Bug 476847 - plasmashell crashes in PlasmaQuick::ContainmentView::containment() after waking up laptop from standby
Status: RESOLVED FIXED
Alias: None
Product: plasmashell
Classification: Plasma
Component: Containment
Version: master
Platform: Other Linux
Importance: NOR crash
Target Milestone: 1.0
Assignee: Plasma Bugs List
URL: https://bugreports.qt.io/browse/QTBUG...
Keywords: qt6
Duplicates: 477204 478071 478114 479123
Depends on:
Blocks:
 
Reported: 2023-11-11 17:19 UTC by Nicolas Fella
Modified: 2024-09-26 20:06 UTC

See Also:
Latest Commit:
Version Fixed In: 6.0
Sentry Crash Report:


Attachments
New crash information added by DrKonqi (227.35 KB, text/plain)
2023-12-01 19:23 UTC, sebastianrampe
Description Nicolas Fella 2023-11-11 17:19:15 UTC
STEPS TO REPRODUCE
1. Open laptop lid after laptop was in standby

#0  __GI___pthread_sigmask (how=1, newmask=<optimized out>, oldmask=0x0) at pthread_sigmask.c:43
#1  0x00007f609ee5cb7d in __GI___sigprocmask (how=<optimized out>, set=<optimized out>, oset=<optimized out>) at ../sysdeps/unix/sysv/linux/sigprocmask.c:25
#2  0x00007f60a267cd08 in KCrash::setCrashHandler(void (*)(int)) (handler=handler@entry=0x0) at /home/nico/kde/src/kcrash/src/kcrash.cpp:407
#3  0x00007f60a267d824 in KCrash::defaultCrashHandler(int) (sig=11) at /home/nico/kde/src/kcrash/src/kcrash.cpp:611
#4  0x00007f609ee5c9a0 in <signal handler called> () at /lib64/libc.so.6
#5  std::__atomic_base<int>::load(std::memory_order) const (__m=std::memory_order::relaxed, this=0x2e65646b2e677273) at /usr/include/c++/13/bits/atomic_base.h:503
#6  QAtomicOps<int>::loadRelaxed<int>(std::atomic<int> const&) (_q_value=<error reading variable: Cannot access memory at address 0x2e65646b2e677273>)
    at /home/nico/kde/usr/include/QtCore/qatomic_cxx11.h:201
#7  QBasicAtomicInteger<int>::loadRelaxed() const (this=0x2e65646b2e677273) at /home/nico/kde/usr/include/QtCore/qbasicatomic.h:38
#8  QWeakPointer<QObject>::internalData() const (this=0x213e480) at /home/nico/kde/usr/include/QtCore/qsharedpointer_impl.h:704
#9  QPointer<Plasma::Containment>::data() const (this=0x213e480) at /home/nico/kde/usr/include/QtCore/qpointer.h:71
#10 QPointer<Plasma::Containment>::operator Plasma::Containment*() const (this=0x213e480) at /home/nico/kde/usr/include/QtCore/qpointer.h:79
#11 PlasmaQuick::ContainmentView::containment() const (this=0x1f2e7c0) at /home/nico/kde/src/plasma-framework/src/plasmaquick/containmentview.cpp:239
#12 0x000000000045b2b6 in operator() (__closure=0x3364c40) at /home/nico/kde/src/plasma-workspace/shell/shellcorona.cpp:1474
#13 QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, ShellCorona::createWaitingPanels()::<lambda()> >::call (arg=<optimized out>, f=...)
    at /home/nico/kde/usr/include/QtCore/qobjectdefs_impl.h:137
#14 QtPrivate::Functor<ShellCorona::createWaitingPanels()::<lambda()>, 0>::call<QtPrivate::List<>, void> (arg=<optimized out>, f=...)
    at /home/nico/kde/usr/include/QtCore/qobjectdefs_impl.h:339
#15 QtPrivate::QCallableObject<ShellCorona::createWaitingPanels()::<lambda()>, QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase *, QObject *, void **, bool *)
    (which=<optimized out>, this_=0x3364c30, r=<optimized out>, a=<optimized out>, ret=<optimized out>) at /home/nico/kde/usr/include/QtCore/qobjectdefs_impl.h:522
#16 0x00007f609f5b60b3 in QtPrivate::QSlotObjectBase::call(QObject*, void**) (a=0x7fff81783120, r=0x171f350, this=0x3364c30)
    at /home/nico/workspace/qt6/qtbase/src/corelib/kernel/qobjectdefs_impl.h:433
#17 doActivate<false>(QObject*, int, void**) (sender=0x1f2e7c0, signal_index=15, argv=0x7fff81783120) at /home/nico/workspace/qt6/qtbase/src/corelib/kernel/qobject.cpp:4021
#18 0x00007f609f5addef in QMetaObject::activate(QObject*, QMetaObject const*, int, void**)
    (sender=sender@entry=0x1f2e7c0, m=m@entry=0x7f60a0490660 <QWindow::staticMetaObject>, local_signal_index=local_signal_index@entry=12, argv=argv@entry=0x7fff81783120)
    at /home/nico/workspace/qt6/qtbase/src/corelib/kernel/qobject.cpp:4081
#19 0x00007f609fe0cb22 in QWindow::visibleChanged(bool) (this=this@entry=0x1f2e7c0, _t1=<optimized out>, _t1@entry=false)
    at /home/nico/workspace/qt6/qtbase/src/gui/Gui_autogen/include/moc_qwindow.cpp:1195
#20 0x00007f609fe117ca in QWindowPrivate::setVisible(bool) (visible=false, this=0x1e270b0) at /home/nico/workspace/qt6/qtbase/src/gui/kernel/qwindow.cpp:340
#21 QWindow::setVisible(bool) (this=<optimized out>, visible=false) at /home/nico/workspace/qt6/qtbase/src/gui/kernel/qwindow.cpp:681
#22 0x00007f609fe11be7 in QWindowPrivate::destroy() (this=this@entry=0x1e270b0) at /home/nico/workspace/qt6/qtbase/src/gui/kernel/qwindow.cpp:2042
#23 0x00007f609fe11ddf in QWindow::~QWindow() (this=0x1f2e7c0, __in_chrg=<optimized out>) at /home/nico/workspace/qt6/qtbase/src/gui/kernel/qwindow.cpp:185
#24 0x00000000004473d9 in PanelView::~PanelView() (this=0x1f2e7c0, __in_chrg=<optimized out>) at /home/nico/kde/src/plasma-workspace/shell/panelview.cpp:127
#25 0x00007f609f5a6828 in QObject::event(QEvent*) (this=0x1f2e7c0, e=0x39143d0) at /home/nico/workspace/qt6/qtbase/src/corelib/kernel/qobject.cpp:1424
#26 0x00007f60a0b7f9d1 in QApplicationPrivate::notify_helper(QObject*, QEvent*) (this=<optimized out>, receiver=0x1f2e7c0, e=0x39143d0)
    at /home/nico/workspace/qt6/qtbase/src/widgets/kernel/qapplication.cpp:3296
#27 0x00007f609f559c48 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (receiver=0x1f2e7c0, event=0x39143d0)
    at /home/nico/workspace/qt6/qtbase/src/corelib/kernel/qcoreapplication.cpp:1121
#28 0x00007f609f559dc9 in QCoreApplication::sendEvent(QObject*, QEvent*) (receiver=<optimized out>, event=<optimized out>)
    at /home/nico/workspace/qt6/qtbase/src/corelib/kernel/qcoreapplication.cpp:1539
#29 0x00007f609f55d4e7 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (receiver=0x0, event_type=0, data=0x1303d00)
    at /home/nico/workspace/qt6/qtbase/src/corelib/kernel/qcoreapplication.cpp:1901
#30 0x00007f609f55d7f8 in QCoreApplication::sendPostedEvents(QObject*, int) (receiver=<optimized out>, event_type=<optimized out>)
    at /home/nico/workspace/qt6/qtbase/src/corelib/kernel/qcoreapplication.cpp:1760
#31 0x00007f609f7f84f3 in postEventSourceDispatch(GSource*, GSourceFunc, gpointer) (s=0x13c7320) at /home/nico/workspace/qt6/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:243
#32 0x00007f609e983e5c in g_main_dispatch (context=0x7f6088000ef0) at ../glib/gmain.c:3476
#33 g_main_context_dispatch_unlocked (context=0x7f6088000ef0) at ../glib/gmain.c:4284
#34 0x00007f609e9dedd8 in g_main_context_iterate_unlocked.isra.0 (context=context@entry=0x7f6088000ef0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>)
    at ../glib/gmain.c:4349
#35 0x00007f609e981ad3 in g_main_context_iteration (context=0x7f6088000ef0, may_block=1) at ../glib/gmain.c:4414


SOFTWARE/OS VERSIONS
KDE Plasma Version: master
KDE Frameworks Version: master
Qt Version: 6.6

ADDITIONAL INFORMATION
Wayland
Comment 1 Nate Graham 2023-11-15 19:30:31 UTC
Can reproduce. From the backtrace, it feels related to the screen scramble/freeze issue when waking up from sleep with the lid closed too.
Comment 2 Bharadwaj Raju 2023-11-21 06:11:43 UTC
We're trying to access a ContainmentView pointer after/while(?) its destructor is being run:

(gdb) frame 21
#21 0x00007ffff7eff308 in PlasmaQuick::ContainmentView::containment (this=0x141eec0) at /home/bharadwaj/kde/src/plasma-framework/src/plasmaquick/containmentview.cpp:239
239         return d->containment;
(gdb) print this
$12 = (const PlasmaQuick::ContainmentView * const) 0x141eec0
(gdb) print d
warning: RTTI symbol not found for class 'QWindow'
$13 = (PlasmaQuick::ContainmentViewPrivate * const) 0x1442360
(gdb) frame 32
#32 0x00007ffff7eff084 in PlasmaQuick::ContainmentView::~ContainmentView (this=0x141eec0, __in_chrg=<optimized out>)
    at /home/bharadwaj/kde/src/plasma-framework/src/plasmaquick/containmentview.cpp:205
205     }
(gdb) print this
$14 = (PlasmaQuick::ContainmentView * const) 0x141eec0
(gdb) print d
warning: RTTI symbol not found for class 'QWindow'
$15 = (PlasmaQuick::ContainmentViewPrivate * const) 0x1442360
Comment 3 Marco Martin 2023-11-21 09:06:19 UTC
In the rectNotify lambda the panel passed in the capture became invalid.

However, rectNotify is executed on signals on panel, so it should still be valid.

What could be happening is QWindow::screenChanged or QWindow::visibleChanged being emitted in the dtor, so is still a valid qwindow but not a valid panelview anymore
Comment 4 Marco Martin 2023-11-21 13:35:43 UTC
Were external monitors connected?
Comment 5 Bharadwaj Raju 2023-11-21 13:37:01 UTC
No, I'm on a laptop with no external monitors.
Comment 6 Bharadwaj Raju 2023-11-22 14:42:57 UTC
*** Bug 477204 has been marked as a duplicate of this bug. ***
Comment 7 Bug Janitor Service 2023-11-24 16:07:06 UTC
A possibly relevant merge request was started @ https://invent.kde.org/plasma/plasma-workspace/-/merge_requests/3593
Comment 8 Marco Martin 2023-11-27 08:53:47 UTC
Git commit 90891221e737718df4e330392431861e93d12ecc by Marco Martin.
Committed on 27/11/2023 at 09:53.
Pushed by mart into branch 'master'.

Check the captured PanelView is still a PanelView

In case we get a hideevent during panelview destruction

M  +6    -0    shell/shellcorona.cpp

https://invent.kde.org/plasma/plasma-workspace/-/commit/90891221e737718df4e330392431861e93d12ecc
Comment 9 Fushan Wen 2023-11-28 14:48:38 UTC
Git commit 7753d0e67e51751252233317353a3c9c2a94547f by Fushan Wen.
Committed on 28/11/2023 at 15:34.
Pushed by fusionfuture into branch 'master'.

shell: disconnect from rectNotify before deleting PanelView

This fixes a use-after-free caught by AddressSanitizer.
FIXED-IN: 6.0

```
    #0 0x7ff8378c07de in QWeakPointer<QObject>::internalData() const /usr/include/qt6/QtCore/qsharedpointer_impl.h:704
    #1 0x7ff8379456b9 in QPointer<Plasma::Containment>::data() const /usr/include/qt6/QtCore/qpointer.h:64
    #2 0x7ff837945747 in QPointer<Plasma::Containment>::operator Plasma::Containment*() const /usr/include/qt6/QtCore/qpointer.h:72
    #3 0x7ff837942c40 in PlasmaQuick::ContainmentView::containment() const /builds/plasma/plasma-framework/src/plasmaquick/containmentview.cpp:239
    #4 0x5b8aa5 in operator() /builds/plasma/plasma-workspace/shell/shellcorona.cpp:1480
    #5 0x5f53b7 in call /usr/include/qt6/QtCore/qobjectdefs_impl.h:137
    #6 0x5f3006 in call<QtPrivate::List<>, void> /usr/include/qt6/QtCore/qobjectdefs_impl.h:339
    #7 0x5f0e02 in impl /usr/include/qt6/QtCore/qobjectdefs_impl.h:522
    #8 0x7ff824ae4e12  (/lib64/libQt6Core.so.6+0x1dae12) (BuildId: 85850a361dcca189b9da51825a1598acf81b0dcb)
    #9 0x7ff8251a5031 in QWindow::visibleChanged(bool) (/lib64/libQt6Gui.so.6+0x231031) (BuildId: ccc53eabda9c9fd1e1927c9d0a376f2278950d3f)
    #10 0x7ff8251abc12 in QWindowPrivate::setVisible(bool) (/lib64/libQt6Gui.so.6+0x237c12) (BuildId: ccc53eabda9c9fd1e1927c9d0a376f2278950d3f)
    #11 0x7ff8251ab1b6 in QWindowPrivate::destroy() (/lib64/libQt6Gui.so.6+0x2371b6) (BuildId: ccc53eabda9c9fd1e1927c9d0a376f2278950d3f)
    #12 0x7ff8251ab411 in QWindow::~QWindow() (/lib64/libQt6Gui.so.6+0x237411) (BuildId: ccc53eabda9c9fd1e1927c9d0a376f2278950d3f)
    #13 0x7ff8379a3ef5 in PlasmaQuick::QuickViewSharedEngine::~QuickViewSharedEngine() /builds/plasma/plasma-framework/src/plasmaquick/quickviewsharedengine.cpp:126
    #14 0x7ff8379422bb in PlasmaQuick::ContainmentView::~ContainmentView() /builds/plasma/plasma-framework/src/plasmaquick/containmentview.cpp:205
    #15 0x4f7fee in PanelView::~PanelView() /builds/plasma/plasma-workspace/shell/panelview.cpp:128
    #16 0x4f802d in PanelView::~PanelView() /builds/plasma/plasma-workspace/shell/panelview.cpp:128
    #17 0x5b9e6b in ShellCorona::panelContainmentDestroyed(QObject*) /builds/plasma/plasma-workspace/shell/shellcorona.cpp:1507
    #18 0x67d8ae in QtPrivate::FunctorCall<QtPrivate::IndexesList<0>, QtPrivate::List<QObject*>, void, void (ShellCorona::*)(QObject*)>::call(void (ShellCorona::*)(QObject*), ShellCorona*, void**) /usr/include/qt6/QtCore/qobjectdefs_impl.h:145
    #19 0x669de5 in void QtPrivate::FunctionPointer<void (ShellCorona::*)(QObject*)>::call<QtPrivate::List<QObject*>, void>(void (ShellCorona::*)(QObject*), ShellCorona*, void**) /usr/include/qt6/QtCore/qobjectdefs_impl.h:182
    #20 0x652d77 in QtPrivate::QCallableObject<void (ShellCorona::*)(QObject*), QtPrivate::List<QObject*>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) /usr/include/qt6/QtCore/qobjectdefs_impl.h:520
    #21 0x7ff824ae4e12  (/lib64/libQt6Core.so.6+0x1dae12) (BuildId: 85850a361dcca189b9da51825a1598acf81b0dcb)
    #22 0x7ff824ae53fe in QObject::destroyed(QObject*) (/lib64/libQt6Core.so.6+0x1db3fe) (BuildId: 85850a361dcca189b9da51825a1598acf81b0dcb)
    #23 0x7ff824ada0d7 in QObject::~QObject() (/lib64/libQt6Core.so.6+0x1d00d7) (BuildId: 85850a361dcca189b9da51825a1598acf81b0dcb)
    #24 0x7ff82cb1e413 in Plasma::Applet::~Applet() /builds/plasma/plasma-framework/src/plasma/applet.cpp:90
    #25 0x7ff82cb65f63 in Plasma::Containment::~Containment() /builds/plasma/plasma-framework/src/plasma/containment.cpp:66
    #26 0x7ff82cb65fa7 in Plasma::Containment::~Containment() /builds/plasma/plasma-framework/src/plasma/containment.cpp:66
    #27 0x5922a1 in ShellCorona::~ShellCorona() /builds/plasma/plasma-workspace/shell/shellcorona.cpp:314
    #28 0x5927ef in ShellCorona::~ShellCorona() /builds/plasma/plasma-workspace/shell/shellcorona.cpp:316
    #29 0x7ff824ad4f06 in QObject::event(QEvent*) (/lib64/libQt6Core.so.6+0x1caf06) (BuildId: 85850a361dcca189b9da51825a1598acf81b0dcb)
    #30 0x7ff82aa8889d in QApplicationPrivate::notify_helper(QObject*, QEvent*) (/lib64/libQt6Widgets.so.6+0x1c089d) (BuildId: db7ca40e8f270b70c84741225000eea542abedfa)
    #31 0x7ff824a926c7 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (/lib64/libQt6Core.so.6+0x1886c7) (BuildId: 85850a361dcca189b9da51825a1598acf81b0dcb)
    #32 0x7ff824a92a26 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (/lib64/libQt6Core.so.6+0x188a26) (BuildId: 85850a361dcca189b9da51825a1598acf81b0dcb)
    #33 0x7ff824a95f12 in QCoreApplication::exec() (/lib64/libQt6Core.so.6+0x18bf12) (BuildId: 85850a361dcca189b9da51825a1598acf81b0dcb)
    #34 0x4932bd in main /builds/plasma/plasma-workspace/shell/main.cpp:230
    #35 0x7ff8243901af in __libc_start_call_main (/lib64/libc.so.6+0x281af) (BuildId: bbeee08e5f56966e641c4f3ba4ea1da9d730d0ab)
    #36 0x7ff824390278 in __libc_start_main@@GLIBC_2.34 (/lib64/libc.so.6+0x28278) (BuildId: bbeee08e5f56966e641c4f3ba4ea1da9d730d0ab)
    #37 0x428ef4 in _start ../sysdeps/x86_64/start.S:115
```

M  +3    -6    shell/shellcorona.cpp

https://invent.kde.org/plasma/plasma-workspace/-/commit/7753d0e67e51751252233317353a3c9c2a94547f
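
The lifetime problem discussed in comments 2, 3, 8 and 9, reduced to standard C++ as an added example (this is not KDE or Qt code). `Window`, `PanelView`, `Result` and `runPanelLifetime` are hypothetical stand-ins, and `dynamic_cast` is an assumed substitute for the "is still a PanelView" check named in the first commit message; the `disconnectBeforeDelete` path models the second commit.

```cpp
#include <functional>
#include <map>
#include <string>
// Stand-in for QWindow: like the traces above (~QWindow -> destroy ->
// setVisible(false) -> visibleChanged), it emits from its own destructor.
class Window {
public:
    virtual ~Window() { setVisible(false); }
    int onVisibleChanged(std::function<void()> slot) {
        slots_[nextId_] = std::move(slot);
        return nextId_++;
    }
    void disconnect(int id) { slots_.erase(id); }
    void setVisible(bool v) {
        if (v == visible_) return;
        visible_ = v;
        auto snapshot = slots_;            // slots may disconnect while running
        for (auto &entry : snapshot) entry.second();
    }
private:
    bool visible_ = false;
    int nextId_ = 0;
    std::map<int, std::function<void()>> slots_;
};

// Stand-in for PanelView: its members are already destroyed when ~Window() runs.
class PanelView : public Window {
public:
    const std::string &containment() const { return containment_; }
private:
    std::string containment_ = "panel-containment";
};

struct Result { int liveCalls = 0; int staleCalls = 0; };
// Runs one panel lifetime. The slot keeps a Window* and re-checks the type:
// inside ~Window() the dynamic type is Window, so the cast yields nullptr.
Result runPanelLifetime(bool disconnectBeforeDelete) {
    Result r;
    auto *panel = new PanelView;
    int id = panel->onVisibleChanged([w = static_cast<Window *>(panel), &r] {
        auto *pv = dynamic_cast<PanelView *>(w);
        if (!pv) { ++r.staleCalls; return; }   // unguarded code would read freed members here
        if (!pv->containment().empty()) ++r.liveCalls;
    });
    panel->setVisible(true);                   // normal emission, panel intact
    if (disconnectBeforeDelete) panel->disconnect(id);
    delete panel;                              // ~Window() emits visibleChanged
    return r;
}
```

With the connection left in place the slot is still invoked once during destruction and only the type check keeps it from touching `containment()`; disconnecting first means the slot never runs against a half-destroyed object.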
Comment 10 sebastianrampe 2023-12-01 19:23:51 UTC
Created attachment 163715
New crash information added by DrKonqi

plasmashell (5.90.0) using Qt 6.6.1

crash after login from lock screen

-- Backtrace (Reduced):
#6  std::__atomic_base<int>::load(std::memory_order) const (__m=std::memory_order::relaxed, this=0x2e65646b2e677273, this=<optimized out>, __m=<optimized out>) at /usr/include/c++/13.2.1/bits/atomic_base.h:503
#7  QAtomicOps<int>::loadRelaxed<int>(std::atomic<int> const&) (_q_value=<error reading variable: Cannot access memory at address 0x2e65646b2e677273>, _q_value=<optimized out>) at /usr/include/qt6/QtCore/qatomic_cxx11.h:201
#8  QBasicAtomicInteger<int>::loadRelaxed() const (this=0x2e65646b2e677273, this=<optimized out>) at /usr/include/qt6/QtCore/qbasicatomic.h:38
#9  QWeakPointer<QObject>::internalData() const (this=0x55b8c1e96310) at /usr/include/qt6/QtCore/qsharedpointer_impl.h:704
#10 QPointer<Plasma::Containment>::data() const (this=0x55b8c1e96310) at /usr/include/qt6/QtCore/qpointer.h:71
Comment 11 Nate Graham 2023-12-05 16:52:28 UTC
*** Bug 478114 has been marked as a duplicate of this bug. ***
Comment 12 Nate Graham 2024-09-26 20:06:14 UTC
*** Bug 478071 has been marked as a duplicate of this bug. ***
Comment 13 Nate Graham 2024-09-26 20:06:22 UTC
*** Bug 479123 has been marked as a duplicate of this bug. ***