Bug 489096

Summary: plasmashell crashes in SystemClipboard::checkClipData with possible nullptr on data or data->formats()
Product: [Plasma] plasmashell
Reporter: kolorafa <kde_org>
Component: Clipboard
Assignee: Plasma Bugs List <plasma-bugs>
Status: RESOLVED FIXED
Severity: crash
CC: dikey0ficial, jaxad0127, kde_org, kiril, matt.fagnani, nate, nikolakocicbz, notmart, postix, qydwhotmail
Priority: NOR
Keywords: drkonqi, wayland
Version: 6.1.0
Target Milestone: 1.0
Platform: Arch Linux
OS: Linux
Latest Commit:
Version Fixed In: 6.1.3
Sentry Crash Report: https://crash-reports.kde.org/organizations/kde/issues/18441/
Attachments: New crash information added by DrKonqi

Description kolorafa 2024-06-24 10:33:45 UTC
Application: plasmashell (6.1.0)

Qt Version: 6.7.1
Frameworks Version: 6.3.0
Operating System: Linux 6.9.5-arch1-1 x86_64
Windowing System: Wayland
Distribution: "Arch Linux"
DrKonqi: 6.1.0 [CoredumpBackend]

-- Information about the crash:
Was just closing flatpak app com.github.vikdevelop.timer.
And the plasmashell froze and then restarted.

The reporter is unsure if this crash is reproducible.

-- Backtrace (Reduced):
#5  SystemClipboard::checkClipData (this=0x61e8e0517e20, mode=QClipboard::Selection) at /usr/src/debug/plasma-workspace/plasma-workspace-6.1.0/klipper/systemclipboard.cpp:157
#6  0x00007dbce8ba17e7 in QtPrivate::QSlotObjectBase::call (this=<optimized out>, r=<optimized out>, a=<optimized out>, this=<optimized out>, r=<optimized out>, a=<optimized out>) at /usr/src/debug/qt6-base/qtbase/src/corelib/kernel/qobjectdefs_impl.h:469
#7  doActivate<false> (sender=<optimized out>, signal_index=<optimized out>, argv=<optimized out>) at /usr/src/debug/qt6-base/qtbase/src/corelib/kernel/qobject.cpp:4086
#8  0x00007dbce898db01 in KSystemClipboard::changed (this=<optimized out>, _t1=<optimized out>) at /usr/src/debug/kguiaddons/build/src/KF6GuiAddons_autogen/include/moc_ksystemclipboard.cpp:142
#9  0x00007dbce8ba17e7 in QtPrivate::QSlotObjectBase::call (this=<optimized out>, r=<optimized out>, a=<optimized out>, this=<optimized out>, r=<optimized out>, a=<optimized out>) at /usr/src/debug/qt6-base/qtbase/src/corelib/kernel/qobjectdefs_impl.h:469


Reported using DrKonqi
Comment 1 kolorafa 2024-06-24 10:33:47 UTC
Created attachment 170904 [details]
New crash information added by DrKonqi

DrKonqi auto-attaching complete backtrace.
Comment 2 Marco Martin 2024-06-25 11:42:20 UTC
Thread 1 (Thread 0x7dbce27f1200 (LWP 9083)):
[KCrash Handler]
#5  SystemClipboard::checkClipData (this=0x61e8e0517e20, mode=QClipboard::Selection) at /usr/src/debug/plasma-workspace/plasma-workspace-6.1.0/klipper/systemclipboard.cpp:157
#6  0x00007dbce8ba17e7 in QtPrivate::QSlotObjectBase::call (this=<optimized out>, r=<optimized out>, a=<optimized out>, this=<optimized out>, r=<optimized out>, a=<optimized out>) at /usr/src/debug/qt6-base/qtbase/src/corelib/kernel/qobjectdefs_impl.h:469
#7  doActivate<false> (sender=<optimized out>, signal_index=<optimized out>, argv=<optimized out>) at /usr/src/debug/qt6-base/qtbase/src/corelib/kernel/qobject.cpp:4086
#8  0x00007dbce898db01 in KSystemClipboard::changed (this=<optimized out>, _t1=<optimized out>) at /usr/src/debug/kguiaddons/build/src/KF6GuiAddons_autogen/include/moc_ksystemclipboard.cpp:142
#9  0x00007dbce8ba17e7 in QtPrivate::QSlotObjectBase::call (this=<optimized out>, r=<optimized out>, a=<optimized out>, this=<optimized out>, r=<optimized out>, a=<optimized out>) at /usr/src/debug/qt6-base/qtbase/src/corelib/kernel/qobjectdefs_impl.h:469
#10 doActivate<false> (sender=<optimized out>, signal_index=<optimized out>, argv=<optimized out>) at /usr/src/debug/qt6-base/qtbase/src/corelib/kernel/qobject.cpp:4086
#11 0x00007dbce9858596 in ffi_call_unix64 () at ../src/x86/unix64.S:104
#12 0x00007dbce985500e in ffi_call_int (cif=cif@entry=0x7ffccc87cd00, fn=<optimized out>, rvalue=<optimized out>, avalue=<optimized out>, closure=closure@entry=0x0) at ../src/x86/ffi64.c:673
#13 0x00007dbce9857bd3 in ffi_call (cif=cif@entry=0x7ffccc87cd00, fn=<optimized out>, rvalue=rvalue@entry=0x0, avalue=avalue@entry=0x7ffccc87cdd0) at ../src/x86/ffi64.c:710
#14 0x00007dbceb3ca860 in wl_closure_invoke (closure=closure@entry=0x7dbcd400c0a0, target=<optimized out>, target@entry=0x61e8e0529ae0, opcode=opcode@entry=3, data=<optimized out>, flags=1) at ../wayland-1.23.0/src/connection.c:1228
#15 0x00007dbceb3cb0d9 in dispatch_event (display=display@entry=0x61e8dc799e10, queue=queue@entry=0x61e8dc799f08) at ../wayland-1.23.0/src/wayland-client.c:1670
#16 0x00007dbceb3cb4f3 in dispatch_queue (display=0x61e8dc799e10, queue=0x61e8dc799f08) at ../wayland-1.23.0/src/wayland-client.c:1816
#17 wl_display_dispatch_queue_pending (display=0x61e8dc799e10, queue=0x61e8dc799f08) at ../wayland-1.23.0/src/wayland-client.c:2058
#18 0x00007dbce99740c6 in QtWaylandClient::QWaylandDisplay::flushRequests (this=<optimized out>) at /usr/src/debug/qt6-wayland/qtwayland/src/client/qwaylanddisplay.cpp:227
#19 0x00007dbce8b8c0ff in QObject::event (this=0x61e8dc799be0, e=0x7dbcd4044010) at /usr/src/debug/qt6-base/qtbase/src/corelib/kernel/qobject.cpp:1452
#20 0x00007dbceaafc55c in QApplicationPrivate::notify_helper (this=<optimized out>, receiver=0x61e8dc799be0, e=0x7dbcd4044010) at /usr/src/debug/qt6-base/qtbase/src/widgets/kernel/qapplication.cpp:3287
#21 0x00007dbce8b44e38 in QCoreApplication::notifyInternal2 (receiver=0x61e8dc799be0, event=event@entry=0x7dbcd4044010) at /usr/src/debug/qt6-base/qtbase/src/corelib/kernel/qcoreapplication.cpp:1142
#22 0x00007dbce8b451fb in QCoreApplication::sendEvent (receiver=<optimized out>, event=0x7dbcd4044010) at /usr/src/debug/qt6-base/qtbase/src/corelib/kernel/qcoreapplication.cpp:1583
#23 QCoreApplicationPrivate::sendPostedEvents (receiver=0x0, event_type=0, data=0x61e8dc768ba0) at /usr/src/debug/qt6-base/qtbase/src/corelib/kernel/qcoreapplication.cpp:1940
#24 0x00007dbce8da460c in QCoreApplication::sendPostedEvents (receiver=0x0, event_type=0) at /usr/src/debug/qt6-base/qtbase/src/corelib/kernel/qcoreapplication.cpp:1797
#25 postEventSourceDispatch (s=0x61e8dc796c50) at /usr/src/debug/qt6-base/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:244
#26 0x00007dbce768ba89 in g_main_dispatch (context=0x7dbcdc000f00) at ../glib/glib/gmain.c:3344
#27 0x00007dbce76ed9b7 in g_main_context_dispatch_unlocked (context=0x7dbcdc000f00) at ../glib/glib/gmain.c:4152
#28 g_main_context_iterate_unlocked.isra.0 (context=context@entry=0x7dbcdc000f00, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/glib/gmain.c:4217
#29 0x00007dbce768af95 in g_main_context_iteration (context=0x7dbcdc000f00, may_block=1) at ../glib/glib/gmain.c:4282
#30 0x00007dbce8da28dd in QEventDispatcherGlib::processEvents (this=0x61e8dc7ae480, flags=...) at /usr/src/debug/qt6-base/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:394
#31 0x00007dbce8b4f10e in QEventLoop::processEvents (this=0x7ffccc87d400, flags=...) at /usr/src/debug/qt6-base/qtbase/src/corelib/kernel/qeventloop.cpp:100
#32 QEventLoop::exec (this=0x7ffccc87d400, flags=...) at /usr/src/debug/qt6-base/qtbase/src/corelib/kernel/qeventloop.cpp:182
#33 0x00007dbce8b4945d in QCoreApplication::exec () at /usr/src/debug/qt6-base/qtbase/src/corelib/global/qflags.h:74
#34 0x00007dbceaaf83fa in QApplication::exec () at /usr/src/debug/qt6-base/qtbase/src/widgets/kernel/qapplication.cpp:2555
#35 0x000061e8a2073d66 in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/plasma-workspace/plasma-workspace-6.1.0/shell/main.cpp:188
Comment 3 Nate Graham 2024-06-25 14:27:53 UTC
Crashing here:


> if (!data) {
>     Q_EMIT receivedEmptyClipboard(mode);
>     return;
> } else if (data->formats().isEmpty()) {
>     // Might be a timeout. Try again
>     roundtrip();
>     data = m_clip->mimeData(mode);
>     if (data->formats().isEmpty()) {                                 <<<<<<<<<<<<<< Here
>         qCDebug(KLIPPER_LOG) << "was empty. Retried, now still empty";
>         Q_EMIT receivedEmptyClipboard(mode);
>         return;
>     }
> }

Maybe data or data->formats() are nullptr.
Comment 4 Jared Adams 2024-07-09 02:53:02 UTC
I can consistently recreate this by copying a file, moving or deleting it, then clearing the clipboard. Copying something else before the clear does not crash.
Comment 5 Jared Adams 2024-07-11 13:43:36 UTC
Still happening.
Qt 6.7.2
Plasma 6.1.2
Frameworks 6.3.0
Kernel 6.9.8-arch1-1
Arch Linux
Wayland

Matching backtrace, though I've seen one with a different middle section before (didn't save it).
Comment 6 Bug Janitor Service 2024-07-15 07:22:16 UTC
A possibly relevant merge request was started @ https://invent.kde.org/plasma/plasma-workspace/-/merge_requests/4522
Comment 7 Bug Janitor Service 2024-07-15 07:38:07 UTC
A possibly relevant merge request was started @ https://invent.kde.org/plasma/plasma-workspace/-/merge_requests/4523
Comment 8 postix 2024-07-15 16:30:17 UTC
*** Bug 488074 has been marked as a duplicate of this bug. ***
Comment 9 Vlad Zahorodnii 2024-07-16 07:16:33 UTC
Git commit 1cdf4dc24a9b9d565d6163557375690ba6701673 by Vlad Zahorodnii.
Committed on 16/07/2024 at 06:56.
Pushed by vladz into branch 'master'.

klipper: Fix a potential null dereferencing

Prior to da06b136f645e57b79e319e34bba4f88bee54616, klipper used to make
a roundtrip. In the meanwhile, anything could happen to the selection,
including getting destroyed. In either case, let's handle mimeData()
returning null to harden this clipboard code.

M  +1    -1    klipper/systemclipboard.cpp

https://invent.kde.org/plasma/plasma-workspace/-/commit/1cdf4dc24a9b9d565d6163557375690ba6701673
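
Added example, not part of the bug thread or the Klipper source: a self-contained C++ model of the retry path quoted in comment 3, showing that the first null check does not cover the second mimeData() fetch, next to one way of handling a null result as the commit message describes. MimeData, FakeClipboard, Outcome and both check functions are hypothetical stand-ins, and the sample replies are constructed.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

// Hypothetical stand-ins for QMimeData and the clipboard backend; not Qt or Klipper code.
struct MimeData { std::vector<std::string> formats; };

struct FakeClipboard {
    std::vector<const MimeData *> replies; // constructed: one entry per mimeData() call
    std::size_t next = 0;
    const MimeData *mimeData() { return next < replies.size() ? replies[next++] : nullptr; }
    void roundtrip() {} // the selection may change or be destroyed while this runs
};

enum class Outcome { EmptyClipboard, HasData, NullDereference };

// Flow quoted in comment 3, instrumented to report the bad access instead of crashing.
Outcome checkOriginal(FakeClipboard &clip) {
    const MimeData *data = clip.mimeData();
    if (!data) return Outcome::EmptyClipboard;
    if (data->formats.empty()) {
        clip.roundtrip();
        data = clip.mimeData();
        if (!data) return Outcome::NullDereference; // original calls data->formats() here
        if (data->formats.empty()) return Outcome::EmptyClipboard;
    }
    return Outcome::HasData;
}

// Hardened flow: every fetch is followed by its own null check.
Outcome checkHardened(FakeClipboard &clip) {
    const MimeData *data = clip.mimeData();
    if (!data) return Outcome::EmptyClipboard;
    if (data->formats.empty()) {
        clip.roundtrip();
        data = clip.mimeData();
        if (!data || data->formats.empty()) return Outcome::EmptyClipboard;
    }
    return Outcome::HasData;
}

int main() {
    static const MimeData empty{};
    FakeClipboard a, b;
    a.replies = b.replies = {&empty, nullptr}; // empty formats first, then selection gone
    std::printf("original: %d, hardened: %d\n",
                static_cast<int>(checkOriginal(a)), static_cast<int>(checkHardened(b)));
}
```
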
Comment 10 Vlad Zahorodnii 2024-07-16 08:08:35 UTC
Git commit 02d852d163ef98f42d341f4cdcf9a9c10d29115f by Vlad Zahorodnii.
Committed on 16/07/2024 at 07:48.
Pushed by vladz into branch 'Plasma/6.1'.

klipper: Fix a potential null dereferencing

Prior to da06b136f645e57b79e319e34bba4f88bee54616, klipper used to make
a roundtrip. In the meanwhile, anything could happen to the selection,
including getting destroyed. In either case, let's handle mimeData()
returning null to harden this clipboard code.


(cherry picked from commit 1cdf4dc24a9b9d565d6163557375690ba6701673)

Co-authored-by: Vlad Zahorodnii <vlad.zahorodnii@kde.org>

M  +1    -1    klipper/systemclipboard.cpp

https://invent.kde.org/plasma/plasma-workspace/-/commit/02d852d163ef98f42d341f4cdcf9a9c10d29115f
Comment 11 Vlad Zahorodnii 2024-07-16 09:30:48 UTC
Git commit ec617701e49b29422d246f23d1515670f1a9efa5 by Vlad Zahorodnii, on behalf of David Edmundson.
Committed on 16/07/2024 at 09:12.
Pushed by vladz into branch 'Plasma/6.1'.

klipper: Avoid incorrect wayland roundtrips

Klipper code is full of existing X11 hacks, as clipboard is a
complicated problem.

In 923e9bc9f20028d5eaa07828ced02ddaf31eba63 these X11 workarounds were
split into another file, but also in that change the existing roundtrip
function gained a wayland backend. This doesn't help as the reasons we
need to roundtrip are platform specific. Trying to generalise makes
things harder rather than easier.

(cherry picked from commit da06b136f645e57b79e319e34bba4f88bee54616)

M  +5    -9    klipper/systemclipboard.cpp

https://invent.kde.org/plasma/plasma-workspace/-/commit/ec617701e49b29422d246f23d1515670f1a9efa5
Comment 12 Nate Graham 2024-07-22 20:23:30 UTC
*** Bug 486286 has been marked as a duplicate of this bug. ***
Comment 13 Nate Graham 2024-07-22 20:23:46 UTC
*** Bug 488838 has been marked as a duplicate of this bug. ***