Bug 323383

Summary: KWin crash when did kwin_gles --replace and kwin --replace soon after.
Product: [Plasma] kwin Reporter: Marek Paśnikowski <mail>
Component: general Assignee: KWin default assignee <kwin-bugs-null>
Status: RESOLVED FIXED    
Severity: crash Keywords: drkonqi
Priority: NOR Flags: thomas.luebking: ReviewRequest+
Version: 4.10.97   
Target Milestone: ---   
Platform: openSUSE   
OS: Linux   
URL: https://git.reviewboard.kde.org/r/112020/

Description Marek Paśnikowski 2013-08-11 16:31:22 UTC
Application: kwin (4.10.97)
KDE Platform Version: 4.10.97
Qt Version: 4.8.5
Operating System: Linux 3.10.5-1.g4e0ffc2-desktop x86_64
Distribution: "openSUSE 13.1 Milestone 4 (x86_64)"

-- Information about the crash:
- What I was doing when the application crashed:

I wanted to see how kwin_gles works in KDE 4.11. When I issued kwin_gles --replace, all I got was a black screen with a cursor. So I issued kwin --replace and a couple of seconds later I found the crash report among my windows. So here you have the trace.

-- Backtrace:
Application: KWin (kwin), signal: Segmentation fault
Using host libthread_db library "/lib64/libthread_db.so.1".
[Current thread is 1 (Thread 0x7fde4c5c4880 (LWP 1269))]

Thread 2 (Thread 0x7fde2757b700 (LWP 1278)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
#1  0x00007fde2c6f637b in ?? () from /usr/lib64/dri/r600_dri.so
#2  0x00007fde465c7e0b in start_thread (arg=0x7fde2757b700) at pthread_create.c:308
#3  0x00007fde4bdaf04d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

Thread 1 (Thread 0x7fde4c5c4880 (LWP 1269)):
[KCrash Handler]
#6  0x00007fde469639c7 in QMetaObject::cast (this=0x7fde4c406f80 <KWin::Client::staticMetaObject>, obj=0x2af1fb0) at kernel/qmetaobject.cpp:274
#7  0x00007fde4c0eb053 in qobject_cast<KWin::Client*> (object=<optimized out>) at /usr/include/QtCore/qobject.h:380
#8  KWin::Placement::placeSmart (this=<optimized out>, c=0x2b815b0, area=...) at /usr/src/debug/kde-workspace-4.10.97/kwin/placement.cpp:211
#9  0x00007fde4c12525c in KWin::Client::changeMaximize (this=0x2b815b0, vertical=176, horizontal=7, adjust=adjust@entry=false) at /usr/src/debug/kde-workspace-4.10.97/kwin/geometry.cpp:2325
#10 0x00007fde4c1288c9 in KWin::Client::setMaximize (this=0x2b815b0, vertically=<optimized out>, horizontally=<optimized out>) at /usr/src/debug/kde-workspace-4.10.97/kwin/geometry.cpp:2124
#11 0x00007fde4c12a37a in KWin::Client::setQuickTileMode (this=0x2b815b0, mode=..., keyboard=<optimized out>) at /usr/src/debug/kde-workspace-4.10.97/kwin/geometry.cpp:3175
#12 0x00007fde4c0dbcac in KWin::Client::untab (this=0x2b815b0, toGeometry=..., clientRemoved=<optimized out>) at /usr/src/debug/kde-workspace-4.10.97/kwin/client.cpp:1894
#13 0x00007fde4c0e00f9 in KWin::Client::releaseWindow (this=0x2b815b0, on_shutdown=<optimized out>) at /usr/src/debug/kde-workspace-4.10.97/kwin/client.cpp:291
#14 0x00007fde4c0d3c57 in KWin::Workspace::~Workspace (this=0x23d1770, __in_chrg=<optimized out>) at /usr/src/debug/kde-workspace-4.10.97/kwin/workspace.cpp:429
#15 0x00007fde4c0d42a9 in KWin::Workspace::~Workspace (this=0x23d1770, __in_chrg=<optimized out>) at /usr/src/debug/kde-workspace-4.10.97/kwin/workspace.cpp:454
#16 0x00007fde4c0f21c7 in KWin::Application::lostSelection (this=0x7fff8267aac0) at /usr/src/debug/kde-workspace-4.10.97/kwin/main.cpp:406
#17 0x00007fde46971358 in QMetaObject::activate (sender=0x7fff8267aad8, m=<optimized out>, local_signal_index=<optimized out>, argv=0x0) at kernel/qobject.cpp:3556
#18 0x00007fde4aa5d223 in KSelectionOwner::filterEvent (this=0x7fff8267aad8, ev_P=<optimized out>) at /usr/src/debug/kdelibs-4.10.97/kdeui/util/kmanagerselection.cpp:224
#19 0x00007fde4a9fbdee in publicx11Event (e=<optimized out>, this=<optimized out>) at /usr/src/debug/kdelibs-4.10.97/kdeui/kernel/kapplication.cpp:918
#20 KApplication::x11EventFilter (this=0x2af1fb0, _event=0x7fff8267a6d0) at /usr/src/debug/kdelibs-4.10.97/kdeui/kernel/kapplication.cpp:930
#21 0x00007fde45b469cc in qt_x11EventFilter (ev=0x7fff8267a6d0) at kernel/qapplication_x11.cpp:435
#22 0x00007fde45b544d9 in QApplication::x11ProcessEvent (this=0x7fff8267aac0, event=0x7fff8267a6d0) at kernel/qapplication_x11.cpp:3363
#23 0x00007fde45b7c1f0 in QEventDispatcherX11::processEvents (this=0x2152110, flags=...) at kernel/qeventdispatcher_x11.cpp:132
#24 0x00007fde4695c2ff in QEventLoop::processEvents (this=this@entry=0x7fff8267a930, flags=...) at kernel/qeventloop.cpp:149
#25 0x00007fde4695c5f5 in QEventLoop::exec (this=0x7fff8267a930, flags=...) at kernel/qeventloop.cpp:204
#26 0x00007fde4696172b in QCoreApplication::exec () at kernel/qcoreapplication.cpp:1221
#27 0x00007fde4c0f4106 in kdemain (argc=1, argv=0x7fff8267ac08) at /usr/src/debug/kde-workspace-4.10.97/kwin/main.cpp:589
#28 0x00007fde4bce8a35 in __libc_start_main (main=0x400730 <main(int, char**)>, argc=1, ubp_av=0x7fff8267ac08, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fff8267abf8) at libc-start.c:258
#29 0x0000000000400761 in _start () at ../sysdeps/x86_64/start.S:123

Reported using DrKonqi
Comment 1 Thomas Lübking 2013-08-11 16:55:59 UTC
Crash on exit.

Untabbing unmaximizes a window which has no valid restore position and attempts to place it.

At this time, the stacking_order contains any amount of dangling pointers (released clients) and the qobject_cast crashes.

Luckily a very remote case, but valid issue nevertheless.
Thanks for the report!
Comment 2 Marek Paśnikowski 2013-08-11 17:14:40 UTC
Does the trace indicate that I had tabbed windows? I performed a quick reproduction with (1) and without (2) tabbed windows.
1. Crash happened and after kwin --replace the tabbed windows got separated.
2. No crash. The black screen happened anyway, so it's a separate bug.
Comment 3 Marek Paśnikowski 2013-08-11 17:18:45 UTC
After submitting the previous comment I got the idea to do just kwin --replace, as in kwin -> kwin; no kwin_gles. The crash happens then as well.
Comment 4 Thomas Lübking 2013-08-11 17:39:24 UTC
#12 0x00007fde4c0dbcac in KWin::Client::untab (this=0x2b815b0, toGeometry=..., clientRemoved=<optimized out>) at /usr/src/debug/kde-workspace-4.10.97/kwin/client.cpp:1894

This is however no exclusive condition.
The problem (in this case, feel free to attach more backtraces) is that an unmaximization does not know where to place the unmaximized window directly ("from where it came"), thus falls back to a generic placement which needs to iterate over all windows.

Since some of those windows are already deleted, you end up resolving a dangling pointer.

As mentioned in the RR (feel free to stress the patch as well ;-) this affects all calls to (at least) stackingOrder during shutdown.

As you figured, the entire thing has nothing to do with the compositor or the GL backend.
Comment 5 Marek Paśnikowski 2013-08-12 11:47:16 UTC
Just in case, I want to clarify that I do not possess the skills to fix the code, yet. So do not expect me to provide patches, please. I have more to learn before I can start contributing code here. :)
Comment 6 Thomas Lübking 2013-08-12 11:52:35 UTC
You don't have to *provide* a patch, it's already written:
https://git.reviewboard.kde.org/r/112020/
But you can test it if you want.
Comment 7 Marek Paśnikowski 2013-08-13 11:37:44 UTC
I have tested the patch. Kwin doesn't crash anymore. The windows separate after kwin --replace.
Comment 8 Thomas Lübking 2013-08-13 11:59:06 UTC
(In reply to comment #7)
> I have tested the patch. Kwin doesn't crash anymore.
Good ;-)

> The windows separate after kwin --replace.
IIRC there's only region matching in place, so if they got spread apart by the shutdown (and unmaximization) that's for the moment expectable (though not ideal).
Comment 9 Thomas Lübking 2013-08-13 19:56:05 UTC
Git commit 97f94f8805d47c092424017c7dc860ea1f5d0239 by Thomas Lübking.
Committed on 11/08/2013 at 17:02.
Pushed by luebking into branch 'KDE/4.11'.

make stacking_order exclusive during shutdown

Client::releaseClient() deletes all Client objects
referenced by stacking_order, thus those pointers
dangle and everything trying to touch it died an ugly death.

REVIEW: 112020

M  +7    -2    kwin/workspace.cpp

http://commits.kde.org/kde-workspace/97f94f8805d47c092424017c7dc860ea1f5d0239
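
Added example, not part of the bug thread and not KWin's code or the committed patch: a toy model of the shutdown path described in comments 1, 4 and 9, where releasing a window triggers generic placement that walks a stacking order still listing already released clients. `ToyWorkspace` and `staleVisitsFor` are hypothetical names, and integer handles replace `Client*` so stale entries can be counted rather than dereferenced.

```cpp
#include <algorithm>
#include <set>
#include <vector>

// Toy model (assumption, not KWin code): clients are integer handles so a
// stale stacking-order entry can be counted instead of dereferenced.
struct ToyWorkspace {
    std::vector<int> stackingOrder;  // stands in for KWin's stacking_order
    std::set<int> live;              // handles whose object still exists
    int staleVisits = 0;             // stale entries reached by placement

    explicit ToyWorkspace(int n) {
        for (int id = 0; id < n; ++id) { stackingOrder.push_back(id); live.insert(id); }
    }

    // Generic placement has to look at every other window in the stack.
    void placeSmart(int self) {
        for (int other : stackingOrder)
            if (other != self && !live.count(other)) ++staleVisits;  // would be a dangling Client*
    }

    // Releasing a window un-maximizes it, which falls back to placement.
    void releaseWindow(int id) {
        placeSmart(id);
        live.erase(id);  // the client object is gone from here on
    }

    // Shutdown that leaves already released clients in the stacking order.
    void shutdownKeepingStaleEntries() {
        const std::vector<int> snapshot = stackingOrder;
        for (int id : snapshot) releaseWindow(id);
    }

    // Shutdown that takes each client out of the stacking order first.
    void shutdownExclusive() {
        const std::vector<int> snapshot = stackingOrder;
        for (int id : snapshot) {
            auto& s = stackingOrder;
            s.erase(std::remove(s.begin(), s.end(), id), s.end());
            releaseWindow(id);
        }
    }
};
// Number of stale entries placement touched during one full shutdown.
int staleVisitsFor(bool exclusive, int clients) {
    ToyWorkspace ws(clients);
    if (exclusive) ws.shutdownExclusive(); else ws.shutdownKeepingStaleEntries();
    return ws.staleVisits;
}
```

With four clients the first shutdown variant reaches a stale entry six times; each of those would be a use-after-free on a raw pointer, which is why building with AddressSanitizer is a practical way to catch this class of teardown bug.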