Bug 462017 - kwin_wayland crashed in KWin::ContrastEffect::uploadRegion when closing Thunderbird
Status: RESOLVED DUPLICATE of bug 372305
Alias: None
Product: kwin
Classification: Plasma
Component: wayland-generic
Version: 5.26.3
Platform: Fedora RPMs Linux
Importance: NOR crash
Assignee: KWin default assignee
Reported: 2022-11-19 04:23 UTC by Matt Fagnani
Modified: 2023-01-04 12:38 UTC

Description Matt Fagnani 2022-11-19 04:23:28 UTC
SUMMARY

I was using Plasma 5.26.3 on Wayland in a Fedora 37 KDE Plasma installation. I started Thunderbird Daily 109.0a1 20221118103700 on Wayland and used it briefly. I closed Thunderbird by clicking the x at the top-right of the window. The window shrinking animation began for Thunderbird as usually happens when closing programs in Plasma, but the screen went black as that was in progress. kwin_wayland crashed in KWin::ContrastEffect::uploadRegion which had the argument map=<synthetic pointer>: 0x0. map was incremented then used as a pointer in the crashing line *(map++) = topLeft; at /usr/src/debug/kwin-5.26.3-1.fc37.x86_64/src/effects/backgroundcontrast/contrast.cpp:320. map might've been freed while it was still in use in a race condition.

Core was generated by `/usr/bin/kwin_wayland --wayland-fd 7 --socket wayland-0 --xwayland-fd 8 --xwayl'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x000055d39820108e in KWin::ContrastEffect::uploadRegion (this=<optimized out>, region=..., map=<synthetic pointer>: 0x0) at /usr/src/debug/kwin-5.26.3-1.fc37.x86_64/src/effects/backgroundcontrast/contrast.cpp:320
320             *(map++) = topLeft;
[Current thread is 1 (Thread 0x7f209f861980 (LWP 1414))]

(gdb) bt
#0  0x000055d39820108e in KWin::ContrastEffect::uploadRegion(QVector2D*&, QRegion const&)
    (this=<optimized out>, region=..., map=<synthetic pointer>: 0x0)
    at /usr/src/debug/kwin-5.26.3-1.fc37.x86_64/src/effects/backgroundcontrast/contrast.cpp:320
#1  KWin::ContrastEffect::uploadGeometry(KWin::GLVertexBuffer*, QRegion const&)
     (this=0x55d3992bf5d0, region=..., vbo=0x55d398828a20)
    at /usr/src/debug/kwin-5.26.3-1.fc37.x86_64/src/effects/backgroundcontrast/contrast.cpp:338
#2  KWin::ContrastEffect::doContrast(KWin::EffectWindow*, QRegion const&, QRect const&, float, QMatrix4x4 const&)
    (screenProjection=..., opacity=1, screen=..., shape=..., w=0x55d399a78260, this=0x55d3992bf5d0)
    at /usr/src/debug/kwin-5.26.3-1.fc37.x86_64/src/effects/backgroundcontrast/contrast.cpp:422
#3  KWin::ContrastEffect::drawWindow(KWin::EffectWindow*, int, QRegion const&, KWin::WindowPaintData&) (this=0x55d3992bf5d0, w=0x55d399a78260, mask=0, region=..., data=...)
    at /usr/src/debug/kwin-5.26.3-1.fc37.x86_64/src/effects/backgroundcontrast/contrast.cpp:404
#4  0x00007f20a081e0b4 in KWin::EffectsHandlerImpl::drawWindow(KWin::EffectWindow*, int, QRegion const&, KWin::WindowPaintData&)
    (this=0x55d3992b5f90, w=<optimized out>, mask=<optimized out>, region=<optimized out>, data=<optimized out>) at /usr/src/debug/kwin-5.26.3-1.fc37.x86_64/src/effects.cpp:454
#5  0x00007f20a081e0b4 in KWin::EffectsHandlerImpl::drawWindow(KWin::EffectWindow*, int, QRegion const&, KWin::WindowPaintData&)
    (this=0x55d3992b5f90, w=<optimized out>, mask=<optimized out>, region=<optimized out>, data=<optimized out>) at /usr/src/debug/kwin-5.26.3-1.fc37.x86_64/src/effects.cpp:454
#6  0x00007f20a0c4a84c in KWin::CrossFadeEffect::drawWindow(KWin::EffectWindow*, int, QRegion const&, KWin::WindowPaintData&) (this=0x55d399318610, window=<optimized out>, mask=0, region=..., data=...)
    at /usr/src/debug/kwin-5.26.3-1.fc37.x86_64/src/libkwineffects/kwinoffscreeneffect.cpp:287
#7  0x00007f20a081e0b4 in KWin::EffectsHandlerImpl::drawWindow(KWin::EffectWindow*, int, QRegion const&, KWin::WindowPaintData&)
    (this=0x55d3992b5f90, w=<optimized out>, mask=<optimized out>, region=<optimized out>, data=<optimized out>) at /usr/src/debug/kwin-5.26.3-1.fc37.x86_64/src/effects.cpp:454
#8  0x00007f20a0c4a84c in KWin::CrossFadeEffect::drawWindow(KWin::EffectWindow*, int, QRegion const&, KWin::WindowPaintData&) (this=0x55d399531300, window=<optimized out>, mask=0, region=..., data=...)
    at /usr/src/debug/kwin-5.26.3-1.fc37.x86_64/src/libkwineffects/kwinoffscreeneffect.cpp:287
#9  0x00007f20a088871d in KWin::EffectsHandlerImpl::drawWindow(KWin::EffectWindow*, int, QRegion const&, KWin::WindowPaintData&)
    (data=<optimized out>, region=<optimized out>, mask=<optimized out>, w=<optimized out>, this=0x55d3992b5f90) at /usr/src/debug/kwin-5.26.3-1.fc37.x86_64/src/effects.cpp:454
#10 KWin::Scene::finalPaintWindow(KWin::EffectWindowImpl*, int, QRegion const&, KWin::WindowPaintData&)
    (this=<optimized out>, w=<optimized out>, mask=<optimized out>, region=<optimized out>, data=<optimized out>) at /usr/src/debug/kwin-5.26.3-1.fc37.x86_64/src/scene.cpp:589
#11 0x00007f20a081dffb in KWin::EffectsHandlerImpl::paintWindow(KWin::EffectWindow*, int, QRegion const&, KWin::WindowPaintData&)
    (this=0x55d3992b5f90, w=0x55d399a78260, mask=0, region=<optimized out>, data=...)
    at /usr/src/debug/kwin-5.26.3-1.fc37.x86_64/src/effects.cpp:425
#12 0x00007f20a081dffb in KWin::EffectsHandlerImpl::paintWindow(KWin::EffectWindow*, int, QRegion const&, KWin::WindowPaintData&)
    (this=0x55d3992b5f90, w=0x55d399a78260, mask=0, region=<optimized out>, data=...)
    at /usr/src/debug/kwin-5.26.3-1.fc37.x86_64/src/effects.cpp:425
#13 0x00007f20a0c317d9 in KWin::AnimationEffect::paintWindow(KWin::EffectWindow*, int, QRegion, KWin::WindowPaintData&) (this=this@entry=0x55d399318610, w=w@entry=0x55d399a78260, mask=mask@entry=0, region=..., data=...) at /usr/src/debug/kwin-5.26.3-1.fc37.x86_64/src/libkwineffects/kwinanimationeffect.cpp:662
#14 0x00007f20a081dffb in KWin::EffectsHandlerImpl::paintWindow(KWin::EffectWindow*, int, QRegion const&, KWin::WindowPaintData&) (this=0x55d3992b5f90, w=0x55d399a78260, mask=0, region=<optimized out>, data=...) at /usr/src/debug/kwin-5.26.3-1.fc37.x86_64/src/effects.cpp:425
#15 0x00007f20a0c317d9 in KWin::AnimationEffect::paintWindow(KWin::EffectWindow*, int, QRegion, KWin::WindowPaintData&) (this=this@entry=0x55d399531300, w=w@entry=0x55d399a78260, mask=mask@entry=0, region=..., data=...) at /usr/src/debug/kwin-5.26.3-1.fc37.x86_64/src/libkwineffects/kwinanimationeffect.cpp:662
#16 0x00007f20a081dffb in KWin::EffectsHandlerImpl::paintWindow(KWin::EffectWindow*, int, QRegion const&, KWin::WindowPaintData&) (this=0x55d3992b5f90, w=0x55d399a78260, mask=0, region=<optimized out>, data=...) at /usr/src/debug/kwin-5.26.3-1.fc37.x86_64/src/effects.cpp:425
#17 0x00007f20a088b35a in KWin::Scene::paintWindow(KWin::WindowItem*, int, QRegion const&) (region=..., mask=0, item=0x55d399ca6c00, this=0x55d399ca6c00) at /usr/src/debug/kwin-5.26.3-1.fc37.x86_64/src/window.h:2256
#18 KWin::Scene::paintWindow(KWin::WindowItem*, int, QRegion const&) (this=this@entry=0x55d3986b1d80, item=0x55d399ca6c00, mask=0, region=...) at /usr/src/debug/kwin-5.26.3-1.fc37.x86_64/src/scene.cpp:576
#19 0x00007f20a088b606 in KWin::Scene::paintSimpleScreen(int, QRegion const&) (this=0x55d3986b1d80, region=<optimized out>) at /usr/src/debug/kwin-5.26.3-1.fc37.x86_64/src/scene.cpp:537
#20 0x00007f20a081df4b in KWin::EffectsHandlerImpl::paintScreen(int, QRegion const&, KWin::ScreenPaintData&) (this=0x55d3992b5f90, mask=<optimized out>, region=<optimized out>, data=<optimized out>) at /usr/src/debug/kwin-5.26.3-1.fc37.x86_64/src/effects.cpp:397
#21 0x00007f20a081df4b in KWin::EffectsHandlerImpl::paintScreen(int, QRegion const&, KWin::ScreenPaintData&) (this=0x55d3992b5f90, mask=<optimized out>, region=<optimized out>, data=<optimized out>) at /usr/src/debug/kwin-5.26.3-1.fc37.x86_64/src/effects.cpp:397
#22 0x00007f20a081df4b in KWin::EffectsHandlerImpl::paintScreen(int, QRegion const&, KWin::ScreenPaintData&) (this=0x55d3992b5f90, mask=<optimized out>, region=<optimized out>, data=<optimized out>) at /usr/src/debug/kwin-5.26.3-1.fc37.x86_64/src/effects.cpp:397
#23 0x00007f20a081df4b in KWin::EffectsHandlerImpl::paintScreen(int, QRegion const&, KWin::ScreenPaintData&) (this=0x55d3992b5f90, mask=<optimized out>, region=<optimized out>, data=<optimized out>) at /usr/src/debug/kwin-5.26.3-1.fc37.x86_64/src/effects.cpp:397
#24 0x00007f20a0888583 in KWin::Scene::paintScreen(QRegion const&) (this=0x55d3986b1d80, region=...) at /usr/src/debug/kwin-5.26.3-1.fc37.x86_64/src/scene.cpp:480
#25 0x00007f20a09a7468 in KWin::SceneOpenGL::paint(KWin::RenderTarget*, QRegion const&) (this=0x55d3986b1d80, renderTarget=<optimized out>, region=...) at /usr/src/debug/kwin-5.26.3-1.fc37.x86_64/src/scenes/opengl/scene_opengl.cpp:90
#26 0x00007f20a088a2d3 in KWin::SceneDelegate::paint(KWin::RenderTarget*, QRegion const&) (this=<optimized out>, renderTarget=0x7fff0b7ab540, region=...) at /usr/src/debug/kwin-5.26.3-1.fc37.x86_64/src/scene.cpp:121
#27 0x00007f20a07dfc08 in KWin::Compositor::paintPass(KWin::RenderLayer*, KWin::RenderTarget*, QRegion const&) (this=this@entry=0x55d3986e1f80, layer=layer@entry=0x55d39928e000, target=target@entry=0x7fff0b7ab540, region=...) at /usr/src/debug/kwin-5.26.3-1.fc37.x86_64/src/composite.cpp:713
#28 0x00007f20a07e3e3e in KWin::Compositor::composite(KWin::RenderLoop*) (this=0x55d3986e1f80, renderLoop=0x55d39882ff80) at /usr/src/debug/kwin-5.26.3-1.fc37.x86_64/src/composite.cpp:656
#29 0x00007f209eedbc26 in QtPrivate::QSlotObjectBase::call(QObject*, void**) (a=0x7fff0b7ab690, r=<optimized out>, this=0x55d39929efe0) at ../../include/QtCore/../../src/corelib/kernel/qobjectdefs_impl.h:398
#30 doActivate<false>(QObject*, int, void**) (sender=0x55d39882ff80, signal_index=5, argv=0x7fff0b7ab690) at kernel/qobject.cpp:3919
#31 0x00007f209eed6bb7 in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (sender=<optimized out>, m=m@entry=0x7f20a0baa780 <KWin::RenderLoop::staticMetaObject>, local_signal_index=local_signal_index@entry=2, argv=argv@entry=0x7fff0b7ab690) at kernel/qobject.cpp:3979
#32 0x00007f20a0795816 in KWin::RenderLoop::frameRequested(KWin::RenderLoop*) (this=<optimized out>, _t1=<optimized out>) at /usr/src/debug/kwin-5.26.3-1.fc37.x86_64/redhat-linux-build/src/kwin_autogen/TAC5DWH4SE/moc_renderloop.cpp:206
#33 0x00007f20a07e8247 in KWin::RenderLoopPrivate::dispatch() (this=0x55d3988319c0) at /usr/src/debug/kwin-5.26.3-1.fc37.x86_64/src/core/renderloop.cpp:151
#34 0x00007f209eedbc26 in QtPrivate::QSlotObjectBase::call(QObject*, void**) (a=0x7fff0b7ab7b0, r=<optimized out>, this=0x55d3988320c0) at ../../include/QtCore/../../src/corelib/kernel/qobjectdefs_impl.h:398
#35 doActivate<false>(QObject*, int, void**) (sender=0x55d3988319d8, signal_index=3, argv=0x7fff0b7ab7b0) at kernel/qobject.cpp:3919
#36 0x00007f209eed6bb7 in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (sender=<optimized out>, m=m@entry=0x7f209f16d580 <QTimer::staticMetaObject>, local_signal_index=local_signal_index@entry=0, argv=argv@entry=0x7fff0b7ab7b0) at kernel/qobject.cpp:3979
#37 0x00007f209eedefae in QTimer::timeout(QTimer::QPrivateSignal) (this=<optimized out>, _t1=...) at .moc/moc_qtimer.cpp:205
#38 0x00007f209eed2d55 in QObject::event(QEvent*) (this=0x55d3988319d8, e=0x7fff0b7ab910) at kernel/qobject.cpp:1369
#39 0x00007f209e3aed12 in QApplicationPrivate::notify_helper(QObject*, QEvent*) (this=<optimized out>, receiver=0x55d3988319d8, e=0x7fff0b7ab910) at kernel/qapplication.cpp:3637
#40 0x00007f209eea8278 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (receiver=0x55d3988319d8, event=0x7fff0b7ab910) at kernel/qcoreapplication.cpp:1064
#41 0x00007f209eef8711 in QTimerInfoList::activateTimers() (this=this@entry=0x55d398434e98) at kernel/qtimerinfo_unix.cpp:643
#42 0x00007f209eef5e70 in QEventDispatcherUNIXPrivate::activateTimers() (this=this@entry=0x55d398434e10) at kernel/qeventdispatcher_unix.cpp:249
#43 0x00007f209eef6cc0 in QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (this=<optimized out>, flags=...) at kernel/qeventdispatcher_unix.cpp:516
#44 0x000055d398266b51 in QUnixEventDispatcherQPA::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
#45 0x00007f209eea6cca in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (this=this@entry=0x7fff0b7aba90, flags=..., flags@entry=...) at ../../include/QtCore/../../src/corelib/global/qflags.h:69
#46 0x00007f209eeaed92 in QCoreApplication::exec() () at ../../include/QtCore/../../src/corelib/global/qflags.h:121
#47 0x00007f209f35fbe0 in QGuiApplication::exec() () at kernel/qguiapplication.cpp:1863
#48 0x00007f209e3aec89 in QApplication::exec() () at kernel/qapplication.cpp:2829
#49 0x000055d39818bd88 in main(int, char**) (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/kwin-5.26.3-1.fc37.x86_64/src/main_wayland.cpp:613

(gdb) p map
$1 = (QVector2D *&) <synthetic pointer>: 0x0
(gdb) p topLeft
$2 =  [uninitialized] {v = {0, 726}}

I noticed errors in the journal including kwin_wayland[1414]: libkwinglutils: Wait failed at the time of the crash which I also saw with other kwin_wayland crashes I reported at https://bugs.kde.org/show_bug.cgi?id=460480#c3

Nov 18 22:25:40 kwin_wayland[1414]: This plugin does not support raise()
Nov 18 22:25:41 kwin_wayland[1414]: libkwinglutils: Wait failed
Nov 18 22:25:41 kernel: kwin_wayland[1414]: segfault at 8 ip 000055d39820108e sp 00007fff0b7aa9b0 error 6 in kwin_wayland[55d39817e000+ef000]
Nov 18 22:25:41 kernel: Code: 0f 7e d0 49 09 c0 41 8b 44 24 f8 83 c0 01 f3 0f 2a c0 66 0f 7e c8 66 0f ef c9 48 c1 e0 20 66 0f 7e c1 48 09 c1 41 8b 44 24 fc <4d> 89 46 d8 49 89 4e d0 83 c0 01 f3 0f 2a c8 66 0f 7e d0 66 0f 7e
Nov 18 22:25:41 audit[1414]: ANOM_ABEND auid=1000 uid=1000 gid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1414 comm="kwin_wayland" exe="/usr/bin/kwin_wayland" sig=11 res=1
Nov 18 22:25:41 audit: BPF prog-id=84 op=LOAD
Nov 18 22:25:41 audit: BPF prog-id=85 op=LOAD
Nov 18 22:25:41 audit: BPF prog-id=86 op=LOAD
Nov 18 22:25:41 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-coredump@1-2488-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nov 18 22:25:41 systemd[1]: Started systemd-coredump@1-2488-0.service - Process Core Dump (PID 2488/UID 0).
Nov 18 22:25:42 systemd[1348]: app-Thunderbird\x20Daily-8d535fbc70764e1da4e11323645cd448.scope: Consumed 7.936s CPU time.
Nov 18 22:25:44 systemd-coredump[2491]: Process 1414 (kwin_wayland) of user 1000 dumped core.

Plasma restarted after the crash. When I clicked on Restart or Shut down in the Application Launcher menu after the crash, Plasma froze for about a minute and the Restart or Shut down screens weren't shown.

STEPS TO REPRODUCE
1. Boot a Fedora 37 KDE Plasma installation updated to 2022-11-18 with the updates-testing repo enabled
2. Log in to Plasma 5.26.3 on Wayland
3. Download Thunderbird Daily 109.0a1 from https://www.thunderbird.net/en-US/
4. Extract Thunderbird Daily
5. Start Thunderbird Daily
6. Close Thunderbird. The problem only happened once when doing this, and so it is likely infrequent. I'm unsure if it was related to closing Thunderbird.

OBSERVED RESULT
kwin_wayland crashed in KWin::ContrastEffect::uploadRegion when closing Thunderbird

EXPECTED RESULT
kwin_wayland wouldn't crash

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: Fedora 37
(available in About System)
KDE Plasma Version: 5.26.3
KDE Frameworks Version: 5.100.0
Qt Version: 5.15.7

ADDITIONAL INFORMATION

I read reports of kwin crashes at https://bugs.kde.org/show_bug.cgi?id=372305 with similar traces, but they went back to 2016 and were on X when attaching a second monitor or resuming from suspend. I'm unsure if this problem is related to those.
Comment 1 David Edmundson 2023-01-04 12:37:45 UTC
*** Bug 463039 has been marked as a duplicate of this bug. ***
Comment 2 David Edmundson 2023-01-04 12:38:04 UTC

*** This bug has been marked as a duplicate of bug 372305 ***