Bug 303840 - Kwin crash to do with hidden, empty or otherwise odd window titles
Summary: Kwin crash to do with hidden, empty or otherwise odd window titles
Alias: None
Product: kwin
Classification: Unclassified
Component: tabbox
Version: unspecified
Platform: Ubuntu Packages Linux
: NOR crash
Target Milestone: 4.9.0
Assignee: Martin Flöser
URL: https://git.reviewboard.kde.org/r/105...
Depends on:
Reported: 2012-07-20 10:23 UTC by Nick Leverton
Modified: 2012-07-22 17:24 UTC

See Also:
Latest Commit:
Version Fixed In: 4.9.0
mgraesslin: ReviewRequest+

Most likely fix (570 bytes, patch)
2012-07-20 10:35 UTC, Martin Flöser

Description Nick Leverton 2012-07-20 10:23:02 UTC
Application: kwin (4.8.90 (4.8.90))
KDE Platform Version: 4.8.90 (4.8.90)
Qt Version: 4.8.1
Operating System: Linux 3.2.0-26-generic-pae i686
Distribution: Ubuntu 12.04 LTS

-- Information about the crash:
- What I was doing when the application crashed:

I had been running a Konqueror Java applet which seemed to have left some hidden windows.  They showed up in the alt-tab task list but not in the task bar.  When I alt-tabbed to them, no window appeared on the screen so I couldn't close them.

However, there was also a Konqueror instance apparently with no window title, just an icon.  I can't remember now if it showed up in the alt-tab list or only in the task bar, I have a feeling it was the latter.  Either way, when I selected that instance to close it, Kwin crashed immediately.

Not sure what the applet is, it's something supplied by my virtual hoster for VNC access to my virtual machine.  I will find out that and attempt to reproduce for other missing details, and append them later.

-- Backtrace:
Application: KWin (kwin), signal: Segmentation fault
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
[Current thread is 1 (Thread 0xb1b2a740 (LWP 26717))]

Thread 3 (Thread 0xad56eb40 (LWP 26729)):
#0  0xb77be424 in __kernel_vsyscall ()
#1  0xb2acb96b in pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/i386/i686/../i486/pthread_cond_wait.S:169
#2  0xb759b3dc in __pthread_cond_wait (cond=0xb67f1890, mutex=0xb67f1878) at forward.c:139
#3  0xb66ed029 in QTWTF::TCMalloc_PageHeap::scavengerThread (this=0xb67ec7a0) at ../3rdparty/javascriptcore/JavaScriptCore/wtf/FastMalloc.cpp:2359
#4  0xb66ed06f in QTWTF::TCMalloc_PageHeap::runScavengerThread (context=0xb67ec7a0) at ../3rdparty/javascriptcore/JavaScriptCore/wtf/FastMalloc.cpp:1464
#5  0xb2ac7d4c in start_thread (arg=0xad56eb40) at pthread_create.c:308
#6  0xb758dace in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130

Thread 2 (Thread 0xae1ffb40 (LWP 30190)):
#0  0xb2b0cdcd in __GI_clock_gettime (clock_id=1, tp=0xae1fefe8) at ../sysdeps/unix/clock_gettime.c:116
#1  0xb5f80315 in do_gettime (frac=0xae1fefe0, sec=0xae1fefd8) at tools/qelapsedtimer_unix.cpp:123
#2  qt_gettime () at tools/qelapsedtimer_unix.cpp:140
#3  0xb606a226 in QTimerInfoList::updateCurrentTime (this=0xad800b24) at kernel/qeventdispatcher_unix.cpp:343
#4  0xb606bc2b in QEventDispatcherUNIXPrivate::doSelect (this=0xad800488, flags=..., timeout=0x0) at kernel/qeventdispatcher_unix.cpp:186
#5  0xb606c1f4 in QEventDispatcherUNIX::processEvents (this=0xad80f540, flags=...) at kernel/qeventdispatcher_unix.cpp:926
#6  0xb603550d in QEventLoop::processEvents (this=0xae1ff240, flags=...) at kernel/qeventloop.cpp:149
#7  0xb60357a9 in QEventLoop::exec (this=0xae1ff240, flags=...) at kernel/qeventloop.cpp:204
#8  0xb5f1e94c in QThread::exec (this=0x996eb68) at thread/qthread.cpp:501
#9  0xb6012b5d in QInotifyFileSystemWatcherEngine::run (this=0x996eb68) at io/qfilesystemwatcher_inotify.cpp:248
#10 0xb5f21de0 in QThreadPrivate::start (arg=0x996eb68) at thread/qthread_unix.cpp:298
#11 0xb2ac7d4c in start_thread (arg=0xae1ffb40) at pthread_create.c:308
#12 0xb758dace in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130

Thread 1 (Thread 0xb1b2a740 (LWP 26717)):
[KCrash Handler]
#7  KWin::TabBox::ClientModel::longestCaption (this=0x9654030) at ../../kwin/tabbox/clientmodel.cpp:96
#8  0xb776c7c0 in KWin::TabBox::DeclarativeView::showEvent (this=0x9946da8, event=0xbfacbc70) at ../../kwin/tabbox/declarative.cpp:169
#9  0xb557c659 in QWidget::event (this=0x9946da8, event=0xbfacbc70) at kernel/qwidget.cpp:8569
#10 0xb5999e45 in QFrame::event (this=0x9946da8, e=0xbfacbc70) at widgets/qframe.cpp:557
#11 0xb5a2e5d4 in QAbstractScrollArea::event (this=0x9946da8, e=0xbfacbc70) at widgets/qabstractscrollarea.cpp:996
#12 0xb5bf2cd8 in QGraphicsView::event (this=0x9946da8, event=0xbfacbc70) at graphicsview/qgraphicsview.cpp:2740
#13 0xb5521ed4 in notify_helper (e=0xbfacbc70, receiver=0x9946da8, this=0x95d9508) at kernel/qapplication.cpp:4559
#14 QApplicationPrivate::notify_helper (this=0x95d9508, receiver=0x9946da8, e=0xbfacbc70) at kernel/qapplication.cpp:4531
#15 0xb55273a2 in QApplication::notify (this=0x95d9508, receiver=0x9946da8, e=0xbfacbc70) at kernel/qapplication.cpp:4524
#16 0xb724b401 in KApplication::notify (this=0xbfacc634, receiver=0x9946da8, event=0xbfacbc70) at ../../kdeui/kernel/kapplication.cpp:311
#17 0xb76bca3f in notify (e=0xbfacbc70, o=0x9946da8, this=0xbfacc634) at ../../kwin/main.cpp:371
#18 KWin::Application::notify (this=0xbfacc634, o=0x9946da8, e=0xbfacbc70) at ../../kwin/main.cpp:367
#19 0xb603697e in QCoreApplication::notifyInternal (this=0xbfacc634, receiver=0x9946da8, event=0xbfacbc70) at kernel/qcoreapplication.cpp:876
#20 0xb557f28d in sendEvent (event=0xbfacbc70, receiver=0x9946da8) at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:231
#21 QWidgetPrivate::show_helper (this=0x9972bd0) at kernel/qwidget.cpp:7542
#22 0xb557f5c1 in QWidget::setVisible (this=0x9946da8, visible=true) at kernel/qwidget.cpp:7764
#23 0xb776e349 in show (this=0x9946da8) at /usr/include/qt4/QtGui/qwidget.h:494
#24 KWin::TabBox::TabBoxHandler::show (this=0x9641b80) at ../../kwin/tabbox/tabboxhandler.cpp:253
#25 0xb7763035 in show (this=0x965ccb8) at ../../kwin/tabbox/tabbox.cpp:660
#26 KWin::TabBox::TabBox::show (this=0x965ccb8) at ../../kwin/tabbox/tabbox.cpp:651
#27 0xb7766f97 in qt_static_metacall (_a=0xbfacbe20, _id=5, _o=0x965ccb8, _c=<optimized out>) at ./tabbox.moc:139
#28 KWin::TabBox::TabBox::qt_static_metacall (_o=0x965ccb8, _c=QMetaObject::InvokeMetaMethod, _id=5, _a=0xbfacbe20) at ./tabbox.moc:128
#29 0xb604d6b1 in QMetaObject::activate (sender=0x965ccd0, m=0xb61944d8, local_signal_index=0, argv=0x0) at kernel/qobject.cpp:3547
#30 0xb60a0625 in QTimer::timeout (this=0x965ccd0) at .moc/release-shared/moc_qtimer.cpp:148
#31 0xb6056566 in QTimer::timerEvent (this=0x965ccd0, e=0xbfacc34c) at kernel/qtimer.cpp:280
#32 0xb6051ac4 in QObject::event (this=0x965ccd0, e=0xbfacc34c) at kernel/qobject.cpp:1157
#33 0xb5521ed4 in notify_helper (e=0xbfacc34c, receiver=0x965ccd0, this=0x95d9508) at kernel/qapplication.cpp:4559
#34 QApplicationPrivate::notify_helper (this=0x95d9508, receiver=0x965ccd0, e=0xbfacc34c) at kernel/qapplication.cpp:4531
#35 0xb552730d in QApplication::notify (this=0xbfacc34c, receiver=0x965ccd0, e=0xbfacc34c) at kernel/qapplication.cpp:4288
#36 0xb724b401 in KApplication::notify (this=0xbfacc634, receiver=0x965ccd0, event=0xbfacc34c) at ../../kdeui/kernel/kapplication.cpp:311
#37 0xb76bca3f in notify (e=0xbfacc34c, o=0x965ccd0, this=0xbfacc634) at ../../kwin/main.cpp:371
#38 KWin::Application::notify (this=0xbfacc634, o=0x965ccd0, e=0xbfacc34c) at ../../kwin/main.cpp:367
#39 0xb603697e in QCoreApplication::notifyInternal (this=0xbfacc634, receiver=0x965ccd0, event=0xbfacc34c) at kernel/qcoreapplication.cpp:876
#40 0xb606b990 in sendEvent (event=0xbfacc34c, receiver=<optimized out>) at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:231
#41 QTimerInfoList::activateTimers (this=0x95d9ec4) at kernel/qeventdispatcher_unix.cpp:611
#42 0xb606c207 in QEventDispatcherUNIX::processEvents (this=0x95d94e8, flags=...) at kernel/qeventdispatcher_unix.cpp:930
#43 0xb55dbb6e in QEventDispatcherX11::processEvents (this=0x95d94e8, flags=...) at kernel/qeventdispatcher_x11.cpp:152
#44 0xb603550d in QEventLoop::processEvents (this=0xbfacc594, flags=...) at kernel/qeventloop.cpp:149
#45 0xb60357a9 in QEventLoop::exec (this=0xbfacc594, flags=...) at kernel/qeventloop.cpp:204
#46 0xb603aeba in QCoreApplication::exec () at kernel/qcoreapplication.cpp:1148
#47 0xb551fa74 in QApplication::exec () at kernel/qapplication.cpp:3820
#48 0xb76bf8f6 in kdemain (argc=3, argv=0xbfacc8d4) at ../../kwin/main.cpp:545
#49 0x0804850b in main (argc=3, argv=0xbfacc8d4) at kwin_dummy.cpp:3

Reported using DrKonqi
Comment 1 Martin Flöser 2012-07-20 10:35:18 UTC
Created attachment 72645
Most likely fix

Would you have a chance to reproduce the situation and test this patch? Pretty sure it will fix the crash, but it would be nice nevertheless :-)
Comment 2 Martin Flöser 2012-07-21 09:37:43 UTC
Added a review request with a unit test to simulate the crash: https://git.reviewboard.kde.org/r/105645/
Comment 3 Martin Flöser 2012-07-22 17:24:32 UTC
Git commit ff0f879b66e275030570d9d36909e7fecd01b3ec by Martin Gräßlin.
Committed on 21/07/2012 at 11:25.
Pushed by graesslin into branch 'KDE/4.9'.

Verify pointer is valid when calculating the longest caption

The method was missing a check whether the weak pointers in the
internal list got deleted. This could in very unlikely cases
lead to a crash.

In order to verify that adding the null pointer check fixes the
crash, a unit test is added to simulate the situation of a
pointer being deleted. This required adding mocks for a few
classes of TabBox. A MockTabBoxHandler and MockTabBoxClient are
added implementing the specific interfaces. The DeclarativeView
is completely mocked to make the linker happy. Including the
actual implementation is not possible as it pulls in half of
KWin core.
FIXED-IN: 4.9.0
REVIEW: 105645

M  +1    -0    kwin/tabbox/CMakeLists.txt
M  +3    -0    kwin/tabbox/clientmodel.cpp
A  +17   -0    kwin/tabbox/tests/CMakeLists.txt
A  +94   -0    kwin/tabbox/tests/mock_declarative.cpp     [License: GPL (v2)]
A  +38   -0    kwin/tabbox/tests/mock_tabboxclient.cpp     [License: GPL (v2)]
A  +67   -0    kwin/tabbox/tests/mock_tabboxclient.h     [License: GPL (v2)]
A  +99   -0    kwin/tabbox/tests/mock_tabboxhandler.cpp     [License: GPL (v2)]
A  +93   -0    kwin/tabbox/tests/mock_tabboxhandler.h     [License: GPL (v2)]
A  +47   -0    kwin/tabbox/tests/test_tabbox_clientmodel.cpp     [License: GPL (v2)]
A  +38   -0    kwin/tabbox/tests/test_tabbox_clientmodel.h     [License: GPL (v2)]
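The defect the commit message describes, as an added example that is not kwin's code: a model that keeps weak (non-owning) references to clients computes the longest caption without checking whether a referent has already been destroyed. The example assumes a hypothetical `Client` type and uses `std::weak_ptr` in place of Qt's QWeakPointer; the captions are constructed sample values.

```cpp
// Added illustration, not kwin's code: the null-check from the commit message,
// recreated with std::weak_ptr for Qt's QWeakPointer and a hypothetical Client.
#include <memory>
#include <string>
#include <vector>

struct Client { std::string caption; };

// Non-owning client list, as the TabBox ClientModel keeps one; a client may be
// destroyed while the model still lists it.
struct ClientModel {
    std::vector<std::weak_ptr<Client>> clients;
    // Before the fix: every entry is assumed alive. Dereferencing an expired
    // entry is undefined behaviour; in kwin it was the reported segfault.
    std::string longestCaptionUnchecked() const {
        std::string longest;
        for (const auto& weak : clients) {
            std::shared_ptr<Client> c = weak.lock();
            if (c->caption.size() > longest.size())   // null deref if expired
                longest = c->caption;
        }
        return longest;
    }
    // After the fix: skip entries whose client has already been deleted.
    std::string longestCaption() const {
        std::string longest;
        for (const auto& weak : clients) {
            std::shared_ptr<Client> c = weak.lock();
            if (!c) continue;                         // the missing check
            if (c->caption.size() > longest.size())
                longest = c->caption;
        }
        return longest;
    }
};

// Mirrors the review's unit-test idea: constructed captions, then the client
// at index `deleted` (if in range) is destroyed behind the model's back.
std::string simulateDeletedClient(int deleted) {
    std::vector<std::shared_ptr<Client>> owners = {
        std::make_shared<Client>(Client{"Konqueror"}),
        std::make_shared<Client>(Client{""}),           // empty window title
        std::make_shared<Client>(Client{"Konsole - bash"}),
    };
    ClientModel model;
    for (const auto& o : owners) model.clients.push_back(o);
    if (deleted >= 0 && deleted < static_cast<int>(owners.size()))
        owners[deleted].reset();
    return model.longestCaption();   // safe even with an expired entry
}
```

Only the checked variant is exercised; the unchecked one is kept for contrast and would dereference a null pointer as soon as any listed client goes away.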