Bug 467913

Summary: kwin_wayland crashed in KWin::GLVertexBufferPrivate::interleaveArrays when the cursor was moved to the top-left of the splash screen
Product: [Plasma] kwin
Reporter: Matt Fagnani <matt.fagnani>
Component: generic-crash
Assignee: KWin default assignee <kwin-bugs-null>
Status: RESOLVED WORKSFORME
Severity: crash
CC: nate
Priority: NOR
Version First Reported In: 5.27.3
Target Milestone: ---
Platform: Fedora RPMs
OS: Linux
Latest Commit:
Version Fixed/Implemented In:
Sentry Crash Report:
Attachments: Full trace of all threads of kwin_wayland crash

Description Matt Fagnani 2023-03-29 04:12:14 UTC
Created attachment 157678
Full trace of all threads of kwin_wayland crash

SUMMARY

I logged in to Plasma 5.27.3 on Wayland in a Fedora 38 KDE Plasma installation. I moved the mouse cursor to the top-left of the screen when the splash screen was shown. The screen went black for a couple seconds with just a text cursor at the top-left. The effect where the splash screen shrinks and a grey blurred border is shown around it wasn't displayed. Plasma started after a few seconds. coredumpctl showed that kwin_wayland crashed in KWin::GLVertexBufferPrivate::interleaveArrays.

Core was generated by `/usr/bin/kwin_wayland --wayland-fd 7 --socket wayland-0 --xwayland-fd 8 --xwayl'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007efe4c52e870 in KWin::GLVertexBufferPrivate::interleaveArrays (this=0x5651eaf62390, 
    count=4, texcoords=0x7ffdefec3e30, vertices=0x7ffdefec3e58, dim=<optimized out>, dst=0x4)
    at /usr/src/debug/kwin-5.27.3-2.fc38.x86_64/src/libkwineffects/kwinglutils.cpp:1674
1674                *(dst++) = *(vertices++);

(gdb) bt
#0  0x00007efe4c52e870 in KWin::GLVertexBufferPrivate::interleaveArrays(float*, int, float const*, float const*, int)
    (this=0x5651eaf62390, count=4, texcoords=0x7ffdefec3e30, vertices=0x7ffdefec3e58, dim=<optimized out>, dst=0x4) at /usr/src/debug/kwin-5.27.3-2.fc38.x86_64/src/libkwineffects/kwinglutils.cpp:1674
#1  KWin::GLVertexBuffer::setData(int, int, float const*, float const*)
    (this=0x5651eb028160, vertexCount=<optimized out>, dim=<optimized out>, vertices=<optimized out>, texcoords=<optimized out>)
    at /usr/src/debug/kwin-5.27.3-2.fc38.x86_64/src/libkwineffects/kwinglutils.cpp:1894
#2  0x00007efe4c52987a in KWin::GLTexture::render(QRegion const&, QRect const&, double, bool)
    (this=0x5651eaf59520, region=..., rect=<optimized out>, scale=<optimized out>, hardwareClipping=<optimized out>) at /usr/src/debug/kwin-5.27.3-2.fc38.x86_64/src/libkwineffects/kwingltexture.cpp:546
#3  0x00007efe4c529aae in KWin::GLTexture::render(QRect const&, double)
    (this=this@entry=0x5651eaf59520, rect=..., scale=scale@entry=1)
    at /usr/src/debug/kwin-5.27.3-2.fc38.x86_64/src/libkwineffects/kwingltexture.cpp:511
#4  0x00007efe4c040f32 in KWin::EffectsHandlerImpl::renderOffscreenQuickView(KWin::OffscreenQuickView*) const (this=0x5651e98374b0, w=0x5651eabce980)
    at /usr/src/debug/kwin-5.27.3-2.fc38.x86_64/src/effects.cpp:1793
#5  0x00007efe4c0347a9 in KWin::EffectsHandlerImpl::paintScreen(int, QRegion const&, KWin::ScreenPaintData&) (this=0x5651e98374b0, mask=<optimized out>, region=<optimized out>, data=<optimized out>)
    at /usr/src/debug/kwin-5.27.3-2.fc38.x86_64/src/effects.cpp:396
#6  0x00007efe4c0347a9 in KWin::EffectsHandlerImpl::paintScreen(int, QRegion const&, KWin::ScreenPaintData&) (this=0x5651e98374b0, mask=<optimized out>, region=<optimized out>, data=<optimized out>)
    at /usr/src/debug/kwin-5.27.3-2.fc38.x86_64/src/effects.cpp:396
#7  0x00007efe4c0347a9 in KWin::EffectsHandlerImpl::paintScreen(int, QRegion const&, KWin::ScreenPaintData&) (this=0x5651e98374b0, mask=<optimized out>, region=<optimized out>, data=<optimized out>)
    at /usr/src/debug/kwin-5.27.3-2.fc38.x86_64/src/effects.cpp:396
#8  0x00005651e87b4286 in KWin::ScreenEdgeEffect::paintScreen(int, QRegion const&, KWin::ScreenPaintData&) (this=0x5651ea7bd8d0, mask=<optimized out>, region=<optimized out>, data=...)
    at /usr/src/debug/kwin-5.27.3-2.fc38.x86_64/src/effects/screenedge/screenedgeeffect.cpp:72
#9  0x00007efe4c0347a9 in KWin::EffectsHandlerImpl::paintScreen(int, QRegion const&, KWin::ScreenPaintData&) (this=0x5651e98374b0, mask=<optimized out>, region=<optimized out>, data=<optimized out>)
    at /usr/src/debug/kwin-5.27.3-2.fc38.x86_64/src/effects.cpp:396
#10 0x00007efe4c0b6c0a in KWin::WorkspaceScene::paint(KWin::RenderTarget*, QRegion const&)
    (this=this@entry=0x5651e9b1f2a0, renderTarget=renderTarget@entry=0x7ffdefec42a0, region=...)
    at /usr/src/debug/kwin-5.27.3-2.fc38.x86_64/src/scene/workspacescene.cpp:357
#11 0x00007efe4c0416f8 in KWin::EffectsHandlerImpl::renderScreen(KWin::EffectScreen*)
    (this=0x5651e98374b0, screen=<optimized out>)
    at /usr/src/debug/kwin-5.27.3-2.fc38.x86_64/src/effects.cpp:1868
#12 0x00005651e87ad999 in operator() (__closure=0x5651ea81f480)
    at /usr/src/debug/kwin-5.27.3-2.fc38.x86_64/src/effects/screentransform/screentransform.cpp:90
#13 QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, KWin::ScreenTransformEffect::addScreen(KWin::EffectScreen*)::<lambda()> >::call (arg=<optimized out>, f=...)
    at /usr/include/qt5/QtCore/qobjectdefs_impl.h:146
#14 QtPrivate::Functor<KWin::ScreenTransformEffect::addScreen(KWin::EffectScreen*)::<lambda()>, 0>::call<QtPrivate::List<>, void> (arg=<optimized out>, f=...)
    at /usr/include/qt5/QtCore/qobjectdefs_impl.h:256
#15 QtPrivate::QFunctorSlotObject<KWin::ScreenTransformEffect::addScreen(KWin::EffectScreen*)::<lambda()>, 0, QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase *, QObject *, void **, bool *)
    (which=<optimized out>, this_=0x5651ea81f470, r=<optimized out>, a=<optimized out>, ret=<optimized out>) at /usr/include/qt5/QtCore/qobjectdefs_impl.h:443
#16 0x00007efe4a6e84f1 in QtPrivate::QSlotObjectBase::call(QObject*, void**)
    (a=0x7ffdefec4480, r=<optimized out>, this=0x5651ea81f470)
    at ../../include/QtCore/../../src/corelib/kernel/qobjectdefs_impl.h:398
#17 doActivate<false>(QObject*, int, void**)
    (sender=0x5651e9d668b0, signal_index=7, argv=0x7ffdefec4480) at kernel/qobject.cpp:3923
#18 0x00007efe4a6e84f1 in QtPrivate::QSlotObjectBase::call(QObject*, void**)
    (a=0x7ffdefec4550, r=<optimized out>, this=0x5651ea730ea0)
    at ../../include/QtCore/../../src/corelib/kernel/qobjectdefs_impl.h:398
#19 doActivate<false>(QObject*, int, void**)
    (sender=0x5651e9c901b0, signal_index=8, argv=0x7ffdefec4550) at kernel/qobject.cpp:3923
#20 0x00007efe4c1bd5f3 in KWin::DrmOutput::applyQueuedChanges(KWin::OutputConfiguration const&)
    (config=..., this=0x5651e9c901b0)
    at /usr/src/debug/kwin-5.27.3-2.fc38.x86_64/src/backends/drm/drm_output.cpp:426
#21 KWin::DrmOutput::applyQueuedChanges(KWin::OutputConfiguration const&)
    (this=0x5651e9c901b0, config=...)
    at /usr/src/debug/kwin-5.27.3-2.fc38.x86_64/src/backends/drm/drm_output.cpp:421
#22 0x00007efe4c1962c0 in KWin::DrmBackend::applyOutputChanges(KWin::OutputConfiguration const&)
    (this=<optimized out>, config=...)
    at /usr/src/debug/kwin-5.27.3-2.fc38.x86_64/src/backends/drm/drm_backend.cpp:496
#23 0x00007efe4c13ff5e in KWin::Workspace::applyOutputConfiguration(KWin::OutputConfiguration const&, QVector<KWin::Output*> const&) (this=0x5651e9cbfdc0, config=<optimized out>, outputOrder=...)
    at /usr/src/debug/kwin-5.27.3-2.fc38.x86_64/src/workspace.cpp:520
#24 0x00007efe4c21870d in KWaylandServer::OutputConfigurationV2Interface::kde_output_configuration_v2_apply(QtWaylandServer::kde_output_configuration_v2::Resource*)
    (this=0x7efe0c0042e0, resource=<optimized out>)
    at /usr/src/debug/kwin-5.27.3-2.fc38.x86_64/src/wayland/outputmanagement_v2_interface.cpp:308
#25 0x00007efe4777abe6 in ffi_call_unix64 () at ../src/x86/unix64.S:104
#26 0x00007efe477774bf in ffi_call_int
    (cif=cif@entry=0x7ffdefec4990, fn=<optimized out>, rvalue=<optimized out>, avalue=<optimized out>, closure=closure@entry=0x0) at ../src/x86/ffi64.c:673
#27 0x00007efe4777a18e in ffi_call
    (cif=cif@entry=0x7ffdefec4990, fn=<optimized out>, rvalue=rvalue@entry=0x0, avalue=avalue@entry=0x7ffdefec4a60) at ../src/x86/ffi64.c:710
#28 0x00007efe48dfc863 in wl_closure_invoke
    (closure=closure@entry=0x5651eadac080, target=<optimized out>, 
    target@entry=0x5651eadabda0, opcode=opcode@entry=5, data=<optimized out>, 
    data@entry=0x5651ea9cc7b0, flags=2) at ../src/connection.c:1025
#29 0x00007efe48e00fa4 in wl_client_connection_data
    (fd=<optimized out>, mask=<optimized out>, data=0x5651ea9cc7b0) at ../src/wayland-server.c:437
#30 0x00007efe48dff812 in wl_event_loop_dispatch (loop=0x5651e97bd840, timeout=<optimized out>)
    at ../src/event-loop.c:1027
#31 0x00007efe4c1f8279 in KWaylandServer::Display::dispatchEvents() (this=<optimized out>)
    at /usr/src/debug/kwin-5.27.3-2.fc38.x86_64/src/wayland/display.cpp:114
#32 0x00007efe4a6e84f1 in QtPrivate::QSlotObjectBase::call(QObject*, void**)
    (a=0x7ffdefec5090, r=<optimized out>, this=0x5651e9ef1270)
    at ../../include/QtCore/../../src/corelib/kernel/qobjectdefs_impl.h:398
#33 doActivate<false>(QObject*, int, void**)
    (sender=0x5651e9ebd8f0, signal_index=3, argv=0x7ffdefec5090) at kernel/qobject.cpp:3923
#34 0x00007efe4a6e3377 in QMetaObject::activate(QObject*, QMetaObject const*, int, void**)
    (sender=sender@entry=0x5651e9ebd8f0, m=m@entry=0x7efe4a967420 <QSocketNotifier::staticMetaObject>, local_signal_index=local_signal_index@entry=0, argv=argv@entry=0x7ffdefec5090)
    at kernel/qobject.cpp:3983
#35 0x00007efe4a6eaefd in QSocketNotifier::activated(QSocketDescriptor, QSocketNotifier::Type, QSocketNotifier::QPrivateSignal) (this=this@entry=0x5651e9ebd8f0, _t1=..., _t2=<optimized out>, _t3=...)
    at .moc/moc_qsocketnotifier.cpp:178
#36 0x00007efe4a6eb76b in QSocketNotifier::event(QEvent*) (this=0x5651e9ebd8f0, e=<optimized out>)
    at kernel/qsocketnotifier.cpp:302
#37 0x00007efe49daeca5 in QApplicationPrivate::notify_helper(QObject*, QEvent*)
    (this=<optimized out>, receiver=0x5651e9ebd8f0, e=0x7ffdefec51a0) at kernel/qapplication.cpp:3640
#38 0x00007efe4a6b3bd8 in QCoreApplication::notifyInternal2(QObject*, QEvent*)
    (receiver=0x5651e9ebd8f0, event=0x7ffdefec51a0) at kernel/qcoreapplication.cpp:1064
#39 0x00007efe4a6b3df2 in QCoreApplication::sendEvent(QObject*, QEvent*)
    (receiver=<optimized out>, event=<optimized out>) at kernel/qcoreapplication.cpp:1462
#40 0x00007efe4a70385f in QEventDispatcherUNIXPrivate::activateSocketNotifiers()
    (this=this@entry=0x5651e97891b0) at kernel/qeventdispatcher_unix.cpp:304
#41 0x00007efe4a703be0 in QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)
    (this=<optimized out>, flags=...) at kernel/qeventdispatcher_unix.cpp:511
#42 0x00005651e88501e2 in QUnixEventDispatcherQPA::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
#43 0x00007efe4a6b25ab in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>)
    (this=this@entry=0x7ffdefec5340, flags=..., flags@entry=...)
    at ../../include/QtCore/../../src/corelib/global/qflags.h:69
#44 0x00007efe4a6ba82b in QCoreApplication::exec() ()
    at ../../include/QtCore/../../src/corelib/global/qflags.h:121
#45 0x00007efe4ab5f61d in QGuiApplication::exec() () at kernel/qguiapplication.cpp:1863
#46 0x00007efe49daec19 in QApplication::exec() () at kernel/qapplication.cpp:2832
#47 0x00005651e876ad44 in main(int, char**) (argc=<optimized out>, argv=<optimized out>)
    at /usr/src/debug/kwin-5.27.3-2.fc38.x86_64/src/main_wayland.cpp:628

dst=0x4 was incremented and used as a pointer. vertices pointed to an address that had a null value and was incremented and used as a pointer.

(gdb) p vertices
$1 = (const float *) 0x7ffdefec3e58
(gdb) p *vertices
$2 = 0
(gdb) x 0x7ffdefec3e58
0x7ffdefec3e58: 0x00000000
(gdb) p dst
$3 = (float *) 0x4
(gdb) p *dst
Cannot access memory at address 0x4

I'm attaching the full trace of all threads. The problem happened 1/5 times when I moved the cursor to the top-left of the splash screen and might involve a race condition. The journal showed that other KDE programs failed after the kwin_wayland crash and Plasma was automatically restarted.

STEPS TO REPRODUCE
1. Boot a Fedora 38 KDE Plasma installation updated to 2023-3-28 with updates-testing repo enabled
2. Log in to Plasma 5.27.3 on Wayland from sddm on Wayland
3. Move the cursor to the top-left of the screen when the splash screen is shown
4. If the problem didn't happen, log out of Plasma and repeat steps 2-3 until it does

OBSERVED RESULT
kwin_wayland crashed in KWin::GLVertexBufferPrivate::interleaveArrays when the cursor was moved to the top-left of the splash screen

EXPECTED RESULT
No crash would happen.

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: Fedora 38
(available in About System)
KDE Plasma Version: 5.27.3
KDE Frameworks Version: 5.104.0
Qt Version: 5.15.8

ADDITIONAL INFORMATION
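The write in frame #0, `*(dst++) = *(vertices++)`, faults because dst is 0x4, an address that cannot belong to a valid mapped buffer. The C example below is added by the editor and is not KWin's code: it models a vertex buffer whose CPU mapping can fail, keeps the same unchecked interleaving loop as the crash site, and adds a setData-style wrapper that refuses to copy when the mapping is missing or too small. The struct, function names and sample arrays are constructed assumptions.

```c
#include <stddef.h>

/* Hypothetical vertex buffer: storage is NULL until mapped, standing in for a
 * GPU buffer whose mapping can fail. Illustrative code, not KWin's. */
typedef struct {
    float *storage;   /* NULL when the buffer could not be mapped */
    size_t capacity;  /* number of floats storage can hold */
} vertex_buffer;

/* Interleave count vertices of dim floats, each followed by a 2-float
 * texcoord, into dst. Same copy pattern as the crash site: it trusts dst. */
static void interleave_arrays(float *dst, size_t count, const float *texcoords,
                              const float *vertices, size_t dim)
{
    for (size_t i = 0; i < count; i++) {
        for (size_t d = 0; d < dim; d++)
            *dst++ = *vertices++;
        *dst++ = *texcoords++;
        *dst++ = *texcoords++;
    }
}

/* Hardened setData: validate the mapping and the required size before the
 * unchecked loop runs. Returns floats written, or 0 if the call was refused. */
static size_t set_data_checked(vertex_buffer *vb, size_t count, size_t dim,
                               const float *vertices, const float *texcoords)
{
    if (vb == NULL || vb->storage == NULL)                 /* mapping failed */
        return 0;
    if (vertices == NULL || texcoords == NULL || dim == 0) /* bad inputs */
        return 0;
    size_t per_vertex = dim + 2;
    if (count > vb->capacity / per_vertex)                 /* would overrun */
        return 0;
    interleave_arrays(vb->storage, count, texcoords, vertices, dim);
    return count * per_vertex;
}
```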
Comment 1 David Edmundson 2024-05-29 10:32:27 UTC
This bug is a crash report that is over a year old without any activity. As our software is always changing, the information in this ticket is unlikely to still be useful.

If this issue is still reproducible in a newer version of kwin (5.27.5 or 6.0) please reopen this ticket with a bumped version number or it will be closed in 30 days.

Comment 2 Matt Fagnani 2024-06-01 18:25:20 UTC
I tried to reproduce this problem in 6.0.5 several times. The crash didn't happen, but that might just be because it was infrequent. I haven't tested this with 5.27.11, which might still be affected.

Comment 3 Nate Graham 2024-06-12 13:01:50 UTC
Let's close this for now and re-open if it happens again.