STEPS TO REPRODUCE
1. be on x11
2. kwin_wayland --no-global-shortcuts
3. close window using window decoration, or INT it, or TERM it, or QUIT it

OBSERVED RESULT
Crash about half the time

EXPECTED RESULT
No crash

SOFTWARE/OS VERSIONS
Operating System: KDE neon Unstable Edition
KDE Plasma Version: 5.27.80
KDE Frameworks Version: 5.104.0
Qt Version: 5.15.8
Kernel Version: 5.19.0-28-generic (64-bit)
Graphics Platform: X11
Processors: 12 × AMD Ryzen 5 3600X 6-Core Processor
Memory: 31,3 GiB of RAM
Graphics Processor: AMD Radeon RX 5700 XT

ADDITIONAL INFORMATION
kwin(97496)/(kwin_wayland_x11windowed) KWin::X11WindowedBackend::handleClientMessage: Backend window is going to be closed, shutting down.
corrupted double-linked list
Process 97496 stopped
* thread #1, name = 'kwin_wayland', stop reason = signal SIGABRT
    frame #0: 0x00007f8876a96a7c libc.so.6`__GI___pthread_kill at pthread_kill.c:44:76
(lldb) bt all
* thread #1, name = 'kwin_wayland', stop reason = signal SIGABRT
  * frame #0: 0x00007f8876a96a7c libc.so.6`__GI___pthread_kill at pthread_kill.c:44:76
    frame #1: 0x00007f8876a96a30 libc.so.6`__GI___pthread_kill [inlined] __pthread_kill_internal(signo=6, threadid=140224031688128) at pthread_kill.c:78:10
    frame #2: 0x00007f8876a96a30 libc.so.6`__GI___pthread_kill(threadid=140224031688128, signo=6) at pthread_kill.c:89:10
    frame #3: 0x00007f8876a42476 libc.so.6`__GI_raise(sig=6) at raise.c:26:13
    frame #4: 0x00007f8876a287f3 libc.so.6`__GI_abort at abort.c:79:7
    frame #5: 0x00007f8876a896f6 libc.so.6`__libc_message(action=do_abort, fmt="%s\n") at libc_fatal.c:155:5
    frame #6: 0x00007f8876aa0d7c libc.so.6`malloc_printerr(str="corrupted double-linked list") at malloc.c:5664:3
    frame #7: 0x00007f8876aa184c libc.so.6`unlink_chunk(p=<unavailable>, av=<unavailable>) at malloc.c:1635:5
    frame #8: 0x00007f8876aa19e9 libc.so.6`malloc_consolidate(av=0x00007f8876c19c80) at malloc.c:4780:6
    frame #9: 0x00007f8876aa2f20 libc.so.6`_int_free(av=0x00007f8876c19c80, p=0x0000556159d1ea40, have_lock=<unavailable>) at malloc.c:4674:2
    frame #10: 0x00007f8876aa54d3 libc.so.6`__GI___libc_free(mem=<unavailable>) at malloc.c:3391:7
    frame #11: 0x00007f887a3e258f libkwin.so.5`QTypedArrayData<char>::deallocate(data=0x0000556159d20060) at qarraydata.h:240:9
    frame #12: 0x00007f887a3de000 libkwin.so.5`QByteArray::~QByteArray(this=0x00005561592579a8) at qbytearray.h:495:57
    frame #13: 0x00007f887a943848 libkwin.so.5`KWaylandServer::KeyboardInterfacePrivate::~KeyboardInterfacePrivate(this=0x0000556159257940) at keyboard_interface_p.h:20:7
    frame #14: 0x00007f887a943889 libkwin.so.5`KWaylandServer::KeyboardInterfacePrivate::~KeyboardInterfacePrivate(this=0x0000556159257940) at keyboard_interface_p.h:20:7
    frame #15: 0x00007f887a9442fc libkwin.so.5`std::default_delete<KWaylandServer::KeyboardInterfacePrivate>::operator(this=0x00005561592578d0, __ptr=0x0000556159257940)(KWaylandServer::KeyboardInterfacePrivate*) const at unique_ptr.h:95:2
    frame #16: 0x00007f887a9436c3 libkwin.so.5`std::unique_ptr<KWaylandServer::KeyboardInterfacePrivate, std::default_delete<KWaylandServer::KeyboardInterfacePrivate>>::~unique_ptr(this=0x556159257940) at unique_ptr.h:396:4
    frame #17: 0x00007f887a94264b libkwin.so.5`KWaylandServer::KeyboardInterface::~KeyboardInterface(this=0x00005561592578c0) at keyboard_interface.cpp:130:39
    frame #18: 0x00007f887a942679 libkwin.so.5`KWaylandServer::KeyboardInterface::~KeyboardInterface(this=0x00005561592578c0) at keyboard_interface.cpp:130:39
    frame #19: 0x00007f887a9842ac libkwin.so.5`std::default_delete<KWaylandServer::KeyboardInterface>::operator(this=0x00005561591e1480, __ptr=0x00005561592578c0)(KWaylandServer::KeyboardInterface*) const at unique_ptr.h:95:2
    frame #20: 0x00007f887a983c43 libkwin.so.5`std::unique_ptr<KWaylandServer::KeyboardInterface, std::default_delete<KWaylandServer::KeyboardInterface>>::~unique_ptr(this=0x5561592578c0) at unique_ptr.h:396:4
    frame #21: 0x00007f887a982a1e libkwin.so.5`KWaylandServer::SeatInterfacePrivate::~SeatInterfacePrivate(this=0x00005561591e1400) at seat_interface_p.h:33:7
    frame #22: 0x00007f887a982a69 libkwin.so.5`KWaylandServer::SeatInterfacePrivate::~SeatInterfacePrivate(this=0x00005561591e1400) at seat_interface_p.h:33:7
    frame #23: 0x00007f887a984bac libkwin.so.5`std::default_delete<KWaylandServer::SeatInterfacePrivate>::operator(this=0x0000556159257350, __ptr=0x00005561591e1400)(KWaylandServer::SeatInterfacePrivate*) const at unique_ptr.h:95:2
    frame #24: 0x00007f887a980de3 libkwin.so.5`std::unique_ptr<KWaylandServer::SeatInterfacePrivate, std::default_delete<KWaylandServer::SeatInterfacePrivate>>::~unique_ptr(this=0x5561591e1400) at unique_ptr.h:396:4
    frame #25: 0x00007f887a97851f libkwin.so.5`KWaylandServer::SeatInterface::~SeatInterface(this=0x0000556159257340) at seat_interface.cpp:107:1
    frame #26: 0x00007f887a978549 libkwin.so.5`KWaylandServer::SeatInterface::~SeatInterface(this=0x0000556159257340) at seat_interface.cpp:102:1
    frame #27: 0x00007f88786e711e libQt5Core.so.5`QObjectPrivate::deleteChildren() + 110
    frame #28: 0x00007f88786f21a6 libQt5Core.so.5`QObject::~QObject() + 1046
    frame #29: 0x00007f887a926a30 libkwin.so.5`KWaylandServer::Display::~Display(this=0x0000556159252600) at display.cpp:50:1
    frame #30: 0x00007f887a93b354 libkwin.so.5`KWaylandServer::FilteredDisplay::~FilteredDisplay(this=0x0000556159252600) at filtered_display.cpp:50:1
    frame #31: 0x00007f887a77852b libkwin.so.5`KWin::KWinDisplay::~KWinDisplay(this=0x0000556159252600) at wayland_server.cpp:102:7
    frame #32: 0x00007f887a778559 libkwin.so.5`KWin::KWinDisplay::~KWinDisplay(this=0x0000556159252600) at wayland_server.cpp:102:7
    frame #33: 0x00007f88786e711e libQt5Core.so.5`QObjectPrivate::deleteChildren() + 110
    frame #34: 0x00007f88786f21a6 libQt5Core.so.5`QObject::~QObject() + 1046
    frame #35: 0x00007f887a76e8b5 libkwin.so.5`KWin::WaylandServer::~WaylandServer(this=0x0000556159248ca0) at wayland_server.cpp:225:1
    frame #36: 0x00007f887a76e8d9 libkwin.so.5`KWin::WaylandServer::~WaylandServer(this=0x0000556159248ca0) at wayland_server.cpp:223:1
    frame #37: 0x00007f88786e711e libQt5Core.so.5`QObjectPrivate::deleteChildren() + 110
    frame #38: 0x00007f88786f21a6 libQt5Core.so.5`QObject::~QObject() + 1046
    frame #39: 0x00007f887a652a7b libkwin.so.5`KWin::Application::~Application(this=0x00007ffe40d5a270) at main.cpp:143:1
    frame #40: 0x0000556157d344cc kwin_wayland`KWin::ApplicationWayland::~ApplicationWayland(this=0x00007ffe40d5a270) at main_wayland.cpp:132:1
    frame #41: 0x0000556157d37a1f kwin_wayland`main(argc=2, argv=0x00007ffe40d5a4a8) at main_wayland.cpp:617:1
    frame #42: 0x00007f8876a29d90 libc.so.6`__libc_start_call_main(main=(kwin_wayland`main at main_wayland.cpp:266), argc=2, argv=0x00007ffe40d5a4a8) at libc_start_call_main.h:58:16
    frame #43: 0x00007f8876a29e40 libc.so.6`__libc_start_main_impl(main=(kwin_wayland`main at main_wayland.cpp:266), argc=2, argv=0x00007ffe40d5a4a8, init=<unavailable>, fini=<unavailable>, rtld_fini=<unavailable>, stack_end=0x00007ffe40d5a498) at libc-start.c:392:3
    frame #44: 0x0000556157cd27d5 kwin_wayland`_start + 37
  thread #2, name = 'QDBusConnection'
    frame #0: 0x00007f8876b18d7f libc.so.6`__GI___poll(fds=0x00007f886c0053c0, nfds=3, timeout=-1) at poll.c:29:10
    frame #1: 0x00007f887af66666 libglib-2.0.so.0`___lldb_unnamed_symbol2709 + 390
    frame #2: 0x00007f887af0f3e3 libglib-2.0.so.0`g_main_context_iteration + 51
    frame #3: 0x00007f8878715ad8 libQt5Core.so.5`QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) + 104
    frame #4: 0x00007f88786ba99b libQt5Core.so.5`QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) + 299
    frame #5: 0x00007f88784cd4e2 libQt5Core.so.5`QThread::exec() + 98
    frame #6: 0x00007f887ae41f1b libQt5DBus.so.5`___lldb_unnamed_symbol1355 + 27
    frame #7: 0x00007f88784ce703 libQt5Core.so.5`___lldb_unnamed_symbol9629 + 275
    frame #8: 0x00007f8876a94b43 libc.so.6`start_thread(arg=<unavailable>) at pthread_create.c:442:8
    frame #9: 0x00007f8876b26a00 libc.so.6`__clone3 at clone3.S:81

the crash doesn't always end in this trace but it seems to always be in a free. e.g. another one:

#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=140459150689728) at ./nptl/pthread_kill.c:44
#1 __pthread_kill_internal (signo=6, threadid=140459150689728) at ./nptl/pthread_kill.c:78
#2 __GI___pthread_kill (threadid=140459150689728, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3 0x00007fbf34e42476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4 0x00007fbf34e287f3 in __GI_abort () at ./stdlib/abort.c:79
#5 0x00007fbf34e896f6 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7fbf34fdbb8c "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#6 0x00007fbf34ea0d7c in malloc_printerr (str=str@entry=0x7fbf34fde740 "free(): invalid next size (fast)") at ./malloc/malloc.c:5664
#7 0x00007fbf34ea2b1d in _int_free (av=0x7fbf35019c80 <main_arena>, p=0x555c19d9d9a0, have_lock=0) at ./malloc/malloc.c:4522
#8 0x00007fbf34ea54d3 in __GI___libc_free (mem=<optimized out>) at ./malloc/malloc.c:3391
#9 0x00007fbf368e711e in QObjectPrivate::deleteChildren() (this=0x555c1a0408d0) at kernel/qobject.cpp:2137
#10 0x00007fbf368f21a6 in QObject::~QObject() (this=<optimized out>, __in_chrg=<optimized out>) at kernel/qobject.cpp:1115
#11 0x00007fbf3612713b in KGlobalAccelSingleton::KGlobalAccelSingleton()::{lambda()#1}::_FUN() () at ./obj-x86_64-linux-gnu/src/kglobalaccel_component_interface.cpp:25
#12 0x00007fbf368be222 in qt_call_post_routines() () at kernel/qcoreapplication.cpp:336
#13 0x00007fbf3576ce78 in QApplication::~QApplication() (this=0x7ffdeed57040, __in_chrg=<optimized out>) at kernel/qapplication.cpp:711
#14 0x00007fbf38852a7b in KWin::Application::~Application() (this=0x7ffdeed57040) at /home/me/src/kwin/src/main.cpp:143
#15 0x0000555c18b144cc in KWin::ApplicationWayland::~ApplicationWayland() (this=0x7ffdeed57040) at /home/me/src/kwin/src/main_wayland.cpp:132
#16 0x0000555c18b17a1f in main(int, char**) (argc=2, argv=0x7ffdeed57278) at /home/me/src/kwin/src/main_wayland.cpp:617
A possibly relevant merge request was started @ https://invent.kde.org/plasma/kwin/-/merge_requests/3670
Git commit 4fcc545628e6a1bce7bb6073e2aff9364f93d7a4 by Harald Sitter.
Committed on 23/02/2023 at 13:50.
Pushed by sitter into branch 'master'.

backends/x11: explicitly free the outputs

...before releasing the connection!

this was randomly causing crashes because of use-after-disconnect problems. since we would tear down the connection in ~X11WindowedBackend but outputs wouldn't get cleaned up until QObject children cleanup of the X11WindowedBackend object (or more precisely the OutputBase). this would then result in ~X11WindowedOutput accessing a backend connection that had already been closed

to help debug this type of problem moving forward let's also reset the connection to nullptr during destruction. it's kinda pointless but it makes it easier to spot use-after-disconnect

M +13 -0 src/backends/x11/windowed/x11_windowed_backend.cpp
M +1 -0 src/backends/x11/windowed/x11_windowed_backend.h

https://invent.kde.org/plasma/kwin/commit/4fcc545628e6a1bce7bb6073e2aff9364f93d7a4
Git commit 24a59dd2fe386df1c26626cd1d81c306b5ee5313 by Harald Sitter.
Committed on 23/02/2023 at 14:02.
Pushed by vladz into branch 'Plasma/5.27'.

backends/x11: explicitly free the outputs

...before releasing the connection!

this was randomly causing crashes because of use-after-disconnect problems. since we would tear down the connection in ~X11WindowedBackend but outputs wouldn't get cleaned up until QObject children cleanup of the X11WindowedBackend object (or more precisely the OutputBase). this would then result in ~X11WindowedOutput accessing a backend connection that had already been closed

to help debug this type of problem moving forward let's also reset the connection to nullptr during destruction. it's kinda pointless but it makes it easier to spot use-after-disconnect

(cherry picked from commit 4fcc545628e6a1bce7bb6073e2aff9364f93d7a4)

M +13 -0 src/backends/x11/windowed/x11_windowed_backend.cpp
M +1 -0 src/backends/x11/windowed/x11_windowed_backend.h

https://invent.kde.org/plasma/kwin/commit/24a59dd2fe386df1c26626cd1d81c306b5ee5313
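
The destruction-order problem the commit message describes, modelled as an added C++ example that is not KWin's code. `Connection`, `Output`, `OwnerBase`, `Backend` and `lateAccesses` are constructed stand-ins; `OwnerBase` plays the role of the QObject child cleanup, and the connection is kept alive by the caller so the late access is recorded rather than being undefined behaviour.

```cpp
#include <memory>
#include <string>
#include <vector>

// Constructed stand-in for the X11 connection. It outlives the backend here
// so that a late access can be logged instead of touching freed state.
struct Connection {
    bool open = true;
    std::vector<std::string> log;
};

// Stand-in for an output whose destructor still needs the connection.
struct Output {
    Connection &conn;
    explicit Output(Connection &c) : conn(c) {}
    ~Output() {
        conn.log.push_back(conn.open ? "output: released while connected"
                                     : "output: USE AFTER DISCONNECT");
    }
};

// Stand-in for the QObject base: owned children die in the base destructor,
// which runs only after the derived destructor body has finished.
struct OwnerBase {
    std::vector<std::unique_ptr<Output>> children;
    virtual ~OwnerBase() = default;
};

struct Backend : OwnerBase {
    Connection &conn;
    bool freeOutputsFirst;
    Backend(Connection &c, bool fixed) : conn(c), freeOutputsFirst(fixed) {
        children.push_back(std::make_unique<Output>(conn));
        children.push_back(std::make_unique<Output>(conn));
    }
    ~Backend() override {
        if (freeOutputsFirst)
            children.clear();  // the fix: destroy outputs while still connected
        conn.open = false;     // disconnect
        conn.log.push_back("backend: disconnected");
    }
};

// Returns how many outputs touched the connection after it was closed.
int lateAccesses(bool fixed) {
    Connection conn;
    { Backend backend(conn, fixed); }
    int n = 0;
    for (const auto &line : conn.log)
        if (line.find("USE AFTER") != std::string::npos) ++n;
    return n;
}

int main() { return lateAccesses(true); }
```
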