475083 – System Settings crashes when I close the settings of an effect

Bug 475083 - System Settings crashes when I close the settings of an effect

Summary: System Settings crashes when I close the settings of an effect

Status:	RESOLVED FIXED

Alias:	None

Product:	systemsettings
Classification:	Applications
Component:	generic-crash (other bugs)
Version First Reported In:	master
Platform:	Neon Linux

Importance:	NOR crash
Target Milestone:	---
Assignee:	Plasma Bugs List

URL:
Keywords:	qt6

Depends on:
Blocks:

Reported:	2023-10-01 10:57 UTC by Patrick Silva
Modified:	2023-10-24 20:48 UTC (History)
CC List:	2 users (show)

See Also:
Latest Commit:	https://invent.kde.org/plasma/kwin/-/commit/cb4e97206531934cfb3ad891020bdb1a8c8b6294
Version Fixed In:
Sentry Crash Report:

Attachments
backtrace (86.22 KB, text/vnd.kde.kcrash-report) 2023-10-01 10:57 UTC, Patrick Silva	Details
View All Add an attachment

Note You need to log in before you can comment on or make changes to this bug.

Description Patrick Silva 2023-10-01 10:57:36 UTC

Created attachment 161991 [details]
backtrace

Application: systemsettings (5.27.80)

Qt Version: 6.6.0
Frameworks Version: 5.240.0
Operating System: Linux 6.5.1-060501-generic x86_64
Windowing System: Wayland
Distribution: KDE neon Unstable Edition
DrKonqi: 5.27.80 [CoredumpBackend]

-- Information about the crash:
open Desktop Effects KCM, click on the button used to configure an effect, close the effect settings by clicking on "Ok" or "Cancel" button. System Settings crashes.

The crash can be reproduced every time.

Comment 1 Nicolas Fella 2023-10-01 12:33:32 UTC

It has to be an effect with shortcuts to configure

Comment 2 Nicolas Fella 2023-10-01 12:33:56 UTC

#6  0x00007fb9d5f68a9c in QMetaObject::cast(QObject const*) const (this=0x7fb9d8163ce0 <QTreeModel::staticMetaObject>, obj=0x56465e89f050) at ./src/corelib/kernel/qmetaobject.cpp:395
#7  0x00007fb9d7f02519 in QMetaObject::cast(QObject*) const (obj=<optimized out>, this=<optimized out>) at ./src/corelib/kernel/qobjectdefs.h:233
#8  qobject_cast<QTreeModel*>(QObject*) (object=<optimized out>) at ./src/corelib/kernel/qobject.h:388
#9  QTreeWidgetItemIterator::QTreeWidgetItemIterator(QTreeWidget*, QFlags<QTreeWidgetItemIterator::IteratorFlag>) (this=0x7ffc4aa44df0, widget=<optimized out>, flags=...) at ./src/widgets/itemviews/qtreewidgetitemiterator.cpp:60
#10 0x00007fb9d89fd121 in KShortcutsEditor::undo() () at /lib/x86_64-linux-gnu/libKF6XmlGui.so.6
#11 0x00007fb9a4346acb in KWin::OverviewEffectConfig::~OverviewEffectConfig() (this=0x56466156dd10, this=<optimized out>) at ./src/plugins/overview/kcm/overvieweffectkcm.cpp:74
#12 KWin::OverviewEffectConfig::~OverviewEffectConfig() (this=0x56466156dd10, this=<optimized out>) at ./src/plugins/overview/kcm/overvieweffectkcm.cpp:75
#13 0x00007fb9d5fabf65 in QObjectPrivate::deleteChildren() (this=this@entry=0x5646609e7250) at ./src/corelib/kernel/qobject.cpp:2206
#14 0x00007fb9d7bdd4c8 in QWidget::~QWidget() (this=0x56465fb80370, __in_chrg=<optimized out>) at ./src/widgets/kernel/qwidget.cpp:1537
#15 0x00007fb9d7961421 in  () at /lib/x86_64-linux-gnu/libKF6KCMUtils.so.6
#16 0x00007fb9d5fabf65 in QObjectPrivate::deleteChildren() (this=this@entry=0x5646610107a0) at ./src/corelib/kernel/qobject.cpp:2206
#17 0x00007fb9d7bdd4c8 in QWidget::~QWidget() (this=0x564660c7f8c0, __in_chrg=<optimized out>) at ./src/widgets/kernel/qwidget.cpp:1537
#18 0x00007fb9d84ebf81 in  () at /lib/x86_64-linux-gnu/libKF6WidgetsAddons.so.6
#19 0x00007fb9d5fabf65 in QObjectPrivate::deleteChildren() (this=this@entry=0x56466140c250) at ./src/corelib/kernel/qobject.cpp:2206
#20 0x00007fb9d7bdd4c8 in QWidget::~QWidget() (this=0x56465fa5e530, __in_chrg=<optimized out>) at ./src/widgets/kernel/qwidget.cpp:1537
#21 0x00007fb9d84ec39d in KPageWidget::~KPageWidget() () at /lib/x86_64-linux-gnu/libKF6WidgetsAddons.so.6
#22 0x00007fb9d5fabf65 in QObjectPrivate::deleteChildren() (this=this@entry=0x56465eca9360) at ./src/corelib/kernel/qobject.cpp:2206
#23 0x00007fb9d7bdd4c8 in QWidget::~QWidget() (this=0x5646606fe140, __in_chrg=<optimized out>) at ./src/widgets/kernel/qwidget.cpp:1537
#24 0x00007fb9d79625dd in KCMultiDialog::~KCMultiDialog() () at /lib/x86_64-linux-gnu/libKF6KCMUtils.so.6
#25 0x00007fb9d5fa7bb1 in QObject::event(QEvent*) (this=0x5646606fe140, e=0x56465eb7cec0) at ./src/corelib/kernel/qobject.cpp:1424
#26 0x00007fb9d7b89576 in QApplicationPrivate::notify_helper(QObject*, QEvent*) (this=<optimized out>, receiver=0x5646606fe140, e=0x56465eb7cec0) at ./src/widgets/kernel/qapplication.cpp:3287
#27 0x00007fb9d5f5a3d8 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (receiver=0x5646606fe140, event=0x56465eb7cec0) at ./src/corelib/kernel/qcoreapplication.cpp:1118
#28 0x00007fb9d5f5e408 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (receiver=0x0, event_type=0, data=0x56465e81a730) at ./src/corelib/kernel/qcoreapplication.cpp:1898
#29 0x00007fb9d61b67b7 in postEventSourceDispatch(GSource*, GSourceFunc, gpointer) (s=0x56465e81fd50) at ./src/corelib/kernel/qeventdispatcher_glib.cpp:243
#30 0x00007fb9d4fb3d3b in g_main_dispatch (context=0x7fb9cc005040) at ../../../glib/gmain.c:3419
#31 g_main_context_dispatch (context=0x7fb9cc005040) at ../../../glib/gmain.c:4137
#32 0x00007fb9d5009258 in g_main_context_iterate.constprop.0 (context=context@entry=0x7fb9cc005040, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../../../glib/gmain.c:4213
#33 0x00007fb9d4fb13e3 in g_main_context_iteration (context=0x7fb9cc005040, may_block=1) at ../../../glib/gmain.c:4278
#34 0x00007fb9d61b601e in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (this=0x56465e81d270, flags=...) at ./src/corelib/kernel/qeventdispatcher_glib.cpp:393
#35 0x00007fb9d5f67053 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (this=this@entry=0x7ffc4aa45510, flags=..., flags@entry=...) at ./src/corelib/global/qflags.h:34
#36 0x00007fb9d5f62f86 in QCoreApplication::exec() () at ./src/corelib/global/qflags.h:74
#37 0x00007fb9d65aa4f0 in QGuiApplication::exec() () at ./src/gui/kernel/qguiapplication.cpp:1909
#38 0x00007fb9d7b894e9 in QApplication::exec() () at ./src/widgets/kernel/qapplication.cpp:2566
#39 0x000056465dbacba9 in main(int, char**) (argc=<optimized out>, argv=<optimized out>) at ./app/main.cpp:179

Comment 3 Nicolas Fella 2023-10-01 12:51:51 UTC

Application: System Settings (systemsettings), signal: Segmentation fault
Content of s_kcrashErrorMessage: std::unique_ptr<char []> = {get() = 0x0}
[KCrash Handler]
#5  0x0000000002000000 in  ()
#6  0x00007feb0a167239 in QMetaObject::cast(QObject const*) const (this=0x7feb0cb0e300 <QTreeModel::staticMetaObject>, obj=0x5665920) at /home/nico/workspace/qt6/qtbase/src/corelib/kernel/qmetaobject.cpp:395
#7  0x00007feb0c8b762c in QMetaObject::cast(QObject*) const (obj=<optimized out>, this=<optimized out>) at /home/nico/workspace/qt6/qtbase/src/corelib/kernel/qobjectdefs.h:233
#8  qobject_cast<QTreeModel*>(QObject*) (object=<optimized out>) at /home/nico/workspace/qt6/qtbase/src/corelib/kernel/qobject.h:388
#9  QTreeWidgetItemIterator::QTreeWidgetItemIterator(QTreeWidget*, QFlags<QTreeWidgetItemIterator::IteratorFlag>) (this=0x7ffd8dd0e970, widget=<optimized out>, flags=...) at /home/nico/workspace/qt6/qtbase/src/widgets/itemviews/qtreewidgetitemiterator.cpp:60
#10 0x00007feb0d4b89cd in KShortcutsEditor::undo() (this=<optimized out>) at /home/nico/kde/src/kxmlgui/src/kshortcutseditor.cpp:227
#11 0x00007feabe74ccae in KWin::ZoomEffectConfig::~ZoomEffectConfig() (this=0x4a337f0, __in_chrg=<optimized out>) at /home/nico/kde/src/kwin/src/plugins/zoom/zoom_config.cpp:126
#12 KWin::ZoomEffectConfig::~ZoomEffectConfig() (this=0x4a337f0, __in_chrg=<optimized out>) at /home/nico/kde/src/kwin/src/plugins/zoom/zoom_config.cpp:127
#13 0x00007feb0a1ae815 in QObjectPrivate::deleteChildren() (this=this@entry=0x2ff7370) at /home/nico/workspace/qt6/qtbase/src/corelib/kernel/qobject.cpp:2206
#14 0x00007feb0c5ceef8 in QWidget::~QWidget() (this=this@entry=0x261abc0, __in_chrg=<optimized out>) at /home/nico/workspace/qt6/qtbase/src/widgets/kernel/qwidget.cpp:1537
#15 0x00007feb0c66358d in QFrame::~QFrame() (this=this@entry=0x261abc0, __in_chrg=<optimized out>) at /home/nico/workspace/qt6/qtbase/src/widgets/widgets/qframe.cpp:229
#16 0x00007feb0c65f2c6 in QAbstractScrollArea::~QAbstractScrollArea() (this=this@entry=0x261abc0, __in_chrg=<optimized out>) at /home/nico/workspace/qt6/qtbase/src/widgets/widgets/qabstractscrollarea.cpp:478
#17 0x00007feb0c7538cd in QScrollArea::~QScrollArea() (this=this@entry=0x261abc0, __in_chrg=<optimized out>) at /home/nico/workspace/qt6/qtbase/src/widgets/widgets/qscrollarea.cpp:133
#18 0x00007feb0d6665ad in UnboundScrollArea::~UnboundScrollArea() (this=0x261abc0, __in_chrg=<optimized out>) at /home/nico/kde/src/kcmutils/src/kcmultidialog.h:158
#19 UnboundScrollArea::~UnboundScrollArea() (this=0x261abc0, __in_chrg=<optimized out>) at /home/nico/kde/src/kcmutils/src/kcmultidialog.h:158
#20 0x00007feb0a1ae815 in QObjectPrivate::deleteChildren() (this=this@entry=0x22d16c0) at /home/nico/workspace/qt6/qtbase/src/corelib/kernel/qobject.cpp:2206
#21 0x00007feb0c5ceef8 in QWidget::~QWidget() (this=this@entry=0x6768670, __in_chrg=<optimized out>) at /home/nico/workspace/qt6/qtbase/src/widgets/kernel/qwidget.cpp:1537
#22 0x00007feb0c66358d in QFrame::~QFrame() (this=this@entry=0x6768670, __in_chrg=<optimized out>) at /home/nico/workspace/qt6/qtbase/src/widgets/widgets/qframe.cpp:229
#23 0x00007feb0c76988d in QStackedWidget::~QStackedWidget() (this=this@entry=0x6768670, __in_chrg=<optimized out>) at /home/nico/workspace/qt6/qtbase/src/widgets/widgets/qstackedwidget.cpp:110
#24 0x00007feb0cdff06d in KPageStackedWidget::~KPageStackedWidget() (this=0x6768670, __in_chrg=<optimized out>) at /home/nico/kde/src/kwidgetsaddons/src/kpageview_p.h:25
#25 KPageStackedWidget::~KPageStackedWidget() (this=0x6768670, __in_chrg=<optimized out>) at /home/nico/kde/src/kwidgetsaddons/src/kpageview_p.h:25
#26 0x00007feb0a1ae815 in QObjectPrivate::deleteChildren() (this=this@entry=0x260a8b0) at /home/nico/workspace/qt6/qtbase/src/corelib/kernel/qobject.cpp:2206
#27 0x00007feb0c5ceef8 in QWidget::~QWidget() (this=0x1eb5e50, __in_chrg=<optimized out>) at /home/nico/workspace/qt6/qtbase/src/widgets/kernel/qwidget.cpp:1537
#28 0x00007feb0ce00d79 in KPageWidget::~KPageWidget() (this=0x1eb5e50, __in_chrg=<optimized out>) at /home/nico/kde/src/kwidgetsaddons/src/kpagewidget.cpp:58
#29 0x00007feb0a1ae815 in QObjectPrivate::deleteChildren() (this=this@entry=0x4a15e00) at /home/nico/workspace/qt6/qtbase/src/corelib/kernel/qobject.cpp:2206
#30 0x00007feb0c5ceef8 in QWidget::~QWidget() (this=0x1eb5fb0, __in_chrg=<optimized out>) at /home/nico/workspace/qt6/qtbase/src/widgets/kernel/qwidget.cpp:1537
#31 0x00007feb0d663e09 in KCMultiDialog::~KCMultiDialog() (this=0x1eb5fb0, __in_chrg=<optimized out>) at /home/nico/kde/src/kcmutils/src/kcmultidialog.cpp:240
#32 0x00007feb0a1a6718 in QObject::event(QEvent*) (this=0x1eb5fb0, e=0x6851720) at /home/nico/workspace/qt6/qtbase/src/corelib/kernel/qobject.cpp:1424
#33 0x00007feb0c57f971 in QApplicationPrivate::notify_helper(QObject*, QEvent*) (this=<optimized out>, receiver=0x1eb5fb0, e=0x6851720) at /home/nico/workspace/qt6/qtbase/src/widgets/kernel/qapplication.cpp:3295
#34 0x00007feb0a159b08 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (receiver=0x1eb5fb0, event=0x6851720) at /home/nico/workspace/qt6/qtbase/src/corelib/kernel/qcoreapplication.cpp:1119
#35 0x00007feb0a159c89 in QCoreApplication::sendEvent(QObject*, QEvent*) (receiver=<optimized out>, event=<optimized out>) at /home/nico/workspace/qt6/qtbase/src/corelib/kernel/qcoreapplication.cpp:1537
#36 0x00007feb0a15d3a7 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (receiver=0x0, event_type=0, data=0x9e59a0) at /home/nico/workspace/qt6/qtbase/src/corelib/kernel/qcoreapplication.cpp:1899
#37 0x00007feb0a15d6b8 in QCoreApplication::sendPostedEvents(QObject*, int) (receiver=<optimized out>, event_type=<optimized out>) at /home/nico/workspace/qt6/qtbase/src/corelib/kernel/qcoreapplication.cpp:1758
#38 0x00007feb0a3f87b3 in postEventSourceDispatch(GSource*, GSourceFunc, gpointer) (s=0xa49fb0) at /home/nico/workspace/qt6/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:243
#39 0x00007feb0957e4fc in g_main_context_dispatch () at /lib64/libglib-2.0.so.0
#40 0x00007feb095dc6b8 in g_main_context_iterate.isra () at /lib64/libglib-2.0.so.0
#41 0x00007feb0957bb83 in g_main_context_iteration () at /lib64/libglib-2.0.so.0
#42 0x00007feb0a3f81ec in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (this=0x9e9440, flags=...) at /home/nico/workspace/qt6/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:393
#43 0x00007feb0a1656bb in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (this=this@entry=0x7ffd8dd0f090, flags=..., flags@entry=...) at /home/nico/workspace/qt6/qtbase/src/corelib/global/qflags.h:34
#44 0x00007feb0a1620c2 in QCoreApplication::exec() () at /home/nico/workspace/qt6/qtbase/src/corelib/global/qflags.h:74
#45 0x00007feb0abb049c in QGuiApplication::exec() () at /home/nico/workspace/qt6/qtbase/src/gui/kernel/qguiapplication.cpp:1925
#46 0x00007feb0c57f8e5 in QApplication::exec() () at /home/nico/workspace/qt6/qtbase/src/widgets/kernel/qapplication.cpp:2574
#47 0x0000000000412992 in main(int, char**) (argc=<optimized out>, argv=<optimized out>) at /home/nico/kde/src/systemsettings/app/main.cpp:179
[Inferior 1 (process 3850) detached]

Comment 4 Nicolas Fella 2023-10-01 13:14:07 UTC

The cause is rather obvious. We call KShortcutsEditor::undo() on a deleted KShortcutsEditor. Not sure how it ever worked. 

https://invent.kde.org/frameworks/kxmlgui/-/blob/master/src/kshortcutseditor.cpp#L224 suggests it has been a problem before

Comment 5 Bug Janitor Service 2023-10-21 00:22:15 UTC

A possibly relevant merge request was started @ https://invent.kde.org/frameworks/kxmlgui/-/merge_requests/200

Comment 6 Bug Janitor Service 2023-10-21 00:24:55 UTC

A possibly relevant merge request was started @ https://invent.kde.org/plasma/kwin/-/merge_requests/4548

Comment 7 Christoph Cullmann 2023-10-24 19:34:16 UTC

Git commit b7365dfc6e7418b4214d671b27c0f8a67bc07021 by Christoph Cullmann, on behalf of Nicolas Fella.
Committed on 24/10/2023 at 21:26.
Pushed by cullmann into branch 'master'.

[kshortcuteditor] Undo pending changes on destruction

Currently one has to manually call undo() to discard pending changes when being done with the widget.

This is error-prone because it's easy to forget or cause use-after-free issues when calling undo() on an already deleted editor.

Instead automatically undo() on destruction
Related: bug 475097, bug 475095

M  +5    -1    src/kshortcutseditor.cpp

https://invent.kde.org/frameworks/kxmlgui/-/commit/b7365dfc6e7418b4214d671b27c0f8a67bc07021

Comment 8 Vlad Zahorodnii 2023-10-24 20:48:32 UTC

Git commit cb4e97206531934cfb3ad891020bdb1a8c8b6294 by Vlad Zahorodnii, on behalf of Nicolas Fella.
Committed on 24/10/2023 at 22:48.
Pushed by vladz into branch 'master'.

Don't manually undo pending shortcut changes

This causes user-after-free because the KShortcutsEditor is already destroyed

undo happends automatically when the editor is destroyed

M  +0    -6    src/plugins/invert/invert_config.cpp
M  +0    -1    src/plugins/invert/invert_config.h
M  +0    -6    src/plugins/magnifier/magnifier_config.cpp
M  +0    -1    src/plugins/magnifier/magnifier_config.h
M  +0    -6    src/plugins/mouseclick/mouseclick_config.cpp
M  +0    -1    src/plugins/mouseclick/mouseclick_config.h
M  +0    -6    src/plugins/mousemark/mousemark_config.cpp
M  +0    -1    src/plugins/mousemark/mousemark_config.h
M  +0    -6    src/plugins/overview/kcm/overvieweffectkcm.cpp
M  +0    -1    src/plugins/overview/kcm/overvieweffectkcm.h
M  +0    -6    src/plugins/showpaint/showpaint_config.cpp
M  +0    -1    src/plugins/showpaint/showpaint_config.h
M  +0    -6    src/plugins/thumbnailaside/thumbnailaside_config.cpp
M  +0    -1    src/plugins/thumbnailaside/thumbnailaside_config.h
M  +0    -6    src/plugins/tileseditor/kcm/tileseditoreffectkcm.cpp
M  +0    -1    src/plugins/tileseditor/kcm/tileseditoreffectkcm.h
M  +0    -6    src/plugins/windowview/kcm/windowvieweffectkcm.cpp
M  +0    -1    src/plugins/windowview/kcm/windowvieweffectkcm.h
M  +0    -6    src/plugins/zoom/zoom_config.cpp
M  +0    -1    src/plugins/zoom/zoom_config.h

https://invent.kde.org/plasma/kwin/-/commit/cb4e97206531934cfb3ad891020bdb1a8c8b6294