Description of problem: I was using Firefox 122.0a1 (2023-11-30) on Wayland in Plasma 5.27.9 in a Fedora 39 KDE Plasma installation. I logged into my Instagram account in Firefox. I played various Instagram stories. As one Instagram story video ended and another began, plasmashell crashed. drkonqi appeared for reporting the plasmashell crash. I pressed Developer Information in drkonqi. drkonqi crashed while it was creating a trace. Another drkonqi window appeared for the drkonqi trace. I pressed Developer Information again in drkonqi. drkonqi crashed again. An abrt notification was shown. A gdb crash was shown in abrt and coredumpctl. gdb aborted in iter_match_first_hashed in frame 5 at ../../gdb/dictionary.c:586. There were errors in reading the name variable at that line like m_demangled_name = <error: Cannot access memory at address 0xf435c9f3d929f800> (gdb) frame 5 #5 0x000055dc80ae97e7 in iter_match_first_hashed (dict=0x55dca15bb2a0, name=..., iterator=0x7ffe3d29d858) at ../../gdb/dictionary.c:586 586 = lang->get_symbol_name_matcher (name); (gdb) p lang $1 = <optimized out> (gdb) p name $2 = (const lookup_name_info &) @0x7ffe3d29d880: {m_match_type = symbol_name_match_type::FULL, m_completion_mode = false, m_ignore_parameters = false, m_name = "QObject", m_ada = {{ m_dummy = {<No data fields>}, m_item = {m_encoded_name = "", m_encoded_p = true, m_wild_match_p = true, m_verbatim_p = true, m_standard_p = true}, dont_use = 16 '\020'}, m_instantiated = false}, m_cplus = {{m_dummy = {<No data fields>}, m_item = { m_demangled_name = "QObject"}, dont_use = -40 '\330'}, m_instantiated = true}, m_d = {{ m_dummy = {<No data fields>}, m_item = { m_demangled_name = <error reading variable: Cannot create a lazy string with address 0x0, and a non-zero length.>}, dont_use = 0 '\000'}, m_instantiated = false}, m_go = {{ m_dummy = {<No data fields>}, m_item = { m_demangled_name = <error: Cannot access memory at address 0xf435c9f3d929f800>}, dont_use = 0 '\000'}, m_instantiated = false}, m_demangled_hashes = {_M_elems = {0, 0, 1290290123, 32559, 1290290123, 0, 3643406336, 4097165811, 2851925232, 1290290123, 2170300608, 21980, 543009376, 32559, 4275458032}}, m_demangled_hashes_p = {_M_elems = {false, false, false, false, true, false, false, false, false, false, false, false, false, false, false}}} I'm not sure if this gdb crash was for the plasmashell trace or the drkonqi one. /usr/libexec/kf5/kioslave5 also crashed around the time of this gdb crash. Version-Release number of selected component: gdb-headless-13.2-11.fc39 Additional info: reporter: libreport-2.17.11 cmdline: /usr/bin/gdb -nw -n -batch -x /tmp/drkonqi.QVBqyR -x /tmp/drkonqi.JalXhn -p 22478 /usr/bin/plasmashell rootdir: / executable: /usr/libexec/gdb cgroup: 0::/user.slice/user-1000.slice/user/session.slice/plasma-plasmashell.service type: CCpp kernel: 6.6.3-200.fc39.x86_64 runlevel: N 5 journald_cursor: s=8b9f89e1c4b04a659622f0c97015e2a9;i=11deeab;b=087557a2ecb94a6da7263f38f9bbee64;m=3668f1c97;t=60b6efcf70fb7;x=30376a4b7e398f68 package: gdb-headless-13.2-11.fc39 backtrace_rating: 4 uid: 1000 crash_function: handle_fatal_signal reason: gdb killed by SIGABRT Truncated backtrace: Thread no. 1 (30 frames) #3 handle_fatal_signal at ../../gdb/event-top.c:985 #5 iter_match_first_hashed at ../../gdb/dictionary.c:586 #6 dict_iter_match_first at ../../gdb/dictionary.c:490 #7 mdict_iter_match_first at ../../gdb/dictionary.c:1229 #8 block_iter_match_step at ../../gdb/block.c:615 #10 block_iter_match_first at ../../gdb/block.c:645 #11 block_find_symbol at ../../gdb/block.c:842 #12 basic_lookup_transparent_type_1 at ../../gdb/symtab.c:2720 #13 basic_lookup_transparent_type at ../../gdb/symtab.c:2771 #15 check_typedef at ../../gdb/gdbtypes.c:3096 #16 type_to_type_object at ../../gdb/python/py-type.c:1389 #17 _PyEval_EvalFrameDefault at Python/bytecodes.c:3155 #18 PyEval_EvalCode at /usr/src/debug/python3.12-3.12.0-1.fc39.x86_64/Python/ceval.c:570 #19 run_eval_code_obj at /usr/src/debug/python3.12-3.12.0-1.fc39.x86_64/Python/pythonrun.c:1693 #20 run_mod at /usr/src/debug/python3.12-3.12.0-1.fc39.x86_64/Python/pythonrun.c:1714 #21 PyRun_StringFlags at /usr/src/debug/python3.12-3.12.0-1.fc39.x86_64/Python/pythonrun.c:1589 #22 PyRun_SimpleStringFlags at /usr/src/debug/python3.12-3.12.0-1.fc39.x86_64/Python/pythonrun.c:480 #23 python_command at ../../gdb/python/python.c:451 #24 cmd_func at ../../gdb/cli/cli-decode.c:2543 #25 execute_command at ../../gdb/top.c:690 #26 command_handler at ../../gdb/event-top.c:619 #27 read_command_file at ../../gdb/top.c:457 #28 script_from_file at ../../gdb/cli/cli-script.c:1641 #29 source_script_from_stream at ../../gdb/cli/cli-cmds.c:728 #30 source_script_with_search at ../../gdb/cli/cli-cmds.c:773 #31 catch_command_errors at ../../gdb/main.c:513 #32 execute_cmdargs at ../../gdb/main.c:605 #33 captured_main_1 at ../../gdb/main.c:1299 #34 captured_main at ../../gdb/main.c:1320 #35 gdb_main at ../../gdb/main.c:1345
Created attachment 2002285 [details] File: core_backtrace
Created attachment 2002286 [details] File: backtrace
Created attachment 2002287 [details] File: maps
Created attachment 2002288 [details] File: open_fds
Created attachment 2002289 [details] File: os_info
Created attachment 2002290 [details] File: cpuinfo
Created attachment 2002291 [details] File: proc_pid_status
Created attachment 2002292 [details] File: dso_list
Created attachment 2002293 [details] File: limits
Created attachment 2002294 [details] File: var_log_messages
I think the gdb crash I reported here was while the plasmashell trace was being created in drkonqi because the command line had /usr/bin/plasmashell. Since the plasmashell crashes when watching videos in Firefox were infrequent as I reported at https://bugzilla.redhat.com/show_bug.cgi?id=2216067 and https://bugzilla.redhat.com/show_bug.cgi?id=2250389 I found a way to reproduce the plasmashell crash and gdb crash in drkonqi such that plasmashell will crash every time at least. 1. Log in to Plasma 5.27.9 on Wayland 2. Start Konsole 3. gdb -p $(pidof plasmashell) 4. In gdb, run c 5. Open a new tab in Konsole 6. In the new Konsole tab, pkill -6 plasmashell 7. In gdb, you can generate a core dump if you want with gcore plasmashell.core 8. in gdb, run q 9. Select Report Bug in the plasmashell crash notification before it disappears 10. Select Developer Information in drkonqi gdb aborted with a similar trace with three extra frames 5-7 above iter_match_first_hashed in frame 8. The plasmashell crash from pkill -6 plasmashell will be different from the one I saw before of course. Core was generated by `/usr/bin/gdb -nw -n -batch -x /tmp/drkonqi.IZfCGG -x /tmp/drkonqi.glsMdj -p 789'. Program terminated with signal SIGABRT, Aborted. #0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44 44 return INTERNAL_SYSCALL_ERROR_P (ret) ? INTERNAL_SYSCALL_ERRNO (ret) : 0; [Current thread is 1 (Thread 0x7faac4d28080 (LWP 9988))] (gdb) bt #0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44 #1 0x00007faac3eac8a3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78 #2 0x00007faac3e5a8ee in __GI_raise (sig=6) at ../sysdeps/posix/raise.c:26 #3 0x0000559d5bad0aca in handle_fatal_signal (sig=6) at ../../gdb/event-top.c:985 #4 <signal handler called> #5 0x0000559d5be3c93a in skip_ws ( string1=@0x7ffed94630f8: 0x559d65f1c4f0 "ConversionCheck::supported", string2=@0x7ffed94630f0: 0x7ffed94632e8 "QThread", end_str2=end_str2@entry=0x7ffed94632ef "") at ../../gdb/utils.c:2049 #6 0x0000559d5be3ed80 in strncmp_iw_with_mode (string1=<optimized out>, string1@entry=0x559d65f1c4f0 "ConversionCheck::supported", string2=<optimized out>, string2_len=<optimized out>, mode=strncmp_iw_mode::MATCH_PARAMS, language=language@entry=language_cplus, match_for_lcd=match_for_lcd@entry=0x0, ignore_template_params=false) at ../../gdb/utils.c:2148 #7 0x0000559d5ba1f1e7 in cp_fq_symbol_name_matches ( symbol_search_name=0x559d65f1c4f0 "ConversionCheck::supported", lookup_name=..., comp_match_res=0x0) at /usr/include/c++/13/bits/basic_string.h:222 #8 0x0000559d5ba3982c in iter_match_first_hashed (dict=<optimized out>, name=..., iterator=0x7ffed9463268) at ../../gdb/dictionary.c:600 #9 0x0000559d5ba39edf in dict_iter_match_first (iterator=0x7ffed9463268, name=..., --Type <RET> for more, q to quit, c to continue without paging--c dict=<optimized out>) at ../../gdb/dictionary.c:490 #10 mdict_iter_match_first (mdict=0x559d65fbbd90, name=..., miterator=miterator@entry=0x7ffed9463260) at ../../gdb/dictionary.c:1229 #11 0x0000559d5b963c31 in block_iter_match_step (first=<optimized out>, name=..., iterator=<optimized out>) at ../../gdb/block.c:615 #12 block_iter_match_step (iterator=0x7ffed9463250, name=..., first=<optimized out>) at ../../gdb/block.c:594 #13 0x0000559d5b964e28 in block_iter_match_first (iterator=0x7ffed9463250, name=..., block=0x559d6641d720) at ../../gdb/block.c:645 #14 block_find_symbol (block=0x559d6641d720, name=name@entry=0x559d7dd70a10 "QThread", domain=domain@entry=STRUCT_DOMAIN, matcher=matcher@entry=0x559d5b965050 <block_find_non_opaque_type(symbol*, void*)>, data=data@entry=0x0) at ../../gdb/block.c:842 #15 0x0000559d5bd863d8 in basic_lookup_transparent_type_1 (objfile=<optimized out>, block_index=block_index@entry=GLOBAL_BLOCK, name=name@entry=0x559d7dd70a10 "QThread") at ../../gdb/symtab.c:2720 #16 0x0000559d5bd8a4a8 in basic_lookup_transparent_type (name=0x559d7dd70a10 "QThread") at ../../gdb/symtab.c:2750 #17 0x0000559d5bb0ad9d in check_typedef (type=<optimized out>) at ../../gdb/gdbtypes.c:3096 #18 0x0000559d5bc8581d in type_to_type_object (type=0x559d8050e3c0) at ../../gdb/python/py-type.c:1389 #19 0x00007faac4510bef in _PyEval_EvalFrameDefault.cold () from /lib64/libpython3.12.so.1.0 #20 0x00007faac4687876 in PyEval_EvalCode () from /lib64/libpython3.12.so.1.0 #21 0x00007faac46aad9a in run_eval_code_obj () from /lib64/libpython3.12.so.1.0 #22 0x00007faac46a5ebe in run_mod () from /lib64/libpython3.12.so.1.0 #23 0x00007faac46980f6 in PyRun_StringFlags () from /lib64/libpython3.12.so.1.0 #24 0x00007faac4697bb4 in PyRun_SimpleStringFlags () from /lib64/libpython3.12.so.1.0 #25 0x0000559d5bc9406a in python_command (arg=<optimized out>, from_tty=<optimized out>) at ../../gdb/python/python.c:451 #26 0x0000559d5b9cf185 in cmd_func (cmd=<optimized out>, args=<optimized out>, from_tty=<optimized out>) at ../../gdb/cli/cli-decode.c:2543 #27 0x0000559d5bdd1fd5 in execute_command (p=<optimized out>, p@entry=0x559d7c4ffe80 "py print_preamble()", from_tty=<optimized out>) at ../../gdb/top.c:690 #28 0x0000559d5bad131f in command_handler (command=0x559d7c4ffe80 "py print_preamble()") at ../../gdb/event-top.c:619 #29 0x0000559d5bdd0b9d in read_command_file (stream=stream@entry=0x559d7c6eef60) at ../../gdb/top.c:457 #30 0x0000559d5b9dfe79 in script_from_file (stream=stream@entry=0x559d7c6eef60, file=file@entry=0x7ffed9464739 "/tmp/drkonqi.IZfCGG") at ../../gdb/cli/cli-script.c:1641 #31 0x0000559d5b9cd2cb in source_script_from_stream ( file_to_open=0x559d7bea6120 "/tmp/drkonqi.IZfCGG", file=0x7ffed9464739 "/tmp/drkonqi.IZfCGG", stream=0x559d7c6eef60) at ../../gdb/cli/cli-cmds.c:728 #32 source_script_with_search (file=0x7ffed9464739 "/tmp/drkonqi.IZfCGG", file@entry=<error reading variable: value has been optimized out>, from_tty=<error reading variable: value has been optimized out>, search_path=<error reading variable: value has been optimized out>) at ../../gdb/cli/cli-cmds.c:773 #33 0x0000559d5bbb705a in catch_command_errors (command=<optimized out>, arg=<optimized out>, from_tty=<optimized out>, do_bp_actions=do_bp_actions@entry=false) at ../../gdb/main.c:513 #34 0x0000559d5bbb7108 in execute_cmdargs (cmdarg_vec=cmdarg_vec@entry=0x7ffed9463dc0, file_type=file_type@entry=CMDARG_FILE, cmd_type=cmd_type@entry=CMDARG_COMMAND, ret=ret@entry=0x7ffed9463db4) at ../../gdb/main.c:605 #35 0x0000559d5bbb9449 in captured_main_1 (context=context@entry=0x7ffed9463fd0) at ../../gdb/main.c:1299 #36 0x0000559d5bbba000 in captured_main (data=0x7ffed9463fd0) at ../../gdb/main.c:1320 #37 gdb_main (args=args@entry=0x7ffed9464000) at ../../gdb/main.c:1345 #38 0x0000559d5b8a5abf in main (argc=<optimized out>, argv=<optimized out>) at ../../gdb/gdb.c:40 The name variable had m_demangled_name = <error reading variable: Cannot create a lazy string with address 0x0, and a non-zero length.>} like in the first crash. (gdb) frame 8 #8 0x0000559d5ba3982c in iter_match_first_hashed (dict=<optimized out>, name=..., iterator=0x7ffed9463268) at ../../gdb/dictionary.c:600 600 if (matches_name (sym->search_name (), name, NULL)) (gdb) p name $1 = (const lookup_name_info &) @0x7ffed9463290: {m_match_type = symbol_name_match_type::FULL, m_completion_mode = false, m_ignore_parameters = false, m_name = "QThread", m_ada = {{ m_dummy = {<No data fields>}, m_item = {m_encoded_name = "", m_encoded_p = true, m_wild_match_p = true, m_verbatim_p = true, m_standard_p = true}, dont_use = -16 '\360'}, m_instantiated = false}, m_cplus = {{m_dummy = {<No data fields>}, m_item = { m_demangled_name = "QThread"}, dont_use = -24 '\350'}, m_instantiated = true}, m_d = {{ m_dummy = {<No data fields>}, m_item = { m_demangled_name = <error reading variable: Cannot create a lazy string with address 0x0, and a non-zero length.>}, dont_use = 0 '\000'}, m_instantiated = false}, m_go = {{ m_dummy = {<No data fields>}, m_item = {m_demangled_name = ""}, dont_use = 0 '\000'}, m_instantiated = false}, m_demangled_hashes = {_M_elems = {0, 0, 3869261042, 32682, 3869261042, 0, 3489280768, 3701942453, 2414602096, 21917, 1548822720, 21917, 3298667104, 32682, 2637544560}}, m_demangled_hashes_p = {_M_elems = {false, false, false, false, true, false, false, false, false, false, false, false, false, false, false}}} (gdb) p sym $2 = (symbol *) 0x559d65fbbca0 The /tmp/drkonqi* files in the command line when this crash happened had the following lines which drkonqi presumably ran in gdb when creating traces. thread thread apply all bt set width 200 source /usr/share/drkonqi/gdb/preamble.py py print_preamble() I'll attach the full trace of all threads for the second gdb crash.
Created attachment 2002335 [details] Full trace of all threads of second gdb crash in drkonqi
I reported this problem at https://sourceware.org/bugzilla/show_bug.cgi?id=31122
There are systemd service watchdog timeouts which default to 45 s like DefaultTimeoutStopSec=45s described in man systemd-user.conf. /usr/lib/systemd/user/plasma-plasmashell.service had TimeoutSec=40sec. So when drkonqi was still creating the trace of plasmashell 40 s after plasmashell crashed, systemd aborted plasma-plasmashell.service's processes plasmashell, drkonqi, kioslave5, gdb. Fedora services use the drop-in configuration file /usr/lib/systemd/user/service.d/10-timeout-abort.conf which has TimeoutStopFailureMode=abort which makes processes abort when timing out to generate core dumps https://fedoraproject.org/wiki/Changes/Shorter_Shutdown_Timer I changed the timeout to TimeoutSec=120sec, logged out and logged in. I reproduced the plasmashell crash, and the trace completed after about 40 s. drkonqi, plasmashell, and kioslave5 were aborted after 120 s. The default timeout of 40 s for plasma-plasmashell.service wasn't long enough to trace plasmashell and report the crash.