436500 – Crash when opening then closing a display

Bug 436500 - Crash when opening then closing a display

Summary: Crash when opening then closing a display

Status:	RESOLVED FIXED

Alias:	None

Product:	kwin
Classification:	Plasma
Component:	wayland-generic (show other bugs)
Version:	git master
Platform:	Other Linux

Importance:	NOR normal
Target Milestone:	---
Assignee:	KWin default assignee

URL:
Keywords:

Depends on:
Blocks:

Reported:	2021-05-02 19:37 UTC by Aleix Pol
Modified:	2021-05-04 19:19 UTC (History)
CC List:	0 users

See Also:
Latest Commit:	https://invent.kde.org/plasma/kwin/commit/5bd938f0f0766f80f4bfc3378279323a7175ea1e
Version Fixed In:

Attachments
Add an attachment

Note You need to log in before you can comment on or make changes to this bug.

Description Aleix Pol 2021-05-02 19:37:21 UTC

Here's a detailed valgrind backtrace that shows how certain egl pointers are cleaned up twice.

==15995== Invalid read of size 8                                                                                                                                                                                                                                                                                                                                                                                                        [162/1932]
==15995==    at 0x11EE0B0F: ??? (in /usr/lib/libEGL_mesa.so.0.0.0)
==15995==    by 0xEA60B25: KWin::GbmSurface::releaseBuffer(gbm_bo*) (devel/frameworks/kwin/src/plugins/platforms/drm/gbm_surface.cpp:41)
==15995==    by 0xEA5F725: KWin::GbmBuffer::~GbmBuffer() (devel/frameworks/kwin/src/plugins/platforms/drm/drm_buffer_gbm.cpp:53)
==15995==    by 0xEA60028: KWin::DrmGbmBuffer::~DrmGbmBuffer() (devel/frameworks/kwin/src/plugins/platforms/drm/drm_buffer_gbm.cpp:87)
==15995==    by 0xEA5E835: QtSharedPointer::ExternalRefCountWithContiguousData<KWin::DrmGbmBuffer>::deleter(QtSharedPointer::ExternalRefCountData*) (devel/kde5/include/QtCore/qsharedpointer_impl.h:248)
==15995==    by 0xEA1CE85: QtSharedPointer::ExternalRefCountData::destroy() (devel/kde5/include/QtCore/qsharedpointer_impl.h:149)
==15995==    by 0xEA3673E: QSharedPointer<KWin::DrmBuffer>::deref(QtSharedPointer::ExternalRefCountData*) (devel/kde5/include/QtCore/qsharedpointer_impl.h:458)
==15995==    by 0xEA366F8: QSharedPointer<KWin::DrmBuffer>::deref() (devel/kde5/include/QtCore/qsharedpointer_impl.h:453)
==15995==    by 0xEA363F4: QSharedPointer<KWin::DrmBuffer>::~QSharedPointer() (devel/kde5/include/QtCore/qsharedpointer_impl.h:310)
==15995==    by 0xEA362FE: QSharedPointer<KWin::DrmBuffer>::operator=(QSharedPointer<KWin::DrmBuffer> const&) (devel/kde5/include/QtCore/qsharedpointer_impl.h:333)
==15995==    by 0xEA3DE95: KWin::DrmPlane::setCurrent(QSharedPointer<KWin::DrmBuffer> const&) (devel/frameworks/kwin/src/plugins/platforms/drm/drm_object_plane.h:81)
==15995==    by 0xEA39379: KWin::DrmOutput::teardown() (devel/frameworks/kwin/src/plugins/platforms/drm/drm_output.cpp:67)
==15995==    by 0xEA48463: KWin::DrmGpu::removeOutput(KWin::DrmOutput*) (devel/frameworks/kwin/src/plugins/platforms/drm/drm_gpu.cpp:426)
==15995==    by 0xEA496B8: KWin::DrmGpu::updateOutputs() (devel/frameworks/kwin/src/plugins/platforms/drm/drm_gpu.cpp:305)
==15995==    by 0xEA1DDC4: KWin::DrmBackend::updateOutputs() (devel/frameworks/kwin/src/plugins/platforms/drm/drm_backend.cpp:336)
==15995==    by 0xEA1FA86: KWin::DrmBackend::handleUdevEvent() (devel/frameworks/kwin/src/plugins/platforms/drm/drm_backend.cpp:266)
==15995==    by 0xEA28910: QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, void (KWin::DrmBackend::*)()>::call(void (KWin::DrmBackend::*)(), KWin::DrmBackend*, void**) (devel/kde5/include/QtCore/qobjectdefs_impl.h:152)
==15995==    by 0xEA28877: void QtPrivate::FunctionPointer<void (KWin::DrmBackend::*)()>::call<QtPrivate::List<>, void>(void (KWin::DrmBackend::*)(), KWin::DrmBackend*, void**) (devel/kde5/include/QtCore/qobjectdefs_impl.h:185)
==15995==    by 0xEA287A4: QtPrivate::QSlotObject<void (KWin::DrmBackend::*)(), QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) (devel/kde5/include/QtCore/qobjectdefs_impl.h:418)
==15995==    by 0x801D3D5: call (qobjectdefs_impl.h:398)
==15995==    by 0x801D3D5: void doActivate<false>(QObject*, int, void**) (qobject.cpp:3886)
==15995==    by 0x802081E: QSocketNotifier::activated(QSocketDescriptor, QSocketNotifier::Type, QSocketNotifier::QPrivateSignal) (moc_qsocketnotifier.cpp:178)
==15995==    by 0x802101A: QSocketNotifier::event(QEvent*) (qsocketnotifier.cpp:302)
==15995==    by 0x6C8517E: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:3632)
==15995==    by 0x7FE6DF9: QCoreApplication::notifyInternal2(QObject*, QEvent*) (qcoreapplication.cpp:1064)
==15995==    by 0x803B54A: QEventDispatcherUNIXPrivate::activateSocketNotifiers() (qeventdispatcher_unix.cpp:304)
==15995==    by 0x803B9AA: QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventdispatcher_unix.cpp:511)
==15995==    by 0x1C66DC: QUnixEventDispatcherQPA::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qunixeventdispatcher.cpp:63)
==15995==    by 0x7FE57AA: QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (qeventloop.cpp:232)
==15995==    by 0x7FEDA2F: QCoreApplication::exec() (qcoreapplication.cpp:1375)
==15995==    by 0x1953CF: main (devel/frameworks/kwin/src/main_wayland.cpp:726)
==15995==  Address 0x1223ebb8 is 552 bytes inside a block of size 808 free'd
==15995==    at 0x483F9AB: free (vg_replace_malloc.c:538)
==15995==    by 0x11EE2AB1: ??? (in /usr/lib/libEGL_mesa.so.0.0.0)
==15995==    by 0x11ECED99: ??? (in /usr/lib/libEGL_mesa.so.0.0.0)
==15995==    by 0xEA546BA: KWin::EglGbmBackend::cleanupOutput(KWin::EglGbmBackend::Output&) (devel/frameworks/kwin/src/plugins/platforms/drm/egl_gbm_backend.cpp:77)
==15995==    by 0xEA56372: KWin::EglGbmBackend::removeOutput(KWin::DrmOutput*) (devel/frameworks/kwin/src/plugins/platforms/drm/egl_gbm_backend.cpp:253)
==15995==    by 0xEA543BB: QtPrivate::FunctorCall<QtPrivate::IndexesList<0>, QtPrivate::List<KWin::DrmOutput*>, void, void (KWin::AbstractEglDrmBackend::*)(KWin::DrmOutput*)>::call(void (KWin::AbstractEglDrmBackend::*)(KWin::DrmOutput*), KWin::AbstractEglDrmBackend*, void**) (devel/kde5/include/QtCore/qobjectdefs_impl.h:152)
==15995==    by 0xEA54317: void QtPrivate::FunctionPointer<void (KWin::AbstractEglDrmBackend::*)(KWin::DrmOutput*)>::call<QtPrivate::List<KWin::DrmOutput*>, void>(void (KWin::AbstractEglDrmBackend::*)(KWin::DrmOutput*), KWin::AbstractEglDrmBackend*, void**) (devel/kde5/include/QtCore/qobjectdefs_impl.h:185)
==15995==    by 0xEA54244: QtPrivate::QSlotObject<void (KWin::AbstractEglDrmBackend::*)(KWin::DrmOutput*), QtPrivate::List<KWin::DrmOutput*>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) (devel/kde5/include/QtCore/qobjectdefs_impl.h:418)
==15995==    by 0x801D3D5: call (qobjectdefs_impl.h:398)
==15995==    by 0x801D3D5: void doActivate<false>(QObject*, int, void**) (qobject.cpp:3886)
==15995==    by 0xEA1BBB5: KWin::DrmGpu::outputDisabled(KWin::DrmOutput*) (moc_drm_gpu.cpp:189)
==15995==    by 0xEA1FEA9: KWin::DrmBackend::removeOutput(KWin::DrmOutput*) (devel/frameworks/kwin/src/plugins/platforms/drm/drm_backend.cpp:321)
==15995==    by 0xEA2A3AB: QtPrivate::FunctorCall<QtPrivate::IndexesList<0>, QtPrivate::List<KWin::DrmOutput*>, void, void (KWin::DrmBackend::*)(KWin::DrmOutput*)>::call(void (KWin::DrmBackend::*)(KWin::DrmOutput*), KWin::DrmBackend*, void**) (devel/kde5/include/QtCore/qobjectdefs_impl.h:152)
==15995==    by 0xEA2A307: void QtPrivate::FunctionPointer<void (KWin::DrmBackend::*)(KWin::DrmOutput*)>::call<QtPrivate::List<KWin::DrmOutput*>, void>(void (KWin::DrmBackend::*)(KWin::DrmOutput*), KWin::DrmBackend*, void**) (devel/kde5/include/QtCore/qobjectdefs_impl.h:185)
==15995==    by 0xEA2A234: QtPrivate::QSlotObject<void (KWin::DrmBackend::*)(KWin::DrmOutput*), QtPrivate::List<KWin::DrmOutput*>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) (devel/kde5/include/QtCore/qobjectdefs_impl.h:418)
==15995==    by 0x801D3D5: call (qobjectdefs_impl.h:398)
==15995==    by 0x801D3D5: void doActivate<false>(QObject*, int, void**) (qobject.cpp:3886)
==15995==    by 0xEA1BAB5: KWin::DrmGpu::outputRemoved(KWin::DrmOutput*) (moc_drm_gpu.cpp:175)
==15995==    by 0xEA4845A: KWin::DrmGpu::removeOutput(KWin::DrmOutput*) (devel/frameworks/kwin/src/plugins/platforms/drm/drm_gpu.cpp:425)
==15995==    by 0xEA496B8: KWin::DrmGpu::updateOutputs() (devel/frameworks/kwin/src/plugins/platforms/drm/drm_gpu.cpp:305)
==15995==    by 0xEA1DDC4: KWin::DrmBackend::updateOutputs() (devel/frameworks/kwin/src/plugins/platforms/drm/drm_backend.cpp:336)
==15995==    by 0xEA1FA86: KWin::DrmBackend::handleUdevEvent() (devel/frameworks/kwin/src/plugins/platforms/drm/drm_backend.cpp:266)
==15995==    by 0xEA28910: QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, void (KWin::DrmBackend::*)()>::call(void (KWin::DrmBackend::*)(), KWin::DrmBackend*, void**) (devel/kde5/include/QtCore/qobjectdefs_impl.h:152)
==15995==    by 0xEA28877: void QtPrivate::FunctionPointer<void (KWin::DrmBackend::*)()>::call<QtPrivate::List<>, void>(void (KWin::DrmBackend::*)(), KWin::DrmBackend*, void**) (devel/kde5/include/QtCore/qobjectdefs_impl.h:185)
==15995==    by 0xEA287A4: QtPrivate::QSlotObject<void (KWin::DrmBackend::*)(), QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) (devel/kde5/include/QtCore/qobjectdefs_impl.h:418)
==15995==    by 0x801D3D5: call (qobjectdefs_impl.h:398)
==15995==    by 0x801D3D5: void doActivate<false>(QObject*, int, void**) (qobject.cpp:3886)
==15995==    by 0x802081E: QSocketNotifier::activated(QSocketDescriptor, QSocketNotifier::Type, QSocketNotifier::QPrivateSignal) (moc_qsocketnotifier.cpp:178)
==15995==    by 0x802101A: QSocketNotifier::event(QEvent*) (qsocketnotifier.cpp:302)
==15995==    by 0x6C8517E: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:3632)
==15995==    by 0x7FE6DF9: QCoreApplication::notifyInternal2(QObject*, QEvent*) (qcoreapplication.cpp:1064)
==15995==    by 0x803B54A: QEventDispatcherUNIXPrivate::activateSocketNotifiers() (qeventdispatcher_unix.cpp:304)
==15995==    by 0x803B9AA: QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventdispatcher_unix.cpp:511)
==15995==    by 0x1C66DC: QUnixEventDispatcherQPA::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qunixeventdispatcher.cpp:63)
==15995==    by 0x7FE57AA: QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (qeventloop.cpp:232)
==15995==    by 0x7FEDA2F: QCoreApplication::exec() (qcoreapplication.cpp:1375)
==15995==    by 0x1953CF: main (devel/frameworks/kwin/src/main_wayland.cpp:726)
==15995==  Block was alloc'd at
==15995==    at 0x4840B65: calloc (vg_replace_malloc.c:760)
==15995==    by 0x11EEC4CF: ??? (in /usr/lib/libEGL_mesa.so.0.0.0)
==15995==    by 0x11ECDD34: ??? (in /usr/lib/libEGL_mesa.so.0.0.0)
==15995==    by 0xEA5584C: KWin::EglGbmBackend::createEglSurface(QSharedPointer<KWin::GbmSurface>) const (devel/frameworks/kwin/src/plugins/platforms/drm/egl_gbm_backend.cpp:168)
==15995==    by 0xEA55B1E: KWin::EglGbmBackend::resetOutput(KWin::EglGbmBackend::Output&, KWin::DrmOutput*) (devel/frameworks/kwin/src/plugins/platforms/drm/egl_gbm_backend.cpp:196)
==15995==    by 0xEA55F7B: KWin::EglGbmBackend::addOutput(KWin::DrmOutput*) (devel/frameworks/kwin/src/plugins/platforms/drm/egl_gbm_backend.cpp:216)
==15995==    by 0xEA54FB4: KWin::EglGbmBackend::initRenderingContext() (devel/frameworks/kwin/src/plugins/platforms/drm/egl_gbm_backend.cpp:153)
==15995==    by 0xEA54E45: KWin::EglGbmBackend::init() (devel/frameworks/kwin/src/plugins/platforms/drm/egl_gbm_backend.cpp:130)
==15995==    by 0xEA50D91: KWin::EglMultiBackend::init() (devel/frameworks/kwin/src/plugins/platforms/drm/egl_multi_backend.cpp:41)
==15995==    by 0x11E66B2D: ??? (in /home/apol/devel/kde5/lib64/plugins/org.kde.kwin.scenes/KWinSceneOpenGL.so)
==15995==    by 0x11E75FE2: ??? (in /home/apol/devel/kde5/lib64/plugins/org.kde.kwin.scenes/KWinSceneOpenGL.so)
==15995==    by 0x4D12177: KWin::Compositor::setupStart() (devel/frameworks/kwin/src/composite.cpp:236)
==15995==    by 0x4D140DB: KWin::WaylandCompositor::start() (devel/frameworks/kwin/src/composite.cpp:674)
==15995==    by 0x4D19E20: QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, void (KWin::Compositor::*)()>::call(void (KWin::Compositor::*)(), KWin::Compositor*, void**) (devel/kde5/include/QtCore/qobjectdefs_impl.h:152)
==15995==    by 0x4D19D87: void QtPrivate::FunctionPointer<void (KWin::Compositor::*)()>::call<QtPrivate::List<>, void>(void (KWin::Compositor::*)(), KWin::Compositor*, void**) (devel/kde5/include/QtCore/qobjectdefs_impl.h:185)
==15995==    by 0x4D19CB4: QtPrivate::QSlotObject<void (KWin::Compositor::*)(), QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) (devel/kde5/include/QtCore/qobjectdefs_impl.h:418)
==15995==    by 0x8012E20: QObject::event(QEvent*) (qobject.cpp:1314)
==15995==    by 0x6C8517E: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:3632)
==15995==    by 0x7FE6DF9: QCoreApplication::notifyInternal2(QObject*, QEvent*) (qcoreapplication.cpp:1064)
==15995==    by 0x7FE9830: QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qcoreapplication.cpp:1821)
==15995==    by 0x803B6A9: QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventdispatcher_unix.cpp:468)
==15995==    by 0x1C66DC: QUnixEventDispatcherQPA::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qunixeventdispatcher.cpp:63)
==15995==    by 0x7FE57AA: QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (qeventloop.cpp:232)
==15995==    by 0x7FEDA2F: QCoreApplication::exec() (qcoreapplication.cpp:1375)
==15995==    by 0x1953CF: main (devel/frameworks/kwin/src/main_wayland.cpp:726)
==15995==

Comment 1 Bug Janitor Service 2021-05-02 21:34:35 UTC

A possibly relevant merge request was started @ https://invent.kde.org/plasma/kwin/-/merge_requests/932

Comment 2 Aleix Pol 2021-05-04 19:19:01 UTC

Git commit 5bd938f0f0766f80f4bfc3378279323a7175ea1e by Aleix Pol Gonzalez, on behalf of Xaver Hugl.
Committed on 04/05/2021 at 17:36.
Pushed by zamundaaa into branch 'master'.

platforms/drm: release gbm buffers before eglDestroySurface

M  +2    -0    src/plugins/platforms/drm/drm_buffer.h
M  +12   -1    src/plugins/platforms/drm/drm_buffer_gbm.cpp
M  +4    -0    src/plugins/platforms/drm/drm_buffer_gbm.h
M  +18   -0    src/plugins/platforms/drm/drm_output.cpp
M  +1    -0    src/plugins/platforms/drm/drm_output.h
M  +4    -2    src/plugins/platforms/drm/egl_gbm_backend.cpp

https://invent.kde.org/plasma/kwin/commit/5bd938f0f0766f80f4bfc3378279323a7175ea1e