Bug 1733833 - plasmashell 5.16.2 segmentation faults in wl_proxy_marshal_constructor at wayland-client.c:819-820 in libwayland-client when logging out of Plasma on Wayland
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: plasma-workspace
Version: 31
Hardware: Unspecified
OS: Unspecified
Assignee: KDE SIG
QA Contact: Fedora Extras Quality Assurance
Reported: 2019-07-29 03:06 UTC by Matt Fagnani
Modified: 2019-08-13 18:53 UTC (History)

Attachments
valgrind log of plasmashell on wayland when logging in and logging out (31.95 KB, text/plain)
2019-07-29 03:06 UTC, Matt Fagnani
gdb full trace of all threads and other output from the plasmashell segmentation fault core file on logging out of Plasma on Wayland (125.11 KB, text/plain)
2019-07-29 03:07 UTC, Matt Fagnani


Links
System: KDE Software Compilation
ID: 410332
Priority: None
Status: None
Summary: None
Last Updated: 2019-07-29 03:06:02 UTC

Description Matt Fagnani 2019-07-29 03:06:03 UTC
Created attachment 1594136 [details]
valgrind log of plasmashell on wayland when logging in and logging out

Description of problem:

I booted into an installation of the Fedora Rawhide/31 KDE Plasma spin image Fedora-KDE-Live-x86_64-Rawhide-20190724.n.0.iso at
https://koji.fedoraproject.org/koji/buildinfo?buildID=1319740

I logged into Plasma 5.16.2 on Wayland from sddm. I ran sudo dnf install x*amd* kwin*way* pla*way* to install
kwayland-integration-5.16.2-1.fc31.x86_64     
kwin-wayland-5.16.2-1.fc31.x86_64             
plasma-workspace-wayland-5.16.2-2.fc31.x86_64 
xorg-x11-drv-amdgpu-19.0.1-1.fc31.x86_64      
xorg-x11-server-Xwayland-1.20.5-5.fc31.x86_64 

I updated using sudo dnf upgrade --refresh. I logged out of Plasma. After I logged back into Plasma on Wayland, coredumpctl showed that plasmashell and drkonqi had aborted during the log out process. The drkonqi command line indicated a plasmashell segmentation fault.
/usr/libexec/drkonqi -platform wayland --appname plasmashell --apppath /usr/bin --signal 11 --pid 10618 --appversion 5.16.2 --programname Plasma --bugaddress submit@bugs.kde.org --startupid 0 --restarted

The drkonqi abort and trace from coredumpctl gdb were the following.
Core was generated by `/usr/libexec/drkonqi -platform wayland --appname plasmashell --apppath /usr/bin'.
Program terminated with signal SIGABRT, Aborted.

#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50        return ret;
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007f90200a28d9 in __GI_abort () at abort.c:79
#2  0x00007f90204d4b05 in qt_message_fatal (context=..., message=<synthetic pointer>...)
    at global/qlogging.cpp:1904
#3  QMessageLogger::fatal (this=this@entry=0x7fff7d7f5920, msg=msg@entry=0x7f9020dc4737 "%s")
    at global/qlogging.cpp:888
#4  0x00007f9020a7e765 in init_platform (argv=<optimized out>, argc=@0x7fff7d7f5bbc: 18, 
    platformThemeName=..., platformPluginPath=..., pluginNamesWithArguments=...)
    at ../../include/QtCore/../../src/corelib/tools/qarraydata.h:208
#5  QGuiApplicationPrivate::createPlatformIntegration (this=0x561f4bdafaf0)
    at kernel/qguiapplication.cpp:1385
#6  0x00007f9020a7eef8 in QGuiApplicationPrivate::createEventDispatcher (this=<optimized out>)
    at kernel/qguiapplication.cpp:1402
#7  0x00007f90206b80a5 in QCoreApplicationPrivate::init (this=this@entry=0x561f4bdafaf0)
    at kernel/qcoreapplication.cpp:858
#8  0x00007f9020a806b3 in QGuiApplicationPrivate::init (this=this@entry=0x561f4bdafaf0)
    at kernel/qguiapplication.cpp:1431
#9  0x00007f902101b12d in QApplicationPrivate::init (this=0x561f4bdafaf0)
    at kernel/qapplication.cpp:566
#10 0x0000561f49e28707 in main (argc=<optimized out>, argv=0x7fff7d7f5db8)
    at /usr/src/debug/plasma-drkonqi-5.16.2-1.fc31.x86_64/src/main.cpp:65

plasmashell aborted with the following information from coredumpctl gdb.
Core was generated by `/usr/bin/plasmashell'.
Program terminated with signal SIGABRT, Aborted.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50        return ret;
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007f9b283b28d9 in __GI_abort () at abort.c:79
#2  0x00007f9b287e4b05 in qt_message_fatal (context=..., message=<synthetic pointer>...)
    at global/qlogging.cpp:1904
#3  QMessageLogger::fatal (this=this@entry=0x7ffced9a4ef0, msg=msg@entry=0x7f9b290d4737 "%s")
    at global/qlogging.cpp:888
#4  0x00007f9b28d8e765 in init_platform (argv=<optimized out>, argc=@0x7ffced9a514c: 1, 
    platformThemeName=..., platformPluginPath=..., pluginNamesWithArguments=...)
    at ../../include/QtCore/../../src/corelib/tools/qarraydata.h:208
#5  QGuiApplicationPrivate::createPlatformIntegration (this=0x55a8cab5fe80)
    at kernel/qguiapplication.cpp:1385
#6  0x00007f9b28d8eef8 in QGuiApplicationPrivate::createEventDispatcher (this=<optimized out>)
    at kernel/qguiapplication.cpp:1402
#7  0x00007f9b289c80a5 in QCoreApplicationPrivate::init (this=this@entry=0x55a8cab5fe80)
    at kernel/qcoreapplication.cpp:858
#8  0x00007f9b28d906b3 in QGuiApplicationPrivate::init (this=this@entry=0x55a8cab5fe80)
    at kernel/qguiapplication.cpp:1431
#9  0x00007f9b294c312d in QApplicationPrivate::init (this=0x55a8cab5fe80)
    at kernel/qapplication.cpp:566
#10 0x000055a8c8b5ad34 in main (argc=<optimized out>, argv=0x7ffced9a5318)
    at /usr/src/debug/plasma-workspace-5.16.2-2.fc31.x86_64/shell/main.cpp:68


plasmashell had restarted and drkonqi started after the Wayland compositor connection had been broken during the log out process, and so they aborted with the errors shown in the following from the journal.

Jul 28 14:28:32 plasmashell[11257]: Failed to create wl_display (No such file or directory)
Jul 28 14:28:32 plasmashell[11257]: qt.qpa.plugin: Could not load the Qt platform plugin "wayland" in "" even though it was found.
Jul 28 14:28:32 audit[11257]: ANOM_ABEND auid=1000 uid=1000 gid=1000 ses=10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=11257 comm="plasmashell" exe="/usr/bin/plasmashell" sig=6 res=1
Jul 28 14:28:32 audit[11259]: ANOM_ABEND auid=1000 uid=1000 gid=1000 ses=10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=11259 comm="drkonqi" exe="/usr/libexec/drkonqi" sig=6 res=1
Jul 28 14:28:32 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-coredump@12-11262-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jul 28 14:28:32 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-coredump@13-11263-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jul 28 14:28:32 plasmashell[11257]: This application failed to start because no Qt platform plugin could be initialized. Reinstalling the application may fix this problem.
                                    
                                    Available platform plugins are: wayland-org.kde.kwin.qpa, eglfs, linuxfb, minimal, minimalegl, offscreen, vnc, wayland-egl, wayland, wayland-xcomposite-egl, wayland-xcomposite-glx, xcb.
Jul 28 14:28:32 drkonqi[11259]: Failed to create wl_display (No such file or directory)
Jul 28 14:28:32 drkonqi[11259]: qt.qpa.plugin: Could not load the Qt platform plugin "wayland" in "" even though it was found.
Jul 28 14:28:32 drkonqi[11259]: This application failed to start because no Qt platform plugin could be initialized. Reinstalling the application may fix this problem.
                                
                                Available platform plugins are: wayland-org.kde.kwin.qpa, eglfs, linuxfb, minimal, minimalegl, offscreen, vnc, wayland-egl, wayland, wayland-xcomposite-egl, wayland-xcomposite-glx, xcb.

I switched to VT4 in which I ran gdb -p <pid of plasmashell>. I continued the plasmashell with c in gdb. I switched back to Plasma and logged out. gdb showed a segmentation fault in wl_proxy_marshal_constructor at wayland-client.c:819 in libwayland-client-0:1.17.0-1.fc30.x86_64. The full trace of the crashing thread showed that the wayland proxy pointer was null in wl_proxy_marshal_constructor and inaccessible memory errors like
s = 0x3f693637c38ae00 <error: Cannot access memory at address 0x3f693637c38ae00>
s = 0xc <error: Cannot access memory at address 0xc>
s = 0x1 <error: Cannot access memory at address 0x1>
s = 0xa <error: Cannot access memory at address 0xa>

(gdb) bt full
#0  wl_proxy_marshal_constructor (proxy=0x0, opcode=opcode@entry=0, 
    interface=0x7f96f16330e0 <org_kde_kwin_blur_interface>) at src/wayland-client.c:819
        args = {{i = -278739360, u = 4016227936, f = -278739360, s = 0x7f96ef62c660 "\001", 
            o = 0x7f96ef62c660, n = 4016227936, a = 0x7f96ef62c660, h = -278739360}, {i = 1880875328, 
            u = 1880875328, f = 1880875328, s = 0x55f3701be140 "\350xc\361\226\177", 
            o = 0x55f3701be140, n = 1880875328, a = 0x55f3701be140, h = 1880875328}, {i = 1566035744, 
            u = 1566035744, f = 1566035744, s = 0x7fff5d57cf20 "p\234b\357\226\177", 
            o = 0x7fff5d57cf20, n = 1566035744, a = 0x7fff5d57cf20, h = 1566035744}, {i = 1881849208, 
            u = 1881849208, f = 1881849208, s = 0x55f3702abd78 "", o = 0x55f3702abd78, 
            n = 1881849208, a = 0x55f3702abd78, h = 1881849208}, {i = 1874443600, u = 1874443600, 
            f = 1874443600, s = 0x55f36fb9bd50 "\260s,p\363U", o = 0x55f36fb9bd50, n = 1874443600, 
            a = 0x55f36fb9bd50, h = 1874443600}, {i = -243106372, u = 4051860924, f = -243106372, 
            s = 0x7f96f1827dbc <update_get_addr+12> "dL\213\004%\b", 
            o = 0x7f96f1827dbc <update_get_addr+12>, n = 4051860924, 
            a = 0x7f96f1827dbc <update_get_addr+12>, h = -243106372}, {i = 1566035552, 
            u = 1566035552, f = 1566035552, s = 0x7fff5d57ce60 "@\341\033p\363U", o = 0x7fff5d57ce60, 
            n = 1566035552, a = 0x7fff5d57ce60, h = 1566035552}, {i = -243085460, u = 4051881836, 
            f = -243085460, s = 0x7f96f182cf6c <__tls_get_addr+60> "H\211\354]\303f.\017\037\204", 
            o = 0x7f96f182cf6c <__tls_get_addr+60>, n = 4051881836, 
            a = 0x7f96f182cf6c <__tls_get_addr+60>, h = -243085460}, {i = 1880875328, u = 1880875328, 
            f = 1880875328, s = 0x55f3701be140 "\350xc\361\226\177", o = 0x55f3701be140, 
            n = 1880875328, a = 0x55f3701be140, h = 1880875328}, {i = 2084089344, u = 2084089344, 
            f = 2084089344, 
            s = 0x3f693637c38ae00 <error: Cannot access memory at address 0x3f693637c38ae00>, 
            o = 0x3f693637c38ae00, n = 2084089344, a = 0x3f693637c38ae00, h = 2084089344}, {i = 12, 
--Type <RET> for more, q to quit, c to continue without paging--c
            u = 12, f = 12, s = 0xc <error: Cannot access memory at address 0xc>, o = 0xc, n = 12, a = 0xc, h = 12}, {i = 1, u = 1, f = 1, s = 0x1 <error: Cannot access memory at address 0x1>, o = 0x1, n = 1, a = 0x1, h = 1}, {i = 1880875328, u = 1880875328, f = 1880875328, s = 0x55f3701be140 "\350xc\361\226\177", o = 0x55f3701be140, n = 1880875328, a = 0x55f3701be140, h = 1880875328}, {i = 1873533840, u = 1873533840, f = 1873533840, s = 0x55f36fabdb90 "\257:", o = 0x55f36fabdb90, n = 1873533840, a = 0x55f36fabdb90, h = 1873533840}, {i = 1566035744, u = 1566035744, f = 1566035744, s = 0x7fff5d57cf20 "p\234b\357\226\177", o = 0x7fff5d57cf20, n = 1566035744, a = 0x7fff5d57cf20, h = 1566035744}, {i = -278728600, u = 4016238696, f = -278728600, s = 0x7f96ef62f068 <QCoreApplication::self> "\300\372W]\377\177", o = 0x7f96ef62f068 <QCoreApplication::self>, n = 4016238696, a = 0x7f96ef62f068 <QCoreApplication::self>, h = -278728600}, {i = 1874443600, u = 1874443600, f = 1874443600, s = 0x55f36fb9bd50 "\260s,p\363U", o = 0x55f36fb9bd50, n = 1874443600, a = 0x55f36fb9bd50, h = 1874443600}, {i = -281568552, u = 4013398744, f = -281568552, s = 0x7f96ef379ad8 <QCoreApplication::notifyInternal2(QObject*, QEvent*)+136> "A\203l$\b\001H\213L$(dH3\f%(", o = 0x7f96ef379ad8 <QCoreApplication::notifyInternal2(QObject*, QEvent*)+136>, n = 4013398744, a = 0x7f96ef379ad8 <QCoreApplication::notifyInternal2(QObject*, QEvent*)+136>, h = -281568552}, {i = 10, u = 10, f = 10, s = 0xa <error: Cannot access memory at address 0xa>, o = 0xa, n = 10, a = 0xa, h = 10}, {i = -1, u = 4294967295, f = -1, s = 0xffffffff <error: Cannot access memory at address 0xffffffff>, o = 0xffffffff, n = 4294967295, a = 0xffffffff, h = -1}}
        ap = {{gp_offset = 0, fp_offset = 0, overflow_arg_area = 0x0, reg_save_area = 0x0}}
#1  0x00007f96f15bf974 in org_kde_kwin_blur_manager_create (surface=<optimized out>, org_kde_kwin_blur_manager=<optimized out>) at /usr/src/debug/kf5-kwayland-5.59.0-2.fc31.x86_64/x86_64-redhat-linux-gnu/src/client/wayland-blur-client-protocol.h:111
        id = <optimized out>
        id = <optimized out>
#2  KWayland::Client::BlurManager::createBlur (this=0x55f3702c73f0, surface=0x55f3701be140, parent=0x55f3701be140) at /usr/src/debug/kf5-kwayland-5.59.0-2.fc31.x86_64/src/client/blur.cpp:91
        s = 0x55f370d0f950
        w = <optimized out>
#3  0x00007f96dcbddb33 in WindowEffects::enableBlurBehind (this=<optimized out>, region=..., enable=true, window=<optimized out>) at /usr/src/debug/kwayland-integration-5.16.2-1.fc31.x86_64/src/windowsystem/windoweffects.cpp:224
        blur = <optimized out>
        surface = 0x55f3701be140
        surface = <optimized out>
        blur = <optimized out>
#4  WindowEffects::enableBlurBehind (this=<optimized out>, window=<optimized out>, enable=<optimized out>, region=...) at /usr/src/debug/kwayland-integration-5.16.2-1.fc31.x86_64/src/windowsystem/windoweffects.cpp:215
        surface = <optimized out>
        blur = <optimized out>
#5  0x00007f96dcbde41d in WindowEffects::enableBlurBehind (this=0x55f36fb9bd30, winId=<optimized out>, enable=<optimized out>, region=...) at /usr/src/debug/kwayland-integration-5.16.2-1.fc31.x86_64/src/windowsystem/windoweffects.cpp:212
        window = 0x55f37013f640
#6  0x00007f96f17b78b0 in PlasmaQuick::DialogPrivate::updateTheme (this=this@entry=0x55f3701e3c40) at /usr/src/debug/kf5-plasma-5.59.0-1.fc31.x86_64/src/plasmaquick/dialog.cpp:244
No locals.
#7  0x00007f96f17b8187 in PlasmaQuick::DialogPrivate::syncToMainItemSize (this=0x55f3701e3c40) at /usr/src/debug/kf5-plasma-5.59.0-1.fc31.x86_64/src/plasmaquick/dialog.cpp:604
        s = {wd = -675552000, ht = 32662}
        min = {wd = 1882450992, ht = 22003}
        max = {wd = -670699728, ht = 32662}
#8  0x00007f96f17b9b9e in PlasmaQuick::DialogPrivate::slotMainItemSizeChanged (this=<optimized out>) at /usr/src/debug/kf5-plasma-5.59.0-1.fc31.x86_64/src/plasmaquick/dialog.cpp:840
No locals.
#9  PlasmaQuick::Dialog::qt_static_metacall (_o=<optimized out>, _c=<optimized out>, _id=<optimized out>, _a=<optimized out>) at /usr/src/debug/kf5-plasma-5.59.0-1.fc31.x86_64/x86_64-redhat-linux-gnu/src/plasmaquick/KF5PlasmaQuick_autogen/include/moc_dialog.cpp:235
        _t = <optimized out>
#10 0x00007f96ef3a3d5b in QMetaObject::activate (sender=0x55f3701d59b0, signalOffset=<optimized out>, local_signal_index=<optimized out>, argv=<optimized out>) at kernel/qobject.cpp:3801
        methodIndex = <optimized out>
        method_relative = <optimized out>
        callFunction = 0x7f96f17b9900 <PlasmaQuick::Dialog::qt_static_metacall(QObject*, QMetaObject::Call, int, void**)>
        receiver = 0x55f37013f640
        receiverInSameThread = <optimized out>
        sw = {receiver = 0x55f37013f640, previousSender = 0x0, currentSender = {sender = 0x55f3701d59b0, signal = 25, ref = 1}, switched = true}
        c = 0x55f3701ca030
        last = 0x55f3701ca030
        locker = {val = 140286238069552}
        connectionLists = {connectionLists = 0x55f3701ca000}
        list = <optimized out>
        currentThreadId = 0x7f96f07cbd00
        signal_index = 25
        empty_argv = {0x0}
#11 0x00007f96f0fe1a9c in QQuickItem::geometryChanged (this=0x55f3701d59b0, newGeometry=..., oldGeometry=...) at items/qquickitem.cpp:3810
        d = <optimized out>
        change = <optimized out>
#12 0x00007f96f0fdb2a8 in QQuickItem::setHeight (this=0x55f3701d59b0, h=<optimized out>) at /usr/include/qt5/QtCore/qrect.h:644
        d = 0x55f370193310
        oldHeight = 720
#13 0x00007f96f0fec64a in QQuickItem::qt_static_metacall (_o=<optimized out>, _c=<optimized out>, _id=<optimized out>, _a=0x7fff5d57d5a0) at .moc/moc_qquickitem.cpp:961
        _t = <optimized out>
        _v = <optimized out>
#14 0x00007f96f0c021ae in QQmlPropertyData::writeProperty (flags=..., value=0x7fff5d57d578, target=<optimized out>, this=<optimized out>) at ../../include/QtQml/5.12.4/QtQml/private/../../../../../src/qml/qml/qqmlpropertycache_p.h:346
        status = -1
        argv = {0x7fff5d57d578, 0x0, 0x7fff5d57d56c, 0x7fff5d57d568}
        status = <optimized out>
        argv = <optimized out>
#15 GenericBinding<6>::doStore<double> (flags=..., pd=<optimized out>, value=<optimized out>, this=0x55f3701c97d0) at qml/qqmlbinding.cpp:332
        o = 0x7fff5d57d578
        o = <optimized out>
#16 GenericBinding<6>::write (this=0x55f3701c97d0, result=..., isUndefined=<optimized out>, flags=...) at qml/qqmlbinding.cpp:305
        pd = 0x7f96d0043b18
        vpd = {<QQmlPropertyRawData> = {_flags = {_otherBits = 0, isConstant = 0, isWritable = 0, isResettable = 0, isAlias = 0, isFinal = 0, isOverridden = 0, isDirect = 0, type = 0, isVMEFunction = 0, hasArguments = 0, isSignal = 0, isVMESignal = 0, isV4Function = 0, isSignalHandler = 0, isOverload = 0, isCloned = 0, isConstructor = 0, notFullyResolved = 0, overrideIndexIsProperty = 0}, _coreIndex = -1, _propType = 0, _notifyIndex = -1, _overrideIndex = -1, _revision = 0 '\000', _typeMinorVersion = 0 '\000', _metaObjectOffset = -1, _arguments = 0x0, _staticMetaCallFunction = 0x0}, <No data fields>}
        vtw = <optimized out>
#17 0x00007f96f0c02ef0 in QQmlNonbindingBinding::doUpdate (this=0x55f3701c97d0, watcher=..., flags=..., scope=...) at ../../include/QtQml/5.12.4/QtQml/private/../../../../../src/qml/jsruntime/qv4scopedvalue_p.h:239
        ep = 0x55f36fb57370
        isUndefined = false
        result = {ptr = 0x7f96d7bbe4c8}
        error = false
#18 0x00007f96f0bff644 in QQmlBinding::update (this=0x55f3701c97d0, flags=...) at qml/qqmlbinding.cpp:185
        watcher = {_c = 0x55f3701d59b0, _w = 0x7fff5d57d6e0, _s = 0x55f3701c97d0}
        engine = 0x55f36fb9ae60
        scope = {engine = 0x55f36fc688f0, mark = 0x7f96d7bbe4c8}
        prof = {<QQmlProfilerHelper> = {<QQmlProfilerDefinitions> = {<No data fields>}, profiler = 0x0}, <No data fields>}
#19 0x00007f96f0bdb86d in QQmlNotifier::emitNotify (endpoint=<optimized out>, a=a@entry=0x0) at qml/qqmlnotifier.cpp:104
        data = @0x7fff5d57d808: {originalSenderPtr = 0, disconnectWatch = 0x7fff5d57d808, endpoint = 0x55f370222c28}
        stack = {a = 256, s = 8, ptr = 0x7fff5d57d790, {array = "\360\263\035p\363U\000\000\220\327W]\377\177\000\000\370#\323o\363U\000\000\360\263\035p\363U\000\000\250\327W]\377\177\000\000P#\323o\363U\000\000\000\000\000\000\000\000\000\000\300\327W]\377\177\000\000\000\"\323o\363U\000\000\360\263\035p\363U\000\000\330\327W]\377\177\000\000\260-\"p\363U\000\000\360\263\035p\363U\000\000\360\327W]\377\177\000\000\b-\"p\363U\000\000\000\000\000\000\000\000\000\000\b\330W]\377\177\000\000(,\"p\363U\000\000\000\000\000\000\000\000\000\000 \330W]\377\177\000\000\200+\"p\363U\000\000\000\000\000\000\000\000\000\000\070\330W]\377\177\000\000\000\245\034p\363U\000\000\377\377\377\377\000\000\000\000"..., q_for_alignment_1 = 94504046408688, q_for_alignment_2 = 4.6691202723519573e-310}}
        i = 5
#20 0x00007f96f0b77d85 in QQmlData::signalEmitted (object=0x55f3701db3f0, index=30, a=0x0) at qml/qqmlengine.cpp:883
        ep = <optimized out>
        ddata = 0x55f3701db410
        m = <optimized out>
        parameterTypes = <optimized out>
        types = <optimized out>
        args = <optimized out>
        ev = <optimized out>
        mpo = <optimized out>
        ii = <optimized out>
        typeName = <optimized out>
#21 0x00007f96ef3a3763 in QMetaObject::activate (sender=0x55f3701db3f0, signalOffset=<optimized out>, local_signal_index=<optimized out>, argv=0x0) at kernel/qobject.h:121
        signal_index = 30
        empty_argv = {0x55f3702f2f20}
#22 0x00007f96f0b79b20 in QQmlData::destroyed (this=0x55f3702f4c60, object=0x55f36fd11e00) at qml/qqmlengine.cpp:1982
        guard = <optimized out>
        binding = <optimized out>
        signalHandler = <optimized out>
#23 0x00007f96ef3ab72d in QObject::~QObject (this=<optimized out>, __in_chrg=<optimized out>) at kernel/qobject.cpp:920
        d = <optimized out>
        sharedRefcount = 0x55f3702c8420
        d = <optimized out>
        sharedRefcount = <optimized out>
        signalSlotMutex = <optimized out>
        locker = <optimized out>
        node = <optimized out>
        connectionListsCount = <optimized out>
        signal = <optimized out>
        connectionList = <optimized out>
        c = <optimized out>
        m = <optimized out>
        needToUnlock = <optimized out>
        sender = <optimized out>
        m = <optimized out>
        needToUnlock = <optimized out>
        senderLists = <optimized out>
        slotObj = <optimized out>
#24 0x00007f96f0fe97e8 in QQuickItem::~QQuickItem (this=0x55f36fd11e00, __in_chrg=<optimized out>) at items/qquickitem.cpp:2443
        d = <optimized out>
        listeners = <optimized out>
        change = <optimized out>
        __for_range = <optimized out>
        __for_begin = <optimized out>
        __for_end = <optimized out>
        anchor = <optimized out>
        change = <optimized out>
        __for_range = <optimized out>
        __for_begin = <optimized out>
        __for_end = <optimized out>
        anchor = <optimized out>
        change = <optimized out>
        __for_range = <optimized out>
        __for_begin = <optimized out>
        __for_end = <optimized out>
        ii = <optimized out>
        t = <optimized out>
        tp = <optimized out>
#25 0x00007f96f17b1f94 in PlasmaQuick::AppletQuickItem::~AppletQuickItem (this=0x55f36fd11e00, __in_chrg=<optimized out>) at /usr/include/c++/9/bits/atomic_base.h:326
No locals.
#26 0x00007f96dc16d5f0 in ContainmentInterface::~ContainmentInterface (this=0x55f36fd11e00, __in_chrg=<optimized out>) at /usr/include/c++/9/bits/atomic_base.h:326
No locals.
#27 ContainmentInterface::~ContainmentInterface (this=0x55f36fd11e00, __in_chrg=<optimized out>) at /usr/src/debug/kf5-plasma-5.59.0-1.fc31.x86_64/src/scriptengines/qml/plasmoid/containmentinterface.h:51
No locals.
#28 0x00007f96ef3aacfc in QObjectPrivate::deleteChildren (this=this@entry=0x55f36fd129d0) at kernel/qobject.cpp:2016
        i = 0
#29 0x00007f96ef3abc4f in QObject::~QObject (this=<optimized out>, __in_chrg=<optimized out>) at kernel/qobject.cpp:1032
        d = <optimized out>
        sharedRefcount = <optimized out>
        d = <optimized out>
        sharedRefcount = <optimized out>
        signalSlotMutex = <optimized out>
        locker = <optimized out>
        node = <optimized out>
        connectionListsCount = <optimized out>
        signal = <optimized out>
        connectionList = <optimized out>
        c = <optimized out>
        m = <optimized out>
        needToUnlock = <optimized out>
        sender = <optimized out>
        m = <optimized out>
        needToUnlock = <optimized out>
        senderLists = <optimized out>
        slotObj = <optimized out>
#30 0x00007f96dc155948 in DeclarativeAppletScript::~DeclarativeAppletScript (this=0x55f36fd0b7d0, __in_chrg=<optimized out>) at /usr/src/debug/kf5-plasma-5.59.0-1.fc31.x86_64/src/scriptengines/qml/plasmoid/declarativeappletscript.cpp:69
No locals.
#31 DeclarativeAppletScript::~DeclarativeAppletScript (this=0x55f36fd0b7d0, __in_chrg=<optimized out>) at /usr/src/debug/kf5-plasma-5.59.0-1.fc31.x86_64/src/scriptengines/qml/plasmoid/declarativeappletscript.cpp:71
No locals.
#32 0x00007f96f130ff9f in Plasma::AppletPrivate::~AppletPrivate (this=0x55f36fba4da0, __in_chrg=<optimized out>) at /usr/src/debug/kf5-plasma-5.59.0-1.fc31.x86_64/src/plasma/private/applet_p.cpp:107
No locals.
#33 0x00007f96f13101ad in Plasma::AppletPrivate::~AppletPrivate (this=0x55f36fba4da0, __in_chrg=<optimized out>) at /usr/src/debug/kf5-plasma-5.59.0-1.fc31.x86_64/src/plasma/private/applet_p.cpp:96
No locals.
#34 0x00007f96f12f961d in Plasma::Applet::~Applet (this=0x55f36fd137f0, __in_chrg=<optimized out>) at /usr/src/debug/kf5-plasma-5.59.0-1.fc31.x86_64/src/plasma/applet.cpp:144
No locals.
#35 0x00007f96f12fec4d in Plasma::Containment::~Containment (this=0x55f36fd137f0, __in_chrg=<optimized out>) at /usr/src/debug/kf5-plasma-5.59.0-1.fc31.x86_64/src/plasma/containment.cpp:84
No locals.
#36 0x000055f36f383209 in ShellCorona::~ShellCorona (this=0x55f36fb5f110, __in_chrg=<optimized out>) at /usr/include/qt5/QtCore/qlist.h:235
No locals.
#37 0x000055f36f3834ed in ShellCorona::~ShellCorona (this=0x55f36fb5f110, __in_chrg=<optimized out>) at /usr/src/debug/plasma-workspace-5.16.2-2.fc31.x86_64/shell/shellcorona.cpp:233
No locals.
#38 0x00007f96ef3aacfc in QObjectPrivate::deleteChildren (this=this@entry=0x55f36fae6dc0) at kernel/qobject.cpp:2016
        i = 0
#39 0x00007f96ef3abc4f in QObject::~QObject (this=<optimized out>, __in_chrg=<optimized out>) at kernel/qobject.cpp:1032
        d = <optimized out>
        sharedRefcount = <optimized out>
        d = <optimized out>
        sharedRefcount = <optimized out>
        signalSlotMutex = <optimized out>
        locker = <optimized out>
        node = <optimized out>
        connectionListsCount = <optimized out>
        signal = <optimized out>
        connectionList = <optimized out>
        c = <optimized out>
        m = <optimized out>
        needToUnlock = <optimized out>
        sender = <optimized out>
        m = <optimized out>
        needToUnlock = <optimized out>
        senderLists = <optimized out>
        slotObj = <optimized out>
#40 0x000055f36f38f0a7 in ShellManager::~ShellManager (this=0x55f36fb0be00, __in_chrg=<optimized out>) at /usr/src/debug/plasma-workspace-5.16.2-2.fc31.x86_64/shell/shellmanager.cpp:57
No locals.
#41 ShellManager::~ShellManager (this=0x55f36fb0be00, __in_chrg=<optimized out>) at /usr/src/debug/plasma-workspace-5.16.2-2.fc31.x86_64/shell/shellmanager.cpp:86
No locals.
#42 0x00007f96ef3a4a04 in QObject::event (this=0x55f36fb0be00, e=<optimized out>) at kernel/qobject.cpp:1251
No locals.
#43 0x00007f96efe74af6 in QApplicationPrivate::notify_helper (this=this@entry=0x55f36fab7e80, receiver=receiver@entry=0x55f36fb0be00, e=e@entry=0x55f372c0e740) at kernel/qapplication.cpp:3737
        consumed = false
        filtered = false
#44 0x00007f96efe7de80 in QApplication::notify (this=0x7fff5d57fac0, receiver=0x55f36fb0be00, e=0x55f372c0e740) at kernel/qapplication.cpp:3483
        w = <optimized out>
        extra = <optimized out>
        isProxyWidget = <optimized out>
        d = <optimized out>
        res = false
        me = <optimized out>
#45 0x00007f96ef379ad8 in QCoreApplication::notifyInternal2 (receiver=0x55f36fb0be00, event=0x55f372c0e740) at kernel/qcoreapplication.cpp:1084
        selfRequired = true
        result = false
        cbdata = {0x55f36fb0be00, 0x55f372c0e740, 0x7fff5d57f8bf}
        d = <optimized out>
        threadData = 0x55f36fabdb90
        scopeLevelCounter = {threadData = 0x55f36fabdb90}
#46 0x00007f96ef37ca7b in QCoreApplicationPrivate::sendPostedEvents (receiver=0x0, event_type=52, data=0x55f36fabdb90) at kernel/qcoreapplication.cpp:1821
        e = 0x55f372c0e740
        pe = <optimized out>
        r = <optimized out>
        unlocker = {m = <synthetic pointer><error reading variable>}
        event_deleter = {d = 0x55f372c0e740}
        locker = {val = 94504038947776}
        startOffset = 3
        i = @0x7fff5d57f93c: 3
        cleanup = {receiver = 0x0, event_type = 52, data = 0x55f36fabdb90, exceptionCaught = true}
#47 0x00007f96ef38071f in QCoreApplication::exec () at kernel/qcoreapplication.h:86
        threadData = 0x55f36fabdb90
        eventLoop = {<QObject> = {_vptr.QObject = 0x7f96ef629a28 <vtable for QEventLoop+16>, static staticMetaObject = {d = {superdata = 0x0, stringdata = 0x7f96ef519300 <qt_meta_stringdata_QObject>, data = 0x7f96ef5191e0 <qt_meta_data_QObject>, static_metacall = 0x7f96ef3abfc0 <QObject::qt_static_metacall(QObject*, QMetaObject::Call, int, void**)>, relatedMetaObjects = 0x0, extradata = 0x0}}, d_ptr = {d = 0x55f36fb3f8e0}, static staticQtMetaObject = {d = {superdata = 0x0, stringdata = 0x7f96ef51c220 <qt_meta_stringdata_Qt>, data = 0x7f96ef519420 <qt_meta_data_Qt>, static_metacall = 0x0, relatedMetaObjects = 0x0, extradata = 0x0}}}, static staticMetaObject = {d = {superdata = 0x7f96ef621fe0 <QObject::staticMetaObject>, stringdata = 0x7f96ef5136a0 <qt_meta_stringdata_QEventLoop>, data = 0x7f96ef513640 <qt_meta_data_QEventLoop>, static_metacall = 0x7f96ef3786f0 <QEventLoop::qt_static_metacall(QObject*, QMetaObject::Call, int, void**)>, relatedMetaObjects = 0x0, extradata = 0x0}}}
        returnCode = 0
#48 0x000055f36f3557e4 in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/plasma-workspace-5.16.2-2.fc31.x86_64/shell/main.cpp:215
        qpaVariable = <optimized out>
        app = {<QGuiApplication> = {<QCoreApplication> = {<QObject> = {_vptr.QObject = 0x7f96f0374f78 <vtable for QApplication+16>, static staticMetaObject = {d = {superdata = 0x0, stringdata = 0x7f96ef519300 <qt_meta_stringdata_QObject>, data = 0x7f96ef5191e0 <qt_meta_data_QObject>, static_metacall = 0x7f96ef3abfc0 <QObject::qt_static_metacall(QObject*, QMetaObject::Call, int, void**)>, relatedMetaObjects = 0x0, extradata = 0x0}}, d_ptr = {d = 0x55f36fab7e80}, static staticQtMetaObject = {d = {superdata = 0x0, stringdata = 0x7f96ef51c220 <qt_meta_stringdata_Qt>, data = 0x7f96ef519420 <qt_meta_data_Qt>, static_metacall = 0x0, relatedMetaObjects = 0x0, extradata = 0x0}}}, static staticMetaObject = {d = {superdata = 0x7f96ef621fe0 <QObject::staticMetaObject>, stringdata = 0x7f96ef513d40 <qt_meta_stringdata_QCoreApplication>, data = 0x7f96ef513c20 <qt_meta_data_QCoreApplication>, static_metacall = 0x7f96ef37b570 <QCoreApplication::qt_static_metacall(QObject*, QMetaObject::Call, int, void**)>, relatedMetaObjects = 0x0, extradata = 0x0}}, static self = 0x7fff5d57fac0}, static staticMetaObject = {d = {superdata = 0x7f96ef629bc0 <QCoreApplication::staticMetaObject>, stringdata = 0x7f96efa7cde0 <qt_meta_stringdata_QGuiApplication>, data = 0x7f96efa7cb60 <qt_meta_data_QGuiApplication>, static_metacall = 0x7f96ef743de0 <QGuiApplication::qt_static_metacall(QObject*, QMetaObject::Call, int, void**)>, relatedMetaObjects = 0x0, extradata = 0x0}}}, static staticMetaObject = {d = {superdata = 0x7f96efb55de0 <QGuiApplication::staticMetaObject>, stringdata = 0x7f96f021ba40 <qt_meta_stringdata_QApplication>, data = 0x7f96f021b8c0 <qt_meta_data_QApplication>, static_metacall = 0x7f96efe7b2b0 <QApplication::qt_static_metacall(QObject*, QMetaObject::Call, int, void**)>, relatedMetaObjects = 0x0, extradata = 0x0}}}
        aboutData = {static staticMetaObject = {d = {superdata = 0x0, stringdata = 0x7f96f059c160, data = 0x7f96f059c060, static_metacall = 0x7f96f053cbe0 <KAboutData::qt_static_metacall(QObject*, QMetaObject::Call, int, void**)>, relatedMetaObjects = 0x0, extradata = 0x0}}, d = 0x55f36faf7890}
        service = <incomplete type>

The wl_proxy_marshal_constructor function dereferenced proxy with proxy->object.interface->methods[opcode].signature without checking if it was null at line 820.

(gdb) list
814                                  const struct wl_interface *interface, ...)
815     {
816             union wl_argument args[WL_CLOSURE_MAX_ARGS];
817             va_list ap;
818
819             va_start(ap, interface);
820             wl_argument_from_va_list(proxy->object.interface->methods[opcode].signature,
821                                      args, WL_CLOSURE_MAX_ARGS, ap);
822             va_end(ap);
(gdb) p proxy
$3 = (struct wl_proxy *) 0x0
(gdb) p proxy->object.interface->methods[opcode].signature
Cannot access memory at address 0x0

I changed /etc/xdg/autostart/org.kde.plasmashell.desktop at line 2 with kate to run plasmashell under valgrind like
Exec=valgrind --log-file=valgrind-plasmashell-logout-crash-2.txt --track-origins=yes plasmashell

I logged out and back into Plasma on Wayland. I changed /etc/xdg/autostart/org.kde.plasmashell.desktop at line 2 back to Exec=plasmashell
I checked the valgrind log file and then logged out. The valgrind log file showed invalid read and write in wl_proxy_unref at wayland-client.c:229-230 which appeared to be use-after-free errors due to the lines like "Address 0xac3e20c is 44 bytes inside a block of size 72 free'd"

==10618== Invalid read of size 4
==10618==    at 0x7370BB4: wl_proxy_unref (wayland-client.c:229)
==10618==    by 0x7370CB3: destroy_queued_closure (wayland-client.c:291)
==10618==    by 0x7370EC7: dispatch_event.isra.0 (wayland-client.c:1436)
==10618==    by 0x737246B: dispatch_queue (wayland-client.c:1576)
==10618==    by 0x737246B: wl_display_dispatch_queue_pending (wayland-client.c:1818)
==10618==    by 0x73728AA: wl_display_roundtrip_queue (wayland-client.c:1241)
==10618==    by 0x4A7BB73: KWayland::Client::ConnectionThread::roundtrip() (connection_thread.cpp:290)
==10618==    by 0x1809AEE9: KWaylandIntegration::init() (kwaylandintegration.cpp:67)
==10618==    by 0x18080FA0: KdePlatformTheme::KdePlatformTheme() (kdeplatformtheme.cpp:84)
==10618==    by 0x1809D65A: KdePlatformThemePlugin::create(QString const&, QStringList const&) (main.cpp:37)
==10618==    by 0x659E418: QPlatformTheme* qLoadPlugin<QPlatformTheme, QPlatformThemePlugin, QStringList&>(QFactoryLoader const*, QString const&, QStringList&) (qfactoryloader_p.h:108)
==10618==    by 0x659DDB5: QPlatformThemeFactory::create(QString const&, QString const&) (qplatformthemefactory.cpp:73)
==10618==    by 0x65A6847: init_platform (qguiapplication.cpp:1247)
==10618==    by 0x65A6847: QGuiApplicationPrivate::createPlatformIntegration() (qguiapplication.cpp:1385)
==10618==  Address 0xac3e20c is 44 bytes inside a block of size 72 free'd
==10618==    at 0x4839A0C: free (vg_replace_malloc.c:540)
==10618==    by 0x4A92C14: destroy (wayland_pointer_p.h:63)
==10618==    by 0x4A92C14: KWayland::Client::Registry::Private::globalSync(void*, wl_callback*, unsigned int) (registry.cpp:539)
==10618==    by 0x857BAA7: ffi_call_unix64 (unix64.S:76)
==10618==    by 0x857B2A3: ffi_call (ffi64.c:525)
==10618==    by 0x7374606: wl_closure_invoke (connection.c:1014)
==10618==    by 0x7370F17: dispatch_event.isra.0 (wayland-client.c:1430)
==10618==    by 0x737246B: dispatch_queue (wayland-client.c:1576)
==10618==    by 0x737246B: wl_display_dispatch_queue_pending (wayland-client.c:1818)
==10618==    by 0x73728AA: wl_display_roundtrip_queue (wayland-client.c:1241)
==10618==    by 0x4A7BB73: KWayland::Client::ConnectionThread::roundtrip() (connection_thread.cpp:290)
==10618==    by 0x1809AEE9: KWaylandIntegration::init() (kwaylandintegration.cpp:67)
==10618==    by 0x18080FA0: KdePlatformTheme::KdePlatformTheme() (kdeplatformtheme.cpp:84)
==10618==    by 0x1809D65A: KdePlatformThemePlugin::create(QString const&, QStringList const&) (main.cpp:37)
==10618==  Block was alloc'd at
==10618==    at 0x483AB1A: calloc (vg_replace_malloc.c:762)
==10618==    by 0x7370D42: UnknownInlinedFun (wayland-private.h:236)
==10618==    by 0x7370D42: proxy_create.isra.0 (wayland-client.c:421)
==10618==    by 0x737142B: create_outgoing_proxy (wayland-client.c:650)
==10618==    by 0x737142B: wl_proxy_marshal_array_constructor_versioned (wayland-client.c:735)
==10618==    by 0x7371782: wl_proxy_marshal_constructor (wayland-client.c:824)
==10618==    by 0x4A930BD: wl_display_sync (wayland-client-protocol.h:958)
==10618==    by 0x4A930BD: KWayland::Client::Registry::create(wl_display*) (registry.cpp:470)
==10618==    by 0x4A9313A: KWayland::Client::Registry::create(KWayland::Client::ConnectionThread*) (registry.cpp:479)
==10618==    by 0x1809AE6D: KWaylandIntegration::init() (kwaylandintegration.cpp:55)
==10618==    by 0x18080FA0: KdePlatformTheme::KdePlatformTheme() (kdeplatformtheme.cpp:84)
==10618==    by 0x1809D65A: KdePlatformThemePlugin::create(QString const&, QStringList const&) (main.cpp:37)
==10618==    by 0x659E418: QPlatformTheme* qLoadPlugin<QPlatformTheme, QPlatformThemePlugin, QStringList&>(QFactoryLoader const*, QString const&, QStringList&) (qfactoryloader_p.h:108)
==10618==    by 0x659DDB5: QPlatformThemeFactory::create(QString const&, QString const&) (qplatformthemefactory.cpp:73)
==10618==    by 0x65A6847: init_platform (qguiapplication.cpp:1247)
==10618==    by 0x65A6847: QGuiApplicationPrivate::createPlatformIntegration() (qguiapplication.cpp:1385)
==10618== 
==10618== Invalid write of size 4
==10618==    at 0x7370BBE: wl_proxy_unref (wayland-client.c:230)
==10618==    by 0x7370CB3: destroy_queued_closure (wayland-client.c:291)
==10618==    by 0x7370EC7: dispatch_event.isra.0 (wayland-client.c:1436)
==10618==    by 0x737246B: dispatch_queue (wayland-client.c:1576)
==10618==    by 0x737246B: wl_display_dispatch_queue_pending (wayland-client.c:1818)
==10618==    by 0x73728AA: wl_display_roundtrip_queue (wayland-client.c:1241)
==10618==    by 0x4A7BB73: KWayland::Client::ConnectionThread::roundtrip() (connection_thread.cpp:290)
==10618==    by 0x1809AEE9: KWaylandIntegration::init() (kwaylandintegration.cpp:67)
==10618==    by 0x18080FA0: KdePlatformTheme::KdePlatformTheme() (kdeplatformtheme.cpp:84)
==10618==    by 0x1809D65A: KdePlatformThemePlugin::create(QString const&, QStringList const&) (main.cpp:37)
==10618==    by 0x659E418: QPlatformTheme* qLoadPlugin<QPlatformTheme, QPlatformThemePlugin, QStringList&>(QFactoryLoader const*, QString const&, QStringList&) (qfactoryloader_p.h:108)
==10618==    by 0x659DDB5: QPlatformThemeFactory::create(QString const&, QString const&) (qplatformthemefactory.cpp:73)
==10618==    by 0x65A6847: init_platform (qguiapplication.cpp:1247)
==10618==    by 0x65A6847: QGuiApplicationPrivate::createPlatformIntegration() (qguiapplication.cpp:1385)
==10618==  Address 0xac3e20c is 44 bytes inside a block of size 72 free'd
==10618==    at 0x4839A0C: free (vg_replace_malloc.c:540)
==10618==    by 0x4A92C14: destroy (wayland_pointer_p.h:63)
==10618==    by 0x4A92C14: KWayland::Client::Registry::Private::globalSync(void*, wl_callback*, unsigned int) (registry.cpp:539)
==10618==    by 0x857BAA7: ffi_call_unix64 (unix64.S:76)
==10618==    by 0x857B2A3: ffi_call (ffi64.c:525)
==10618==    by 0x7374606: wl_closure_invoke (connection.c:1014)
==10618==    by 0x7370F17: dispatch_event.isra.0 (wayland-client.c:1430)
==10618==    by 0x737246B: dispatch_queue (wayland-client.c:1576)
==10618==    by 0x737246B: wl_display_dispatch_queue_pending (wayland-client.c:1818)
==10618==    by 0x73728AA: wl_display_roundtrip_queue (wayland-client.c:1241)
==10618==    by 0x4A7BB73: KWayland::Client::ConnectionThread::roundtrip() (connection_thread.cpp:290)
==10618==    by 0x1809AEE9: KWaylandIntegration::init() (kwaylandintegration.cpp:67)
==10618==    by 0x18080FA0: KdePlatformTheme::KdePlatformTheme() (kdeplatformtheme.cpp:84)
==10618==    by 0x1809D65A: KdePlatformThemePlugin::create(QString const&, QStringList const&) (main.cpp:37)
==10618==  Block was alloc'd at
==10618==    at 0x483AB1A: calloc (vg_replace_malloc.c:762)
==10618==    by 0x7370D42: UnknownInlinedFun (wayland-private.h:236)
==10618==    by 0x7370D42: proxy_create.isra.0 (wayland-client.c:421)
==10618==    by 0x737142B: create_outgoing_proxy (wayland-client.c:650)
==10618==    by 0x737142B: wl_proxy_marshal_array_constructor_versioned (wayland-client.c:735)
==10618==    by 0x7371782: wl_proxy_marshal_constructor (wayland-client.c:824)
==10618==    by 0x4A930BD: wl_display_sync (wayland-client-protocol.h:958)
==10618==    by 0x4A930BD: KWayland::Client::Registry::create(wl_display*) (registry.cpp:470)
==10618==    by 0x4A9313A: KWayland::Client::Registry::create(KWayland::Client::ConnectionThread*) (registry.cpp:479)
==10618==    by 0x1809AE6D: KWaylandIntegration::init() (kwaylandintegration.cpp:55)
==10618==    by 0x18080FA0: KdePlatformTheme::KdePlatformTheme() (kdeplatformtheme.cpp:84)
==10618==    by 0x1809D65A: KdePlatformThemePlugin::create(QString const&, QStringList const&) (main.cpp:37)
==10618==    by 0x659E418: QPlatformTheme* qLoadPlugin<QPlatformTheme, QPlatformThemePlugin, QStringList&>(QFactoryLoader const*, QString const&, QStringList&) (qfactoryloader_p.h:108)
==10618==    by 0x659DDB5: QPlatformThemeFactory::create(QString const&, QString const&) (qplatformthemefactory.cpp:73)
==10618==    by 0x65A6847: init_platform (qguiapplication.cpp:1247)
==10618==    by 0x65A6847: QGuiApplicationPrivate::createPlatformIntegration() (qguiapplication.cpp:1385)
==10618==

Ten conditional jumps or moves based on uninitialized variables created by were shown starting with

==10618== Thread 3 QQmlThread:
==10618== Conditional jump or move depends on uninitialised value(s)
==10618==    at 0x1A2A20DC: ???
==10618==    by 0x1A1DCD57: ???
==10618==  Uninitialised value was created by a heap allocation
==10618==    at 0x483AD19: realloc (vg_replace_malloc.c:836)
==10618==    by 0x6A963FF: reallocateData (qarraydata.cpp:83)
==10618==    by 0x6A963FF: QArrayData::reallocateUnaligned(QArrayData*, unsigned long, unsigned long, QFlags<QArrayData::AllocationOption>) (qarraydata.cpp:146)
==10618==    by 0x6B05EA9: UnknownInlinedFun (qarraydata.h:232)
==10618==    by 0x6B05EA9: QString::reallocData(unsigned int, bool) (qstring.cpp:2388)
==10618==    by 0x6B05F1B: QString::resize(int) (qstring.cpp:2296)
==10618==    by 0x6B0ED48: append (qstring.cpp:10971)
==10618==    by 0x6B0ED48: QString::append(QStringRef const&) (qstring.cpp:10965)
==10618==    by 0x6BA42DE: operator+= (qstring.h:484)
==10618==    by 0x6BA42DE: appendToUser (qurl.cpp:846)
==10618==    by 0x6BA42DE: appendPath (qurl.cpp:949)
==10618==    by 0x6BA42DE: QUrl::toString(QUrlTwoFlags<QUrl::UrlFormattingOption, QUrl::ComponentFormattingOption>) const (qurl.cpp:3362)
==10618==    by 0x48A5B07: PlasmaQuick::PackageUrlInterceptor::intercept(QUrl const&, QQmlAbstractUrlInterceptor::DataType) (packageurlinterceptor.cpp:102)
==10618==    by 0x55262F1: QQmlDataBlob::QQmlDataBlob(QUrl const&, QQmlDataBlob::Type, QQmlTypeLoader*) (qqmltypeloader.cpp:263)
==10618==    by 0x5526574: QQmlTypeLoader::Blob::Blob(QUrl const&, QQmlDataBlob::Type, QQmlTypeLoader*) (qqmltypeloader.cpp:1342)
==10618==    by 0x5527E01: QQmlScriptBlob::QQmlScriptBlob(QUrl const&, QQmlTypeLoader*) (qqmltypeloader.cpp:2998)
==10618==    by 0x552D80A: QQmlTypeLoader::getScript(QUrl const&) (qqmltypeloader.cpp:1748)
==10618==    by 0x552E21A: QQmlTypeData::resolveTypes() (qqmltypeloader.cpp:2676)
==1

An invalid read at 0x0 in wl_proxy_marshal_constructor at wayland-client.c:820 was shown with a trace like that shown by gdb for the segmentation fault. This invalid read might be a null pointer dereference of proxy.

==10618== Invalid read of size 8
==10618==    at 0x737171A: wl_proxy_marshal_constructor (wayland-client.c:820)
==10618==    by 0x4A7A973: org_kde_kwin_blur_manager_create (wayland-blur-client-protocol.h:111)
==10618==    by 0x4A7A973: KWayland::Client::BlurManager::createBlur(KWayland::Client::Surface*, QObject*) (blur.cpp:91)
==10618==    by 0x19E76B32: enableBlurBehind (windoweffects.cpp:224)
==10618==    by 0x19E76B32: WindowEffects::enableBlurBehind(QWindow*, bool, QRegion const&) (windoweffects.cpp:215)
==10618==    by 0x19E7741C: WindowEffects::enableBlurBehind(unsigned long long, bool, QRegion const&) (windoweffects.cpp:212)
==10618==    by 0x488D8AF: PlasmaQuick::DialogPrivate::updateTheme() (dialog.cpp:244)
==10618==    by 0x488E186: PlasmaQuick::DialogPrivate::syncToMainItemSize() (dialog.cpp:604)
==10618==    by 0x488FB9D: slotMainItemSizeChanged (dialog.cpp:840)
==10618==    by 0x488FB9D: PlasmaQuick::Dialog::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) (moc_dialog.cpp:235)
==10618==    by 0x6C5CD5A: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3801)
==10618==    by 0x4FA0A9B: QQuickItem::geometryChanged(QRectF const&, QRectF const&) (qquickitem.cpp:3810)
==10618==    by 0x4F9A2A7: QQuickItem::setHeight(double) (qquickitem.cpp:6826)
==10618==    by 0x4FAB649: QQuickItem::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) (moc_qquickitem.cpp:961)
==10618==    by 0x55771AD: writeProperty (qqmlpropertycache_p.h:346)
==10618==    by 0x55771AD: doStore<double> (qqmlbinding.cpp:332)
==10618==    by 0x55771AD: GenericBinding<6>::write(QV4::Value const&, bool, QFlags<QQmlPropertyData::WriteFlag>) (qqmlbinding.cpp:305)
==10618==  Address 0x0 is not stack'd, malloc'd or (recently) free'd



Version-Release number of selected component (if applicable):
libwayland-client-0:1.17.0-1.fc30.x86_64
kernel-0:5.3.0-0.rc1.git3.1.fc31.x86_64
kf5-kwayland-0:5.59.0-2.fc31.x86_64
mesa-dri-drivers-0:19.1.3-1.fc31.x86_64
plasma-workspace-0:5.16.2-2.fc31.x86_64
qt5-qtbase-0:5.12.4-5.fc31.x86_64
qt5-qtwayland-0:5.12.4-5.fc31.x86_64


How reproducible:
coredumpctl showed that plasmashell and drkonqi aborts due to the plasmashell segmentation fault have happened nine times in the last day, which is most of the times I've logged out of Plasma on Wayland.


Steps to Reproduce:
1. boot into an installation of the Fedora Rawhide/31 KDE Plasma spin image Fedora-KDE-Live-x86_64-Rawhide-20190724.n.0.iso at
https://koji.fedoraproject.org/koji/buildinfo?buildID=1319740
2. log into Plasma 5.16.2 on Wayland from sddm
3. sudo dnf install x*amd* kwin*way* pla*way* (in konsole)
4. sudo dnf upgrade --refresh 
5. log out of Plasma. 
6. log back into Plasma on Wayland
7. coredumpctl

Actual results:
plasmashell 5.16.2 segmentation faults in wl_proxy_marshal_constructor at wayland-client.c:819 in libwayland-client when logging out of Plasma on Wayland. plasmashell restarted and aborted and drkonqi aborted after the Wayland compositor connection had been broken.

Expected results:
No plasmashell crashes

Additional info:
The plasmashell segmentation faults reported at https://bugs.kde.org/show_bug.cgi?id=408847 and https://bugzilla.redhat.com/show_bug.cgi?id=1723017 were also in wl_proxy_marshal_constructor at wayland-client.c:819-820 and proxy was null. Those crashes occurred when logging in or within a few minutes after, or clicking many times on the apps launcher. The other parts of the trace are different as they involve functions like org_kde_kwin_blur_manager_create and KWayland::Client::BlurManager::createBlur from kf5-kwayland-5.59.0-2.fc31.x86_64. The underlying problem might involve org_kde_kwin_blur_manager_create in kwayland calling wl_proxy_marshal_constructor with proxy being null. If wl_proxy_marshal_constructor were to check if proxy was null before it was dereferenced in line 820, the crash might also be avoided.

I reported this problem at https://bugs.kde.org/show_bug.cgi?id=410332
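
A triage helper for memcheck output like the log quoted in this report, added here as an example and not part of the original report or of any project's code: it classifies each "Invalid read/write" record as a use-after-free or a null dereference and pulls out the access, free and allocation stacks. The names `parse_memcheck` and `culprit` are hypothetical, the embedded log is abridged from the report, and treating addresses in the first page as null dereferences is an assumed heuristic.

```python
import re
# Abridged from the valgrind output quoted in this report (frames trimmed).
SAMPLE_LOG = """\
==10618== Invalid read of size 4
==10618==    at 0x7370BB4: wl_proxy_unref (wayland-client.c:229)
==10618==    by 0x7370CB3: destroy_queued_closure (wayland-client.c:291)
==10618==  Address 0xac3e20c is 44 bytes inside a block of size 72 free'd
==10618==    at 0x4839A0C: free (vg_replace_malloc.c:540)
==10618==    by 0x4A92C14: destroy (wayland_pointer_p.h:63)
==10618==    by 0x4A92C14: KWayland::Client::Registry::Private::globalSync(void*, wl_callback*, unsigned int) (registry.cpp:539)
==10618==  Block was alloc'd at
==10618==    at 0x483AB1A: calloc (vg_replace_malloc.c:762)
==10618==    by 0x7370D42: proxy_create.isra.0 (wayland-client.c:421)
==10618==
==10618== Invalid read of size 8
==10618==    at 0x737171A: wl_proxy_marshal_constructor (wayland-client.c:820)
==10618==    by 0x4A7A973: org_kde_kwin_blur_manager_create (wayland-blur-client-protocol.h:111)
==10618==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
"""

PREFIX = re.compile(r"^==\d+== ?")
HEADER = re.compile(r"^Invalid (read|write) of size (\d+)$")
FRAME = re.compile(r"^\s+(?:at|by) 0x[0-9A-Fa-f]+: (.+?) \(([^()]+)\)$")
ADDR = re.compile(r"^\s*Address (0x[0-9A-Fa-f]+) is (.+)$")

def parse_memcheck(log):
    """Return one dict per 'Invalid read/write' error found in a memcheck log."""
    errors, cur, section = [], None, "access"
    for raw in log.splitlines():
        line = PREFIX.sub("", raw.rstrip())
        if m := HEADER.match(line):
            cur = {"access": m.group(1), "size": int(m.group(2)), "kind": "unclassified",
                   "stacks": {"access": [], "free": [], "alloc": []}}
            errors.append(cur)
            section = "access"
        elif cur is None:
            continue
        elif not line.strip():
            cur = None  # a blank line closes the current error record
        elif m := ADDR.match(line):
            addr, desc = int(m.group(1), 16), m.group(2)
            if desc.startswith("not stack'd"):  # test first: this text also ends in "free'd"
                cur["kind"] = "null-dereference" if addr < 0x1000 else "wild-pointer"
            elif desc.endswith("free'd"):
                cur["kind"], section = "use-after-free", "free"
        elif line.strip() == "Block was alloc'd at":
            section = "alloc"
        elif m := FRAME.match(line):
            cur["stacks"][section].append((m.group(1), m.group(2)))
    return errors

def culprit(frames):
    """First frame outside valgrind's malloc replacement: the code that freed or allocated."""
    return next((f for f in frames if not f[1].startswith("vg_replace_malloc.c")), None)
```

Frames shown as `???` and records other than "Invalid read/write" (such as the uninitialised-value reports) are skipped by design.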

Comment 1 Matt Fagnani 2019-07-29 03:07:14 UTC
Created attachment 1594137 [details]
gdb full trace of all threads and other output from the plasmashell segmentation fault core file on logging out of Plasma on Wayland

Comment 2 Ben Cotton 2019-08-13 17:12:59 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle.
Changing version to '31'.

Comment 3 Ben Cotton 2019-08-13 18:53:36 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle.
Changing version to 31.

