Bug report #12411

First call to GetCapabilities after copy of the same .qgs file crashes QGIS Server

Added by Nicolas Boisteault over 9 years ago. Updated over 9 years ago.

Status: Closed
Priority: High
Assignee: -
Category: QGIS Server
Affected QGIS version: 2.8.1
Regression?: No
Operating System:
Easy fix?: No
Pull Request or Patch supplied: No
Resolution: fixed/implemented
Crashes QGIS or corrupts data: Yes
Copied to github as #: 20584

Description

To reproduce the bug:
  • I copy an unmodified .qgs file from my computer (Windows 7) to my Linux server (Ubuntu 12.04.5) via sftp
  • I make a GetCapabilities in my browser and get an error 500

I copied what I have in my Apache log in bug report.txt

After that when I refresh the GetCapabilities there is no crash and I get the correct response.

bug_report.txt (62.4 KB) Nicolas Boisteault, 2015-03-19 08:32 AM

Associated revisions

Revision 232565db
Added by Nyall Dawson over 9 years ago

Fix server crashes when .qgs file replaced (refs #12411)

Revision f6595544
Added by Nyall Dawson over 9 years ago

Fix server crashes when .qgs file replaced (refs #12411)

Cherry-picked from 232565db96da05d871ca49f0457921a908e7df5a

History

#1 Updated by Giovanni Manghi over 9 years ago

  • Status changed from Open to Feedback
  • Crashes QGIS or corrupts data changed from No to Yes

I also see this. I'm not sure if this also was the case in previous releases. Can you test?

#2 Updated by Nicolas Boisteault over 9 years ago

The bug is also in master. I might try on previous releases later.

#3 Updated by James Keener over 9 years ago

I attached gdb to the Apache with mod_fcgid qgis_mapserv.fcgi process on an Ubuntu 14.04.2 VM. I then updated the qgs file via rsync from another computer (delete and recreate should work as well). The issue looks like it's in the QgsServerProjectParser destructor?

(gdb) bt
#0  0x00007f62dc616cc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007f62dc61a0d8 in __GI_abort () at abort.c:89
#2  0x00007f62dc653394 in __libc_message (do_abort=do_abort@entry=1, fmt=fmt@entry=0x7f62dc761b28 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007f62dc65f66e in malloc_printerr (ptr=<optimized out>, str=0x7f62dc761cf0 "double free or corruption (fasttop)", action=1) at malloc.c:4996
#4  _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:3840
#5  0x00000000004b1381 in QgsServerProjectParser::~QgsServerProjectParser() ()
#6  0x000000000048d1e1 in QgsWFSProjectParser::~QgsWFSProjectParser() ()
#7  0x00000000004292cb in QgsConfigCache::removeChangedEntry(QString const&) ()
#8  0x00007f62de57187a in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#9  0x00007f62de52ce82 in QFileSystemWatcher::fileChanged(QString const&) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#10 0x00007f62de575c1e in QObject::event(QEvent*) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#11 0x00007f62dd8f1e2c in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/lib/x86_64-linux-gnu/libQtGui.so.4
#12 0x00007f62dd8f84a0 in QApplication::notify(QObject*, QEvent*) () from /usr/lib/x86_64-linux-gnu/libQtGui.so.4
#13 0x00007f62e07000db in QgsApplication::notify(QObject*, QEvent*) () from /usr/lib/libqgis_core.so.2.8.1
#14 0x00007f62de55d4dd in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#15 0x00007f62de560b3d in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#16 0x00007f62de58af83 in ?? () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#17 0x00007f62d3248e04 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#18 0x00007f62d3249048 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#19 0x00007f62d32490ec in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#20 0x00007f62de58a7a1 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#21 0x00007f62de56101f in QCoreApplication::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#22 0x0000000000424be5 in main ()

#4 Updated by James Keener over 9 years ago

It seems that the rest of the functions in src/server/qgsserverprojectparser.cpp check if
`mXMLDoc` is null (or rather falsy) before using it. Is there any reason the destructor couldn't be changed from

QgsServerProjectParser::~QgsServerProjectParser()
{
  delete mXMLDoc;
}

to

QgsServerProjectParser::~QgsServerProjectParser()
{
  if ( mXMLDoc )  // delete only when the pointer is set
  {
    delete mXMLDoc;
  }
}

or is mXMLDoc being null (or rather falsy) a mark of a larger issue?

or am I off my mark since the error is "double free or corruption"?

#5 Updated by Jürgen Fischer over 9 years ago

James Keener wrote:

It seems that the rest of the functions in src/server/qgsserverprojectparser.cpp check if
`mXMLDoc` is null (or rather falsy) before using it.

Invoking delete on a null pointer is safe - so it doesn't need to be guarded.

or am I off my mark since the error is "double free or corruption"?

Yes, apparently the destructor is called on an already deleted instance.
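
The point made in comments #4 and #5, as an added C++ sketch that is not part of the ticket or the QGIS code base: a null guard cannot prevent a double free because the stale pointer is not null, whereas ownership types let a cache's file-changed handler free each object exactly once. Doc, Parser, ConfigCache, the file path, and the model in which several parsers share one document are assumptions for illustration.

```cpp
// Added illustration: Doc, Parser and ConfigCache are hypothetical, not QGIS classes.
#include <initializer_list>
#include <map>
#include <memory>
#include <string>
#include <utility>

static int g_docsDestroyed = 0;  // counts Doc destructor runs
struct Doc { ~Doc() { ++g_docsDestroyed; } };  // stands in for the parsed project document

// Assumed model: several parsers are built on one document. A raw "delete mDoc"
// in each destructor would free it once per parser; shared_ptr frees it once.
class Parser {
 public:
  explicit Parser(std::shared_ptr<Doc> doc) : mDoc(std::move(doc)) {}
 private:
  std::shared_ptr<Doc> mDoc;
};

class ConfigCache {
 public:
  void insert(const std::string& file, const std::string& service, std::shared_ptr<Doc> doc) {
    mEntries[std::make_pair(file, service)].reset(new Parser(std::move(doc)));
  }
  // File-changed handler: drops every parser for the file, returns how many.
  int removeChangedEntry(const std::string& file) {
    int removed = 0;
    for (auto it = mEntries.begin(); it != mEntries.end();) {
      if (it->first.first == file) { it = mEntries.erase(it); ++removed; }
      else { ++it; }
    }
    return removed;
  }
 private:
  std::map<std::pair<std::string, std::string>, std::unique_ptr<Parser>> mEntries;
};

// Hypothetical replay: three cached parsers, then two change signals for one file.
int replayFileReplaced() {
  g_docsDestroyed = 0;
  ConfigCache cache;
  auto doc = std::make_shared<Doc>();
  for (const char* svc : {"WMS", "WFS", "WCS"}) cache.insert("/srv/project.qgs", svc, doc);
  doc.reset();                                   // cache entries are now the only owners
  cache.removeChangedEntry("/srv/project.qgs");
  cache.removeChangedEntry("/srv/project.qgs");  // repeated signal finds nothing to free
  Doc* none = nullptr;
  delete none;                                   // deleting null is a no-op
  return g_docsDestroyed;
}
int main() { return replayFileReplaced() == 1 ? 0 : 1; }
```
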

#6 Updated by Nyall Dawson over 9 years ago

Please test with latest master and report whether the fix has resolved this issue for you.

#7 Updated by Giovanni Manghi over 9 years ago

  • Resolution set to fixed/implemented
  • Status changed from Feedback to Closed

Nyall Dawson wrote:

Please test with latest master and report whether the fix has resolved this issue for you.

seems fixed, thanks!
