Bug 429086 - kwin_wayland segmentation faulted in QScopedPointer<KWaylandServer::SurfaceInterfacePrivate, QScopedPointerDeleter<KWaylandServer::SurfaceInterfacePrivate> >::operator->() when using Firefox
Status: RESOLVED FIXED
Alias: None
Product: kwin
Classification: Plasma
Component: wayland-generic
Version: 5.20.4
Platform: Fedora RPMs Linux
Importance: NOR normal
Target Milestone: ---
Assignee: KWin default assignee
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-11-14 10:58 UTC by Matt Fagnani
Modified: 2021-10-01 13:03 UTC
2 users

See Also:
Latest Commit:
Version Fixed In:


Attachments
Full trace of all threads of kwin_wayland segmentation fault (72.69 KB, text/plain)
2020-11-14 10:58 UTC, Matt Fagnani

Description Matt Fagnani 2020-11-14 10:58:01 UTC
Created attachment 133325
Full trace of all threads of kwin_wayland segmentation fault

SUMMARY

I was using Plasma 5.20.3 on Wayland in Fedora 33. I started Firefox Nightly 74.0a1 (2020-11-13) on Wayland. I clicked on Bookmarks in the menu bar and moved the cursor down over the bookmarks folders. The contents of one of the bookmarks folders didn't appear, but the contents of a folder within that folder appeared. Plasma froze for a few seconds. kwin_wayland segmentation faulted in QScopedPointer<KWaylandServer::SurfaceInterfacePrivate, QScopedPointerDeleter<KWaylandServer::SurfaceInterfacePrivate> >::operator->()
at /usr/include/qt5/QtCore/qscopedpointer.h:116 in qt5-qtbase-devel-0:5.15.1-7.fc33.x86_64. The pointer this=0x10 in frame 0 was likely invalid, which might be due to this=0x0 in KWaylandServer::SurfaceInterface::subSurface in frame 1.

Core was generated by `/usr/bin/kwin_wayland --xwayland --exit-with-session=/usr/libexec/startplasma-w'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  QScopedPointer<KWaylandServer::SurfaceInterfacePrivate, QScopedPointerDeleter<KWaylandServer::SurfaceInterfacePrivate> >::operator-> (this=0x10) at /usr/include/qt5/QtCore/qscopedpointer.h:116
116         T *operator->() const noexcept
[Current thread is 1 (Thread 0x7fbde6c82e00 (LWP 1152))]
(gdb) bt
#0  QScopedPointer<KWaylandServer::SurfaceInterfacePrivate, QScopedPointerDeleter<KWaylandServer::SurfaceInterfacePrivate> >::operator->() const (this=0x10)
    at /usr/include/qt5/QtCore/qscopedpointer.h:116
#1  KWaylandServer::SurfaceInterface::subSurface() const (this=0x0)
    at /usr/src/debug/kwayland-server-5.20.3-1.fc33.x86_64/src/server/surface_interface.cpp:792
#2  0x00007fbde83ccfac in KWaylandServer::SubSurfaceInterface::Private::setMode(KWaylandServer::SubSurfaceInterface::Mode)
    (this=0x56071aaffb10, m=KWaylandServer::SubSurfaceInterface::Mode::Desynchronized)
    at /usr/src/debug/kwayland-server-5.20.3-1.fc33.x86_64/src/server/subcompositor_interface.cpp:275
#3  0x00007fbde42dcb10 in ffi_call_unix64 () at ../src/x86/unix64.S:76
#4  0x00007fbde42dc0a3 in ffi_call
    (cif=cif@entry=0x7ffeb1593f70, fn=<optimized out>, rvalue=<optimized out>, 
    rvalue@entry=0x0, avalue=avalue@entry=0x7ffeb1594040) at ../src/x86/ffi64.c:525
#5  0x00007fbde5606fd5 in wl_closure_invoke
    (closure=closure@entry=0x56071ac12b70, target=<optimized out>, 
    target@entry=0x56071ac70020, opcode=opcode@entry=5, data=<optimized out>, 
    data@entry=0x56071abfdc60, flags=<optimized out>) at src/connection.c:1018
#6  0x00007fbde560aecc in wl_client_connection_data
    (fd=<optimized out>, mask=<optimized out>, data=<optimized out>) at src/wayland-server.c:432
#7  0x00007fbde5609ac2 in wl_event_loop_dispatch (loop=0x5607199cbb90, timeout=<optimized out>)
    at src/event-loop.c:1027
#8  0x00007fbde8389f13 in KWaylandServer::Display::Private::dispatch() (this=<optimized out>)
    at /usr/src/debug/kwayland-server-5.20.3-1.fc33.x86_64/src/server/display.cpp:135
#9  0x00007fbde725e256 in QtPrivate::QSlotObjectBase::call(QObject*, void**)
    (a=0x7ffeb1594650, r=0x5607199d71a0, this=0x56071a390d50)
    at ../../include/QtCore/../../src/corelib/kernel/qobjectdefs_impl.h:398
#10 doActivate<false>(QObject*, int, void**) (sender=0x56071a395430, signal_index=3, argv=0x7ffeb1594650) at kernel/qobject.cpp:3886
#11 0x00007fbde7261476 in QSocketNotifier::activated(QSocketDescriptor, QSocketNotifier::Type, QSocketNotifier::QPrivateSignal) (this=this@entry=0x56071a395430, _t1=..., _t2=<optimized out>, _t3=...) at .moc/moc_qsocketnotifier.cpp:178
#12 0x00007fbde7261be9 in QSocketNotifier::event(QEvent*) (this=0x56071a395430, e=0x7ffeb1594770) at kernel/qsocketnotifier.cpp:302
#13 0x00007fbde7c2615f in QApplicationPrivate::notify_helper(QObject*, QEvent*) (this=<optimized out>, receiver=0x56071a395430, e=0x7ffeb1594770) at kernel/qapplication.cpp:3630
#14 0x00007fbde722fbe8 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (receiver=0x56071a395430, event=0x7ffeb1594770) at kernel/qcoreapplication.cpp:1063
#15 0x00007fbde7277ece in QEventDispatcherUNIXPrivate::activateSocketNotifiers() (this=0x56071999ab40) at kernel/qeventdispatcher_unix.cpp:304
#16 0x00007fbde7278254 in QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (this=<optimized out>, flags=...) at kernel/qeventdispatcher_unix.cpp:511
#17 0x00007fbdd413c3ad in QUnixEventDispatcherQPA::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () at /usr/lib64/qt5/plugins/platforms/KWinQpaPlugin.so
#18 0x00007fbde722e64b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (this=0x7ffeb15948e0, flags=...) at ../../include/QtCore/../../src/corelib/global/qflags.h:69
#19 0x00007fbde7236010 in QCoreApplication::exec() () at ../../include/QtCore/../../src/corelib/global/qflags.h:121
#20 0x000056071912356e in main(int, char**) (argc=<optimized out>, argv=0x7ffeb1594b00) at /usr/src/debug/kwin-5.20.3-1.fc33.x86_64/main_wayland.cpp:702


STEPS TO REPRODUCE
1. Boot a Fedora 33 KDE Plasma spin installation with updates-testing enabled
2. Log in to Plasma 5.20.3 on Wayland
3. Start Firefox Nightly 84.0a1
4. Select Bookmarks
5. Move the cursor over bookmarks folders which contain folders until the crash happens. I'm not sure if this specifically is what led to the crash.

OBSERVED RESULT
kwin_wayland segmentation faulted in QScopedPointer<KWaylandServer::SurfaceInterfacePrivate, QScopedPointerDeleter<KWaylandServer::SurfaceInterfacePrivate> >::operator->() when using Firefox

EXPECTED RESULT
No crash would happen

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: Fedora 33
(available in About System)
KDE Plasma Version: 5.20.3
KDE Frameworks Version: 5.75.0
Qt Version: 5.15.1

ADDITIONAL INFORMATION
I've only seen a crash with this trace once, but other similar kwin_wayland crashes happened occasionally, which I reported at https://bugs.kde.org/show_bug.cgi?id=416974 and https://bugs.kde.org/show_bug.cgi?id=423602. I'm attaching the full trace of all threads.
Comment 1 Matt Fagnani 2020-11-20 04:38:34 UTC
I've seen kwin_wayland crashes with this trace four times now. Each crash happened when using Firefox 84.0a1-85.0a1 on Wayland and moving the cursor over the bookmark folders. The folder shown at the time of the crash didn't contain another folder during two of the crashes, so the bookmark folder having another folder in it isn't a requirement for reproducing the crash. Another of the crashes had the contents of a bookmark folder within a folder frozen in a state of disappearing when Plasma crashed.

Firefox on Wayland crashed many times when using the bookmarks folders during the last four months or so in Plasma 5.19.5 and earlier. Segmentation faults happened involving a null pointer dereference in wl_proxy_marshal_constructor at wayland-client.c:830 in libwayland-client-1.18.0-2.fc33.x86_64. The Wayland proxies of the surfaces of the bookmark folders might've been occasionally freed before being used. I reported the Firefox crashes at https://bugzilla.mozilla.org/show_bug.cgi?id=1655282. If the Wayland subsurface of the bookmark folders were sometimes freed before being used, this=0x0 in KWaylandServer::SurfaceInterface::subSurface in frame 1 might be how that would show up. I reported these crashes for Fedora at https://bugzilla.redhat.com/show_bug.cgi?id=1897969.

kwin_wayland core dump files were truncated for other crashes because their uncompressed sizes were above the 2 GB default limit of systemd-coredump (https://bugs.kde.org/show_bug.cgi?id=416974). I changed /etc/systemd/coredump.conf many months ago to have the following values so the kwin_wayland core dumps wouldn't be truncated:
ProcessSizeMax=3G
ExternalSizeMax=3G
Comment 2 Matt Fagnani 2020-12-22 06:47:05 UTC
I've seen kwin_wayland crashes with this trace seven times with Plasma 5.20.3 and six times with 5.20.4. Each crash happened when using Firefox Nightly 84.0a1-86.0a1 on Wayland. All but one crash occurred while moving the cursor over the bookmark folders. One crash happened on the bugs.kde.org Advanced search page when I clicked on a popup box in the Custom Search area: https://bugs.kde.org/query.cgi?format=advanced

I've had WebRender compositing enabled in Firefox by going into about:config and setting gfx.webrender.all=true and gfx.webrender.enabled=true. Having WebRender enabled might be needed for this crash to happen. Robert Mader commented: "It just occurred to me that with WebRender enabled mesa will commit our surface in dri2_wl_swap_buffers_with_damage, which we call in GLContextEGL::SwapBuffers(). So even when using moz_container_wayland_surface_lock there's still a chance that the surface will get committed behind our back, potentially freeing it IIUC.

So maybe we have to extend our surface locking to GLContextEGL::SwapBuffers() as well somehow."
https://bugzilla.mozilla.org/show_bug.cgi?id=1655282#c10

Robert wrote a patch to lock the surface in GLContextEGL::SwapBuffers:
https://bugzilla.mozilla.org/show_bug.cgi?id=1680961

Checking that the pointer this or d isn't null in KWaylandServer::SurfaceInterface::subSurface before surface_interface.cpp:792 might avoid the crash at least until the problem is fixed in Firefox.

QPointer< SubSurfaceInterface > SurfaceInterface::subSurface() const
{
    return d->subSurface;
}
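As an added illustration (not kwayland-server code), the stand-in classes below show why the null SurfaceInterface pointer in frame 1 appears as this=0x10 in frame 0 (the d-pointer sits 16 bytes into the object on x86_64, after QObject's vtable pointer and d_ptr), and how a caller-side null check on the surface avoids the dereference. The simplified layouts and the subSurfaceOrNull helper are assumptions, not kwayland-server's API.

```cpp
// Added illustration, not kwayland-server code: a null Surface* reaching
// subSurface() faults at &null->d, so frame 0 shows this=0x10 while frame 1
// shows this=0x0. Layouts are simplified stand-ins (assumes x86_64 ABI).
#include <cstddef>
#include <cstdint>
#include <memory>

struct ObjectData { int refs = 0; };

// Stand-in for QObject: vtable pointer plus d_ptr, 16 bytes on x86_64.
struct Object {
    virtual ~Object() = default;
    std::unique_ptr<ObjectData> d_ptr{new ObjectData};
};

struct SubSurface { int mode = 0; };
struct SurfacePrivate { SubSurface *subSurface = nullptr; };

// Stand-in for SurfaceInterface: its own d-pointer sits right after the base.
struct Surface : Object {
    std::unique_ptr<SurfacePrivate> d{new SurfacePrivate};
    // Mirrors the accessor quoted above: calling it through a null Surface*
    // is undefined behaviour and in practice a read at the offset of d.
    SubSurface *subSurface() const { return d->subSurface; }
};

// Byte offset of Surface::d in a live object; equals the faulting
// address (0x10) in the backtrace when the layout matches.
std::size_t dPointerOffset() {
    Surface s;
    return reinterpret_cast<std::uintptr_t>(&s.d) - reinterpret_cast<std::uintptr_t>(&s);
}

// Caller-side guard (hypothetical helper): the null check belongs where the
// possibly-destroyed surface is looked up, before any member call on it.
SubSurface *subSurfaceOrNull(const Surface *surface) {
    if (!surface) {
        return nullptr;  // surface already gone: nothing to update
    }
    return surface->subSurface();
}

// Sanity check on a live surface: the guard passes the lookup through.
bool liveSurfaceLookupWorks() {
    Surface s;
    SubSurface sub;
    s.d->subSurface = &sub;
    return subSurfaceOrNull(&s) == &sub;
}
```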
Comment 3 Vlad Zahorodnii 2021-10-01 12:48:24 UTC
We've changed the handling of inert subsurfaces. Is this issue still actual?
Comment 4 Matt Fagnani 2021-10-01 13:03:17 UTC
(In reply to Vlad Zahorodnii from comment #3)
> We've changed the handling of inert subsurfaces. Is this issue still actual?

I haven't seen this type of crash in many months. I think it might've been fixed in Firefox. Thanks.