Bug 499654 - plasmashell crashes in QMimeData::hasImage() when dragging panel widgets
Summary: plasmashell crashes in QMimeData::hasImage() when dragging panel widgets
Status: CONFIRMED
Alias: None
Product: plasmashell
Classification: Plasma
Component: Panel
Version: master
Platform: Other Linux
Importance: NOR crash
Target Milestone: 1.0
Assignee: Plasma Bugs List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2025-02-07 16:54 UTC by Nicolas Fella
Modified: 2025-03-06 23:41 UTC
CC List: 4 users

See Also:
Latest Commit:
Version Fixed In:
Sentry Crash Report: https://crash-reports.kde.org/organizations/kde/issues/45244/


Attachments

Description Nicolas Fella 2025-02-07 16:54:39 UTC
==5174==ERROR: AddressSanitizer: heap-use-after-free on address 0x5030017055d0 at pc 0x7f979048632b bp 0x7ffcdd80b850 sp 0x7ffcdd80b848
READ of size 8 at 0x5030017055d0 thread T0
    #0 0x7f979048632a in QMimeData::hasImage() const /home/nico/workspace/qt6-dev/qtbase/src/corelib/kernel/qmimedata.cpp:496
    #1 0x7f9793abc961 in QWaylandMimeHelper::getByteArray(QMimeData*, QString const&) /home/nico/workspace/qt6-dev/qtwayland/src/shared/qwaylandmimehelper.cpp:18
    #2 0x7f9793c22c43 in QtWaylandClient::QWaylandDataSource::data_source_send(QString const&, int) /home/nico/workspace/qt6-dev/qtwayland/src/client/qwaylanddatasource.cpp:46
    #3 0x7f9793bdd689 in QtWayland::wl_data_source::handle_send(void*, wl_data_source*, char const*, int) /home/nico/workspace/qt6-dev/qtwayland/src/client/qwayland-wayland.cpp:756
    #4 0x7f979cc3bba1 in ffi_call_unix64 ../src/x86/unix64.S:104
    #5 0x7f979cc383ec in ffi_call_int ../src/x86/ffi64.c:673
    #6 0x7f979cc3b1ad in ffi_call ../src/x86/ffi64.c:710
    #7 0x7f979eb2bf90 in wl_closure_invoke ../../src/wayland/src/connection.c:1236
    #8 0x7f979eb27f5e in dispatch_event ../../src/wayland/src/wayland-client.c:1682
    #9 0x7f979eb28f9a in dispatch_queue ../../src/wayland/src/wayland-client.c:1828
    #10 0x7f979eb28f9a in wl_display_dispatch_queue_pending ../../src/wayland/src/wayland-client.c:2165
    #11 0x7f9793af283c in QtWaylandClient::EventThread::dispatchQueuePending() (/home/nico/kde-qtdev/usr/lib64/libQt6WaylandClient.so.6+0xf283c) (BuildId: cb12e0639e9de8af9647a94136ce8758a3065f12)
    #12 0x7f9793af737a in QtWaylandClient::EventThread::readAndDispatchEvents() /home/nico/workspace/qt6-dev/qtwayland/src/client/qwaylanddisplay.cpp:115
    #13 0x7f9793adf5b3 in QtWaylandClient::QWaylandDisplay::flushRequests() /home/nico/workspace/qt6-dev/qtwayland/src/client/qwaylanddisplay.cpp:525
    #14 0x7f9793b004bc in QtPrivate::FunctorCall<std::integer_sequence<unsigned long>, QtPrivate::List<>, void, void (QtWaylandClient::QWaylandDisplay::*)()>::call(void (QtWaylandClient::QWaylandDisplay::*)(), QtWaylandClient::QWaylandDisplay*, void**)::{lambda()#1}::operator()() const (/home/nico/kde-qtdev/usr/lib64/libQt6WaylandClient.so.6+0x1004bc) (BuildId: cb12e0639e9de8af9647a94136ce8758a3065f12)
    #15 0x7f9793b045f2 in QtPrivate::FunctorCall<std::integer_sequence<unsigned long>, QtPrivate::List<>, void, void (QtWaylandClient::QWaylandDisplay::*)()>::call(void (QtWaylandClient::QWaylandDisplay::*)(), QtWaylandClient::QWaylandDisplay*, void**) (/home/nico/kde-qtdev/usr/lib64/libQt6WaylandClient.so.6+0x1045f2) (BuildId: cb12e0639e9de8af9647a94136ce8758a3065f12)
    #16 0x7f9793b046ee in QtPrivate::QCallableObject<void (QtWaylandClient::QWaylandDisplay::*)(), QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) (/home/nico/kde-qtdev/usr/lib64/libQt6WaylandClient.so.6+0x1046ee) (BuildId: cb12e0639e9de8af9647a94136ce8758a3065f12)
    #17 0x7f9790490d8b in QtPrivate::QSlotObjectBase::call(QObject*, void**) /home/nico/workspace/qt6-dev/qtbase/src/corelib/kernel/qobjectdefs_impl.h:461
    #18 0x7f9790490d8b in QMetaCallEvent::placeMetaCall(QObject*) /home/nico/workspace/qt6-dev/qtbase/src/corelib/kernel/qobject.cpp:620
    #19 0x7f97904a57f6 in QObject::event(QEvent*) /home/nico/workspace/qt6-dev/qtbase/src/corelib/kernel/qobject.cpp:1429
    #20 0x7f9798a72c04 in QApplicationPrivate::notify_helper(QObject*, QEvent*) /home/nico/workspace/qt6-dev/qtbase/src/widgets/kernel/qapplication.cpp:3305
    #21 0x7f9798a8eb88 in QApplication::notify(QObject*, QEvent*) /home/nico/workspace/qt6-dev/qtbase/src/widgets/kernel/qapplication.cpp:3255
    #22 0x7f97903a7eaf in QCoreApplication::notifyInternal2(QObject*, QEvent*) /home/nico/workspace/qt6-dev/qtbase/src/corelib/kernel/qcoreapplication.cpp:1098
    #23 0x7f97903a80a0 in QCoreApplication::sendEvent(QObject*, QEvent*) /home/nico/workspace/qt6-dev/qtbase/src/corelib/kernel/qcoreapplication.cpp:1538
    #24 0x7f97903a972c in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) /home/nico/workspace/qt6-dev/qtbase/src/corelib/kernel/qcoreapplication.cpp:1878
    #25 0x7f97903a9a51 in QCoreApplication::sendPostedEvents(QObject*, int) /home/nico/workspace/qt6-dev/qtbase/src/corelib/kernel/qcoreapplication.cpp:1732
    #26 0x7f9790c1e15f in postEventSourceDispatch /home/nico/workspace/qt6-dev/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:246
    #27 0x7f978fb10ef7 in g_main_dispatch ../glib/gmain.c:3357
    #28 0x7f978fb10ef7 in g_main_context_dispatch_unlocked ../glib/gmain.c:4208
    #29 0x7f978fb12ce7 in g_main_context_iterate_unlocked ../glib/gmain.c:4273
    #30 0x7f978fb134fb in g_main_context_iteration ../glib/gmain.c:4338
    #31 0x7f9790c1c45e in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) /home/nico/workspace/qt6-dev/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:399
    #32 0x7f97931ca449 in QPAEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) /home/nico/workspace/qt6-dev/qtbase/src/gui/platform/unix/qeventdispatcher_glib.cpp:89
    #33 0x7f97903c7647 in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) /home/nico/workspace/qt6-dev/qtbase/src/corelib/kernel/qeventloop.cpp:104
    #34 0x7f97903c8c06 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) /home/nico/workspace/qt6-dev/qtbase/src/corelib/kernel/qeventloop.cpp:186
    #35 0x7f9792e88e30 in QBasicDrag::drag(QDrag*) /home/nico/workspace/qt6-dev/qtbase/src/gui/kernel/qsimpledrag.cpp:176
    #36 0x7f9792e7d0f1 in QDragManager::drag(QDrag*) /home/nico/workspace/qt6-dev/qtbase/src/gui/kernel/qdnd.cpp:81
    #37 0x7f9792e7e93a in QDrag::exec(QFlags<Qt::DropAction>, Qt::DropAction) /home/nico/workspace/qt6-dev/qtbase/src/gui/kernel/qdrag.cpp:248
    #38 0x7f975ec7f710 in DeclarativeDragArea::startDrag(QImage const&) /home/nico/kde-qtdev/src/kdeclarative/src/qmlcontrols/draganddrop/DeclarativeDragArea.cpp:360
    #39 0x7f975ec7dda3 in operator() /home/nico/kde-qtdev/src/kdeclarative/src/qmlcontrols/draganddrop/DeclarativeDragArea.cpp:260
    #40 0x7f975ec81471 in operator() /home/nico/kde-qtdev/usr/include/QtCore/qobjectdefs_impl.h:116
    #41 0x7f975ec81619 in call_internal<void, QtPrivate::FunctorCall<std::integer_sequence<long unsigned int>, QtPrivate::List<>, void, DeclarativeDragArea::mouseMoveEvent(QMouseEvent*)::<lambda()> >::call(DeclarativeDragArea::mouseMoveEvent(QMouseEvent*)::<lambda()>&, void**)::<lambda()> > /home/nico/kde-qtdev/usr/include/QtCore/qobjectdefs_impl.h:65
    #42 0x7f975ec81577 in call /home/nico/kde-qtdev/usr/include/QtCore/qobjectdefs_impl.h:115
    #43 0x7f975ec81298 in call<QtPrivate::List<>, void> /home/nico/kde-qtdev/usr/include/QtCore/qobjectdefs_impl.h:337
    #44 0x7f975ec81220 in impl /home/nico/kde-qtdev/usr/include/QtCore/qobjectdefs_impl.h:547
    #45 0x7f97904c0a13 in void doActivate<false>(QObject*, int, void**) (/home/nico/kde-qtdev/usr/lib64/libQt6Core.so.6+0x4c0a13) (BuildId: 6e0075c428733fba6b7afa36481746c3de9b15fe)
    #46 0x7f979049f98b in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) /home/nico/workspace/qt6-dev/qtbase/src/corelib/kernel/qobject.cpp:4188
    #47 0x7f9796a530f9 in QQuickItemGrabResult::ready() /home/nico/workspace/qt6-dev/qtdeclarative/src/quick/Quick_autogen/include/moc_qquickitemgrabresult.cpp:167
    #48 0x7f9796a55f62 in QQuickItemGrabResult::event(QEvent*) /home/nico/workspace/qt6-dev/qtdeclarative/src/quick/items/qquickitemgrabresult.cpp:224
    #49 0x7f9798a72c04 in QApplicationPrivate::notify_helper(QObject*, QEvent*) /home/nico/workspace/qt6-dev/qtbase/src/widgets/kernel/qapplication.cpp:3305
    #50 0x7f9798a8eb88 in QApplication::notify(QObject*, QEvent*) /home/nico/workspace/qt6-dev/qtbase/src/widgets/kernel/qapplication.cpp:3255
    #51 0x7f97903a7eaf in QCoreApplication::notifyInternal2(QObject*, QEvent*) /home/nico/workspace/qt6-dev/qtbase/src/corelib/kernel/qcoreapplication.cpp:1098
    #52 0x7f97903a80a0 in QCoreApplication::sendEvent(QObject*, QEvent*) /home/nico/workspace/qt6-dev/qtbase/src/corelib/kernel/qcoreapplication.cpp:1538
    #53 0x7f97903a972c in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) /home/nico/workspace/qt6-dev/qtbase/src/corelib/kernel/qcoreapplication.cpp:1878
    #54 0x7f97903a9a51 in QCoreApplication::sendPostedEvents(QObject*, int) /home/nico/workspace/qt6-dev/qtbase/src/corelib/kernel/qcoreapplication.cpp:1732
    #55 0x7f9790c1e15f in postEventSourceDispatch /home/nico/workspace/qt6-dev/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:246
    #56 0x7f978fb10ef7 in g_main_dispatch ../glib/gmain.c:3357
    #57 0x7f978fb10ef7 in g_main_context_dispatch_unlocked ../glib/gmain.c:4208
    #58 0x7f978fb12ce7 in g_main_context_iterate_unlocked ../glib/gmain.c:4273
    #59 0x7f978fb134fb in g_main_context_iteration ../glib/gmain.c:4338
    #60 0x7f9790c1c45e in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) /home/nico/workspace/qt6-dev/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:399
    #61 0x7f97931ca449 in QPAEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) /home/nico/workspace/qt6-dev/qtbase/src/gui/platform/unix/qeventdispatcher_glib.cpp:89
    #62 0x7f97903c7647 in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) /home/nico/workspace/qt6-dev/qtbase/src/corelib/kernel/qeventloop.cpp:104
    #63 0x7f97903c8c06 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) /home/nico/workspace/qt6-dev/qtbase/src/corelib/kernel/qeventloop.cpp:186
    #64 0x7f97903b0f7a in QCoreApplication::exec() /home/nico/workspace/qt6-dev/qtbase/src/corelib/kernel/qcoreapplication.cpp:1441
    #65 0x7f979223b5c7 in QGuiApplication::exec() /home/nico/workspace/qt6-dev/qtbase/src/gui/kernel/qguiapplication.cpp:1993
    #66 0x7f9798a6fb20 in QApplication::exec() /home/nico/workspace/qt6-dev/qtbase/src/widgets/kernel/qapplication.cpp:2572
    #67 0x441876 in main /home/nico/kde-qtdev/src/plasma-workspace/shell/main.cpp:191
    #68 0x7f978f82a2ad in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #69 0x7f978f82a378 in __libc_start_main_impl ../csu/libc-start.c:360
    #70 0x42f624 in _start ../sysdeps/x86_64/start.S:115

0x5030017055d0 is located 0 bytes inside of 24-byte region [0x5030017055d0,0x5030017055e8)
freed by thread T0 here:
    #0 0x7f979e4fe198 in operator delete(void*, unsigned long) ../../../../libsanitizer/asan/asan_new_delete.cpp:164
    #1 0x7f975ec99af8 in DeclarativeMimeData::~DeclarativeMimeData() /home/nico/kde-qtdev/src/kdeclarative/src/qmlcontrols/draganddrop/DeclarativeMimeData.h:17
    #2 0x7f9792e7d51c in QDrag::~QDrag() /home/nico/workspace/qt6-dev/qtbase/src/gui/kernel/qdrag.cpp:94
    #3 0x7f9792e7d55c in QDrag::~QDrag() /home/nico/workspace/qt6-dev/qtbase/src/gui/kernel/qdrag.cpp:95
    #4 0x7f97904b0cf9 in QObjectPrivate::deleteChildren() /home/nico/workspace/qt6-dev/qtbase/src/corelib/kernel/qobject.cpp:2221
    #5 0x7f97904b8a0c in QObject::~QObject() /home/nico/workspace/qt6-dev/qtbase/src/corelib/kernel/qobject.cpp:1138
    #6 0x7f97969e487f in QQuickItem::~QQuickItem() /home/nico/workspace/qt6-dev/qtdeclarative/src/quick/items/qquickitem.cpp:2436
    #7 0x7f97971932d8 in QQmlPrivate::QQmlElement<QQuickItem>::~QQmlElement() /home/nico/workspace/qt6-dev/qtdeclarative/src/qml/qml/qqmlprivate.h:104
    #8 0x7f9797193308 in QQmlPrivate::QQmlElement<QQuickItem>::~QQmlElement() /home/nico/workspace/qt6-dev/qtdeclarative/src/qml/qml/qqmlprivate.h:104
    #9 0x7f97904a541d in QObject::event(QEvent*) /home/nico/workspace/qt6-dev/qtbase/src/corelib/kernel/qobject.cpp:1414
    #10 0x7f97969f7ef3 in QQuickItem::event(QEvent*) /home/nico/workspace/qt6-dev/qtdeclarative/src/quick/items/qquickitem.cpp:9220
    #11 0x7f9798a72c04 in QApplicationPrivate::notify_helper(QObject*, QEvent*) /home/nico/workspace/qt6-dev/qtbase/src/widgets/kernel/qapplication.cpp:3305
    #12 0x7f9798a8eb88 in QApplication::notify(QObject*, QEvent*) /home/nico/workspace/qt6-dev/qtbase/src/widgets/kernel/qapplication.cpp:3255
    #13 0x7f97903a7eaf in QCoreApplication::notifyInternal2(QObject*, QEvent*) /home/nico/workspace/qt6-dev/qtbase/src/corelib/kernel/qcoreapplication.cpp:1098
    #14 0x7f97903a80a0 in QCoreApplication::sendEvent(QObject*, QEvent*) /home/nico/workspace/qt6-dev/qtbase/src/corelib/kernel/qcoreapplication.cpp:1538
    #15 0x7f97903a972c in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) /home/nico/workspace/qt6-dev/qtbase/src/corelib/kernel/qcoreapplication.cpp:1878
    #16 0x7f97903a9a51 in QCoreApplication::sendPostedEvents(QObject*, int) /home/nico/workspace/qt6-dev/qtbase/src/corelib/kernel/qcoreapplication.cpp:1732
    #17 0x7f9790c1e15f in postEventSourceDispatch /home/nico/workspace/qt6-dev/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:246
    #18 0x7f978fb10ef7 in g_main_dispatch ../glib/gmain.c:3357
    #19 0x7f978fb10ef7 in g_main_context_dispatch_unlocked ../glib/gmain.c:4208

previously allocated by thread T0 here:
    #0 0x7f979e4fd298 in operator new(unsigned long) ../../../../libsanitizer/asan/asan_new_delete.cpp:95
    #1 0x7f975ec7e8e9 in DeclarativeDragArea::startDrag(QImage const&) /home/nico/kde-qtdev/src/kdeclarative/src/qmlcontrols/draganddrop/DeclarativeDragArea.cpp:310
    #2 0x7f975ec7dda3 in operator() /home/nico/kde-qtdev/src/kdeclarative/src/qmlcontrols/draganddrop/DeclarativeDragArea.cpp:260
    #3 0x7f975ec81471 in operator() /home/nico/kde-qtdev/usr/include/QtCore/qobjectdefs_impl.h:116
    #4 0x7f975ec81619 in call_internal<void, QtPrivate::FunctorCall<std::integer_sequence<long unsigned int>, QtPrivate::List<>, void, DeclarativeDragArea::mouseMoveEvent(QMouseEvent*)::<lambda()> >::call(DeclarativeDragArea::mouseMoveEvent(QMouseEvent*)::<lambda()>&, void**)::<lambda()> > /home/nico/kde-qtdev/usr/include/QtCore/qobjectdefs_impl.h:65
    #5 0x7f975ec81577 in call /home/nico/kde-qtdev/usr/include/QtCore/qobjectdefs_impl.h:115
    #6 0x7f975ec81298 in call<QtPrivate::List<>, void> /home/nico/kde-qtdev/usr/include/QtCore/qobjectdefs_impl.h:337
    #7 0x7f975ec81220 in impl /home/nico/kde-qtdev/usr/include/QtCore/qobjectdefs_impl.h:547
    #8 0x7f97904c0a13 in void doActivate<false>(QObject*, int, void**) (/home/nico/kde-qtdev/usr/lib64/libQt6Core.so.6+0x4c0a13) (BuildId: 6e0075c428733fba6b7afa36481746c3de9b15fe)
    #9 0x7f979049f98b in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) /home/nico/workspace/qt6-dev/qtbase/src/corelib/kernel/qobject.cpp:4188
    #10 0x7f9796a530f9 in QQuickItemGrabResult::ready() /home/nico/workspace/qt6-dev/qtdeclarative/src/quick/Quick_autogen/include/moc_qquickitemgrabresult.cpp:167
    #11 0x7f9796a55f62 in QQuickItemGrabResult::event(QEvent*) /home/nico/workspace/qt6-dev/qtdeclarative/src/quick/items/qquickitemgrabresult.cpp:224
    #12 0x7f9798a72c04 in QApplicationPrivate::notify_helper(QObject*, QEvent*) /home/nico/workspace/qt6-dev/qtbase/src/widgets/kernel/qapplication.cpp:3305
    #13 0x7f9798a8eb88 in QApplication::notify(QObject*, QEvent*) /home/nico/workspace/qt6-dev/qtbase/src/widgets/kernel/qapplication.cpp:3255
    #14 0x7f97903a7eaf in QCoreApplication::notifyInternal2(QObject*, QEvent*) /home/nico/workspace/qt6-dev/qtbase/src/corelib/kernel/qcoreapplication.cpp:1098
    #15 0x7f97903a80a0 in QCoreApplication::sendEvent(QObject*, QEvent*) /home/nico/workspace/qt6-dev/qtbase/src/corelib/kernel/qcoreapplication.cpp:1538
    #16 0x7f97903a972c in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) /home/nico/workspace/qt6-dev/qtbase/src/corelib/kernel/qcoreapplication.cpp:1878
    #17 0x7f97903a9a51 in QCoreApplication::sendPostedEvents(QObject*, int) /home/nico/workspace/qt6-dev/qtbase/src/corelib/kernel/qcoreapplication.cpp:1732
    #18 0x7f9790c1e15f in postEventSourceDispatch /home/nico/workspace/qt6-dev/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:246
    #19 0x7f978fb10ef7 in g_main_dispatch ../glib/gmain.c:3357
    #20 0x7f978fb10ef7 in g_main_context_dispatch_unlocked ../glib/gmain.c:4208

SUMMARY: AddressSanitizer: heap-use-after-free /home/nico/workspace/qt6-dev/qtbase/src/corelib/kernel/qmimedata.cpp:496 in QMimeData::hasImage() const

STEPS TO REPRODUCE
1. Add Quick Launch applet
2. Add two launchers
3. Drag around one of the launchers


SOFTWARE/OS VERSIONS
KDE Plasma Version: master
KDE Frameworks Version: master
Qt Version: dev

ADDITIONAL INFORMATION
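The ASan report above has the three stacks a reader works through in order: the READ (the Wayland data_source.send handler passing a QMimeData* into QMimeData::hasImage()), the free (DeclarativeMimeData destroyed through QDrag::~QDrag when the owning QQuickItem's deferred delete ran inside the nested event loop of QDrag::exec()), and the allocation (DeclarativeDragArea::startDrag). The block below is an added C++ example, not KDE or Qt code, that models that ordering with a toy event queue and shows a weak-reference guard that lets the send handler detect the dead owner instead of dereferencing freed memory. The types MimeData, DragSession, EventQueue and dataSourceSend are invented stand-ins; using std::weak_ptr as the guard is an assumption about one possible shape of a fix (the Qt-native equivalent would be a QPointer), not the project's actual fix.

```cpp
// Added example, not KDE/Qt code. Models the lifetime bug in the ASan report:
// the owner of the mime data is destroyed inside the nested drag event loop,
// and a later compositor event reads the mime data through a stale handle.
// All names below are invented stand-ins for the Qt/Wayland types in the trace.
#include <functional>
#include <memory>
#include <optional>
#include <queue>
#include <string>
#include <vector>

// Stand-in for QMimeData: the object the compositor-side callback reads.
struct MimeData {
    std::vector<std::string> formats;
    bool hasImage() const {
        for (const auto &f : formats) {
            if (f == "image/png") return true;
        }
        return false;
    }
};

// Stand-in for QDrag plus its owning QQuickItem: owns the mime data, so
// destroying it frees the mime data (QDrag::~QDrag deletes its QMimeData).
struct DragSession {
    std::shared_ptr<MimeData> mime = std::make_shared<MimeData>();
};

// Minimal event queue standing in for the nested loop QDrag::exec() runs.
using EventQueue = std::queue<std::function<void()>>;

static void drain(EventQueue &q) {
    while (!q.empty()) {
        auto ev = std::move(q.front());
        q.pop();
        ev();
    }
}

// The buggy shape seen in the trace: the send handler receives a raw pointer
// and has no way to know the owner was already destroyed. Dereferencing it
// after the free is exactly the heap-use-after-free ASan reported. Shown for
// contrast only; it is never called with a dangling pointer here.
static bool dataSourceSendUnguarded(const MimeData *mime) {
    return mime->hasImage();
}

// Guarded shape: the handler holds a weak reference and checks it first.
// std::nullopt models "the source is gone, answer nothing to the compositor".
static std::optional<bool> dataSourceSend(const std::weak_ptr<MimeData> &guard) {
    if (auto mime = guard.lock()) {   // owner still alive: safe to read
        return mime->hasImage();
    }
    return std::nullopt;              // owner destroyed mid-drag: skip the read
}

// Replays the ordering from the report:
//  1. startDrag() allocates the mime data and enters a nested event loop
//  2. a DeferredDelete-style event destroys the owning item (and the mime data)
//  3. the compositor's data_source.send event arrives and the handler runs
struct Outcome {
    bool ownerDeletedFirst;
    std::optional<bool> answer;
};

static Outcome replay(bool deleteOwnerBeforeSend) {
    auto session = std::make_unique<DragSession>();
    session->mime->formats = {"text/uri-list"};   // constructed sample payload
    std::weak_ptr<MimeData> guard = session->mime; // what the handler should hold
    EventQueue loop;
    std::optional<bool> answer;
    if (deleteOwnerBeforeSend) {
        // ~QQuickItem -> QObjectPrivate::deleteChildren -> ~QDrag -> ~MimeData
        loop.push([&] { session.reset(); });
    }
    // wl_data_source.send -> data_source_send -> hasImage()
    loop.push([&] { answer = dataSourceSend(guard); });
    drain(loop);
    return {deleteOwnerBeforeSend, answer};
}
```

When the owner outlives the send event, replay(false) returns an answer (false, since the constructed payload has no image format); when the deferred delete runs first, replay(true) returns no answer instead of touching freed memory, which is the behaviour the raw-pointer version in the trace lacks.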
Comment 1 Nicolas Fella 2025-02-07 16:55:26 UTC
This is not a recent issue, see https://crash-reports.kde.org/organizations/kde/issues/45244
Comment 2 TraceyC 2025-02-07 20:21:44 UTC
I'm not able to reproduce this with
KDE Plasma Version: master
KDE Frameworks Version: master
Qt Version: 6.8.2

Looks like a crash in Qt based on the backtrace.
Setting to high priority given the activity in Sentry.
Also, other users reported getting this crash with the same reproduction steps.
Comment 3 Luis 2025-03-04 01:41:24 UTC
In my case this happens when I move the Pager widget from the default panel (which is in the top of the screen) to the panel in the bottom (that only has the icons-only task manager). Disabling the "Fill free space in the panel" feature on the settings for the icons-only task manager lets me move the widget to the bottom panel just fine.