https://bugs.kde.org/show_bug.cgi?id=409688

Bug ID: 409688
Summary: kwin_wayland aborted when shutting down involving invalid reads and writes, use of uninitialized variables etc.
Product: kwin
Version: 5.15.5
Platform: Fedora RPMs
OS: Linux
Status: REPORTED
Severity: normal
Priority: NOR
Component: wayland-generic
Assignee: kwin-bugs-n...@kde.org
Reporter: matthew.fagn...@utoronto.ca
Target Milestone: ---

Created attachment 121444
--> https://bugs.kde.org/attachment.cgi?id=121444&action=edit
valgrind log file when run on kwin_wayland after shutting down

SUMMARY

I've seen audit messages in my journal indicating that kwin_wayland aborted when shutting down the system in Plasma 5.15.5 on Wayland in Fedora 30, such as the following.

Jul 09 21:01:21 audit[1399]: ANOM_ABEND auid=1000 uid=1000 gid=1000 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1399 comm="QDBusConnection" exe="/usr/bin/kwin_wayland" sig=6 res=1
Jul 09 21:01:21 systemd[1]: Requested transaction contradicts existing jobs: Transaction for systemd-coredump@0-1970-0.service/start is destructive (systemd-poweroff.service has 'start' job queued, but 'stop' is included in transaction).
Jul 09 21:01:21 systemd[1]: systemd-coredump.socket: Failed to queue service startup job (Maybe the service file is missing or not a non-template unit?): Transaction for systemd-coredump@0-1970-0.service/start is destructive (systemd-poweroff.service has 'start' job queued, but 'stop' is included in transaction).
Jul 09 21:01:21 systemd[1]: systemd-coredump.socket: Failed with result 'resources'.
Jul 09 21:01:21 systemd-coredump[1970]: Failed to send coredump datagram: Connection reset by peer

There are 149 such messages indicating kwin_wayland aborted when I shut down or rebooted. The crashes were not in coredumpctl or abrt.
I edited /usr/bin/startplasmacompositor at line 239 to run kwin_wayland under valgrind like:

valgrind --log-file=/programs/kde/kwin/valgrind-kwin_wayland-3.txt --track-origins=yes /usr/bin/kwin_wayland --xwayland --libinput --exit-with-session=/usr/libexec/startplasma

I rebooted, then logged into Plasma on Wayland from sddm 0.18.1 under valgrind. I shut down the system. The valgrind log showed 20 invalid reads and 2 invalid writes overall. An invalid read in wl_proxy_unref (wayland-client.c:229) in libwayland-client and an invalid write in wl_proxy_unref (wayland-client.c:230) happened before I started the shutdown. Those appear to be use-after-free errors since they contained lines like "Address 0x1c2e4ffc is 44 bytes inside a block of size 72 free'd".

==2115== Thread 3 QThread:
==2115== Invalid read of size 4
==2115==    at 0x8844BB4: wl_proxy_unref (wayland-client.c:229)
==2115==    by 0x8844CB3: destroy_queued_closure (wayland-client.c:291)
==2115==    by 0x8844EC7: dispatch_event.isra.0 (wayland-client.c:1436)
==2115==    by 0x884646B: dispatch_queue (wayland-client.c:1576)
==2115==    by 0x884646B: wl_display_dispatch_queue_pending (wayland-client.c:1818)
==2115==    by 0x6605F16: operator() (connection_thread.cpp:129)
==2115==    by 0x6605F16: call (qobjectdefs_impl.h:146)
==2115==    by 0x6605F16: call<QtPrivate::List<>, void> (qobjectdefs_impl.h:256)
==2115==    by 0x6605F16: QtPrivate::QFunctorSlotObject<KWayland::Client::ConnectionThread::Private::setupSocketNotifier()::{lambda()#1}, 0, QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) (qobjectdefs_impl.h:439)
==2115==    by 0x5883EBF: call (qobjectdefs_impl.h:394)
==2115==    by 0x5883EBF: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3781)
==2115==    by 0x588FFCB: QSocketNotifier::activated(int, QSocketNotifier::QPrivateSignal) (moc_qsocketnotifier.cpp:140)
==2115==    by 0x5890330: QSocketNotifier::event(QEvent*) (qsocketnotifier.cpp:266)
==2115==    by 0x50C4AF5: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:3737)
==2115==    by 0x50CDE7F: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:3483)
==2115==    by 0x5859AE7: QCoreApplication::notifyInternal2(QObject*, QEvent*) (qcoreapplication.cpp:1084)
==2115==    by 0x58AF586: socketNotifierSourceDispatch(_GSource*, int (*)(void*), void*) (qeventdispatcher_glib.cpp:106)
==2115==  Address 0x1c2e4ffc is 44 bytes inside a block of size 72 free'd
==2115==    at 0x4839A0C: free (vg_replace_malloc.c:540)
==2115==    by 0x661DC14: destroy (wayland_pointer_p.h:63)
==2115==    by 0x661DC14: KWayland::Client::Registry::Private::globalSync(void*, wl_callback*, unsigned int) (registry.cpp:539)
==2115==    by 0x8856B27: ffi_call_unix64 (unix64.S:76)
==2115==    by 0x8856338: ffi_call (ffi64.c:525)
==2115==    by 0x8848606: wl_closure_invoke (connection.c:1014)
==2115==    by 0x8844F17: dispatch_event.isra.0 (wayland-client.c:1430)
==2115==    by 0x884646B: dispatch_queue (wayland-client.c:1576)
==2115==    by 0x884646B: wl_display_dispatch_queue_pending (wayland-client.c:1818)
==2115==    by 0x6605F16: operator() (connection_thread.cpp:129)
==2115==    by 0x6605F16: call (qobjectdefs_impl.h:146)
==2115==    by 0x6605F16: call<QtPrivate::List<>, void> (qobjectdefs_impl.h:256)
==2115==    by 0x6605F16: QtPrivate::QFunctorSlotObject<KWayland::Client::ConnectionThread::Private::setupSocketNotifier()::{lambda()#1}, 0, QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) (qobjectdefs_impl.h:439)
==2115==    by 0x5883EBF: call (qobjectdefs_impl.h:394)
==2115==    by 0x5883EBF: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3781)
==2115==    by 0x588FFCB: QSocketNotifier::activated(int, QSocketNotifier::QPrivateSignal) (moc_qsocketnotifier.cpp:140)
==2115==    by 0x5890330: QSocketNotifier::event(QEvent*) (qsocketnotifier.cpp:266)
==2115==    by 0x50C4AF5: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:3737)
==2115==  Block was alloc'd at
==2115==    at 0x483AB1A: calloc (vg_replace_malloc.c:762)
==2115==    by 0x8844D42: UnknownInlinedFun (wayland-private.h:236)
==2115==    by 0x8844D42: proxy_create.isra.0 (wayland-client.c:421)
==2115==    by 0x884542B: create_outgoing_proxy (wayland-client.c:650)
==2115==    by 0x884542B: wl_proxy_marshal_array_constructor_versioned (wayland-client.c:735)
==2115==    by 0x8845782: wl_proxy_marshal_constructor (wayland-client.c:824)
==2115==    by 0x661E0BD: wl_display_sync (wayland-client-protocol.h:958)
==2115==    by 0x661E0BD: KWayland::Client::Registry::create(wl_display*) (registry.cpp:470)
==2115==    by 0x661E13A: KWayland::Client::Registry::create(KWayland::Client::ConnectionThread*) (registry.cpp:479)
==2115==    by 0x197A76F7: Breeze::ShadowHelper::initializeWayland() (breezeshadowhelper.cpp:149)
==2115==    by 0x5884BF9: QObject::event(QEvent*) (qobject.cpp:1260)
==2115==    by 0x50C4AF5: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:3737)
==2115==    by 0x50CDE7F: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:3483)
==2115==    by 0x5859AE7: QCoreApplication::notifyInternal2(QObject*, QEvent*) (qcoreapplication.cpp:1084)
==2115==    by 0x585CA92: QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qcoreapplication.cpp:1821)
==2115== 
==2115== Invalid write of size 4
==2115==    at 0x8844BBE: wl_proxy_unref (wayland-client.c:230)
==2115==    by 0x8844CB3: destroy_queued_closure (wayland-client.c:291)
==2115==    by 0x8844EC7: dispatch_event.isra.0 (wayland-client.c:1436)
==2115==    by 0x884646B: dispatch_queue (wayland-client.c:1576)
==2115==    by 0x884646B: wl_display_dispatch_queue_pending (wayland-client.c:1818)
==2115==    by 0x6605F16: operator() (connection_thread.cpp:129)
==2115==    by 0x6605F16: call (qobjectdefs_impl.h:146)
==2115==    by 0x6605F16: call<QtPrivate::List<>, void> (qobjectdefs_impl.h:256)
==2115==    by 0x6605F16: QtPrivate::QFunctorSlotObject<KWayland::Client::ConnectionThread::Private::setupSocketNotifier()::{lambda()#1}, 0, QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) (qobjectdefs_impl.h:439)
==2115==    by 0x5883EBF: call (qobjectdefs_impl.h:394)
==2115==    by 0x5883EBF: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3781)
==2115==    by 0x588FFCB: QSocketNotifier::activated(int, QSocketNotifier::QPrivateSignal) (moc_qsocketnotifier.cpp:140)
==2115==    by 0x5890330: QSocketNotifier::event(QEvent*) (qsocketnotifier.cpp:266)
==2115==    by 0x50C4AF5: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:3737)
==2115==    by 0x50CDE7F: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:3483)
==2115==    by 0x5859AE7: QCoreApplication::notifyInternal2(QObject*, QEvent*) (qcoreapplication.cpp:1084)
==2115==    by 0x58AF586: socketNotifierSourceDispatch(_GSource*, int (*)(void*), void*) (qeventdispatcher_glib.cpp:106)
==2115==  Address 0x1c2e4ffc is 44 bytes inside a block of size 72 free'd
==2115==    at 0x4839A0C: free (vg_replace_malloc.c:540)
==2115==    by 0x661DC14: destroy (wayland_pointer_p.h:63)
==2115==    by 0x661DC14: KWayland::Client::Registry::Private::globalSync(void*, wl_callback*, unsigned int) (registry.cpp:539)
==2115==    by 0x8856B27: ffi_call_unix64 (unix64.S:76)
==2115==    by 0x8856338: ffi_call (ffi64.c:525)
==2115==    by 0x8848606: wl_closure_invoke (connection.c:1014)
==2115==    by 0x8844F17: dispatch_event.isra.0 (wayland-client.c:1430)
==2115==    by 0x884646B: dispatch_queue (wayland-client.c:1576)
==2115==    by 0x884646B: wl_display_dispatch_queue_pending (wayland-client.c:1818)
==2115==    by 0x6605F16: operator() (connection_thread.cpp:129)
==2115==    by 0x6605F16: call (qobjectdefs_impl.h:146)
==2115==    by 0x6605F16: call<QtPrivate::List<>, void> (qobjectdefs_impl.h:256)
==2115==    by 0x6605F16: QtPrivate::QFunctorSlotObject<KWayland::Client::ConnectionThread::Private::setupSocketNotifier()::{lambda()#1}, 0, QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) (qobjectdefs_impl.h:439)
==2115==    by 0x5883EBF: call (qobjectdefs_impl.h:394)
==2115==    by 0x5883EBF: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3781)
==2115==    by 0x588FFCB: QSocketNotifier::activated(int, QSocketNotifier::QPrivateSignal) (moc_qsocketnotifier.cpp:140)
==2115==    by 0x5890330: QSocketNotifier::event(QEvent*) (qsocketnotifier.cpp:266)
==2115==    by 0x50C4AF5: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:3737)
==2115==  Block was alloc'd at
==2115==    at 0x483AB1A: calloc (vg_replace_malloc.c:762)
==2115==    by 0x8844D42: UnknownInlinedFun (wayland-private.h:236)
==2115==    by 0x8844D42: proxy_create.isra.0 (wayland-client.c:421)
==2115==    by 0x884542B: create_outgoing_proxy (wayland-client.c:650)
==2115==    by 0x884542B: wl_proxy_marshal_array_constructor_versioned (wayland-client.c:735)
==2115==    by 0x8845782: wl_proxy_marshal_constructor (wayland-client.c:824)
==2115==    by 0x661E0BD: wl_display_sync (wayland-client-protocol.h:958)
==2115==    by 0x661E0BD: KWayland::Client::Registry::create(wl_display*) (registry.cpp:470)
==2115==    by 0x661E13A: KWayland::Client::Registry::create(KWayland::Client::ConnectionThread*) (registry.cpp:479)
==2115==    by 0x197A76F7: Breeze::ShadowHelper::initializeWayland() (breezeshadowhelper.cpp:149)
==2115==    by 0x5884BF9: QObject::event(QEvent*) (qobject.cpp:1260)
==2115==    by 0x50C4AF5: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:3737)
==2115==    by 0x50CDE7F: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:3483)
==2115==    by 0x5859AE7: QCoreApplication::notifyInternal2(QObject*, QEvent*) (qcoreapplication.cpp:1084)
==2115==    by 0x585CA92: QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qcoreapplication.cpp:1821)

A use of uninitialized variables in ScreenLocker::KSldApp::event(QEvent*) at ksldapp.cpp:733 in kscreenlocker and in the syscall writev (writev.c:26) also happened before I selected Shut Down in Plasma.
==2115== Thread 1:
==2115== Conditional jump or move depends on uninitialised value(s)
==2115==    at 0x64445BB: ScreenLocker::KSldApp::event(QEvent*) (ksldapp.cpp:733)
==2115==    by 0x50C4AF5: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:3737)
==2115==    by 0x50CDE7F: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:3483)
==2115==    by 0x5859AE7: QCoreApplication::notifyInternal2(QObject*, QEvent*) (qcoreapplication.cpp:1084)
==2115==    by 0x588B542: QObjectPrivate::setParent_helper(QObject*) (qobject.cpp:2059)
==2115==    by 0x588BF67: QObject::QObject(QObject*) (qobject.cpp:817)
==2115==    by 0x645A5C3: ScreenLocker::WaylandServer::WaylandServer(QObject*) (waylandserver.cpp:45)
==2115==    by 0x6443955: ScreenLocker::KSldApp::KSldApp(QObject*) (ksldapp.cpp:87)
==2115==    by 0x6443AD4: ScreenLocker::KSldApp::self() (ksldapp.cpp:76)
==2115==    by 0x4AC82EC: KWin::WaylandServer::initScreenLocker() (wayland_server.cpp:439)
==2115==    by 0x4ACB837: KWin::WaylandServer::initWorkspace() (wayland_server.cpp:428)
==2115==    by 0x5883EBF: call (qobjectdefs_impl.h:394)
==2115==    by 0x5883EBF: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3781)
==2115==  Uninitialised value was created by a heap allocation
==2115==    at 0x4838E86: operator new(unsigned long) (vg_replace_malloc.c:344)
==2115==    by 0x6443AC5: ScreenLocker::KSldApp::self() (ksldapp.cpp:76)
==2115==    by 0x4AC82EC: KWin::WaylandServer::initScreenLocker() (wayland_server.cpp:439)
==2115==    by 0x4ACB837: KWin::WaylandServer::initWorkspace() (wayland_server.cpp:428)
==2115==    by 0x5883EBF: call (qobjectdefs_impl.h:394)
==2115==    by 0x5883EBF: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3781)
==2115==    by 0x116B51: KWin::ApplicationWayland::continueStartupWithX() (main_wayland.cpp:265)
==2115==    by 0x5884BF9: QObject::event(QEvent*) (qobject.cpp:1260)
==2115==    by 0x50CC203: QApplication::event(QEvent*) (qapplication.cpp:1991)
==2115==    by 0x50C4AF5: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:3737)
==2115==    by 0x50CDE7F: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:3483)
==2115==    by 0x5859AE7: QCoreApplication::notifyInternal2(QObject*, QEvent*) (qcoreapplication.cpp:1084)
==2115==    by 0x585CA92: QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qcoreapplication.cpp:1821)
==2115== 
==2115== Syscall param writev(vector[...]) points to uninitialised byte(s)
==2115==    at 0x5E29325: __writev (writev.c:26)
==2115==    by 0x5E29325: writev (writev.c:24)
==2115==    by 0x5B20626: write_vec (xcb_conn.c:277)
==2115==    by 0x5B20626: _xcb_conn_wait (xcb_conn.c:522)
==2115==    by 0x5B209F8: _xcb_out_send (xcb_out.c:464)
==2115==    by 0x5B20C86: _xcb_out_flush_to (xcb_out.c:488)
==2115==    by 0x5B2150F: xcb_flush (xcb_out.c:423)
==2115==    by 0x114A29: operator() (main_wayland.cpp:236)
==2115==    by 0x114A29: call (qobjectdefs_impl.h:146)
==2115==    by 0x114A29: call<QtPrivate::List<>, void> (qobjectdefs_impl.h:256)
==2115==    by 0x114A29: QtPrivate::QFunctorSlotObject<KWin::ApplicationWayland::continueStartupWithX()::{lambda()#1}, 0, QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) (qobjectdefs_impl.h:439)
==2115==    by 0x5883EBF: call (qobjectdefs_impl.h:394)
==2115==    by 0x5883EBF: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3781)
==2115==    by 0x58ABF99: QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventdispatcher_unix.cpp:465)
==2115==    by 0x18D61ED0: QUnixEventDispatcherQPA::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (in /usr/lib64/qt5/plugins/platforms/KWinQpaPlugin.so)
==2115==    by 0x58589EA: QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (qeventloop.cpp:225)
==2115==    by 0x5860725: QCoreApplication::exec() (qcoreapplication.cpp:1385)
==2115==    by 0x113994: main (main_wayland.cpp:830)
==2115==  Address 0x27f31ff2 is 4,530 bytes inside a block of size 21,152 alloc'd
==2115==    at 0x483AB1A: calloc (vg_replace_malloc.c:762)
==2115==    by 0x5B1FFF4: xcb_connect_to_fd (xcb_conn.c:345)
==2115==    by 0x11538F: KWin::ApplicationWayland::createX11Connection() (main_wayland.cpp:328)
==2115==    by 0x116859: KWin::ApplicationWayland::continueStartupWithX() (main_wayland.cpp:223)
==2115==    by 0x5884BF9: QObject::event(QEvent*) (qobject.cpp:1260)
==2115==    by 0x50CC203: QApplication::event(QEvent*) (qapplication.cpp:1991)
==2115==    by 0x50C4AF5: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:3737)
==2115==    by 0x50CDE7F: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:3483)
==2115==    by 0x5859AE7: QCoreApplication::notifyInternal2(QObject*, QEvent*) (qcoreapplication.cpp:1084)
==2115==    by 0x585CA92: QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qcoreapplication.cpp:1821)
==2115==    by 0x58ABFA6: QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventdispatcher_unix.cpp:466)
==2115==    by 0x18D61ED0: QUnixEventDispatcherQPA::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (in /usr/lib64/qt5/plugins/platforms/KWinQpaPlugin.so)
==2115==  Uninitialised value was created by a stack allocation
==2115==    at 0x4F2DE35: KSelectionOwner::Private::gotTimestamp() (kselectionowner.cpp:222)

19 invalid reads and 1 invalid write happened after the shutdown began, starting at poll_for_next_event (xcb_in.c:708). These invalid reads and write appeared to be use-after-free errors also.
==2115== Invalid read of size 4
==2115==    at 0x5B230A4: poll_for_next_event (xcb_in.c:708)
==2115==    by 0x5B230A4: xcb_poll_for_event (xcb_in.c:722)
==2115==    by 0x1149A1: operator() (main_wayland.cpp:231)
==2115==    by 0x1149A1: call (qobjectdefs_impl.h:146)
==2115==    by 0x1149A1: call<QtPrivate::List<>, void> (qobjectdefs_impl.h:256)
==2115==    by 0x1149A1: QtPrivate::QFunctorSlotObject<KWin::ApplicationWayland::continueStartupWithX()::{lambda()#1}, 0, QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) (qobjectdefs_impl.h:439)
==2115==    by 0x5883EBF: call (qobjectdefs_impl.h:394)
==2115==    by 0x5883EBF: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3781)
==2115==    by 0x58ABF99: QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventdispatcher_unix.cpp:465)
==2115==    by 0x18D61ED0: QUnixEventDispatcherQPA::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (in /usr/lib64/qt5/plugins/platforms/KWinQpaPlugin.so)
==2115==    by 0x1157D1: KWin::ApplicationWayland::~ApplicationWayland() (main_wayland.cpp:157)
==2115==    by 0x112F29: main (main_wayland.cpp:557)
==2115==  Address 0x27f30e40 is 0 bytes inside a block of size 21,152 free'd
==2115==    at 0x4839A0C: free (vg_replace_malloc.c:540)
==2115==    by 0x1157A0: KWin::ApplicationWayland::~ApplicationWayland() (main_wayland.cpp:151)
==2115==    by 0x112F29: main (main_wayland.cpp:557)
==2115==  Block was alloc'd at
==2115==    at 0x483AB1A: calloc (vg_replace_malloc.c:762)
==2115==    by 0x5B1FFF4: xcb_connect_to_fd (xcb_conn.c:345)
==2115==    by 0x11538F: KWin::ApplicationWayland::createX11Connection() (main_wayland.cpp:328)
==2115==    by 0x116859: KWin::ApplicationWayland::continueStartupWithX() (main_wayland.cpp:223)
==2115==    by 0x5884BF9: QObject::event(QEvent*) (qobject.cpp:1260)
==2115==    by 0x50CC203: QApplication::event(QEvent*) (qapplication.cpp:1991)
==2115==    by 0x50C4AF5: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:3737)
==2115==    by 0x50CDE7F: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:3483)
==2115==    by 0x5859AE7: QCoreApplication::notifyInternal2(QObject*, QEvent*) (qcoreapplication.cpp:1084)
==2115==    by 0x585CA92: QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qcoreapplication.cpp:1821)
==2115==    by 0x58ABFA6: QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventdispatcher_unix.cpp:466)
==2115==    by 0x18D61ED0: QUnixEventDispatcherQPA::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (in /usr/lib64/qt5/plugins/platforms/KWinQpaPlugin.so)

The trace of the kwin_wayland abort involved functions like _dbus_warn_check_failed (dbus-internals.c:281) in dbus-libs-1.12.16-1 and QDBusConnection related ones like QDBusConnectionPrivate::getNameOwnerNoCache (qdbusintegrator.cpp:2502) in qt5-qtbase-5.12.4-1.

==2115== Process terminating with default action of signal 6 (SIGABRT): dumping core
==2115==    at 0x5D6EE75: raise (raise.c:51)
==2115==    by 0x5D5995D: abort (abort.c:100)
==2115==    by 0x7BF3B31: _dbus_abort.cold (dbus-sysdeps.c:93)
==2115==    by 0x7C161BF: _dbus_warn_check_failed (dbus-internals.c:281)
==2115==    by 0x4DE60F8: q_dbus_pending_call_block (qdbus_symbols_p.h:448)
==2115==    by 0x4DE60F8: QDBusConnectionPrivate::getNameOwnerNoCache(QString const&) (qdbusintegrator.cpp:2502)
==2115==    by 0x4DE67FF: QDBusConnectionPrivate::addSignalHook(QString const&, QDBusConnectionPrivate::SignalHook const&) (qdbusintegrator.cpp:2249)
==2115==    by 0x4DE7B94: call (qobjectdefs_impl.h:152)
==2115==    by 0x4DE7B94: call<QtPrivate::List<const QString&, const QDBusConnectionPrivate::SignalHook&>, bool> (qobjectdefs_impl.h:185)
==2115==    by 0x4DE7B94: QtPrivate::QSlotObject<bool (QDBusConnectionPrivate::*)(QString const&, QDBusConnectionPrivate::SignalHook const&), QtPrivate::List<QString const&, QDBusConnectionPrivate::SignalHook const&>, bool>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) (qobjectdefs_impl.h:414)
==2115==    by 0x5884BF9: QObject::event(QEvent*) (qobject.cpp:1260)
==2115==    by 0x5859A54: doNotify(QObject*, QEvent*) (qcoreapplication.cpp:1174)
==2115==    by 0x5859B60: QCoreApplication::notifyInternal2(QObject*, QEvent*) (qcoreapplication.cpp:1083)
==2115==    by 0x585CA92: QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qcoreapplication.cpp:1821)
==2115==    by 0x58AEE46: postEventSourceDispatch(_GSource*, int (*)(void*), void*) (qeventdispatcher_glib.cpp:276)

The use of QDBusConnections agrees with the audit message of the abort, which included comm="QDBusConnection".

STEPS TO REPRODUCE
1. boot into Fedora 30 KDE Plasma spin fully updated with updates-testing enabled
2. Log into Plasma on Wayland from sddm
3. Shut down

Troubleshooting
4. boot again
5. Log into Plasma on Wayland from sddm
6. journalctl -b -1
7. edit /usr/bin/startplasmacompositor to run kwin_wayland under valgrind as described above
8. reboot
9. Log into Plasma on Wayland from sddm
10. shut down
11. boot
12. Log into Plasma on Wayland from sddm
13. read valgrind log

OBSERVED RESULT
kwin_wayland aborted when shutting down

EXPECTED RESULT
kwin_wayland stops normally when shutting down

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: Fedora 30, 5.1.16 kernel
(available in About System)
KDE Plasma Version: 5.15.5
KDE Frameworks Version: 5.59.0
Qt Version: 5.12.4

ADDITIONAL INFORMATION
I've noticed similarities between the first invalid read at wl_proxy_unref (wayland-client.c:229) I reported and invalid reads starting at wayland-client.c:229 in
plasmashell https://bugs.kde.org/show_bug.cgi?id=409021#c1
konsole https://bugs.kde.org/show_bug.cgi?id=408971
powerdevil https://bugs.kde.org/show_bug.cgi?id=408553
kglobalaccel5 and akonadi_sendlater_agent

The address freed had the following common functions and source lines and was 44 bytes inside a block of size 72 free'd:

==4203==  Address 0x1934ea3c is 44 bytes inside a block of size 72 free'd
==4203==    at 0x4839A0C: free (vg_replace_malloc.c:540)
==4203==    by 0x1949F844: destroy (wayland_pointer_p.h:63)
==4203==    by 0x1949F844: KWayland::Client::Registry::Private::globalSync(void*, wl_callback*, unsigned int) (registry.cpp:539)
==4203==    by 0x485CB27: ffi_call_unix64 (in /usr/lib64/libffi.so.6.0.2)
==4203==    by 0x485C338: ffi_call (in /usr/lib64/libffi.so.6.0.2)
==4203==    by 0x172C3606: wl_closure_invoke (connection.c:1014)
==4203==    by 0x172BFF17: dispatch_event.isra.0 (wayland-client.c:1430)
==4203==    by 0x172C146B: dispatch_queue (wayland-client.c:1576)
==4203==    by 0x172C146B: wl_display_dispatch_queue_pending (wayland-client.c:1818)
==4203==    by 0x172C18AA: wl_display_roundtrip_queue (wayland-client.c:1241)
==4203==    by 0x194887C3: KWayland::Client::ConnectionThread::roundtrip() (connection_thread.cpp:290)

Functions in those stacks might have freed the pointer before the other programs used it. KWayland::Client::Registry::Private::globalSync (registry.cpp:539) might be where the freeing was done too early. Memory corruption due to the use-after-free errors might have led to the segmentation faults I saw. These errors might be in kwayland or libwayland-client. This report could be reassigned to frameworks-kwayland. I've attached the full valgrind log.
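The triage done by hand in this report (count the invalid reads and writes, decide which are use-after-free by looking for an address description ending in "free'd", and compare the free-site frames across programs) can be automated. The following is an added example, not code from the bug report or from KDE/valgrind: a small parser for memcheck's text output that classifies each error record, groups use-after-free candidates by the frame that called free() (skipping valgrind's own vg_replace_malloc.c frames), and picks out the terminating signal. The embedded log is a constructed excerpt condensed from the traces above, with most frames dropped; the function and variable names are the example's own.

```python
# Triage a valgrind memcheck log: count invalid reads/writes, flag those whose target
# address was already free'd (use-after-free candidates), group them by the frame that
# called free(), and collect uninitialised-value findings.
import re
from collections import Counter

# Constructed excerpt condensed from the traces in this report (most frames dropped).
SAMPLE_LOG = """\
==2115== Thread 3 QThread:
==2115== Invalid read of size 4
==2115==    at 0x8844BB4: wl_proxy_unref (wayland-client.c:229)
==2115==  Address 0x1c2e4ffc is 44 bytes inside a block of size 72 free'd
==2115==    at 0x4839A0C: free (vg_replace_malloc.c:540)
==2115==    by 0x661DC14: KWayland::Client::Registry::Private::globalSync(void*, wl_callback*, unsigned int) (registry.cpp:539)
==2115==  Block was alloc'd at
==2115==    at 0x483AB1A: calloc (vg_replace_malloc.c:762)
==2115==
==2115== Invalid write of size 4
==2115==    at 0x8844BBE: wl_proxy_unref (wayland-client.c:230)
==2115==  Address 0x1c2e4ffc is 44 bytes inside a block of size 72 free'd
==2115==    at 0x4839A0C: free (vg_replace_malloc.c:540)
==2115==    by 0x661DC14: KWayland::Client::Registry::Private::globalSync(void*, wl_callback*, unsigned int) (registry.cpp:539)
==2115==
==2115== Thread 1:
==2115== Conditional jump or move depends on uninitialised value(s)
==2115==    at 0x64445BB: ScreenLocker::KSldApp::event(QEvent*) (ksldapp.cpp:733)
==2115==  Uninitialised value was created by a heap allocation
==2115==    at 0x4838E86: operator new(unsigned long) (vg_replace_malloc.c:344)
==2115==
==2115== Syscall param writev(vector[...]) points to uninitialised byte(s)
==2115==    at 0x5E29325: __writev (writev.c:26)
==2115==  Address 0x27f31ff2 is 4,530 bytes inside a block of size 21,152 alloc'd
==2115==    at 0x483AB1A: calloc (vg_replace_malloc.c:762)
==2115==
==2115== Invalid read of size 4
==2115==    at 0x5B230A4: poll_for_next_event (xcb_in.c:708)
==2115==  Address 0x27f30e40 is 0 bytes inside a block of size 21,152 free'd
==2115==    at 0x4839A0C: free (vg_replace_malloc.c:540)
==2115==    by 0x1157A0: KWin::ApplicationWayland::~ApplicationWayland() (main_wayland.cpp:151)
==2115==
==2115== Process terminating with default action of signal 6 (SIGABRT): dumping core
==2115==    at 0x5D6EE75: raise (raise.c:51)
"""

PREFIX = re.compile(r"^==\d+==(.*)$")                       # every memcheck line starts ==PID==
FRAME = re.compile(r"^ {3,}(?:at|by) 0x[0-9A-Fa-f]+: (.+?)\s*$")
AUX = re.compile(r"^ {1,2}(Address .+?|Block was alloc'd at|Uninitialised value was created by .+?)\s*$")
SIGNAL = re.compile(r"Process terminating with default action of signal \d+ \((\w+)\)")


def classify(header):
    if header.startswith("Invalid read"):
        return "invalid_read"
    if header.startswith("Invalid write"):
        return "invalid_write"
    if "uninitialised" in header:
        return "uninitialised"
    if SIGNAL.match(header):
        return "terminating"
    return "other"


def parse_memcheck(text):
    """Split memcheck output into records: header, kind, aux lines, frames per section."""
    records, cur, section = [], None, None
    for raw in text.splitlines():
        m = PREFIX.match(raw)
        if not m:
            continue
        body = m.group(1)
        if not body.strip():                 # a blank ==PID== line ends the record
            cur, section = None, None
            continue
        fm = FRAME.match(body)
        if fm:
            if cur is not None:
                cur["frames"].setdefault(section, []).append(fm.group(1))
            continue
        am = AUX.match(body)
        if am:
            if cur is not None:
                aux = am.group(1)
                cur["aux"].append(aux)
                # frames that follow describe the free site, the allocation, or the origin
                if aux.endswith("free'd"):
                    section = "free"
                elif "alloc'd" in aux:
                    section = "alloc"
                else:
                    section = "origin" if aux.startswith("Uninitialised") else "aux"
            continue
        header = body.strip()
        if header.startswith("Thread ") and header.endswith(":"):
            continue                         # thread banner, not an error
        cur = {"header": header, "kind": classify(header), "frames": {}, "aux": []}
        section = "access"
        records.append(cur)
    return records


def is_use_after_free(rec):
    return rec["kind"] in ("invalid_read", "invalid_write") and any(
        a.startswith("Address") and a.endswith("free'd") for a in rec["aux"])


def caller_of_free(rec):
    """First free-site frame outside valgrind's malloc replacements, i.e. the real caller."""
    frames = rec["frames"].get("free", [])
    user = [f for f in frames if "vg_replace_malloc.c" not in f]
    return user[0] if user else (frames[0] if frames else None)


def summarize(records):
    kinds = Counter(r["kind"] for r in records)
    uaf = [r for r in records if is_use_after_free(r)]
    sigs = [SIGNAL.match(r["header"]).group(1) for r in records if r["kind"] == "terminating"]
    return {
        "invalid_read": kinds["invalid_read"],
        "invalid_write": kinds["invalid_write"],
        "use_after_free": len(uaf),
        "uninitialised": kinds["uninitialised"],
        "uaf_access_sites": [r["frames"]["access"][0] for r in uaf],
        "free_sites": Counter(caller_of_free(r) for r in uaf),
        "signal": sigs[0] if sigs else None,
    }


if __name__ == "__main__":
    s = summarize(parse_memcheck(SAMPLE_LOG))
    print(s["invalid_read"], s["invalid_write"], s["use_after_free"], s["uninitialised"], s["signal"])
    for site, n in s["free_sites"].most_common():
        print(f"{n}x freed at: {site}")
```

Run it against the full attachment with `summarize(parse_memcheck(open(path).read()))`; the `free_sites` counter is what makes the cross-program comparison in the report's additional information (the same globalSync free site in plasmashell, konsole, powerdevil) a one-line check instead of a visual diff of stack traces.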