Bug 500044 - Plasma crashed while waking from sleep and middle-clicking the media player applet
Summary: Plasma crashed while waking from sleep and middle-clicking the media player a...
Status: REPORTED
Alias: None
Product: plasmashell
Classification: Plasma
Component: generic-crash
Version: 6.3.0
Platform: Fedora RPMs Linux
Importance: NOR crash
Target Milestone: 1.0
Assignee: Plasma Bugs List
URL:
Keywords: drkonqi
Depends on:
Blocks:
 
Reported: 2025-02-14 07:25 UTC by nyanpasu64
Modified: 2025-02-18 22:46 UTC
CC List: 3 users

See Also:
Latest Commit:
Version Fixed In:
Sentry Crash Report: https://crash-reports.kde.org/organizations/kde/issues/132887/events/86a0c2d99a7041c5b6d346c0e722997f/


Attachments
New crash information added by DrKonqi (152.51 KB, text/plain)
2025-02-14 07:25 UTC, nyanpasu64

Description nyanpasu64 2025-02-14 07:25:26 UTC
Application: plasmashell (6.3.0)

ApplicationNotResponding [ANR]: false
Qt Version: 6.8.2
Frameworks Version: 6.10.0
Operating System: Linux 6.12.11-200.fc41.x86_64 x86_64
Windowing System: Wayland
Distribution: "Fedora Linux 41 (KDE Plasma)"
DrKonqi: 6.3.0 [CoredumpBackend]

-- Information about the crash:
After waking my computer from sleep, I tried middle-clicking the media player applet to play/pause a player (I think KDE Connect linked to an Android phone running Droidsound-E, which doesn't properly report play-pause status?), but plasmashell hung and crashed.

The reporter is unsure if this crash is reproducible.

-- Backtrace (Reduced):
#5  0x00007efec5d336f2 in QQmlData::wasDeleted (priv=0x3ff0000000000000) at /usr/src/debug/qt6-qtdeclarative-6.8.2-1.fc41.x86_64/src/qml/qml/qqmldata_p.h:309
#6  QQmlData::wasDeleted (object=0x560f670aeb60) at /usr/src/debug/qt6-qtdeclarative-6.8.2-1.fc41.x86_64/src/qml/qml/qqmldata_p.h:322
#7  QV4::QObjectWrapper::wrap (engine=0x560f65154730, object=0x560f670aeb60) at /usr/src/debug/qt6-qtdeclarative-6.8.2-1.fc41.x86_64/src/qml/jsruntime/qv4qobjectwrapper_p.h:240
#8  0x00007efec5da9008 in QV4::loadProperty (v4=0x560f65154730, wrapper=<optimized out>, object=0x7efe80dfae50, property=...) at /usr/src/debug/qt6-qtdeclarative-6.8.2-1.fc41.x86_64/src/qml/jsruntime/qv4qobjectwrapper.cpp:126
#9  0x00007efec5dab144 in QV4::QObjectWrapper::virtualResolveLookupGetter (object=0x7efe949be5a8, engine=0x560f65154730, lookup=0x560f663ae720) at /usr/src/debug/qt6-qtdeclarative-6.8.2-1.fc41.x86_64/src/qml/jsruntime/qv4qobjectwrapper.cpp:1135


Reported using DrKonqi
Comment 1 nyanpasu64 2025-02-14 07:25:29 UTC
Created attachment 178341 [details]
New crash information added by DrKonqi

DrKonqi auto-attaching complete backtrace.
Comment 2 cwo 2025-02-14 23:08:36 UTC
The top of the backtrace looks similar to bug 499353 which was marked as a duplicate of bug 477941, but the path it took to get there seems different from all the duplicates of that bug I looked at.

That bug involves switching monitors or activating external displays. Is such a thing involved here or do you have a single-monitor setup?
Comment 3 nyanpasu64 2025-02-15 00:04:58 UTC
I was/am using a multi-monitor setup, but the crash occurred when clicking the taskbar and not while plugging/unplugging a display (I think the second display was already plugged in when I woke the computer from sleep).

I suspect the top of the stack trace is some sort of use-after-free where QV4::loadProperty() is loading a corrupted property/field object, passing a freed? pointer to QV4::QObjectWrapper::wrap. The latter function tries to check if the pointer target is deleted, but QQmlData::wasDeleted(const QObject *) accesses a bad d-pointer overwritten with 0x3ff0000000000000 = (double)1.0, causing QQmlData::wasDeleted(const QObjectPrivate * = 0x3ff0...) to crash.

- loadProperty: https://codebrowser.dev/qt6/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp.html#126
- QObjectWrapper::wrap: https://codebrowser.dev/qt6/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper_p.h.html#_ZN3QV414QObjectWrapper4wrapEPNS_15ExecutionEngineEP7QObject

> The top of the backtrace looks similar to bug 499353 which was marked as a duplicate of bug 477941
As far as I can tell, it's a common mode of failure (use-after-free) but triggered by a different sequence of events. There might be some sort of logic bug involved with transferring ownership between C++ and JS in your Qt Quick-C++ bindings, or a QML engine/code bug?

In my experience it's effectively impossible to debug UAF crashes in mixed QML-C++ code (because it's hard to trace the sites of allocation, deallocation, and usage across language/interpreter boundaries to program logic, and Qt Quick apps have poor compatibility with valgrind/asan/rr), but perhaps other people with more insider knowledge of QV4 or KDE's bindings will have a better idea.

- Annoyingly a gdb stack trace does not say *which* QML code is triggering an interpreter crash, and trying to print the object involved hangs gdb for minutes and sends my machine into OOM because of a longstanding GDB bug(?), possibly caused by LTO (https://sourceware.org/bugzilla/show_bug.cgi?id=23710)? I tried debugging gdb with a second GDB, which says the target is parsing DWARF symbols.
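Crash-triage helper for the observation in Comment 3 (the priv argument 0x3ff0000000000000 decoding to 1.0), as an added example that is not part of the bug report or of Qt's own code. The user-space pointer range and the "plausible double" magnitude window are assumed heuristics, and the check generalises to any faulting word copied out of a backtrace.

```c
/* Added example (not from the bug report or Qt): decode a faulting "pointer"
 * as an IEEE-754 double, as Comment 3 does for priv=0x3ff0000000000000 == 1.0.
 * A d-pointer that decodes to a small exact double suggests a stale or reused
 * slot (use-after-free / type confusion) rather than a random wild address. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reinterpret the raw 64-bit word as a double without breaking aliasing rules. */
static double word_as_double(uint64_t word)
{
    double d;
    memcpy(&d, &word, sizeof d);
    return d;
}

/* Assumed heuristic: canonical x86-64 user-space pointers sit below 0x0000800000000000. */
static int looks_like_user_pointer(uint64_t word)
{
    return word != 0 && word < 0x0000800000000000ULL;
}

/* Assumed heuristic: finite double (exponent field not all ones) whose magnitude
 * lies in a range a program would plausibly store, here 1e-6 .. 1e9. */
static int looks_like_plausible_double(uint64_t word)
{
    if (((word >> 52) & 0x7ff) == 0x7ff)   /* Inf or NaN: not a value anyone stored */
        return 0;
    double m = word_as_double(word);
    if (m < 0) m = -m;
    return m >= 1e-6 && m <= 1e9;
}

/* Triage verdict for one faulting address; returns a static string. */
static const char *classify_fault_address(uint64_t word)
{
    if (looks_like_user_pointer(word))
        return "plausible pointer";
    if (looks_like_plausible_double(word))
        return "looks like a double (stale or reused slot?)";
    return "garbage";
}

int main(void)
{
    /* Constructed inputs: priv from frame #5, object from frame #6, and an all-ones word. */
    uint64_t samples[] = { 0x3ff0000000000000ULL, 0x560f670aeb60ULL, 0xffffffffffffffffULL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("0x%016llx -> %s (as double: %g)\n", (unsigned long long)samples[i],
               classify_fault_address(samples[i]), word_as_double(samples[i]));
    return 0;
}
```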
Comment 4 TraceyC 2025-02-18 22:46:47 UTC
Backtrace for searchability

Thread 1 (Thread 0x7efebe390240 (LWP 1780)):
[KCrash Handler]
#5  0x00007efec5d336f2 in QQmlData::wasDeleted (priv=0x3ff0000000000000) at /usr/src/debug/qt6-qtdeclarative-6.8.2-1.fc41.x86_64/src/qml/qml/qqmldata_p.h:309
#6  QQmlData::wasDeleted (object=0x560f670aeb60) at /usr/src/debug/qt6-qtdeclarative-6.8.2-1.fc41.x86_64/src/qml/qml/qqmldata_p.h:322
#7  QV4::QObjectWrapper::wrap (engine=0x560f65154730, object=0x560f670aeb60) at /usr/src/debug/qt6-qtdeclarative-6.8.2-1.fc41.x86_64/src/qml/jsruntime/qv4qobjectwrapper_p.h:240
#8  0x00007efec5da9008 in QV4::loadProperty (v4=0x560f65154730, wrapper=<optimized out>, object=0x7efe80dfae50, property=...) at /usr/src/debug/qt6-qtdeclarative-6.8.2-1.fc41.x86_64/src/qml/jsruntime/qv4qobjectwrapper.cpp:126
#9  0x00007efec5dab144 in QV4::QObjectWrapper::virtualResolveLookupGetter (object=0x7efe949be5a8, engine=0x560f65154730, lookup=0x560f663ae720) at /usr/src/debug/qt6-qtdeclarative-6.8.2-1.fc41.x86_64/src/qml/jsruntime/qv4qobjectwrapper.cpp:1135
#10 0x00007efec5e22c17 in QV4::Moth::VME::interpret (frame=0x560f65154730, frame@entry=0x7fffd8a13430, engine=0x560f65154730, code=0x7efe43fe23c0 "=\207") at /usr/src/debug/qt6-qtdeclarative-6.8.2-1.fc41.x86_64/src/qml/jsruntime/qv4vme_moth.cpp:674
#11 0x00007efec5e2709f in QV4::Moth::VME::exec (frame=frame@entry=0x7fffd8a13430, engine=engine@entry=0x560f65154730) at /usr/src/debug/qt6-qtdeclarative-6.8.2-1.fc41.x86_64/src/qml/jsruntime/qv4vme_moth.cpp:487
#12 0x00007efec5d5161f in qfoDoCall (fo=<optimized out>, thisObject=<optimized out>, argv=<optimized out>, argc=<optimized out>) at /usr/src/debug/qt6-qtdeclarative-6.8.2-1.fc41.x86_64/src/qml/jsruntime/qv4functionobject.cpp:527
#13 0x00007efec5e21af8 in QV4::FunctionObject::call (this=<optimized out>, thisObject=<optimized out>, argv=<optimized out>, argc=<optimized out>) at /usr/src/debug/qt6-qtdeclarative-6.8.2-1.fc41.x86_64/src/qml/jsruntime/qv4functionobject_p.h:187
#14 QV4::Moth::VME::interpret (frame=0x560f65154730, frame@entry=0x7fffd8a13710, engine=0x560f65154730, code=0x7efe949be550 "\200\204x\224\376~") at /usr/src/debug/qt6-qtdeclarative-6.8.2-1.fc41.x86_64/src/qml/jsruntime/qv4vme_moth.cpp:798
#15 0x00007efec5e2709f in QV4::Moth::VME::exec (frame=frame@entry=0x7fffd8a13710, engine=engine@entry=0x560f65154730) at /usr/src/debug/qt6-qtdeclarative-6.8.2-1.fc41.x86_64/src/qml/jsruntime/qv4vme_moth.cpp:487
#16 0x00007efec5d4c444 in QV4::doCall (self=<optimized out>, thisObject=<optimized out>, argv=<optimized out>, argc=<optimized out>, context=<optimized out>) at /usr/src/debug/qt6-qtdeclarative-6.8.2-1.fc41.x86_64/src/qml/jsruntime/qv4function.cpp:52
#17 0x00007efec5d4cc48 in QV4::Function::call (this=this@entry=0x560f674ad5b0, thisObject=<optimized out>, argv=argv@entry=0x7efe949be4f8, argc=<optimized out>, context=<optimized out>) at /usr/src/debug/qt6-qtdeclarative-6.8.2-1.fc41.x86_64/src/qml/jsruntime/qv4function.cpp:77
#18 0x00007efec5d4cf8f in operator() (__closure=<synthetic pointer>, thisObject=<optimized out>, argv=0x7efe949be4f8, argc=<optimized out>) at /usr/src/debug/qt6-qtdeclarative-6.8.2-1.fc41.x86_64/src/qml/jsruntime/qv4function.cpp:28
#19 QV4::convertAndCall<QV4::Function::call(QObject*, void**, const QMetaType*, int, QV4::ExecutionContext*)::<lambda(const QV4::Value*, const QV4::Value*, int)> > (engine=<optimized out>, thisObject=<optimized out>, a=0x7fffd8a154d0, types=0x7fffd8a13a28, argc=<optimized out>, call=...) at /usr/src/debug/qt6-qtdeclarative-6.8.2-1.fc41.x86_64/src/qml/jsruntime/qv4jscall_p.h:199
#20 QV4::Function::call (this=0x560f674ad5b0, thisObject=<optimized out>, a=a@entry=0x7fffd8a154d0, types=0x7fffd8a13a28, argc=<optimized out>, context=<optimized out>) at /usr/src/debug/qt6-qtdeclarative-6.8.2-1.fc41.x86_64/src/qml/jsruntime/qv4function.cpp:25
#21 0x00007efec5ed96e7 in QQmlJavaScriptExpression::evaluate (this=this@entry=0x560f6749a400, a=a@entry=0x7fffd8a154d0, types=<optimized out>, argc=<optimized out>) at /usr/src/debug/qt6-qtdeclarative-6.8.2-1.fc41.x86_64/src/qml/qml/qqmljavascriptexpression_p.h:248
#22 0x00007efec5e6f51b in QQmlBoundSignalExpression::evaluate (this=0x560f6749a400, a=a@entry=0x7fffd8a154d0) at /usr/include/qt6/QtCore/qvarlengtharray.h:86
#23 0x00007efec5e700d0 in QQmlBoundSignal_callback (e=0x560f674af120, a=0x7fffd8a154d0) at /usr/src/debug/qt6-qtdeclarative-6.8.2-1.fc41.x86_64/src/qml/qml/ftw/qqmlrefcount_p.h:73
#24 0x00007efec5f0a195 in QQmlNotifier::emitNotify (endpoint=<optimized out>, a=0x7fffd8a154d0) at /usr/src/debug/qt6-qtdeclarative-6.8.2-1.fc41.x86_64/src/qml/qml/qqmlnotifier.cpp:70
#25 0x00007efec4b59c2d in doActivate<false> (sender=0x560f674aebf0, signal_index=49, argv=0x7fffd8a154d0) at /usr/src/debug/qt6-qtbase-6.8.2-2.fc41.x86_64/src/corelib/kernel/qobject.cpp:4005
#26 0x00007efec4b50867 in QMetaObject::activate (sender=sender@entry=0x560f674aebf0, m=m@entry=0x7efec6b52080 <QQuickMouseArea::staticMetaObject>, local_signal_index=local_signal_index@entry=16, argv=argv@entry=0x7fffd8a154d0) at /usr/src/debug/qt6-qtbase-6.8.2-2.fc41.x86_64/src/corelib/kernel/qobject.cpp:4175
#27 0x00007efec64cfc44 in QQuickMouseArea::clicked (this=this@entry=0x560f674aebf0, _t1=<optimized out>, _t1@entry=0x560f674cd448) at /usr/src/debug/qt6-qtdeclarative-6.8.2-1.fc41.x86_64/redhat-linux-build/src/quick/Quick_autogen/include/moc_qquickmousearea_p.cpp:700
#28 0x00007efec64d1804 in QQuickMouseArea::setPressed (this=this@entry=0x560f674aebf0, button=<optimized out>, p=p@entry=false, source=<optimized out>) at /usr/src/debug/qt6-qtdeclarative-6.8.2-1.fc41.x86_64/src/quick/items/qquickmousearea.cpp:1284
#29 0x00007efec64d29df in QQuickMouseArea::mouseReleaseEvent (this=0x560f674aebf0, event=0x7fffd8a16240) at /usr/include/qt6/QtGui/qevent.h:116
#30 0x00007efec64b36ff in QQuickItemPrivate::deliverPointerEvent (this=this@entry=0x560f674cd250, event=event@entry=0x7fffd8a16240) at /usr/src/debug/qt6-qtdeclarative-6.8.2-1.fc41.x86_64/src/quick/items/qquickitem.cpp:5643
#31 0x00007efec64b388b in QQuickItem::event (this=0x560f674aebf0, ev=0x7fffd8a16240) at /usr/src/debug/qt6-qtdeclarative-6.8.2-1.fc41.x86_64/src/quick/items/qquickitem.cpp:9076
#32 0x00007efec6e3d9b8 in QApplicationPrivate::notify_helper (this=<optimized out>, receiver=0x560f674aebf0, e=0x7fffd8a16240) at /usr/src/debug/qt6-qtbase-6.8.2-2.fc41.x86_64/src/widgets/kernel/qapplication.cpp:3296
#33 0x00007efec4af3590 in QCoreApplication::notifyInternal2 (receiver=0x560f674aebf0, event=0x7fffd8a16240) at /usr/src/debug/qt6-qtbase-6.8.2-2.fc41.x86_64/src/corelib/kernel/qcoreapplication.cpp:1172
#34 0x00007efec4af37ed in QCoreApplication::sendEvent (receiver=<optimized out>, event=<optimized out>) at /usr/src/debug/qt6-qtbase-6.8.2-2.fc41.x86_64/src/corelib/kernel/qcoreapplication.cpp:1612
#35 0x00007efec6691ac8 in QQuickDeliveryAgentPrivate::deliverMatchingPointsToItem (this=this@entry=0x560f65db65b0, item=item@entry=0x560f674aebf0, isGrabber=isGrabber@entry=true, pointerEvent=pointerEvent@entry=0x7fffd8a16240, handlersOnly=handlersOnly@entry=false) at /usr/src/debug/qt6-qtdeclarative-6.8.2-1.fc41.x86_64/src/quick/util/qquickdeliveryagent.cpp:2408
#36 0x00007efec6692c1a in QQuickDeliveryAgentPrivate::deliverUpdatedPoints (this=this@entry=0x560f65db65b0, event=event@entry=0x7fffd8a16240) at /usr/src/debug/qt6-qtdeclarative-6.8.2-1.fc41.x86_64/src/quick/util/qquickdeliveryagent.cpp:2186
#37 0x00007efec6693d83 in QQuickDeliveryAgentPrivate::deliverPointerEvent (this=this@entry=0x560f65db65b0, event=event@entry=0x7fffd8a16240) at /usr/src/debug/qt6-qtdeclarative-6.8.2-1.fc41.x86_64/src/quick/util/qquickdeliveryagent.cpp:2026
#38 0x00007efec66950d3 in QQuickDeliveryAgentPrivate::handleMouseEvent (this=this@entry=0x560f65db65b0, event=event@entry=0x7fffd8a16240) at /usr/src/debug/qt6-qtdeclarative-6.8.2-1.fc41.x86_64/src/quick/util/qquickdeliveryagent.cpp:1783
#39 0x00007efec6696dab in QQuickDeliveryAgent::event (this=<optimized out>, ev=0x7fffd8a16240) at /usr/src/debug/qt6-qtdeclarative-6.8.2-1.fc41.x86_64/src/quick/util/qquickdeliveryagent.cpp:823
#40 0x00007efec6565ab9 in QQuickWindow::event (this=this@entry=0x560f64f6de10, event=event@entry=0x7fffd8a16240) at /usr/src/debug/qt6-qtdeclarative-6.8.2-1.fc41.x86_64/src/quick/items/qquickwindow.cpp:1552
#41 0x0000560f474486eb in PanelView::event (this=0x560f64f6de10, e=0x7fffd8a16240) at /usr/src/debug/plasma-workspace-6.3.0-1.fc41.x86_64/shell/panelview.cpp:1331
#42 0x00007efec6e3d9b8 in QApplicationPrivate::notify_helper (this=<optimized out>, receiver=0x560f64f6de10, e=0x7fffd8a16240) at /usr/src/debug/qt6-qtbase-6.8.2-2.fc41.x86_64/src/widgets/kernel/qapplication.cpp:3296
#43 0x00007efec4af3590 in QCoreApplication::notifyInternal2 (receiver=0x560f64f6de10, event=0x7fffd8a16240) at /usr/src/debug/qt6-qtbase-6.8.2-2.fc41.x86_64/src/corelib/kernel/qcoreapplication.cpp:1172
#44 0x00007efec4af37fd in QCoreApplication::sendSpontaneousEvent (receiver=<optimized out>, event=<optimized out>) at /usr/src/debug/qt6-qtbase-6.8.2-2.fc41.x86_64/src/corelib/kernel/qcoreapplication.cpp:1626
#45 0x00007efec52eaca9 in QGuiApplicationPrivate::processMouseEvent (e=0x560f66c42250) at /usr/src/debug/qt6-qtbase-6.8.2-2.fc41.x86_64/src/gui/kernel/qguiapplication.cpp:2461
#46 0x00007efec535311c in QWindowSystemInterface::sendWindowSystemEvents (flags=...) at /usr/src/debug/qt6-qtbase-6.8.2-2.fc41.x86_64/src/gui/kernel/qwindowsysteminterface.cpp:1113
#47 0x00007efec58ca814 in userEventSourceDispatch (source=<optimized out>) at /usr/src/debug/qt6-qtbase-6.8.2-2.fc41.x86_64/src/gui/platform/unix/qeventdispatcher_glib.cpp:38
#48 0x00007efec34c128c in g_main_dispatch (context=0x7efea8000f00) at ../glib/gmain.c:3357
#49 g_main_context_dispatch_unlocked (context=0x7efea8000f00) at ../glib/gmain.c:4208
#50 0x00007efec35217b8 in g_main_context_iterate_unlocked.isra.0 (context=context@entry=0x7efea8000f00, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:4273
#51 0x00007efec34c2783 in g_main_context_iteration (context=0x7efea8000f00, may_block=1) at ../glib/gmain.c:4338
#52 0x00007efec4def2b3 in QEventDispatcherGlib::processEvents (this=0x560f649fa470, flags=...) at /usr/src/debug/qt6-qtbase-6.8.2-2.fc41.x86_64/src/corelib/kernel/qeventdispatcher_glib.cpp:399
#53 0x00007efec4b00993 in QEventLoop::exec (this=this@entry=0x7fffd8a16670, flags=..., flags@entry=...) at /usr/src/debug/qt6-qtbase-6.8.2-2.fc41.x86_64/src/corelib/global/qflags.h:34
#54 0x00007efec4afbf6e in QCoreApplication::exec () at /usr/src/debug/qt6-qtbase-6.8.2-2.fc41.x86_64/src/corelib/global/qflags.h:74
#55 0x00007efec52d7cfd in QGuiApplication::exec () at /usr/src/debug/qt6-qtbase-6.8.2-2.fc41.x86_64/src/gui/kernel/qguiapplication.cpp:1975
#56 0x00007efec6e3d929 in QApplication::exec () at /usr/src/debug/qt6-qtbase-6.8.2-2.fc41.x86_64/src/widgets/kernel/qapplication.cpp:2564
#57 0x0000560f474312c1 in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/plasma-workspace-6.3.0-1.fc41.x86_64/shell/main.cpp:191