<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE bugzilla SYSTEM "https://bugs.kde.org/page.cgi?id=bugzilla.dtd">

<bugzilla version="5.0.6"
          urlbase="https://bugs.kde.org/"
          
          maintainer="sysadmin@kde.org"
>

    <bug>
          <bug_id>461723</bug_id>
          
          <creation_ts>2022-11-12 10:37:49 +0000</creation_ts>
          <short_desc>konsole (or other applications) crash at disabling second screen</short_desc>
          <delta_ts>2023-10-04 10:29:33 +0000</delta_ts>
          <reporter_accessible>1</reporter_accessible>
          <cclist_accessible>1</cclist_accessible>
          <classification_id>8</classification_id>
          <classification>I don&apos;t know</classification>
          <product>kde</product>
          <component>general</component>
          <version>unspecified</version>
          <rep_platform>Debian testing</rep_platform>
          <op_sys>Linux</op_sys>
          <bug_status>RESOLVED</bug_status>
          <resolution>DUPLICATE</resolution>
          <dup_id>473602</dup_id>
          
          <bug_file_loc></bug_file_loc>
          <status_whiteboard></status_whiteboard>
          <keywords></keywords>
          <priority>HI</priority>
          <bug_severity>crash</bug_severity>
          <target_milestone>---</target_milestone>
          
          
          <everconfirmed>0</everconfirmed>
          <reporter name="Bernhard Übelacker">bernhardu</reporter>
          <assigned_to name="Unassigned bugs">unassigned-bugs-null</assigned_to>
          <cc>barracha.afonso</cc>
    
    <cc>biggestsonicfan</cc>
    
    <cc>junjun607</cc>
    
    <cc>kcomain</cc>
    
    <cc>marcin</cc>
    
    <cc>me</cc>
    
    <cc>nate</cc>
    
    <cc>nicolas.fella</cc>
    
    <cc>stakanov</cc>
          
          <cf_commitlink></cf_commitlink>
          <cf_versionfixedin></cf_versionfixedin>
          <cf_sentryurl></cf_sentryurl>
          <votes>0</votes>

      

      

      

          <comment_sort_order>oldest_to_newest</comment_sort_order>  
          <long_desc isprivate="0" >
    <commentid>2172536</commentid>
    <comment_count>0</comment_count>
    <who name="Bernhard Übelacker">bernhardu</who>
    <bug_when>2022-11-12 10:37:49 +0000</bug_when>
    <thetext>Hello, I received a crash of konsole when I disabled a second screen via systemsettings.
This screen is left of my main screen and has a lower resolution.

The crash looks like it is caused by a calculation in copy_unswapped,
which does some pointer arithmetic, but unfortunately the
offset gets negative, and therefore an attempt is made to access unmapped memory.

Otherwise it looks like yy might be related to a pixel resolution,
but my screens are nowhere near a height of 8256 pixels.

I received this crash two weeks ago also in konsole and dolphin.
This bug might be a duplicate of Bug 461563 and/or Bug 451110.

I collected the cores of the three crashes, so I can look up something if needed.


STEPS TO REPRODUCE
Unfortunately I did not yet try to reproduce it this time.
Last time I could not get it to crash when I tried to reproduce it.


SOFTWARE/OS VERSIONS
Operating System: Debian GNU/Linux
KDE Plasma Version: 5.26.0
KDE Frameworks Version: 5.98.0
Qt Version: 5.15.6
Kernel Version: 6.0.0-2-amd64 (64-bit)
Graphics Platform: X11
Processors: 16 × AMD Ryzen 7 1700 Eight-Core Processor
Memory: 31.1 GiB of RAM
Graphics Processor: AMD Radeon RX 460 Graphics

ADDITIONAL INFORMATION

(gdb) bt
#0  0x00007f009bcfe32f in __GI___poll (fds=0x7ffc26bb9058, nfds=1, timeout=1000) at ../sysdeps/unix/sysv/linux/poll.c:29
#1  0x00007f009d975160 in ?? () from /lib/x86_64-linux-gnu/libKF5Crash.so.5
#2  0x00007f009d975b67 in KCrash::defaultCrashHandler(int) () from /lib/x86_64-linux-gnu/libKF5Crash.so.5
#3  &lt;signal handler called&gt;
#4  __memcpy_avx_unaligned () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:228
#5  0x00007f00962f142a in memmove (__len=262112, __src=0x7efb8bbe8810, __dest=&lt;optimized out&gt;) at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:36
#6  copy_unswapped (rect=&lt;synthetic pointer&gt;..., img=..., dstBytesPerLine=262112, dst=&lt;optimized out&gt;) at ./src/plugins/platforms/xcb/qxcbbackingstore.cpp:547
#7  native_sub_image (swap=false, rect=&lt;synthetic pointer&gt;..., src=..., dstStride=262112, buffer=0x5557a9af9130) at ./src/plugins/platforms/xcb/qxcbbackingstore.cpp:590
#8  QXcbBackingStoreImage::flushPixmap (this=0x5557a9af90b0, region=..., fullRegion=&lt;optimized out&gt;) at ./src/plugins/platforms/xcb/qxcbbackingstore.cpp:669
#9  0x00007f00962f1a29 in QXcbBackingStoreImage::flushPixmap (fullRegion=false, region=..., this=0x5557a9af90b0) at ./src/plugins/platforms/xcb/qxcbbackingstore.cpp:627
#10 QXcbBackingStoreImage::put (this=0x5557a9af90b0, dst=85983245, region=..., offset=...) at ./src/plugins/platforms/xcb/qxcbbackingstore.cpp:741
#11 0x00007f00962f2369 in QXcbBackingStore::flush (this=this@entry=0x5557a9a3b4d0, window=window@entry=0x5557a98d7c10, region=..., offset=...) at ./src/plugins/platforms/xcb/qxcbwindow.h:128
#12 0x00007f009cd017b2 in QBackingStore::flush (this=this@entry=0x5557a9a4f510, region=..., window=0x5557a98d7c10, offset=...) at painting/qbackingstore.cpp:252
#13 0x00007f009d37059f in QWidgetRepaintManager::flush (this=this@entry=0x5557a9d8fad0, widget=0x5557a98df320, region=..., widgetTextures=&lt;optimized out&gt;) at kernel/qwidgetrepaintmanager.cpp:1184
#14 0x00007f009d372129 in QWidgetRepaintManager::flush (this=0x5557a9d8fad0) at kernel/qwidgetrepaintmanager.cpp:1082
#15 0x00007f009d374270 in QWidgetRepaintManager::paintAndFlush (this=0x5557a9d8fad0) at kernel/qwidgetrepaintmanager.cpp:1014
#16 0x00007f009d3bd341 in QWidgetWindow::handleResizeEvent (this=0x5557a98d7c10, event=0x7ffc26bba560) at kernel/qwidgetwindow.cpp:841
#17 0x00007f009d3c10db in QWidgetWindow::event (this=0x5557a98d7c10, event=0x7ffc26bba560) at kernel/qwidgetwindow.cpp:322
#18 0x00007f009d362f5e in QApplicationPrivate::notify_helper (this=&lt;optimized out&gt;, receiver=0x5557a98d7c10, e=0x7ffc26bba560) at kernel/qapplication.cpp:3637
#19 0x00007f009c6b1718 in QCoreApplication::notifyInternal2(QObject*, QEvent*) () from /lib/x86_64-linux-gnu/libQt5Core.so.5
#20 0x00007f009cb39bac in QGuiApplicationPrivate::processGeometryChangeEvent (e=&lt;optimized out&gt;) at kernel/qguiapplication.cpp:2610
#21 0x00007f009cb11e1c in QWindowSystemInterface::sendWindowSystemEvents (flags=flags@entry=...) at kernel/qwindowsysteminterface.cpp:1169
#22 0x00007f00962fc0fa in xcbSourceDispatch (source=&lt;optimized out&gt;) at ./src/plugins/platforms/xcb/qxcbeventdispatcher.cpp:105
#23 0x00007f009a9da799 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#24 0x00007f009a9daa28 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#25 0x00007f009a9daabc in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#26 0x00007f009c7094b6 in QEventDispatcherGlib::processEvents(QFlags&lt;QEventLoop::ProcessEventsFlag&gt;) () from /lib/x86_64-linux-gnu/libQt5Core.so.5
#27 0x00007f009c6b019b in QEventLoop::exec(QFlags&lt;QEventLoop::ProcessEventsFlag&gt;) () from /lib/x86_64-linux-gnu/libQt5Core.so.5
#28 0x00007f009c6b8306 in QCoreApplication::exec() () from /lib/x86_64-linux-gnu/libQt5Core.so.5
#29 0x00005557a933ee4c in ?? ()
#30 0x00007f009bc2920a in __libc_start_call_main (main=main@entry=0x5557a933e690, argc=argc@entry=4, argv=argv@entry=0x7ffc26bbab08) at ../sysdeps/nptl/libc_start_call_main.h:58
#31 0x00007f009bc292bc in __libc_start_main_impl (main=0x5557a933e690, argc=4, argv=0x7ffc26bbab08, init=&lt;optimized out&gt;, fini=&lt;optimized out&gt;, rtld_fini=&lt;optimized out&gt;, stack_end=0x7ffc26bbaaf8) at ../csu/libc-start.c:389
#32 0x00005557a933f301 in ?? ()

(gdb) up
(gdb) up
(gdb) up
(gdb) up
#4  __memcpy_avx_unaligned () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:228
228     ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S: Datei oder Verzeichnis nicht gefunden.
(gdb) display/i $pc
1: x/i $pc
=&gt; 0x7f009bd5457d &lt;__memcpy_avx_unaligned+13&gt;:  vmovdqu (%rsi),%ymm0
(gdb) print/x $rsi
$1 = 0x7efb8bbe8810
(gdb) up
#5  0x00007f00962f142a in memmove (__len=262112, __src=0x7efb8bbe8810, __dest=&lt;optimized out&gt;) at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:36
36        return __builtin___memmove_chk (__dest, __src, __len,
(
(gdb) up
#6  copy_unswapped (rect=&lt;synthetic pointer&gt;..., img=..., dstBytesPerLine=262112, dst=&lt;optimized out&gt;) at ./src/plugins/platforms/xcb/qxcbbackingstore.cpp:547
547         ::memmove(dst, src, dstBytesPerLine);

https://sources.debian.org/src/qtbase-opensource-src/5.15.6+dfsg-2/src/plugins/platforms/xcb/qxcbbackingstore.cpp/#L547
  https://github.com/qt/qtbase/blob/7c4b3648cad7faf990397af0b8a81664658c2d4f/src/plugins/platforms/xcb/qxcbbackingstore.cpp#L514
  https://github.com/qt/qtbase/blob/dev/src/plugins/platforms/xcb/qxcbbackingstore.cpp#L514

537 static inline void copy_unswapped(char *dst, int dstBytesPerLine, const QImage &amp;img, const QRect &amp;rect)
538 {
539     const uchar *srcData = img.constBits();
540     const int srcBytesPerLine = img.bytesPerLine();
541 
542     const int leftOffset = rect.left() * img.depth() &gt;&gt; 3;
543     const int bottom = rect.bottom() + 1;
544 
545     for (int yy = rect.top(); yy &lt; bottom; ++yy) {
546         const uchar *src = srcData + yy * srcBytesPerLine + leftOffset;
547         ::memmove(dst, src, dstBytesPerLine);
548         dst += dstBytesPerLine;
549     }
550 }

(gdb) print img.d-&gt;data
$2 = (uchar *) 0x7efc0ac29010 &quot;\361\360\357\377\361...

(gdb) print bottom
$3 = 8320

(gdb) print yy
$4 = 8256
(gdb) print srcBytesPerLine
$5 = 262112

(gdb) print yy * srcBytesPerLine
$7 = -2130970624
# if calculation uses int, it overflows and the offset gets negative

(gdb) print/x 0x7efc0ac29010 + yy * srcBytesPerLine
$9 = 0x7efb8bbe8810
# the resulting pointer 0x7efb8bbe8810 is smaller than img.d-&gt;data 0x7efc0ac29010

(gdb) up
(gdb) up
(gdb) up
#8  QXcbBackingStoreImage::flushPixmap (this=0x5557a9af90b0, region=..., fullRegion=&lt;optimized out&gt;) at ./src/plugins/platforms/xcb/qxcbbackingstore.cpp:669
669             const QImage subImage = native_sub_image(&amp;m_flushBuffer, stride, m_qimage, subRect, needsByteSwap);
(gdb) print x
$12 = 0
(gdb) print y
$13 = 8256
(gdb) print width
$14 = &lt;optimized out&gt;
(gdb) print rows
$15 = &lt;optimized out&gt;
(gdb) print rect
$16 = (const QRect &amp;) @0x5557aad282d0: {x1 = 0, y1 = 0, x2 = 65527, y2 = 65504}
(gdb) print stride
$17 = 262112
(gdb) print rows_per_put
$18 = 64



$ xrandr
Screen 0: minimum 320 x 200, current 1920 x 1080, maximum 16384 x 16384
DisplayPort-0 disconnected (normal left inverted right x axis y axis)
HDMI-A-0 connected primary 1920x1080+0+0 (normal left inverted right x axis y axis) 476mm x 268mm
   1920x1080     60.00*+  50.00    59.94  
...
DVI-D-0 connected (normal left inverted right x axis y axis)
   1280x1024     60.02 +  75.02  
...</thetext>
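<![CDATA[
The pointer arithmetic dissected in the gdb session above, reproduced as a stand-alone C illustration that is added here and is not code from Qt or from the reporter: the `int` product `yy * srcBytesPerLine` wraps to the negative value gdb printed, the same product in a 64-bit type does not, and a hypothetical `row_in_bounds()` guard (assumed image height of 1080 rows; not Qt's upstream fix) rejects rows outside the source buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed from the gdb session in this report: the crashing row index
 * and the source stride of the image being flushed. */
#define CRASH_ROW     8256
#define CRASH_STRIDE  262112

/* Row offset the way the crashing copy_unswapped() computes it: an `int`
 * times an `int`. Signed overflow is undefined in C, so the wrap-around is
 * reproduced deterministically through uint32_t and then reinterpreted. */
int32_t row_offset_int(int32_t yy, int32_t src_bytes_per_line)
{
    uint32_t wrapped = (uint32_t)yy * (uint32_t)src_bytes_per_line;
    return (int32_t)wrapped;   /* negative for the crash inputs */
}

/* The same product carried in 64 bits: no wrap for any realistic image. */
int64_t row_offset_wide(int32_t yy, int32_t src_bytes_per_line)
{
    return (int64_t)yy * (int64_t)src_bytes_per_line;
}

/* Hypothetical guard (not Qt's patch): a row may be copied only if
 * [start, start + copy_bytes) lies entirely inside a source buffer of
 * img_height rows. The height check rejects a rect whose rows extend past
 * the image, which the wide product alone would not catch. */
bool row_in_bounds(int32_t yy, int32_t img_height, int32_t src_bytes_per_line,
                   int32_t left_offset, int32_t copy_bytes)
{
    if (yy < 0 || yy >= img_height || left_offset < 0 || copy_bytes < 0)
        return false;
    int64_t start = row_offset_wide(yy, src_bytes_per_line) + left_offset;
    int64_t end = start + copy_bytes;
    int64_t buf_size = (int64_t)img_height * src_bytes_per_line;
    return end <= buf_size;
}

/* Whether the crash inputs would have been rejected for a 1080-row image
 * (a constructed height; the report does not state the image height). */
bool crash_inputs_rejected(void)
{
    return !row_in_bounds(CRASH_ROW, 1080, CRASH_STRIDE, 0, CRASH_STRIDE);
}
```
]]>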
  </long_desc><long_desc isprivate="0" >
    <commentid>2173354</commentid>
    <comment_count>1</comment_count>
    <who name="Nate Graham">nate</who>
    <bug_when>2022-11-14 21:14:46 +0000</bug_when>
    <thetext>Looks like all the action is in Qt. Since you seem to be very accomplished at debugging, would you be able to submit a Qt patch to fix it? If not, please do submit bug report for them at bugreports.qt.io. Thanks a lot!</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>2182009</commentid>
    <comment_count>2</comment_count>
    <who name="Bernhard Übelacker">bernhardu</who>
    <bug_when>2022-12-06 14:05:18 +0000</bug_when>
    <thetext>Hello Nate, thanks for looking into this report.
I opened now https://bugreports.qt.io/browse/QTBUG-109226</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>2184497</commentid>
    <comment_count>3</comment_count>
    <who name="Bernhard Übelacker">bernhardu</who>
    <bug_when>2022-12-12 23:44:42 +0000</bug_when>
    <thetext>Hello, upstream bug QTBUG-109226 got closed now with a commit:
qtbase/dev: https://code.qt.io/cgit/qt/qtbase.git/commit/?id=6a3627b6c5aa5109a80024f3d7b0f938504f7ffe
qtbase/6.4: https://code.qt.io/cgit/qt/qtbase.git/commit/?h=6.4&amp;id=003d30fac2a75ee5f942917dbd4901536a742cbc
Unfortunately it looks like the qt-5.15 cherry-pick is not publicly visible ...</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>2246722</commentid>
    <comment_count>4</comment_count>
    <who name="Nicolas Fella">nicolas.fella</who>
    <bug_when>2023-08-15 13:35:06 +0000</bug_when>
    <thetext>The fix will be part of 5.15.12, which will be open-source released later this year.

Meanwhile it has been added to our Qt Patch collection: https://invent.kde.org/qt/qt/qtbase/-/merge_requests/230</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>2246726</commentid>
    <comment_count>5</comment_count>
    <who name="Nicolas Fella">nicolas.fella</who>
    <bug_when>2023-08-15 13:36:24 +0000</bug_when>
    <thetext>*** Bug 473405 has been marked as a duplicate of this bug. ***</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>2246728</commentid>
    <comment_count>6</comment_count>
    <who name="Nicolas Fella">nicolas.fella</who>
    <bug_when>2023-08-15 13:37:00 +0000</bug_when>
    <thetext>*** Bug 470450 has been marked as a duplicate of this bug. ***</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>2246730</commentid>
    <comment_count>7</comment_count>
    <who name="Nicolas Fella">nicolas.fella</who>
    <bug_when>2023-08-15 13:38:02 +0000</bug_when>
    <thetext>*** Bug 451110 has been marked as a duplicate of this bug. ***</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>2246732</commentid>
    <comment_count>8</comment_count>
    <who name="Nicolas Fella">nicolas.fella</who>
    <bug_when>2023-08-15 13:38:10 +0000</bug_when>
    <thetext>*** Bug 462022 has been marked as a duplicate of this bug. ***</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>2246734</commentid>
    <comment_count>9</comment_count>
    <who name="Nicolas Fella">nicolas.fella</who>
    <bug_when>2023-08-15 13:38:20 +0000</bug_when>
    <thetext>*** Bug 462487 has been marked as a duplicate of this bug. ***</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>2246736</commentid>
    <comment_count>10</comment_count>
    <who name="Nicolas Fella">nicolas.fella</who>
    <bug_when>2023-08-15 13:38:38 +0000</bug_when>
    <thetext>*** Bug 466503 has been marked as a duplicate of this bug. ***</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>2246738</commentid>
    <comment_count>11</comment_count>
    <who name="Nicolas Fella">nicolas.fella</who>
    <bug_when>2023-08-15 13:38:45 +0000</bug_when>
    <thetext>*** Bug 467010 has been marked as a duplicate of this bug. ***</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>2246741</commentid>
    <comment_count>12</comment_count>
    <who name="Nicolas Fella">nicolas.fella</who>
    <bug_when>2023-08-15 13:39:40 +0000</bug_when>
    <thetext>*** Bug 467191 has been marked as a duplicate of this bug. ***</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>2249020</commentid>
    <comment_count>13</comment_count>
    <who name="Bernhard Übelacker">bernhardu</who>
    <bug_when>2023-08-28 12:46:14 +0000</bug_when>
    <thetext>Hello,
unfortunately this Qt upstream modification seems not to avoid this issue.
Further debugging leads to kwin_x11 as causing this, details added in https://bugs.kde.org/show_bug.cgi?id=473602</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>2256858</commentid>
    <comment_count>14</comment_count>
    <who name="Nicolas Fella">nicolas.fella</who>
    <bug_when>2023-10-04 10:29:33 +0000</bug_when>
    <thetext>

*** This bug has been marked as a duplicate of bug 473602 ***</thetext>
  </long_desc>
      
      

    </bug>

</bugzilla>