https://bugs.kde.org/show_bug.cgi?id=408971
Bug ID: 408971
Summary: Closing konsole with two tabs open in Plasma on Wayland led to segmentation faults and invalid reads/writes
Product: konsole
Version: 19.04.2
Platform: Fedora RPMs
OS: Linux
Status: REPORTED
Severity: normal
Priority: NOR
Component: general
Assignee: konsole-de...@kde.org
Reporter: matthew.fagn...@utoronto.ca
Target Milestone: ---

Created attachment 121046
  --> https://bugs.kde.org/attachment.cgi?id=121046&action=edit
valgrind run on konsole with two tabs open showing invalid reads and writes after closing

SUMMARY

I closed konsole 19.04.2-1.fc30 with two tabs in Plasma on Wayland. drkonqi showed a segmentation fault each time, but drkonqi didn't allow the trace to be submitted. When I ran gdb konsole, opened a second tab and then closed konsole, I got the following segmentation fault in wl_map_insert_at at wayland-util.c:247 of libwayland-client, with more detailed information.

Thread 1 "konsole" received signal SIGSEGV, Segmentation fault.
0x00007fffe5466251 in wl_map_insert_at (map=<optimized out>, flags=flags@entry=1, i=80, data=data@entry=0x0) at src/wayland-util.c:247
247		start[i].next |= (flags & 0x1) << 1;
(gdb) thread apply all bt full

Thread 2 (Thread 0x7fffe4442700 (LWP 2248)):
#0  0x00007ffff7e915c7 in __GI___poll (fds=0x7fffdc005260, nfds=2, timeout=-1) at ../sysdeps/unix/sysv/linux/poll.c:29
        resultvar = 18446744073709551100
        sc_cancel_oldtype = 0
        sc_ret = <optimized out>
#1  0x00007ffff4be51de in g_main_context_poll (priority=<optimized out>, n_fds=2, fds=0x7fffdc005260, timeout=<optimized out>, context=0x7fffdc000bf0) at ../glib/gmain.c:4228
        ret = <optimized out>
        errsv = <optimized out>
        poll_func = 0x7ffff4bf4d50 <g_poll>
        poll_func = <optimized out>
        ret = <optimized out>
        errsv = <optimized out>
#2  g_main_context_iterate (context=context@entry=0x7fffdc000bf0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:3922
        max_priority = 2147483647
        timeout = -1
        some_ready = <optimized out>
        nfds = 2
        allocated_nfds = <optimized out>
        fds = 0x7fffdc005260
#3  0x00007ffff4be5313 in g_main_context_iteration (context=0x7fffdc000bf0, may_block=may_block@entry=1) at ../glib/gmain.c:3988
--Type <RET> for more, q to quit, c to continue without paging--c
        retval = <optimized out>
#4  0x00007ffff670e3f5 in QEventDispatcherGlib::processEvents (this=0x7fffdc000b20, flags=...) at kernel/qeventdispatcher_glib.cpp:422
        d = 0x7fffdc000b40
        canWait = true
        savedFlags = {i = 0}
        result = <optimized out>
#5  0x00007ffff66b82bb in QEventLoop::exec (this=this@entry=0x7fffe4441d30, flags=..., flags@entry=...) at ../../include/QtCore/../../src/corelib/global/qflags.h:140
        d = 0x7fffdc003a00
        locker = {val = 93824992564160}
        ref = {d = 0x7fffdc003a00, locker = @0x7fffe4441cb8, exceptionCaught = true}
        app = <optimized out>
#6  0x00007ffff6511675 in QThread::exec (this=this@entry=0x7ffff5c84060 <(anonymous namespace)::Q_QGS__q_manager::innerFunction()::holder>) at ../../include/QtCore/../../src/corelib/global/qflags.h:120
        d = 0x5555555a5350
        locker = {val = 93824992564160}
        eventLoop = {<QObject> = {_vptr.QObject = 0x7ffff6969a28 <vtable for QEventLoop+16>, static staticMetaObject = {d = {superdata = 0x0, stringdata = 0x7ffff6858e20 <qt_meta_stringdata_QObject>, data = 0x7ffff6858d00 <qt_meta_data_QObject>, static_metacall = 0x7ffff66eb810 <QObject::qt_static_metacall(QObject*, QMetaObject::Call, int, void**)>, relatedMetaObjects = 0x0, extradata = 0x0}}, d_ptr = {d = 0x7fffdc003a00}, static staticQtMetaObject = {d = {superdata = 0x0, stringdata = 0x7ffff685bd40 <qt_meta_stringdata_Qt>, data = 0x7ffff6858f40 <qt_meta_data_Qt>, static_metacall = 0x0, relatedMetaObjects = 0x0, extradata = 0x0}}}, static staticMetaObject = {d = {superdata = 0x7ffff6961fe0 <QObject::staticMetaObject>, stringdata = 0x7ffff6853260 <qt_meta_stringdata_QEventLoop>, data = 0x7ffff6853200 <qt_meta_data_QEventLoop>, static_metacall = 0x7ffff66b7fd0 <QEventLoop::qt_static_metacall(QObject*, QMetaObject::Call, int, void**)>, relatedMetaObjects = 0x0, extradata = 0x0}}}
        returnCode = <optimized out>
#7  0x00007ffff5c00f4a in QDBusConnectionManager::run (this=0x7ffff5c84060 <(anonymous namespace)::Q_QGS__q_manager::innerFunction()::holder>) at qdbusconnection.cpp:178
        locker = <optimized out>
#8  0x00007ffff65127c6 in QThreadPrivate::start (arg=0x7ffff5c84060 <(anonymous namespace)::Q_QGS__q_manager::innerFunction()::holder>) at thread/qthread_unix.cpp:361
        thr = 0x7ffff5c84060 <(anonymous namespace)::Q_QGS__q_manager::innerFunction()::holder>
        data = <optimized out>
        __clframe = {__cancel_routine = 0x7ffff6511f00 <QThreadPrivate::finish(void*)>, __cancel_arg = 0x7ffff5c84060 <(anonymous namespace)::Q_QGS__q_manager::innerFunction()::holder>, __do_it = 1, __cancel_type = <optimized out>}
#9  0x00007ffff54bd5a2 in start_thread (arg=<optimized out>) at pthread_create.c:486
        ret = <optimized out>
        pd = <optimized out>
        now = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140737023059712, -7425004005232201654, 140737488345070, 140737488345071, 140737488345264, 140737023057600, 7424991827868528714, 7425024725548150858}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
#10 0x00007ffff7e9c303 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
No locals.

Thread 1 (Thread 0x7ffff2530200 (LWP 2244)):
#0  0x00007fffe5466251 in wl_map_insert_at (map=<optimized out>, flags=flags@entry=1, i=80, data=data@entry=0x0) at src/wayland-util.c:247
        start = 0x4
        count = <optimized out>
        entries = 0x55555557dbc8
#1  0x00007fffe5462152 in proxy_destroy (proxy=0x555555d49b20) at src/wayland-client.c:502
        zombie = 0x0
#2  wl_proxy_destroy (proxy=proxy@entry=0x555555d49b20) at src/wayland-client.c:533
        display = 0x55555557db50
#3  0x00007fffe519de77 in org_kde_plasma_window_destroy (org_kde_plasma_window=0x555555d49b20) at /usr/src/debug/kf5-kwayland-5.59.0-1.fc30.x86_64/x86_64-redhat-linux-gnu/src/client/wayland-plasma-window-management-client-protocol.h:694
No locals.
#4  KWayland::Client::WaylandPointer<org_kde_plasma_window, org_kde_plasma_window_destroy>::release (this=0x555555d49670, this=0x555555d49670) at /usr/src/debug/kf5-kwayland-5.59.0-1.fc30.x86_64/src/client/wayland_pointer_p.h:53
No locals.
#5  KWayland::Client::PlasmaWindow::release (this=this@entry=0x555555d49b70) at /usr/src/debug/kf5-kwayland-5.59.0-1.fc30.x86_64/src/client/plasmawindowmanagement.cpp:787
No locals.
#6  0x00007fffe519de9f in KWayland::Client::PlasmaWindow::~PlasmaWindow (this=0x555555d49b70, __in_chrg=<optimized out>) at /usr/src/debug/kf5-kwayland-5.59.0-1.fc30.x86_64/src/client/plasmawindowmanagement.cpp:777
No locals.
#7  0x00007fffe519dfdd in KWayland::Client::PlasmaWindow::~PlasmaWindow (this=0x555555d49b70, __in_chrg=<optimized out>) at /usr/src/debug/kf5-kwayland-5.59.0-1.fc30.x86_64/src/client/plasmawindowmanagement.cpp:775
No locals.
#8  0x00007ffff66ea54c in QObjectPrivate::deleteChildren (this=this@entry=0x555555a55210) at kernel/qobject.cpp:2006
        i = 0
#9  0x00007ffff66eb49f in QObject::~QObject (this=<optimized out>, __in_chrg=<optimized out>) at kernel/qobject.cpp:1032
        d = <optimized out>
        sharedRefcount = <optimized out>
        d = <optimized out>
        sharedRefcount = <optimized out>
        signalSlotMutex = <optimized out>
        locker = <optimized out>
        node = <optimized out>
        connectionListsCount = <optimized out>
        signal = <optimized out>
        connectionList = <optimized out>
        c = <optimized out>
        m = <optimized out>
        needToUnlock = <optimized out>
        sender = <optimized out>
        m = <optimized out>
        needToUnlock = <optimized out>
        senderLists = <optimized out>
        slotObj = <optimized out>
#10 0x00007fffe519e77d in KWayland::Client::PlasmaWindowManagement::~PlasmaWindowManagement (this=0x555555b8cce0, __in_chrg=<optimized out>) at /usr/src/debug/kf5-kwayland-5.59.0-1.fc30.x86_64/src/client/plasmawindowmanagement.cpp:255
No locals.
#11 0x00007ffff66ea54c in QObjectPrivate::deleteChildren (this=this@entry=0x555555ae2bc0) at kernel/qobject.cpp:2006
        i = 4
#12 0x00007ffff66eb49f in QObject::~QObject (this=<optimized out>, __in_chrg=<optimized out>) at kernel/qobject.cpp:1032
        d = <optimized out>
        sharedRefcount = <optimized out>
        d = <optimized out>
        sharedRefcount = <optimized out>
        signalSlotMutex = <optimized out>
        locker = <optimized out>
        node = <optimized out>
        connectionListsCount = <optimized out>
        signal = <optimized out>
        connectionList = <optimized out>
        c = <optimized out>
        m = <optimized out>
        needToUnlock = <optimized out>
        sender = <optimized out>
        m = <optimized out>
        needToUnlock = <optimized out>
        senderLists = <optimized out>
        slotObj = <optimized out>
#13 0x00007fffe3226387 in WaylandIntegration::~WaylandIntegration (this=<optimized out>, __in_chrg=<optimized out>) at /usr/src/debug/kwayland-integration-5.15.5-1.fc30.x86_64/src/windowsystem/waylandintegration.cpp:54
No locals.
#14 WaylandIntegrationSingleton::~WaylandIntegrationSingleton (this=<optimized out>, __in_chrg=<optimized out>) at /usr/src/debug/kwayland-integration-5.15.5-1.fc30.x86_64/src/windowsystem/waylandintegration.cpp:40
No locals.
#15 (anonymous namespace)::Q_QGS_privateWaylandIntegrationSelf::Holder::~Holder (this=<optimized out>, __in_chrg=<optimized out>) at /usr/src/debug/kwayland-integration-5.15.5-1.fc30.x86_64/src/windowsystem/waylandintegration.cpp:46
No locals.
#16 0x00007ffff7ddb670 in __run_exit_handlers (status=0, listp=0x7ffff7f61738 <__exit_funcs>, run_list_atexit=run_list_atexit@entry=true, run_dtors=run_dtors@entry=true) at exit.c:108
        atfct = <optimized out>
        onfct = <optimized out>
        cxafct = <optimized out>
        f = <optimized out>
        new_exitfn_called = 2017
        cur = 0x555555af32e0
#17 0x00007ffff7ddb7b0 in __GI_exit (status=<optimized out>) at exit.c:139
No locals.
#18 0x00007ffff7dc4f3a in __libc_start_main (main=0x555555555070 <main>, argc=1, argv=0x7fffffffddd8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffddc8) at ../csu/libc-start.c:342
        result = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, 3629827189853663306, 93824992235648, 140737488346576, 0, 0, 7425004006348959818, 7425021310155501642}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x7fffffffdde8, 0x7ffff7ffe150}, data = {prev = 0x0, cleanup = 0x0, canceltype = -8728}}}
        not_first_call = <optimized out>
#19 0x00005555555550ae in _start ()
No symbol table info available.

The pointer start = 0x4 in wl_map_insert_at appeared to be invalid, and start[i] pointed to an inaccessible address 0x284.

(gdb) p start
$1 = (union map_entry *) 0x4
(gdb) p start[i]
Cannot access memory at address 0x284
(gdb) p start[i].next
Cannot access memory at address 0x284

wl_map_insert_at was as follows.

224 int
225 wl_map_insert_at(struct wl_map *map, uint32_t flags, uint32_t i, void *data)
226 {
227 	union map_entry *start;
228 	uint32_t count;
229 	struct wl_array *entries;
230 
231 	if (i < WL_SERVER_ID_START) {
232 		entries = &map->client_entries;
233 	} else {
234 		entries = &map->server_entries;
235 		i -= WL_SERVER_ID_START;
236 	}
237 
238 	count = entries->size / sizeof *start;
239 	if (count < i)
240 		return -1;
241 
242 	if (count == i)
243 		wl_array_add(entries, sizeof *start);
244 
245 	start = entries->data;
246 	start[i].data = data;
247 	start[i].next |= (flags & 0x1) << 1;
248 
249 	return 0;
250 }

I ran valgrind --log-file=valgrind-konsole-wayland-2.txt konsole & (in konsole), opened a second tab, and closed konsole. valgrind's log showed 21 invalid reads and writes starting at wl_proxy_unref (wayland-client.c:229). 20 of those invalid reads/writes seemed to be use-after-free errors since they contained lines like "Address 0xa48852c is 44 bytes inside a block of size 72 free'd".

==2387== Invalid read of size 4
==2387==    at 0x177ABBB4: wl_proxy_unref (wayland-client.c:229)
==2387==    by 0x177ABCB3: destroy_queued_closure (wayland-client.c:291)
==2387==    by 0x177ABEC7: dispatch_event.isra.0 (wayland-client.c:1436)
==2387==    by 0x177AD46B: dispatch_queue (wayland-client.c:1576)
==2387==    by 0x177AD46B: wl_display_dispatch_queue_pending (wayland-client.c:1818)
==2387==    by 0x177AD8AA: wl_display_roundtrip_queue (wayland-client.c:1241)
==2387==    by 0x17A7BB73: KWayland::Client::ConnectionThread::roundtrip() (connection_thread.cpp:290)
==2387==    by 0x178AE189: KWaylandIntegration::init() (kwaylandintegration.cpp:74)
==2387==    by 0x178940C0: KdePlatformTheme::KdePlatformTheme() (kdeplatformtheme.cpp:84)
==2387==    by 0x178B0DFA: KdePlatformThemePlugin::create(QString const&, QStringList const&) (main.cpp:37)
==2387==    by 0x5A781B8: QPlatformTheme* qLoadPlugin<QPlatformTheme, QPlatformThemePlugin, QStringList&>(QFactoryLoader const*, QString const&, QStringList&) (qfactoryloader_p.h:108)
==2387==    by 0x5A77B55: QPlatformThemeFactory::create(QString const&, QString const&) (qplatformthemefactory.cpp:73)
==2387==    by 0x5A813FF: init_platform (qguiapplication.cpp:1239)
==2387==    by 0x5A813FF: QGuiApplicationPrivate::createPlatformIntegration() (qguiapplication.cpp:1384)
==2387==  Address 0xa48852c is 44 bytes inside a block of size 72 free'd
==2387==    at 0x4839A0C: free (vg_replace_malloc.c:540)
==2387==    by 0x17A92C14: destroy (wayland_pointer_p.h:63)
==2387==    by 0x17A92C14: KWayland::Client::Registry::Private::globalSync(void*, wl_callback*, unsigned int) (registry.cpp:539)
==2387==    by 0x485CB27: ffi_call_unix64 (in /usr/lib64/libffi.so.6.0.2)
==2387==    by 0x485C338: ffi_call (in /usr/lib64/libffi.so.6.0.2)
==2387==    by 0x177AF606: wl_closure_invoke (connection.c:1014)
==2387==    by 0x177ABF17: dispatch_event.isra.0 (wayland-client.c:1430)
==2387==    by 0x177AD46B: dispatch_queue (wayland-client.c:1576)
==2387==    by 0x177AD46B: wl_display_dispatch_queue_pending (wayland-client.c:1818)
==2387==    by 0x177AD8AA: wl_display_roundtrip_queue (wayland-client.c:1241)
==2387==    by 0x17A7BB73: KWayland::Client::ConnectionThread::roundtrip() (connection_thread.cpp:290)
==2387==    by 0x178AE189: KWaylandIntegration::init() (kwaylandintegration.cpp:74)
==2387==    by 0x178940C0: KdePlatformTheme::KdePlatformTheme() (kdeplatformtheme.cpp:84)
==2387==    by 0x178B0DFA: KdePlatformThemePlugin::create(QString const&, QStringList const&) (main.cpp:37)
==2387==  Block was alloc'd at
==2387==    at 0x483AB1A: calloc (vg_replace_malloc.c:762)
==2387==    by 0x177ABD42: UnknownInlinedFun (wayland-private.h:236)
==2387==    by 0x177ABD42: proxy_create.isra.0 (wayland-client.c:421)
==2387==    by 0x177AC42B: create_outgoing_proxy (wayland-client.c:650)
==2387==    by 0x177AC42B: wl_proxy_marshal_array_constructor_versioned (wayland-client.c:735)
==2387==    by 0x177AC782: wl_proxy_marshal_constructor (wayland-client.c:824)
==2387==    by 0x17A930BD: wl_display_sync (wayland-client-protocol.h:958)
==2387==    by 0x17A930BD: KWayland::Client::Registry::create(wl_display*) (registry.cpp:470)
==2387==    by 0x17A9313A: KWayland::Client::Registry::create(KWayland::Client::ConnectionThread*) (registry.cpp:479)
==2387==    by 0x178AE10D: KWaylandIntegration::init() (kwaylandintegration.cpp:56)
==2387==    by 0x178940C0: KdePlatformTheme::KdePlatformTheme() (kdeplatformtheme.cpp:84)
==2387==    by 0x178B0DFA: KdePlatformThemePlugin::create(QString const&, QStringList const&) (main.cpp:37)
==2387==    by 0x5A781B8: QPlatformTheme* qLoadPlugin<QPlatformTheme, QPlatformThemePlugin, QStringList&>(QFactoryLoader const*, QString const&, QStringList&) (qfactoryloader_p.h:108)
==2387==    by 0x5A77B55: QPlatformThemeFactory::create(QString const&, QString const&) (qplatformthemefactory.cpp:73)
==2387==    by 0x5A813FF: init_platform (qguiapplication.cpp:1239)
==2387==    by 0x5A813FF: QGuiApplicationPrivate::createPlatformIntegration() (qguiapplication.cpp:1384)

One invalid write in wl_map_insert_at (wayland-util.c:247) at 0x284, mentioned above as what start[i] was pointing to, showed up later in the valgrind log.

==2387== Invalid write of size 8
==2387==    at 0x177B0251: wl_map_insert_at (wayland-util.c:247)
==2387==    by 0x177AC151: proxy_destroy (wayland-client.c:502)
==2387==    by 0x177AC151: wl_proxy_destroy (wayland-client.c:533)
==2387==    by 0x17A8CE76: org_kde_plasma_window_destroy (wayland-plasma-window-management-client-protocol.h:694)
==2387==    by 0x17A8CE76: release (wayland_pointer_p.h:53)
==2387==    by 0x17A8CE76: KWayland::Client::PlasmaWindow::release() (plasmawindowmanagement.cpp:787)
==2387==    by 0x17A8CE9E: KWayland::Client::PlasmaWindow::~PlasmaWindow() (plasmawindowmanagement.cpp:777)
==2387==    by 0x17A8CFDC: KWayland::Client::PlasmaWindow::~PlasmaWindow() (plasmawindowmanagement.cpp:778)
==2387==    by 0x613654B: QObjectPrivate::deleteChildren() (qobject.cpp:2006)
==2387==    by 0x613749E: QObject::~QObject() (qobject.cpp:1032)
==2387==    by 0x17A8D77C: KWayland::Client::PlasmaWindowManagement::~PlasmaWindowManagement() (plasmawindowmanagement.cpp:258)
==2387==    by 0x613654B: QObjectPrivate::deleteChildren() (qobject.cpp:2006)
==2387==    by 0x613749E: QObject::~QObject() (qobject.cpp:1032)
==2387==    by 0x1A1E7386: (anonymous namespace)::Q_QGS_privateWaylandIntegrationSelf::innerFunction()::Holder::~Holder() (waylandintegration.cpp:54)
==2387==    by 0x48E666F: __run_exit_handlers (exit.c:108)
==2387==  Address 0x284 is not stack'd, malloc'd or (recently) free'd

The invalid reads/writes might have led to memory corruption which ended with the segmentation faults. I'll attach the full valgrind log.

STEPS TO REPRODUCE
1. Install Fedora 30 Plasma spin
2. boot into Plasma spin
3. start Plasma on Wayland from sddm
4. sudo dnf upgrade --refresh --enablerepo=updates-testing
5. reboot
6. start Plasma on Wayland from sddm
7. start konsole
8. open a second tab in konsole
9. close konsole by clicking x at the top right then answering yes
10. start konsole
11. gdb konsole
12. r (in gdb)
13. open a second tab in konsole running in gdb
14. close the konsole running in gdb as above
15. thread apply all bt full (in gdb)
16. q (in gdb)
17. valgrind --log-file=valgrind-konsole-wayland-2.txt konsole & (in konsole)
18. open a second tab in konsole running under valgrind
19. close konsole running under valgrind
20. read valgrind-konsole-wayland-2.txt

OBSERVED RESULT
Closing konsole with two tabs open in Plasma on Wayland led to segmentation faults and invalid reads/writes. The segmentation faults have happened each of the few times I've closed konsole with two tabs opened.

EXPECTED RESULT
No crashes of konsole.

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: Fedora 30, 5.1.12 kernel
(available in About System)
KDE Plasma Version: 5.15.5
KDE Frameworks Version: 5.59.0
Qt Version: 5.12.1

kf5-kwayland-0:5.59.0-1.fc30.x86_64
konsole5-0:19.04.2-1.fc30.x86_64
libwayland-client-0:1.17.0-1.fc30.x86_64
plasma-desktop-0:5.15.5-1.fc30.x86_64
qt5-qtbase-0:5.12.1-7.fc30.x86_64

ADDITIONAL INFORMATION
I first saw these crashes with konsole-18.12.3-2.fc30 and kf5-kwayland-5.58.0-1.fc30. The crashes didn't happen when only one tab was opened or in Plasma on X.

The following reports have segmentation faults in konsole with similar traces:
https://bugs.kde.org/show_bug.cgi?id=394484
https://bugs.kde.org/show_bug.cgi?id=385633

The report at https://bugs.kde.org/show_bug.cgi?id=390151 has many similar traces in programs like systemsettings.

The segmentation faults in powerdevil when logging out of Plasma on Wayland that I reported at https://bugzilla.redhat.com/show_bug.cgi?id=1713467#c15 also had invalid reads/writes starting in wl_proxy_unref (wayland-client.c:229). I have seen crashes in akonadi_sendlater_agent and kglobalaccel5 with invalid reads/writes starting in wl_proxy_unref (wayland-client.c:229) which I have not reported elsewhere yet in full. These use-after-free errors involving libwayland-client, kf5-kwayland, and other packages might be involved in those and other crashes when closing KDE programs on Wayland.
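The hand count above (21 invalid reads/writes, 20 of them inside a freed block and one wild write to 0x284) is the kind of triage that is worth scripting when a valgrind log runs to thousands of lines. The following Python script is an added example, not part of this bug report or of any KDE or libwayland code. It groups each memcheck "Invalid read/write" header with its access stack and the "Address ..." line that follows, and labels the report as use-after-free, wild-pointer or other. The short log embedded in it is constructed from the lines quoted above, not the attached valgrind-konsole-wayland-2.txt; the function names triage, summarize, top_frames and classify are this example's own.

```python
"""Classify memcheck "Invalid read/write" reports from a valgrind log.

Added example (not from the bug report, KDE or libwayland). Each report is
grouped with its access stack and the "Address ..." line that follows it;
frames after that line (the free'd / alloc'd stacks) are deliberately not
part of the access stack.
"""
import re
from collections import Counter

# Constructed sample, modelled on the memcheck lines quoted in the report.
# It is NOT the attached valgrind-konsole-wayland-2.txt log.
SAMPLE_LOG = """\
==2387== Invalid read of size 4
==2387==    at 0x177ABBB4: wl_proxy_unref (wayland-client.c:229)
==2387==    by 0x177ABCB3: destroy_queued_closure (wayland-client.c:291)
==2387==    by 0x17A7BB73: KWayland::Client::ConnectionThread::roundtrip() (connection_thread.cpp:290)
==2387==  Address 0xa48852c is 44 bytes inside a block of size 72 free'd
==2387==    at 0x4839A0C: free (vg_replace_malloc.c:540)
==2387==    by 0x17A92C14: destroy (wayland_pointer_p.h:63)
==2387==  Block was alloc'd at
==2387==    at 0x483AB1A: calloc (vg_replace_malloc.c:762)
==2387==
==2387== Invalid write of size 8
==2387==    at 0x177B0251: wl_map_insert_at (wayland-util.c:247)
==2387==    by 0x177AC151: proxy_destroy (wayland-client.c:502)
==2387==    by 0x17A8CE76: KWayland::Client::PlasmaWindow::release() (plasmawindowmanagement.cpp:787)
==2387==  Address 0x284 is not stack'd, malloc'd or (recently) free'd
==2387==
"""

HEADER_RE = re.compile(r"^==\d+== Invalid (read|write) of size (\d+)\s*$")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (.+?)\s*$")
ADDR_RE = re.compile(r"^==\d+==\s+Address (0x[0-9A-Fa-f]+) (.+?)\s*$")


def classify(detail):
    """Map the text after 'Address 0x...' to a coarse error class."""
    if "not stack'd" in detail:
        return "wild-pointer"      # e.g. the write to 0x284 in wl_map_insert_at
    if "free'd" in detail:
        return "use-after-free"    # address inside a block memcheck saw freed
    return "other"                 # e.g. "N bytes after a block of size M alloc'd"


def triage(log_text):
    """Return one dict per Invalid read/write report found in log_text."""
    reports = []
    current = None
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"kind": m.group(1), "size": int(m.group(2)),
                       "frames": [], "address": None, "category": "unknown"}
            reports.append(current)
            continue
        if current is None or current["address"] is not None:
            continue               # outside a report, or past its access stack
        m = ADDR_RE.match(line)
        if m:
            current["address"] = m.group(1)
            current["category"] = classify(m.group(2))
            continue
        m = FRAME_RE.match(line)
        if m:
            current["frames"].append(m.group(1))
    return reports


def summarize(reports):
    """Count reports per category (the report counted 20 UAF and 1 wild write by hand)."""
    return Counter(r["category"] for r in reports)


def top_frames(reports):
    """Innermost frame of each report, to see where the bad accesses cluster."""
    return Counter(r["frames"][0] for r in reports if r["frames"])


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    found = triage(text)
    for r in found:
        where = r["frames"][0] if r["frames"] else "?"
        print(f"{r['category']:15} {r['kind']}/{r['size']} at {where} -> {r['address']}")
    print("summary:", dict(summarize(found)))
    print("innermost frames:", dict(top_frames(found)))
```

Run it as `python3 triage.py valgrind-konsole-wayland-2.txt`; with no argument it runs over the constructed sample. The innermost-frame histogram is the useful view for a report like this one: a long tail of use-after-free hits that all start in the same function (here wl_proxy_unref) usually points at one lifetime bug rather than many, and the single wild-pointer write is the one to line up against the gdb crash.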