Bug 414066

Summary: Semi-reproducible crash when clicking on "unread notifications" bell icon in System Tray
Product: [Plasma] plasmashell
Reporter: Nate Graham <nate>
Component: Notifications
Assignee: Kai Uwe Broulik <kde>
Status: RESOLVED FIXED
Severity: crash
CC: kde, materka, plasma-bugs, postix
Priority: NOR
Version: master
Target Milestone: 1.0
Platform: Other
OS: Linux
Latest Commit:
Version Fixed In:
Sentry Crash Report:
Attachments: Valgrind log

Description Nate Graham 2019-11-12 15:04:36 UTC
Everything KDE from git master, just built everything from source yesterday.

I'm hitting a semi-reproducible crash when I click on the "unread notifications" bell icon in System Tray. About 25-50% of the time, clicking on it crashes plasmashell with the following backtrace:


#0  0x00007ffff71f0b27 in QQmlData::wasDeleted(QObject const*) (object=0x4487890)
    at /usr/src/debug/libqt5-qtdeclarative-5.13.1-1.1.x86_64/include/QtQml/5.13.1/QtQml/private/../../../../../src/qml/qml/qqmldata_p.h:338
#1  0x00007ffff71f0b27 in QV4::QObjectWrapper::wrap(QV4::ExecutionEngine*, QObject*)
    (object=0x4487890, engine=0x7b7360)
    at /usr/src/debug/libqt5-qtdeclarative-5.13.1-1.1.x86_64/src/qml/jsruntime/qv4qobjectwrapper_p.h:215
#2  0x00007ffff71f0b27 in loadProperty(QV4::ExecutionEngine*, QObject*, QQmlPropertyData const&) (v4=0x7b7360, object=0x389c6e0, property=...)
    at /usr/src/debug/libqt5-qtdeclarative-5.13.1-1.1.x86_64/src/qml/jsruntime/qv4qobjectwrapper.cpp:137
#3  0x00007ffff71f22d5 in QV4::QObjectWrapper::getQmlProperty(QV4::ExecutionEngine*, QQmlContextData*, QObject*, QV4::String*, QV4::QObjectWrapper::RevisionMode, bool*, QQmlPropertyData**)
    (engine=engine@entry=0x7b7360, qmlContext=qmlContext@entry=0x2799ef0, object=0x389c6e0, name=0x7fffea9b0688, revisionMode=revisionMode@entry=QV4::QObjectWrapper::IgnoreRevision, hasProperty=hasProperty@entry=0x0, property=0x0)
    at /usr/src/debug/libqt5-qtdeclarative-5.13.1-1.1.x86_64/src/qml/jsruntime/qv4qobjectwrapper.cpp:390
#4  0x00007ffff733bf00 in QV4::QQmlTypeWrapper::virtualGet(QV4::Managed const*, QV4::PropertyKey, QV4::Value const*, bool*)
    (m=0x7fffea9b0678, id=..., receiver=0x7fffea9b0678, hasProperty=0x0)
    at /usr/src/debug/libqt5-qtdeclarative-5.13.1-1.1.x86_64/include/QtQml/5.13.1/QtQml/private/../../../../../src/qml/jsruntime/qv4value_p.h:301
#5  0x00007ffff717573c in QV4::Object::get(QV4::StringOrSymbol*, bool*, QV4::Value const*) const (receiver=0x7fffea9b0678, hasProperty=0x0, name=0x7fffea9b0680, this=0x7fffea9b0678)
    at /usr/src/debug/libqt5-qtdeclarative-5.13.1-1.1.x86_64/include/QtQml/5.13.1/QtQml/private/../../../../../src/qml/jsruntime/qv4string_p.h:171
#6  0x00007ffff717573c in QV4::Lookup::getterFallback(QV4::Lookup*, QV4::ExecutionEngine*, QV4::Value const&) (l=<optimized out>, engine=0x7b7360, object=...)
    at /usr/src/debug/libqt5-qtdeclarative-5.13.1-1.1.x86_64/src/qml/jsruntime/qv4lookup.cpp:201
#7  0x00007fffde261414 in  ()
#8  0x0000000000000000 in  ()
Comment 1 David Edmundson 2019-11-12 15:18:58 UTC
Can you try to run under valgrind

(valgrind plasmashell --replace)

It will be super super super super slow.
Comment 2 Nate Graham 2019-11-12 16:59:03 UTC
Created attachment 123868 [details]
Valgrind log

I'm attaching the log. When run under valgrind, plasmashell reproducibly crashes immediately after starting; it doesn't even get to the point where I can trigger the crash in the way originally reported.
Comment 3 David Edmundson 2019-11-12 18:31:55 UTC
Thanks. 

Relevant bit
==12370== Use of uninitialised value of size 8
==12370==    at 0xF010210: ??? (in /tmp/#403114 (deleted))
==12370== 
==12370== Invalid read of size 8
==12370==    at 0xF010210: ??? (in /tmp/#403114 (deleted))
==12370==  Address 0xb0d0bdd097d00008 is not stack'd, malloc'd or (recently) free'd
==12370== 

that's...unhelpful. It's not a dangling pointer, or at least not one from the C++ side.
Comment 4 Nate Graham 2019-11-21 14:11:02 UTC
This looks to have been fixed by https://phabricator.kde.org/D25223. Ever since that was committed, I don't get any crashes here anymore.
Comment 5 Nate Graham 2019-11-25 22:29:21 UTC
Never mind, it's started happening again. :/
Comment 6 Konrad Materka 2019-11-27 10:17:27 UTC
This is probably not related to https://phabricator.kde.org/D25223. This might be a bug in Qt declarative; I encountered a similar issue when debugging plasmoids in plasmoidviewer. Qt developers introduced some optimizations in Qt declarative, this might be connected.
Comment 7 Kai Uwe Broulik 2019-12-10 20:33:30 UTC
Git commit 34ca49210ff473377a080325fc74b59b012866a3 by Kai Uwe Broulik.
Committed on 10/12/2019 at 20:33.
Pushed by broulik into branch 'master'.

[Notifications] Fix crash accessing ViewTransition attached property

There's something really funky going on in this...
Avoid using ViewTransition attached property by just setting the animation target before triggering the model removal.

Differential Revision: https://phabricator.kde.org/D25861

M  +12   -2    applets/notifications/package/contents/ui/FullRepresentation.qml

https://commits.kde.org/plasma-workspace/34ca49210ff473377a080325fc74b59b012866a3