Possible bug in documentation.cc (de-referencing nullpointer)


Possible bug in documentation.cc (de-referencing nullpointer)

Andreas Weber-6
Dear Torsten,

I write directly to you because you've added the code with cset
ba5af45bbfc4 and I hope you can help quickly. If you are busy I'll
create a bug report for this.

In documentation.cc:78 m_help_engine is created with new and can't be
NULL after this (except on VC6) so the check in line 110 isn't needed,
but after this it's set to 0 (line 112) and de-referenced afterwards
(for example line 177, 181, 186 and so on),
which results in a SIGSEGV (signal 11).

Thank you, Andy


Re: Possible bug in documentation.cc (de-referencing nullpointer)

Torsten-3
On 02.01.19 22:22, Andreas Weber wrote:

> Dear Torsten,
>
> I write directly to you because you've added the code with cset
> ba5af45bbfc4 and I hope you can help quickly. If you are busy I'll
> create a bug report for this.
>
> In documentation.cc:78 m_help_engine is created with new and can't be
> NULL after this (except on VC6) so the check in line 110 isn't needed,
> but after this it's set to 0 (line 112) and de-referenced afterwards
> (for example line 177, 181, 186 and so on),
> which results in a SIGSEGV (signal 11).
>
> Thank you, Andy

Hi Andy,

Thanks for taking care of this.

Setting m_help_engine to 0 is directly followed by a "return" in 113.
Thus, lines 177, 181, ... should not be executed and should not cause a
segfault.

Best,
Torsten


Re: Possible bug in documentation.cc (de-referencing nullpointer)

Andreas Weber-6
On 02.01.19 at 22:44, Torsten wrote:
> Setting m_help_engine to 0 is directly followed by a "return" in 113.

OMG, you are absolutely right. How have I missed this? This is so
embarrassing...

I've just changed line 102 to
if (! m_help_engine->setupData() || 1)
then rebuilt, executed and got the expected segfault (which is obviously
at another place).

I'll debug this tomorrow and go to bed now, sorry for the noise.

And if we ever meet, I urgently owe you a beer or two as compensation ;-)

-- Andy


Re: Possible bug in documentation.cc (de-referencing nullpointer)

Torsten-3
On 02.01.19 23:02, Andreas Weber wrote:

> On 02.01.19 at 22:44, Torsten wrote:
>> Setting m_help_engine to 0 is directly followed by a "return" in 113.
>
> OMG, you are absolutely right. How have I missed this? This is so
> embarrassing...
>
> I've just changed line 102 to
> if (! m_help_engine->setupData() || 1)
> then rebuilt, executed and got the expected segfault (which is obviously
> at another place).
>
> I'll debug this tomorrow and go to bed now, sorry for the noise.
>
> And if we ever meet, I urgently owe you a beer or two as compensation ;-)
>
> -- Andy

No problem :-)

No beer required; rather a false alarm (or several) than a crash in
the 5.0.0 release.

Torsten


Re: Possible bug in documentation.cc (de-referencing nullpointer)

Andreas Weber-6
On 02.01.19 at 23:02, Andreas Weber wrote:
> I've just changed line 102 to
> if (! m_help_engine->setupData() || 1)
> then rebuilt, executed and got the expected segfault (which is obviously
> at another place).

Here is a backtrace after modifying line 102 (simulating that
m_help_engine->setupData() fails):

Thread 1 "octave-gui" received signal SIGSEGV, Segmentation fault.
0x00007f92868b4f70 in QKeySequence::operator==(QKeySequence const&)
const () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
(gdb) bt
#0  0x00007f92868b4f70 in QKeySequence::operator==(QKeySequence const&)
const () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
#1  0x00007f9286e2b04e in QAction::setShortcut(QKeySequence const&) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#2  0x00007f928b095218 in octave::shortcut_manager::do_set_shortcut
(this=0x55c8433c26f0, action=0x55c8437151a0, key=...) at
../octave-src/libgui/src/shortcut-manager.cc:515
#3  0x00007f928afdb9a7 in octave::shortcut_manager::set_shortcut
(action=0x55c8437151a0, key=...) at
../octave-src/libgui/src/shortcut-manager.h:96
#4  0x00007f928afd77d5 in octave::documentation::notice_settings
(this=0x55c84373e230, settings=0x55c8433ca940) at
../octave-src/libgui/src/documentation.cc:551
#5  0x00007f928afd363c in
octave::documentation_dock_widget::notice_settings (this=0x55c84367bc80,
settings=0x55c8433ca940)
     at ../octave-src/libgui/src/documentation-dock-widget.cc:62
#6  0x00007f928b048216 in octave::octave_dock_widget::handle_settings
(this=0x55c84367bc80, settings=0x55c8433ca940) at
../octave-src/libgui/src/octave-dock-widget.cc:461
#7  0x00007f928b0e127b in octave::octave_dock_widget::qt_static_metacall
(_o=0x55c84367bc80, _c=QMetaObject::InvokeMetaMethod, _id=7,
_a=0x7ffe2e875280)
     at libgui/src/moc-octave-dock-widget.cc:274
#8  0x00007f92865785e9 in QMetaObject::activate(QObject*, int, int,
void**) () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#9  0x00007f928b0d7223 in octave::main_window::settings_changed
(this=0x55c843340800, _t1=0x55c8433ca940) at
libgui/src/moc-main-window.cc:948
#10 0x00007f928b02bb88 in octave::main_window::read_settings
(this=0x55c843340800) at ../octave-src/libgui/src/main-window.cc:1274
#11 0x00007f928b02570a in octave::main_window::main_window
(this=0x55c843340800, oct_qt_app=..., oct_qt_lnk=0x55c8431a7ce0) at
../octave-src/libgui/src/main-window.cc:268
#12 0x00007f928b035bcb in octave::octave_qt_app::create_main_window
(this=0x7ffe2e875620) at ../octave-src/libgui/src/main-window.cc:2911
#13 0x00007f928b03587b in octave::octave_qt_app::octave_qt_app
(this=0x7ffe2e875620, app_context=...) at
../octave-src/libgui/src/main-window.cc:2865
#14 0x00007f928b049dab in octave::gui_application::execute
(this=0x7ffe2e8756c0) at ../octave-src/libgui/src/octave-gui.cc:62
#15 0x000055c842455877 in main (argc=9, argv=0x7ffe2e8759f8) at
../octave-src/src/main-gui.cc:103


Re: Possible bug in documentation.cc (de-referencing nullpointer)

Torsten-3
On 03.01.19 08:53, Andreas Weber wrote:

> On 02.01.19 at 23:02, Andreas Weber wrote:
>> I've just changed line 102 to
>> if (! m_help_engine->setupData() || 1)
>> then rebuilt, executed and got the expected segfault (which is obviously
>> at another place).
>
> Here is a backtrace after modifying line 102 (simulating that
> m_help_engine->setupData() fails):
>
> Thread 1 "octave-gui" received signal SIGSEGV, Segmentation fault.
> 0x00007f92868b4f70 in QKeySequence::operator==(QKeySequence const&)
> const () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
> (gdb) bt
> #0  0x00007f92868b4f70 in QKeySequence::operator==(QKeySequence const&)
> const () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
> #1  0x00007f9286e2b04e in QAction::setShortcut(QKeySequence const&) ()
> from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
> #2  0x00007f928b095218 in octave::shortcut_manager::do_set_shortcut
> (this=0x55c8433c26f0, action=0x55c8437151a0, key=...) at
> ../octave-src/libgui/src/shortcut-manager.cc:515
> #3  0x00007f928afdb9a7 in octave::shortcut_manager::set_shortcut
> (action=0x55c8437151a0, key=...) at
> ../octave-src/libgui/src/shortcut-manager.h:96
> #4  0x00007f928afd77d5 in octave::documentation::notice_settings
> (this=0x55c84373e230, settings=0x55c8433ca940) at
> ../octave-src/libgui/src/documentation.cc:551
> #5  0x00007f928afd363c in
> octave::documentation_dock_widget::notice_settings (this=0x55c84367bc80,
> settings=0x55c8433ca940)
>     at ../octave-src/libgui/src/documentation-dock-widget.cc:62
> #6  0x00007f928b048216 in octave::octave_dock_widget::handle_settings
> (this=0x55c84367bc80, settings=0x55c8433ca940) at
> ../octave-src/libgui/src/octave-dock-widget.cc:461
> #7  0x00007f928b0e127b in octave::octave_dock_widget::qt_static_metacall
> (_o=0x55c84367bc80, _c=QMetaObject::InvokeMetaMethod, _id=7,
> _a=0x7ffe2e875280)
>     at libgui/src/moc-octave-dock-widget.cc:274
> #8  0x00007f92865785e9 in QMetaObject::activate(QObject*, int, int,
> void**) () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
> #9  0x00007f928b0d7223 in octave::main_window::settings_changed
> (this=0x55c843340800, _t1=0x55c8433ca940) at
> libgui/src/moc-main-window.cc:948
> #10 0x00007f928b02bb88 in octave::main_window::read_settings
> (this=0x55c843340800) at ../octave-src/libgui/src/main-window.cc:1274
> #11 0x00007f928b02570a in octave::main_window::main_window
> (this=0x55c843340800, oct_qt_app=..., oct_qt_lnk=0x55c8431a7ce0) at
> ../octave-src/libgui/src/main-window.cc:268
> #12 0x00007f928b035bcb in octave::octave_qt_app::create_main_window
> (this=0x7ffe2e875620) at ../octave-src/libgui/src/main-window.cc:2911
> #13 0x00007f928b03587b in octave::octave_qt_app::octave_qt_app
> (this=0x7ffe2e875620, app_context=...) at
> ../octave-src/libgui/src/main-window.cc:2865
> #14 0x00007f928b049dab in octave::gui_application::execute
> (this=0x7ffe2e8756c0) at ../octave-src/libgui/src/octave-gui.cc:62
> #15 0x000055c842455877 in main (argc=9, argv=0x7ffe2e8759f8) at
> ../octave-src/src/main-gui.cc:103

Thanks for the backtrace. In documentation::notice_settings, the actions
are used although they were never initialized when m_help_engine is 0.
Adding a

if (! m_help_engine)
  return;

at the beginning of notice_settings should fix the segfault. I am going
to test this as soon as the current build process on my computer is
finally finished.

Torsten

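The failure sequence diagnosed above (the constructor deletes the help engine, nulls m_help_engine and returns early, so the actions are never created; a later settings broadcast then dereferences them) and the early-return guard Torsten proposes, modelled in a Qt-free C++ example. This is added illustration, not Octave's code: help_engine and action are stand-ins for QHelpEngine and QAction, the member names merely mirror documentation.cc, and an empty collection path is the constructed way of making setupData() fail (the same effect Andy forced with "|| 1").

```cpp
// Added example, not Octave's own code: a Qt-free model of the lifecycle that
// produced the segfault discussed in this thread. help_engine and action stand
// in for QHelpEngine and QAction; the member names mirror documentation.cc.
#include <cstdio>
#include <string>
#include <utility>

// Stand-in for QHelpEngine. An empty collection path simulates the case where
// setupData() fails (assumption for this example; the real engine checks a .qhc file).
struct help_engine {
  explicit help_engine(std::string collection_file)
    : m_collection_file(std::move(collection_file)) {}
  bool setupData() const { return !m_collection_file.empty(); }
  std::string m_collection_file;
};

// Stand-in for QAction: only the shortcut matters here.
struct action {
  std::string shortcut;
};

class documentation {
public:
  explicit documentation(const std::string& collection_file)
    : m_help_engine(new help_engine(collection_file))
  {
    if (!m_help_engine->setupData()) {
      // Same shape as the code discussed in the thread: delete, null the
      // member, bail out. Nulling the pointer is what makes a later guard
      // possible; a dangling pointer would turn the bug into a use-after-free.
      delete m_help_engine;
      m_help_engine = nullptr;
      return;
    }
    // Only reached on success: the actions exist only when the engine does.
    m_action_zoom_in = new action{};
    m_action_zoom_out = new action{};
  }

  documentation(const documentation&) = delete;
  documentation& operator=(const documentation&) = delete;

  ~documentation() {
    delete m_action_zoom_out;
    delete m_action_zoom_in;
    delete m_help_engine;
  }

  // The bug: a settings slot that assumes construction completed. Invoked on an
  // instance whose setupData() failed, it dereferences a null action pointer,
  // which is the SIGSEGV in the backtrace. Deliberately never called below.
  void notice_settings_unguarded(const std::string& zoom_in_key,
                                 const std::string& zoom_out_key) {
    m_action_zoom_in->shortcut = zoom_in_key;
    m_action_zoom_out->shortcut = zoom_out_key;
  }

  // The fix from the thread: return before touching anything that is only
  // initialised on the success path. Returns whether settings were applied.
  bool notice_settings(const std::string& zoom_in_key,
                       const std::string& zoom_out_key) {
    if (!m_help_engine)
      return false;
    m_action_zoom_in->shortcut = zoom_in_key;
    m_action_zoom_out->shortcut = zoom_out_key;
    return true;
  }

  bool has_engine() const { return m_help_engine != nullptr; }
  std::string zoom_in_shortcut() const {
    return m_action_zoom_in ? m_action_zoom_in->shortcut : std::string();
  }

private:
  help_engine* m_help_engine = nullptr;
  action* m_action_zoom_in = nullptr;
  action* m_action_zoom_out = nullptr;
};

// Drives both paths. A settings broadcast reaches every dock widget,
// including one whose help engine never came up, so the guard must hold there.
bool documentation_guard_holds() {
  documentation healthy("octave.qhc");   // constructed sample path
  documentation broken("");              // simulates a missing collection file
  bool ok = healthy.has_engine() && !broken.has_engine();
  ok = ok && healthy.notice_settings("Ctrl++", "Ctrl+-");
  ok = ok && healthy.zoom_in_shortcut() == "Ctrl++";
  ok = ok && !broken.notice_settings("Ctrl++", "Ctrl+-");  // returns instead of crashing
  ok = ok && broken.zoom_in_shortcut().empty();
  return ok;
}

int main() {
  bool ok = documentation_guard_holds();
  std::printf("guard holds on failed-setup widget: %s\n", ok ? "yes" : "no");
  return ok ? 0 : 1;
}
```

The pattern worth remembering from this thread: a constructor that bails out early leaves the object in a partially initialised state, and every slot or callback that can be invoked on that object afterwards (here, anything reachable from a settings-changed signal) needs the same "is the engine there?" check, or the members must be initialised unconditionally so that no such state exists.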

Re: Possible bug in documentation.cc (de-referencing nullpointer)

Torsten-3
On 03.01.19 21:17, Torsten wrote:

> On 03.01.19 08:53, Andreas Weber wrote:
>> On 02.01.19 at 23:02, Andreas Weber wrote:
>>> I've just changed line 102 to
>>> if (! m_help_engine->setupData() || 1)
>>> then rebuilt, executed and got the expected segfault (which is obviously
>>> at another place).
>>
>> Here is a backtrace after modifying line 102 (simulating that
>> m_help_engine->setupData() fails):
>>
>> Thread 1 "octave-gui" received signal SIGSEGV, Segmentation fault.
>> 0x00007f92868b4f70 in QKeySequence::operator==(QKeySequence const&)
>> const () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
>> (gdb) bt
>> #0  0x00007f92868b4f70 in QKeySequence::operator==(QKeySequence const&)
>> const () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
>> #1  0x00007f9286e2b04e in QAction::setShortcut(QKeySequence const&) ()
>> from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
>> #2  0x00007f928b095218 in octave::shortcut_manager::do_set_shortcut
>> (this=0x55c8433c26f0, action=0x55c8437151a0, key=...) at
>> ../octave-src/libgui/src/shortcut-manager.cc:515
>> #3  0x00007f928afdb9a7 in octave::shortcut_manager::set_shortcut
>> (action=0x55c8437151a0, key=...) at
>> ../octave-src/libgui/src/shortcut-manager.h:96
>> #4  0x00007f928afd77d5 in octave::documentation::notice_settings
>> (this=0x55c84373e230, settings=0x55c8433ca940) at
>> ../octave-src/libgui/src/documentation.cc:551
>> #5  0x00007f928afd363c in
>> octave::documentation_dock_widget::notice_settings (this=0x55c84367bc80,
>> settings=0x55c8433ca940)
>>     at ../octave-src/libgui/src/documentation-dock-widget.cc:62
>> #6  0x00007f928b048216 in octave::octave_dock_widget::handle_settings
>> (this=0x55c84367bc80, settings=0x55c8433ca940) at
>> ../octave-src/libgui/src/octave-dock-widget.cc:461
>> #7  0x00007f928b0e127b in octave::octave_dock_widget::qt_static_metacall
>> (_o=0x55c84367bc80, _c=QMetaObject::InvokeMetaMethod, _id=7,
>> _a=0x7ffe2e875280)
>>     at libgui/src/moc-octave-dock-widget.cc:274
>> #8  0x00007f92865785e9 in QMetaObject::activate(QObject*, int, int,
>> void**) () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
>> #9  0x00007f928b0d7223 in octave::main_window::settings_changed
>> (this=0x55c843340800, _t1=0x55c8433ca940) at
>> libgui/src/moc-main-window.cc:948
>> #10 0x00007f928b02bb88 in octave::main_window::read_settings
>> (this=0x55c843340800) at ../octave-src/libgui/src/main-window.cc:1274
>> #11 0x00007f928b02570a in octave::main_window::main_window
>> (this=0x55c843340800, oct_qt_app=..., oct_qt_lnk=0x55c8431a7ce0) at
>> ../octave-src/libgui/src/main-window.cc:268
>> #12 0x00007f928b035bcb in octave::octave_qt_app::create_main_window
>> (this=0x7ffe2e875620) at ../octave-src/libgui/src/main-window.cc:2911
>> #13 0x00007f928b03587b in octave::octave_qt_app::octave_qt_app
>> (this=0x7ffe2e875620, app_context=...) at
>> ../octave-src/libgui/src/main-window.cc:2865
>> #14 0x00007f928b049dab in octave::gui_application::execute
>> (this=0x7ffe2e8756c0) at ../octave-src/libgui/src/octave-gui.cc:62
>> #15 0x000055c842455877 in main (argc=9, argv=0x7ffe2e8759f8) at
>> ../octave-src/src/main-gui.cc:103
>
> Thanks for the backtrace. In documentation::notice_settings, the actions
> are used although they were never initialized when m_help_engine is 0.
> Adding a
>
> if (! m_help_engine)
>   return;
>
> at the beginning of notice_settings should fix the segfault. I am going
> to test this as soon as the current build process on my computer is
> finally finished.
>
> Torsten
>

Cset http://hg.savannah.gnu.org/hgweb/octave/rev/25dfa8c96b7b fixes this
bug. Andy, thanks for discovering this.

Torsten