Bug 456817

Summary: kwin_wayland segfaults in KWaylandServer::TabletV2Interface::pad() while pressing some buttons on Tablet
Product: [Plasma] kwin
Component: wayland-generic
Status: RESOLVED FIXED
Severity: crash
Priority: NOR
Version: 5.25.3
Target Milestone: ---
Platform: Arch Linux
OS: Linux
Reporter: The Lounge Demo User <foraminutethere>
Assignee: KWin default assignee <kwin-bugs-null>
CC: aleixpol, nate, postix
See Also: https://bugs.kde.org/show_bug.cgi?id=456921
Version Fixed In: 5.25.4

Description The Lounge Demo User 2022-07-17 10:58:18 UTC
SUMMARY

kwin_wayland segfaults while pressing buttons on the graphic tablet. (X11 works fine)

Here is a backtrace:

Core was generated by `/usr/bin/kwin_wayland --wayland-fd 7 --socket wayland-0 --xwayland-fd 8 --xwayl'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f2402722088 in KWaylandServer::ClientConnection::operator wl_client*() () from /usr/lib/libkwin.so.5
[Current thread is 1 (Thread 0x7f23fb387a80 (LWP 16715))]
(gdb) bt
#0  0x00007f2402722088 in KWaylandServer::ClientConnection::operator wl_client*() () at /usr/lib/libkwin.so.5
#1  0x00007f24027687f9 in KWaylandServer::TabletPadV2Interface::setCurrentSurface(KWaylandServer::SurfaceInterface*, KWaylandServer::TabletV2Interface*) ()
    at /usr/lib/libkwin.so.5
#2  0x00007f24025e8986 in  () at /usr/lib/libkwin.so.5
#3  0x00007f240267bdb5 in  () at /usr/lib/libkwin.so.5
#4  0x00007f24012bd341 in  () at /usr/lib/libQt5Core.so.5
#5  0x00007f2402548c22 in KWin::InputDevice::tabletPadButtonEvent(unsigned int, bool, KWin::TabletPadId const&) () at /usr/lib/libkwin.so.5
#6  0x00007f240270fecc in KWin::LibInput::Connection::processEvents() () at /usr/lib/libkwin.so.5
#7  0x00007f24012b0440 in QObject::event(QEvent*) () at /usr/lib/libQt5Core.so.5
#8  0x00007f2400978b3c in QApplicationPrivate::notify_helper(QObject*, QEvent*) () at /usr/lib/libQt5Widgets.so.5
#9  0x00007f240128cad8 in QCoreApplication::notifyInternal2(QObject*, QEvent*) () at /usr/lib/libQt5Core.so.5
#10 0x00007f240128d5e3 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () at /usr/lib/libQt5Core.so.5
#11 0x00007f24012d6c37 in QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () at /usr/lib/libQt5Core.so.5
#12 0x00005629ef6fd622 in  ()
#13 0x00007f240128527c in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () at /usr/lib/libQt5Core.so.5
#14 0x00007f240128fda9 in QCoreApplication::exec() () at /usr/lib/libQt5Core.so.5
#15 0x00005629ef622eb5 in  ()
#16 0x00007f2400029290 in  () at /usr/lib/libc.so.6
#17 0x00007f240002934a in __libc_start_main () at /usr/lib/libc.so.6
#18 0x00005629ef6245d5 in  ()

STEPS TO REPRODUCE

I cannot find exact steps to reproduce (behavior changes from time to time)

1. Plug in tablet
2. Press some buttons on tablet (not a pen)

OBSERVED RESULT

kwin_wayland segfaults, thus every graphical session application crashes

EXPECTED RESULT

Normal operation

SOFTWARE/OS VERSIONS

OS: Arch Linux 64-bit Kernel: 5.18.11-arch1-1 #1 SMP PREEMPT_DYNAMIC Tue, 12 Jul 2022 15:40:51 +0000 x86_64 GNU/Linux
KDE Plasma Version:  5.25.3
KDE Frameworks Version: 5.96.0
Qt Version: 5.15.5
Graphics Platform: Wayland

HARDWARE INFORMATION

Tablet: Ugee M708 (v1 with active pen), detects as "UC-LOIC Tablet 1060".
Comment 1 The Lounge Demo User 2022-07-17 11:12:15 UTC
I found exact reproduction steps for this issue:

1. Press and hold any button on the tablet
2. Disconnect the tablet while pressing a button
Comment 2 Aleix Pol 2022-07-18 14:25:31 UTC
This should have been fixed with the following commit.
Can you make sure you reboot and make sure you are running 5.25.3?

commit 98eb866418799ffccd501e15fcfd50bf834d1b15
Author: Aleix Pol aleixpol@kde.org
Date: Tue Jun 28 03:30:51 2022 +0200 
tablet: Leave the surface we were previously on, not the one we are going to

This sometimes results in a crash and it's logically wrong as it was.

(cherry picked from commit 3d3fcd7ab4ff7f13b6c0170cc204c2ee21b20866)
Comment 3 The Lounge Demo User 2022-07-18 20:02:00 UTC
(In reply to Aleix Pol from comment #2)
> This should have been fixed with the following commit.
> Can you make sure you reboot and make sure you are running 5.25.3?
> 
> commit 98eb866418799ffccd501e15fcfd50bf834d1b15
> Author: Aleix Pol aleixpol@kde.org
> Date: Tue Jun 28 03:30:51 2022 +0200 
> tablet: Leave the surface we were previously on, not the one we are going to
> 
> This sometimes results in a crash and it's logically wrong as it was.
> 
> (cherry picked from commit 3d3fcd7ab4ff7f13b6c0170cc204c2ee21b20866)

Yes, I rebooted, and it's running version 5.25.3 - the bug still persists. But the backtrace seems to have changed:

#0  0x00007f6ac4964324 in KWaylandServer::TabletV2Interface::pad() const () from /usr/lib/libkwin.so.5
[Current thread is 1 (Thread 0x7f6abd572a80 (LWP 3144))]
(gdb) bt
#0  0x00007f6ac4964324 in KWaylandServer::TabletV2Interface::pad() const () at /usr/lib/libkwin.so.5
#1  0x00007f6ac47e896f in  () at /usr/lib/libkwin.so.5
#2  0x00007f6ac487bdb5 in  () at /usr/lib/libkwin.so.5
#3  0x00007f6ac34bd341 in  () at /usr/lib/libQt5Core.so.5
#4  0x00007f6ac4748c22 in KWin::InputDevice::tabletPadButtonEvent(unsigned int, bool, KWin::TabletPadId const&) ()
    at /usr/lib/libkwin.so.5
#5  0x00007f6ac490fecc in KWin::LibInput::Connection::processEvents() () at /usr/lib/libkwin.so.5
#6  0x00007f6ac34b0440 in QObject::event(QEvent*) () at /usr/lib/libQt5Core.so.5
#7  0x00007f6ac2b78b3c in QApplicationPrivate::notify_helper(QObject*, QEvent*) () at /usr/lib/libQt5Widgets.so.5
#8  0x00007f6ac348cad8 in QCoreApplication::notifyInternal2(QObject*, QEvent*) () at /usr/lib/libQt5Core.so.5
#9  0x00007f6ac348d5e3 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) ()
    at /usr/lib/libQt5Core.so.5
#10 0x00007f6ac34d6c37 in QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
    at /usr/lib/libQt5Core.so.5
#11 0x0000556933db4622 in  ()
#12 0x00007f6ac348527c in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () at /usr/lib/libQt5Core.so.5
#13 0x00007f6ac348fda9 in QCoreApplication::exec() () at /usr/lib/libQt5Core.so.5
#14 0x0000556933cd9eb5 in  ()
#15 0x00007f6ac2229290 in  () at /usr/lib/libc.so.6
#16 0x00007f6ac222934a in __libc_start_main () at /usr/lib/libc.so.6
#17 0x0000556933cdb5d5 in  ()
Comment 4 Aleix Pol 2022-07-18 22:53:58 UTC
I am unable to reproduce. Can you be a bit more specific about how you get it to crash? Would it be possible for you to get full debug symbols maybe? It should be possible using debuginfod in Arch Linux nowadays.
Comment 5 Aleix Pol 2022-07-20 13:22:17 UTC
*** Bug 456921 has been marked as a duplicate of this bug. ***
Comment 6 Bug Janitor Service 2022-07-20 13:24:42 UTC
A possibly relevant merge request was started @ https://invent.kde.org/plasma/kwin/-/merge_requests/2687
Comment 7 Aleix Pol 2022-07-20 13:57:43 UTC
Git commit 4220e7ac25951ae3416e24c357f62decabb9fa15 by Aleix Pol.
Committed on 20/07/2022 at 13:23.
Pushed by apol into branch 'master'.

wayland/tablet_v2: Keep also the pad surface in a QPointer

This way we make sure that we don't explode if for some reason the
surface is destroyed (e.g. it's closed).
This will make it work exactly like the other references to
SurfaceInterface.

M  +1    -1    src/wayland/tablet_v2_interface.cpp

https://invent.kde.org/plasma/kwin/commit/4220e7ac25951ae3416e24c357f62decabb9fa15
Comment 8 Aleix Pol 2022-07-20 13:58:44 UTC
Git commit ea28596a1f8b97687721f527398c69542b3940c1 by Aleix Pol Gonzalez, on behalf of Aleix Pol.
Committed on 20/07/2022 at 13:58.
Pushed by apol into branch 'Plasma/5.25'.

wayland/tablet_v2: Keep also the pad surface in a QPointer

This way we make sure that we don't explode if for some reason the
surface is destroyed (e.g. it's closed).
This will make it work exactly like the other references to
SurfaceInterface.


(cherry picked from commit 4220e7ac25951ae3416e24c357f62decabb9fa15)

M  +1    -1    src/wayland/tablet_v2_interface.cpp

https://invent.kde.org/plasma/kwin/commit/ea28596a1f8b97687721f527398c69542b3940c1
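
The lifetime problem described in the commit message above, as an added illustration that is not the KWin patch or code from this report. It uses standard C++ instead of Qt so it compiles stand-alone; `Surface`, `Guarded`, `Pad` and the scenario function are hypothetical stand-ins, with `Guarded` playing the role of QPointer.

```cpp
#include <memory>
#include <string>
#include <vector>

// Stand-in for a QObject-derived surface; the sentinel dies with the object.
struct Surface {
    explicit Surface(const std::string &n) : name(n) {}
    std::string name;
    std::shared_ptr<int> alive = std::make_shared<int>(0);
};

// Guarded pointer with QPointer-like semantics: null once the target is destroyed.
class Guarded {
    Surface *m_ptr = nullptr;
    std::weak_ptr<int> m_alive;
public:
    explicit Guarded(Surface *s = nullptr) : m_ptr(s) { if (s) m_alive = s->alive; }
    Surface *data() const { return m_alive.expired() ? nullptr : m_ptr; }
};

// Hypothetical pad state; it refers to the current surface but does not own it.
class Pad {
    Guarded m_current;
public:
    std::vector<std::string> log;
    void setCurrentSurface(Surface *next) {
        if (Surface *prev = m_current.data())      // skipped if prev was destroyed
            log.push_back("leave " + prev->name);
        m_current = Guarded(next);
        if (next) log.push_back("enter " + next->name);
    }
    bool button(int id) {                          // false means the event was dropped
        Surface *s = m_current.data();
        if (s) log.push_back("button " + std::to_string(id) + " -> " + s->name);
        return s != nullptr;
    }
};

// Constructed scenario: the focused surface is destroyed between two pad events.
std::vector<std::string> closeSurfaceWhilePadFocused(bool &lateButtonDelivered) {
    Pad pad;
    Surface *a = new Surface("A");
    Surface b("B");
    pad.setCurrentSurface(a);
    pad.button(1);
    delete a;                                      // e.g. the window was closed
    lateButtonDelivered = pad.button(2);           // a raw Surface* would dangle here
    pad.setCurrentSurface(&b);                     // no "leave A": A no longer exists
    return pad.log;
}
```

With a plain `Surface *` member in place of `Guarded`, both calls after `delete a` would dereference freed memory, which is the kind of fault the backtraces in this report show.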