Bug 510781

Summary: KWin Wayland crash in KWin::ItemRendererOpenGL::createRenderNode
Product: [Plasma] kwin
Reporter: nyanpasu64 <nyanpasu64>
Component: scene-opengl
Assignee: KWin default assignee <kwin-bugs-null>
Status: RESOLVED DUPLICATE
Severity: crash
CC: xaver.hugl
Priority: NOR
Version First Reported In: 6.4.91
Target Milestone: ---
Platform: Arch Linux
OS: Linux
Latest Commit:
Version Fixed/Implemented In:
Sentry Crash Report:

Description nyanpasu64 2025-10-19 09:36:12 UTC
SUMMARY
KWin crashed on my computer's lock screen. I'm not sure what caused it.

STEPS TO REPRODUCE
1. Lock the screen?
2. Fade to black? Let the machine sleep? (I can't reproduce this bug. One time I came back to my computer, pushed the power button, and all apps were gone as if I'd rebooted.)

OBSERVED RESULT
kwin crashes.
Journal:
Oct 19 01:51:07 ryzen dbus-broker[504]: A security policy denied :1.34 to send method call /org/freedesktop/login1/seat/seat0:org.freedesktop.login1.Seat.Inhibit to org.freedesktop.login1.
Oct 19 01:51:07 ryzen kwin_wayland[916]: Failed to delay sleep: Sender is not authorized to send message
Oct 19 01:51:07 ryzen kscreenlocker_greet[12600]: The backend got an unknown wallpaper provider type. The wallpaper will now fall back to the default. Please check your wallpaper configuration!
Oct 19 01:51:08 ryzen kscreenlocker_greet[12600]: file:///usr/share/plasma/shells/org.kde.plasma.desktop/contents/lockscreen/MediaControls.qml:31:13: QML Image: Blocked request.
Oct 19 01:51:18 ryzen kernel: kwin_wayland[916]: segfault at b1 ip 00007f689e14cc95 sp 00007ffffac58b90 error 4 in libkwin.so.6.4.91[34cc95,7f689df56000+521000] likely on CPU 1 (core 1, socket 0)
Oct 19 01:51:18 ryzen kernel: Code: 99 41 4b 00 48 89 07 31 c0 c3 66 66 2e 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 55 48 8b 07 48 8b 36 48 8b 78 48 48 89 e5 48 8b 07 <ff> 90 b0 00 00 00 5d 83 f0 01 c3 f3 0f 1e fa 85 d2 74 20 83 fa 01

coredumpctl debug:
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f689e14cc95 in operator() (__closure=<optimized out>, item=<optimized out>) at /usr/src/debug/kwin/kwin-6.4.91/src/scene/workspacescene.cpp:708
708             return !painted_delegate->shouldRenderItem(item);
[Current thread is 1 (Thread 0x7f6894644400 (LWP 916))]
(gdb) bt
#0  0x00007f689e14cc95 in operator() (__closure=<optimized out>, item=<optimized out>) at /usr/src/debug/kwin/kwin-6.4.91/src/scene/workspacescene.cpp:708
#1  std::__invoke_impl<bool, KWin::WorkspaceScene::finalDrawWindow(const KWin::RenderTarget&, const KWin::RenderViewport&, KWin::EffectWindow*, int, const QRegion&, KWin::WindowPaintData&)::<lambda(KWin::Item*)>&, KWin::Item*> (__f=<optimized out>) at /usr/include/c++/15.2.1/bits/invoke.h:63
#2  std::__invoke_r<bool, KWin::WorkspaceScene::finalDrawWindow(const KWin::RenderTarget&, const KWin::RenderViewport&, KWin::EffectWindow*, int, const QRegion&, KWin::WindowPaintData&)::<lambda(KWin::Item*)>&, KWin::Item*> (__fn=<optimized out>) at /usr/include/c++/15.2.1/bits/invoke.h:116
#3  std::_Function_handler<bool(KWin::Item*), KWin::WorkspaceScene::finalDrawWindow(const KWin::RenderTarget&, const KWin::RenderViewport&, KWin::EffectWindow*, int, const QRegion&, KWin::WindowPaintData&)::<lambda(KWin::Item*)> >::_M_invoke(const std::_Any_data &, KWin::Item *&&) (__functor=<optimized out>, __args#0=<optimized out>) at /usr/include/c++/15.2.1/bits/std_function.h:292
#4  0x00007f689e13245e in std::function<bool(KWin::Item*)>::operator() (this=0x7ffffac59220, __args#0=0x5564bf3e2fa0) at /usr/include/c++/15.2.1/bits/std_function.h:593
#5  KWin::ItemRendererOpenGL::createRenderNode (this=this@entry=0x5564bd4d9450, item=item@entry=0x5564bf3e2fa0, context=context@entry=0x7ffffac59070, filter=..., holeFilter=...) at /usr/src/debug/kwin/kwin-6.4.91/src/scene/itemrenderer_opengl.cpp:127
#6  0x00007f689e1377dc in KWin::ItemRendererOpenGL::renderItem (this=this@entry=0x5564bd4d9450, renderTarget=..., viewport=..., item=0x5564bf3e2fa0, mask=mask@entry=6, region=..., data=..., filter=..., holeFilter=...) at /usr/src/debug/kwin/kwin-6.4.91/src/scene/itemrenderer_opengl.cpp:349
#7  0x00007f689e15283d in KWin::WorkspaceScene::finalDrawWindow (this=<optimized out>, renderTarget=..., viewport=..., w=<optimized out>, mask=6, region=..., data=...) at /usr/src/debug/kwin/kwin-6.4.91/src/scene/workspacescene.cpp:707
#8  0x00007f689e00ce3c in KWin::EffectsHandler::drawWindow (this=0x5564bd46ca30, renderTarget=<optimized out>, viewport=<optimized out>, w=<optimized out>, mask=<optimized out>, region=<optimized out>, data=...) at /usr/src/debug/kwin/kwin-6.4.91/src/effect/effecthandler.cpp:426
#9  0x00007f689e00ce3c in KWin::EffectsHandler::drawWindow (this=0x5564bd46ca30, renderTarget=<optimized out>, viewport=<optimized out>, w=<optimized out>, mask=<optimized out>, region=<optimized out>, data=...) at /usr/src/debug/kwin/kwin-6.4.91/src/effect/effecthandler.cpp:426
#10 0x00007f689e037102 in KWin::OffscreenData::maybeRender (this=0x5564be9bf4f0, window=window@entry=0x5564bc647160) at /usr/src/debug/kwin/kwin-6.4.91/src/effect/offscreeneffect.cpp:142
#11 0x00007f689e037932 in KWin::CrossFadeEffect::redirect (this=<optimized out>, window=0x5564bc647160) at /usr/include/c++/15.2.1/bits/unique_ptr.h:193
#12 0x00007f689e004d10 in KWin::AnimationEffect::p_animate (this=0x5564bdc363b0, w=<optimized out>, a=KWin::AnimationEffect::CrossFadePrevious, meta=<optimized out>, ms=250, to=..., curve=..., delay=0, from=..., keepAtTarget=false, fullScreenEffect=false, keepAlive=true, shader=0x0) at /usr/src/debug/kwin/kwin-6.4.91/src/effect/animationeffect.cpp:240
#13 0x00007f689e166937 in KWin::AnimationEffect::animate (to=..., from=..., this=0x5564bdc363b0, w=0x5564bc647160, a=KWin::AnimationEffect::CrossFadePrevious, meta=0, ms=250, curve=..., delay=0, fullScreen=<optimized out>, keepAlive=<optimized out>, shader=0x0) at /usr/src/debug/kwin/kwin-6.4.91/src/effect/animationeffect.h:378
#14 KWin::ScriptedEffect::animate (this=this@entry=0x5564bdc363b0, window=window@entry=0x5564bc647160, attribute=KWin::AnimationEffect::CrossFadePrevious, ms=250, to=..., from=..., metaData=0, curve=6, delay=0, fullScreen=false, keepAlive=true, shaderId=0) at /usr/src/debug/kwin/kwin-6.4.91/src/scripting/scriptedeffect.cpp:496
#15 0x00007f689e1670ca in KWin::ScriptedEffect::animate_helper (this=0x5564bdc363b0, object=<optimized out>, animationType=animationType@entry=KWin::ScriptedEffect::AnimationType::Animate) at /usr/src/debug/kwin/kwin-6.4.91/src/scripting/scriptedeffect.cpp:465
#16 0x00007f689e168565 in KWin::ScriptedEffect::animate (this=<optimized out>, object=<optimized out>) at /usr/src/debug/kwin/kwin-6.4.91/src/scripting/scriptedeffect.cpp:502
#17 0x00007f689e16cee1 in KWin::ScriptedEffect::qt_static_metacall (_o=<optimized out>, _c=<optimized out>, _id=<optimized out>, _a=0x7ffffac59ef8) at /usr/src/debug/kwin/build/src/kwin_autogen/include/moc_scriptedeffect.cpp:463
#18 0x00007f689e16d877 in KWin::ScriptedEffect::qt_metacall (this=0x5564bdc363b0, _c=<optimized out>, _id=27, _a=0x7ffffac59ef8) at /usr/src/debug/kwin/build/src/kwin_autogen/include/moc_scriptedeffect.cpp:813
#19 0x00007f689d137a03 in QQmlObjectOrGadget::metacall (this=<optimized out>, type=<optimized out>, index=<optimized out>, argv=<optimized out>) at /usr/src/debug/qt6-declarative/qtdeclarative/src/qml/qml/qqmlobjectorgadget.cpp:14
#20 0x00007f689cfe8311 in QV4::CallMethod (object=<optimized out>, index=<optimized out>, returnType=..., argCount=<optimized out>, argTypes=<optimized out>, engine=<optimized out>, callArgs=<optimized out>, callType=<optimized out>) at /usr/include/qt6/QtCore/qvarlengtharray.h:90
#21 QV4::QObjectMethod::callPrecise (object=<optimized out>, data=<optimized out>, engine=<optimized out>, callArgs=<optimized out>, callType=<optimized out>) at /usr/src/debug/qt6-declarative/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:2081
#22 0x00007f689cff20dd in operator() (__closure=<optimized out>) at /usr/src/debug/qt6-declarative/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:3113
#23 operator()<QV4::QObjectMethod::callInternal(const QV4::Value*, const QV4::Value*, int) const::<lambda()> > (__closure=<synthetic pointer>, call=<optimized out>) at /usr/src/debug/qt6-declarative/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:3090
#24 QV4::QObjectMethod::callInternal (this=0x7f685e2c4628, thisObject=<optimized out>, argv=0x7f685e2c45a8, argc=1) at /usr/src/debug/qt6-declarative/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:3113
#25 0x00007f689d00f6eb in QV4::Runtime::CallName::call (engine=0x5564bdd58ac0, nameIndex=42, argv=0x7f685e2c45a8, argc=1) at /usr/src/debug/qt6-declarative/qtdeclarative/src/qml/jsruntime/qv4runtime.cpp:1510
#26 0x00007f68936a9780 in ??? ()
#27 0x00007ffffac5a610 in ??? ()
#28 0x00005564bdd58ac0 in ??? ()
#29 0x00007ffffac5a610 in ??? ()
#30 0x0000000000000000 in ??? ()

EXPECTED RESULT
No kwin crash.

SOFTWARE/OS VERSIONS
Operating System: Arch Linux 
KDE Plasma Version: 6.4.91
KDE Frameworks Version: 6.19.0
Qt Version: 6.10.0
Kernel Version: 6.17.3-arch2-1 (64-bit)
Graphics Platform: Wayland
Processors: 8 × Intel® Core™ i7-8559U CPU @ 2.70GHz
Memory: 16 GiB of RAM (15.5 GiB usable)
Graphics Processor: Intel® Iris® Plus Graphics 655
Manufacturer: Intel(R) Client Systems
Product Name: NUC8i7BEH
System Version: J72992-303

ADDITIONAL INFORMATION
Comment 1 nyanpasu64 2025-10-19 10:48:08 UTC
Loading libkwin.so.6.4.91 into Ghidra and navigating to file(0x34cc95) reveals we're trying to call [RAX + 0xb0] (vtable?) but gdb says RAX is 1.

gdb's disassembly says the crash site is in function (inhale): std::_Function_handler<bool(KWin::Item*), KWin::WorkspaceScene::finalDrawWindow(const KWin::RenderTarget&, const KWin::RenderViewport&, KWin::EffectWindow*, int, const QRegion&, KWin::WindowPaintData&)::<lambda(KWin::Item*)> >::_M_invoke(const std::_Any_data &, KWin::Item *&&)

It appears we're calling a std::function<bool(KWin::Item*)>, and invoking an internal specialization for KWin::WorkspaceScene::finalDrawWindow#lambda. Tracing the call tree, itemrenderer_opengl.cpp:127 is trying to call filter() not holeFilter(). filter is defined as:
[this](Item *item) {
    return !painted_delegate->shouldRenderItem(item);
}
In class WorkspaceScene, `SceneView *painted_delegate` lives at offset 72 or 0x48.

I don't know all the layers of C++ stdlib function templating. From the disassembly, it seems we're passed a & (aka pointer) to std::_Any_data, which consists of a this pointer, rather than being passed a this pointer directly, and a & to Item *. Since the lambda has been inlined into the C++ implementation details, we must load this into RAX, (dereferencing RSI from Item*& to Item*), compute &painted_delegate by adding 0x48, and load `SceneView* painted_delegate` into RDI. Then we save the stack pointer into RBP, load the vtable address into RAX, and call shouldRenderItem (vtable + 0xb0) with painted_delegate in RDI and item in RSI.

(gdb) info reg
rax            0x1                 1
rbx            0x7ffffac59070      140737400639600
rcx            0x7ffffac59220      140737400640032
rdx            0x7ffffac59070      140737400639600
rsi            0x5564bf3e2fa0      93891193614240
rdi            0x5564bf30b830      93891192731696
rbp            0x7ffffac58b90      0x7ffffac58b90
rsp            0x7ffffac58b90      0x7ffffac58b90
r8             0x7ffffac59200      140737400640000
r9             0x7f689ae09ac0      140087251737280
r10            0x2                 2
r11            0x0                 0
r12            0x5564bf3e2fa0      93891193614240
r13            0x7ffffac59200      140737400640000
r14            0x5564bd4d9450      93891161068624
r15            0x7ffffac58cf0      140737400638704
rip            0x7f689e14cc95      0x7f689e14cc95 <(long method name omitted)+21>
eflags         0x10206             [ PF IF RF ]
cs             0x33                51
ss             0x2b                43 (https://stackoverflow.com/questions/19502868/meaning-of-cs-and-ss-registers-on-x86-64-linux-in-userland ???)
...
fs_base        0x7f6894644400      140087142925312
gs_base        0x0                 0

We crashed with RAX=1, meaning that our "SceneView" memory at *painted_delegate is corrupted with a vtable address of 1. gdb says (manually formatted, I hope I didn't break any indentation):

(gdb) print *(KWin::SceneView*)$rdi
$9 = {
	<KWin::RenderView> = {
		<QObject> = {
			_vptr.QObject = 0x1,
... (all non-static variables are 0xffffffffffffffff) ...
	m_underlayViews = {
		<QListSpecialMethods<KWin::RenderView*>> = {<QListSpecialMethodsBase<KWin::RenderView*>> = {<No data fields>}, <No data fields>},
		d = {d = 0xffffffffffffffff, ptr = 0xffffffffffffffff, size = 93891192044384}
	}
}

This memory looks well and truly trampled, though I don't know if it's a bad pointer or a use-after-free. Oddly that last size value is a valid heap pointer, to what I don't know:
(gdb) x /64xh 93891192044384
0x5564bf263b60: 0xea30  0xbf36  0x5564  0x0000  0x0000  0x0000  0x0000  0x0000
0x5564bf263b70: 0x0000  0x0000  0x0000  0x0000  0x0000  0x0000  0x0000  0x409e
0x5564bf263b80: 0x0000  0x0000  0xe000  0x4090  0x0002  0x0000  0x0000  0x0000
0x5564bf263b90: 0x0000  0x0000  0x0000  0x0000  0x0000  0x0000  0x0000  0x0000
0x5564bf263ba0: 0x0000  0x0000  0x0000  0x0000  0x0000  0x0000  0x0000  0x0000
0x5564bf263bb0: 0x0003  0x0000  0x0000  0x0000  0x0000  0x0000  0x0000  0x0000
0x5564bf263bc0: 0x0000  0x0000  0x0000  0x0000  0x0000  0x0000  0x0000  0x0000
0x5564bf263bd0: 0x0000  0x0000  0x0000  0x0000  0x0004  0x0000  0x0000  0x0000

In summary, it looks like WorkspaceScene's member SceneView *painted_delegate is pointing to invalid SceneView bytes. Whether the pointer was overwritten with a distinct pointer, or the target was corrupted or freed, I don't know.
Comment 2 nyanpasu64 2025-10-19 10:49:48 UTC
For completeness, since you don't have the same binary/disassembly as I do:
(gdb) set disassembly-flavor intel
(gdb) disas
Dump of assembler code for function std::_Function_handler<bool(KWin::Item*), KWin::WorkspaceScene::finalDrawWindow(const KWin::RenderTarget&, const KWin::RenderViewport&, KWin::EffectWindow*, int, const QRegion&, KWin::WindowPaintData&)::<lambda(KWin::Item*)> >::_M_invoke(const std::_Any_data &, KWin::Item *&&):
   0x00007f689e14cc80 <+0>:     endbr64
   0x00007f689e14cc84 <+4>:     push   rbp
   0x00007f689e14cc85 <+5>:     mov    rax,QWORD PTR [rdi]
   0x00007f689e14cc88 <+8>:     mov    rsi,QWORD PTR [rsi]
   0x00007f689e14cc8b <+11>:    mov    rdi,QWORD PTR [rax+0x48]
   0x00007f689e14cc8f <+15>:    mov    rbp,rsp
   0x00007f689e14cc92 <+18>:    mov    rax,QWORD PTR [rdi]
=> 0x00007f689e14cc95 <+21>:    call   QWORD PTR [rax+0xb0]
   0x00007f689e14cc9b <+27>:    pop    rbp
   0x00007f689e14cc9c <+28>:    xor    eax,0x1
   0x00007f689e14cc9f <+31>:    ret
End of assembler dump.
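The journal line and the gdb session in the comments above can be cross-checked mechanically. This added Python example (not part of the report or of KWin) parses the kernel's segfault line, decodes the x86 page-fault error code, and recomputes the effective address of the faulting `call QWORD PTR [rax+0xb0]` from the register dump, confirming that the fault address 0xb1 is the bogus vptr 1 plus the vtable slot offset 0xb0 (slot 22 on x86-64). The 0x1000 "plausible pointer" threshold is a heuristic of this example, not something the report states.

```python
import re

# Constructed test data copied from this report: the kernel segfault line, the faulting
# instruction from the gdb disassembly and the register it dereferences (info reg).
SEGFAULT_LINE = ("Oct 19 01:51:18 ryzen kernel: kwin_wayland[916]: segfault at b1 ip 00007f689e14cc95 "
                 "sp 00007ffffac58b90 error 4 in libkwin.so.6.4.91[34cc95,7f689df56000+521000] "
                 "likely on CPU 1 (core 1, socket 0)")
FAULT_INSN = "call   QWORD PTR [rax+0xb0]"
REGS = {"rax": 0x1}

SEGFAULT_RE = re.compile(
    r"segfault at (?P<addr>[0-9a-f]+) ip (?P<ip>[0-9a-f]+) sp [0-9a-f]+ error (?P<err>[0-9a-f]+) "
    r"in (?P<obj>\S+?)\[(?P<fileoff>[0-9a-f]+),(?P<start>[0-9a-f]+)\+(?P<len>[0-9a-f]+)\]")

def parse_segfault(line):
    """Decode the x86 page-fault error code and locate ip inside the mapped object."""
    m = SEGFAULT_RE.search(line)
    if not m:
        raise ValueError("not a kernel segfault line")
    hx = {k: int(v, 16) for k, v in m.groupdict().items() if k != "obj"}
    if not hx["start"] <= hx["ip"] < hx["start"] + hx["len"]:
        raise ValueError("ip lies outside the reported mapping")
    map_offset = hx["ip"] - hx["start"]
    return {
        "object": m["obj"], "fault_addr": hx["addr"], "ip": hx["ip"],
        "file_offset": hx["fileoff"],   # ELF file offset; what the reporter opened in Ghidra
        "map_offset": map_offset,
        # file offset minus mapping offset is the segment's file offset; it should be page-aligned
        "segment_file_offset": hx["fileoff"] - map_offset,
        "present": bool(hx["err"] & 1),  # 0 = page not present, 1 = protection violation
        "write": bool(hx["err"] & 2),    # 0 = read, 1 = write
        "user": bool(hx["err"] & 4),     # 1 = fault raised in user mode
        "instruction_fetch": bool(hx["err"] & 16),
    }

MEM_OPERAND_RE = re.compile(r"\[(?P<base>[a-z][a-z0-9]*)\+0x(?P<disp>[0-9a-f]+)\]")

def explain_indirect_call(insn, regs, fault_addr, ptr_size=8):
    """Recompute base+disp for the faulting memory operand and name the vtable slot."""
    m = MEM_OPERAND_RE.search(insn)
    if not m:
        raise ValueError("no [reg+0xdisp] operand in instruction")
    base, disp = regs[m["base"]], int(m["disp"], 16)
    return {
        "effective_addr": base + disp,
        "matches_fault": base + disp == fault_addr,  # kernel "segfault at" agrees with gdb
        "vtable_slot": disp // ptr_size,            # 0xb0 / 8 = slot 22 on x86-64
        "vptr_plausible": base >= 0x1000,           # heuristic: the lowest page is never mapped
    }
```

Running both functions on the report's values yields a user-mode read of a not-present page at 0xb1, which is exactly rax (1) + 0xb0, i.e. a virtual call through a vptr that cannot point at any mapped vtable.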
Comment 3 Zamundaaa 2025-10-19 14:00:58 UTC

*** This bug has been marked as a duplicate of bug 509690 ***