Bug 409688

Summary: kwin_wayland aborted when shutting down involving invalid reads and writes, use of uninitialized variables etc.
Product: [Plasma] kwin
Reporter: Matt Fagnani <matt.fagnani>
Component: wayland-generic
Assignee: KWin default assignee <kwin-bugs-null>
Status: RESOLVED FIXED
Severity: normal
CC: kde, meven29, rdieter, subdiff
Priority: NOR
Keywords: wayland
Version: 5.18.3
Target Milestone: ---
Platform: Fedora RPMs
OS: Linux
Attachments: valgrind log file when run on kwin_wayland after shutting down

Description Matt Fagnani 2019-07-10 14:04:25 UTC
Created attachment 121444
valgrind log file when run on kwin_wayland after shutting down

SUMMARY

I've seen audit messages in my journal indicating that kwin_wayland aborted when shutting down the system in Plasma 5.15.5 on Wayland in Fedora 30 such as the following. 

Jul 09 21:01:21 audit[1399]: ANOM_ABEND auid=1000 uid=1000 gid=1000 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1399 comm="QDBusConnection" exe="/usr/bin/kwin_wayland" sig=6 res=1
Jul 09 21:01:21 systemd[1]: Requested transaction contradicts existing jobs: Transaction for systemd-coredump@0-1970-0.service/start is destructive (systemd-poweroff.service has 'start' job queued, but 'stop' is included in transaction).
Jul 09 21:01:21 systemd[1]: systemd-coredump.socket: Failed to queue service startup job (Maybe the service file is missing or not a non-template unit?): Transaction for systemd-coredump@0-1970-0.service/start is destructive (systemd-poweroff.service has 'start' job queued, but 'stop' is included in transaction).
Jul 09 21:01:21 systemd[1]: systemd-coredump.socket: Failed with result 'resources'.
Jul 09 21:01:21 systemd-coredump[1970]: Failed to send coredump datagram: Connection reset by peer

There are 149 such messages indicating kwin_wayland aborted when I shut down or rebooted. The crashes were not in coredumpctl or abrt.

I edited /usr/bin/startplasmacompositor at line 239 to run kwin_wayland under valgrind like
valgrind --log-file=/programs/kde/kwin/valgrind-kwin_wayland-3.txt --track-origins=yes /usr/bin/kwin_wayland --xwayland --libinput --exit-with-session=/usr/libexec/startplasma

I rebooted, then logged into Plasma on Wayland from sddm 0.18.1 under valgrind. I shut down the system. The valgrind log showed 20 invalid reads and 2 invalid writes overall. An invalid read in wl_proxy_unref (wayland-client.c:229) in libwayland-client and an invalid write in wl_proxy_unref (wayland-client.c:230) happened before I started the shutdown. Those appear to be use-after-free errors, since they contained lines like "Address 0x1c2e4ffc is 44 bytes inside a block of size 72 free'd".

==2115== Thread 3 QThread:
==2115== Invalid read of size 4
==2115==    at 0x8844BB4: wl_proxy_unref (wayland-client.c:229)
==2115==    by 0x8844CB3: destroy_queued_closure (wayland-client.c:291)
==2115==    by 0x8844EC7: dispatch_event.isra.0 (wayland-client.c:1436)
==2115==    by 0x884646B: dispatch_queue (wayland-client.c:1576)
==2115==    by 0x884646B: wl_display_dispatch_queue_pending (wayland-client.c:1818)
==2115==    by 0x6605F16: operator() (connection_thread.cpp:129)
==2115==    by 0x6605F16: call (qobjectdefs_impl.h:146)
==2115==    by 0x6605F16: call<QtPrivate::List<>, void> (qobjectdefs_impl.h:256)
==2115==    by 0x6605F16: QtPrivate::QFunctorSlotObject<KWayland::Client::ConnectionThread::Private::setupSocketNotifier()::{lambda()#1}, 0, QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) (qobjectdefs_impl.h:439)
==2115==    by 0x5883EBF: call (qobjectdefs_impl.h:394)
==2115==    by 0x5883EBF: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3781)
==2115==    by 0x588FFCB: QSocketNotifier::activated(int, QSocketNotifier::QPrivateSignal) (moc_qsocketnotifier.cpp:140)
==2115==    by 0x5890330: QSocketNotifier::event(QEvent*) (qsocketnotifier.cpp:266)
==2115==    by 0x50C4AF5: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:3737)
==2115==    by 0x50CDE7F: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:3483)
==2115==    by 0x5859AE7: QCoreApplication::notifyInternal2(QObject*, QEvent*) (qcoreapplication.cpp:1084)
==2115==    by 0x58AF586: socketNotifierSourceDispatch(_GSource*, int (*)(void*), void*) (qeventdispatcher_glib.cpp:106)
==2115==  Address 0x1c2e4ffc is 44 bytes inside a block of size 72 free'd
==2115==    at 0x4839A0C: free (vg_replace_malloc.c:540)
==2115==    by 0x661DC14: destroy (wayland_pointer_p.h:63)
==2115==    by 0x661DC14: KWayland::Client::Registry::Private::globalSync(void*, wl_callback*, unsigned int) (registry.cpp:539)
==2115==    by 0x8856B27: ffi_call_unix64 (unix64.S:76)
==2115==    by 0x8856338: ffi_call (ffi64.c:525)
==2115==    by 0x8848606: wl_closure_invoke (connection.c:1014)
==2115==    by 0x8844F17: dispatch_event.isra.0 (wayland-client.c:1430)
==2115==    by 0x884646B: dispatch_queue (wayland-client.c:1576)
==2115==    by 0x884646B: wl_display_dispatch_queue_pending (wayland-client.c:1818)
==2115==    by 0x6605F16: operator() (connection_thread.cpp:129)
==2115==    by 0x6605F16: call (qobjectdefs_impl.h:146)
==2115==    by 0x6605F16: call<QtPrivate::List<>, void> (qobjectdefs_impl.h:256)
==2115==    by 0x6605F16: QtPrivate::QFunctorSlotObject<KWayland::Client::ConnectionThread::Private::setupSocketNotifier()::{lambda()#1}, 0, QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) (qobjectdefs_impl.h:439)
==2115==    by 0x5883EBF: call (qobjectdefs_impl.h:394)
==2115==    by 0x5883EBF: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3781)
==2115==    by 0x588FFCB: QSocketNotifier::activated(int, QSocketNotifier::QPrivateSignal) (moc_qsocketnotifier.cpp:140)
==2115==    by 0x5890330: QSocketNotifier::event(QEvent*) (qsocketnotifier.cpp:266)
==2115==    by 0x50C4AF5: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:3737)
==2115==  Block was alloc'd at
==2115==    at 0x483AB1A: calloc (vg_replace_malloc.c:762)
==2115==    by 0x8844D42: UnknownInlinedFun (wayland-private.h:236)
==2115==    by 0x8844D42: proxy_create.isra.0 (wayland-client.c:421)
==2115==    by 0x884542B: create_outgoing_proxy (wayland-client.c:650)
==2115==    by 0x884542B: wl_proxy_marshal_array_constructor_versioned (wayland-client.c:735)
==2115==    by 0x8845782: wl_proxy_marshal_constructor (wayland-client.c:824)
==2115==    by 0x661E0BD: wl_display_sync (wayland-client-protocol.h:958)
==2115==    by 0x661E0BD: KWayland::Client::Registry::create(wl_display*) (registry.cpp:470)
==2115==    by 0x661E13A: KWayland::Client::Registry::create(KWayland::Client::ConnectionThread*) (registry.cpp:479)
==2115==    by 0x197A76F7: Breeze::ShadowHelper::initializeWayland() (breezeshadowhelper.cpp:149)
==2115==    by 0x5884BF9: QObject::event(QEvent*) (qobject.cpp:1260)
==2115==    by 0x50C4AF5: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:3737)
==2115==    by 0x50CDE7F: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:3483)
==2115==    by 0x5859AE7: QCoreApplication::notifyInternal2(QObject*, QEvent*) (qcoreapplication.cpp:1084)
==2115==    by 0x585CA92: QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qcoreapplication.cpp:1821)
==2115== 
==2115== Invalid write of size 4
==2115==    at 0x8844BBE: wl_proxy_unref (wayland-client.c:230)
==2115==    by 0x8844CB3: destroy_queued_closure (wayland-client.c:291)
==2115==    by 0x8844EC7: dispatch_event.isra.0 (wayland-client.c:1436)
==2115==    by 0x884646B: dispatch_queue (wayland-client.c:1576)
==2115==    by 0x884646B: wl_display_dispatch_queue_pending (wayland-client.c:1818)
==2115==    by 0x6605F16: operator() (connection_thread.cpp:129)
==2115==    by 0x6605F16: call (qobjectdefs_impl.h:146)
==2115==    by 0x6605F16: call<QtPrivate::List<>, void> (qobjectdefs_impl.h:256)
==2115==    by 0x6605F16: QtPrivate::QFunctorSlotObject<KWayland::Client::ConnectionThread::Private::setupSocketNotifier()::{lambda()#1}, 0, QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) (qobjectdefs_impl.h:439)
==2115==    by 0x5883EBF: call (qobjectdefs_impl.h:394)
==2115==    by 0x5883EBF: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3781)
==2115==    by 0x588FFCB: QSocketNotifier::activated(int, QSocketNotifier::QPrivateSignal) (moc_qsocketnotifier.cpp:140)
==2115==    by 0x5890330: QSocketNotifier::event(QEvent*) (qsocketnotifier.cpp:266)
==2115==    by 0x50C4AF5: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:3737)
==2115==    by 0x50CDE7F: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:3483)
==2115==    by 0x5859AE7: QCoreApplication::notifyInternal2(QObject*, QEvent*) (qcoreapplication.cpp:1084)
==2115==    by 0x58AF586: socketNotifierSourceDispatch(_GSource*, int (*)(void*), void*) (qeventdispatcher_glib.cpp:106)
==2115==  Address 0x1c2e4ffc is 44 bytes inside a block of size 72 free'd
==2115==    at 0x4839A0C: free (vg_replace_malloc.c:540)
==2115==    by 0x661DC14: destroy (wayland_pointer_p.h:63)
==2115==    by 0x661DC14: KWayland::Client::Registry::Private::globalSync(void*, wl_callback*, unsigned int) (registry.cpp:539)
==2115==    by 0x8856B27: ffi_call_unix64 (unix64.S:76)
==2115==    by 0x8856338: ffi_call (ffi64.c:525)
==2115==    by 0x8848606: wl_closure_invoke (connection.c:1014)
==2115==    by 0x8844F17: dispatch_event.isra.0 (wayland-client.c:1430)
==2115==    by 0x884646B: dispatch_queue (wayland-client.c:1576)
==2115==    by 0x884646B: wl_display_dispatch_queue_pending (wayland-client.c:1818)
==2115==    by 0x6605F16: operator() (connection_thread.cpp:129)
==2115==    by 0x6605F16: call (qobjectdefs_impl.h:146)
==2115==    by 0x6605F16: call<QtPrivate::List<>, void> (qobjectdefs_impl.h:256)
==2115==    by 0x6605F16: QtPrivate::QFunctorSlotObject<KWayland::Client::ConnectionThread::Private::setupSocketNotifier()::{lambda()#1}, 0, QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) (qobjectdefs_impl.h:439)
==2115==    by 0x5883EBF: call (qobjectdefs_impl.h:394)
==2115==    by 0x5883EBF: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3781)
==2115==    by 0x588FFCB: QSocketNotifier::activated(int, QSocketNotifier::QPrivateSignal) (moc_qsocketnotifier.cpp:140)
==2115==    by 0x5890330: QSocketNotifier::event(QEvent*) (qsocketnotifier.cpp:266)
==2115==    by 0x50C4AF5: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:3737)
==2115==  Block was alloc'd at
==2115==    at 0x483AB1A: calloc (vg_replace_malloc.c:762)
==2115==    by 0x8844D42: UnknownInlinedFun (wayland-private.h:236)
==2115==    by 0x8844D42: proxy_create.isra.0 (wayland-client.c:421)
==2115==    by 0x884542B: create_outgoing_proxy (wayland-client.c:650)
==2115==    by 0x884542B: wl_proxy_marshal_array_constructor_versioned (wayland-client.c:735)
==2115==    by 0x8845782: wl_proxy_marshal_constructor (wayland-client.c:824)
==2115==    by 0x661E0BD: wl_display_sync (wayland-client-protocol.h:958)
==2115==    by 0x661E0BD: KWayland::Client::Registry::create(wl_display*) (registry.cpp:470)
==2115==    by 0x661E13A: KWayland::Client::Registry::create(KWayland::Client::ConnectionThread*) (registry.cpp:479)
==2115==    by 0x197A76F7: Breeze::ShadowHelper::initializeWayland() (breezeshadowhelper.cpp:149)
==2115==    by 0x5884BF9: QObject::event(QEvent*) (qobject.cpp:1260)
==2115==    by 0x50C4AF5: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:3737)
==2115==    by 0x50CDE7F: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:3483)
==2115==    by 0x5859AE7: QCoreApplication::notifyInternal2(QObject*, QEvent*) (qcoreapplication.cpp:1084)
==2115==    by 0x585CA92: QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qcoreapplication.cpp:1821)
==2115== 

Uses of uninitialised values in ScreenLocker::KSldApp::event(QEvent*) at ksldapp.cpp:733 in kscreenlocker and in the syscall writev (writev.c:26) also happened before I selected Shut Down in Plasma.

==2115== Thread 1:
==2115== Conditional jump or move depends on uninitialised value(s)
==2115==    at 0x64445BB: ScreenLocker::KSldApp::event(QEvent*) (ksldapp.cpp:733)
==2115==    by 0x50C4AF5: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:3737)
==2115==    by 0x50CDE7F: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:3483)
==2115==    by 0x5859AE7: QCoreApplication::notifyInternal2(QObject*, QEvent*) (qcoreapplication.cpp:1084)
==2115==    by 0x588B542: QObjectPrivate::setParent_helper(QObject*) (qobject.cpp:2059)
==2115==    by 0x588BF67: QObject::QObject(QObject*) (qobject.cpp:817)
==2115==    by 0x645A5C3: ScreenLocker::WaylandServer::WaylandServer(QObject*) (waylandserver.cpp:45)
==2115==    by 0x6443955: ScreenLocker::KSldApp::KSldApp(QObject*) (ksldapp.cpp:87)
==2115==    by 0x6443AD4: ScreenLocker::KSldApp::self() (ksldapp.cpp:76)
==2115==    by 0x4AC82EC: KWin::WaylandServer::initScreenLocker() (wayland_server.cpp:439)
==2115==    by 0x4ACB837: KWin::WaylandServer::initWorkspace() (wayland_server.cpp:428)
==2115==    by 0x5883EBF: call (qobjectdefs_impl.h:394)
==2115==    by 0x5883EBF: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3781)
==2115==  Uninitialised value was created by a heap allocation
==2115==    at 0x4838E86: operator new(unsigned long) (vg_replace_malloc.c:344)
==2115==    by 0x6443AC5: ScreenLocker::KSldApp::self() (ksldapp.cpp:76)
==2115==    by 0x4AC82EC: KWin::WaylandServer::initScreenLocker() (wayland_server.cpp:439)
==2115==    by 0x4ACB837: KWin::WaylandServer::initWorkspace() (wayland_server.cpp:428)
==2115==    by 0x5883EBF: call (qobjectdefs_impl.h:394)
==2115==    by 0x5883EBF: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3781)
==2115==    by 0x116B51: KWin::ApplicationWayland::continueStartupWithX() (main_wayland.cpp:265)
==2115==    by 0x5884BF9: QObject::event(QEvent*) (qobject.cpp:1260)
==2115==    by 0x50CC203: QApplication::event(QEvent*) (qapplication.cpp:1991)
==2115==    by 0x50C4AF5: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:3737)
==2115==    by 0x50CDE7F: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:3483)
==2115==    by 0x5859AE7: QCoreApplication::notifyInternal2(QObject*, QEvent*) (qcoreapplication.cpp:1084)
==2115==    by 0x585CA92: QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qcoreapplication.cpp:1821)
==2115== 
==2115== Syscall param writev(vector[...]) points to uninitialised byte(s)
==2115==    at 0x5E29325: __writev (writev.c:26)
==2115==    by 0x5E29325: writev (writev.c:24)
==2115==    by 0x5B20626: write_vec (xcb_conn.c:277)
==2115==    by 0x5B20626: _xcb_conn_wait (xcb_conn.c:522)
==2115==    by 0x5B209F8: _xcb_out_send (xcb_out.c:464)
==2115==    by 0x5B20C86: _xcb_out_flush_to (xcb_out.c:488)
==2115==    by 0x5B2150F: xcb_flush (xcb_out.c:423)
==2115==    by 0x114A29: operator() (main_wayland.cpp:236)
==2115==    by 0x114A29: call (qobjectdefs_impl.h:146)
==2115==    by 0x114A29: call<QtPrivate::List<>, void> (qobjectdefs_impl.h:256)
==2115==    by 0x114A29: QtPrivate::QFunctorSlotObject<KWin::ApplicationWayland::continueStartupWithX()::{lambda()#1}, 0, QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) (qobjectdefs_impl.h:439)
==2115==    by 0x5883EBF: call (qobjectdefs_impl.h:394)
==2115==    by 0x5883EBF: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3781)
==2115==    by 0x58ABF99: QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventdispatcher_unix.cpp:465)
==2115==    by 0x18D61ED0: QUnixEventDispatcherQPA::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (in /usr/lib64/qt5/plugins/platforms/KWinQpaPlugin.so)
==2115==    by 0x58589EA: QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (qeventloop.cpp:225)
==2115==    by 0x5860725: QCoreApplication::exec() (qcoreapplication.cpp:1385)
==2115==    by 0x113994: main (main_wayland.cpp:830)
==2115==  Address 0x27f31ff2 is 4,530 bytes inside a block of size 21,152 alloc'd
==2115==    at 0x483AB1A: calloc (vg_replace_malloc.c:762)
==2115==    by 0x5B1FFF4: xcb_connect_to_fd (xcb_conn.c:345)
==2115==    by 0x11538F: KWin::ApplicationWayland::createX11Connection() (main_wayland.cpp:328)
==2115==    by 0x116859: KWin::ApplicationWayland::continueStartupWithX() (main_wayland.cpp:223)
==2115==    by 0x5884BF9: QObject::event(QEvent*) (qobject.cpp:1260)
==2115==    by 0x50CC203: QApplication::event(QEvent*) (qapplication.cpp:1991)
==2115==    by 0x50C4AF5: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:3737)
==2115==    by 0x50CDE7F: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:3483)
==2115==    by 0x5859AE7: QCoreApplication::notifyInternal2(QObject*, QEvent*) (qcoreapplication.cpp:1084)
==2115==    by 0x585CA92: QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qcoreapplication.cpp:1821)
==2115==    by 0x58ABFA6: QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventdispatcher_unix.cpp:466)
==2115==    by 0x18D61ED0: QUnixEventDispatcherQPA::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (in /usr/lib64/qt5/plugins/platforms/KWinQpaPlugin.so)
==2115==  Uninitialised value was created by a stack allocation
==2115==    at 0x4F2DE35: KSelectionOwner::Private::gotTimestamp() (kselectionowner.cpp:222)

19 invalid reads and 1 invalid write happened after the shutdown began, starting at poll_for_next_event (xcb_in.c:708). These invalid reads and the write also appeared to be use-after-free errors.

==2115== Invalid read of size 4
==2115==    at 0x5B230A4: poll_for_next_event (xcb_in.c:708)
==2115==    by 0x5B230A4: xcb_poll_for_event (xcb_in.c:722)
==2115==    by 0x1149A1: operator() (main_wayland.cpp:231)
==2115==    by 0x1149A1: call (qobjectdefs_impl.h:146)
==2115==    by 0x1149A1: call<QtPrivate::List<>, void> (qobjectdefs_impl.h:256)
==2115==    by 0x1149A1: QtPrivate::QFunctorSlotObject<KWin::ApplicationWayland::continueStartupWithX()::{lambda()#1}, 0, QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) (qobjectdefs_impl.h:439)
==2115==    by 0x5883EBF: call (qobjectdefs_impl.h:394)
==2115==    by 0x5883EBF: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3781)
==2115==    by 0x58ABF99: QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventdispatcher_unix.cpp:465)
==2115==    by 0x18D61ED0: QUnixEventDispatcherQPA::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (in /usr/lib64/qt5/plugins/platforms/KWinQpaPlugin.so)
==2115==    by 0x1157D1: KWin::ApplicationWayland::~ApplicationWayland() (main_wayland.cpp:157)
==2115==    by 0x112F29: main (main_wayland.cpp:557)
==2115==  Address 0x27f30e40 is 0 bytes inside a block of size 21,152 free'd
==2115==    at 0x4839A0C: free (vg_replace_malloc.c:540)
==2115==    by 0x1157A0: KWin::ApplicationWayland::~ApplicationWayland() (main_wayland.cpp:151)
==2115==    by 0x112F29: main (main_wayland.cpp:557)
==2115==  Block was alloc'd at
==2115==    at 0x483AB1A: calloc (vg_replace_malloc.c:762)
==2115==    by 0x5B1FFF4: xcb_connect_to_fd (xcb_conn.c:345)
==2115==    by 0x11538F: KWin::ApplicationWayland::createX11Connection() (main_wayland.cpp:328)
==2115==    by 0x116859: KWin::ApplicationWayland::continueStartupWithX() (main_wayland.cpp:223)
==2115==    by 0x5884BF9: QObject::event(QEvent*) (qobject.cpp:1260)
==2115==    by 0x50CC203: QApplication::event(QEvent*) (qapplication.cpp:1991)
==2115==    by 0x50C4AF5: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:3737)
==2115==    by 0x50CDE7F: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:3483)
==2115==    by 0x5859AE7: QCoreApplication::notifyInternal2(QObject*, QEvent*) (qcoreapplication.cpp:1084)
==2115==    by 0x585CA92: QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qcoreapplication.cpp:1821)
==2115==    by 0x58ABFA6: QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventdispatcher_unix.cpp:466)
==2115==    by 0x18D61ED0: QUnixEventDispatcherQPA::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (in /usr/lib64/qt5/plugins/platforms/KWinQpaPlugin.so)


The trace of the kwin_wayland abort involved functions like _dbus_warn_check_failed (dbus-internals.c:281) in dbus-libs-1.12.16-1 and QDBusConnection related ones like QDBusConnectionPrivate::getNameOwnerNoCache (qdbusintegrator.cpp:2502) in qt5-qtbase-5.12.4-1. 

==2115== Process terminating with default action of signal 6 (SIGABRT): dumping core
==2115==    at 0x5D6EE75: raise (raise.c:51)
==2115==    by 0x5D5995D: abort (abort.c:100)
==2115==    by 0x7BF3B31: _dbus_abort.cold (dbus-sysdeps.c:93)
==2115==    by 0x7C161BF: _dbus_warn_check_failed (dbus-internals.c:281)
==2115==    by 0x4DE60F8: q_dbus_pending_call_block (qdbus_symbols_p.h:448)
==2115==    by 0x4DE60F8: QDBusConnectionPrivate::getNameOwnerNoCache(QString const&) (qdbusintegrator.cpp:2502)
==2115==    by 0x4DE67FF: QDBusConnectionPrivate::addSignalHook(QString const&, QDBusConnectionPrivate::SignalHook const&) (qdbusintegrator.cpp:2249)
==2115==    by 0x4DE7B94: call (qobjectdefs_impl.h:152)
==2115==    by 0x4DE7B94: call<QtPrivate::List<const QString&, const QDBusConnectionPrivate::SignalHook&>, bool> (qobjectdefs_impl.h:185)
==2115==    by 0x4DE7B94: QtPrivate::QSlotObject<bool (QDBusConnectionPrivate::*)(QString const&, QDBusConnectionPrivate::SignalHook const&), QtPrivate::List<QString const&, QDBusConnectionPrivate::SignalHook const&>, bool>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) (qobjectdefs_impl.h:414)
==2115==    by 0x5884BF9: QObject::event(QEvent*) (qobject.cpp:1260)
==2115==    by 0x5859A54: doNotify(QObject*, QEvent*) (qcoreapplication.cpp:1174)
==2115==    by 0x5859B60: QCoreApplication::notifyInternal2(QObject*, QEvent*) (qcoreapplication.cpp:1083)
==2115==    by 0x585CA92: QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qcoreapplication.cpp:1821)
==2115==    by 0x58AEE46: postEventSourceDispatch(_GSource*, int (*)(void*), void*) (qeventdispatcher_glib.cpp:276)
==2115== 

The use of QDBusConnections agrees with the audit message of the abort, which included comm="QDBusConnection".

STEPS TO REPRODUCE
1. boot into Fedora 30 KDE Plasma spin fully updated with updates-testing enabled
2. Log into Plasma on Wayland from sddm
3. Shut down

Troubleshooting
4. boot again
5. Log into Plasma on Wayland from sddm
6. journalctl -b -1
7. edit /usr/bin/startplasmacompositor to run kwin_wayland under valgrind as described above
8. reboot
9. Log into Plasma on Wayland from sddm
10. shut down
11. boot
12. Log into Plasma on Wayland from sddm
13. read valgrind log

OBSERVED RESULT
kwin_wayland aborted when shutting down

EXPECTED RESULT
kwin_wayland stops normally when shutting down


SOFTWARE/OS VERSIONS
Linux/KDE Plasma: Fedora 30, 5.1.16 kernel
(available in About System)
KDE Plasma Version: 5.15.5
KDE Frameworks Version: 5.59.0
Qt Version: 5.12.4

ADDITIONAL INFORMATION

I've noticed similarities between the first invalid read at wl_proxy_unref (wayland-client.c:229) I reported and invalid reads starting at wayland-client.c:229 in plasmashell (https://bugs.kde.org/show_bug.cgi?id=409021#c1), konsole (https://bugs.kde.org/show_bug.cgi?id=408971), powerdevil (https://bugs.kde.org/show_bug.cgi?id=408553), kglobalaccel5 and akonadi_sendlater_agent.

The freed address had the following common functions and source lines and was 44 bytes inside a block of size 72 free'd.

==4203==  Address 0x1934ea3c is 44 bytes inside a block of size 72 free'd
==4203==    at 0x4839A0C: free (vg_replace_malloc.c:540)
==4203==    by 0x1949F844: destroy (wayland_pointer_p.h:63)
==4203==    by 0x1949F844: KWayland::Client::Registry::Private::globalSync(void*, wl_callback*, unsigned int) (registry.cpp:539)
==4203==    by 0x485CB27: ffi_call_unix64 (in /usr/lib64/libffi.so.6.0.2)
==4203==    by 0x485C338: ffi_call (in /usr/lib64/libffi.so.6.0.2)
==4203==    by 0x172C3606: wl_closure_invoke (connection.c:1014)
==4203==    by 0x172BFF17: dispatch_event.isra.0 (wayland-client.c:1430)
==4203==    by 0x172C146B: dispatch_queue (wayland-client.c:1576)
==4203==    by 0x172C146B: wl_display_dispatch_queue_pending (wayland-client.c:1818)
==4203==    by 0x172C18AA: wl_display_roundtrip_queue (wayland-client.c:1241)
==4203==    by 0x194887C3: KWayland::Client::ConnectionThread::roundtrip() (connection_thread.cpp:290)

Functions in those stacks might have freed the pointer before the other programs used it. KWayland::Client::Registry::Private::globalSync (registry.cpp:539) might be where the freeing was done too early.

Memory corruption due to the use-after-free errors might have led to the segmentation faults I saw. These errors might be in kwayland or libwayland-client. This report could be reassigned to frameworks-kwayland. 

I've attached the full valgrind log.
Comment 1 Roman Gilg 2020-03-16 14:36:10 UTC
Thanks for the awesome protocols! But your version of Plasma is super-old. Would you be able to retry with current 5.18?

I'm asking this because I'm currently looking into KScreenLocker.
Comment 2 Matt Fagnani 2020-03-16 15:39:08 UTC
(In reply to Roman Gilg from comment #1)
> Thanks for the awesome protocols! But your version of Plasma is super-old.
> Would you be able to retry with current 5.18?
> 
> I'm asking this because I'm currently looking into KScreenLocker.

Roman, kwin_wayland aborted or segmentation faulted each time I've shut down or rebooted with Plasma 5.18.3 and earlier, KF 5.67, Qt 5.13.2 in Fedora 32. Some examples from the journal are the following.

Mar 16 07:32:01 audit[1249]: ANOM_ABEND auid=1000 uid=1000 gid=1000 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1249 comm="kwin_wayland" exe="/usr/bin/kwin_wayland" sig=11 res=1
Mar 16 07:32:01 kernel: kwin_wayland[1249]: segfault at 564b57f98f80 ip 0000564b57f98f80 sp 00007ffdf4350278 error 15

Mar 16 10:34:40 audit[1253]: ANOM_ABEND auid=1001 uid=1001 gid=1001 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1253 comm="QDBusConnection" exe="/usr/bin/kwin_wayland" sig=6 res=1

systemd-coredump doesn't try to save the coredumps during shutdown and reboots though. /usr/bin/startplasmacompositor doesn't seem to exist in Plasma 5.18.3. The kwin_wayland command line shows /usr/libexec/startplasma-waylandsession is used. /usr/libexec/startplasma-waylandsession is an ELF binary, so I guess I'd need to know the source file /usr/libexec/startplasma-waylandsession is created from, edit it to run kwin_wayland under valgrind, rebuild and update the rpms, then shut down/reboot. I'll look into that and comment here if I can get it going.

kwin_wayland also segmentation faulted when I've logged out of Plasma on Wayland, and the traces involved the mesa radeonsi driver as reported at https://bugs.kde.org/show_bug.cgi?id=416147. Those kwin_wayland logout crashes might be related to those when shutting down and rebooting.

The commit Registry: don't destroy the callback on globalsync by Daniel Vrátil at https://cgit.kde.org/kwayland.git/commit/?id=4ceb35672dfa3378776a926c452b9f83ffe2bc41 looks like it should fix the invalid reads/writes in wl_proxy_unref in libwayland-client which I've seen with every KDE program I've run on Wayland under valgrind. The patch was added for kwayland 5.68.0. KF 5.68.0 hasn't been built yet for Fedora from what I can see.

Thanks for checking out this problem.
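As an added illustration of the pattern described in the report's analysis (an object freed too early by a callback, with the dispatcher then touching it) and of the two ways the fix can go (the dispatcher keeping its own reference, or the handler not destroying the object, which is what the title of the kwayland commit cited in comment 2 describes), the C model below is editor-added code. It is not code from KWin, KWayland or libwayland and makes no claim about how libwayland's own reference counting works; every name in it (proxy, dispatch_unsafe, dispatch_safe, quarantine_free, the run_* scenarios) is invented. Freed blocks are poisoned and kept in quarantine instead of being returned to malloc, so an access after the free is counted the way a memory checker would report it rather than corrupting memory.

```c
/* Editor-added model, not KWin/KWayland/libwayland code. Names are invented. */
#include <stdio.h>
#include <stdlib.h>

/* A freed block is poisoned and kept in quarantine rather than returned to
 * malloc(), which is how a memory checker makes a later access visible. */
enum { STATE_LIVE = 0x11, STATE_FREED = 0xDD };

typedef struct proxy {
    int state;
    int refcount;
    int dispatched;                  /* bookkeeping the dispatcher updates after the handler */
    int done;                        /* set by a handler that defers destruction to its owner */
    void (*handler)(struct proxy *);
} proxy;

static int uaf_detected;   /* accesses to a block after quarantine_free() */
static int blocks_freed;   /* number of quarantine_free() calls */

static void quarantine_free(proxy *p) {
    p->state = STATE_FREED;  /* poison; the memory is released by the scenario later */
    blocks_freed++;
}

static void check_live(const proxy *p) {
    if (p->state != STATE_LIVE)
        uaf_detected++;      /* what valgrind reports as an invalid read/write */
}

static void proxy_ref(proxy *p) { check_live(p); p->refcount++; }

static void proxy_unref(proxy *p) {
    check_live(p);
    if (--p->refcount == 0)
        quarantine_free(p);
}

static proxy *proxy_create(void (*handler)(proxy *)) {
    proxy *p = calloc(1, sizeof *p);
    if (!p) abort();
    p->state = STATE_LIVE;
    p->refcount = 1;         /* the reference owned by the creator */
    p->handler = handler;
    return p;
}

/* Handler that destroys the object it was invoked on, from inside its own event. */
static void handler_destroys_proxy(proxy *p) { proxy_unref(p); }

/* Handler that only records completion; the owner destroys the proxy afterwards. */
static void handler_marks_done(proxy *p) { p->done = 1; }

/* Unsafe dispatcher: keeps only a raw pointer across the handler call, then
 * touches the proxy for bookkeeping. If the handler destroyed it, that is a
 * use-after-free: a read of p->state followed by a write of p->dispatched. */
static void dispatch_unsafe(proxy *p) {
    p->handler(p);
    check_live(p);
    p->dispatched++;
}

/* Safe dispatcher: pins the proxy with its own reference for the duration of
 * the dispatch, so a destroy inside the handler is deferred to the final unref. */
static void dispatch_safe(proxy *p) {
    proxy_ref(p);
    p->handler(p);
    check_live(p);
    p->dispatched++;
    proxy_unref(p);
}

/* Runs one scenario and returns the number of use-after-free accesses detected;
 * blocks_freed_count() reports how many blocks were freed. The quarantined block
 * is released with free() only after the scenario has finished inspecting it. */
static int scenario(void (*dispatch)(proxy *), void (*handler)(proxy *),
                    int destroy_after_dispatch) {
    proxy *p;
    uaf_detected = 0;
    blocks_freed = 0;
    p = proxy_create(handler);
    dispatch(p);
    if (destroy_after_dispatch)
        proxy_unref(p);      /* owner drops its reference once dispatch is over */
    free(p);                 /* drain the quarantine */
    return uaf_detected;
}

int blocks_freed_count(void) { return blocks_freed; }
int run_unsafe_destroy_in_handler(void) { return scenario(dispatch_unsafe, handler_destroys_proxy, 0); }
int run_safe_destroy_in_handler(void)   { return scenario(dispatch_safe, handler_destroys_proxy, 0); }
int run_destroy_after_dispatch(void)    { return scenario(dispatch_unsafe, handler_marks_done, 1); }

int main(void) {
    printf("destroy in handler, unpinned dispatcher: uaf=%d freed=%d\n",
           run_unsafe_destroy_in_handler(), blocks_freed_count());
    printf("destroy in handler, pinned dispatcher:   uaf=%d freed=%d\n",
           run_safe_destroy_in_handler(), blocks_freed_count());
    printf("destroy after dispatch:                  uaf=%d freed=%d\n",
           run_destroy_after_dispatch(), blocks_freed_count());
    return 0;
}
```

Only the first scenario reports an access to the poisoned block; the other two free the object exactly once and never touch it afterwards. Running the real binary under valgrind, as the reporter did, is the equivalent check on production code: the "free'd" frame in the report points at whichever of the two sides released the object while the other still held a pointer to it.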
Comment 3 David Redondo 2022-01-19 15:21:22 UTC
This indeed used to be a problem, but kwin currently does not crash anymore when shutting down. If you encounter any crash please file a new bug report.