unity8 crashed with SIGSEGV in QQuickWindowPrivate::polishItems()

Bug #1297240 reported by Didier Roche-Tolomelli
This bug affects 3 people
Affects: unity8 (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Albert Astals Cid
Milestone: (none listed)

Bug Description

Unity8 with new scopes crashes randomly when expanding some big category scope

The crash here was on the app scopes, when expanding for the first time the "available" items.

Unity8 7.84+14.04.20140324.4-0ubuntu1
On image #258

ProblemType: Crash
DistroRelease: Ubuntu 14.04
Package: unity8 7.84+14.04.20140324.4-0ubuntu1
Uname: Linux 3.4.0-5-mako armv7l
ApportVersion: 2.13.3-0ubuntu1
Architecture: armhf
CurrentDesktop: Unity
Date: Tue Mar 25 11:38:11 2014
ExecutablePath: /usr/bin/unity8
InstallationDate: Installed on 2014-03-25 (0 days ago)
InstallationMedia: Ubuntu Trusty Tahr (development branch) - armhf (20140325)
ProcCmdline: unity8
Signal: 11
SourcePackage: unity8
StacktraceTop:
 ?? ()
 QQuickWindowPrivate::polishItems() () from /usr/lib/arm-linux-gnueabihf/libQt5Quick.so.5
 ?? () from /usr/lib/arm-linux-gnueabihf/libQt5Quick.so.5
Title: unity8 crashed with SIGSEGV in QQuickWindowPrivate::polishItems()
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm autopilot cdrom dialout dip nopasswdlogin plugdev sudo tty video

Didier Roche-Tolomelli (didrocks) wrote :
Apport retracing service (apport) wrote :

StacktraceTop:
 ?? ()
 QQuickWindowPrivate::polishItems() () at items/qquickwindow.cpp:261
 QSGThreadedRenderLoop::polishAndSync(QSGThreadedRenderLoop::Window*) () at scenegraph/qsgthreadedrenderloop.cpp:1093
 QSGThreadedRenderLoop::event(QEvent*) () at scenegraph/qsgthreadedrenderloop.cpp:1177
 QCoreApplication::notify(QObject*, QEvent*) () at kernel/qcoreapplication.cpp:943

Apport retracing service (apport) wrote : Stacktrace.txt
Apport retracing service (apport) wrote : StacktraceSource.txt
Apport retracing service (apport) wrote : ThreadStacktrace.txt
Changed in unity8 (Ubuntu):
importance: Undecided → Medium
tags: removed: need-armhf-retrace
Michał Sawicz (saviq)
information type: Private → Public
Changed in unity8 (Ubuntu):
importance: Medium → High
Michał Sawicz (saviq) wrote :

I can't repro here, would be great if anyone encounters this would add their steps to reproduce...

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in unity8 (Ubuntu):
status: New → Confirmed
Albert Astals Cid (aacid) wrote :

I have certainly seen this backtrace in the past but somehow it stopped happening to me, and now I've been trying for 2 hours to reproduce it both on Nexus4 and PC and couldn't get a crash at all :_/

Dave Morley (davmor2) wrote :

I'm looking to reproduce this crash but I haven't seen it since. I'm wondering if it might have been something that happened on initial data retrieval for each scope, and after that it is fine.

I'm still digging though so if I reproduce it steps will follow.

Michał Sawicz (saviq) wrote :

I've been able to find a semi-reliable way to reproduce, just search, clear, search, clear in the apps scope, typing relatively slowly (so that items start flowing in), or selecting items from the search history. Ultimately you'll get the crash.

Changed in unity8 (Ubuntu):
assignee: nobody → Albert Astals Cid (aacid)
Albert Astals Cid (aacid) wrote :

A nice valgrind trace about it, showing the problem is the processEvents call we have in the LVWPH code:

==3365== Thread 1:
==3365== Invalid read of size 8
==3365== at 0x5BFB7E4: QQuickWindowPrivate::polishItems() (in /usr/lib/x86_64-linux-gnu/libQt5Quick.so.5.2.1)
==3365== by 0x5BDB2D2: QSGThreadedRenderLoop::polishAndSync(QSGThreadedRenderLoop::Window*) (in /usr/lib/x86_64-linux-gnu/libQt5Quick.so.5.2.1)
==3365== by 0x5BDB667: QSGThreadedRenderLoop::event(QEvent*) (in /usr/lib/x86_64-linux-gnu/libQt5Quick.so.5.2.1)
==3365== by 0x64A4EFC: QCoreApplication::notify(QObject*, QEvent*) (in /usr/lib/x86_64-linux-gnu/libQt5Core.so.5.2.1)
==3365== by 0x64A4C2C: QCoreApplication::notifyInternal(QObject*, QEvent*) (in /usr/lib/x86_64-linux-gnu/libQt5Core.so.5.2.1)
==3365== by 0x64F11AC: QTimerInfoList::activateTimers() (in /usr/lib/x86_64-linux-gnu/libQt5Core.so.5.2.1)
==3365== by 0x64F1660: timerSourceDispatch(_GSource*, int (*)(void*), void*) (in /usr/lib/x86_64-linux-gnu/libQt5Core.so.5.2.1)
==3365== by 0x8CF1E03: g_main_context_dispatch (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==3365== by 0x8CF2047: g_main_context_iterate.isra.24 (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==3365== by 0x8CF20EB: g_main_context_iteration (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==3365== by 0x64F198B: QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (in /usr/lib/x86_64-linux-gnu/libQt5Core.so.5.2.1)
==3365== by 0x64A396A: QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (in /usr/lib/x86_64-linux-gnu/libQt5Core.so.5.2.1)
==3365== by 0x64AA0E0: QCoreApplication::exec() (in /usr/lib/x86_64-linux-gnu/libQt5Core.so.5.2.1)
==3365== by 0x406837: startShell(int, char const**, void*) (main.cpp:137)
==3365== by 0x406FA5: main (main.cpp:193)
==3365== Address 0x130fb938 is 8 bytes inside a block of size 208 free'd
==3365== at 0x4C2BB5C: operator delete(void*) (vg_replace_malloc.c:502)
==3365== by 0x64CCC9B: QObjectPrivate::deleteChildren() (in /usr/lib/x86_64-linux-gnu/libQt5Core.so.5.2.1)
==3365== by 0x64D3631: QObject::~QObject() (in /usr/lib/x86_64-linux-gnu/libQt5Core.so.5.2.1)
==3365== by 0x5C06E25: QQmlPrivate::QQmlElement<QQuickItem>::~QQmlElement() (in /usr/lib/x86_64-linux-gnu/libQt5Quick.so.5.2.1)
==3365== by 0x64CD277: QObject::event(QEvent*) (in /usr/lib/x86_64-linux-gnu/libQt5Core.so.5.2.1)
==3365== by 0x5BEEAE2: QQuickItem::event(QEvent*) (in /usr/lib/x86_64-linux-gnu/libQt5Quick.so.5.2.1)
==3365== by 0x64A4EFC: QCoreApplication::notify(QObject*, QEvent*) (in /usr/lib/x86_64-linux-gnu/libQt5Core.so.5.2.1)
==3365== by 0x64A4C2C: QCoreApplication::notifyInternal(QObject*, QEvent*) (in /usr/lib/x86_64-linux-gnu/libQt5Core.so.5.2.1)
==3365== by 0x64A6E06: QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (in /usr/lib/x86_64-linux-gnu/libQt5Core.so.5.2.1)
==3365== by 0x64F1CD2: postEventSourceDispatch(_GSource*, int (*)(void*), void*) (in /usr/lib/x86_64-linux-gnu/libQt5Core.so.5.2.1)
==3365== by 0x8CF1E03: g_main_context_dispatch (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==3365== by 0x8CF2047: g_mai...


Changed in unity8 (Ubuntu):
status: Confirmed → In Progress
Albert Astals Cid (aacid) wrote :

I'd appreciate if people could give a try to the branch I've linked. I can't reproduce the crash anymore and the fix makes sense by reading the trace valgrind gave me, but with these "racy" crash bugs it's always hard to realize if I'm not getting the crash anymore because I'm lucky or because I've really fixed it.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unity8 - 7.85+14.04.20140401.3-0ubuntu1

---------------
unity8 (7.85+14.04.20140401.3-0ubuntu1) trusty; urgency=medium

  [ Michał Sawicz ]
  * Bump version to ensure incompatibility with previous Unity.Application
    implementations.
  * We'll only have the unity-mir and mock Ubuntu.Application plugins
    now, no need for mangling the import paths.

  [ Michal Hruby ]
  * Remove the albumart image provider. (LP: #1262711)
  * Don't reset search string after 2 seconds. (LP: #1297246)

  [ James Henstridge ]
  * Remove the albumart image provider. (LP: #1262711)

  [ Albert Astals ]
  * Carousel: Add test to make sure we only create the needed delegates
    and not more
  * LVWPH: Remove processEvents() call from updatePolish(). It causes
    some reentrancy issues and sometimes you end up in polishItems()
    with items that have been deleted because you called processEvents().
    This means I need a small tweak in itemGeometryChanged to not
    reposition items if we are inside a setContentHeight call and two
    small tweaks to tests since now things happen in a different order
    and numbers are different (though equivalent) (LP: #1297240)
  * Card.qml binding loops are gone. hooray \o/ Also made the aspect
    properties readonly

  [ Mirco Müller ]
  * A potential fix for "Cannot read property 'state' of null"-failure
    on Jenkins with the VisualSnapDecisionsQueue QML-test of
    notifications.

  [ Michael Terry ]
  * Pass user's preference for auto-brightness on to powerd. (LP:
    #1273174)

  [ Michael Zanetti ]
  * Registers a dummy QObject as QTestRootObject in uqmlscene in order
    to fix make trySomething with Qt 5.2.
 -- Ubuntu daily release <email address hidden> Tue, 01 Apr 2014 22:56:52 +0000

Changed in unity8 (Ubuntu):
status: In Progress → Fix Released
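As an added illustration (not unity8 or Qt code), this self-contained C++ model reproduces the reentrancy pattern named in the valgrind trace and in the LVWPH changelog entry above: an updatePolish() that drains the event loop lets a queued deferred delete run while polishItems() is still walking its list, so a later entry is dangling. The names Loop, Item, scenario and the live-set bookkeeping are constructed for the example; real Qt code would dereference the freed item instead of counting it.

```cpp
#include <functional>
#include <set>
#include <utility>
#include <vector>

struct Item;

// Constructed stand-in for the Qt event loop plus the window's polish list.
struct Loop {
    std::vector<std::function<void()>> posted;  // pending events (e.g. DeferredDelete)
    std::set<Item*> live;                       // items not yet destroyed
    std::vector<Item*> polishQueue;             // items whose updatePolish() is due
    void processEvents() {
        auto batch = std::move(posted);         // run everything queued so far
        posted.clear();
        for (auto& ev : batch) ev();
    }
};

struct Item {
    Loop& loop;
    bool drainEventsDuringPolish;               // models the LVWPH processEvents() call
    Item(Loop& l, bool drain) : loop(l), drainEventsDuringPolish(drain) { loop.live.insert(this); }
    void deleteLater() {                        // deferred delete, like QObject::deleteLater()
        loop.posted.push_back([this] { Loop& l = loop; l.live.erase(this); delete this; });
    }
    void updatePolish() { if (drainEventsDuringPolish) loop.processEvents(); }
};

// Walks a snapshot of the polish list; returns how many entries were already
// freed when reached (each one is a use-after-free in the real code).
int polishItems(Loop& loop) {
    std::vector<Item*> snapshot = loop.polishQueue;
    loop.polishQueue.clear();
    int dangling = 0;
    for (Item* it : snapshot) {
        if (!loop.live.count(it)) { ++dangling; continue; }
        it->updatePolish();
    }
    return dangling;
}

// Two items queued for polish, one discarded (e.g. a delegate dropped when the
// search string is cleared). Returns the dangling count polishItems() saw.
int scenario(bool drainEventsDuringPolish) {
    Loop loop;
    Item* a = new Item(loop, drainEventsDuringPolish);
    Item* b = new Item(loop, drainEventsDuringPolish);
    loop.polishQueue = {a, b};
    b->deleteLater();
    int dangling = polishItems(loop);           // 1 with the drain, 0 without
    loop.processEvents();                       // the normal event-loop turn afterwards
    for (Item* it : std::vector<Item*>(loop.live.begin(), loop.live.end())) delete it;
    return dangling;
}
```

Without the processEvents() call the deferred delete only runs after polishItems() has finished, which is the ordering the fix restores.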