crash after editing toolbar by adding a bookmark: KXMLGUI::ContainerNode::unplugClient - Use of uninitialised value of size 8 at 0x647E72E: KXMLGUI::ActionList::unplug(QWidget*) const (kxmlguifactory_p.cpp:44)

Bug #209492 reported by LimCore
Affects: krusader (Ubuntu)
Status: Confirmed
Importance: Medium
Assigned to: Unassigned
Milestone: (none)

Bug Description

ubuntu amd64 ; krusader 1.80.0-1 ; 2.6.22-14-generic

This bug seems to be 100% reproducible.

1. create a bookmark (i.e. bookmarks icon > manage bookmarks > add new bookmark, i.e. to /home/you/foo)
2. go to main menu - configure menubars - add the bookmark into menu
3. click ok == crash

After restart all is ok (even the new icon is there in toolbar)

Below backtrace, and end of valgrind.

Using host libthread_db library "/lib/libthread_db.so.1".
[Thread debugging using libthread_db enabled]
[New Thread 47681382125280 (LWP 26909)]
0x00002b5dab7852e1 in nanosleep () from /lib/libc.so.6
#0 0x00002b5dab7852e1 in nanosleep () from /lib/libc.so.6
#1 0x00002b5dab785104 in sleep () from /lib/libc.so.6
#2 0x00002b5da8da7185 in KCrash::startDrKonqi (argv=0x7fff03ae4c20, argc=17)
    at /build/buildd/kdelibs-3.5.8/./kdecore/kcrash.cpp:312
#3 0x00002b5da8dbb7c7 in KCrash::defaultCrashHandler (sig=61754624)
    at /build/buildd/kdelibs-3.5.8/./kdecore/kcrash.cpp:229
#4 <signal handler called>
#5 0x0000000000000031 in ?? ()
#6 0x00000000015ab610 in ?? ()
#7 0x00007fff03ae5240 in ?? ()
#8 0x00000000015ab610 in ?? ()
#9 0x00002b5da893af8b in KXMLGUI::ContainerNode::unplugClient (
    this=0x15ab6f8, client=0x15ab6f0)
    at /build/buildd/kdelibs-3.5.8/./kdeui/kxmlguifactory_p.cpp:426
#10 0x00002b5da893b20e in KXMLGUI::ContainerNode::unplugActions (
    this=0x15ab610, state=@0x10224f0)
    at /build/buildd/kdelibs-3.5.8/./kdeui/kxmlguifactory_p.cpp:406
#11 0x00002b5da893b260 in KXMLGUI::ContainerNode::destruct (this=0x15ab610,
    element=@0x7fff03ae5390, state=@0x10224f0)
    at /build/buildd/kdelibs-3.5.8/./kdeui/kxmlguifactory_p.cpp:313
#12 0x00002b5da893b42f in KXMLGUI::ContainerNode::destructChildren (
    this=0x1022a30, element=@0x7fff03ae5570, state=@0x10224f0)
    at /build/buildd/kdelibs-3.5.8/./kdeui/kxmlguifactory_p.cpp:358
#13 0x00002b5da893b255 in KXMLGUI::ContainerNode::destruct (this=0x9fb990,
    element=@0x15b3fe0, state=@0x9ee520)
    at /build/buildd/kdelibs-3.5.8/./kdeui/kxmlguifactory_p.cpp:311
#14 0x00002b5da8944a44 in KXMLGUIFactory::removeClient (this=0x1022410,
    client=0x7fff03ae83d0)
    at /build/buildd/kdelibs-3.5.8/./kdeui/kxmlguifactory.cpp:364
#15 0x00002b5da8985bbb in KEditToolbarWidget::rebuildKXMLGUIClients (
    this=<value optimized out>)
    at /build/buildd/kdelibs-3.5.8/./kdeui/kedittoolbar.cpp:722
#16 0x00002b5da89896fd in KEditToolbarWidget::save (this=0x9fbfa0)
    at /build/buildd/kdelibs-3.5.8/./kdeui/kedittoolbar.cpp:704
#17 0x00002b5da8989730 in KEditToolbar::slotApply (this=0x7fff03ae6710)
    at /build/buildd/kdelibs-3.5.8/./kdeui/kedittoolbar.cpp:530
#18 0x00002b5da895a9b6 in KDialogBase::qt_invoke (this=0x7fff03ae6710,
    _id=75, _o=0x7fff03ae5900) at ./kdialogbase.moc:360
#19 0x00002b5da895acf4 in KEditToolbar::qt_invoke (this=0x7fff03ae6710,
    _id=75, _o=0x7fff03ae5900) at ./kedittoolbar.moc:106
#20 0x00002b5da9593e9f in QObject::activate_signal (this=0x12f4660,
    clist=0xf6c4e0, o=0x7fff03ae5900) at kernel/qobject.cpp:2380
#21 0x00002b5da9594910 in QObject::activate_signal (this=0x12f4660, signal=4)
    at kernel/qobject.cpp:2325
#22 0x00002b5da990a18f in QButton::clicked (this=0x12f4660)
    at .moc/debug-shared-mt/moc_qbutton.cpp:152
#23 0x00002b5da962e9c3 in QButton::mouseReleaseEvent (this=0x12f4660,
    e=0x7fff03ae5f20) at widgets/qbutton.cpp:836
#24 0x00002b5da95c84c4 in QWidget::event (this=0x12f4660, e=0x7fff03ae5f20)
    at kernel/qwidget.cpp:4702
#25 0x00002b5da952f2a2 in QApplication::internalNotify (this=0x7fff03ae85a0,
    receiver=0x12f4660, e=0x7fff03ae5f20) at kernel/qapplication.cpp:2635
#26 0x00002b5da9531400 in QApplication::notify (this=0x7fff03ae85a0,
    receiver=0x12f4660, e=0x7fff03ae5f20) at kernel/qapplication.cpp:2421
#27 0x00002b5da8e6d308 in KApplication::notify (this=0x7fff03ae85a0,
    receiver=0x12f4660, event=0x7fff03ae5f20)
    at /build/buildd/kdelibs-3.5.8/./kdecore/kapplication.cpp:550
#28 0x00002b5da94c1d84 in QApplication::sendSpontaneousEvent (
    receiver=0x12f4660, event=0x7fff03ae5f20) at kernel/qapplication.h:523
#29 0x00002b5da94c098e in QETWidget::translateMouseEvent (this=0x12f4660,
    event=0x7fff03ae65a0) at kernel/qapplication_x11.cpp:4304
#30 0x00002b5da94beb5a in QApplication::x11ProcessEvent (this=0x7fff03ae85a0,
    event=0x7fff03ae65a0) at kernel/qapplication_x11.cpp:3481
#31 0x00002b5da94d543e in QEventLoop::processEvents (this=0x9001f0, flags=4)
    at kernel/qeventloop_x11.cpp:192
#32 0x00002b5da95487e7 in QEventLoop::enterLoop (this=0x9001f0)
    at kernel/qeventloop.cpp:198
#33 0x00002b5da9530d06 in QApplication::enter_loop (this=0x7fff03ae85a0)
    at kernel/qapplication.cpp:2793
#34 0x00002b5da9739ef1 in QDialog::exec (this=0x7fff03ae6710)
    at dialogs/qdialog.cpp:432
#35 0x000000000046b362 in KRslots::configToolbar (this=<value optimized out>)
    at /build/buildd/krusader-1.80.0/./krusader/krslots.cpp:562
#36 0x0000000000471760 in KRslots::qt_invoke (this=0x9c7d70, _id=16,
    _o=0x7fff03ae6b30) at ./krslots.moc:355
#37 0x00002b5da9593d76 in QObject::activate_signal (this=0xa3ff30,
    clist=0xa402f0, o=0x7fff03ae6b30) at kernel/qobject.cpp:2356
#38 0x00002b5da9594910 in QObject::activate_signal (this=0xa3ff30, signal=2)
    at kernel/qobject.cpp:2325
#39 0x00002b5da89b291d in KAction::slotPopupActivated (this=0xa3ff30)
    at /build/buildd/kdelibs-3.5.8/./kdeui/kaction.cpp:1137
#40 0x00002b5da89b2bc3 in KAction::qt_invoke (this=0xa3ff30, _id=16,
    _o=0x7fff03ae6c90) at ./kaction.moc:219
#41 0x00002b5da9593d76 in QObject::activate_signal (this=0x107d2a0,
    clist=0x107d3a0, o=0x7fff03ae6c90) at kernel/qobject.cpp:2356
#42 0x00002b5da9901e51 in QSignal::signal (this=0x107d2a0, t0=@0x107d2f0)
    at .moc/debug-shared-mt/moc_qsignal.cpp:100
#43 0x00002b5da95b2eeb in QSignal::activate (this=0x107d2a0)
    at kernel/qsignal.cpp:212
#44 0x00002b5da96b51db in QPopupMenu::keyPressEvent (this=0x15c21a0,
    e=0x7fff03ae77b0) at widgets/qpopupmenu.cpp:1961
#45 0x00002b5da88e2e5b in KPopupMenu::keyPressEvent (this=0x9fb990,
    e=0x7fff03ae77b0)
    at /build/buildd/kdelibs-3.5.8/./kdeui/kpopupmenu.cpp:292
#46 0x00002b5da95c8728 in QWidget::event (this=0x15c21a0, e=0x7fff03ae77b0)
    at kernel/qwidget.cpp:4748
#47 0x00002b5da952f2a2 in QApplication::internalNotify (this=0x7fff03ae85a0,
    receiver=0x15c21a0, e=0x7fff03ae77b0) at kernel/qapplication.cpp:2635
#48 0x00002b5da9531208 in QApplication::notify (this=0x7fff03ae85a0,
    receiver=0x15c21a0, e=0x7fff03ae77b0) at kernel/qapplication.cpp:2392
#49 0x00002b5da8e6d308 in KApplication::notify (this=0x7fff03ae85a0,
    receiver=0x15c21a0, event=0x7fff03ae77b0)
    at /build/buildd/kdelibs-3.5.8/./kdecore/kapplication.cpp:550
#50 0x00002b5da94c1d84 in QApplication::sendSpontaneousEvent (
    receiver=0x15c21a0, event=0x7fff03ae77b0) at kernel/qapplication.h:523
#51 0x00002b5da94b33d7 in QETWidget::translateKeyEvent (this=0x15c21a0,
    event=0x7fff03ae7fa0, grab=false) at kernel/qapplication_x11.cpp:5639
#52 0x00002b5da94bebd8 in QApplication::x11ProcessEvent (this=0x7fff03ae85a0,
    event=0x7fff03ae7fa0) at kernel/qapplication_x11.cpp:3496
#53 0x00002b5da94d543e in QEventLoop::processEvents (this=0x9001f0, flags=4)
    at kernel/qeventloop_x11.cpp:192
#54 0x00002b5da95487e7 in QEventLoop::enterLoop (this=0x9001f0)
    at kernel/qeventloop.cpp:198
#55 0x00002b5da95485ef in QEventLoop::exec (this=0x9001f0)
    at kernel/qeventloop.cpp:145
#56 0x00002b5da9530d68 in QApplication::exec (this=0x7fff03ae85a0)
    at kernel/qapplication.cpp:2758
#57 0x000000000045ad7a in main (argc=7, argv=0x7fff03ae8848)
    at /build/buildd/krusader-1.80.0/./krusader/main.cpp:247
#58 0x00002b5dab708b44 in __libc_start_main () from /lib/libc.so.6
#59 0x0000000000453529 in _start ()

[...]

==20547==
==20547== Syscall param writev(vector[...]) points to uninitialised byte(s)
==20547== at 0x937184C: writev (writev.c:46)
==20547== by 0xD4F5365: (within /usr/lib/libxcb.so.1.0.0)
==20547== by 0xD4F58EA: (within /usr/lib/libxcb.so.1.0.0)
==20547== by 0xD4F604F: xcb_send_request (in /usr/lib/libxcb.so.1.0.0)
==20547== by 0x8004F19: _XPutXCBBuffer (in /usr/lib/libX11.so.6.2.0)
==20547== by 0x8005266: (within /usr/lib/libX11.so.6.2.0)
==20547== by 0x7FDA522: XChangeWindowAttributes (in /usr/lib/libX11.so.6.2.0)
==20547== by 0x70AE3FB: QWidget::create(unsigned long, bool, bool) (qwidget_x11.cpp:677)
==20547== by 0x717FB7B: QWidget::QWidget(QWidget*, char const*, unsigned) (qwidget.cpp:892)
==20547== by 0x71E0220: QButton::QButton(QWidget*, char const*, unsigned) (qbutton.cpp:382)
==20547== by 0x71E4319: QCheckBox::QCheckBox(QString const&, QWidget*, char const*) (qcheckbox.cpp:142)
==20547== by 0x4BFDD7: (within /usr/bin/krusader)
==20547== Address 0xddbae67 is 5,935 bytes inside a block of size 8,680 alloc'd
==20547== at 0x4C220BC: calloc (vg_replace_malloc.c:397)
==20547== by 0xD4F557E: xcb_connect_to_fd (in /usr/lib/libxcb.so.1.0.0)
==20547== by 0xD4F7ADF: xcb_connect (in /usr/lib/libxcb.so.1.0.0)
==20547== by 0x8005529: _XConnectXCB (in /usr/lib/libX11.so.6.2.0)
==20547== by 0x7FEE7C5: XOpenDisplay (in /usr/lib/libX11.so.6.2.0)
==20547== by 0x7067A4F: qt_init_internal(int*, char**, _XDisplay*, unsigned long, unsigned long) (qapplication_x11.cpp:1771)
==20547== by 0x7069A51: qt_init(int*, char**, QApplication::Type) (qapplication_x11.cpp:2390)
==20547== by 0x70E4758: QApplication::construct(int&, char**, QApplication::Type) (qapplication.cpp:816)
==20547== by 0x70E4A1E: QApplication::QApplication(int&, char**, bool) (qapplication.cpp:776)
==20547== by 0x6A3B223: KApplication::KApplication(bool, bool) (kapplication.cpp:622)
==20547== by 0x45AA55: (within /usr/bin/krusader)
==20547== by 0x92BF1C3: (below main) (libc-start.c:220)
==20547==
==20547== Use of uninitialised value of size 8
==20547== at 0x647E72E: KXMLGUI::ActionList::unplug(QWidget*) const (kxmlguifactory_p.cpp:44)
==20547== by 0xE3C9887: ???
==20547== by 0xE3C9887: ???
==20547== by 0x7FEFFD3EF: ???
==20547== by 0xE3C9887: ???
==20547== by 0xE3C9887: ???
==20547== by 0xE055737: ???
==20547== by 0xE3C98D7: ???
==20547== by 0xE055737: ???
==20547== by 0x7FEFFD63F: ???
==20547== by 0x650F30E: KXMLGUI::ContainerNode::unplugActions(KXMLGUI::BuildState&) (kxmlguifactory_p.cpp:406)
==20547== by 0x650F35F: KXMLGUI::ContainerNode::destruct(QDomElement, KXMLGUI::BuildState&) (kxmlguifactory_p.cpp:313)
==20547==
==20547== Jump to the invalid address stated on the next line
==20547== at 0x0: ???
==20547== by 0x647E733: KXMLGUI::ActionList::unplug(QWidget*) const (kxmlguifactory_p.cpp:44)
==20547== by 0x650F0A5: KXMLGUI::ContainerNode::unplugClient(KXMLGUI::ContainerClient*) (kxmlguifactory_p.cpp:426)
==20547== by 0x650F30E: KXMLGUI::ContainerNode::unplugActions(KXMLGUI::BuildState&) (kxmlguifactory_p.cpp:406)
==20547== by 0x650F35F: KXMLGUI::ContainerNode::destruct(QDomElement, KXMLGUI::BuildState&) (kxmlguifactory_p.cpp:313)
==20547== by 0x650F52F: KXMLGUI::ContainerNode::destructChildren(QDomElement const&, KXMLGUI::BuildState&) (kxmlguifactory_p.cpp:358)
==20547== by 0x650F354: KXMLGUI::ContainerNode::destruct(QDomElement, KXMLGUI::BuildState&) (kxmlguifactory_p.cpp:311)
==20547== by 0x651A439: KXMLGUIFactory::removeClient(KXMLGUIClient*) (kxmlguifactory.cpp:364)
==20547== by 0x6581EEA: KEditToolbarWidget::rebuildKXMLGUIClients() (kedittoolbar.cpp:722)
==20547== by 0x65852A8: KEditToolbarWidget::save() (kedittoolbar.cpp:704)
==20547== by 0x658532B: KEditToolbar::slotOk() (kedittoolbar.cpp:517)
==20547== by 0x653E422: KDialogBase::qt_invoke(int, QUObject*) (kdialogbase.moc:359)
==20547== Address 0x0 is not stack'd, malloc'd or (recently) free'd
KCrash: Application 'krusader' crashing...

Tags: krusader
LimCore (limcore)
description: updated
Daniel T Chen (crimsun)
Changed in krusader:
importance: Undecided → Medium
status: New → Confirmed
Alexander Kabakow (alexzak) wrote :

Checked testcase for Krusader 1:2.0.0-1ubuntu3 on Ubuntu 10.04.

Can't reproduce.
