Crash on deleting dive after undoing delete

Rick Walsh rickmwalsh at gmail.com
Fri Oct 2 20:22:22 PDT 2015


On 3 October 2015 at 05:10, Dirk Hohndel <dirk at hohndel.org> wrote:

> On Fri, Oct 02, 2015 at 07:48:03AM -0400, Dirk Hohndel wrote:
> > On Fri, Oct 02, 2015 at 08:35:24PM +1000, Rick Walsh wrote:
> > > Hi,
> > >
> > > Subsurface is crashing if I:
> > > - delete dive
> > > - undo (ctrl z) delete dive
> > > - delete a dive (same or other)
> >
> > There must be a little more to it than that. The stack trace indicates
> > that a trip might have been deleted in the process as well? I just tried
> > with some random deletes and undos and redos and nothing happened.
> >
> > But then when I deleted the last dive in a trip, things went KABOOM
> > indeed. I'm about to go on my last two dives for this trip and should have
> > plenty of time later today to look into that.
> >
> > Thanks for the report!
>
> OK, that wasn't nearly loud enough.
>
> TTTTTTT hh                      kk      YY   YY                !!! !!!
>   TTT   hh        aa aa nn nnn  kk  kk  YY   YY  oooo  uu   uu !!! !!!
>   TTT   hhhhhh   aa aaa nnn  nn kkkkk    YYYYY  oo  oo uu   uu !!! !!!
>   TTT   hh   hh aa  aaa nn   nn kk kk     YYY   oo  oo uu   uu
>   TTT   hh   hh  aaa aa nn   nn kk  kk    YYY    oooo   uuuu u !!! !!!
>
> (I bet this looks horrible in modern email readers... you get the idea)
>
> Seriously.
>
> Undo/redo has been in the sources for something like 5 months. And
> apparently no one ever tried deleting all dives in a trip and then undoing
> that delete. The undo/redo code completely ignored trips and ended up
> accessing the freed trip structures to great effect...
>
> I just pushed a fix for this. Can you verify that this fixes the problem?
> New daily binaries have been triggered...
>

It appears to fix the problem, but in testing, I came across another.  Not
sure if it's new or not.  Deleting all dives in a trip causes a segfault.
I reproduce it by deleting one dive at a time (segfault on last delete), or
all together.

Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
106             movdqu  (%rax), %xmm12
(gdb) bt
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
#1  0x00007fffefa7ddee in __GI___strdup (s=0x0) at strdup.c:41
#2  0x00000000005a9be3 in UndoDeleteDive::redo (this=0x200f2d0) at /home/rick/src/subsurface/qt-ui/undocommands.cpp:50
#3  0x00007ffff18f0268 in QUndoStack::push(QUndoCommand*) () from /lib64/libQt5Widgets.so.5
#4  0x00000000005e2d50 in DiveListView::deleteDive (this=0xffec40) at /home/rick/src/subsurface/qt-ui/divelistview.cpp:790
#5  0x00000000005e0787 in DiveListView::eventFilter (this=0xffec40, event=0x7fffffffd9b0) at /home/rick/src/subsurface/qt-ui/divelistview.cpp:370
#6  0x00007ffff05cf40c in QCoreApplicationPrivate::sendThroughObjectEventFilters(QObject*, QEvent*) () from /lib64/libQt5Core.so.5
#7  0x00007ffff156448c in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /lib64/libQt5Widgets.so.5
#8  0x00007ffff156b563 in QApplication::notify(QObject*, QEvent*) () from /lib64/libQt5Widgets.so.5
#9  0x00007ffff05cf61b in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /lib64/libQt5Core.so.5
#10 0x00007ffff15c4323 in QWidgetWindow::event(QEvent*) () from /lib64/libQt5Widgets.so.5
#11 0x00007ffff15644ac in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /lib64/libQt5Widgets.so.5
#12 0x00007ffff1569976 in QApplication::notify(QObject*, QEvent*) () from /lib64/libQt5Widgets.so.5
#13 0x00007ffff05cf61b in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /lib64/libQt5Core.so.5
#14 0x00007ffff0db4757 in QGuiApplicationPrivate::processKeyEvent(QWindowSystemInterfacePrivate::KeyEvent*) () from /lib64/libQt5Gui.so.5
#15 0x00007ffff0db97a5 in QGuiApplicationPrivate::processWindowSystemEvent(QWindowSystemInterfacePrivate::WindowSystemEvent*) () from /lib64/libQt5Gui.so.5
#16 0x00007ffff0d9d5d8 in QWindowSystemInterface::sendWindowSystemEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /lib64/libQt5Gui.so.5
#17 0x00007fffda663b10 in userEventSourceDispatch(_GSource*, int (*)(void*), void*) () from /lib64/libQt5XcbQpa.so.5
#18 0x00007fffea6b2a8a in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
#19 0x00007fffea6b2e20 in g_main_context_iterate.isra () from /lib64/libglib-2.0.so.0
#20 0x00007fffea6b2ecc in g_main_context_iteration () from /lib64/libglib-2.0.so.0
#21 0x00007ffff0625d8f in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /lib64/libQt5Core.so.5
#22 0x00007ffff05ccdaa in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /lib64/libQt5Core.so.5
#23 0x00007ffff05d4e6c in QCoreApplication::exec() () from /lib64/libQt5Core.so.5
#24 0x00000000004ec8c0 in run_ui () at /home/rick/src/subsurface/qt-gui.cpp:72
#25 0x00000000004eb84a in main (argc=3, argv=0x7fffffffdef8) at /home/rick/src/subsurface/main.cpp:78



>
> Maybe we need a bug bounty? I'll pay ¤10,000 for each bug that you find
> and report here with instructions how to reproduce them.
>

Sweet.  That's gone up to more than AU 50c with the latest exchange rates.


>
> Go ahead, make yourself rich...
>
> /D
>
> PS: ¤ stands for Vietnamese Dong in case you are wondering...
>
>
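The two crashes in this thread share one root cause: an undo command that keeps pointers into objects the dive log may free underneath it (Dirk's "accessing the freed trip structures"), and a redo path that passes whatever it finds, here a NULL, straight to strdup(). The following is an added example, not Subsurface's code and not a patch to it: a minimal C++ model of a delete-dive command in the QUndoCommand redo()/undo() shape that takes ownership of a trip it empties, so the pointer it holds stays valid across undo and a second delete, and that copies strings through a null-safe strdup wrapper. DiveLog, DeleteDiveCommand, dup_or_null, the Trip/Dive structs and the sample trip "Nha Trang" are all invented for illustration.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdlib>
#include <cstring>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Hypothetical data model (not Subsurface's): the log owns trips and dives;
// a dive carries a non-owning back-pointer to its trip.
struct Trip { std::string location; };
struct Dive { int number; Trip *trip; };

// Null-safe strdup. The backtrace in the thread shows strdup(s=0x0) faulting
// inside strlen, so anything the command copies out is checked first.
char *dup_or_null(const char *s) { return s ? strdup(s) : nullptr; }

struct DiveLog {
    std::vector<std::unique_ptr<Trip>> trips;
    std::vector<std::unique_ptr<Dive>> dives;

    Trip *addTrip(const std::string &location) {
        trips.push_back(std::make_unique<Trip>(Trip{location}));
        return trips.back().get();
    }
    Dive *addDive(int number, Trip *trip) {
        dives.push_back(std::make_unique<Dive>(Dive{number, trip}));
        return dives.back().get();
    }
    bool tripHasDives(const Trip *t) const {
        return std::any_of(dives.begin(), dives.end(),
                           [t](const std::unique_ptr<Dive> &d) { return d->trip == t; });
    }
    // Remove a dive. If that empties its trip, the trip leaves the log too, but
    // ownership goes back to the caller instead of the trip being freed, so the
    // undo command can put both back and nothing dangles in between.
    std::pair<std::unique_ptr<Dive>, std::unique_ptr<Trip>> removeDive(Dive *d) {
        auto it = std::find_if(dives.begin(), dives.end(),
                               [d](const std::unique_ptr<Dive> &p) { return p.get() == d; });
        if (it == dives.end()) return {};
        std::unique_ptr<Dive> dive = std::move(*it);
        dives.erase(it);
        std::unique_ptr<Trip> trip;
        if (dive->trip && !tripHasDives(dive->trip)) {
            auto tit = std::find_if(trips.begin(), trips.end(),
                                    [&](const std::unique_ptr<Trip> &p) { return p.get() == dive->trip; });
            if (tit != trips.end()) { trip = std::move(*tit); trips.erase(tit); }
        }
        return {std::move(dive), std::move(trip)};
    }
    void restore(std::unique_ptr<Dive> dive, std::unique_ptr<Trip> trip) {
        if (trip) trips.push_back(std::move(trip));
        dives.push_back(std::move(dive));
    }
};

// Undo command in the QUndoCommand redo()/undo() shape. While the dive (and an
// emptied trip) are out of the log, the command owns them outright.
class DeleteDiveCommand {
public:
    DeleteDiveCommand(DiveLog &log, Dive *dive) : log_(log), target_(dive) {}
    ~DeleteDiveCommand() { free(location_); }

    void redo() {
        auto removed = log_.removeDive(target_);
        dive_ = std::move(removed.first);
        trip_ = std::move(removed.second);
        // dive_->trip is still live here: owned either by trip_ or by the log.
        free(location_);
        location_ = dup_or_null(dive_ && dive_->trip ? dive_->trip->location.c_str() : nullptr);
    }
    void undo() {
        if (!dive_) return;
        target_ = dive_.get();   // the same object goes back, so the pointer stays valid
        log_.restore(std::move(dive_), std::move(trip_));
    }
    const char *location() const { return location_; }

private:
    DiveLog &log_;
    Dive *target_;
    std::unique_ptr<Dive> dive_;
    std::unique_ptr<Trip> trip_;
    char *location_ = nullptr;
};

// The steps from the thread: delete the only dive of a trip, undo, delete it
// again. The trip and dive are constructed sample data.
struct Outcome {
    std::size_t tripsAfterUndo, tripsAfterRedelete, divesAfterRedelete;
    std::string copiedLocation;
};

Outcome deleteUndoDeleteAgain() {
    DiveLog log;
    Trip *t = log.addTrip("Nha Trang");
    Dive *d = log.addDive(1, t);
    Outcome out;

    DeleteDiveCommand first(log, d);
    first.redo();                         // trip empties; the command now owns it
    first.undo();                         // dive and trip are back in the log
    out.tripsAfterUndo = log.trips.size();

    DeleteDiveCommand second(log, d);     // d is valid again after the undo
    second.redo();
    out.tripsAfterRedelete = log.trips.size();
    out.divesAfterRedelete = log.dives.size();
    out.copiedLocation = second.location() ? second.location() : "";
    return out;
}
```

The point is the ownership hand-off in removeDive(): the log never frees a trip that a pending command might still reference, and undo() re-inserts the very same objects, so pointers taken before the delete remain valid afterwards. The dup_or_null() wrapper is the cheap guard for the second crash; a std::string member would avoid the raw char* entirely.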