Bug 1728716 - kwin_wayland aborted when shutting down involving invalid reads and writes, use of uninitialized variables etc.
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: kwin
Version: 30
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Daniel Vrátil
QA Contact: Fedora Extras Quality Assurance
URL: https://bugs.kde.org/show_bug.cgi?id=...
Whiteboard:
Depends On:
Blocks:
 
Reported: 2019-07-10 14:16 UTC by Matt Fagnani
Modified: 2020-05-26 16:06 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2020-05-26 16:06:10 UTC
Type: Bug
Embargoed:


Attachments
valgrind log file when run on kwin_wayland then shutting down (76.34 KB, text/plain)
2019-07-10 14:18 UTC, Matt Fagnani

Description Matt Fagnani 2019-07-10 14:16:22 UTC
Description of problem:

I've seen audit messages in my journal indicating that kwin_wayland aborted when shutting down the system in Plasma 5.15.5 on Wayland in Fedora 30 such as the following. 

Jul 09 21:01:21 audit[1399]: ANOM_ABEND auid=1000 uid=1000 gid=1000 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1399 comm="QDBusConnection" exe="/usr/bin/kwin_wayland" sig=6 res=1
Jul 09 21:01:21 systemd[1]: Requested transaction contradicts existing jobs: Transaction for systemd-coredump/start is destructive (systemd-poweroff.service has 'start' job queued, but 'stop' is included in transaction).
Jul 09 21:01:21 systemd[1]: systemd-coredump.socket: Failed to queue service startup job (Maybe the service file is missing or not a non-template unit?): Transaction for systemd-coredump/start is destructive (systemd-poweroff.service has 'start' job queued, but 'stop' is included in transaction).
Jul 09 21:01:21 systemd[1]: systemd-coredump.socket: Failed with result 'resources'.
Jul 09 21:01:21 systemd-coredump[1970]: Failed to send coredump datagram: Connection reset by peer

There are 149 such messages indicating kwin_wayland aborted when I shut down or rebooted. The crashes were not in coredumpctl or abrt.

I edited /usr/bin/startplasmacompositor at line 239 to run kwin_wayland under valgrind like
valgrind --log-file=/programs/kde/kwin/valgrind-kwin_wayland-3.txt --track-origins=yes /usr/bin/kwin_wayland --xwayland --libinput --exit-with-session=/usr/libexec/startplasma

I rebooted then logged into Plasma on wayland from sddm 0.18.1 under valgrind. I shut down the system. The valgrind log showed 20 invalid reads and 2 invalid writes overall. An invalid read in wl_proxy_unref (wayland-client.c:229) in libwayland-client and invalid write in wl_proxy_unref (wayland-client.c:230) happened before I started the shutdown. Those appear to be use-after-free errors since they contained lines like "Address 0x1c2e4ffc is 44 bytes inside a block of size 72 free'd".

==2115== Thread 3 QThread:
==2115== Invalid read of size 4
==2115==    at 0x8844BB4: wl_proxy_unref (wayland-client.c:229)
==2115==    by 0x8844CB3: destroy_queued_closure (wayland-client.c:291)
==2115==    by 0x8844EC7: dispatch_event.isra.0 (wayland-client.c:1436)
==2115==    by 0x884646B: dispatch_queue (wayland-client.c:1576)
==2115==    by 0x884646B: wl_display_dispatch_queue_pending (wayland-client.c:1818)
==2115==    by 0x6605F16: operator() (connection_thread.cpp:129)
==2115==    by 0x6605F16: call (qobjectdefs_impl.h:146)
==2115==    by 0x6605F16: call<QtPrivate::List<>, void> (qobjectdefs_impl.h:256)
==2115==    by 0x6605F16: QtPrivate::QFunctorSlotObject<KWayland::Client::ConnectionThread::Private::setupSocketNotifier()::{lambda()#1}, 0, QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) (qobjectdefs_impl.h:439)
==2115==    by 0x5883EBF: call (qobjectdefs_impl.h:394)
==2115==    by 0x5883EBF: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3781)
==2115==    by 0x588FFCB: QSocketNotifier::activated(int, QSocketNotifier::QPrivateSignal) (moc_qsocketnotifier.cpp:140)
==2115==    by 0x5890330: QSocketNotifier::event(QEvent*) (qsocketnotifier.cpp:266)
==2115==    by 0x50C4AF5: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:3737)
==2115==    by 0x50CDE7F: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:3483)
==2115==    by 0x5859AE7: QCoreApplication::notifyInternal2(QObject*, QEvent*) (qcoreapplication.cpp:1084)
==2115==    by 0x58AF586: socketNotifierSourceDispatch(_GSource*, int (*)(void*), void*) (qeventdispatcher_glib.cpp:106)
==2115==  Address 0x1c2e4ffc is 44 bytes inside a block of size 72 free'd
==2115==    at 0x4839A0C: free (vg_replace_malloc.c:540)
==2115==    by 0x661DC14: destroy (wayland_pointer_p.h:63)
==2115==    by 0x661DC14: KWayland::Client::Registry::Private::globalSync(void*, wl_callback*, unsigned int) (registry.cpp:539)
==2115==    by 0x8856B27: ffi_call_unix64 (unix64.S:76)
==2115==    by 0x8856338: ffi_call (ffi64.c:525)
==2115==    by 0x8848606: wl_closure_invoke (connection.c:1014)
==2115==    by 0x8844F17: dispatch_event.isra.0 (wayland-client.c:1430)
==2115==    by 0x884646B: dispatch_queue (wayland-client.c:1576)
==2115==    by 0x884646B: wl_display_dispatch_queue_pending (wayland-client.c:1818)
==2115==    by 0x6605F16: operator() (connection_thread.cpp:129)
==2115==    by 0x6605F16: call (qobjectdefs_impl.h:146)
==2115==    by 0x6605F16: call<QtPrivate::List<>, void> (qobjectdefs_impl.h:256)
==2115==    by 0x6605F16: QtPrivate::QFunctorSlotObject<KWayland::Client::ConnectionThread::Private::setupSocketNotifier()::{lambda()#1}, 0, QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) (qobjectdefs_impl.h:439)
==2115==    by 0x5883EBF: call (qobjectdefs_impl.h:394)
==2115==    by 0x5883EBF: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3781)
==2115==    by 0x588FFCB: QSocketNotifier::activated(int, QSocketNotifier::QPrivateSignal) (moc_qsocketnotifier.cpp:140)
==2115==    by 0x5890330: QSocketNotifier::event(QEvent*) (qsocketnotifier.cpp:266)
==2115==    by 0x50C4AF5: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:3737)
==2115==  Block was alloc'd at
==2115==    at 0x483AB1A: calloc (vg_replace_malloc.c:762)
==2115==    by 0x8844D42: UnknownInlinedFun (wayland-private.h:236)
==2115==    by 0x8844D42: proxy_create.isra.0 (wayland-client.c:421)
==2115==    by 0x884542B: create_outgoing_proxy (wayland-client.c:650)
==2115==    by 0x884542B: wl_proxy_marshal_array_constructor_versioned (wayland-client.c:735)
==2115==    by 0x8845782: wl_proxy_marshal_constructor (wayland-client.c:824)
==2115==    by 0x661E0BD: wl_display_sync (wayland-client-protocol.h:958)
==2115==    by 0x661E0BD: KWayland::Client::Registry::create(wl_display*) (registry.cpp:470)
==2115==    by 0x661E13A: KWayland::Client::Registry::create(KWayland::Client::ConnectionThread*) (registry.cpp:479)
==2115==    by 0x197A76F7: Breeze::ShadowHelper::initializeWayland() (breezeshadowhelper.cpp:149)
==2115==    by 0x5884BF9: QObject::event(QEvent*) (qobject.cpp:1260)
==2115==    by 0x50C4AF5: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:3737)
==2115==    by 0x50CDE7F: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:3483)
==2115==    by 0x5859AE7: QCoreApplication::notifyInternal2(QObject*, QEvent*) (qcoreapplication.cpp:1084)
==2115==    by 0x585CA92: QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qcoreapplication.cpp:1821)
==2115== 
==2115== Invalid write of size 4
==2115==    at 0x8844BBE: wl_proxy_unref (wayland-client.c:230)
==2115==    by 0x8844CB3: destroy_queued_closure (wayland-client.c:291)
==2115==    by 0x8844EC7: dispatch_event.isra.0 (wayland-client.c:1436)
==2115==    by 0x884646B: dispatch_queue (wayland-client.c:1576)
==2115==    by 0x884646B: wl_display_dispatch_queue_pending (wayland-client.c:1818)
==2115==    by 0x6605F16: operator() (connection_thread.cpp:129)
==2115==    by 0x6605F16: call (qobjectdefs_impl.h:146)
==2115==    by 0x6605F16: call<QtPrivate::List<>, void> (qobjectdefs_impl.h:256)
==2115==    by 0x6605F16: QtPrivate::QFunctorSlotObject<KWayland::Client::ConnectionThread::Private::setupSocketNotifier()::{lambda()#1}, 0, QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) (qobjectdefs_impl.h:439)
==2115==    by 0x5883EBF: call (qobjectdefs_impl.h:394)
==2115==    by 0x5883EBF: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3781)
==2115==    by 0x588FFCB: QSocketNotifier::activated(int, QSocketNotifier::QPrivateSignal) (moc_qsocketnotifier.cpp:140)
==2115==    by 0x5890330: QSocketNotifier::event(QEvent*) (qsocketnotifier.cpp:266)
==2115==    by 0x50C4AF5: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:3737)
==2115==    by 0x50CDE7F: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:3483)
==2115==    by 0x5859AE7: QCoreApplication::notifyInternal2(QObject*, QEvent*) (qcoreapplication.cpp:1084)
==2115==    by 0x58AF586: socketNotifierSourceDispatch(_GSource*, int (*)(void*), void*) (qeventdispatcher_glib.cpp:106)
==2115==  Address 0x1c2e4ffc is 44 bytes inside a block of size 72 free'd
==2115==    at 0x4839A0C: free (vg_replace_malloc.c:540)
==2115==    by 0x661DC14: destroy (wayland_pointer_p.h:63)
==2115==    by 0x661DC14: KWayland::Client::Registry::Private::globalSync(void*, wl_callback*, unsigned int) (registry.cpp:539)
==2115==    by 0x8856B27: ffi_call_unix64 (unix64.S:76)
==2115==    by 0x8856338: ffi_call (ffi64.c:525)
==2115==    by 0x8848606: wl_closure_invoke (connection.c:1014)
==2115==    by 0x8844F17: dispatch_event.isra.0 (wayland-client.c:1430)
==2115==    by 0x884646B: dispatch_queue (wayland-client.c:1576)
==2115==    by 0x884646B: wl_display_dispatch_queue_pending (wayland-client.c:1818)
==2115==    by 0x6605F16: operator() (connection_thread.cpp:129)
==2115==    by 0x6605F16: call (qobjectdefs_impl.h:146)
==2115==    by 0x6605F16: call<QtPrivate::List<>, void> (qobjectdefs_impl.h:256)
==2115==    by 0x6605F16: QtPrivate::QFunctorSlotObject<KWayland::Client::ConnectionThread::Private::setupSocketNotifier()::{lambda()#1}, 0, QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) (qobjectdefs_impl.h:439)
==2115==    by 0x5883EBF: call (qobjectdefs_impl.h:394)
==2115==    by 0x5883EBF: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3781)
==2115==    by 0x588FFCB: QSocketNotifier::activated(int, QSocketNotifier::QPrivateSignal) (moc_qsocketnotifier.cpp:140)
==2115==    by 0x5890330: QSocketNotifier::event(QEvent*) (qsocketnotifier.cpp:266)
==2115==    by 0x50C4AF5: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:3737)
==2115==  Block was alloc'd at
==2115==    at 0x483AB1A: calloc (vg_replace_malloc.c:762)
==2115==    by 0x8844D42: UnknownInlinedFun (wayland-private.h:236)
==2115==    by 0x8844D42: proxy_create.isra.0 (wayland-client.c:421)
==2115==    by 0x884542B: create_outgoing_proxy (wayland-client.c:650)
==2115==    by 0x884542B: wl_proxy_marshal_array_constructor_versioned (wayland-client.c:735)
==2115==    by 0x8845782: wl_proxy_marshal_constructor (wayland-client.c:824)
==2115==    by 0x661E0BD: wl_display_sync (wayland-client-protocol.h:958)
==2115==    by 0x661E0BD: KWayland::Client::Registry::create(wl_display*) (registry.cpp:470)
==2115==    by 0x661E13A: KWayland::Client::Registry::create(KWayland::Client::ConnectionThread*) (registry.cpp:479)
==2115==    by 0x197A76F7: Breeze::ShadowHelper::initializeWayland() (breezeshadowhelper.cpp:149)
==2115==    by 0x5884BF9: QObject::event(QEvent*) (qobject.cpp:1260)
==2115==    by 0x50C4AF5: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:3737)
==2115==    by 0x50CDE7F: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:3483)
==2115==    by 0x5859AE7: QCoreApplication::notifyInternal2(QObject*, QEvent*) (qcoreapplication.cpp:1084)
==2115==    by 0x585CA92: QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qcoreapplication.cpp:1821)
==2115== 

A use of uninitialized variables in ScreenLocker::KSldApp::event(QEvent*) at ksldapp.cpp:733 in kscreenlocker and in the syscall writev (writev.c:26) also happened before I selected Shut Down in Plasma.

==2115== Thread 1:
==2115== Conditional jump or move depends on uninitialised value(s)
==2115==    at 0x64445BB: ScreenLocker::KSldApp::event(QEvent*) (ksldapp.cpp:733)
==2115==    by 0x50C4AF5: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:3737)
==2115==    by 0x50CDE7F: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:3483)
==2115==    by 0x5859AE7: QCoreApplication::notifyInternal2(QObject*, QEvent*) (qcoreapplication.cpp:1084)
==2115==    by 0x588B542: QObjectPrivate::setParent_helper(QObject*) (qobject.cpp:2059)
==2115==    by 0x588BF67: QObject::QObject(QObject*) (qobject.cpp:817)
==2115==    by 0x645A5C3: ScreenLocker::WaylandServer::WaylandServer(QObject*) (waylandserver.cpp:45)
==2115==    by 0x6443955: ScreenLocker::KSldApp::KSldApp(QObject*) (ksldapp.cpp:87)
==2115==    by 0x6443AD4: ScreenLocker::KSldApp::self() (ksldapp.cpp:76)
==2115==    by 0x4AC82EC: KWin::WaylandServer::initScreenLocker() (wayland_server.cpp:439)
==2115==    by 0x4ACB837: KWin::WaylandServer::initWorkspace() (wayland_server.cpp:428)
==2115==    by 0x5883EBF: call (qobjectdefs_impl.h:394)
==2115==    by 0x5883EBF: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3781)
==2115==  Uninitialised value was created by a heap allocation
==2115==    at 0x4838E86: operator new(unsigned long) (vg_replace_malloc.c:344)
==2115==    by 0x6443AC5: ScreenLocker::KSldApp::self() (ksldapp.cpp:76)
==2115==    by 0x4AC82EC: KWin::WaylandServer::initScreenLocker() (wayland_server.cpp:439)
==2115==    by 0x4ACB837: KWin::WaylandServer::initWorkspace() (wayland_server.cpp:428)
==2115==    by 0x5883EBF: call (qobjectdefs_impl.h:394)
==2115==    by 0x5883EBF: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3781)
==2115==    by 0x116B51: KWin::ApplicationWayland::continueStartupWithX() (main_wayland.cpp:265)
==2115==    by 0x5884BF9: QObject::event(QEvent*) (qobject.cpp:1260)
==2115==    by 0x50CC203: QApplication::event(QEvent*) (qapplication.cpp:1991)
==2115==    by 0x50C4AF5: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:3737)
==2115==    by 0x50CDE7F: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:3483)
==2115==    by 0x5859AE7: QCoreApplication::notifyInternal2(QObject*, QEvent*) (qcoreapplication.cpp:1084)
==2115==    by 0x585CA92: QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qcoreapplication.cpp:1821)
==2115== 
==2115== Syscall param writev(vector[...]) points to uninitialised byte(s)
==2115==    at 0x5E29325: __writev (writev.c:26)
==2115==    by 0x5E29325: writev (writev.c:24)
==2115==    by 0x5B20626: write_vec (xcb_conn.c:277)
==2115==    by 0x5B20626: _xcb_conn_wait (xcb_conn.c:522)
==2115==    by 0x5B209F8: _xcb_out_send (xcb_out.c:464)
==2115==    by 0x5B20C86: _xcb_out_flush_to (xcb_out.c:488)
==2115==    by 0x5B2150F: xcb_flush (xcb_out.c:423)
==2115==    by 0x114A29: operator() (main_wayland.cpp:236)
==2115==    by 0x114A29: call (qobjectdefs_impl.h:146)
==2115==    by 0x114A29: call<QtPrivate::List<>, void> (qobjectdefs_impl.h:256)
==2115==    by 0x114A29: QtPrivate::QFunctorSlotObject<KWin::ApplicationWayland::continueStartupWithX()::{lambda()#1}, 0, QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) (qobjectdefs_impl.h:439)
==2115==    by 0x5883EBF: call (qobjectdefs_impl.h:394)
==2115==    by 0x5883EBF: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3781)
==2115==    by 0x58ABF99: QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventdispatcher_unix.cpp:465)
==2115==    by 0x18D61ED0: QUnixEventDispatcherQPA::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (in /usr/lib64/qt5/plugins/platforms/KWinQpaPlugin.so)
==2115==    by 0x58589EA: QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (qeventloop.cpp:225)
==2115==    by 0x5860725: QCoreApplication::exec() (qcoreapplication.cpp:1385)
==2115==    by 0x113994: main (main_wayland.cpp:830)
==2115==  Address 0x27f31ff2 is 4,530 bytes inside a block of size 21,152 alloc'd
==2115==    at 0x483AB1A: calloc (vg_replace_malloc.c:762)
==2115==    by 0x5B1FFF4: xcb_connect_to_fd (xcb_conn.c:345)
==2115==    by 0x11538F: KWin::ApplicationWayland::createX11Connection() (main_wayland.cpp:328)
==2115==    by 0x116859: KWin::ApplicationWayland::continueStartupWithX() (main_wayland.cpp:223)
==2115==    by 0x5884BF9: QObject::event(QEvent*) (qobject.cpp:1260)
==2115==    by 0x50CC203: QApplication::event(QEvent*) (qapplication.cpp:1991)
==2115==    by 0x50C4AF5: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:3737)
==2115==    by 0x50CDE7F: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:3483)
==2115==    by 0x5859AE7: QCoreApplication::notifyInternal2(QObject*, QEvent*) (qcoreapplication.cpp:1084)
==2115==    by 0x585CA92: QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qcoreapplication.cpp:1821)
==2115==    by 0x58ABFA6: QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventdispatcher_unix.cpp:466)
==2115==    by 0x18D61ED0: QUnixEventDispatcherQPA::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (in /usr/lib64/qt5/plugins/platforms/KWinQpaPlugin.so)
==2115==  Uninitialised value was created by a stack allocation
==2115==    at 0x4F2DE35: KSelectionOwner::Private::gotTimestamp() (kselectionowner.cpp:222)

19 invalid reads and 1 invalid write happened after the shutdown began starting at poll_for_next_event (xcb_in.c:708). These invalid reads and write appeared to be use-after-free errors also.

==2115== Invalid read of size 4
==2115==    at 0x5B230A4: poll_for_next_event (xcb_in.c:708)
==2115==    by 0x5B230A4: xcb_poll_for_event (xcb_in.c:722)
==2115==    by 0x1149A1: operator() (main_wayland.cpp:231)
==2115==    by 0x1149A1: call (qobjectdefs_impl.h:146)
==2115==    by 0x1149A1: call<QtPrivate::List<>, void> (qobjectdefs_impl.h:256)
==2115==    by 0x1149A1: QtPrivate::QFunctorSlotObject<KWin::ApplicationWayland::continueStartupWithX()::{lambda()#1}, 0, QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) (qobjectdefs_impl.h:439)
==2115==    by 0x5883EBF: call (qobjectdefs_impl.h:394)
==2115==    by 0x5883EBF: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3781)
==2115==    by 0x58ABF99: QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventdispatcher_unix.cpp:465)
==2115==    by 0x18D61ED0: QUnixEventDispatcherQPA::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (in /usr/lib64/qt5/plugins/platforms/KWinQpaPlugin.so)
==2115==    by 0x1157D1: KWin::ApplicationWayland::~ApplicationWayland() (main_wayland.cpp:157)
==2115==    by 0x112F29: main (main_wayland.cpp:557)
==2115==  Address 0x27f30e40 is 0 bytes inside a block of size 21,152 free'd
==2115==    at 0x4839A0C: free (vg_replace_malloc.c:540)
==2115==    by 0x1157A0: KWin::ApplicationWayland::~ApplicationWayland() (main_wayland.cpp:151)
==2115==    by 0x112F29: main (main_wayland.cpp:557)
==2115==  Block was alloc'd at
==2115==    at 0x483AB1A: calloc (vg_replace_malloc.c:762)
==2115==    by 0x5B1FFF4: xcb_connect_to_fd (xcb_conn.c:345)
==2115==    by 0x11538F: KWin::ApplicationWayland::createX11Connection() (main_wayland.cpp:328)
==2115==    by 0x116859: KWin::ApplicationWayland::continueStartupWithX() (main_wayland.cpp:223)
==2115==    by 0x5884BF9: QObject::event(QEvent*) (qobject.cpp:1260)
==2115==    by 0x50CC203: QApplication::event(QEvent*) (qapplication.cpp:1991)
==2115==    by 0x50C4AF5: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:3737)
==2115==    by 0x50CDE7F: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:3483)
==2115==    by 0x5859AE7: QCoreApplication::notifyInternal2(QObject*, QEvent*) (qcoreapplication.cpp:1084)
==2115==    by 0x585CA92: QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qcoreapplication.cpp:1821)
==2115==    by 0x58ABFA6: QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventdispatcher_unix.cpp:466)
==2115==    by 0x18D61ED0: QUnixEventDispatcherQPA::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (in /usr/lib64/qt5/plugins/platforms/KWinQpaPlugin.so)


The trace of the kwin_wayland abort involved functions like _dbus_warn_check_failed (dbus-internals.c:281) in dbus-libs-1.12.16-1 and QDBusConnection related ones like QDBusConnectionPrivate::getNameOwnerNoCache (qdbusintegrator.cpp:2502) in qt5-qtbase-5.12.4-1. 

==2115== Process terminating with default action of signal 6 (SIGABRT): dumping core
==2115==    at 0x5D6EE75: raise (raise.c:51)
==2115==    by 0x5D5995D: abort (abort.c:100)
==2115==    by 0x7BF3B31: _dbus_abort.cold (dbus-sysdeps.c:93)
==2115==    by 0x7C161BF: _dbus_warn_check_failed (dbus-internals.c:281)
==2115==    by 0x4DE60F8: q_dbus_pending_call_block (qdbus_symbols_p.h:448)
==2115==    by 0x4DE60F8: QDBusConnectionPrivate::getNameOwnerNoCache(QString const&) (qdbusintegrator.cpp:2502)
==2115==    by 0x4DE67FF: QDBusConnectionPrivate::addSignalHook(QString const&, QDBusConnectionPrivate::SignalHook const&) (qdbusintegrator.cpp:2249)
==2115==    by 0x4DE7B94: call (qobjectdefs_impl.h:152)
==2115==    by 0x4DE7B94: call<QtPrivate::List<const QString&, const QDBusConnectionPrivate::SignalHook&>, bool> (qobjectdefs_impl.h:185)
==2115==    by 0x4DE7B94: QtPrivate::QSlotObject<bool (QDBusConnectionPrivate::*)(QString const&, QDBusConnectionPrivate::SignalHook const&), QtPrivate::List<QString const&, QDBusConnectionPrivate::SignalHook const&>, bool>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) (qobjectdefs_impl.h:414)
==2115==    by 0x5884BF9: QObject::event(QEvent*) (qobject.cpp:1260)
==2115==    by 0x5859A54: doNotify(QObject*, QEvent*) (qcoreapplication.cpp:1174)
==2115==    by 0x5859B60: QCoreApplication::notifyInternal2(QObject*, QEvent*) (qcoreapplication.cpp:1083)
==2115==    by 0x585CA92: QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qcoreapplication.cpp:1821)
==2115==    by 0x58AEE46: postEventSourceDispatch(_GSource*, int (*)(void*), void*) (qeventdispatcher_glib.cpp:276)
==2115== 

The use of QDBusConnections agrees with the audit message of the abort which included comm="QDBusConnection".


Version-Release number of selected component (if applicable):
dbus-libs-1:1.12.16-1.fc30.x86_64
kf5-kwayland-0:5.59.0-2.fc30.x86_64
kwin-wayland-0:5.15.5-2.fc30.x86_64
qt5-qtwayland-0:5.12.4-3.fc30.x86_64

How reproducible:
kwin_wayland aborted most times I shut down or rebooted from Plasma on Wayland.

Steps to Reproduce:
1. boot into Fedora 30 KDE Plasma spin fully updated with updates-testing enabled
2. Log into Plasma on Wayland from sddm
3. Shut down

Troubleshooting
4. boot again
5. Log into Plasma on Wayland from sddm
6. journalctl -b -1
7. edit /usr/bin/startplasmacompositor to run kwin_wayland under valgrind as described above
8. reboot
9. Log into Plasma on Wayland from sddm
10. shut down
11. boot
12. Log into Plasma on Wayland from sddm
13. read valgrind log

Actual results:
kwin_wayland aborted when shutting down


Expected results:
kwin_wayland stops normally when shutting down


Additional info:

I've noticed similarities in the first invalid read at wl_proxy_unref (wayland-client.c:229) I reported and invalid reads starting at wayland-client.c:229 in:
plasmashell https://bugs.kde.org/show_bug.cgi?id=409021#c1
konsole https://bugs.kde.org/show_bug.cgi?id=408971
powerdevil https://bugs.kde.org/show_bug.cgi?id=408553
kglobalaccel5 and akonadi_sendlater_agent

The address freed had the following common functions and source lines and was 44 bytes inside a block of size 72 free'd

==4203==  Address 0x1934ea3c is 44 bytes inside a block of size 72 free'd
==4203==    at 0x4839A0C: free (vg_replace_malloc.c:540)
==4203==    by 0x1949F844: destroy (wayland_pointer_p.h:63)
==4203==    by 0x1949F844: KWayland::Client::Registry::Private::globalSync(void*, wl_callback*, unsigned int) (registry.cpp:539)
==4203==    by 0x485CB27: ffi_call_unix64 (in /usr/lib64/libffi.so.6.0.2)
==4203==    by 0x485C338: ffi_call (in /usr/lib64/libffi.so.6.0.2)
==4203==    by 0x172C3606: wl_closure_invoke (connection.c:1014)
==4203==    by 0x172BFF17: dispatch_event.isra.0 (wayland-client.c:1430)
==4203==    by 0x172C146B: dispatch_queue (wayland-client.c:1576)
==4203==    by 0x172C146B: wl_display_dispatch_queue_pending (wayland-client.c:1818)
==4203==    by 0x172C18AA: wl_display_roundtrip_queue (wayland-client.c:1241)
==4203==    by 0x194887C3: KWayland::Client::ConnectionThread::roundtrip() (connection_thread.cpp:290)

Functions in those stacks might have freed the pointer before the other programs used it. KWayland::Client::Registry::Private::globalSync (registry.cpp:539) might be where the freeing was done too early. Memory corruption due to the use-after-free errors might have led to the segmentation faults I saw. These errors might be in kwayland or libwayland-client. This report could be reassigned to kf5-kwayland. I'll attach the full valgrind log.
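
Editor's note on the first use-after-free above. The two Valgrind stacks are consistent with the reporter's reading: the block is a wl_callback proxy created by wl_display_sync in Registry::create, the freeing stack shows free() invoked directly from destroy (wayland_pointer_p.h:63) inside the "done" handler Registry::Private::globalSync, and the faulting frames are libwayland-client's own wl_proxy_unref reached from destroy_queued_closure. libwayland-client takes a reference on a proxy for each event it queues for that proxy and drops it in destroy_queued_closure after the handler returns; a handler that releases the proxy memory with free() rather than through wl_proxy_destroy (which only clears the owner's reference and lets the dispatcher's reference release the block) leaves that trailing unref touching freed memory, which is exactly the "44 bytes inside a block of size 72 free'd" read and write at wayland-client.c:229-230. The C program below is an added illustration of that mechanism, not code from the report, KWin, KWayland or libwayland: it is a deliberately simplified model with hypothetical names (proxy_unref, proxy_destroy, dispatch_done_event, run_scenario), and instead of really freeing the block it poisons a magic field so the later touch can be counted rather than being undefined behaviour. The handler that calls model_free() directly stands for the shape of the freeing stack in the report; the one that calls proxy_destroy() shows the refcount-respecting alternative.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified model (not libwayland's or KWayland's code) of a reference-counted
 * client proxy and the two ways a wl_callback "done" handler can dispose of it. */

#define LIVE_MAGIC 0x50525859u   /* block allocated and usable */
#define DEAD_MAGIC 0xDEADBEEFu   /* block released */
#define PROXY_DESTROYED 0x1u

struct proxy {
    uint32_t magic;
    int refcount;                /* 1 for the owner + 1 per queued event */
    unsigned flags;
    void (*done)(struct proxy *p, uint32_t serial);
};

/* Stand-in for Valgrind: a release poisons the block instead of calling free(),
 * so a later touch can be counted instead of being undefined behaviour. */
static int g_use_after_free, g_frees;
static void model_free(struct proxy *p) { p->magic = DEAD_MAGIC; g_frees++; }

static int still_live(struct proxy *p)
{
    if (p->magic != LIVE_MAGIC) g_use_after_free++;   /* "Invalid read ... free'd" */
    return p->magic == LIVE_MAGIC;
}

static struct proxy *proxy_create(void (*done)(struct proxy *, uint32_t))
{
    struct proxy *p = calloc(1, sizeof *p);
    if (!p) abort();
    p->magic = LIVE_MAGIC;
    p->refcount = 1;
    p->done = done;
    return p;
}

/* Like wl_proxy_unref(): only the last reference releases the memory. */
static void proxy_unref(struct proxy *p)
{
    if (still_live(p) && --p->refcount == 0)
        model_free(p);
}

/* Like wl_proxy_destroy(): owner drops its reference; queued events keep theirs. */
static void proxy_destroy(struct proxy *p)
{
    p->flags |= PROXY_DESTROYED;
    proxy_unref(p);
}

/* Like queue_event() + dispatch_event() + destroy_queued_closure(). */
static void dispatch_done_event(struct proxy *p, uint32_t serial)
{
    p->refcount++;               /* the queued event's reference */
    if (!(p->flags & PROXY_DESTROYED))
        p->done(p, serial);
    proxy_unref(p);              /* the frame where the report's invalid read/write occur */
}

/* Handler shaped like the report's freeing stack: free() straight from the handler. */
static void done_bypassing_refcount(struct proxy *p, uint32_t serial)
{
    (void)serial;
    model_free(p);
}

/* Handler that hands the proxy back through proxy_destroy() instead. */
static void done_via_proxy_destroy(struct proxy *p, uint32_t serial)
{
    (void)serial;
    proxy_destroy(p);
}

struct scenario_result { int use_after_free; int frees; };

/* One sync round trip: create the callback proxy, deliver its "done" event. */
struct scenario_result run_scenario(int bypass_refcount)
{
    struct scenario_result r;
    struct proxy *p = proxy_create(bypass_refcount ? done_bypassing_refcount
                                                   : done_via_proxy_destroy);
    g_use_after_free = g_frees = 0;
    dispatch_done_event(p, 1);
    r.use_after_free = g_use_after_free;
    r.frees = g_frees;
    free(p);                     /* the model only poisoned the block; release it for real */
    return r;
}

int main(void)
{
    struct scenario_result bad = run_scenario(1), good = run_scenario(0);
    printf("free() from handler:        use-after-free=%d frees=%d\n", bad.use_after_free, bad.frees);
    printf("proxy_destroy from handler: use-after-free=%d frees=%d\n", good.use_after_free, good.frees);
    return 0;
}
```

Run as-is, the refcount-bypassing handler reports one touch of released memory and the proxy_destroy handler none, with the block released exactly once in both cases. On a real client the equivalent check is the one the reporter already used: run the process under valgrind --track-origins=yes, or build it with -fsanitize=address, and look for a wl_proxy_unref frame whose "free'd" stack does not pass through wl_proxy_destroy.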

Comment 1 Matt Fagnani 2019-07-10 14:18:43 UTC
Created attachment 1589112
valgrind log file when run on kwin_wayland then shutting down

Comment 2 Matt Fagnani 2019-07-10 14:19:25 UTC
I reported this issue at https://bugs.kde.org/show_bug.cgi?id=409688

Comment 3 Ben Cotton 2020-04-30 21:35:42 UTC
This message is a reminder that Fedora 30 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 30 on 2020-05-26.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '30'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 30 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora 
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 4 Ben Cotton 2020-05-26 16:06:10 UTC
Fedora 30 changed to end-of-life (EOL) status on 2020-05-26. Fedora 30 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

