Bug 385372 - Crash when changing compositing backend
Summary: Crash when changing compositing backend
Status: RESOLVED FIXED
Alias: None
Product: kwin
Classification: Plasma
Component: platform-drm (show other bugs)
Version: git master
Platform: Other Linux
: NOR crash
Target Milestone: ---
Assignee: KWin default assignee
URL: https://phabricator.kde.org/D8152
Keywords:
Depends on:
Blocks:
 
Reported: 2017-10-04 19:32 UTC by Martin Flöser
Modified: 2017-10-09 19:05 UTC (History)
1 user (show)

See Also:
Latest Commit: https://commits.kde.org/kwin/47343fb8f75909f6491c0534004df56ee1e53737
Version Fixed In: 5.11.0
Sentry Crash Report:
mgraesslin: Wayland+
mgraesslin: X11-
mgraesslin: ReviewRequest+

Attachments
Add an attachment

Note You need to log in before you can comment on or make changes to this bug.
Description Martin Flöser 2017-10-04 19:32:40 UTC 
Thread 1 "kwin_wayland" received signal SIGSEGV, Segmentation fault.
0x0000000000730065 in ?? ()
(gdb) bt
#0  0x0000000000730065 in  ()
#1  0x00007fb94a376c7a in KWin::DrmSurfaceBuffer::releaseGbm() (this=0x5611037230a0) at /home/martin/src/kf5/kde/workspace/kwin/plugins/platforms/drm/drm_buffer_gbm.cpp:64
#2  0x00007fb94a376c06 in KWin::DrmSurfaceBuffer::~DrmSurfaceBuffer() (this=0x5611037230a0, __in_chrg=<optimized out>)
    at /home/martin/src/kf5/kde/workspace/kwin/plugins/platforms/drm/drm_buffer_gbm.cpp:58
#3  0x00007fb94a376c32 in KWin::DrmSurfaceBuffer::~DrmSurfaceBuffer() (this=0x5611037230a0, __in_chrg=<optimized out>)
    at /home/martin/src/kf5/kde/workspace/kwin/plugins/platforms/drm/drm_buffer_gbm.cpp:59
#4  0x00007fb94a36297f in KWin::DrmPlane::flipBufferWithDelete() (this=0x5611035bd340) at /home/martin/src/kf5/kde/workspace/kwin/plugins/platforms/drm/drm_object_plane.cpp:146
#5  0x00007fb94a366c6d in KWin::DrmOutput::pageFlipped() (this=0x5611035c1b40) at /home/martin/src/kf5/kde/workspace/kwin/plugins/platforms/drm/drm_output.cpp:741
#6  0x00007fb94a34cb20 in KWin::DrmBackend::pageFlipHandler(int, unsigned int, unsigned int, unsigned int, void*) (fd=40, frame=2354045, sec=39257, usec=793270, data=0x5611035c1b40)
    at /home/martin/src/kf5/kde/workspace/kwin/plugins/platforms/drm/drm_backend.cpp:217
#7  0x00007fb952436b7c in drmHandleEvent () at /usr/lib/x86_64-linux-gnu/libdrm.so.2
#8  0x00007fb94a34cbf1 in KWin::DrmBackend::<lambda()>::operator()(void) const (__closure=0x56110356aa50)
    at /home/martin/src/kf5/kde/workspace/kwin/plugins/platforms/drm/drm_backend.cpp:259
#9  0x00007fb94a352883 in QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, KWin::DrmBackend::openDrm()::<lambda()> >::call(KWin::DrmBackend::<lambda()> &, void **) (f=..., arg=0x7ffc291d8a70) at /usr/include/x86_64-linux-gnu/qt5/QtCore/qobjectdefs_impl.h:130
#10 0x00007fb94a351dce in QtPrivate::Functor<KWin::DrmBackend::openDrm()::<lambda()>, 0>::call<QtPrivate::List<>, void>(KWin::DrmBackend::<lambda()> &, void *, void **) (f=..., arg=0x7ffc291d8a70) at /usr/include/x86_64-linux-gnu/qt5/QtCore/qobjectdefs_impl.h:240
#11 0x00007fb94a350f8e in QtPrivate::QFunctorSlotObject<KWin::DrmBackend::openDrm()::<lambda()>, 0, QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase *, QObject *, void **, bool *) (which=1, this_=0x56110356aa40, r=0x561103472dc0, a=0x7ffc291d8a70, ret=0x0) at /usr/include/x86_64-linux-gnu/qt5/QtCore/qobject_impl.h:168
#12 0x00007fb95d15e97f in QtPrivate::QSlotObjectBase::call(QObject*, void**) (a=0x7ffc291d8a70, r=0x561103472dc0, this=0x56110356aa40)
    at ../../include/QtCore/../../src/corelib/kernel/qobject_impl.h:101
#13 0x00007fb95d15e97f in QMetaObject::activate(QObject*, int, int, void**) (sender=sender@entry=0x56110356aa20, signalOffset=<optimized out>, local_signal_index=local_signal_index@entry=0, argv=argv@entry=0x7ffc291d8a70) at kernel/qobject.cpp:3749
#14 0x00007fb95d15ef37 in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (sender=sender@entry=0x56110356aa20, m=m@entry=0x7fb95d5e7d60 <QSocketNotifier::staticMetaObject>, local_signal_index=local_signal_index@entry=0, argv=argv@entry=0x7ffc291d8a70) at kernel/qobject.cpp:3628
#15 0x00007fb95d16ad48 in QSocketNotifier::activated(int, QSocketNotifier::QPrivateSignal) (this=this@entry=0x56110356aa20, _t1=<optimized out>, _t2=...)
---Type <return> to continue, or q <return> to quit---
    at .moc/moc_qsocketnotifier.cpp:137
#16 0x00007fb95d16b112 in QSocketNotifier::event(QEvent*) (this=0x56110356aa20, e=0x7ffc291d8ce0) at kernel/qsocketnotifier.cpp:266
#17 0x00007fb95e0ae46c in QApplicationPrivate::notify_helper(QObject*, QEvent*) () at /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#18 0x00007fb95e0b5d34 in QApplication::notify(QObject*, QEvent*) () at /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#19 0x00007fb95d12fd68 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (receiver=receiver@entry=0x56110356aa20, event=event@entry=0x7ffc291d8ce0)
    at kernel/qcoreapplication.cpp:1018
#20 0x00007fb95d185498 in QCoreApplication::sendEvent(QObject*, QEvent*) (event=0x7ffc291d8ce0, receiver=<optimized out>)
    at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:233
#21 0x00007fb95d185498 in QEventDispatcherUNIXPrivate::activateSocketNotifiers() (this=this@entry=0x56110342e7f0) at kernel/qeventdispatcher_unix.cpp:304
#22 0x00007fb95d185b18 in QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (this=<optimized out>, flags=...) at kernel/qeventdispatcher_unix.cpp:509
#23 0x00007fb94c6395fd in QUnixEventDispatcherQPA::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () at /opt/kf5/lib/x86_64-linux-gnu/plugins/platforms/KWinQpaPlugin.so
#24 0x00007fb95d12ddba in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (this=this@entry=0x7ffc291d8e90, flags=..., flags@entry=...) at kernel/qeventloop.cpp:212
#25 0x00007fb95d136d24 in QCoreApplication::exec() () at kernel/qcoreapplication.cpp:1291
#26 0x0000561102b838e4 in main(int, char**) (argc=4, argv=0x7ffc291d97b8) at /home/martin/src/kf5/kde/workspace/kwin/main_wayland.cpp:818
Comment 1 Martin Flöser 2017-10-09 19:05:01 UTC 
Git commit 47343fb8f75909f6491c0534004df56ee1e53737 by Martin Flöser.
Committed on 05/10/2017 at 19:32.
Pushed by graesslin into branch 'Plasma/5.11'.

[platforms/drm] Use a shared pointer for gbm_surface

Summary:
The gbm_surface is owned by the EglGbmBackend, but it's not the only one
using it. The DrmSurfaceBuffer is also using it and needs it to destroy
the gbm_bo. Now this can become a problem in the following situation:

* a page flip is still pending
* the EglGbmBackend destroys the gbm_surface

-> when the page flip happens the DrmSurfaceBuffer will try to destroy
the gbm_bo and crash as the gbm_surface is no longer valid. This
situation can happen when switching screens or when switching compositing
backend (OpenGL 2 -> OpenGL 3).

To address this problem a class GbmSurface is added which wrapps the
gbm_surface pointer. The EglGbmBackend creates and holds a shared pointer
to the GbmSurface and passes that one to the DrmSurfaceBuffer. So when
cleaning up the gbm_surface only the shared pointer is reset and in case
the DrmSurfaceBuffer still needs it, it can access it without problems.
FIXED-IN: 5.11.0

Test Plan: Not yet

Reviewers: #kwin, #plasma, subdiff

Subscribers: plasma-devel, kwin

Tags: #kwin

Differential Revision: https://phabricator.kde.org/D8152

M  +7    -0    autotests/CMakeLists.txt
A  +119  -0    autotests/test_gbm_surface.cpp     [License: GPL (v2)]
M  +1    -1    plugins/platforms/drm/CMakeLists.txt
M  +1    -1    plugins/platforms/drm/drm_backend.cpp
M  +4    -1    plugins/platforms/drm/drm_backend.h
M  +5    -6    plugins/platforms/drm/drm_buffer_gbm.cpp
M  +5    -3    plugins/platforms/drm/drm_buffer_gbm.h
M  +5    -6    plugins/platforms/drm/egl_gbm_backend.cpp
M  +4    -1    plugins/platforms/drm/egl_gbm_backend.h
C  +24   -30   plugins/platforms/drm/gbm_surface.cpp [from: plugins/platforms/drm/drm_buffer_gbm.h - 052% similarity]
C  +17   -23   plugins/platforms/drm/gbm_surface.h [from: plugins/platforms/drm/drm_buffer_gbm.h - 056% similarity]

https://commits.kde.org/kwin/47343fb8f75909f6491c0534004df56ee1e53737