Hello, I received a crash of konsole when I disabled a second screen via systemsettings. This screen is left of my main screen and has a lower resolution. The crash looks like it is caused by a calculation in copy_unswapped, which does some pointer arithmetic, but unfortunately the offset gets negative, and therefore unmapped memory is accessed. Otherwise it looks like yy might be related to a pixel resolution, but my screens are nowhere near a height of 8256 pixels. I received this crash two weeks ago also in konsole and dolphin. This bug might be a duplicate of Bug 461563 and/or Bug 451110. I collected the cores of the three crashes, so I can look up something if needed.

STEPS TO REPRODUCE
Unfortunately I did not yet try to reproduce it this time. Last time I could not get it to crash when I tried to reproduce it.

SOFTWARE/OS VERSIONS
Operating System: Debian GNU/Linux
KDE Plasma Version: 5.26.0
KDE Frameworks Version: 5.98.0
Qt Version: 5.15.6
Kernel Version: 6.0.0-2-amd64 (64-bit)
Graphics Platform: X11
Processors: 16 × AMD Ryzen 7 1700 Eight-Core Processor
Memory: 31.1 GiB of RAM
Graphics Processor: AMD Radeon RX 460 Graphics

ADDITIONAL INFORMATION
(gdb) bt
#0  0x00007f009bcfe32f in __GI___poll (fds=0x7ffc26bb9058, nfds=1, timeout=1000) at ../sysdeps/unix/sysv/linux/poll.c:29
#1  0x00007f009d975160 in ?? () from /lib/x86_64-linux-gnu/libKF5Crash.so.5
#2  0x00007f009d975b67 in KCrash::defaultCrashHandler(int) () from /lib/x86_64-linux-gnu/libKF5Crash.so.5
#3  <signal handler called>
#4  __memcpy_avx_unaligned () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:228
#5  0x00007f00962f142a in memmove (__len=262112, __src=0x7efb8bbe8810, __dest=<optimized out>) at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:36
#6  copy_unswapped (rect=<synthetic pointer>..., img=..., dstBytesPerLine=262112, dst=<optimized out>) at ./src/plugins/platforms/xcb/qxcbbackingstore.cpp:547
#7  native_sub_image (swap=false, rect=<synthetic pointer>..., src=..., dstStride=262112, buffer=0x5557a9af9130) at ./src/plugins/platforms/xcb/qxcbbackingstore.cpp:590
#8  QXcbBackingStoreImage::flushPixmap (this=0x5557a9af90b0, region=..., fullRegion=<optimized out>) at ./src/plugins/platforms/xcb/qxcbbackingstore.cpp:669
#9  0x00007f00962f1a29 in QXcbBackingStoreImage::flushPixmap (fullRegion=false, region=..., this=0x5557a9af90b0) at ./src/plugins/platforms/xcb/qxcbbackingstore.cpp:627
#10 QXcbBackingStoreImage::put (this=0x5557a9af90b0, dst=85983245, region=..., offset=...) at ./src/plugins/platforms/xcb/qxcbbackingstore.cpp:741
#11 0x00007f00962f2369 in QXcbBackingStore::flush (this=this@entry=0x5557a9a3b4d0, window=window@entry=0x5557a98d7c10, region=..., offset=...) at ./src/plugins/platforms/xcb/qxcbwindow.h:128
#12 0x00007f009cd017b2 in QBackingStore::flush (this=this@entry=0x5557a9a4f510, region=..., window=0x5557a98d7c10, offset=...) at painting/qbackingstore.cpp:252
#13 0x00007f009d37059f in QWidgetRepaintManager::flush (this=this@entry=0x5557a9d8fad0, widget=0x5557a98df320, region=..., widgetTextures=<optimized out>) at kernel/qwidgetrepaintmanager.cpp:1184
#14 0x00007f009d372129 in QWidgetRepaintManager::flush (this=0x5557a9d8fad0) at kernel/qwidgetrepaintmanager.cpp:1082
#15 0x00007f009d374270 in QWidgetRepaintManager::paintAndFlush (this=0x5557a9d8fad0) at kernel/qwidgetrepaintmanager.cpp:1014
#16 0x00007f009d3bd341 in QWidgetWindow::handleResizeEvent (this=0x5557a98d7c10, event=0x7ffc26bba560) at kernel/qwidgetwindow.cpp:841
#17 0x00007f009d3c10db in QWidgetWindow::event (this=0x5557a98d7c10, event=0x7ffc26bba560) at kernel/qwidgetwindow.cpp:322
#18 0x00007f009d362f5e in QApplicationPrivate::notify_helper (this=<optimized out>, receiver=0x5557a98d7c10, e=0x7ffc26bba560) at kernel/qapplication.cpp:3637
#19 0x00007f009c6b1718 in QCoreApplication::notifyInternal2(QObject*, QEvent*) () from /lib/x86_64-linux-gnu/libQt5Core.so.5
#20 0x00007f009cb39bac in QGuiApplicationPrivate::processGeometryChangeEvent (e=<optimized out>) at kernel/qguiapplication.cpp:2610
#21 0x00007f009cb11e1c in QWindowSystemInterface::sendWindowSystemEvents (flags=flags@entry=...) at kernel/qwindowsysteminterface.cpp:1169
#22 0x00007f00962fc0fa in xcbSourceDispatch (source=<optimized out>) at ./src/plugins/platforms/xcb/qxcbeventdispatcher.cpp:105
#23 0x00007f009a9da799 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#24 0x00007f009a9daa28 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#25 0x00007f009a9daabc in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#26 0x00007f009c7094b6 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /lib/x86_64-linux-gnu/libQt5Core.so.5
#27 0x00007f009c6b019b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /lib/x86_64-linux-gnu/libQt5Core.so.5
#28 0x00007f009c6b8306 in QCoreApplication::exec() () from /lib/x86_64-linux-gnu/libQt5Core.so.5
#29 0x00005557a933ee4c in ?? ()
#30 0x00007f009bc2920a in __libc_start_call_main (main=main@entry=0x5557a933e690, argc=argc@entry=4, argv=argv@entry=0x7ffc26bbab08) at ../sysdeps/nptl/libc_start_call_main.h:58
#31 0x00007f009bc292bc in __libc_start_main_impl (main=0x5557a933e690, argc=4, argv=0x7ffc26bbab08, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffc26bbaaf8) at ../csu/libc-start.c:389
#32 0x00005557a933f301 in ?? ()
(gdb) up
(gdb) up
(gdb) up
(gdb) up
#4  __memcpy_avx_unaligned () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:228
228     ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S: Datei oder Verzeichnis nicht gefunden.
(gdb) display/i $pc
1: x/i $pc
=> 0x7f009bd5457d <__memcpy_avx_unaligned+13>:  vmovdqu (%rsi),%ymm0
(gdb) print/x $rsi
$1 = 0x7efb8bbe8810
(gdb) up
#5  0x00007f00962f142a in memmove (__len=262112, __src=0x7efb8bbe8810, __dest=<optimized out>) at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:36
36        return __builtin___memmove_chk (__dest, __src, __len, (
(gdb) up
#6  copy_unswapped (rect=<synthetic pointer>..., img=..., dstBytesPerLine=262112, dst=<optimized out>) at ./src/plugins/platforms/xcb/qxcbbackingstore.cpp:547
547             ::memmove(dst, src, dstBytesPerLine);

https://sources.debian.org/src/qtbase-opensource-src/5.15.6+dfsg-2/src/plugins/platforms/xcb/qxcbbackingstore.cpp/#L547
https://github.com/qt/qtbase/blob/7c4b3648cad7faf990397af0b8a81664658c2d4f/src/plugins/platforms/xcb/qxcbbackingstore.cpp#L514
https://github.com/qt/qtbase/blob/dev/src/plugins/platforms/xcb/qxcbbackingstore.cpp#L514

537 static inline void copy_unswapped(char *dst, int dstBytesPerLine, const QImage &img, const QRect &rect)
538 {
539     const uchar *srcData = img.constBits();
540     const int srcBytesPerLine = img.bytesPerLine();
541
542     const int leftOffset = rect.left() * img.depth() >> 3;
543     const int bottom = rect.bottom() + 1;
544
545     for (int yy = rect.top(); yy < bottom; ++yy) {
546         const uchar *src = srcData + yy * srcBytesPerLine + leftOffset;
547         ::memmove(dst, src, dstBytesPerLine);
548         dst += dstBytesPerLine;
549     }
550 }

(gdb) print img.d->data
$2 = (uchar *) 0x7efc0ac29010 "\361\360\357\377\361...
(gdb) print bottom
$3 = 8320
(gdb) print yy
$4 = 8256
(gdb) print srcBytesPerLine
$5 = 262112
(gdb) print yy * srcBytesPerLine
$7 = -2130970624
# if the calculation uses int, it overflows and the offset gets negative
(gdb) print/x 0x7efc0ac29010 + yy * srcBytesPerLine
$9 = 0x7efb8bbe8810
# the resulting pointer 0x7efb8bbe8810 is smaller than img.d->data 0x7efc0ac29010
(gdb) up
(gdb) up
(gdb) up
#8  QXcbBackingStoreImage::flushPixmap (this=0x5557a9af90b0, region=..., fullRegion=<optimized out>) at ./src/plugins/platforms/xcb/qxcbbackingstore.cpp:669
669             const QImage subImage = native_sub_image(&m_flushBuffer, stride, m_qimage, subRect, needsByteSwap);
(gdb) print x
$12 = 0
(gdb) print y
$13 = 8256
(gdb) print width
$14 = <optimized out>
(gdb) print rows
$15 = <optimized out>
(gdb) print rect
$16 = (const QRect &) @0x5557aad282d0: {x1 = 0, y1 = 0, x2 = 65527, y2 = 65504}
(gdb) print stride
$17 = 262112
(gdb) print rows_per_put
$18 = 64

$ xrandr
Screen 0: minimum 320 x 200, current 1920 x 1080, maximum 16384 x 16384
DisplayPort-0 disconnected (normal left inverted right x axis y axis)
HDMI-A-0 connected primary 1920x1080+0+0 (normal left inverted right x axis y axis) 476mm x 268mm
   1920x1080     60.00*+  50.00    59.94
...
DVI-D-0 connected (normal left inverted right x axis y axis)
   1280x1024     60.02 +  75.02
...
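An added example (not Qt's code and not the reporter's) that reproduces the arithmetic from the gdb session in isolation and puts a bounds-checked variant of the row copy next to it. Rect, wrappedRowOffset, wideRowOffset, copyRowsChecked and the two demo functions are this example's own names; the 8x4 image is constructed inline; and widening the product to ptrdiff_t is one way to remove the 32-bit wrap, not a statement about what the upstream commit does.

```cpp
// Added example: why `yy * srcBytesPerLine` goes negative for the values
// captured in gdb (yy = 8256, srcBytesPerLine = 262112), and a row copy that
// validates the rectangle against the image before touching memory.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iostream>
#include <vector>

// The product as 32-bit int arithmetic, which is what the unchecked loop
// computes. Signed overflow is undefined in C++, so the wrap is taken
// through unsigned arithmetic (well-defined) and converted back.
std::int32_t wrappedRowOffset(std::int32_t yy, std::int32_t bytesPerLine)
{
    const std::uint32_t product =
        static_cast<std::uint32_t>(yy) * static_cast<std::uint32_t>(bytesPerLine);
    return static_cast<std::int32_t>(product);  // -2130970624 for the crash values
}

// The same product in a pointer-sized signed type: no wrap on LP64, so the
// offset keeps its sign and can be compared against the image size.
std::ptrdiff_t wideRowOffset(std::int32_t yy, std::int32_t bytesPerLine)
{
    return static_cast<std::ptrdiff_t>(yy) * static_cast<std::ptrdiff_t>(bytesPerLine);
}

struct Rect { int left, top, right, bottom; };  // inclusive edges, like QRect

// Bounds-checked analogue of copy_unswapped for a 32-bit-per-pixel image held
// in a byte vector. Returns false and copies nothing if any row of `rect`
// would read outside `src` or write outside `dst`.
bool copyRowsChecked(std::vector<unsigned char> &dst, int dstBytesPerLine,
                     const std::vector<unsigned char> &src, int srcBytesPerLine,
                     int srcHeight, const Rect &rect)
{
    const std::ptrdiff_t leftOffset = static_cast<std::ptrdiff_t>(rect.left) * 4;
    const int bottom = rect.bottom + 1;
    const std::ptrdiff_t rows = static_cast<std::ptrdiff_t>(bottom) - rect.top;
    if (rect.top < 0 || rect.left < 0 || rows <= 0 || bottom > srcHeight)
        return false;
    if (leftOffset + dstBytesPerLine > srcBytesPerLine)
        return false;
    if (static_cast<std::ptrdiff_t>(srcHeight) * srcBytesPerLine > static_cast<std::ptrdiff_t>(src.size()))
        return false;
    if (rows * dstBytesPerLine > static_cast<std::ptrdiff_t>(dst.size()))
        return false;

    unsigned char *out = dst.data();
    for (int yy = rect.top; yy < bottom; ++yy) {
        // off is non-negative and off + dstBytesPerLine <= src.size() by the checks above
        const std::ptrdiff_t off = wideRowOffset(yy, srcBytesPerLine) + leftOffset;
        std::memcpy(out, src.data() + off, static_cast<std::size_t>(dstBytesPerLine));
        out += dstBytesPerLine;
    }
    return true;
}

// Constructed 8x4 image (4 bytes per pixel; every byte holds its row index).
// Copies rows 1..2, columns 2..5 into a 2-row destination and verifies it.
bool checkedCopyOnSmallImage()
{
    const int srcBytesPerLine = 8 * 4, srcHeight = 4;
    std::vector<unsigned char> src(srcBytesPerLine * srcHeight);
    for (int y = 0; y < srcHeight; ++y)
        std::memset(src.data() + y * srcBytesPerLine, y, srcBytesPerLine);
    const Rect rect{2, 1, 5, 2};                  // 4 pixels wide, 2 rows
    const int dstBytesPerLine = 4 * 4;
    std::vector<unsigned char> dst(dstBytesPerLine * 2, 0xEE);
    if (!copyRowsChecked(dst, dstBytesPerLine, src, srcBytesPerLine, srcHeight, rect))
        return false;
    return dst[0] == 1 && dst[15] == 1 && dst[16] == 2 && dst[31] == 2;
}

// Same small image, but the y range of the failing put (8256..8319): the
// checked copy refuses instead of forming a pointer below the image.
bool checkedCopyRefusesCrashRect()
{
    const int srcBytesPerLine = 8 * 4, srcHeight = 4;
    std::vector<unsigned char> src(srcBytesPerLine * srcHeight, 0);
    std::vector<unsigned char> dst(srcBytesPerLine * 64, 0);
    const Rect rect{0, 8256, 7, 8319};
    return !copyRowsChecked(dst, srcBytesPerLine, src, srcBytesPerLine, srcHeight, rect);
}

int main()
{
    std::cout << "int product:       " << wrappedRowOffset(8256, 262112) << '\n';
    std::cout << "ptrdiff_t product: " << wideRowOffset(8256, 262112) << '\n';
    std::cout << "small copy ok:     " << checkedCopyOnSmallImage() << '\n';
    std::cout << "crash rect refused:" << checkedCopyRefusesCrashRect() << '\n';
    return 0;
}
```

Widening the multiplication only removes the wrap; it does not by itself make the rectangle valid. The rect printed above (x2 = 65527, y2 = 65504) lies far outside any plausible backing store, so the check that stops the out-of-range read is the comparison of the row range against the image height, which the unchecked loop never performs.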
Looks like all the action is in Qt. Since you seem to be very accomplished at debugging, would you be able to submit a Qt patch to fix it? If not, please do submit bug report for them at bugreports.qt.io. Thanks a lot!
Hello Nate, thanks for looking into this report. I have now opened https://bugreports.qt.io/browse/QTBUG-109226
Hello, upstream bug QTBUG-109226 has now been closed with a commit:
qtbase/dev: https://code.qt.io/cgit/qt/qtbase.git/commit/?id=6a3627b6c5aa5109a80024f3d7b0f938504f7ffe
qtbase/6.4: https://code.qt.io/cgit/qt/qtbase.git/commit/?h=6.4&id=003d30fac2a75ee5f942917dbd4901536a742cbc
Unfortunately it looks like the qt-5.15 cherry-pick is not publicly visible ...
The fix will be part of 5.15.12, which will be open-source released later this year. Meanwhile it has been added to our Qt Patch collection: https://invent.kde.org/qt/qt/qtbase/-/merge_requests/230
*** Bug 473405 has been marked as a duplicate of this bug. ***
*** Bug 470450 has been marked as a duplicate of this bug. ***
*** Bug 451110 has been marked as a duplicate of this bug. ***
*** Bug 462022 has been marked as a duplicate of this bug. ***
*** Bug 462487 has been marked as a duplicate of this bug. ***
*** Bug 466503 has been marked as a duplicate of this bug. ***
*** Bug 467010 has been marked as a duplicate of this bug. ***
*** Bug 467191 has been marked as a duplicate of this bug. ***
Hello, unfortunately this Qt upstream modification does not seem to avoid this issue. Further debugging points to kwin_x11 as causing this; details added in https://bugs.kde.org/show_bug.cgi?id=473602
*** This bug has been marked as a duplicate of bug 473602 ***