Bug 517087 - Plasma-keyboard crashed in QtVirtualKeyboard::HunspellInputMethod::reselect() after alt+tabbing when there is window marked as "keep above others"
Status: RESOLVED FIXED
Alias: None
Product: Plasma Keyboard
Classification: Plasma
Component: general (other bugs)
Version First Reported In: unspecified
Platform: Fedora RPMs Linux
Priority: VHI
Severity: crash
Target Milestone: ---
Assignee: Plasma Bugs List
URL:
Keywords:
Duplicates: 516307 516713 517122 517204 517286 518085
Depends on:
Blocks:
 
Reported: 2026-03-04 15:14 UTC by Talip Can
Modified: 2026-04-09 16:17 UTC
CC List: 11 users

See Also:
Latest Commit:
Version Fixed/Implemented In: 6.6.4
Sentry Crash Report: https://crash-reports.kde.org/organizations/kde/issues/392170


Attachments
full gdb backtrace (81.72 KB, text/plain)
2026-03-04 15:14 UTC, Talip Can

Description Talip Can 2026-03-04 15:14:52 UTC
Created attachment 190344
full gdb backtrace

STEPS TO REPRODUCE:
1. Open a document reader containing a massive amount of text (e.g., a PDF) and keep it maximized/focused.
2. Open the Vivaldi web browser, start playing a video, and set the browser window to "Keep Above Others" (Always on Top) in KWin.
3. Trigger a rapid focus switch (e.g., using Alt+Tab) from the background document reader to the Vivaldi window or another temporary surface.

OBSERVED RESULT:
A Z-Index race condition occurs. When focus switches to the new window, Wayland's `zwp_input_method_context_v1` updates the `surroundingText` to an empty string (u"", size = 0). However, the `cursorPosition` retains a massive integer value (in my case, 3080295) from the previously focused PDF document. 
The plasma-keyboard Hunspell plugin then tries to call `QString::at(3080294)` on the empty string, resulting in an immediate Out-of-Bounds memory crash (SIGSEGV).

#0  QString::at (this=0x7ffc57dec460, i=3080294) at /usr/include/qt6/QtCore/qarraydatapointer.h:120
No locals.
#1  QtVirtualKeyboard::HunspellInputMethod::reselect (this=0x561c6d97b5e0, cursorPosition=3080295, reselectFlags=...)
    at /usr/src/debug/qt6-qtvirtualkeyboard-6.10.2-1.fc43.x86_64/src/plugins/hunspell/module/hunspellinputmethod.cpp:270
        c = {ucs = 65278 u'\xfefe'}
        i = 3080294
        surroundingText = {d = {d = 0x0, ptr = 0x561c38f24358 <QString::_empty> u"", size = 0}}
        replaceFrom = 0

EXPECTED RESULT:
The input method context should validate that `cursorPosition` is strictly less than `surroundingText.length()` before attempting to access memory addresses. Alternatively, `cursorPosition` should be safely reset to 0 the moment `surroundingText` is cleared during a focus loss/gain event on Wayland.

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: Fedora Linux 43 (Wayland session)
KDE Plasma Version: 6.6.1
Qt Version: 6.10.2
Hardware: Acer Predator Helios 16S (Intel Core Ultra 7 255HX / NVIDIA RTX 5070 Mobile Optimus)

ADDITIONAL INFORMATION:
I have attached the full GDB backtrace showing the exact local variables during the crash. Note the critical mismatch in Frame #1: surroundingText size is 0, but cursorPosition is 3080295.

Operating System: Fedora Linux 43
KDE Plasma Version: 6.6.1
KDE Frameworks Version: 6.23.0
Qt Version: 6.10.2
Kernel Version: 6.18.13-200.fc43.x86_64 (64-bit)
Graphics Platform: Wayland
Processors: 20 × Intel® Core™ Ultra 7 255HX
Memory: 34 GB of RAM (33,0 GB usable)
Graphics Processor 1: Mesa Intel® Graphics
Graphics Processor 2: NVIDIA GeForce RTX 5070 Laptop GPU/PCIe/SSE2
Manufacturer: Acer
Product Name: Predator PHN16S-71
System Version: V1.21
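An added example (not plasma-keyboard or Qt code) that models the failure described in the report above in stand-alone C++. std::u16string stands in for QString, isWordChar is a simplified stand-in for the input method's real word-boundary rules, and reselectWord, InputContext and WordSpan are hypothetical names. It places the unchecked index (the pattern behind QString::at(3080294) on an empty string) beside a version that validates cursorPosition against the surrounding text, and adds a context that resets the cursor whenever the text is replaced or the plugin is deactivated, which are the two mitigations the report asks for.

```cpp
// Added example, not plasma-keyboard or Qt code. std::u16string models
// QString; the word-character rule and all names here are assumptions.
#include <cctype>
#include <cstddef>
#include <optional>
#include <string>
#include <utility>

struct WordSpan {
    std::size_t from;   // index of the first code unit of the word
    std::size_t to;     // one past the last code unit of the word
};

// Simplified stand-in for the input method's locale-aware word rules.
inline bool isWordChar(char16_t c) {
    return c < 128 && std::isalnum(static_cast<unsigned char>(c));
}

// The crashing pattern: index the text relative to cursorPosition without
// checking that cursorPosition fits surroundingText. With an empty string and
// a stale cursor (3080295 in the report) the read is out of bounds: undefined
// behaviour, observed as SIGSEGV. Shown for contrast only; never call it.
inline char16_t charBeforeCursorUnchecked(const std::u16string& surroundingText,
                                          std::size_t cursorPosition) {
    return surroundingText[cursorPosition - 1];  // UB when cursorPosition > size()
}

// Hardened reselect: validate the cursor before touching the text. A cursor
// may legitimately sit at size() (end of text), so the valid range is
// [0, size()]. Returns std::nullopt for a stale cursor or when no word touches
// the cursor, instead of indexing out of bounds.
inline std::optional<WordSpan> reselectWord(const std::u16string& surroundingText,
                                            long long cursorPosition) {
    if (cursorPosition < 0 ||
        static_cast<unsigned long long>(cursorPosition) > surroundingText.size()) {
        return std::nullopt;   // stale cursor left over from another surface
    }
    const std::size_t pos = static_cast<std::size_t>(cursorPosition);
    std::size_t from = pos;
    while (from > 0 && isWordChar(surroundingText[from - 1])) --from;
    std::size_t to = pos;
    while (to < surroundingText.size() && isWordChar(surroundingText[to])) ++to;
    if (from == to) return std::nullopt;   // cursor is not adjacent to a word
    return WordSpan{from, to};
}

// Second mitigation: keep text and cursor together and reset the cursor
// whenever the text is replaced, so the two can never disagree. Clamping
// rather than trusting the caller means an empty text always yields cursor 0.
struct InputContext {
    std::u16string surroundingText;
    std::size_t cursorPosition = 0;

    void setSurroundingText(std::u16string text, std::size_t cursor) {
        surroundingText = std::move(text);
        cursorPosition = cursor > surroundingText.size() ? surroundingText.size() : cursor;
    }

    // Analogous to handling the plugin's deactivate signal: drop all state.
    void deactivate() {
        surroundingText.clear();
        cursorPosition = 0;
    }
};
```

The check in reselectWord is deliberately a refusal rather than a clamp: a cursor that does not fit the text is evidence that the two values came from different surfaces, and silently clamping would reselect a word the user never touched. Clamping belongs at the point where the values enter the context (setSurroundingText), where the caller's intent is known.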
Comment 1 TraceyC 2026-03-04 17:08:59 UTC
*** Bug 516307 has been marked as a duplicate of this bug. ***
Comment 2 TraceyC 2026-03-04 17:09:30 UTC
Thanks for the detailed analysis, that's very helpful.
Comment 3 TraceyC 2026-03-05 17:50:40 UTC
*** Bug 516713 has been marked as a duplicate of this bug. ***
Comment 4 TraceyC 2026-03-05 17:51:16 UTC
*** Bug 517122 has been marked as a duplicate of this bug. ***
Comment 5 Talip Can 2026-03-09 04:31:19 UTC
(In reply to TraceyC from comment #4)
> *** Bug 517122 has been marked as a duplicate of this bug. ***

You put in a lot of hard work, Tracey. I truly appreciate the effort and time you dedicate to this. Please remember to take a break and go for a long walk sometimes. Sending hugs...
Comment 6 TraceyC 2026-03-09 21:17:22 UTC
*** Bug 517204 has been marked as a duplicate of this bug. ***
Comment 7 TraceyC 2026-03-09 21:18:20 UTC
*** Bug 517286 has been marked as a duplicate of this bug. ***
Comment 8 TraceyC 2026-03-24 16:48:46 UTC
*** Bug 518085 has been marked as a duplicate of this bug. ***
Comment 9 Nate Graham 2026-03-28 15:44:09 UTC
Almost 4,000 crashes in the past week. Raising to VHI priority.
Comment 10 Bug Janitor Service 2026-04-04 01:14:04 UTC
A possibly relevant merge request was started @ https://invent.kde.org/plasma/plasma-keyboard/-/merge_requests/106
Comment 11 Devin Lin 2026-04-07 04:12:46 UTC
Git commit 8a405a8fd7fc84b7d1e8f5aa8d3580a84da6da16 by Devin Lin.
Committed on 07/04/2026 at 04:12.
Pushed by devinlin into branch 'master'.

inputlisteneritem: Add bytes bound check and deactivate signal handling

Add bytes bound check for responses to input method queries. Sometimes
the returned cursor position from inputplugin is invalid or out of date (still needs more investigation) leading to out of bound substrings.

Also implement deactivate signal handling from inputplugin to ensure the
input plugin is reset upon deactivation.

M  +20   -9    src/inputlisteneritem.cpp
M  +2    -0    src/inputplugin.cpp
M  +2    -0    src/inputplugin.h

https://invent.kde.org/plasma/plasma-keyboard/-/commit/8a405a8fd7fc84b7d1e8f5aa8d3580a84da6da16
Comment 12 Devin Lin 2026-04-07 04:19:53 UTC
Git commit eaa535815a9f2e9d119c3b87fd58b6f02444a5cb by Devin Lin.
Committed on 07/04/2026 at 04:13.
Pushed by devinlin into branch 'Plasma/6.6'.

inputlisteneritem: Add bytes bound check and deactivate signal handling

Add bytes bound check for responses to input method queries. Sometimes
the returned cursor position from inputplugin is invalid or out of date (still needs more investigation) leading to out of bound substrings.

Also implement deactivate signal handling from inputplugin to ensure the
input plugin is reset upon deactivation.

M  +20   -9    src/inputlisteneritem.cpp
M  +2    -0    src/inputplugin.cpp
M  +2    -0    src/inputplugin.h

https://invent.kde.org/plasma/plasma-keyboard/-/commit/eaa535815a9f2e9d119c3b87fd58b6f02444a5cb