Bug 472922

Summary: kwin_wayland crashes in KWin::PointerInputRedirection::focusUpdate when clicking on a window decoration tooltip
Product: [Plasma] kwin
Reporter: Nate Graham <nate>
Component: wayland-generic
Assignee: KWin default assignee <kwin-bugs-null>
Status: RESOLVED FIXED
Severity: crash
CC: amusing.random.alias, nicolas.fella
Priority: NOR
Version: 5.27.0
Target Milestone: ---
Platform: Other
OS: Linux
Latest Commit:
Version Fixed In: 5.27.8
Sentry Crash Report:

Description Nate Graham 2023-08-02 14:20:45 UTC
STEPS TO REPRODUCE
1. Move default bottom panel to the left screen edge
2. Maximize a window
3. Move the pointer over the maximized window's icon in the top left corner so that its tooltip appears
4. Move the pointer leftwards so that it's over Kickoff now. The tooltip should still be visible
5. Click to open Kickoff. The tooltip should now be over part of Kickoff's popup
6. Click on the tooltip
OBSERVED RESULT
kwin_wayland crashes with the following backtrace:

#0  std::__atomic_base<QThreadData*>::load(std::memory_order) const
    (__m=std::memory_order_acquire, this=<error reading variable: Cannot access memory at address 0x8>) at /usr/include/c++/13/bits/atomic_base.h:835
#1  std::atomic<QThreadData*>::load(std::memory_order) const
    (__m=std::memory_order_acquire, this=<error reading variable: Cannot access memory at address 0x8>) at /usr/include/c++/13/atomic:577
#2  QAtomicOps<QThreadData*>::loadAcquire<QThreadData*>(std::atomic<QThreadData*> const&)
    (_q_value=<error reading variable: Cannot access memory at address 0x8>)
    at /usr/src/debug/qt6-qtbase-6.5.1-2.fc38.x86_64/src/corelib/thread/qatomic_cxx11.h:213
#3  QBasicAtomicPointer<QThreadData>::loadAcquire() const
    (this=<error reading variable: Cannot access memory at address 0x8>)
    at /usr/src/debug/qt6-qtbase-6.5.1-2.fc38.x86_64/src/corelib/thread/qbasicatomic.h:181
#4  QCoreApplication::notifyInternal2(QObject*, QEvent*) (receiver=0x0, event=0x7ffdef845d30)
    at /usr/src/debug/qt6-qtbase-6.5.1-2.fc38.x86_64/src/corelib/kernel/qcoreapplication.cpp:1111
#5  0x00007f163f87790d in  () at /home/nate/kde/src/kwin/src/internalwindow.cpp:106
#6  0x00007f163c807d78 in vtable for QEvent () at /lib64/libQt6Core.so.6
#7  0x000000010000000b in  ()
#8  0x00007ffdef845d60 in  ()
#9  0x000000000083acf0 in  ()
#10 0x0000000002133670 in  ()
#11 0x00007f163f8c2805 in KWin::PointerInputRedirection::focusUpdate(KWin::Window*, KWin::Window*)
    (this=0x1c893f0, focusOld=0x1c893f0, focusNow=0x7ffdef845d30)
    at /home/nate/kde/src/kwin/src/pointer_input.cpp:519
#12 0x00007f163f85a650 in KWin::InputDeviceHandler::update() (this=0x83acf0)
    at /home/nate/kde/src/kwin/src/input.cpp:3433
#13 KWin::InputDeviceHandler::update() (this=0x83acf0) at /home/nate/kde/src/kwin/src/input.cpp:3414
#14 0x00007f163f8c1a72 in QArrayDataPointer<KWin::InputEventFilter*>::constEnd() const
    (this=<optimized out>) at /usr/include/qt6/QtCore/qarraydatapointer.h:112
#15 QList<KWin::InputEventFilter*>::constEnd() const (this=<optimized out>)
    at /usr/include/qt6/QtCore/qlist.h:595
#16 KWin::InputRedirection::processFilters<std::_Bind<bool (KWin::InputEventFilter::*(std::_Placeholder<1>, KWin::MouseEvent*, unsigned int))(KWin::MouseEvent*, unsigned int)> >(std::_Bind<bool (KWin::InputEventFilter::*(std::_Placeholder<1>, KWin::MouseEvent*, unsigned int))(KWin::MouseEvent*, unsigned int)>) (function=..., this=<optimized out>) at /home/nate/kde/src/kwin/src/input.h:191
#17 KWin::PointerInputRedirection::processButton(unsigned int, KWin::InputRedirection::PointerButtonState, std::chrono::duration<long, std::ratio<1l, 1000000l> >, KWin::InputDevice*)
    (this=0x83acf0, button=272, state=KWin::InputRedirection::PointerButtonReleased, time=std::chrono::duration = { <optimized out>us }, device=<optimized out>)
    at /home/nate/kde/src/kwin/src/pointer_input.cpp:280
#18 0x00007f163c3ddb35 in QtPrivate::QSlotObjectBase::call(QObject*, void**)
    (a=0x7ffdef8460a0, r=0x83acf0, this=0x2b314a0)
    at /usr/src/debug/qt6-qtbase-6.5.1-2.fc38.x86_64/src/corelib/kernel/qobjectdefs_impl.h:363
#19 doActivate<false>(QObject*, int, void**) (sender=0x3c08470, signal_index=4, argv=0x7ffdef8460a0)
    at /usr/src/debug/qt6-qtbase-6.5.1-2.fc38.x86_64/src/corelib/kernel/qobject.cpp:3992
#20 0x00007f163c3d4757 in QMetaObject::activate(QObject*, QMetaObject const*, int, void**)
    (sender=<optimized out>, m=m@entry=0x7f163fd4f660 <KWin::InputDevice::staticMetaObject>, local_signal_index=local_signal_index@entry=1, argv=argv@entry=0x7ffdef8460a0)
    at /usr/src/debug/qt6-qtbase-6.5.1-2.fc38.x86_64/src/corelib/kernel/qobject.cpp:4052
#21 0x00007f163f7d83bf in KWin::InputDevice::pointerButtonChanged(unsigned int, KWin::InputRedirection::PointerButtonState, std::chrono::duration<long, std::ratio<1l, 1000000l> >, KWin::InputDevice*)
    (this=<optimized out>, _t1=<optimized out>, _t2=<optimized out>, _t3=std::chrono::duration = { 29924362846us }, _t4=<optimized out>)
    at /home/nate/kde/build6/kwin/src/kwin_autogen/include/moc_inputdevice.cpp:1035
#22 0x00007f163fa43fbc in KWin::LibInput::Connection::processEvents() (this=<optimized out>)
    at /home/nate/kde/src/kwin/src/backends/libinput/connection.cpp:353
#23 0x00007f163c3cf797 in QObject::event(QEvent*) (this=0x7a6d20, e=0x7f15f4007040)
    at /usr/src/debug/qt6-qtbase-6.5.1-2.fc38.x86_64/src/corelib/kernel/qobject.cpp:1391
#24 0x00007f163d7c0b08 in QApplicationPrivate::notify_helper(QObject*, QEvent*)
    (this=<optimized out>, receiver=0x7a6d20, e=0x7f15f4007040)
    at /usr/src/debug/qt6-qtbase-6.5.1-2.fc38.x86_64/src/widgets/kernel/qapplication.cpp:3287
#25 0x00007f163c37c308 in QCoreApplication::notifyInternal2(QObject*, QEvent*)
    (receiver=0x7a6d20, event=0x7f15f4007040)
    at /usr/src/debug/qt6-qtbase-6.5.1-2.fc38.x86_64/src/corelib/kernel/qcoreapplication.cpp:1115
#26 0x00007f163c37c50d in QCoreApplication::sendEvent(QObject*, QEvent*)
    (receiver=<optimized out>, event=<optimized out>)
    at /usr/src/debug/qt6-qtbase-6.5.1-2.fc38.x86_64/src/corelib/kernel/qcoreapplication.cpp:1533
#27 0x00007f163c37fd75 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*)
    (receiver=receiver@entry=0x0, event_type=event_type@entry=0, data=data@entry=0x726f50)
    at /usr/src/debug/qt6-qtbase-6.5.1-2.fc38.x86_64/src/corelib/kernel/qcoreapplication.cpp:1895
#28 0x00007f163c4fcca6 in QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)
    (this=0x72c220, flags=...)
    at /usr/src/debug/qt6-qtbase-6.5.1-2.fc38.x86_64/src/corelib/kernel/qeventdispatcher_unix.cpp:432
#29 0x00007f163d1434c2 in QUnixEventDispatcherQPA::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (this=<optimized out>, flags=...)
    at /usr/src/debug/qt6-qtbase-6.5.1-2.fc38.x86_64/src/gui/platform/unix/qunixeventdispatcher.cpp:27
#30 0x00007f163c388e93 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>)
    (this=this@entry=0x7ffdef846580, flags=..., flags@entry=...)
    at /usr/src/debug/qt6-qtbase-6.5.1-2.fc38.x86_64/src/corelib/global/qflags.h:34
#31 0x00007f163c384b3d in QCoreApplication::exec() ()
    at /usr/src/debug/qt6-qtbase-6.5.1-2.fc38.x86_64/src/corelib/global/qflags.h:74
#32 0x00007f163cbf85cd in QGuiApplication::exec() ()
    at /usr/src/debug/qt6-qtbase-6.5.1-2.fc38.x86_64/src/gui/kernel/qguiapplication.cpp:1894
#33 0x00007f163d7c0a79 in QApplication::exec() ()
    at /usr/src/debug/qt6-qtbase-6.5.1-2.fc38.x86_64/src/widgets/kernel/qapplication.cpp:2566
#34 0x00000000004305e8 in main(int, char**) (argc=<optimized out>, argv=<optimized out>)
    at /home/nate/kde/src/kwin/src/main_wayland.cpp:613

EXPECTED RESULT
No crash
Comment 1 Bug Janitor Service 2023-08-02 15:39:04 UTC
A possibly relevant merge request was started @ https://invent.kde.org/plasma/kwin/-/merge_requests/4291
Comment 2 Zamundaaa 2023-08-03 11:39:03 UTC
Git commit be6be22bae6a978514c535a6585c5b848157895f by Xaver Hugl.
Committed on 03/08/2023 at 13:28.
Pushed by zamundaaa into branch 'master'.

internalwindow: don't crash on pointer leave when m_handle is nullptr

M  +3    -0    src/internalwindow.cpp

https://invent.kde.org/plasma/kwin/-/commit/be6be22bae6a978514c535a6585c5b848157895f
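Reading the backtrace alongside the commit message: frame #4 shows QCoreApplication::notifyInternal2 called with receiver=0x0 from internalwindow.cpp:106, and frames #0 to #3 fault at address 0x8. That is consistent with a null QObject pointer: the object's vtable pointer occupies the first 8 bytes on x86_64, so loading its d_ptr (where QObjectPrivate and its threadData live) from a null object reads address 0x8. In the reproduction, the tooltip is an internal window whose handle is already gone while it still holds pointer focus, and the click's focus update sends it a leave event. The C++ below is an added illustration of that failure class and of a null guard; it is not KWin's code and not the three lines of commit be6be22b, which this page does not show. Receiver, InternalWindowLike, pointerLeaveGuarded and replayFocusUpdate are hypothetical stand-ins, and the early return is the usual shape of such a fix, assumed here rather than taken from the commit.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Stand-in for a QObject-like receiver: a vtable pointer first, then the
// private-data pointer Qt calls d_ptr. Constructed for this example; it is
// not Qt's class. With a null receiver, reading d_ptr touches address
// 0 + sizeof(void*), which on x86_64 is the 0x8 seen in the backtrace.
struct Receiver {
    virtual ~Receiver() = default;
    virtual bool event(int type) {
        lastEvent = type;
        return true;
    }
    void *d_ptr = nullptr;  // in Qt this holds QObjectPrivate (threadData lives there)
    int lastEvent = -1;
};

// Byte offset of d_ptr inside Receiver; equals the faulting address when
// the receiver pointer is null (the object's base address is 0).
std::uintptr_t dPtrOffsetFromNull() {
    Receiver r;
    return static_cast<std::uintptr_t>(reinterpret_cast<char *>(&r.d_ptr) -
                                       reinterpret_cast<char *>(&r));
}

// Stand-in for a compositor-side window whose handle can already be null
// while it still holds pointer focus (the tooltip in the report). Names are
// hypothetical, not KWin's.
class InternalWindowLike {
public:
    static constexpr int kLeave = 11;  // QEvent::Leave

    explicit InternalWindowLike(Receiver *handle) : m_handle(handle) {}
    void destroyHandle() { m_handle = nullptr; }

    // Unguarded: the path the backtrace shows, a leave delivered to a null
    // receiver. Never call this with m_handle == nullptr; it is the bug.
    bool pointerLeaveUnguarded() { return m_handle->event(kLeave); }

    // Guarded: drop the leave when there is no handle to deliver it to.
    // This is the assumed shape of the fix the commit message describes,
    // not its literal lines.
    bool pointerLeaveGuarded() {
        if (!m_handle) {
            return false;
        }
        return m_handle->event(kLeave);
    }

private:
    Receiver *m_handle;
};

// Replays the focus change from the report: the tooltip holds pointer
// focus, its handle goes away (or not), then the click moves focus and a
// leave is sent to the old focus window. Returns whether the leave was
// delivered; false means it was dropped instead of crashing.
bool replayFocusUpdate(bool handleAlreadyGone) {
    Receiver tooltipHandle;
    InternalWindowLike tooltip(&tooltipHandle);
    if (handleAlreadyGone) {
        tooltip.destroyHandle();
    }
    return tooltip.pointerLeaveGuarded();
}

int main() {
    std::printf("null receiver faults at 0x%zx\n",
                static_cast<std::size_t>(dPtrOffsetFromNull()));
    std::printf("leave delivered with live handle: %d\n", replayFocusUpdate(false));
    std::printf("leave delivered with null handle:  %d\n", replayFocusUpdate(true));
    return 0;
}
```

The offset helper is the part worth keeping in mind when triaging similar reports: a fault address that is a small constant (0x8, 0x10, 0x18) with a null `this` or `receiver` in the nearest named frame almost always means a member load through a null object pointer, and the constant tells you which member.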
Comment 3 Zamundaaa 2023-08-03 14:38:59 UTC
Git commit 59307e2678c194d61ba70130039a856490c4de67 by Xaver Hugl.
Committed on 03/08/2023 at 16:11.
Pushed by zamundaaa into branch 'Plasma/5.27'.

internalwindow: don't crash on pointer leave when m_handle is nullptr
(cherry picked from commit be6be22bae6a978514c535a6585c5b848157895f)

M  +3    -0    src/internalwindow.cpp

https://invent.kde.org/plasma/kwin/-/commit/59307e2678c194d61ba70130039a856490c4de67
Comment 4 Zamundaaa 2023-08-09 11:53:50 UTC
*** Bug 471464 has been marked as a duplicate of this bug. ***
Comment 5 Nate Graham 2024-02-06 20:01:07 UTC
*** Bug 480925 has been marked as a duplicate of this bug. ***
Comment 6 Nate Graham 2024-02-06 20:02:45 UTC
Duplicate crash from Bug 480925 is from a Plasma 5.27.10 system, while this was supposed to be fixed in 5.27.8. Re-opening.
Comment 7 Vlad Zahorodnii 2024-02-07 12:44:48 UTC
Bug 480925 is not a duplicate of this one, it's a different crash with a different backtrace.