Review Request 124659: Fix segfaults in kcm_keyboard

David Edmundson david at davidedmundson.co.uk
Sat Aug 8 13:18:52 UTC 2015



> On Aug. 8, 2015, 10:51 a.m., David Edmundson wrote:
> > Are there any bug reports on those crashes?
> > 
> > Do you have commit access? Can you push to the Plasma/5.4 branch too?
> 
> Maxim Mikityanskiy wrote:
>     I don't know if there are any bug reports, I found this bug by accident.
>     
>     I don't have commit access, could you please push it for me?
> 
> David Edmundson wrote:
>     Is this one https://bugs.kde.org/show_bug.cgi?id=348694 ?
> 
> David Edmundson wrote:
>     Just caused the old crash, yes it is.
> 
> Maxim Mikityanskiy wrote:
>     It's difficult to say... My segfault happens because of layoutInfo == NULL inside KCMKeyboardWidget::previewLayout, so layoutInfo->variantInfos resides at a bad address. Looking at the stack trace in bug report https://bugs.kde.org/show_bug.cgi?id=348694 and at the Qt 5.4.1 sources, I can say that his crash happens when trying to copy the invalid layoutInfo->variantInfos to QForeachContainer::c; it looks like he also has layoutInfo == NULL. But for some reason my stack trace ends in KCMKeyboardWidget::previewLayout, not in the QList copy constructor. Maybe it's because of different compiler versions or optimization flags...

Yeah, it'll be something like that.
Thanks for looking into this. Hope to see more from you in the future.


- David


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/124659/#review83556
-----------------------------------------------------------


On Aug. 8, 2015, 1:17 p.m., Maxim Mikityanskiy wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://git.reviewboard.kde.org/r/124659/
> -----------------------------------------------------------
> 
> (Updated Aug. 8, 2015, 1:17 p.m.)
> 
> 
> Review request for Plasma.
> 
> 
> Repository: plasma-desktop
> 
> 
> Description
> -------
> 
> There are two scenarios that lead to a segfault in kcm_keyboard.
> 
> 1. Run kcmshell5 keyboard; switch to the second tab; in the layouts table, double-click on an item in the third column so that a combo box appears; click on empty space in the layouts table; the [Preview] button does not get deactivated; click on that button and see kcm_keyboard crash.
> 2. Run kcmshell5 keyboard; switch to the second tab; modify something so that the [Reset] button becomes active; select any row in the layouts table; click on [Reset]; the row becomes deselected, but the [Preview] button is still active; click on that button and see kcm_keyboard crash.
> 
> The [Preview] button should become inactive when no rows are selected, but in these two scenarios it doesn't. The KCMKeyboardWidget::layoutSelectionChanged slot does not get called in these two cases. What happens in the described cases:
> 
> 1. layoutsTableModel emits the dataChanged signal. The KCMKeyboardWidget::uiChanged slot gets called. LayoutsTableModel::refresh is called, then in QAbstractItemModel::endResetModel the modelReset signal is emitted, the QAbstractItemView::reset slot gets called, and it calls QItemSelectionModel::reset. QItemSelectionModel::reset disables signals and calls QItemSelectionModel::clear, which calls QItemSelectionModel::clearSelection, but signals are disabled, so itemSelectionChanged is not emitted, and KCMKeyboardWidget::layoutSelectionChanged is not called.
> 2. KCMKeyboard::load calls KCMKeyboardWidget::updateUI, which calls LayoutsTableModel::refresh. All the following calls are in the same order as in case 1.
> 
> I propose calling KCMKeyboardWidget::layoutSelectionChanged manually after the problematic refreshes to update the buttons' state. It's not the best fix; there may still be places where a manual call of layoutSelectionChanged is needed, but at least it fixes two segfaults.
> 
> 
> Diffs
> -----
> 
>   kcms/keyboard/kcm_keyboard_widget.cpp 78ec60b 
> 
> Diff: https://git.reviewboard.kde.org/r/124659/diff/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Maxim Mikityanskiy
> 
>
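
The failure described in the review request above, reduced to a Qt-free C++ model. This is an added example, not part of the thread and not plasma-desktop code; the struct names, `resyncAfterRefresh`, `selectedLayout` and the sample layout are hypothetical. It shows the silent selection reset leaving the [Preview] state stale, the proposed manual resync, and, as an assumption beyond the thread, a null check in the preview path.

```cpp
// Qt-free model of the stale [Preview] button; every name is hypothetical.
#include <functional>
#include <string>
#include <vector>

struct LayoutInfo { std::vector<std::string> variantInfos; };

// Stand-in for QItemSelectionModel: reset() clears the selection with
// signals blocked, so the selectionChanged callback never fires.
struct SelectionModel {
    int current = -1;
    std::function<void()> selectionChanged;
    void select(int row) { current = row; if (selectionChanged) selectionChanged(); }
    void reset() { current = -1; }
};

struct KeyboardWidget {
    std::vector<LayoutInfo> layouts{LayoutInfo{{"us", "intl"}}};  // constructed sample
    SelectionModel selection;
    bool previewEnabled = false;
    bool resyncAfterRefresh;  // true = call the slot manually, as proposed

    explicit KeyboardWidget(bool fix) : resyncAfterRefresh(fix) {
        selection.selectionChanged = [this] { layoutSelectionChanged(); };
    }
    void layoutSelectionChanged() { previewEnabled = selection.current >= 0; }
    void refresh() {  // model reset path taken in both scenarios
        selection.reset();
        if (resyncAfterRefresh) layoutSelectionChanged();
    }
    const LayoutInfo *selectedLayout() const {
        return selection.current < 0 ? nullptr : &layouts[selection.current];
    }
    // Variant count, or -1 when nothing is selected. Without this null check
    // a stale button click would dereference layoutInfo == NULL.
    int previewLayout() const {
        const LayoutInfo *layoutInfo = selectedLayout();
        if (!layoutInfo) return -1;
        return static_cast<int>(layoutInfo->variantInfos.size());
    }
};

// Scenario 2: select a row, then [Reset] refreshes the model.
bool previewEnabledAfterReset(bool fix) {
    KeyboardWidget w(fix);
    w.selection.select(0);
    w.refresh();
    return w.previewEnabled;
}
```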
