Bug 478970

Summary: plasmawindowed 5.91.0 crashed sometimes when closing
Product: [Plasma] Plasma SDK
Reporter: Matt Fagnani <matt.fagnani>
Component: plasmoidviewer
Assignee: Plasma Bugs List <plasma-bugs-null>
Status: RESOLVED FIXED
Severity: crash
CC: agurenko, giorgos.tsiapaliokas, kdedev, nate
Priority: NOR
Keywords: qt6
Version First Reported In: 5.91.0
Target Milestone: ---
Platform: Fedora RPMs
OS: Linux
See Also: https://bugs.kde.org/show_bug.cgi?id=478893
Latest Commit:
Version Fixed/Implemented In:
Sentry Crash Report:
Attachments:
    Valgrind log with plasmawindowed org.kde.plasma.kickoff
    Full trace of all threads of plasmawindowed crash when closing
    Full trace of all threads of plasmawindowed crash in QObject::parent

Description Matt Fagnani 2023-12-24 15:29:19 UTC
Created attachment 164426 [details]
Valgrind log with plasmawindowed org.kde.plasma.kickoff

SUMMARY

I ran plasmawindowed org.kde.plasma.kickoff in Konsole in Plasma 5.91.0 on Wayland in Fedora Rawhide based on https://community.kde.org/Plasma/Debugging. plasmawindowed was blank grey. I maximized plasmawindowed. The main part of the plasmawindowed window showed a bigger version of the icon like ...> shown on the Plasma splash screen. I clicked on the main part of the plasmawindowed window. The Application Launcher menu was shown. The crashes I reported at https://bugs.kde.org/show_bug.cgi?id=478893 with Plasma 5.90.0 didn't happen. I closed plasmawindowed. plasmawindowed crashed with an error "corrupted size vs. prev_size while consolidating" in malloc_printerr in frame 5 of the trace.

Core was generated by `plasmawindowed org.kde.plasma.kickoff'.
Program terminated with signal SIGABRT, Aborted.
#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0)
    at pthread_kill.c:44
Downloading source file /usr/src/debug/glibc-2.38.9000-29.fc40.x86_64/nptl/pthread_kill.c
44            return INTERNAL_SYSCALL_ERROR_P (ret) ? INTERNAL_SYSCALL_ERRNO (ret) : 0;                                  
[Current thread is 1 (Thread 0x7f1b4c3b9b80 (LWP 7248))]
Missing separate debuginfos, use: dnf debuginfo-install plasma-workspace-5.91.0-2.fc40.x86_64
(gdb) bt
#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0)
    at pthread_kill.c:44
#1  0x00007f1b4a4acc33 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
#2  0x00007f1b4a45a8fe in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3  0x00007f1b4a4428ff in __GI_abort () at abort.c:79
#4  0x00007f1b4a4437d0 in __libc_message_impl (fmt=fmt@entry=0x7f1b4a5c1335 "%s\n") at ../sysdeps/posix/libc_fatal.c:132
#5  0x00007f1b4a4b6b35 in malloc_printerr (
    str=str@entry=0x7f1b4a5c4528 "corrupted size vs. prev_size while consolidating") at malloc.c:5770
#6  0x00007f1b4a4b8c74 in _int_free_merge_chunk (av=av@entry=0x7f1b4a5f5ac0 <main_arena>, p=0x562f336de2e0, size=432)
    at malloc.c:4693
#7  0x00007f1b4a4b8f4a in _int_free (av=0x7f1b4a5f5ac0 <main_arena>, p=p@entry=0x562f336de3f0, 
    have_lock=<optimized out>, have_lock@entry=0) at malloc.c:4644
#8  0x00007f1b4a4bb7de in __GI___libc_free (mem=0x562f336de400) at malloc.c:3396
#9  0x00007f1b4d5dce98 in PlasmaQuick::AppletQuickItemPrivate::preloadWeight (this=0x562f338758b0)
    at /usr/src/debug/libplasma-5.91.0-1.fc40.x86_64/src/plasmaquick/appletquickitem.cpp:69
#10 0x00007f1b4d5def99 in PlasmaQuick::AppletQuickItem::~AppletQuickItem (this=<optimized out>, this=<optimized out>)
    at /usr/include/qt6/QtCore/qflags.h:74
#11 0x00007f1b4d5e00e2 in PlasmoidItem::~PlasmoidItem (this=<optimized out>, this=<optimized out>)
    at /usr/src/debug/libplasma-5.91.0-1.fc40.x86_64/src/plasmaquick/plasmoid/plasmoiditem.cpp:46
#12 QQmlPrivate::QQmlElement<PlasmoidItem>::~QQmlElement (this=<optimized out>, this=<optimized out>)
    at /usr/include/qt6/QtQml/qqmlprivate.h:99
#13 QQmlPrivate::QQmlElement<PlasmoidItem>::~QQmlElement (this=<optimized out>, this=<optimized out>)
    at /usr/include/qt6/QtQml/qqmlprivate.h:99
#14 0x00007f1b4d5f95d0 in PlasmaQuick::SharedQmlEngine::~SharedQmlEngine (this=<optimized out>, this=<optimized out>)
    at /usr/src/debug/libplasma-5.91.0-1.fc40.x86_64/src/plasmaquick/sharedqmlengine.cpp:153
#15 0x00007f1b4d5f9685 in PlasmaQuick::SharedQmlEngine::~SharedQmlEngine (this=<optimized out>, this=<optimized out>)
    at /usr/src/debug/libplasma-5.91.0-1.fc40.x86_64/src/plasmaquick/sharedqmlengine.cpp:155
#16 0x00007f1b4abfa92d in QObjectPrivate::deleteChildren (this=this@entry=0x562f336d4780)
--Type <RET> for more, q to quit, c to continue without paging--c
    at /usr/src/debug/qt6-qtbase-6.6.1-1.fc40.x86_64/src/corelib/kernel/qobject.cpp:2206
#17 0x00007f1b4abfef68 in QObject::~QObject (this=<optimized out>, __in_chrg=<optimized out>)
    at /usr/src/debug/qt6-qtbase-6.6.1-1.fc40.x86_64/src/corelib/kernel/qobject.cpp:1159
#18 0x00007f1b4d555135 in Plasma::Applet::~Applet (this=<optimized out>, this=<optimized out>)
    at /usr/src/debug/libplasma-5.91.0-1.fc40.x86_64/src/plasma/applet.cpp:90
#19 0x00007f1b4abf3629 in QObject::event (this=0x562f336d5350, e=0x562f34598c30)
    at /usr/src/debug/qt6-qtbase-6.6.1-1.fc40.x86_64/src/corelib/kernel/qobject.cpp:1424
#20 0x00007f1b4bdc3168 in QApplicationPrivate::notify_helper (this=<optimized out>, receiver=0x562f336d5350, 
    e=0x562f34598c30) at /usr/src/debug/qt6-qtbase-6.6.1-1.fc40.x86_64/src/widgets/kernel/qapplication.cpp:3296
#21 0x00007f1b4aba0e08 in QCoreApplication::notifyInternal2 (receiver=0x562f336d5350, event=0x562f34598c30)
    at /usr/src/debug/qt6-qtbase-6.6.1-1.fc40.x86_64/src/corelib/kernel/qcoreapplication.cpp:1121
#22 0x00007f1b4aba100d in QCoreApplication::sendEvent (receiver=<optimized out>, event=<optimized out>)
    at /usr/src/debug/qt6-qtbase-6.6.1-1.fc40.x86_64/src/corelib/kernel/qcoreapplication.cpp:1539
#23 0x00007f1b4aba4d05 in QCoreApplicationPrivate::sendPostedEvents (receiver=0x0, event_type=0, data=0x562f3329fb60)
    at /usr/src/debug/qt6-qtbase-6.6.1-1.fc40.x86_64/src/corelib/kernel/qcoreapplication.cpp:1901
#24 0x00007f1b4aba507d in QCoreApplication::sendPostedEvents (receiver=<optimized out>, event_type=<optimized out>)
    at /usr/src/debug/qt6-qtbase-6.6.1-1.fc40.x86_64/src/corelib/kernel/qcoreapplication.cpp:1760
#25 0x00007f1b4ae6daef in postEventSourceDispatch (s=0x562f333110b0)
    at /usr/src/debug/qt6-qtbase-6.6.1-1.fc40.x86_64/src/corelib/kernel/qeventdispatcher_glib.cpp:243
#26 0x00007f1b49967e5c in g_main_dispatch (context=0x7f1b30000ef0) at ../glib/gmain.c:3476
#27 g_main_context_dispatch_unlocked (context=0x7f1b30000ef0) at ../glib/gmain.c:4284
#28 0x00007f1b499c2f18 in g_main_context_iterate_unlocked.isra.0 (context=context@entry=0x7f1b30000ef0, 
    block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:4349
#29 0x00007f1b49965ad3 in g_main_context_iteration (context=0x7f1b30000ef0, may_block=1) at ../glib/gmain.c:4414
#30 0x00007f1b4ae6d39f in QEventDispatcherGlib::processEvents (this=0x562f332a6590, flags=...)
    at /usr/src/debug/qt6-qtbase-6.6.1-1.fc40.x86_64/src/corelib/kernel/qeventdispatcher_glib.cpp:393
#31 0x00007f1b4abadbcb in QEventLoop::exec (this=this@entry=0x7ffd893d3230, flags=..., flags@entry=...)
    at /usr/src/debug/qt6-qtbase-6.6.1-1.fc40.x86_64/src/corelib/global/qflags.h:34
#32 0x00007f1b4aba99cd in QCoreApplication::exec ()
    at /usr/src/debug/qt6-qtbase-6.6.1-1.fc40.x86_64/src/corelib/global/qflags.h:74
#33 0x00007f1b4b3fa05d in QGuiApplication::exec ()
    at /usr/src/debug/qt6-qtbase-6.6.1-1.fc40.x86_64/src/gui/kernel/qguiapplication.cpp:1925
#34 0x00007f1b4bdc30d9 in QApplication::exec ()
    at /usr/src/debug/qt6-qtbase-6.6.1-1.fc40.x86_64/src/widgets/kernel/qapplication.cpp:2574
#35 0x0000562f32b4849b in main (argc=<optimized out>, argv=<optimized out>)
    at /usr/src/debug/plasma-workspace-5.91.0-2.fc40.x86_64/plasma-windowed/main.cpp:78

The trace appeared to indicate memory corruption while the Plasma applet was being freed. This crash happened 3/5 times I closed plasmawindowed in this way.

STEPS TO REPRODUCE
1. Log in to Plasma 5.91.0 on Wayland in Fedora Rawhide updated from koji
2. Start Konsole
3. plasmawindowed org.kde.plasma.kickoff (in Konsole) 
4. maximize plasmawindowed
5. click on the main part of the plasmawindowed window
6. close plasmawindowed
7. If the problem didn't happen, repeat steps 3-6 until it does

OBSERVED RESULT
plasmawindowed 5.91.0 crashed sometimes when closing

EXPECTED RESULT
plasmawindowed 5.91.0 shouldn't have crashed

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: Fedora Rawhide/40
(available in About System)
KDE Plasma Version: 5.91.0
KDE Frameworks Version: 5.247.0
Qt Version: 6.6.1

ADDITIONAL INFORMATION
I ran plasmawindowed org.kde.plasma.kickoff and followed the same steps. There were invalid reads which might be overreads like:

==9240== Thread 13 QSGRenderThread:
==9240== Invalid read of size 16
==9240==    at 0x30C25E78: ???
==9240==    by 0x3DE8E40F: ???
==9240==  Address 0x3dea47ae is 91,054 bytes inside a block of size 91,062 alloc'd
==9240==    at 0x484280F: malloc (vg_replace_malloc.c:442)
==9240==    by 0x6CAED10: allocateData (qarraydata.cpp:139)
==9240==    by 0x6CAED10: QArrayData::allocate(QArrayData**, long long, long long, long long, QArrayData::AllocationOption) (qarraydata.cpp:189)
==9240==    by 0x6C771BD: allocate (qarraydata.h:105)
==9240==    by 0x6C771BD: QString::fromLatin1(QByteArrayView) (qstring.cpp:5716)
==9240==    by 0x763FA67: UnknownInlinedFun (qstring.h:581)
==9240==    by 0x763FA67: KSvg::SharedSvgRenderer::load(QByteArray const&, QString const&, QHash<QString, QRectF>&) [clone .isra.0] (svg.cpp:152)
==9240==    by 0x762E77B: UnknownInlinedFun (svg.cpp:99)
==9240==    by 0x762E77B: KSvg::SvgPrivate::createRenderer() [clone .part.0] (svg.cpp:694)
==9240==    by 0x7626027: UnknownInlinedFun (svg.cpp:640)
==9240==    by 0x7626027: KSvg::SvgPrivate::findInCache(QString const&, double, QSizeF const&) (svg.cpp:628)
==9240==    by 0x7626ADE: KSvg::Svg::image(QSize const&, QString const&) (svg.cpp:922)
==9240==    by 0x2E86B6E7: UnknownInlinedFun (framesvgitem.cpp:120)
==9240==    by 0x2E86B6E7: KSvg::FrameItemNode::FrameItemNode(KSvg::FrameSvgItem*, QFlags<KSvg::FrameSvg::EnabledBorder>, KSvg::FrameItemNode::FitMode, QSGNode*) (framesvgitem.cpp:110)
==9240==    by 0x2E86CDB2: KSvg::FrameSvgItem::updatePaintNode(QSGNode*, QQuickItem::UpdatePaintNodeData*) (framesvgitem.cpp:608)
==9240==    by 0x4CFCF0B: QQuickWindowPrivate::updateDirtyNode(QQuickItem*) (qquickwindow.cpp:2155)
==9240==    by 0x4CFD6F3: QQuickWindowPrivate::updateDirtyNodes() (qquickwindow.cpp:1897)
==9240==    by 0x4D01973: QQuickWindowPrivate::syncSceneGraph() (qquickwindow.cpp:545)
==9240== 

There were many invalid reads which looked like use-after-free errors starting with the following involving PlasmaQuick::AppletQuickItem::~AppletQuickItem as in the trace.

==9240== Thread 1:
==9240== Invalid read of size 1
==9240==    at 0x4931D13: Plasma::Applet::config() const (applet.cpp:197)
==9240==    by 0x48A7F8E: PlasmaQuick::AppletQuickItem::~AppletQuickItem() (appletquickitem.cpp:459)
==9240==    by 0x48A90E1: UnknownInlinedFun (plasmoiditem.cpp:46)
==9240==    by 0x48A90E1: UnknownInlinedFun (qqmlprivate.h:99)
==9240==    by 0x48A90E1: QQmlPrivate::QQmlElement<PlasmoidItem>::~QQmlElement() (qqmlprivate.h:99)
==9240==    by 0x48C25CF: PlasmaQuick::SharedQmlEngine::~SharedQmlEngine() (sharedqmlengine.cpp:153)
==9240==    by 0x48C2684: PlasmaQuick::SharedQmlEngine::~SharedQmlEngine() (sharedqmlengine.cpp:155)
==9240==    by 0x6BDB92C: QObjectPrivate::deleteChildren() (qobject.cpp:2206)
==9240==    by 0x6BDFF67: QObject::~QObject() (qobject.cpp:1159)
==9240==    by 0x492D134: Plasma::Applet::~Applet() (applet.cpp:90)
==9240==    by 0x6BD4628: QObject::event(QEvent*) (qobject.cpp:1424)
==9240==    by 0x5AB1167: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:3296)
==9240==    by 0x6B81E07: QCoreApplication::notifyInternal2(QObject*, QEvent*) (qcoreapplication.cpp:1121)
==9240==    by 0x6B85D04: QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qcoreapplication.cpp:1901)
==9240==  Address 0x2d54ab05 is 309 bytes inside a block of size 312 free'd
==9240==    at 0x48468E5: operator delete(void*, unsigned long) (vg_replace_malloc.c:1101)
==9240==    by 0x492D0E7: UnknownInlinedFun (applet_p.cpp:96)
==9240==    by 0x492D0E7: Plasma::Applet::~Applet() (applet.cpp:89)
==9240==    by 0x492D134: Plasma::Applet::~Applet() (applet.cpp:90)
==9240==    by 0x6BD4628: QObject::event(QEvent*) (qobject.cpp:1424)
==9240==    by 0x5AB1167: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:3296)
==9240==    by 0x6B81E07: QCoreApplication::notifyInternal2(QObject*, QEvent*) (qcoreapplication.cpp:1121)
==9240==    by 0x6B85D04: QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qcoreapplication.cpp:1901)
==9240==    by 0x6E4EAEE: postEventSourceDispatch(_GSource*, int (*)(void*), void*) (qeventdispatcher_glib.cpp:243)
==9240==    by 0x83ECE5B: UnknownInlinedFun (gmain.c:3476)
==9240==    by 0x83ECE5B: g_main_context_dispatch_unlocked.lto_priv.0 (gmain.c:4284)
==9240==    by 0x8447F17: g_main_context_iterate_unlocked.isra.0 (gmain.c:4349)
==9240==    by 0x83EAAD2: g_main_context_iteration (gmain.c:4414)
==9240==    by 0x6E4E39E: QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventdispatcher_glib.cpp:393)
==9240==  Block was alloc'd at
==9240==    at 0x4842F95: operator new(unsigned long) (vg_replace_malloc.c:483)
==9240==    by 0x4933883: Plasma::Applet::Applet(QObject*, KPluginMetaData const&, QList<QVariant> const&) (applet.cpp:49)
==9240==    by 0x493539B: Plasma::PluginLoader::loadApplet(QString const&, unsigned int, QList<QVariant> const&) (pluginloader.cpp:131)
==9240==    by 0x116448: PlasmaWindowedCorona::loadApplet(QString const&, QList<QVariant> const&) (plasmawindowedcorona.cpp:78)
==9240==    by 0x111404: main (main.cpp:74)
==9240== 
==9240== Invalid read of size 8
==9240==    at 0x4931E27: UnknownInlinedFun (applet_p.cpp:510)
==9240==    by 0x4931E27: Plasma::Applet::config() const (applet.cpp:205)
==9240==    by 0x48A7F8E: PlasmaQuick::AppletQuickItem::~AppletQuickItem() (appletquickitem.cpp:459)
==9240==    by 0x48A90E1: UnknownInlinedFun (plasmoiditem.cpp:46)
==9240==    by 0x48A90E1: UnknownInlinedFun (qqmlprivate.h:99)
==9240==    by 0x48A90E1: QQmlPrivate::QQmlElement<PlasmoidItem>::~QQmlElement() (qqmlprivate.h:99)
==9240==    by 0x48C25CF: PlasmaQuick::SharedQmlEngine::~SharedQmlEngine() (sharedqmlengine.cpp:153)
==9240==    by 0x48C2684: PlasmaQuick::SharedQmlEngine::~SharedQmlEngine() (sharedqmlengine.cpp:155)
==9240==    by 0x6BDB92C: QObjectPrivate::deleteChildren() (qobject.cpp:2206)
==9240==    by 0x6BDFF67: QObject::~QObject() (qobject.cpp:1159)
==9240==    by 0x492D134: Plasma::Applet::~Applet() (applet.cpp:90)
==9240==    by 0x6BD4628: QObject::event(QEvent*) (qobject.cpp:1424)
==9240==    by 0x5AB1167: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:3296)
==9240==    by 0x6B81E07: QCoreApplication::notifyInternal2(QObject*, QEvent*) (qcoreapplication.cpp:1121)
==9240==    by 0x6B85D04: QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qcoreapplication.cpp:1901)
==9240==  Address 0x2d54aa58 is 136 bytes inside a block of size 312 free'd
==9240==    at 0x48468E5: operator delete(void*, unsigned long) (vg_replace_malloc.c:1101)
==9240==    by 0x492D0E7: UnknownInlinedFun (applet_p.cpp:96)
==9240==    by 0x492D0E7: Plasma::Applet::~Applet() (applet.cpp:89)
==9240==    by 0x492D134: Plasma::Applet::~Applet() (applet.cpp:90)
==9240==    by 0x6BD4628: QObject::event(QEvent*) (qobject.cpp:1424)
==9240==    by 0x5AB1167: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:3296)
==9240==    by 0x6B81E07: QCoreApplication::notifyInternal2(QObject*, QEvent*) (qcoreapplication.cpp:1121)
==9240==    by 0x6B85D04: QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qcoreapplication.cpp:1901)
==9240==    by 0x6E4EAEE: postEventSourceDispatch(_GSource*, int (*)(void*), void*) (qeventdispatcher_glib.cpp:243)
==9240==    by 0x83ECE5B: UnknownInlinedFun (gmain.c:3476)
==9240==    by 0x83ECE5B: g_main_context_dispatch_unlocked.lto_priv.0 (gmain.c:4284)
==9240==    by 0x8447F17: g_main_context_iterate_unlocked.isra.0 (gmain.c:4349)
==9240==    by 0x83EAAD2: g_main_context_iteration (gmain.c:4414)
==9240==    by 0x6E4E39E: QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventdispatcher_glib.cpp:393)
==9240==  Block was alloc'd at
==9240==    at 0x4842F95: operator new(unsigned long) (vg_replace_malloc.c:483)
==9240==    by 0x4933883: Plasma::Applet::Applet(QObject*, KPluginMetaData const&, QList<QVariant> const&) (applet.cpp:49)
==9240==    by 0x493539B: Plasma::PluginLoader::loadApplet(QString const&, unsigned int, QList<QVariant> const&) (pluginloader.cpp:131)
==9240==    by 0x116448: PlasmaWindowedCorona::loadApplet(QString const&, QList<QVariant> const&) (plasmawindowedcorona.cpp:78)
==9240==    by 0x111404: main (main.cpp:74)
==9240== 

Invalid frees which might've been double frees were shown later in the log involving PlasmaQuick::AppletQuickItemPrivate::preloadWeight as in frame 9 of the crash's trace. plasmawindowed didn't crash when I ran it under valgrind, but such errors might have resulted in the crashes I saw. I'll attach the full valgrind log.

==9240== Invalid free() / delete / delete[] / realloc()
==9240==    at 0x48468E5: operator delete(void*, unsigned long) (vg_replace_malloc.c:1101)
==9240==    by 0x48A5FC7: PlasmaQuick::AppletQuickItemPrivate::preloadWeight() const (appletquickitem.cpp:80)
==9240==    by 0x48A7F98: PlasmaQuick::AppletQuickItem::~AppletQuickItem() (appletquickitem.cpp:459)
==9240==    by 0x48A90E1: UnknownInlinedFun (plasmoiditem.cpp:46)
==9240==    by 0x48A90E1: UnknownInlinedFun (qqmlprivate.h:99)
==9240==    by 0x48A90E1: QQmlPrivate::QQmlElement<PlasmoidItem>::~QQmlElement() (qqmlprivate.h:99)
==9240==    by 0x48C25CF: PlasmaQuick::SharedQmlEngine::~SharedQmlEngine() (sharedqmlengine.cpp:153)
==9240==    by 0x48C2684: PlasmaQuick::SharedQmlEngine::~SharedQmlEngine() (sharedqmlengine.cpp:155)
==9240==    by 0x6BDB92C: QObjectPrivate::deleteChildren() (qobject.cpp:2206)
==9240==    by 0x6BDFF67: QObject::~QObject() (qobject.cpp:1159)
==9240==    by 0x492D134: Plasma::Applet::~Applet() (applet.cpp:90)
==9240==    by 0x6BD4628: QObject::event(QEvent*) (qobject.cpp:1424)
==9240==    by 0x5AB1167: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:3296)
==9240==    by 0x6B81E07: QCoreApplication::notifyInternal2(QObject*, QEvent*) (qcoreapplication.cpp:1121)
==9240==  Address 0x2d547b30 is 0 bytes inside a block of size 144 free'd
==9240==    at 0x48468E5: operator delete(void*, unsigned long) (vg_replace_malloc.c:1101)
==9240==    by 0x4952351: Plasma::AppletPrivate::~AppletPrivate() (applet_p.cpp:96)
==9240==    by 0x492D0DA: UnknownInlinedFun (applet_p.cpp:96)
==9240==    by 0x492D0DA: Plasma::Applet::~Applet() (applet.cpp:89)
==9240==    by 0x492D134: Plasma::Applet::~Applet() (applet.cpp:90)
==9240==    by 0x6BD4628: QObject::event(QEvent*) (qobject.cpp:1424)
==9240==    by 0x5AB1167: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:3296)
==9240==    by 0x6B81E07: QCoreApplication::notifyInternal2(QObject*, QEvent*) (qcoreapplication.cpp:1121)
==9240==    by 0x6B85D04: QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qcoreapplication.cpp:1901)
==9240==    by 0x6E4EAEE: postEventSourceDispatch(_GSource*, int (*)(void*), void*) (qeventdispatcher_glib.cpp:243)
==9240==    by 0x83ECE5B: UnknownInlinedFun (gmain.c:3476)
==9240==    by 0x83ECE5B: g_main_context_dispatch_unlocked.lto_priv.0 (gmain.c:4284)
==9240==    by 0x8447F17: g_main_context_iterate_unlocked.isra.0 (gmain.c:4349)
==9240==    by 0x83EAAD2: g_main_context_iteration (gmain.c:4414)
==9240==  Block was alloc'd at
==9240==    at 0x4842F95: operator new(unsigned long) (vg_replace_malloc.c:483)
==9240==    by 0x57A77FA: KPluginMetaData::KPluginMetaData(QJsonObject const&, QString const&) (kpluginmetadata.cpp:192)
==9240==    by 0x57AD100: KPluginMetaData::fromJsonFile(QString const&) (kpluginmetadata.cpp:237)
==9240==    by 0x49A92AA: UnknownInlinedFun (package.cpp:859)
==9240==    by 0x49A92AA: KPackage::PackagePrivate::createPackageMetadata(QString const&) (package.cpp:855)
==9240==    by 0x49AFAD4: KPackage::Package::metadata() const (package.cpp:197)
==9240==    by 0x49B1DB5: KPackage::Package::setPath(QString const&) (package.cpp:522)
==9240==    by 0x49B1ABA: KPackage::PackageLoader::loadPackage(QString const&, QString const&) (packageloader.cpp:60)
==9240==    by 0x4934A2E: Plasma::PluginLoader::loadApplet(QString const&, unsigned int, QList<QVariant> const&) (pluginloader.cpp:97)
==9240==    by 0x116448: PlasmaWindowedCorona::loadApplet(QString const&, QList<QVariant> const&) (plasmawindowedcorona.cpp:78)
==9240==    by 0x111404: main (main.cpp:74)
==9240==
Comment 1 Matt Fagnani 2023-12-24 15:32:54 UTC
Created attachment 164427 [details]
Full trace of all threads of plasmawindowed crash when closing
Comment 2 Matt Fagnani 2023-12-25 04:59:21 UTC
Created attachment 164433 [details]
Full trace of all threads of plasmawindowed crash in QObject::parent

plasmawindowed org.kde.plasma.kickoff crashed when closing with a different trace in QObject::parent. The crash might've been a null pointer dereference since QObject::parent had this=0x0.

Core was generated by `plasmawindowed org.kde.plasma.kickoff'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  QObject::parent (this=0x0) at /usr/include/qt6/QtCore/qscopedpointer.h:90
Downloading source file /usr/include/qt6/QtCore/qscopedpointer.h
90          T *operator->() const noexcept                                                                               
[Current thread is 1 (Thread 0x7fbed19f9b80 (LWP 13870))]
Missing separate debuginfos, use: dnf debuginfo-install plasma-workspace-5.91.0-2.fc40.x86_64
(gdb) bt
#0  QObject::parent (this=0x0) at /usr/include/qt6/QtCore/qscopedpointer.h:90
#1  Plasma::Applet::containment (this=<optimized out>)
    at /usr/src/debug/libplasma-5.91.0-1.fc40.x86_64/src/plasma/applet.cpp:733
#2  0x00007fbed3210af3 in Plasma::AppletPrivate::mainConfigGroup (this=0x5603941b7b40)
    at /usr/src/debug/libplasma-5.91.0-1.fc40.x86_64/src/plasma/private/applet_p.cpp:514
#3  0x00007fbed31eeea5 in Plasma::AppletPrivate::mainConfigGroup (this=<optimized out>)
    at /usr/include/qt6/QtCore/qarraydatapointer.h:413
#4  Plasma::Applet::config (this=0x5603941ac5b0)
    at /usr/src/debug/libplasma-5.91.0-1.fc40.x86_64/src/plasma/applet.cpp:205
#5  0x00007fbed3273f8f in PlasmaQuick::AppletQuickItem::~AppletQuickItem (this=<optimized out>, this=<optimized out>)
    at /usr/src/debug/libplasma-5.91.0-1.fc40.x86_64/src/plasmaquick/appletquickitem.cpp:459
#6  0x00007fbed32750e2 in PlasmoidItem::~PlasmoidItem (this=<optimized out>, this=<optimized out>)
    at /usr/src/debug/libplasma-5.91.0-1.fc40.x86_64/src/plasmaquick/plasmoid/plasmoiditem.cpp:46
#7  QQmlPrivate::QQmlElement<PlasmoidItem>::~QQmlElement (this=<optimized out>, this=<optimized out>)
    at /usr/include/qt6/QtQml/qqmlprivate.h:99
#8  QQmlPrivate::QQmlElement<PlasmoidItem>::~QQmlElement (this=<optimized out>, this=<optimized out>)
    at /usr/include/qt6/QtQml/qqmlprivate.h:99
#9  0x00007fbed328e5d0 in PlasmaQuick::SharedQmlEngine::~SharedQmlEngine (this=<optimized out>, this=<optimized out>)
    at /usr/src/debug/libplasma-5.91.0-1.fc40.x86_64/src/plasmaquick/sharedqmlengine.cpp:153
#10 0x00007fbed328e685 in PlasmaQuick::SharedQmlEngine::~SharedQmlEngine (this=<optimized out>, this=<optimized out>)
    at /usr/src/debug/libplasma-5.91.0-1.fc40.x86_64/src/plasmaquick/sharedqmlengine.cpp:155
#11 0x00007fbed09fa92d in QObjectPrivate::deleteChildren (this=this@entry=0x5603941ade50)
    at /usr/src/debug/qt6-qtbase-6.6.1-1.fc40.x86_64/src/corelib/kernel/qobject.cpp:2206
#12 0x00007fbed09fef68 in QObject::~QObject (this=<optimized out>, __in_chrg=<optimized out>)
    at /usr/src/debug/qt6-qtbase-6.6.1-1.fc40.x86_64/src/corelib/kernel/qobject.cpp:1159
#13 0x00007fbed31ea135 in Plasma::Applet::~Applet (this=<optimized out>, this=<optimized out>)
    at /usr/src/debug/libplasma-5.91.0-1.fc40.x86_64/src/plasma/applet.cpp:90
#14 0x00007fbed09f3629 in QObject::event (this=0x5603941ac5b0, e=0x7fbe7cf5e620)
--Type <RET> for more, q to quit, c to continue without paging--c
    at /usr/src/debug/qt6-qtbase-6.6.1-1.fc40.x86_64/src/corelib/kernel/qobject.cpp:1424
#15 0x00007fbed1bc3168 in QApplicationPrivate::notify_helper (this=<optimized out>, receiver=0x5603941ac5b0, 
    e=0x7fbe7cf5e620) at /usr/src/debug/qt6-qtbase-6.6.1-1.fc40.x86_64/src/widgets/kernel/qapplication.cpp:3296
#16 0x00007fbed09a0e08 in QCoreApplication::notifyInternal2 (receiver=0x5603941ac5b0, event=0x7fbe7cf5e620)
    at /usr/src/debug/qt6-qtbase-6.6.1-1.fc40.x86_64/src/corelib/kernel/qcoreapplication.cpp:1121
#17 0x00007fbed09a100d in QCoreApplication::sendEvent (receiver=<optimized out>, event=<optimized out>)
    at /usr/src/debug/qt6-qtbase-6.6.1-1.fc40.x86_64/src/corelib/kernel/qcoreapplication.cpp:1539
#18 0x00007fbed09a4d05 in QCoreApplicationPrivate::sendPostedEvents (receiver=0x0, event_type=0, data=0x560393dceb60)
    at /usr/src/debug/qt6-qtbase-6.6.1-1.fc40.x86_64/src/corelib/kernel/qcoreapplication.cpp:1901
#19 0x00007fbed09a507d in QCoreApplication::sendPostedEvents (receiver=<optimized out>, event_type=<optimized out>)
    at /usr/src/debug/qt6-qtbase-6.6.1-1.fc40.x86_64/src/corelib/kernel/qcoreapplication.cpp:1760
#20 0x00007fbed0c6daef in postEventSourceDispatch (s=0x560393e5c8e0)
    at /usr/src/debug/qt6-qtbase-6.6.1-1.fc40.x86_64/src/corelib/kernel/qeventdispatcher_glib.cpp:243
#21 0x00007fbecf614e5c in g_main_dispatch (context=0x7fbeb8000ef0) at ../glib/gmain.c:3476
#22 g_main_context_dispatch_unlocked (context=0x7fbeb8000ef0) at ../glib/gmain.c:4284
#23 0x00007fbecf66ff18 in g_main_context_iterate_unlocked.isra.0 (context=context@entry=0x7fbeb8000ef0, 
    block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:4349
#24 0x00007fbecf612ad3 in g_main_context_iteration (context=0x7fbeb8000ef0, may_block=1) at ../glib/gmain.c:4414
#25 0x00007fbed0c6d39f in QEventDispatcherGlib::processEvents (this=0x560393dd5590, flags=...)
    at /usr/src/debug/qt6-qtbase-6.6.1-1.fc40.x86_64/src/corelib/kernel/qeventdispatcher_glib.cpp:393
#26 0x00007fbed09adbcb in QEventLoop::exec (this=this@entry=0x7ffec341ab20, flags=..., flags@entry=...)
    at /usr/src/debug/qt6-qtbase-6.6.1-1.fc40.x86_64/src/corelib/global/qflags.h:34
#27 0x00007fbed09a99cd in QCoreApplication::exec ()
    at /usr/src/debug/qt6-qtbase-6.6.1-1.fc40.x86_64/src/corelib/global/qflags.h:74
#28 0x00007fbed11fa05d in QGuiApplication::exec ()
    at /usr/src/debug/qt6-qtbase-6.6.1-1.fc40.x86_64/src/gui/kernel/qguiapplication.cpp:1925
#29 0x00007fbed1bc30d9 in QApplication::exec ()
    at /usr/src/debug/qt6-qtbase-6.6.1-1.fc40.x86_64/src/widgets/kernel/qapplication.cpp:2574
#30 0x0000560393c1149b in main (argc=<optimized out>, argv=<optimized out>)
    at /usr/src/debug/plasma-workspace-5.91.0-2.fc40.x86_64/plasma-windowed/main.cpp:78

Plasma::AppletPrivate::mainConfigGroup in frame 2 had a null q pointer and ran q->containment() so that might be where the null pointer was from.

(gdb) frame 2
#2  0x00007fbed3210af3 in Plasma::AppletPrivate::mainConfigGroup (this=0x5603941b7b40)
    at /usr/src/debug/libplasma-5.91.0-1.fc40.x86_64/src/plasma/private/applet_p.cpp:514
Downloading source file /usr/src/debug/libplasma-5.91.0-1.fc40.x86_64/src/plasma/private/applet_p.cpp
514         Containment *c = q->containment();                                                                           
(gdb) p q

The invalid reads and frees I saw with valgrind might've led to the different traces in a race condition depending on whether the memory corruption was detected by glibc or the crash in QObject::parent happened first. The full trace of all threads is attached.
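The valgrind output in the description shows a destruction-order hazard: Plasma::Applet::~Applet frees AppletPrivate (applet.cpp:89), and only afterwards the QObject base destructor deletes the applet's children, whose destructor (~AppletQuickItem) calls back into Applet::config() and touches the freed private data; the null q pointer in comment 2 is the same teardown seen from the other side. The toy below is an added example, not Plasma or Qt code, that reproduces that ordering with plain C++ objects so the stale read can be counted rather than left to crash the process; the Order switch, the names Applet/AppletPrivate/QuickItem and the "Applet-42" config group are constructed stand-ins, and the null check in config() exists only so the toy reports the stale access instead of invoking undefined behaviour. It also shows the ordering that avoids the problem: tear down the children while the private data is still alive, then free it.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Constructed toy: counts reads of an applet's private data that happen after
// that data has been released (the "stale read" the valgrind log flags above).
static int g_staleReads = 0;

// Stand-in for Plasma::AppletPrivate (the block freed at applet.cpp:89).
struct AppletPrivate {
    std::string mainConfigGroup = "Applet-42";
};

struct Applet;

// Stand-in for PlasmaQuick::AppletQuickItem: a child object whose destructor
// still reads the applet's config, as ~AppletQuickItem() -> Applet::config()
// does in the report.
struct QuickItem {
    Applet* applet;
    std::string* sink;   // where the destructor records what it read
    QuickItem(Applet* a, std::string* out) : applet(a), sink(out) {}
    ~QuickItem();
};

struct Applet {
    // Which teardown order the destructor uses (hypothetical switch for the demo).
    enum class Order { FreePrivateThenChildren, ChildrenThenFreePrivate };

    explicit Applet(Order o) : order(o) {}
    Order order;
    AppletPrivate* d = new AppletPrivate;
    std::vector<QuickItem*> children;

    // Stand-in for Plasma::Applet::config(). The null check makes a stale read
    // observable in this toy instead of undefined behaviour.
    std::string config() const {
        if (!d) {
            ++g_staleReads;
            return "";
        }
        return d->mainConfigGroup;
    }

    // Idempotent, like QObjectPrivate::deleteChildren().
    void deleteChildren() {
        std::vector<QuickItem*> kids;
        kids.swap(children);
        for (QuickItem* c : kids)
            delete c;
    }

    ~Applet() {
        if (order == Order::ChildrenThenFreePrivate)
            deleteChildren();           // fix: children go while d is alive
        delete d;                       // applet.cpp:89 in the report
        d = nullptr;
        // In Qt this last step is QObject::~QObject() -> deleteChildren(),
        // which runs after the derived destructor body has already freed d.
        deleteChildren();
    }
};

QuickItem::~QuickItem() { *sink = applet->config(); }

struct TeardownResult {
    int staleReads;
    std::string childSaw;
};

// Builds an applet with one child and destroys it in the given order.
static TeardownResult teardown(Applet::Order order) {
    g_staleReads = 0;
    TeardownResult r{0, ""};
    Applet* applet = new Applet(order);
    applet->children.push_back(new QuickItem(applet, &r.childSaw));
    delete applet;
    r.staleReads = g_staleReads;
    return r;
}

TeardownResult teardownBuggy() { return teardown(Applet::Order::FreePrivateThenChildren); }
TeardownResult teardownFixed() { return teardown(Applet::Order::ChildrenThenFreePrivate); }

int main() {
    TeardownResult b = teardownBuggy();
    TeardownResult f = teardownFixed();
    std::cout << "buggy order: stale reads=" << b.staleReads
              << " child saw='" << b.childSaw << "'\n";
    std::cout << "fixed order: stale reads=" << f.staleReads
              << " child saw='" << f.childSaw << "'\n";
    return 0;
}
```

In the real code the second deleteChildren() call is not visible in Plasma::Applet::~Applet at all, because it lives in the QObject base destructor; that is what makes this class of bug easy to miss in review and why valgrind's "free'd ... by Plasma::Applet::~Applet (applet.cpp:89)" followed by "Invalid read ... ~AppletQuickItem()" is the telltale pattern to look for. Whether the glibc "corrupted size vs. prev_size" abort or the null-pointer segfault fires first depends on what the allocator hands back in the freed slot, which is consistent with the differing traces in comments 0 and 2.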
Comment 3 Matt Fagnani 2023-12-25 05:02:54 UTC
The null q pointer line wasn't shown in my previous comment.

(gdb) frame 2
#2  0x00007fbed3210af3 in Plasma::AppletPrivate::mainConfigGroup (this=0x5603941b7b40)
    at /usr/src/debug/libplasma-5.91.0-1.fc40.x86_64/src/plasma/private/applet_p.cpp:514
Downloading source file /usr/src/debug/libplasma-5.91.0-1.fc40.x86_64/src/plasma/private/applet_p.cpp
514         Containment *c = q->containment();                                                                           
(gdb) p q
$4 = (Plasma::Applet *) 0x0
Comment 4 TraceyC 2025-06-25 20:16:34 UTC
Thanks for the bug report. I'm sorry we weren't able to get to this yet. There have been many fixes and improvements since this was reported, and this issue may have been fixed. I'm not able to reproduce this on today's git-master, running the command provided ten times.

Can you please re-test on your system with Plasma 6.4.1 or later and let us know if you can still reproduce the problem? If you can, please set this report back to REPORTED. Thanks!
Comment 5 Matt Fagnani 2025-06-25 20:29:15 UTC
This problem didn't happen in Plasma 6.4.0 on Wayland when I ran plasmawindowed org.kde.plasma.kickoff several times. The application launcher menu appeared right away instead of the ...> icon as when I reported this problem. I guess this was fixed. Thanks.