Bug 420452

Summary: Crash on load in taskmanager
Product: [Plasma] plasmashell
Reporter: David Edmundson <kde>
Component: Task Manager and Icons-Only Task Manager widgets
Assignee: Eike Hein <hein>
Status: RESOLVED FIXED
Severity: major
CC: aleixpol, kde, nate, plasma-bugs
Priority: VHI
Version: master
Target Milestone: 1.0
Platform: Other
OS: Linux
Version Fixed In: 5.18.5

Description David Edmundson 2020-04-23 10:34:03 UTC
(gdb) bt
#0  0x00007ffff3af8a20 in __memcpy_ssse3 () at /usr/lib/libc.so.6
#1  0x00007ffff4091316 in QString::append(QString const&) (this=0x7fffffff36f8, str=...)
    at /home/david/projects/qt5/qtbase/src/corelib/text/qstring.cpp:2683
#2  0x00007fffd0b3ca1d in QString::operator+=(QString const&) (this=0x7fffffff36f8, s=...) at /opt/qt5/include/QtCore/qstring.h:554
#3  0x00007fffd0b3c923 in QStringBuilder<QString, QString>::operator QString() const (this=0x7fffffff36e8)
    at /opt/qt5/include/QtCore/qstringbuilder.h:147
#4  0x00007fffd0b38e43 in std::transform<QList<QString>::iterator, QList<QString>::iterator, SmartLauncher::Backend::reload()::$_0>(QList<QString>::iterator, QList<QString>::iterator, QList<QString>::iterator, SmartLauncher::Backend::reload()::$_0)
    (__first=..., __last=..., __result=..., __unary_op=...)
    at /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/9.3.0/../../../../include/c++/9.3.0/bits/stl_algo.h:4337
#5  0x00007fffd0b38c7e in SmartLauncher::Backend::reload() (this=0x555556aefe30)
    at /home/david/projects/kde5/src/kde/workspace/plasma-desktop/applets/taskmanager/plugin/smartlaunchers/smartlauncherbackend.cpp:57
#6  0x00007fffd0b385f0 in SmartLauncher::Backend::Backend(QObject*) (this=0x555556aefe30, parent=0x0)
    at /home/david/projects/kde5/src/kde/workspace/plasma-desktop/applets/taskmanager/plugin/smartlaunchers/smartlauncherbackend.cpp:46
#7  0x00007fffd0b3dd89 in SmartLauncher::Item::Item(QObject*) (this=0x555556aec550, parent=0x0)
    at /home/david/projects/kde5/src/kde/workspace/plasma-desktop/applets/taskmanager/plugin/smartlaunchers/smartlauncheritem.cpp:31
#8  0x00007fffd0b383d3 in QQmlPrivate::QQmlElement<SmartLauncher::Item>::QQmlElement() (this=0x555556aec550)
    at /opt/qt5/include/QtQml/qqmlprivate.h:106
#9  0x00007fffd0b38078 in QQmlPrivate::createInto<SmartLauncher::Item>(void*) (memory=0x555556aec550)
    at /opt/qt5/include/QtQml/qqmlprivate.h:127


Caused by: https://phabricator.kde.org/D21061
Comment 1 Aleix Pol 2020-04-24 11:50:30 UTC
I also have the issue, might be a Qt 5.15.

I've been investigating a bit.

It always seems to be happening when allocating strings and getting std::bad_alloc.

Running under valgrind I get these a lot:
==303225==  Address 0x3344137e is 61,470 bytes inside a block of size 61,484 alloc'd
==303225==    at 0x483977F: malloc (vg_replace_malloc.c:309)
==303225==    by 0x7665F20: QArrayData::allocate(unsigned long, unsigned long, unsigned long, QFlags<QArrayData::AllocationOption>) (qarraydata.cpp:221)
==303225==    by 0x76DE809: allocate (qarraydata.h:224)
==303225==    by 0x76DE809: QString::fromLatin1_helper(char const*, int) (qstring.cpp:5437)
==303225==    by 0x4EFDC07: QString::fromLatin1(char const*, int) (qstring.h:696)
==303225==    by 0x4F1DF30: QString::fromLatin1(QByteArray const&) (qstring.h:708)
==303225==    by 0x4F5DF26: Plasma::SharedSvgRenderer::load(QByteArray const&, QString const&, QHash<QString, QRectF>&) (svg.cpp:121)
==303225==    by 0x4F5D9DD: Plasma::SharedSvgRenderer::SharedSvgRenderer(QString const&, QString const&, QHash<QString, QRectF>&, QObject*) (svg.cpp:70)
==303225==    by 0x4F60E3D: Plasma::SvgPrivate::createRenderer() (svg.cpp:469)
==303225==    by 0x4F616E7: Plasma::SvgPrivate::findAndCacheElementRect(QString const&, QString const&) (svg.cpp:552)
==303225==    by 0x4F6162A: Plasma::SvgPrivate::elementRect(QString const&) (svg.cpp:543)
==303225==    by 0x4F63710: Plasma::Svg::hasElement(QString const&) const (svg.cpp:888)
==303225==    by 0x4F5245A: Plasma::FrameSvg::hasElementPrefix(QString const&) const (framesvg.cpp:152)
==303225==    by 0x1B110745: Plasma::FrameSvgItem::applyPrefixes() (framesvgitem.cpp:674)
==303225==    by 0x1B10EB81: Plasma::FrameSvgItem::setPrefix(QVariant const&) (framesvgitem.cpp:357)
==303225==    by 0x1B0E09CE: Plasma::FrameSvgItem::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) (moc_framesvgitem.cpp:442)
==303225==    by 0x5884A42: writeProperty (qqmlpropertydata_p.h:375)
==303225==    by 0x5884A42: QQmlPropertyPrivate::write(QObject*, QQmlPropertyData const&, QVariant const&, QQmlContextData*, QFlags<QQmlPropertyData::WriteFlag>) (qqmlproperty.cpp:1305)
==303225==    by 0x58870BB: QQmlPropertyPrivate::writeValueProperty(QObject*, QQmlPropertyData const&, QQmlPropertyData const&, QVariant const&, QQmlContextData*, QFlags<QQmlPropertyData::WriteFlag>) (qqmlproperty.cpp:1214)
==303225==    by 0x58FB0D3: QQmlBinding::slowWrite(QQmlPropertyData const&, QQmlPropertyData const&, QV4::Value const&, bool, QFlags<QQmlPropertyData::WriteFlag>) (qqmlbinding.cpp:474)
==303225==    by 0x58FC1FF: GenericBinding<0>::write(QV4::Value const&, bool, QFlags<QQmlPropertyData::WriteFlag>) (qqmlbinding.cpp:335)
==303225==    by 0x58FD7BE: QQmlNonbindingBinding::doUpdate(QQmlJavaScriptExpression::DeleteWatcher const&, QFlags<QQmlPropertyData::WriteFlag>, QV4::Scope&) (qqmlbinding.cpp:258)
==303225==    by 0x58FA5F1: QQmlBinding::update(QFlags<QQmlPropertyData::WriteFlag>) (qqmlbinding.cpp:194)
==303225==    by 0x590C6B5: QQmlObjectCreator::finalize(QQmlInstantiationInterrupt&) (qqmlobjectcreator.cpp:1394)
==303225==    by 0x588885A: complete (qqmlcomponent.cpp:987)
==303225==    by 0x588885A: QQmlComponentPrivate::complete(QQmlEnginePrivate*, QQmlComponentPrivate::ConstructionState*) (qqmlcomponent.cpp:983)
==303225==    by 0x588B58D: completeCreate (qqmlcomponent.cpp:1079)
==303225==    by 0x588B58D: QQmlComponentPrivate::completeCreate() (qqmlcomponent.cpp:1069)
==303225==    by 0x532C91E: QQuickListViewPrivate::getSectionItem(QString const&) (qquicklistview.cpp:1041)
==303225==    by 0x532CE4F: QQuickListViewPrivate::updateInlineSection(FxListItemSG*) [clone .part.0] (qquicklistview.cpp:1090)
==303225==    by 0x531C1FF: QQuickItemViewPrivate::createItem(int, QQmlIncubator::IncubationMode) (qquickitemview.cpp:2379)
==303225==    by 0x532F463: QQuickListViewPrivate::applyInsertionChange(QQmlChangeSet::Change const&, QQuickItemViewPrivate::ChangeResult*, QList<FxViewItem*>*, QList<QQuickItemViewPrivate::MovedItem>*) (qquicklistview.cpp:3602)
==303225==    by 0x531FAF4: QQuickItemViewPrivate::applyModelChanges(QQuickItemViewPrivate::ChangeResult*, QQuickItemViewPrivate::ChangeResult*) (qquickitemview.cpp:2061)
==303225==    by 0x531E04F: QQuickItemViewPrivate::layout() (qquickitemview.cpp:1895)
Comment 2 Aleix Pol 2020-04-24 12:39:23 UTC
Commenting out the std::transform call makes my plasmashell work again. Maybe the input is getting destroyed somewhere?
Comment 3 Kai Uwe Broulik 2020-04-24 13:12:47 UTC
I transform the item itself, but std::transform explicitly says the iterator I transform into may be the same as the one I start at.
Comment 4 Aleix Pol 2020-04-24 14:00:05 UTC
Yes, the crash is in QString anyway, so maybe something nasty is happening to that string somewhere?
No idea
Comment 5 Kai Uwe Broulik 2020-04-27 12:12:08 UTC
Git commit 0eba5453b9d46d99dc6623b165b1be1c1659003c by Kai Uwe Broulik.
Committed on 27/04/2020 at 12:11.
Pushed by broulik into branch 'Plasma/5.18'.

[Task Manager] Avoid crash with QStringBuilder

The lambda returns a QStringBuilder which contains dangling references, see also QTBUG-47066
FIXED-IN: 5.18.5

Differential Revision: https://phabricator.kde.org/D29224

M  +1    -1    applets/taskmanager/plugin/smartlaunchers/smartlauncherbackend.cpp

https://commits.kde.org/plasma-desktop/0eba5453b9d46d99dc6623b165b1be1c1659003c
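The commit message above attributes the crash to a lambda that returns a QStringBuilder holding dangling references. The following is an added example, not the D29224 patch and not Qt code: it uses a constructed stand-in for QStringBuilder (`Builder`/`concat`) and a hypothetical `prefix_all()` to show why a lambda with a deduced return type hands std::transform an expression template instead of a string, and how an explicit return type materializes the string while its operands are still alive.

```cpp
#include <algorithm>
#include <string>
#include <type_traits>
#include <utility>
#include <vector>

// Stand-in for QStringBuilder (constructed for this example): it stores only
// references to its operands and concatenates lazily, on conversion to string.
template <typename L, typename R>
struct Builder {
    const L &left;
    const R &right;
    operator std::string() const { return std::string(left) + std::string(right); }
};

// Stand-in for Qt's operator+ when QT_USE_QSTRINGBUILDER is in effect.
template <typename L, typename R>
Builder<L, R> concat(const L &l, const R &r) { return {l, r}; }

// Buggy shape: with a deduced return type the lambda hands back the Builder,
// not a string. The prefix temporary is destroyed when the lambda returns, so
// `left` dangles and the conversion later performed inside std::transform reads
// freed memory (compare the QString::append/memcpy frames in the backtrace).
inline auto buggy_prefixer() {
    return [](const std::string &s) { return concat(std::string("prefix:"), s); };
}
static_assert(std::is_same<decltype(buggy_prefixer()(std::declval<const std::string &>())),
                           Builder<std::string, std::string>>::value,
              "deduced return type is the builder, not a string");

// Fixed shape: an explicit return type forces the concatenation inside the
// lambda while both operands are still alive; std::transform then receives a
// complete std::string. The prefix and input values are constructed for the example.
std::vector<std::string> prefix_all(std::vector<std::string> ids) {
    std::transform(ids.begin(), ids.end(), ids.begin(),
                   [](const std::string &s) -> std::string {
                       return concat(std::string("prefix:"), s);
                   });
    return ids;
}
```

The static_assert is the compile-time version of the diagnosis: the only thing that differs between the two lambdas is where the Builder is converted to a string, and that is what decides whether the referenced temporary is still alive.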