Bug 416147 - kwin_wayland segmentation faults and black screen when logging out of Plasma on Wayland
Status: RESOLVED UPSTREAM
Alias: None
Product: kwin
Classification: Plasma
Component: wayland-generic
Version: 5.17.4
Platform: Fedora RPMs Linux
Importance: NOR normal
Target Milestone: ---
Assignee: KWin default assignee
URL: https://gitlab.freedesktop.org/mesa/m...
Reported: 2020-01-12 06:12 UTC by Matt Fagnani
Modified: 2020-01-13 08:05 UTC

Description Matt Fagnani 2020-01-12 06:12:20 UTC
SUMMARY

I've seen kwin_wayland segmentation faults in the journal with black screens when logging out of Plasma 5.17.4 on Wayland in Fedora rawhide with KF 5.65 and Qt 5.13.2. The core dumps were 2.1 GB uncompressed and were being truncated because the systemd-coredump default core dump limit was 2 GB. I changed /etc/systemd/coredump.conf to have ProcessSizeMax=3G and ExternalSizeMax=3G. I logged out of Plasma on Wayland and got the full kwin_wayland core dump. Using coredumpctl gdb, the kwin_wayland segmentation fault in frame #0 was at an address 0x0000560ba76632b0 pointing to an inaccessible address 0x5a200000.
The functions in frames #1-11 appeared to be in Mesa 19.3.1 including in the radeonsi driver. I've seen two kwin_wayland crashes with traces like this.

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000560ba76632b0 in ?? ()
[Current thread is 1 (Thread 0x7f49e66c8e00 (LWP 1291))]
(gdb) bt
#0  0x0000560ba76632b0 in  ()
#1  0x00007f49c3418f23 in util_hash_table_remove (ht=0x560ba7717e00, key=0x560ba8ab3740)
    at ../src/gallium/auxiliary/util/u_hash_table.c:213
#2  0x00007f49c2d0ce01 in amdgpu_bo_destroy (_buf=0x560ba85817c0)
    at ../src/gallium/winsys/amdgpu/drm/amdgpu_bo.c:185
#3  0x00007f49c2cb9e6e in pb_destroy (buf=<optimized out>)
    at ../src/gallium/auxiliary/pipebuffer/pb_buffer.h:238
#4  pb_reference (src=0x0, dst=0x560ba87e59e0) at ../src/gallium/auxiliary/pipebuffer/pb_buffer.h:249
#5  si_texture_destroy (screen=<optimized out>, ptex=0x560ba87e5980)
    at ../src/gallium/drivers/radeonsi/si_texture.c:1125
#6  0x00007f49c2ad432c in pipe_resource_reference (src=0x0, dst=0x560ba8aba2e0)
    at ../src/gallium/auxiliary/util/u_inlines.h:148
#7  dri2_destroy_image (img=0x560ba8aba2e0) at ../src/gallium/state_trackers/dri/dri_helpers.c:318
#8  0x00007f49d086e7e7 in dri2_destroy_image_khr
    (drv=<optimized out>, disp=<optimized out>, image=0x560ba8a98ea0)
    at ../src/egl/drivers/dri2/egl_dri2.c:2941
#9  0x00007f49d086b7dd in _eglReleaseDisplayResources (drv=
    0x560ba78b2280, display=display@entry=0x560ba78b1790) at ../src/egl/main/egldisplay.c:483
#10 0x00007f49d08715bd in dri2_terminate (drv=<optimized out>, disp=0x560ba78b1790)
    at ../src/egl/drivers/dri2/egl_dri2.c:1130
#11 0x00007f49d0862b32 in eglTerminate (dpy=0x560ba78b1790) at ../src/egl/main/eglapi.c:675
#12 0x00007f49e7955818 in KWin::Platform::~Platform() (this=0x560ba76395a0, __in_chrg=<optimized out>)
    at /usr/src/debug/kwin-5.17.4-2.fc32.x86_64/platform.cpp:54
#13 0x00007f49d23a2c2d in KWin::DrmBackend::~DrmBackend()
    (this=0x560ba76395a0, __in_chrg=<optimized out>) at /usr/src/debug/kwin-5.17.4-2.fc32.x86_64/plugins/platforms/drm/drm_backend.cpp:88
#14 0x00007f49e696d8bc in QObjectPrivate::deleteChildren() (this=this@entry=0x560ba75ffda0) at kernel/qobject.cpp:2019
#15 0x00007f49e696e80f in QObject::~QObject() (this=<optimized out>, __in_chrg=<optimized out>) at kernel/qobject.cpp:1032
#16 0x00007f49e693e7ae in QCoreApplication::~QCoreApplication() (this=0x7ffd10a44bc0, __in_chrg=<optimized out>) at ../../include/QtCore/../../src/corelib/tools/qstringlist.h:99
#17 0x00007f49e497ce1a in QGuiApplication::~QGuiApplication() (this=0x7ffd10a44bc0, __in_chrg=<optimized out>) at kernel/qguiapplication.cpp:697
#18 0x00007f49e6d744ee in QApplication::~QApplication() (this=0x7ffd10a44bc0, __in_chrg=<optimized out>) at kernel/qapplication.cpp:841
#19 0x0000560ba7142cd2 in main(int, char**) (argc=<optimized out>, argv=<optimized out>) at /usr/include/c++/9/bits/atomic_base.h:326

(gdb) x 0x0000560ba76632b0
0x560ba76632b0: 0x5a200000
(gdb) x 0x5a200000
0x5a200000:     Cannot access memory at address 0x5a200000

Another kwin_wayland segmentation fault when logging out of Plasma on Wayland with KF5 5.66.0 happened in cso_hash_find_node at ../src/gallium/auxiliary/cso_cache/cso_hash.c:271 in mesa-dri-drivers-19.3.2-1.fc32.x86_64. The frames #0-13 were in Mesa.

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f8c5eb39a0a in cso_hash_find_node (akey=2880521741, hash=0x561c1142a9c0)
    at ../src/gallium/auxiliary/cso_cache/cso_hash.c:271
271        struct cso_node **nextNode = cso_hash_find_node(hash, key);
[Current thread is 1 (Thread 0x7f8c826f2e00 (LWP 1303))]

(gdb) bt
#0  0x00007f8c5eb39a0a in cso_hash_find_node (akey=2880521741, hash=0x561c1142a9c0)
    at ../src/gallium/auxiliary/cso_cache/cso_hash.c:271
#1  cso_hash_find (hash=0x561c1142a9c0, key=2880521741)
    at ../src/gallium/auxiliary/cso_cache/cso_hash.c:271
#2  0x00007f8c5f41af2d in util_hash_table_find_iter
    (ht=0x561c11398b80, ht=0x561c11398b80, key_hash=<optimized out>, key=0x561c12355b80)
    at ../src/gallium/auxiliary/util/u_hash_table.c:215
#3  util_hash_table_remove (ht=0x561c11398b80, key=0x561c12355b80)
    at ../src/gallium/auxiliary/util/u_hash_table.c:215
#4  0x00007f8c5ed0ee01 in amdgpu_bo_destroy (_buf=0x561c124a5030)
    at ../src/gallium/winsys/amdgpu/drm/amdgpu_bo.c:185
#5  0x00007f8c5ecbbe6e in pb_destroy (buf=<optimized out>)
    at ../src/gallium/auxiliary/pipebuffer/pb_buffer.h:238
#6  pb_reference (src=0x0, dst=0x561c120cb820) at ../src/gallium/auxiliary/pipebuffer/pb_buffer.h:249
#7  si_texture_destroy (screen=<optimized out>, ptex=0x561c120cb7c0)
    at ../src/gallium/drivers/radeonsi/si_texture.c:1125
#8  0x00007f8c5ead632c in pipe_resource_reference (src=0x0, dst=0x561c125ab6b0)
    at ../src/gallium/auxiliary/util/u_inlines.h:148
#9  dri2_destroy_image (img=0x561c125ab6b0) at ../src/gallium/state_trackers/dri/dri_helpers.c:318
#10 0x00007f8c6c8c07e7 in dri2_destroy_image_khr
    (drv=<optimized out>, disp=<optimized out>, image=0x561c124e1320)
    at ../src/egl/drivers/dri2/egl_dri2.c:2941
#11 0x00007f8c6c8bd7dd in _eglReleaseDisplayResources (drv=
    0x561c11531f50, display=display@entry=0x561c11531460) at ../src/egl/main/egldisplay.c:483
#12 0x00007f8c6c8c35bd in dri2_terminate (drv=<optimized out>, disp=0x561c11531460)
    at ../src/egl/drivers/dri2/egl_dri2.c:1130
#13 0x00007f8c6c8b4b32 in eglTerminate (dpy=0x561c11531460) at ../src/egl/main/eglapi.c:675
#14 0x00007f8c839af818 in KWin::Platform::~Platform() (this=0x561c112c92b0, __in_chrg=<optimized out>)
    at /usr/src/debug/kwin-5.17.4-2.fc32.x86_64/platform.cpp:54
#15 0x00007f8c6e3f4c2d in KWin::DrmBackend::~DrmBackend()
    (this=0x561c112c92b0, __in_chrg=<optimized out>)
    at /usr/src/debug/kwin-5.17.4-2.fc32.x86_64/plugins/platforms/drm/drm_backend.cpp:88
#16 0x00007f8c829c78bc in QObjectPrivate::deleteChildren() (this=this@entry=0x561c1127eda0)
    at kernel/qobject.cpp:2019
#17 0x00007f8c829c880f in QObject::~QObject() (this=<optimized out>, __in_chrg=<optimized out>)
    at kernel/qobject.cpp:1032
#18 0x00007f8c829987ae in QCoreApplication::~QCoreApplication()
    (this=0x7ffe0d7c0a90, __in_chrg=<optimized out>)
    at ../../include/QtCore/../../src/corelib/tools/qstringlist.h:99
#19 0x00007f8c809d6e1a in QGuiApplication::~QGuiApplication()
    (this=0x7ffe0d7c0a90, __in_chrg=<optimized out>) at kernel/qguiapplication.cpp:697
#20 0x00007f8c82dce4ee in QApplication::~QApplication()
    (this=0x7ffe0d7c0a90, __in_chrg=<optimized out>) at kernel/qapplication.cpp:841
#21 0x0000561c0fd8acd2 in main(int, char**) (argc=<optimized out>, argv=<optimized out>)
    at /usr/include/c++/9/bits/atomic_base.h:326

About 20 KDE programs aborted with errors that the Wayland connection was lost.

STEPS TO REPRODUCE
1. Boot Fedora Rawhide KDE Plasma spin fully updated 
2. Log in to Plasma on Wayland from sddm
3. Change /etc/systemd/coredump.conf to have
ProcessSizeMax=3G
ExternalSizeMax=3G
4. Log out of Plasma


OBSERVED RESULT
kwin_wayland segmentation faults and black screen when logging out of Plasma on Wayland about 50% of the time

EXPECTED RESULT
Plasma would log out correctly to sddm with no crash

SOFTWARE/OS VERSIONS

Linux/KDE Plasma: Fedora Rawhide
(available in About System)
KDE Plasma Version: 5.17.4-5.17.5
KDE Frameworks Version: 5.65.0-5.66.0
Qt Version: 5.13.2

ADDITIONAL INFORMATION

I reported these Plasma logout issues at https://bugzilla.redhat.com/show_bug.cgi?id=1727482. I'm assigning this to kwin, but the underlying problem of the crashes above might be in Mesa. The GPU is an integrated AMD Radeon R5 using the radeonsi Mesa driver and the amdgpu kernel driver. I've seen other kwin_wayland segmentation faults when logging out in libraries like libwayland-client, but the core dumps were truncated.

I'm seeing kwin_wayland aborts and segmentation faults when I shut down or reboot which might be related. I reported those kwin_wayland crashes which involved invalid reads and writes and use of uninitialized variables at https://bugs.kde.org/show_bug.cgi?id=409688
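
Attributing a crash to a component by reading which frames come from which source tree, as done for the first trace in the description, can be automated. The following is an added example, not part of the original report or of any project named in it: it parses gdb bt output, including frames wrapped onto a continuation line, and reports the innermost run of frames from one component plus the function that called into it. The path-prefix rules and all function names are assumptions chosen for this trace.

```python
import re

# Sample: excerpt of the first backtrace in the description (some frames omitted).
SAMPLE_BT = """\
#0  0x0000560ba76632b0 in  ()
#1  0x00007f49c3418f23 in util_hash_table_remove (ht=0x560ba7717e00, key=0x560ba8ab3740)
    at ../src/gallium/auxiliary/util/u_hash_table.c:213
#4  pb_reference (src=0x0, dst=0x560ba87e59e0) at ../src/gallium/auxiliary/pipebuffer/pb_buffer.h:249
#11 0x00007f49d0862b32 in eglTerminate (dpy=0x560ba78b1790) at ../src/egl/main/eglapi.c:675
#12 0x00007f49e7955818 in KWin::Platform::~Platform() (this=0x560ba76395a0, __in_chrg=<optimized out>)
    at /usr/src/debug/kwin-5.17.4-2.fc32.x86_64/platform.cpp:54
"""

# "#N  [0xADDR in ]func (args...)"; inlined frames carry no address.
FRAME = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+ in\s+)?([^\s(]*)")
# "at <file>:<line>" closes a frame, possibly on a wrapped continuation line.
SOURCE = re.compile(r"\bat (\S+):(\d+)\s*$")
# Assumption: path prefixes picked to match this trace, not a general mapping.
RULES = [("../src/gallium/", "mesa"), ("../src/egl/", "mesa"), ("/usr/src/debug/kwin-", "kwin")]

def parse_frames(text):
    """Return [{'n', 'func', 'src'}], attaching wrapped source lines to their frame."""
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line)
        if m:
            frames.append({"n": int(m.group(1)), "func": m.group(2) or "??", "src": None})
        s = SOURCE.search(line)
        if s and frames:
            frames[-1]["src"] = s.group(1)
    return frames

def component(src):
    return next((name for prefix, name in RULES if src.startswith(prefix)), "other")

def library_boundary(frames):
    """(component, first, last, caller) for the innermost run of frames with source info."""
    known = [f for f in frames if f["src"]]
    if not known:
        return None
    comp, run = component(known[0]["src"]), []
    for f in known:
        if component(f["src"]) != comp:
            return comp, run[0]["n"], run[-1]["n"], f["func"]
        run.append(f)
    return comp, run[0]["n"], run[-1]["n"], None

if __name__ == "__main__":
    print(library_boundary(parse_frames(SAMPLE_BT)))
```

Frames without source information, such as frame #0 here, are skipped when locating the boundary, so a jump to a bad address does not hide the library that made the call.
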
Comment 1 Matt Fagnani 2020-01-13 03:48:00 UTC
I've reported these crashes at https://gitlab.freedesktop.org/mesa/mesa/issues/2342