https://bugs.kde.org/show_bug.cgi?id=514123
Bug ID: 514123
Summary: Konsole crashes in Wayland scroll code due to null mFrontBuffer
Classification: Applications
Product: konsole
Version First Reported In: 25.12.0
Platform: Other
OS: Linux
Status: REPORTED
Severity: normal
Priority: NOR
Component: general
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
Created attachment 188197
--> https://bugs.kde.org/attachment.cgi?id=188197&action=edit
Backtrace of Konsole crash.
SUMMARY
While debugging a plasmashell hang with `gdb -p`, my entire system hung and I
couldn't Ctrl+Alt+F2, kwin started spamming `kwin_wayland_wrapper[1744]: Key
repeat discarded, Wayland compositor doesn't seem to be processing events fast
enough!`, then konsole segfaulted.
STEPS TO REPRODUCE
1. Trigger a plasmashell hang? Not sure how, I suspect it was from a Signal
notification?
2. Launch Konsole?
3. `gdb -p (pgrep plasmashell)`?
OBSERVED RESULT
Konsole segfaults. The stack trace is attached. Here are the most relevant stack frames:
#4 0x00007f584dc27290 in <signal handler called> () at /lib64/libc.so.6
#5 QImage::isNull (this=this@entry=0x18) at /usr/src/debug/qt6-qtbase-6.10.1-2.fc43.x86_64/src/gui/image/qimage.cpp:1342
#6 0x00007f584ec98b22 in QPainter::drawImage (this=this@entry=0x7ffed4687478, targetRect=..., image=..., sourceRect=..., flags=flags@entry=...) at /usr/src/debug/qt6-qtbase-6.10.1-2.fc43.x86_64/src/gui/painting/qpainter.cpp:5201
#7 0x00007f584a1236b4 in QPainter::drawImage (this=0x7ffed4687478, targetRect=<synthetic pointer>..., image=<optimized out>, sourceRect=<synthetic pointer>..., flags=...) at /usr/src/debug/qt6-qtbase-6.10.1-2.fc43.x86_64/src/gui/painting/qpainter.h:777
#8 QtWaylandClient::QWaylandShmBackingStore::scroll (this=0x55bb79f103d0, region=<optimized out>, dx=0, dy=-14) at /usr/src/debug/qt6-qtbase-6.10.1-2.fc43.x86_64/src/plugins/platforms/wayland/qwaylandshmbackingstore.cpp:271
#9 0x00007f584eb7ac3b in QBackingStore::scroll (this=this@entry=0x55bb79f109a0, area=..., dx=dx@entry=0, dy=dy@entry=-14) at /usr/src/debug/qt6-qtbase-6.10.1-2.fc43.x86_64/src/gui/painting/qbackingstore.cpp:265
In frame 8, it seems that while calling `painter.drawImage(destinationRect, *mFrontBuffer->image(), sourceRect);`, the near-null pointer comes from `*mFrontBuffer->image()`.
I think the bug is that mFrontBuffer is a null pointer. How do we call a method `mFrontBuffer->image()` on it? This is UB, but presumably it merely returns a pointer offset without dereferencing this, which doesn't crash (yet).
An identical bug has been reported on the Fedora forums at
https://discussion.fedoraproject.org/t/crashing-konsole-since-upgrade-to-f43/177471,
but I don't see a similar report on the KDE bug tracker.
Is this a Qt bug rather than a KDE one? I don't know.
Unfortunately I was not able to debug the plasmashell hang, as it started
responding again a few seconds after Konsole died, and there were no relevant
entries in my journalctl.
EXPECTED RESULT
No crash.
SOFTWARE/OS VERSIONS
Operating System: Fedora Linux 43
KDE Plasma Version: 6.5.4
KDE Frameworks Version: 6.21.0
Qt Version: 6.10.1
Kernel Version: 6.17.12-300.fc43.x86_64 (64-bit)
Graphics Platform: Wayland
Processors: 8 × Intel® Core™ i7-8559U CPU @ 2.70GHz
Memory: 16 GiB of RAM (15.5 GiB usable)
Graphics Processor: Intel® Iris® Plus Graphics 655
Manufacturer: Intel(R) Client Systems
Product Name: NUC8i7BEH
System Version: J72992-303
ADDITIONAL INFORMATION
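The following C++ is an added illustration of the reading given under OBSERVED RESULT above; it is not code from this report or from Qt. It uses hypothetical stand-ins (Image, ShmBuffer, BackingStore, faultLooksLikeNullObject, scrollResult) whose layout is chosen so that the image member sits at offset 0x18, as an assumption to match `this=0x18` in frame 5: a member accessor called on a null object yields only that offset, and the crash comes later when the painter reads through it. The scroll shown checks mFrontBuffer first and refuses instead of crashing.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <vector>
// Hypothetical stand-in for QImage: a one-pixel-wide image with `height` rows (max 32).
struct Image {
    int height = 0;
    std::uint8_t px[32] = {};
    bool isNull() const { return height == 0; }
};
// Hypothetical stand-in for QWaylandShmBuffer: three 8-byte fields put mImage at offset
// 0x18, matching `this=0x18` in the trace (the real Qt layout is not known from the report).
struct ShmBuffer {
    std::uint64_t mapping = 0, mapSize = 0, stride = 0;
    Image mImage;
    Image* image() { return &mImage; }  // &this->mImage: computes an offset, never reads *this
};
constexpr std::size_t kImageOffset = offsetof(ShmBuffer, mImage);  // 0x18
// Triage rule: a fault `this` equal to a member offset means the owning object pointer was
// null and an accessor such as image() ran on it before anything dereferenced the result.
bool faultLooksLikeNullObject(std::uintptr_t faultThis) { return faultThis == kImageOffset; }

struct BackingStore {
    std::unique_ptr<ShmBuffer> mFrontBuffer;
    // Guarded scroll: bail out when there is no front buffer (or no image) instead of
    // handing a bogus pointer to the painter. Rows shift by dy; vacated rows are zeroed.
    bool scroll(int dy) {
        if (!mFrontBuffer || mFrontBuffer->image()->isNull()) return false;
        Image& img = *mFrontBuffer->image();
        Image out;
        out.height = img.height;
        for (int y = 0; y < img.height; ++y) {
            const int src = y - dy;  // the pixel on row src lands on row y
            if (src >= 0 && src < img.height) out.px[y] = img.px[src];
        }
        img = out;
        return true;
    }
};

// Exercise the guarded path on constructed row values and return the rows afterwards.
std::vector<std::uint8_t> scrollResult(const std::vector<std::uint8_t>& rows, int dy) {
    BackingStore store;
    store.mFrontBuffer = std::make_unique<ShmBuffer>();
    Image& img = store.mFrontBuffer->mImage;
    img.height = static_cast<int>(rows.size() > 32 ? 32 : rows.size());
    for (int y = 0; y < img.height; ++y) img.px[y] = rows[y];
    store.scroll(dy);
    return std::vector<std::uint8_t>(img.px, img.px + img.height);
}
```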