https://bugs.kde.org/show_bug.cgi?id=517087

            Bug ID: 517087
           Summary: Plasma-keyboard crashed after alt+tabbing when there
                    is window marked as "keep above others"
    Classification: Plasma
           Product: Plasma Keyboard
Version First Reported In: unspecified
          Platform: Fedora RPMs
                OS: Linux
            Status: REPORTED
          Severity: normal
          Priority: NOR
         Component: general
          Assignee: [email protected]
          Reporter: [email protected]
                CC: [email protected]
  Target Milestone: ---

Created attachment 190344
  --> https://bugs.kde.org/attachment.cgi?id=190344&action=edit
full gdb backtrace

STEPS TO REPRODUCE:
1. Open a document reader containing a massive amount of text (e.g., a PDF) and
keep it maximized/focused.
2. Open the Vivaldi web browser, start playing a video, and set the browser
window to "Keep Above Others" (Always on Top) in KWin.
3. Trigger a rapid focus switch (e.g., using Alt+Tab) from the background
document reader to the Vivaldi window or another temporary surface.

OBSERVED RESULT:
A Z-Index race condition occurs. When focus switches to the new window,
Wayland's `zwp_input_method_context_v1` updates the `surroundingText` to an
empty string (u"", size = 0). However, the `cursorPosition` retains a massive
integer value (in my case, 3080295) from the previously focused PDF document. 
The plasma-keyboard Hunspell plugin then tries to call `QString::at(3080294)`
on the empty string, resulting in an immediate Out-of-Bounds memory crash
(SIGSEGV).

#0  QString::at (this=0x7ffc57dec460, i=3080294) at
/usr/include/qt6/QtCore/qarraydatapointer.h:120
No locals.
#1  QtVirtualKeyboard::HunspellInputMethod::reselect (this=0x561c6d97b5e0,
cursorPosition=3080295, reselectFlags=...)
    at
/usr/src/debug/qt6-qtvirtualkeyboard-6.10.2-1.fc43.x86_64/src/plugins/hunspell/module/hunspellinputmethod.cpp:270
        c = {ucs = 65278 u'\xfefe'}
        i = 3080294
        surroundingText = {d = {d = 0x0, ptr = 0x561c38f24358 <QString::_empty>
u"", size = 0}}
        replaceFrom = 0

EXPECTED RESULT:
The input method context should validate that `cursorPosition` is strictly less
than `surroundingText.length()` before attempting to access memory addresses.
Alternatively, `cursorPosition` should be safely reset to 0 the moment
`surroundingText` is cleared during a focus loss/gain event on Wayland.
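As an added illustration of the two fixes proposed above (this is example code, not code from plasma-keyboard, Qt Virtual Keyboard or the Hunspell plugin; std::string stands in for QString and the word-scanning logic is assumed, since the report only shows the failing `QString::at(cursorPosition - 1)` call):

```cpp
#include <cctype>
#include <cstddef>
#include <optional>
#include <string>

// Half-open range [from, to) of the word under the cursor in `text`.
struct WordRange {
    std::size_t from;
    std::size_t to;
};

// Bounds-checked reselect. The frame #1 index is cursorPosition - 1, so it
// is only inside `text` when 1 <= cursorPosition <= text.size(). Any other
// cursor (including the stale 3080295 against an empty text from the
// report) yields "nothing to reselect" instead of an out-of-bounds read.
std::optional<WordRange> reselect_word(const std::string& text,
                                       std::size_t cursorPosition) {
    if (cursorPosition == 0 || cursorPosition > text.size())
        return std::nullopt;                       // index would be invalid
    std::size_t i = cursorPosition - 1;
    auto is_word = [&](std::size_t k) {
        return std::isalpha(static_cast<unsigned char>(text[k])) != 0;
    };
    if (!is_word(i))
        return std::nullopt;                       // cursor is not on a word
    std::size_t from = i;
    while (from > 0 && is_word(from - 1))
        --from;                                    // walk back to word start
    std::size_t to = cursorPosition;
    while (to < text.size() && is_word(to))
        ++to;                                      // walk forward to word end
    return WordRange{from, to};
}

// Second proposal from the report: when the input-method context replaces
// the surrounding text (e.g. with "" on focus change), do not let the old
// cursor survive. Clamping to the new length resets it to 0 for empty text.
std::size_t cursor_for_new_text(std::size_t cursorPosition,
                                const std::string& newText) {
    return cursorPosition > newText.size() ? newText.size() : cursorPosition;
}
```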

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: Fedora Linux 43 (Wayland session)
KDE Plasma Version: 6.6.1
Qt Version: 6.10.2
Hardware: Acer Predator Helios 16S (Intel Core Ultra 7 255HX / NVIDIA RTX 5070
Mobile Optimus)

ADDITIONAL INFORMATION:
I have attached the full GDB backtrace showing the exact local variables during
the crash. Note the critical mismatch in Frame #1: surroundingText size is 0,
but cursorPosition is 3080295.

Operating System: Fedora Linux 43
KDE Plasma Version: 6.6.1
KDE Frameworks Version: 6.23.0
Qt Version: 6.10.2
Kernel Version: 6.18.13-200.fc43.x86_64 (64-bit)
Graphics Platform: Wayland
Processors: 20 × Intel® Core™ Ultra 7 255HX
Memory: 34 GB of RAM (33,0 GB usable)
Graphics Processor 1: Mesa Intel® Graphics
Graphics Processor 2: NVIDIA GeForce RTX 5070 Laptop GPU/PCIe/SSE2
Manufacturer: Acer
Product Name: Predator PHN16S-71
System Version: V1.21
