Issue #16 new

Crash on deletion of startup item

Anonymous created an issue

When I start a new application, the starting animation is displayed, but right before it switches to the normal task item, smooth tasks crashes.

I ran it through valgrind and found the following invalid read, which causes the segfault.

{{{
==16590== Invalid read of size 8
==16590==    at 0x2E91868B: SmoothTasks::TaskItem::expanderRect(TaskManager::AbstractGroupableItem, SmoothTasks::Applet const&, Qt::Orientation const&, QRectF const&) (TaskItem.cpp:1297)
==16590==    by 0x2E91893A: SmoothTasks::TaskItem::expanderRect(QRectF const&) const (TaskItem.cpp:1325)
==16590==    by 0x2E91B46C: SmoothTasks::TaskItem::paint(QPainter, QStyleOptionGraphicsItem const, QWidget) (TaskItem.cpp:906)
==16590==    by 0xB34CD28: _q_paintItem(QGraphicsItem, QPainter, QStyleOptionGraphicsItem const, QWidget, bool, bool) (qgraphicsscene.cpp:4331)
==16590==    by 0xB35F724: QGraphicsScenePrivate::drawItemHelper(QGraphicsItem, QPainter, QStyleOptionGraphicsItem const, QWidget, bool) (qgraphicsscene.cpp:4427)
==16590==    by 0xB362097: QGraphicsScenePrivate::draw(QGraphicsItem, QPainter, QTransform const, QTransform const, QRegion, QWidget, double, QTransform const, bool, bool) (qgraphicsscene.cpp:4962)
==16590==    by 0xB362754: QGraphicsScenePrivate::drawSubtreeRecursive(QGraphicsItem, QPainter, QTransform const, QRegion, QWidget, double, QTransform const) (qgraphicsscene.cpp:4853)
==16590==    by 0xB361C24: QGraphicsScenePrivate::draw(QGraphicsItem, QPainter, QTransform const, QTransform const, QRegion, QWidget, double, QTransform const, bool, bool) (qgraphicsscene.cpp:4992)
==16590==    by 0xB362754: QGraphicsScenePrivate::drawSubtreeRecursive(QGraphicsItem, QPainter, QTransform const, QRegion, QWidget, double, QTransform const) (qgraphicsscene.cpp:4853)
==16590==    by 0xB361C24: QGraphicsScenePrivate::draw(QGraphicsItem, QPainter, QTransform const, QTransform const, QRegion, QWidget, double, QTransform const, bool, bool) (qgraphicsscene.cpp:4992)
==16590==    by 0xB362754: QGraphicsScenePrivate::drawSubtreeRecursive(QGraphicsItem, QPainter, QTransform const, QRegion, QWidget, double, QTransform const) (qgraphicsscene.cpp:4853)
==16590==    by 0xB36323D: QGraphicsScenePrivate::drawItems(QPainter, QTransform const, QRegion, QWidget) (qgraphicsscene.cpp:4735)
==16590==  Address 0x3405e320 is 0 bytes inside a block of size 32 free'd
==16590==    at 0x4C2763C: operator delete(void) (vg_replace_malloc.c:457)
==16590==    by 0x2E29493B: TaskManager::GroupManagerPrivate::addTask(TaskManager::Task) (groupmanager.cpp:333)
==16590==    by 0x2E296F94: TaskManager::GroupManager::qt_static_metacall(QObject, QMetaObject::Call, int, void) (groupmanager.moc:92)
==16590==    by 0xA646C0E: QMetaObject::activate(QObject, QMetaObject const, int, void) (qobject.cpp:3547)
==16590==    by 0x2E2AFCEE: TaskManager::TaskManager::taskAdded(TaskManager::Task) (taskmanager.moc:187)
==16590==    by 0x2E2B0FF3: TaskManager::TaskManager::windowAdded(unsigned long) (taskmanager.cpp:298)
==16590==    by 0x2E2B156B: TaskManager::TaskManager::qt_static_metacall(QObject, QMetaObject::Call, int, void) (taskmanager.moc:103)
==16590==    by 0xA646C0E: QMetaObject::activate(QObject, QMetaObject const, int, void) (qobject.cpp:3547)
==16590==    by 0x9825841: KWindowSystem::windowAdded(unsigned long) (kwindowsystem.moc:143)
==16590==    by 0x98265B8: KWindowSystemPrivate::addClient(unsigned long) (kwindowsystem_x11.cpp:269)
==16590==    by 0x9834C02: NETRootInfo::update(unsigned long const) (netwm.cpp:2227)
==16590==    by 0x983575A: NETRootInfo::event(_XEvent, unsigned long*, int) (netwm.cpp:2099)
}}}

The crash is probably caused by not handling destruction of TaskItem.

Comments (2)

  1. Anonymous

    I came up with the following patch that fixes the issue for me:

    diff -r e8a97edfdebc applet/SmoothTasks/Task.cpp
    --- a/applet/SmoothTasks/Task.cpp	Sat Mar 03 23:20:42 2012 +0100
    +++ b/applet/SmoothTasks/Task.cpp	Mon Mar 19 10:03:15 2012 +0100
    @@ -83,6 +83,7 @@
     }
     
     void Task::itemDestroyed() {
    +	emit destroyed();
     	m_abstractItem = NULL;
     	m_task         = NULL;
     	m_group        = NULL;
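Review bot: In Task::itemDestroyed() the new emit destroyed(); comes before m_abstractItem, m_task and m_group are set to NULL, so with a direct connection every connected slot runs while this Task still holds pointers to the item that is going away. Move the emit below the three assignments so that receivers only ever see the cleared state.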
    diff -r e8a97edfdebc applet/SmoothTasks/Task.h
    --- a/applet/SmoothTasks/Task.h	Sat Mar 03 23:20:42 2012 +0100
    +++ b/applet/SmoothTasks/Task.h	Mon Mar 19 10:03:15 2012 +0100
    @@ -114,6 +114,7 @@
     	void updateIcon(const QIcon& icon);
     	void update();
     	void gotTask();
    +	void destroyed();
     };
     
     } // namespace SmoothTasks
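Review bot: The new void destroyed(); in Task.h reuses the name of the destroyed signal that every QObject already has (assuming Task derives from QObject, as the emit in Task.cpp implies), and that built-in signal means the object itself is being deleted, whereas here the Task stays alive and only the item it wraps is gone. Give the signal a distinct name so the two meanings stay apart and SIGNAL(destroyed()) connections remain unambiguous.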
    diff -r e8a97edfdebc applet/SmoothTasks/TaskItem.cpp
    --- a/applet/SmoothTasks/TaskItem.cpp	Sat Mar 03 23:20:42 2012 +0100
    +++ b/applet/SmoothTasks/TaskItem.cpp	Mon Mar 19 10:03:15 2012 +0100
    @@ -122,6 +122,9 @@
     	
     	// light
     	connect(m_light, SIGNAL(update()), this, SLOT(update()));
    +
    +	//destroyed
    +	connect(m_task, SIGNAL(destroyed()), this, SLOT(taskDestroyed()));
     	
     	m_preferredTextLayoutSize = ::SmoothTasks::preferredTextLayoutSize(m_task->text(), KGlobalSettings::taskbarFont());
     	
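Review bot: The result of the new connect() on m_task is not checked, and a string-based SIGNAL/SLOT pair that does not match only produces a runtime warning, which would leave the item without the notification the rest of this patch relies on. Check or assert the return value, and expand the //destroyed comment to say that it is the item wrapped by the Task that is destroyed, in the style of the // light comment above it.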
    @@ -833,6 +836,9 @@
     	Q_UNUSED(option);
     	Q_UNUSED(widget);
     
    +	if (m_task == NULL)
    +		return;
    +
     	const QRectF bounds = boundingRect();
     	
     	if (!bounds.isValid())
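Review bot: The m_task == NULL guard is added only at the top of this one function, while the invalid read in the report is inside expanderRect() (TaskItem.cpp:1297) and the constructor hunk above shows m_task being dereferenced directly (m_task->text()). Other members that touch m_task or m_abstractItem get no protection from this patch once taskDestroyed() has run, so the check belongs in a shared accessor or in each such member, not in the paint path alone.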
    @@ -1348,5 +1354,12 @@
     	return expanderElement(m_applet->location(), m_orientation);
     }
     
    +void TaskItem::taskDestroyed()
    +{
    +	m_task = NULL;
    +	m_abstractItem = NULL;
    +	deleteLater();
    +}
    +
     } // namespace SmoothTasks
     #include "TaskItem.moc"
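Review bot: taskDestroyed() ends with deleteLater(), which only schedules the deletion, so the TaskItem stays reachable until control returns to the event loop, now with m_task and m_abstractItem set to NULL. Nothing in this hunk removes the item from whatever holds it; either do that here or leave the deletion to the code that already handles item removal, so that exactly one place owns the TaskItem's lifetime.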
    diff -r e8a97edfdebc applet/SmoothTasks/TaskItem.h
    --- a/applet/SmoothTasks/TaskItem.h	Sat Mar 03 23:20:42 2012 +0100
    +++ b/applet/SmoothTasks/TaskItem.h	Mon Mar 19 10:03:15 2012 +0100
    @@ -190,6 +190,7 @@
     	void updateToolTip();
     	void publishIconGeometry();
     	void updateExpansion();
    +	void taskDestroyed();
     };
     
     } // namespace SmoothTasks
    
  2. flupp repo owner

    I cannot reproduce this, but I changed some things which may affect this bug. Please try again with a current version (kde-4.8 branch).

    Please tell me the commit id of the source code you tested with.

    To your patch: I think it is not a good idea to abuse the SIGNAL(destroyed()) to signal that a member is destroyed. Additionally, I think, if signals from libtaskmanager like TaskManager::TaskGroup::itemRemoved() are handled correctly, it should not be necessary to handle the SIGNAL(destroyed()) of AbstractGroupableItem. So maybe the bug is somewhere else.
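The design point raised in the reply above (let the owner of the items announce a removal and have the view drop its pointer then) can be shown without Qt. This is an added example, not code from Smooth Tasks or libtaskmanager; `Item`, `Group` and `View` are hypothetical stand-ins and plain callbacks take the place of signals and slots.

```cpp
#include <functional>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-ins, not libtaskmanager or SmoothTasks types.
struct Item { std::string name; };

// Owner of the items (the role the group manager plays in the trace).
class Group {
public:
    using Callback = std::function<void(const Item*)>;
    Item* add(std::string name) {
        items_.push_back(std::make_unique<Item>(Item{std::move(name)}));
        return items_.back().get();
    }
    void onItemRemoved(Callback cb) { listeners_.push_back(std::move(cb)); }
    // Notify first, free second: observers drop their pointer while the
    // item is still valid, so no later read can hit freed memory.
    void remove(const Item* item) {
        for (auto& cb : listeners_) cb(item);
        for (auto it = items_.begin(); it != items_.end(); ++it)
            if (it->get() == item) { items_.erase(it); return; }
    }
private:
    std::vector<std::unique_ptr<Item>> items_;
    std::vector<Callback> listeners_;
};

// The painted widget (the role of TaskItem). Assumption: a View is
// destroyed only after the last remove() it may be notified about.
class View {
public:
    View(Group& g, Item* item) : item_(item) {
        g.onItemRemoved([this](const Item* gone) {
            if (gone == item_) item_ = nullptr;
        });
    }
    View(const View&) = delete;             // the callback captures `this`
    View& operator=(const View&) = delete;
    bool attached() const { return item_ != nullptr; }
    // Returns the text it would draw, or an empty string once the item is gone.
    std::string paint() const { return item_ ? item_->name : std::string(); }
private:
    Item* item_;
};
```
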
