
List:       pykde
Subject:    Re: [PyQt] Use after free bug in pyqt 5.8.0 / sip 4.19.1
From:       dequis <dx () dxzone ! com ! ar>
Date:       2017-07-31 0:54:17
Message-ID: CABAA10RjDuMA0DSSmLst2-c=emsxXqTOtex6KnVbdkX9QTbmJQ () mail ! gmail ! com

[resending this without the attachment, sorry if it ends up being posted
twice]

On 9 March 2017 at 17:46, dequis <dx@dxzone.com.ar> wrote:

> Hi.
>
> I got a crash with anki (git version with pyqt5 instead of 4). I'm not
> sure how to reproduce it, but [snip]
>

Hey there, it's me again with the anki crashes. Still happening with pyqt
5.9. I took a break from using the anki desktop app for a few months but
now it's time to deal with it again.

I still don't know how to intentionally reproduce it other than "just use
the app normally for a while", but using the app normally for a while works
(which I'd totally recommend since anki is an excellent app, but that's not
a very reliable way to reproduce it). Takes hours to reproduce but looks
like it happens roughly once every 12-48 hours.

So I prepared a bit better this time:

- got debug symbols for everything (thanks the-compiler for the repo!)
- patched the sip build scripts to not strip on 'make install'
- installed the excellent python gdb extensions
- replaced malloc with a tcmalloc_debug to make it crash more reliably
- set PYTHONMALLOC=malloc
- and ran the whole thing under rr

Way better than valgrind, since I have time travel now, and I can replay
this as many times as I want. I gave it a shot to try to extract as much
info as I could.

Here's the annotated gdb/rr session:

http://dump.dequis.org/G21sm.txt

And here's what I learnt:

- The object being freed is EditCurrent, a subclass of QDialog (I think
it's the dialog opened from the edit button during a review)
- The free happens during garbage collection because it needs to break a
reference cycle between EditCurrent and Editor
- Some interesting interactions with the code that calls javascript to do
"saveNow"

It got hairy at some point and I didn't reach the initial allocation of the
object - lots of incref/decref in code related to saveNow. I'll continue
later.

Also worth noting that I'm using a slightly old git revision of anki,
43a662a installed April 15. Didn't want to upgrade just in case the bug
stopped happening.

One recent anki commit caught my attention, "fix duplicate constructor call
in editcurrent", three days ago, removes a duplicate call to "QDialog.
__init__". Who knows if it's relevant. It takes forever to find out so I'd
rather stay with what I have.

Any suggestions on how to continue debugging this would be appreciated. I
got some new ideas on how to reproduce it, but nothing seems to work so far.
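An added diagnostic example, not code from the post above nor from anki or PyQt: it rebuilds the Python-side shape the post describes (a dialog-like object and an Editor holding references to each other) and shows how to confirm that such an object is only freed by a cyclic-GC pass, and which objects made up the cycle. The class names mirror the post but are plain stand-ins; no Qt is involved.

```python
# Distinguish "freed as soon as the last name goes away" (refcount) from
# "freed only when the collector breaks a reference cycle" (gc), and list
# what the collector had to tear down. Stand-in classes, not anki's.
import gc
import weakref


class Editor:
    def __init__(self, parent):
        self.parent = parent          # back-reference closes the cycle


class EditCurrent:                    # stand-in for the QDialog subclass
    def __init__(self):
        self.editor = Editor(self)


class Plain:                          # no cycle: dies by refcount alone
    pass


def how_it_dies(factory):
    """Return ("refcount", []) or ("gc", [type names of the cycle members])."""
    gc.disable()                      # no implicit pass while we watch
    gc.collect()
    gc.garbage.clear()                # start from a clean garbage list
    obj = factory()
    ref = weakref.ref(obj)
    del obj                           # drop the only strong *name*
    if ref() is None:
        gc.enable()
        return ("refcount", [])
    # Still alive with no name left: a cycle holds it. DEBUG_SAVEALL makes the
    # collector keep what it would have freed so the members can be inspected.
    old = gc.get_debug()
    gc.set_debug(gc.DEBUG_SAVEALL)
    try:
        gc.collect()
        members = sorted({type(o).__name__ for o in gc.garbage})
    finally:
        gc.set_debug(old)
        gc.garbage.clear()            # now really release the cycle
        gc.collect()
        gc.enable()
    return ("gc", members)


if __name__ == "__main__":
    print(how_it_dies(Plain))         # ('refcount', [])
    print(how_it_dies(EditCurrent))   # ('gc', [... 'EditCurrent', 'Editor' ...])
```

With a real PyQt object the same weakref check tells you whether the Python wrapper is dying inside a collector pass, which is the situation the rr session above points at.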

_______________________________________________
PyQt mailing list    PyQt@riverbankcomputing.com
https://www.riverbankcomputing.com/mailman/listinfo/pyqt
