Bug 507923

Summary: RKWard crashed when using a context menu to paste a command in the console
Product: [Applications] rkward
Reporter: Matt Fagnani <matt.fagnani>
Component: general
Assignee: RKWard Team <rkward-devel>
Status: RESOLVED FIXED
Severity: crash
CC: thomas.friedrichsmeier
Priority: NOR
Keywords: drkonqi
Version First Reported In: unspecified
Target Milestone: ---
Platform: Fedora RPMs
OS: Linux
Latest Commit:
Version Fixed/Implemented In:
Sentry Crash Report:
Attachments: New crash information added by DrKonqi; Valgrind log for RKWard crash

Description Matt Fagnani 2025-08-06 04:34:24 UTC
Application: rkward (0.8.1z+0.8.2+devel1)

ApplicationNotResponding [ANR]: false
Qt Version: 6.9.1
Frameworks Version: 6.16.0
Operating System: Linux 6.15.9-201.fc42.x86_64 x86_64
Windowing System: Wayland
Distribution: "Fedora Linux 42 (KDE Plasma Desktop Edition)"
DrKonqi: 6.4.3 [CoredumpBackend]

-- Information about the crash:
I ran the RKWard 0.8.2 pre-release rkward-0.8.2~pre^1.gitcb3c2dd3-1.fc42 which should contain the patch for https://bugs.kde.org/show_bug.cgi?id=505955. I created a new data set my.data by clicking Enter new data. my.data contained a Numeric variable var by default. I copied the line my.data$var = as.Date("1-1-2025",tryFormats="%m-%d-%Y") from that report in Firefox. I right-clicked in the R console, then I clicked on Paste in the context menu (the data frame didn't need a row to be created for the crash to happen with the Fedora build). RKWard crashed in std::__uniq_ptr_impl<KXMLGUIFactoryPrivate, std::default_delete<KXMLGUIFactoryPrivate> >::_M_ptr with a trace like I reported at https://bugs.kde.org/show_bug.cgi?id=505955#c3. KXMLGUIFactory::container had this=0x0, which might've resulted in a null pointer dereference in std::__uniq_ptr_impl<KXMLGUIFactoryPrivate, std::default_delete<KXMLGUIFactoryPrivate> >::_M_ptr. The trace referred to a context menu such as in TwinTable::contextMenu.

I reproduced the crash again as above. In another run I copied and pasted the line x <- data.frame(1, 2) from https://bugs.kde.org/show_bug.cgi?id=505955#c4 using a context menu. RKWard crashed with the same type of trace which is the crash I reported here with drkonqi. The problem didn't happen if I used the Edit menu in the menu bar then selected Paste.

The crash can be reproduced every time.

-- Backtrace (Reduced):
#4  0x00007f78d950e23e in std::__uniq_ptr_impl<KXMLGUIFactoryPrivate, std::default_delete<KXMLGUIFactoryPrivate> >::_M_ptr (this=<optimized out>) at /usr/include/c++/15/bits/unique_ptr.h:193
#5  std::unique_ptr<KXMLGUIFactoryPrivate, std::default_delete<KXMLGUIFactoryPrivate> >::get (this=<optimized out>) at /usr/include/c++/15/bits/unique_ptr.h:473
#6  std::unique_ptr<KXMLGUIFactoryPrivate, std::default_delete<KXMLGUIFactoryPrivate> >::operator-> (this=<optimized out>) at /usr/include/c++/15/bits/unique_ptr.h:466
#7  KXMLGUIFactory::container (this=0x0, containerName=..., client=client@entry=0x55e4410186e0, useTagName=useTagName@entry=false) at /usr/src/debug/kf6-kxmlgui-6.16.0-1.fc42.x86_64/src/kxmlguifactory.cpp:450
#8  0x000055e41a4b9d80 in TwinTable::contextMenu (this=0x55e4410185e0, row=<optimized out>, col=<optimized out>, pos=...) at /usr/src/debug/rkward-0.8.2~pre^1.gitcb3c2dd3-1.fc42.x86_64/rkward/dataeditor/twintable.cpp:325
#9  0x00007f78d61657ba in QtPrivate::QSlotObjectBase::call (this=0x55e440fb07e0, r=0x55e4410185e0, a=0x7ffe5be87070) at /usr/src/debug/qt6-qtbase-6.9.1-1.fc42.x86_64/src/corelib/kernel/qobjectdefs_impl.h:461
#10 doActivate<false> (sender=0x55e440f994e0, signal_index=15, argv=argv@entry=0x7ffe5be87070) at /usr/src/debug/qt6-qtbase-6.9.1-1.fc42.x86_64/src/corelib/kernel/qobject.cpp:4146
[...]
#13 TwinTableMember::contextMenuRequest (this=<optimized out>, _t1=<optimized out>, _t2=<optimized out>, _t3=...) at /usr/src/debug/rkward-0.8.2~pre^1.gitcb3c2dd3-1.fc42.x86_64/redhat-linux-build/rkward/dataeditor/dataeditor_autogen/EWIEGA46WW/moc_twintablemember.cpp:162
#14 TwinTableMember::handleContextMenuRequest (this=0x55e440f994e0, pos=...) at /usr/src/debug/rkward-0.8.2~pre^1.gitcb3c2dd3-1.fc42.x86_64/rkward/dataeditor/twintablemember.cpp:160
#15 0x00007f78d61657ba in QtPrivate::QSlotObjectBase::call (this=0x55e440fb0260, r=0x55e440f994e0, a=0x7ffe5be871b0) at /usr/src/debug/qt6-qtbase-6.9.1-1.fc42.x86_64/src/corelib/kernel/qobjectdefs_impl.h:461
#16 doActivate<false> (sender=0x55e440f994e0, signal_index=6, argv=argv@entry=0x7ffe5be871b0) at /usr/src/debug/qt6-qtbase-6.9.1-1.fc42.x86_64/src/corelib/kernel/qobject.cpp:4146
[...]
#19 QWidget::customContextMenuRequested (this=this@entry=0x55e440f994e0, _t1=...) at /usr/src/debug/qt6-qtbase-6.9.1-1.fc42.x86_64/redhat-linux-build/src/widgets/Widgets_autogen/include/moc_qwidget.cpp:603
#20 0x00007f78d86a79c2 in QWidget::event (this=this@entry=0x55e440f994e0, event=event@entry=0x7ffe5be87640) at /usr/src/debug/qt6-qtbase-6.9.1-1.fc42.x86_64/src/widgets/kernel/qwidget.cpp:9174
#21 0x00007f78d87010f6 in QFrame::event (this=0x55e440f994e0, e=0x7ffe5be87640) at /usr/src/debug/qt6-qtbase-6.9.1-1.fc42.x86_64/src/widgets/widgets/qframe.cpp:521
#22 0x00007f78d60f9caa in QCoreApplicationPrivate::sendThroughObjectEventFilters (receiver=receiver@entry=0x55e440f9b770, event=event@entry=0x7ffe5be87640) at /usr/src/debug/qt6-qtbase-6.9.1-1.fc42.x86_64/src/corelib/kernel/qcoreapplication.cpp:1243
#23 0x00007f78d863d96f in QApplicationPrivate::notify_helper (this=this@entry=0x55e43f00ca30, receiver=receiver@entry=0x55e440f9b770, e=e@entry=0x7ffe5be87640) at /usr/src/debug/qt6-qtbase-6.9.1-1.fc42.x86_64/src/widgets/kernel/qapplication.cpp:3297


Reported using DrKonqi
Comment 1 Matt Fagnani 2025-08-06 04:34:26 UTC
Created attachment 183821 [details]
New crash information added by DrKonqi

DrKonqi auto-attaching complete backtrace.
Comment 2 Matt Fagnani 2025-08-06 22:27:55 UTC
Created attachment 183839 [details]
Valgrind log for RKWard crash

I ran RKWard under valgrind and reproduced the crash. There were many uses of uninitialized variables and "Mismatched new/delete size value: 1" involving qtwebengine. The valgrind log at the time of the crash showed an invalid read at the address 0x10.

==5582== Thread 1:
==5582== Invalid read of size 8
==5582==    at 0x1122323E: UnknownInlinedFun (unique_ptr.h:193)
==5582==    by 0x1122323E: UnknownInlinedFun (unique_ptr.h:473)
==5582==    by 0x1122323E: UnknownInlinedFun (unique_ptr.h:466)
==5582==    by 0x1122323E: KXMLGUIFactory::container(QString const&, KXMLGUIClient*, bool) (kxmlguifactory.cpp:450)
==5582==    by 0x41AED7F: TwinTable::contextMenu(int, int, QPoint const&) (twintable.cpp:325)
==5582==    by 0x13A437B9: call (qobjectdefs_impl.h:461)
==5582==    by 0x13A437B9: void doActivate<false>(QObject*, int, void**) (qobject.cpp:4146)
==5582==    by 0x41AE835: UnknownInlinedFun (qobjectdefs.h:306)
==5582==    by 0x41AE835: UnknownInlinedFun (moc_twintablemember.cpp:162)
==5582==    by 0x41AE835: TwinTableMember::handleContextMenuRequest(QPoint const&) (twintablemember.cpp:160)
==5582==    by 0x13A437B9: call (qobjectdefs_impl.h:461)
==5582==    by 0x13A437B9: void doActivate<false>(QObject*, int, void**) (qobject.cpp:4146)
==5582==    by 0x117CF631: activate<void, QPoint> (qobjectdefs.h:306)
==5582==    by 0x117CF631: QWidget::customContextMenuRequested(QPoint const&) (moc_qwidget.cpp:603)
==5582==    by 0x117F39C1: QWidget::event(QEvent*) (qwidget.cpp:9174)
==5582==    by 0x1184D0F5: QFrame::event(QEvent*) (qframe.cpp:521)
==5582==    by 0x139D7CA9: QCoreApplicationPrivate::sendThroughObjectEventFilters(QObject*, QEvent*) (qcoreapplication.cpp:1243)
==5582==    by 0x1178996E: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:3297)
==5582==    by 0x117954CA: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:2921)
==5582==    by 0x139D7F37: QCoreApplication::notifyInternal2(QObject*, QEvent*) (qcoreapplication.cpp:1106)
==5582==  Address 0x10 is not stack'd, malloc'd or (recently) free'd
==5582== 
==5582== 
==5582== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==5582==    at 0x1437709C: __pthread_kill_implementation (pthread_kill.c:44)
==5582==    by 0x1431DA7D: raise (raise.c:26)
==5582==    by 0x110FF532: KCrash::defaultCrashHandler(int) (in /usr/lib64/libKF6Crash.so.6.16.0)
==5582==    by 0x1431DBAF: ??? (in /usr/lib64/libc.so.6)
==5582==    by 0x1122323D: KXMLGUIFactory::container(QString const&, KXMLGUIClient*, bool) (kxmlguifactory.cpp:449)
==5582==    by 0x41AED7F: TwinTable::contextMenu(int, int, QPoint const&) (twintable.cpp:325)
==5582==    by 0x13A437B9: call (qobjectdefs_impl.h:461)
==5582==    by 0x13A437B9: void doActivate<false>(QObject*, int, void**) (qobject.cpp:4146)
==5582==    by 0x41AE835: UnknownInlinedFun (qobjectdefs.h:306)
==5582==    by 0x41AE835: UnknownInlinedFun (moc_twintablemember.cpp:162)
==5582==    by 0x41AE835: TwinTableMember::handleContextMenuRequest(QPoint const&) (twintablemember.cpp:160)
==5582==    by 0x13A437B9: call (qobjectdefs_impl.h:461)
==5582==    by 0x13A437B9: void doActivate<false>(QObject*, int, void**) (qobject.cpp:4146)
==5582==    by 0x117CF631: activate<void, QPoint> (qobjectdefs.h:306)
==5582==    by 0x117CF631: QWidget::customContextMenuRequested(QPoint const&) (moc_qwidget.cpp:603)
==5582==    by 0x117F39C1: QWidget::event(QEvent*) (qwidget.cpp:9174)
==5582==    by 0x1184D0F5: QFrame::event(QEvent*) (qframe.cpp:521)
==5582== 

In another normal RKWard run, I created a new data.frame as above, wrote the letter a in the R console, selected the a, right-clicked on it, then selected Copy selection literally in the context menu. RKWard crashed with the same type of trace. So the problem can happen with copying and pasting.
Comment 3 Thomas Friedrichsmeier 2025-08-07 18:34:06 UTC
Hmm. I cannot immediately reproduce this with frameworks version 6.14.0.

I am also rather baffled by this crash. The immediate cause is factory() returning a nullptr, of course, and this could easily be checked for. However, TwinTableMember is a widget in the dataeditor, and I do not see why it should receive a context menu request event at all for something happening in a different widget. That's also the reason why factory() is null: it simply isn't the active window at the time of the event.
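
Added example, not part of the original report and not RKWard or KXmlGui code: a model of why a call through a null factory pointer faults at address 0x10 rather than 0x0, next to the kind of null check comment 3 refers to. ObjectBase, Factory, FactoryPrivate, Client and the "menu" container name are hypothetical stand-ins, and the layout assumes a 64-bit build where a vtable pointer and a base-class d-pointer precede the subclass's own d-pointer.

```cpp
#include <cstdint>
#include <cstdio>
#include <memory>
#include <string>
#include <unordered_map>

// Hypothetical stand-ins, not the KXmlGui classes. The layout mimics a
// QObject-derived class on a 64-bit build: vtable pointer, the base class's
// d-pointer, then the subclass's own unique_ptr d-pointer.
struct ObjectBase {
    virtual ~ObjectBase() = default;
    void *base_d = nullptr;
};

struct FactoryPrivate {
    std::unordered_map<std::string, int> containers;  // name -> menu id (constructed)
};

struct Factory : ObjectBase {
    std::unique_ptr<FactoryPrivate> d = std::make_unique<FactoryPrivate>();
    // Loads this->d before anything else, so a null `this` faults on that load.
    int container(const std::string &name) const {
        auto it = d->containers.find(name);
        return it == d->containers.end() ? -1 : it->second;
    }
};

struct Client {
    Factory *f = nullptr;  // stays null until the client is attached to a factory
    Factory *factory() const { return f; }
};

// Offset of `d` inside Factory, i.e. the address read when `this` is null.
std::uintptr_t null_this_fault_address() {
    Factory probe;
    return reinterpret_cast<std::uintptr_t>(&probe.d) -
           reinterpret_cast<std::uintptr_t>(&probe);
}

// Guarded lookup: returns -1 instead of calling through a null factory.
int guarded_container(const Client &c, const std::string &name) {
    Factory *f = c.factory();
    return f ? f->container(name) : -1;
}

int main() {
    Client detached;
    std::printf("fault address for null this: 0x%zx\n",
                static_cast<std::size_t>(null_this_fault_address()));
    std::printf("detached client lookup: %d\n", guarded_container(detached, "menu"));
}
```

A small non-zero fault address such as the 0x10 in the Valgrind log is the usual signature of a member read through a null object pointer: the address is the member's offset, not the pointer value itself.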
Comment 4 Thomas Friedrichsmeier 2025-08-07 19:25:45 UTC
Git commit bee78f2bf042dbc4a0cad59d7ecd9b32f12ffca3 by Thomas Friedrichsmeier.
Committed on 07/08/2025 at 19:25.
Pushed by tfry into branch 'master'.

Improve context menu event handling in console

M  +3    -8    rkward/rkconsole.cpp

https://invent.kde.org/education/rkward/-/commit/bee78f2bf042dbc4a0cad59d7ecd9b32f12ffca3
Comment 5 Thomas Friedrichsmeier 2025-08-07 19:27:24 UTC
Ok, I may have found the culprit. However, as I could not reproduce the actual crash here, it would be much appreciated if you could test again.
Comment 6 Matt Fagnani 2025-08-08 01:52:51 UTC
Thanks. The problem didn't happen with rkward-master-1898-linux-gcc-x86_64.appimage which had the patch and Qt 6.8.3 and KF 6.16.0 and the previous rkward-master-1891-linux-gcc-x86_64.appimage which had Qt 6.8.3 and KF 6.15.0 from July 10. I couldn't tell if the problem was fixed by the patch that way since they both weren't affected. I built the Fedora rkward rpm with the patch, and the problem didn't happen with this build. The patch seemed to fix the problem. If you want to reproduce the crash, you could try it in a Fedora 42 KDE edition installation updated with the updates-testing repo enabled which uses Qt 6.9.1 and KF 6.16.0.

Since I used Enter new data to create a new data frame, the data editor was shown. I selected R console at the bottom left, and the console was shown in the bottom part while the data editor was in the top part. When I right-clicked in the console, the context menu partly overlapped with the data editor. When I didn't use Enter new data before the R console so the data editor wasn't shown, the crash didn't happen.