473609 – Kirigami Gallery crashed in ~DelegateCache()

Bug 473609 - Kirigami Gallery crashed in ~DelegateCache()

Summary: Kirigami Gallery crashed in ~DelegateCache()

Status:	RESOLVED UNMAINTAINED

Alias:	None

Product:	frameworks-kirigami
Classification:	Frameworks and Libraries
Component:	general (show other bugs)
Version:	Master
Platform:	Other Linux

Importance:	NOR crash
Target Milestone:	Not decided
Assignee:	kdelibs bugs

URL:
Keywords:	qt6

Depends on:
Blocks:

Reported:	2023-08-21 18:58 UTC by ratijas
Modified:	2023-10-13 18:15 UTC (History)
CC List:	1 user (show)

See Also:
Latest Commit:
Version Fixed In:
Sentry Crash Report:

Attachments
Add an attachment

Note You need to log in before you can comment on or make changes to this bug.

Description ratijas 2023-08-21 18:58:42 UTC

SUMMARY

backtrace:

#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=11, no_tid=no_tid@entry=0) at pthread_kill.c:44
#1  0x00007f2e7fc8e8a3 in __pthread_kill_internal (signo=11, threadid=<optimized out>) at pthread_kill.c:78
#2  0x00007f2e7fc3e668 in __GI_raise (sig=11) at ../sysdeps/posix/raise.c:26
#3  0x00007f2e798cd989 in KCrash::defaultCrashHandler(int) (sig=11) at /home/ratijas/kde/src6/kcrash/src/kcrash.cpp:612
#4  0x00007f2e7fc3e710 in <signal handler called> () at /usr/lib/libc.so.6
#5  0x00007f2e80f16d1b in QScopedPointer<QShortcutMapPrivate, QScopedPointerDeleter<QShortcutMapPrivate> >::get() const (this=<optimized out>)
    at /usr/src/debug/qt6-base/qtbase-everywhere-src-6.5.2/src/corelib/tools/qscopedpointer.h:111
#6  qGetPtrHelper<QScopedPointer<QShortcutMapPrivate, QScopedPointerDeleter<QShortcutMapPrivate> > >(QScopedPointer<QShortcutMapPrivate, QScopedPointerDeleter<QShortcutMapPrivate> >&) (ptr=<optimized out>)
    at /usr/src/debug/qt6-base/qtbase-everywhere-src-6.5.2/src/corelib/global/qtclasshelpermacros.h:79
#7  QShortcutMap::d_func() (this=<optimized out>) at /usr/src/debug/qt6-base/qtbase-everywhere-src-6.5.2/src/gui/kernel/qshortcutmap_p.h:37
#8  QShortcutMap::removeShortcut(int, QObject*, QKeySequence const&) (this=this@entry=0x148, id=-65, owner=owner@entry=0x564780011ad0, key=...)
    at /usr/src/debug/qt6-base/qtbase-everywhere-src-6.5.2/src/gui/kernel/qshortcutmap.cpp:149
#9  0x00007f2e81de458f in QQuickShortcut::ungrabShortcut(QQuickShortcut::Shortcut&) (shortcut=..., this=0x564780011ad0)
    at /usr/src/debug/qt6-declarative/qtdeclarative-everywhere-src-6.5.2/src/quick/util/qquickshortcut.cpp:422
#10 QQuickShortcut::ungrabShortcut(QQuickShortcut::Shortcut&) (shortcut=..., this=0x564780011ad0)
    at /usr/src/debug/qt6-declarative/qtdeclarative-everywhere-src-6.5.2/src/quick/util/qquickshortcut.cpp:419
#11 QQuickShortcut::~QQuickShortcut() (this=0x564780011ad0, this=<optimized out>)
    at /usr/src/debug/qt6-declarative/qtdeclarative-everywhere-src-6.5.2/src/quick/util/qquickshortcut.cpp:128
#12 0x00007f2e81dcac38 in QQmlPrivate::QQmlElement<QQuickShortcut>::~QQmlElement() (this=0x564780011ad0, this=<optimized out>)
    at /usr/src/debug/qt6-declarative/qtdeclarative-everywhere-src-6.5.2/src/qml/qml/qqmlprivate.h:99
#13 QQmlPrivate::QQmlElement<QQuickShortcut>::~QQmlElement() (this=0x564780011ad0, this=<optimized out>)
    at /usr/src/debug/qt6-declarative/qtdeclarative-everywhere-src-6.5.2/src/qml/qml/qqmlprivate.h:99
#14 0x00007f2e8057d57b in QObjectPrivate::deleteChildren() (this=this@entry=0x56477f52c660)
    at /usr/src/debug/qt6-base/qtbase-everywhere-src-6.5.2/src/corelib/kernel/qobject.cpp:2174
#15 0x00007f2e80580d68 in QObject::~QObject() (this=<optimized out>, this=<optimized out>)
    at /usr/src/debug/qt6-base/qtbase-everywhere-src-6.5.2/src/corelib/kernel/qobject.cpp:1112
#16 0x00007f2e7f99fece in QQuickButton::~QQuickButton() (this=0x564780083190, this=<optimized out>)
    at /usr/src/debug/qt6-declarative/build/include/QtQuickTemplates2/6.5.2/QtQuickTemplates2/private/../../../../../../qtdeclarative-everywhere-src-6.5.2/src/quicktemplates/qquickbutton_p.h:24
#17 QQuickToolButton::~QQuickToolButton() (this=0x564780083190, this=<optimized out>)
    at /usr/src/debug/qt6-declarative/build/include/QtQuickTemplates2/6.5.2/QtQuickTemplates2/private/../../../../../../qtdeclarative-everywhere-src-6.5.2/src/quicktemplates/qquicktoolbutton_p.h:24
#18 QQmlPrivate::QQmlElement<QQuickToolButton>::~QQmlElement() (this=0x564780083190, this=<optimized out>)
    at /usr/src/debug/qt6-declarative/qtdeclarative-everywhere-src-6.5.2/src/qml/qml/qqmlprivate.h:99
#19 QQmlPrivate::QQmlElement<QQuickToolButton>::~QQmlElement() (this=0x564780083190, this=<optimized out>)
    at /usr/src/debug/qt6-declarative/qtdeclarative-everywhere-src-6.5.2/src/qml/qml/qqmlprivate.h:99
#20 0x00007f2e73f3002c in ToolBarLayoutDelegate::~ToolBarLayoutDelegate() (this=0x56477ff8f6b0, __in_chrg=<optimized out>)
    at /home/ratijas/kde/src6/kirigami/src/toolbarlayoutdelegate.cpp:82
#21 0x00007f2e73f30069 in ToolBarLayoutDelegate::~ToolBarLayoutDelegate() (this=0x56477ff8f6b0, __in_chrg=<optimized out>)
    at /home/ratijas/kde/src6/kirigami/src/toolbarlayoutdelegate.cpp:88
#22 0x00007f2e73f2f7f5 in std::default_delete<ToolBarLayoutDelegate>::operator()(ToolBarLayoutDelegate*) const
    (__ptr=<optimized out>, this=<optimized out>) at /usr/include/c++/13.2.1/bits/unique_ptr.h:93
#23 std::unique_ptr<ToolBarLayoutDelegate, std::default_delete<ToolBarLayoutDelegate> >::~unique_ptr() (this=0x564780020540, __in_chrg=<optimized out>)
    at /usr/include/c++/13.2.1/bits/unique_ptr.h:404
#24 std::pair<QObject* const, std::unique_ptr<ToolBarLayoutDelegate, std::default_delete<ToolBarLayoutDelegate> > >::~pair()
    (this=0x564780020538, __in_chrg=<optimized out>) at /usr/include/c++/13.2.1/bits/stl_pair.h:187
#25 std::__new_allocator<std::__detail::_Hash_node<std::pair<QObject* const, std::unique_ptr<ToolBarLayoutDelegate, std::default_delete<ToolBarLayoutDelegate> > >, false> >::destroy<std::pair<QObject* const, std::unique_ptr<ToolBarLayoutDelegate, std::default_delete<ToolBarLayoutDelegate> > > >(std::pair<QObject* const, std::unique_ptr<ToolBarLayoutDelegate, std::default_delete<ToolBarLayoutDelegate> > >*) (__p=0x564780020538, this=<optimized out>)
    at /usr/include/c++/13.2.1/bits/new_allocator.h:194
#26 std::allocator_traits<std::allocator<std::__detail::_Hash_node<std::pair<QObject* const, std::unique_ptr<ToolBarLayoutDelegate, std::default_delete<ToolBarLayoutDelegate> > >, false> > >::destroy<std::pair<QObject* const, std::unique_ptr<ToolBarLayoutDelegate, std::default_delete<ToolBarLayoutDelegate> > > >(std::allocator<std::__detail::_Hash_node<std::pair<QObject* const, std::unique_ptr<ToolBarLayoutDelegate, std::default_delete<ToolBarLayoutDelegate> > >, false> >&, std::pair<QObject* const, std::unique_ptr<ToolBarLayoutDelegate, std::default_delete<ToolBarLayoutDelegate> > >*)
    (__p=0x564780020538, __a=<optimized out>) at /usr/include/c++/13.2.1/bits/alloc_traits.h:557
#27 std::__detail::_Hashtable_alloc<std::allocator<std::__detail::_Hash_node<std::pair<QObject* const, std::unique_ptr<ToolBarLayoutDelegate, std::default_delete<ToolBarLayoutDelegate> > >, false> > >::_M_deallocate_node(std::__detail::_Hash_node<std::pair<QObject* const, std::unique_ptr<ToolBarLayoutDelegate, std::default_delete<ToolBarLayoutDelegate> > >, false>*) (this=<optimized out>, __n=0x564780020530)
    at /usr/include/c++/13.2.1/bits/hashtable_policy.h:2020
#28 std::__detail::_Hashtable_alloc<std::allocator<std::__detail::_Hash_node<std::pair<QObject* const, std::unique_ptr<ToolBarLayoutDelegate, std::default_delete<ToolBarLayoutDelegate> > >, false> > >::_M_deallocate_nodes(std::__detail::_Hash_node<std::pair<QObject* const, std::unique_ptr<ToolBarLayoutDelegate, std::default_delete<ToolBarLayoutDelegate> > >, false>*) (__n=0x5647800028d0, this=0x56477f3c8030)
    at /usr/include/c++/13.2.1/bits/hashtable_policy.h:2042
#29 std::_Hashtable<QObject*, std::pair<QObject* const, std::unique_ptr<ToolBarLayoutDelegate, std::default_delete<ToolBarLayoutDelegate> > >, std::allocator<std::pair<QObject* const, std::unique_ptr<ToolBarLayoutDelegate, std::default_delete<ToolBarLayoutDelegate> > > >, std::__detail::_Select1st, std::equal_to<QObject*>, std::hash<QObject*>, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<false, false, true> >::clear() (this=this@entry=0x56477f3c8030) at /usr/include/c++/13.2.1/bits/hashtable.h:2509
#30 0x00007f2e73f2bcd2 in std::_Hashtable<QObject*, std::pair<QObject* const, std::unique_ptr<ToolBarLayoutDelegate, std::default_delete<ToolBarLayoutDelegate> > >, std::allocator<std::pair<QObject* const, std::unique_ptr<ToolBarLayoutDelegate, std::default_delete<ToolBarLayoutDelegate> > > >, std::__detail::_Select1st, std::equal_to<QObject*>, std::hash<QObject*>, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<false, false, true> >::~_Hashtable() (this=0x56477f3c8030, __in_chrg=<optimized out>)
    at /usr/include/c++/13.2.1/bits/hashtable.h:1593
#31 std::unordered_map<QObject*, std::unique_ptr<ToolBarLayoutDelegate, std::default_delete<ToolBarLayoutDelegate> >, std::hash<QObject*>, std::equal_to<QObject*>, std::allocator<std::pair<QObject* const, std::unique_ptr<ToolBarLayoutDelegate, std::default_delete<ToolBarLayoutDelegate> > > > >::~unordered_map() (this=0x56477f3c8030, __in_chrg=<optimized out>) at /usr/include/c++/13.2.1/bits/unordered_map.h:109
#32 ToolBarLayout::Private::~Private() (this=0x56477f3c7f70, __in_chrg=<optimized out>) at /home/ratijas/kde/src6/kirigami/src/toolbarlayout.cpp:35
#33 std::default_delete<ToolBarLayout::Private>::operator()(ToolBarLayout::Private*) const (this=<optimized out>, __ptr=0x56477f3c7f70)
    at /usr/include/c++/13.2.1/bits/unique_ptr.h:99
#34 std::default_delete<ToolBarLayout::Private>::operator()(ToolBarLayout::Private*) const (__ptr=0x56477f3c7f70, this=<optimized out>)
    at /usr/include/c++/13.2.1/bits/unique_ptr.h:93
#35 std::unique_ptr<ToolBarLayout::Private, std::default_delete<ToolBarLayout::Private> >::~unique_ptr()
    (this=0x56477f7170c0, __in_chrg=<optimized out>) at /usr/include/c++/13.2.1/bits/unique_ptr.h:404
#36 ToolBarLayout::~ToolBarLayout() (this=this@entry=0x56477f7170a0, __in_chrg=<optimized out>)
    at /home/ratijas/kde/src6/kirigami/src/toolbarlayout.cpp:111
#37 0x00007f2e73f111b5 in QQmlPrivate::QQmlElement<ToolBarLayout>::~QQmlElement() (this=0x56477f7170a0, __in_chrg=<optimized out>)
    at /usr/include/qt6/QtQml/qqmlprivate.h:99
#38 QQmlPrivate::QQmlElement<ToolBarLayout>::~QQmlElement() (this=0x56477f7170a0, __in_chrg=<optimized out>) at /usr/include/qt6/QtQml/qqmlprivate.h:99
#39 0x00007f2e8057d57b in QObjectPrivate::deleteChildren() (this=this@entry=0x56477f6042c0)
    at /usr/src/debug/qt6-base/qtbase-everywhere-src-6.5.2/src/corelib/kernel/qobject.cpp:2174
#40 0x00007f2e80580d68 in QObject::~QObject() (this=<optimized out>, this=<optimized out>)
    at /usr/src/debug/qt6-base/qtbase-everywhere-src-6.5.2/src/corelib/kernel/qobject.cpp:1112
#41 0x00007f2e7f9a5aca in QQmlPrivate::QQmlElement<QQuickControl>::~QQmlElement() (this=0x56477fc537e0, this=<optimized out>)
    at /usr/src/debug/qt6-declarative/qtdeclarative-everywhere-src-6.5.2/src/qml/qml/qqmlprivate.h:99
#42 QQmlPrivate::QQmlElement<QQuickControl>::~QQmlElement() (this=0x56477fc537e0, this=<optimized out>)
    at /usr/src/debug/qt6-declarative/qtdeclarative-everywhere-src-6.5.2/src/qml/qml/qqmlprivate.h:99
#43 0x00007f2e8057d57b in QObjectPrivate::deleteChildren() (this=this@entry=0x56477f712220)
    at /usr/src/debug/qt6-base/qtbase-everywhere-src-6.5.2/src/corelib/kernel/qobject.cpp:2174
#44 0x00007f2e80580d68 in QObject::~QObject() (this=<optimized out>, this=<optimized out>)
    at /usr/src/debug/qt6-base/qtbase-everywhere-src-6.5.2/src/corelib/kernel/qobject.cpp:1112
#45 0x00007f2e7f9a0b4e in QQuickItemDelegate::~QQuickItemDelegate() (this=0x56477f489960, this=<optimized out>)
    at /usr/src/debug/qt6-declarative/build/include/QtQuickTemplates2/6.5.2/QtQuickTemplates2/private/../../../../../../qtdeclarative-everywhere-src-6.5.2/src/quicktemplates/qquickitemdelegate_p.h:24
#46 QQmlPrivate::QQmlElement<QQuickItemDelegate>::~QQmlElement() (this=0x56477f489960, this=<optimized out>)
    at /usr/src/debug/qt6-declarative/qtdeclarative-everywhere-src-6.5.2/src/qml/qml/qqmlprivate.h:99
#47 QQmlPrivate::QQmlElement<QQuickItemDelegate>::~QQmlElement() (this=0x56477f489960, this=<optimized out>)
    at /usr/src/debug/qt6-declarative/qtdeclarative-everywhere-src-6.5.2/src/qml/qml/qqmlprivate.h:99
#48 0x00007f2e73ef1a17 in qDeleteAll<QList<QQuickItem*>::const_iterator>(QList<QQuickItem*>::const_iterator, QList<QQuickItem*>::const_iterator)
    (end=..., begin=...) at /usr/include/qt6/QtCore/qalgorithms.h:27
#49 qDeleteAll<QList<QQuickItem*> >(QList<QQuickItem*> const&) (c=<optimized out>) at /usr/include/qt6/QtCore/qalgorithms.h:35
#50 DelegateCache::~DelegateCache()
    (this=0x7f2e73f6e9d0 <QGlobalStatic<QtGlobalStatic::Holder<(anonymous namespace)::Q_QGS_s_delegateCache> >::instance()::holder>, __in_chrg=<optimized out>) at /home/ratijas/kde/src6/kirigami/src/delegaterecycler.cpp:63
#51 0x00007f2e73ef1c79 in QtGlobalStatic::Holder<(anonymous namespace)::Q_QGS_s_delegateCache>::~Holder()
    (this=<optimized out>, __in_chrg=<optimized out>) at /usr/include/qt6/QtCore/qglobalstatic.h:43
#52 0x00007f2e7fc40cc6 in __run_exit_handlers
    (status=0, listp=0x7f2e7fe3e680 <__exit_funcs>, run_list_atexit=run_list_atexit@entry=true, run_dtors=run_dtors@entry=true) at exit.c:111
#53 0x00007f2e7fc40e10 in __GI_exit (status=<optimized out>) at exit.c:141
#54 0x00007f2e7fc27cd7 in __libc_start_call_main
    (main=main@entry=0x56477d6cd430 <main(int, char**)>, argc=argc@entry=1, argv=argv@entry=0x7ffc047e0518)
    at ../sysdeps/nptl/libc_start_call_main.h:74
#55 0x00007f2e7fc27d8a in __libc_start_main_impl
    (main=0x56477d6cd430 <main(int, char**)>, argc=1, argv=0x7ffc047e0518, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffc047e0508) at ../csu/libc-start.c:360
#56 0x000056477d6cd995 in _start ()

STEPS TO REPRODUCE
1. Open Kirigami Gallery
2. Open «Grid view of Cards» page
3. Scroll down until it starts printing lots errors like this:

qrc:/contents/ui/gallery/CardsGridViewGallery.qml:75: TypeError: Cannot read property 'title' of null
qrc:/contents/ui/gallery/CardsGridViewGallery.qml:76: TypeError: Cannot read property 'image' of null
qrc:/contents/ui/gallery/CardsGridViewGallery.qml:90: TypeError: Cannot read property 'actions' of null
qrc:/contents/ui/gallery/CardsGridViewGallery.qml:89: TypeError: Cannot read property 'actions' of null
qrc:/contents/ui/gallery/CardsGridViewGallery.qml:85: TypeError: Cannot read property 'actions' of null
qrc:/contents/ui/gallery/CardsGridViewGallery.qml:84: TypeError: Cannot read property 'actions' of null
qrc:/contents/ui/gallery/CardsGridViewGallery.qml:80: TypeError: Cannot read property 'text' of null

In my observations, only few errors are not sufficient. You have to scroll really far away from the top. Aim straight for the bottom of the page.
4. Quit the app.

OBSERVED RESULT

Crashes during destruction of ToolBarLayoutDelegate, deep in QQuickButton and QQuickShortcut::ungrabShortcut.

EXPECTED RESULT

Should not crash.

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: git/master
Qt Version: 6.5.2

ADDITIONAL INFORMATION
Not sure if this is upstream Qt bug or ours. Destructor ~ToolBarLayoutDelegate deletes owned items with a plain C++ `delete` keyword. But even though they are directly owned, I'm not sure it is very well supported, unlike deleteLater().

However, on a closer look, this is not a regular destructor crash. This is coming from ~DelegateCache() during __run_exit_handlers! So that makes me think DelegateCache is buggy.

Comment 1 ratijas 2023-08-21 19:30:02 UTC

Seems like it affects both KF5 (Qt 5.15) and KF6 (Qt 6.5) versions of Kirigami. Stacktrace is quite similar, almost identical.

Comment 2 ratijas 2023-08-21 21:41:15 UTC

The offending page is managed by PagePool and PagePoolAction. If I manually clear() the PagePool before quitting app, it won't crash. It all comes down to the PagePool presumably not doing proper clean-up on it own destruction. DelegateRecycler stores its component and instantiated items in a DelegateCache, but the cache is supposed to be empty on exit, because every delegate creation (ref) should be balanced by a destruction (deref). Cleaning up items after shutdown (during __run_exit_handlers) is a very questionable activity, as destructors (like in case of QQuickButton) might try to access null qApp resources.

However, why do those item delegates not get destroyed along with their associated QQmlEngine?  Because they have C++ ownership, they do not have any parent QObject, and nothing connects them with their engine's lifecycle.

Comment 3 ratijas 2023-08-22 13:00:31 UTC

Proposed upstream fix for some types that don't particularly like the idea of running their destructors after main():

https://codereview.qt-project.org/c/qt/qtdeclarative/+/498195

Comment 4 ratijas 2023-10-13 18:15:47 UTC

DelegateRecycler was removed in https://invent.kde.org/frameworks/kirigami/-/commit/fab45ed502108a46277223e266920b7de6fef8e5