[prev in list] [next in list] [prev in thread] [next in thread]
List: pykde
Subject: Re: [PyQt] Use after free bug in pyqt 5.8.0 / sip 4.19.1
From: dequis <dx () dxzone ! com ! ar>
Date: 2017-08-01 19:27:57
Message-ID: CABAA10Tv0-26Smft0O1ABg4OXao+EyU9Ho3HCDo2nXk9eAJZxQ () mail ! gmail ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
On 30 July 2017 at 21:54, dequis <dx@dxzone.com.ar> wrote:
> [resending this without the attachment, sorry if it ends up being posted
> twice]
>
> On 9 March 2017 at 17:46, dequis <dx@dxzone.com.ar> wrote:
>
>> Hi.
>>
>> I got a crash with anki (git version with pyqt5 instead of 4). I'm not
>> sure how to reproduce it, but [snip]
>>
>
> Hey there, it's me again with the anki crashes. Still happening with pyqt
> 5.9. I took a break from using the anki desktop app for a few months but
> now it's time to deal with it again.
>
> I still don't know how to intentionally reproduce it other than "just use
> the app normally for a while", but using the app normally for a while works
> (Which I'd totally recommend since anki is an excellent app, but that's not
> a very reliable way to reproduce it). Takes hours to reproduce but looks
> like it happens roughly once every 12-48 hours.
>
> So I prepared a bit better this time:
>
> - got debug symbols for everything (thanks the-compiler for the repo!)
> - patched the sip build scripts to not strip on 'make install'
> - installed the excellent python gdb extensions
> - replaced malloc with a tcmalloc_debug to make it crash more reliably
> - set PYTHONMALLOC=malloc
> - and ran the whole thing under rr
>
> Way better than valgrind, since I have time travel now, and I can replay
> this as many times as I want. I gave it a shot to try to extract as much
> info as I could.
>
> Here's the annotated gdb/rr session:
>
> http://dump.dequis.org/G21sm.txt
>
> And here's what I learnt:
>
> - The object being freed is EditCurrent, a subclass of QDialog (I think
> it's the dialog opened from the edit button during a review)
> - The free happens during garbage collection because it needs to break a
> reference cycle between EditCurrent and Editor
> - Some interesting interactions with the code that calls javascript to do
> "saveNow"
>
> It got hairy at some point and I didn't reach the initial allocation of
> the object - lots of incref/decref in code related to saveNow. I'll
> continue later.
>
> Also worth noting that i'm using a slightly old git revision of anki,
> 43a662a installed april 15. Didn't want to upgrade just in case the bug
> stopped happening.
>
> One recent anki commit caught my attention, "fix duplicate constructor
> call in editcurrent", three days ago, removes a duplicate call to "
> QDialog.__init__". Who knows if it's relevant. It takes forever to find
> out so I'd rather stay with what I have.
>
> Any suggestions on how to continue debugging this would be appreciated. I
> got some new ideas on how to reproduce it, but nothing seems to work so far.
>
Okay, so, the good news is that I got decent repro steps now.
The bad (but also good) news is that this is anki's fault and it was indeed
fixed by removing that duplicate constructor call.
https://github.com/dae/anki/commit/5ef1692c781356c23d7f3c1fecbb61cb57f684cb
I'm not sure where you normally set the boundary of where to blame the
application, but I hope this is some kind of misbehavior pyqt can detect
and fail early instead of messing up reference counts.
Requirements:
- Python 3.6
- Anki 2.1.0beta4 or current git with the commit above reverted.
- Have at least one deck with one card ("add" in the main window)
- Optional: gperftools or an equivalent package containing tcmalloc (other
mallocs are less reliable for debugging)
Procedure:
1. Start anki with:
$ LD_PRELOAD=/usr/lib/libtcmalloc_debug.so PYTHONMALLOC=malloc python3
/usr/bin/anki
Or using glibc's malloc, which is less reliable:
$ MALLOC_PERTURB_=255 PYTHONMALLOC=malloc python3 /usr/bin/anki
2. Click the deck name
3. Click study now
4. Click edit (bottom left)
5. Close the edit window
6. Press ctrl+: (colon)
7. Enter "gc.collect()"
8. Press ctrl+enter
9. Click edit again
10. If using MALLOC_PERTURB_ and it doesn't crash, repeat from step 5 a
couple of times.
[Attachment #5 (text/html)]
<div dir="ltr"><div><br><div class="gmail_extra"><br><div class="gmail_quote">On 30 \
July 2017 at 21:54, dequis <span dir="ltr"><<a href="mailto:dx@dxzone.com.ar" \
target="_blank">dx@dxzone.com.ar</a>></span> wrote:<br><blockquote \
class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid \
rgb(204,204,204);padding-left:1ex"><div dir="ltr">[resending this without the \
attachment, sorry if it ends up being posted twice]<br><div><div \
class="gmail_extra"><br><div class="gmail_quote"><span class="gmail-">On 9 March 2017 \
at 17:46, dequis <span dir="ltr"><<a href="mailto:dx@dxzone.com.ar" \
target="_blank">dx@dxzone.com.ar</a>></span> wrote:<br></span><blockquote \
class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid \
rgb(204,204,204);padding-left:1ex"><div><span class="gmail-">Hi.<br> <br>
I got a crash with anki (git version with pyqt5 instead of 4). I'm not<br></span>
sure how to reproduce it, but [snip]<br></div></blockquote><span \
class="gmail-"><div><br></div><div>Hey there, it's me again with the anki \
crashes. Still happening with pyqt 5.9. I took a break from using the anki desktop \
app for a few months but now it's time to deal with it \
again.</div></span></div><span class="gmail-"><div><br></div><div>I still don't \
know how to intentionally reproduce it other than "just use the app normally \
for a while", but using the app normally for a while works (Which I'd \
totally recommend since anki is an excellent app, but that's not a very reliable \
way to reproduce it). Takes hours to reproduce but looks like it happens
roughly once every 12-48 hours.<br></div><div><br></div><div>So I prepared a bit \
better this time:</div><div><br></div><div>- got debug symbols for everything (thanks \
the-compiler for the repo!)</div><div>- patched the sip build scripts to not strip on \
'make install'<br></div><div>- installed the excellent python gdb \
extensions</div><div>- replaced malloc with a tcmalloc_debug to make it crash more \
reliably</div><div>- set PYTHONMALLOC=malloc</div><div>- and ran the whole thing \
under rr</div><div><br></div><div>Way better than valgrind, since I have time travel \
now, and I can replay this as many times as I want. I gave it a shot to try to \
extract as much info as I could.<br></div><div><br></div></span><div>Here's the \
annotated gdb/rr session:</div><div><br></div><div><a \
href="http://dump.dequis.org/G21sm.txt" \
target="_blank">http://dump.dequis.org/G21sm.<wbr>txt</a><br></div><div><br></div><div> \
And here's what I learnt:</div><span class="gmail-"><div><br></div><div>- The \
object being freed is EditCurrent, a subclass of QDialog (I think it's the \
dialog opened from the edit button during a review)<br></div>- The free happens \
during garbage collection because it needs to break a reference cycle between \
EditCurrent and Editor<div class="gmail_quote">- Some interesting interactions with \
the code that calls javascript to do "saveNow"</div><div \
class="gmail_quote"><br></div><div class="gmail_quote">It got hairy at some point \
and I didn't reach the initial allocation of the object - lots of incref/decref \
in code related to saveNow. I'll continue later.<br></div><div \
class="gmail_quote"><br></div><div class="gmail_quote">Also worth noting that i'm \
using a slightly old git revision of anki, 43a662a installed april 15. Didn't \
want to upgrade just in case the bug stopped happening.</div><div \
class="gmail_quote"><br></div><div class="gmail_quote">One recent anki commit caught \
my attention, "fix duplicate constructor call in editcurrent", three days \
ago, removes a duplicate call to "<span \
class="gmail-m_7728960927058748368gmail-m_7386095962584855335gmail-blob-code-inner">QDialog.<span \
class="gmail-m_7728960927058748368gmail-m_7386095962584855335gmail-pl-c1">__init__</span></span>". \
Who knows if it's relevant. It takes forever to find out so I'd rather stay \
with what I have.</div><div class="gmail_quote"><br></div>Any suggestions on how to \
continue debugging this would be appreciated. I got some new ideas on how to \
reproduce it, but nothing seems to work so far.</span></div></div></div>
</blockquote></div></div><br>Okay, so, the good news is that I got decent repro steps \
now.<br><br>The bad (but also good) news is that this is anki's fault and it was \
indeed fixed by removing that duplicate constructor call.<br><br><a \
href="https://github.com/dae/anki/commit/5ef1692c781356c23d7f3c1fecbb61cb57f684cb">htt \
ps://github.com/dae/anki/commit/5ef1692c781356c23d7f3c1fecbb61cb57f684cb</a><br><br>I'm \
not sure where you normally set the boundary of where to blame the application, but I \
hope this is some kind of misbehavior pyqt can detect and fail early instead of \
messing up reference counts.<br><br>Requirements:<br><br>- Python 3.6<br>- Anki \
2.1.0beta4 or current git with the commit above reverted.<br>- Have at least one deck \
with one card ("add" in the main window)<br>- Optional: gperftools or an \
equivalent package containing tcmalloc (other mallocs are less reliable for \
debugging)<br><br>Procedure:<br><br>1. Start anki with:<br><br>$ \
LD_PRELOAD=/usr/lib/libtcmalloc_debug.so PYTHONMALLOC=malloc python3 \
/usr/bin/anki<br><br>Or using glibc's malloc, which is less reliable:<br><br>$ \
MALLOC_PERTURB_=255 PYTHONMALLOC=malloc python3 /usr/bin/anki<br><br>2. Click the \
deck name<br>3. Click study now<br>4. Click edit (bottom left)<br>5. Close the edit \
window<br>6. Press ctrl+: (colon)<br>7. Enter "gc.collect()"<br>8. Press \
ctrl+enter<br>9. Click edit again<br>10. If using MALLOC_PERTURB_ and it doesn't \
crash, repeat from step 5 a couple of times.</div></div>
[Attachment #6 (text/plain)]
_______________________________________________
PyQt mailing list PyQt@riverbankcomputing.com
https://www.riverbankcomputing.com/mailman/listinfo/pyqt
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic