Bug 462841

Summary: System Monitor crashed in QEvent::isAccepted when killing a process
Product: [Applications] plasma-systemmonitor Reporter: Matt Fagnani <matt.fagnani>
Component: generalAssignee: KSysGuard Developers <ksysguard-bugs>
Status: RESOLVED FIXED    
Severity: crash CC: ahiemstra, kde, matt.fagnani, nate, plasma-bugs
Priority: NOR Keywords: drkonqi
Version: 5.26.4   
Target Milestone: ---   
Platform: Fedora RPMs   
OS: Linux   
See Also: https://bugs.kde.org/show_bug.cgi?id=446111
Latest Commit: Version Fixed In:
Sentry Crash Report:
Attachments: Log of System Monitor run under valgrind when killing aide
New crash information added by DrKonqi

Description Matt Fagnani 2022-12-10 09:27:07 UTC 
Application: plasma-systemmonitor (5.26.4)

Qt Version: 5.15.7
Frameworks Version: 5.100.0
Operating System: Linux 6.0.12-300.fc37.x86_64 x86_64
Windowing System: Wayland
Distribution: Fedora Linux 37 (KDE Plasma)
DrKonqi: 5.26.4 [KCrashBackend]

-- Information about the crash:
I was using Plasma 5.26.4 on Wayland in a Fedora 37 KDE Plasma installation. The program aide ran as root as a cron job. I started System Settings and selected Processes. I had previously selected Show: All Processes. I right-clicked on the aide process and selected Send Signal > Kill. The Plasma polkit dialog appeared, and I entered the password and pressed OK. System Settings crashed in QEvent::isAccepted at /usr/include/qt5/QtCore/qcoreevent.h:305 from Qt 5.15.7. I haven't seen this type of crash before.

The reporter is unsure if this crash is reproducible.

-- Backtrace:
Application: System Monitor (plasma-systemmonitor), signal: Segmentation fault

[KCrash Handler]
#4  0x00007fad9faaaed2 in QEvent::isAccepted() const (this=<optimized out>) at /usr/include/qt5/QtCore/qcoreevent.h:305
#5  QQuickWindowPrivate::sendFilteredPointerEventImpl(QQuickPointerEvent*, QQuickItem*, QQuickItem*) (this=0x55a205ed52b0, event=0x55a20669f840, receiver=0x55a20803f5d0, filteringParent=<optimized out>) at items/qquickwindow.cpp:3217
#6  0x00007fad9faaade1 in QQuickWindowPrivate::sendFilteredPointerEventImpl(QQuickPointerEvent*, QQuickItem*, QQuickItem*) (this=0x55a205ed52b0, event=<optimized out>, receiver=<optimized out>, filteringParent=<optimized out>) at items/qquickwindow.cpp:3320
#7  0x00007fad9faaade1 in QQuickWindowPrivate::sendFilteredPointerEventImpl(QQuickPointerEvent*, QQuickItem*, QQuickItem*) (this=0x55a205ed52b0, event=<optimized out>, receiver=<optimized out>, filteringParent=<optimized out>) at items/qquickwindow.cpp:3320
#8  0x00007fad9faabb91 in QQuickWindowPrivate::deliverToPassiveGrabbers(QVector<QPointer<QQuickPointerHandler> > const&, QQuickPointerEvent*) (this=this@entry=0x55a205ed52b0, passiveGrabbers=..., pointerEvent=pointerEvent@entry=0x55a20669f840) at items/qquickwindow.cpp:1982
#9  0x00007fad9fab1ea3 in QQuickWindowPrivate::deliverMouseEvent(QQuickPointerMouseEvent*) (this=this@entry=0x55a205ed52b0, pointerEvent=0x55a20669f840) at items/qquickwindow.cpp:2032
#10 0x00007fad9fab34e1 in QQuickWindowPrivate::deliverPointerEvent(QQuickPointerEvent*) (this=0x55a205ed52b0, event=0x55a20669f840) at items/qquickwindow.cpp:2617
#11 0x00007fadb65764f5 in QWindow::event(QEvent*) (this=0x55a205e671d0, ev=<optimized out>) at kernel/qwindow.cpp:2450
#12 0x00007fadb6daed12 in QApplicationPrivate::notify_helper(QObject*, QEvent*) (this=<optimized out>, receiver=0x55a205e671d0, e=0x7fffa241c960) at kernel/qapplication.cpp:3637
#13 0x00007fadb60a8278 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (receiver=0x55a205e671d0, event=0x7fffa241c960) at kernel/qcoreapplication.cpp:1064
#14 0x00007fadb656ae7d in QGuiApplicationPrivate::processMouseEvent(QWindowSystemInterfacePrivate::MouseEvent*) (e=0x7fad98007f10) at kernel/qguiapplication.cpp:2278
#15 0x00007fadb654a02c in QWindowSystemInterface::sendWindowSystemEvents(QFlags<QEventLoop::ProcessEventsFlag>) (flags=...) at kernel/qwindowsysteminterface.cpp:1169
#16 0x00007fadb22913f4 in userEventSourceDispatch(_GSource*, int (*)(void*), void*) () at /lib64/libQt5WaylandClient.so.5
#17 0x00007fadb4b15cbf in g_main_dispatch (context=0x7fada0005010) at ../glib/gmain.c:3444
#18 g_main_context_dispatch (context=0x7fada0005010) at ../glib/gmain.c:4162
#19 0x00007fadb4b6b598 in g_main_context_iterate.constprop.0 (context=0x7fada0005010, block=1, dispatch=1, self=<optimized out>) at ../glib/gmain.c:4238
#20 0x00007fadb4b12f40 in g_main_context_iteration (context=0x7fada0005010, may_block=1) at ../glib/gmain.c:4303
#21 0x00007fadb60f938a in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (this=0x55a205c5c970, flags=...) at kernel/qeventdispatcher_glib.cpp:423
#22 0x00007fadb60a6cca in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (this=this@entry=0x7fffa241ccf0, flags=..., flags@entry=...) at ../../include/QtCore/../../src/corelib/global/qflags.h:69
#23 0x00007fadb60aed92 in QCoreApplication::exec() () at ../../include/QtCore/../../src/corelib/global/qflags.h:121
#24 0x000055a2048dcc22 in main ()
[Inferior 1 (process 5994) detached]

Reported using DrKonqi
Comment 1 Matt Fagnani 2022-12-11 18:55:09 UTC 
Created attachment 154508 [details]
Log of System Monitor run under valgrind when killing aide

I ran System Monitor under valgrind with valgrind --log-file=valgrind-plasma-systemmonitor-kill-aide-1.txt --enable-debuginfod=no plasma-systemmonitor I ran aide with sudo /usr/sbin/aide --check I killed aide with System Monitor as described. System Monitor didn't crash. The valgrind log showed 259 invalid reads which looked like overreads or out-out-bounds reads such as the following. The invalid reads of size 16 looked to be the last 257 or so.

==2417== Invalid read of size 4
==2417==    at 0x606F413: QSortFilterProxyModelPrivate::_q_sourceDataChanged(QModelIndex const&, QModelIndex const&, QVector<int> const&) (qsortfilterproxymodel.cpp:1527)
==2417==    by 0x60C0DAE: void doActivate<false>(QObject*, int, void**) (qobject.cpp:3931)
==2417==    by 0x603DA4F: QAbstractItemModel::dataChanged(QModelIndex const&, QModelIndex const&, QVector<int> const&) (moc_qabstractitemmodel.cpp:557)
==2417==    by 0x6061330: QIdentityProxyModelPrivate::_q_sourceDataChanged(QModelIndex const&, QModelIndex const&, QVector<int> const&) (qidentityproxymodel.cpp:507)
==2417==    by 0x60C0DAE: void doActivate<false>(QObject*, int, void**) (qobject.cpp:3931)
==2417==    by 0x603DA4F: QAbstractItemModel::dataChanged(QModelIndex const&, QModelIndex const&, QVector<int> const&) (moc_qabstractitemmodel.cpp:557)
==2417==    by 0x6061330: QIdentityProxyModelPrivate::_q_sourceDataChanged(QModelIndex const&, QModelIndex const&, QVector<int> const&) (qidentityproxymodel.cpp:507)
==2417==    by 0x60C0DAE: void doActivate<false>(QObject*, int, void**) (qobject.cpp:3931)
==2417==    by 0x603DA4F: QAbstractItemModel::dataChanged(QModelIndex const&, QModelIndex const&, QVector<int> const&) (moc_qabstractitemmodel.cpp:557)
==2417==    by 0x323245BB: ??? (in /usr/lib64/libprocesscore.so.5.26.4)
==2417==    by 0x60C0C25: call (qobjectdefs_impl.h:398)
==2417==    by 0x60C0C25: void doActivate<false>(QObject*, int, void**) (qobject.cpp:3919)
==2417==    by 0x32303712: KSysGuard::ProcessAttribute::dataChanged(KSysGuard::Process*) (in /usr/lib64/libprocesscore.so.5.26.4)
==2417==  Address 0x2a236054 is 4 bytes after a block of size 64 alloc'd
==2417==    at 0x484386F: malloc (vg_replace_malloc.c:393)
==2417==    by 0x5ED8581: QArrayData::allocate(unsigned long, unsigned long, unsigned long, QFlags<QArrayData::AllocationOption>) (qarraydata.cpp:218)
==2417==    by 0x5EBE455: allocate (qarraydata.h:225)
==2417==    by 0x5EBE455: QVector<int>::realloc(int, QFlags<QArrayData::AllocationOption>) (qvector.h:699)
==2417==    by 0x5F125DE: QVector<int>::resize(int) (qvector.h:431)
==2417==    by 0x606920C: QSortFilterProxyModelPrivate::create_mapping(QModelIndex const&) const (qsortfilterproxymodel.cpp:519)
==2417==    by 0x606BE92: QSortFilterProxyModel::hasChildren(QModelIndex const&) const (qsortfilterproxymodel.cpp:2281)
==2417==    by 0x2924180E: KDescendantsProxyModel::setSourceModel(QAbstractItemModel*) (in /usr/lib64/libKF5ItemModels.so.5.100.0)
==2417==    by 0x605C60A: QAbstractProxyModel::qt_metacall(QMetaObject::Call, int, void**) (moc_qabstractproxymodel.cpp:209)
==2417==    by 0x29241918: KDescendantsProxyModel::qt_metacall(QMetaObject::Call, int, void**) (in /usr/lib64/libKF5ItemModels.so.5.100.0)
==2417==    by 0x291FE9B8: ??? (in /usr/lib64/qt5/qml/org/kde/kitemmodels/libitemmodelsplugin.so)
==2417==    by 0x4BA014D: writeProperty (qqmlpropertydata_p.h:393)
==2417==    by 0x4BA014D: QObjectPointerBinding::write(QV4::Value const&, bool, QFlags<QQmlPropertyData::WriteFlag>) (qqmlbinding.cpp:714)
==2417==    by 0x4BA1C45: QQmlNonbindingBinding::doUpdate(QQmlJavaScriptExpression::DeleteWatcher const&, QFlags<QQmlPropertyData::WriteFlag>, QV4::Scope&) (qqmlbinding.cpp:258)
==2417== 
...
==2417== Invalid read of size 16
==2417==    at 0x2B6AE9B0: ???
==2417==    by 0x29812367: ???
==2417==  Address 0x2981237e is 46 bytes inside a block of size 58 alloc'd
==2417==    at 0x484386F: malloc (vg_replace_malloc.c:393)
==2417==    by 0x5ED8581: QArrayData::allocate(unsigned long, unsigned long, unsigned long, QFlags<QArrayData::AllocationOption>) (qarraydata.cpp:218)
==2417==    by 0x5F5A25D: allocate (qarraydata.h:225)
==2417==    by 0x5F5A25D: QString::fromLatin1_helper(char const*, int) (qstring.cpp:5464)
==2417==    by 0x6102141: UnknownInlinedFun (qstring.h:1067)
==2417==    by 0x6102141: stringAt (qcborvalue_p.h:294)
==2417==    by 0x6102141: QJsonValue::toString() const (qjsonvalue.cpp:698)
==2417==    by 0x29178D1A: KSysGuard::SensorFaceControllerPrivate::readSensors(KConfigGroup const&, QString const&) (in /usr/lib64/libKSysGuardSensorFaces.so.5.26.4)
==2417==    by 0x2917907D: KSysGuard::SensorFaceControllerPrivate::readAndUpdateSensors(KConfigGroup&, QString const&) (in /usr/lib64/libKSysGuardSensorFaces.so.5.26.4)
==2417==    by 0x2917FF67: KSysGuard::SensorFaceController::SensorFaceController(KConfigGroup&, QQmlEngine*) (in /usr/lib64/libKSysGuardSensorFaces.so.5.26.4)
==2417==    by 0x291500A0: UnknownInlinedFun (FaceLoader.cpp:64)
==2417==    by 0x291500A0: FaceLoader::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) (moc_FaceLoader.cpp:135)
==2417==    by 0x291509E2: FaceLoader::qt_metacall(QMetaObject::Call, int, void**) (moc_FaceLoader.cpp:183)
==2417==    by 0x4BA014D: writeProperty (qqmlpropertydata_p.h:393)
==2417==    by 0x4BA014D: QObjectPointerBinding::write(QV4::Value const&, bool, QFlags<QQmlPropertyData::WriteFlag>) (qqmlbinding.cpp:714)
==2417==    by 0x4BA1C45: QQmlNonbindingBinding::doUpdate(QQmlJavaScriptExpression::DeleteWatcher const&, QFlags<QQmlPropertyData::WriteFlag>, QV4::Scope&) (qqmlbinding.cpp:258)
==2417==    by 0x4B9F5B3: QQmlBinding::update(QFlags<QQmlPropertyData::WriteFlag>) (qqmlbinding.cpp:194)
==2417== 

There were also many Conditional jump or move depends on uninitialised value(s). I don't know if those memory management problems might've been invloved in the crash. I'm attaching the full valgrind log. I tried to kill aide a few other times and the crash didn't happen so the problem might be infrequent. The problem looks more likely to be in Qt since most of the top of the trace had Qt functions.

That aide cronjob was created by a SCAP Workbench remediation script run as root after I ran a scan with the Standard System Security Profile for Fedora profile in 2020. The line in /etc/crontab that ran aide was 05 4 * * * root /usr/sbin/aide --check 
I doubt that the problem is related to the specific program being killed maybe other than it being run as root.
Comment 2 Matt Fagnani 2022-12-11 21:22:26 UTC 
I meant to write System Monitor instead of System Settings in my original report. Sorry for the mixup.

/usr/include/qt5/QtCore/qcoreevent.h:305 was 
inline bool isAccepted() const { return m_accept; }
The QEvent object might've been freed and then used in a race condition.

plasmashell and System Settings crashes with similar traces were described at https://bugs.kde.org/show_bug.cgi?id=446111 A qtwayland patch for that problem is at https://bugs.kde.org/show_bug.cgi?id=446111#c23
Comment 3 David Redondo 2022-12-13 08:40:44 UTC 
Thanks for the investigation!
Comment 4 David Redondo 2023-01-11 10:06:15 UTC 
If there is a patch I will close it. Please reopen if that's wrong
Comment 5 Matt Fagnani 2023-02-09 09:23:32 UTC 
Created attachment 156093 [details]
New crash information added by DrKonqi

plasma-systemmonitor (5.26.5) using Qt 5.15.8

I killed aide in System Monitor in the same way as I reported previously in Plasma 5.26.5 on Wayland in a Fedora 37 KDE Plasma installation with KF 5.102.0 and Qt 5.15.8. This is the second such crash I've seen. This crash was infrequent when killing processes in this way.

-- Backtrace (Reduced):
#4  0x00007fd03daab122 in QEvent::isAccepted() const (this=<optimized out>) at /usr/include/qt5/QtCore/qcoreevent.h:305
#5  QQuickWindowPrivate::sendFilteredPointerEventImpl(QQuickPointerEvent*, QQuickItem*, QQuickItem*) (this=0x55f6c5e8a7e0, event=0x55f6c6a5c300, receiver=0x55f6c8272930, filteringParent=<optimized out>) at items/qquickwindow.cpp:3228
#6  0x00007fd03daab031 in QQuickWindowPrivate::sendFilteredPointerEventImpl(QQuickPointerEvent*, QQuickItem*, QQuickItem*) (this=0x55f6c5e8a7e0, event=<optimized out>, receiver=<optimized out>, filteringParent=<optimized out>) at items/qquickwindow.cpp:3331
#7  0x00007fd03daab031 in QQuickWindowPrivate::sendFilteredPointerEventImpl(QQuickPointerEvent*, QQuickItem*, QQuickItem*) (this=0x55f6c5e8a7e0, event=<optimized out>, receiver=<optimized out>, filteringParent=<optimized out>) at items/qquickwindow.cpp:3331
#8  0x00007fd03daabde1 in QQuickWindowPrivate::deliverToPassiveGrabbers(QVector<QPointer<QQuickPointerHandler> > const&, QQuickPointerEvent*) (this=this@entry=0x55f6c5e8a7e0, passiveGrabbers=..., pointerEvent=pointerEvent@entry=0x55f6c6a5c300) at items/qquickwindow.cpp:1982