Created attachment 165652
Simple ruby script to trigger the crash

SUMMARY
If a call to dbus org.freedesktop.Notifications.Notify uses the "image-data" hint, then plasmashell crashes

STEPS TO REPRODUCE
1. Run the attached script (sudo apt install ruby ruby-dbus && ruby ./kdebug.rb)
2. Wait 1-2 seconds
3. Crash!

OBSERVED RESULT
Crash!

EXPECTED RESULT
The notification pops up

SOFTWARE/OS VERSIONS
Operating System: Debian GNU/Linux 12
KDE Plasma Version: 5.27.5
KDE Frameworks Version: 5.103.0
Qt Version: 5.15.8
Graphics Platform: X11

ADDITIONAL INFORMATION
image-path seems to work fine, but image-data always causes a crash:
https://specifications.freedesktop.org/notification-spec/notification-spec-latest.html#icons-and-images
No crash in GNOME Shell 3 or MATE

Stacktrace from journalctl:
Process 257797 (plasmashell) of user 1000 dumped core.
Module libsystemd.so.0 from deb systemd-252.19-1~deb12u1.amd64
Module libudev.so.1 from deb systemd-252.19-1~deb12u1.amd64
Stack trace of thread 257797:
#0 0x00007f0013ca9e2c n/a (libc.so.6 + 0x8ae2c)
#1 0x00007f0013c5afb2 raise (libc.so.6 + 0x3bfb2)
#2 0x00007f001624183d _ZN6KCrash19defaultCrashHandlerEi (libKF5Crash.so.5 + 0x583d)
#3 0x00007f0013c5b050 n/a (libc.so.6 + 0x3c050)
#4 0x00007f0013ca9e2c n/a (libc.so.6 + 0x8ae2c)
#5 0x00007f0013c5afb2 raise (libc.so.6 + 0x3bfb2)
#6 0x00007f0013c45472 abort (libc.so.6 + 0x26472)
#7 0x00007f0012971e54 n/a (libdbus-1.so.3 + 0xfe54)
#8 0x00007f00129947f0 _dbus_warn_check_failed (libdbus-1.so.3 + 0x327f0)
#9 0x00007f00129962a4 n/a (libdbus-1.so.3 + 0x342a4)
#10 0x00007f0014bc8d19 _ZNK13QDBusArgumentrsERi (libQt5DBus.so.5 + 0x59d19)
#11 0x00007effa844ba7e n/a (libnotificationmanager.so.1 + 0x42a7e)
#12 0x00007effa844fbd2 n/a (libnotificationmanager.so.1 + 0x46bd2)
#13 0x00007effa843cf8f n/a (libnotificationmanager.so.1 + 0x33f8f)
#14 0x00007effa8471184 n/a (libnotificationmanager.so.1 + 0x68184)
#15 0x00007effa8471563 n/a (libnotificationmanager.so.1 + 0x68563)
#16 0x00007f0014b9261b n/a (libQt5DBus.so.5 + 0x2361b)
#17 0x00007f0014b96326 n/a (libQt5DBus.so.5 + 0x27326)
#18 0x00007f0014b96a82 n/a (libQt5DBus.so.5 + 0x27a82)
#19 0x00007f0014b98d68 n/a (libQt5DBus.so.5 + 0x29d68)
#20 0x00007f00140dd6f0 _ZN7QObject5eventEP6QEvent (libQt5Core.so.5 + 0x2dd6f0)
#21 0x00007f0014d62fae _ZN19QApplicationPrivate13notify_helperEP7QObjectP6QEvent (libQt5Widgets.so.5 + 0x162fae)
#22 0x00007f00140b16f8 _ZN16QCoreApplication15notifyInternal2EP7QObjectP6QEvent (libQt5Core.so.5 + 0x2b16f8)
#23 0x00007f00140b4681 _ZN23QCoreApplicationPrivate16sendPostedEventsEP7QObjectiP11QThreadData (libQt5Core.so.5 + 0x2b4681)
#24 0x00007f001410a153 n/a (libQt5Core.so.5 + 0x30a153)
#25 0x00007f0012a527a9 g_main_context_dispatch (libglib-2.0.so.0 + 0x547a9)
#26 0x00007f0012a52a38 n/a (libglib-2.0.so.0 + 0x54a38)
#27 0x00007f0012a52acc g_main_context_iteration (libglib-2.0.so.0 + 0x54acc)
#28 0x00007f0014109836 _ZN20QEventDispatcherGlib13processEventsE6QFlagsIN10QEventLoop17ProcessEventsFlagEE (libQt5Core.so.5 + 0x309836)
#29 0x00007f00140b017b _ZN10QEventLoop4execE6QFlagsINS_17ProcessEventsFlagEE (libQt5Core.so.5 + 0x2b017b)
#30 0x00007f00140b82d6 _ZN16QCoreApplication4execEv (libQt5Core.so.5 + 0x2b82d6)
#31 0x000055c17c7fadc3 n/a (plasmashell + 0x26dc3)
#32 0x00007f0013c4624a n/a (libc.so.6 + 0x2724a)
#33 0x00007f0013c46305 __libc_start_main (libc.so.6 + 0x27305)
#34 0x000055c17c7faee1 n/a (plasmashell + 0x26ee1)

Can reproduce.

Operating System: Fedora Linux 39
KDE Plasma Version: 6.0.80
KDE Frameworks Version: 6.0.0
Qt Version: 6.6.0
Kernel Version: 6.7.3-200.fc39.x86_64 (64-bit)
Graphics Platform: Wayland
Processors: 12 × AMD Ryzen 5 3600 6-Core Processor
Memory: 15.5 GiB of RAM
Graphics Processor: AMD Radeon RX 6600

Backtrace with debug symbols

Program terminated with signal SIGABRT, Aborted.
#0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
44 return INTERNAL_SYSCALL_ERROR_P (ret) ? INTERNAL_SYSCALL_ERRNO (ret) : 0;
[Current thread is 1 (Thread 0x7f8b4d41a400 (LWP 2147))]
(gdb) bt
#0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
#1 0x00007f8b518ae8a3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
#2 0x00007f8b5185c8ee in __GI_raise (sig=6) at ../sysdeps/posix/raise.c:26
#3 0x00007f8b55d65f44 in KCrash::defaultCrashHandler (sig=6) at /home/akseli/Repositories/kde/src/kcrash/src/kcrash.cpp:586
#4 0x00007f8b5185c9a0 in <signal handler called> () at /lib64/libc.so.6
#5 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
#6 0x00007f8b518ae8a3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
#7 0x00007f8b5185c8ee in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#8 0x00007f8b518448ff in __GI_abort () at abort.c:79
#9 0x00007f8b5112ccf2 in _dbus_abort () at ../../dbus/dbus-sysdeps.c:101
#10 0x00007f8b51155102 in _dbus_warn_check_failed (format=format@entry=0x7f8b5116224c "type %s %d not a basic type") at ../../dbus/dbus-internals.c:289
#11 0x00007f8b51155882 in _dbus_marshal_read_basic.constprop.0 (str=<optimized out>, pos=<optimized out>, type=118, value=<optimized out>, byte_order=<optimized out>, new_pos=0x0) at ../../dbus/dbus-marshal-basic.c:615
#12 0x00007f8b531af442 in q_dbus_message_iter_get_basic (value=0x7ffe7244d950, iter=0x4642d00) at /usr/src/debug/qt6-qtbase-6.6.0-6.fc39.x86_64/src/dbus/qdbus_symbols_p.h:316
#13 qIterGet<int> (it=0x4642d00) at /usr/src/debug/qt6-qtbase-6.6.0-6.fc39.x86_64/src/dbus/qdbusdemarshaller.cpp:35
#14 QDBusDemarshaller::toInt (this=0x4642ce0) at /usr/src/debug/qt6-qtbase-6.6.0-6.fc39.x86_64/src/dbus/qdbusdemarshaller.cpp:75
#15 QDBusArgument::operator>> (this=<optimized out>, arg=@0x7ffe7244da64: 0) at /usr/src/debug/qt6-qtbase-6.6.0-6.fc39.x86_64/src/dbus/qdbusargument.cpp:627
#16 QDBusArgument::operator>> (this=0x7ffe7244e5f8, arg=@0x7ffe7244da64: 0)
--Type <RET> for more, q to quit, c to continue without paging--c
    at /usr/src/debug/qt6-qtbase-6.6.0-6.fc39.x86_64/src/dbus/qdbusargument.cpp:624
#17 0x00007f8b3594803d in NotificationManager::Notification::Private::decodeNotificationSpecImageHint (arg=...) at /home/akseli/Repositories/kde/src/plasma-workspace/libnotificationmanager/notification.cpp:127
#18 0x00007f8b3594ac6a in NotificationManager::Notification::Private::processHints (this=0x65ccf90, hints=...) at /home/akseli/Repositories/kde/src/plasma-workspace/libnotificationmanager/notification.cpp:416
#19 0x00007f8b35927f80 in NotificationManager::ServerPrivate::Notify (this=0x2566dd0, app_name=..., replaces_id=0, app_icon=..., summary=..., body=..., actions=..., hints=..., timeout=-1) at /home/akseli/Repositories/kde/src/plasma-workspace/libnotificationmanager/server_p.cpp:167
#20 0x00007f8b359922b7 in NotificationsAdaptor::Notify (this=0x25ffde0, app_name=..., replaces_id=0, app_icon=..., summary=..., body=..., actions=..., hints=..., timeout=-1) at /home/akseli/Repositories/kde/build/plasma-workspace/libnotificationmanager/notificationsadaptor.cpp:69
#21 0x00007f8b35992618 in NotificationsAdaptor::qt_static_metacall (_o=0x25ffde0, _c=QMetaObject::InvokeMetaMethod, _id=8, _a=0x7ffe7244f318) at /home/akseli/Repositories/kde/build/plasma-workspace/libnotificationmanager/moc_notificationsadaptor.cpp:399
#22 0x00007f8b359929ab in NotificationsAdaptor::qt_metacall (this=0x25ffde0, _c=QMetaObject::InvokeMetaMethod, _id=8, _a=0x7ffe7244f318) at /home/akseli/Repositories/kde/build/plasma-workspace/libnotificationmanager/moc_notificationsadaptor.cpp:468
#23 0x00007f8b531cb479 in QDBusConnectionPrivate::deliverCall (this=this@entry=0x7f8b380016a0, object=object@entry=0x25ffde0, msg=..., metaTypes=..., slotIdx=13) at /usr/src/debug/qt6-qtbase-6.6.0-6.fc39.x86_64/src/dbus/qdbusintegrator.cpp:967
#24 0x00007f8b531cf095 in QDBusConnectionPrivate::activateCall (this=this@entry=0x7f8b380016a0, object=0x25ffde0, flags=flags@entry=273, msg=...) at /usr/src/debug/qt6-qtbase-6.6.0-6.fc39.x86_64/src/dbus/qdbusintegrator.cpp:876
#25 0x00007f8b531cf824 in QDBusConnectionPrivate::activateCall (msg=..., flags=273, object=<optimized out>, this=0x7f8b380016a0) at /usr/src/debug/qt6-qtbase-6.6.0-6.fc39.x86_64/src/dbus/qdbusintegrator.cpp:815
#26 QDBusConnectionPrivate::activateObject (this=0x7f8b380016a0, node=..., msg=..., pathStartPos=<optimized out>) at /usr/src/debug/qt6-qtbase-6.6.0-6.fc39.x86_64/src/dbus/qdbusintegrator.cpp:1451
#27 0x00007f8b531d1e8a in QDBusActivateObjectEvent::placeMetaCall (this=0x2e56ad0) at /usr/src/debug/qt6-qtbase-6.6.0-6.fc39.x86_64/src/dbus/qdbusintegrator.cpp:1571
#28 0x00007f8b51ff3617 in QObject::event (this=0x2566dd0, e=0x2e56ad0) at /usr/src/debug/qt6-qtbase-6.6.0-6.fc39.x86_64/src/corelib/kernel/qobject.cpp:1437
#29 0x00007f8b549c2b38 in QApplicationPrivate::notify_helper (this=<optimized out>, receiver=0x2566dd0, e=0x2e56ad0) at /usr/src/debug/qt6-qtbase-6.6.0-6.fc39.x86_64/src/widgets/kernel/qapplication.cpp:3290
#30 0x00007f8b51fa0ba8 in QCoreApplication::notifyInternal2 (receiver=0x2566dd0, event=0x2e56ad0) at /usr/src/debug/qt6-qtbase-6.6.0-6.fc39.x86_64/src/corelib/kernel/qcoreapplication.cpp:1118
#31 0x00007f8b51fa0dad in QCoreApplication::sendEvent (receiver=<optimized out>, event=<optimized out>) at /usr/src/debug/qt6-qtbase-6.6.0-6.fc39.x86_64/src/corelib/kernel/qcoreapplication.cpp:1536
#32 0x00007f8b51fa4aa5 in QCoreApplicationPrivate::sendPostedEvents (receiver=0x0, event_type=0, data=0x5a8230) at /usr/src/debug/qt6-qtbase-6.6.0-6.fc39.x86_64/src/corelib/kernel/qcoreapplication.cpp:1898
#33 0x00007f8b51fa4e1d in QCoreApplication::sendPostedEvents (receiver=<optimized out>, event_type=<optimized out>) at /usr/src/debug/qt6-qtbase-6.6.0-6.fc39.x86_64/src/corelib/kernel/qcoreapplication.cpp:1757
#34 0x00007f8b522410bf in postEventSourceDispatch (s=0x619e70) at /usr/src/debug/qt6-qtbase-6.6.0-6.fc39.x86_64/src/corelib/kernel/qeventdispatcher_glib.cpp:243
#35 0x00007f8b50911e5c in g_main_dispatch (context=0x7f8b38000ef0) at ../glib/gmain.c:3476
#36 g_main_context_dispatch_unlocked (context=0x7f8b38000ef0) at ../glib/gmain.c:4284
#37 0x00007f8b5096cf18 in g_main_context_iterate_unlocked.isra.0 (context=context@entry=0x7f8b38000ef0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:4349
#38 0x00007f8b5090fad3 in g_main_context_iteration (context=0x7f8b38000ef0, may_block=1) at ../glib/gmain.c:4414
#39 0x00007f8b5224096f in QEventDispatcherGlib::processEvents (this=0x5d6b60, flags=...) at /usr/src/debug/qt6-qtbase-6.6.0-6.fc39.x86_64/src/corelib/kernel/qeventdispatcher_glib.cpp:393
#40 0x00007f8b51fad9bb in QEventLoop::exec (this=this@entry=0x7ffe7244fbf0, flags=..., flags@entry=...) at /usr/src/debug/qt6-qtbase-6.6.0-6.fc39.x86_64/src/corelib/global/qflags.h:34
#41 0x00007f8b51fa97bd in QCoreApplication::exec () at /usr/src/debug/qt6-qtbase-6.6.0-6.fc39.x86_64/src/corelib/global/qflags.h:74
#42 0x00000000004428c0 in main (argc=2, argv=0x7ffe72450878) at /home/akseli/Repositories/kde/src/plasma-workspace/shell/main.cpp:214

A possibly relevant merge request was started @ https://invent.kde.org/plasma/plasma-workspace/-/merge_requests/3881

Git commit 390d4fa6d2a8e7507021884edb5bd5207ee151e6 by Akseli Lahtinen.
Committed on 08/02/2024 at 15:25.
Pushed by akselmo into branch 'master'.

Notification: ensure arg is StructureType when decoding ImageHint

If `arg` is any other type than `StructureType`, broken imagehint would crash plasmashell.

This change checks for the imagehint that it is correct type. It is better to return no image at all than crash whole shell.

Tested with the ruby code attachment in the bug report.

M +3 -0 libnotificationmanager/notification.cpp

https://invent.kde.org/plasma/plasma-workspace/-/commit/390d4fa6d2a8e7507021884edb5bd5207ee151e6

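Added example, not the plasma-workspace code and not part of the commit above: a self-contained C++ model of the guard the commit message describes, which checks that the hint argument is a structure before reading any field and otherwise returns no image. It goes beyond the commit by also checking the fields of the spec's (iiibiiay) structure for consistency; ArgType, HintArg, ImageHintFields, Image and decodeImageHint are hypothetical names, and the 8-bit, 3-or-4-channel limits are assumptions of this example.

```cpp
#include <cstdint>
#include <vector>

// Hypothetical stand-in for a demarshalled D-Bus argument; Qt's QDBusArgument is not used here.
enum class ArgType { Basic, Variant, Array, Structure };

// Fields of the notification spec's image-data structure, signature (iiibiiay).
struct ImageHintFields {
    int32_t width = 0, height = 0, rowstride = 0;
    bool hasAlpha = false;
    int32_t bitsPerSample = 0, channels = 0;
    std::vector<uint8_t> pixels;
};

struct HintArg {
    ArgType type = ArgType::Basic;
    ImageHintFields fields; // meaningful only when type == ArgType::Structure
};

struct Image {
    bool valid = false; // false means "show the notification without an image"
    int width = 0, height = 0;
};

Image decodeImageHint(const HintArg &arg)
{
    Image none;
    // Type check first: the sender controls the hint, so never read fields from a non-structure.
    if (arg.type != ArgType::Structure) return none;

    const ImageHintFields &f = arg.fields;
    if (f.width <= 0 || f.height <= 0 || f.rowstride <= 0) return none;
    // Assumption of this example: only 8-bit RGB or RGBA data is accepted.
    if (f.bitsPerSample != 8 || f.channels != (f.hasAlpha ? 4 : 3)) return none;

    // 64-bit arithmetic so sender-chosen dimensions cannot overflow the size check.
    const int64_t rowBytes = int64_t(f.width) * f.channels;
    if (f.rowstride < rowBytes) return none;
    // The last row may omit its padding, so it needs rowBytes rather than a full rowstride.
    const int64_t needed = int64_t(f.rowstride) * (f.height - 1) + rowBytes;
    if (int64_t(f.pixels.size()) < needed) return none;

    Image img;
    img.valid = true;
    img.width = f.width;
    img.height = f.height;
    return img;
}
```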

Git commit d5549c4c1dc35ad6c2a6fcd8d8f643abb9116fc5 by Akseli Lahtinen.
Committed on 08/02/2024 at 15:39.
Pushed by akselmo into branch 'Plasma/6.0'.

Notification: ensure arg is StructureType when decoding ImageHint

If `arg` is any other type than `StructureType`, broken imagehint would crash plasmashell.

This change checks for the imagehint that it is correct type. It is better to return no image at all than crash whole shell.

Tested with the ruby code attachment in the bug report.

(cherry picked from commit 390d4fa6d2a8e7507021884edb5bd5207ee151e6)

M +3 -0 libnotificationmanager/notification.cpp

https://invent.kde.org/plasma/plasma-workspace/-/commit/d5549c4c1dc35ad6c2a6fcd8d8f643abb9116fc5

A possibly relevant merge request was started @ https://invent.kde.org/plasma/plasma-workspace/-/merge_requests/3893

Git commit 5e964798da63304cb97b3647f71f893a7be4be3e by Fushan Wen.
Committed on 12/02/2024 at 12:34.
Pushed by fusionfuture into branch 'master'.

appiumtests/notificationstest: ensure malformed image data can't cause a crash

M +26 -0 appiumtests/notificationstest.py

https://invent.kde.org/plasma/plasma-workspace/-/commit/5e964798da63304cb97b3647f71f893a7be4be3e

A possibly relevant merge request was started @ https://invent.kde.org/plasma/plasma-workspace/-/merge_requests/3894

Git commit bbe3d49816a97f39fd1df986df1a1e1aa4277481 by Fushan Wen.
Committed on 12/02/2024 at 13:37.
Pushed by fusionfuture into branch 'Plasma/6.0'.

appiumtests/notificationstest: ensure malformed image data can't cause a crash

(cherry picked from commit 5e964798da63304cb97b3647f71f893a7be4be3e)

M +26 -0 appiumtests/notificationstest.py

https://invent.kde.org/plasma/plasma-workspace/-/commit/bbe3d49816a97f39fd1df986df1a1e1aa4277481

Git commit 55a279591494e227eeaf1f21bc86084eeb0a7c19 by Akseli Lahtinen.
Committed on 04/03/2024 at 08:34.
Pushed by akselmo into branch 'Plasma/5.27'.

Notification: ensure arg is StructureType when decoding ImageHint

If `arg` is any other type than `StructureType`, broken imagehint would crash plasmashell.

This change checks for the imagehint that it is correct type. It is better to return no image at all than crash whole shell.

Tested with the ruby code attachment in the bug report.

(cherry picked from commit 390d4fa6d2a8e7507021884edb5bd5207ee151e6)

M +3 -0 libnotificationmanager/notification.cpp

https://invent.kde.org/plasma/plasma-workspace/-/commit/55a279591494e227eeaf1f21bc86084eeb0a7c19