[kdevelop] [Bug 445699] QmlJS: crash in ParseSession::scheduleForParsing()

Fri, 26 Nov 2021 00:15:38 -0800 

https://bugs.kde.org/show_bug.cgi?id=445699

Milian Wolff <m...@milianw.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED
      Latest Commit|                            |https://invent.kde.org/kdev
                   |                            |elop/kdevelop/commit/387131
                   |                            |2163689fd985832726eea7f0d86
                   |                            |663d931

--- Comment #2 from Milian Wolff <m...@milianw.de> ---
Git commit 3871312163689fd985832726eea7f0d86663d931 by Milian Wolff, on behalf
of Igor Kushnir.
Committed on 26/11/2021 at 08:11.
Pushed by igorkushnir into branch 'master'.

DocumentParsePlan: don't cache often-invalidated cend()

The loop in DocumentParsePlan::removeTargetsForListener() caches
m_targets.cend(), which can become invalidated when a target is erased
inside this loop. Comparing to the invalidated end iterator leads to
undefined behavior.

This undefined behavior makes QmlJS's test_files crash every other time,
both on my system and on the CI. The alternating crashes of this test
can be seen by clicking Next Build repeatedly starting from the first
build since the bug was introduced:
https://build.kde.org/job/KDevelop/job/kdevelop/job/kf5-qt5%20SUSEQt5.15/165/testReport/junit/projectroot.plugins.qmljs/tests/test_files/

KDevelop often crashes because of this undefined behavior too (see the
bug report referenced below).

m_targets is a QSet, which is implemented in terms of QHash. QHash's end
iterator `e` equals the d-pointer `d` via anonymous union. So the only
way cend() can be invalidated is if QSet::erase() detaches. That's
possible, because an entire DocumentParsePlan is copied in
BackgroundParserPrivate::parseDocumentsInternal():
    const DocumentParsePlan parsePlan = *parsePlanConstIt;
The involvement of multithreading explains why test_files crashes every
other time rather than each time. Examining call stacks of both
test_files and kdevelop crashes confirms this hypothesis: a background
thread crashes in DocumentParsePlan::removeTargetsForListener() while
the main thread waits on the `m_mutex.lock()` line in
parseDocumentsInternal().

This bug was introduced in 5ee9b9fe9740f2820f3ee1a575fcda2cbe142e4f.

M  +1    -1    kdevplatform/language/backgroundparser/backgroundparser.cpp

https://invent.kde.org/kdevelop/kdevelop/commit/3871312163689fd985832726eea7f0d86663d931

-- 
You are receiving this mail because:
You are watching all bug changes.

Reply via email to