more info on the TaskGroupItem crash

David Faure faure at kde.org
Thu Sep 10 20:55:45 CEST 2009


I finally took the time to investigate the plasma crash that was happening so often to me.

Almost reproducible testcase: 4.3 branch, enable task grouping, have some grouping in one
desktop, then hit the "next desktop" key shortcut like a madman (but at varying speeds)
until it crashes. Well... last week this was quite reproducible this way. This week I can't do it
that way, I can only use kde and wait until it crashes again. Weird. Anyway.

As suspected from the start, the problem was in the "task group item"
code, and timing-related (so the "deleteLater" looked suspicious), but my earlier 
backtraces weren't really enough to figure out the problem. Now after valgrind'ing and adding tons 
of kDebug, I found the problem.

It's a race between the "deleteLater" and the actual deletion. In between those two events,
the item is re-added to the layout. So just after the actual deletion takes place, we have a dangling
pointer in the layout's m_itemPositions list.

TaskGroupItem::itemRemoved: groupItem= 0x202db80 item= 0x3a48370 m_tasksLayout= 0x202e6a0
TaskItemLayout::remove: this= 0x202e6a0 removing AbstractTaskItem 0x3a48370
TaskGroupItem::itemRemoved: Calling deleteLater on item 0x3a48370 m_applet= 0x1d07380
[...]
QGraphicsScene::removeItem: item 0x3a48380's scene (0x0) is different from this scene (0x19e80d0) << interesting, a QGraphicsScene warning too
TaskItemLayout::insert: this= 0x202e6a0 inserting item 0x3a48370 into m_itemPositions
TaskItemLayout::preferredColumns: 0x202e6a0 First AbstractTaskItem in m_itemPositions: 0x3a48370
[...]
[then the deleteLater kicks in]
WindowTaskItem::~WindowTaskItem: 0x3a48370
AbstractTaskItem::~AbstractTaskItem: Deleting taskitem 0x3a48370 m_applet= 0x1d07380
TaskItemLayout::preferredColumns: 0x202e6a0 First AbstractTaskItem in m_itemPositions: 0x3a48370
AbstractTaskItem::basicPreferredSize: 0x3a48370
CRASH.
(0x3a48370 is a dangling pointer to a deleted item)

The only part that is not clear to me is where the insert() comes from, but maybe you guys know that part anyway?
Any ideas?

PS: please CC me on replies.

-- 
David Faure, faure at kde.org, sponsored by Nokia to work on KDE,
Konqueror (http://www.konqueror.org), and KOffice (http://www.koffice.org).
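
The order of events in the log above, replayed as a minimal model with no Qt dependency (an added example, not code from the original post or from Plasma). Item, Layout, EventLoop and replaySequence are hypothetical stand-ins for the task item, TaskItemLayout and deferred deletion; the destructor-side unregistration is one possible mitigation assumed here, not the fix KDE applied.

```cpp
#include <algorithm>
#include <set>
#include <vector>

struct Layout;
struct Item {
    Layout* layout = nullptr;  // layout currently holding this item, if any
    // Registry of live items so stale entries can be found without dereferencing.
    static std::set<const Item*>& live() { static std::set<const Item*> s; return s; }
    Item() { live().insert(this); }
    ~Item();
};
struct Layout {
    bool hardened;                     // true: items unregister themselves on destruction
    std::vector<Item*> itemPositions;  // raw pointers, modelled on m_itemPositions
    explicit Layout(bool h) : hardened(h) {}
    void insert(Item* it) { itemPositions.push_back(it); it->layout = this; }
    void remove(Item* it) {
        auto& v = itemPositions;
        v.erase(std::remove(v.begin(), v.end(), it), v.end());
        it->layout = nullptr;
    }
    // Number of entries whose item is already destroyed (addresses compared only).
    int danglingCount() const {
        int n = 0;
        for (const Item* p : itemPositions) n += Item::live().count(p) ? 0 : 1;
        return n;
    }
};
Item::~Item() {
    // Mitigation: leave whatever layout holds us, regardless of who re-inserted us.
    if (layout && layout->hardened) layout->remove(this);
    live().erase(this);
}
struct EventLoop {  // stand-in for deferred deletion
    std::vector<Item*> deferred;
    void deleteLater(Item* it) { deferred.push_back(it); }
    void processDeferredDeletes() { for (Item* it : deferred) delete it; deferred.clear(); }
};
// Replays remove -> deleteLater -> insert -> actual delete; returns stale entries left.
int replaySequence(bool hardened) {
    Layout layout(hardened);
    EventLoop loop;
    Item* item = new Item;
    layout.insert(item);
    layout.remove(item);            // item leaves the layout
    loop.deleteLater(item);         // deletion is only scheduled
    layout.insert(item);            // re-added before the deletion runs
    loop.processDeferredDeletes();  // destructor runs now
    return layout.danglingCount();
}
int main() { return (replaySequence(false) == 1 && replaySequence(true) == 0) ? 0 : 1; }
```

Because the cleanup happens in the destructor, it covers the re-insertion even when its caller is unknown.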

