PySide Bugzilla Closed for New Bugs

PySide is now a Qt Add-on and uses the Qt Project's JIRA Bug Tracker instead of this Bugzilla instance. This Bugzilla is left for reference purposes.

Bug 1054 - Segmentation fault on application exit
Status: RESOLVED INVALID
Product: PySide
Classification: Unclassified
Component: Shiboken
Version: 1.0.7
Platform: PC Linux
Importance: P5 normal
Assigned To: Marcelo Lira
 
Reported: 2011-11-11 17:50 EET by Dennis
Modified: 2011-12-13 16:05 EET (History)

Description Dennis 2011-11-11 17:50:38 EET
OS: 
Ubuntu linux64 Linux 2.6.38-12-generic #51-Ubuntu SMP x86_64 x86_64 x86_64
GNU/Linux
Thread model: posix
gcc version 4.5.2 (Ubuntu/Linaro 4.5.2-8ubuntu4) 

Our application uses C++ embedded Python with IPython console and PySide
bindings.

Crash occurs on application exit in BindingManager singleton destructor.
Both in release and debug build of libshiboken.so.

It's a Heisenbug, occurs rarely on the same running code, we don't see the
pattern, thus unfortunately cannot provide more information for you.

Our investigation in gdb shows following information:

Program received signal SIGSEGV, Segmentation fault
Shiboken::BindingManager::releaseWrapper (this=0x7fffef8b7f08,
sbkObj=0x7fffeee42128)
    at shiboken/libshiboken/bindingmanager.cpp:206
206            void* cptr = cptrs[i];


callstack:

Shiboken::BindingManager::releaseWrapper (this=0x7fffefaddf08,
sbkObj=0x7fffef065cf8)
    at shiboken/libshiboken/bindingmanager.cpp:206
#1  0x00007fffef8d0cc7 in Shiboken::Object::invalidate (self=0x7fffef065cf8)
    at shiboken/libshiboken/basewrapper.cpp:853
#2  0x00007fffef8d0dd2 in Shiboken::Object::invalidate (pyobj=<value optimized
out>)
    at shiboken/libshiboken/basewrapper.cpp:842
#3  0x00007fffef8d0d62 in Shiboken::Object::invalidate (self=<value optimized
out>)
    at shiboken/libshiboken/basewrapper.cpp:880
#4  0x00007fffef8d0f07 in (anonymous namespace)::_destroyParentInfo
(obj=0x7fffef04ab00, keepReference=true)
    at shiboken/libshiboken/basewrapper.cpp:366
#5  0x00007fffef8d0f76 in Shiboken::Object::destroy (self=0x7fffef04ab00,
cppData=0x65eed0)
    at shiboken/libshiboken/basewrapper.cpp:1053
#6  0x00007fffef8d419a in Shiboken::BindingManager::~BindingManager
(this=0x7fffefaddf08, __in_chrg=<value optimized out>)
    at shiboken/libshiboken/bindingmanager.cpp:161
#7  0x00007ffff6958961 in __run_exit_handlers (status=0) at exit.c:78
#8  exit (status=0) at exit.c:100
#9  0x00007ffff693df06 in __libc_start_main (main=0x409614 <main(int, char**)>,
argc=2, ubp_av=0x7fffffffe208, init=<value optimized out>, fini=<value
optimized out>, 
    rtld_fini=<value optimized out>, stack_end=0x7fffffffe1f8) at
libc-start.c:258
#10 0x0000000000409559 in _start ()


Source code: shiboken/libshiboken/bindingmanager.cpp ::
BindingManager::releaseWrapper() :: see line 206

void BindingManager::releaseWrapper(SbkObject* sbkObj)
{
    SbkObjectType* sbkType = reinterpret_cast<SbkObjectType*>(sbkObj->ob_type);
    SbkObjectTypePrivate* d = sbkType->d;
    int numBases = ((d && d->is_multicpp) ? getNumberOfCppBaseClasses(sbkObj->ob_type) : 1);

    void** cptrs = reinterpret_cast<SbkObject*>(sbkObj)->d->cptr;
    for (int i = 0; i < numBases; ++i) {
        void* cptr = cptrs[i];                  // <-- line 206
        m_d->releaseWrapper(cptr);
        if (d && d->mi_offsets) {
            int* offset = d->mi_offsets;
            while (*offset != -1) {
                if (*offset > 0)
                    m_d->releaseWrapper((void*) ((std::size_t) cptr + (*offset)));
                offset++;
            }
        }
    }
    sbkObj->d->validCppObject = false;
}


Reason of SIGSEGV: sbkObj->d->cptr == (void **) 0x0

Crash Context:

(gdb) p *sbkObj
$19 = {ob_refcnt = 1, ob_type = 0x7fffef3215d0, ob_dict = 0x0, weakreflist =
0x0, d = 0x8cdbd0}

(gdb) p *sbkObj->d
$23 = {cptr = 0x0, hasOwnership = 0, containsCppWrapper = 0, validCppObject =
0, cppObjectCreated = 0, parentInfo = 0x0, referredObjects = 0x0}

(gdb) p *sbkObj->ob_type 
$22 = {ob_refcnt = 79, ob_type = 0x7fffef8b76c0, ob_size = 0, tp_name =
0x7fffef0a842b "PySide.QtCore.QMetaObject", tp_basicsize = 40, tp_itemsize = 0, 
  tp_dealloc = 0x7fffef6ab13f <SbkDeallocWrapper(PyObject*)>, tp_print = 0,
tp_getattr = 0, tp_setattr = 0, tp_compare = 0, tp_repr = 0x7ffff3448a80
<object_repr>, tp_as_number = 0x0, 
  tp_as_sequence = 0x0, tp_as_mapping = 0x0, tp_hash = 0x7ffff342a330
<_Py_HashPointer>, tp_call = 0, tp_str = 0x7ffff34427b0 <object_str>, 
  tp_getattro = 0x7ffff342b740 <PyObject_GenericGetAttr>, tp_setattro =
0x7ffff342b450 <PyObject_GenericSetAttr>, tp_as_buffer = 0x0, tp_flags =
153083, tp_doc = 0x0, 
  tp_traverse = 0x7fffeeff57e4, tp_clear = 0x7fffeeff57f4, tp_richcompare = 0,
tp_weaklistoffset = 24, tp_iter = 0, tp_iternext = 0, tp_methods =
0x7fffef321940, tp_members = 0x0, 
  tp_getset = 0x0, tp_base = 0x7fffef8b7850, tp_dict = 0x852860, tp_descr_get =
0, tp_descr_set = 0, tp_dictoffset = 16, tp_init = 0x7fffeeffa5e1, 
  tp_alloc = 0x7ffff3445060 <PyType_GenericAlloc>, tp_new = 0x7fffef6a9ad1
<SbkObjectTpNew(PyTypeObject*, PyObject*, PyObject*)>, tp_free = 0x7ffff34c6c80
<PyObject_GC_Del>, tp_is_gc = 0, 
  tp_bases = 0x7ffff7e27290, tp_mro = 0x7ffff7e26dc0, tp_cache = 0x0,
tp_subclasses = 0x0, tp_weaklist = 0x7ffff7e17e10, tp_del = 0, tp_version_tag =
0}

(gdb) p *sbkObj->ob_type->ob_type 
$47 = {ob_refcnt = 5, ob_type = 0x7ffff373ec40, ob_size = 0, tp_name =
0x7fffef6b146a "Shiboken.ObjectType", tp_basicsize = 880, tp_itemsize = 40, 
  tp_dealloc = 0x7fffef6a9963 <SbkObjectTypeDealloc(PyObject*)>, tp_print = 0,
tp_getattr = 0, tp_setattr = 0, tp_compare = 0, tp_repr = 0x7ffff3448cc0
<type_repr>, tp_as_number = 0x0, 
  tp_as_sequence = 0x0, tp_as_mapping = 0x0, tp_hash = 0x7ffff342a330
<_Py_HashPointer>, tp_call = 0x7ffff3443950 <type_call>, tp_str =
0x7ffff34427b0 <object_str>, 
  tp_getattro = 0x7ffff3451b20 <type_getattro>, tp_setattro = 0x7ffff342b450
<PyObject_GenericSetAttr>, tp_as_buffer = 0x0, tp_flags = 2147636715, tp_doc =
0x0, 
  tp_traverse = 0x7ffff3442690 <type_traverse>, tp_clear = 0x7ffff3442750
<type_clear>, tp_richcompare = 0x7ffff3442e10 <type_richcompare>,
tp_weaklistoffset = 368, tp_iter = 0, 
  tp_iternext = 0, tp_methods = 0x0, tp_members = 0x0, tp_getset = 0x0, tp_base
= 0x7ffff373ec40, tp_dict = 0x773830, tp_descr_get = 0, tp_descr_set = 0,
tp_dictoffset = 264, 
  tp_init = 0x7ffff34451a0 <type_init>, tp_alloc = 0x7ffff3445060
<PyType_GenericAlloc>, tp_new = 0x7fffef6aa6a1
<SbkObjectTypeTpNew(PyTypeObject*, PyObject*, PyObject*)>, 
  tp_free = 0x7ffff34c6c80 <PyObject_GC_Del>, tp_is_gc = 0x7ffff3442790
<type_is_gc>, tp_bases = 0x7ffff7e9a810, tp_mro = 0x7ffff7f0f6e0, tp_cache =
0x0, tp_subclasses = 0x0, 
  tp_weaklist = 0x7ffff7ef6470, tp_del = 0, tp_version_tag = 0}

(gdb) p *d
$32 = {mi_offsets = 0x0, mi_init = 0, mi_specialcast = 0, type_discovery = 0,
ext_isconvertible = 0, ext_tocpp = 0, cpp_dtor = 0x7fffeeffaa4f, is_multicpp =
0, is_user_type = 0, 
  type_behaviour = -2, original_name = 0x852820 "QMetaObject*", user_data =
0x0, d_func = 0, subtype_init = 0}


Pending conclusions:

The real cause of the problem is still unknown. The question is: why is sbkObj->d->cptr NULL?
Note: the sbkObj object type is "PySide.QtCore.QMetaObject"


To avoid SIGSEGV we can add a wrapping condition "if (sbkObj->d->cptr != NULL)" to
BindingManager::releaseWrapper() on line 203,
although it would not solve the cause of the problem.

We use PySide 1.0.7 and have not yet tried 1.0.8.
Hope this info will help.

Best regards.
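
The guard proposed in the description above, applied to a reduced model of releaseWrapper() (an added example, not libshiboken code and not part of the original report). ObjPrivate, TypePrivate, Obj, WrapperMap, numBases and runDemo are stand-ins assumed for illustration; the sample object is constructed. As the report says, the check only stops the NULL dereference and does not explain why cptr is NULL.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>

// Simplified stand-ins (assumptions), not the libshiboken definitions.
struct ObjPrivate { void** cptr; bool validCppObject; };  // models SbkObjectPrivate
struct TypePrivate { int* mi_offsets; int numBases; };    // models SbkObjectTypePrivate
struct Obj { ObjPrivate* d; TypePrivate* td; };           // models SbkObject

class WrapperMap {
    std::map<void*, Obj*> m_wrappers;
public:
    void assign(void* cptr, Obj* o) { m_wrappers[cptr] = o; }
    std::size_t size() const { return m_wrappers.size(); }

    // Returns how many map entries were released. An object whose cptr
    // array is already null (the state printed in the report) yields 0.
    int releaseWrapper(Obj* o) {
        if (!o || !o->d) return 0;
        int released = 0;
        if (void** cptrs = o->d->cptr) {   // guard suggested in the report
            int numBases = o->td ? o->td->numBases : 1;
            for (int i = 0; i < numBases; ++i) {
                void* cptr = cptrs[i];
                released += static_cast<int>(m_wrappers.erase(cptr));
                if (!o->td || !o->td->mi_offsets) continue;
                for (int* off = o->td->mi_offsets; *off != -1; ++off)
                    if (*off > 0)      // also drop the multiple-inheritance aliases
                        released += static_cast<int>(m_wrappers.erase(
                            reinterpret_cast<void*>(reinterpret_cast<std::uintptr_t>(cptr) + *off)));
            }
        }
        o->d->validCppObject = false;
        return released;
    }
};

int runDemo() {
    static char storage[16];               // constructed sample "C++ object"
    void* bases[1] = { storage };
    int offsets[] = { 0, 8, -1 };
    TypePrivate tp = { offsets, 1 };
    ObjPrivate live = { bases, true }, dead = { nullptr, false };
    Obj a = { &live, &tp }, b = { &dead, &tp };
    WrapperMap m;
    m.assign(storage, &a); m.assign(storage + 8, &a);
    return (m.releaseWrapper(&a) == 2 && m.releaseWrapper(&b) == 0 && m.size() == 0) ? 0 : 1;
}
int main() { return runDemo(); }
```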
Comment 1 Dennis 2011-11-14 16:34:04 EET
Application uses QCoreApplication, instantiated in C++ and Pyside only for
shiboken bindings
Comment 2 Hugo Parente Lima 2011-11-23 15:28:59 EET
Without some testable code it will be very hard to fix this bug, to check whether a
possible fix really fixes the issue, or to avoid future regressions, so I can't do
much without testable code that reproduces the problem, even if just
sometimes.
Comment 3 Hugo Parente Lima 2011-12-13 16:05:28 EET
Sorry, but there's not enough info to take any action regarding this crash; you
can reopen this bug if you find any reproducible test case for it.