Bug 351839

Summary: segfault in QV4::ExecutionEngine::newStringObject
Product: [Plasma] kwin Reporter: Josh <jsh.janssen>
Component: auroraeAssignee: KWin default assignee <kwin-bugs-null>
Status: RESOLVED WORKSFORME    
Severity: crash CC: a.skembris, davidsboogs, dutchgigalo, eloysgr, fabian, kde, kdebugs, krejzi, L.Bonnaud, mike.cloaked, nate, sdtrial, simonandric5, vincenzo.romano, xpr1927, zexx86
Priority: NOR    
Version: 5.3.2   
Target Milestone: ---   
Platform: Arch Linux   
OS: Linux   
See Also: https://bugs.kde.org/show_bug.cgi?id=349921
https://bugs.kde.org/show_bug.cgi?id=351767
https://bugs.kde.org/show_bug.cgi?id=351763
https://bugs.kde.org/show_bug.cgi?id=357742
https://bugs.kde.org/show_bug.cgi?id=358966
Latest Commit: Version Fixed In:
Sentry Crash Report:
Attachments: KWin supportInformation
Backtrace of KWin stopped process when crash happens

Description Josh 2015-08-27 07:01:19 UTC 
kwin_x11 crashes if multiple windows are launched soon (seems to be about 15 seconds in) after plasma 5 has started (SDDM).

Firstly i apologize if this report isn't up to standard, haven't filed a bug report before, since this is reproducible with drivers (Arch packaged): "nvidia-340xx", "nvidia" and nouveau, I thought it would be worth reporting.

I've tried removing ~/.kde4 with no fix, i've disabled all Desktop effects, installed themes and icons, still the issue persists.



Reproducible: Always

Steps to Reproduce:
1.Start Plasma
2.Open "System Settings" then "Konsole" from Application Launcher quickly
3.kwin locks up

Actual Results:  
With Nvidia drivers, Kwin normally relaunches and starts error reporting. otherwise locks up as soon as the second window is drawn

With Nouveau, Kwin freezes before second window is launched (instantly after click)

Expected Results:  
Kwin doesn't lock up

Application: KWin (kwin_x11), signal: Segmentation fault
Using host libthread_db library "/usr/lib/libthread_db.so.1".
[Current thread is 1 (Thread 0x7f00ec765840 (LWP 2733))]

full backtrace pulled when using nvidia drivers,
http://pastebin.com/GcSgDcfH

hardware configuration:

GPU: GTX 570 (primary)
# GPU: AMD R9 290 (added to pci-stub so not relevant)
CPU: AMD FX8320
RAM: 16gb ddr3
Comment 1 Thomas Lübking 2015-08-27 07:05:32 UTC 
Do never use pastebin for relevant bug information.
------------------

Application: KWin (kwin_x11), signal: Segmentation fault
Using host libthread_db library "/usr/lib/libthread_db.so.1".
[Current thread is 1 (Thread 0x7f00ec765840 (LWP 2733))]

Thread 6 (Thread 0x7f00ca0e4700 (LWP 2743)):
#0  0x00007f00eba02428 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /usr/lib/libpthread.so.0
#1  0x00007f00e9d08c66 in QWaitCondition::wait(QMutex*, unsigned long) () from /usr/lib/libQt5Core.so.5
#2  0x00007f00e9d04723 in ?? () from /usr/lib/libQt5Core.so.5
#3  0x00007f00e9d07a9e in ?? () from /usr/lib/libQt5Core.so.5
#4  0x00007f00eb9fc4a4 in start_thread () from /usr/lib/libpthread.so.0
#5  0x00007f00ec19612d in clone () from /usr/lib/libc.so.6

Thread 5 (Thread 0x7f00c941c700 (LWP 2747)):
#0  0x00007f00ec18ee23 in select () from /usr/lib/libc.so.6
#1  0x00007f00e9f3a91f in qt_safe_select(int, fd_set*, fd_set*, fd_set*, timespec const*) () from /usr/lib/libQt5Core.so.5
#2  0x00007f00e9f3c3f7 in QEventDispatcherUNIXPrivate::doSelect(QFlags<QEventLoop::ProcessEventsFlag>, timespec*) () from /usr/lib/libQt5Core.so.5
#3  0x00007f00e9f3c8fe in QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/libQt5Core.so.5
#4  0x00007f00e9ee626a in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/libQt5Core.so.5
#5  0x00007f00e9d02af4 in QThread::exec() () from /usr/lib/libQt5Core.so.5
#6  0x00007f00e41bd335 in ?? () from /usr/lib/libQt5Qml.so.5
#7  0x00007f00e9d07a9e in ?? () from /usr/lib/libQt5Core.so.5
#8  0x00007f00eb9fc4a4 in start_thread () from /usr/lib/libpthread.so.0
#9  0x00007f00ec19612d in clone () from /usr/lib/libc.so.6

Thread 4 (Thread 0x7f00c3dfa700 (LWP 2752)):
#0  0x00007f00eba02428 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /usr/lib/libpthread.so.0
#1  0x00007f00e9d08c66 in QWaitCondition::wait(QMutex*, unsigned long) () from /usr/lib/libQt5Core.so.5
#2  0x00007f00e9d04723 in ?? () from /usr/lib/libQt5Core.so.5
#3  0x00007f00e9d07a9e in ?? () from /usr/lib/libQt5Core.so.5
#4  0x00007f00eb9fc4a4 in start_thread () from /usr/lib/libpthread.so.0
#5  0x00007f00ec19612d in clone () from /usr/lib/libc.so.6

Thread 3 (Thread 0x7f00c349c700 (LWP 2753)):
#0  0x00007f00eba0207f in pthread_cond_wait@@GLIBC_2.3.2 () from /usr/lib/libpthread.so.0
#1  0x00007f00e8c44564 in ?? () from /usr/lib/libQt5Script.so.5
#2  0x00007f00e8c445a9 in ?? () from /usr/lib/libQt5Script.so.5
#3  0x00007f00eb9fc4a4 in start_thread () from /usr/lib/libpthread.so.0
#4  0x00007f00ec19612d in clone () from /usr/lib/libc.so.6

Thread 2 (Thread 0x7f0036364700 (LWP 2974)):
#0  0x00007f00ec18ee23 in select () from /usr/lib/libc.so.6
#1  0x00007f00e9f3a91f in qt_safe_select(int, fd_set*, fd_set*, fd_set*, timespec const*) () from /usr/lib/libQt5Core.so.5
#2  0x00007f00e9f3c3f7 in QEventDispatcherUNIXPrivate::doSelect(QFlags<QEventLoop::ProcessEventsFlag>, timespec*) () from /usr/lib/libQt5Core.so.5
#3  0x00007f00e9f3c8fe in QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/libQt5Core.so.5
#4  0x00007f00e9ee626a in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/libQt5Core.so.5
#5  0x00007f00e9d02af4 in QThread::exec() () from /usr/lib/libQt5Core.so.5
#6  0x00007f00e41bd335 in ?? () from /usr/lib/libQt5Qml.so.5
#7  0x00007f00e9d07a9e in ?? () from /usr/lib/libQt5Core.so.5
#8  0x00007f00eb9fc4a4 in start_thread () from /usr/lib/libpthread.so.0
#9  0x00007f00ec19612d in clone () from /usr/lib/libc.so.6

Thread 1 (Thread 0x7f00ec765840 (LWP 2733)):
[KCrash Handler]
#5  0x00007f00e411453a in QV4::Heap::String::append(QV4::Heap::String const*, QChar*) () from /usr/lib/libQt5Qml.so.5
#6  0x00007f00e4114615 in QV4::Heap::String::simplifyString() const () from /usr/lib/libQt5Qml.so.5
#7  0x00007f00e40cf818 in ?? () from /usr/lib/libQt5Qml.so.5
#8  0x00007f00e4076973 in QV4::ExecutionEngine::newStringObject(QV4::Value const&) () from /usr/lib/libQt5Qml.so.5
#9  0x00007f00e410f922 in QV4::Runtime::getProperty(QV4::ExecutionEngine*, QV4::Value const&, int) () from /usr/lib/libQt5Qml.so.5
#10 0x00007f00eb364b39 in ?? ()
#11 0x00007f00e4ad4fc2 in QQuickItem::staticMetaObject () from /usr/lib/libQt5Quick.so.5
#12 0x00007f002cea6260 in ?? ()
#13 0x0000000003c6cfb0 in ?? ()
#14 0x00007f002cea6258 in ?? ()
#15 0x0000000002771190 in ?? ()
#16 0x00007f00ea46d7f9 in ?? () from /usr/lib/libQt5Gui.so.5
#17 0x0000000002771190 in ?? ()
#18 0x0000000002771190 in ?? ()
#19 0x0000000003c69ff8 in ?? ()
#20 0x0000000000000003 in ?? ()
#21 0x0000000003c71500 in ?? ()
#22 0x00007f00e44fe300 in ?? () from /usr/lib/libQt5Qml.so.5
#23 0x00007f002cea61f8 in ?? ()
#24 0x0000000002771190 in ?? ()
#25 0x00007ffddd2df4f0 in ?? ()
#26 0x00007f00c82136b0 in ?? ()
#27 0x0000000000000000 in ?? ()
Comment 2 Thomas Lübking 2015-08-27 07:09:13 UTC 
Looks related to bug #351767 or bug #349921

Can you please attach (to the bug) the output of
    qdbus org.kde.KWin /KWin supportInformation
Comment 3 Josh 2015-08-27 07:23:32 UTC 
Created attachment 94243 [details]
KWin supportInformation
Comment 4 Thomas Lübking 2015-08-27 07:28:49 UTC 
> Plugin: org.kde.kwin.aurorae
> Theme: __aurorae__svg__PapirusDark

Please try to select the "breeze" decoration (not an aurorae theme) in "kcmshell5 kwindecoration"

> OpenGL vendor string: nouveau
> OpenGL renderer string: Gallium 0.4 on NVC8

nouveau is at this point considered to be generally less reliable than the nvidia blob.
Comment 5 Josh 2015-08-27 07:41:24 UTC 
(In reply to Thomas Lübking from comment #4)
> > Plugin: org.kde.kwin.aurorae
> > Theme: __aurorae__svg__PapirusDark
> 
> Please try to select the "breeze" decoration (not an aurorae theme) in
> "kcmshell5 kwindecoration"
> 
> > OpenGL vendor string: nouveau
> > OpenGL renderer string: Gallium 0.4 on NVC8
> 
> nouveau is at this point considered to be generally less reliable than the
> nvidia blob.

Thats awkward, changing the theme back to "breeze" appears to have solved the crashing, tested with both nvidia and nouveau. thanks
Comment 6 Josh 2015-08-28 00:24:27 UTC 
Seems to be resolved with Plasma 5.4 in Arch testing repos, themes working with kwin as expected (no crashing). I'll mark as  resolved.
Comment 7 Thomas Lübking 2015-12-14 15:52:36 UTC 
*** Bug 356480 has been marked as a duplicate of this bug. ***
Comment 8 Thomas Lübking 2016-01-19 11:11:24 UTC 
*** Bug 357742 has been marked as a duplicate of this bug. ***
Comment 9 Thomas Lübking 2016-01-19 11:11:35 UTC 
*** Bug 358204 has been marked as a duplicate of this bug. ***
Comment 10 Thomas Lübking 2016-01-19 11:12:53 UTC 
*** Bug 349921 has been marked as a duplicate of this bug. ***
Comment 11 Angelos Skembris 2016-01-26 10:47:07 UTC 
Created attachment 96847 [details]
Backtrace of KWin stopped process when crash happens
Comment 12 Angelos Skembris 2016-01-26 10:53:47 UTC 
I was informed I came across this bug, see https://forum.kde.org/viewtopic.php?f=111&t=130565 for the investigation that took place.

In order to reproduce the bug consistently, using an aurorae-based theme and a dual monitor set up, I do the following:

1) Open a VM in Virtualbox in the second monitor and close Virtualbox Manager so that only the VM window is in the second monitor, maximized.
2) Open Firefox (via taskbar icon).

Firefox will try to open on the main monitor and kwin will crash, with no DrKonqi to help out. Breeze decorations don't have this problem.

The VM window needs to be the last active window before opening firefox, otherwise it's not triggered.

I have attached a backtrace using gdb, but some symbols are missing, not sure from which packages.

I am on OpenSUSE Tumbleweed, with KWin 5.5.3. Can reproduce consistently on Intel graphics laptop and ATI graphics desktop.
Comment 13 Martin Flöser 2016-01-26 12:03:42 UTC 
> 2) Open Firefox (via taskbar icon).

you mean launching a firefox instance?
Comment 14 Angelos Skembris 2016-01-26 12:08:03 UTC 
 (In reply to Martin Gräßlin from comment #13)
> > 2) Open Firefox (via taskbar icon).
> 
> you mean launching a firefox instance?

Yes, It definitely triggers when the only and last activated window is the Virtualbox window, and I click on the taskbar icon of Firefox. I also have an icon in the  "Desktop folder" widget, but I hardly use it.
Comment 15 Martin Flöser 2016-01-26 12:15:32 UTC 
For me the steps don't work. This could either mean there is more in it to reproduce it or it's fixed with Qt 5.6 (which I doubt).

The backtraces never show from where in KWin the crash happens. If there is a chance to get the ?? sections in the backtrace filled, I have hope that we can fix it.
Comment 16 Martin Flöser 2016-01-26 12:32:25 UTC 
> or it's fixed with Qt 5.6

which might be the case. The code in question changed significantly. The line 
QV4::Heap::StringObject::StringObject (this=<optimized out>, engine=0x2ac1220, val=...)
    at /usr/src/debug/qtdeclarative-opensource-src-5.5.1/src/qml/jsruntime/qv4stringobject.cpp:91

doesn't exist at all in 5.6 branch.
Comment 17 Fabian Vogt 2016-01-26 12:44:55 UTC 
I can reproduce it reliably by running

while true; do (kwrite &); sleep 1; killall kwrite; done

for a few minutes and then switching to an aurorae based theme.
I'm also using Qt 5.5.1, so it might be fixed.

The backtrace looks like:

#25 0x00007fffef9c6c70 in QQmlComponent::create(QQmlContext*) () at /usr/lib64/libQt5Qml.so.5
#26 0x00007fffc42b5474 in  () at /usr/lib64/qt5/plugins/org.kde.kdecoration2/kwin5_aurorae.so
#27 0x00007ffff73278c0 in  () at /usr/lib64/libkwin.so.5
#28 0x00007ffff721cba9 in  () at /usr/lib64/libkwin.so.5
#29 0x00007ffff7225c3b in  () at /usr/lib64/libkwin.so.5
#30 0x00007ffff725b669 in  () at /usr/lib64/libkwin.so.5
#31 0x00007ffff73273ec in  () at /usr/lib64/libkwin.so.5
#32 0x00007ffff7329942 in  () at /usr/lib64/libkwin.so.5
#33 0x00007ffff5727e17 in QMetaObject::activate(QObject*, int, int, void**) () at /usr/lib64/libQt5Core.so.5
#34 0x00007ffff720cef1 in KWin::Workspace::slotReconfigure() () at /usr/lib64/libkwin.so.5

with full debug info. Somehow gdb does not like kwin debugging, it does not show some symbols.
Comment 18 Thomas Lübking 2016-01-26 12:58:46 UTC 
No idea whether it's "fixed", but QML apparently gets a completely new data allocation mechanism:
http://code.qt.io/cgit/qt/qtdeclarative.git/commit/src/qml/jsruntime/qv4stringobject.cpp?id=17a0c271e0ec606d15fc87dab23b2e3750c0e301

So we won't see *this* backtrace for sure on Qt 5.6
The problem is however the nullptr deref of the "string" member and that "merely" changed from "string = ic->engine->newString();" to "string = internalClass->engine->id_empty()->d();" - neither looks like there should ever be a nullptr. Maybe even the StringObject is nullptr.
Comment 19 Thomas Lübking 2016-01-26 13:00:32 UTC 
Stupid question: FF is gtk3 on at least fedora. Do your FFs have a system titlebar?
Comment 20 Thomas Lübking 2016-01-26 14:04:37 UTC 
Another thing I could think of because of the described pattern would be a problem w/ the Helper::ref/unref stuff - eg. if anything in QtQuick keeps/kept a dead engine around?

Also what about operating on m_context /after/ the ::unref() call might have nuked engine and components and stuff?
Comment 21 Martin Flöser 2016-01-26 14:27:07 UTC 
> if anything in QtQuick keeps/kept a dead engine around?

I can add asserts to my local build.
Comment 22 Thomas Lübking 2016-02-06 12:18:02 UTC 
*** Bug 359064 has been marked as a duplicate of this bug. ***
Comment 23 Thomas Lübking 2016-03-09 18:31:25 UTC 
*** Bug 360323 has been marked as a duplicate of this bug. ***
Comment 24 Martin Flöser 2016-04-01 13:40:52 UTC 
seems like we have a Qt 5.6 variant: https://bugs.kde.org/show_bug.cgi?id=361236
Comment 25 Thomas Lübking 2016-05-15 11:51:25 UTC 
*** Bug 363094 has been marked as a duplicate of this bug. ***
Comment 26 Martin Flöser 2016-08-04 15:49:04 UTC 
*** Bug 366385 has been marked as a duplicate of this bug. ***
Comment 27 Martin Flöser 2016-09-02 12:12:36 UTC 
*** Bug 358966 has been marked as a duplicate of this bug. ***
Comment 28 Martin Flöser 2016-09-09 10:51:16 UTC 
*** Bug 368297 has been marked as a duplicate of this bug. ***
Comment 29 Steven Dobai 2016-10-25 07:04:51 UTC 
Hello,
 These crashes happen with KDE neon too.
Comment 30 Christoph Feck 2017-01-04 14:50:21 UTC 
*** Bug 357631 has been marked as a duplicate of this bug. ***
Comment 31 David Edmundson 2022-02-24 00:06:59 UTC 
This is super old with no duplicates. Closing