Bug 425233 - Crash in KWaylandServer::ShadowInterfacePrivate::~ShadowInterfacePrivate
Summary: Crash in KWaylandServer::ShadowInterfacePrivate::~ShadowInterfacePrivate
Status: RESOLVED FIXED
Alias: None
Product: kwin
Classification: Plasma
Component: wayland-generic
Version: git master
Platform: Compiled Sources Linux
Importance: NOR crash
Target Milestone: ---
Assignee: KWin default assignee
URL:
Keywords:
Duplicates: 426767
Depends on:
Blocks:
 
Reported: 2020-08-11 18:11 UTC by Aleix Pol
Modified: 2020-09-21 14:00 UTC
CC List: 2 users

See Also:
Latest Commit:
Version Fixed In:
Description Aleix Pol 2020-08-11 18:11:44 UTC
I don't really know how to reproduce, it happens sometimes:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007fb659bb1366 in KWaylandServer::BufferInterface::unref (this=0x561234d6f7e0) at /home/apol/devel/frameworks/kwayland-server/src/server/buffer_interface.cpp:239
239         Q_ASSERT(d->refCount > 0);
[Current thread is 1 (Thread 0x7fb65432ed80 (LWP 96536))]
(gdb) where
#0  0x00007fb659bb1366 in KWaylandServer::BufferInterface::unref() (this=0x561234d6f7e0) at /home/apol/devel/frameworks/kwayland-server/src/server/buffer_interface.cpp:239
#1  0x00007fb659c539fc in KWaylandServer::ShadowInterfacePrivate::~ShadowInterfacePrivate() (this=0x561235798650) at /home/apol/devel/frameworks/kwayland-server/src/server/shadow_interface.cpp:337
#2  0x00007fb659c53afc in KWaylandServer::ShadowInterfacePrivate::~ShadowInterfacePrivate() (this=0x561235798650) at /home/apol/devel/frameworks/kwayland-server/src/server/shadow_interface.cpp:332
#3  0x00007fb659c546ab in QScopedPointerDeleter<KWaylandServer::ShadowInterfacePrivate>::cleanup(KWaylandServer::ShadowInterfacePrivate*) (pointer=0x561235798650) at /home/apol/devel/kde5/include/QtCore/qscopedpointer.h:60
#4  0x00007fb659c544d0 in QScopedPointer<KWaylandServer::ShadowInterfacePrivate, QScopedPointerDeleter<KWaylandServer::ShadowInterfacePrivate> >::~QScopedPointer() (this=0x561235625210) at /home/apol/devel/kde5/include/QtCore/qscopedpointer.h:107
#5  0x00007fb659c53bc5 in KWaylandServer::ShadowInterface::~ShadowInterface() (this=0x561235625200) at /home/apol/devel/frameworks/kwayland-server/src/server/shadow_interface.cpp:354
#6  0x00007fb659c53bfc in KWaylandServer::ShadowInterface::~ShadowInterface() (this=0x561235625200) at /home/apol/devel/frameworks/kwayland-server/src/server/shadow_interface.cpp:354
#7  0x00007fb659c53636 in KWaylandServer::ShadowInterfacePrivate::org_kde_kwin_shadow_destroy_resource(QtWaylandServer::org_kde_kwin_shadow::Resource*) (this=0x561235798650, resource=0x5612357315a0) at /home/apol/devel/frameworks/kwayland-server/src/server/shadow_interface.cpp:246
#8  0x00007fb659cb8c2a in QtWaylandServer::org_kde_kwin_shadow::destroy_func(wl_resource*) (client_resource=0x5612357fbc80) at src/server/qwayland-server-shadow.cpp:320
#9  0x00007fb657361e90 in  () at /usr/lib/libwayland-server.so.0
#10 0x00007fb657361f11 in wl_resource_destroy () at /usr/lib/libwayland-server.so.0
#11 0x00007fb659c535ed in KWaylandServer::ShadowInterfacePrivate::org_kde_kwin_shadow_destroy(QtWaylandServer::org_kde_kwin_shadow::Resource*) (this=0x561235798650, resource=0x5612357315a0) at /home/apol/devel/frameworks/kwayland-server/src/server/shadow_interface.cpp:240
#12 0x00007fb659cb9105 in QtWaylandServer::org_kde_kwin_shadow::handle_destroy(wl_client*, wl_resource*) (client=0x5612356fa860, resource=0x5612357fbc80) at src/server/qwayland-server-shadow.cpp:584
#13 0x00007fb6548eda8d in  () at /usr/lib/libffi.so.7
#14 0x00007fb6548ed01b in  () at /usr/lib/libffi.so.7
#15 0x00007fb657365f62 in  () at /usr/lib/libwayland-server.so.0
#16 0x00007fb6573622dc in  () at /usr/lib/libwayland-server.so.0
#17 0x00007fb657363faa in wl_event_loop_dispatch () at /usr/lib/libwayland-server.so.0
#18 0x00007fb659bbfb8e in KWaylandServer::Display::Private::dispatch() (this=0x561233ab8190) at /home/apol/devel/frameworks/kwayland-server/src/server/display.cpp:134
#19 0x00007fb659bc6828 in KWaylandServer::Display::Private::installSocketNotifier()::$_0::operator()() const (this=0x5612346a6a60) at /home/apol/devel/frameworks/kwayland-server/src/server/display.cpp:103
#20 0x00007fb659bc67d6 in QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, KWaylandServer::Display::Private::installSocketNotifier()::$_0>::call(KWaylandServer::Display::Private::installSocketNotifier()::$_0&, void**) (f=..., arg=0x7ffec3344ec0) at /home/apol/devel/kde5/include/QtCore/qobjectdefs_impl.h:146
#21 0x00007fb659bc67a1 in QtPrivate::Functor<KWaylandServer::Display::Private::installSocketNotifier()::$_0, 0>::call<QtPrivate::List<>, void>(KWaylandServer::Display::Private::installSocketNotifier()::$_0&, void*, void**) (f=..., arg=0x7ffec3344ec0) at /home/apol/devel/kde5/include/QtCore/qobjectdefs_impl.h:256
#22 0x00007fb659bc674c in QtPrivate::QFunctorSlotObject<KWaylandServer::Display::Private::installSocketNotifier()::$_0, 0, QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) (which=1, this_=0x5612346a6a50, r=0x561233ab8070, a=0x7ffec3344ec0, ret=0x0) at /home/apol/devel/kde5/include/QtCore/qobjectdefs_impl.h:443
#23 0x00007fb65875ff06 in QtPrivate::QSlotObjectBase::call(QObject*, void**) (a=0x7ffec3344ec0, r=0x561233ab8070, this=0x5612346a6a50) at ../../include/QtCore/../../../../../devel/frameworks/qt5/qtbase/src/corelib/kernel/qobjectdefs_impl.h:398
#24 doActivate<false>(QObject*, int, void**) (sender=0x5612346a6a00, signal_index=3, argv=argv@entry=0x7ffec3344ec0) at /home/apol/devel/frameworks/qt5/qtbase/src/corelib/kernel/qobject.cpp:3886
#25 0x00007fb658759260 in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (sender=sender@entry=0x5612346a6a00, m=m@entry=0x7fb6589f8b00 <QSocketNotifier::staticMetaObject>, local_signal_index=local_signal_index@entry=0, argv=argv@entry=0x7ffec3344ec0) at /home/apol/devel/frameworks/qt5/qtbase/src/corelib/kernel/qobject.cpp:3946
#26 0x00007fb65876333f in QSocketNotifier::activated(QSocketDescriptor, QSocketNotifier::Type, QSocketNotifier::QPrivateSignal) (this=this@entry=0x5612346a6a00, _t1=..., _t2=<optimized out>, _t3=...) at .moc/moc_qsocketnotifier.cpp:178
#27 0x00007fb658763b3b in QSocketNotifier::event(QEvent*) (this=0x5612346a6a00, e=0x7ffec3344fd0) at /home/apol/devel/frameworks/qt5/qtbase/src/corelib/kernel/qsocketnotifier.cpp:302
#28 0x00007fb65923d11f in QApplicationPrivate::notify_helper(QObject*, QEvent*) (this=<optimized out>, receiver=0x5612346a6a00, e=0x7ffec3344fd0) at /home/apol/devel/frameworks/qt5/qtbase/src/widgets/kernel/qapplication.cpp:3671
#29 0x00007fb658729a3a in QCoreApplication::notifyInternal2(QObject*, QEvent*) (receiver=0x5612346a6a00, event=0x7ffec3344fd0) at ../../include/QtCore/5.15.0/QtCore/private/../../../../../../../../devel/frameworks/qt5/qtbase/src/corelib/thread/qthread_p.h:325
#30 0x00007fb65877e1eb in QEventDispatcherUNIXPrivate::activateSocketNotifiers() (this=0x561233a87cf0) at /home/apol/devel/frameworks/qt5/qtbase/src/corelib/kernel/qeventdispatcher_unix.cpp:304
#31 0x00007fb65877e64b in QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (this=<optimized out>, flags=...) at /home/apol/devel/frameworks/qt5/qtbase/src/corelib/kernel/qeventdispatcher_unix.cpp:511
#32 0x00007fb653daff4d in QUnixEventDispatcherQPA::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (this=<optimized out>, flags=...) at /home/apol/devel/frameworks/qt5/qtbase/src/platformsupport/eventdispatchers/qunixeventdispatcher.cpp:63
#33 0x00007fb6587283fb in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (this=this@entry=0x7ffec3345160, flags=..., flags@entry=...) at ../../include/QtCore/../../../../../devel/frameworks/qt5/qtbase/src/corelib/global/qflags.h:141
#34 0x00007fb658730660 in QCoreApplication::exec() () at ../../include/QtCore/../../../../../devel/frameworks/qt5/qtbase/src/corelib/global/qflags.h:121
#35 0x000056123373ab5f in main(int, char**) (argc=3, argv=0x7ffec3345b48) at /home/apol/devel/frameworks/kwin/main_wayland.cpp:705
Comment 1 Aleix Pol 2020-08-31 01:07:10 UTC
Still getting it:
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f565fc1b2a6 in KWaylandServer::BufferInterface::unref (this=0x55c15efe8e90) at /home/apol/devel/frameworks/kwayland-server/src/server/buffer_interface.cpp:239
239         Q_ASSERT(d->refCount > 0);
[Current thread is 1 (Thread 0x7f565a391d80 (LWP 628))]
(gdb) where
#0  0x00007f565fc1b2a6 in KWaylandServer::BufferInterface::unref() (this=0x55c15efe8e90) at /home/apol/devel/frameworks/kwayland-server/src/server/buffer_interface.cpp:239
#1  0x00007f565fcbd8fc in KWaylandServer::ShadowInterfacePrivate::~ShadowInterfacePrivate() (this=0x55c15f643500) at /home/apol/devel/frameworks/kwayland-server/src/server/shadow_interface.cpp:337
#2  0x00007f565fcbd9fc in KWaylandServer::ShadowInterfacePrivate::~ShadowInterfacePrivate() (this=0x55c15f643500) at /home/apol/devel/frameworks/kwayland-server/src/server/shadow_interface.cpp:332
#3  0x00007f565fcbe5ab in QScopedPointerDeleter<KWaylandServer::ShadowInterfacePrivate>::cleanup(KWaylandServer::ShadowInterfacePrivate*) (pointer=0x55c15f643500) at /home/apol/devel/kde5/include/QtCore/qscopedpointer.h:60
#4  0x00007f565fcbe3d0 in QScopedPointer<KWaylandServer::ShadowInterfacePrivate, QScopedPointerDeleter<KWaylandServer::ShadowInterfacePrivate> >::~QScopedPointer() (this=0x55c15f05cb50) at /home/apol/devel/kde5/include/QtCore/qscopedpointer.h:107
#5  0x00007f565fcbdac5 in KWaylandServer::ShadowInterface::~ShadowInterface() (this=0x55c15f05cb40) at /home/apol/devel/frameworks/kwayland-server/src/server/shadow_interface.cpp:354
#6  0x00007f565fcbdafc in KWaylandServer::ShadowInterface::~ShadowInterface() (this=0x55c15f05cb40) at /home/apol/devel/frameworks/kwayland-server/src/server/shadow_interface.cpp:354
#7  0x00007f565fcbd536 in KWaylandServer::ShadowInterfacePrivate::org_kde_kwin_shadow_destroy_resource(QtWaylandServer::org_kde_kwin_shadow::Resource*) (this=0x55c15f643500, resource=0x55c15f778790) at /home/apol/devel/frameworks/kwayland-server/src/server/shadow_interface.cpp:246
#8  0x00007f565fd224ca in QtWaylandServer::org_kde_kwin_shadow::destroy_func(wl_resource*) (client_resource=0x7f5648029f30) at src/server/qwayland-server-shadow.cpp:320
#9  0x00007f565d3c4e90 in  () at /usr/lib/libwayland-server.so.0
#10 0x00007f565d3c4f11 in wl_resource_destroy () at /usr/lib/libwayland-server.so.0
#11 0x00007f565fcbd4ed in KWaylandServer::ShadowInterfacePrivate::org_kde_kwin_shadow_destroy(QtWaylandServer::org_kde_kwin_shadow::Resource*) (this=0x55c15f643500, resource=0x55c15f778790) at /home/apol/devel/frameworks/kwayland-server/src/server/shadow_interface.cpp:240
#12 0x00007f565fd229a5 in QtWaylandServer::org_kde_kwin_shadow::handle_destroy(wl_client*, wl_resource*) (client=0x55c15f58f550, resource=0x7f5648029f30) at src/server/qwayland-server-shadow.cpp:584
#13 0x00007f565a950a8d in  () at /usr/lib/libffi.so.7
#14 0x00007f565a95001b in  () at /usr/lib/libffi.so.7
#15 0x00007f565d3c8f62 in  () at /usr/lib/libwayland-server.so.0
#16 0x00007f565d3c52dc in  () at /usr/lib/libwayland-server.so.0
#17 0x00007f565d3c6faa in wl_event_loop_dispatch () at /usr/lib/libwayland-server.so.0
#18 0x00007f565fc29ace in KWaylandServer::Display::Private::dispatch() (this=0x55c15d9b5da0) at /home/apol/devel/frameworks/kwayland-server/src/server/display.cpp:134
#19 0x00007f565fc30768 in KWaylandServer::Display::Private::installSocketNotifier()::$_0::operator()() const (this=0x55c15e35e940) at /home/apol/devel/frameworks/kwayland-server/src/server/display.cpp:103
#20 0x00007f565fc30716 in QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, KWaylandServer::Display::Private::installSocketNotifier()::$_0>::call(KWaylandServer::Display::Private::installSocketNotifier()::$_0&, void**) (f=..., arg=0x7ffc04e31ad0) at /home/apol/devel/kde5/include/QtCore/qobjectdefs_impl.h:146
#21 0x00007f565fc306e1 in QtPrivate::Functor<KWaylandServer::Display::Private::installSocketNotifier()::$_0, 0>::call<QtPrivate::List<>, void>(KWaylandServer::Display::Private::installSocketNotifier()::$_0&, void*, void**) (f=..., arg=0x7ffc04e31ad0) at /home/apol/devel/kde5/include/QtCore/qobjectdefs_impl.h:256
#22 0x00007f565fc3068c in QtPrivate::QFunctorSlotObject<KWaylandServer::Display::Private::installSocketNotifier()::$_0, 0, QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) (which=1, this_=0x55c15e35e930, r=0x55c15d9b5c80, a=0x7ffc04e31ad0, ret=0x0) at /home/apol/devel/kde5/include/QtCore/qobjectdefs_impl.h:443
#23 0x00007f565e7c3b06 in QtPrivate::QSlotObjectBase::call(QObject*, void**) (a=0x7ffc04e31ad0, r=0x55c15d9b5c80, this=0x55c15e35e930) at ../../include/QtCore/../../../../../devel/frameworks/qt5/qtbase/src/corelib/kernel/qobjectdefs_impl.h:398
#24 doActivate<false>(QObject*, int, void**) (sender=0x55c15e35e8e0, signal_index=3, argv=argv@entry=0x7ffc04e31ad0) at /home/apol/devel/frameworks/qt5/qtbase/src/corelib/kernel/qobject.cpp:3886
#25 0x00007f565e7bce60 in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (sender=sender@entry=0x55c15e35e8e0, m=m@entry=0x7f565ea5d140 <QSocketNotifier::staticMetaObject>, local_signal_index=local_signal_index@entry=0, argv=argv@entry=0x7ffc04e31ad0) at /home/apol/devel/frameworks/qt5/qtbase/src/corelib/kernel/qobject.cpp:3946
#26 0x00007f565e7c6f3f in QSocketNotifier::activated(QSocketDescriptor, QSocketNotifier::Type, QSocketNotifier::QPrivateSignal) (this=this@entry=0x55c15e35e8e0, _t1=..., _t2=<optimized out>, _t3=...) at .moc/moc_qsocketnotifier.cpp:178
#27 0x00007f565e7c773b in QSocketNotifier::event(QEvent*) (this=0x55c15e35e8e0, e=0x7ffc04e31be0) at /home/apol/devel/frameworks/qt5/qtbase/src/corelib/kernel/qsocketnotifier.cpp:302
#28 0x00007f565f29d14f in QApplicationPrivate::notify_helper(QObject*, QEvent*) (this=<optimized out>, receiver=0x55c15e35e8e0, e=0x7ffc04e31be0) at /home/apol/devel/frameworks/qt5/qtbase/src/widgets/kernel/qapplication.cpp:3630
#29 0x00007f565e78d52a in QCoreApplication::notifyInternal2(QObject*, QEvent*) (receiver=0x55c15e35e8e0, event=0x7ffc04e31be0) at ../../include/QtCore/5.15.1/QtCore/private/../../../../../../../../devel/frameworks/qt5/qtbase/src/corelib/thread/qthread_p.h:325
#30 0x00007f565e7e1deb in QEventDispatcherUNIXPrivate::activateSocketNotifiers() (this=0x55c15d962d00) at /home/apol/devel/frameworks/qt5/qtbase/src/corelib/kernel/qeventdispatcher_unix.cpp:304
#31 0x00007f565e7e224b in QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (this=<optimized out>, flags=...) at /home/apol/devel/frameworks/qt5/qtbase/src/corelib/kernel/qeventdispatcher_unix.cpp:511
#32 0x00007f5659e1017d in QUnixEventDispatcherQPA::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (this=<optimized out>, flags=...) at /home/apol/devel/frameworks/qt5/qtbase/src/platformsupport/eventdispatchers/qunixeventdispatcher.cpp:63
#33 0x00007f565e78beeb in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (this=this@entry=0x7ffc04e31d70, flags=..., flags@entry=...) at ../../include/QtCore/../../../../../devel/frameworks/qt5/qtbase/src/corelib/global/qflags.h:141
#34 0x00007f565e794160 in QCoreApplication::exec() () at ../../include/QtCore/../../../../../devel/frameworks/qt5/qtbase/src/corelib/global/qflags.h:121
#35 0x000055c15d3aab9f in main(int, char**) (argc=3, argv=0x7ffc04e32758) at /home/apol/devel/frameworks/kwin/main_wayland.cpp:706
Comment 2 Vlad Zahorodnii 2020-08-31 06:24:44 UTC
> Still getting it:

Have you found a way to reproduce the bug?
Comment 3 Vlad Zahorodnii 2020-08-31 06:40:57 UTC
Do you remember what application was active at the moment of the crash?
Comment 4 Vlad Zahorodnii 2020-08-31 06:43:31 UTC
My wild guess is that a popup window, e.g. a tooltip or a context menu, got dismissed.
Comment 5 Aleix Pol 2020-08-31 10:19:06 UTC
I think it was a KDevelop tooltip last thing I saw. In the end it's hard to tell, since it happens when moving the cursor over the screen.
Comment 6 Aleix Pol 2020-09-02 13:55:21 UTC
It definitely happens often with KDevelop popups. But then it might just be because it's one of the apps I use the most.
Comment 7 Aleix Pol 2020-09-10 21:31:40 UTC
I had it mid pubquiz :(

#0  0x00007f7deb1712c6 in KWaylandServer::BufferInterface::unref() (this=0x55af77408d90) at /home/apol/devel/frameworks/kwayland-server/src/server/buffer_interface.cpp:239
#1  0x00007f7deb21724c in KWaylandServer::ShadowInterfacePrivate::~ShadowInterfacePrivate() (this=0x55af7759dde0) at /home/apol/devel/frameworks/kwayland-server/src/server/shadow_interface.cpp:337
#2  0x00007f7deb21734c in KWaylandServer::ShadowInterfacePrivate::~ShadowInterfacePrivate() (this=0x55af7759dde0) at /home/apol/devel/frameworks/kwayland-server/src/server/shadow_interface.cpp:332
#3  0x00007f7deb217efb in QScopedPointerDeleter<KWaylandServer::ShadowInterfacePrivate>::cleanup(KWaylandServer::ShadowInterfacePrivate*) (pointer=0x55af7759dde0) at /home/apol/devel/kde5/include/QtCore/qscopedpointer.h:60
#4  0x00007f7deb217d20 in QScopedPointer<KWaylandServer::ShadowInterfacePrivate, QScopedPointerDeleter<KWaylandServer::ShadowInterfacePrivate> >::~QScopedPointer() (this=0x55af772e8cb0) at /home/apol/devel/kde5/include/QtCore/qscopedpointer.h:107
#5  0x00007f7deb217415 in KWaylandServer::ShadowInterface::~ShadowInterface() (this=0x55af772e8ca0) at /home/apol/devel/frameworks/kwayland-server/src/server/shadow_interface.cpp:354
#6  0x00007f7deb21744c in KWaylandServer::ShadowInterface::~ShadowInterface() (this=0x55af772e8ca0) at /home/apol/devel/frameworks/kwayland-server/src/server/shadow_interface.cpp:354
#7  0x00007f7deb216e86 in KWaylandServer::ShadowInterfacePrivate::org_kde_kwin_shadow_destroy_resource(QtWaylandServer::org_kde_kwin_shadow::Resource*) (this=0x55af7759dde0, resource=0x55af76bcf230) at /home/apol/devel/frameworks/kwayland-server/src/server/shadow_interface.cpp:246
#8  0x00007f7deb27b56a in QtWaylandServer::org_kde_kwin_shadow::destroy_func(wl_resource*) (client_resource=0x55af775d6d80) at src/server/qwayland-server-shadow.cpp:320
#9  0x00007f7deb0a7e90 in  () at /usr/lib/libwayland-server.so.0
#10 0x00007f7deb0a7f11 in wl_resource_destroy () at /usr/lib/libwayland-server.so.0
#11 0x00007f7deb216e3d in KWaylandServer::ShadowInterfacePrivate::org_kde_kwin_shadow_destroy(QtWaylandServer::org_kde_kwin_shadow::Resource*) (this=0x55af7759dde0, resource=0x55af76bcf230) at /home/apol/devel/frameworks/kwayland-server/src/server/shadow_interface.cpp:240
#12 0x00007f7deb27ba45 in QtWaylandServer::org_kde_kwin_shadow::handle_destroy(wl_client*, wl_resource*) (client=0x55af756ea500, resource=0x55af775d6d80) at src/server/qwayland-server-shadow.cpp:584
#13 0x00007f7de87f2a8d in  () at /usr/lib/libffi.so.7
#14 0x00007f7de87f201b in  () at /usr/lib/libffi.so.7
#15 0x00007f7deb0abf62 in  () at /usr/lib/libwayland-server.so.0
#16 0x00007f7deb0a82dc in  () at /usr/lib/libwayland-server.so.0
#17 0x00007f7deb0a9faa in wl_event_loop_dispatch () at /usr/lib/libwayland-server.so.0
#18 0x00007f7deb17faee in KWaylandServer::Display::Private::dispatch() (this=0x55af7390e840) at /home/apol/devel/frameworks/kwayland-server/src/server/display.cpp:135
#19 0x00007f7deb186998 in KWaylandServer::Display::Private::installSocketNotifier()::$_0::operator()() const (this=0x55af74476e10) at /home/apol/devel/frameworks/kwayland-server/src/server/display.cpp:104
#20 0x00007f7deb186946 in QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, KWaylandServer::Display::Private::installSocketNotifier()::$_0>::call(KWaylandServer::Display::Private::installSocketNotifier()::$_0&, void**) (f=..., arg=0x7fff1566e930) at /home/apol/devel/kde5/include/QtCore/qobjectdefs_impl.h:146
#21 0x00007f7deb186911 in QtPrivate::Functor<KWaylandServer::Display::Private::installSocketNotifier()::$_0, 0>::call<QtPrivate::List<>, void>(KWaylandServer::Display::Private::installSocketNotifier()::$_0&, void*, void**) (f=..., arg=0x7fff1566e930) at /home/apol/devel/kde5/include/QtCore/qobjectdefs_impl.h:256
#22 0x00007f7deb1868bc in QtPrivate::QFunctorSlotObject<KWaylandServer::Display::Private::installSocketNotifier()::$_0, 0, QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) (which=1, this_=0x55af74476e00, r=0x55af7390e720, a=0x7fff1566e930, ret=0x0) at /home/apol/devel/kde5/include/QtCore/qobjectdefs_impl.h:443
#23 0x00007f7de9d1cb06 in QtPrivate::QSlotObjectBase::call(QObject*, void**) (a=0x7fff1566e930, r=0x55af7390e720, this=0x55af74476e00) at ../../include/QtCore/../../../../../devel/frameworks/qt5/qtbase/src/corelib/kernel/qobjectdefs_impl.h:398
#24 doActivate<false>(QObject*, int, void**) (sender=0x55af74476e60, signal_index=3, argv=argv@entry=0x7fff1566e930) at /home/apol/devel/frameworks/qt5/qtbase/src/corelib/kernel/qobject.cpp:3886
#25 0x00007f7de9d15e60 in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (sender=sender@entry=0x55af74476e60, m=m@entry=0x7f7de9fb6140 <QSocketNotifier::staticMetaObject>, local_signal_index=local_signal_index@entry=0, argv=argv@entry=0x7fff1566e930) at /home/apol/devel/frameworks/qt5/qtbase/src/corelib/kernel/qobject.cpp:3946
#26 0x00007f7de9d1ff3f in QSocketNotifier::activated(QSocketDescriptor, QSocketNotifier::Type, QSocketNotifier::QPrivateSignal) (this=this@entry=0x55af74476e60, _t1=..., _t2=<optimized out>, _t3=...) at .moc/moc_qsocketnotifier.cpp:178
#27 0x00007f7de9d2073b in QSocketNotifier::event(QEvent*) (this=0x55af74476e60, e=0x7fff1566ea40) at /home/apol/devel/frameworks/qt5/qtbase/src/corelib/kernel/qsocketnotifier.cpp:302
#28 0x00007f7dea7f614f in QApplicationPrivate::notify_helper(QObject*, QEvent*) (this=<optimized out>, receiver=0x55af74476e60, e=0x7fff1566ea40) at /home/apol/devel/frameworks/qt5/qtbase/src/widgets/kernel/qapplication.cpp:3630
#29 0x00007f7de9ce652a in QCoreApplication::notifyInternal2(QObject*, QEvent*) (receiver=0x55af74476e60, event=0x7fff1566ea40) at ../../include/QtCore/5.15.1/QtCore/private/../../../../../../../../devel/frameworks/qt5/qtbase/src/corelib/thread/qthread_p.h:325
#30 0x00007f7de9d3adeb in QEventDispatcherUNIXPrivate::activateSocketNotifiers() (this=0x55af738cc410) at /home/apol/devel/frameworks/qt5/qtbase/src/corelib/kernel/qeventdispatcher_unix.cpp:304
#31 0x00007f7de9d3b24b in QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (this=<optimized out>, flags=...) at /home/apol/devel/frameworks/qt5/qtbase/src/corelib/kernel/qeventdispatcher_unix.cpp:511
#32 0x00007f7de537e13d in QUnixEventDispatcherQPA::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (this=<optimized out>, flags=...) at /home/apol/devel/frameworks/qt5/qtbase/src/platformsupport/eventdispatchers/qunixeventdispatcher.cpp:63
#33 0x00007f7de9ce4eeb in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (this=this@entry=0x7fff1566ebd0, flags=..., flags@entry=...) at ../../include/QtCore/../../../../../devel/frameworks/qt5/qtbase/src/corelib/global/qflags.h:141
#34 0x00007f7de9ced160 in QCoreApplication::exec() () at ../../include/QtCore/../../../../../devel/frameworks/qt5/qtbase/src/corelib/global/qflags.h:121
#35 0x000055af71b096cd in main(int, char**) (argc=<optimized out>, argv=<optimized out>) at /home/apol/devel/frameworks/kwin/main_wayland.cpp:702
Comment 8 Vlad Zahorodnii 2020-09-21 06:58:47 UTC
*** Bug 426767 has been marked as a duplicate of this bug. ***
Comment 9 Vlad Zahorodnii 2020-09-21 10:05:20 UTC
The problem is that KWaylandServer delays destruction of BufferInterface objects. This is a huge issue because kwayland-integration re-uses buffer objects in order to keep memory footprint as low as possible.

So, if an application has destroyed a shadow and immediately creates a new shadow, it's highly possible that the new shadow will have references to defunct buffer objects, i.e. we have a use-after-free bug.
Comment 10 Vlad Zahorodnii 2020-09-21 13:59:02 UTC
Git commit fcfdab060edea0aa161b45b85fe9621bbee301e0 by Vlad Zahorodnii.
Committed on 21/09/2020 at 13:58.
Pushed by vladz into branch 'master'.

Keep unreferenced buffers around

One problem with delaying destruction of buffer objects is that the
compositor may create a shadow that references defunct buffers.

One way to fix that issue is to immediately destroy buffers. However,
there is another way to address the issue - keep released buffers alive.

If a buffer is kept alive by the client, then it will most likely be
used again. It also simplifies buffer management.

M  +0    -1    src/server/buffer_interface.cpp

https://invent.kde.org/plasma/kwayland-server/commit/fcfdab060edea0aa161b45b85fe9621bbee301e0
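The lifetime problem diagnosed in comment 9 and addressed by the commit in comment 10, as an added C++ model that is not kwayland-server code: a shadow takes a reference on a server-side buffer wrapper, the client destroys the shadow and immediately creates another one that re-uses the same buffer resource, and the deferred deletion queued when the refcount hit zero then tears the wrapper down underneath the new shadow. The names `Buffer`, `BufferRegistry`, `Shadow`, `Policy` and the resource id `7` are assumptions standing in for `BufferInterface`, `ShadowInterface` and a client `wl_buffer`; the `DeferredDestroy` policy models the delayed destruction described in comment 9, and `KeepAlive` models the fix of keeping released buffers around.

```cpp
// Added model of the buffer-lifetime bug from comments 9 and 10; not project code.
#include <cassert>
#include <cstdio>
#include <map>
#include <memory>
#include <vector>

// What the server does with a buffer wrapper once its refcount reaches zero.
enum class Policy { DeferredDestroy, KeepAlive };

struct Buffer {
    int resourceId = 0;       // stands in for the client's wl_buffer resource
    int refCount = 0;
    bool destroyed = false;   // set once the server has torn the wrapper down
};

class BufferRegistry {
public:
    explicit BufferRegistry(Policy p) : m_policy(p) {}

    // Wrapper lookup: a client buffer that is still alive (and re-used by the
    // client to keep memory low) maps to the same server-side object.
    Buffer *get(int resourceId) {
        auto it = m_buffers.find(resourceId);
        if (it != m_buffers.end()) return it->second.get();
        auto buf = std::make_unique<Buffer>();
        buf->resourceId = resourceId;
        Buffer *raw = buf.get();
        m_buffers[resourceId] = std::move(buf);
        return raw;
    }

    void ref(Buffer *b) { ++b->refCount; }

    // Returns false when the caller touched a wrapper that was already torn
    // down: the access that trips Q_ASSERT(d->refCount > 0) in the real crash.
    bool unref(Buffer *b) {
        if (b->destroyed) return false;
        --b->refCount;
        if (b->refCount == 0 && m_policy == Policy::DeferredDestroy) {
            m_pendingDelete.push_back(b);   // like deleteLater(): runs on a later event loop pass
        }
        return true;
    }

    // The deferred deletion does not re-check the refcount, so a wrapper that
    // was re-referenced in the meantime is destroyed anyway.
    void runDeferredDeletions() {
        for (Buffer *b : m_pendingDelete) b->destroyed = true;  // real code frees memory here
        m_pendingDelete.clear();
    }

private:
    Policy m_policy;
    std::map<int, std::unique_ptr<Buffer>> m_buffers;
    std::vector<Buffer *> m_pendingDelete;
};

// A shadow holds a reference on its buffer for as long as it exists.
struct Shadow {
    Buffer *buffer = nullptr;
};

Shadow createShadow(BufferRegistry &reg, int bufferResourceId) {
    Shadow s;
    s.buffer = reg.get(bufferResourceId);
    reg.ref(s.buffer);
    return s;
}

bool destroyShadow(BufferRegistry &reg, Shadow &s) {
    bool live = reg.unref(s.buffer);
    s.buffer = nullptr;
    return live;
}

// The sequence from comment 9: destroy a shadow, immediately create a new one
// that re-uses the same client buffer, then let the event loop run. Returns
// true only if every buffer access in the sequence hit a live wrapper.
bool runPopupCycle(Policy policy) {
    BufferRegistry reg(policy);
    const int tooltipBuffer = 7;   // constructed resource id

    Shadow first = createShadow(reg, tooltipBuffer);
    if (!destroyShadow(reg, first)) return false;     // refcount 0: deferred delete queued under the buggy policy

    Shadow second = createShadow(reg, tooltipBuffer); // same wrapper, refcount back to 1
    reg.runDeferredDeletions();                       // buggy policy tears the wrapper down regardless

    return destroyShadow(reg, second);                // false when the wrapper is already gone
}

int main() {
    std::printf("deferred destroy: %s\n", runPopupCycle(Policy::DeferredDestroy) ? "ok" : "use-after-free");
    std::printf("keep alive:       %s\n", runPopupCycle(Policy::KeepAlive) ? "ok" : "use-after-free");
    return 0;
}
```

The model flags the torn-down wrapper instead of freeing it so the run stays defined; in the real server the second shadow's pointer refers to freed memory, which is why the failure shows up as an assertion inside `BufferInterface::unref()` rather than a clean error. The fix keeps the wrapper alive until the client itself drops the buffer resource, so a zero refcount no longer schedules anything.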
Comment 11 Vlad Zahorodnii 2020-09-21 14:00:12 UTC
Git commit 2b1970754d96f92d3938f6912a757c82ce00b49e by Vlad Zahorodnii.
Committed on 21/09/2020 at 14:00.
Pushed by vladz into branch 'Plasma/5.20'.

Keep unreferenced buffers around

One problem with delaying destruction of buffer objects is that the
compositor may create a shadow that references defunct buffers.

One way to fix that issue is to immediately destroy buffers. However,
there is another way to address the issue - keep released buffers alive.

If a buffer is kept alive by the client, then it will most likely be
used again. It also simplifies buffer management.


(cherry picked from commit fcfdab060edea0aa161b45b85fe9621bbee301e0)

M  +0    -1    src/server/buffer_interface.cpp

https://invent.kde.org/plasma/kwayland-server/commit/2b1970754d96f92d3938f6912a757c82ce00b49e