Bug 359664

Summary: xembedsniproxy random crashes (w/core dumps)
Product: [Plasma] plasmashell
Component: XembedSNIProxy
Status: RESOLVED FIXED
Severity: crash
Priority: NOR
Version: 5.5.4
Target Milestone: 1.0
Platform: Gentoo Packages
OS: Linux
Reporter: Fabio Coatti <fabio.coatti>
Assignee: Plasma Bugs List <plasma-bugs>
CC: bernhardu, kde, macieksitarz, mischa.salle, rdieter
Latest Commit:
Version Fixed In:
Sentry Crash Report:
Attachments: Check if image returned by xcb_image_get is null

Description Fabio Coatti 2016-02-22 11:46:43 UTC
I get several core dumps in my home dir coming from /usr/bin/xembedsniproxy
This happens with 5.5.4 of plasmashell/workspace; I've been able to get the backtrace, hope this will be useful.

Of course, I'm available for additional info.

Thanks,

Reproducible: Always

Core was generated by `/usr/bin/xembedsniproxy'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x000000000040f8b6 in SNIProxy::getImageNonComposite (this=this@entry=0x727e30)
    at /usr/src/debug/kde-plasma/plasma-workspace-5.5.4/plasma-workspace-5.5.4/xembed-sni-proxy/sniproxy.cpp:263
263         QImage naiveConversion = QImage(image->data, image->width, image->height, QImage::Format_ARGB32);
[Current thread is 1 (Thread 0x7fd1f19027c0 (LWP 28591))]
(gdb) bt
#0  0x000000000040f8b6 in SNIProxy::getImageNonComposite (this=this@entry=0x727e30)
    at /usr/src/debug/kde-plasma/plasma-workspace-5.5.4/plasma-workspace-5.5.4/xembed-sni-proxy/sniproxy.cpp:263
#1  0x000000000040fb87 in SNIProxy::update (this=0x727e30)
    at /usr/src/debug/kde-plasma/plasma-workspace-5.5.4/plasma-workspace-5.5.4/xembed-sni-proxy/sniproxy.cpp:204
#2  0x000000000040cb0f in FdoSelectionManager::nativeEventFilter (this=0x7ffc9577c220, eventType=..., message=<optimized out>, result=<optimized out>)
    at /usr/src/debug/kde-plasma/plasma-workspace-5.5.4/plasma-workspace-5.5.4/xembed-sni-proxy/fdoselectionmanager.cpp:140
#3  0x00007fd1f096eb7c in QAbstractEventDispatcher::filterNativeEvent(QByteArray const&, void*, long*) () from /usr/lib64/libQt5Core.so.5
#4  0x00007fd1ea22f1e4 in QXcbConnection::handleXcbEvent(xcb_generic_event_t*) () from /usr/lib64/libQt5XcbQpa.so.5
#5  0x00007fd1ea22ff93 in QXcbConnection::processXcbEvents() () from /usr/lib64/libQt5XcbQpa.so.5
#6  0x00007fd1f09bb9af in QObject::event(QEvent*) () from /usr/lib64/libQt5Core.so.5
#7  0x00007fd1f09702a9 in QCoreApplication::notify(QObject*, QEvent*) () from /usr/lib64/libQt5Core.so.5
#8  0x00007fd1f097341d in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /usr/lib64/libQt5Core.so.5
#9  0x00007fd1f09737b3 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () from /usr/lib64/libQt5Core.so.5
#10 0x00007fd1f09a5cb3 in ?? () from /usr/lib64/libQt5Core.so.5
#11 0x00007fd1ed7fdd37 in g_main_context_dispatch () from /usr/lib64/libglib-2.0.so.0
#12 0x00007fd1ed7fdf90 in ?? () from /usr/lib64/libglib-2.0.so.0
#13 0x00007fd1ed7fe03c in g_main_context_iteration () from /usr/lib64/libglib-2.0.so.0
#14 0x00007fd1f09a248f in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib64/libQt5Core.so.5
#15 0x00007fd1f097b49a in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib64/libQt5Core.so.5
#16 0x00007fd1f097b79c in QCoreApplication::exec() () from /usr/lib64/libQt5Core.so.5
#17 0x000000000040a1b8 in main (argc=1, argv=<optimized out>)
    at /usr/src/debug/kde-plasma/plasma-workspace-5.5.4/plasma-workspace-5.5.4/xembed-sni-proxy/main.cpp:68
Comment 1 David Edmundson 2016-02-22 13:36:09 UTC
Can you tell me what legacy apps you have running?
Comment 2 Fabio Coatti 2016-02-22 13:47:06 UTC
Not really sure about how to exactly identify legacy apps; however, when the crash happened the apps running were:

hp-systray; 
akonaditray, kleopatra,knotes  (kde4/qt4)
smplayer (qt5 based)
Comment 3 Bernhard Übelacker 2017-05-02 21:00:59 UTC
I received a similar crash in Debian Stretch with plasma-workspace and
plasma-workspace-dbgsym in version 4:5.8.6-2.
At the time it crashed I assume just kradio4 tray icon was running
additionally to the default ones. (Saw just later the crash in dmesg.)


# coredumpctl gdb
Core was generated by `/usr/bin/xembedsniproxy'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  SNIProxy::getImageNonComposite (this=this@entry=0x5636e8f4b460) at ./xembed-sni-proxy/sniproxy.cpp:273
273         QImage naiveConversion = QImage(image->data, image->width, image->height, QImage::Format_ARGB32);
[Current thread is 1 (Thread 0x7f15c8ff25c0 (LWP 1559))]
(gdb) bt
#0  SNIProxy::getImageNonComposite (this=this@entry=0x5636e8f4b460) at ./xembed-sni-proxy/sniproxy.cpp:273
#1  0x00005636e7509507 in SNIProxy::update (this=0x5636e8f4b460) at ./xembed-sni-proxy/sniproxy.cpp:214
#2  0x00005636e7506583 in FdoSelectionManager::nativeEventFilter (this=0x7fff86289810, eventType=..., message=<optimized out>, result=<optimized out>) at ./xembed-sni-proxy/fdoselectionmanager.cpp:154
#3  0x00007f15c7b0ab0f in QAbstractEventDispatcher::filterNativeEvent(QByteArray const&, void*, long*) () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#4  0x00007f15beaa2334 in QXcbConnection::handleXcbEvent(xcb_generic_event_t*) () from /usr/lib/x86_64-linux-gnu/libQt5XcbQpa.so.5
#5  0x00007f15beaa3015 in QXcbConnection::processXcbEvents() () from /usr/lib/x86_64-linux-gnu/libQt5XcbQpa.so.5
#6  0x00007f15c7b3a499 in QObject::event(QEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#7  0x00007f15c7b0d87a in QCoreApplication::notify(QObject*, QEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#8  0x00007f15c7b0d9e0 in QCoreApplication::notifyInternal2(QObject*, QEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#9  0x00007f15c7b1016d in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#10 0x00007f15c7b61c43 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#11 0x00007f15c3b757f7 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#12 0x00007f15c3b75a60 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#13 0x00007f15c3b75b0c in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#14 0x00007f15c7b6204f in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#15 0x00007f15c7b0b9ca in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#16 0x00007f15c7b1413c in QCoreApplication::exec() () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#17 0x00005636e7503972 in main (argc=<optimized out>, argv=<optimized out>) at ./xembed-sni-proxy/main.cpp:68


(gdb) list SNIProxy::getImageNonComposite
...
270         xcb_image_t *image = xcb_image_get(c, m_windowId, 0, 0, geom->width, geom->height, 0xFFFFFFFF, XCB_IMAGE_FORMAT_Z_PIXMAP);
271
272         // Don't hook up cleanup yet, we may use a different QImage after all
273         QImage naiveConversion = QImage(image->data, image->width, image->height, QImage::Format_ARGB32);


(gdb) print/x image
$1 = <optimized out>


(gdb) disassemble SNIProxy::getImageNonComposite
...
   0x00005636e750922a <+106>:   mov    %rax,%r12
   0x00005636e750922d <+109>:   callq  0x5636e7502bf0 <xcb_image_get@plt>
=> 0x00005636e7509232 <+114>:   movzwl 0x2(%rax),%ecx
   0x00005636e7509236 <+118>:   movzwl (%rax),%edx


(gdb) print/x $ecx
$3 = 0xc6f61ffa
(gdb) print/x $rax
$4 = 0x0


As far as I found, the callq instruction is supposed to write the
return value into the rax register.

So I assume function xcb_image_get returned a NULL pointer.
Shouldn't there be a "if (image)" before
the QImage construction?

Is any more information needed from the core dump?

Kind regards,
Bernhard
Comment 4 Christoph Feck 2017-05-05 16:35:57 UTC
Thanks for the feedback; changing status.
Comment 5 Maciej Sitarz 2017-12-15 14:28:12 UTC
I can confirm this problem occurs in my environment.
OS: Fedora 27
$ rpm -qf /usr/bin/xembedsniproxy
plasma-workspace-5.11.3-2.fc27.x86_64

I think it occurs when accidentally pressing "AltGr" + "PrtSc" on the notebook's keyboard. Immediately the whole of KDE crashes.

I'm attaching similar debug output as Bernhard did:
# coredumpctl gdb /usr/bin/xembedsniproxy
           PID: 2465 (xembedsniproxy)
           UID: 500 (username)
           GID: 500 (username)
        Signal: 11 (SEGV)
     Timestamp: Fri 2017-12-15 08:24:13 CET (6h ago)
  Command Line: /usr/bin/xembedsniproxy
    Executable: /usr/bin/xembedsniproxy
 Control Group: /user.slice/user-500.slice/session-1.scope
          Unit: session-1.scope
         Slice: user-500.slice
       Session: 1
     Owner UID: 500 (username)
       Boot ID: BOOT_ID
    Machine ID: MACHINE_ID
      Hostname: username.domain
       Storage: /var/lib/systemd/coredump/core.xembedsniproxy.500.7393c2684dc648f1aba76839af1e6948.2465.1513322653000000.lz4
       Message: Process 2465 (xembedsniproxy) of user 500 dumped core.
                
                Stack trace of thread 2465:
                #0  0x000055e790410157 _ZNK8SNIProxy20getImageNonCompositeEv (xembedsniproxy)
                #1  0x000055e790410424 _ZN8SNIProxy6updateEv (xembedsniproxy)
                #2  0x000055e79040d5ad _ZN19FdoSelectionManager17nativeEventFilterERK10QByteArrayPvPl (xembedsniproxy)
                #3  0x00007fbcd6ebbbe4 _ZN24QAbstractEventDispatcher17filterNativeEventERK10QByteArrayPvPl (libQt5Core.so.5)
                #4  0x00007fbcc8076fe0 _ZN14QXcbConnection14handleXcbEventEP19xcb_generic_event_t (libQt5XcbQpa.so.5)
                #5  0x00007fbcc8077c6c _ZN14QXcbConnection16processXcbEventsEv (libQt5XcbQpa.so.5)
                #6  0x00007fbcd6ee791a _ZN7QObject5eventEP6QEvent (libQt5Core.so.5)
                #7  0x00007fbcd6ebe27a _ZL8doNotifyP7QObjectP6QEvent (libQt5Core.so.5)
                #8  0x00007fbcd6ebe367 _ZN16QCoreApplication15notifyInternal2EP7QObjectP6QEvent (libQt5Core.so.5)
                #9  0x00007fbcd6ec0aeb _ZN23QCoreApplicationPrivate16sendPostedEventsEP7QObjectiP11QThreadData (libQt5Core.so.5)
                #10 0x00007fbcd6f0f553 _ZL23postEventSourceDispatchP8_GSourcePFiPvES1_ (libQt5Core.so.5)
                #11 0x00007fbcd0fc8bb7 g_main_context_dispatch (libglib-2.0.so.0)
                #12 0x00007fbcd0fc8f60 g_main_context_iterate.isra.25 (libglib-2.0.so.0)
                #13 0x00007fbcd0fc8fec g_main_context_iteration (libglib-2.0.so.0)
                #14 0x00007fbcd6f0f33f _ZN20QEventDispatcherGlib13processEventsE6QFlagsIN10QEventLoop17ProcessEventsFlagEE (libQt5Core.so.5)
                #15 0x00007fbcd6ebd0ea _ZN10QEventLoop4execE6QFlagsINS_17ProcessEventsFlagEE (libQt5Core.so.5)
                #16 0x00007fbcd6ec5744 _ZN16QCoreApplication4execEv (libQt5Core.so.5)
                #17 0x000055e79040aa53 main (xembedsniproxy)
                #18 0x00007fbcd5ba603a __libc_start_main (libc.so.6)
                #19 0x000055e79040af3a _start (xembedsniproxy)
                
                Stack trace of thread 2474:
                #0  0x00007fbcd5c928bb __poll (libc.so.6)
                #1  0x00007fbcd945cfe7 _xcb_conn_wait (libxcb.so.1)
                #2  0x00007fbcd945edda xcb_wait_for_event (libxcb.so.1)
                #3  0x00007fbcc8075a49 _ZN15QXcbEventReader3runEv (libQt5XcbQpa.so.5)
                #4  0x00007fbcd6d12b92 _ZN14QThreadPrivate5startEPv (libQt5Core.so.5)
                #5  0x00007fbcd596d609 start_thread (libpthread.so.0)
                #6  0x00007fbcd5c9ee6f __clone (libc.so.6)
                
                Stack trace of thread 2707:
                #0  0x00007fbcd5c928bb __poll (libc.so.6)
                #1  0x00007fbcd0fc8ed9 g_main_context_iterate.isra.25 (libglib-2.0.so.0)
                #2  0x00007fbcd0fc8fec g_main_context_iteration (libglib-2.0.so.0)
                #3  0x00007fbcd6f0f33f _ZN20QEventDispatcherGlib13processEventsE6QFlagsIN10QEventLoop17ProcessEventsFlagEE (libQt5Core.so.5)
                #4  0x00007fbcd6ebd0ea _ZN10QEventLoop4execE6QFlagsINS_17ProcessEventsFlagEE (libQt5Core.so.5)
                #5  0x00007fbcd6d0e8ba _ZN7QThread4execEv (libQt5Core.so.5)
                #6  0x00007fbcd98dc479 _ZN22QDBusConnectionManager3runEv (libQt5DBus.so.5)
                #7  0x00007fbcd6d12b92 _ZN14QThreadPrivate5startEPv (libQt5Core.so.5)
                #8  0x00007fbcd596d609 start_thread (libpthread.so.0)
                #9  0x00007fbcd5c9ee6f __clone (libc.so.6)

GNU gdb (GDB) Fedora 8.0.1-33.fc27
<LINES REMOVED>
Reading symbols from /usr/bin/xembedsniproxy...Reading symbols from /usr/lib/debug/usr/bin/xembedsniproxy-5.11.3-2.fc27.x86_64.debug...done.
done.
[New LWP 2465]
[New LWP 2474]
[New LWP 2707]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/usr/bin/xembedsniproxy'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  SNIProxy::getImageNonComposite (this=this@entry=0x55e791fc3d30) at /usr/src/debug/plasma-workspace-5.11.3-2.fc27.x86_64/xembed-sni-proxy/sniproxy.cpp:291
291         QImage naiveConversion = QImage(image->data, image->width, image->height, QImage::Format_ARGB32);
[Current thread is 1 (Thread 0x7fbcd9d20d40 (LWP 2465))]
Missing separate debuginfos, use: dnf debuginfo-install bzip2-libs-1.0.6-24.fc27.x86_64
<LINES REMOVED>
(gdb) list SNIProxy::getImageNonComposite
273
274         return true;
275     }
276
277     QImage SNIProxy::getImageNonComposite() const
278     {
279         auto c = QX11Info::connection();
280         auto cookie = xcb_get_geometry(c, m_windowId);
281         QScopedPointer<xcb_get_geometry_reply_t, QScopedPointerPodDeleter>
282             geom(xcb_get_geometry_reply(c, cookie, Q_NULLPTR));
(gdb) disassemble SNIProxy::getImageNonComposite
Dump of assembler code for function SNIProxy::getImageNonComposite() const:
<LINES REMOVED>
   0x000055e790410142 <+98>:    xor    %edx,%edx
   0x000055e790410144 <+100>:   mov    0x18(%rbx),%esi
   0x000055e790410147 <+103>:   mov    %r13,%rdi
   0x000055e79041014a <+106>:   mov    %rax,%rbp
   0x000055e79041014d <+109>:   lea    0x30(%rsp),%r13
   0x000055e790410152 <+114>:   callq  0x55e790409cb0 <xcb_image_get@plt>
=> 0x000055e790410157 <+119>:   movzwl 0x2(%rax),%ecx
   0x000055e79041015b <+123>:   movzwl (%rax),%edx
   0x000055e79041015e <+126>:   xor    %r9d,%r9d
   0x000055e790410161 <+129>:   mov    0x28(%rax),%rsi
   0x000055e790410165 <+133>:   mov    $0x5,%r8d
<LINES REMOVED>
   0x000055e7904101a7 <+199>:   mov    $0x5,%r9d
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) print/x $ecx
$1 = 0xd5974685
(gdb) print/x $rax
$2 = 0x0
(gdb)
Comment 6 Maciej Sitarz 2018-01-08 13:09:45 UTC
Created attachment 109733 [details]
Check if image returned by xcb_image_get is null
Comment 7 Maciej Sitarz 2018-01-08 13:10:57 UTC
I added a simple patch to mitigate the problem. It just checks if 'image' is not null. If it is, it just returns QImage().
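The NULL dereference Bernhard diagnosed in Comment 3 and the guard Maciej's patch adds in Comment 7, side by side as an added C++ example. This is not plasma-workspace code and does not link against libxcb or Qt: FakeXcbImage stands in for the first fields of xcb_image_t (the `movzwl (%rax)` and `movzwl 0x2(%rax)` reads in both disassemblies are the uint16_t width and height at offsets 0 and 2, and `mov 0x28(%rax),%rsi` is the data pointer), Image stands in for QImage, and fakeImageGet stands in for xcb_image_get(), which returns NULL when the X server cannot satisfy the GetImage request (for instance when the embedded window goes away between the GetGeometry and GetImage round trips). All of those names and the simplified signatures are assumptions made for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Stand-in for the leading fields of libxcb-image's xcb_image_t. The real
// struct has more members; only these three are used here. Example code,
// not the plasma-workspace source.
struct FakeXcbImage {
    uint16_t width;
    uint16_t height;
    uint8_t* data;
};

// Minimal stand-in for QImage: a size plus an owned ARGB32 pixel buffer.
struct Image {
    int width = 0;
    int height = 0;
    std::vector<uint8_t> pixels;  // 4 bytes per pixel, ARGB32
    bool isNull() const { return width == 0 || height == 0; }
};

// Stand-in for xcb_image_get(). Like the real call it returns NULL when the
// server cannot satisfy the GetImage request (window destroyed, unmapped, or
// degenerate geometry). The caller owns the result. Hypothetical signature;
// the real one takes a connection, drawable, x/y, size, plane mask and format.
static FakeXcbImage* fakeImageGet(bool window_alive, uint16_t w, uint16_t h,
                                  std::vector<uint8_t>& backing) {
    if (!window_alive || w == 0 || h == 0) return nullptr;
    backing.assign(std::size_t(w) * h * 4, 0x80);  // constructed pixel data
    return new FakeXcbImage{w, h, backing.data()};
}

// The pre-fix pattern at sniproxy.cpp:263/273/291: the pointer is used
// unconditionally. Reading image->width with image == NULL is the SIGSEGV
// at getImageNonComposite() seen in every backtrace on this report.
static Image convertUnchecked(FakeXcbImage* image) {
    Image out;
    out.width = image->width;   // crashes when image == nullptr
    out.height = image->height;
    out.pixels.assign(image->data,
                      image->data + std::size_t(out.width) * out.height * 4);
    return out;
}

// The fixed pattern: return a null image when the grab failed, so the caller
// can decide what to do instead of the process dying in the event filter.
static Image convertChecked(FakeXcbImage* image) {
    if (!image) {
        return Image();         // QImage() in the real code
    }
    Image out;
    out.width = image->width;
    out.height = image->height;
    out.pixels.assign(image->data,
                      image->data + std::size_t(out.width) * out.height * 4);
    return out;
}

// Drives either path the way SNIProxy::update() would: grab, convert, free.
// checked=false with a dead window reproduces the crash; checked=true returns
// an image whose isNull() is true, which the caller must be prepared for.
static Image grabIcon(bool window_alive, uint16_t w, uint16_t h, bool checked) {
    std::vector<uint8_t> backing;
    FakeXcbImage* image = fakeImageGet(window_alive, w, h, backing);
    Image result = checked ? convertChecked(image) : convertUnchecked(image);
    delete image;               // xcb_image_destroy() in the real code
    return result;
}
```

The guard alone only moves the decision up one level: a null result from the conversion still has to be handled by whatever calls it, otherwise the next consumer of the empty image is the one that misbehaves.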
Comment 8 Rex Dieter 2018-01-08 17:57:54 UTC
https://cgit.kde.org/plasma-workspace.git/commit/?id=e2b7c395ecdb660b7bec960f3c938fba175ca4f8

Be nice if this were backported to 5.11 branch too (for 5.11.5 release).  I can help do that... is cherry-picking acceptable?
Comment 9 Rex Dieter 2018-01-08 18:27:22 UTC
Confirmed backport to 5.8 lts branch, skipped 5.11 as 5.11.5 is already out (and 5.11 is now closed)