Bug 499927

Summary: plasmashell crashed sometimes in QSharedPointer<NetworkManager::Device>::deref when clicking on the Networks icon in the system tray
Product: [Plasma] plasmashell Reporter: Matt Fagnani <matt.fagnani>
Component: generic-crashAssignee: Plasma Bugs List <plasma-bugs>
Status: RESOLVED FIXED    
Severity: crash CC: nate, sam
Priority: NOR Keywords: drkonqi
Version: 6.3.0   
Target Milestone: 1.0   
Platform: Fedora RPMs   
OS: Linux   
See Also: https://bugs.kde.org/show_bug.cgi?id=499218
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=116506
https://bugs.kde.org/show_bug.cgi?id=494693
https://bugs.kde.org/show_bug.cgi?id=499100
Latest Commit: https://invent.kde.org/plasma/plasma-nm/-/commit/2c9a19ee5d14ee828c3e075d041301733e9a76fa Version Fixed In: 6.3.1
Sentry Crash Report: https://crash-reports.kde.org/organizations/kde/issues/122628/events/7a7e880982054ed18e3d035ae30129f4/
Attachments: New crash information added by DrKonqi
plasmashell 6.3.1 trace

Description Matt Fagnani 2025-02-12 21:28:24 UTC 
Application: plasmashell (6.3.0)

ApplicationNotResponding [ANR]: false
Qt Version: 6.8.2
Frameworks Version: 6.11.0
Operating System: Linux 6.14.0-0.rc2.22.fc43.x86_64 x86_64
Windowing System: Wayland
Distribution: "Fedora Linux 43 (KDE Plasma Prerelease)"
DrKonqi: 6.3.0 [CoredumpBackend]

-- Information about the crash:
I booted the Fedora Rawhide KDE live image Fedora-KDE-Desktop-Live-Rawhide-20250212.n.0.x86_64.iso on bare metal. Plasma 6.3.0 on Wayland started. I clicked on the Networks icon in the system tray a few times. plasmashell crashed the third time the Networks applet was shown. plasmashell crashed sometimes in QSharedPointer<NetworkManager::Device>::deref with what looked like an invalid pointer this=0x11 in frames 4 to 8. The trace was similar but different at its top to the one at https://bugs.kde.org/show_bug.cgi?id=499218 The problem might be due to a GCC 15 problem with C++ coroutines https://bugs.kde.org/show_bug.cgi?id=499218#c4

The crash can be reproduced sometimes.

-- Backtrace (Reduced):
#5  QSharedPointer<NetworkManager::Device>::~QSharedPointer (this=<optimized out>, this=<optimized out>) at /usr/include/qt6/QtCore/qsharedpointer_impl.h:284
#6  std::destroy_at<QSharedPointer<NetworkManager::Device> > (__location=0x11) at /usr/include/c++/15/bits/stl_construct.h:88
#7  std::_Destroy<QSharedPointer<NetworkManager::Device> > (__pointer=0x11) at /usr/include/c++/15/bits/stl_construct.h:163
#8  std::_Destroy<QSharedPointer<NetworkManager::Device>*> (__first=0x11, __last=0x7ffc15f9b2711) at /usr/include/c++/15/bits/stl_construct.h:211
#9  std::destroy<QSharedPointer<NetworkManager::Device>*> (__first=<optimized out>, __last=0x7ffc15f9b2711) at /usr/include/c++/15/bits/stl_construct.h:288


Reported using DrKonqi
Comment 1 Matt Fagnani 2025-02-12 21:28:26 UTC 
Created attachment 178233 [details]
New crash information added by DrKonqi

DrKonqi auto-attaching complete backtrace.
Comment 2 Bug Janitor Service 2025-02-12 22:53:52 UTC 
A possibly relevant merge request was started @ https://invent.kde.org/plasma/plasma-nm/-/merge_requests/414
Comment 3 Fushan Wen 2025-02-14 01:14:02 UTC 
Git commit 1754d67e318fdf73633bf8fd62656df52b823eb8 by Fushan Wen, on behalf of David Edmundson.
Committed on 14/02/2025 at 01:11.
Pushed by fusionfuture into branch 'master'.

Guard more qcoro usages

co_await does not disconnect a pending event like
It's possible for 'this' to be gone and everything to be in a broken
state. Lots of this code continued to process things after DBus replies
were invalid.

Every usage of co_await needs to either manage the lifespan of all
objects used or explicitly check.

M  +29   -1    libs/handler.cpp

https://invent.kde.org/plasma/plasma-nm/-/commit/1754d67e318fdf73633bf8fd62656df52b823eb8
Comment 4 Fushan Wen 2025-02-14 01:20:13 UTC 
Git commit 2c9a19ee5d14ee828c3e075d041301733e9a76fa by Fushan Wen.
Committed on 14/02/2025 at 01:14.
Pushed by fusionfuture into branch 'Plasma/6.3'.

Guard more qcoro usages

co_await does not disconnect a pending event like
It's possible for 'this' to be gone and everything to be in a broken
state. Lots of this code continued to process things after DBus replies
were invalid.

Every usage of co_await needs to either manage the lifespan of all
objects used or explicitly check.


(cherry picked from commit 1754d67e318fdf73633bf8fd62656df52b823eb8)

Co-authored-by: David Edmundson <kde@davidedmundson.co.uk>

M  +29   -1    libs/handler.cpp

https://invent.kde.org/plasma/plasma-nm/-/commit/2c9a19ee5d14ee828c3e075d041301733e9a76fa
Comment 5 Matt Fagnani 2025-02-21 05:53:04 UTC 
Created attachment 178676 [details]
plasmashell 6.3.1 trace

I was using Plasma 6.3.1 on Wayland in a Fedora Rawhide live image on bare metal. I clicked on the Networks icon in the system tray repeatedly. plasmashell crashed in QSharedPointer<NetworkManager::Device>::deref with a trace like I reported here.

Thread 1 (Thread 0x7fef7b8c4d80 (LWP 2816)):
[KCrash Handler]
#4  QSharedPointer<NetworkManager::Device>::deref (this=0x10) at /usr/include/qt6/QtCore/qsharedpointer_impl.h:471
#5  QSharedPointer<NetworkManager::Device>::~QSharedPointer (this=<optimized out>, this=<optimized out>) at /usr/include/qt6/QtCore/qsharedpointer_impl.h:284
#6  std::destroy_at<QSharedPointer<NetworkManager::Device> > (__location=0x10) at /usr/include/c++/15/bits/stl_construct.h:88
#7  std::_Destroy<QSharedPointer<NetworkManager::Device> > (__pointer=0x10) at /usr/include/c++/15/bits/stl_construct.h:163
#8  std::_Destroy<QSharedPointer<NetworkManager::Device>*> (__first=0x10, __last=0x7ffcdb3a7b310) at /usr/include/c++/15/bits/stl_construct.h:211
#9  std::destroy<QSharedPointer<NetworkManager::Device>*> (__first=<optimized out>, __last=0x7ffcdb3a7b310) at /usr/include/c++/15/bits/stl_construct.h:288
#10 QtPrivate::QGenericArrayOps<QSharedPointer<NetworkManager::Device> >::destroyAll (this=0x7ffcdb3a7a40) at /usr/include/qt6/QtCore/qarraydataops.h:377
#11 QArrayDataPointer<QSharedPointer<NetworkManager::Device> >::~QArrayDataPointer (this=<optimized out>, this=<optimized out>) at /usr/include/qt6/QtCore/qarraydatapointer.h:109
#12 QArrayDataPointer<QSharedPointer<NetworkManager::Device> >::~QArrayDataPointer (this=<optimized out>, this=<optimized out>) at /usr/include/qt6/QtCore/qarraydatapointer.h:106
#13 0x00007feebc78ced7 in QList<QSharedPointer<NetworkManager::Device> >::~QList (this=<optimized out>, this=<optimized out>) at /usr/include/qt6/QtCore/qlist.h:83
#14 Handler::requestScanInternal (frame_ptr=0x55ebfbb27b30) at /usr/src/debug/plasma-nm-6.3.1-1.fc43.x86_64/libs/handler.cpp:674
#15 0x00007feebc7999e1 in std::__n4861::coroutine_handle<void>::resume (this=<optimized out>) at /usr/include/c++/15/coroutine:142
#16 QCoro::detail::QCoroDBusPendingReply<QDBusObjectPath>::WaitForFinishedOperation::await_suspend(std::__n4861::coroutine_handle<void>)::{lambda(auto:1*)#1}::operator()<QDBusPendingCallWatcher>(QDBusPendingCallWatcher*) (__closure=<optimized out>, watcher=0x55ebfbe7b820) at /usr/include/qcoro6/qcoro/qcorodbuspendingreply.h:43
#17 QtPrivate::FunctorCall<QtPrivate::IndexesList<0>, QtPrivate::List<QDBusPendingCallWatcher*>, void, QCoro::detail::QCoroDBusPendingReply<>::WaitForFinishedOperation::await_suspend(std::__n4861::coroutine_handle<void>)::{lambda(auto:1*)#1}>::call(QCoro::detail::QCoroDBusPendingReply<>::WaitForFinishedOperation::await_suspend(std::__n4861::coroutine_handle<void>)::{lambda(auto:1*)#1}&, void**)::{lambda()#1}::operator()() const (__closure=<optimized out>) at /usr/include/qt6/QtCore/qobjectdefs_impl.h:141
#18 QtPrivate::FunctorCallBase::call_internal<void, QtPrivate::FunctorCall<QtPrivate::IndexesList<0>, QtPrivate::List<QDBusPendingCallWatcher*>, void, QCoro::detail::QCoroDBusPendingReply<>::WaitForFinishedOperation::await_suspend(std::__n4861::coroutine_handle<void>)::{lambda(auto:1*)#1}>::call(QCoro::detail::QCoroDBusPendingReply<>::WaitForFinishedOperation::await_suspend(std::__n4861::coroutine_handle<void>)::{lambda(auto:1*)#1}&, void**)::{lambda()#1}>(void**, QtPrivate::FunctorCall<QtPrivate::IndexesList<0>, QtPrivate::List<QDBusPendingCallWatcher*>, void, QCoro::detail::QCoroDBusPendingReply<>::WaitForFinishedOperation::await_suspend(std::__n4861::coroutine_handle<void>)::{lambda(auto:1*)#1}>::call(QCoro::detail::QCoroDBusPendingReply<>::WaitForFinishedOperation::await_suspend(std::__n4861::coroutine_handle<void>)::{lambda(auto:1*)#1}&, void**)::{lambda()#1}&&) (args=<optimized out>, fn=...) at /usr/include/qt6/QtCore/qobjectdefs_impl.h:65
#19 QtPrivate::FunctorCall<QtPrivate::IndexesList<0>, QtPrivate::List<QDBusPendingCallWatcher*>, void, QCoro::detail::QCoroDBusPendingReply<>::WaitForFinishedOperation::await_suspend(std::__n4861::coroutine_handle<void>)::{lambda(auto:1*)#1}>::call(QCoro::detail::QCoroDBusPendingReply<>::WaitForFinishedOperation::await_suspend(std::__n4861::coroutine_handle<void>)::{lambda(auto:1*)#1}&, void**) (f=..., arg=<optimized out>) at /usr/include/qt6/QtCore/qobjectdefs_impl.h:140
#20 QtPrivate::FunctorCallable<QCoro::detail::QCoroDBusPendingReply<>::WaitForFinishedOperation::await_suspend(std::__n4861::coroutine_handle<void>)::{lambda(auto:1*)#1}, QDBusPendingCallWatcher*>::call<QtPrivate::List<QDBusPendingCallWatcher*>, void>(QCoro::detail::QCoroDBusPendingReply<>::WaitForFinishedOperation::await_suspend(std::__n4861::coroutine_handle<void>)::{lambda(auto:1*)#1}&, void*, void**) (f=..., arg=<optimized out>) at /usr/include/qt6/QtCore/qobjectdefs_impl.h:362
#21 QtPrivate::QCallableObject<QCoro::detail::QCoroDBusPendingReply<>::WaitForFinishedOperation::await_suspend(std::__n4861::coroutine_handle<void>)::{lambda(auto:1*)#1}, QtPrivate::List<QDBusPendingCallWatcher*>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) (which=<optimized out>, this_=<optimized out>, r=<optimized out>, a=<optimized out>, ret=<optimized out>) at /usr/include/qt6/QtCore/qobjectdefs_impl.h:572
#22 0x00007fef7a8c5efa in QtPrivate::QSlotObjectBase::call (this=0x55ebfcd3dcc0, r=0x55ebfbe7b820, a=0x7ffcdb3a7bf0) at /usr/src/debug/qt6-qtbase-6.8.2-3.fc43.x86_64/src/corelib/kernel/qobjectdefs_impl.h:486
#23 doActivate<false> (sender=0x55ebfbe7b820, signal_index=3, argv=argv@entry=0x7ffcdb3a7bf0) at /usr/src/debug/qt6-qtbase-6.8.2-3.fc43.x86_64/src/corelib/kernel/qobject.cpp:4115
#24 0x00007fef7a8bc8a9 in QMetaObject::activate (sender=<optimized out>, m=m@entry=0x7fef7aed2f00, local_signal_index=local_signal_index@entry=0, argv=argv@entry=0x7ffcdb3a7bf0) at /usr/src/debug/qt6-qtbase-6.8.2-3.fc43.x86_64/src/corelib/kernel/qobject.cpp:4175
#25 0x00007fef7ae83471 in QDBusPendingCallWatcher::finished (this=<optimized out>, _t1=<optimized out>) at /usr/src/debug/qt6-qtbase-6.8.2-3.fc43.x86_64/redhat-linux-build/src/dbus/DBus_autogen/include/moc_qdbuspendingcall.cpp:163
#26 0x00007fef7a8b6a2c in QObject::event (this=<optimized out>, e=<optimized out>) at /usr/src/debug/qt6-qtbase-6.8.2-3.fc43.x86_64/src/corelib/kernel/qobject.cpp:1418
#27 0x00007fef7cb944ca in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /lib64/libQt6Widgets.so.6
#28 0x00007fef7a85c49c in QCoreApplication::notifyInternal2 (receiver=0x55ebfbe7b820, event=0x7fef6008c500) at /usr/src/debug/qt6-qtbase-6.8.2-3.fc43.x86_64/src/corelib/kernel/qcoreapplication.cpp:1172
#29 0x00007fef7a85c6ed in QCoreApplication::sendEvent (receiver=<optimized out>, event=<optimized out>) at /usr/src/debug/qt6-qtbase-6.8.2-3.fc43.x86_64/src/corelib/kernel/qcoreapplication.cpp:1612
#30 0x00007fef7a85ffd0 in QCoreApplicationPrivate::sendPostedEvents (receiver=0x0, event_type=0, event_type@entry=32751, data=0x55ebf643ec10) at /usr/src/debug/qt6-qtbase-6.8.2-3.fc43.x86_64/src/corelib/kernel/qcoreapplication.cpp:1946
#31 0x00007fef7a8602e0 in QCoreApplication::sendPostedEvents (receiver=<optimized out>, event_type=32751) at /usr/src/debug/qt6-qtbase-6.8.2-3.fc43.x86_64/src/corelib/kernel/qcoreapplication.cpp:1800
#32 0x00007fef7ab5e47f in postEventSourceDispatch (s=0x55ebf6446660) at /usr/src/debug/qt6-qtbase-6.8.2-3.fc43.x86_64/src/corelib/kernel/qeventdispatcher_glib.cpp:246
#33 0x00007fef790a7f16 in g_main_context_dispatch_unlocked.lto_priv () from /lib64/libglib-2.0.so.0
#34 0x00007fef790b1068 in g_main_context_iterate_unlocked.isra () from /lib64/libglib-2.0.so.0
#35 0x00007fef790b1217 in g_main_context_iteration () from /lib64/libglib-2.0.so.0
#36 0x00007fef7ab5dcc3 in QEventDispatcherGlib::processEvents (this=0x55ebf64474b0, flags=...) at /usr/src/debug/qt6-qtbase-6.8.2-3.fc43.x86_64/src/corelib/kernel/qeventdispatcher_glib.cpp:399
#37 0x00007fef7a8696d3 in QEventLoop::exec (this=this@entry=0x7ffcdb3a8090, flags=..., flags@entry=...) at /usr/src/debug/qt6-qtbase-6.8.2-3.fc43.x86_64/src/corelib/global/qflags.h:34
#38 0x00007fef7a8651d5 in QCoreApplication::exec () at /usr/src/debug/qt6-qtbase-6.8.2-3.fc43.x86_64/src/corelib/kernel/qcoreapplication.cpp:1515
#39 0x000055ebd3861b26 in main ()

The patch included in 6.3.1 might not be enough to avoid this crash.