Bug 436955

Summary:	systemsettings5 crashes due to segfault from null pointer access after Wayland client flushes display event dispatch queue
Product:	[Applications] systemsettings	Reporter:	achhaabhinav
Component:	generic-crash	Assignee:	Plasma Bugs List <plasma-bugs>
Status:	RESOLVED DUPLICATE
Severity:	crash	CC:	kde, nathan
Priority:	NOR	Keywords:	drkonqi, wayland
Version:	unspecified
Target Milestone:	---
Platform:	Fedora RPMs
OS:	Linux
Latest Commit:		Version Fixed In:
Sentry Crash Report:
Attachments:	systemsettings5 crash journald log systemsettings5 crash stacktrace

Description achhaabhinav 2021-05-12 05:18:33 UTC

Application: systemsettings5 (5.21.5)

Qt Version: 5.15.2
Frameworks Version: 5.81.0
Operating System: Linux 5.11.18-300.fc34.x86_64 x86_64
Windowing System: Wayland
Drkonqi Version: 5.21.5
Distribution: Fedora 34 (KDE Plasma)

-- Information about the crash:
- What I was doing when the application crashed:
	I was trying to change the theme and the application crashed

The reporter is unsure if this crash is reproducible.

-- Backtrace:
Application: System Settings (systemsettings5), signal: Segmentation fault

[KCrash Handler]
#4  0x00007fe9d01250d0 in ?? ()
#5  0x00007feace416ed7 in QWaylandClientExtensionPrivate::handleRegistryGlobal(void*, wl_registry*, unsigned int, QString const&, unsigned int) () from /lib64/libQt5WaylandClient.so.5
#6  0x00007feace4033e9 in QtWaylandClient::QWaylandDisplay::registry_global(unsigned int, QString const&, unsigned int) () from /lib64/libQt5WaylandClient.so.5
#7  0x00007feace41f783 in QtWayland::wl_registry::handle_global(void*, wl_registry*, unsigned int, char const*, unsigned int) () from /lib64/libQt5WaylandClient.so.5
#8  0x00007feacbde1c04 in ffi_call_unix64 () from /lib64/libffi.so.6
#9  0x00007feacbde1107 in ffi_call () from /lib64/libffi.so.6
#10 0x00007feace370d10 in wl_closure_invoke.constprop () from /lib64/libwayland-client.so.0
#11 0x00007feace37142b in dispatch_event.isra () from /lib64/libwayland-client.so.0
#12 0x00007feace37161c in wl_display_dispatch_queue_pending () from /lib64/libwayland-client.so.0
#13 0x00007feace3fb5ef in QtWaylandClient::QWaylandDisplay::flushRequests() () from /lib64/libQt5WaylandClient.so.5
#14 0x00007fead07884fd in void doActivate<false>(QObject*, int, void**) () from /lib64/libQt5Core.so.5
#15 0x00007fead07a478b in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /lib64/libQt5Core.so.5
#16 0x00007fead07569b2 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /lib64/libQt5Core.so.5
#17 0x00007fead075e544 in QCoreApplication::exec() () from /lib64/libQt5Core.so.5
#18 0x00005630ed838d4c in main ()
[Inferior 1 (process 4316) detached]

Reported using DrKonqi

Comment 1 Nathan Lutterman 2021-05-13 03:17:43 UTC

This just happened to me as well, I was changing a different setting, however.  

I believe this is the same bug, and you managed to beat them out in reporting it by just a couple of hours: bug 436984

My stack trace:


    Application: System Settings (systemsettings5), signal: Segmentation fault
    
    [KCrash Handler]
    #4  0x00007f2f63d3fec4 in QWaylandClientExtensionPrivate::handleRegistryGlobal (data=0x5571ad67eab0, registry=0x5571ac05e0c0, id=53, interface=..., version=1) at global/qwaylandclientextension.cpp:67
    #5  0x00007f2f63d2c3d9 in QtWaylandClient::QWaylandDisplay::registry_global (this=<optimized out>, id=<optimized out>, interface=..., version=<optimized out>) at /usr/src/debug/qt5-qtwayland-5.15.2-6.fc35.x86_64/src/client/qwaylanddisplay.cpp:397
    #6  0x00007f2f63d48753 in QtWayland::wl_registry::handle_global (data=0x5571ac05a110, object=<optimized out>, name=53, interface=0x5571ad6fb320 "org_kde_kwin_blur_manager", version=1) at /usr/src/debug/qt5-qtwayland-5.15.2-6.fc35.x86_64/src/client/qwayland-wayland.cpp:94
    #7  0x00007f2f6170ac04 in ffi_call_unix64 () at ../src/x86/unix64.S:76
    #8  0x00007f2f6170a107 in ffi_call (cif=cif@entry=0x7ffe86f130d0, fn=<optimized out>, rvalue=<optimized out>, rvalue@entry=0x0, avalue=avalue@entry=0x7ffe86f131a0) at ../src/x86/ffi64.c:525
    #9  0x00007f2f63c99d10 in wl_closure_invoke (closure=closure@entry=0x5571ad6fb240, target=<optimized out>, target@entry=0x5571ac05e0c0, opcode=opcode@entry=0, data=<optimized out>, flags=<optimized out>) at ../src/connection.c:1018
    #10 0x00007f2f63c9a42b in dispatch_event (display=0x5571ac05df70, queue=<optimized out>, queue=<optimized out>) at ../src/wayland-client.c:1452
    #11 0x00007f2f63c9a61c in dispatch_queue (queue=0x5571ac05e040, display=0x5571ac05df70) at ../src/wayland-client.c:1598
    #12 wl_display_dispatch_queue_pending (display=0x5571ac05df70, queue=0x5571ac05e040) at ../src/wayland-client.c:1840
    #13 0x00007f2f63d245df in QtWaylandClient::QWaylandDisplay::flushRequests (this=0x5571ac05a100) at /usr/src/debug/qt5-qtwayland-5.15.2-6.fc35.x86_64/src/client/qwaylanddisplay.cpp:222
    #14 0x00007f2f66114ce0 in void doActivate<false>(QObject*, int, void**) () from /lib64/libQt5Core.so.5
    #15 0x00007f2f6613272b in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /lib64/libQt5Core.so.5
    #16 0x00007f2f660dfab2 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /lib64/libQt5Core.so.5
    #17 0x00007f2f660e7fe4 in QCoreApplication::exec() () from /lib64/libQt5Core.so.5
    #18 0x00005571ab1ced4c in main ()
    [Inferior 1 (process 5125) detached]
    
I don't have enough knowledge to be able to debug it myself.

Looking at the stack trace, it seems (in my very untrained eye and naive opinion) that `wl_display` isn't being created, or somehow isn't around by the time the requests are flushed?  It seems like the only way that could happen is if QWaylandDisplay couldn't be properly instantiated somehow, or maybe the call to get the data from the wayland client is failing?

I have some logs in `journalctl` from kate that seem interesting, and somewhat related:

```
May 12 19:15:30 computer kate[8154]: qt.qpa.wayland: Wayland does not support QWindow::requestActivate()
May 12 19:15:30 computer kate[8154]: org.kde.kf5.kwindowsystem.kwayland: This compositor does not support the Plasma Window Management interface
```

...

Ahh!

This led me to look a little further, here's a dump of my `journald` log when I managed to get systemsettings5 to crash twice:


```
-- Journal begins at Tue 2021-05-04 13:34:06 PDT, ends at Wed 2021-05-12 19:44:24 PDT. --
May 12 18:51:03 mr-computer systemsettings5[4707]: kf.configwidgets: A widget named ' "kcfg_AllowKDEAppsToRememberWindowPositions" ' was found but there is no setting named ' "AllowKDEAppsToRememberWindowPositions" '
May 12 18:51:03 mr-computer systemsettings5[4707]: kf.configwidgets: A widget named ' "kcfg_ShadeHover" ' was found but there is no setting named ' "ShadeHover" '
May 12 18:51:03 mr-computer systemsettings5[4707]: kf.configwidgets: A widget named ' "kcfg_ShadeHoverInterval" ' was found but there is no setting named ' "ShadeHoverInterval" '
May 12 18:51:03 mr-computer systemsettings5[4707]: kf.configwidgets: A widget named ' "kcfg_Placement" ' was found but there is no setting named ' "Placement" '
May 12 18:51:03 mr-computer systemsettings5[4707]: kf.configwidgets: A widget named ' "kcfg_HideUtilityWindowsForInactive" ' was found but there is no setting named ' "HideUtilityWindowsForInactive" '
May 12 18:51:04 mr-computer systemsettings5[4707]: QQmlEngine::setContextForObject(): Object already has a QQmlContext
May 12 18:51:04 mr-computer systemsettings5[4707]: QQmlEngine::setContextForObject(): Object already has a QQmlContext
May 12 18:51:04 mr-computer systemsettings5[4707]: QQmlEngine::setContextForObject(): Object already has a QQmlContext
May 12 18:51:04 mr-computer systemsettings5[4707]: QQmlEngine::setContextForObject(): Object already has a QQmlContext
May 12 18:51:04 mr-computer systemsettings5[4707]: file:///usr/lib64/qt5/qml/org/kde/kirigami.2/templates/InlineMessage.qml:259:9: QML ActionToolBar: Binding loop detected for property "atBottom"
May 12 18:51:06 mr-computer systemsettings5[4707]: kf.configwidgets: A widget named ' "kcfg_AllowKDEAppsToRememberWindowPositions" ' was found but there is no setting named ' "AllowKDEAppsToRememberWindowPositions" '
May 12 18:51:06 mr-computer systemsettings5[4707]: kf.configwidgets: A widget named ' "kcfg_ShadeHover" ' was found but there is no setting named ' "ShadeHover" '
May 12 18:51:06 mr-computer systemsettings5[4707]: kf.configwidgets: A widget named ' "kcfg_ShadeHoverInterval" ' was found but there is no setting named ' "ShadeHoverInterval" '
May 12 18:51:06 mr-computer systemsettings5[4707]: kf.configwidgets: A widget named ' "kcfg_Placement" ' was found but there is no setting named ' "Placement" '
May 12 18:51:06 mr-computer systemsettings5[4707]: kf.configwidgets: A widget named ' "kcfg_HideUtilityWindowsForInactive" ' was found but there is no setting named ' "HideUtilityWindowsForInactive" '
May 12 18:51:06 mr-computer systemd[2568]: Starting Cleanup of User's Temporary Files and Directories...
May 12 18:51:06 mr-computer systemd[2568]: systemd-tmpfiles-clean.service: Deactivated successfully.
May 12 18:51:06 mr-computer systemd[2568]: Finished Cleanup of User's Temporary Files and Directories.
May 12 18:51:07 mr-computer systemsettings5[4707]: QQmlEngine::setContextForObject(): Object already has a QQmlContext
May 12 18:51:07 mr-computer systemsettings5[4707]: QQmlEngine::setContextForObject(): Object already has a QQmlContext
May 12 18:51:07 mr-computer systemsettings5[4707]: file:///usr/lib64/qt5/qml/org/kde/kirigami.2/templates/InlineMessage.qml:259:9: QML ActionToolBar: Binding loop detected for property "atBottom"
May 12 18:52:02 mr-computer plasmashell[4707]: KCrash: Application 'systemsettings5' crashing...
May 12 18:52:02 mr-computer plasmashell[4707]: KCrash: Attempting to start /usr/libexec/drkonqi
May 12 18:52:05 mr-computer systemsettings5[5125]: file:///usr/share/kpackage/genericqml/org.kde.systemsettings.sidebar/contents/ui/SubCategoryPage.qml:158:9: QML Connections: Implicitly defined onFoo properties in Connectio>
May 12 18:52:05 mr-computer systemsettings5[5125]: file:///usr/share/kpackage/genericqml/org.kde.systemsettings.sidebar/contents/ui/SubCategoryPage.qml:148:9: QML Connections: Implicitly defined onFoo properties in Connectio>
May 12 18:52:05 mr-computer systemsettings5[5125]: QQmlEngine::setContextForObject(): Object already has a QQmlContext
May 12 18:52:05 mr-computer systemsettings5[5125]: qt.qpa.wayland: Wayland does not support QWindow::requestActivate()
May 12 18:52:07 mr-computer systemsettings5[5125]: QQmlEngine::setContextForObject(): Object already has a QQmlContext
May 12 18:52:07 mr-computer systemsettings5[5125]: QQmlEngine::setContextForObject(): Object already has a QQmlContext
May 12 18:52:10 mr-computer systemsettings5[5125]: kf.configwidgets: A widget named ' "kcfg_AllowKDEAppsToRememberWindowPositions" ' was found but there is no setting named ' "AllowKDEAppsToRememberWindowPositions" '
May 12 18:52:10 mr-computer systemsettings5[5125]: kf.configwidgets: A widget named ' "kcfg_ShadeHover" ' was found but there is no setting named ' "ShadeHover" '
May 12 18:52:10 mr-computer systemsettings5[5125]: kf.configwidgets: A widget named ' "kcfg_ShadeHoverInterval" ' was found but there is no setting named ' "ShadeHoverInterval" '
May 12 18:52:10 mr-computer systemsettings5[5125]: kf.configwidgets: A widget named ' "kcfg_Placement" ' was found but there is no setting named ' "Placement" '
May 12 18:52:10 mr-computer systemsettings5[5125]: kf.configwidgets: A widget named ' "kcfg_HideUtilityWindowsForInactive" ' was found but there is no setting named ' "HideUtilityWindowsForInactive" '
May 12 18:52:11 mr-computer systemsettings5[5125]: QQmlEngine::setContextForObject(): Object already has a QQmlContext
May 12 18:52:11 mr-computer systemsettings5[5125]: QQmlEngine::setContextForObject(): Object already has a QQmlContext
May 12 18:52:11 mr-computer systemsettings5[5125]: file:///usr/lib64/qt5/qml/org/kde/kirigami.2/templates/InlineMessage.qml:259:9: QML ActionToolBar: Binding loop detected for property "atBottom"
May 12 18:52:22 mr-computer plasmashell[5125]: KCrash: Application 'systemsettings5' crashing...
May 12 18:52:22 mr-computer plasmashell[5125]: KCrash: Attempting to start /usr/libexec/drkonqi
```

Although, this line in particular stands out to me:

```
#7  0x00007f985e0da753 in QtWayland::wl_registry::handle_global (data=0x556082693100, object=<optimized out>, name=62, interface=0x556084a6df70 "org_kde_kwin_blur_manager", version=1) at /usr/src/debug/qt5-qtwayland-5.15.2-6.fc35.x86_64/src/client/qwayland-wayland.cpp:94
```

Seeing `org_kde_kwin_blur_manager` leads me to believe that there's something amiss when registering the "BlurManager":

```
kf5-kwayland-5.82.0-1.fc35.x86_64/src/client/registry.cpp:679:BIND2(BlurManager, Blur, org_kde_kwin_blur_manager)
```

I did a little more searching for `org_kde_kwin_blur_manager` and it led me to this header file:  
https://api.kde.org/frameworks/kwayland/html/blur_8h_source.html#l00100

Check out the comment,

```
105 Q_SIGNALS:
106     /**
107      * The corresponding global for this interface on the Registry got removed.
108      *
109      * This signal gets only emitted if the BlurManager got created by
110      * Registry::createBlurManager
111      *
112      * @since 5.5
113      **/
114     void removed();
115
116 private:
117     class Private;
118     QScopedPointer<Private> d;
119 };
```

The offending function above is `QWaylandClientExtensionPrivate::handleRegistryGlobal`.  If the name `handleRegistryGlobal()` is indicative of something, it may be that we're trying to act on a removed global as per, "The corresponding global for this interface on the Registry got removed"

Well, that's all I have time for! I hope my information helps whoever picks this up!

Comment 2 Nathan Lutterman 2021-05-13 03:19:51 UTC

Created attachment 138379 [details]
systemsettings5 crash journald log

Attaching my journald log and crash log, I'll edit my comment to reference them to help remove visual noise.

Comment 3 Nathan Lutterman 2021-05-13 03:20:12 UTC

Created attachment 138380 [details]
systemsettings5 crash stacktrace

Comment 4 David Edmundson 2021-05-13 08:08:01 UTC


*** This bug has been marked as a duplicate of bug 414834 ***