https://bugs.kde.org/show_bug.cgi?id=508785

--- Comment #1 from [email protected] ---
Update: I decided to do some research on my own.
However, I'm not familiar with Qt or with the Krita ecosystem, so my assumptions
might be wrong.
I think I found out that this code causes the crash (ui/kis_mimedata.cpp:263):
    // Qt 4.8 way
    if (nodes.isEmpty() && data->hasFormat("application/x-krita-node-internal-pointer")) {
        QByteArray nodeXml = data->data("application/x-krita-node-internal-pointer");

        QDomDocument doc;
        doc.setContent(nodeXml);

        QDomElement root = doc.documentElement();
        qint64 pid = root.attribute("application_pid").toLongLong();
        forceCopy = root.attribute("force_copy").toInt();
        qint64 imagePointerValue = root.attribute("image_pointer_value").toLongLong();
        sourceImage = reinterpret_cast<KisImage*>(imagePointerValue);

        if (pid == QApplication::applicationPid()) {
            QDomElement e;
            for (e = root.firstChildElement(); !e.isNull(); e = e.nextSiblingElement()) {
                qint64 pointerValue = e.attribute("pointer_value").toLongLong();
                if (pointerValue) {
                    nodes << reinterpret_cast<KisNode*>(pointerValue);
                }
            }
        }
    }

The problem here is that in between copy and paste, on Xfce 4.20 an xcb event
may sometimes be launched that destroys the KisMimeData object, which in turn
frees all internal nodes. However, the node.data() is still in the DOM in the
form of pointer_value and is a dangling pointer. ASan detects it early, and
reports during this line:
    nodes << reinterpret_cast<KisNode*>(pointerValue);
In the release build, it stays in the list, and when passed to dynamic_cast it
crashes the app, due to dereferencing a freed pointer.
Interestingly, if you comment out the "Qt 4.8" block (or, in my case, add a check for
mimedata in the conditional), Krita DOES NOT crash!
I think there should be a proper DOM cleanup routine though, which would fix
the issue (I think). Anyway, I hope this gets noticed, since this bug persists
in upstream.
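As an added illustration that is not Krita's code (Node and NodeRegistry are invented here; standard C++ only, no Qt), this shows the shape of the mitigation the comment hints at: the clipboard payload carries opaque tokens that resolve through weak references instead of serialised raw pointers, so a paste that outlives its copy source comes back empty rather than dereferencing freed memory.

```cpp
// Added illustration, not Krita code: the payload carries opaque tokens that
// resolve through weak references, so a paste that outlives the copy source
// yields nothing instead of a dangling pointer. Node/NodeRegistry are invented.
#include <cstdint>
#include <map>
#include <memory>
#include <sstream>
#include <string>
#include <vector>
struct Node { std::string name; };

// Process-wide token table. It never owns a node: once the owner drops its
// shared_ptr the weak entry expires, and resolve() reports that.
class NodeRegistry {
public:
    static NodeRegistry& instance() { static NodeRegistry r; return r; }
    std::uint64_t publish(const std::shared_ptr<Node>& n) {
        std::uint64_t t = next_++;
        entries_[t] = n;
        return t;
    }
    std::shared_ptr<Node> resolve(std::uint64_t t) {
        auto it = entries_.find(t);
        if (it == entries_.end()) return nullptr;
        std::shared_ptr<Node> sp = it->second.lock();
        if (!sp) entries_.erase(it);  // source destroyed: drop the stale token
        return sp;
    }
private:
    std::uint64_t next_ = 1;
    std::map<std::uint64_t, std::weak_ptr<Node>> entries_;
};

// "Copy": one token per line; no address ever leaves the owning object.
std::string encodeNodes(const std::vector<std::shared_ptr<Node>>& nodes) {
    std::ostringstream out;
    for (const auto& n : nodes) out << NodeRegistry::instance().publish(n) << '\n';
    return out.str();
}

// "Paste": only nodes whose owner is still alive are returned; a raw-pointer
// payload like the one in the comment above would hand back freed memory here.
std::vector<std::shared_ptr<Node>> decodeNodes(const std::string& payload) {
    std::vector<std::shared_ptr<Node>> nodes;
    std::istringstream in(payload);
    std::uint64_t token;
    while (in >> token)
        if (auto n = NodeRegistry::instance().resolve(token)) nodes.push_back(n);
    return nodes;
}
```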
