Bug 447717 - plasmashell crashes when hovering or clicking items on the Panel due to "zwp_linux_buffer_params_v1.add" protocol error
Summary: plasmashell crashes when hovering or clicking items on the Panel due to "zwp_...
Status: RESOLVED FIXED
Alias: None
Product: plasmashell
Classification: Plasma
Component: Panel (show other bugs)
Version: 5.23.4
Platform: Manjaro Linux
: NOR crash
Target Milestone: 1.0
Assignee: Eike Hein
URL:
Keywords: wayland
: 445409 445778 449194 449351 451319 460311 460575 461397 (view as bug list)
Depends on:
Blocks:
 
Reported: 2021-12-31 03:38 UTC by JR
Modified: 2022-11-21 14:35 UTC (History)
24 users (show)

See Also:
Latest Commit:
Version Fixed In: 5.26.4


Attachments
plasmashell crash terminal output (11.19 KB, text/x-log)
2021-12-31 03:38 UTC, JR
Details
WAYLAND_DEBUG=1 crash output (58.51 KB, text/x-log)
2022-01-01 14:19 UTC, JR
Details
wayland-session.log after a fresh login and induced crash (3.15 KB, text/x-log)
2022-01-12 15:23 UTC, JR
Details
wayland-session.log at around crash time (4.33 KB, text/x-log)
2022-01-16 20:32 UTC, Dan Johansen
Details
WAYLAND_DEBUG=1 plasmashell crash log.log (2.85 MB, text/x-log)
2022-01-26 12:40 UTC, Fushan Wen
Details
plasmashell strace (71.92 KB, text/x-log)
2022-05-05 16:57 UTC, JR
Details
valgrind log of running plasmashell --replace (33.58 KB, text/plain)
2022-11-04 19:34 UTC, Matt Fagnani
Details
valgrind log of running plasmashell --replace with Blur effect disabled (58.54 KB, text/plain)
2022-11-06 01:16 UTC, Matt Fagnani
Details
WAYLAND_DEBUG=1 plasmashell --replace output when plasmashell crashed with wl_proxy_unref: Assertion `proxy->refcount > 0' failed. (379.16 KB, text/plain)
2022-11-07 18:22 UTC, Matt Fagnani
Details

Note You need to log in before you can comment on or make changes to this bug.
Description JR 2021-12-31 03:38:22 UTC
Created attachment 144981 [details]
plasmashell crash terminal output

SUMMARY
When mouserovering icon-only task manager entries back and forth, the system visibly stutters and the mouse will not move for a split second. Repeating this over and over eventually causes a plasmashell crash. Notably it is not a segfault, so even after having built it with debug symbols enabled I could not get a backtrace. Attaching log of terminal output, however.

STEPS TO REPRODUCE
1. Start (for instance) Firefox and have at least two windows open, so that the icon-only task manager will draw a window with thumbnails upon icon mouseover
2. Mouseover the entry and quickly move the mouse away from it again just as it starts drawing the window with the thumbnails (observe system stuttering)
3. Repeat 2

OBSERVED RESULT
4. plasmashell crashes

EXPECTED RESULT
4. Mouseovering and de-mouseovering should be smooth and not crash plasmashell

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: Manjaro x86_64
KDE Plasma Version: 5.23.4
KDE Frameworks Version: 5.88.0
Qt Version: 5.15.2
Graphics platform: Wayland

ADDITIONAL INFORMATION
The log file says this as it crashes. See the attached file for the whole thing.

> file:///usr/lib/qt/qml/org/kde/plasma/components.3/ScrollView.qml:34:43: QML ScrollBar: Binding loop detected for property "visible"
> [Thread 0x7fff671a6640 (LWP 571296) exited]
> [New Thread 0x7fff671a6640 (LWP 571369)]
> [Thread 0x7fff671a6640 (LWP 571369) exited]
> wl_display@1: error 1: invalid arguments for zwp_linux_buffer_params_v1@794.add
> The Wayland connection experienced a fatal error: Invalid argument

The machine is a Dell XPS 9310, so Intel graphics.

Please reassign the product or component if incorrectly filed.
Comment 1 Patrick Silva 2021-12-31 21:58:48 UTC
Can reproduce on both Arch Linux and neon unstable. This crash was previously mentioned in bug 439681 comment 6.

SOFTWARE/OS VERSIONS
Operating System: Arch Linux
KDE Plasma Version: 5.23.4
KDE Frameworks Version: 5.89.0
Qt Version: 5.15.2
Graphics Platform: Wayland
Comment 2 JR 2022-01-01 14:19:14 UTC
Created attachment 145009 [details]
WAYLAND_DEBUG=1 crash output

Added log file of the last 1000 lines of crash terminal output when run with WAYLAND_DEBUG set. Unsure if it's of any extra help.
Comment 3 Dan Johansen 2022-01-09 23:12:35 UTC
This also happens to me.

I even have task bar tooltips turned off, in the hopes that it would stop these crashes. Which it did for a while, but now they are back.

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: Manjaro x86_64
KDE Plasma Version: 5.23.4
KDE Frameworks Version: 5.89.0
Qt Version: 5.15.2
Graphics platform: Wayland
Comment 4 Vlad Zahorodnii 2022-01-10 07:35:38 UTC
Can you also post kwin_wayland's log after a crash? The log is in ~/.local/share/sddm/wayland-session.log
Comment 5 Vlad Zahorodnii 2022-01-12 11:01:07 UTC
Can you also check how many file descriptors kwin has open (before the crash)?

  sudo ls /proc/(pidof kwin_wayland)/fd | wc -l
Comment 6 JR 2022-01-12 15:23:17 UTC
Created attachment 145370 [details]
wayland-session.log after a fresh login and induced crash

Attaching wayland-session.log.

Number of open file descriptors before the crash was 257.
Comment 7 Vlad Zahorodnii 2022-01-12 15:32:21 UTC
*** Bug 445409 has been marked as a duplicate of this bug. ***
Comment 8 Nate Graham 2022-01-12 15:33:01 UTC
*** Bug 445778 has been marked as a duplicate of this bug. ***
Comment 9 Dan Johansen 2022-01-16 20:32:14 UTC
Created attachment 145559 [details]
wayland-session.log at around crash time

This is a snippet of the log from around the crash time. My log is pretty long, because some application spam it, so I tried to only include what could be relevant.
Comment 10 Fushan Wen 2022-01-26 12:32:26 UTC
*** Bug 449194 has been marked as a duplicate of this bug. ***
Comment 11 Fushan Wen 2022-01-26 12:40:18 UTC
Created attachment 145953 [details]
WAYLAND_DEBUG=1 plasmashell crash log.log

After I crazily move my cursor among diferent tasks to show window thumbnails in tooltips. It seems there is a maximum number of screen casting requests a program can make.

coredumpctl shows no record on the crash.

STEPS TO REPRODUCE
1. Login to a Wayland session
2. Move the cursor to hover on different tasks to show tooltips repeatedly
Comment 12 Rui Zhao 2022-02-21 11:19:39 UTC
Thanks for @JR for finding the way to trigger this bug. I see it recently (I switched to wayland recently) but had no idea why this happened.

In the meantime, I also found this bug report and fix for SwayWM: https://github.com/swaywm/wlroots/issues/2594 .
They seem to have found a cause and the way to fix it. Probably useful for Plasma too?
Comment 13 JR 2022-04-17 14:20:18 UTC
Somtimes it starts doing this when I'm not really doing anything to aggravate it, and it just keeps continuing randomly crashing until I reboot.

> apr 17 16:09:02 newxps kwin_wayland[1121]: kwin_screencast: PipeWire remote error:  connection error
> apr 17 16:09:02 newxps kwin_wayland_wrapper[1121]: file descriptor expected, object (752), message add(huuuuu)
> apr 17 16:09:02 newxps kwin_wayland_wrapper[1121]: error in client communication (pid 799855)
> apr 17 16:09:02 newxps kwin_wayland[1121]: QMetaProperty::read: Unable to handle unregistered datatype 'KWin::SessionState' for property 'KWin::EffectsHandlerImpl::sessionState'
> apr 17 16:09:02 newxps plasmashell[799855]: wl_display@1: error 1: invalid arguments for zwp_linux_buffer_params_v1@752.add
> apr 17 16:09:02 newxps plasmashell[799855]: The Wayland connection experienced a fatal error: Invalid argument
> apr 17 16:09:02 newxps fcitx5[1312]: I2022-04-17 16:09:02.587769 kimpanel.cpp:117] Kimpanel new owner
> apr 17 16:09:02 newxps systemd[1002]: plasma-plasmashell.service: Main process exited, code=exited, status=1/FAILURE
> apr 17 16:09:02 newxps systemd[1002]: plasma-plasmashell.service: Failed with result 'exit-code'.
> apr 17 16:09:02 newxps systemd[1002]: plasma-plasmashell.service: Consumed 26.165s CPU time.
> apr 17 16:09:02 newxps systemd[1002]: plasma-ksystemstats.service: Consumed 3.072s CPU time.
> apr 17 16:09:02 newxps systemd[1002]: plasma-plasmashell.service: Scheduled restart job, restart counter is at 7.
> apr 17 16:09:02 newxps systemd[1002]: Stopped KDE Plasma Workspace.

The counter is up to 9 now since the time I copied it, often bringing Firefox down with it. Very disruptive.
Comment 14 David Edmundson 2022-05-05 15:00:46 UTC
Can I get a log of "strace plasmashell --replace" if this is still an issue?
Comment 15 JR 2022-05-05 16:57:50 UTC
Created attachment 148584 [details]
plasmashell strace

Certainly.
Comment 16 Bug Janitor Service 2022-05-20 04:35:39 UTC
Dear Bug Submitter,

This bug has been in NEEDSINFO status with no change for at least
15 days. Please provide the requested information as soon as
possible and set the bug status as REPORTED. Due to regular bug
tracker maintenance, if the bug is still in NEEDSINFO status with
no change in 30 days the bug will be closed as RESOLVED > WORKSFORME
due to lack of needed information.

For more information about our bug triaging procedures please read the
wiki located here:
https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging

If you have already provided the requested information, please
mark the bug as REPORTED so that the KDE team knows that the bug is
ready to be confirmed.

Thank you for helping us make KDE software even better for everyone!
Comment 17 Patrick Silva 2022-05-20 11:06:01 UTC
This crash persists on Plasma 5.25 beta, Arch Linux.
Comment 18 Nate Graham 2022-10-13 13:23:30 UTC
*** Bug 460311 has been marked as a duplicate of this bug. ***
Comment 19 Pawel 2022-10-14 10:57:24 UTC
try as I might, I can't reproduce when running plasmashell with WAYLAND_DEBUG=1 from the command line:

WAYLAND_DEBUG=1 plasmashell --replace </dev/null &>~/Desktop/ab.txt

but when I run plasma 'normally', I can repro easily.
Comment 20 Nathan 2022-11-03 21:10:42 UTC
I have been hitting this bug constantly on 5.26.2
Comment 21 marav 2022-11-04 01:17:22 UTC
(In reply to Nathan from comment #20)
> I have been hitting this bug constantly on 5.26.2

Same here, plasma 5.26.2

org.kde.plasma.libtaskmanager: Got invalid activation app_id: ""
Service  ":1.130" unregistered
kf.plasma.quick: Couldn't create KWindowShadow for ToolTipDialog(0x1a8d760)
kf.plasma.quick: Couldn't create KWindowShadow for ToolTipDialog(0x1a8d760)
kf.plasma.quick: Couldn't create KWindowShadow for ToolTipDialog(0x1a8d760)
kf.plasma.quick: Couldn't create KWindowShadow for ToolTipDialog(0x1a8d760)
message too short, object (313), message set_app_id(s)
error in client communication (pid 1485)
wl_display@1: error 1: invalid arguments for xdg_activation_token_v1@313.set_app_id
The Wayland connection experienced a fatal error: Argument invalide
Service  "org.kde.StatusNotifierHost-1485" unregistered
Comment 22 Nathan 2022-11-04 02:58:17 UTC
Mine error is a little different but very similar

Nov 04 07:02:00 nathan-hp1030G4 systemd[1794]: Started plasma-plasmashell.service - KDE Plasma Workspace.
Nov 04 07:02:00 nathan-hp1030G4 systemd[1794]: Starting plasma-plasmashell.service - KDE Plasma Workspace...
Nov 04 07:02:00 nathan-hp1030G4 systemd[1794]: plasma-plasmashell.service: Consumed 14.464s CPU time.
Nov 04 07:02:00 nathan-hp1030G4 systemd[1794]: Stopped plasma-plasmashell.service - KDE Plasma Workspace.
Nov 04 07:02:00 nathan-hp1030G4 systemd[1794]: plasma-plasmashell.service: Scheduled restart job, restart counter is at 1.
Nov 04 07:01:59 nathan-hp1030G4 systemd[1794]: plasma-plasmashell.service: Consumed 14.464s CPU time.
Nov 04 07:01:59 nathan-hp1030G4 systemd[1794]: plasma-plasmashell.service: Failed with result 'exit-code'.
Nov 04 07:01:59 nathan-hp1030G4 systemd[1794]: plasma-plasmashell.service: Main process exited, code=exited, status=1/FAILURE
Nov 04 07:01:59 nathan-hp1030G4 plasmashell[2150]: The Wayland connection experienced a fatal error: Invalid argument
Nov 04 07:01:59 nathan-hp1030G4 plasmashell[2150]: wl_display@1: error 1: invalid arguments for zwp_linux_dmabuf_v1@25.get_surface_feedback
Nov 04 07:01:59 nathan-hp1030G4 kwin_wayland_wrapper[1884]: error in client communication (pid 2150)
Nov 04 07:01:59 nathan-hp1030G4 kwin_wayland_wrapper[1884]: unknown object (48), message get_surface_feedback(4no)
Nov 04 07:01:51 nathan-hp1030G4 plasmashell[2150]: kf.plasma.quick: Couldn't create KWindowShadow for Osd_QMLTYPE_952(0x55c06e3d7dc0)
Nov 04 07:01:51 nathan-hp1030G4 plasmashell[2150]: kf.plasma.quick: Couldn't create KWindowShadow for Osd_QMLTYPE_952(0x55c06e3d7dc0)
Nov 04 07:01:51 nathan-hp1030G4 plasmashell[2150]: kf.plasma.quick: Couldn't create KWindowShadow for Osd_QMLTYPE_952(0x55c06e3d7dc0)
Nov 04 07:01:51 nathan-hp1030G4 plasmashell[2150]: kf.plasma.quick: Couldn't create KWindowShadow for Osd_QMLTYPE_952(0x55c06e3d7dc0)
Nov 04 07:01:51 nathan-hp1030G4 plasmashell[2150]: file:///usr/share/plasma/plasmoids/org.kde.plasma.notifications/contents/ui/NotificationItem.qml:221:21: QML SelectableLabel: Binding loop detected for property "implicitWidth"
Nov 04 07:01:51 nathan-hp1030G4 plasmashell[2150]: file:///usr/share/plasma/plasmoids/org.kde.plasma.notifications/contents/ui/SelectableLabel.qml:38:5: QML TextArea: Binding loop detected for property "implicitHeight"
Nov 04 07:01:51 nathan-hp1030G4 plasmashell[2150]: file:///usr/lib64/qt5/qml/org/kde/plasma/components.3/ScrollView.qml:45:27: QML ScrollBar: Binding loop detected for property "visible"
Nov 04 07:01:51 nathan-hp1030G4 plasmashell[2150]: file:///usr/share/plasma/plasmoids/org.kde.plasma.notifications/contents/ui/NotificationItem.qml:221:21: QML SelectableLabel: Binding loop detected for property "implicitHeight"
Nov 04 07:01:51 nathan-hp1030G4 plasmashell[2150]: file:///usr/share/plasma/plasmoids/org.kde.plasma.notifications/contents/ui/NotificationItem.qml:221:21: QML SelectableLabel: Binding loop detected for property "implicitWidth"
Nov 04 07:01:51 nathan-hp1030G4 plasmashell[2150]: file:///usr/share/plasma/plasmoids/org.kde.plasma.notifications/contents/ui/NotificationItem.qml:221:21: QML SelectableLabel: Binding loop detected for property "implicitWidth"
Nov 04 07:01:51 nathan-hp1030G4 plasmashell[2150]: Could not find the Plasmoid for Plasma::FrameSvgItem(0x55c06e6f18a0) QQmlContext(0x55c06d7f8570) QUrl("file:///usr/share/plasma/plasmoids/org.kde.plasma.notifications/contents/ui/global/Globals.qml")
Nov 04 07:01:51 nathan-hp1030G4 plasmashell[2150]: Could not find the Plasmoid for Plasma::FrameSvgItem(0x55c06e6f18a0) QQmlContext(0x55c06d7f8570) QUrl("file:///usr/share/plasma/plasmoids/org.kde.plasma.notifications/contents/ui/global/Globals.qml")
Comment 23 Nicolas Fella 2022-11-04 11:14:16 UTC
(In reply to marav from comment #21)
> (In reply to Nathan from comment #20)
> > I have been hitting this bug constantly on 5.26.2
> 
> Same here, plasma 5.26.2
> 
> org.kde.plasma.libtaskmanager: Got invalid activation app_id: ""
> Service  ":1.130" unregistered
> kf.plasma.quick: Couldn't create KWindowShadow for ToolTipDialog(0x1a8d760)
> kf.plasma.quick: Couldn't create KWindowShadow for ToolTipDialog(0x1a8d760)
> kf.plasma.quick: Couldn't create KWindowShadow for ToolTipDialog(0x1a8d760)
> kf.plasma.quick: Couldn't create KWindowShadow for ToolTipDialog(0x1a8d760)
> message too short, object (313), message set_app_id(s)
> error in client communication (pid 1485)
> wl_display@1: error 1: invalid arguments for
> xdg_activation_token_v1@313.set_app_id
> The Wayland connection experienced a fatal error: Argument invalide
> Service  "org.kde.StatusNotifierHost-1485" unregistered

That's a completely different protocol error
Comment 24 Nicolas Fella 2022-11-04 11:24:34 UTC
*** Bug 461397 has been marked as a duplicate of this bug. ***
Comment 25 Nicolas Fella 2022-11-04 11:26:11 UTC
From https://bugs.kde.org/show_bug.cgi?id=461397:

[4245733.460] wl_display@1.error(wl_display@1, 1, "invalid arguments for org_kde_plasma_surface@270.set_output")
wl_display@1: error 1: invalid arguments for org_kde_plasma_surface@270.set_output
The Wayland connection experienced a fatal error: Invalid argument

So we have at least four somewhat different protocol errors
Comment 26 marav 2022-11-04 11:36:57 UTC
(In reply to Nicolas Fella from comment #23)
> (In reply to marav from comment #21)
> > (In reply to Nathan from comment #20)
> > > I have been hitting this bug constantly on 5.26.2
> > 
> > Same here, plasma 5.26.2
> > 
> > org.kde.plasma.libtaskmanager: Got invalid activation app_id: ""
> > Service  ":1.130" unregistered
> > kf.plasma.quick: Couldn't create KWindowShadow for ToolTipDialog(0x1a8d760)
> > kf.plasma.quick: Couldn't create KWindowShadow for ToolTipDialog(0x1a8d760)
> > kf.plasma.quick: Couldn't create KWindowShadow for ToolTipDialog(0x1a8d760)
> > kf.plasma.quick: Couldn't create KWindowShadow for ToolTipDialog(0x1a8d760)
> > message too short, object (313), message set_app_id(s)
> > error in client communication (pid 1485)
> > wl_display@1: error 1: invalid arguments for
> > xdg_activation_token_v1@313.set_app_id
> > The Wayland connection experienced a fatal error: Argument invalide
> > Service  "org.kde.StatusNotifierHost-1485" unregistered
> 
> That's a completely different protocol error

Indeed
By "same",  I meant "same user exeperience" not really "same issue"
Comment 27 Matt Fagnani 2022-11-04 17:10:47 UTC
(In reply to Nicolas Fella from comment #25)
> From https://bugs.kde.org/show_bug.cgi?id=461397:
> 
> [4245733.460] wl_display@1.error(wl_display@1, 1, "invalid arguments for
> org_kde_plasma_surface@270.set_output")
> wl_display@1: error 1: invalid arguments for
> org_kde_plasma_surface@270.set_output
> The Wayland connection experienced a fatal error: Invalid argument
> 
> So we have at least four somewhat different protocol errors

Given that the crash can happen just by moving the cursor over the task manager icons so that their tooltips were shown and the errors, a race condition could've been involved in which the Wayland objects/surfaces of the icons' tooltips might occasionally have been freed while still in use or not. The following errors I reported at https://bugs.kde.org/show_bug.cgi?id=461397 might've been the next uses of the Wayland objects/surfaces of the icons' tooltips after they were freed.
wl_display@1: error 1: invalid arguments for org_kde_plasma_surface@270.set_output
kwin_wayland_wrapper[1652]: invalid object (256), type (wl_buffer), message set_region(?o)
plasmashell[3304]: wl_display@1: error 1: invalid method 1, object wl_buffer@226
Comment 28 Matt Fagnani 2022-11-04 19:34:53 UTC
Created attachment 153472 [details]
valgrind log of running plasmashell --replace

I reproduced this type of plasmashell crash twice while running it under valgrind like valgrind --log-file=valgrind-plasmashell-task-manager-icons-2.txt --enable-debuginfod=no plasmashell --replace (in konsole) in a Fedora Rawhide KDE Plasma live image in GNOME Boxes QEMU/KVM VM with Plasma 5.26.2, KF 5.26.2, Qt 5.15.7. I started Firefox and Konsole then moved the cursor back and forth over the task manager icons so that tooltips were shown until the crash happened. The first plasmashell shell had the errors 
kf.plasma.quick: Couldn't create KWindowShadow for ToolTipDialog(0x23cd7220)
wl_display@1: error 1: invalid arguments for org_kde_plasma_surface@157.set_output
The Wayland connection experienced a fatal error: Invalid argument

The second plasmashell crash had the errors 
org.kde.kf5.kwindowsystem.kwayland: Failed to recreate shadow for ToolTipDialog(0x24271af0)
wl_display@1: error 0: invalid object 204
The Wayland connection experienced a fatal error: Invalid argument
The Wayland connection experienced a fatal error: Invalid argument

The valgrind logs showed 26 and 11 invalid reads of 16 bytes which were less than 16 bytes from the end of the buffers, and so they might've been overreads. The stacks of the allocations had functions which seemed to be involved with SVG rendering. The stacks of where the invalid reads were just showed ??s so they're difficult to interpret. The first such invalid read from the second crash's run was

==3516== Invalid read of size 16
==3516==    at 0x25B21A90: ???
==3516==    by 0x23DAB237: ???
==3516==  Address 0x23dabf2e is 3,342 bytes inside a block of size 3,352 alloc'd
==3516==    at 0x484186F: malloc (vg_replace_malloc.c:393)
==3516==    by 0x696F581: QArrayData::allocate(unsigned long, unsigned long, unsigned long, QFlags<QArrayData::AllocationOption>) (qarraydata.cpp:218)
==3516==    by 0x69F125D: allocate (qarraydata.h:225)
==3516==    by 0x69F125D: QString::fromLatin1_helper(char const*, int) (qstring.cpp:5464)
==3516==    by 0x4B44999: UnknownInlinedFun (qstring.h:701)
==3516==    by 0x4B44999: UnknownInlinedFun (qstring.h:713)
==3516==    by 0x4B44999: Plasma::SharedSvgRenderer::load(QByteArray const&, QString const&, QHash<QString, QRectF>&) [clone .isra.0] (svg.cpp:134)
==3516==    by 0x4B320B3: UnknownInlinedFun (svg.cpp:81)
==3516==    by 0x4B320B3: Plasma::SvgPrivate::createRenderer() [clone .part.0] (svg.cpp:681)
==3516==    by 0x4B23617: UnknownInlinedFun (qbasicatomic.h:118)
==3516==    by 0x4B23617: UnknownInlinedFun (svg.cpp:756)
==3516==    by 0x4B23617: Plasma::SvgPrivate::elementRect(QString const&) (svg.cpp:745)
==3516==    by 0x4B248C3: Plasma::SvgPrivate::checkColorHints() (svg.cpp:777)
==3516==    by 0x4B25C8E: Plasma::SvgPrivate::setImagePath(QString const&) (svg.cpp:511)
==3516==    by 0x4B27600: Plasma::Svg::setImagePath(QString const&) (svg.cpp:1108)
==3516==    by 0x27BFA030: UnknownInlinedFun (iconitem.cpp:186)
==3516==    by 0x27BFA030: IconItem::setSource(QVariant const&) (iconitem.cpp:370)
==3516==    by 0x56B3701: QQmlPropertyPrivate::write(QObject*, QQmlPropertyData const&, QVariant const&, QQmlContextData*, QFlags<QQmlPropertyData::WriteFlag>) (in /usr/lib64/libQt5Qml.so.5.15.7)
==3516==    by 0x571AEFB: QQmlBinding::slowWrite(QQmlPropertyData const&, QQmlPropertyData const&, QV4::Value const&, bool, QFlags<QQmlPropertyData::WriteFlag>) (in /usr/lib64/libQt5Qml.so.5.15.7)
==3516== 

There were also many Conditional jump or move depends on uninitialised value(s) lines which could've contributed to the problem. I'm attaching the valgrind log for the second crash's run.
Comment 29 Vlad Zahorodnii 2022-11-05 23:45:17 UTC
@Matt Fagnani can you reproduce the crash if the blur effect is disabled?
Comment 30 Vlad Zahorodnii 2022-11-06 00:08:26 UTC
Can you also run plasmashell with the WAYLAND_DEBUG=1 environment variable and post the log after plasmashell crashes?
Comment 31 Matt Fagnani 2022-11-06 01:16:35 UTC
Created attachment 153508 [details]
valgrind log of running plasmashell --replace with Blur effect disabled

Vlad, I reproduced three plasmashell crashes after disabling the Blur effect in System Settings in Plasma 5.26.2 on Wayland, with KF 5.99.0, Qt 5.15.7 in a Fedora Rawhide KDE Plasma live image Fedora-KDE-Live-x86_64-Rawhide-20221103.n.0.iso on bare metal. The second crash happened the first time I moved the cursor over the Firefox task manager icon. The third crash was when I was running plasmashell under valgrind and took a minute of moving the cursor over the task manager icons. It had errors like 
kf.plasma.quick: Couldn't create KWindowShadow for ToolTipDialog(0x38aa6070)
wl_display@1: error 0: invalid object 145
The Wayland connection experienced a fatal error: Invalid argument

The same sorts of invalid reads were shown in the attached valgrind log. The invalid reads might be enough to lead to the invalid object errors from kwin_wayland, or they might result in memory corruption leading to the crashes.

I attached a WAYLAND_DEBUG=1 plasmashell --replace log for a previous crash at https://bugs.kde.org/show_bug.cgi?id=461397#c1 though that one only had the last 1000 lines or so due to the default konsole line limit. I could make a full one if you want.
Comment 32 Vlad Zahorodnii 2022-11-07 08:20:06 UTC
> I attached a WAYLAND_DEBUG=1 plasmashell --replace log for a previous crash at https://bugs.kde.org/show_bug.cgi?id=461397#c1 though that one only had the last 1000 lines or so due to the default konsole line limit. I could make a full one if you want.

Yes please. FTR I redirect stderr and stdout to a file.

Another thing that's worth testing is whether the crash is reproducible with the basic QSG render loop, I suspect that there might be some race condition in QPA. You can set the basic render loop in plasma renderer kcm, e.g. open "krunner" and type "plasma renderer", then select "basic" render loop, and restart plasmashell process.
Comment 33 Matt Fagnani 2022-11-07 18:22:04 UTC
Created attachment 153561 [details]
WAYLAND_DEBUG=1 plasmashell --replace output when plasmashell crashed with wl_proxy_unref: Assertion `proxy->refcount > 0' failed.

I reproduced the crash in Plasma 5.26.2 in a Fedora Rawhide live image with KF 5.99.0 and Qt 5.15.7 and the blur effect disabled using WAYLAND_DEBUG=1 plasmashell --replace > /tmp/plasmashell/plasmashell-wayland-debug-1.txt 2> /tmp/plasmashell/plasmashell-wayland-debug-1.txt, but the errors weren't shown in the log and the log was 50 MB. A second crash with just WAYLAND_DEBUG=1 plasmashell --replace showed a failed assertion plasmashell: ../src/wayland-client.c:230: wl_proxy_unref: Assertion `proxy->refcount > 0' failed. I'm attaching what I could copy from konsole of the Wayland debug log before the second crash. The drkonqi notification disappeared before I clicked on it and the crash wasn't shown in the Crashed Processes Viewer or coredumpctl so I didn't get the trace. I saw a plasmashell crash in wl_proxy_unref yesterday when I reproduced this problem which had a trace like that reported at https://bugs.kde.org/show_bug.cgi?id=452370 drkonqi crashed after I installed the debuginfo packages for libwayland-client qt5-qtbase etc. and clicked Reload in it so I don't have the trace. The failed assertion might've indicated that the Wayland proxy had been freed and then was being used or freed again. I'll try with the basic Renderer loop as suggested and see what happens.  Thanks
Comment 34 Bug Janitor Service 2022-11-08 16:30:36 UTC
A possibly relevant merge request was started @ https://invent.kde.org/qt/qt/qtwayland/-/merge_requests/57
Comment 35 Vlad Zahorodnii 2022-11-08 19:58:07 UTC
*** Bug 460575 has been marked as a duplicate of this bug. ***
Comment 36 Vlad Zahorodnii 2022-11-08 20:00:10 UTC
*** Bug 451319 has been marked as a duplicate of this bug. ***
Comment 37 Nate Graham 2022-11-09 19:37:33 UTC
*** Bug 461429 has been marked as a duplicate of this bug. ***
Comment 38 Nate Graham 2022-11-09 19:58:43 UTC
*** Bug 461600 has been marked as a duplicate of this bug. ***
Comment 39 Nate Graham 2022-11-09 19:59:13 UTC
*** Bug 449351 has been marked as a duplicate of this bug. ***
Comment 40 Nate Graham 2022-11-09 20:31:01 UTC
*** Bug 461643 has been marked as a duplicate of this bug. ***
Comment 41 php4fan 2022-11-09 20:43:20 UTC
Note that I experienced the issue on Xorg, not Wayland.
Comment 42 Vlad Zahorodnii 2022-11-14 09:50:36 UTC
Fixed in the Qt patch collection.
Comment 43 Vlad Zahorodnii 2022-11-14 10:44:56 UTC
Reopening because the qt patch was reverted.
Comment 44 Bug Janitor Service 2022-11-14 11:01:41 UTC
A possibly relevant merge request was started @ https://invent.kde.org/plasma/plasma-integration/-/merge_requests/59
Comment 45 Matt Fagnani 2022-11-15 05:19:23 UTC
(In reply to Vlad Zahorodnii from comment #32)
> > I attached a WAYLAND_DEBUG=1 plasmashell --replace log for a previous crash at https://bugs.kde.org/show_bug.cgi?id=461397#c1 though that one only had the last 1000 lines or so due to the default konsole line limit. I could make a full one if you want.
> 
> Yes please. FTR I redirect stderr and stdout to a file.
> 
> Another thing that's worth testing is whether the crash is reproducible with
> the basic QSG render loop, I suspect that there might be some race condition
> in QPA. You can set the basic render loop in plasma renderer kcm, e.g. open
> "krunner" and type "plasma renderer", then select "basic" render loop, and
> restart plasmashell process.

I tried to reproduce the crash for about 20 minutes in total after setting the basic render loop, but I didn't see the crash happen. Since the crash usually happened after a second to a few minutes when I was moving the cursor over the task manager icons, plasmashell using the basic render loop might not be affected by this problem. The problem and patch as described at https://invent.kde.org/plasma/plasma-integration/-/merge_requests/59 make sense to me. Thanks.
Comment 46 Nathan 2022-11-15 08:33:32 UTC
I have also enabled basic render loop and I have not seen the issue all day
Comment 47 Bug Janitor Service 2022-11-15 13:49:20 UTC
A possibly relevant merge request was started @ https://invent.kde.org/plasma/plasma-workspace/-/merge_requests/2332
Comment 48 Sebastian 2022-11-16 16:58:00 UTC
Hi, I also get these crashes a lot. I updated to Plasma 5.26.3 yesterday and they still happen frequently.

I set the render loop to "basic" which seems to stop these crashes.
Now however, after some time icon-only-taskbar freezes instead of producing a crash. This happens in the same situations that would normally trigger a crash (hovering over taskbar icons or launching an application). Icon-only-taskbar is the only widget that freezes, all other panel widgets continue to work fine and I'm still able to switch between windows via Alt-Tab.
Comment 49 Arjen Hiemstra 2022-11-18 14:42:26 UTC
Git commit 9c998d3083f622a1677782248d4c8e238c935dc2 by Arjen Hiemstra.
Committed on 18/11/2022 at 14:05.
Pushed by ahiemstra into branch 'master'.

shell: Use the basic scene graph rendering loop on wayland

This avoids crashing Plasma when a surface gets destroyed too early
while still in use by the threaded loop. To avoid leaking things into
child processes, we clear the environment variable again after we've
created the initial views for the shell.

M  +20   -0    shell/main.cpp
M  +2    -0    shell/shellcorona.cpp
M  +1    -0    shell/shellcorona.h

https://invent.kde.org/plasma/plasma-workspace/commit/9c998d3083f622a1677782248d4c8e238c935dc2
Comment 50 Arjen Hiemstra 2022-11-18 15:00:24 UTC
Git commit 0fff87982b7164a442b549509fa9fa792007880a by Arjen Hiemstra.
Committed on 18/11/2022 at 15:00.
Pushed by ahiemstra into branch 'cherry-pick-9c998d30'.

shell: Use the basic scene graph rendering loop on wayland

This avoids crashing Plasma when a surface gets destroyed too early
while still in use by the threaded loop. To avoid leaking things into
child processes, we clear the environment variable again after we've
created the initial views for the shell.


(cherry picked from commit 9c998d3083f622a1677782248d4c8e238c935dc2)

M  +20   -0    shell/main.cpp
M  +2    -0    shell/shellcorona.cpp
M  +1    -0    shell/shellcorona.h

https://invent.kde.org/plasma/plasma-workspace/commit/0fff87982b7164a442b549509fa9fa792007880a
Comment 51 php4fan 2022-11-21 14:35:43 UTC
I wonder if this is the same issue:
https://bugs.kde.org/show_bug.cgi?id=461782

There are significant differences in the observed behavior, but also similarities...