Bug 503464 - Krita crashes randomly when drawing, stack trace shows it's during tablet event handling (qt6+wayland)
Status: RESOLVED LATER
Alias: None
Product: krita
Classification: Applications
Component: * Unknown (other bugs)
Version First Reported In: git master (please specify the git hash!)
Platform: NixOS Linux
Importance: NOR crash
Target Milestone: ---
Assignee: Krita Bugs
Reported: 2025-04-28 07:38 UTC by Ming Chuan
Modified: 2025-06-19 09:05 UTC

Description Ming Chuan 2025-04-28 07:38:09 UTC
SUMMARY

The crash happened when I'm trying out qt6+wayland. However, I have also experienced crashes on qt5 + X11 setup, so it could actually be unrelated to qt6/wayland.

STEPS TO REPRODUCE
1. Open krita
2. Use the tablet to draw for a while (~30 minutes)
3. Krita crashes (Program terminated with signal SIGSEGV, Segmentation fault)

OBSERVED RESULT


EXPECTED RESULT


SOFTWARE/OS VERSIONS
Qt Version: 6.9.0
Krita version: e970ad017f26c085c7e70e46cbe322c14baf8c20 (master branch at Apr. 28, 2025)

ADDITIONAL INFORMATION

stack trace:
```
#0  std::__lower_bound<int const*, int, __gnu_cxx::__ops::_Iter_comp_val<std::less<int> > > (__first=<optimized out>, __last=0x27fffbb3dc2a0, __val=<optimized out>, __comp=...) at /nix/store/qs54xir5n4vhhbi22aydbkvyyq4v8p0l-gcc-14.2.1.20250322/include/c++/14.2.1.20250322/bits/stl_function.h:404
#1  std::lower_bound<int const*, int, std::less<int> > (__first=0x7ffff23f8d60 <main_arena+672>, __last=0x27fffbb3dc2a0, __val=<optimized out>, __comp=...) at /nix/store/qs54xir5n4vhhbi22aydbkvyyq4v8p0l-gcc-14.2.1.20250322/include/c++/14.2.1.20250322/bits/stl_algo.h:1973
#2  QFlatMap<int, QPointingDevicePrivate::EventPointData, std::less<int>, QVarLengthArray<int, 20ll>, QVarLengthArray<QPointingDevicePrivate::EventPointData, 20ll> >::lower_bound (key=<optimized out>, this=<optimized out>) at /build/qtbase-everywhere-src-6.9.0/src/corelib/tools/qflatmap_p.h:807
#3  QFlatMap<int, QPointingDevicePrivate::EventPointData, std::less<int>, QVarLengthArray<int, 20ll>, QVarLengthArray<QPointingDevicePrivate::EventPointData, 20ll> >::lower_bound (this=<optimized out>, key=<optimized out>) at /build/qtbase-everywhere-src-6.9.0/src/corelib/tools/qflatmap_p.h:794
#4  QFlatMap<int, QPointingDevicePrivate::EventPointData, std::less<int>, QVarLengthArray<int, 20ll>, QVarLengthArray<QPointingDevicePrivate::EventPointData, 20ll> >::try_emplace<>(int const&) (this=<optimized out>, key=<optimized out>) at /build/qtbase-everywhere-src-6.9.0/src/corelib/tools/qflatmap_p.h:702
#5  QPointingDevicePrivate::pointById (this=0x7ffff23f8c70 <main_arena+432>, id=id@entry=0) at /build/qtbase-everywhere-src-6.9.0/src/gui/kernel/qpointingdevice.cpp:440
#6  0x00007ffff33e804b in QSinglePointEvent::QSinglePointEvent (this=0x7ffffffdb7c0, type=QEvent::TabletLeaveProximity, dev=<optimized out>, localPos=..., scenePos=..., globalPos=..., button=Qt::NoButton, buttons=..., modifiers=..., source=Qt::MouseEventNotSynthesized) at /build/qtbase-everywhere-src-6.9.0/src/gui/kernel/qevent.cpp:529
#7  0x00007ffff33e8a0b in QTabletEvent::QTabletEvent (this=this@entry=0x7ffffffdb7c0, type=type@entry=QEvent::TabletLeaveProximity, dev=dev@entry=0xe6be5a0, pos=..., globalPos=..., pressure=pressure@entry=0, xTilt=xTilt@entry=0, yTilt=yTilt@entry=0, tangentialPressure=tangentialPressure@entry=0, rotation=rotation@entry=0, z=z@entry=0, keyState=..., button=Qt::NoButton, buttons=...) at /build/qtbase-everywhere-src-6.9.0/src/gui/kernel/qevent.cpp:2560
#8  0x00007ffff33fd211 in QGuiApplicationPrivate::processTabletLeaveProximityEvent (e=0xe762b10) at /build/qtbase-everywhere-src-6.9.0/src/gui/kernel/qguiapplication.cpp:3052
#9  0x00007ffff346ce64 in QWindowSystemInterface::sendWindowSystemEvents (flags=flags@entry=...) at /build/qtbase-everywhere-src-6.9.0/src/gui/kernel/qwindowsysteminterface.cpp:1113
#10 0x00007ffff346d08f in QWindowSystemInterface::flushWindowSystemEvents (flags=...) at /build/qtbase-everywhere-src-6.9.0/src/gui/kernel/qwindowsysteminterface.cpp:1082
#11 0x00007ffff2c1ca5e in doActivate<false> (sender=0x144dd60, signal_index=4, argv=0x7ffffffdb988) at /build/qtbase-everywhere-src-6.9.0/src/corelib/kernel/qobject.cpp:4150
#12 0x00007ffff2c128e7 in QMetaObject::activate (sender=sender@entry=0x144dd60, m=m@entry=0x7ffff30b0fa0 <QAbstractEventDispatcher::staticMetaObject>, local_signal_index=local_signal_index@entry=1, argv=argv@entry=0x0) at /build/qtbase-everywhere-src-6.9.0/src/corelib/kernel/qobject.cpp:4198
#13 0x00007ffff2bab647 in QAbstractEventDispatcher::awake (this=this@entry=0x144dd60) at /build/qtbase-everywhere-src-6.9.0/build/src/corelib/Core_autogen/include/moc_qabstracteventdispatcher.cpp:128
#14 0x00007ffff2ec39db in QEventDispatcherGlib::processEvents (this=0x144dd60, flags=...) at /build/qtbase-everywhere-src-6.9.0/src/corelib/kernel/qeventdispatcher_glib.cpp:406
#15 0x00007ffff2bc0beb in QEventLoop::exec (this=this@entry=0x7ffffffdbad0, flags=..., flags@entry=...) at /build/qtbase-everywhere-src-6.9.0/src/corelib/global/qflags.h:77
#16 0x00007ffff2bbc02e in QCoreApplication::exec () at /build/qtbase-everywhere-src-6.9.0/src/corelib/global/qflags.h:77
#17 0x000000000040a088 in main ()
```
Comment 1 Ming Chuan 2025-04-28 07:46:01 UTC
FWIW I also have patched [Fix cursor shapes from multiple windows after restoreOverrideCursor() (637622) · Gerrit Code Review](https://codereview.qt-project.org/c/qt/qtwayland/+/637622). I believe it has nothing to do with this crash though.
Comment 2 Halla Rempt 2025-04-28 10:43:38 UTC
Interesting... All that code happens inside Qt, before even Krita code is involved...
Comment 3 Joshua Goins 2025-04-28 13:43:03 UTC
What environment are you testing it on? And does the same stacktrace happen on Qt5 + X11 or is it different?
Comment 4 Ming Chuan 2025-04-28 17:04:09 UTC
> What environment are you testing it on? And does the same stacktrace happen on Qt5 + X11 or is it different?

Software: Linux, NixOS, Hyprland (which implements https://wayland.app/protocols/tablet-v2)

Hardware-wise there are 2 mouse input devices (which are idling when the crash happens) and a Wacom PTH-660 tablet, with the touch feature disabled.

> And does the same stacktrace happen on Qt5 + X11 or is it different?

Unfortunately I have no idea. Recently I tried to repro but it's just not happening. Looking at the stacktrace I don't feel there is anything specific to qt6 or wayland, not sure if you folks feel the same way.
Comment 5 Ming Chuan 2025-05-07 08:04:07 UTC
I thought maybe the qt6+wayland configuration was the recipe for reproducing the crash, as it happened under an hour after I tried it, but it ended up not crashing anymore for me. Maybe it's not more likely to crash than other configurations. I'll report back in this ticket if I get another crash with the same/similar stack trace.
Comment 6 Halla Rempt 2025-05-07 08:32:22 UTC
Okay, then let's mark this report as Later.
Comment 7 Ming Chuan 2025-05-27 05:44:33 UTC
I got another segfault crash related to tablet event processing, this time stack trace is more straightforward (crash at https://codebrowser.dev/qt6/qtbase/src/gui/kernel/qpointingdevice.cpp.html#279)

```
#0  0x00007ffff3447808 in QPointingDevice::uniqueId (this=this@entry=0x1ec49350) at /build/qtbase-everywhere-src-6.9.0/src/gui/kernel/qpointingdevice.cpp:279
#1  0x00007ffff34011e9 in QGuiApplicationPrivate::processTabletEvent (e=0xef7ea30) at /build/qtbase-everywhere-src-6.9.0/src/gui/kernel/qguiapplication.cpp:2939
#2  0x00007ffff346ce64 in QWindowSystemInterface::sendWindowSystemEvents (flags=flags@entry=...) at /build/qtbase-everywhere-src-6.9.0/src/gui/kernel/qwindowsysteminterface.cpp:1113
#3  0x00007ffff346d08f in QWindowSystemInterface::flushWindowSystemEvents (flags=...) at /build/qtbase-everywhere-src-6.9.0/src/gui/kernel/qwindowsysteminterface.cpp:1082
#4  0x00007ffff2c1ca5e in doActivate<false> (sender=0xe3add0, signal_index=4, argv=0x7ffffffdc538) at /build/qtbase-everywhere-src-6.9.0/src/corelib/kernel/qobject.cpp:4150
#5  0x00007ffff2c128e7 in QMetaObject::activate (sender=sender@entry=0xe3add0, m=m@entry=0x7ffff30b0fa0 <QAbstractEventDispatcher::staticMetaObject>, local_signal_index=local_signal_index@entry=1, argv=argv@entry=0x0) at /build/qtbase-everywhere-src-6.9.0/src/corelib/kernel/qobject.cpp:4198
#6  0x00007ffff2bab647 in QAbstractEventDispatcher::awake (this=this@entry=0xe3add0) at /build/qtbase-everywhere-src-6.9.0/build/src/corelib/Core_autogen/include/moc_qabstracteventdispatcher.cpp:128
#7  0x00007ffff2ec39db in QEventDispatcherGlib::processEvents (this=0xe3add0, flags=...) at /build/qtbase-everywhere-src-6.9.0/src/corelib/kernel/qeventdispatcher_glib.cpp:406
#8  0x00007ffff2bc0beb in QEventLoop::exec (this=this@entry=0x7ffffffdc680, flags=..., flags@entry=...) at /build/qtbase-everywhere-src-6.9.0/src/corelib/global/qflags.h:77
#9  0x00007ffff2bbc02e in QCoreApplication::exec () at /build/qtbase-everywhere-src-6.9.0/src/corelib/global/qflags.h:77
#10 0x000000000040a088 in main ()
```

gdb says the value of `d` is `0x114`
```
(gdb) print d
$7 = (const QPointingDevicePrivate * const) 0x114
```

so this likely is some kind of use-after-free bug of `QPointingDevice` or some related class?
Comment 8 Ming Chuan 2025-05-30 15:37:28 UTC
(In reply to Ming Chuan from comment #7)
> I got another segfault crash related to tablet event processing, this time
> stack trace is more straightforward (crash at
> https://codebrowser.dev/qt6/qtbase/src/gui/kernel/qpointingdevice.cpp.
> html#279)
> 
> ```
> #0  0x00007ffff3447808 in QPointingDevice::uniqueId
> (this=this@entry=0x1ec49350) at
> /build/qtbase-everywhere-src-6.9.0/src/gui/kernel/qpointingdevice.cpp:279
> #1  0x00007ffff34011e9 in QGuiApplicationPrivate::processTabletEvent
> (e=0xef7ea30) at
> /build/qtbase-everywhere-src-6.9.0/src/gui/kernel/qguiapplication.cpp:2939
> #2  0x00007ffff346ce64 in QWindowSystemInterface::sendWindowSystemEvents
> (flags=flags@entry=...) at
> /build/qtbase-everywhere-src-6.9.0/src/gui/kernel/qwindowsysteminterface.cpp:
> 1113
> #3  0x00007ffff346d08f in QWindowSystemInterface::flushWindowSystemEvents
> (flags=...) at
> /build/qtbase-everywhere-src-6.9.0/src/gui/kernel/qwindowsysteminterface.cpp:
> 1082
> #4  0x00007ffff2c1ca5e in doActivate<false> (sender=0xe3add0,
> signal_index=4, argv=0x7ffffffdc538) at
> /build/qtbase-everywhere-src-6.9.0/src/corelib/kernel/qobject.cpp:4150
> #5  0x00007ffff2c128e7 in QMetaObject::activate
> (sender=sender@entry=0xe3add0, m=m@entry=0x7ffff30b0fa0
> <QAbstractEventDispatcher::staticMetaObject>,
> local_signal_index=local_signal_index@entry=1, argv=argv@entry=0x0) at
> /build/qtbase-everywhere-src-6.9.0/src/corelib/kernel/qobject.cpp:4198
> #6  0x00007ffff2bab647 in QAbstractEventDispatcher::awake
> (this=this@entry=0xe3add0) at
> /build/qtbase-everywhere-src-6.9.0/build/src/corelib/Core_autogen/include/
> moc_qabstracteventdispatcher.cpp:128
> #7  0x00007ffff2ec39db in QEventDispatcherGlib::processEvents
> (this=0xe3add0, flags=...) at
> /build/qtbase-everywhere-src-6.9.0/src/corelib/kernel/qeventdispatcher_glib.
> cpp:406
> #8  0x00007ffff2bc0beb in QEventLoop::exec (this=this@entry=0x7ffffffdc680,
> flags=..., flags@entry=...) at
> /build/qtbase-everywhere-src-6.9.0/src/corelib/global/qflags.h:77
> #9  0x00007ffff2bbc02e in QCoreApplication::exec () at
> /build/qtbase-everywhere-src-6.9.0/src/corelib/global/qflags.h:77
> #10 0x000000000040a088 in main ()
> ```
> 
> gdb says the value of `d` is `0x114`
> ```
> (gdb) print d
> $7 = (const QPointingDevicePrivate * const) 0x114
> ```
> 
> so this likely is some kind of use-after-free bug of `QPointingDevice` or
> some related class?

Got this crash 3 times; 2 out of 3 times the value of `d` was `0x114`, the other time it was null:

```
(gdb) print d
$1 = (const QPointingDevicePrivate * const) 0x0
```
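As an added illustration of the hypothesis in comments 7 and 8 (a device object destroyed while events that still refer to it sit in the queue, so that `d` is read from freed or reused memory), here is a constructed C++ model. It is not Qt's or Krita's code, and every name in it (Device, DevicePrivate, RawEvent, SafeEvent, flushRaw, flushSafe, staleDeviceScenario) is an assumption. It contrasts a queue that stores a raw device pointer with one that stores a weak reference checked at dispatch time.

```cpp
#include <cstdint>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Constructed d-pointer class in the style of QPointingDevice: the public
// object owns a private struct reached through `d`, and accessors such as
// uniqueId() dereference `d` unconditionally. All names are assumptions.
struct DevicePrivate {
    std::int64_t uniqueId;
    std::string name;
};

class Device {
public:
    Device(std::int64_t id, std::string name)
        : d(std::make_unique<DevicePrivate>(DevicePrivate{id, std::move(name)})) {}
    std::int64_t uniqueId() const { return d->uniqueId; }
private:
    std::unique_ptr<DevicePrivate> d;
};

enum class EventType { TabletMove, TabletLeaveProximity, MouseMove };

// Hazard: the queued event stores a raw pointer. Nothing ties the event's
// lifetime to the device's, so if the device is deleted before the queue is
// flushed, flushRaw() dereferences freed memory (the suspected ordering).
struct RawEvent {
    Device* dev;
    EventType type;
};

std::vector<std::int64_t> flushRaw(const std::vector<RawEvent>& queue) {
    std::vector<std::int64_t> ids;
    for (const auto& ev : queue)
        ids.push_back(ev.dev->uniqueId());   // dangling if dev was destroyed
    return ids;
}

// flushRaw is only sound while the device outlives the queue, as here.
std::int64_t liveDeviceRawFlush() {
    Device pen(0x99, "pen");
    std::vector<RawEvent> queue{{&pen, EventType::TabletMove}};
    return flushRaw(queue).at(0);
}

// Hardened: the event holds a weak reference. Dispatch promotes it to a strong
// reference for the duration of delivery and drops the event if the device is gone.
struct SafeEvent {
    std::weak_ptr<Device> dev;
    EventType type;
};

struct FlushResult {
    std::vector<std::int64_t> deliveredIds;
    int dropped = 0;
};

FlushResult flushSafe(const std::vector<SafeEvent>& queue) {
    FlushResult r;
    for (const auto& ev : queue) {
        if (auto dev = ev.dev.lock()) {      // device still alive: deliver
            r.deliveredIds.push_back(dev->uniqueId());
        } else {                             // device gone: drop, never touch it
            ++r.dropped;
        }
    }
    return r;
}

// Constructed scenario: two tablet events and one mouse event are queued, the
// tablet object is destroyed while they are still pending, then the queue is
// flushed. The tablet events are dropped; the mouse event is delivered.
FlushResult staleDeviceScenario() {
    auto tablet = std::make_shared<Device>(0x1234, "tablet");
    auto mouse  = std::make_shared<Device>(0x42, "mouse");
    std::vector<SafeEvent> queue;
    queue.push_back({tablet, EventType::TabletMove});
    queue.push_back({tablet, EventType::TabletLeaveProximity});
    queue.push_back({mouse, EventType::MouseMove});
    tablet.reset();   // last strong reference dropped: Device and its d-pointer freed
    return flushSafe(queue);
}

int main() {
    FlushResult r = staleDeviceScenario();
    bool ok = r.dropped == 2 && r.deliveredIds.size() == 1 && r.deliveredIds[0] == 0x42;
    return ok ? 0 : 1;
}
```

In the raw-pointer variant, a small garbage value or a null in `d`, as in the gdb output above, is what you would see once the freed block has been reused or zeroed; the crash then surfaces at whatever accessor first dereferences `d`. Building the affected library with `-fsanitize=address` reports the heap-use-after-free at the point of access together with the stack that freed the object, which is far more useful than a SIGSEGV inside `QPointingDevice::uniqueId`.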
Comment 9 Ming Chuan 2025-05-30 17:48:12 UTC
Got another crash similar to the stack trace in comment #0, the only difference being type of tablet event
```
#6  0x00007ffff33e804b in QSinglePointEvent::QSinglePointEvent (this=0x7ffffffdc320, type=QEvent::TabletMove, dev=<optimized out>, localPos=..., scenePos=..., globalPos=..., button=Qt::NoButton, buttons=..., modifiers=..., source=Qt::MouseEventNotSynthesized) at /build/qtbase-everywhere-src-6.9.0/src/gui/kernel/qevent.cpp:529
```

(leaving this comment just for the record, hopefully would be useful for debugging)
Comment 10 Ming Chuan 2025-06-19 09:05:40 UTC
Another crash with similar stack trace:
```
#0  QFlatMap<int, QPointingDevicePrivate::EventPointData, std::less<int>, QVarLengthArray<int, 20ll>, QVarLengthArray<QPointingDevicePrivate::EventPointData, 20ll> >::find (key=<synthetic pointer>: 0, this=0x7fff44007910)
    at /nix/store/9ds850ifd4jwcccpp3v14818kk74ldf2-gcc-14.2.1.20250322/include/c++/14.2.1.20250322/bits/stl_function.h:404
#1  QFlatMap<int, QPointingDevicePrivate::EventPointData, std::less<int>, QVarLengthArray<int, 20ll>, QVarLengthArray<QPointingDevicePrivate::EventPointData, 20ll> >::find (this=0x7fff44007910, key=<synthetic pointer>: 0)
    at /build/qtbase-everywhere-src-6.9.0/src/corelib/tools/qflatmap_p.h:818
#2  QPointingDevicePrivate::queryPointById (this=this@entry=0x7fff44007820, id=0) at /build/qtbase-everywhere-src-6.9.0/src/gui/kernel/qpointingdevice.cpp:428
#3  0x00007ffff344821f in QPointingDevicePrivate::setExclusiveGrabber (this=0x7fff44007820, event=0x7ffffffdbae0, point=..., exclusiveGrabber=0x0) at /build/qtbase-everywhere-src-6.9.0/src/gui/kernel/qpointingdevice.cpp:505
#4  0x00007ffff33e169c in QPointerEvent::setExclusiveGrabber (this=<optimized out>, point=..., exclusiveGrabber=<optimized out>) at /build/qtbase-everywhere-src-6.9.0/src/gui/kernel/qevent.cpp:373
#5  0x00007ffff3400c1b in QGuiApplicationPrivate::processMouseEvent (e=0x7ffffffdc010) at /build/qtbase-everywhere-src-6.9.0/src/gui/kernel/qguiapplication.cpp:2529
#6  0x00007ffff34009ba in QGuiApplicationPrivate::processMouseEvent (e=e@entry=0x7ffffffdc010) at /build/qtbase-everywhere-src-6.9.0/src/gui/kernel/qguiapplication.cpp:2374
#7  0x00007ffff34017e8 in QGuiApplicationPrivate::processTabletEvent (e=0x1614a80) at /build/qtbase-everywhere-src-6.9.0/src/gui/kernel/qguiapplication.cpp:3025
#8  0x00007ffff346ce64 in QWindowSystemInterface::sendWindowSystemEvents (flags=flags@entry=...) at /build/qtbase-everywhere-src-6.9.0/src/gui/kernel/qwindowsysteminterface.cpp:1113
#9  0x00007ffff346d08f in QWindowSystemInterface::flushWindowSystemEvents (flags=...) at /build/qtbase-everywhere-src-6.9.0/src/gui/kernel/qwindowsysteminterface.cpp:1082
#10 0x00007ffff2c0dd97 in QObject::event (this=0xd21480, e=0x7fffe0002e80) at /build/qtbase-everywhere-src-6.9.0/src/corelib/kernel/qobject.cpp:1431
#11 0x00007ffff3fa1baa in QApplicationPrivate::notify_helper (this=<optimized out>, receiver=0xd21480, e=0x7fffe0002e80) at /build/qtbase-everywhere-src-6.9.0/src/widgets/kernel/qapplication.cpp:3301
#12 0x00007ffff7ad36ae in KisApplication::notify(QObject*, QEvent*) () from /home/user/sources/krita/outputs/out/lib/libkritaui.so.21
#13 0x00007ffff2bb2698 in QCoreApplication::notifyInternal2 (receiver=0xd21480, event=0x7fffe0002e80) at /build/qtbase-everywhere-src-6.9.0/src/corelib/kernel/qcoreapplication.cpp:1106
#14 0x00007ffff2bb28ed in QCoreApplication::sendEvent (receiver=<optimized out>, event=<optimized out>) at /build/qtbase-everywhere-src-6.9.0/src/corelib/kernel/qcoreapplication.cpp:1546
#15 0x00007ffff2bb63e4 in QCoreApplicationPrivate::sendPostedEvents (receiver=0x0, event_type=0, data=0xa7cc50) at /build/qtbase-everywhere-src-6.9.0/src/corelib/kernel/qcoreapplication.cpp:1879
#16 0x00007ffff2ec42c7 in postEventSourceDispatch (s=0x1149a40) at /build/qtbase-everywhere-src-6.9.0/src/corelib/kernel/qeventdispatcher_glib.cpp:246
#17 0x00007ffff249d81e in g_main_context_dispatch_unlocked () from /nix/store/bkpj51fz88rbyjd60i6lrp0xdax1b24g-glib-2.84.1/lib/libglib-2.0.so.0
#18 0x00007ffff249fa90 in g_main_context_iterate_unlocked.isra () from /nix/store/bkpj51fz88rbyjd60i6lrp0xdax1b24g-glib-2.84.1/lib/libglib-2.0.so.0
#19 0x00007ffff24a02bc in g_main_context_iteration () from /nix/store/bkpj51fz88rbyjd60i6lrp0xdax1b24g-glib-2.84.1/lib/libglib-2.0.so.0
#20 0x00007ffff2ec39a3 in QEventDispatcherGlib::processEvents (this=0xd1f290, flags=...) at /build/qtbase-everywhere-src-6.9.0/src/corelib/kernel/qeventdispatcher_glib.cpp:399
#21 0x00007ffff2bc0beb in QEventLoop::exec (this=this@entry=0x7ffffffdc650, flags=..., flags@entry=...) at /build/qtbase-everywhere-src-6.9.0/src/corelib/global/qflags.h:77
#22 0x00007ffff2bbc02e in QCoreApplication::exec () at /build/qtbase-everywhere-src-6.9.0/src/corelib/global/qflags.h:77
#23 0x000000000040a088 in main ()
```