Bug 466281

Summary: Nested kwin_wayland crashed in KWin::GLFramebuffer::size in VMs using the llvmpipe driver
Product: [Plasma] kwin Reporter: Matt Fagnani <matt.fagnani>
Component: wayland-genericAssignee: KWin default assignee <kwin-bugs-null>
Status: RESOLVED MOVED    
Severity: crash CC: nate
Priority: NOR    
Version First Reported In: 5.27.0   
Target Milestone: ---   
Platform: Fedora RPMs   
OS: Linux   
See Also: https://bugs.kde.org/show_bug.cgi?id=466302
Latest Commit: Version Fixed/Implemented In:
Sentry Crash Report:
Attachments: The full trace of all threads of the nested kwin_wayland crash.

Description Matt Fagnani 2023-02-23 01:16:12 UTC 
Created attachment 156628 [details]
The full trace of all threads of the nested kwin_wayland crash.

SUMMARY

I booted the Fedora 38 KDE Plasma live image Fedora-KDE-Live-x86_64-38-20230221.n.1.iso in a QEMU/KVM VM using GNOME Boxes with 3D acceleration disabled using the llvmpipe driver from mesa-dri-drivers-23.0.0~rc4-3.fc38.x86_64.
Plasma 5.27.0 on Wayland started. I started Konsole. I tried to run a nested kwin_wayland session using the instructions at https://community.kde.org/KWin/Wayland
export $(dbus-launch)
kwin_wayland --xwayland 

The nested kwin_wayland window didn't appear except for a Wayland icon in the task manager. The following output was in Konsole which showed some Permission denied errors and a segmentation fault of kwin_wayland.

$ kwin_wayland --xwayland
No backend specified, automatically choosing Wayland because WAYLAND_DISPLAY is set
unable to lock lockfile /run/user/1000/wayland-0.lock, maybe another compositor is running
libEGL warning: egl: failed to create dri2 screen
OpenGL vendor string:                   Mesa
OpenGL renderer string:                 llvmpipe (LLVM 15.0.7, 256 bits)
OpenGL version string:                  4.5 (Core Profile) Mesa 23.0.0-rc4
OpenGL shading language version string: 4.50
Driver:                                 LLVMpipe
GPU class:                              Unknown
OpenGL version:                         4.5
GLSL version:                           4.50
Mesa version:                           23.0
Linux kernel version:                   6.2
Requires strict binding:                no
GLSL shaders:                           yes
Texture NPOT support:                   yes
Virtual Machine:                        no
kwin_core: Parse error in tiles configuration for monitor "7fb8c463-c102-5440-8fb7-5253b26b5d9c" : "illegal value" Creating default setup
kwin_xkbcommon: XKB: inet:323:58: unrecognized keysym "XF86EmojiPicker"
kwin_xkbcommon: XKB: inet:324:58: unrecognized keysym "XF86Dictate"
KMS: DRM_IOCTL_MODE_CREATE_DUMB failed: Permission denied
kwin_wayland_backend: Failed to allocate a buffer for an output layer
KMS: DRM_IOCTL_MODE_CREATE_DUMB failed: Permission denied
kwin_wayland_backend: Failed to allocate a buffer for an output layer
(WW) Option "-listen" for file descriptors is deprecated
Please use "-listenfd" instead.
(WW) Option "-listen" for file descriptors is deprecated
Please use "-listenfd" instead.
libEGL warning: egl: failed to create dri2 screen
libEGL warning: NEEDS EXTENSION: falling back to kms_swrast
(EE) could not connect to wayland server
Segmentation fault (core dumped)

The nested kwin_wayland crashed in KWin::GLFramebuffer::size. The crash might've been due to a null pointer dereference since this=0x0.

Core was generated by `kwin_wayland --xwayland'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f56fe3fcead in KWin::GLFramebuffer::size (this=0x0) at /usr/src/debug/kwin-5.27.0-2.fc38.x86_64/src/libkwineffects/kwinglutils.h:421
421             return mSize;
[Current thread is 1 (Thread 0x7f56fdaa9e40 (LWP 4389))]

(gdb) bt
#0  0x00007f56fe3fcead in KWin::GLFramebuffer::size (this=0x0)
    at /usr/src/debug/kwin-5.27.0-2.fc38.x86_64/src/libkwineffects/kwinglutils.h:421
#1  KWin::RenderTarget::size (this=0x7ffe85125500)
    at /usr/src/debug/kwin-5.27.0-2.fc38.x86_64/src/core/rendertarget.cpp:30
#2  0x00007f56fe4a3fec in KWin::CursorScene::paint (this=this@entry=0x5564ab4fd200, 
    renderTarget=renderTarget@entry=0x7ffe85125500, region=...)
    at /usr/src/debug/kwin-5.27.0-2.fc38.x86_64/src/scene/cursorscene.cpp:57
#3  0x00007f56fe4a8d91 in KWin::SceneDelegate::paint (this=this@entry=0x5564ab747590, 
    renderTarget=renderTarget@entry=0x7ffe85125500, region=...)
    at /usr/src/debug/kwin-5.27.0-2.fc38.x86_64/src/scene/scene.cpp:55
#4  0x00007f56fe5de432 in KWin::Wayland::WaylandOutput::renderCursorOpengl (this=this@entry=0x5564aaef17f0, 
    backend=<optimized out>, source=source@entry=0x5564ab6448e0)
    at /usr/src/debug/kwin-5.27.0-2.fc38.x86_64/src/backends/wayland/wayland_output.cpp:229
#5  0x00007f56fe5de805 in KWin::Wayland::WaylandOutput::setCursor (source=0x5564ab6448e0, this=0x5564aaef17f0)
    at /usr/src/debug/kwin-5.27.0-2.fc38.x86_64/src/backends/wayland/wayland_output.cpp:191
#6  KWin::Wayland::WaylandOutput::setCursor (this=0x5564aaef17f0, source=0x5564ab6448e0)
    at /usr/src/debug/kwin-5.27.0-2.fc38.x86_64/src/backends/wayland/wayland_output.cpp:184
#7  0x00007f56fe3f0a42 in operator() (__closure=__closure@entry=0x7ffe851256a0)
    at /usr/src/debug/kwin-5.27.0-2.fc38.x86_64/src/composite.cpp:455
#8  0x00007f56fe3f4686 in KWin::Compositor::addOutput (this=this@entry=0x5564aaef8d10, output=0x5564aaef17f0)
    at /usr/src/debug/kwin-5.27.0-2.fc38.x86_64/src/composite.cpp:471
#9  0x00007f56fe3f4988 in KWin::Compositor::startupWithWorkspace (this=0x5564aaef8d10)
    at /usr/src/debug/kwin-5.27.0-2.fc38.x86_64/src/composite.cpp:383
#10 0x00007f56fcadf03b in QObject::event (this=0x5564aaef8d10, e=0x5564aaf7c090) at kernel/qobject.cpp:1347
#11 0x00007f56fc1aece5 in QApplicationPrivate::notify_helper(QObject*, QEvent*) ()
   from /lib64/libQt5Widgets.so.5
#12 0x00007f56fcab3648 in QCoreApplication::notifyInternal2 (receiver=0x5564aaef8d10, event=0x5564aaf7c090)
    at kernel/qcoreapplication.cpp:1064
--Type <RET> for more, q to quit, c to continue without paging--
#13 0x00007f56fcab6af5 in QCoreApplicationPrivate::sendPostedEvents (receiver=receiver@entry=0x0, 
    event_type=event_type@entry=0, data=data@entry=0x5564aae52900) at kernel/qcoreapplication.cpp:1821
#14 0x00007f56fcb03371 in QEventDispatcherUNIX::processEvents (this=0x5564aae557d0, flags=...)
    at kernel/qeventdispatcher_unix.cpp:468
#15 0x00005564aabd10c2 in QUnixEventDispatcherQPA::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
#16 0x00007f56fcab201b in QEventLoop::exec (this=this@entry=0x7ffe85125ac0, flags=..., flags@entry=...)
    at ../../include/QtCore/../../src/corelib/global/qflags.h:69
#17 0x00007f56fcaba29b in QCoreApplication::exec ()
    at ../../include/QtCore/../../src/corelib/global/qflags.h:121
#18 0x00005564aaaecc04 in main (argc=<optimized out>, argv=<optimized out>)
    at /usr/src/debug/kwin-5.27.0-2.fc38.x86_64/src/main_wayland.cpp:628

fbo pointed to a null pointer in KWin::RenderTarget::size in frame 1, so  (*fbo)->size() might've been the null pointer dereference.

(gdb) frame 1
#1  KWin::RenderTarget::size (this=0x7ffe85125500)
    at /usr/src/debug/kwin-5.27.0-2.fc38.x86_64/src/core/rendertarget.cpp:30
30              return (*fbo)->size();
(gdb) p fbo
$1 = (KWin::GLFramebuffer * const *) 0x7ffe85125500
(gdb) p *fbo
$2 = (KWin::GLFramebuffer * const) 0x0

The framebuffer might not have been properly initialized due to the Permission denied errors
KMS: DRM_IOCTL_MODE_CREATE_DUMB failed: Permission denied
kwin_wayland_backend: Failed to allocate a buffer for an output layer

I've frequently seen KDE programs showing warnings like "libEGL warning: egl: failed to create dri2 screen" in the journal of VMs using the llvmpipe driver e.g. https://bugs.kde.org/show_bug.cgi?id=464258 That warning didn't appear with the virgl or radeonsi mesa drivers. That warning led to a fallback to the kms_swrast driver.

This problem happened each of a few times I tried to run a nested kwin_wayland session in VMs using the llvmpipe driver. Nested kwin_wayland started normally in VMs with the same image using 3D acceleration enabled using the virgl mesa driver and on bare metal using the radeonsi mesa driver. The problem might be specific to the use of llvmpipe.

STEPS TO REPRODUCE
1. Boot a Fedora 37 KDE Plasma installation updated to 2023-2-22 with updates-testing enabled
2. Log in to Plasma 5.27.0 on Wayland from sddm
3. Download Fedora-KDE-Live-x86_64-38-20230221.n.1.iso from https://koji.fedoraproject.org/koji/buildinfo?buildID=2157026
4. Install GNOME Boxes if it isn't already with sudo dnf install gnome-boxes
5. Start GNOME Boxes
6. boot the Fedora 38 KDE Plasma live image Fedora-KDE-Live-x86_64-38-20230221.n.1.iso in a QEMU/KVM VM using GNOME Boxes with 3D acceleration disabled using the llvmpipe driver
7. Start Konsole in the VM
8. In Konsole, run
export $(dbus-launch)
kwin_wayland --xwayland

OBSERVED RESULT
Nested kwin_wayland crashed in KWin::GLFramebuffer::size in VMs using the llvmpipe driver

EXPECTED RESULT
Nested kwin_wayland wouldn't crash

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: Fedora 38
(available in About System)
KDE Plasma Version: 5.27.0
KDE Frameworks Version: 5.103.0
Qt Version: 5.15.8

ADDITIONAL INFORMATION

I'm attaching the full trace of all threads.
Comment 1 Matt Fagnani 2023-02-23 02:38:59 UTC 
I booted the Fedora 38 KDE Plasma live image Fedora-KDE-Live-x86_64-38-20230221.n.1.iso in a QEMU/KVM VM using GNOME Boxes with 3D acceleration disabled using the llvmpipe driver. I ran nested kwin_wayland under valgrind in konsole with valgrind --log-file=valgrind-nested-kwin_wayland-5.27.0-1.txt --enable-debuginfod=no kwin_wayland --xwayland

The valgrind log showed the syscall param waitid(infop) pointed to unaddressable byte(s) 0x0 and an invalid read of the address 0x4 at UnknownInlinedFun (kwinglutils.h:421) causing the segmentation fault.

==4964== Memcheck, a memory error detector
==4964== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==4964== Using Valgrind-3.20.0 and LibVEX; rerun with -h for copyright info
==4964== Command: kwin_wayland --xwayland
==4964== Parent PID: 4142
==4964== 
==4964== Syscall param waitid(infop) points to unaddressable byte(s)
==4964==    at 0x78A3D2D: syscall (syscall.S:38)
==4964==    by 0x666F85E: sys_waitid (forkfd_linux.c:65)
==4964==    by 0x666F85E: detect_clone_pidfd_support (forkfd_linux.c:126)
==4964==    by 0x666F85E: system_forkfd (forkfd_linux.c:142)
==4964==    by 0x666F85E: forkfd (forkfd.c:651)
==4964==    by 0x6655118: QProcessPrivate::startProcess() (qprocess_unix.cpp:466)
==4964==    by 0x2137EE: KWin::Xwl::XwaylandLauncher::startInternal() [clone .isra.0] (xwaylandlauncher.cpp:186)
==4964==    by 0x66FBF50: call (qobjectdefs_impl.h:398)
==4964==    by 0x66FBF50: void doActivate<false>(QObject*, int, void**) (qobject.cpp:3923)
==4964==    by 0x4CB93BE: KWin::Compositor::setupStart() [clone .part.0] (composite.cpp:335)
==4964==    by 0x4CBAE27: KWin::WaylandCompositor::start() (composite.cpp:799)
==4964==    by 0x66F303A: QObject::event(QEvent*) (qobject.cpp:1347)
==4964==    by 0x6E34CE4: QApplicationPrivate::notify_helper(QObject*, QEvent*) (in /usr/lib64/libQt5Widgets.so.5.15.8)
==4964==    by 0x66C7647: QCoreApplication::notifyInternal2(QObject*, QEvent*) (qcoreapplication.cpp:1064)
==4964==    by 0x66CAAF4: QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qcoreapplication.cpp:1821)
==4964==    by 0x6717370: QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventdispatcher_unix.cpp:468)
==4964==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==4964== 
==4964== Invalid read of size 8
==4964==    at 0x4CC2EAD: UnknownInlinedFun (kwinglutils.h:421)
==4964==    by 0x4CC2EAD: KWin::RenderTarget::size() const (rendertarget.cpp:30)
==4964==    by 0x4D69FEB: KWin::CursorScene::paint(KWin::RenderTarget*, QRegion const&) (cursorscene.cpp:57)
==4964==    by 0x4D6ED90: KWin::SceneDelegate::paint(KWin::RenderTarget*, QRegion const&) (scene.cpp:55)
==4964==    by 0x4EA4431: KWin::Wayland::WaylandOutput::renderCursorOpengl(KWin::Wayland::WaylandEglBackend*, KWin::CursorSource*) (wayland_output.cpp:229)
==4964==    by 0x4EA4804: UnknownInlinedFun (wayland_output.cpp:191)
==4964==    by 0x4EA4804: KWin::Wayland::WaylandOutput::setCursor(KWin::CursorSource*) (wayland_output.cpp:184)
==4964==    by 0x4CB6A41: KWin::Compositor::addOutput(KWin::Output*)::{lambda()#2}::operator()() const (composite.cpp:455)
==4964==    by 0x4CBA685: KWin::Compositor::addOutput(KWin::Output*) (composite.cpp:471)
==4964==    by 0x4CBA987: KWin::Compositor::startupWithWorkspace() (composite.cpp:383)
==4964==    by 0x66F303A: QObject::event(QEvent*) (qobject.cpp:1347)
==4964==    by 0x6E34CE4: QApplicationPrivate::notify_helper(QObject*, QEvent*) (in /usr/lib64/libQt5Widgets.so.5.15.8)
==4964==    by 0x66C7647: QCoreApplication::notifyInternal2(QObject*, QEvent*) (qcoreapplication.cpp:1064)
==4964==    by 0x66CAAF4: QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qcoreapplication.cpp:1821)
==4964==  Address 0x4 is not stack'd, malloc'd or (recently) free'd
==4964== 
==4964== 
==4964== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==4964==  Access not within mapped region at address 0x4
==4964==    at 0x4CC2EAD: UnknownInlinedFun (kwinglutils.h:421)
==4964==    by 0x4CC2EAD: KWin::RenderTarget::size() const (rendertarget.cpp:30)
==4964==    by 0x4D69FEB: KWin::CursorScene::paint(KWin::RenderTarget*, QRegion const&) (cursorscene.cpp:57)
==4964==    by 0x4D6ED90: KWin::SceneDelegate::paint(KWin::RenderTarget*, QRegion const&) (scene.cpp:55)
==4964==    by 0x4EA4431: KWin::Wayland::WaylandOutput::renderCursorOpengl(KWin::Wayland::WaylandEglBackend*, KWin::CursorSource*) (wayland_output.cpp:229)
==4964==    by 0x4EA4804: UnknownInlinedFun (wayland_output.cpp:191)
==4964==    by 0x4EA4804: KWin::Wayland::WaylandOutput::setCursor(KWin::CursorSource*) (wayland_output.cpp:184)
==4964==    by 0x4CB6A41: KWin::Compositor::addOutput(KWin::Output*)::{lambda()#2}::operator()() const (composite.cpp:455)
==4964==    by 0x4CBA685: KWin::Compositor::addOutput(KWin::Output*) (composite.cpp:471)
==4964==    by 0x4CBA987: KWin::Compositor::startupWithWorkspace() (composite.cpp:383)
==4964==    by 0x66F303A: QObject::event(QEvent*) (qobject.cpp:1347)
==4964==    by 0x6E34CE4: QApplicationPrivate::notify_helper(QObject*, QEvent*) (in /usr/lib64/libQt5Widgets.so.5.15.8)
==4964==    by 0x66C7647: QCoreApplication::notifyInternal2(QObject*, QEvent*) (qcoreapplication.cpp:1064)
==4964==    by 0x66CAAF4: QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qcoreapplication.cpp:1821)
==4964==  If you believe this happened as a result of a stack
==4964==  overflow in your program's main thread (unlikely but
==4964==  possible), you can try to increase the size of the
==4964==  main thread stack using the --main-stacksize= flag.
==4964==  The main thread stack size used in this run was 8388608.
==4964== 
==4964== HEAP SUMMARY:
==4964==     in use at exit: 9,111,453 bytes in 45,025 blocks
==4964==   total heap usage: 257,942 allocs, 212,917 frees, 90,565,412 bytes allocated
==4964== 
==4964== LEAK SUMMARY:
==4964==    definitely lost: 256 bytes in 2 blocks
==4964==    indirectly lost: 352 bytes in 2 blocks
==4964==      possibly lost: 83,504 bytes in 779 blocks
==4964==    still reachable: 9,025,325 bytes in 44,221 blocks
==4964==                       of which reachable via heuristic:
==4964==                         newarray           : 8,488 bytes in 5 blocks
==4964==         suppressed: 0 bytes in 0 blocks
==4964== Rerun with --leak-check=full to see details of leaked memory
==4964== 
==4964== For lists of detected and suppressed errors, rerun with: -s
==4964== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
Comment 2 David Edmundson 2024-05-29 10:32:22 UTC 
This bug is a crash report that is over a year old without any activity, as our software is always changing, the information in this ticket is unlikely to still be useful.

If this issue is still reproducible in a newer version of kwin (5.27.5 or 6.0) please reopen this ticket with a bumped version number or it will be closed in 30 days.
Comment 3 Matt Fagnani 2024-05-29 12:39:04 UTC 
Nested kwin_wayland crashed with a different trace in Plasma 6.0.4 in VMs using the llvmpipe driver as I reported at https://bugs.kde.org/show_bug.cgi?id=487217