
Bug #10455

dt sometimes crashes when using mouse wheel to adjust exposure in histogram

Added by Patrick Shanahan almost 5 years ago. Updated almost 5 years ago.

Status: Fixed
Priority: Low
Assignee:
Category: Darkroom
Start date: 05/12/2015
Due date:
% Done: 100%
Estimated time:
Affected Version: git development version
System: all
bitness: 64-bit
hardware architecture: amd64/x86

Description

frequent crashes when using mouse wheel to adjust exposure in the histogram


Related issues

Related to darktable - Bug #10438: Crashes in "more modules" due to multi-instances (Fixed, 04/28/2015)

Associated revisions

Revision 4c5f3122 (diff)
Added by Roman Lebedev almost 5 years ago

Properly deal with exposure iop hooks. Fixes #10455

Since there can be several instances of exposure iop,
previously if user deleted last created instance, we end up
using no-longer-valid hook data.
Also, previously exposure iop did not clean up hook in gui_cleanup()

In order to fix this I stored exposure iop hooks in sorted GList.
That way, it should always be representative of current situation,
and we can easily find the needed exposure iop instance (last one)
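
The hook bookkeeping this commit describes, as an added example that is not darktable's code: a registry of exposure hooks kept sorted by instance number (a plain linked list standing in for the GList), with register, deregister and a "find the last instance" lookup, so the histogram callback never keeps a pointer to an instance the user has deleted. The function names (hook_register, hook_deregister, hook_current_self) and the instance stand-ins are assumptions.

```c
/* Added example, not darktable's own code: per-instance exposure hooks kept in a
 * singly linked list sorted by instance number, modelled on the fix the commit
 * message above describes. The histogram side resolves the newest live instance on
 * every event, and each instance drops its hook in its own cleanup. Names are made up. */
#include <stdlib.h>

typedef struct exposure_hook {
  int instance;                 /* multi-instance number; higher means created later */
  void *self;                   /* the owning module instance (opaque here) */
  struct exposure_hook *next;
} exposure_hook_t;

static exposure_hook_t *hooks = NULL;   /* kept sorted ascending by instance */

/* Constructed stand-ins for three module instances; only their addresses matter. */
int inst0, inst1, inst2;

/* gui_init() side: insert while keeping the list sorted. Returns 0 on success. */
int hook_register(int instance, void *self) {
  exposure_hook_t *h = malloc(sizeof *h);
  if (h == NULL) return -1;
  h->instance = instance;
  h->self = self;
  exposure_hook_t **pp = &hooks;
  while (*pp != NULL && (*pp)->instance < instance) pp = &(*pp)->next;
  h->next = *pp;
  *pp = h;
  return 0;
}

/* gui_cleanup() side: the hook leaves the list with its owner. Returns 1 if removed. */
int hook_deregister(void *self) {
  for (exposure_hook_t **pp = &hooks; *pp != NULL; pp = &(*pp)->next) {
    if ((*pp)->self != self) continue;
    exposure_hook_t *dead = *pp;
    *pp = dead->next;            /* unlink before freeing; no other list holds it */
    free(dead);
    return 1;
  }
  return 0;
}

/* Histogram side: look up the last (newest) live instance each time; NULL means none. */
void *hook_current_self(void) {
  exposure_hook_t *h = hooks;
  if (h == NULL) return NULL;
  while (h->next != NULL) h = h->next;
  return h->self;
}
```

Replaying the reproduction steps against this registry (create instances, delete the last one, scroll again) yields the previous instance instead of a dangling pointer, and NULL once no instance is left, which the caller must check.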

Revision 3859f096 (diff)
Added by Roman Lebedev almost 5 years ago

dt_dev_module_remove(): properly remove all history entries related to module

Fixes following issue: (refs #10455, comment 3)
1. (empty history stack) change exposure
2. add new exposure iop instance
3. change exposure in second instance
4. delete that new instance
5. change exposure in original instance

=================================================================
==31502==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6190023d489c at pc 0x7f073823a423 bp 0x7ffd3f9349d0 sp 0x7ffd3f9349c8
READ of size 4 at 0x6190023d489c thread T0
#0 0x7f073823a422 in dt_dev_add_history_item /home/lebedevri/darktable/src/develop/develop.c:557
#1 0x7f0711886433 in exposure_set_white /home/lebedevri/darktable/src/iop/exposure.c:661
#2 0x7f0711886882 in dt_iop_exposure_set_white /home/lebedevri/darktable/src/iop/exposure.c:682
#3 0x7f07118869e2 in exposure_callback /home/lebedevri/darktable/src/iop/exposure.c:827
#4 0x7f0735ee0503 (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x10503)
#5 0x7f0735ef9fa6 in g_signal_emit_valist (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x29fa6)
#6 0x7f0735efae49 in g_signal_emit_by_name (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2ae49)
#7 0x7f073814fe94 in dt_bauhaus_slider_set_normalized /home/lebedevri/darktable/src/bauhaus/bauhaus.c:1937
#8 0x7f07381535c6 in dt_bauhaus_slider_scroll /home/lebedevri/darktable/src/bauhaus/bauhaus.c:1781
#9 0x7f07379ad41d (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x1ed41d)
#10 0x7f0735ee0503 (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x10503)
#11 0x7f0735ef9a4f in g_signal_emit_valist (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x29a4f)
#12 0x7f0735efa8fe in g_signal_emit (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2a8fe)
#13 0x7f0737addde3 (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x31dde3)
#14 0x7f07379aad2d (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x1ead2d)
#15 0x7f07379ac93d in gtk_main_do_event (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x1ec93d)
#16 0x7f073754fb11 (/usr/lib/x86_64-linux-gnu/libgdk-3.so.0+0x4fb11)
#17 0x7f0735c09c3c in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x49c3c)
#18 0x7f0735c09f1f (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x49f1f)
#19 0x7f0735c0a241 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4a241)
#20 0x7f07379abbf4 in gtk_main (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x1ebbf4)
#21 0x7f073833ec96 in dt_gui_gtk_run /home/lebedevri/darktable/src/gui/gtk.c:964
#22 0x400cf3 in main /home/lebedevri/darktable/src/main.c:25
#23 0x7f07309e9b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
#24 0x400bd8 (/usr/local/bin/darktable+0x400bd8)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/lebedevri/darktable/src/develop/develop.c:557 dt_dev_add_history_item
...
==31502==ABORTING

Revision 369c7f8b (diff)
Added by Roman Lebedev almost 5 years ago

Properly deal with exposure iop hooks. Fixes #10455

Since there can be several instances of exposure iop,
previously if user deleted last created instance, we end up
using no-longer-valid hook data.
Also, previously exposure iop did not clean up hook in gui_cleanup()

In order to fix this I stored exposure iop hooks in sorted GList.
That way, it should always be representative of current situation,
and we can easily find the needed exposure iop instance (last one)

(cherry picked from commit 4c5f3122e1287dd126a3e17f45da909039ea3b62)

Revision 6b3b04c9 (diff)
Added by Roman Lebedev almost 5 years ago

dt_dev_module_remove(): properly remove all history entries related to module

Fixes following issue: (refs #10455, comment 3)
1. (empty history stack) change exposure
2. add new exposure iop instance
3. change exposure in second instance
4. delete that new instance
5. change exposure in original instance

=================================================================
==31502==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6190023d489c at pc 0x7f073823a423 bp 0x7ffd3f9349d0 sp 0x7ffd3f9349c8
READ of size 4 at 0x6190023d489c thread T0

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/lebedevri/darktable/src/develop/develop.c:557 dt_dev_add_history_item
...
==31502==ABORTING

(cherry picked from commit 3859f096a36c7f3060f8898f0e3647f69f7762b7)

Revision d24d1310 (diff)
Added by Roman Lebedev almost 5 years ago

Accels: properly handle accels in dt_accel_deregister_{iop,lib}()

Fixes following issue: (refs #10455, comment 3)
1. Open image in DT
2. change exposure
3. create preset

Each accel in accel_closures_local, accel_closures and accelerator_list
points to the same memory, so we must free it only once, when no other
list contains it and when no longer needed - when deleting from accelerator_list

AddressSanitizer: heap-use-after-free on address 0x61800054ec80 at pc 0x7fc58932f178 bp 0x7ffd083407a0 sp 0x7ffd08340768
READ of size 1 at 0x61800054ec80 thread T0
#0 0x7fc58932f177 in strncmp (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x37177)
#1 0x7fc589065042 in dt_accel_deregister_iop /home/lebedevri/darktable/src/gui/accelerators.c:730
#2 0x7fc589065db3 in dt_accel_rename_preset_iop /home/lebedevri/darktable/src/gui/accelerators.c:848
#3 0x7fc5890a8f56 in edit_preset_response /home/lebedevri/darktable/src/gui/presets.c:295
...

0x61800054ec80 is located 0 bytes inside of 784-byte region [0x61800054ec80,0x61800054ef90)
freed by thread T0 here:
#0 0x7fc58934c537 in _interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54537)
#1 0x7fc589064fb1 in dt_accel_deregister_iop /home/lebedevri/darktable/src/gui/accelerators.c:719
#2 0x7fc589065db3 in dt_accel_rename_preset_iop /home/lebedevri/darktable/src/gui/accelerators.c:848
#3 0x7fc5890a8f56 in edit_preset_response /home/lebedevri/darktable/src/gui/presets.c:295
#4 0x7fc586c0a567 in g_cclosure_marshal_VOID__INTv (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x12567)

previously allocated by thread T0 here:
#0 0x7fc58934c74f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5474f)
#1 0x7fc586937799 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4f799)
#2 0x7fc5890a7cb5 in menuitem_new_preset /home/lebedevri/darktable/src/gui/presets.c:663
#3 0x7fc586c082d4 in g_closure_invoke (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x102d4)
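
The ownership rule this commit states, as an added example that is not darktable's code: one accel record referenced from accel_closures_local, accel_closures and accelerator_list, where deregistration unlinks the record from the two closure lists by pointer identity and frees it only once, when it leaves accelerator_list, so the prefix comparison on later entries never reads freed memory. The list representation (fixed arrays), the function names and the path strings are assumptions.

```c
/* Added example, not darktable's own code: one accel record shared by the three
 * lists the commit message above names. Deregistration unlinks the record from the
 * two closure lists first and frees it exactly once, when it leaves accelerator_list,
 * so the later name comparisons never touch freed memory. Paths are constructed. */
#include <stdlib.h>
#include <string.h>
#define MAX_ACCELS 8
typedef struct { char path[64]; } accel_t;

/* Three views of the same records: the pointers are shared, never copied. */
static accel_t *accelerator_list[MAX_ACCELS];
static accel_t *accel_closures[MAX_ACCELS];
static accel_t *accel_closures_local[MAX_ACCELS];
static int n_list, n_closures, n_local;

/* Unlink by pointer identity only; ownership stays with accelerator_list. */
static void unlink_ptr(accel_t **arr, int *n, accel_t *a) {
  for (int i = 0; i < *n; i++)
    if (arr[i] == a) { arr[i] = arr[--*n]; return; }
}

/* Registers one accel path in all three lists; returns NULL when full. */
accel_t *accel_register(const char *path) {
  if (n_list == MAX_ACCELS) return NULL;
  accel_t *a = calloc(1, sizeof *a);
  if (a == NULL) return NULL;
  strncpy(a->path, path, sizeof a->path - 1);
  accelerator_list[n_list++] = a;
  accel_closures[n_closures++] = a;
  accel_closures_local[n_local++] = a;
  return a;
}

/* Deregisters every accel whose path starts with prefix; returns how many were freed. */
int accel_deregister(const char *prefix) {
  size_t len = strlen(prefix);
  int freed = 0;
  for (int i = 0; i < n_list; ) {
    accel_t *a = accelerator_list[i];
    if (strncmp(a->path, prefix, len) != 0) { i++; continue; }
    unlink_ptr(accel_closures_local, &n_local, a);   /* a is still live here */
    unlink_ptr(accel_closures, &n_closures, a);
    accelerator_list[i] = accelerator_list[--n_list]; /* last reference gone */
    free(a);                                          /* the single free */
    freed++;
  }
  return freed;
}

/* All three lists must always hold the same number of live records. */
int accel_lists_consistent(void) { return n_list == n_closures && n_list == n_local; }
```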

Revision 9bf3f99a (diff)
Added by Roman Lebedev almost 5 years ago

Accels: properly handle accels in dt_accel_deregister_{iop,lib}()

Fixes following issue: (refs #10455, comment 3)
1. Open image in DT
2. change exposure
3. create preset

Each accel in accel_closures_local, accel_closures and accelerator_list
points to the same memory, so we must free it only once, when no other
list contains it and when no longer needed - when deleting from accelerator_list

AddressSanitizer: heap-use-after-free on address 0x61800054ec80 at pc 0x7fc58932f178 bp 0x7ffd083407a0 sp 0x7ffd08340768
READ of size 1 at 0x61800054ec80 thread T0
#0 0x7fc58932f177 in strncmp (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x37177)
#1 0x7fc589065042 in dt_accel_deregister_iop /home/lebedevri/darktable/src/gui/accelerators.c:730
#2 0x7fc589065db3 in dt_accel_rename_preset_iop /home/lebedevri/darktable/src/gui/accelerators.c:848
#3 0x7fc5890a8f56 in edit_preset_response /home/lebedevri/darktable/src/gui/presets.c:295
...

0x61800054ec80 is located 0 bytes inside of 784-byte region [0x61800054ec80,0x61800054ef90)
freed by thread T0 here:
#0 0x7fc58934c537 in _interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54537)
#1 0x7fc589064fb1 in dt_accel_deregister_iop /home/lebedevri/darktable/src/gui/accelerators.c:719
#2 0x7fc589065db3 in dt_accel_rename_preset_iop /home/lebedevri/darktable/src/gui/accelerators.c:848
#3 0x7fc5890a8f56 in edit_preset_response /home/lebedevri/darktable/src/gui/presets.c:295
#4 0x7fc586c0a567 in g_cclosure_marshal_VOID__INTv (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x12567)

previously allocated by thread T0 here:
#0 0x7fc58934c74f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5474f)
#1 0x7fc586937799 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4f799)
#2 0x7fc5890a7cb5 in menuitem_new_preset /home/lebedevri/darktable/src/gui/presets.c:663
#3 0x7fc586c082d4 in g_closure_invoke (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x102d4)

(cherry picked from commit d24d1310331a5b53f9a478809d7d4eed6c472f01)

History

#1 Updated by Patrick Shanahan almost 5 years ago

Thread 1 (Thread 0x7f98e9ad5a80 (LWP 14864)):
#0 0x00007f98e9277fd9 in __waitpid (pid=pid@entry=26335, stat_loc=stat_loc@entry=0x0, options=options@entry=0) at ../sysdeps/unix/sysv/linux/waitpid$
resultvar = 26335
oldtype = 0
#1 0x00007f98e9506e00 in _dt_sigsegv_handler (param=11) at /usr/src/debug/darktable-1.7.0.1431283610.42cd9c6/src/common/darktable.c:185
pid = 26335
name_used = 0x6b80ec0 "/tmp/darktable_bt_YDIPYX.txt"
fout = <optimized out>
delete_file = 0
datadir = "/usr/share/darktable", '\000' <repeats 4075 times>
pid_arg = 0x473b540 "14864"
comm_arg = 0x46fac80 "/usr/share/darktable/gdb_commands"
log_arg = 0x6c7cdc0 "set logging on /tmp/darktable_bt_YDIPYX.txt"
#2 <signal handler called>
No locals.
#3 dt_iop_exposure_get_white (self=0x6d23de0) at /usr/src/debug/darktable-1.7.0.1431283610.42cd9c6/src/iop/exposure.c:691
p = 0x0
#4 0x00007f98352ad78f in _lib_histogram_scroll_callback (widget=<optimized out>, event=0x6eb3560, user_data=<optimized out>) at /usr/src/debug/darkt$
self = <optimized out>
d = 0x3888210
cw = <optimized out>
cb = <optimized out>
#5 0x00007f98e87f25fe in ?? () from /usr/lib64/libgtk-3.so.0
No symbol table info available.
#6 0x00007f98e6f95247 in ?? () from /usr/lib64/libgobject-2.0.so.0
No symbol table info available.
#7 0x00007f98e6fad418 in g_signal_emit_valist () from /usr/lib64/libgobject-2.0.so.0
No symbol table info available.
#8 0x00007f98e6fae062 in g_signal_emit () from /usr/lib64/libgobject-2.0.so.0
No symbol table info available.
#9 0x00007f98e8920c5c in ?? () from /usr/lib64/libgtk-3.so.0
No symbol table info available.
#10 0x00007f98e87efc3c in ?? () from /usr/lib64/libgtk-3.so.0
No symbol table info available.
#11 0x00007f98e87f1766 in gtk_main_do_event () from /usr/lib64/libgtk-3.so.0
No symbol table info available.
#12 0x00007f98e837a672 in ?? () from /usr/lib64/libgdk-3.so.0
No symbol table info available.
#13 0x00007f98e6cc0c74 in g_main_context_dispatch () from /usr/lib64/libglib-2.0.so.0
No symbol table info available.
#14 0x00007f98e6cc0ec8 in ?? () from /usr/lib64/libglib-2.0.so.0
No symbol table info available.
#15 0x00007f98e6cc118a in g_main_loop_run () from /usr/lib64/libglib-2.0.so.0
No symbol table info available.
#16 0x00007f98e87f0a35 in gtk_main () from /usr/lib64/libgtk-3.so.0
No symbol table info available.
#17 0x00007f98e95d94b4 in dt_gui_gtk_run (gui=<optimized out>) at /usr/src/debug/darktable-1.7.0.1431283610.42cd9c6/src/gui/gtk.c:964
widget = <optimized out>
allocation = {x = 330, y = 10, width = 240, height = 480}
#18 0x00000000004008ba in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/darktable-1.7.0.1431283610.42cd9c6/src/main.c:25
No locals.

#2 Updated by Roman Lebedev almost 5 years ago

  • System changed from openSUSE to all
  • % Done changed from 0 to 10
  • Assignee set to Roman Lebedev
  • Status changed from New to Confirmed

Steps to reproduce:
1. use mouse wheel to adjust exposure in histogram
2. duplicate exposure iop
3. use mouse wheel to adjust exposure in histogram
4. delete last exposure iop instance
5. use mouse wheel to adjust exposure in histogram => BOOM

I think that it is a regression due to multi-instance.

#3 Updated by Roman Lebedev almost 5 years ago

  • % Done changed from 10 to 20
  • Status changed from Confirmed to Triaged

I'm also seeing use-after-free/heap-buffer-overflow:
1. add new iop instance (does not seem to happen with duplicate instance)
2. delete that new instance
3. change something in original instance

=================================================================
==31502==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6190023d489c at pc 0x7f073823a423 bp 0x7ffd3f9349d0 sp 0x7ffd3f9349c8
READ of size 4 at 0x6190023d489c thread T0
#0 0x7f073823a422 in dt_dev_add_history_item /home/lebedevri/darktable/src/develop/develop.c:557
#1 0x7f0711886433 in exposure_set_white /home/lebedevri/darktable/src/iop/exposure.c:661
#2 0x7f0711886882 in dt_iop_exposure_set_white /home/lebedevri/darktable/src/iop/exposure.c:682
#3 0x7f07118869e2 in exposure_callback /home/lebedevri/darktable/src/iop/exposure.c:827
#4 0x7f0735ee0503 (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x10503)
#5 0x7f0735ef9fa6 in g_signal_emit_valist (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x29fa6)
#6 0x7f0735efae49 in g_signal_emit_by_name (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2ae49)
#7 0x7f073814fe94 in dt_bauhaus_slider_set_normalized /home/lebedevri/darktable/src/bauhaus/bauhaus.c:1937
#8 0x7f07381535c6 in dt_bauhaus_slider_scroll /home/lebedevri/darktable/src/bauhaus/bauhaus.c:1781
#9 0x7f07379ad41d (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x1ed41d)
#10 0x7f0735ee0503 (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x10503)
#11 0x7f0735ef9a4f in g_signal_emit_valist (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x29a4f)
#12 0x7f0735efa8fe in g_signal_emit (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2a8fe)
#13 0x7f0737addde3 (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x31dde3)
#14 0x7f07379aad2d (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x1ead2d)
#15 0x7f07379ac93d in gtk_main_do_event (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x1ec93d)
#16 0x7f073754fb11 (/usr/lib/x86_64-linux-gnu/libgdk-3.so.0+0x4fb11)
#17 0x7f0735c09c3c in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x49c3c)
#18 0x7f0735c09f1f (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x49f1f)
#19 0x7f0735c0a241 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4a241)
#20 0x7f07379abbf4 in gtk_main (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x1ebbf4)
#21 0x7f073833ec96 in dt_gui_gtk_run /home/lebedevri/darktable/src/gui/gtk.c:964
#22 0x400cf3 in main /home/lebedevri/darktable/src/main.c:25
#23 0x7f07309e9b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
#24 0x400bd8 (/usr/local/bin/darktable+0x400bd8)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/lebedevri/darktable/src/develop/develop.c:557 dt_dev_add_history_item
Shadow bytes around the buggy address:
==31502==ABORTING

#4 Updated by Roman Lebedev almost 5 years ago

  • % Done changed from 20 to 100
  • Status changed from Triaged to Fixed

#5 Updated by Roman Lebedev over 4 years ago

  • Related to Bug #10438: Crashes in "more modules" due to multi-instances added
