Bug 402784

Summary: Dolphin crashes during shutdown, when stopping activity
Product: [Applications] dolphin
Reporter: Simon Persson <simon.persson>
Component: general
Assignee: Dolphin Bug Assignee <dolphin-bugs-null>
Status: RESOLVED FIXED
Severity: crash
CC: david, elvis.angelaccio, jodr666, nate, philipp.verpoort, piotr.mierzwinski, web, xrigou
Priority: NOR
Keywords: drkonqi
Version First Reported In: 18.12.0   
Target Milestone: ---   
Platform: Arch Linux   
OS: Linux   
Latest Commit:
Version Fixed In: 18.12.3
Sentry Crash Report:
Attachments: New crash information added by DrKonqi
New crash information added by DrKonqi
New crash information added by DrKonqi

Description Simon Persson 2019-01-02 12:55:20 UTC
Application: dolphin (18.12.0)

Qt Version: 5.12.0
Frameworks Version: 5.53.0
Operating System: Linux 4.19.8-arch1-1-ARCH x86_64
Distribution (Platform): Archlinux Packages

-- Information about the crash:
How to reproduce:
Press Win+Q, make sure that you have two plasma activities running. Start dolphin in current activity. Press Win+Q again and stop current activity. Dolphin crashes while it is stopping. It does not matter if you have another instance of dolphin running in the other activity.

In the backtrace it looks suspicious that there is a recursive call to the destructor of KItemListViewAccessible.

The crash can be reproduced every time.

-- Backtrace:
Application: Dolphin (dolphin), signal: Segmentation fault
Using host libthread_db library "/usr/lib/libthread_db.so.1".
[Current thread is 1 (Thread 0x7f1f1495f800 (LWP 2117))]

Thread 8 (Thread 0x7f1ef3fff700 (LWP 2133)):
#0  0x00007f1f1d3057a4 in read () from /usr/lib/libc.so.6
#1  0x00007f1f18b70781 in ?? () from /usr/lib/libglib-2.0.so.0
#2  0x00007f1f18bc0a50 in g_main_context_check () from /usr/lib/libglib-2.0.so.0
#3  0x00007f1f18bc1e86 in ?? () from /usr/lib/libglib-2.0.so.0
#4  0x00007f1f18bc1fce in g_main_context_iteration () from /usr/lib/libglib-2.0.so.0
#5  0x00007f1f1b3f65c4 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/libQt5Core.so.5
#6  0x00007f1f1b39f58c in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/libQt5Core.so.5
#7  0x00007f1f1b1e35c9 in QThread::exec() () from /usr/lib/libQt5Core.so.5
#8  0x00007f1f1b1e49cc in ?? () from /usr/lib/libQt5Core.so.5
#9  0x00007f1f19adea9d in start_thread () from /usr/lib/libpthread.so.0
#10 0x00007f1f1d314b23 in clone () from /usr/lib/libc.so.6

Thread 7 (Thread 0x7f1f09a25700 (LWP 2128)):
#0  0x00007f1f19ae4afc in pthread_cond_wait@@GLIBC_2.3.2 () from /usr/lib/libpthread.so.0
#1  0x00007f1f0b35fd94 in ?? () from /usr/lib/dri/swrast_dri.so
#2  0x00007f1f0b35fcd8 in ?? () from /usr/lib/dri/swrast_dri.so
#3  0x00007f1f19adea9d in start_thread () from /usr/lib/libpthread.so.0
#4  0x00007f1f1d314b23 in clone () from /usr/lib/libc.so.6

Thread 6 (Thread 0x7f1f0a226700 (LWP 2127)):
#0  0x00007f1f19ae4afc in pthread_cond_wait@@GLIBC_2.3.2 () from /usr/lib/libpthread.so.0
#1  0x00007f1f0b35fd94 in ?? () from /usr/lib/dri/swrast_dri.so
#2  0x00007f1f0b35fcd8 in ?? () from /usr/lib/dri/swrast_dri.so
#3  0x00007f1f19adea9d in start_thread () from /usr/lib/libpthread.so.0
#4  0x00007f1f1d314b23 in clone () from /usr/lib/libc.so.6

Thread 5 (Thread 0x7f1f0aa27700 (LWP 2126)):
#0  0x00007f1f19ae4afc in pthread_cond_wait@@GLIBC_2.3.2 () from /usr/lib/libpthread.so.0
#1  0x00007f1f0b35fd94 in ?? () from /usr/lib/dri/swrast_dri.so
#2  0x00007f1f0b35fcd8 in ?? () from /usr/lib/dri/swrast_dri.so
#3  0x00007f1f19adea9d in start_thread () from /usr/lib/libpthread.so.0
#4  0x00007f1f1d314b23 in clone () from /usr/lib/libc.so.6

Thread 4 (Thread 0x7f1f0b228700 (LWP 2125)):
#0  0x00007f1f19ae4afc in pthread_cond_wait@@GLIBC_2.3.2 () from /usr/lib/libpthread.so.0
#1  0x00007f1f0b35fd94 in ?? () from /usr/lib/dri/swrast_dri.so
#2  0x00007f1f0b35fcd8 in ?? () from /usr/lib/dri/swrast_dri.so
#3  0x00007f1f19adea9d in start_thread () from /usr/lib/libpthread.so.0
#4  0x00007f1f1d314b23 in clone () from /usr/lib/libc.so.6

Thread 3 (Thread 0x7f1f11e90700 (LWP 2120)):
#0  0x00007f1f1d3057a4 in read () from /usr/lib/libc.so.6
#1  0x00007f1f18b70781 in ?? () from /usr/lib/libglib-2.0.so.0
#2  0x00007f1f18bc0a50 in g_main_context_check () from /usr/lib/libglib-2.0.so.0
#3  0x00007f1f18bc1e86 in ?? () from /usr/lib/libglib-2.0.so.0
#4  0x00007f1f18bc1fce in g_main_context_iteration () from /usr/lib/libglib-2.0.so.0
#5  0x00007f1f1b3f65c4 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/libQt5Core.so.5
#6  0x00007f1f1b39f58c in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/libQt5Core.so.5
#7  0x00007f1f1b1e35c9 in QThread::exec() () from /usr/lib/libQt5Core.so.5
#8  0x00007f1f1b669ba6 in ?? () from /usr/lib/libQt5DBus.so.5
#9  0x00007f1f1b1e49cc in ?? () from /usr/lib/libQt5Core.so.5
#10 0x00007f1f19adea9d in start_thread () from /usr/lib/libpthread.so.0
#11 0x00007f1f1d314b23 in clone () from /usr/lib/libc.so.6

Thread 2 (Thread 0x7f1f1327a700 (LWP 2118)):
#0  0x00007f1f1d309c21 in poll () from /usr/lib/libc.so.6
#1  0x00007f1f18676630 in ?? () from /usr/lib/libxcb.so.1
#2  0x00007f1f186782db in xcb_wait_for_event () from /usr/lib/libxcb.so.1
#3  0x00007f1f1426196b in ?? () from /usr/lib/libQt5XcbQpa.so.5
#4  0x00007f1f1b1e49cc in ?? () from /usr/lib/libQt5Core.so.5
#5  0x00007f1f19adea9d in start_thread () from /usr/lib/libpthread.so.0
#6  0x00007f1f1d314b23 in clone () from /usr/lib/libc.so.6

Thread 1 (Thread 0x7f1f1495f800 (LWP 2117)):
[KCrash Handler]
#6  0x00000000f7cd7ba2 in ?? ()
#7  0x00007f1f1b7d0e8b in QAccessible::registerAccessibleInterface(QAccessibleInterface*) () from /usr/lib/libQt5Gui.so.5
#8  0x00007f1f1d179a9e in KItemListViewAccessible::~KItemListViewAccessible() () from /usr/lib/libdolphinprivate.so.5
#9  0x00007f1f1d179b7a in KItemListViewAccessible::~KItemListViewAccessible() () from /usr/lib/libdolphinprivate.so.5
#10 0x00007f1f1b7d7093 in QAccessibleCache::deleteInterface(unsigned int, QObject*) () from /usr/lib/libQt5Gui.so.5
#11 0x00007f1f1b7d76d1 in QAccessibleCache::~QAccessibleCache() () from /usr/lib/libQt5Gui.so.5
#12 0x00007f1f1b7d7859 in ?? () from /usr/lib/libQt5Gui.so.5
#13 0x00007f1f1b3a2aa2 in qt_call_post_routines() () from /usr/lib/libQt5Core.so.5
#14 0x00007f1f1bdf8517 in QApplication::~QApplication() () from /usr/lib/libQt5Widgets.so.5
#15 0x00007f1f1d41d6a9 in kdemain () from /usr/lib/libkdeinit5_dolphin.so
#16 0x00007f1f1d23d223 in __libc_start_main () from /usr/lib/libc.so.6
#17 0x000055aed450f05e in _start ()
[Inferior 1 (process 2117) detached]

Reported using DrKonqi
Comment 1 Elvis Angelaccio 2019-01-05 18:02:45 UTC
The problem is that when we stop the activity, the KItemListViewAccessible destructor is called *after* QApplication::exec() from the main() returns (no idea why). At that point, m_cells contains only dangling pointers and everything falls apart.
Comment 2 Elvis Angelaccio 2019-01-16 18:18:40 UTC
*** Bug 403216 has been marked as a duplicate of this bug. ***
Comment 3 Elvis Angelaccio 2019-02-02 17:29:19 UTC
*** Bug 403773 has been marked as a duplicate of this bug. ***
Comment 4 David Hallas 2019-02-12 10:19:52 UTC
(In reply to Elvis Angelaccio from comment #1)
> The problem is that when we stop the activity, the KItemListViewAccessible
> destructor is called *after* QApplication::exec() from the main() returns
> (no idea why). At that point, m_cells contains only dangling pointers and
> everything falls apart.

Hi Elvis,

I was looking at the code for this and I was thinking if a solution could be to change the m_cells type to store QAccessible::Id instead of a pointer to QAccessibleInterface, since Qt provides easy access to the QAccessibleInterface* given the Id. Then in the destructor we could simply look up the QAccessibleInterface* pointer with the Id and delete it if it was found?
Comment 5 Philipp Verpoort 2019-02-15 19:06:34 UTC
Created attachment 118117 [details]
New crash information added by DrKonqi

dolphin (18.12.2) using Qt 5.12.0

- What I was doing when the application crashed:

Can report the same problem: dolphin crashes on system shutdown and activity closure.

-- Backtrace (Reduced):
#7  0x00007f2799590d5a in QAccessible::registerAccessibleInterface (iface=0x55644e583b50) at accessible/qaccessible.cpp:746
#8  0x00007f279e8c5f9d in KItemListViewAccessible::~KItemListViewAccessible() () from /usr/lib/x86_64-linux-gnu/libdolphinprivate.so.5
#9  0x00007f279e8c6079 in KItemListViewAccessible::~KItemListViewAccessible() () from /usr/lib/x86_64-linux-gnu/libdolphinprivate.so.5
#10 0x00007f2799596d7a in QAccessibleCache::deleteInterface (this=this@entry=0x55644db37d00, id=<optimized out>, obj=<optimized out>, obj@entry=0x0) at accessible/qaccessiblecache.cpp:153
#11 0x00007f2799597350 in QAccessibleCache::~QAccessibleCache (this=0x55644db37d00, __in_chrg=<optimized out>) at accessible/qaccessiblecache.cpp:67
Comment 6 Elvis Angelaccio 2019-02-16 11:28:41 UTC
(In reply to David Hallas from comment #4)
> (In reply to Elvis Angelaccio from comment #1)
> > The problem is that when we stop the activity, the KItemListViewAccessible
> > destructor is called *after* QApplication::exec() from the main() returns
> > (no idea why). At that point, m_cells contains only dangling pointers and
> > everything falls apart.
> 
> Hi Elvis,
> 
> I was looking at the code for this and I was thinking if a solution could be
> to change the m_cells type to store QAccessible::Id instead of a pointer to
> QAccessibleInterface, since Qt provides easy access to the
> QAccessibleInterface* given the Id. Then in the destructor we could simply
> lookup the QAccessibleInterface* pointer with the Id and delete it if it was
> found?

This sounds interesting. Feel free to try and submit a patch if it works :)
Comment 7 David Hallas 2019-02-16 15:53:25 UTC
I have created a patch here:

https://phabricator.kde.org/D19083

Please take a look at it and see what you think :)

Also, I haven't been able to reproduce the crash myself, so I would really like someone who can reproduce it to check if this fixes it.
Comment 8 David Hallas 2019-02-18 07:58:19 UTC
Git commit c72fdaa77380ef811dfef626a4edadbb824ed252 by David Hallas.
Committed on 18/02/2019 at 07:58.
Pushed by hallas into branch 'master'.

Fix crash during shutdown

Summary:
Fix crash during shutdown. The root cause is that when Dolphin is stopped as
part of an activity, the KItemListViewAccessible destructor is called after
QApplication::exec has returned causing Qt to have already cleaned up the
QAccessibleInterface instances kept in KItemListViewAccessible. Instead of
storing the pointers to QAccessibleInterface we store the QAccessible::Id so
that we can use the QAccessible::deleteAccessibleInterface function for
deleting the instances.

Test Plan:
I wasn't able to reproduce the crash in the first place, but I have just
opened and closed Dolphin a few times and verified that the QAccessibleInterface
instances are correctly cleaned up.

Reviewers: #dolphin, elvisangelaccio, ngraham

Reviewed By: #dolphin, elvisangelaccio

Subscribers: kfm-devel

Tags: #dolphin

Differential Revision: https://phabricator.kde.org/D19083

M  +15   -10   src/kitemviews/kitemlistviewaccessible.cpp
M  +7    -1    src/kitemviews/kitemlistviewaccessible.h

https://commits.kde.org/dolphin/c72fdaa77380ef811dfef626a4edadbb824ed252
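
The ownership change described in the commit message above, as an added example that is not part of the bug thread or Dolphin's code: a Qt-free model in which `Registry`, `Iface`, `View` and `releasedCells` are hypothetical stand-ins (for Qt's accessibility cache, `QAccessibleInterface` and `KItemListViewAccessible`). The view stores ids and looks each one up before releasing it, so cleanup that runs after the registry has been emptied finds nothing to free.

```cpp
#include <cstdint>
#include <map>
#include <memory>
#include <vector>

using Id = std::uint32_t;
struct Iface { int row; };

// Owns every interface. Callers hold ids, so they can ask whether an entry
// is still alive instead of trusting a pointer that may have been freed.
class Registry {
public:
    Id add(int row) {
        Id id = ++m_next;
        m_live[id] = std::unique_ptr<Iface>(new Iface{row});
        return id;
    }
    Iface *find(Id id) const {            // nullptr once the entry is gone
        auto it = m_live.find(id);
        return it == m_live.end() ? nullptr : it->second.get();
    }
    bool remove(Id id) { return m_live.erase(id) == 1; }
    void clear() { m_live.clear(); }      // models the cache teardown at exit
private:
    Id m_next = 0;
    std::map<Id, std::unique_ptr<Iface>> m_live;
};

// Remembers ids only. Had m_cells held raw Iface* values, cleanup() after
// Registry::clear() would be deleting objects that were already freed.
class View {
public:
    explicit View(Registry &r) : m_reg(r) {}
    void addCell(int row) { m_cells.push_back(m_reg.add(row)); }
    int cleanup() {                       // returns how many cells it released
        int released = 0;
        for (Id id : m_cells)
            if (m_reg.find(id) && m_reg.remove(id)) ++released;
        m_cells.clear();
        return released;
    }
private:
    Registry &m_reg;
    std::vector<Id> m_cells;
};

// Constructed scenario: three cells, cleaned up before or after teardown.
int releasedCells(bool registryTornDownFirst) {
    Registry reg; View view(reg);
    for (int row = 0; row < 3; ++row) view.addCell(row);
    if (registryTornDownFirst) reg.clear();
    return view.cleanup();
}
```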
Comment 9 Christoph Feck 2019-02-18 15:32:14 UTC
The fix would need to be committed to 18.12 branch if the fix should appear in 18.12.3.
Comment 10 Nate Graham 2019-02-18 15:32:52 UTC
Yes, that's in progress. :)
Comment 11 David Hallas 2019-02-18 19:21:30 UTC
Git commit b1ccec70f28fefca8fcd464ec21dd13070c72e5c by David Hallas.
Committed on 18/02/2019 at 19:21.
Pushed by hallas into branch 'Applications/18.12'.

Fix crash during shutdown

Summary:
Fix crash during shutdown. The root cause is that when Dolphin is stopped as
part of an activity, the KItemListViewAccessible destructor is called after
QApplication::exec has returned causing Qt to have already cleaned up the
QAccessibleInterface instances kept in KItemListViewAccessible. Instead of
storing the pointers to QAccessibleInterface we store the QAccessible::Id so
that we can use the QAccessible::deleteAccessibleInterface function for
deleting the instances.

Test Plan:
I wasn't able to reproduce the crash in the first place, but I have just
opened and closed Dolphin a few times and verified that the QAccessibleInterface
instances are correctly cleaned up.

Reviewers: #dolphin, elvisangelaccio, ngraham

Reviewed By: #dolphin, elvisangelaccio

Subscribers: kfm-devel

Tags: #dolphin

Differential Revision: https://phabricator.kde.org/D19083

M  +15   -10   src/kitemviews/kitemlistviewaccessible.cpp
M  +7    -1    src/kitemviews/kitemlistviewaccessible.h

https://commits.kde.org/dolphin/b1ccec70f28fefca8fcd464ec21dd13070c72e5c
Comment 12 David Hallas 2019-02-18 19:23:34 UTC
Should be there now :)
Comment 13 Tony 2019-03-02 18:54:23 UTC
Created attachment 118487 [details]
New crash information added by DrKonqi

dolphin (18.12.2) using Qt 5.12.0

- What I was doing when the application crashed:

Just a Dolphin instance open with an open terminal then logging out is needed to trigger.

-- Backtrace (Reduced):
#7  0x00007fa28d1547ca in QAccessible::registerAccessibleInterface (iface=0x5584fc9ea7d0) at accessible/qaccessible.cpp:746
#8  0x00007fa28eb89a4d in KItemListViewAccessible::~KItemListViewAccessible() () from /usr/lib64/libdolphinprivate.so.5
#9  0x00007fa28eb89b19 in KItemListViewAccessible::~KItemListViewAccessible() () from /usr/lib64/libdolphinprivate.so.5
#10 0x00007fa28d15a743 in QAccessibleCache::deleteInterface (this=this@entry=0x5584fc28e5f0, id=<optimized out>, obj=<optimized out>, obj@entry=0x0) at accessible/qaccessiblecache.cpp:153
#11 0x00007fa28d15ad70 in QAccessibleCache::~QAccessibleCache (this=0x5584fc28e5f0, __in_chrg=<optimized out>) at accessible/qaccessiblecache.cpp:67
Comment 14 Tony 2019-03-02 18:54:27 UTC
Created attachment 118488 [details]
New crash information added by DrKonqi

dolphin (18.12.2) using Qt 5.12.0

- What I was doing when the application crashed:

Just a Dolphin instance open with an open terminal then logging out is needed to trigger.

-- Backtrace (Reduced):
#7  0x00007fa28d1547ca in QAccessible::registerAccessibleInterface (iface=0x5584fc9ea7d0) at accessible/qaccessible.cpp:746
#8  0x00007fa28eb89a4d in KItemListViewAccessible::~KItemListViewAccessible() () from /usr/lib64/libdolphinprivate.so.5
#9  0x00007fa28eb89b19 in KItemListViewAccessible::~KItemListViewAccessible() () from /usr/lib64/libdolphinprivate.so.5
#10 0x00007fa28d15a743 in QAccessibleCache::deleteInterface (this=this@entry=0x5584fc28e5f0, id=<optimized out>, obj=<optimized out>, obj@entry=0x0) at accessible/qaccessiblecache.cpp:153
#11 0x00007fa28d15ad70 in QAccessibleCache::~QAccessibleCache (this=0x5584fc28e5f0, __in_chrg=<optimized out>) at accessible/qaccessiblecache.cpp:67
Comment 15 Nate Graham 2019-03-02 20:52:51 UTC
This bug is marked as being fixed in 18.12.3; there is no need to post additional crash reports from 18.12.2 or earlier. We'll be interested to know if you still see it in 18.12.3 once that's released though!
Comment 16 Mouth 2019-03-07 15:38:53 UTC
OS: Arch x86_64
DE: KDE 5.55.0 / Plasma 5.15.2
dolphin 18.12.3-1

The patch has fixed the issue for me
(I have and use only one "KDE Plasma activity")

Initial bug (now marked RESOLVED DUPLICATE): https://bugs.kde.org/show_bug.cgi?id=403216

Thank you for the work!