https://bugs.kde.org/show_bug.cgi?id=437862
--- Comment #11 from nyanpasu64 <nyanpas...@tuta.io> ---
I think I found the crash (or at least one cause of it). Crash call stack:

#0  KSysGuard::Process::parent (this=<optimized out>) at /usr/src/debug/libksysguard-5.22.4/processcore/process.cpp:248
#1  0x00007fffe011dd76 in KSysGuard::ProcessDataModel::parent (this=<optimized out>, index=...) at /usr/src/debug/libksysguard-5.22.4/processcore/process_data_model.cpp:181
#2  0x00007ffff5d52f83 in QIdentityProxyModel::parent(QModelIndex const&) const () from /usr/lib/libQt5Core.so.5
#3  0x00007ffff5d52f83 in QIdentityProxyModel::parent(QModelIndex const&) const () from /usr/lib/libQt5Core.so.5
#4  0x00007ffff5d65b41 in ?? () from /usr/lib/libQt5Core.so.5
#5  0x00007ffff5dc8790 in ?? () from /usr/lib/libQt5Core.so.5
#6  0x00007ffff5d2a186 in QAbstractItemModel::dataChanged(QModelIndex const&, QModelIndex const&, QVector<int> const&) () from /usr/lib/libQt5Core.so.5
#7  0x00007fffe015c95b in ComponentCacheProxyModel::createPendingInstance (this=<optimized out>) at /usr/src/debug/plasma-systemmonitor-5.22.4/src/table/ComponentCacheProxyModel.cpp:126
#8  ComponentCacheProxyModel::createPendingInstance (this=0x555557efe9b0) at /usr/src/debug/plasma-systemmonitor-5.22.4/src/table/ComponentCacheProxyModel.cpp:106
#9  0x00007ffff5dbe4ff in QObject::event(QEvent*) () from /usr/lib/libQt5Core.so.5

For some reason, plasma-systemmonitor creates a ComponentCacheProxyModel (https://github.com/KDE/plasma-systemmonitor/blob/1612127fb300a71dfa187cb78128f6728e489352/src/table/ComponentCacheProxyModel.cpp) to wrap a KSysGuard::ProcessDataModel. When a ComponentCacheProxyModel receives a ComponentCacheProxyModel::data() request with role CachedComponentRole, it *queues* the QModelIndex passed in (whose internalPointer() points to a KSysGuard::Process) into ComponentCacheProxyModel::m_pendingInstances, and *schedules* a call to ComponentCacheProxyModel::createPendingInstance().

By the time createPendingInstance() is called, Processes::processesUpdated() has been called, which deletes the KSysGuard::Process. createPendingInstance() calls Q_EMIT dataChanged(index, index, {CachedComponentRole}) on a QModelIndex index whose internalPointer() is dangling, but it gets used anyway (use-after-free) with unpredictable results.

I think it's wrong for ComponentCacheProxyModel to be caching QModelIndex values (which are ephemeral and "borrowed" from Processes) across event loop iterations, since they can get invalidated by other event loop callbacks.

I think that looking for bugs in Processes::processesUpdated() was a false lead. The code is confusing to follow and not obviously correct, but I haven't found any errors that occur in practice (d->mAbstractProcesses->getParentPid(pid) never returns a Pid not found in d->mAbstractProcesses->getAllPids()). However, Processes is *very* precarious and may segfault if mAbstractProcesses's AbstractProcesses subclass returns malformed data.

-- 
You are receiving this mail because:
You are watching all bug changes.
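Added illustration, not code from the bug report or from plasma-systemmonitor: a Qt-free C++ sketch of the fix pattern the comment points at, queuing a stable key (the pid) instead of a borrowed QModelIndex/internalPointer and re-resolving it when the deferred step runs, so a process deleted in between is skipped rather than dereferenced. Process, ProcessModel, ComponentCache and runScenario are hypothetical stand-ins; in real Qt code the equivalent is holding a QPersistentModelIndex or re-querying the source model before emitting dataChanged.

```cpp
#include <map>
#include <memory>
#include <string>
#include <vector>
// Hypothetical stand-in for KSysGuard::Process: owned by the model, destroyed on update.
struct Process { long pid; std::string name; };
// Hypothetical stand-in for ProcessDataModel: owns Process objects keyed by pid.
struct ProcessModel {
    std::map<long, std::unique_ptr<Process>> byPid;
    // Like processesUpdated(): rebuilds the table, deleting any Process not in `live`.
    void update(const std::vector<long>& live) {
        std::map<long, std::unique_ptr<Process>> next;
        for (long pid : live) {
            auto it = byPid.find(pid);
            next[pid] = it != byPid.end() ? std::move(it->second)
                                          : std::make_unique<Process>(Process{pid, "proc"});
        }
        byPid.swap(next);   // old Process objects die here
    }
    Process* lookup(long pid) {
        auto it = byPid.find(pid);
        return it == byPid.end() ? nullptr : it->second.get();
    }
};
// Hypothetical stand-in for ComponentCacheProxyModel's m_pendingInstances: queue the
// stable key (pid), never a borrowed pointer, and re-resolve it when the work runs.
struct ComponentCache {
    ProcessModel* model;
    std::vector<long> pending;
    void requestComponent(const Process& p) { pending.push_back(p.pid); }
    // Deferred step (createPendingInstance on a later event-loop turn); returns the pids
    // that were still alive and therefore got a component.
    std::vector<long> createPendingInstances() {
        std::vector<long> created;
        for (long pid : pending)
            if (Process* p = model->lookup(pid)) created.push_back(p->pid); // still alive
        pending.clear();
        return created;
    }
};
// Constructed scenario from the report: requests are queued, then the process table is
// refreshed (deleting pid 42) before the deferred step runs.
std::vector<long> runScenario() {
    ProcessModel model;
    model.update({1, 42, 77});
    ComponentCache cache{&model, {}};
    cache.requestComponent(*model.lookup(42));
    cache.requestComponent(*model.lookup(77));
    model.update({1, 77});                  // pid 42 exits; its Process is deleted
    return cache.createPendingInstances();  // {77}: 42 is skipped, nothing dangling is touched
}
```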