List: pykde
Subject: Re: [PyQt] Use after free bug in pyqt 5.8.0 / sip 4.19.1
From: dequis <dx () dxzone ! com ! ar>
Date: 2017-07-31 0:54:17
Message-ID: CABAA10RjDuMA0DSSmLst2-c=emsxXqTOtex6KnVbdkX9QTbmJQ () mail ! gmail ! com
[resending this without the attachment, sorry if it ends up being posted
twice]
On 9 March 2017 at 17:46, dequis <dx@dxzone.com.ar> wrote:
> Hi.
>
> I got a crash with anki (git version with pyqt5 instead of 4). I'm not
> sure how to reproduce it, but [snip]
>
Hey there, it's me again with the anki crashes. Still happening with pyqt
5.9. I took a break from using the anki desktop app for a few months but
now it's time to deal with it again.
I still don't know how to intentionally reproduce it other than "just use
the app normally for a while", but using the app normally for a while works
(which I'd totally recommend since anki is an excellent app, but that's not
a very reliable way to reproduce it). Takes hours to reproduce but looks
like it happens roughly once every 12-48 hours.
So I prepared a bit better this time:
- got debug symbols for everything (thanks the-compiler for the repo!)
- patched the sip build scripts to not strip on 'make install'
- installed the excellent python gdb extensions
- replaced malloc with a tcmalloc_debug to make it crash more reliably
- set PYTHONMALLOC=malloc
- and ran the whole thing under rr
Way better than valgrind, since I have time travel now, and I can replay
this as many times as I want. I gave it a shot to try to extract as much
info as I could.
Here's the annotated gdb/rr session:
http://dump.dequis.org/G21sm.txt
And here's what I learnt:
- The object being freed is EditCurrent, a subclass of QDialog (I think
it's the dialog opened from the edit button during a review)
- The free happens during garbage collection because it needs to break a
reference cycle between EditCurrent and Editor
- Some interesting interactions with the code that calls javascript to do
"saveNow"
It got hairy at some point and I didn't reach the initial allocation of the
object - lots of incref/decref in code related to saveNow. I'll continue
later.
Also worth noting that I'm using a slightly old git revision of anki,
43a662a installed April 15. Didn't want to upgrade just in case the bug
stopped happening.
One recent anki commit caught my attention, "fix duplicate constructor call
in editcurrent", three days ago, removes a duplicate call to "QDialog.
__init__". Who knows if it's relevant. It takes forever to find out so I'd
rather stay with what I have.
Any suggestions on how to continue debugging this would be appreciated. I
got some new ideas on how to reproduce it, but nothing seems to work so far.
_______________________________________________
PyQt mailing list PyQt@riverbankcomputing.com
https://www.riverbankcomputing.com/mailman/listinfo/pyqt
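The report above ties the free to the garbage collector breaking a reference cycle between EditCurrent and Editor. The following is an added example, not code from the post, PyQt, sip or anki: it reproduces the same lifetime pattern with plain Python stand-ins named EditCurrent and Editor (no Qt involved) and shows two diagnostics a practitioner can use before reaching for rr: a weakref.finalize hook plus gc.callbacks to record exactly which collection freed the object, and gc.DEBUG_SAVEALL to list the types that made up the cycle. It also shows the mitigation: a weak back-reference from the editor to its parent removes the cycle, so the dialog is released deterministically by reference counting at the last `del` rather than at some later collection, which is the kind of timing that is hard to reason about when the Python wrapper also owns a C++ object.

```python
"""Added example: reproduce and inspect a cycle-driven free in pure Python.

EditCurrent and Editor are stand-ins for the PyQt classes named in the
report; their shapes are assumed, not taken from anki.
"""
import gc
import weakref


class Editor:
    """Stand-in for anki's Editor: holds a strong back-reference to its parent."""

    def __init__(self, parent):
        self.parent = parent            # Editor -> EditCurrent (strong)


class EditCurrent:
    """Stand-in for the QDialog subclass; owning the Editor closes the cycle."""

    def __init__(self):
        self.editor = Editor(self)      # EditCurrent -> Editor (strong)


class EditorWeak:
    """Same shape as Editor, but the back-reference is weak, so no cycle forms."""

    def __init__(self, parent):
        self._parent = weakref.ref(parent)

    @property
    def parent(self):
        return self._parent()           # None once the dialog is gone


class EditCurrentNoCycle:
    """Dialog whose editor does not keep it alive."""

    def __init__(self):
        self.editor = EditorWeak(self)


def lifetime_trace(dialog_cls):
    """Create one dialog, drop the last strong reference, then force a collection.

    Returns (alive_after_del, alive_after_gc, events, gc_log): events records
    when the finalizer fired, gc_log records (generation, collected) for every
    collection that ran in between.
    """
    events, gc_log = [], []

    def on_gc(phase, info):
        if phase == "stop":
            gc_log.append((info["generation"], info["collected"]))

    was_enabled = gc.isenabled()
    gc.disable()                        # no surprise collections during the trace
    gc.callbacks.append(on_gc)
    try:
        dlg = dialog_cls()
        ref = weakref.ref(dlg)
        weakref.finalize(dlg, events.append, f"{dialog_cls.__name__} freed")
        del dlg                         # last strong reference from our side
        alive_after_del = ref() is not None
        gc.collect()                    # full collection, like the one in the report
        alive_after_gc = ref() is not None
    finally:
        gc.callbacks.remove(on_gc)
        if was_enabled:
            gc.enable()
    return alive_after_del, alive_after_gc, events, gc_log


def cycle_members(dialog_cls):
    """Report the type names that formed the unreachable cycle.

    DEBUG_SAVEALL makes the collector park unreachable objects in gc.garbage
    instead of freeing them, so they can be inspected after the fact.
    """
    old_flags = gc.get_debug()
    gc.collect()                        # clean slate before we start saving garbage
    gc.set_debug(gc.DEBUG_SAVEALL)
    try:
        dlg = dialog_cls()
        del dlg
        gc.collect()
        names = sorted({type(o).__name__ for o in gc.garbage})
        gc.garbage.clear()
    finally:
        gc.set_debug(old_flags)
    return names


if __name__ == "__main__":
    for cls in (EditCurrent, EditCurrentNoCycle):
        alive_del, alive_gc, events, log = lifetime_trace(cls)
        print(f"{cls.__name__}: alive after del={alive_del}, "
              f"alive after gc={alive_gc}, events={events}, gc_log={log}")
        print(f"  types saved from the cycle: {cycle_members(cls)}")
```

With the cyclic pair the dialog survives `del` and only dies inside `gc.collect()`, which is the window the report describes; with the weak back-reference it dies at the `del` itself. In a real PyQt application the same `weakref.finalize` hook can be attached to the suspect dialog to timestamp its destruction against the C++-side use, and `DEBUG_SAVEALL` will name every Python object that was part of the cycle the collector had to break.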