https://bugs.kde.org/show_bug.cgi?id=408553
Matt Fagnani <matthew.fagn...@utoronto.ca> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|wayland-generic             |general
           Assignee|kwin-bugs-n...@kde.org      |mgraess...@kde.org
            Product|kwin                        |frameworks-kwayland
            Version|5.15.5                      |5.59.0

--- Comment #5 from Matt Fagnani <matthew.fagn...@utoronto.ca> ---
I've noticed similarities in the first invalid read at wl_proxy_unref
(wayland-client.c:229) I reported and invalid reads starting at
wayland-client.c:229 in plasmashell
https://bugs.kde.org/show_bug.cgi?id=409021#c1, konsole
https://bugs.kde.org/show_bug.cgi?id=408971, kglobalaccel5 and
akonadi_sendlater_agent.

The address freed had the following common functions and source lines and
was 44 bytes inside a block of size 72 free'd:

==4203== Address 0x1934ea3c is 44 bytes inside a block of size 72 free'd
==4203==    at 0x4839A0C: free (vg_replace_malloc.c:540)
==4203==    by 0x1949F844: destroy (wayland_pointer_p.h:63)
==4203==    by 0x1949F844: KWayland::Client::Registry::Private::globalSync(void*, wl_callback*, unsigned int) (registry.cpp:539)
==4203==    by 0x485CB27: ffi_call_unix64 (in /usr/lib64/libffi.so.6.0.2)
==4203==    by 0x485C338: ffi_call (in /usr/lib64/libffi.so.6.0.2)
==4203==    by 0x172C3606: wl_closure_invoke (connection.c:1014)
==4203==    by 0x172BFF17: dispatch_event.isra.0 (wayland-client.c:1430)
==4203==    by 0x172C146B: dispatch_queue (wayland-client.c:1576)
==4203==    by 0x172C146B: wl_display_dispatch_queue_pending (wayland-client.c:1818)
==4203==    by 0x172C18AA: wl_display_roundtrip_queue (wayland-client.c:1241)
==4203==    by 0x194887C3: KWayland::Client::ConnectionThread::roundtrip() (connection_thread.cpp:290)

Functions in those stacks might have freed the pointer before the other
programs used it. KWayland::Client::Registry::Private::globalSync
(registry.cpp:539) might be where the freeing was done too early.
(gdb) list registry.cpp:533,540
533     void Registry::Private::globalSync(void* data, wl_callback* callback, uint32_t serial)
534     {
535         Q_UNUSED(serial)
536         auto r = reinterpret_cast<Registry::Private*>(data);
537         Q_ASSERT(r->callback == callback);
538         r->handleGlobalSync();
539         r->callback.destroy();
540     }

Memory corruption due to the use-after-free errors might have led to the
segmentation faults I saw. I'm reassigning this to frameworks-kwayland based
on the above. kwayland-integration or libwayland-client are other possible
packages involved.

-- 
You are receiving this mail because:
You are watching all bug changes.
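The mechanism the comment suspects, a handler destroying its own callback proxy while the dispatcher that invoked it still has to touch that proxy afterwards, is easier to reason about with a small model. The following C program is an added illustration, not code from KWayland or libwayland: `proxy_t`, `dispatch_done()`, `struct registry` and `registry_global_sync()` are hypothetical stand-ins for a wl_callback proxy, libwayland's event dispatch, KWayland's `Registry::Private` and its `globalSync()`. It shows the refcount the dispatcher must hold across the handler call so that a destroy issued from inside the handler (the `r->callback.destroy()` at registry.cpp:539) does not leave the dispatcher's final unref reading freed memory, which is the kind of access the valgrind trace reports at wl_proxy_unref.

```c
#include <stdio.h>
#include <stdlib.h>

typedef struct proxy proxy_t;
typedef void (*done_handler_t)(void *data, proxy_t *cb, unsigned int serial);

/* Hypothetical proxy: stands in for a wl_callback and its wl_proxy. */
struct proxy {
    int refcount;          /* owners: the user plus any in-flight dispatch */
    int destroyed;         /* set once the user called proxy_destroy() */
    done_handler_t done;   /* handler for the 'done' event */
    void *user_data;
};

static int g_frees = 0;    /* number of real deallocations, for checking */

int proxy_frees(void) { return g_frees; }

proxy_t *proxy_create(done_handler_t done, void *user_data)
{
    proxy_t *p = calloc(1, sizeof *p);
    if (!p)
        abort();
    p->refcount = 1;       /* the user's reference */
    p->done = done;
    p->user_data = user_data;
    return p;
}

static void proxy_ref(proxy_t *p) { p->refcount++; }

static void proxy_unref(proxy_t *p)
{
    /* Read the count and free on zero. If the block were already freed by
     * another path, this decrement would be an invalid read of the kind
     * valgrind flagged in wl_proxy_unref. */
    if (--p->refcount == 0) {
        g_frees++;
        free(p);
    }
}

void proxy_destroy(proxy_t *p)
{
    p->destroyed = 1;      /* no further events for this proxy */
    proxy_unref(p);        /* drop the user's reference only */
}

/* Deliver a 'done' event. Returns 1 if the handler ran, 0 if the proxy was
 * already destroyed before dispatch. */
int dispatch_done(proxy_t *p, unsigned int serial)
{
    if (p->destroyed)
        return 0;
    proxy_ref(p);          /* keep p alive while the handler runs */
    p->done(p->user_data, p, serial);
    /* If the handler destroyed p (as globalSync does), this unref is the one
     * that frees it. Without the proxy_ref() above, p would already be gone
     * here and the decrement would be a use-after-free. */
    proxy_unref(p);
    return 1;
}

/* Hypothetical stand-in for KWayland's Registry::Private. */
struct registry {
    proxy_t *callback;
    int synced;
};

static void registry_global_sync(void *data, proxy_t *cb, unsigned int serial)
{
    struct registry *r = data;
    (void)serial;
    if (r->callback != cb)         /* Q_ASSERT(r->callback == callback) */
        abort();
    r->synced = 1;                 /* handleGlobalSync() */
    proxy_destroy(r->callback);    /* r->callback.destroy() */
    r->callback = NULL;
}

/* One sync roundtrip: create the callback, dispatch its 'done', and verify
 * the proxy was freed exactly once and only after dispatch returned. */
int sync_roundtrip(void)
{
    int before = g_frees;
    struct registry r = { NULL, 0 };
    r.callback = proxy_create(registry_global_sync, &r);
    int ran = dispatch_done(r.callback, 1);
    return ran == 1 && r.synced == 1 && r.callback == NULL
        && g_frees - before == 1;
}

int main(void)
{
    printf("sync roundtrip %s, proxies freed: %d\n",
           sync_roundtrip() ? "ok" : "FAILED", proxy_frees());
    return 0;
}
```

The point of the model is the pairing of `proxy_ref()` before the handler with `proxy_unref()` after it: destroying the proxy from inside its own handler is only safe when the dispatcher is the last owner. When diagnosing a trace like the one above, the question to answer is whether the `destroy` at registry.cpp:539 releases the same reference the dispatcher still expects to release at wayland-client.c:229, or a separate one.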