Bug#983597: [PATCH] Segfault in libqt5quick5.so: QQuickItemLayer::~QQuickItemLayer()
Control: tag -1 - patch

On Fri, Mar 05, 2021 at 07:17:24PM +0100, Pino Toscano wrote:
> Did you actually check that it fixes the problem for you?

No, I included the patch more as a hint to the nature of the bug, not as a fix, but I should have stated that more clearly.

Regards, Dennis.
Bug#983597: [PATCH] Segfault in libqt5quick5.so: QQuickItemLayer::~QQuickItemLayer()
Control: tags -1 -patch

Hi Pino!

On Fri, Mar 05, 2021 at 07:17:24PM +0100, Pino Toscano wrote:
> Did you actually check that it fixes the problem for you?
> The thing is, in C++ (at least since C++98) the delete operator is
> defined to be a no-op for a null pointer, much like free() in C.
> Hence, constructs like "if (foo) delete foo;" are essentially doing
> null pointer checks twice, and with the same no-op result.
>
> A possible cause of the crash could be that the item being deleted was
> already deleted, and thus there was a stale pointer somewhere. That is
> my own speculation though.
>
> Because of this, I'm inclined to remove the "patch" tag from this bug;
> I'd like to hear from Dmitry what he thinks about it (since he already
> handled this bug).

I agree with you, the patch is probably not going to work. Unfortunately, I did not have time to investigate this properly yet, but I answered some of upstream's questions and I hope they will fix it.

--
Dmitry Shachnev
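The delete semantics quoted above, as an added C++ example that is not part of this bug thread and not Qt code: the Effect and RawOwner types are constructed stand-ins, not QQuickItemLayer's real members. It shows that delete on a null pointer is a defined no-op (so a null check in front of it adds nothing), that what actually makes a repeated release safe is resetting the pointer to nullptr after delete, and that std::unique_ptr removes the question by owning the object exactly once.

```cpp
#include <memory>

// Constructed stand-in for an owned effect object (not a Qt type).
// The static counter lets the functions below return a checkable result.
struct Effect {
    static int live;            // number of Effect instances currently alive
    Effect()  { ++live; }
    ~Effect() { --live; }
};
int Effect::live = 0;

// Hypothetical owner that, like the destructor in the bug, releases a raw
// pointer member. The only thing that protects against a second release is
// resetting the pointer afterwards; the null check alone does not.
struct RawOwner {
    Effect *m_effect = nullptr;

    void release() {
        // "if (m_effect) delete m_effect;" behaves exactly like this line:
        // delete on a null pointer is defined to do nothing.
        delete m_effect;
        // Without this reset, a second release() would delete a dangling
        // pointer (undefined behaviour), and "if (m_effect)" would still
        // be true because the pointer is non-null, just no longer valid.
        m_effect = nullptr;
    }
};

// 1. delete on nullptr is a no-op, so a preceding null check is redundant.
bool delete_null_is_noop() {
    Effect *p = nullptr;
    delete p;                   // well-defined, does nothing
    if (p) delete p;            // same result, the check adds nothing
    return Effect::live == 0;
}

// 2. Resetting the pointer after delete makes repeated release() calls safe,
//    which is what a bare "if (ptr) delete ptr;" cannot guarantee.
bool reset_after_delete_prevents_double_free() {
    RawOwner owner;
    owner.m_effect = new Effect;
    const bool alive_before = (Effect::live == 1);
    owner.release();
    owner.release();            // safe only because release() nulls the pointer
    return alive_before && Effect::live == 0 && owner.m_effect == nullptr;
}

// 3. std::unique_ptr expresses single ownership: the Effect is destroyed
//    exactly once when the owner goes out of scope, with no manual delete.
bool unique_ptr_owns_once() {
    {
        std::unique_ptr<Effect> effect(new Effect);
        if (Effect::live != 1) return false;
    }   // destructor runs here, once
    return Effect::live == 0;
}
```

Each function returns true when the behaviour described in its comment holds; the second one is the interesting case for this bug, since a destructor that is entered twice for the same object passes any non-null check on the second pass.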
Bug#983597: [PATCH] Segfault in libqt5quick5.so: QQuickItemLayer::~QQuickItemLayer()
Hi Dennis,

On Friday 26 February 2021 22:48:43 CET, Dennis Filder wrote:
> If you decide to use the attached patch, please put the bugnumber in
> the Bug-Debian: field for me.

The patch you provided is the following:

--- qtdeclarative-opensource-src-5.15.2+dfsg/src/quick/items/qquickitem.cpp 2021-02-26 18:48:50.407487828 +0100
+++ qtdeclarative-opensource-src-5.15.2+dfsg/src/quick/items/qquickitem.cpp 2021-02-26 18:48:52.711491373 +0100
@@ -8335,8 +8335,8 @@
QQuickItemLayer::~QQuickItemLayer()
{
-delete m_effectSource;
-delete m_effect;
+if (m_effectSource) delete m_effectSource; // FIXME: consider Q_ASSERT() here instead
+if (m_effect) delete m_effect; // FIXME: consider Q_ASSERT() here instead
}

/*!

Did you actually check that it fixes the problem for you?

The thing is, in C++ (at least since C++98) the delete operator is defined to be a no-op for a null pointer, much like free() in C. Hence, constructs like "if (foo) delete foo;" are essentially doing null pointer checks twice, and with the same no-op result.

A possible cause of the crash could be that the item being deleted was already deleted, and thus there was a stale pointer somewhere. That is my own speculation though.

Because of this, I'm inclined to remove the "patch" tag from this bug; I'd like to hear from Dmitry what he thinks about it (since he already handled this bug).

--
Pino Toscano
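Review bot: the null checks this hunk adds around `delete m_effectSource;` and `delete m_effect;` cannot change behaviour, because delete on a null pointer is already a no-op, so `if (m_effectSource) delete m_effectSource;` is equivalent to the line it replaces. The reported crash is at qquickitem.cpp:8338 inside this destructor, and the frame above it is the same destructor again, which points to a non-null pointer that is no longer valid rather than a null one; the Q_ASSERT proposed in the FIXME comments would likewise pass for a dangling pointer. The change that would address this has to establish who owns m_effectSource and m_effect and why the destructor runs for an already-released object (the question forwarded upstream as QTBUG-91437), and if the patch is kept for discussion it should carry a DEP-3 header with a Description and the Bug-Debian field requested in the thread.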
Bug#983597: [PATCH] Segfault in libqt5quick5.so: QQuickItemLayer::~QQuickItemLayer()
Control: forwarded -1 https://bugreports.qt.io/browse/QTBUG-91437

Hi Dennis!

On Fri, Feb 26, 2021 at 10:48:43PM +0100, Dennis Filder wrote:
> The segfault happens
> * both with and without a preexisting configuration,
> * only if Orca is running in the same session. Without Orca the
> segfault does not happen.
>
> Reproducer:
> . Start Orca
> . Start linphone
> . If already configured: click "Assistant" (skip otherwise)
> . Click "Use a SIP account"
> . Enter as Username: a
> . Enter as SIP Domain: b
> . Enter as Password: c
> . Click on "Use".
>
> [...]
>
> If you decide to use the attached patch, please put the bugnumber in
> the Bug-Debian: field for me.

Thanks for your bug and for the patch. As neither you nor me are sure that your patch is the correct fix, I decided to ask upstream before applying it. Let's wait for response on the bug I filed, then there is still time to get the patch included before freeze.

--
Dmitry Shachnev
Bug#983597: [PATCH] Segfault in libqt5quick5.so: QQuickItemLayer::~QQuickItemLayer()
Package: libqt5quick5
Version: 5.15.2+dfsg-4
Architecture: amd64
Severity: normal
Tags: sid bullseye a11y upstream patch confirmed
Control: affects -1 + linphone-desktop

The segfault happens
* both with and without a preexisting configuration,
* only if Orca is running in the same session. Without Orca the segfault does not happen.

Reproducer:
. Start Orca
. Start linphone
. If already configured: click "Assistant" (skip otherwise)
. Click "Use a SIP account"
. Enter as Username: a
. Enter as SIP Domain: b
. Enter as Password: c
. Click on "Use".

The program segfaults with a stacktrace like the attached, with the top-most 5 frames pasted below:

--
#0 0x in ()
#1 0x774d7ba7 in QQuickItemLayer::~QQuickItemLayer() (this=0x581100e0, __in_chrg=) at items/qquickitem.cpp:8338 (/lib/x86_64-linux-gnu/libQt5Quick.so.5)
#2 0x774d7be9 in QQuickItemLayer::~QQuickItemLayer() (this=0x581100e0, __in_chrg=) at items/qquickitem.cpp:8340
#3 0x7764b21b in QAccessibleQuickItem::role() const (this=0x5811e0d0) at accessible/qaccessiblequickitem.cpp:215
#4 0x7fffeb1f18ca in () at /lib/x86_64-linux-gnu/libQt5XcbQpa.so.5
...
--

A web search for "segfault" "QQuickItemLayer::~QQuickItemLayer" produces a qt.io forum thread[1] where someone segfaulted with an almost identical stacktrace with a virtual keyboard. Thus I mark this bug as confirmed.

If you decide to use the attached patch, please put the bugnumber in the Bug-Debian: field for me.

Regards, Dennis.

1: https://forum.qt.io/topic/105120/qt-application-crash-with-onboard-virtual-keyboard-with-non-root-users

Attachments: qtdecl-segfault.patch.gz (patch), libqt5quick5-stacktrace.txt.gz (stacktrace)