Bug 409021 - Segmentation faults of plasmashell in wl_proxy_set_queue in libwayland-client in Plasma on Wayland
Summary: Segmentation faults of plasmashell in wl_proxy_set_queue in libwayland-client...
Status: RESOLVED FIXED
Alias: None
Product: plasmashell
Classification: Plasma
Component: generic-crash
Version: 5.19.4
Platform: Fedora RPMs Linux
Importance: NOR crash
Target Milestone: 1.0
Assignee: Plasma Bugs List
URL: https://bugzilla.redhat.com/show_bug....
Keywords: wayland
Duplicates: 398533 409326 410290 414486
Depends on:
Blocks:
 
Reported: 2019-06-22 04:36 UTC by Matt Fagnani
Modified: 2022-01-12 18:22 UTC (History)
CC List: 11 users

See Also:
Latest Commit:
Version Fixed In:


Attachments
trace of plasmashell segmentation fault in Plasma 5.15.5 on Wayland with Qt 5.12.4 (27.89 KB, text/plain)
2019-06-22 04:36 UTC, Matt Fagnani
valgrind run on plasmashell in Plasma 5.15.5 on Wayland with qt 5.12.4 showing invalid read and write and uninitialized value use (19.90 KB, text/plain)
2019-06-23 02:11 UTC, Matt Fagnani
ksplashqml segmentation fault trace from drkonqi when running plasmashell under valgrind on Plasma on Wayland with qt 5.12.4 (16.80 KB, text/plain)
2019-06-23 02:13 UTC, Matt Fagnani
New crash information added by DrKonqi (28.26 KB, text/plain)
2020-09-06 02:02 UTC, Matt Fagnani
New crash information added by DrKonqi (41.84 KB, text/plain)
2020-09-30 01:45 UTC, Matt Fagnani
New crash information added by DrKonqi (30.67 KB, text/plain)
2020-11-08 03:41 UTC, Matt Fagnani
New crash information added by DrKonqi (13.85 KB, text/plain)
2020-12-03 14:04 UTC, Willyanto

Description Matt Fagnani 2019-06-22 04:36:31 UTC
Created attachment 121069 [details]
trace of plasmashell segmentation fault in Plasma 5.15.5 on Wayland with Qt 5.12.4

SUMMARY

I saw segmentation faults of plasmashell in wl_proxy_set_queue at wayland-client.c:2094 in libwayland-client in Plasma 5.15.5 on Wayland with Qt 5.12.4 in Fedora 30. These crashes occurred on startup of one session, and once in another session. These crashes started right after I updated from Qt 5.12.1 to 5.12.4 from koji along with the dependent Plasma and KF5 rebuilds. drkonqi wouldn't allow me to submit the attached trace which had the following segmentation fault and crashing thread.

Application: Plasma (plasmashell), signal: Segmentation fault
Using host libthread_db library "/lib64/libthread_db.so.1".
futex_wait_cancelable (private=0, expected=0, futex_word=0x5653f336ece4) at ../sysdeps/unix/sysv/linux/futex-internal.h:88
88	  int err = lll_futex_timed_wait (futex_word, expected, NULL, private);
[Current thread is 1 (Thread 0x7f61ca7bbd00 (LWP 1499))]

Thread 22 (Thread 0x7f616a7f9700 (LWP 1746)):
[KCrash Handler]
#6  0x00007f61c81846f9 in wl_proxy_set_queue (proxy=0x0, queue=0x5653f2af0370) at src/wayland-client.c:2094
#7  0x00007f61b78f2b50 in QtWaylandClient::QWaylandWindow::waitForFrameSync (this=0x5653f3779360, timeout=100) at qwaylandwindow.cpp:646
#8  0x00007f61b4b4f022 in QtWaylandClient::QWaylandGLContext::swapBuffers (this=0x5653f361ac70, surface=<optimized out>) at ../../../../hardwareintegration/client/wayland-egl/qwaylandglcontext.cpp:566
#9  0x00007f61c8c98441 in QOpenGLContext::swapBuffers (this=0x5653f3930280, surface=<optimized out>) at kernel/qopenglcontext.cpp:1115
#10 0x00007f61ca4b7401 in QSGRenderThread::syncAndRender (this=this@entry=0x5653f3915590) at scenegraph/qsgthreadedrenderloop.cpp:652
#11 0x00007f61ca4bb168 in QSGRenderThread::run (this=0x5653f3915590) at scenegraph/qsgthreadedrenderloop.cpp:730
#12 0x00007f61c86e2786 in QThreadPrivate::start (arg=0x5653f3915590) at thread/qthread_unix.cpp:361
#13 0x00007f61c7b455a2 in start_thread (arg=<optimized out>) at pthread_create.c:486
#14 0x00007f61c8358303 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

I think that the segmentation faults might've been due to null pointer dereferences since proxy=0x0 in the wl_proxy_set_queue call, and proxy was dereferenced at wayland-client:2095 as proxy->queue without checking if proxy was null and queue was not null as shown in the wl_proxy_set_queue function.

2091    WL_EXPORT void
2092    wl_proxy_set_queue(struct wl_proxy *proxy, struct wl_event_queue *queue)
2093    {
2094            if (queue)
2095                    proxy->queue = queue;
2096            else
2097                    proxy->queue = &proxy->display->default_queue;
2098    }

qt5-qtwayland functions at #7-8 in the crashing thread and other qt5 functions lower in the stack might be involved.


STEPS TO REPRODUCE
1. Boot F30 Plasma spin fully updated with updates-testing enabled
2. Log in to Plasma on Wayland from sddm
3. if qt5-qtnetworkauth is installed, sudo dnf remove qt5-qtnetworkauth (due to dnf dependency problems since qt5-qtnetworkauth-5.12.4 was not available on koji)
4. dnf upgrade to qt5 5.12.4 with dependent Plasma and kf5 rebuilds from koji
5. reboot
6. Log in to Plasma on Wayland
7. coredumpctl
8. coredumpctl debug
9. gnome-abrt

OBSERVED RESULT
Crashes of plasmashell in Plasma on Wayland with Qt 5.12.4.

EXPECTED RESULT
No crashes.

SOFTWARE/OS VERSIONS
Operating System: Fedora 30, 5.1.12 kernel
KDE Plasma Version: 5.15.5
KDE Frameworks Version: 5.59.0
Qt Version: 5.12.4

kf5-kwayland-0:5.59.0-2.fc30.x86_64
libwayland-client-0:1.17.0-1.fc30.x86_64
plasma-workspace-0:5.15.5-1.fc30.x86_64
qt5-qtwayland-0:5.12.4-1.fc30.x86_64

ADDITIONAL INFORMATION

I haven't seen any such crashes in Plasma on X with Qt 5.12.4.

I've commented on a report of a plasmashell crash in Plasma on Wayland with a similar trace at https://bugs.kde.org/show_bug.cgi?id=408847
Comment 1 Matt Fagnani 2019-06-23 02:11:10 UTC
Created attachment 121086 [details]
valgrind run on plasmashell in Plasma 5.15.5 on Wayland with qt 5.12.4 showing invalid read and write and uninitialized value use

plasmashell restarted after these crashes, but the application menu in the task bar, the menu in konsole, and the menu when right clicking didn't show up properly. I ran plasmashell under valgrind by editing 
/etc/xdg/autostart/org.kde.plasmashell.desktop like
- Exec=plasmashell
+ Exec=valgrind --log-file=valgrind-plasmashell-wayland-3.txt --track-origins=yes plasmashell
and then logging into Plasma on Wayland from sddm. A segmentation fault in ksplashqml in wl_proxy_set_queue at wayland-client.c:2094 was shown in drkonqi while the splash screen was being shown in one such session. The trace of the crashing thread was similar, if not the same, as in the plasmashell crash I reported.

Application: ksplashqml (ksplashqml), signal: Segmentation fault
Using host libthread_db library "/lib64/libthread_db.so.1".
futex_wait_cancelable (private=0, expected=0, futex_word=0x559d747f9c10) at ../sysdeps/unix/sysv/linux/futex-internal.h:88
88	  int err = lll_futex_timed_wait (futex_word, expected, NULL, private);
[Current thread is 1 (Thread 0x7f09a1d39840 (LWP 4083))]

Thread 12 (Thread 0x7f09617e2700 (LWP 4114)):
[KCrash Handler]
#7  0x00007f09a09336f9 in wl_proxy_set_queue (proxy=0x0, queue=0x559d74782e40) at src/wayland-client.c:2094
#8  0x00007f098f901b50 in QtWaylandClient::QWaylandWindow::waitForFrameSync (this=0x559d74700940, timeout=100) at qwaylandwindow.cpp:646
#9  0x00007f098e5d6022 in QtWaylandClient::QWaylandGLContext::swapBuffers (this=0x559d7477fe40, surface=<optimized out>) at ../../../../hardwareintegration/client/wayland-egl/qwaylandglcontext.cpp:566
#10 0x00007f09a194f441 in QOpenGLContext::swapBuffers (this=0x559d742d9a30, surface=<optimized out>) at kernel/qopenglcontext.cpp:1115
#11 0x00007f09a20ae401 in QSGRenderThread::syncAndRender (this=this@entry=0x559d747f8b50) at scenegraph/qsgthreadedrenderloop.cpp:652
#12 0x00007f09a20b2168 in QSGRenderThread::run (this=0x559d747f8b50) at scenegraph/qsgthreadedrenderloop.cpp:730
#13 0x00007f09a1399786 in QThreadPrivate::start (arg=0x559d747f8b50) at thread/qthread_unix.cpp:361
#14 0x00007f09a052c5a2 in start_thread (arg=<optimized out>) at pthread_create.c:486
#15 0x00007f09a100f303 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

An invalid read and an invalid write in wl_proxy_unref at wayland-client.c:229-230 were in the valgrind log; these appear to be use-after-free errors since both have lines like "Address 0xac4affc is 44 bytes inside a block of size 72 free'd". These invalid reads/writes might be involved in the segmentation faults as they appear to involve the proxy in wayland-client.c.

==8545== Invalid read of size 4
==8545==    at 0x736BBB4: wl_proxy_unref (wayland-client.c:229)
==8545==    by 0x736BCB3: destroy_queued_closure (wayland-client.c:291)
==8545==    by 0x736BEC7: dispatch_event.isra.0 (wayland-client.c:1436)
==8545==    by 0x736D46B: dispatch_queue (wayland-client.c:1576)
==8545==    by 0x736D46B: wl_display_dispatch_queue_pending (wayland-client.c:1818)
==8545==    by 0x736D8AA: wl_display_roundtrip_queue (wayland-client.c:1241)
==8545==    by 0x4A7AB73: KWayland::Client::ConnectionThread::roundtrip() (connection_thread.cpp:290)
==8545==    by 0x1806A189: KWaylandIntegration::init() (kwaylandintegration.cpp:74)
==8545==    by 0x180500C0: KdePlatformTheme::KdePlatformTheme() (kdeplatformtheme.cpp:84)
==8545==    by 0x1806CDFA: KdePlatformThemePlugin::create(QString const&, QStringList const&) (main.cpp:37)
==8545==    by 0x659BE88: QPlatformTheme* qLoadPlugin<QPlatformTheme, QPlatformThemePlugin, QStringList&>(QFactoryLoader const*, QString const&, QStringList&) (qfactoryloader_p.h:108)
==8545==    by 0x659B825: QPlatformThemeFactory::create(QString const&, QString const&) (qplatformthemefactory.cpp:73)
==8545==    by 0x65A4A0F: init_platform (qguiapplication.cpp:1247)
==8545==    by 0x65A4A0F: QGuiApplicationPrivate::createPlatformIntegration() (qguiapplication.cpp:1392)
==8545==  Address 0xac4affc is 44 bytes inside a block of size 72 free'd
==8545==    at 0x4839A0C: free (vg_replace_malloc.c:540)
==8545==    by 0x4A91C14: destroy (wayland_pointer_p.h:63)
==8545==    by 0x4A91C14: KWayland::Client::Registry::Private::globalSync(void*, wl_callback*, unsigned int) (registry.cpp:539)
==8545==    by 0x8596B27: ffi_call_unix64 (unix64.S:76)
==8545==    by 0x8596338: ffi_call (ffi64.c:525)
==8545==    by 0x736F606: wl_closure_invoke (connection.c:1014)
==8545==    by 0x736BF17: dispatch_event.isra.0 (wayland-client.c:1430)
==8545==    by 0x736D46B: dispatch_queue (wayland-client.c:1576)
==8545==    by 0x736D46B: wl_display_dispatch_queue_pending (wayland-client.c:1818)
==8545==    by 0x736D8AA: wl_display_roundtrip_queue (wayland-client.c:1241)
==8545==    by 0x4A7AB73: KWayland::Client::ConnectionThread::roundtrip() (connection_thread.cpp:290)
==8545==    by 0x1806A189: KWaylandIntegration::init() (kwaylandintegration.cpp:74)
==8545==    by 0x180500C0: KdePlatformTheme::KdePlatformTheme() (kdeplatformtheme.cpp:84)
==8545==    by 0x1806CDFA: KdePlatformThemePlugin::create(QString const&, QStringList const&) (main.cpp:37)
==8545==  Block was alloc'd at
==8545==    at 0x483AB1A: calloc (vg_replace_malloc.c:762)
==8545==    by 0x736BD42: UnknownInlinedFun (wayland-private.h:236)
==8545==    by 0x736BD42: proxy_create.isra.0 (wayland-client.c:421)
==8545==    by 0x736C42B: create_outgoing_proxy (wayland-client.c:650)
==8545==    by 0x736C42B: wl_proxy_marshal_array_constructor_versioned (wayland-client.c:735)
==8545==    by 0x736C782: wl_proxy_marshal_constructor (wayland-client.c:824)
==8545==    by 0x4A920BD: wl_display_sync (wayland-client-protocol.h:958)
==8545==    by 0x4A920BD: KWayland::Client::Registry::create(wl_display*) (registry.cpp:470)
==8545==    by 0x4A9213A: KWayland::Client::Registry::create(KWayland::Client::ConnectionThread*) (registry.cpp:479)
==8545==    by 0x1806A10D: KWaylandIntegration::init() (kwaylandintegration.cpp:56)
==8545==    by 0x180500C0: KdePlatformTheme::KdePlatformTheme() (kdeplatformtheme.cpp:84)
==8545==    by 0x1806CDFA: KdePlatformThemePlugin::create(QString const&, QStringList const&) (main.cpp:37)
==8545==    by 0x659BE88: QPlatformTheme* qLoadPlugin<QPlatformTheme, QPlatformThemePlugin, QStringList&>(QFactoryLoader const*, QString const&, QStringList&) (qfactoryloader_p.h:108)
==8545==    by 0x659B825: QPlatformThemeFactory::create(QString const&, QString const&) (qplatformthemefactory.cpp:73)
==8545==    by 0x65A4A0F: init_platform (qguiapplication.cpp:1247)
==8545==    by 0x65A4A0F: QGuiApplicationPrivate::createPlatformIntegration() (qguiapplication.cpp:1392)
==8545== 
==8545== Invalid write of size 4
==8545==    at 0x736BBBE: wl_proxy_unref (wayland-client.c:230)
==8545==    by 0x736BCB3: destroy_queued_closure (wayland-client.c:291)
==8545==    by 0x736BEC7: dispatch_event.isra.0 (wayland-client.c:1436)
==8545==    by 0x736D46B: dispatch_queue (wayland-client.c:1576)
==8545==    by 0x736D46B: wl_display_dispatch_queue_pending (wayland-client.c:1818)
==8545==    by 0x736D8AA: wl_display_roundtrip_queue (wayland-client.c:1241)
==8545==    by 0x4A7AB73: KWayland::Client::ConnectionThread::roundtrip() (connection_thread.cpp:290)
==8545==    by 0x1806A189: KWaylandIntegration::init() (kwaylandintegration.cpp:74)
==8545==    by 0x180500C0: KdePlatformTheme::KdePlatformTheme() (kdeplatformtheme.cpp:84)
==8545==    by 0x1806CDFA: KdePlatformThemePlugin::create(QString const&, QStringList const&) (main.cpp:37)
==8545==    by 0x659BE88: QPlatformTheme* qLoadPlugin<QPlatformTheme, QPlatformThemePlugin, QStringList&>(QFactoryLoader const*, QString const&, QStringList&) (qfactoryloader_p.h:108)
==8545==    by 0x659B825: QPlatformThemeFactory::create(QString const&, QString const&) (qplatformthemefactory.cpp:73)
==8545==    by 0x65A4A0F: init_platform (qguiapplication.cpp:1247)
==8545==    by 0x65A4A0F: QGuiApplicationPrivate::createPlatformIntegration() (qguiapplication.cpp:1392)
==8545==  Address 0xac4affc is 44 bytes inside a block of size 72 free'd
==8545==    at 0x4839A0C: free (vg_replace_malloc.c:540)
==8545==    by 0x4A91C14: destroy (wayland_pointer_p.h:63)
==8545==    by 0x4A91C14: KWayland::Client::Registry::Private::globalSync(void*, wl_callback*, unsigned int) (registry.cpp:539)
==8545==    by 0x8596B27: ffi_call_unix64 (unix64.S:76)
==8545==    by 0x8596338: ffi_call (ffi64.c:525)
==8545==    by 0x736F606: wl_closure_invoke (connection.c:1014)
==8545==    by 0x736BF17: dispatch_event.isra.0 (wayland-client.c:1430)
==8545==    by 0x736D46B: dispatch_queue (wayland-client.c:1576)
==8545==    by 0x736D46B: wl_display_dispatch_queue_pending (wayland-client.c:1818)
==8545==    by 0x736D8AA: wl_display_roundtrip_queue (wayland-client.c:1241)
==8545==    by 0x4A7AB73: KWayland::Client::ConnectionThread::roundtrip() (connection_thread.cpp:290)
==8545==    by 0x1806A189: KWaylandIntegration::init() (kwaylandintegration.cpp:74)
==8545==    by 0x180500C0: KdePlatformTheme::KdePlatformTheme() (kdeplatformtheme.cpp:84)
==8545==    by 0x1806CDFA: KdePlatformThemePlugin::create(QString const&, QStringList const&) (main.cpp:37)
==8545==  Block was alloc'd at
==8545==    at 0x483AB1A: calloc (vg_replace_malloc.c:762)
==8545==    by 0x736BD42: UnknownInlinedFun (wayland-private.h:236)
==8545==    by 0x736BD42: proxy_create.isra.0 (wayland-client.c:421)
==8545==    by 0x736C42B: create_outgoing_proxy (wayland-client.c:650)
==8545==    by 0x736C42B: wl_proxy_marshal_array_constructor_versioned (wayland-client.c:735)
==8545==    by 0x736C782: wl_proxy_marshal_constructor (wayland-client.c:824)
==8545==    by 0x4A920BD: wl_display_sync (wayland-client-protocol.h:958)
==8545==    by 0x4A920BD: KWayland::Client::Registry::create(wl_display*) (registry.cpp:470)
==8545==    by 0x4A9213A: KWayland::Client::Registry::create(KWayland::Client::ConnectionThread*) (registry.cpp:479)
==8545==    by 0x1806A10D: KWaylandIntegration::init() (kwaylandintegration.cpp:56)
==8545==    by 0x180500C0: KdePlatformTheme::KdePlatformTheme() (kdeplatformtheme.cpp:84)
==8545==    by 0x1806CDFA: KdePlatformThemePlugin::create(QString const&, QStringList const&) (main.cpp:37)
==8545==    by 0x659BE88: QPlatformTheme* qLoadPlugin<QPlatformTheme, QPlatformThemePlugin, QStringList&>(QFactoryLoader const*, QString const&, QStringList&) (qfactoryloader_p.h:108)
==8545==    by 0x659B825: QPlatformThemeFactory::create(QString const&, QString const&) (qplatformthemefactory.cpp:73)
==8545==    by 0x65A4A0F: init_platform (qguiapplication.cpp:1247)
==8545==    by 0x65A4A0F: QGuiApplicationPrivate::createPlatformIntegration() (qguiapplication.cpp:1392)

I've seen segmentation faults in konsole and powerdevil and others which involved invalid reads/writes starting at wl_proxy_unref (wayland-client.c:229)
https://bugs.kde.org/show_bug.cgi?id=408971
https://bugs.kde.org/show_bug.cgi?id=408553

The valgrind log showed use of a few uninitialized variables including at
QtWaylandClient::QWaylandInputDevice::Keyboard::keyboard_key (qwaylandinputdevice.cpp:792)

Thread 1:
==8545== Conditional jump or move depends on uninitialised value(s)
==8545==    at 0x17ED1571: QtWaylandClient::QWaylandInputDevice::Keyboard::keyboard_key(unsigned int, unsigned int, unsigned int, unsigned int) (qwaylandinputdevice.cpp:792)
==8545==    by 0x8596B27: ffi_call_unix64 (unix64.S:76)
==8545==    by 0x8596338: ffi_call (ffi64.c:525)
==8545==    by 0x736F606: wl_closure_invoke (connection.c:1014)
==8545==    by 0x736BF17: dispatch_event.isra.0 (wayland-client.c:1430)
==8545==    by 0x736D46B: dispatch_queue (wayland-client.c:1576)
==8545==    by 0x736D46B: wl_display_dispatch_queue_pending (wayland-client.c:1818)
==8545==    by 0x17ED2361: QtWaylandClient::QWaylandDisplay::flushRequests() (qwaylanddisplay.cpp:187)
==8545==    by 0x6C5BD7A: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3801)
==8545==    by 0x6C86C16: QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventdispatcher_glib.cpp:429)
==8545==    by 0x6C309EA: QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (qeventloop.cpp:225)
==8545==    by 0x6C38725: QCoreApplication::exec() (qcoreapplication.cpp:1385)
==8545==    by 0x12C808: main (main.cpp:212)
==8545==  Uninitialised value was created by a heap allocation
==8545==    at 0x4838E86: operator new(unsigned long) (vg_replace_malloc.c:344)
==8545==    by 0x17ECF017: QtWaylandClient::QWaylandInputDevice::createKeyboard(QtWaylandClient::QWaylandInputDevice*) (qwaylandinputdevice.cpp:265)
==8545==    by 0x17ECEFCC: QtWaylandClient::QWaylandInputDevice::seat_capabilities(unsigned int) (qwaylandinputdevice.cpp:231)
==8545==    by 0x8596B27: ffi_call_unix64 (unix64.S:76)
==8545==    by 0x8596338: ffi_call (ffi64.c:525)
==8545==    by 0x736F606: wl_closure_invoke (connection.c:1014)
==8545==    by 0x736BF17: dispatch_event.isra.0 (wayland-client.c:1430)
==8545==    by 0x736D46B: dispatch_queue (wayland-client.c:1576)
==8545==    by 0x736D46B: wl_display_dispatch_queue_pending (wayland-client.c:1818)
==8545==    by 0x17ED2804: QtWaylandClient::QWaylandDisplay::forceRoundTrip() (qwaylanddisplay.cpp:420)
==8545==    by 0x17ED35B6: QtWaylandClient::QWaylandDisplay::registry_global(unsigned int, QString const&, unsigned int) (qwaylanddisplay.cpp:282)
==8545==    by 0x17EF9DA5: QtWayland::wl_registry::handle_global(void*, wl_registry*, unsigned int, char const*, unsigned int) (qwayland-wayland.cpp:71)
==8545==    by 0x8596B27: ffi_call_unix64 (unix64.S:76)
==8545== 

I don't know if those uninitialized values being used might be related to the crashes. I'll attach the valgrind log and ksplashqml trace.
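The two defects discussed in this report, the NULL proxy dereferenced in wl_proxy_set_queue (description) and the wl_proxy_unref read/write into a block already freed from Registry::Private::globalSync while a queued closure still pointed at it (comment 1), are shown below in a small added C model that handles both defensively. This is example code written for this page, not libwayland, Qt or KWayland code; every toy_* name, the struct layouts and the destroyed flag are assumptions of the example. The set_queue counterpart reports a NULL proxy to its caller instead of dereferencing it, and a queued closure holds its own reference on the proxy so that destroying the proxy first cannot free memory the closure will touch later.

```c
/* Added example (not libwayland, Qt or KWayland code): toy client-side
 * proxy model. All toy_* names and layouts are assumptions for this page. */
#include <stdio.h>
#include <stdlib.h>

struct toy_event_queue { const char *name; };
struct toy_display { struct toy_event_queue default_queue; };

struct toy_proxy {
    struct toy_display *display;
    struct toy_event_queue *queue;
    int refcount;   /* one for the creator, plus one per queued closure */
    int destroyed;  /* set by toy_proxy_destroy; listeners stop running */
};

/* Number of proxies really free()d, so a caller can check that a destroyed
 * proxy still referenced by a queued closure is not freed early. */
static int toy_freed_count = 0;

struct toy_proxy *toy_proxy_create(struct toy_display *d)
{
    struct toy_proxy *p = calloc(1, sizeof *p);
    if (!p)
        return NULL;
    p->display = d;
    p->queue = &d->default_queue;
    p->refcount = 1;
    return p;
}

/* Hardened counterpart of the wl_proxy_set_queue quoted in the report: a
 * NULL proxy is reported to the caller (-1) instead of being dereferenced. */
int toy_proxy_set_queue(struct toy_proxy *proxy, struct toy_event_queue *queue)
{
    if (!proxy)
        return -1;
    proxy->queue = queue ? queue : &proxy->display->default_queue;
    return 0;
}

static void toy_proxy_ref(struct toy_proxy *p) { p->refcount++; }

/* Drop one reference; the block is freed only with the last one. */
static void toy_proxy_unref(struct toy_proxy *p)
{
    if (--p->refcount == 0) {
        toy_freed_count++;
        free(p);
    }
}

/* Destroy marks the proxy dead and drops only the creator's reference. A
 * closure already queued keeps its own reference, so the block stays valid
 * until dispatch; comment 1's valgrind report is the case where the block
 * was freed here while a queued closure still pointed at it. */
void toy_proxy_destroy(struct toy_proxy *p)
{
    p->destroyed = 1;
    toy_proxy_unref(p);
}

struct toy_closure {
    struct toy_proxy *proxy;
    void (*listener)(struct toy_proxy *);
};

/* Queueing an event for a proxy takes a reference on that proxy. */
struct toy_closure toy_closure_queue(struct toy_proxy *p,
                                    void (*listener)(struct toy_proxy *))
{
    struct toy_closure c = { p, listener };
    toy_proxy_ref(p);
    return c;
}

/* Run the listener only while the proxy is alive, then release the
 * closure's reference. Returns 1 if the listener ran, 0 if it was skipped. */
int toy_closure_dispatch(struct toy_closure *c)
{
    int ran = 0;
    if (!c->proxy->destroyed && c->listener) {
        c->listener(c->proxy);
        ran = 1;
    }
    toy_proxy_unref(c->proxy);
    c->proxy = NULL;
    return ran;
}

static void toy_noop_listener(struct toy_proxy *p) { (void)p; }

struct toy_outcome { int listener_ran; int freed_after_first_step; int freed_at_end; };

/* One proxy with one queued closure. destroy_first reproduces the comment 1
 * ordering (destroy, then dispatch); otherwise dispatch comes first. */
struct toy_outcome toy_run(int destroy_first)
{
    struct toy_display d = { { "default" } };
    struct toy_proxy *cb = toy_proxy_create(&d);
    struct toy_closure pending = toy_closure_queue(cb, toy_noop_listener);
    struct toy_outcome out = { 0, 0, 0 };
    toy_freed_count = 0;
    if (destroy_first) {
        toy_proxy_destroy(cb);                          /* closure still owns it */
        out.freed_after_first_step = toy_freed_count;   /* 0 */
        out.listener_ran = toy_closure_dispatch(&pending); /* 0: skipped */
    } else {
        out.listener_ran = toy_closure_dispatch(&pending); /* 1: alive */
        out.freed_after_first_step = toy_freed_count;   /* 0: creator owns it */
        toy_proxy_destroy(cb);
    }
    out.freed_at_end = toy_freed_count;                 /* 1 in both orderings */
    return out;
}

int main(void)
{
    struct toy_outcome a = toy_run(1), b = toy_run(0);
    printf("destroy first: ran=%d freed_mid=%d freed_end=%d\n",
           a.listener_ran, a.freed_after_first_step, a.freed_at_end);
    printf("dispatch first: ran=%d freed_mid=%d freed_end=%d\n",
           b.listener_ran, b.freed_after_first_step, b.freed_at_end);
    printf("NULL proxy: set_queue returns %d\n", toy_proxy_set_queue(NULL, NULL));
    return 0;
}
```

The point of the model is ownership: whoever can still reach the proxy later (here, the queued closure) must hold a reference, and destroy only flags the object and releases the creator's share. Running the real plasmashell under valgrind as described in comment 1 is the way to confirm which of the two orderings the production code actually takes.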
Comment 2 Matt Fagnani 2019-06-23 02:13:34 UTC
Created attachment 121087 [details]
ksplashqml segmentation fault trace from drkonqi when running plasmashell under valgrind on Plasma on Wayland with qt 5.12.4
Comment 3 Alois Wohlschlager 2019-06-25 08:50:46 UTC
This crash happens in Qt. Not sure what we can do about it other than waiting for Qt to fix it.
A temporary workaround seems to be downgrading to Qt 5.12.3.
Comment 4 David Edmundson 2019-06-25 09:10:10 UTC
> Not sure what we can do about it other than waiting for Qt to fix it.

We (KDE) need to be proactive rather than just waiting.

If possible please test with my QtWayland patch sets:
https://codereview.qt-project.org/c/qt/qtwayland/+/265998/1

Though I think it's slightly unrelated.
Comment 5 Alois Wohlschlager 2019-06-30 14:20:29 UTC
*** Bug 409326 has been marked as a duplicate of this bug. ***
Comment 6 David Edmundson 2019-12-22 11:54:46 UTC
*** Bug 414486 has been marked as a duplicate of this bug. ***
Comment 7 Matt Fagnani 2020-08-19 12:56:25 UTC
I was using Plasma 5.19.4 on Wayland in Fedora 33 with KF 5.73.0 and Qt 5.14.2. I set the desktop to use the Application Menu by right-clicking on the button at the bottom left of the screen, selecting Show Alternatives > Application Menu > Switch. I quickly left-clicked to open the Application Menu many times. The Task Manager bar at the bottom of the screen disappeared and reappeared automatically. plasmashell segmentation faulted in wl_proxy_set_queue at src/wayland-client.c:2173 in libwayland-client-1.18.0-2.fc33.x86_64.

Core was generated by `/usr/bin/plasmashell'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  __GI_raise (sig=<optimized out>) at ../sysdeps/unix/sysv/linux/raise.c:49
49        return ret;
[Current thread is 1 (Thread 0x7ff5eabe6640 (LWP 8221))]
(gdb) bt
#0  __GI_raise (sig=<optimized out>) at ../sysdeps/unix/sysv/linux/raise.c:49
#1  <signal handler called>
#2  0x00007ff688034ca5 in wl_proxy_set_queue (proxy=0x0, queue=0x55f4dc0e5790)
    at src/wayland-client.c:2173
#3  0x00007ff676c85f8d in QtWaylandClient::QWaylandWindow::waitForFrameSync (timeout=100, 
    this=0x55f4dc0ae900) at qwaylandwindow.cpp:637
#4  QtWaylandClient::QWaylandWindow::waitForFrameSync (this=this@entry=0x55f4dc0ae900, 
    timeout=timeout@entry=100) at qwaylandwindow.cpp:630
#5  0x00007ff6740181ea in QtWaylandClient::QWaylandGLContext::swapBuffers (this=0x55f4dcaacb10, 
    surface=0x55f4dc0ae910)
    at ../../../../hardwareintegration/client/wayland-egl/qwaylandglcontext.cpp:482
#6  0x00007ff68a00d0c4 in QSGRenderThread::syncAndRender (this=0x55f4dc923380, grabImage=0x0)
    at scenegraph/qsgthreadedrenderloop.cpp:841
#7  0x00007ff68a013e0f in QSGRenderThread::run (this=0x55f4dc923380)
    at scenegraph/qsgthreadedrenderloop.cpp:980
#8  0x00007ff68857b690 in QThreadPrivate::start (arg=0x55f4dc923380) at thread/qthread_unix.cpp:342
#9  0x00007ff6879df3f9 in start_thread (arg=0x7ff5eabe6640) at pthread_create.c:463
#10 0x00007ff6881ffb03 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

The pointer proxy=0x0 passed to wl_proxy_set_queue might've led to a null pointer dereference like in the crash I reported here before.

(gdb) l src/wayland-client.c:2173
2168     * \memberof wl_proxy
2169     */
2170    WL_EXPORT void
2171    wl_proxy_set_queue(struct wl_proxy *proxy, struct wl_event_queue *queue)
2172    {
2173            if (queue)
2174                    proxy->queue = queue;
2175            else
2176                    proxy->queue = &proxy->display->default_queue;
2177    }


The crashes might involve a race condition in which the Wayland proxy of the Application menu was occasionally freed or corrupted before it was used.
The use-after-free errors I reported in comment 1 might still be happening and leading to the crashes. plasmashell crashed when I quickly left-clicked to open the Application Menu many times in the last day, with errors like "The Wayland connection experienced a fatal error: Invalid argument" (https://bugs.kde.org/show_bug.cgi?id=424879) and with a segmentation fault in update_buffers in mesa-libEGL (https://bugs.kde.org/show_bug.cgi?id=414411). Those crashes might have been related to this one.
Comment 8 Matt Fagnani 2020-09-06 02:02:00 UTC
Created attachment 131441 [details]
New crash information added by DrKonqi

plasmashell (5.19.5) using Qt 5.14.2

- What I was doing when the application crashed:

I logged into Plasma 5.19.5 on Wayland in Fedora 33 with KF 5.73.0, Qt 5.14.2, Mesa 20.2.0-rc4. I clicked on the NetworkManager applet button in the System Tray which was making an ethernet connection to a router that was booting. plasmashell crashed before the NetworkManager applet would have appeared. The screen went black. plasmashell restarted automatically. plasmashell had a segmentation fault in wl_proxy_set_queue at wayland-client.c:2173 in libwayland-client-1.18.0-2.fc33. The crash was likely due to a null pointer dereference since proxy=0x0 as in previous crashes I've reported here.

-- Backtrace (Reduced):
#4  0x00007f7ce0e80ca5 in wl_proxy_set_queue (proxy=0x0, queue=0x56491b6fb4d0) at src/wayland-client.c:2173
#5  0x00007f7ccfad9f8d in QtWaylandClient::QWaylandWindow::waitForFrameSync (timeout=100, this=0x56491b6fbfd0) at qwaylandwindow.cpp:637
#6  QtWaylandClient::QWaylandWindow::waitForFrameSync (this=this@entry=0x56491b6fbfd0, timeout=timeout@entry=100) at qwaylandwindow.cpp:630
#7  0x00007f7cccdcc1ea in QtWaylandClient::QWaylandGLContext::swapBuffers (this=0x56491c3ceac0, surface=0x56491b6fbfe0) at ../../../../hardwareintegration/client/wayland-egl/qwaylandglcontext.cpp:482
#8  0x00007f7ce2e590c4 in QSGRenderThread::syncAndRender (this=0x56491b221ec0, grabImage=0x0) at scenegraph/qsgthreadedrenderloop.cpp:841
Comment 9 Matt Fagnani 2020-09-30 01:45:03 UTC
Created attachment 132017 [details]
New crash information added by DrKonqi

plasmashell (5.19.5) using Qt 5.15.1

- What I was doing when the application crashed:

I logged into Plasma 5.19.5 on Wayland in Fedora 33 with KF 5.73.0, Qt 5.15.1, Mesa 20.2.0. I clicked on the updates applet button in the System Tray. plasmashell crashed before the updates applet would have appeared. The screen went black. plasmashell restarted automatically. plasmashell had a segmentation fault in wl_proxy_set_queue at wayland-client.c:2173 in libwayland-client-1.18.0-2.fc33. The crash was likely due to a null pointer dereference since proxy=0x0 as in previous crashes I've reported here.

-- Backtrace (Reduced):
#4  0x00007f1b52da3ca5 in wl_proxy_set_queue (proxy=0x0, queue=0x561f267c6780) at src/wayland-client.c:2173
#5  0x00007f1b41a19f5d in QtWaylandClient::QWaylandWindow::waitForFrameSync(int) (timeout=100, this=0x561f266066c0) at qwaylandwindow.cpp:632
#6  QtWaylandClient::QWaylandWindow::waitForFrameSync(int) (this=0x561f266066c0, timeout=100) at qwaylandwindow.cpp:625
#7  0x00007f1b4000f0aa in QtWaylandClient::QWaylandGLContext::swapBuffers(QPlatformSurface*) (this=0x561f268c9700, surface=0x561f266066d0) at ../../../../hardwareintegration/client/wayland-egl/qwaylandglcontext.cpp:492
#8  0x00007f1b54df60fc in QSGRenderThread::syncAndRender(QImage*) (this=0x561f262a0ce0, grabImage=0x0) at scenegraph/qsgthreadedrenderloop.cpp:870
Comment 10 Matt Fagnani 2020-11-08 03:41:07 UTC
Created attachment 133126 [details]
New crash information added by DrKonqi

plasmashell (5.19.5) using Qt 5.15.1

- What I was doing when the application crashed:

I was using Plasma 5.19.5 on Wayland in Fedora 33 with KF 5.75.0 and Qt 5.15.1. I'd set the desktop to use the Application Menu by right-clicking on the button at the bottom left of the screen, selecting Show Alternatives > Application Menu > Switch. I clicked to open the Application Menu several times. The screen went black and plasmashell restarted automatically. plasmashell segmentation faulted in wl_proxy_set_queue at src/wayland-client.c:2173 in libwayland-client-1.18.0-2.fc33.x86_64 due to a null pointer dereference where proxy=0x0.

-- Backtrace (Reduced):
#4  0x00007f8d7de37ca5 in wl_proxy_set_queue (proxy=0x0, queue=0x562e195913a0) at src/wayland-client.c:2173
#5  0x00007f8d6cc1df5d in QtWaylandClient::QWaylandWindow::waitForFrameSync(int) (timeout=100, this=0x562e19591920) at qwaylandwindow.cpp:632
#6  QtWaylandClient::QWaylandWindow::waitForFrameSync(int) (this=0x562e19591920, timeout=100) at qwaylandwindow.cpp:625
#7  0x00007f8d69f030aa in QtWaylandClient::QWaylandGLContext::swapBuffers(QPlatformSurface*) (this=0x562e1a3701a0, surface=0x562e19591930) at ../../../../hardwareintegration/client/wayland-egl/qwaylandglcontext.cpp:492
#8  0x00007f8d7ffca0fc in QSGRenderThread::syncAndRender(QImage*) (this=0x562e1a3ecfb0, grabImage=0x0) at scenegraph/qsgthreadedrenderloop.cpp:870
Comment 11 Willyanto 2020-12-03 14:04:21 UTC
Created attachment 133833 [details]
New crash information added by DrKonqi

plasmashell (5.20.3) using Qt 5.15.1

- What I was doing when the application crashed:
I was browsing the web using Firefox (using XWayland)

- Unusual behavior I noticed:
The rendered web page looks like it is in a minimized Firefox window, but the actual Firefox window size is maximized.

-- Backtrace (Reduced):
#4  0x00007fcd76a09ca5 in wl_proxy_set_queue (proxy=0x0, queue=0x5652cbbef520) at src/wayland-client.c:2173
#5  0x00007fcd658dbf5d in QtWaylandClient::QWaylandWindow::waitForFrameSync(int) (timeout=100, this=0x5652cbbf0080) at qwaylandwindow.cpp:632
#6  QtWaylandClient::QWaylandWindow::waitForFrameSync(int) (this=0x5652cbbf0080, timeout=100) at qwaylandwindow.cpp:625
#7  0x00007fcd621720aa in QtWaylandClient::QWaylandGLContext::swapBuffers(QPlatformSurface*) (this=0x5652cd9fb3e0, surface=0x5652cbbf0090) at ../../../../hardwareintegration/client/wayland-egl/qwaylandglcontext.cpp:492
#8  0x00007fcd78b0d0fc in QSGRenderThread::syncAndRender(QImage*) (this=0x5652cd882d10, grabImage=0x0) at scenegraph/qsgthreadedrenderloop.cpp:870
Comment 12 Nate Graham 2021-02-23 22:47:18 UTC
*** Bug 398533 has been marked as a duplicate of this bug. ***
Comment 13 Nate Graham 2021-02-25 23:51:56 UTC
*** Bug 410290 has been marked as a duplicate of this bug. ***
Comment 14 Aleix Pol 2022-01-12 15:42:35 UTC
Can you still reproduce this? A bunch of things have been fixed since.

This could also be related, although it wouldn't be easy to backport since RHI is involved.
https://codereview.qt-project.org/c/qt/qtwayland/+/371043
Comment 15 Nate Graham 2022-01-12 15:43:43 UTC
.
Comment 16 Matt Fagnani 2022-01-12 18:22:25 UTC
(In reply to Aleix Pol from comment #14)
> Can you still reproduce this? A bunch of things have been fixed since.
> 
> This could also be related, although it wouldn't be easy to backport since
> RHI is involved.
> https://codereview.qt-project.org/c/qt/qtwayland/+/371043

I haven't seen plasmashell crash with this trace in Plasma on Wayland in many months at least. I didn't see any crash when I repeatedly clicked to open and close the Application Menu at the lower-left of the screen many times today in Plasma 5.23.4 on Wayland with KF 5.90.0, Qt 5.15.2 in Fedora 35. I guess this problem was fixed at some point. I'll mark it as fixed. Feel free to reopen it if someone else sees this again. Thanks.