Bug 290482 - KWin crash, when trying to use the new qml-based switcher
Summary: KWin crash, when trying to use the new qml-based switcher
Status: RESOLVED FIXED
Alias: None
Product: kwin
Classification: Plasma
Component: tabbox (show other bugs)
Version: unspecified
Platform: Fedora RPMs Linux
: NOR crash
Target Milestone: 4.9 Beta 1
Assignee: KWin default assignee
URL: https://git.reviewboard.kde.org/r/105...
Keywords:
: 292589 293031 299871 300340 (view as bug list)
Depends on:
Blocks:
 
Reported: 2012-01-03 11:05 UTC by Andreas Krohn
Modified: 2012-05-29 05:55 UTC (History)
4 users (show)

See Also:
Latest Commit: http://commits.kde.org/kde-workspace/19c0fa5abd90a46de2ef6949a15de31111f930f4
Version Fixed In: 4.8.4
mgraesslin: ReviewRequest+

Attachments
Add an attachment

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Krohn 2012-01-03 11:05:28 UTC 
Application: kwin (4.7.95 (4.8 RC1 (4.7.95))
KDE Platform Version: 4.7.95 (4.8 RC1 (4.7.95)
Qt Version: 4.8.0
Operating System: Linux 3.1.6-1.fc16.x86_64 x86_64
Distribution: "Fedora release 16 (Verne)"

-- Information about the crash:
- What I was doing when the application crashed:

* System was under quite heavy load
* Attempted to switch to another window (qml/layout based switcher)
* Crash

The crash can be reproduced some of the time.

-- Backtrace:
Application: KWin (kwin), signal: Segmentation fault
Using host libthread_db library "/lib64/libthread_db.so.1".
82	T_PSEUDO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)
[Current thread is 1 (Thread 0x7fd125d91840 (LWP 14374))]

Thread 2 (Thread 0x7fd111698700 (LWP 14482)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:165
#1  0x0000003b76584e62 in QTWTF::TCMalloc_PageHeap::scavengerThread (this=0x3b7687e240) at ../3rdparty/javascriptcore/JavaScriptCore/wtf/FastMalloc.cpp:2359
#2  0x0000003b76584e99 in QTWTF::TCMalloc_PageHeap::runScavengerThread (context=<optimized out>) at ../3rdparty/javascriptcore/JavaScriptCore/wtf/FastMalloc.cpp:1464
#3  0x0000003b61c07d90 in start_thread (arg=0x7fd111698700) at pthread_create.c:309
#4  0x0000003b610ef48d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 1 (Thread 0x7fd125d91840 (LWP 14374)):
[KCrash Handler]
#6  0x0000003b7def3090 in KWin::TabBox::ClientModel::data (this=0x1704090, index=<optimized out>, role=<optimized out>) at /usr/src/debug/kde-workspace-4.7.95/kwin/tabbox/clientmodel.cpp:80
#7  0x0000003b77d8ca12 in QDeclarativeVisualDataModelDataMetaObject::initialValue (this=<optimized out>, propId=3) at graphicsitems/qdeclarativevisualitemmodel.cpp:534
#8  0x0000003b77cfbf25 in QDeclarativeOpenMetaObjectPrivate::getData (this=0x2042080, idx=3) at util/qdeclarativeopenmetaobject.cpp:149
#9  0x0000003b77cfaacf in QDeclarativeOpenMetaObject::metaCall (this=0x1f19bc0, c=<optimized out>, id=<optimized out>, a=<optimized out>) at util/qdeclarativeopenmetaobject.cpp:230
#10 0x0000003b68182088 in QMetaProperty::read (this=0x7fff2f10de30, object=0x2153f80) at kernel/qmetaobject.cpp:2267
#11 0x0000003b77e56e5d in QDeclarativeObjectScriptClass::property (this=<optimized out>, obj=0x2153f80, name=<optimized out>) at qml/qdeclarativeobjectscriptclass.cpp:319
#12 0x0000003b77e5c4ee in QDeclarativeContextScriptClass::property (this=0x1e8d190, object=<optimized out>, name=<optimized out>) at qml/qdeclarativecontextscriptclass.cpp:289
#13 0x0000003b765fd8a0 in QScript::DeclarativeObjectDelegate::getOwnPropertySlot (this=0x2218220, object=0x7fd10994f9c0, exec=0x7fd1099a50f8, propertyName=..., slot=...) at bridge/qscriptdeclarativeobject.cpp:76
#14 0x0000003b764d4bc5 in fastGetOwnPropertySlot (this=0x7fd10994f9c0, slot=..., propertyName=..., exec=0x7fd1099a50f8) at ../3rdparty/javascriptcore/JavaScriptCore/runtime/JSObject.h:382
#15 getPropertySlot (slot=<optimized out>, propertyName=<optimized out>, exec=<optimized out>, this=<optimized out>) at ../3rdparty/javascriptcore/JavaScriptCore/runtime/JSObject.h:391
#16 QTJSC::cti_op_resolve_skip (args=0x7fff2f10e1a0) at ../3rdparty/javascriptcore/JavaScriptCore/jit/JITStubs.cpp:2307
#17 0x00007fd112faf572 in ?? ()
#18 0x0000000000000000 in ?? ()

Reported using DrKonqi
Comment 1 Martin Flöser 2012-01-03 16:34:10 UTC 
any way to reproduce the crash? Being just under heavy load is rather 
difficult to test :-)
Comment 2 Andreas Krohn 2012-01-03 23:56:01 UTC 
well - that's the only situation I remember.. if I observe this behavior in other situations, i'll add another comment.

'heavy load' was 'building calligra and digikam' ;-)
Comment 3 Thomas Lübking 2012-02-01 15:15:05 UTC 
*** Bug 293031 has been marked as a duplicate of this bug. ***
Comment 4 Thomas Lübking 2012-02-01 15:18:22 UTC 
*** Bug 292589 has been marked as a duplicate of this bug. ***
Comment 5 Martin Flöser 2012-03-09 07:31:09 UTC 
we need a reproducable way how to reproduce this crash. In case anyone is able to reproduce the crash, please provide steps on how to reproduce it. Thanks.
Comment 6 Andreas Krohn 2012-03-10 18:12:06 UTC 
I didn't observe this behavior in quite a while - maybe it was just an incompatibility with different qt/kms/intel libraries/drivers. I guess we can close this bug if noone else triggers this problem..?!
Comment 7 Martin Flöser 2012-03-10 18:21:25 UTC 
thanks for the feedback. I think we can just keep it in this state and reopen it if it happens again :-)

Btw I had seen the crash in the past, too. But had never been able to reproduce and haven't seen it for some weeks.
Comment 8 g111 2012-03-11 11:41:08 UTC 
Well, the crash does happen for me (using ubuntu backports) at least once a day. Sometimes it happens when using the hotkey function "Walk Through Desktops", sometimes I think it also happend with "Walk Through Windows". I do not know if it is always the same crash reason. The problem is that I cannot find a way to reproduce it. Sometimes I have the feeling that it happens after opening or maybe closing some windows or changing the stack order or something. Sometimes I think that it happens more often after working on one desktop for a bit longer or after unlocking the desktop lock after a break. But I do not know.

I am very happen that kwin restarts and resets itself automatically afterwards, so I can continue to work.
Comment 9 Thomas Lübking 2012-03-11 13:19:31 UTC 
please have a look at bug #294534

it's just a wild guess, but do you (your distro) compile w/ -ftree-vectorize?
Comment 10 g111 2012-03-12 11:00:47 UTC 
Well, I am using ubuntu 10.10 with the KDE 4.8.1 backports at work. How can I find out if it was compiled with the  -ftree-vectorize flag?
Comment 11 g111 2012-03-12 11:02:23 UTC 
Argh, sorry. it is today one year later than I thought. I am using ubuntu 11/10 (oneric or what the name is. well, version "O").
Comment 12 Thomas Lübking 2012-03-12 17:02:44 UTC 
(In reply to comment #10)
> Well, I am using ubuntu 10.10 with the KDE 4.8.1 backports at work. How can
> I find out if it was compiled with the  -ftree-vectorize flag?

probably only by asking ubuntu / package maintainer - i can't see compiler flags listed in the .dsc
Comment 13 Thomas Lübking 2012-05-12 11:54:24 UTC 
*** Bug 299871 has been marked as a duplicate of this bug. ***
Comment 14 Thomas Lübking 2012-05-20 08:08:50 UTC 
*** Bug 300340 has been marked as a duplicate of this bug. ***
Comment 15 Thomas Lübking 2012-05-20 08:09:41 UTC 
Anyone experiencing this bug:
what is your shortcut configuration for window and desktop switching?
Comment 16 Sendil 2012-05-20 11:57:19 UTC 
The shortcut I had set was Win+Tab for workspace cycle List, and Alt+tab for window-list current desktop. What I have noticed is that usually (heavy loaded conditions - my case when google-chrome browsing activity was running with multiple tabs or kdevelop or qtcreator code writing) it crashes. 

[Seems solved]
- Recently I installed bumblebee based on the instructions here https://help.ubuntu.com/community/Asus_U31SD
- Switched to OpenGL mode 
- Disabled OpenGL 2 Shaders & Use VSync from Desktop Effects (Advanced Settings)

I find that recently it has not happened after that.




====
System :
Kubuntu 12.04 upgraded from 11.10
Kernel 3.2.0-24-generic-pae (32bit)
Asus : U31S 
Nvidia GT520
Comment 17 Martin Flöser 2012-05-20 15:20:19 UTC 
I think I found a way to reproduce the crash:
1. Configure both primary and secondary TabBox with different layouts
2. Use primary TabBox
3. Close a window, best the one which used to be active
4. Use secondary TabBox
-> Crash

Review Request on the way
Comment 18 Martin Flöser 2012-05-22 16:36:43 UTC 
Git commit 05a3420175c88c7a106a245071d4bb3a75694e00 by Martin Gräßlin.
Committed on 20/05/2012 at 15:52.
Pushed by graesslin into branch 'master'.

Use smart pointers to protect access to TabBoxClient

Client holds a SharedPointer to the TabBoxClient and only
provides access to a WeakPointer which is passed to TabBox.
ClientModel is adjusted to hold a list of WeakPointers instead
of the direct pointers.

This fixes the following reproducable crash:
1. Configure both primary and secondary TabBox with different
   layouts
2. Use primary TabBox
3. Close a window, best the one which used to be active
4. Use secondary TabBox
-> Crash

The reason is that the ClientModel still contains the pointer
to the deleted TabBoxClient in step 3 and while creating the
layout access to the TabBoxClient is needed to get the Client's
icon.

By using the weak pointer it can be ensured that we don't try
to dereference the deleted pointer and prevent the crash.
Related: bug 285747, bug 237345
REVIEW: 105000

M  +1    -4    kwin/client.cpp
M  +3    -3    kwin/client.h
M  +40   -28   kwin/tabbox/clientmodel.cpp
M  +1    -1    kwin/tabbox/clientmodel.h
M  +26   -14   kwin/tabbox/tabbox.cpp
M  +4    -4    kwin/tabbox/tabbox.h
M  +28   -6    kwin/tabbox/tabboxhandler.cpp
M  +6    -6    kwin/tabbox/tabboxhandler.h

http://commits.kde.org/kde-workspace/05a3420175c88c7a106a245071d4bb3a75694e00
Comment 19 Martin Flöser 2012-05-22 16:43:39 UTC 
unfortunately backporting to 4.8 results in too many merge conflicts, so it's just a fix in 4.9
Comment 20 Sendil 2012-05-23 04:52:22 UTC 
The reproducible steps, is that by writing a small test application. Or it relates to multiple-tabs in the APPLICATION kwin's titlebar (by grouping applications)?

Hope I did not sound very silly in this question !!
Comment 21 Martin Flöser 2012-05-29 05:55:23 UTC 
Git commit 19c0fa5abd90a46de2ef6949a15de31111f930f4 by Martin Gräßlin.
Committed on 20/05/2012 at 15:52.
Pushed by graesslin into branch 'KDE/4.8'.

Use smart pointers to protect access to TabBoxClient

Client holds a SharedPointer to the TabBoxClient and only
provides access to a WeakPointer which is passed to TabBox.
ClientModel is adjusted to hold a list of WeakPointers instead
of the direct pointers.

This fixes the following reproducable crash:
1. Configure both primary and secondary TabBox with different
   layouts
2. Use primary TabBox
3. Close a window, best the one which used to be active
4. Use secondary TabBox
-> Crash

The reason is that the ClientModel still contains the pointer
to the deleted TabBoxClient in step 3 and while creating the
layout access to the TabBoxClient is needed to get the Client's
icon.

By using the weak pointer it can be ensured that we don't try
to dereference the deleted pointer and prevent the crash.

Cherry-Picked from 05a3420175c88c7a106a245071d4bb3a75694e00
Related: bug 285747, bug 237345
FIXED-IN: 4.8.4
REVIEW: 105000
REVIEW: 105069

M  +1    -4    kwin/client.cpp
M  +3    -3    kwin/client.h
M  +31   -22   kwin/tabbox/clientmodel.cpp
M  +1    -1    kwin/tabbox/clientmodel.h
M  +4    -2    kwin/tabbox/desktopitemdelegate.cpp
M  +19   -12   kwin/tabbox/tabbox.cpp
M  +4    -4    kwin/tabbox/tabbox.h
M  +28   -6    kwin/tabbox/tabboxhandler.cpp
M  +6    -6    kwin/tabbox/tabboxhandler.h

http://commits.kde.org/kde-workspace/19c0fa5abd90a46de2ef6949a15de31111f930f4