Bug 514619

Summary: Use of split transaction editor causes crash
Product: [Applications] kmymoney
Reporter: Lawrence Wright <lwright>
Component: general
Assignee: KMyMoney Devel Mailing List <kmymoney-devel>
Status: RESOLVED FIXED
Severity: crash
CC: a.urso, ralf.habacker
Priority: NOR
Version First Reported In: 5.2.1
Target Milestone: ---
Platform: Microsoft Windows
OS: Other
Latest Commit:
Version Fixed/Implemented In: 5.2.2
Sentry Crash Report:
Attachments: crash video

Description Lawrence Wright 2026-01-14 21:37:32 UTC
SUMMARY

I make daily use of the split transaction editor; however, on the Windows build from commit eda3fb1 it causes a crash as soon as you press OK. It happens regardless of whether you're creating a new transaction or editing an existing one.

Commit 914c61b is fine.

STEPS TO REPRODUCE
1. Install 5.2.1-eda3fb1 
2. Create a transaction and use the split editor
3. Enter one or more lines
4. Press OK and watch it crash

OBSERVED RESULT

Total crash after a short delay

EXPECTED RESULT

Transaction correctly entered in register

SOFTWARE/OS VERSIONS
Windows: 11 25H2
Comment 1 Adilson Urso 2026-01-14 22:35:47 UTC
Created attachment 188536
crash video

I made a video of the problem
Comment 2 Jack 2026-01-14 23:18:11 UTC
I can replicate the crash on Win 10 in VirtualBox on a Gentoo Linux host. Not sure how helpful this is without better debug info, but running under gdb gives me:

Thread 1 received signal SIGSEGV, Segmentation fault.
0x00007ffff9fc6a44 in Qt6Widgets!?visualRegionForSelection@QHeaderView@@MEBA?AVQRegion@@AEBVQItemSelection@@@Z () from C:\Users\ostro\Desktop\KMM\5143\bin\Qt6Widgets.dll
(gdb) bt
#0  0x00007ffff9fc6a44 in Qt6Widgets!?visualRegionForSelection@QHeaderView@@MEBA?AVQRegion@@AEBVQItemSelection@@@Z () from C:\Users\ostro\Desktop\KMM\5143\bin\Qt6Widgets.dll
#1  0x00007ffff9fbf160 in Qt6Widgets!?saveState@QHeaderView@@QEBA?AVQByteArray@@XZ () from C:\Users\ostro\Desktop\KMM\5143\bin\Qt6Widgets.dll
#2  0x00007ff81711491a in kmm_base_widgets!??$fromValue@VQByteArray@@@QVariant@@SA?AV0@AEBVQByteArray@@@Z () from C:\Users\ostro\Desktop\KMM\5143\bin\kmm_base_widgets.dll
#3  0x00007ff81710e8d8 in kmm_base_widgets!??$fromValue@VQByteArray@@@QVariant@@SA?AV0@AEBVQByteArray@@@Z () from C:\Users\ostro\Desktop\KMM\5143\bin\kmm_base_widgets.dll
#4  0x00007ff6f74bbed5 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb)
and that starts in the dll mentioned in your Discuss post:

(b1dc.b108): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for C:\Program Files\KMyMoney\bin\Qt6Widgets.dll
Qt6Widgets!QHeaderView::visualRegionForSelection+0x674:
00007ffd05ea6a44 8b9158050000    mov     edx,dword ptr [rcx+558h] ds:feeefeeefeef0446=???
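
A triage sketch for the faulting instruction quoted in comment 2, added here as an example and not part of any comment or of the KMyMoney code: it subtracts the displacement from the effective address the debugger printed to recover the register value, then checks that value against well-known Windows and MSVC debug fill patterns. The function name `classify_fault` and the pattern table are this example's own assumptions; a freed-heap fill in the base register is what a use-after-free looks like under a debugger-enabled heap.

```python
import re

# Well-known 32-bit fill patterns written by the Windows heap and the MSVC
# debug runtime; a 64-bit register that was loaded from such memory holds
# the pattern twice.
FILL_PATTERNS = {
    0xFEEEFEEE: "freed heap memory (Windows debug heap fill on HeapFree)",
    0xDDDDDDDD: "freed heap memory (MSVC debug CRT)",
    0xCDCDCDCD: "uninitialized heap memory (MSVC debug CRT)",
    0xCCCCCCCC: "uninitialized stack memory (MSVC /RTC)",
    0xBAADF00D: "uninitialized heap memory (Windows debug heap fill on alloc)",
}

# Matches the memory operand and effective address printed for the faulting
# instruction, e.g. "dword ptr [rcx+558h] ds:feeefeeefeef0446=???"
FAULT_RE = re.compile(
    r"\[(?P<reg>[a-z0-9]+)(?:\+(?P<disp>[0-9a-f]+)h)?\]\s+"
    r"[a-z]s:(?P<ea>[0-9a-f`]+)=", re.IGNORECASE)

def classify_fault(line):
    """Return (register, base value, verdict) for a fault line, or None."""
    m = FAULT_RE.search(line)
    if not m:
        return None
    ea = int(m.group("ea").replace("`", ""), 16)
    disp = int(m.group("disp") or "0", 16)
    base = (ea - disp) & 0xFFFFFFFFFFFFFFFF  # value the register held
    lo, hi = base & 0xFFFFFFFF, base >> 32
    if lo in FILL_PATTERNS and hi in (lo, 0):
        verdict = FILL_PATTERNS[lo]
    elif base < 0x10000:
        verdict = "null pointer plus offset"
    else:
        verdict = "no known fill pattern"
    return m.group("reg"), base, verdict

# Faulting instruction exactly as quoted in comment 2 of this report.
SAMPLE = ("00007ffd05ea6a44 8b9158050000    mov     edx,dword ptr [rcx+558h] "
          "ds:feeefeeefeef0446=???")

if __name__ == "__main__":
    reg, base, verdict = classify_fault(SAMPLE)
    print(f"{reg} = {base:#018x}: {verdict}")
```
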
Comment 3 Ralf Habacker 2026-01-15 19:52:35 UTC
I asked an AI and got this answer: 

Problem 1: ColumnSelector destructor calls updateHeaderState()
ColumnSelector::~ColumnSelector()
{
    Q_D(ColumnSelector);
    d->updateHeaderState();
    delete d;
}
But: ColumnSelector is a child of the view (QObject(view)). When the view is destroyed:
- QHeaderView is destroyed first
- Then ColumnSelector is destroyed
At that point:
- d->headerView may already be deleted
- Or partially destructed (selection model gone)
Yet updateHeaderState() does:
   grp.writeEntry("HeaderState", headerView->saveState());

💥 saveState() internally calls visualRegionForSelection()
→ uses selection model
→ boom: SIGSEGV

This matches your stack trace perfectly.

❌ Problem 2: destroyed signal lambda still calls saveState()
connect(d->headerView, &QObject::destroyed, this, [&]() {
    Q_D(ColumnSelector);
    d->updateHeaderState();
    d->headerView = nullptr;
});
This is even worse:
- destroyed(QObject*) is emitted during destruction
- The header is already partially torn down
- Internal members used by saveState() are invalid

Qt docs explicitly warn:
Do not call complex functions on objects from within their destroyed() handler.

🧨 Why Qt 6 crashes and Qt 5 didn’t
Qt 6 changed internal header handling:
- Selection handling is more aggressive
- saveState() now accesses selection regions
- Undefined behavior that “worked” in Qt 5 now crashes deterministically
So this is latent UB exposed by Qt 6, not a regression.


How to verify this 100% locally
Test A – comment out the destroyed() connection
// connect(d->headerView, &QObject::destroyed, ...);
➡️ Crash disappears (TreeView)
Test B – keep destroyed(), but comment out saveState()
connect(d->headerView, &QObject::destroyed, this, [&]() {
    d->headerView = nullptr;
});
➡️ Crash disappears
Test C – add a guard
if (!headerView->selectionModel()) return;
➡️ Crash disappears
All three confirm the same root cause.


Minimal Patch
❌ Remove this block in ColumnSelector::ColumnSelector entirely:
connect(d->headerView, &QObject::destroyed, this, [&]() {
    Q_D(ColumnSelector);
    d->updateHeaderState();
    d->headerView = nullptr;
});
Comment 4 Thomas Baumgart 2026-01-16 13:10:26 UTC
Git commit 3073fc6344602d51477aeb7452550ac3c50c1f37 by Thomas Baumgart.
Committed on 16/01/2026 at 13:10.
Pushed by tbaumgart into branch 'master'.

Prevent crash when closing split view
FIXED-IN: 5.2.2

M  +5    -0    kmymoney/views/splitview.cpp

https://invent.kde.org/office/kmymoney/-/commit/3073fc6344602d51477aeb7452550ac3c50c1f37
Comment 5 Thomas Baumgart 2026-01-16 13:10:51 UTC
Git commit 70fb8caf85d7b4f03891f960146df23c08fa2a3b by Thomas Baumgart.
Committed on 16/01/2026 at 13:10.
Pushed by tbaumgart into branch '5.2'.

Prevent crash when closing split view
FIXED-IN: 5.2.2
(cherry picked from commit 3073fc6344602d51477aeb7452550ac3c50c1f37)

M  +5    -0    kmymoney/views/splitview.cpp

https://invent.kde.org/office/kmymoney/-/commit/70fb8caf85d7b4f03891f960146df23c08fa2a3b
Comment 6 Jack 2026-01-16 23:28:34 UTC
fix confirmed