Bug 303244

Summary: Kwin 4.9 beta crashes on logout
Product: [Plasma] kwin    Reporter: l.mierzwa
Component: general    Assignee: KWin default assignee <kwin-bugs-null>
Status: RESOLVED FIXED    
Severity: crash CC: aacid, bugs.kde.org3, ivan.stetsenko, rtdvrs, salsa_temps, sinozzuke, vkrevs
Priority: NOR Flags: thomas.luebking: ReviewRequest+
Version: unspecified   
Target Milestone: 4.9.2   
Platform: Ubuntu   
OS: Linux   
Latest Commit:    Version Fixed In: 4.9.2
Attachments: New crash information added by DrKonqi
New crash information added by DrKonqi
New crash information added by DrKonqi
New crash information added by DrKonqi
Track unmanaged
Clear Unmanaged
Erase unmanaged
Valgrind trace #1
Valgrind trace #2
Output with Track patch
test Unmanaged pointer on shutdown
Track adding
Fix releasing unmanaged windows
New crash information added by DrKonqi

Description l.mierzwa 2012-07-09 16:48:15 UTC
Application: kwin (4.8.90 (4.8.90))
KDE Platform Version: 4.8.90 (4.8.90)
Qt Version: 4.8.1
Operating System: Linux 3.2.0-27-generic x86_64
Distribution: Ubuntu 12.04 LTS

-- Information about the crash:
Kwin once in a while crashes during logout/reboot/shutdown; it happened in 4.8 and it is still happening with 4.9 beta. It might be a different bug, but a crash is still a crash ;/

The crash can be reproduced some of the time.

-- Backtrace:
Application: KWin (kwin), signal: Bus error
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[KCrash Handler]
#6  QMetaObject::activate (sender=0x146cd20, m=<optimized out>, local_signal_index=<optimized out>, argv=0x7fff672c0de0) at kernel/qobject.cpp:3497
#7  0x00007f8019ab4d5f in KWin::Toplevel::windowClosed (this=<optimized out>, _t1=0x146cd20, _t2=0x0) at ./toplevel.moc:347
#8  0x00007f8019ab59f3 in KWin::Unmanaged::release (this=0x146cd20, on_shutdown=true) at ../../kwin/unmanaged.cpp:89
#9  0x00007f8019a47192 in KWin::Workspace::~Workspace (this=0xac75b0, __in_chrg=<optimized out>) at ../../kwin/workspace.cpp:534
#10 0x00007f8019a479d9 in KWin::Workspace::~Workspace (this=0xac75b0, __in_chrg=<optimized out>) at ../../kwin/workspace.cpp:561
#11 0x00007f8019a62f05 in KWin::Application::~Application (this=0x7fff672c0f60, __in_chrg=<optimized out>) at ../../kwin/main.cpp:343
#12 0x00007f8019a657b4 in kdemain (argc=<optimized out>, argv=<optimized out>) at ../../kwin/main.cpp:545
#13 0x00007f801966676d in __libc_start_main (main=0x400640 <main(int, char**)>, argc=1, ubp_av=0x7fff672c1658, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fff672c1648) at libc-start.c:226
#14 0x0000000000400671 in _start ()

Reported using DrKonqi
Comment 1 l.mierzwa 2012-07-09 19:34:15 UTC
Created attachment 72407 [details]
New crash information added by DrKonqi

kwin (4.8.90 (4.8.90)) on KDE Platform 4.8.90 (4.8.90) using Qt 4.8.1

Another logout another crash

-- Backtrace (Reduced):
#7  0x00007fa426d4dd5f in KWin::Toplevel::windowClosed (this=<optimized out>, _t1=0x1bf1270, _t2=0x0) at ./toplevel.moc:347
#8  0x00007fa426d4e9f3 in KWin::Unmanaged::release (this=0x1bf1270, on_shutdown=true) at ../../kwin/unmanaged.cpp:89
#9  0x00007fa426ce0192 in KWin::Workspace::~Workspace (this=0xe26590, __in_chrg=<optimized out>) at ../../kwin/workspace.cpp:534
#10 0x00007fa426ce09d9 in KWin::Workspace::~Workspace (this=0xe26590, __in_chrg=<optimized out>) at ../../kwin/workspace.cpp:561
#11 0x00007fa426cfbf05 in KWin::Application::~Application (this=0x7fff8b921140, __in_chrg=<optimized out>) at ../../kwin/main.cpp:343
Comment 2 rtdvrs 2012-07-16 06:54:23 UTC
Created attachment 72550 [details]
New crash information added by DrKonqi

kwin (4.8.90 (4.8.90)) on KDE Platform 4.8.90 (4.8.90) using Qt 4.8.1

- What I was doing when the application crashed:
I logged out, just like the others have mentioned.

-- Backtrace (Reduced):
#6  0x00007f41c48ef9f9 in KWin::Unmanaged::release (this=0x20abdd0, on_shutdown=true) at ../../kwin/unmanaged.cpp:90
#7  0x00007f41c4881192 in KWin::Workspace::~Workspace (this=0x18c9e80, __in_chrg=<optimized out>) at ../../kwin/workspace.cpp:534
#8  0x00007f41c48819d9 in KWin::Workspace::~Workspace (this=0x18c9e80, __in_chrg=<optimized out>) at ../../kwin/workspace.cpp:561
#9  0x00007f41c489cf05 in KWin::Application::~Application (this=0x7fffdf0739f0, __in_chrg=<optimized out>) at ../../kwin/main.cpp:343
#10 0x00007f41c489f7b4 in kdemain (argc=<optimized out>, argv=<optimized out>) at ../../kwin/main.cpp:545
Comment 3 Thomas Lübking 2012-07-16 15:01:13 UTC
Can anyone here try a patch?

Reason:
I guess I know what happens* but not why, for it should not.
Since it doesn't crash here, it would be great if someone who gets those crashes could ensure that the assumed fix actually fixes the *assumed* issue.


* ~Workspace() as its very first action calls finishCompositing(), which calls scene->windowClosed(c, NULL); for all windows and then deletes the effects and the scene.
The next step is to release all windows, which emits windowClosed(this, del);

This is where the code crashes, but should not, because the signal is only bound by effects and scene - which should at this point no longer exist.


A trivial patch would be to not "emit windowClosed(this, del);" "on_shutdown" on ::release() - it's not necessary anyway because finishCompositing just called that on the scene and the effects (which should no longer exist!) don't have anything reasonable to do anymore anyway.
Comment 4 Thomas Lübking 2012-07-23 16:28:13 UTC
http://git.reviewboard.kde.org/r/105697/
Comment 5 Martin Flöser 2012-07-23 18:35:32 UTC
random observations: all three crashes are with Qt 4.8.1 and I would assume Ubuntu? Maybe something is fishy there...
Comment 6 Thomas Lübking 2012-07-23 19:59:42 UTC
"2" crashes - OP and comment #1 are the same system.
Also both are on x86_64 (fwiw)
Comment 7 Thomas Lübking 2012-08-04 11:24:53 UTC
*** Bug 304538 has been marked as a duplicate of this bug. ***
Comment 8 sinozzuke 2012-08-13 18:39:53 UTC
Created attachment 73143 [details]
New crash information added by DrKonqi

kwin (4.9.00) on KDE Platform 4.9.00 using Qt 4.8.1

- What I was doing when the application crashed:
Launching Firefox from the plasma icontask manager.

-- Backtrace (Reduced):
#7  0x00007f817689491f in KWin::Toplevel::windowClosed (this=<optimized out>, _t1=0x15a1460, _t2=0x0) at ./toplevel.moc:350
#8  0x00007f81768955d3 in KWin::Unmanaged::release (this=0x15a1460, on_shutdown=true) at ../../kwin/unmanaged.cpp:89
#9  0x00007f8176826902 in KWin::Workspace::~Workspace (this=0x14ef3f0, __in_chrg=<optimized out>) at ../../kwin/workspace.cpp:537
#10 0x00007f8176827149 in KWin::Workspace::~Workspace (this=0x14ef3f0, __in_chrg=<optimized out>) at ../../kwin/workspace.cpp:564
#11 0x00007f8176843da7 in KWin::Application::lostSelection (this=0x7fff429b2c00) at ../../kwin/main.cpp:354
Comment 9 Thomas Lübking 2012-08-28 19:44:03 UTC
*** Bug 305944 has been marked as a duplicate of this bug. ***
Comment 10 Albert Astals Cid 2012-09-05 08:13:37 UTC
Created attachment 73667 [details]
New crash information added by DrKonqi

kwin (4.9.00) on KDE Platform 4.9.00 using Qt 4.8.2

- What I was doing when the application crashed:

Started compiz/unity while kwin was running

-- Backtrace (Reduced):
#6  0x00007f3a29ba48b9 in KWin::Unmanaged::release (this=0xb06c50, on_shutdown=<optimized out>) at ../../kwin/unmanaged.cpp:90
#7  0x00007f3a29b3b962 in KWin::Workspace::~Workspace (this=0xa1c4d0, __in_chrg=<optimized out>) at ../../kwin/workspace.cpp:537
#8  0x00007f3a29b3c039 in KWin::Workspace::~Workspace (this=0xa1c4d0, __in_chrg=<optimized out>) at ../../kwin/workspace.cpp:564
#9  0x00007f3a29b58a07 in KWin::Application::lostSelection (this=0x7fff9305f890) at ../../kwin/main.cpp:354
[...]
#11 0x00007f3a2937fb13 in KSelectionOwner::filterEvent (this=0x7fff9305f8a8, ev_P=<optimized out>) at ../../kdeui/util/kmanagerselection.cpp:224
Comment 11 Thomas Lübking 2012-09-05 12:29:32 UTC
Relevant info from bug #305944 - best trace we have so far:

#9  0x00007fbff8fa89f3 in KWin::Unmanaged::release (this=0x1b6c6a0, on_shutdown=true) at ../../kwin/unmanaged.cpp:89
--> watch the "this" pointer
#8  0x00007fbff8fa7d5f in KWin::Toplevel::windowClosed (this=<optimized out>, _t1=0x1b6c6a0, _t2=0x0) at ./toplevel.moc:347
--> _t2 is ok to be NULL
#7  QMetaObject::activate (sender=0x1b6c6a0, m=<optimized out>, local_signal_index=6, argv=0x7fffcead1b90) at kernel/qobject.cpp:3456
--> watch sender, matches Unmanaged this pointer
#6  isSignalConnected (signal_index=8, this=0x0) at kernel/qobject_p.h:229
this is NULL, so a segfault is inevitable - BUT "this" is "sender->d_func()"

Options:
a) Qt bug
b) dangling Unmanaged pointer

where (b) either means that the window is twice in the unmanaged list or the workspace destructor gets called twice.

Could anybody who can halfway reliably reproduce this crash compile in a short patch to monitor destructors and releases, resp. try whether and how erasing the unmanaged list (on the run or after processing) fixes this?
Comment 12 Albert Astals Cid 2012-09-05 12:56:16 UTC
Sure, where's the patch?
Comment 13 Thomas Lübking 2012-09-05 18:03:13 UTC
Many thanks, but I spotted an apparent double delete on the first debug output - I'll check whether I can track that down and if not come back with a "fixes perhaps" patch later.
Comment 14 Thomas Lübking 2012-09-05 18:25:00 UTC
Created attachment 73676 [details]
Track unmanaged

No, sorry - gcc is just really good at re-using existing memory (and that's probably the "problem")

Attached is a patch that tracks memory usage by Unmanaged and aborts if there's an attempt to release a window that was not re/created

However, I got some crash messages in konsole (w/o DrKonqi, though) and those seem to have gone after the first of the following patches.
Comment 15 Thomas Lübking 2012-09-05 18:27:42 UTC
Created attachment 73677 [details]
Clear Unmanaged

This patch clears the unmanaged list after releasing all unmanaged windows in it, and, to correct my earlier observation: the compositor got auto-deactivated and reactivating it brought back the silent crashes.

Nevertheless it may fix /this/ issue
Comment 16 Thomas Lübking 2012-09-05 18:29:49 UTC
Created attachment 73678 [details]
Erase unmanaged

Last patch for now. It *replaces* "clear unmanaged" with in-loop erasing; this has no functional difference but might expose an issue in Qt (but I frankly doubt it).

The two latter patches are orthogonal to the (quite talky) first one.
Comment 17 Albert Astals Cid 2012-09-05 18:37:32 UTC
Just to make sure: you want me to compile and try to repro the crash with these 3 patches, right?
Comment 18 Thomas Lübking 2012-09-05 19:11:02 UTC
No, the last two ones are mutually exclusive.
The one to initially test to fix the crash is "Clear Unmanaged".

The "Track Unmanaged" patch adds much debug output and aborts before a double delete, so it will potentially give us more information, esp. if "Clear Unmanaged" doesn't work.

"Erase Unmanaged" is just a wild shot catching a rare and unlikely incident in QList - I bet your right arm it will not fix anything that is not fixed by "Clear Unmanaged" as well.
Comment 19 Albert Astals Cid 2012-09-05 22:22:11 UTC
Created attachment 73685 [details]
Valgrind trace #1

This is the valgrind trace that leads to the crash with both the unpatched and the "Clear unmanaged" version.
Comment 20 Albert Astals Cid 2012-09-05 22:23:00 UTC
Created attachment 73686 [details]
Valgrind trace #2

This is the valgrind trace with the "Erase unmanaged" patch applied (you crashed valgrind!).
Comment 21 Albert Astals Cid 2012-09-05 22:23:37 UTC
Created attachment 73687 [details]
Output with Track patch
Comment 22 Thomas Lübking 2012-09-07 15:25:24 UTC
Created attachment 73723 [details]
test Unmanaged pointer on shutdown

Ok, thanks - crashing valgrind looks more than suspicious to me (i.e. I doubt that this is a simple heap invalidation).

However, attached is another patch that tries to access the Unmanaged pointer on shutdown so we can figure out whether the unmanaged pointer dangles or this is a deeper issue (if the object is sane but the d_ptr is NULL, there should be sth. _severely_ broken, yes/no?!)

Btw: I only have an unmanaged window if I explicitly show a tooltip when restarting kwin (or another WM), so I wonder whether there's maybe some notification system or similar kicking in here (since you seem to get this bug on every shutdown/replace, correct?)
Comment 23 Albert Astals Cid 2012-09-08 11:06:50 UTC
Maybe it is a double free?
Yes, I can reproduce this all the time by just starting kwin and then starting unity (which replaces the window manager).

testing pointer sanity of 0x1b06cb20 
seems sane 
testing pointer sanity of 0x18746930 
seems sane 
testing pointer sanity of 0x1b193d10 
seems sane 
testing pointer sanity of 0x1c591070 
seems sane 
testing pointer sanity of 0x1e82c920 
seems sane 
testing pointer sanity of 0x1e8991f0 
seems sane 
testing pointer sanity of 0x1ebcffc0 
seems sane 
testing pointer sanity of 0x21398b40 
seems sane 
testing pointer sanity of 0x21398b40 
==8256== Invalid read of size 4
==8256==    at 0x95A8390: QRect::contains(QPoint const&, bool) const (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==8256==    by 0x4F0D83D: KWin::Unmanaged::release(bool) (unmanaged.cpp:92)
==8256==    by 0x4E73509: KWin::Workspace::~Workspace() (workspace.cpp:537)
==8256==    by 0x4E73B1D: KWin::Workspace::~Workspace() (workspace.cpp:564)
==8256==    by 0x4EAE31C: KWin::Application::lostSelection() (main.cpp:354)
==8256==    by 0x4EAF57C: KWin::Application::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) (main.moc:51)
==8256==    by 0x968A31E: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==8256==    by 0x582FB12: KSelectionOwner::filterEvent(_XEvent*) (kmanagerselection.cpp:224)
==8256==    by 0x57CF83D: KApplication::x11EventFilter(_XEvent*) (kapplication.cpp:918)
==8256==    by 0x4EAE3A9: KWin::Application::x11EventFilter(_XEvent*) (main.cpp:364)
==8256==    by 0x9C0459B: qt_x11EventFilter(_XEvent*) (in /usr/lib/x86_64-linux-gnu/libQtGui.so.4.8.2)
==8256==    by 0x9C1453F: QApplication::x11ProcessEvent(_XEvent*) (in /usr/lib/x86_64-linux-gnu/libQtGui.so.4.8.2)
==8256==  Address 0x21398b50 is 16 bytes inside a block of size 208 free'd
==8256==    at 0x4C2A4BC: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==8256==    by 0x4F0D4BF: KWin::Unmanaged::~Unmanaged() (unmanaged.cpp:40)
==8256==    by 0x4F0D9E0: KWin::Unmanaged::deleteUnmanaged(KWin::Unmanaged*, KWin::allowed_t) (unmanaged.cpp:113)
==8256==    by 0x4F0D9AB: KWin::Unmanaged::release(bool) (unmanaged.cpp:108)
==8256==    by 0x4E73509: KWin::Workspace::~Workspace() (workspace.cpp:537)
==8256==    by 0x4E73B1D: KWin::Workspace::~Workspace() (workspace.cpp:564)
==8256==    by 0x4EAE31C: KWin::Application::lostSelection() (main.cpp:354)
==8256==    by 0x4EAF57C: KWin::Application::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) (main.moc:51)
==8256==    by 0x968A31E: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==8256==    by 0x582FB12: KSelectionOwner::filterEvent(_XEvent*) (kmanagerselection.cpp:224)
==8256==    by 0x57CF83D: KApplication::x11EventFilter(_XEvent*) (kapplication.cpp:918)
==8256==    by 0x4EAE3A9: KWin::Application::x11EventFilter(_XEvent*) (main.cpp:364)
==8256== 
==8256== Invalid read of size 4
==8256==    at 0x95A8392: QRect::contains(QPoint const&, bool) const (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==8256==    by 0x4F0D83D: KWin::Unmanaged::release(bool) (unmanaged.cpp:92)
==8256==    by 0x4E73509: KWin::Workspace::~Workspace() (workspace.cpp:537)
==8256==    by 0x4E73B1D: KWin::Workspace::~Workspace() (workspace.cpp:564)
==8256==    by 0x4EAE31C: KWin::Application::lostSelection() (main.cpp:354)
==8256==    by 0x4EAF57C: KWin::Application::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) (main.moc:51)
==8256==    by 0x968A31E: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==8256==    by 0x582FB12: KSelectionOwner::filterEvent(_XEvent*) (kmanagerselection.cpp:224)
==8256==    by 0x57CF83D: KApplication::x11EventFilter(_XEvent*) (kapplication.cpp:918)
==8256==    by 0x4EAE3A9: KWin::Application::x11EventFilter(_XEvent*) (main.cpp:364)
==8256==    by 0x9C0459B: qt_x11EventFilter(_XEvent*) (in /usr/lib/x86_64-linux-gnu/libQtGui.so.4.8.2)
==8256==    by 0x9C1453F: QApplication::x11ProcessEvent(_XEvent*) (in /usr/lib/x86_64-linux-gnu/libQtGui.so.4.8.2)
==8256==  Address 0x21398b58 is 24 bytes inside a block of size 208 free'd
==8256==    at 0x4C2A4BC: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==8256==    by 0x4F0D4BF: KWin::Unmanaged::~Unmanaged() (unmanaged.cpp:40)
==8256==    by 0x4F0D9E0: KWin::Unmanaged::deleteUnmanaged(KWin::Unmanaged*, KWin::allowed_t) (unmanaged.cpp:113)
==8256==    by 0x4F0D9AB: KWin::Unmanaged::release(bool) (unmanaged.cpp:108)
==8256==    by 0x4E73509: KWin::Workspace::~Workspace() (workspace.cpp:537)
==8256==    by 0x4E73B1D: KWin::Workspace::~Workspace() (workspace.cpp:564)
==8256==    by 0x4EAE31C: KWin::Application::lostSelection() (main.cpp:354)
==8256==    by 0x4EAF57C: KWin::Application::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) (main.moc:51)
==8256==    by 0x968A31E: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==8256==    by 0x582FB12: KSelectionOwner::filterEvent(_XEvent*) (kmanagerselection.cpp:224)
==8256==    by 0x57CF83D: KApplication::x11EventFilter(_XEvent*) (kapplication.cpp:918)
==8256==    by 0x4EAE3A9: KWin::Application::x11EventFilter(_XEvent*) (main.cpp:364)
==8256== 
seems sane 
==8256== Invalid read of size 8
==8256==    at 0x968A0B5: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==8256==    by 0x4F0D06C: KWin::Toplevel::windowClosed(KWin::Toplevel*, KWin::Deleted*) (toplevel.moc:354)
==8256==    by 0x4F0D882: KWin::Unmanaged::release(bool) (unmanaged.cpp:95)
==8256==    by 0x4E73509: KWin::Workspace::~Workspace() (workspace.cpp:537)
==8256==    by 0x4E73B1D: KWin::Workspace::~Workspace() (workspace.cpp:564)
==8256==    by 0x4EAE31C: KWin::Application::lostSelection() (main.cpp:354)
==8256==    by 0x4EAF57C: KWin::Application::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) (main.moc:51)
==8256==    by 0x968A31E: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==8256==    by 0x582FB12: KSelectionOwner::filterEvent(_XEvent*) (kmanagerselection.cpp:224)
==8256==    by 0x57CF83D: KApplication::x11EventFilter(_XEvent*) (kapplication.cpp:918)
==8256==    by 0x4EAE3A9: KWin::Application::x11EventFilter(_XEvent*) (main.cpp:364)
==8256==    by 0x9C0459B: qt_x11EventFilter(_XEvent*) (in /usr/lib/x86_64-linux-gnu/libQtGui.so.4.8.2)
==8256==  Address 0x21398b48 is 8 bytes inside a block of size 208 free'd
==8256==    at 0x4C2A4BC: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==8256==    by 0x4F0D4BF: KWin::Unmanaged::~Unmanaged() (unmanaged.cpp:40)
==8256==    by 0x4F0D9E0: KWin::Unmanaged::deleteUnmanaged(KWin::Unmanaged*, KWin::allowed_t) (unmanaged.cpp:113)
==8256==    by 0x4F0D9AB: KWin::Unmanaged::release(bool) (unmanaged.cpp:108)
==8256==    by 0x4E73509: KWin::Workspace::~Workspace() (workspace.cpp:537)
==8256==    by 0x4E73B1D: KWin::Workspace::~Workspace() (workspace.cpp:564)
==8256==    by 0x4EAE31C: KWin::Application::lostSelection() (main.cpp:354)
==8256==    by 0x4EAF57C: KWin::Application::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) (main.moc:51)
==8256==    by 0x968A31E: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==8256==    by 0x582FB12: KSelectionOwner::filterEvent(_XEvent*) (kmanagerselection.cpp:224)
==8256==    by 0x57CF83D: KApplication::x11EventFilter(_XEvent*) (kapplication.cpp:918)
==8256==    by 0x4EAE3A9: KWin::Application::x11EventFilter(_XEvent*) (main.cpp:364)
==8256== 
==8256== Invalid read of size 4
==8256==    at 0x968A0C9: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==8256==    by 0x4F0D06C: KWin::Toplevel::windowClosed(KWin::Toplevel*, KWin::Deleted*) (toplevel.moc:354)
==8256==    by 0x4F0D882: KWin::Unmanaged::release(bool) (unmanaged.cpp:95)
==8256==    by 0x4E73509: KWin::Workspace::~Workspace() (workspace.cpp:537)
==8256==    by 0x4E73B1D: KWin::Workspace::~Workspace() (workspace.cpp:564)
==8256==    by 0x4EAE31C: KWin::Application::lostSelection() (main.cpp:354)
==8256==    by 0x4EAF57C: KWin::Application::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) (main.moc:51)
==8256==    by 0x968A31E: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==8256==    by 0x582FB12: KSelectionOwner::filterEvent(_XEvent*) (kmanagerselection.cpp:224)
==8256==    by 0x57CF83D: KApplication::x11EventFilter(_XEvent*) (kapplication.cpp:918)
==8256==    by 0x4EAE3A9: KWin::Application::x11EventFilter(_XEvent*) (main.cpp:364)
==8256==    by 0x9C0459B: qt_x11EventFilter(_XEvent*) (in /usr/lib/x86_64-linux-gnu/libQtGui.so.4.8.2)
==8256==  Address 0x60 is not stack'd, malloc'd or (recently) free'd
==8256== 
Application::crashHandler() called with signal 11; recent crashes: 1
KCrash: Application 'kwin' crashing...
KCrash: Attempting to start /usr/lib/kde4/libexec/drkonqi from kdeinit
QDBusConnection: session D-Bus connection created before QCoreApplication. Application may misbehave.
==8256== Invalid read of size 4
==8256==    at 0x5829FA0: startFromKdeinit(int, char const**) (kcrash.cpp:781)
==8256==    by 0x582AA25: KCrash::startProcess(int, char const**, bool) (kcrash.cpp:537)
==8256==    by 0x582AE30: KCrash::defaultCrashHandler(int) (kcrash.cpp:435)
==8256==    by 0x521E47F: ??? (in /lib/x86_64-linux-gnu/libc-2.15.so)
==8256==    by 0x968A0C8: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==8256==    by 0x4F0D06C: KWin::Toplevel::windowClosed(KWin::Toplevel*, KWin::Deleted*) (toplevel.moc:354)
==8256==    by 0x4F0D882: KWin::Unmanaged::release(bool) (unmanaged.cpp:95)
==8256==    by 0x4E73509: KWin::Workspace::~Workspace() (workspace.cpp:537)
==8256==    by 0x4E73B1D: KWin::Workspace::~Workspace() (workspace.cpp:564)
==8256==    by 0x4EAE31C: KWin::Application::lostSelection() (main.cpp:354)
==8256==    by 0x4EAF57C: KWin::Application::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) (main.moc:51)
==8256==    by 0x968A31E: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==8256==  Address 0x1b219590 is 0 bytes inside a block of size 3 alloc'd
==8256==    at 0x4C2B6CD: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==8256==    by 0x5829F00: startFromKdeinit(int, char const**) (kcrash.cpp:660)
==8256==    by 0x582AA25: KCrash::startProcess(int, char const**, bool) (kcrash.cpp:537)
==8256==    by 0x582AE30: KCrash::defaultCrashHandler(int) (kcrash.cpp:435)
==8256==    by 0x521E47F: ??? (in /lib/x86_64-linux-gnu/libc-2.15.so)
==8256==    by 0x968A0C8: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==8256==    by 0x4F0D06C: KWin::Toplevel::windowClosed(KWin::Toplevel*, KWin::Deleted*) (toplevel.moc:354)
==8256==    by 0x4F0D882: KWin::Unmanaged::release(bool) (unmanaged.cpp:95)
==8256==    by 0x4E73509: KWin::Workspace::~Workspace() (workspace.cpp:537)
==8256==    by 0x4E73B1D: KWin::Workspace::~Workspace() (workspace.cpp:564)
==8256==    by 0x4EAE31C: KWin::Application::lostSelection() (main.cpp:354)
==8256==    by 0x4EAF57C: KWin::Application::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) (main.moc:51)
==8256==
Comment 24 Thomas Lübking 2012-09-08 11:48:01 UTC
Created attachment 73742 [details]
Track adding

testing pointer sanity of 0x21398b40 
seems sane 
testing pointer sanity of 0x21398b40 
==8256== Invalid read of size 4

An entry is twice in the list, so yes - clearly a double free.

The new attachment tracks adding of unmanaged windows, and if an already present pointer is attempted to be added to the list, the code aborts and tries to provide as much info as possible about the unmanaged window (while most fields will likely be junk).

Let's hope the backtrace tells us what causes the double add (but the reason will be that there are two MapNotify events w/o an unmap notification in between...).
The former tracking patch, however, did not suggest so (or at least I can't see it).
Comment 25 Albert Astals Cid 2012-09-08 13:17:25 UTC
Nope, never triggers
Comment 26 Thomas Lübking 2012-09-08 13:57:16 UTC
Created attachment 73745 [details]
Fix releasing unmanaged windows

Thanks a lot.
The list is corrupted during the pass because Unmanaged::releaseWindow, unlike Client::releaseWindow, manipulates it onShutdown.

Please, for a final try, confirm that the new patch fixes the issue.
Comment 27 Albert Astals Cid 2012-09-08 15:13:39 UTC
Yes, that fixes the crashes and valgrind warnings for me when replacing kwin with unity/compiz.
Comment 28 Thomas Lübking 2012-09-08 18:49:09 UTC
New and better RR https://git.reviewboard.kde.org/r/106382/
Comment 29 Thomas Lübking 2012-09-11 11:14:18 UTC
*** Bug 306597 has been marked as a duplicate of this bug. ***
Comment 30 Martin Flöser 2012-09-13 06:16:30 UTC
*** Bug 306715 has been marked as a duplicate of this bug. ***
Comment 31 Mebuntu 2012-09-15 18:32:35 UTC
Created attachment 73949 [details]
New crash information added by DrKonqi

kwin (4.9.1) on KDE Platform 4.9.1 using Qt 4.8.2

- What I was doing when the application crashed:

15 Sept 2012: shutting down the latest pushed version of kwin and it crashed.

-- Backtrace (Reduced):
#7  0x00007f304a1fcf7f in KWin::Toplevel::windowClosed (this=<optimized out>, _t1=0x10723c0, _t2=0x0) at ./toplevel.moc:354
#8  0x00007f304a1fdc63 in KWin::Unmanaged::release (this=0x10723c0, on_shutdown=true) at ../../kwin/unmanaged.cpp:89
#9  0x00007f304a18ec22 in KWin::Workspace::~Workspace (this=0x8a7fa0, __in_chrg=<optimized out>) at ../../kwin/workspace.cpp:537
#10 0x00007f304a18f469 in KWin::Workspace::~Workspace (this=0x8a7fa0, __in_chrg=<optimized out>) at ../../kwin/workspace.cpp:564
#11 0x00007f304a1aac95 in KWin::Application::~Application (this=0x7fff2955a170, __in_chrg=<optimized out>) at ../../kwin/main.cpp:343
Comment 32 Thomas Lübking 2012-09-19 19:09:19 UTC
Git commit f90b52838b1bc35d580935cd4aa64fc12792f501 by Thomas Lübking.
Committed on 14/09/2012 at 16:10.
Pushed by luebking into branch 'KDE/4.9'.

Do not unlist Unmanaged when released onShutdown
FIXED-IN: 4.9.2
REVIEW: 106382

M  +1    -1    kwin/unmanaged.cpp

http://commits.kde.org/kde-workspace/f90b52838b1bc35d580935cd4aa64fc12792f501
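Added example (a constructed model, not KWin's code): the page does not show the destructor's loop or the list type, so this walks a std::vector by index with a fixed bound, and the damage shows up as skipped entries and an overrun rather than the double free in the valgrind log above, but the cause is the one comment 26 names, Unmanaged::release unlisting itself while the list is being walked. Tracker models what the "Track unmanaged"/"Track adding" patches looked for; Workspace, Unmanaged, shutdownPass, simulateShutdown and doubleAddProblems are assumed names.

```cpp
// Constructed model of the shutdown hazard in this report; not KWin's code.
#include <algorithm>
#include <deque>
#include <map>
#include <stdexcept>
#include <vector>

struct Unmanaged;

// Debug registry in the spirit of the "Track unmanaged"/"Track adding" patches: adds and
// releases are recorded, so a duplicate add or a release of an unlisted pointer is flagged.
struct Tracker {
    std::vector<Unmanaged*> live;
    std::map<Unmanaged*, int> releases;
    int problems = 0;
    void onAdd(Unmanaged* u) {
        if (std::find(live.begin(), live.end(), u) != live.end()) ++problems; // listed twice
        live.push_back(u);
    }
    void onRelease(Unmanaged* u) {
        auto it = std::find(live.begin(), live.end(), u);
        if (it == live.end()) ++problems;  // unlisted pointer: this would be a double free
        else live.erase(it);
        ++releases[u];
    }
};

struct Workspace {
    std::vector<Unmanaged*> unmanaged;  // the list the destructor walks
    Tracker tracker;
    void addUnmanaged(Unmanaged* u) { tracker.onAdd(u); unmanaged.push_back(u); }
    void removeUnmanaged(Unmanaged* u) {
        unmanaged.erase(std::remove(unmanaged.begin(), unmanaged.end(), u), unmanaged.end());
    }
    bool shutdownPass(bool unlistOnShutdown);
};

// Stand-in for KWin::Unmanaged, an override-redirect window the WM only tracks.
struct Unmanaged {
    Workspace* ws;
    explicit Unmanaged(Workspace* w) : ws(w) {}
    // Buggy variant: unlists itself even on shutdown, mutating the list being walked.
    // Fixed variant (the 4.9.2 change): on shutdown the entry stays; the pass clears.
    void release(bool onShutdown, bool unlistOnShutdown) {
        ws->tracker.onRelease(this);
        if (!onShutdown || unlistOnShutdown) ws->removeUnmanaged(this);
    }
};

// The destructor's pass: release every entry, then drop the list once. The bound is
// fixed up front, so an erase inside release() shifts later entries under the running
// index; at() turns the resulting overrun into an exception instead of undefined behaviour.
bool Workspace::shutdownPass(bool unlistOnShutdown) {
    const size_t n = unmanaged.size();
    try {
        for (size_t i = 0; i < n; ++i) unmanaged.at(i)->release(true, unlistOnShutdown);
    } catch (const std::out_of_range&) { return false; }  // list shrank under the loop
    unmanaged.clear();
    return true;
}

struct Outcome { int released; int neverReleased; int problems; bool cleanPass; };

Outcome simulateShutdown(int windows, bool unlistOnShutdown) {
    Workspace ws;
    std::deque<Unmanaged> storage;  // owns the windows with stable addresses (model only)
    for (int i = 0; i < windows; ++i) {
        storage.emplace_back(&ws);
        ws.addUnmanaged(&storage.back());
    }
    bool clean = ws.shutdownPass(unlistOnShutdown);
    return { int(ws.tracker.releases.size()), int(ws.tracker.live.size()), ws.tracker.problems, clean };
}

int doubleAddProblems() {  // what "Track adding" looked for: one window listed twice
    Workspace ws; Unmanaged u(&ws);
    ws.addUnmanaged(&u); ws.addUnmanaged(&u);
    return ws.tracker.problems;
}
```

With four windows the unlisting variant releases only the first and third entries, leaves two never released and runs past the list; the non-unlisting variant releases all four and clears the list once.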