Bug 408971 - Closing konsole with two tabs open in Plasma on Wayland led to segmentation faults and invalid reads/writes
Summary: Closing konsole with two tabs open in Plasma on Wayland led to segmentation f...
Status: RESOLVED DUPLICATE of bug 390151
Alias: None
Product: konsole
Classification: Applications
Component: general (show other bugs)
Version: 19.04.2
Platform: Fedora RPMs Linux
Importance: NOR crash
Target Milestone: ---
Assignee: Konsole Developer
URL: https://bugzilla.redhat.com/show_bug....
Keywords:
Depends on:
Blocks:
 
Reported: 2019-06-21 02:51 UTC by Matt Fagnani
Modified: 2019-07-16 10:58 UTC (History)
CC List: 0 users

See Also:
Latest Commit:
Version Fixed In:
Sentry Crash Report:


Attachments
valgrind run on konsole with two tabs open showing invalid reads and writes after closing (80.29 KB, text/plain)
2019-06-21 02:51 UTC, Matt Fagnani

Description Matt Fagnani 2019-06-21 02:51:55 UTC
Created attachment 121046 [details]
valgrind run on konsole with two tabs open showing invalid reads and writes after closing

SUMMARY

I closed konsole 19.04.2-1.fc30 with two tabs open in Plasma on Wayland. drkonqi showed a segmentation fault each time, but drkonqi didn't allow the trace to be submitted. When I ran konsole under gdb, opened a second tab, and then closed konsole, I got the following segmentation fault in wl_map_insert_at at wayland-util.c:247 of libwayland-client, with more detailed information.

Thread 1 "konsole" received signal SIGSEGV, Segmentation fault.
0x00007fffe5466251 in wl_map_insert_at (map=<optimized out>, flags=flags@entry=1, i=80, 
    data=data@entry=0x0) at src/wayland-util.c:247
247             start[i].next |= (flags & 0x1) << 1;


(gdb) thread apply all bt full

Thread 2 (Thread 0x7fffe4442700 (LWP 2248)):
#0  0x00007ffff7e915c7 in __GI___poll (fds=0x7fffdc005260, nfds=2, timeout=-1) at ../sysdeps/unix/sysv/linux/poll.c:29
        resultvar = 18446744073709551100
        sc_cancel_oldtype = 0
        sc_ret = <optimized out>
#1  0x00007ffff4be51de in g_main_context_poll (priority=<optimized out>, n_fds=2, fds=0x7fffdc005260, timeout=<optimized out>, context=0x7fffdc000bf0) at ../glib/gmain.c:4228
        ret = <optimized out>
        errsv = <optimized out>
        poll_func = 0x7ffff4bf4d50 <g_poll>
        poll_func = <optimized out>
        ret = <optimized out>
        errsv = <optimized out>
#2  g_main_context_iterate (context=context@entry=0x7fffdc000bf0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:3922
        max_priority = 2147483647
        timeout = -1
        some_ready = <optimized out>
        nfds = 2
        allocated_nfds = <optimized out>
        fds = 0x7fffdc005260
#3  0x00007ffff4be5313 in g_main_context_iteration (context=0x7fffdc000bf0, may_block=may_block@entry=1) at ../glib/gmain.c:3988
        retval = <optimized out>
#4  0x00007ffff670e3f5 in QEventDispatcherGlib::processEvents (this=0x7fffdc000b20, flags=...) at kernel/qeventdispatcher_glib.cpp:422
        d = 0x7fffdc000b40
        canWait = true
        savedFlags = {i = 0}
        result = <optimized out>
#5  0x00007ffff66b82bb in QEventLoop::exec (this=this@entry=0x7fffe4441d30, flags=..., flags@entry=...) at ../../include/QtCore/../../src/corelib/global/qflags.h:140
        d = 0x7fffdc003a00
        locker = {val = 93824992564160}
        ref = {d = 0x7fffdc003a00, locker = @0x7fffe4441cb8, exceptionCaught = true}
        app = <optimized out>
#6  0x00007ffff6511675 in QThread::exec (this=this@entry=0x7ffff5c84060 <(anonymous namespace)::Q_QGS__q_manager::innerFunction()::holder>) at ../../include/QtCore/../../src/corelib/global/qflags.h:120
        d = 0x5555555a5350
        locker = {val = 93824992564160}
        eventLoop = {<QObject> = {_vptr.QObject = 0x7ffff6969a28 <vtable for QEventLoop+16>, static staticMetaObject = {d = {superdata = 0x0, stringdata = 0x7ffff6858e20 <qt_meta_stringdata_QObject>, data = 0x7ffff6858d00 <qt_meta_data_QObject>, static_metacall = 0x7ffff66eb810 <QObject::qt_static_metacall(QObject*, QMetaObject::Call, int, void**)>, relatedMetaObjects = 0x0, extradata = 0x0}}, d_ptr = {d = 0x7fffdc003a00}, static staticQtMetaObject = {d = {superdata = 0x0, stringdata = 0x7ffff685bd40 <qt_meta_stringdata_Qt>, data = 0x7ffff6858f40 <qt_meta_data_Qt>, static_metacall = 0x0, relatedMetaObjects = 0x0, extradata = 0x0}}}, static staticMetaObject = {d = {superdata = 0x7ffff6961fe0 <QObject::staticMetaObject>, stringdata = 0x7ffff6853260 <qt_meta_stringdata_QEventLoop>, data = 0x7ffff6853200 <qt_meta_data_QEventLoop>, static_metacall = 0x7ffff66b7fd0 <QEventLoop::qt_static_metacall(QObject*, QMetaObject::Call, int, void**)>, relatedMetaObjects = 0x0, extradata = 0x0}}}
        returnCode = <optimized out>
#7  0x00007ffff5c00f4a in QDBusConnectionManager::run (this=0x7ffff5c84060 <(anonymous namespace)::Q_QGS__q_manager::innerFunction()::holder>) at qdbusconnection.cpp:178
        locker = <optimized out>
#8  0x00007ffff65127c6 in QThreadPrivate::start (arg=0x7ffff5c84060 <(anonymous namespace)::Q_QGS__q_manager::innerFunction()::holder>) at thread/qthread_unix.cpp:361
        thr = 0x7ffff5c84060 <(anonymous namespace)::Q_QGS__q_manager::innerFunction()::holder>
        data = <optimized out>
        __clframe = {__cancel_routine = 0x7ffff6511f00 <QThreadPrivate::finish(void*)>, __cancel_arg = 0x7ffff5c84060 <(anonymous namespace)::Q_QGS__q_manager::innerFunction()::holder>, __do_it = 1, __cancel_type = <optimized out>}
#9  0x00007ffff54bd5a2 in start_thread (arg=<optimized out>) at pthread_create.c:486
        ret = <optimized out>
        pd = <optimized out>
        now = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140737023059712, -7425004005232201654, 140737488345070, 140737488345071, 140737488345264, 140737023057600, 7424991827868528714, 7425024725548150858}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
#10 0x00007ffff7e9c303 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
No locals.

Thread 1 (Thread 0x7ffff2530200 (LWP 2244)):
#0  0x00007fffe5466251 in wl_map_insert_at (map=<optimized out>, flags=flags@entry=1, i=80, data=data@entry=0x0) at src/wayland-util.c:247
        start = 0x4
        count = <optimized out>
        entries = 0x55555557dbc8
#1  0x00007fffe5462152 in proxy_destroy (proxy=0x555555d49b20) at src/wayland-client.c:502
        zombie = 0x0
#2  wl_proxy_destroy (proxy=proxy@entry=0x555555d49b20) at src/wayland-client.c:533
        display = 0x55555557db50
#3  0x00007fffe519de77 in org_kde_plasma_window_destroy (org_kde_plasma_window=0x555555d49b20) at /usr/src/debug/kf5-kwayland-5.59.0-1.fc30.x86_64/x86_64-redhat-linux-gnu/src/client/wayland-plasma-window-management-client-protocol.h:694
No locals.
#4  KWayland::Client::WaylandPointer<org_kde_plasma_window, org_kde_plasma_window_destroy>::release (this=0x555555d49670, this=0x555555d49670) at /usr/src/debug/kf5-kwayland-5.59.0-1.fc30.x86_64/src/client/wayland_pointer_p.h:53
No locals.
#5  KWayland::Client::PlasmaWindow::release (this=this@entry=0x555555d49b70) at /usr/src/debug/kf5-kwayland-5.59.0-1.fc30.x86_64/src/client/plasmawindowmanagement.cpp:787
No locals.
#6  0x00007fffe519de9f in KWayland::Client::PlasmaWindow::~PlasmaWindow (this=0x555555d49b70, __in_chrg=<optimized out>) at /usr/src/debug/kf5-kwayland-5.59.0-1.fc30.x86_64/src/client/plasmawindowmanagement.cpp:777
No locals.
#7  0x00007fffe519dfdd in KWayland::Client::PlasmaWindow::~PlasmaWindow (this=0x555555d49b70, __in_chrg=<optimized out>) at /usr/src/debug/kf5-kwayland-5.59.0-1.fc30.x86_64/src/client/plasmawindowmanagement.cpp:775
No locals.
#8  0x00007ffff66ea54c in QObjectPrivate::deleteChildren (this=this@entry=0x555555a55210) at kernel/qobject.cpp:2006
        i = 0
#9  0x00007ffff66eb49f in QObject::~QObject (this=<optimized out>, __in_chrg=<optimized out>) at kernel/qobject.cpp:1032
        d = <optimized out>
        sharedRefcount = <optimized out>
        d = <optimized out>
        sharedRefcount = <optimized out>
        signalSlotMutex = <optimized out>
        locker = <optimized out>
        node = <optimized out>
        connectionListsCount = <optimized out>
        signal = <optimized out>
        connectionList = <optimized out>
        c = <optimized out>
        m = <optimized out>
        needToUnlock = <optimized out>
        sender = <optimized out>
        m = <optimized out>
        needToUnlock = <optimized out>
        senderLists = <optimized out>
        slotObj = <optimized out>
#10 0x00007fffe519e77d in KWayland::Client::PlasmaWindowManagement::~PlasmaWindowManagement (this=0x555555b8cce0, __in_chrg=<optimized out>) at /usr/src/debug/kf5-kwayland-5.59.0-1.fc30.x86_64/src/client/plasmawindowmanagement.cpp:255
No locals.
#11 0x00007ffff66ea54c in QObjectPrivate::deleteChildren (this=this@entry=0x555555ae2bc0) at kernel/qobject.cpp:2006
        i = 4
#12 0x00007ffff66eb49f in QObject::~QObject (this=<optimized out>, __in_chrg=<optimized out>) at kernel/qobject.cpp:1032
        d = <optimized out>
        sharedRefcount = <optimized out>
        d = <optimized out>
        sharedRefcount = <optimized out>
        signalSlotMutex = <optimized out>
        locker = <optimized out>
        node = <optimized out>
        connectionListsCount = <optimized out>
        signal = <optimized out>
        connectionList = <optimized out>
        c = <optimized out>
        m = <optimized out>
        needToUnlock = <optimized out>
        sender = <optimized out>
        m = <optimized out>
        needToUnlock = <optimized out>
        senderLists = <optimized out>
        slotObj = <optimized out>
#13 0x00007fffe3226387 in WaylandIntegration::~WaylandIntegration (this=<optimized out>, __in_chrg=<optimized out>) at /usr/src/debug/kwayland-integration-5.15.5-1.fc30.x86_64/src/windowsystem/waylandintegration.cpp:54
No locals.
#14 WaylandIntegrationSingleton::~WaylandIntegrationSingleton (this=<optimized out>, __in_chrg=<optimized out>) at /usr/src/debug/kwayland-integration-5.15.5-1.fc30.x86_64/src/windowsystem/waylandintegration.cpp:40
No locals.
#15 (anonymous namespace)::Q_QGS_privateWaylandIntegrationSelf::Holder::~Holder (this=<optimized out>, __in_chrg=<optimized out>) at /usr/src/debug/kwayland-integration-5.15.5-1.fc30.x86_64/src/windowsystem/waylandintegration.cpp:46
No locals.
#16 0x00007ffff7ddb670 in __run_exit_handlers (status=0, listp=0x7ffff7f61738 <__exit_funcs>, run_list_atexit=run_list_atexit@entry=true, run_dtors=run_dtors@entry=true) at exit.c:108
        atfct = <optimized out>
        onfct = <optimized out>
        cxafct = <optimized out>
        f = <optimized out>
        new_exitfn_called = 2017
        cur = 0x555555af32e0
#17 0x00007ffff7ddb7b0 in __GI_exit (status=<optimized out>) at exit.c:139
No locals.
#18 0x00007ffff7dc4f3a in __libc_start_main (main=0x555555555070 <main>, argc=1, argv=0x7fffffffddd8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffddc8) at ../csu/libc-start.c:342
        result = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, 3629827189853663306, 93824992235648, 140737488346576, 0, 0, 7425004006348959818, 7425021310155501642}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x7fffffffdde8, 0x7ffff7ffe150}, data = {prev = 0x0, cleanup = 0x0, canceltype = -8728}}}
        not_first_call = <optimized out>
#19 0x00005555555550ae in _start ()
No symbol table info available.

The pointer start = 0x4 in wl_map_insert_at appeared to be invalid, and start[i] pointed to an inaccessible address 0x284.

(gdb) p start
$1 = (union map_entry *) 0x4
(gdb) p start[i]
Cannot access memory at address 0x284
(gdb) p start[i].next
Cannot access memory at address 0x284

wl_map_insert_at was as follows.

224     int
225     wl_map_insert_at(struct wl_map *map, uint32_t flags, uint32_t i, void *data)
226     {
227             union map_entry *start;
228             uint32_t count;
229             struct wl_array *entries;
230
231             if (i < WL_SERVER_ID_START) {
232                     entries = &map->client_entries;
233             } else {
234                     entries = &map->server_entries;
235                     i -= WL_SERVER_ID_START;
236             }
237
238             count = entries->size / sizeof *start;
239             if (count < i)
240                     return -1;
241
242             if (count == i)
243                     wl_array_add(entries, sizeof *start);
244
245             start = entries->data;
246             start[i].data = data;
247             start[i].next |= (flags & 0x1) << 1;
248
249             return 0;
250     }


I ran valgrind --log-file=valgrind-konsole-wayland-2.txt konsole & (in konsole), opened a second tab, and closed konsole. valgrind's log showed 21 invalid reads and writes starting at wl_proxy_unref (wayland-client.c:229). 20 of those invalid reads/writes seemed to be use-after-free errors, since they contained lines like "Address 0xa48852c is 44 bytes inside a block of size 72 free'd".

==2387== Invalid read of size 4
==2387==    at 0x177ABBB4: wl_proxy_unref (wayland-client.c:229)
==2387==    by 0x177ABCB3: destroy_queued_closure (wayland-client.c:291)
==2387==    by 0x177ABEC7: dispatch_event.isra.0 (wayland-client.c:1436)
==2387==    by 0x177AD46B: dispatch_queue (wayland-client.c:1576)
==2387==    by 0x177AD46B: wl_display_dispatch_queue_pending (wayland-client.c:1818)
==2387==    by 0x177AD8AA: wl_display_roundtrip_queue (wayland-client.c:1241)
==2387==    by 0x17A7BB73: KWayland::Client::ConnectionThread::roundtrip() (connection_thread.cpp:290)
==2387==    by 0x178AE189: KWaylandIntegration::init() (kwaylandintegration.cpp:74)
==2387==    by 0x178940C0: KdePlatformTheme::KdePlatformTheme() (kdeplatformtheme.cpp:84)
==2387==    by 0x178B0DFA: KdePlatformThemePlugin::create(QString const&, QStringList const&) (main.cpp:37)
==2387==    by 0x5A781B8: QPlatformTheme* qLoadPlugin<QPlatformTheme, QPlatformThemePlugin, QStringList&>(QFactoryLoader const*, QString const&, QStringList&) (qfactoryloader_p.h:108)
==2387==    by 0x5A77B55: QPlatformThemeFactory::create(QString const&, QString const&) (qplatformthemefactory.cpp:73)
==2387==    by 0x5A813FF: init_platform (qguiapplication.cpp:1239)
==2387==    by 0x5A813FF: QGuiApplicationPrivate::createPlatformIntegration() (qguiapplication.cpp:1384)
==2387==  Address 0xa48852c is 44 bytes inside a block of size 72 free'd
==2387==    at 0x4839A0C: free (vg_replace_malloc.c:540)
==2387==    by 0x17A92C14: destroy (wayland_pointer_p.h:63)
==2387==    by 0x17A92C14: KWayland::Client::Registry::Private::globalSync(void*, wl_callback*, unsigned int) (registry.cpp:539)
==2387==    by 0x485CB27: ffi_call_unix64 (in /usr/lib64/libffi.so.6.0.2)
==2387==    by 0x485C338: ffi_call (in /usr/lib64/libffi.so.6.0.2)
==2387==    by 0x177AF606: wl_closure_invoke (connection.c:1014)
==2387==    by 0x177ABF17: dispatch_event.isra.0 (wayland-client.c:1430)
==2387==    by 0x177AD46B: dispatch_queue (wayland-client.c:1576)
==2387==    by 0x177AD46B: wl_display_dispatch_queue_pending (wayland-client.c:1818)
==2387==    by 0x177AD8AA: wl_display_roundtrip_queue (wayland-client.c:1241)
==2387==    by 0x17A7BB73: KWayland::Client::ConnectionThread::roundtrip() (connection_thread.cpp:290)
==2387==    by 0x178AE189: KWaylandIntegration::init() (kwaylandintegration.cpp:74)
==2387==    by 0x178940C0: KdePlatformTheme::KdePlatformTheme() (kdeplatformtheme.cpp:84)
==2387==    by 0x178B0DFA: KdePlatformThemePlugin::create(QString const&, QStringList const&) (main.cpp:37)
==2387==  Block was alloc'd at
==2387==    at 0x483AB1A: calloc (vg_replace_malloc.c:762)
==2387==    by 0x177ABD42: UnknownInlinedFun (wayland-private.h:236)
==2387==    by 0x177ABD42: proxy_create.isra.0 (wayland-client.c:421)
==2387==    by 0x177AC42B: create_outgoing_proxy (wayland-client.c:650)
==2387==    by 0x177AC42B: wl_proxy_marshal_array_constructor_versioned (wayland-client.c:735)
==2387==    by 0x177AC782: wl_proxy_marshal_constructor (wayland-client.c:824)
==2387==    by 0x17A930BD: wl_display_sync (wayland-client-protocol.h:958)
==2387==    by 0x17A930BD: KWayland::Client::Registry::create(wl_display*) (registry.cpp:470)
==2387==    by 0x17A9313A: KWayland::Client::Registry::create(KWayland::Client::ConnectionThread*) (registry.cpp:479)
==2387==    by 0x178AE10D: KWaylandIntegration::init() (kwaylandintegration.cpp:56)
==2387==    by 0x178940C0: KdePlatformTheme::KdePlatformTheme() (kdeplatformtheme.cpp:84)
==2387==    by 0x178B0DFA: KdePlatformThemePlugin::create(QString const&, QStringList const&) (main.cpp:37)
==2387==    by 0x5A781B8: QPlatformTheme* qLoadPlugin<QPlatformTheme, QPlatformThemePlugin, QStringList&>(QFactoryLoader const*, QString const&, QStringList&) (qfactoryloader_p.h:108)
==2387==    by 0x5A77B55: QPlatformThemeFactory::create(QString const&, QString const&) (qplatformthemefactory.cpp:73)
==2387==    by 0x5A813FF: init_platform (qguiapplication.cpp:1239)
==2387==    by 0x5A813FF: QGuiApplicationPrivate::createPlatformIntegration() (qguiapplication.cpp:1384)


One invalid write in wl_map_insert_at (wayland-util.c:247) at 0x284, the address start[i] pointed to as mentioned above, showed up later in the valgrind log.

==2387== Invalid write of size 8
==2387==    at 0x177B0251: wl_map_insert_at (wayland-util.c:247)
==2387==    by 0x177AC151: proxy_destroy (wayland-client.c:502)
==2387==    by 0x177AC151: wl_proxy_destroy (wayland-client.c:533)
==2387==    by 0x17A8CE76: org_kde_plasma_window_destroy (wayland-plasma-window-management-client-protocol.h:694)
==2387==    by 0x17A8CE76: release (wayland_pointer_p.h:53)
==2387==    by 0x17A8CE76: KWayland::Client::PlasmaWindow::release() (plasmawindowmanagement.cpp:787)
==2387==    by 0x17A8CE9E: KWayland::Client::PlasmaWindow::~PlasmaWindow() (plasmawindowmanagement.cpp:777)
==2387==    by 0x17A8CFDC: KWayland::Client::PlasmaWindow::~PlasmaWindow() (plasmawindowmanagement.cpp:778)
==2387==    by 0x613654B: QObjectPrivate::deleteChildren() (qobject.cpp:2006)
==2387==    by 0x613749E: QObject::~QObject() (qobject.cpp:1032)
==2387==    by 0x17A8D77C: KWayland::Client::PlasmaWindowManagement::~PlasmaWindowManagement() (plasmawindowmanagement.cpp:258)
==2387==    by 0x613654B: QObjectPrivate::deleteChildren() (qobject.cpp:2006)
==2387==    by 0x613749E: QObject::~QObject() (qobject.cpp:1032)
==2387==    by 0x1A1E7386: (anonymous namespace)::Q_QGS_privateWaylandIntegrationSelf::innerFunction()::Holder::~Holder() (waylandintegration.cpp:54)
==2387==    by 0x48E666F: __run_exit_handlers (exit.c:108)
==2387==  Address 0x284 is not stack'd, malloc'd or (recently) free'd


The invalid reads/writes might have led to memory corruption which ended with the segmentation faults. I'll attach the full valgrind log.


STEPS TO REPRODUCE
1. Install Fedora 30 Plasma spin
2. boot into Plasma spin
3. start Plasma on Wayland from sddm
4. sudo dnf upgrade --refresh --enablerepo=updates-testing
5. reboot
6. start Plasma on Wayland from sddm
7. start konsole
8. open a second tab in konsole
9. close konsole by clicking x at the top right then answering yes
10. start konsole
11. gdb konsole
12. r (in gdb)
13. open a second tab in konsole running in gdb
14. close the konsole running in gdb as above
15. thread apply all bt full (in gdb)
16. q (in gdb)
17. valgrind --log-file=valgrind-konsole-wayland-2.txt konsole & (in konsole)
18. open a second tab in konsole running under valgrind
19. close konsole running under valgrind
20. read valgrind-konsole-wayland-2.txt

OBSERVED RESULT

Closing konsole with two tabs open in Plasma on Wayland led to segmentation faults and invalid reads/writes. The segmentation faults have happened each of the few times I've closed konsole with two tabs open.


EXPECTED RESULT

No crashes of konsole.

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: Fedora 30, 5.1.12 kernel
(available in About System)
KDE Plasma Version: 5.15.5
KDE Frameworks Version: 5.59.0
Qt Version: 5.12.1

kf5-kwayland-0:5.59.0-1.fc30.x86_64
konsole5-0:19.04.2-1.fc30.x86_64
libwayland-client-0:1.17.0-1.fc30.x86_64
plasma-desktop-0:5.15.5-1.fc30.x86_64
qt5-qtbase-0:5.12.1-7.fc30.x86_64

ADDITIONAL INFORMATION

I first saw these crashes with konsole-18.12.3-2.fc30 and kf5-kwayland-5.58.0-1.fc30. The crashes didn't happen when only one tab was opened or in Plasma on X.

The following reports have segmentation faults in konsole with similar traces
https://bugs.kde.org/show_bug.cgi?id=394484
https://bugs.kde.org/show_bug.cgi?id=385633

The report at https://bugs.kde.org/show_bug.cgi?id=390151 has many similar traces in programs like systemsettings.

The segmentation faults in powerdevil when logging out of Plasma on Wayland I reported at https://bugzilla.redhat.com/show_bug.cgi?id=1713467#c15 also had invalid reads/writes starting in wl_proxy_unref (wayland-client.c:229). I have seen crashes in akonadi_sendlater_agent and kglobalaccel5 with invalid reads/writes starting in wl_proxy_unref (wayland-client.c:229) which I have not reported elsewhere yet in full. These use-after-free errors involving libwayland-client, kf5-kwayland, and other packages might be involved in those and other crashes when closing KDE programs on Wayland.
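The triage done by hand in the report above (counting the invalid reads/writes and checking which ones say "inside a block of size N free'd") can be scripted. This is an added example, not code from the report or from the konsole, KWayland or libwayland projects: it parses memcheck output in the format quoted above and classifies each error as a use-after-free or a wild access to unmapped memory, grouping them by the frame that faulted. The log excerpt is constructed from the lines quoted in the report.

```python
"""Triage a valgrind memcheck log: count Invalid read/write errors, flag the
ones whose address lies inside a freed block (use-after-free), and group
them by faulting frame. Added example; the sample log is constructed from
the report's quoted excerpt."""
import re
from collections import Counter

# Constructed sample log, abbreviated from the report's valgrind excerpt.
SAMPLE_LOG = """\
==2387== Invalid read of size 4
==2387==    at 0x177ABBB4: wl_proxy_unref (wayland-client.c:229)
==2387==    by 0x177ABCB3: destroy_queued_closure (wayland-client.c:291)
==2387==  Address 0xa48852c is 44 bytes inside a block of size 72 free'd
==2387==    at 0x4839A0C: free (vg_replace_malloc.c:540)
==2387==  Block was alloc'd at
==2387==    at 0x483AB1A: calloc (vg_replace_malloc.c:762)
==2387==
==2387== Invalid write of size 8
==2387==    at 0x177B0251: wl_map_insert_at (wayland-util.c:247)
==2387==    by 0x177AC151: proxy_destroy (wayland-client.c:502)
==2387==  Address 0x284 is not stack'd, malloc'd or (recently) free'd
==2387==
"""

ERROR_RE = re.compile(r"^==\d+== Invalid (read|write) of size (\d+)$")
# Greedy match up to the last " (" so C++ signatures with parentheses survive.
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (.+) \(")
ADDR_RE = re.compile(r"^==\d+==\s+Address (0x[0-9a-fA-F]+) (.*)$")


def parse_valgrind(log):
    """Return one dict per Invalid read/write error in the log."""
    errors = []
    cur = None
    for line in log.splitlines():
        m = ERROR_RE.match(line)
        if m:
            cur = {"kind": m.group(1), "size": int(m.group(2)),
                   "frame": None, "addr": None, "uaf": False}
            errors.append(cur)
            continue
        if cur is None:
            continue
        m = FRAME_RE.match(line)
        if m and cur["frame"] is None:
            cur["frame"] = m.group(1)  # first frame is where the access faulted
            continue
        m = ADDR_RE.match(line)
        if m and cur["addr"] is None:
            cur["addr"] = int(m.group(1), 16)
            rest = m.group(2)
            # "is N bytes inside a block of size M free'd" marks a use-after-free;
            # "not stack'd, malloc'd or (recently) free'd" is a wild address.
            cur["uaf"] = "inside a block" in rest and rest.endswith("free'd")
    return errors


def summarize(errors):
    """Counts the report needs: total, use-after-free, wild, and by frame."""
    return {
        "total": len(errors),
        "use_after_free": sum(1 for e in errors if e["uaf"]),
        "wild": sum(1 for e in errors if not e["uaf"]),
        "by_frame": Counter(e["frame"] for e in errors),
    }


if __name__ == "__main__":
    print(summarize(parse_valgrind(SAMPLE_LOG)))
```

Run it against the full valgrind-konsole-wayland-2.txt to get the 21/20 split the report quotes without counting by hand.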
Comment 1 Christoph Feck 2019-07-16 10:58:09 UTC

*** This bug has been marked as a duplicate of bug 390151 ***