlQCanvasItem(0xb083f420)
test collides  KtlQCanvasItem(0x92c17550, name =
"KtlQCanvasRectangle")  with  KtlQCanvasItem(0xb083f420)
   in canvas item:  KtlQCanvasItem(0xb083f420)
test collides  KtlQCanvasItem(0x92c1a500, name =
"KtlQCanvasRectangle")  with  KtlQCanvasItem(0xb083f420)
   in canvas item:  ECNode(0xb083f420)
test collides  KtlQCanvasItem(0x92c21180, name =
"KtlQCanvasRectangle")  with  ECNode(0xb083f420)
=================================================================
==22136==ERROR: AddressSanitizer: heap-buffer-overflow on address
0xb083f488 at pc 0x081ad183 bp 0xbf96e448 sp 0xbf96e43c
READ of size 4 at 0xb083f488 thread T0
    #0 0x81ad182 in KtlQCanvasPolygon::areaPoints() const
ktechlab-0.3/src/canvas.cpp:1773
    #1 0x81a5dfa in collision_double_dispatch() ktechlab-0.3/src/canvas.cpp:1284
    #2 0x819d04b in KtlQCanvasRectangle::collidesWith(KtlQCanvasItem
const*) const ktechlab-0.3/src/canvas.cpp:1305
    #3 0x81ad770 in KtlQCanvas::collisions(Q3PointArray const&,
KtlQCanvasItem const*, bool) const  ktechlab-0.3/src/canvas.cpp:1376
    #4 0x81ad98c in KtlQCanvasItem::collisions(bool) const
ktechlab/ktechlab-0.3/src/canvas.cpp:1325
    #5 0x81ada15 in KtlQCanvas::collisions(QRect const&)
ktechlab-0.3/src/canvas.cpp:1338
    #6 0x8136d88 in ItemDocument::itemAtTop(QPoint const&) const
ktechlab-0.3/src/itemdocument.cpp:490
    #7 0x80e9736 in CMManager::mouseMoveEvent(EventInfo const&)
/ktechlab-0.3/src/canvasmanipulator.cpp:230
    #8 0x8130a11 in ItemView::contentsMouseMoveEvent(QMouseEvent*)
ktechlab-0.3/src/itemview.cpp:428
    #9 0x8131f2e in CVBEditor::event(QEvent*) ktechlab-0.3/src/itemview.cpp:754

0xb083f488 is located 12 bytes to the right of 92-byte region
[0xb083f420,0xb083f47c)

allocated by thread T0 here:
    #0 0xb72a314e in operator new(unsigned int)
(/usr/lib/i386-linux-gnu/libasan.so.2+0x9314e)
    #1 0x808cc1d in Connector::updateDrawList()
ktechlab-0.3/src/connector.cpp:262
    #2 0x815c270 in ICNDocument::rerouteInvalidatedConnectors()
ktechlab-0.3/src/icndocument.cpp:778
    #3 0xb4def0f6 in QMetaObject::activate(QObject*, QMetaObject
const*, int, void**) (/usr/lib/i386-linux-gnu/libQtCore.so.4+0x18e0f6)
    #4 0xb4e3f434 in QTimer::timeout()
(/usr/lib/i386-linux-gnu/libQtCore.so.4+0x1de434)
    #5 0xb56d47f3 in QApplicationPrivate::notify_helper(QObject*,
QEvent*) (/usr/lib/i386-linux-gnu/libQtGui.so.4+0x1397f3)



# 2. crashes / aborts because of assertion failure inside the circuit's
moc object: probably it is the same type of problem as #1, but I have
not started debugging it. A Qt assertion fails, probably because of
corrupted pointers inside the application.


# 3. The toolbars / toolviews don't show anything, and they don't work.

In katemdi.cpp, some (crazy?) combinations of VBox / HBox / QSlider
widgets are placed in each other, and they should show the list of
components. However, the list of components appears (as a small,
garbage-like rectangle), but it is not doing anything. A pushbutton in
the place of the component list is working properly: it appears, it
redraws and it can be clicked. If you want to debug this, then
consider enabling DiagnosticStyle in main.cpp -- it draws a rectangle
around each widget, so it can be seen which widget is where.
Maybe as an experiment, the component list should be instantiated
separately, to see if the component list or the HBox, VBox, QSlider is
the source of this bug.
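The mechanism described under #1 (a smaller object being treated as its bigger sibling class, so that member reads land past the end of the allocation ASan reports as "N bytes to the right of the M-byte region") is shown below in a small stand-alone C++ example. This is added illustration, not KTechlab's code: CanvasItem, PolygonalItem and Node are stand-ins for KtlQCanvasItem, KtlQCanvasPolygonalItem and ECNode, and asNode, nodeIdChecked, nodeIdUnchecked and bytesPastPolygonalItem are hypothetical helpers. It puts the unchecked static_cast beside a dynamic_cast-checked downcast and reproduces the ASan overflow arithmetic without performing the out-of-bounds read.

```cpp
// Added example (not KTechlab code). Class names are stand-ins for the
// classes in the report; the helpers are hypothetical.
#include <cstddef>
#include <string>

// Stand-in for the common base KtlQCanvasItem. The virtual functions give
// every object a vptr, which is what dynamic_cast (and a qDebug-style
// type name) rely on; a corrupted vptr would mislead both.
struct CanvasItem {
    virtual ~CanvasItem() = default;
    virtual const char* typeName() const { return "CanvasItem"; }
    int x = 0;
    int y = 0;
};

// Stand-in for KtlQCanvasPolygonalItem: the smaller sibling.
struct PolygonalItem : CanvasItem {
    const char* typeName() const override { return "PolygonalItem"; }
    int pointCount = 0;
};

// Stand-in for ECNode: the larger sibling, with trailing members that
// exist only inside its own (bigger) allocation.
struct Node : CanvasItem {
    const char* typeName() const override { return "Node"; }
    int pointCount = 0;
    int connectorCount = 0;
    int nodeId = 0;
};

// Checked downcast: yields nullptr when the object is not really a Node,
// instead of a pointer whose trailing members lie outside the allocation.
Node* asNode(CanvasItem* item) {
    return dynamic_cast<Node*>(item);
}

// Unchecked downcast of the kind the report suspects: static_cast trusts
// the caller, so a PolygonalItem passed here is read as a Node and the
// access to nodeId goes past the 20-odd bytes that were actually
// allocated. Shown for contrast only; the checked variant below replaces it.
int nodeIdUnchecked(CanvasItem* item) {
    return static_cast<Node*>(item)->nodeId;
}

// Checked accessor used in place of the unchecked one: -1 means
// "not a Node", which a caller can handle instead of crashing.
int nodeIdChecked(CanvasItem* item) {
    Node* node = asNode(item);
    return node ? node->nodeId : -1;
}

// The arithmetic behind ASan's "N bytes to the right of an M-byte region":
// how far a read of Node::nodeId would extend past a PolygonalItem-sized
// allocation (0 if it would stay inside). Computed on a real Node, so no
// invalid memory is touched.
std::size_t bytesPastPolygonalItem() {
    Node probe;
    const char* base = reinterpret_cast<const char*>(&probe);
    const char* field = reinterpret_cast<const char*>(&probe.nodeId);
    std::size_t readEnd =
        static_cast<std::size_t>(field - base) + sizeof(probe.nodeId);
    return readEnd > sizeof(PolygonalItem) ? readEnd - sizeof(PolygonalItem) : 0;
}
```

The exact byte counts depend on the target's pointer size and padding, so the example asserts only that Node is larger than PolygonalItem and that reading nodeId through a PolygonalItem allocation would overrun it, which is the shape of the report's 92-byte region / +12 bytes finding. Replacing the suspect cast sites with a dynamic_cast (or a type tag checked before the cast) is the usual fix once the offending site is found.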



