Created attachment 188197: Backtrace of Konsole crash.

SUMMARY
While debugging a plasmashell hang with `gdb -p`, my entire system hung and I couldn't Ctrl+Alt+F2, kwin started spamming `kwin_wayland_wrapper[1744]: Key repeat discarded, Wayland compositor doesn't seem to be processing events fast enough!`, then konsole segfaulted.

STEPS TO REPRODUCE
1. Trigger a plasmashell hang? Not sure how, I suspect it was from a Signal notification?
2. Launch Konsole?
3. `gdb -p (pgrep plasmashell)`?

OBSERVED RESULT
Konsole segfaults. The stack trace is attached. Here are the most relevant stack frames:

#4 0x00007f584dc27290 in <signal handler called> () at /lib64/libc.so.6
#5 QImage::isNull (this=this@entry=0x18) at /usr/src/debug/qt6-qtbase-6.10.1-2.fc43.x86_64/src/gui/image/qimage.cpp:1342
#6 0x00007f584ec98b22 in QPainter::drawImage (this=this@entry=0x7ffed4687478, targetRect=..., image=..., sourceRect=..., flags=flags@entry=...) at /usr/src/debug/qt6-qtbase-6.10.1-2.fc43.x86_64/src/gui/painting/qpainter.cpp:5201
#7 0x00007f584a1236b4 in QPainter::drawImage (this=0x7ffed4687478, targetRect=<synthetic pointer>..., image=<optimized out>, sourceRect=<synthetic pointer>..., flags=...) at /usr/src/debug/qt6-qtbase-6.10.1-2.fc43.x86_64/src/gui/painting/qpainter.h:777
#8 QtWaylandClient::QWaylandShmBackingStore::scroll (this=0x55bb79f103d0, region=<optimized out>, dx=0, dy=-14) at /usr/src/debug/qt6-qtbase-6.10.1-2.fc43.x86_64/src/plugins/platforms/wayland/qwaylandshmbackingstore.cpp:271
#9 0x00007f584eb7ac3b in QBackingStore::scroll (this=this@entry=0x55bb79f109a0, area=..., dx=dx@entry=0, dy=dy@entry=-14) at /usr/src/debug/qt6-qtbase-6.10.1-2.fc43.x86_64/src/gui/painting/qbackingstore.cpp:265

In frame 8, it seems that while calling `painter.drawImage(destinationRect, *mFrontBuffer->image(), sourceRect);`, the near-null pointer comes from `*mFrontBuffer->image()`. I think the bug is that mFrontBuffer is a null pointer. How do we call a method `mFrontBuffer->image()` on it?
This is UB, but presumably it merely returns a pointer offset without dereferencing this, which doesn't crash (yet).

An identical bug has been reported on the Fedora forums at https://discussion.fedoraproject.org/t/crashing-konsole-since-upgrade-to-f43/177471, but I don't see a similar report on the KDE bug tracker. Is this a Qt bug rather than a KDE one? I don't know.

Unfortunately I was not able to debug the plasmashell hang, as it started responding again a few seconds after Konsole died, and there were no relevant entries in my journalctl.

EXPECTED RESULT
No crash.

SOFTWARE/OS VERSIONS
Operating System: Fedora Linux 43
KDE Plasma Version: 6.5.4
KDE Frameworks Version: 6.21.0
Qt Version: 6.10.1
Kernel Version: 6.17.12-300.fc43.x86_64 (64-bit)
Graphics Platform: Wayland
Processors: 8 × Intel® Core™ i7-8559U CPU @ 2.70GHz
Memory: 16 GiB of RAM (15.5 GiB usable)
Graphics Processor: Intel® Iris® Plus Graphics 655
Manufacturer: Intel(R) Client Systems
Product Name: NUC8i7BEH
System Version: J72992-303

ADDITIONAL INFORMATION
Searchable backtrace

Program terminated with signal SIGSEGV, Segmentation fault.
Downloading 4.48 K source file /usr/src/debug/glibc-2.42-5.fc43.x86_64/nptl/pthread_kill.c...
#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=11, no_tid=no_tid@entry=0) at pthread_kill.c:44
44        return INTERNAL_SYSCALL_ERROR_P (ret) ? INTERNAL_SYSCALL_ERRNO (ret) : 0;
[Current thread is 1 (Thread 0x7f5845cf7f40 (LWP 343357))]
Missing rpms, try: dnf --enablerepo='*debug*' install mesa-va-drivers-freeworld-debuginfo-25.2.7-2.fc43.x86_64
(gdb) bt
#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=11, no_tid=no_tid@entry=0) at pthread_kill.c:44
#1  0x00007f584dc81493 in __pthread_kill_internal (threadid=<optimized out>, signo=11) at pthread_kill.c:89
#2  0x00007f584dc2715e in __GI_raise (sig=11) at ../sysdeps/posix/raise.c:26
#3  0x00007f584ffbb041 in KCrash::defaultCrashHandler (sig=11) at /usr/src/debug/kf6-kcrash-6.21.0-1.fc43.x86_64/src/kcrash.cpp:605
#4  0x00007f584dc27290 in <signal handler called> () at /lib64/libc.so.6
#5  QImage::isNull (this=this@entry=0x18) at /usr/src/debug/qt6-qtbase-6.10.1-2.fc43.x86_64/src/gui/image/qimage.cpp:1342
#6  0x00007f584ec98b22 in QPainter::drawImage (this=this@entry=0x7ffed4687478, targetRect=..., image=..., sourceRect=..., flags=flags@entry=...) at /usr/src/debug/qt6-qtbase-6.10.1-2.fc43.x86_64/src/gui/painting/qpainter.cpp:5201
#7  0x00007f584a1236b4 in QPainter::drawImage (this=0x7ffed4687478, targetRect=<synthetic pointer>..., image=<optimized out>, sourceRect=<synthetic pointer>..., flags=...) at /usr/src/debug/qt6-qtbase-6.10.1-2.fc43.x86_64/src/gui/painting/qpainter.h:777
#8  QtWaylandClient::QWaylandShmBackingStore::scroll (this=0x55bb79f103d0, region=<optimized out>, dx=0, dy=-14) at /usr/src/debug/qt6-qtbase-6.10.1-2.fc43.x86_64/src/plugins/platforms/wayland/qwaylandshmbackingstore.cpp:271
#9  0x00007f584eb7ac3b in QBackingStore::scroll (this=this@entry=0x55bb79f109a0, area=..., dx=dx@entry=0, dy=dy@entry=-14) at /usr/src/debug/qt6-qtbase-6.10.1-2.fc43.x86_64/src/gui/painting/qbackingstore.cpp:265
#10 0x00007f584f6b266e in QWidgetRepaintManager::bltRect (this=this@entry=0x55bb7a4cf120, rect=..., dx=dx@entry=0, dy=dy@entry=-14, widget=widget@entry=0x55bb7a31cc50) at /usr/src/debug/qt6-qtbase-6.10.1-2.fc43.x86_64/src/widgets/kernel/qwidgetrepaintmanager.cpp:533
#11 0x00007f584f6b8f0c in QWidgetPrivate::scrollRect (this=0x55bb7a31d100, rect=..., dx=dx@entry=0, dy=-14) at /usr/src/debug/qt6-qtbase-6.10.1-2.fc43.x86_64/src/widgets/kernel/qwidgetrepaintmanager.cpp:491
#12 0x00007f584f68b482 in QWidgetPrivate::scroll_sys (this=<optimized out>, dx=dx@entry=0, dy=<optimized out>, r=...) at /usr/src/debug/qt6-qtbase-6.10.1-2.fc43.x86_64/src/widgets/kernel/qwidget.cpp:11195
#13 0x00007f584f68b6ac in QWidget::scroll (this=this@entry=0x55bb7a31cc50, dx=dx@entry=0, dy=<optimized out>, r=...) at /usr/src/debug/qt6-qtbase-6.10.1-2.fc43.x86_64/src/widgets/kernel/qwidget.cpp:11190
#14 0x00007f58502f3a9c in Konsole::TerminalScrollBar::scrollImage (this=<optimized out>, lines=1, screenWindowRegion=<optimized out>, image=<optimized out>, imageSize=<optimized out>) at /usr/src/debug/konsole-25.12.0-1.fc43.x86_64/src/terminalDisplay/TerminalScrollBar.cpp:243
#15 0x00007f58502e1dca in Konsole::TerminalDisplay::updateImage (this=0x55bb7a31cc50) at /usr/src/debug/konsole-25.12.0-1.fc43.x86_64/src/terminalDisplay/TerminalDisplay.cpp:478
#16 0x00007f584e36759a in QtPrivate::QSlotObjectBase::call (this=0x55bb7a414610, r=0x55bb7a31cc50, a=0x7ffed46879d8) at /usr/src/debug/qt6-qtbase-6.10.1-2.fc43.x86_64/src/corelib/kernel/qobjectdefs_impl.h:461
#17 doActivate<false> (sender=0x55bb7a40f6d0, signal_index=<optimized out>, argv=<optimized out>) at /usr/src/debug/qt6-qtbase-6.10.1-2.fc43.x86_64/src/corelib/kernel/qobject.cpp:4257
#18 0x00007f584e36759a in QtPrivate::QSlotObjectBase::call (this=0x55bb7a414580, r=0x55bb7a40f6d0, a=0x7ffed4687aa8) at /usr/src/debug/qt6-qtbase-6.10.1-2.fc43.x86_64/src/corelib/kernel/qobjectdefs_impl.h:461
#19 doActivate<false> (sender=0x55bb7a3127a0, signal_index=<optimized out>, argv=0x7ffed4687aa8, argv@entry=0x0) at /usr/src/debug/qt6-qtbase-6.10.1-2.fc43.x86_64/src/corelib/kernel/qobject.cpp:4257
#20 0x00007f584e35de69 in QMetaObject::activate (sender=sender@entry=0x55bb7a3127a0, m=m@entry=0x7f585044b220 <Konsole::Emulation::staticMetaObject>, local_signal_index=local_signal_index@entry=8, argv=argv@entry=0x0) at /usr/src/debug/qt6-qtbase-6.10.1-2.fc43.x86_64/src/corelib/kernel/qobject.cpp:4317
#21 0x00007f58502275e7 in Konsole::Emulation::outputChanged (this=this@entry=0x55bb7a3127a0) at /usr/src/debug/konsole-25.12.0-1.fc43.x86_64/redhat-linux-build/src/konsoleprivate_autogen/include/moc_Emulation.cpp:443
#22 0x00007f585022e317 in Konsole::Emulation::showBulk (this=0x55bb7a3127a0) at /usr/src/debug/konsole-25.12.0-1.fc43.x86_64/src/Emulation.cpp:287
#23 0x00007f584e36759a in QtPrivate::QSlotObjectBase::call (this=0x55bb7a314600, r=0x55bb7a3127a0, a=0x7ffed4687c10) at /usr/src/debug/qt6-qtbase-6.10.1-2.fc43.x86_64/src/corelib/kernel/qobjectdefs_impl.h:461
#24 doActivate<false> (sender=0x55bb7a312860, signal_index=<optimized out>, argv=argv@entry=0x7ffed4687c10) at /usr/src/debug/qt6-qtbase-6.10.1-2.fc43.x86_64/src/corelib/kernel/qobject.cpp:4257
#25 0x00007f584e35de69 in QMetaObject::activate (sender=<optimized out>, m=m@entry=0x7f584e8b6d80 <QTimer::staticMetaObject>, local_signal_index=local_signal_index@entry=0, argv=argv@entry=0x7ffed4687c10) at /usr/src/debug/qt6-qtbase-6.10.1-2.fc43.x86_64/src/corelib/kernel/qobject.cpp:4317
#26 0x00007f584e377d93 in QMetaObject::activate<void, QTimer::QPrivateSignal> (sender=<optimized out>, mo=0x7f584e8b6d80 <QTimer::staticMetaObject>, local_signal_index=0, ret=0x0) at /usr/src/debug/qt6-qtbase-6.10.1-2.fc43.x86_64/src/corelib/kernel/qobjectdefs.h:319
#27 QTimer::timeout (this=<optimized out>, _t1=...) at /usr/src/debug/qt6-qtbase-6.10.1-2.fc43.x86_64/redhat-linux-build/src/corelib/Core_autogen/include/moc_qtimer.cpp:182
#28 0x00007f584e358f55 in QObject::event (this=<optimized out>, e=<optimized out>) at /usr/src/debug/qt6-qtbase-6.10.1-2.fc43.x86_64/src/corelib/kernel/qobject.cpp:1443
#29 0x00007f584f63db9f in QApplicationPrivate::notify_helper (this=<optimized out>, receiver=0x55bb7a312860, e=0x7ffed4687dc0) at /usr/src/debug/qt6-qtbase-6.10.1-2.fc43.x86_64/src/widgets/kernel/qapplication.cpp:3305
#30 0x00007f584e2fc4e8 in QCoreApplication::notifyInternal2 (receiver=0x55bb7a312860, event=0x7ffed4687dc0) at /usr/src/debug/qt6-qtbase-6.10.1-2.fc43.x86_64/src/corelib/kernel/qcoreapplication.cpp:1109
#31 0x00007f584e2fc74d in QCoreApplication::sendEvent (receiver=<optimized out>, event=<optimized out>) at /usr/src/debug/qt6-qtbase-6.10.1-2.fc43.x86_64/src/corelib/kernel/qcoreapplication.cpp:1549
#32 0x00007f584e4d01f8 in QTimerInfoList::activateTimers (this=<optimized out>) at /usr/src/debug/qt6-qtbase-6.10.1-2.fc43.x86_64/src/corelib/kernel/qtimerinfo_unix.cpp:426
#33 0x00007f584e61e551 in timerSourceDispatch (source=<optimized out>) at /usr/src/debug/qt6-qtbase-6.10.1-2.fc43.x86_64/src/corelib/kernel/qeventdispatcher_glib.cpp:152
#34 idleTimerSourceDispatch (source=<optimized out>) at /usr/src/debug/qt6-qtbase-6.10.1-2.fc43.x86_64/src/corelib/kernel/qeventdispatcher_glib.cpp:199
#35 0x00007f584b2eb2a3 in g_main_dispatch (context=0x7f5830000f60) at ../glib/gmain.c:3565
#36 g_main_context_dispatch_unlocked (context=0x7f5830000f60) at ../glib/gmain.c:4425
#37 0x00007f584b2f41f8 in g_main_context_iterate_unlocked (context=context@entry=0x7f5830000f60, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:4490
#38 0x00007f584b2f43a3 in g_main_context_iteration (context=0x7f5830000f60, may_block=1) at ../glib/gmain.c:4556
#39 0x00007f584e61e80d in QEventDispatcherGlib::processEvents (this=0x55bb79d12c00, flags=...) at /usr/src/debug/qt6-qtbase-6.10.1-2.fc43.x86_64/src/corelib/kernel/qeventdispatcher_glib.cpp:399
#40 0x00007f584e309063 in QEventLoop::exec (this=this@entry=0x7ffed4688070, flags=..., flags@entry=...) at /usr/src/debug/qt6-qtbase-6.10.1-2.fc43.x86_64/src/corelib/global/qflags.h:77
#41 0x00007f584e304819 in QCoreApplication::exec () at /usr/src/debug/qt6-qtbase-6.10.1-2.fc43.x86_64/src/corelib/kernel/qcoreapplication.cpp:1452
#42 0x00007f584eadf19d in QGuiApplication::exec () at /usr/src/debug/qt6-qtbase-6.10.1-2.fc43.x86_64/src/gui/kernel/qguiapplication.cpp:1973
#43 0x00007f584f63db09 in QApplication::exec () at /usr/src/debug/qt6-qtbase-6.10.1-2.fc43.x86_64/src/widgets/kernel/qapplication.cpp:2575
#44 0x000055bb3c7d59e1 in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/konsole-25.12.0-1.fc43.x86_64/src/main.cpp:288
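Added illustration of the `this=0x18` reading in the report above (example code, not from the reporter, Konsole or Qt): a constructed C++ stand-in for a buffer object whose non-virtual accessor returns the address of an embedded image member. With a null buffer pointer the accessor's compiled code only adds the member offset, so the bogus pointer reaches the image method before anything faults; the offset is computed with `offsetof` rather than by calling through null. The member layout, the names `FakeShmBuffer`, `FakeImage`, `imagePtr()` and `FakeBackingStore::scroll` are all assumptions chosen so the offset comes out at 0x18, and the guarded `scroll` shows the null check a caller would want.

```cpp
#include <cstddef>
#include <cstdint>

// Constructed stand-in for a shared-memory buffer object. The member order
// is an assumption chosen so that the image lands at offset 0x18, the value
// seen as `this` in frame #5 of the backtrace; it is not Qt's real layout.
struct FakeImage {
    int width = 0;
    int height = 0;
    bool isNull() const { return width == 0 || height == 0; }
};

struct FakeShmBuffer {
    void     *shmPool  = nullptr;  // offset 0x00 (hypothetical pool handle)
    uint64_t  byteSize = 0;        // offset 0x08 (hypothetical)
    void     *wlBuffer = nullptr;  // offset 0x10 (hypothetical wl_buffer handle)
    FakeImage image;               // offset 0x18: what imagePtr() hands back

    // Non-virtual accessor. Compiled code for this is just "this + 0x18";
    // nothing reads through `this`, so a null buffer does not fault here
    // and the bogus pointer 0x18 travels on to the image method that does.
    FakeImage *imagePtr() { return &image; }
};

// Offset the accessor would add to a null `this`, computed without any
// undefined behaviour: this is the number to compare against a near-null
// `this=` value in a backtrace.
size_t imageOffset() { return offsetof(FakeShmBuffer, image); }

// Hardened counterpart of the scroll path: check the front buffer before
// touching it, so a missing buffer degrades to "skip the blit" rather than
// a SIGSEGV inside the image code.
struct FakeBackingStore {
    FakeShmBuffer *frontBuffer = nullptr;

    bool scroll(int dx, int dy) {
        (void)dx; (void)dy;                        // a real blit would use these
        if (frontBuffer == nullptr) return false;  // no buffer yet: nothing to copy
        FakeImage *img = frontBuffer->imagePtr();
        if (img->isNull()) return false;           // empty image: nothing to copy
        return true;                               // blit would happen here
    }
};
```

When triaging a crash like this one, a tiny `this` value (0x18, 0x40, ...) that equals a member offset of the object the caller dereferenced is the signature of a null base pointer plus member access, which points the fix at the caller's missing null check rather than at the method that faulted.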
Thank you for the bug report. Based on the backtrace this looks like a duplicate of bug 511945. This one is a little tricky. As mentioned in that report:

> The problem is caused by distributions downstream-patching Qt, so it's them that need to apply the fix. OpenSUSE has done it already, Fedora should do it soon.

This will be fixed on your system when Fedora completes that work.

*** This bug has been marked as a duplicate of bug 511945 ***
I still think that it would be easier to not create duplicates if the default Bugzilla search included closed bugs (so we can find existing reports of bugs that are closed but people still hit them in distros). It does seem to include reply comments (e.g. search for EncodedDataStream).