Bug 489764

Summary:	kwin_wayland crashed in convert_ubyte_rgba_to_bgra when clicking on Konsole's icon in the task manager such that the wallpaper was shown
Product:	[Plasma] kwin	Reporter:	Matt Fagnani <matt.fagnani>
Component:	generic-crash	Assignee:	KWin default assignee <kwin-bugs-null>
Status:	RESOLVED FIXED
Severity:	crash	CC:	agurenko, nate
Priority:	HI	Keywords:	qt6
Version First Reported In:	6.1.1
Target Milestone:	---
Platform:	Fedora RPMs
OS:	Linux
Latest Commit:	https://invent.kde.org/plasma/kwin/-/commit/e72f88042873db7b4d98065fc14f1e3eb5a2189e	Version Fixed/Implemented In:	6.1.3
Sentry Crash Report:

Description Matt Fagnani 2024-07-05 03:39:58 UTC

SUMMARY

I booted the Fedora Rawhide KDE live image Fedora-KDE-Live-x86_64-Rawhide-20240704.n.0.iso in a QEMU/KVM VM in GNOME Boxes with 3D acceleration enabled using the virgl driver from mesa 24.1.2 and virtio-gpu from the 6.10.0-0.rc6.20240703gite9d22f7a6655.53.fc41 kernel. Plasma 6.1.1 on Wayland started. I started Konsole. I ran sudo dnf upgrade https://kojipkgs.fedoraproject.org//packages/selinux-policy/41.7/1.fc41/noarch/selinux-policy-41.7-1.fc41.noarch.rpm https://kojipkgs.fedoraproject.org//packages/selinux-policy/41.7/1.fc41/noarch/selinux-policy-targeted-41.7-1.fc41.noarch.rpm The upgrade took a few minutes because the selinux-policy-targeted-41.7-1.fc41 post-install scriptlet looked like it was relabelling the / filesystem with restorecon. I might've run journalctl --no-host in another Konsole tab while the update was happening. The VM's screen went black. drkonqi appeared. I clicked Developer information. I selected to automatically download debug info in drkonqi and reloaded. The debuginfod data filled the 1.7 GB / partition completely so I deleted it. I installed the kwin, mesa, qt6-qtbase debug info packages manually. I unselected to automatically load the debug info and reloaded the trace, but drkonqi showed the debuginfod file downloads and the / partition ran out of space again. I closed drkonqi. gdb crashed and the kwin_wayland core dump was automatically removed. coredumpctl info showed that kwin_wayland 6.1.1.2 crashed in convert_ubyte_rgba_to_bgra in virtio_gpu_dri.so likely in virgl in mesa. The trace seems to involve the virgl driver converting a texture image from rgba to bgra, so the problem might be in mesa.

Stack trace of thread 1802:
                #0  0x00007fd161abee21 convert_ubyte_rgba_to_bgra (virtio_gpu_dri.so + 0x2bee21)
                #1  0x00007fd161b6f144 _mesa_GetTexSubImage_sw (virtio_gpu_dri.so + 0x36f144)
                #2  0x00007fd161901a6c st_GetTexSubImage (virtio_gpu_dri.so + 0x101a6c)
                #3  0x00007fd161b6e4e9 get_texture_image.isra.0 (virtio_gpu_dri.so + 0x36e4e9)
                #4  0x00007fd161b6e6ba _get_texture_image (virtio_gpu_dri.so + 0x36e6ba)
                #5  0x00007fd161b6fc36 _mesa_GetTexImage (virtio_gpu_dri.so + 0x36fc36)
                #6  0x00007fd168c456a0 _ZN4KWinL13doGrabTextureEPNS_9GLTextureEP6QImage (screencast.so + 0xe6a0)
                #7  0x00007fd168c4aa3a _ZN4KWinL11grabTextureEPNS_9GLTextureEP6QImage.lto_priv.1 (screencast.so + 0x13a3a)
                #8  0x00007fd168c52681 _ZN4KWin22WindowScreenCastSource6renderEP6QImage (screencast.so + 0x1b681)
                #9  0x00007fd168c51572 _ZN4KWin16ScreenCastStream11recordFrameERK7QRegion6QFlagsINS0_7ContentEE (screencast.so + 0x1a572)
                #10 0x00007fd17f9fc7f2 _Z10doActivateILb0EEvP7QObjectiPPv (libQt6Core.so.6 + 0x1fc7f2)
                #11 0x00007fd168c52138 _ZN9QtPrivate15QCallableObjectIZN4KWin22WindowScreenCastSourceC4EPNS1_6WindowEP7QObjectEUlvE_NS_4ListIJEEEvE4implEiPNS_15QSlotObjectBaseES6_PPvPb.lto_priv.0 (screencast.so + 0x1b138)
                #12 0x00007fd17f9fc7f2 _Z10doActivateILb0EEvP7QObjectiPPv (libQt6Core.so.6 + 0x1fc7f2)
                #13 0x00007fd17fa0bb3d _ZN6QTimer7timeoutENS_14QPrivateSignalE (libQt6Core.so.6 + 0x20bb3d)
                #14 0x00007fd17f9edc5f _ZN7QObject5eventEP6QEvent (libQt6Core.so.6 + 0x1edc5f)
                #15 0x00007fd180d8b218 _ZN19QApplicationPrivate13notify_helperEP7QObjectP6QEvent (libQt6Widgets.so.6 + 0x18b218)
                #16 0x00007fd17f996d48 _ZN16QCoreApplication15notifyInternal2EP7QObjectP6QEvent (libQt6Core.so.6 + 0x196d48)
                #17 0x00007fd17fb52947 _ZN14QTimerInfoList14activateTimersEv (libQt6Core.so.6 + 0x352947)
                #18 0x00007fd17fb56f1b _ZN20QEventDispatcherUNIX13processEventsE6QFlagsIN10QEventLoop17ProcessEventsFlagEE (libQt6Core.so.6 + 0x356f1b)
                #19 0x00007fd180763392 _ZN23QUnixEventDispatcherQPA13processEventsE6QFlagsIN10QEventLoop17ProcessEventsFlagEE (libQt6Gui.so.6 + 0x763392)
                #20 0x00007fd17f9a3a83 _ZN10QEventLoop4execE6QFlagsINS_17ProcessEventsFlagEE (libQt6Core.so.6 + 0x1a3a83)
                #21 0x00007fd17f99f93c _ZN16QCoreApplication4execEv (libQt6Core.so.6 + 0x19f93c)
                #22 0x000055d3e478d3d1 main (kwin_wayland + 0x473d1)
                #23 0x00007fd17f231248 __libc_start_call_main (libc.so.6 + 0x2a248)
                #24 0x00007fd17f23130b __libc_start_main@@GLIBC_2.34 (libc.so.6 + 0x2a30b)
                #25 0x000055d3e4793385 _start (kwin_wayland + 0x4d385)
                
                Stack trace of thread 1887:
                #0  0x00007fd17f29ad09 __futex_abstimed_wait_common (libc.so.6 + 0x93d09)
                #1  0x00007fd17f29ddb2 pthread_cond_clockwait@GLIBC_2.30 (libc.so.6 + 0x96db2)
                #2  0x00007fd182a2b9ce _ZNSt17_Function_handlerIFSt10unique_ptrINSt13__future_base12_Result_baseENS2_8_DeleterEEvENS1_12_Task_setterIS0_INS1_7_ResultIvEES3_ENSt6thread8_InvokerISt5tupleIJZN7QThread6createIZN4KWin15DrmCommitThreadC4EPNSF_6DrmGpuERK7QStringEUlvE_JEEEPSD_OT_DpOT0_EUlDpOT_E_EEEEvEEE9_M_invokeERKSt9_Any_data (libkwin.so.6 + 0x42b9ce)
                #3  0x00007fd182a20926 _ZNSt13__future_base13_State_baseV29_M_do_setEPSt8functionIFSt10unique_ptrINS_12_Result_baseENS3_8_DeleterEEvEEPb (libkwin.so.6 + 0x420926)
                #4  0x00007fd17f2a398b __pthread_once_slow.isra.0 (libc.so.6 + 0x9c98b)
                #5  0x00007fd17f2a39f9 pthread_once@GLIBC_2.2.5 (libc.so.6 + 0x9c9f9)
                #6  0x00007fd182a29083 _ZNSt13__future_base15_Deferred_stateINSt6thread8_InvokerISt5tupleIJZN7QThread6createIZN4KWin15DrmCommitThreadC4EPNS6_6DrmGpuERK7QStringEUlvE_JEEEPS4_OT_DpOT0_EUlDpOT_E_EEEEvE17_M_complete_asyncEv (libkwin.so.6 + 0x429083)
                #7  0x00007fd17fab8217 _ZN19QThreadCreateThread3runEv (libQt6Core.so.6 + 0x2b8217)
                #8  0x00007fd17fb54526 _ZN14QThreadPrivate5startEPv (libQt6Core.so.6 + 0x354526)
                #9  0x00007fd17f29e607 start_thread (libc.so.6 + 0x97607)
                #10 0x00007fd17f32260c __clone3 (libc.so.6 + 0x11b60c)
                
                Stack trace of thread 1876:
                #0  0x00007fd17f3148bd __poll (libc.so.6 + 0x10d8bd)
                #1  0x00007fd17e4a5eb4 g_main_context_iterate_unlocked.isra.0 (libglib-2.0.so.0 + 0xbeeb4)
                #2  0x00007fd17e4455c3 g_main_context_iteration (libglib-2.0.so.0 + 0x5e5c3)
                #3  0x00007fd17fc84f23 _ZN20QEventDispatcherGlib13processEventsE6QFlagsIN10QEventLoop17ProcessEventsFlagEE (libQt6Core.so.6 + 0x484f23)
                #4  0x00007fd17f9a3a83 _ZN10QEventLoop4execE6QFlagsINS_17ProcessEventsFlagEE (libQt6Core.so.6 + 0x1a3a83)
                #5  0x00007fd17fab7d4f _ZN7QThread4execEv (libQt6Core.so.6 + 0x2b7d4f)
                #6  0x00007fd180b6be41 _ZN22QDBusConnectionManager3runEv (libQt6DBus.so.6 + 0x3ce41)
                #7  0x00007fd17fb54526 _ZN14QThreadPrivate5startEPv (libQt6Core.so.6 + 0x354526)
                #8  0x00007fd17f29e607 start_thread (libc.so.6 + 0x97607)
                #9  0x00007fd17f32260c __clone3 (libc.so.6 + 0x11b60c)
                
                Stack trace of thread 1886:
                #0  0x00007fd17f3148bd __poll (libc.so.6 + 0x10d8bd)
                #1  0x00007fd17e4a5eb4 g_main_context_iterate_unlocked.isra.0 (libglib-2.0.so.0 + 0xbeeb4)
                #2  0x00007fd17e4455c3 g_main_context_iteration (libglib-2.0.so.0 + 0x5e5c3)
                #3  0x00007fd17fc84f23 _ZN20QEventDispatcherGlib13processEventsE6QFlagsIN10QEventLoop17ProcessEventsFlagEE (libQt6Core.so.6 + 0x484f23)
                #4  0x00007fd17f9a3a83 _ZN10QEventLoop4execE6QFlagsINS_17ProcessEventsFlagEE (libQt6Core.so.6 + 0x1a3a83)
                #5  0x00007fd17fab7d4f _ZN7QThread4execEv (libQt6Core.so.6 + 0x2b7d4f)
                #6  0x00007fd17fb54526 _ZN14QThreadPrivate5startEPv (libQt6Core.so.6 + 0x354526)
                #7  0x00007fd17f29e607 start_thread (libc.so.6 + 0x97607)
                #8  0x00007fd17f32260c __clone3 (libc.so.6 + 0x11b60c)
                
                Stack trace of thread 5310:
                #0  0x00007fd17f29ad09 __futex_abstimed_wait_common (libc.so.6 + 0x93d09)
                #1  0x00007fd17f29daa2 pthread_cond_timedwait@@GLIBC_2.3.2 (libc.so.6 + 0x96aa2)
                #2  0x00007fd17fb60d7d _ZN14QWaitCondition4waitEP6QMutex14QDeadlineTimer (libQt6Core.so.6 + 0x360d7d)
                #3  0x00007fd17fb5db45 _ZN17QThreadPoolThread3runEv (libQt6Core.so.6 + 0x35db45)
                #4  0x00007fd17fb54526 _ZN14QThreadPrivate5startEPv (libQt6Core.so.6 + 0x354526)
                #5  0x00007fd17f29e607 start_thread (libc.so.6 + 0x97607)
                #6  0x00007fd17f32260c __clone3 (libc.so.6 + 0x11b60c)
                
                Stack trace of thread 5311:
                #0  0x00007fd17f29ad09 __futex_abstimed_wait_common (libc.so.6 + 0x93d09)
                #1  0x00007fd17f29daa2 pthread_cond_timedwait@@GLIBC_2.3.2 (libc.so.6 + 0x96aa2)
                #2  0x00007fd17fb60d7d _ZN14QWaitCondition4waitEP6QMutex14QDeadlineTimer (libQt6Core.so.6 + 0x360d7d)
                #3  0x00007fd17fb5db45 _ZN17QThreadPoolThread3runEv (libQt6Core.so.6 + 0x35db45)
                #4  0x00007fd17fb54526 _ZN14QThreadPrivate5startEPv (libQt6Core.so.6 + 0x354526)
                #5  0x00007fd17f29e607 start_thread (libc.so.6 + 0x97607)
                #6  0x00007fd17f32260c __clone3 (libc.so.6 + 0x11b60c)
                
                Stack trace of thread 5312:
                #0  0x00007fd17f29ad09 __futex_abstimed_wait_common (libc.so.6 + 0x93d09)
                #1  0x00007fd17f29daa2 pthread_cond_timedwait@@GLIBC_2.3.2 (libc.so.6 + 0x96aa2)
                #2  0x00007fd17fb60d7d _ZN14QWaitCondition4waitEP6QMutex14QDeadlineTimer (libQt6Core.so.6 + 0x360d7d)
                #3  0x00007fd17fb5db45 _ZN17QThreadPoolThread3runEv (libQt6Core.so.6 + 0x35db45)
                #4  0x00007fd17fb54526 _ZN14QThreadPrivate5startEPv (libQt6Core.so.6 + 0x354526)
                #5  0x00007fd17f29e607 start_thread (libc.so.6 + 0x97607)
                #6  0x00007fd17f32260c __clone3 (libc.so.6 + 0x11b60c)
                
                Stack trace of thread 5309:
                #0  0x00007fd17f29ad09 __futex_abstimed_wait_common (libc.so.6 + 0x93d09)
                #1  0x00007fd17f29daa2 pthread_cond_timedwait@@GLIBC_2.3.2 (libc.so.6 + 0x96aa2)
                #2  0x00007fd17fb60d7d _ZN14QWaitCondition4waitEP6QMutex14QDeadlineTimer (libQt6Core.so.6 + 0x360d7d)
                #3  0x00007fd17fb5db45 _ZN17QThreadPoolThread3runEv (libQt6Core.so.6 + 0x35db45)
                #4  0x00007fd17fb54526 _ZN14QThreadPrivate5startEPv (libQt6Core.so.6 + 0x354526)
                #5  0x00007fd17f29e607 start_thread (libc.so.6 + 0x97607)
                #6  0x00007fd17f32260c __clone3 (libc.so.6 + 0x11b60c)
                
                Stack trace of thread 1883:
                #0  0x00007fd17f3148bd __poll (libc.so.6 + 0x10d8bd)
                #1  0x00007fd17e4a5eb4 g_main_context_iterate_unlocked.isra.0 (libglib-2.0.so.0 + 0xbeeb4)
                #2  0x00007fd17e4455c3 g_main_context_iteration (libglib-2.0.so.0 + 0x5e5c3)
                #3  0x00007fd17fc84f23 _ZN20QEventDispatcherGlib13processEventsE6QFlagsIN10QEventLoop17ProcessEventsFlagEE (libQt6Core.so.6 + 0x484f23)
                #4  0x00007fd17f9a3a83 _ZN10QEventLoop4execE6QFlagsINS_17ProcessEventsFlagEE (libQt6Core.so.6 + 0x1a3a83)
                #5  0x00007fd17fab7d4f _ZN7QThread4execEv (libQt6Core.so.6 + 0x2b7d4f)
                #6  0x00007fd17fb54526 _ZN14QThreadPrivate5startEPv (libQt6Core.so.6 + 0x354526)
                #7  0x00007fd17f29e607 start_thread (libc.so.6 + 0x97607)
                #8  0x00007fd17f32260c __clone3 (libc.so.6 + 0x11b60c)
                
                Stack trace of thread 1882:
                #0  0x00007fd17f29ad09 __futex_abstimed_wait_common (libc.so.6 + 0x93d09)
                #1  0x00007fd17f29d739 pthread_cond_wait@@GLIBC_2.3.2 (libc.so.6 + 0x96739)
                #2  0x00007fd1618a7cfd cnd_wait (virtio_gpu_dri.so + 0xa7cfd)
                #3  0x00007fd161884acb util_queue_thread_func (virtio_gpu_dri.so + 0x84acb)
                #4  0x00007fd1618a7c2c impl_thrd_routine (virtio_gpu_dri.so + 0xa7c2c)
                #5  0x00007fd17f29e607 start_thread (libc.so.6 + 0x97607)
                #6  0x00007fd17f32260c __clone3 (libc.so.6 + 0x11b60c)
                ELF object binary architecture: AMD x86-64

I tried to reproduce the problem but it didn't happen. I'll try again to get a trace with debug info.

STEPS TO REPRODUCE
1. boot the Fedora Rawhide KDE live image Fedora-KDE-Live-x86_64-Rawhide-20240704.n.0.iso https://koji.fedoraproject.org/koji/buildinfo?buildID=2482412 in a QEMU/KVM VM in GNOME Boxes with 3D acceleration enabled in a Fedora 40 KDE installation
2. start Konsole
3. Run sudo dnf upgrade https://kojipkgs.fedoraproject.org//packages/selinux-policy/41.7/1.fc41/noarch/selinux-policy-41.7-1.fc41.noarch.rpm https://kojipkgs.fedoraproject.org//packages/selinux-policy/41.7/1.fc41/noarch/selinux-policy-targeted-41.7-1.fc41.noarch.rpm 
4. Open a new Konsole tab
5. run journalctl --no-host in the second Konsole tab and scroll up and down the journal
6. If the problem didn't happen, repeat 1-5 until it does. I don't know which of 2-5 are related to the problem, if any.

OBSERVED RESULT
kwin_wayland crashed in convert_ubyte_rgba_to_bgra

EXPECTED RESULT
kwin shouldn't crash

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: Fedora Rawhide/41
(available in About System)
KDE Plasma Version: 6.1.1
KDE Frameworks Version: 6.3.0
Qt Version: 6.7.2

ADDITIONAL INFORMATION

Comment 1 Matt Fagnani 2024-07-05 21:20:41 UTC

I reproduced this problem four times. I started as I described. When I clicked on the Konsole icon in the task manager and Konsole disappeared and the wallpaper was shown, kwin_wayland crashed sometimes with the kind of trace I reported. Clicking on the Konsole icon about 12 times was the most it took for the crash to happen. The following is the trace from coredumpctl gdb with debuginfo packages installed manually.

Core was generated by `/usr/bin/kwin_wayland --wayland-fd 7 --socket wayland-0 --xwayland-fd 8 --xwayl'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007fd5ec8bee21 in convert_ubyte_rgba_to_bgra (width=<optimized out>, height=<optimized out>, src=<optimized out>, src_stride=5464, dst=<optimized out>, 
    dst_stride=5464) at ../src/mesa/main/format_utils.c:219
219                         ((s[i] &       0xff000000ff) << 16) |
[Current thread is 1 (Thread 0x7fd6067fbb40 (LWP 1782))]

(gdb) bt
#0  0x00007fd5ec8bee21 in convert_ubyte_rgba_to_bgra (width=<optimized out>, height=<optimized out>, src=<optimized out>, src_stride=5464, dst=<optimized out>, 
    dst_stride=5464) at ../src/mesa/main/format_utils.c:219
#1  0x00007fd5ec96f144 in get_tex_rgba_uncompressed (ctx=<optimized out>, dimensions=<optimized out>, xoffset=<optimized out>, yoffset=<optimized out>, 
    zoffset=<optimized out>, width=1366, height=608, depth=<optimized out>, format=<optimized out>, type=<optimized out>, pixels=<optimized out>, 
    texImage=<optimized out>, transferOps=<optimized out>) at ../src/mesa/main/texgetimage.c:549
#2  get_tex_rgba (ctx=<optimized out>, dimensions=<optimized out>, xoffset=<optimized out>, yoffset=<optimized out>, zoffset=<optimized out>, width=1366, height=608, 
    depth=<optimized out>, format=<optimized out>, type=<optimized out>, pixels=<optimized out>, texImage=<optimized out>) at ../src/mesa/main/texgetimage.c:605
#3  _mesa_GetTexSubImage_sw (ctx=ctx@entry=0x7fd5e0176010, xoffset=xoffset@entry=0, yoffset=<optimized out>, yoffset@entry=0, zoffset=<optimized out>, 
    zoffset@entry=0, width=width@entry=1366, height=<optimized out>, height@entry=608, depth=<optimized out>, format=<optimized out>, type=<optimized out>, 
    pixels=<optimized out>, texImage=<optimized out>) at ../src/mesa/main/texgetimage.c:760
#4  0x00007fd5ec701a6c in st_GetTexSubImage (ctx=ctx@entry=0x7fd5e0176010, xoffset=xoffset@entry=0, yoffset=yoffset@entry=0, zoffset=zoffset@entry=0, 
    width=width@entry=1366, height=height@entry=608, depth=1, format=32993, type=5121, pixels=0x7fd5b6fc2000, texImage=0x55e77350f920)
    at ../src/mesa/state_tracker/st_cb_texture.c:2733
#5  0x00007fd5ec96e4e9 in get_texture_image (ctx=0x7fd5e0176010, texObj=0x55e773616b20, target=<optimized out>, level=<optimized out>, xoffset=<optimized out>, 
    yoffset=<optimized out>, zoffset=<optimized out>, width=<optimized out>, height=<optimized out>, depth=<optimized out>, format=<optimized out>, 
    type=<optimized out>, pixels=<optimized out>, caller=<optimized out>) at ../src/mesa/main/texgetimage.c:1441
#6  0x00007fd5ec96e6ba in _get_texture_image (ctx=0x7fd5e0176010, texObj=0x55e773616b20, texObj@entry=0x0, target=3553, level=0, format=32993, type=5121, 
    bufSize=2147483647, pixels=0x7fd5b6fc2000, caller=0x7fd5ede88637 "glGetTexImage") at ../src/mesa/main/texgetimage.c:1479
#7  0x00007fd5ec96fc36 in _mesa_GetTexImage (target=<optimized out>, level=<optimized out>, format=<optimized out>, type=<optimized out>, pixels=<optimized out>)
    at ../src/mesa/main/texgetimage.c:1514
#8  0x00007fd5e7fc06a0 in KWin::doGrabTexture (texture=texture@entry=0x55e773619fd0, target=target@entry=0x55e7734ef1e8)
    at /usr/src/debug/kwin-6.1.1.2-1.fc41.x86_64/src/plugins/screencast/screencastutils.h:65
#9  0x00007fd5e7fc5a3a in KWin::grabTexture (texture=0x55e773619fd0, target=0x55e7734ef1e8)
    at /usr/src/debug/kwin-6.1.1.2-1.fc41.x86_64/src/plugins/screencast/screencastutils.h:81
#10 0x00007fd5e7fcd681 in KWin::WindowScreenCastSource::render (this=this@entry=0x55e7735fe840, target=0x55e7734ef1e8) at /usr/include/c++/14/bits/unique_ptr.h:193
#11 0x00007fd5e7fcc572 in KWin::ScreenCastStream::recordFrame (this=0x55e7734ddd40, damage=..., contents=...)
    at /usr/src/debug/kwin-6.1.1.2-1.fc41.x86_64/src/plugins/screencast/screencaststream.cpp:523
#12 0x00007fd6043fc7f2 in QtPrivate::QSlotObjectBase::call (this=0x55e7734bb480, r=<optimized out>, a=0x7fff38bc1c10)
--Type <RET> for more, q to quit, c to continue without paging--c
    at /usr/src/debug/qt6-qtbase-6.7.2-2.fc41.x86_64/src/corelib/kernel/qobjectdefs_impl.h:469
#13 doActivate<false> (sender=0x55e7735fe840, signal_index=3, argv=0x7fff38bc1c10)
    at /usr/src/debug/qt6-qtbase-6.7.2-2.fc41.x86_64/src/corelib/kernel/qobject.cpp:4086
#14 0x00007fd6043f2ac7 in QMetaObject::activate (sender=sender@entry=0x55e7735fe840, m=<optimized out>, local_signal_index=local_signal_index@entry=0, 
    argv=argv@entry=0x7fff38bc1c10) at /usr/src/debug/qt6-qtbase-6.7.2-2.fc41.x86_64/src/corelib/kernel/qobject.cpp:4146
#15 0x00007fd5e7fcd138 in KWin::ScreenCastSource::frame (this=0x55e7735fe840, _t1=...)
    at /usr/src/debug/kwin-6.1.1.2-1.fc41.x86_64/redhat-linux-build/src/plugins/screencast/screencast_autogen/include/moc_screencastsource.cpp:154
#16 operator() (__closure=<optimized out>) at /usr/src/debug/kwin-6.1.1.2-1.fc41.x86_64/src/plugins/screencast/windowscreencastsource.cpp:33
#17 QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, KWin::WindowScreenCastSource::WindowScreenCastSource(KWin::Window*, QObject*)::<lambda()> >::call (f=..., arg=<optimized out>) at /usr/include/qt6/QtCore/qobjectdefs_impl.h:137
#18 QtPrivate::FunctorCallable<KWin::WindowScreenCastSource::WindowScreenCastSource(KWin::Window*, QObject*)::<lambda()> >::call<QtPrivate::List<>, void> (f=..., 
    arg=<optimized out>) at /usr/include/qt6/QtCore/qobjectdefs_impl.h:345
#19 QtPrivate::QCallableObject<KWin::WindowScreenCastSource::WindowScreenCastSource(KWin::Window*, QObject*)::<lambda()>, QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase *, QObject *, void **, bool *) (which=<optimized out>, this_=<optimized out>, r=<optimized out>, a=<optimized out>, ret=<optimized out>)
    at /usr/include/qt6/QtCore/qobjectdefs_impl.h:555
#20 0x00007fd6043fc7f2 in QtPrivate::QSlotObjectBase::call (this=0x55e772cceb00, r=<optimized out>, a=0x7fff38bc1d40)
    at /usr/src/debug/qt6-qtbase-6.7.2-2.fc41.x86_64/src/corelib/kernel/qobjectdefs_impl.h:469
#21 doActivate<false> (sender=0x55e7735fe860, signal_index=3, argv=0x7fff38bc1d40)
    at /usr/src/debug/qt6-qtbase-6.7.2-2.fc41.x86_64/src/corelib/kernel/qobject.cpp:4086
#22 0x00007fd6043f2ac7 in QMetaObject::activate (sender=<optimized out>, m=m@entry=0x7fd60488b080, local_signal_index=local_signal_index@entry=0, 
    argv=argv@entry=0x7fff38bc1d40) at /usr/src/debug/qt6-qtbase-6.7.2-2.fc41.x86_64/src/corelib/kernel/qobject.cpp:4146
#23 0x00007fd60440bb3d in QTimer::timeout (this=<optimized out>, _t1=...)
    at /usr/src/debug/qt6-qtbase-6.7.2-2.fc41.x86_64/redhat-linux-build/src/corelib/Core_autogen/include/moc_qtimer.cpp:224
#24 0x00007fd6043edc5f in QObject::event (this=0x55e7735fe860, e=0x7fff38bc1ef0) at /usr/src/debug/qt6-qtbase-6.7.2-2.fc41.x86_64/src/corelib/kernel/qobject.cpp:1482
#25 0x00007fd60598b218 in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /lib64/libQt6Widgets.so.6
#26 0x00007fd604396d48 in QCoreApplication::notifyInternal2 (receiver=0x55e7735fe860, event=0x7fff38bc1ef0)
    at /usr/src/debug/qt6-qtbase-6.7.2-2.fc41.x86_64/src/corelib/kernel/qcoreapplication.cpp:1142
#27 0x00007fd604396fad in QCoreApplication::sendEvent (receiver=<optimized out>, event=<optimized out>)
    at /usr/src/debug/qt6-qtbase-6.7.2-2.fc41.x86_64/src/corelib/kernel/qcoreapplication.cpp:1583
#28 0x00007fd604552947 in QTimerInfoList::activateTimers (this=this@entry=0x55e771e9c4c8)
    at /usr/src/debug/qt6-qtbase-6.7.2-2.fc41.x86_64/src/corelib/kernel/qtimerinfo_unix.cpp:434
#29 0x00007fd604554cc0 in QEventDispatcherUNIXPrivate::activateTimers (this=this@entry=0x55e771e9c3f0)
    at /usr/src/debug/qt6-qtbase-6.7.2-2.fc41.x86_64/src/corelib/kernel/qeventdispatcher_unix.cpp:196
#30 0x00007fd604556f1b in QEventDispatcherUNIX::processEvents (this=<optimized out>, flags=...)
    at /usr/src/debug/qt6-qtbase-6.7.2-2.fc41.x86_64/src/corelib/kernel/qeventdispatcher_unix.cpp:472
#31 0x00007fd605163392 in QUnixEventDispatcherQPA::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /lib64/libQt6Gui.so.6
#32 0x00007fd6043a3a83 in QEventLoop::exec (this=this@entry=0x7fff38bc20c0, flags=..., flags@entry=...)
    at /usr/src/debug/qt6-qtbase-6.7.2-2.fc41.x86_64/src/corelib/global/qflags.h:34
#33 0x00007fd60439f93c in QCoreApplication::exec () at /usr/src/debug/qt6-qtbase-6.7.2-2.fc41.x86_64/src/corelib/global/qflags.h:74
#34 0x000055e74363f3d1 in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/kwin-6.1.1.2-1.fc41.x86_64/src/main_wayland.cpp:641

There might be a race condition. The texture image in the trace might be the wallpaper as the crash seemed to happen when clicking on the Konsole icon when Konsole was shown so that it disappeared and the wallpaper was shown, but not vice versa.

Comment 2 Matt Fagnani 2024-07-06 14:28:06 UTC

I saw this type of crash when clicking on Konsole and Dolphin's icons in the task manager as they were running and the wallpaper was shown and disappeared so that those programs were shown, so the wallpaper might not be the image being processed in the trace. The texture image might be related to the animation of the window expanding or shrinking when the program was maximized or minimized in front of the wallpaper. I didn't see the problem when clicking on the task manager icons of one of two maximized programs, and that animation didn't appear when I did so. I didn't notice this problem with the radeonsi and amdgpu drivers on bare metal and llvmpipe and virtio-gpu drivers in VMs, so the problem might be specific to virgl. 

I reproduced the program in nested kwin_wayland under valgrind by clicking on the Konsole icon in the task manager a few times. There were many conditional jumps or moves depending on uninitialized values involving kwin and mesa which might have resulted in undefined behaviour and memory corruption. An invalid read in convert_ubyte_rgba_to_bgra (format_utils.c:219) with an access not within the mapped region at address 0x3BDEC000 was where the segmentation fault happened.

==5466== Memcheck, a memory error detector
==5466== Copyright (C) 2002-2024, and GNU GPL'd, by Julian Seward et al.
==5466== Using Valgrind-3.23.0 and LibVEX; rerun with -h for copyright info
==5466== Command: kwin_wayland --exit-with-session=plasmashell
==5466== Parent PID: 5037
==5466== 
==5466== Syscall param waitid(infop) points to unaddressable byte(s)
==5466==    at 0x81723DD: syscall (in /usr/lib64/libc.so.6)
==5466==    by 0x7A64692: ??? (in /usr/lib64/libQt6Core.so.6.7.2)
==5466==    by 0x7A44DE0: ??? (in /usr/lib64/libQt6Core.so.6.7.2)
==5466==    by 0x4D04209: KWin::InputMethod::startInputMethod() (inputmethod.cpp:914)
==5466==    by 0x4D043AF: KWin::InputMethod::setInputMethodCommand(QString const&) (inputmethod.cpp:857)
==5466==    by 0x15DEAF: UnknownInlinedFun (main_wayland.cpp:192)
==5466==    by 0x15DEAF: KWin::ApplicationWayland::refreshSettings(KConfigGroup const&, QList<QByteArray> const&) (main_wayland.cpp:188)
==5466==    by 0x15E19C: UnknownInlinedFun (main_wayland.cpp:205)
==5466==    by 0x15E19C: KWin::ApplicationWayland::continueStartupWithScene() (main_wayland.cpp:184)
==5466==    by 0x78657F1: ??? (in /usr/lib64/libQt6Core.so.6.7.2)
==5466==    by 0x4C4C857: KWin::WaylandCompositor::start() (compositor_wayland.cpp:196)
==5466==    by 0x7856CCA: QObject::event(QEvent*) (in /usr/lib64/libQt6Core.so.6.7.2)
==5466==    by 0x644B217: QApplicationPrivate::notify_helper(QObject*, QEvent*) (in /usr/lib64/libQt6Widgets.so.6.7.2)
==5466==    by 0x77FFD47: QCoreApplication::notifyInternal2(QObject*, QEvent*) (in /usr/lib64/libQt6Core.so.6.7.2)
==5466==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==5466== 
==5466== Conditional jump or move depends on uninitialised value(s)
==5466==    at 0x180FF9: UnknownInlinedFun (qnumeric.h:328)
==5466==    by 0x180FF9: UnknownInlinedFun (qnumeric.h:371)
==5466==    by 0x180FF9: KWin::ContrastEffect::colorMatrix(double, double, double) (contrast.cpp:246)
==5466==    by 0x183F63: KWin::ContrastEffect::updateContrastRegion(KWin::EffectWindow*) (contrast.cpp:147)
==5466==    by 0x78657F1: ??? (in /usr/lib64/libQt6Core.so.6.7.2)
==5466==    by 0x4FA52E4: KWin::SurfaceInterfacePrivate::applyState(KWin::SurfaceState*) (surface.cpp:692)
==5466==    by 0x4FD0012: KWin::Transaction::apply() (transaction.cpp:229)
==5466==    by 0x4FD0170: KWin::Transaction::tryApply() (transaction.cpp:262)
==5466==    by 0x4FD0808: KWin::Transaction::commit() (transaction.cpp:296)
==5466==    by 0x4FA8D50: KWin::SurfaceInterfacePrivate::surface_commit(QtWaylandServer::wl_surface::Resource*) (surface.cpp:379)
==5466==    by 0xA317055: ??? (in /usr/lib64/libffi.so.8.1.4)
==5466==    by 0xA31368C: ??? (in /usr/lib64/libffi.so.8.1.4)
==5466==    by 0xA3164DD: ffi_call (in /usr/lib64/libffi.so.8.1.4)
==5466==    by 0x8664B22: ??? (in /usr/lib64/libwayland-server.so.0.23.0)
==5466== 
==5466== Conditional jump or move depends on uninitialised value(s)
==5466==    at 0x1814B6: UnknownInlinedFun (qnumeric.h:328)
==5466==    by 0x1814B6: UnknownInlinedFun (qnumeric.h:371)
==5466==    by 0x1814B6: KWin::ContrastEffect::colorMatrix(double, double, double) (contrast.cpp:246)
==5466==    by 0x183F63: KWin::ContrastEffect::updateContrastRegion(KWin::EffectWindow*) (contrast.cpp:147)
==5466==    by 0x78657F1: ??? (in /usr/lib64/libQt6Core.so.6.7.2)
==5466==    by 0x4FA52E4: KWin::SurfaceInterfacePrivate::applyState(KWin::SurfaceState*) (surface.cpp:692)
==5466==    by 0x4FD0012: KWin::Transaction::apply() (transaction.cpp:229)
==5466==    by 0x4FD0170: KWin::Transaction::tryApply() (transaction.cpp:262)
==5466==    by 0x4FD0808: KWin::Transaction::commit() (transaction.cpp:296)
==5466==    by 0x4FA8D50: KWin::SurfaceInterfacePrivate::surface_commit(QtWaylandServer::wl_surface::Resource*) (surface.cpp:379)
==5466==    by 0xA317055: ??? (in /usr/lib64/libffi.so.8.1.4)
==5466==    by 0xA31368C: ??? (in /usr/lib64/libffi.so.8.1.4)
==5466==    by 0xA3164DD: ffi_call (in /usr/lib64/libffi.so.8.1.4)
==5466==    by 0x8664B22: ??? (in /usr/lib64/libwayland-server.so.0.23.0)
==5466== 
==5466== Conditional jump or move depends on uninitialised value(s)
==5466==    at 0x18101A: KWin::ContrastEffect::colorMatrix(double, double, double) (contrast.cpp:246)
==5466==    by 0x183F63: KWin::ContrastEffect::updateContrastRegion(KWin::EffectWindow*) (contrast.cpp:147)
==5466==    by 0x78657F1: ??? (in /usr/lib64/libQt6Core.so.6.7.2)
==5466==    by 0x4FA52E4: KWin::SurfaceInterfacePrivate::applyState(KWin::SurfaceState*) (surface.cpp:692)
==5466==    by 0x4FD0012: KWin::Transaction::apply() (transaction.cpp:229)
==5466==    by 0x4FD0170: KWin::Transaction::tryApply() (transaction.cpp:262)
==5466==    by 0x4FD0808: KWin::Transaction::commit() (transaction.cpp:296)
==5466==    by 0x4FA8D50: KWin::SurfaceInterfacePrivate::surface_commit(QtWaylandServer::wl_surface::Resource*) (surface.cpp:379)
==5466==    by 0xA317055: ??? (in /usr/lib64/libffi.so.8.1.4)
==5466==    by 0xA31368C: ??? (in /usr/lib64/libffi.so.8.1.4)
==5466==    by 0xA3164DD: ffi_call (in /usr/lib64/libffi.so.8.1.4)
==5466==    by 0x8664B22: ??? (in /usr/lib64/libwayland-server.so.0.23.0)
==5466== 
==5466== Conditional jump or move depends on uninitialised value(s)
==5466==    at 0x181112: UnknownInlinedFun (qnumeric.h:328)
==5466==    by 0x181112: UnknownInlinedFun (qnumeric.h:371)
==5466==    by 0x181112: KWin::ContrastEffect::colorMatrix(double, double, double) (contrast.cpp:258)
==5466==    by 0x183F63: KWin::ContrastEffect::updateContrastRegion(KWin::EffectWindow*) (contrast.cpp:147)
==5466==    by 0x78657F1: ??? (in /usr/lib64/libQt6Core.so.6.7.2)
==5466==    by 0x4FA52E4: KWin::SurfaceInterfacePrivate::applyState(KWin::SurfaceState*) (surface.cpp:692)
==5466==    by 0x4FD0012: KWin::Transaction::apply() (transaction.cpp:229)
==5466==    by 0x4FD0170: KWin::Transaction::tryApply() (transaction.cpp:262)
==5466==    by 0x4FD0808: KWin::Transaction::commit() (transaction.cpp:296)
==5466==    by 0x4FA8D50: KWin::SurfaceInterfacePrivate::surface_commit(QtWaylandServer::wl_surface::Resource*) (surface.cpp:379)
==5466==    by 0xA317055: ??? (in /usr/lib64/libffi.so.8.1.4)
==5466==    by 0xA31368C: ??? (in /usr/lib64/libffi.so.8.1.4)
==5466==    by 0xA3164DD: ffi_call (in /usr/lib64/libffi.so.8.1.4)
==5466==    by 0x8664B22: ??? (in /usr/lib64/libwayland-server.so.0.23.0)
==5466== 
==5466== Conditional jump or move depends on uninitialised value(s)
==5466==    at 0x181505: UnknownInlinedFun (qnumeric.h:328)
==5466==    by 0x181505: UnknownInlinedFun (qnumeric.h:371)
==5466==    by 0x181505: KWin::ContrastEffect::colorMatrix(double, double, double) (contrast.cpp:258)
==5466==    by 0x183F63: KWin::ContrastEffect::updateContrastRegion(KWin::EffectWindow*) (contrast.cpp:147)
==5466==    by 0x78657F1: ??? (in /usr/lib64/libQt6Core.so.6.7.2)
==5466==    by 0x4FA52E4: KWin::SurfaceInterfacePrivate::applyState(KWin::SurfaceState*) (surface.cpp:692)
==5466==    by 0x4FD0012: KWin::Transaction::apply() (transaction.cpp:229)
==5466==    by 0x4FD0170: KWin::Transaction::tryApply() (transaction.cpp:262)
==5466==    by 0x4FD0808: KWin::Transaction::commit() (transaction.cpp:296)
==5466==    by 0x4FA8D50: KWin::SurfaceInterfacePrivate::surface_commit(QtWaylandServer::wl_surface::Resource*) (surface.cpp:379)
==5466==    by 0xA317055: ??? (in /usr/lib64/libffi.so.8.1.4)
==5466==    by 0xA31368C: ??? (in /usr/lib64/libffi.so.8.1.4)
==5466==    by 0xA3164DD: ffi_call (in /usr/lib64/libffi.so.8.1.4)
==5466==    by 0x8664B22: ??? (in /usr/lib64/libwayland-server.so.0.23.0)
==5466== 
==5466== Conditional jump or move depends on uninitialised value(s)
==5466==    at 0x18112E: KWin::ContrastEffect::colorMatrix(double, double, double) (contrast.cpp:258)
==5466==    by 0x183F63: KWin::ContrastEffect::updateContrastRegion(KWin::EffectWindow*) (contrast.cpp:147)
==5466==    by 0x78657F1: ??? (in /usr/lib64/libQt6Core.so.6.7.2)
==5466==    by 0x4FA52E4: KWin::SurfaceInterfacePrivate::applyState(KWin::SurfaceState*) (surface.cpp:692)
==5466==    by 0x4FD0012: KWin::Transaction::apply() (transaction.cpp:229)
==5466==    by 0x4FD0170: KWin::Transaction::tryApply() (transaction.cpp:262)
==5466==    by 0x4FD0808: KWin::Transaction::commit() (transaction.cpp:296)
==5466==    by 0x4FA8D50: KWin::SurfaceInterfacePrivate::surface_commit(QtWaylandServer::wl_surface::Resource*) (surface.cpp:379)
==5466==    by 0xA317055: ??? (in /usr/lib64/libffi.so.8.1.4)
==5466==    by 0xA31368C: ??? (in /usr/lib64/libffi.so.8.1.4)
==5466==    by 0xA3164DD: ffi_call (in /usr/lib64/libffi.so.8.1.4)
==5466==    by 0x8664B22: ??? (in /usr/lib64/libwayland-server.so.0.23.0)
==5466== 
==5466== Conditional jump or move depends on uninitialised value(s)
==5466==    at 0x181168: UnknownInlinedFun (qnumeric.h:328)
==5466==    by 0x181168: UnknownInlinedFun (qnumeric.h:371)
==5466==    by 0x181168: KWin::ContrastEffect::colorMatrix(double, double, double) (contrast.cpp:263)
==5466==    by 0x183F63: KWin::ContrastEffect::updateContrastRegion(KWin::EffectWindow*) (contrast.cpp:147)
==5466==    by 0x78657F1: ??? (in /usr/lib64/libQt6Core.so.6.7.2)
==5466==    by 0x4FA52E4: KWin::SurfaceInterfacePrivate::applyState(KWin::SurfaceState*) (surface.cpp:692)
==5466==    by 0x4FD0012: KWin::Transaction::apply() (transaction.cpp:229)
==5466==    by 0x4FD0170: KWin::Transaction::tryApply() (transaction.cpp:262)
==5466==    by 0x4FD0808: KWin::Transaction::commit() (transaction.cpp:296)
==5466==    by 0x4FA8D50: KWin::SurfaceInterfacePrivate::surface_commit(QtWaylandServer::wl_surface::Resource*) (surface.cpp:379)
==5466==    by 0xA317055: ??? (in /usr/lib64/libffi.so.8.1.4)
==5466==    by 0xA31368C: ??? (in /usr/lib64/libffi.so.8.1.4)
==5466==    by 0xA3164DD: ffi_call (in /usr/lib64/libffi.so.8.1.4)
==5466==    by 0x8664B22: ??? (in /usr/lib64/libwayland-server.so.0.23.0)
==5466== 
==5466== Conditional jump or move depends on uninitialised value(s)
==5466==    at 0x1814DE: UnknownInlinedFun (qnumeric.h:328)
==5466==    by 0x1814DE: UnknownInlinedFun (qnumeric.h:371)
==5466==    by 0x1814DE: KWin::ContrastEffect::colorMatrix(double, double, double) (contrast.cpp:263)
==5466==    by 0x183F63: KWin::ContrastEffect::updateContrastRegion(KWin::EffectWindow*) (contrast.cpp:147)
==5466==    by 0x78657F1: ??? (in /usr/lib64/libQt6Core.so.6.7.2)
==5466==    by 0x4FA52E4: KWin::SurfaceInterfacePrivate::applyState(KWin::SurfaceState*) (surface.cpp:692)
==5466==    by 0x4FD0012: KWin::Transaction::apply() (transaction.cpp:229)
==5466==    by 0x4FD0170: KWin::Transaction::tryApply() (transaction.cpp:262)
==5466==    by 0x4FD0808: KWin::Transaction::commit() (transaction.cpp:296)
==5466==    by 0x4FA8D50: KWin::SurfaceInterfacePrivate::surface_commit(QtWaylandServer::wl_surface::Resource*) (surface.cpp:379)
==5466==    by 0xA317055: ??? (in /usr/lib64/libffi.so.8.1.4)
==5466==    by 0xA31368C: ??? (in /usr/lib64/libffi.so.8.1.4)
==5466==    by 0xA3164DD: ffi_call (in /usr/lib64/libffi.so.8.1.4)
==5466==    by 0x8664B22: ??? (in /usr/lib64/libwayland-server.so.0.23.0)
==5466== 
==5466== Conditional jump or move depends on uninitialised value(s)
==5466==    at 0x181186: KWin::ContrastEffect::colorMatrix(double, double, double) (contrast.cpp:263)
==5466==    by 0x183F63: KWin::ContrastEffect::updateContrastRegion(KWin::EffectWindow*) (contrast.cpp:147)
==5466==    by 0x78657F1: ??? (in /usr/lib64/libQt6Core.so.6.7.2)
==5466==    by 0x4FA52E4: KWin::SurfaceInterfacePrivate::applyState(KWin::SurfaceState*) (surface.cpp:692)
==5466==    by 0x4FD0012: KWin::Transaction::apply() (transaction.cpp:229)
==5466==    by 0x4FD0170: KWin::Transaction::tryApply() (transaction.cpp:262)
==5466==    by 0x4FD0808: KWin::Transaction::commit() (transaction.cpp:296)
==5466==    by 0x4FA8D50: KWin::SurfaceInterfacePrivate::surface_commit(QtWaylandServer::wl_surface::Resource*) (surface.cpp:379)
==5466==    by 0xA317055: ??? (in /usr/lib64/libffi.so.8.1.4)
==5466==    by 0xA31368C: ??? (in /usr/lib64/libffi.so.8.1.4)
==5466==    by 0xA3164DD: ffi_call (in /usr/lib64/libffi.so.8.1.4)
==5466==    by 0x8664B22: ??? (in /usr/lib64/libwayland-server.so.0.23.0)
==5466== 
==5466== Conditional jump or move depends on uninitialised value(s)
==5466==    at 0x4851E1E: bcmp (vg_replace_strmem.c:1233)
==5466==    by 0x1F791E27: copy_uniform_matrix_to_storage(gl_context*, gl_constant_value*, gl_uniform_storage*, unsigned int, void const*, unsigned int, unsigned int, unsigned int, unsigned int, bool, unsigned int, unsigned int, glsl_base_type, bool) [clone .isra.0] (uniform_query.cpp:1736)
==5466==    by 0x1F793A18: _mesa_uniform_matrix (uniform_query.cpp:1959)
==5466==    by 0x1F7958CF: _mesa_UniformMatrix4fv (uniforms.c:648)
==5466==    by 0x4D3FBA7: KWin::GLShader::setUniform(int, QMatrix4x4 const&) (glshader.cpp:404)
==5466==    by 0x185FA0: UnknownInlinedFun (contrastshader.cpp:58)
==5466==    by 0x185FA0: UnknownInlinedFun (contrastshader.cpp:51)
==5466==    by 0x185FA0: UnknownInlinedFun (contrast.cpp:462)
==5466==    by 0x185FA0: KWin::ContrastEffect::drawWindow(KWin::RenderTarget const&, KWin::RenderViewport const&, KWin::EffectWindow*, int, QRegion const&, KWin::WindowPaintData&) (contrast.cpp:425)
==5466==    by 0x4CABC12: KWin::EffectsHandler::drawWindow(KWin::RenderTarget const&, KWin::RenderViewport const&, KWin::EffectWindow*, int, QRegion const&, KWin::WindowPaintData&) (effecthandler.cpp:375)
==5466==    by 0x4CABC12: KWin::EffectsHandler::drawWindow(KWin::RenderTarget const&, KWin::RenderViewport const&, KWin::EffectWindow*, int, QRegion const&, KWin::WindowPaintData&) (effecthandler.cpp:375)
==5466==    by 0x4CABB42: KWin::EffectsHandler::paintWindow(KWin::RenderTarget const&, KWin::RenderViewport const&, KWin::EffectWindow*, int, QRegion const&, KWin::WindowPaintData&) (effecthandler.cpp:346)
==5466==    by 0x4CABB42: KWin::EffectsHandler::paintWindow(KWin::RenderTarget const&, KWin::RenderViewport const&, KWin::EffectWindow*, int, QRegion const&, KWin::WindowPaintData&) (effecthandler.cpp:346)
==5466==    by 0x4DA5EDE: UnknownInlinedFun (workspacescene.cpp:485)
==5466==    by 0x4DA5EDE: KWin::WorkspaceScene::paintWindow(KWin::RenderTarget const&, KWin::RenderViewport const&, KWin::WindowItem*, int, QRegion const&) (workspacescene.cpp:478)
==5466==    by 0x4DA61E5: KWin::WorkspaceScene::paintSimpleScreen(KWin::RenderTarget const&, KWin::RenderViewport const&, int, QRegion const&) (workspacescene.cpp:458)
==5466== 
==5466== Conditional jump or move depends on uninitialised value(s)
==5466==    at 0x4851DF5: bcmp (vg_replace_strmem.c:1233)
==5466==    by 0x1F791E27: copy_uniform_matrix_to_storage(gl_context*, gl_constant_value*, gl_uniform_storage*, unsigned int, void const*, unsigned int, unsigned int, unsigned int, unsigned int, bool, unsigned int, unsigned int, glsl_base_type, bool) [clone .isra.0] (uniform_query.cpp:1736)
==5466==    by 0x1F793A18: _mesa_uniform_matrix (uniform_query.cpp:1959)
==5466==    by 0x1F7958CF: _mesa_UniformMatrix4fv (uniforms.c:648)
==5466==    by 0x4D3FBA7: KWin::GLShader::setUniform(int, QMatrix4x4 const&) (glshader.cpp:404)
==5466==    by 0x185FA0: UnknownInlinedFun (contrastshader.cpp:58)
==5466==    by 0x185FA0: UnknownInlinedFun (contrastshader.cpp:51)
==5466==    by 0x185FA0: UnknownInlinedFun (contrast.cpp:462)
==5466==    by 0x185FA0: KWin::ContrastEffect::drawWindow(KWin::RenderTarget const&, KWin::RenderViewport const&, KWin::EffectWindow*, int, QRegion const&, KWin::WindowPaintData&) (contrast.cpp:425)
==5466==    by 0x4CABC12: KWin::EffectsHandler::drawWindow(KWin::RenderTarget const&, KWin::RenderViewport const&, KWin::EffectWindow*, int, QRegion const&, KWin::WindowPaintData&) (effecthandler.cpp:375)
==5466==    by 0x4CABC12: KWin::EffectsHandler::drawWindow(KWin::RenderTarget const&, KWin::RenderViewport const&, KWin::EffectWindow*, int, QRegion const&, KWin::WindowPaintData&) (effecthandler.cpp:375)
==5466==    by 0x4CABB42: KWin::EffectsHandler::paintWindow(KWin::RenderTarget const&, KWin::RenderViewport const&, KWin::EffectWindow*, int, QRegion const&, KWin::WindowPaintData&) (effecthandler.cpp:346)
==5466==    by 0x4CABB42: KWin::EffectsHandler::paintWindow(KWin::RenderTarget const&, KWin::RenderViewport const&, KWin::EffectWindow*, int, QRegion const&, KWin::WindowPaintData&) (effecthandler.cpp:346)
==5466==    by 0x4DA5EDE: UnknownInlinedFun (workspacescene.cpp:485)
==5466==    by 0x4DA5EDE: KWin::WorkspaceScene::paintWindow(KWin::RenderTarget const&, KWin::RenderViewport const&, KWin::WindowItem*, int, QRegion const&) (workspacescene.cpp:478)
==5466==    by 0x4DA61E5: KWin::WorkspaceScene::paintSimpleScreen(KWin::RenderTarget const&, KWin::RenderViewport const&, int, QRegion const&) (workspacescene.cpp:458)
==5466== 
==5466== Conditional jump or move depends on uninitialised value(s)
==5466==    at 0x1F791E2A: copy_uniform_matrix_to_storage(gl_context*, gl_constant_value*, gl_uniform_storage*, unsigned int, void const*, unsigned int, unsigned int, unsigned int, unsigned int, bool, unsigned int, unsigned int, glsl_base_type, bool) [clone .isra.0] (uniform_query.cpp:1736)
==5466==    by 0x1F793A18: _mesa_uniform_matrix (uniform_query.cpp:1959)
==5466==    by 0x1F7958CF: _mesa_UniformMatrix4fv (uniforms.c:648)
==5466==    by 0x4D3FBA7: KWin::GLShader::setUniform(int, QMatrix4x4 const&) (glshader.cpp:404)
==5466==    by 0x185FA0: UnknownInlinedFun (contrastshader.cpp:58)
==5466==    by 0x185FA0: UnknownInlinedFun (contrastshader.cpp:51)
==5466==    by 0x185FA0: UnknownInlinedFun (contrast.cpp:462)
==5466==    by 0x185FA0: KWin::ContrastEffect::drawWindow(KWin::RenderTarget const&, KWin::RenderViewport const&, KWin::EffectWindow*, int, QRegion const&, KWin::WindowPaintData&) (contrast.cpp:425)
==5466==    by 0x4CABC12: KWin::EffectsHandler::drawWindow(KWin::RenderTarget const&, KWin::RenderViewport const&, KWin::EffectWindow*, int, QRegion const&, KWin::WindowPaintData&) (effecthandler.cpp:375)
==5466==    by 0x4CABC12: KWin::EffectsHandler::drawWindow(KWin::RenderTarget const&, KWin::RenderViewport const&, KWin::EffectWindow*, int, QRegion const&, KWin::WindowPaintData&) (effecthandler.cpp:375)
==5466==    by 0x4CABB42: KWin::EffectsHandler::paintWindow(KWin::RenderTarget const&, KWin::RenderViewport const&, KWin::EffectWindow*, int, QRegion const&, KWin::WindowPaintData&) (effecthandler.cpp:346)
==5466==    by 0x4CABB42: KWin::EffectsHandler::paintWindow(KWin::RenderTarget const&, KWin::RenderViewport const&, KWin::EffectWindow*, int, QRegion const&, KWin::WindowPaintData&) (effecthandler.cpp:346)
==5466==    by 0x4DA5EDE: UnknownInlinedFun (workspacescene.cpp:485)
==5466==    by 0x4DA5EDE: KWin::WorkspaceScene::paintWindow(KWin::RenderTarget const&, KWin::RenderViewport const&, KWin::WindowItem*, int, QRegion const&) (workspacescene.cpp:478)
==5466==    by 0x4DA61E5: KWin::WorkspaceScene::paintSimpleScreen(KWin::RenderTarget const&, KWin::RenderViewport const&, int, QRegion const&) (workspacescene.cpp:458)
==5466==    by 0x4CABA55: KWin::EffectsHandler::paintScreen(KWin::RenderTarget const&, KWin::RenderViewport const&, int, QRegion const&, KWin::Output*) (effecthandler.cpp:318)
==5466== 
==5466== Invalid write of size 8
==5466==    at 0x1F6D3E21: convert_ubyte_rgba_to_bgra (format_utils.c:219)
==5466==    by 0x1F784143: get_tex_rgba_uncompressed (texgetimage.c:549)
==5466==    by 0x1F784143: get_tex_rgba (texgetimage.c:605)
==5466==    by 0x1F784143: _mesa_GetTexSubImage_sw (texgetimage.c:760)
==5466==    by 0x1F516A6B: st_GetTexSubImage (st_cb_texture.c:2733)
==5466==    by 0x1F7834E8: get_texture_image.isra.0 (texgetimage.c:1441)
==5466==    by 0x1F7836B9: _get_texture_image (texgetimage.c:1479)
==5466==    by 0x1F784C35: _mesa_GetTexImage (texgetimage.c:1514)
==5466==    by 0x2C32A69F: KWin::doGrabTexture(KWin::GLTexture*, QImage*) (screencastutils.h:65)
==5466==    by 0x2C32FA39: KWin::grabTexture(KWin::GLTexture*, QImage*) [clone .lto_priv.1] (screencastutils.h:81)
==5466==    by 0x2C337680: KWin::WindowScreenCastSource::render(QImage*) (windowscreencastsource.cpp:64)
==5466==    by 0x2C336571: KWin::ScreenCastStream::recordFrame(QRegion const&, QFlags<KWin::ScreenCastStream::Content>) (screencaststream.cpp:523)
==5466==    by 0x78657F1: ??? (in /usr/lib64/libQt6Core.so.6.7.2)
==5466==    by 0x2C337137: UnknownInlinedFun (moc_screencastsource.cpp:154)
==5466==    by 0x2C337137: UnknownInlinedFun (windowscreencastsource.cpp:33)
==5466==    by 0x2C337137: UnknownInlinedFun (qobjectdefs_impl.h:137)
==5466==    by 0x2C337137: UnknownInlinedFun (qobjectdefs_impl.h:345)
==5466==    by 0x2C337137: QtPrivate::QCallableObject<KWin::WindowScreenCastSource::WindowScreenCastSource(KWin::Window*, QObject*)::{lambda()#1}, QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) [clone .lto_priv.0] (qobjectdefs_impl.h:555)
==5466==  Address 0x3bdec000 is not stack'd, malloc'd or (recently) free'd
==5466== 
==5466== 
==5466== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==5466==  Access not within mapped region at address 0x3BDEC000
==5466==    at 0x1F6D3E21: convert_ubyte_rgba_to_bgra (format_utils.c:219)
==5466==    by 0x1F784143: get_tex_rgba_uncompressed (texgetimage.c:549)
==5466==    by 0x1F784143: get_tex_rgba (texgetimage.c:605)
==5466==    by 0x1F784143: _mesa_GetTexSubImage_sw (texgetimage.c:760)
==5466==    by 0x1F516A6B: st_GetTexSubImage (st_cb_texture.c:2733)
==5466==    by 0x1F7834E8: get_texture_image.isra.0 (texgetimage.c:1441)
==5466==    by 0x1F7836B9: _get_texture_image (texgetimage.c:1479)
==5466==    by 0x1F784C35: _mesa_GetTexImage (texgetimage.c:1514)
==5466==    by 0x2C32A69F: KWin::doGrabTexture(KWin::GLTexture*, QImage*) (screencastutils.h:65)
==5466==    by 0x2C32FA39: KWin::grabTexture(KWin::GLTexture*, QImage*) [clone .lto_priv.1] (screencastutils.h:81)
==5466==    by 0x2C337680: KWin::WindowScreenCastSource::render(QImage*) (windowscreencastsource.cpp:64)
==5466==    by 0x2C336571: KWin::ScreenCastStream::recordFrame(QRegion const&, QFlags<KWin::ScreenCastStream::Content>) (screencaststream.cpp:523)
==5466==    by 0x78657F1: ??? (in /usr/lib64/libQt6Core.so.6.7.2)
==5466==    by 0x2C337137: UnknownInlinedFun (moc_screencastsource.cpp:154)
==5466==    by 0x2C337137: UnknownInlinedFun (windowscreencastsource.cpp:33)
==5466==    by 0x2C337137: UnknownInlinedFun (qobjectdefs_impl.h:137)
==5466==    by 0x2C337137: UnknownInlinedFun (qobjectdefs_impl.h:345)
==5466==    by 0x2C337137: QtPrivate::QCallableObject<KWin::WindowScreenCastSource::WindowScreenCastSource(KWin::Window*, QObject*)::{lambda()#1}, QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) [clone .lto_priv.0] (qobjectdefs_impl.h:555)
==5466==  If you believe this happened as a result of a stack
==5466==  overflow in your program's main thread (unlikely but
==5466==  possible), you can try to increase the size of the
==5466==  main thread stack using the --main-stacksize= flag.
==5466==  The main thread stack size used in this run was 8388608.
==5466== 
==5466== HEAP SUMMARY:
==5466==     in use at exit: 26,235,704 bytes in 157,102 blocks
==5466==   total heap usage: 870,785 allocs, 713,683 frees, 229,346,218 bytes allocated
==5466== 
==5466== LEAK SUMMARY:
==5466==    definitely lost: 70,656 bytes in 131 blocks
==5466==    indirectly lost: 2,905,980 bytes in 916 blocks
==5466==      possibly lost: 7,754,088 bytes in 50,728 blocks
==5466==    still reachable: 15,502,964 bytes in 105,306 blocks
==5466==                       of which reachable via heuristic:
==5466==                         newarray           : 647,152 bytes in 635 blocks
==5466==         suppressed: 0 bytes in 0 blocks
==5466== Rerun with --leak-check=full to see details of leaked memory
==5466== 
==5466== Use --track-origins=yes to see where uninitialised values come from
==5466== For lists of detected and suppressed errors, rerun with: -s
==5466== ERROR SUMMARY: 17 errors from 14 contexts (suppressed: 0 from 0)

Comment 3 Matt Fagnani 2024-07-07 13:13:20 UTC

I reported this problem at https://gitlab.freedesktop.org/mesa/mesa/-/issues/11473 When I disabled the Maximize and Squash (on minimize) effects in System Settings, the problem happened once when I clicked on Dolphin's icon in the task bar to maximize it, but the problem seemed much less frequent.

Comment 4 Vlad Zahorodnii 2024-07-09 10:03:41 UTC

Could you check whether downgrading mesa to 24.1.0 helps?

Comment 5 Vlad Zahorodnii 2024-07-09 10:04:52 UTC

update: 24.0.9

Comment 6 Matt Fagnani 2024-07-09 10:52:22 UTC

(In reply to Vlad Zahorodnii from comment #4)
> Could you check whether downgrading mesa to 24.1.0 helps?

The problem happened after I downgraded to mesa 24.1.0-rc2 - 24.1.1 and 24.0.6. 24.0.9 hasn't been built for Fedora Rawhide. The problem also happened with kwin 6.1.0 to 6.1.2. Plasma didn't start with kwin 6.0.90.1 due to https://bugs.kde.org/show_bug.cgi?id=487777 

This type of crash happened once when I just hovered over the Konsole icon in the task manger without clicking on it and the window preview popup appeared but the window preview was blank. The crash seemed more frequent when the window preview was shown and then I clicked on Konsole's icon in the task manager to maximize or minimize it. I disable window previews, and the crash didn't happen without them in brief testing. The window preview popups and animations when maximizing and minimizing might be involved in some kind of race condition. Thanks.

Comment 7 Vlad Zahorodnii 2024-07-09 11:41:27 UTC

(In reply to Matt Fagnani from comment #6)
> (In reply to Vlad Zahorodnii from comment #4)
> > Could you check whether downgrading mesa to 24.1.0 helps?
> 
> The problem happened after I downgraded to mesa 24.1.0-rc2 - 24.1.1 and
> 24.0.6. 24.0.9 hasn't been built for Fedora Rawhide. The problem also
> happened with kwin 6.1.0 to 6.1.2. Plasma didn't start with kwin 6.0.90.1
> due to https://bugs.kde.org/show_bug.cgi?id=487777 
> 
> This type of crash happened once when I just hovered over the Konsole icon
> in the task manger without clicking on it and the window preview popup
> appeared but the window preview was blank. The crash seemed more frequent
> when the window preview was shown and then I clicked on Konsole's icon in
> the task manager to maximize or minimize it. I disable window previews, and
> the crash didn't happen without them in brief testing. The window preview
> popups and animations when maximizing and minimizing might be involved in
> some kind of race condition. Thanks.

It looks like I can reproduce the issue. I'll have a closer look to check if it's something that kwin is at fault.

Comment 8 Vlad Zahorodnii 2024-07-09 11:50:09 UTC

Is the issue reproducible with maximized windows? Also if you increase the scale factor, can you reproduce the crash then?

Comment 9 Matt Fagnani 2024-07-09 13:39:19 UTC

(In reply to Vlad Zahorodnii from comment #8)
> Is the issue reproducible with maximized windows? Also if you increase the
> scale factor, can you reproduce the crash then?

The problem happened when I had one maximized window for Konsole or Dolphin open but not if there were two maximized windows open at the same time. I haven't seen a crash when Konsole or Dolphin weren't maximized, but I normally had them maximized. I increased the Window open scale and Window close scale to 1.00 in Scale in Desktop Effects in System Settings, and I saw the same crash when clicking on the Konsole icon to maximize it. Thanks.

Comment 10 Matt Fagnani 2024-07-09 17:00:15 UTC

The crashing line in convert_ubyte_rgba_to_bgra was using the s[i] source image pointers with what looked like bit-wise and left bit shifting values https://gitlab.freedesktop.org/mesa/mesa/-/blob/mesa-24.1.2/src/mesa/main/format_utils.c#L219

        for (i = 0; i < width/2; i++) {
            d[i] = ( (s[i] & 0xff00ff00ff00ff00) |
                    ((s[i] &       0xff000000ff) << 16) |
                    ((s[i] &   0xff000000ff0000) >> 16));
         }

While s was optimized out as were most other variables, i = 144 in each of a few core dumps I looked at with gdb. In get_tex_rgba_uncompressed in frame 1, width=1366 and height=608. A source texture image pointer of the animation of maximizing or minimizing the window or the window preview might've sometimes been uninitialized or corrupted, so that s[i] might been an invalid pointer.

Comment 11 Bug Janitor Service 2024-07-10 15:01:20 UTC

A possibly relevant merge request was started @ https://invent.kde.org/plasma/kwin/-/merge_requests/6084

Comment 12 Vlad Zahorodnii 2024-07-11 10:01:48 UTC

Git commit 9240d75e5101a69e9a67a44f0ac2432f2d0bb340 by Vlad Zahorodnii.
Committed on 11/07/2024 at 09:49.
Pushed by vladz into branch 'master'.

plugins/screencast: Don't download texture data if target size and texture size mismatch

If glGetTexImage() gets called, it can write beyond the bounds of the
target size. In long term, it would be nice to relax this check.

M  +4    -0    src/plugins/screencast/screencastutils.h

https://invent.kde.org/plasma/kwin/-/commit/9240d75e5101a69e9a67a44f0ac2432f2d0bb340

Comment 13 Vlad Zahorodnii 2024-07-11 10:01:56 UTC

Git commit a6743fd2f59a60460d48107ff321ddad969d7bae by Vlad Zahorodnii.
Committed on 11/07/2024 at 09:49.
Pushed by vladz into branch 'master'.

plugins/screencast: Allocate offscreen texture in WindowScreenCastSource::render(QImage) as big as the memfd buffer

textureSize() can temporarily mismatch the target buffer size. It can be
a problem if glGetTexImage() gets called. glGetTexImage() assumes that
the provided buffer is as big as the texture. If it's not, it will write
data outside the bounds of the buffer.

M  +1    -1    src/plugins/screencast/windowscreencastsource.cpp

https://invent.kde.org/plasma/kwin/-/commit/a6743fd2f59a60460d48107ff321ddad969d7bae

Comment 14 Vlad Zahorodnii 2024-07-11 10:30:27 UTC

Git commit e72f88042873db7b4d98065fc14f1e3eb5a2189e by Vlad Zahorodnii.
Committed on 11/07/2024 at 10:20.
Pushed by vladz into branch 'Plasma/6.1'.

plugins/screencast: Allocate offscreen texture in WindowScreenCastSource::render(QImage) as big as the memfd buffer

textureSize() can temporarily mismatch the target buffer size. It can be
a problem if glGetTexImage() gets called. glGetTexImage() assumes that
the provided buffer is as big as the texture. If it's not, it will write
data outside the bounds of the buffer.
(cherry picked from commit a6743fd2f59a60460d48107ff321ddad969d7bae)

M  +1    -1    src/plugins/screencast/windowscreencastsource.cpp

https://invent.kde.org/plasma/kwin/-/commit/e72f88042873db7b4d98065fc14f1e3eb5a2189e

Comment 15 Vlad Zahorodnii 2024-07-11 10:30:36 UTC

Git commit 8d23766d103368dd809d74ce11b374db5c5f3a54 by Vlad Zahorodnii.
Committed on 11/07/2024 at 10:20.
Pushed by vladz into branch 'Plasma/6.1'.

plugins/screencast: Don't download texture data if target size and texture size mismatch

If glGetTexImage() gets called, it can write beyond the bounds of the
target size. In long term, it would be nice to relax this check.
(cherry picked from commit 9240d75e5101a69e9a67a44f0ac2432f2d0bb340)

M  +4    -0    src/plugins/screencast/screencastutils.h

https://invent.kde.org/plasma/kwin/-/commit/8d23766d103368dd809d74ce11b374db5c5f3a54