Bug 481849

Summary: Crashing when creating multiple windows of same app.
Product: [Plasma] plasmashell
Reporter: OrakMoya <orakmoyaofficial>
Component: general
Assignee: Plasma Bugs List <plasma-bugs>
Status: RESOLVED DUPLICATE
Severity: crash
CC: kde, sitter
Priority: NOR
Keywords: drkonqi
Version: 5.27.10
Target Milestone: 1.0
Platform: Arch Linux
OS: Linux
Latest Commit:
Version Fixed In:
Sentry Crash Report:

Description OrakMoya 2024-02-26 08:59:48 UTC
Application: plasmashell (5.27.10)

Qt Version: 5.15.12
Frameworks Version: 5.115.0
Operating System: Linux 6.7.6-zen1-1-zen x86_64
Windowing System: X11
Distribution: "Arch Linux"
DrKonqi: 5.27.10 [KCrashBackend]

-- Information about the crash:
I'm seeing intermittent crashes of plasmashell without an obvious cause.
Seems to be random. I'm seeing it happen once or twice within 10 minutes.

The crash can be reproduced sometimes.

-- Backtrace:
Application: Plasma (plasmashell), signal: Segmentation fault
Content of s_kcrashErrorMessage: std::unique_ptr<char []> = {get() = <optimized out>}
[KCrash Handler]
#6  0x00007c61f8039930 in std::__atomic_base<int>::load (__m=std::memory_order_relaxed, this=0x7c662a1c8c1d) at /usr/include/c++/13.2.1/bits/atomic_base.h:505
#7  QAtomicOps<int>::loadRelaxed<int> (_q_value=<error reading variable: Cannot access memory at address 0x7c662a1c8c1d>) at /usr/include/qt/QtCore/qatomic_cxx11.h:239
#8  QBasicAtomicInteger<int>::loadRelaxed (this=0x7c662a1c8c1d) at /usr/include/qt/QtCore/qbasicatomic.h:107
#9  QtPrivate::RefCount::deref (this=0x7c662a1c8c1d) at /usr/include/qt/QtCore/qrefcount.h:66
#10 QVector<int>::~QVector (this=0x7c61ec01dfa0, this=<optimized out>) at /usr/include/qt/QtCore/qvector.h:73
#11 TaskManager::TaskGroupingProxyModel::Private::sourceRowsAboutToBeRemoved (this=0x6051ad8358e0, parent=<optimized out>, first=<optimized out>, last=2) at /usr/src/debug/plasma-workspace/plasma-workspace-5.27.10/libtaskmanager/taskgroupingproxymodel.cpp:148
#12 0x00007c61ffac8e27 in QtPrivate::QSlotObjectBase::call (a=0x7ffd1e8661d0, r=<optimized out>, this=0x6051ad83b0b0, this=<optimized out>, r=<optimized out>, a=<optimized out>) at ../../include/QtCore/../../src/corelib/kernel/qobjectdefs_impl.h:398
#13 doActivate<false> (sender=0x6051ad831610, signal_index=14, argv=0x7ffd1e8661d0) at kernel/qobject.cpp:3925
#14 0x00007c61ffa4fa23 in QAbstractItemModel::rowsAboutToBeRemoved (this=this@entry=0x6051ad831610, _t1=..., _t2=<optimized out>, _t2@entry=2, _t3=<optimized out>, _t3@entry=2, _t4=...) at .moc/moc_qabstractitemmodel.cpp:599
#15 0x00007c61ffa4faaa in QAbstractItemModel::beginRemoveRows (this=0x6051ad831610, parent=..., first=2, last=2) at itemmodels/qabstractitemmodel.cpp:2820
#16 0x00007c61ffa6c91e in QSortFilterProxyModelPrivate::remove_proxy_interval (this=0x6051ad838550, emit_signal=true, orient=Qt::Vertical, proxy_parent=..., proxy_end=2, proxy_start=2, proxy_to_source=..., source_to_proxy=...) at itemmodels/qsortfilterproxymodel.cpp:804
#17 QSortFilterProxyModelPrivate::remove_source_items (this=0x6051ad838550, source_to_proxy=..., proxy_to_source=..., source_items=<optimized out>, source_parent=<optimized out>, orient=Qt::Vertical, emit_signal=true) at itemmodels/qsortfilterproxymodel.cpp:792
#18 0x00007c61ffa7a1ad in QSortFilterProxyModelPrivate::_q_sourceDataChanged (this=0x6051ad838550, source_top_left=<optimized out>, source_bottom_right=<optimized out>, roles=...) at itemmodels/qsortfilterproxymodel.cpp:1483
#19 0x00007c61ffac8fe3 in doActivate<false> (sender=0x6051ad82e740, signal_index=3, argv=0x7ffd1e8665d0) at kernel/qobject.cpp:3937
#20 0x00007c61ffa4f361 in QAbstractItemModel::dataChanged (this=<optimized out>, _t1=<optimized out>, _t2=<optimized out>, _t3=<optimized out>) at .moc/moc_qabstractitemmodel.cpp:557
#21 0x00007c61ffa70cbe in QConcatenateTablesProxyModelPrivate::_q_slotDataChanged (this=<optimized out>, roles=..., to=<optimized out>, from=<optimized out>) at itemmodels/qconcatenatetablesproxymodel.cpp:634
#22 QConcatenateTablesProxyModel::qt_static_metacall (_o=<optimized out>, _c=<optimized out>, _id=<optimized out>, _a=<optimized out>) at .moc/moc_qconcatenatetablesproxymodel.cpp:155
#23 0x00007c61ffac8fe3 in doActivate<false> (sender=0x6051ad82f390, signal_index=3, argv=0x7ffd1e8667c0) at kernel/qobject.cpp:3937
#24 0x00007c61ffa4f361 in QAbstractItemModel::dataChanged (this=<optimized out>, _t1=<optimized out>, _t2=<optimized out>, _t3=<optimized out>) at .moc/moc_qabstractitemmodel.cpp:557
#25 0x00007c61ffa722a1 in QIdentityProxyModelPrivate::_q_sourceDataChanged (this=<optimized out>, roles=..., bottomRight=<optimized out>, topLeft=...) at itemmodels/qidentityproxymodel.cpp:507
#26 QIdentityProxyModel::qt_static_metacall (_o=<optimized out>, _id=<optimized out>, _a=<optimized out>, _c=<optimized out>) at .moc/moc_qidentityproxymodel.cpp:164
#27 0x00007c61ffac8fe3 in doActivate<false> (sender=0x6051ad82f520, signal_index=3, argv=0x7ffd1e866980) at kernel/qobject.cpp:3937
#28 0x00007c61ffa4f361 in QAbstractItemModel::dataChanged (this=<optimized out>, _t1=..., _t2=..., _t3=...) at .moc/moc_qabstractitemmodel.cpp:557
#29 0x00007c61f80696ef in TaskManager::XWindowTasksModel::Private::dataChanged (this=0x6051ad82f7f0, window=<optimized out>, roles=...) at /usr/src/debug/plasma-workspace/plasma-workspace-5.27.10/libtaskmanager/xwindowtasksmodel.cpp:417
#30 0x00007c61f8072bea in TaskManager::XWindowTasksModel::Private::windowChanged (properties2=..., properties=..., window=<optimized out>, this=0x6051ad82f7f0) at /usr/src/debug/plasma-workspace/plasma-workspace-5.27.10/libtaskmanager/xwindowtasksmodel.cpp:404
#31 operator() (properties2=..., properties=..., window=85983236, __closure=<optimized out>) at /usr/src/debug/plasma-workspace/plasma-workspace-5.27.10/libtaskmanager/xwindowtasksmodel.cpp:162
#32 QtPrivate::FunctorCall<QtPrivate::IndexesList<0, 1, 2>, QtPrivate::List<long long unsigned int, QFlags<NET::Property>, QFlags<NET::Property2> >, void, TaskManager::XWindowTasksModel::Private::init()::<lambda(WId, NET::Properties, NET::Properties2)> >::call (f=<optimized out>, arg=<optimized out>) at /usr/include/qt/QtCore/qobjectdefs_impl.h:146
#33 QtPrivate::Functor<TaskManager::XWindowTasksModel::Private::init()::<lambda(WId, NET::Properties, NET::Properties2)>, 3>::call<QtPrivate::List<unsigned long long, QFlags<NET::Property>, QFlags<NET::Property2> >, void> (arg=<optimized out>, f=<optimized out>) at /usr/include/qt/QtCore/qobjectdefs_impl.h:256
#34 QtPrivate::QFunctorSlotObject<TaskManager::XWindowTasksModel::Private::init()::<lambda(WId, NET::Properties, NET::Properties2)>, 3, QtPrivate::List<long long unsigned int, QFlags<NET::Property>, QFlags<NET::Property2> >, void>::impl(int, QtPrivate::QSlotObjectBase *, QObject *, void **, bool *) (which=<optimized out>, this_=<optimized out>, r=<optimized out>, a=<optimized out>, ret=<optimized out>) at /usr/include/qt/QtCore/qobjectdefs_impl.h:443
#35 0x00007c61ffac8e27 in QtPrivate::QSlotObjectBase::call (a=0x7ffd1e866c00, r=<optimized out>, this=0x6051ad830ec0, this=<optimized out>, r=<optimized out>, a=<optimized out>) at ../../include/QtCore/../../src/corelib/kernel/qobjectdefs_impl.h:398
#36 doActivate<false> (sender=0x6051ad83c770, signal_index=5, argv=0x7ffd1e866c00) at kernel/qobject.cpp:3925
#37 0x00007c61f8067a88 in XWindowSystemEventBatcher::windowChanged (_t3=..., _t2=..., _t1=<optimized out>, this=<optimized out>) at /usr/src/debug/plasma-workspace/build/libtaskmanager/taskmanager_autogen/EWIEGA46WW/moc_xwindowsystemeventbatcher.cpp:176
#38 operator() (properties2=..., properties=..., window=<optimized out>, __closure=0x6051ad830ca0) at /usr/src/debug/plasma-workspace/plasma-workspace-5.27.10/libtaskmanager/xwindowsystemeventbatcher.cpp:46
#39 QtPrivate::FunctorCall<QtPrivate::IndexesList<0, 1, 2>, QtPrivate::List<long long unsigned int, QFlags<NET::Property>, QFlags<NET::Property2> >, void, XWindowSystemEventBatcher::XWindowSystemEventBatcher(QObject*)::<lambda(WId, NET::Properties, NET::Properties2)> >::call (arg=<optimized out>, f=...) at /usr/include/qt/QtCore/qobjectdefs_impl.h:146
#40 QtPrivate::Functor<XWindowSystemEventBatcher::XWindowSystemEventBatcher(QObject*)::<lambda(WId, NET::Properties, NET::Properties2)>, 3>::call<QtPrivate::List<unsigned long long, QFlags<NET::Property>, QFlags<NET::Property2> >, void> (arg=<optimized out>, f=...) at /usr/include/qt/QtCore/qobjectdefs_impl.h:256
#41 QtPrivate::QFunctorSlotObject<XWindowSystemEventBatcher::XWindowSystemEventBatcher(QObject*)::<lambda(WId, NET::Properties, NET::Properties2)>, 3, QtPrivate::List<long long unsigned int, QFlags<NET::Property>, QFlags<NET::Property2> >, void>::impl(int, QtPrivate::QSlotObjectBase *, QObject *, void **, bool *) (which=<optimized out>, this_=0x6051ad830c90, r=<optimized out>, a=<optimized out>, ret=<optimized out>) at /usr/include/qt/QtCore/qobjectdefs_impl.h:443
#42 0x00007c61ffac8e27 in QtPrivate::QSlotObjectBase::call (a=0x7ffd1e866d50, r=<optimized out>, this=0x6051ad830c90, this=<optimized out>, r=<optimized out>, a=<optimized out>) at ../../include/QtCore/../../src/corelib/kernel/qobjectdefs_impl.h:398
#43 doActivate<false> (sender=0x7c62019be530 <KX11Extras::self()::instance>, signal_index=12, argv=0x7ffd1e866d50) at kernel/qobject.cpp:3925
#44 0x00007c62019a1d99 in KX11Extras::windowChanged (this=<optimized out>, _t1=<optimized out>, _t1@entry=85983236, _t2=..., _t3=...) at /usr/src/debug/kwindowsystem5/build/src/KF5WindowSystem_autogen/include/moc_kx11extras.cpp:316
#45 0x00007c61f85df6da in NETEventFilter::nativeEventFilter (this=0x6051acc015a0, ev=0x7c61ec024310) at /usr/src/debug/kwindowsystem5/kwindowsystem-5.115.0/src/platforms/xcb/kwindowsystem.cpp:344
#46 0x00007c61ffa9028f in QAbstractEventDispatcher::filterNativeEvent (this=<optimized out>, eventType=..., message=message@entry=0x7c61ec024310, result=result@entry=0x7ffd1e866ee0) at kernel/qabstracteventdispatcher.cpp:495
#47 0x00007c61fab23fb1 in QXcbConnection::handleXcbEvent (this=this@entry=0x6051ac247300, event=event@entry=0x7c61ec024310) at /usr/src/debug/qt5-base/qtbase/src/plugins/platforms/xcb/qxcbconnection.cpp:583
#48 0x00007c61fab28550 in QXcbConnection::processXcbEvents (this=0x6051ac247300, flags=...) at /usr/src/debug/qt5-base/qtbase/src/plugins/platforms/xcb/qxcbconnection.cpp:1067
#49 0x00007c61fab4d538 in xcbSourceDispatch (source=<optimized out>) at /usr/src/debug/qt5-base/qtbase/src/plugins/platforms/xcb/qxcbeventdispatcher.cpp:103
#50 0x00007c61fe782f69 in g_main_dispatch (context=0x7c61f4000ec0) at ../glib/glib/gmain.c:3476
#51 0x00007c61fe7e13a7 in g_main_context_dispatch_unlocked (context=0x7c61f4000ec0) at ../glib/glib/gmain.c:4284
#52 g_main_context_iterate_unlocked.isra.0 (context=context@entry=0x7c61f4000ec0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/glib/gmain.c:4349
#53 0x00007c61fe781162 in g_main_context_iteration (context=0x7c61f4000ec0, may_block=1) at ../glib/glib/gmain.c:4414
#54 0x00007c61ffae2d0c in QEventDispatcherGlib::processEvents (this=0x6051ac3e86c0, flags=...) at kernel/qeventdispatcher_glib.cpp:423
#55 0x00007c61ffa92c04 in QEventLoop::exec (this=this@entry=0x7ffd1e867260, flags=..., flags@entry=...) at ../../include/QtCore/../../src/corelib/global/qflags.h:69
#56 0x00007c61ffa940a3 in QCoreApplication::exec () at ../../include/QtCore/../../src/corelib/global/qflags.h:121
#57 0x00007c61fff2bef2 in QGuiApplication::exec () at kernel/qguiapplication.cpp:1870
#58 0x00007c6200755cda in QApplication::exec () at kernel/qapplication.cpp:2832
#59 0x00006051aa5e516c in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/plasma-workspace/plasma-workspace-5.27.10/shell/main.cpp:235
[Inferior 1 (process 3642) detached]

Reported using DrKonqi

Comment 1 OrakMoya 2024-02-26 09:08:14 UTC
Edited title as I seem to have found the cause.

Plasmashell crashes when trying to group a newly created window of an app with an already existing window in the task manager. The easiest way for me to reproduce is to detach a tab from Firefox, which causes a crash.

Comment 2 Harald Sitter 2024-02-26 10:06:47 UTC
After staring at the code for a bit I am of the opinion that this takeAt is unsafe https://invent.kde.org/plasma/plasma-workspace/-/blob/5de0f7f4599dbcc294ecd1f5a4bbfa122db7e518/libtaskmanager/taskgroupingproxymodel.cpp#L148

We are forward iterating, so if j is not at the end we'll break the offset of j. After that a crash may manifest at any time. Trouble is I can't quite reproduce the crash because for me j is always at the end so things don't actually get corrupted.

Comment 3 Harald Sitter 2024-02-26 12:27:20 UTC

*** This bug has been marked as a duplicate of bug 474768 ***
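
The hazard Comment 2 describes (removing the element at index j while iterating forward over the same container) is shown below as an added example. It is not plasma-workspace code and not part of any comment in this report. It uses std::vector in place of the Qt container, all names and the sample data are hypothetical, and it generalizes to removing a range of rows in one pass.

```cpp
#include <cstddef>
#include <memory>
#include <vector>

// Simplified stand-in for a proxy "row map": each top-level proxy row owns
// the list of source rows grouped under it. All names are hypothetical.
using Group = std::vector<int>;
using RowMap = std::vector<std::unique_ptr<Group>>;

// Constructed sample: four ungrouped tasks, source rows 0..3.
RowMap makeSample() {
    RowMap map;
    for (int row = 0; row < 4; ++row) map.push_back(std::make_unique<Group>(Group{row}));
    return map;
}

// True when every source row of the group lies in [first, last].
static bool inRange(const Group &g, int first, int last) {
    for (int row : g) {
        if (row < first || row > last) return false;
    }
    return true;
}

// Unsafe pattern: erase slot j, then the loop's ++j steps over the element
// that just shifted down into slot j, so that element is never examined.
void removeForwardUnsafe(RowMap &map, int first, int last) {
    for (std::size_t j = 0; j < map.size(); ++j) {
        if (inRange(*map[j], first, last)) {
            map.erase(map.begin() + static_cast<std::ptrdiff_t>(j));
        }
    }
}

// Safe pattern: walk backwards, so erasing slot j only moves elements
// that have already been visited.
void removeBackwardSafe(RowMap &map, int first, int last) {
    for (std::size_t j = map.size(); j-- > 0;) {
        if (inRange(*map[j], first, last)) {
            map.erase(map.begin() + static_cast<std::ptrdiff_t>(j));
        }
    }
}

// Flatten the surviving source rows so results are easy to compare.
std::vector<int> survivors(const RowMap &map) {
    std::vector<int> out;
    for (const auto &g : map) out.insert(out.end(), g->begin(), g->end());
    return out;
}
```

When the erased slot is the last one, both loops behave identically, which matches the observation in Comment 2 that the problem does not show when j is always at the end.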