Bug 461327

Summary: kscreenlocker_greet crashed in ScreenLocker::UnlockApp::createViewForScreen()
Product: [Unmaintained] kscreenlocker Reporter: Matt Fagnani <matt.fagnani>
Component: greeterAssignee: Plasma Bugs List <plasma-bugs-null>
Status: RESOLVED DOWNSTREAM    
Severity: crash CC: bshah, hgblob, jr, kde, nate
Priority: NOR    
Version First Reported In: 5.26.2   
Target Milestone: ---   
Platform: Fedora RPMs   
OS: Linux   
Latest Commit: Version Fixed/Implemented In:
Sentry Crash Report:
Attachments: valgrind log for kscreenlocker_greeter --testing crash

Description Matt Fagnani 2022-11-02 17:37:45 UTC 
SUMMARY

I booted the Fedora Rawhide live image Fedora-KDE-Live-x86_64-Rawhide-20221102.n.0.iso https://koji.fedoraproject.org/koji/buildinfo?buildID=2083154 in GNOME Boxes QEMU/KVM VM with 3 GiB RAM and 3D acceleration enabled in a Fedora 37 KDE Plasma installation. Plasma 5.26.2 on Wayland started. I left the VM idle for several minutes. The VM's screen had the following message when I used it again. "The screen locker is broken and unlocking isn't possible anymore. In order to unlock switch to a virtual terminal (e.g. Ctrl+Alt+F2), log in and execute the command: loginctl unlock-session 1 Then log out of the virtual session with Ctrl+D, and switch back to the running session (Ctrl+Alt+F1)." After I followed those instructions, I saw /usr/libexec/kscreenlocker_greet crashed in the journal, but coredumpctl didn't show the crash. I reproduced the crash by running /usr/libexec/kscreenlocker_greet and /usr/libexec/kscreenlocker_greet --testing in konsole. coredumpctl gdb showed that QtWayland::wl_surface::object with an argument this=0x10 which looked like an invalid pointer (null plus an offset)

Core was generated by `/usr/libexec/kscreenlocker_greet --testing'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f64ad9c8da6 in QtWayland::wl_surface::object (this=0x10)
    at /usr/include/qt5/QtWaylandClient/5.15.6/QtWaylandClient/private/qwayland-wayland.h:637
637     /usr/include/qt5/QtWaylandClient/5.15.6/QtWaylandClient/private/qwayland-wayland.h: No such file or directory.
[Current thread is 1 (Thread 0x7f64ad5cfe80 (LWP 2622))]
(gdb) bt
#0  0x00007f64ad9c8da6 in QtWayland::wl_surface::object (this=0x10)
    at /usr/include/qt5/QtWaylandClient/5.15.6/QtWaylandClient/private/qwayland-wayland.h:637
#1  LayerShellQt::QWaylandLayerSurface::QWaylandLayerSurface (this=<optimized out>, shell=<optimized out>, 
    window=<optimized out>, this=<optimized out>, shell=<optimized out>, window=<optimized out>)
    at /usr/src/debug/layer-shell-qt-5.26.2-1.fc38.x86_64/src/qwaylandlayersurface.cpp:38
#2  0x00007f64ad9c95b9 in LayerShellQt::QWaylandLayerShell::createLayerSurface (this=0x55af214b65e0, 
    window=0x55af217cf540) at /usr/src/debug/layer-shell-qt-5.26.2-1.fc38.x86_64/src/qwaylandlayershell.cpp:26
#3  0x00007f64ab929515 in QtWaylandClient::QWaylandWindow::initWindow (this=0x55af217cf540)
    at /usr/src/debug/qt5-qtwayland-5.15.7-1.fc38.x86_64/src/client/qwaylandwindow.cpp:141
#4  0x00007f64ab92984d in QtWaylandClient::QWaylandWindow::setVisible (visible=<optimized out>, 
    this=0x55af217cf540) at /usr/src/debug/qt5-qtwayland-5.15.7-1.fc38.x86_64/src/client/qwaylandwindow.cpp:436
#5  QtWaylandClient::QWaylandWindow::setVisible (this=0x55af217cf540, visible=<optimized out>)
    at /usr/src/debug/qt5-qtwayland-5.15.7-1.fc38.x86_64/src/client/qwaylandwindow.cpp:428
#6  0x00007f64ac176097 in QWindowPrivate::setVisible(bool) () from /lib64/libQt5Gui.so.5
#7  0x000055af1f7097bf in ScreenLocker::UnlockApp::createViewForScreen (this=this@entry=0x7ffd63c765e0, 
    screen=screen@entry=0x55af2112c790)
    at /usr/src/debug/kscreenlocker-5.26.2-1.fc38.x86_64/greeter/greeterapp.cpp:417
#8  0x000055af1f709f34 in ScreenLocker::UnlockApp::handleScreen (this=this@entry=0x7ffd63c765e0, 
    screen=0x55af2112c790) at /usr/src/debug/kscreenlocker-5.26.2-1.fc38.x86_64/greeter/greeterapp.cpp:306
#9  0x000055af1f700de0 in ScreenLocker::UnlockApp::initialViewSetup (this=0x7ffd63c765e0)
    at /usr/src/debug/kscreenlocker-5.26.2-1.fc38.x86_64/greeter/greeterapp.cpp:296
#10 main (argc=<optimized out>, argv=<optimized out>)
    at /usr/src/debug/kscreenlocker-5.26.2-1.fc38.x86_64/greeter/main.cpp:187

The journal showed errors like the following at the times of the crashes.

Nov 02 12:32:44 kscreenlocker_greet[2291]: kscreenlocker_greet: Lockscreen QML outdated, falling back to default
Nov 02 12:32:46 kernel: Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
Nov 02 12:32:46 kernel: Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
Nov 02 12:32:46 kernel: Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
Nov 02 12:32:46 kscreenlocker_greet[2291]: kf.kirigami: Failed to find a Kirigami platform plugin
Nov 02 12:32:47 kernel: show_signal_msg: 3 callbacks suppressed
Nov 02 12:32:47 kernel: kscreenlocker_g[2291]: segfault at 18 ip 00007ff9e1838da6 sp 00007fff131564d0 error 4 in libLayerShellQtInterface.so.5.26.2[7ff9e1837000+3000] likely on CPU 3 (core 3, socket 0)
Nov 02 12:32:47 kernel: Code: 8d 64 24 38 48 89 44 24 28 48 89 ee 4c 89 e7 e8 10 e8 ff ff 48 89 ef e8 08 e9 ff ff 4c 89 e6 4c 89 ef 89 44 24 24 49 8b 46 30 <4c> 8b 48 18 4c 89 4c 24 18 e8 cc e9 ff ff 48 8b 44 24 40 4d 8b 7f
Nov 02 12:32:47 audit[2291]: ANOM_ABEND auid=1000 uid=1000 gid=1000 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=2291 comm="kscreenlocker_g" exe="/usr/libexec/kscreenlocker_greet" sig=11 res=1
Nov 02 12:32:47 kwin_wayland_wrapper[1467]: not a valid new object id (2), message get_registry(n)
Nov 02 12:32:47 kwin_wayland_wrapper[1467]: error in client communication (pid 1467)
Nov 02 12:32:47 kwin_wayland_wrapper[2312]: wl_display@1: error 1: invalid arguments for wl_display@1.get_registry
Nov 02 12:32:47 kscreenlocker_greet[2312]: qt.qpa.wayland: Creating a fake screen in order for Qt not to crash
Nov 02 12:32:47 kscreenlocker_greet[2312]: The Wayland connection experienced a fatal error: Invalid argument
Nov 02 12:32:47 kscreenlocker_greet[2316]: qt.qpa.wayland: Creating a fake screen in order for Qt not to crash
Nov 02 12:32:47 kscreenlocker_greet[2316]: The Wayland connection broke. Did the Wayland compositor die?
Nov 02 12:32:48 kscreenlocker_greet[2320]: qt.qpa.wayland: Creating a fake screen in order for Qt not to crash
Nov 02 12:32:48 kscreenlocker_greet[2320]: The Wayland connection broke. Did the Wayland compositor die?

STEPS TO REPRODUCE
1. Boot a Fedora 37 KDE Plasma installation updated to 2022-11-2 with the updates-testing repo enabled.
2. Log in to Plasma 5.26.2 on Wayland
3. Install GNOME Boxes if it isn't already with sudo dnf install gnome-boxes
4. Download the Fedora Rawhide live image Fedora-KDE-Live-x86_64-Rawhide-20221102.n.0.iso https://koji.fedoraproject.org/koji/buildinfo?buildID=2083154 
5. start GNOME Boxes
6. start a QEMU/KVM VM using the image Fedora-KDE-Live-x86_64-Rawhide-20221102.n.0.iso  with 3 GiB RAM and 3D acceleration enabled in the settings
7. Once Plasma 5.26.2 on Wayland started, leave the VM idle for several minutes until the screen locker error screen appears. The screen locking time is set to 5 minutes in System Settings.

OBSERVED RESULT
kscreenlocker_greet crashed in QtWayland::wl_surface::object each of a few times that kscreenlocker_greet ran

EXPECTED RESULT
kscreenlocker_greet wouldn't crash

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: Fedora Rawhide/38
(available in About System)
KDE Plasma Version: 5.26.2
KDE Frameworks Version: 5.99.0
Qt Version: 5.15.7

ADDITIONAL INFORMATION
Comment 1 Nate Graham 2022-11-02 18:52:33 UTC 
Possible issue where it thinks it has no screens and tried to create a view for a null screen?

Specifically, it's dying in createViewForScreen() when it gets to markViewsAsVisible():

    auto onFrameSwapped = [this, view] {
        markViewsAsVisible(view);
    };
Comment 2 Matt Fagnani 2022-11-03 02:40:53 UTC 
Created attachment 153422 [details]
valgrind log for kscreenlocker_greeter --testing crash

Your interpretation agrees with lines like kscreenlocker_greet[2312]: qt.qpa.wayland: Creating a fake screen in order for Qt not to crash in the journal and QtWayland::wl_surface::object having this=0x10. I ran valgrind --log-file=valgrind-kscreenlocker_greet-1.txt --enable-debuginfod=no /usr/libexec/kscreenlocker_greet --testing in a VM like the one I described. Nine invalid reads of 16 bytes were shown in the valgrind log which were less than 16 bytes from the end of the buffers, and so they might've been overreads. The first such invalid read was

==3353== Invalid read of size 16
==3353==    at 0x2B3566D8: ???
==3353==    by 0x2B222C6B: ???
==3353==  Address 0x2b223c6e is 46,222 bytes inside a block of size 46,228 alloc'd
==3353==    at 0x484186F: malloc (vg_replace_malloc.c:393)
==3353==    by 0x6330581: QArrayData::allocate(unsigned long, unsigned long, unsigned long, QFlags<QArrayData::AllocationOption>) (qarraydata.cpp:218)
==3353==    by 0x63B225D: allocate (qarraydata.h:225)
==3353==    by 0x63B225D: QString::fromLatin1_helper(char const*, int) (qstring.cpp:5464)
==3353==    by 0x263DF999: UnknownInlinedFun (qstring.h:701)
==3353==    by 0x263DF999: UnknownInlinedFun (qstring.h:713)
==3353==    by 0x263DF999: Plasma::SharedSvgRenderer::load(QByteArray const&, QString const&, QHash<QString, QRectF>&) [clone .isra.0] (svg.cpp:134)
==3353==    by 0x263CD0B3: UnknownInlinedFun (svg.cpp:81)
==3353==    by 0x263CD0B3: Plasma::SvgPrivate::createRenderer() [clone .part.0] (svg.cpp:681)
==3353==    by 0x263BE617: UnknownInlinedFun (qbasicatomic.h:118)
==3353==    by 0x263BE617: UnknownInlinedFun (svg.cpp:756)
==3353==    by 0x263BE617: Plasma::SvgPrivate::elementRect(QString const&) (svg.cpp:745)
==3353==    by 0x263BE8ED: Plasma::Svg::hasElement(QString const&) const (svg.cpp:1074)
==3353==    by 0x2659B6AC: UnknownInlinedFun (iconitem.cpp:169)
==3353==    by 0x2659B6AC: IconItem::setSource(QVariant const&) (iconitem.cpp:370)
==3353==    by 0x2658971A: IconItem::qt_metacall(QMetaObject::Call, int, void**) (moc_iconitem.cpp:385)
==3353==    by 0x582CCD4: QQmlVMEMetaObject::metaCall(QObject*, QMetaObject::Call, int, void**) (in /usr/lib64/libQt5Qml.so.5.15.7)
==3353==    by 0x58B5DDD: ??? (in /usr/lib64/libQt5Qml.so.5.15.7)
==3353==    by 0x58B8362: QQmlObjectCreator::setPropertyValue(QQmlPropertyData const*, QV4::CompiledData::Binding const*) (in /usr/lib64/libQt5Qml.so.5.15.7)
==3353== 

The traces where the invalid reads happened all had ??? instead of the functions and lines so they're harder to interpret. Some Conditional jump or move depends on uninitialised value(s) lines were shown. Then there was an invalid read of 8 bytes at 0x18 in UnknownInlinedFun (qwayland-wayland.h:637) with a trace like I reported resulting in the segmentation fault.

==3353== Invalid read of size 8
==3353==    at 0x4ACEDA6: UnknownInlinedFun (qwayland-wayland.h:637)
==3353==    by 0x4ACEDA6: LayerShellQt::QWaylandLayerSurface::QWaylandLayerSurface(LayerShellQt::QWaylandLayerShell*, QtWaylandClient::QWaylandWindow*) (qwaylandlayersurface.cpp:38)
==3353==    by 0x4ACF5B8: LayerShellQt::QWaylandLayerShell::createLayerSurface(QtWaylandClient::QWaylandWindow*) (qwaylandlayershell.cpp:26)
==3353==    by 0x6C7D514: QtWaylandClient::QWaylandWindow::initWindow() (qwaylandwindow.cpp:141)
==3353==    by 0x6C7D84C: UnknownInlinedFun (qwaylandwindow.cpp:436)
==3353==    by 0x6C7D84C: .LTHUNK9.lto_priv.0 (qwaylandwindow.cpp:428)
==3353==    by 0x5D76096: QWindowPrivate::setVisible(bool) (in /usr/lib64/libQt5Gui.so.5.15.7)
==3353==    by 0x11F7BE: ScreenLocker::UnlockApp::createViewForScreen(QScreen*) (greeterapp.cpp:417)
==3353==    by 0x11FF33: ScreenLocker::UnlockApp::handleScreen(QScreen*) (greeterapp.cpp:306)
==3353==    by 0x116DDF: UnknownInlinedFun (greeterapp.cpp:296)
==3353==    by 0x116DDF: main (main.cpp:187)
==3353==  Address 0x18 is not stack'd, malloc'd or (recently) free'd
==3353== 
==3353== 
==3353== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==3353==  Access not within mapped region at address 0x18
==3353==    at 0x4ACEDA6: UnknownInlinedFun (qwayland-wayland.h:637)
==3353==    by 0x4ACEDA6: LayerShellQt::QWaylandLayerSurface::QWaylandLayerSurface(LayerShellQt::QWaylandLayerShell*, QtWaylandClient::QWaylandWindow*) (qwaylandlayersurface.cpp:38)
==3353==    by 0x4ACF5B8: LayerShellQt::QWaylandLayerShell::createLayerSurface(QtWaylandClient::QWaylandWindow*) (qwaylandlayershell.cpp:26)
==3353==    by 0x6C7D514: QtWaylandClient::QWaylandWindow::initWindow() (qwaylandwindow.cpp:141)
==3353==    by 0x6C7D84C: UnknownInlinedFun (qwaylandwindow.cpp:436)
==3353==    by 0x6C7D84C: .LTHUNK9.lto_priv.0 (qwaylandwindow.cpp:428)
==3353==    by 0x5D76096: QWindowPrivate::setVisible(bool) (in /usr/lib64/libQt5Gui.so.5.15.7)
==3353==    by 0x11F7BE: ScreenLocker::UnlockApp::createViewForScreen(QScreen*) (greeterapp.cpp:417)
==3353==    by 0x11FF33: ScreenLocker::UnlockApp::handleScreen(QScreen*) (greeterapp.cpp:306)
==3353==    by 0x116DDF: UnknownInlinedFun (greeterapp.cpp:296)
==3353==    by 0x116DDF: main (main.cpp:187)

I'm attached the full valgrind log.
Comment 3 Matt Fagnani 2022-11-03 06:36:20 UTC 
My Fedora 37 KDE Plasma installation and Fedora-KDE-Live-x86_64-Rawhide-20221029.n.0.iso don't seem to be affected by this problem; they have Plasma 5.26.2, KF 5.99.0, and Qt 5.15.6. The problem might've been introduced in Qt 5.15.7.
Comment 4 Matt Fagnani 2022-11-03 15:41:24 UTC 
layer-shell-qt-5.26.2-1.fc38 needed to be rebuilt with Qt 5.15.7 since it used the private Qt API, and not doing so resulted in sddm crashes reported at https://bugzilla.redhat.com/show_bug.cgi?id=2139465 I found the sddm crashes with Fedora-KDE-Live-x86_64-Rawhide-20221102.n.0.iso had similar functions at the tops of their stacks like LayerShellQt::QWaylandLayerSurface::QWaylandLayerSurface to the kscreenlocker_greet crashes I reported. kscreenlocker_greet didn't crash in VMs with Fedora-KDE-Live-x86_64-Rawhide-20221103.n.0.iso https://koji.fedoraproject.org/koji/buildinfo?buildID=2083580 which contained the layer-shell-qt-5.26.2-2.fc38 rebuild with Qt 5.15.7 https://koji.fedoraproject.org/koji/buildinfo?buildID=2083363
Comment 5 H.G.Blob 2022-11-05 13:13:43 UTC 
I'm seeing the same crash on Neon 20.04 after updating to plasma 5.26 on two different computers. Should I report the bug again for neon or reopen this one?
Comment 6 Nate Graham 2022-11-05 14:04:00 UTC 
Can you upgrade to Neon 22.04 and try again? If you are, it might be a Neon packaging bug, like Matt's issue was a Fedora packaging bug. In that case, a new bug report for the Neon folks would be appropriate.
Comment 7 H.G.Blob 2022-11-05 16:21:29 UTC 
Can't upgrade to 22.04 at the moment, too big disruption but as Matt suggested I recompiled layer-shell-qt with the latest qt version and the greeter started working again. So for sure neon has the same issue as Fedora.