Bug 484674 - Plasmashell crashes when attempting to drag a task with no desktop file associated with it to desktop from task manager
Status: RESOLVED FIXED
Alias: None
Product: plasmashell
Classification: Plasma
Component: general
Version: 6.0.2
Platform: Arch Linux Linux
Importance: NOR crash
Target Milestone: 1.0
Assignee: Plasma Bugs List
Duplicates: 489741 490302
Reported: 2024-03-28 17:35 UTC by Antti Savolainen
Modified: 2024-07-18 08:21 UTC (History)
Version Fixed In: 6.1.3
Attachments
backtrace (4.92 KB, text/plain)
2024-03-28 17:35 UTC, Antti Savolainen

Description Antti Savolainen 2024-03-28 17:35:12 UTC
Created attachment 167895
backtrace

SUMMARY
Demonstrative video: https://youtu.be/PeZI5naH_f4
If I launch a game through Steam and then drag the taskbar entry to desktop, plasmashell crashes.

STEPS TO REPRODUCE
1. Open a game from Steam
2. Drag it to desktop from the taskbar

OBSERVED RESULT
Plasmashell crashes

EXPECTED RESULT
No crash

SOFTWARE/OS VERSIONS
Linux: Arch Linux
KDE Plasma Version: 6.0.2
KDE Frameworks Version: 6.0.0
Qt Version: 6.6.2
Comment 1 Nicolas Fella 2024-03-28 22:36:57 UTC
#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=11, no_tid=no_tid@entry=0) at pthread_kill.c:44
#1  0x000076deacaab393 in __pthread_kill_internal (signo=11, threadid=<optimized out>) at pthread_kill.c:78
#2  0x000076deaca5a6c8 in __GI_raise (sig=11) at ../sysdeps/posix/raise.c:26
#3  0x000076deae50a43f in KCrash::defaultCrashHandler (sig=11) at /usr/src/debug/kcrash/kcrash-6.0.0/src/kcrash.cpp:586
#4  0x000076deaca5a770 in <signal handler called> () at /usr/lib/libc.so.6
#5  std::__atomic_base<int>::fetch_add (__m=std::memory_order::acq_rel, __i=1, this=0x188) at /usr/include/c++/13.2.1/bits/atomic_base.h:633
#6  QAtomicOps<int>::ref<int> (_q_value=<error reading variable: Cannot access memory at address 0x188>) at /usr/include/qt6/QtCore/qatomic_cxx11.h:258
#7  QBasicAtomicInteger<int>::ref (this=0x188) at /usr/include/qt6/QtCore/qbasicatomic.h:49
#8  QArrayData::ref (this=0x188, this=<optimized out>) at /usr/include/qt6/QtCore/qarraydata.h:52
#9  QArrayDataPointer<QAction*>::ref (this=<synthetic pointer>) at /usr/include/qt6/QtCore/qarraydatapointer.h:412
#10 QArrayDataPointer<QAction*>::QArrayDataPointer (other=..., this=<synthetic pointer>) at /usr/include/qt6/QtCore/qarraydatapointer.h:40
#11 QArrayDataPointer<QAction*>::operator= (other=..., this=0x5ff9f2bd68d8) at /usr/include/qt6/QtCore/qarraydatapointer.h:64
#12 QList<QAction*>::operator= (this=0x5ff9f2bd68d8) at /usr/include/qt6/QtCore/qlist.h:70
#13 KIO::DropMenu::addExtraActions (this=0x5ff9f2bd68b0, appActions=..., pluginActions=...) at /usr/src/debug/kio/kio-6.0.0/src/widgets/dropjob.cpp:206
#14 0x000076deabba455e in KIO::DropJobPrivate::addPluginActions (itemProps=..., popup=0x5ff9f2bd68b0, this=0x76dea0085680) at /usr/src/debug/kio/kio-6.0.0/src/widgets/dropjob.cpp:356
#15 KIO::DropJobPrivate::fillPopupMenu (popup=0x5ff9f2bd68b0, this=0x76dea0085680) at /usr/src/debug/kio/kio-6.0.0/src/widgets/dropjob.cpp:340
#16 KIO::DropJobPrivate::slotDropActionDetermined (error=151, this=0x76dea0085680) at /usr/src/debug/kio/kio-6.0.0/src/widgets/dropjob.cpp:521
#17 KIO::DropJobPrivate::handleCopyToDirectory (this=<optimized out>) at /usr/src/debug/kio/kio-6.0.0/src/widgets/dropjob.cpp:498
#18 0x000076deabd7c2c7 in QObject::event (this=0x5ff9f10bddb0, e=0x5ff9f4635910) at /usr/src/debug/qt6-base/qtbase-everywhere-src-6.6.2/src/corelib/kernel/qobject.cpp:1437
#19 0x000076deadaf438b in QApplicationPrivate::notify_helper (this=<optimized out>, receiver=0x5ff9f10bddb0, e=0x5ff9f4635910) at /usr/src/debug/qt6-base/qtbase-everywhere-src-6.6.2/src/widgets/kernel/qapplication.cpp:3296
#20 0x000076deabd39818 in QCoreApplication::notifyInternal2 (receiver=0x5ff9f10bddb0, event=event@entry=0x5ff9f4635910) at /usr/src/debug/qt6-base/qtbase-everywhere-src-6.6.2/src/corelib/kernel/qcoreapplication.cpp:1121
#21 0x000076deabd39b9b in QCoreApplication::sendEvent (event=0x5ff9f4635910, receiver=<optimized out>) at /usr/src/debug/qt6-base/qtbase-everywhere-src-6.6.2/src/corelib/kernel/qcoreapplication.cpp:1539
#22 QCoreApplicationPrivate::sendPostedEvents (receiver=0x0, event_type=0, data=0x5ff9efd94ba0) at /usr/src/debug/qt6-base/qtbase-everywhere-src-6.6.2/src/corelib/kernel/qcoreapplication.cpp:1901
#23 0x000076deabf758a4 in QCoreApplication::sendPostedEvents (receiver=0x0, event_type=0) at /usr/src/debug/qt6-base/qtbase-everywhere-src-6.6.2/src/corelib/kernel/qcoreapplication.cpp:1760
#24 postEventSourceDispatch (s=0x5ff9efdc28c0) at /usr/src/debug/qt6-base/qtbase-everywhere-src-6.6.2/src/corelib/kernel/qeventdispatcher_glib.cpp:243
#25 0x000076deaaa1b199 in g_main_dispatch (context=0x76dea0000f00) at ../glib/glib/gmain.c:3344
#26 0x000076deaaa7a3bf in g_main_context_dispatch_unlocked (context=0x76dea0000f00) at ../glib/glib/gmain.c:4152
#27 g_main_context_iterate_unlocked.isra.0 (context=context@entry=0x76dea0000f00, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/glib/gmain.c:4217
#28 0x000076deaaa1a712 in g_main_context_iteration (context=0x76dea0000f00, may_block=1) at ../glib/glib/gmain.c:4282
#29 0x000076deabf739c4 in QEventDispatcherGlib::processEvents (this=0x5ff9efdd8600, flags=...) at /usr/src/debug/qt6-base/qtbase-everywhere-src-6.6.2/src/corelib/kernel/qeventdispatcher_glib.cpp:393
#30 0x000076deabd43d6e in QEventLoop::processEvents (flags=..., this=0x7ffcf29067a0) at /usr/src/debug/qt6-base/qtbase-everywhere-src-6.6.2/src/corelib/kernel/qeventloop.cpp:100
#31 QEventLoop::exec (this=0x7ffcf29067a0, flags=...) at /usr/src/debug/qt6-base/qtbase-everywhere-src-6.6.2/src/corelib/kernel/qeventloop.cpp:182
#32 0x000076deabd3c2b8 in QCoreApplication::exec () at /usr/src/debug/qt6-base/qtbase-everywhere-src-6.6.2/src/corelib/global/qflags.h:74
#33 0x000076deadaf0f0a in QApplication::exec () at /usr/src/debug/qt6-base/qtbase-everywhere-src-6.6.2/src/widgets/kernel/qapplication.cpp:2574
#34 0x00005ff9ee091476 in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/plasma-workspace/plasma-workspace-6.0.2/shell/main.cpp:214
Comment 2 Nicolas Fella 2024-03-29 00:00:11 UTC
==6961==ERROR: AddressSanitizer: heap-use-after-free on address 0x5130002286d0 at pc 0x7fd72ecf58b5 bp 0x7ffd85d7c560 sp 0x7ffd85d7c558
READ of size 8 at 0x5130002286d0 thread T0
    #0 0x7fd72ecf58b4 in QArrayDataPointer<QAction*>::QArrayDataPointer(QArrayDataPointer<QAction*> const&) /home/nico/kde/usr/include/QtCore/qarraydatapointer.h:38
    #1 0x7fd72ecf58b4 in QArrayDataPointer<QAction*>::operator=(QArrayDataPointer<QAction*> const&) /home/nico/kde/usr/include/QtCore/qarraydatapointer.h:64
    #2 0x7fd72ecf58b4 in QList<QAction*>::operator=(QList<QAction*> const&) /home/nico/kde/usr/include/QtCore/qlist.h:70
    #3 0x7fd72ecf58b4 in KIO::DropMenu::addExtraActions(QList<QAction*> const&, QList<QAction*> const&) /home/nico/kde/src/kio/src/widgets/dropjob.cpp:206
    #4 0x7fd72ecfa757 in KIO::DropJobPrivate::addPluginActions(KIO::DropMenu*, KFileItemListProperties const&) /home/nico/kde/src/kio/src/widgets/dropjob.cpp:356
    #5 0x7fd72ecff447 in KIO::DropJobPrivate::fillPopupMenu(KIO::DropMenu*) /home/nico/kde/src/kio/src/widgets/dropjob.cpp:340
    #6 0x7fd72ed00d4a in KIO::DropJobPrivate::slotDropActionDetermined(int) /home/nico/kde/src/kio/src/widgets/dropjob.cpp:521
    #7 0x7fd72ed0352a in KIO::DropJobPrivate::handleCopyToDirectory() /home/nico/kde/src/kio/src/widgets/dropjob.cpp:498
    #8 0x7fd72ed06002 in KIO::DropJobPrivate::slotStart() /home/nico/kde/src/kio/src/widgets/dropjob.cpp:266
    #9 0x7fd72ed07e77 in operator() /home/nico/kde/src/kio/src/widgets/dropjob.cpp:232
    #10 0x7fd72ed07e77 in call /home/nico/kde/usr/include/QtCore/qobjectdefs_impl.h:137
    #11 0x7fd72ed07e77 in call<QtPrivate::List<>, void> /home/nico/kde/usr/include/QtCore/qobjectdefs_impl.h:339
    #12 0x7fd72ed07e77 in impl /home/nico/kde/usr/include/QtCore/qobjectdefs_impl.h:522
    #13 0x7fd72fc1f24d in QtPrivate::QSlotObjectBase::call(QObject*, void**) /home/nico/workspace/qt6/qtbase/src/corelib/kernel/qobjectdefs_impl.h:433
    #14 0x7fd72fc1f24d in QMetaCallEvent::placeMetaCall(QObject*) /home/nico/workspace/qt6/qtbase/src/corelib/kernel/qobject.cpp:649
    #15 0x7fd72fc312f5 in QObject::event(QEvent*) /home/nico/workspace/qt6/qtbase/src/corelib/kernel/qobject.cpp:1437
    #16 0x7fd736a73811 in QApplicationPrivate::notify_helper(QObject*, QEvent*) /home/nico/workspace/qt6/qtbase/src/widgets/kernel/qapplication.cpp:3296
    #17 0x7fd736a8f107 in QApplication::notify(QObject*, QEvent*) /home/nico/workspace/qt6/qtbase/src/widgets/kernel/qapplication.cpp:3247
    #18 0x7fd72fb48f9f in QCoreApplication::notifyInternal2(QObject*, QEvent*) /home/nico/workspace/qt6/qtbase/src/corelib/kernel/qcoreapplication.cpp:1121
    #19 0x7fd72fb4911e in QCoreApplication::sendEvent(QObject*, QEvent*) /home/nico/workspace/qt6/qtbase/src/corelib/kernel/qcoreapplication.cpp:1539
    #20 0x7fd72fb4a451 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) /home/nico/workspace/qt6/qtbase/src/corelib/kernel/qcoreapplication.cpp:1901
    #21 0x7fd72fb4a746 in QCoreApplication::sendPostedEvents(QObject*, int) /home/nico/workspace/qt6/qtbase/src/corelib/kernel/qcoreapplication.cpp:1760
    #22 0x7fd7302c0c8f in postEventSourceDispatch /home/nico/workspace/qt6/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:243
    #23 0x7fd72ef1270f in g_main_dispatch ../glib/gmain.c:3344
    #24 0x7fd72ef1270f in g_main_context_dispatch_unlocked ../glib/gmain.c:4152
    #25 0x7fd72ef14357 in g_main_context_iterate_unlocked ../glib/gmain.c:4217
    #26 0x7fd72ef14a0b in g_main_context_iteration ../glib/gmain.c:4282
    #27 0x7fd7302bf21f in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) /home/nico/workspace/qt6/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:393
    #28 0x7fd731f63375 in QPAEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) /home/nico/workspace/qt6/qtbase/src/gui/platform/unix/qeventdispatcher_glib.cpp:87
    #29 0x7fd72fb66453 in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) /home/nico/workspace/qt6/qtbase/src/corelib/kernel/qeventloop.cpp:100
    #30 0x7fd72fb67837 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) /home/nico/workspace/qt6/qtbase/src/corelib/kernel/qeventloop.cpp:182
    #31 0x7fd72fb510a0 in QCoreApplication::exec() /home/nico/workspace/qt6/qtbase/src/corelib/kernel/qcoreapplication.cpp:1442
    #32 0x7fd7311d6fc5 in QGuiApplication::exec() /home/nico/workspace/qt6/qtbase/src/gui/kernel/qguiapplication.cpp:1925
    #33 0x7fd736a72ea6 in QApplication::exec() /home/nico/workspace/qt6/qtbase/src/widgets/kernel/qapplication.cpp:2574
    #34 0x42f6d5 in main /home/nico/kde/src/plasma-workspace/shell/main.cpp:211
    #35 0x7fd72f02a1ef in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #36 0x7fd72f02a2b8 in __libc_start_main_impl ../csu/libc-start.c:360
    #37 0x430af4 in _start ../sysdeps/x86_64/start.S:115

0x5130002286d0 is located 272 bytes inside of 336-byte region [0x5130002285c0,0x513000228710)
freed by thread T0 here:
    #0 0x7fd73a2fd0d8 in operator delete(void*, unsigned long) ../../../../libsanitizer/asan/asan_new_delete.cpp:164
    #1 0x7fd72ed0a99d in KIO::DropJobPrivate::~DropJobPrivate() /home/nico/kde/src/kio/src/widgets/dropjob.cpp:75
    #2 0x7fd738e9d8d1 in KIO::Job::~Job() /home/nico/kde/src/kio/src/core/job.cpp:41
    #3 0x7fd72ecf1c56 in KIO::DropJob::~DropJob() /home/nico/kde/src/kio/src/widgets/dropjob.cpp:238
    #4 0x7fd72ecf1c70 in KIO::DropJob::~DropJob() /home/nico/kde/src/kio/src/widgets/dropjob.cpp:238
    #5 0x7fd72fc3aee3 in QObjectPrivate::deleteChildren() /home/nico/workspace/qt6/qtbase/src/corelib/kernel/qobject.cpp:2206
    #6 0x7fd72fc42356 in QObject::~QObject() /home/nico/workspace/qt6/qtbase/src/corelib/kernel/qobject.cpp:1159
    #7 0x7fd7395b697b in DropMenu::~DropMenu() /home/nico/kde/src/libplasma/src/plasmaquick/plasmoid/dropmenu.cpp:48
    #8 0x7fd7395b69e0 in DropMenu::~DropMenu() /home/nico/kde/src/libplasma/src/plasmaquick/plasmoid/dropmenu.cpp:48
    #9 0x7fd73957f871 in ContainmentItem::processMimeData(QMimeData*, int, int, KIO::DropJob*) /home/nico/kde/src/libplasma/src/plasmaquick/plasmoid/containmentitem.cpp:396
    #10 0x7fd739580bc2 in ContainmentItem::processMimeData(QMimeData*, int, int, KIO::DropJob*) /home/nico/kde/src/libplasma/src/plasmaquick/plasmoid/containmentitem.cpp:353
    #11 0x7fd739580bc2 in ContainmentItem::processMimeData(QObject*, int, int, KIO::DropJob*) /home/nico/kde/src/libplasma/src/plasmaquick/plasmoid/containmentitem.cpp:345
    #12 0x7fd739592e36 in ContainmentItem::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) /home/nico/kde/build/libplasma/src/plasmaquick/PlasmaQuick_autogen/include/moc_containmentitem.cpp:359
    #13 0x7fd739595973 in ContainmentItem::qt_metacall(QMetaObject::Call, int, void**) /home/nico/kde/build/libplasma/src/plasmaquick/PlasmaQuick_autogen/include/moc_containmentitem.cpp:477
    #14 0x7fd733d3f0f8 in QQmlVMEMetaObject::metaCall(QObject*, QMetaObject::Call, int, void**) /home/nico/workspace/qt6/qtdeclarative/src/qml/qml/qqmlvmemetaobject.cpp:1172
    #15 0x7fd72fb6f44a in QMetaObject::metacall(QObject*, QMetaObject::Call, int, void**) /home/nico/workspace/qt6/qtbase/src/corelib/kernel/qmetaobject.cpp:332
    #16 0x7fd733b55750 in QQmlObjectOrGadget::metacall(QMetaObject::Call, int, void**) const /home/nico/workspace/qt6/qtdeclarative/src/qml/qml/qqmlobjectorgadget.cpp:14
    #17 0x7fd73369f39e in CallMethod /home/nico/workspace/qt6/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:1525
    #18 0x7fd7336a23fa in CallPrecise /home/nico/workspace/qt6/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:1830
    #19 0x7fd7336a263a in operator() /home/nico/workspace/qt6/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:2733
    #20 0x7fd7336a2912 in operator()<QV4::QObjectMethod::callInternal(const QV4::Value*, const QV4::Value*, int) const::<lambda()> > /home/nico/workspace/qt6/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:2710
    #21 0x7fd7336a3a24 in QV4::QObjectMethod::callInternal(QV4::Value const*, QV4::Value const*, int) const /home/nico/workspace/qt6/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:2733
    #22 0x7fd7336a3d5e in QV4::QObjectMethod::virtualCall(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) /home/nico/workspace/qt6/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:2622
    #23 0x7fd733436e15 in QV4::FunctionObject::call(QV4::Value const*, QV4::Value const*, int) const /home/nico/workspace/qt6/qtbase/include/QtQml/6.6.1/QtQml/private/../../../../../../qtdeclarative/src/qml/jsruntime/qv4functionobject_p.h:171
    #24 0x7fd7337c1c98 in QV4::Moth::VME::interpret(QV4::JSTypesStackFrame*, QV4::ExecutionEngine*, char const*) /home/nico/workspace/qt6/qtdeclarative/src/qml/jsruntime/qv4vme_moth.cpp:902
    #25 0x7fd7337d6adc in QV4::Moth::VME::exec(QV4::JSTypesStackFrame*, QV4::ExecutionEngine*) /home/nico/workspace/qt6/qtdeclarative/src/qml/jsruntime/qv4vme_moth.cpp:584
    #26 0x7fd7335931dd in doCall /home/nico/workspace/qt6/qtdeclarative/src/qml/jsruntime/qv4function.cpp:54
    #27 0x7fd733594d5d in QV4::Function::call(QV4::Value const*, QV4::Value const*, int, QV4::ExecutionContext*) /home/nico/workspace/qt6/qtdeclarative/src/qml/jsruntime/qv4function.cpp:79
    #28 0x7fd73359524e in operator() /home/nico/workspace/qt6/qtdeclarative/src/qml/jsruntime/qv4function.cpp:30
    #29 0x7fd73359524e in convertAndCall<QV4::Function::call(QObject*, void**, const QMetaType*, int, QV4::ExecutionContext*)::<lambda(const QV4::Value*, const QV4::Value*, int)> > /home/nico/workspace/qt6/qtbase/include/QtQml/6.6.1/QtQml/private/../../../../../../qtdeclarative/src/qml/jsruntime/qv4jscall_p.h:170
    #30 0x7fd733595759 in QV4::Function::call(QObject*, void**, QMetaType const*, int, QV4::ExecutionContext*) /home/nico/workspace/qt6/qtdeclarative/src/qml/jsruntime/qv4function.cpp:27
    #31 0x7fd733a961fc in QQmlJavaScriptExpression::evaluate(void**, QMetaType const*, int) /home/nico/workspace/qt6/qtdeclarative/src/qml/qml/qqmljavascriptexpression.cpp:270

previously allocated by thread T0 here:
    #0 0x7fd73a2fc1d8 in operator new(unsigned long) ../../../../libsanitizer/asan/asan_new_delete.cpp:95
    #1 0x7fd72ecf8877 in KIO::DropJobPrivate::newJob(QDropEvent const*, QUrl const&, QFlags<KIO::DropJobFlag>, QFlags<KIO::JobFlag>) /home/nico/kde/src/kio/src/widgets/dropjob.cpp:169
    #2 0x7fd72ecf8877 in KIO::drop(QDropEvent const*, QUrl const&, QFlags<KIO::DropJobFlag>, QFlags<KIO::JobFlag>) /home/nico/kde/src/kio/src/widgets/dropjob.cpp:648
    #3 0x7fd7144db80a in FolderModel::drop(QQuickItem*, QObject*, int, bool) /home/nico/kde/src/plasma-desktop/containments/desktop/plugins/folder/foldermodel.cpp:1210
    #4 0x7fd7144730c2 in FolderModel::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) /home/nico/kde/build/plasma-desktop/containments/desktop/plugins/folder/folderplugin_autogen/EWIEGA46WW/moc_foldermodel.cpp:1325
    #5 0x7fd714475593 in FolderModel::qt_metacall(QMetaObject::Call, int, void**) /home/nico/kde/build/plasma-desktop/containments/desktop/plugins/folder/folderplugin_autogen/EWIEGA46WW/moc_foldermodel.cpp:1659
    #6 0x7fd72fb6f49a in QMetaObject::metacall(QObject*, QMetaObject::Call, int, void**) /home/nico/workspace/qt6/qtbase/src/corelib/kernel/qmetaobject.cpp:334
    #7 0x7fd733b55750 in QQmlObjectOrGadget::metacall(QMetaObject::Call, int, void**) const /home/nico/workspace/qt6/qtdeclarative/src/qml/qml/qqmlobjectorgadget.cpp:14
    #8 0x7fd73369f39e in CallMethod /home/nico/workspace/qt6/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:1525
    #9 0x7fd7336a23fa in CallPrecise /home/nico/workspace/qt6/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:1830
    #10 0x7fd7336a263a in operator() /home/nico/workspace/qt6/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:2733
    #11 0x7fd7336a2912 in operator()<QV4::QObjectMethod::callInternal(const QV4::Value*, const QV4::Value*, int) const::<lambda()> > /home/nico/workspace/qt6/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:2710
    #12 0x7fd7336a3a24 in QV4::QObjectMethod::callInternal(QV4::Value const*, QV4::Value const*, int) const /home/nico/workspace/qt6/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:2733
    #13 0x7fd7336a3d5e in QV4::QObjectMethod::virtualCall(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) /home/nico/workspace/qt6/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:2622
    #14 0x7fd733436e15 in QV4::FunctionObject::call(QV4::Value const*, QV4::Value const*, int) const /home/nico/workspace/qt6/qtbase/include/QtQml/6.6.1/QtQml/private/../../../../../../qtdeclarative/src/qml/jsruntime/qv4functionobject_p.h:171
    #15 0x7fd7337c1c98 in QV4::Moth::VME::interpret(QV4::JSTypesStackFrame*, QV4::ExecutionEngine*, char const*) /home/nico/workspace/qt6/qtdeclarative/src/qml/jsruntime/qv4vme_moth.cpp:902
    #16 0x7fd7337d6adc in QV4::Moth::VME::exec(QV4::JSTypesStackFrame*, QV4::ExecutionEngine*) /home/nico/workspace/qt6/qtdeclarative/src/qml/jsruntime/qv4vme_moth.cpp:584
    #17 0x7fd73359e149 in qfoDoCall /home/nico/workspace/qt6/qtdeclarative/src/qml/jsruntime/qv4functionobject.cpp:526
    #18 0x7fd7335a713c in QV4::ArrowFunction::virtualCall(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) /home/nico/workspace/qt6/qtdeclarative/src/qml/jsruntime/qv4functionobject.cpp:556
    #19 0x7fd733436e15 in QV4::FunctionObject::call(QV4::Value const*, QV4::Value const*, int) const /home/nico/workspace/qt6/qtbase/include/QtQml/6.6.1/QtQml/private/../../../../../../qtdeclarative/src/qml/jsruntime/qv4functionobject_p.h:171
    #20 0x7fd7337c1c98 in QV4::Moth::VME::interpret(QV4::JSTypesStackFrame*, QV4::ExecutionEngine*, char const*) /home/nico/workspace/qt6/qtdeclarative/src/qml/jsruntime/qv4vme_moth.cpp:902
    #21 0x7fd7337d6adc in QV4::Moth::VME::exec(QV4::JSTypesStackFrame*, QV4::ExecutionEngine*) /home/nico/workspace/qt6/qtdeclarative/src/qml/jsruntime/qv4vme_moth.cpp:584
    #22 0x7fd7335931dd in doCall /home/nico/workspace/qt6/qtdeclarative/src/qml/jsruntime/qv4function.cpp:54
    #23 0x7fd733594d5d in QV4::Function::call(QV4::Value const*, QV4::Value const*, int, QV4::ExecutionContext*) /home/nico/workspace/qt6/qtdeclarative/src/qml/jsruntime/qv4function.cpp:79
    #24 0x7fd73359524e in operator() /home/nico/workspace/qt6/qtdeclarative/src/qml/jsruntime/qv4function.cpp:30
    #25 0x7fd73359524e in convertAndCall<QV4::Function::call(QObject*, void**, const QMetaType*, int, QV4::ExecutionContext*)::<lambda(const QV4::Value*, const QV4::Value*, int)> > /home/nico/workspace/qt6/qtbase/include/QtQml/6.6.1/QtQml/private/../../../../../../qtdeclarative/src/qml/jsruntime/qv4jscall_p.h:170
    #26 0x7fd733595759 in QV4::Function::call(QObject*, void**, QMetaType const*, int, QV4::ExecutionContext*) /home/nico/workspace/qt6/qtdeclarative/src/qml/jsruntime/qv4function.cpp:27
    #27 0x7fd733a961fc in QQmlJavaScriptExpression::evaluate(void**, QMetaType const*, int) /home/nico/workspace/qt6/qtdeclarative/src/qml/qml/qqmljavascriptexpression.cpp:270
    #28 0x7fd7338c3b24 in QQmlBoundSignalExpression::evaluate(void**) /home/nico/workspace/qt6/qtdeclarative/src/qml/qml/qqmlboundsignal.cpp:195
    #29 0x7fd7338c508d in QQmlBoundSignal_callback(QQmlNotifierEndpoint*, void**) /home/nico/workspace/qt6/qtdeclarative/src/qml/qml/qqmlboundsignal.cpp:314
    #30 0x7fd733b1b839 in QQmlNotifier::emitNotify(QQmlNotifierEndpoint*, void**) /home/nico/workspace/qt6/qtdeclarative/src/qml/qml/qqmlnotifier.cpp:70
    #31 0x7fd733951d1e in QQmlData::signalEmitted(QAbstractDeclarativeData*, QObject*, int, void**) /home/nico/workspace/qt6/qtdeclarative/src/qml/qml/qqmlengine.cpp:360

SUMMARY: AddressSanitizer: heap-use-after-free /home/nico/kde/usr/include/QtCore/qarraydatapointer.h:38 in QArrayDataPointer<QAction*>::QArrayDataPointer(QArrayDataPointer<QAction*> const&)
Comment 3 Akseli Lahtinen 2024-07-05 11:12:22 UTC
*** Bug 489741 has been marked as a duplicate of this bug. ***
Comment 4 Akseli Lahtinen 2024-07-05 11:38:16 UTC
This seems to happen with any xwayland apps

#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=11, no_tid=no_tid@entry=0)
at pthread_kill.c:44
44            return INTERNAL_SYSCALL_ERROR_P (ret) ? INTERNAL_SYSCALL_ERRNO (ret) : 0;
[Current thread is 1 (Thread 0x7f271f46db80 (LWP 50632))]
Missing separate debuginfos, use: dnf debuginfo-install ffmpeg-libs-6.1.1-11.fc40.x86_64 x264-libs-0.164-13.20231001git31e19f92.fc40.x86_64 x265-libs-3.6-2.fc40.x86_64
(gdb) bt
#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=11, no_tid=no_tid@entry=0)
at pthread_kill.c:44
#1  0x00007f27248ab1b3 in __pthread_kill_internal (threadid=<optimized out>, signo=11) at pthread_kill.c:78
#2  0x00007f272485365e in __GI_raise (sig=11) at ../sysdeps/posix/raise.c:26
#3  0x00007f27284cc9eb in KCrash::defaultCrashHandler (sig=11)
at /home/akseli/Repositories/kde/src/kcrash/src/kcrash.cpp:597
#4  0x00007f2724853710 in <signal handler called> () at /lib64/libc.so.6
#5  std::__atomic_base<int>::fetch_add (this=0x180, __i=1, __m=std::memory_order::acq_rel)
at /usr/include/c++/14/bits/atomic_base.h:629
#6  QAtomicOps<int>::ref<int> (_q_value=<error reading variable: Cannot access memory at address 0x180>)
at /usr/include/qt6/QtCore/qatomic_cxx11.h:259
#7  QBasicAtomicInteger<int>::ref (this=0x180) at /usr/include/qt6/QtCore/qbasicatomic.h:47
#8  QArrayData::ref (this=0x180) at /usr/include/qt6/QtCore/qarraydata.h:58
#9  QArrayDataPointer<QAction*>::ref (this=<synthetic pointer>)
at /usr/include/qt6/QtCore/qarraydatapointer.h:438
#10 QArrayDataPointer<QAction*>::QArrayDataPointer (this=<synthetic pointer>, other=...)
at /usr/include/qt6/QtCore/qarraydatapointer.h:40
#11 QArrayDataPointer<QAction*>::operator= (this=0x7f2704004148, other=...)
at /usr/include/qt6/QtCore/qarraydatapointer.h:71
#12 QList<QAction*>::operator= (this=0x7f2704004148) at /usr/include/qt6/QtCore/qlist.h:70
#13 KIO::DropMenu::addExtraActions (this=0x7f2704004120, appActions=..., pluginActions=...)
at /home/akseli/Repositories/kde/src/kio/src/widgets/dropjob.cpp:210
#14 0x00007f27247a1418 in KIO::DropJobPrivate::addPluginActions
(this=this@entry=0x2ffce780, popup=popup@entry=0x7f2704004120, itemProps=...)
at /home/akseli/Repositories/kde/src/kio/src/widgets/dropjob.cpp:362
#15 0x00007f27247a2788 in KIO::DropJobPrivate::fillPopupMenu
(this=this@entry=0x2ffce780, popup=popup@entry=0x7f2704004120)
at /home/akseli/Repositories/kde/src/kio/src/widgets/dropjob.cpp:346
#16 0x00007f27247a2c7c in KIO::DropJobPrivate::slotDropActionDetermined
(this=0x2ffce780, error=<optimized out>)
at /home/akseli/Repositories/kde/src/kio/src/widgets/dropjob.cpp:532
#17 0x00007f2724febdeb in QObject::event (this=0x31a5f6f0, e=0x7f270c0367d0)
at /usr/src/debug/qt6-qtbase-6.7.1-2.fc40.x86_64/src/corelib/kernel/qobject.cpp:1452
#18 0x00007f272778b168 in QApplicationPrivate::notify_helper
--Type <RET> for more, q to quit, c to continue without paging--c
(this=<optimized out>, receiver=0x31a5f6f0, e=0x7f270c0367d0)
at /usr/src/debug/qt6-qtbase-6.7.1-2.fc40.x86_64/src/widgets/kernel/qapplication.cpp:3287
#19 0x00007f2724f95b18 in QCoreApplication::notifyInternal2 (receiver=0x31a5f6f0, event=0x7f270c0367d0)
at /usr/src/debug/qt6-qtbase-6.7.1-2.fc40.x86_64/src/corelib/kernel/qcoreapplication.cpp:1134
#20 0x00007f2724f95d7d in QCoreApplication::sendEvent (receiver=<optimized out>, event=<optimized out>)
at /usr/src/debug/qt6-qtbase-6.7.1-2.fc40.x86_64/src/corelib/kernel/qcoreapplication.cpp:1575
#21 0x00007f2724f998c1 in QCoreApplicationPrivate::sendPostedEvents
(receiver=0x0, event_type=0, data=0x2db4d0e0)
at /usr/src/debug/qt6-qtbase-6.7.1-2.fc40.x86_64/src/corelib/kernel/qcoreapplication.cpp:1932
#22 0x00007f2724f99b6d in QCoreApplication::sendPostedEvents
(receiver=<optimized out>, event_type=<optimized out>)
at /usr/src/debug/qt6-qtbase-6.7.1-2.fc40.x86_64/src/corelib/kernel/qcoreapplication.cpp:1789
#23 0x00007f272527d39f in postEventSourceDispatch (s=0x2dbbc510)
at /usr/src/debug/qt6-qtbase-6.7.1-2.fc40.x86_64/src/corelib/kernel/qeventdispatcher_glib.cpp:244
#24 0x00007f2724325e8c in g_main_dispatch (context=0x7f270c000f00) at ../glib/gmain.c:3344
#25 g_main_context_dispatch_unlocked (context=0x7f270c000f00) at ../glib/gmain.c:4152
#26 0x00007f2724387c98 in g_main_context_iterate_unlocked.isra.0
(context=context@entry=0x7f270c000f00, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:4217
#27 0x00007f2724327383 in g_main_context_iteration (context=0x7f270c000f00, may_block=1)
at ../glib/gmain.c:4282
#28 0x00007f272527cb53 in QEventDispatcherGlib::processEvents (this=0x2db52f20, flags=...)
at /usr/src/debug/qt6-qtbase-6.7.1-2.fc40.x86_64/src/corelib/kernel/qeventdispatcher_glib.cpp:394
#29 0x00007f2724fa2713 in QEventLoop::exec (this=this@entry=0x7ffddaf3c550, flags=..., flags@entry=...)
at /usr/src/debug/qt6-qtbase-6.7.1-2.fc40.x86_64/src/corelib/global/qflags.h:34
#30 0x00007f2724f9e69c in QCoreApplication::exec ()
at /usr/src/debug/qt6-qtbase-6.7.1-2.fc40.x86_64/src/corelib/global/qflags.h:74
#31 0x00007f27259d53dd in QGuiApplication::exec ()
at /usr/src/debug/qt6-qtbase-6.7.1-2.fc40.x86_64/src/gui/kernel/qguiapplication.cpp:1926
#32 0x00007f272778b0d9 in QApplication::exec ()
at /usr/src/debug/qt6-qtbase-6.7.1-2.fc40.x86_64/src/widgets/kernel/qapplication.cpp:2555
#33 0x0000000000427a86 in main (argc=<optimized out>, argv=<optimized out>)
at /home/akseli/Repositories/kde/src/plasma-workspace/shell/main.cpp:188
Comment 5 Akseli Lahtinen 2024-07-05 13:30:37 UTC
After some tinkering I think I figured out where the bug happens: The item must have a desktop file associated to itself or it crashes plasmashell.

For example, xterm, even being an xwayland window, works. But cssh doesn't have a desktop file associated with it, so it won't work.
Comment 6 Bug Janitor Service 2024-07-05 13:44:47 UTC
A possibly relevant merge request was started @ https://invent.kde.org/frameworks/kio/-/merge_requests/1656
Comment 7 Bug Janitor Service 2024-07-08 11:59:21 UTC
A possibly relevant merge request was started @ https://invent.kde.org/plasma/libplasma/-/merge_requests/1167
Comment 8 Akseli Lahtinen 2024-07-08 12:28:00 UTC
Git commit 1ffb07ede4d305fcdb0a58b7713cc476666b58d1 by Akseli Lahtinen.
Committed on 08/07/2024 at 12:27.
Pushed by akselmo into branch 'master'.

containmentitem.cpp: Do not set dropJob parent to m_dropMenu

Setting the parent of dropJob to m_dropMenu here can cause crashes,
due to m_dropMenu not necessarily existing. For example in cases
where one drags an item from task manager that has no associated
desktop file, the m_dropMenu is deleted, which deletes the job during
async operation/running a method (line 423), which then causes crashing
because things end up in odd state.

M  +0    -4    src/plasmaquick/plasmoid/containmentitem.cpp

https://invent.kde.org/plasma/libplasma/-/commit/1ffb07ede4d305fcdb0a58b7713cc476666b58d1
Comment 9 Akseli Lahtinen 2024-07-08 12:30:35 UTC
Git commit 832a31c49ba90ac060a0f3c57bf3b459d7df7f46 by Akseli Lahtinen.
Committed on 08/07/2024 at 12:28.
Pushed by akselmo into branch 'Plasma/6.1'.

containmentitem.cpp: Do not set dropJob parent to m_dropMenu

Setting the parent of dropJob to m_dropMenu here can cause crashes,
due to m_dropMenu not necessarily existing. For example in cases
where one drags an item from task manager that has no associated
desktop file, the m_dropMenu is deleted, which deletes the job during
async operation/running a method (line 423), which then causes crashing
because things end up in odd state.


(cherry picked from commit 1ffb07ede4d305fcdb0a58b7713cc476666b58d1)

7beed646 containmentitem.cpp: Do not set dropJob parent to m_dropMenu
22e27f1b Remove another job->setParent(m_dropMenu)

Co-authored-by: Akseli Lahtinen <akselmo@akselmo.dev>

M  +0    -4    src/plasmaquick/plasmoid/containmentitem.cpp

https://invent.kde.org/plasma/libplasma/-/commit/832a31c49ba90ac060a0f3c57bf3b459d7df7f46
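
The ownership problem described in the commit messages above, modelled without Qt as an added example (not code from KIO or libplasma): a job with a deferred step is either handed to a short-lived menu as its child or left to own itself. `Object`, `Menu`, `Job`, `EventQueue`, `startJob` and `runDrop` are hypothetical names, and the weak-pointer guard stands in for the raw pointer dereference that ASan flagged in Comment 2.

```cpp
#include <cstdio>
#include <functional>
#include <memory>
#include <queue>
#include <string>
#include <vector>

// Stand-in for the event loop: posted callbacks run later, not at post time.
struct EventQueue {
    std::queue<std::function<void()>> pending;
    void post(std::function<void()> fn) { pending.push(std::move(fn)); }
    void drain() {
        while (!pending.empty()) {
            auto fn = std::move(pending.front());
            pending.pop();
            fn();
        }
    }
};

// Stand-in for parent/child ownership: destroying a parent destroys its children.
struct Object {
    std::vector<std::shared_ptr<Object>> children;
    virtual ~Object() = default;
};

struct Menu : Object {};

struct Job : Object {
    // Constructed sample data; the real job would collect menu actions here.
    std::vector<std::string> actions{"Copy Here", "Move Here", "Link Here"};
};

enum class Outcome { NotRun, FilledMenu, JobAlreadyDestroyed };

// Posts the job's deferred step. The callback holds only a weak reference, so a
// job destroyed in the meantime is detected instead of dereferenced. With a raw
// Job* capture, the JobAlreadyDestroyed branch is where the use-after-free
// would occur.
void startJob(EventQueue &loop, const std::shared_ptr<Job> &job, Outcome &out) {
    std::weak_ptr<Job> guard = job;
    loop.post([guard, &out] {
        if (auto alive = guard.lock()) {
            out = alive->actions.empty() ? Outcome::NotRun : Outcome::FilledMenu;
        } else {
            out = Outcome::JobAlreadyDestroyed;
        }
    });
}

// Replays the drop: the job's deferred step is queued, the menu is destroyed,
// and only then does the event loop run.
Outcome runDrop(bool parentJobToMenu) {
    EventQueue loop;
    Outcome out = Outcome::NotRun;
    auto menu = std::make_shared<Menu>();
    auto job = std::make_shared<Job>();
    startJob(loop, job, out);

    std::shared_ptr<Job> selfOwned;
    if (parentJobToMenu) {
        // Pre-fix shape: the menu becomes the job's owner.
        menu->children.push_back(job);
    } else {
        // Post-fix shape: the job is not tied to the menu's lifetime
        // (assumption: it stays alive on its own until it finishes).
        selfOwned = job;
    }
    job.reset();   // the caller drops its handle
    menu.reset();  // the menu goes away before the queued step has run
    loop.drain();  // the deferred step executes now
    return out;
}

int main() {
    std::printf("parented to menu: %s\n",
                runDrop(true) == Outcome::JobAlreadyDestroyed
                    ? "job destroyed before its deferred step ran"
                    : "job still alive");
    std::printf("not parented:     %s\n",
                runDrop(false) == Outcome::FilledMenu
                    ? "deferred step ran on a live job"
                    : "unexpected");
    return 0;
}
```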
Comment 10 Akseli Lahtinen 2024-07-18 08:21:47 UTC
*** Bug 490302 has been marked as a duplicate of this bug. ***