https://bugs.kde.org/show_bug.cgi?id=409688

            Bug ID: 409688
           Summary: kwin_wayland aborted when shutting down involving
                    invalid reads and writes, use of uninitialized
                    variables etc.
           Product: kwin
           Version: 5.15.5
          Platform: Fedora RPMs
                OS: Linux
            Status: REPORTED
          Severity: normal
          Priority: NOR
         Component: wayland-generic
          Assignee: kwin-bugs-n...@kde.org
          Reporter: matthew.fagn...@utoronto.ca
  Target Milestone: ---

Created attachment 121444
  --> https://bugs.kde.org/attachment.cgi?id=121444&action=edit
valgrind log file when run on kwin_wayland after shutting down

SUMMARY

I've seen audit messages in my journal indicating that kwin_wayland aborted
when shutting down the system in Plasma 5.15.5 on Wayland in Fedora 30, such as
the following.

Jul 09 21:01:21 audit[1399]: ANOM_ABEND auid=1000 uid=1000 gid=1000 ses=2
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1399
comm="QDBusConnection" exe="/usr/bin/kwin_wayland" sig=6 res=1
Jul 09 21:01:21 systemd[1]: Requested transaction contradicts existing jobs:
Transaction for systemd-coredump@0-1970-0.service/start is destructive
(systemd-poweroff.service has 'start' job queued, but 'stop' is included in
transaction).
Jul 09 21:01:21 systemd[1]: systemd-coredump.socket: Failed to queue service
startup job (Maybe the service file is missing or not a non-template unit?):
Transaction for systemd-coredump@0-1970-0.service/start is destructive
(systemd-poweroff.service has 'start' job queued, but 'stop' is included in
transaction).
Jul 09 21:01:21 systemd[1]: systemd-coredump.socket: Failed with result
'resources'.
Jul 09 21:01:21 systemd-coredump[1970]: Failed to send coredump datagram:
Connection reset by peer

There are 149 such messages indicating kwin_wayland aborted when I shut down or
rebooted. The crashes were not in coredumpctl or abrt.

I edited /usr/bin/startplasmacompositor at line 239 to run kwin_wayland under
valgrind like
valgrind --log-file=/programs/kde/kwin/valgrind-kwin_wayland-3.txt
--track-origins=yes /usr/bin/kwin_wayland --xwayland --libinput
--exit-with-session=/usr/libexec/startplasma

I rebooted, then logged into Plasma on Wayland from sddm 0.18.1 under valgrind.
I shut down the system. The valgrind log showed 20 invalid reads and 2 invalid
writes overall. An invalid read in wl_proxy_unref (wayland-client.c:229) in
libwayland-client and an invalid write in wl_proxy_unref (wayland-client.c:230)
happened before I started the shutdown. Those appear to be use-after-free
errors since they contained lines like "Address 0x1c2e4ffc is 44 bytes inside a
block of size 72 free'd".

==2115== Thread 3 QThread:
==2115== Invalid read of size 4
==2115==    at 0x8844BB4: wl_proxy_unref (wayland-client.c:229)
==2115==    by 0x8844CB3: destroy_queued_closure (wayland-client.c:291)
==2115==    by 0x8844EC7: dispatch_event.isra.0 (wayland-client.c:1436)
==2115==    by 0x884646B: dispatch_queue (wayland-client.c:1576)
==2115==    by 0x884646B: wl_display_dispatch_queue_pending
(wayland-client.c:1818)
==2115==    by 0x6605F16: operator() (connection_thread.cpp:129)
==2115==    by 0x6605F16: call (qobjectdefs_impl.h:146)
==2115==    by 0x6605F16: call<QtPrivate::List<>, void>
(qobjectdefs_impl.h:256)
==2115==    by 0x6605F16:
QtPrivate::QFunctorSlotObject<KWayland::Client::ConnectionThread::Private::setupSocketNotifier()::{lambda()#1},
0, QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*,
void**, bool*) (qobjectdefs_impl.h:439)
==2115==    by 0x5883EBF: call (qobjectdefs_impl.h:394)
==2115==    by 0x5883EBF: QMetaObject::activate(QObject*, int, int, void**)
(qobject.cpp:3781)
==2115==    by 0x588FFCB: QSocketNotifier::activated(int,
QSocketNotifier::QPrivateSignal) (moc_qsocketnotifier.cpp:140)
==2115==    by 0x5890330: QSocketNotifier::event(QEvent*)
(qsocketnotifier.cpp:266)
==2115==    by 0x50C4AF5: QApplicationPrivate::notify_helper(QObject*, QEvent*)
(qapplication.cpp:3737)
==2115==    by 0x50CDE7F: QApplication::notify(QObject*, QEvent*)
(qapplication.cpp:3483)
==2115==    by 0x5859AE7: QCoreApplication::notifyInternal2(QObject*, QEvent*)
(qcoreapplication.cpp:1084)
==2115==    by 0x58AF586: socketNotifierSourceDispatch(_GSource*, int
(*)(void*), void*) (qeventdispatcher_glib.cpp:106)
==2115==  Address 0x1c2e4ffc is 44 bytes inside a block of size 72 free'd
==2115==    at 0x4839A0C: free (vg_replace_malloc.c:540)
==2115==    by 0x661DC14: destroy (wayland_pointer_p.h:63)
==2115==    by 0x661DC14:
KWayland::Client::Registry::Private::globalSync(void*, wl_callback*, unsigned
int) (registry.cpp:539)
==2115==    by 0x8856B27: ffi_call_unix64 (unix64.S:76)
==2115==    by 0x8856338: ffi_call (ffi64.c:525)
==2115==    by 0x8848606: wl_closure_invoke (connection.c:1014)
==2115==    by 0x8844F17: dispatch_event.isra.0 (wayland-client.c:1430)
==2115==    by 0x884646B: dispatch_queue (wayland-client.c:1576)
==2115==    by 0x884646B: wl_display_dispatch_queue_pending
(wayland-client.c:1818)
==2115==    by 0x6605F16: operator() (connection_thread.cpp:129)
==2115==    by 0x6605F16: call (qobjectdefs_impl.h:146)
==2115==    by 0x6605F16: call<QtPrivate::List<>, void>
(qobjectdefs_impl.h:256)
==2115==    by 0x6605F16:
QtPrivate::QFunctorSlotObject<KWayland::Client::ConnectionThread::Private::setupSocketNotifier()::{lambda()#1},
0, QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*,
void**, bool*) (qobjectdefs_impl.h:439)
==2115==    by 0x5883EBF: call (qobjectdefs_impl.h:394)
==2115==    by 0x5883EBF: QMetaObject::activate(QObject*, int, int, void**)
(qobject.cpp:3781)
==2115==    by 0x588FFCB: QSocketNotifier::activated(int,
QSocketNotifier::QPrivateSignal) (moc_qsocketnotifier.cpp:140)
==2115==    by 0x5890330: QSocketNotifier::event(QEvent*)
(qsocketnotifier.cpp:266)
==2115==    by 0x50C4AF5: QApplicationPrivate::notify_helper(QObject*, QEvent*)
(qapplication.cpp:3737)
==2115==  Block was alloc'd at
==2115==    at 0x483AB1A: calloc (vg_replace_malloc.c:762)
==2115==    by 0x8844D42: UnknownInlinedFun (wayland-private.h:236)
==2115==    by 0x8844D42: proxy_create.isra.0 (wayland-client.c:421)
==2115==    by 0x884542B: create_outgoing_proxy (wayland-client.c:650)
==2115==    by 0x884542B: wl_proxy_marshal_array_constructor_versioned
(wayland-client.c:735)
==2115==    by 0x8845782: wl_proxy_marshal_constructor (wayland-client.c:824)
==2115==    by 0x661E0BD: wl_display_sync (wayland-client-protocol.h:958)
==2115==    by 0x661E0BD: KWayland::Client::Registry::create(wl_display*)
(registry.cpp:470)
==2115==    by 0x661E13A:
KWayland::Client::Registry::create(KWayland::Client::ConnectionThread*)
(registry.cpp:479)
==2115==    by 0x197A76F7: Breeze::ShadowHelper::initializeWayland()
(breezeshadowhelper.cpp:149)
==2115==    by 0x5884BF9: QObject::event(QEvent*) (qobject.cpp:1260)
==2115==    by 0x50C4AF5: QApplicationPrivate::notify_helper(QObject*, QEvent*)
(qapplication.cpp:3737)
==2115==    by 0x50CDE7F: QApplication::notify(QObject*, QEvent*)
(qapplication.cpp:3483)
==2115==    by 0x5859AE7: QCoreApplication::notifyInternal2(QObject*, QEvent*)
(qcoreapplication.cpp:1084)
==2115==    by 0x585CA92: QCoreApplicationPrivate::sendPostedEvents(QObject*,
int, QThreadData*) (qcoreapplication.cpp:1821)
==2115== 
==2115== Invalid write of size 4
==2115==    at 0x8844BBE: wl_proxy_unref (wayland-client.c:230)
==2115==    by 0x8844CB3: destroy_queued_closure (wayland-client.c:291)
==2115==    by 0x8844EC7: dispatch_event.isra.0 (wayland-client.c:1436)
==2115==    by 0x884646B: dispatch_queue (wayland-client.c:1576)
==2115==    by 0x884646B: wl_display_dispatch_queue_pending
(wayland-client.c:1818)
==2115==    by 0x6605F16: operator() (connection_thread.cpp:129)
==2115==    by 0x6605F16: call (qobjectdefs_impl.h:146)
==2115==    by 0x6605F16: call<QtPrivate::List<>, void>
(qobjectdefs_impl.h:256)
==2115==    by 0x6605F16:
QtPrivate::QFunctorSlotObject<KWayland::Client::ConnectionThread::Private::setupSocketNotifier()::{lambda()#1},
0, QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*,
void**, bool*) (qobjectdefs_impl.h:439)
==2115==    by 0x5883EBF: call (qobjectdefs_impl.h:394)
==2115==    by 0x5883EBF: QMetaObject::activate(QObject*, int, int, void**)
(qobject.cpp:3781)
==2115==    by 0x588FFCB: QSocketNotifier::activated(int,
QSocketNotifier::QPrivateSignal) (moc_qsocketnotifier.cpp:140)
==2115==    by 0x5890330: QSocketNotifier::event(QEvent*)
(qsocketnotifier.cpp:266)
==2115==    by 0x50C4AF5: QApplicationPrivate::notify_helper(QObject*, QEvent*)
(qapplication.cpp:3737)
==2115==    by 0x50CDE7F: QApplication::notify(QObject*, QEvent*)
(qapplication.cpp:3483)
==2115==    by 0x5859AE7: QCoreApplication::notifyInternal2(QObject*, QEvent*)
(qcoreapplication.cpp:1084)
==2115==    by 0x58AF586: socketNotifierSourceDispatch(_GSource*, int
(*)(void*), void*) (qeventdispatcher_glib.cpp:106)
==2115==  Address 0x1c2e4ffc is 44 bytes inside a block of size 72 free'd
==2115==    at 0x4839A0C: free (vg_replace_malloc.c:540)
==2115==    by 0x661DC14: destroy (wayland_pointer_p.h:63)
==2115==    by 0x661DC14:
KWayland::Client::Registry::Private::globalSync(void*, wl_callback*, unsigned
int) (registry.cpp:539)
==2115==    by 0x8856B27: ffi_call_unix64 (unix64.S:76)
==2115==    by 0x8856338: ffi_call (ffi64.c:525)
==2115==    by 0x8848606: wl_closure_invoke (connection.c:1014)
==2115==    by 0x8844F17: dispatch_event.isra.0 (wayland-client.c:1430)
==2115==    by 0x884646B: dispatch_queue (wayland-client.c:1576)
==2115==    by 0x884646B: wl_display_dispatch_queue_pending
(wayland-client.c:1818)
==2115==    by 0x6605F16: operator() (connection_thread.cpp:129)
==2115==    by 0x6605F16: call (qobjectdefs_impl.h:146)
==2115==    by 0x6605F16: call<QtPrivate::List<>, void>
(qobjectdefs_impl.h:256)
==2115==    by 0x6605F16:
QtPrivate::QFunctorSlotObject<KWayland::Client::ConnectionThread::Private::setupSocketNotifier()::{lambda()#1},
0, QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*,
void**, bool*) (qobjectdefs_impl.h:439)
==2115==    by 0x5883EBF: call (qobjectdefs_impl.h:394)
==2115==    by 0x5883EBF: QMetaObject::activate(QObject*, int, int, void**)
(qobject.cpp:3781)
==2115==    by 0x588FFCB: QSocketNotifier::activated(int,
QSocketNotifier::QPrivateSignal) (moc_qsocketnotifier.cpp:140)
==2115==    by 0x5890330: QSocketNotifier::event(QEvent*)
(qsocketnotifier.cpp:266)
==2115==    by 0x50C4AF5: QApplicationPrivate::notify_helper(QObject*, QEvent*)
(qapplication.cpp:3737)
==2115==  Block was alloc'd at
==2115==    at 0x483AB1A: calloc (vg_replace_malloc.c:762)
==2115==    by 0x8844D42: UnknownInlinedFun (wayland-private.h:236)
==2115==    by 0x8844D42: proxy_create.isra.0 (wayland-client.c:421)
==2115==    by 0x884542B: create_outgoing_proxy (wayland-client.c:650)
==2115==    by 0x884542B: wl_proxy_marshal_array_constructor_versioned
(wayland-client.c:735)
==2115==    by 0x8845782: wl_proxy_marshal_constructor (wayland-client.c:824)
==2115==    by 0x661E0BD: wl_display_sync (wayland-client-protocol.h:958)
==2115==    by 0x661E0BD: KWayland::Client::Registry::create(wl_display*)
(registry.cpp:470)
==2115==    by 0x661E13A:
KWayland::Client::Registry::create(KWayland::Client::ConnectionThread*)
(registry.cpp:479)
==2115==    by 0x197A76F7: Breeze::ShadowHelper::initializeWayland()
(breezeshadowhelper.cpp:149)
==2115==    by 0x5884BF9: QObject::event(QEvent*) (qobject.cpp:1260)
==2115==    by 0x50C4AF5: QApplicationPrivate::notify_helper(QObject*, QEvent*)
(qapplication.cpp:3737)
==2115==    by 0x50CDE7F: QApplication::notify(QObject*, QEvent*)
(qapplication.cpp:3483)
==2115==    by 0x5859AE7: QCoreApplication::notifyInternal2(QObject*, QEvent*)
(qcoreapplication.cpp:1084)
==2115==    by 0x585CA92: QCoreApplicationPrivate::sendPostedEvents(QObject*,
int, QThreadData*) (qcoreapplication.cpp:1821)
==2115== 

A use of uninitialized variables in ScreenLocker::KSldApp::event(QEvent*) at
ksldapp.cpp:733 in kscreenlocker and in the syscall writev (writev.c:26) also
happened before I selected Shut Down in Plasma.

==2115== Thread 1:
==2115== Conditional jump or move depends on uninitialised value(s)
==2115==    at 0x64445BB: ScreenLocker::KSldApp::event(QEvent*)
(ksldapp.cpp:733)
==2115==    by 0x50C4AF5: QApplicationPrivate::notify_helper(QObject*, QEvent*)
(qapplication.cpp:3737)
==2115==    by 0x50CDE7F: QApplication::notify(QObject*, QEvent*)
(qapplication.cpp:3483)
==2115==    by 0x5859AE7: QCoreApplication::notifyInternal2(QObject*, QEvent*)
(qcoreapplication.cpp:1084)
==2115==    by 0x588B542: QObjectPrivate::setParent_helper(QObject*)
(qobject.cpp:2059)
==2115==    by 0x588BF67: QObject::QObject(QObject*) (qobject.cpp:817)
==2115==    by 0x645A5C3: ScreenLocker::WaylandServer::WaylandServer(QObject*)
(waylandserver.cpp:45)
==2115==    by 0x6443955: ScreenLocker::KSldApp::KSldApp(QObject*)
(ksldapp.cpp:87)
==2115==    by 0x6443AD4: ScreenLocker::KSldApp::self() (ksldapp.cpp:76)
==2115==    by 0x4AC82EC: KWin::WaylandServer::initScreenLocker()
(wayland_server.cpp:439)
==2115==    by 0x4ACB837: KWin::WaylandServer::initWorkspace()
(wayland_server.cpp:428)
==2115==    by 0x5883EBF: call (qobjectdefs_impl.h:394)
==2115==    by 0x5883EBF: QMetaObject::activate(QObject*, int, int, void**)
(qobject.cpp:3781)
==2115==  Uninitialised value was created by a heap allocation
==2115==    at 0x4838E86: operator new(unsigned long) (vg_replace_malloc.c:344)
==2115==    by 0x6443AC5: ScreenLocker::KSldApp::self() (ksldapp.cpp:76)
==2115==    by 0x4AC82EC: KWin::WaylandServer::initScreenLocker()
(wayland_server.cpp:439)
==2115==    by 0x4ACB837: KWin::WaylandServer::initWorkspace()
(wayland_server.cpp:428)
==2115==    by 0x5883EBF: call (qobjectdefs_impl.h:394)
==2115==    by 0x5883EBF: QMetaObject::activate(QObject*, int, int, void**)
(qobject.cpp:3781)
==2115==    by 0x116B51: KWin::ApplicationWayland::continueStartupWithX()
(main_wayland.cpp:265)
==2115==    by 0x5884BF9: QObject::event(QEvent*) (qobject.cpp:1260)
==2115==    by 0x50CC203: QApplication::event(QEvent*) (qapplication.cpp:1991)
==2115==    by 0x50C4AF5: QApplicationPrivate::notify_helper(QObject*, QEvent*)
(qapplication.cpp:3737)
==2115==    by 0x50CDE7F: QApplication::notify(QObject*, QEvent*)
(qapplication.cpp:3483)
==2115==    by 0x5859AE7: QCoreApplication::notifyInternal2(QObject*, QEvent*)
(qcoreapplication.cpp:1084)
==2115==    by 0x585CA92: QCoreApplicationPrivate::sendPostedEvents(QObject*,
int, QThreadData*) (qcoreapplication.cpp:1821)
==2115== 
==2115== Syscall param writev(vector[...]) points to uninitialised byte(s)
==2115==    at 0x5E29325: __writev (writev.c:26)
==2115==    by 0x5E29325: writev (writev.c:24)
==2115==    by 0x5B20626: write_vec (xcb_conn.c:277)
==2115==    by 0x5B20626: _xcb_conn_wait (xcb_conn.c:522)
==2115==    by 0x5B209F8: _xcb_out_send (xcb_out.c:464)
==2115==    by 0x5B20C86: _xcb_out_flush_to (xcb_out.c:488)
==2115==    by 0x5B2150F: xcb_flush (xcb_out.c:423)
==2115==    by 0x114A29: operator() (main_wayland.cpp:236)
==2115==    by 0x114A29: call (qobjectdefs_impl.h:146)
==2115==    by 0x114A29: call<QtPrivate::List<>, void> (qobjectdefs_impl.h:256)
==2115==    by 0x114A29:
QtPrivate::QFunctorSlotObject<KWin::ApplicationWayland::continueStartupWithX()::{lambda()#1},
0, QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*,
void**, bool*) (qobjectdefs_impl.h:439)
==2115==    by 0x5883EBF: call (qobjectdefs_impl.h:394)
==2115==    by 0x5883EBF: QMetaObject::activate(QObject*, int, int, void**)
(qobject.cpp:3781)
==2115==    by 0x58ABF99:
QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)
(qeventdispatcher_unix.cpp:465)
==2115==    by 0x18D61ED0:
QUnixEventDispatcherQPA::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)
(in /usr/lib64/qt5/plugins/platforms/KWinQpaPlugin.so)
==2115==    by 0x58589EA:
QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (qeventloop.cpp:225)
==2115==    by 0x5860725: QCoreApplication::exec() (qcoreapplication.cpp:1385)
==2115==    by 0x113994: main (main_wayland.cpp:830)
==2115==  Address 0x27f31ff2 is 4,530 bytes inside a block of size 21,152
alloc'd
==2115==    at 0x483AB1A: calloc (vg_replace_malloc.c:762)
==2115==    by 0x5B1FFF4: xcb_connect_to_fd (xcb_conn.c:345)
==2115==    by 0x11538F: KWin::ApplicationWayland::createX11Connection()
(main_wayland.cpp:328)
==2115==    by 0x116859: KWin::ApplicationWayland::continueStartupWithX()
(main_wayland.cpp:223)
==2115==    by 0x5884BF9: QObject::event(QEvent*) (qobject.cpp:1260)
==2115==    by 0x50CC203: QApplication::event(QEvent*) (qapplication.cpp:1991)
==2115==    by 0x50C4AF5: QApplicationPrivate::notify_helper(QObject*, QEvent*)
(qapplication.cpp:3737)
==2115==    by 0x50CDE7F: QApplication::notify(QObject*, QEvent*)
(qapplication.cpp:3483)
==2115==    by 0x5859AE7: QCoreApplication::notifyInternal2(QObject*, QEvent*)
(qcoreapplication.cpp:1084)
==2115==    by 0x585CA92: QCoreApplicationPrivate::sendPostedEvents(QObject*,
int, QThreadData*) (qcoreapplication.cpp:1821)
==2115==    by 0x58ABFA6:
QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)
(qeventdispatcher_unix.cpp:466)
==2115==    by 0x18D61ED0:
QUnixEventDispatcherQPA::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)
(in /usr/lib64/qt5/plugins/platforms/KWinQpaPlugin.so)
==2115==  Uninitialised value was created by a stack allocation
==2115==    at 0x4F2DE35: KSelectionOwner::Private::gotTimestamp()
(kselectionowner.cpp:222)

19 invalid reads and 1 invalid write happened after the shutdown began, starting
at poll_for_next_event (xcb_in.c:708). These invalid reads and the write also
appeared to be use-after-free errors.

==2115== Invalid read of size 4
==2115==    at 0x5B230A4: poll_for_next_event (xcb_in.c:708)
==2115==    by 0x5B230A4: xcb_poll_for_event (xcb_in.c:722)
==2115==    by 0x1149A1: operator() (main_wayland.cpp:231)
==2115==    by 0x1149A1: call (qobjectdefs_impl.h:146)
==2115==    by 0x1149A1: call<QtPrivate::List<>, void> (qobjectdefs_impl.h:256)
==2115==    by 0x1149A1:
QtPrivate::QFunctorSlotObject<KWin::ApplicationWayland::continueStartupWithX()::{lambda()#1},
0, QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*,
void**, bool*) (qobjectdefs_impl.h:439)
==2115==    by 0x5883EBF: call (qobjectdefs_impl.h:394)
==2115==    by 0x5883EBF: QMetaObject::activate(QObject*, int, int, void**)
(qobject.cpp:3781)
==2115==    by 0x58ABF99:
QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)
(qeventdispatcher_unix.cpp:465)
==2115==    by 0x18D61ED0:
QUnixEventDispatcherQPA::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)
(in /usr/lib64/qt5/plugins/platforms/KWinQpaPlugin.so)
==2115==    by 0x1157D1: KWin::ApplicationWayland::~ApplicationWayland()
(main_wayland.cpp:157)
==2115==    by 0x112F29: main (main_wayland.cpp:557)
==2115==  Address 0x27f30e40 is 0 bytes inside a block of size 21,152 free'd
==2115==    at 0x4839A0C: free (vg_replace_malloc.c:540)
==2115==    by 0x1157A0: KWin::ApplicationWayland::~ApplicationWayland()
(main_wayland.cpp:151)
==2115==    by 0x112F29: main (main_wayland.cpp:557)
==2115==  Block was alloc'd at
==2115==    at 0x483AB1A: calloc (vg_replace_malloc.c:762)
==2115==    by 0x5B1FFF4: xcb_connect_to_fd (xcb_conn.c:345)
==2115==    by 0x11538F: KWin::ApplicationWayland::createX11Connection()
(main_wayland.cpp:328)
==2115==    by 0x116859: KWin::ApplicationWayland::continueStartupWithX()
(main_wayland.cpp:223)
==2115==    by 0x5884BF9: QObject::event(QEvent*) (qobject.cpp:1260)
==2115==    by 0x50CC203: QApplication::event(QEvent*) (qapplication.cpp:1991)
==2115==    by 0x50C4AF5: QApplicationPrivate::notify_helper(QObject*, QEvent*)
(qapplication.cpp:3737)
==2115==    by 0x50CDE7F: QApplication::notify(QObject*, QEvent*)
(qapplication.cpp:3483)
==2115==    by 0x5859AE7: QCoreApplication::notifyInternal2(QObject*, QEvent*)
(qcoreapplication.cpp:1084)
==2115==    by 0x585CA92: QCoreApplicationPrivate::sendPostedEvents(QObject*,
int, QThreadData*) (qcoreapplication.cpp:1821)
==2115==    by 0x58ABFA6:
QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)
(qeventdispatcher_unix.cpp:466)
==2115==    by 0x18D61ED0:
QUnixEventDispatcherQPA::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)
(in /usr/lib64/qt5/plugins/platforms/KWinQpaPlugin.so)


The trace of the kwin_wayland abort involved functions like
_dbus_warn_check_failed (dbus-internals.c:281) in dbus-libs-1.12.16-1 and
QDBusConnection related ones like QDBusConnectionPrivate::getNameOwnerNoCache
(qdbusintegrator.cpp:2502) in qt5-qtbase-5.12.4-1. 

==2115== Process terminating with default action of signal 6 (SIGABRT): dumping
core
==2115==    at 0x5D6EE75: raise (raise.c:51)
==2115==    by 0x5D5995D: abort (abort.c:100)
==2115==    by 0x7BF3B31: _dbus_abort.cold (dbus-sysdeps.c:93)
==2115==    by 0x7C161BF: _dbus_warn_check_failed (dbus-internals.c:281)
==2115==    by 0x4DE60F8: q_dbus_pending_call_block (qdbus_symbols_p.h:448)
==2115==    by 0x4DE60F8: QDBusConnectionPrivate::getNameOwnerNoCache(QString
const&) (qdbusintegrator.cpp:2502)
==2115==    by 0x4DE67FF: QDBusConnectionPrivate::addSignalHook(QString const&,
QDBusConnectionPrivate::SignalHook const&) (qdbusintegrator.cpp:2249)
==2115==    by 0x4DE7B94: call (qobjectdefs_impl.h:152)
==2115==    by 0x4DE7B94: call<QtPrivate::List<const QString&, const
QDBusConnectionPrivate::SignalHook&>, bool> (qobjectdefs_impl.h:185)
==2115==    by 0x4DE7B94: QtPrivate::QSlotObject<bool
(QDBusConnectionPrivate::*)(QString const&, QDBusConnectionPrivate::SignalHook
const&), QtPrivate::List<QString const&, QDBusConnectionPrivate::SignalHook
const&>, bool>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*)
(qobjectdefs_impl.h:414)
==2115==    by 0x5884BF9: QObject::event(QEvent*) (qobject.cpp:1260)
==2115==    by 0x5859A54: doNotify(QObject*, QEvent*)
(qcoreapplication.cpp:1174)
==2115==    by 0x5859B60: QCoreApplication::notifyInternal2(QObject*, QEvent*)
(qcoreapplication.cpp:1083)
==2115==    by 0x585CA92: QCoreApplicationPrivate::sendPostedEvents(QObject*,
int, QThreadData*) (qcoreapplication.cpp:1821)
==2115==    by 0x58AEE46: postEventSourceDispatch(_GSource*, int (*)(void*),
void*) (qeventdispatcher_glib.cpp:276)
==2115== 

The use of QDBusConnections agrees with the audit message of the abort, which
included comm="QDBusConnection".

STEPS TO REPRODUCE
1. boot into Fedora 30 KDE Plasma spin fully updated with updates-testing
enabled
2. Log into Plasma on Wayland from sddm
3. Shut down

Troubleshooting
4. boot again
5. Log into Plasma on Wayland from sddm
6. journalctl -b -1
7. edit /usr/bin/startplasmacompositor to run kwin_wayland under valgrind as
described above
8. reboot
9. Log into Plasma on Wayland from sddm
10. shut down
11. boot
12. Log into Plasma on Wayland from sddm
13. read valgrind log

OBSERVED RESULT
kwin_wayland aborted when shutting down

EXPECTED RESULT
kwin_wayland stops normally when shutting down


SOFTWARE/OS VERSIONS
Linux/KDE Plasma: Fedora 30, 5.1.16 kernel
(available in About System)
KDE Plasma Version: 5.15.5
KDE Frameworks Version: 5.59.0
Qt Version: 5.12.4

ADDITIONAL INFORMATION

I've noticed similarities between the first invalid read at wl_proxy_unref
(wayland-client.c:229) I reported and invalid reads starting at
wayland-client.c:229 in plasmashell
(https://bugs.kde.org/show_bug.cgi?id=409021#c1),
konsole (https://bugs.kde.org/show_bug.cgi?id=408971),
powerdevil (https://bugs.kde.org/show_bug.cgi?id=408553),
kglobalaccel5 and akonadi_sendlater_agent.

The address freed had the following common functions and source lines, and was
44 bytes inside a block of size 72 free'd:

==4203==  Address 0x1934ea3c is 44 bytes inside a block of size 72 free'd
==4203==    at 0x4839A0C: free (vg_replace_malloc.c:540)
==4203==    by 0x1949F844: destroy (wayland_pointer_p.h:63)
==4203==    by 0x1949F844:
KWayland::Client::Registry::Private::globalSync(void*, wl_callback*, unsigned
int) (registry.cpp:539)
==4203==    by 0x485CB27: ffi_call_unix64 (in /usr/lib64/libffi.so.6.0.2)
==4203==    by 0x485C338: ffi_call (in /usr/lib64/libffi.so.6.0.2)
==4203==    by 0x172C3606: wl_closure_invoke (connection.c:1014)
==4203==    by 0x172BFF17: dispatch_event.isra.0 (wayland-client.c:1430)
==4203==    by 0x172C146B: dispatch_queue (wayland-client.c:1576)
==4203==    by 0x172C146B: wl_display_dispatch_queue_pending
(wayland-client.c:1818)
==4203==    by 0x172C18AA: wl_display_roundtrip_queue (wayland-client.c:1241)
==4203==    by 0x194887C3: KWayland::Client::ConnectionThread::roundtrip()
(connection_thread.cpp:290)

Functions in those stacks might have freed the pointer before the other
programs used it. KWayland::Client::Registry::Private::globalSync
(registry.cpp:539) might be where the freeing was done too early.

Memory corruption due to the use-after-free errors might have led to the
segmentation faults I saw. These errors might be in kwayland or
libwayland-client. This report could be reassigned to frameworks-kwayland. 

I've attached the full valgrind log.
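Added example, not part of this report or of KWin: a small triage script for memcheck logs in the format quoted above. It splits the log into error records, labels each one (invalid read/write, uninitialised value, syscall param, fatal signal), tracks the reporting thread, flags accesses into free'd blocks as use-after-free and keeps the first caller of free() so the premature-free site (here destroy in wayland_pointer_p.h:63) can be compared across reports such as the ones linked above. SAMPLE_LOG is a constructed excerpt in that format, not the attached log.

```python
import re
from collections import Counter

# Constructed excerpt in memcheck's format (shape taken from the report, not the attached log).
SAMPLE_LOG = """\
==2115== Thread 3 QThread:
==2115== Invalid read of size 4
==2115==    at 0x8844BB4: wl_proxy_unref (wayland-client.c:229)
==2115==  Address 0x1c2e4ffc is 44 bytes inside a block of size 72 free'd
==2115==    at 0x4839A0C: free (vg_replace_malloc.c:540)
==2115==    by 0x661DC14: destroy (wayland_pointer_p.h:63)
==2115==
==2115== Invalid write of size 4
==2115==    at 0x8844BBE: wl_proxy_unref (wayland-client.c:230)
==2115==  Address 0x1c2e4ffc is 44 bytes inside a block of size 72 free'd
==2115==    at 0x4839A0C: free (vg_replace_malloc.c:540)
==2115==
==2115== Thread 1:
==2115== Conditional jump or move depends on uninitialised value(s)
==2115==    at 0x64445BB: ScreenLocker::KSldApp::event(QEvent*) (ksldapp.cpp:733)
==2115==
==2115== Invalid read of size 4
==2115==    at 0x5B230A4: poll_for_next_event (xcb_in.c:708)
==2115==  Address 0x27f30e40 is 0 bytes inside a block of size 21,152 free'd
==2115==    at 0x4839A0C: free (vg_replace_malloc.c:540)
==2115==
==2115== Process terminating with default action of signal 6 (SIGABRT): dumping core
==2115==    at 0x5D6EE75: raise (raise.c:51)
"""

PREFIX = re.compile(r"^==\d+==")
FRAME = re.compile(r"^(?:at|by)\s+0x[0-9A-Fa-f]+:\s+(.+)$")
KINDS = (("Invalid read", "invalid-read"), ("Invalid write", "invalid-write"),
         ("Conditional jump", "uninitialised"), ("Use of uninitialised", "uninitialised"),
         ("Syscall param", "syscall-param"), ("Process terminating", "fatal-signal"))

def classify(head):
    """Map a memcheck error heading to a short label, or None for non-heading lines."""
    return next((label for pfx, label in KINDS if head.startswith(pfx)), None)

def parse_memcheck(text):
    """One record per error: kind, thread, access frames, UAF flag and the free site."""
    records, cur, section, thread = [], None, None, None
    for raw in text.splitlines():
        if not PREFIX.match(raw):
            continue                                   # not memcheck output
        line = PREFIX.sub("", raw).strip()
        kind = classify(line)
        if not line or kind:                           # blank line or new heading ends a record
            if cur:
                records.append(cur)
            cur = {"kind": kind, "thread": thread, "frames": [], "uaf": False, "freed_by": None} if kind else None
            section = "access"
        elif line.startswith("Thread "):
            thread = line.rstrip(":")
        elif cur is None:
            continue
        elif line.startswith("Address "):              # access into a free'd or still-alloc'd block
            cur["uaf"] = line.endswith("free'd")
            section = "free" if cur["uaf"] else "alloc"
        elif line.startswith(("Block was alloc'd", "Uninitialised value was created")):
            section = "alloc"
        elif (m := FRAME.match(line)):
            if section == "access":
                cur["frames"].append(m.group(1))
            elif section == "free" and cur["freed_by"] is None and not m.group(1).startswith("free "):
                cur["freed_by"] = m.group(1)           # first caller of free(): the premature free site
    if cur:
        records.append(cur)
    return records

def summarize(records):
    """Counts per error kind plus the number of accesses into already-freed memory."""
    return {"kinds": dict(Counter(r["kind"] for r in records)), "uaf": sum(r["uaf"] for r in records)}
```

Run it against the attached log with `summarize(parse_memcheck(open(path).read()))` to get the same read/write counts the report gives by hand, and inspect `freed_by` on the UAF records to see where the block was released.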
