Details
- Type: Bug
- Resolution: Incomplete
- Priority: P1: Critical
- Affects versions: 5.15.13, 6.8.0 Beta2
- Environment: Debian Testing Qt5.15.13, Wayland
Description
TLDR: a mReapeatTimer.stop() might be missing at line https://github.com/qt/qtwayland/blob/9b09775f8edfd8d248a2b13a47ea4ff5af96f90a/src/client/qwaylandinputdevice.cpp#L111
Long report:
Since the code I am commenting on is the same in Qt 6.8.0 Beta2, I am feeling free to report my observation of Qt5.15.13. (Looking at other Linux distros I see reports for Qt6 affecting kscreenlocker_greet as well, which seem to be quite similar.)
I had spurious crashes of kscreenlocker_greet on current Debian Testing with Qt5.15.13 when trying to unlock the Linux amd64 laptop. (It has Wayland, fingerprint devices, touchpad, keyboard, mouse.)
From dmesg output:
[14210.107204] kscreenlocker_g[7810]: segfault at 1000000050 ip 00007f76952fcc09 sp 00007ffd2759f400 error 4 in libQt5Core.so.5.15.13[7f769508e000+328000] likely on CPU 7 (core 3, socket 0)
[14210.107243] Code: 00 48 83 e1 f8 48 01 c8 48 89 4c 24 10 48 89 04 24 48 89 c6 31 c0 f0 48 0f b1 16 0f 85 95 0a 00 00 48 8b 44 24 18 48 8b 40 08 <48> 8b 40 40 48 89 44 24 38 48 85 c0 75 49 48 8b 34 24 48 89 c1 b8
I found the code in libQt5Core and it seemed like memory corruption, since the code was jumping right into the middle of an instruction, which caused referencing a register which was invalid ... I was not able to find exactly the code in Qt5Core, but it seemed to be in private Qt event dispatching.
I did run valgrind on kscreenlocker_greet and got this report:
==12292== Conditional jump or move depends on uninitialised value(s)
==12292==    at 0x740A039: QtWaylandClient::QWaylandInputDevice::Keyboard::keyboard_key(unsigned int, unsigned int, unsigned int, unsigned int) (in /usr/lib/x86_64-linux-gnu/libQt5WaylandClient.so.5.15.13)
==12292==    by 0x74E93FD: ??? (in /usr/lib/x86_64-linux-gnu/libffi.so.8.1.4)
==12292==    by 0x74E870C: ??? (in /usr/lib/x86_64-linux-gnu/libffi.so.8.1.4)
==12292==    by 0x74E8EE2: ffi_call (in /usr/lib/x86_64-linux-gnu/libffi.so.8.1.4)
==12292==    by 0x4AC9920: ??? (in /usr/lib/x86_64-linux-gnu/libwayland-client.so.0.22.0)
==12292==    by 0x4AC5C08: ??? (in /usr/lib/x86_64-linux-gnu/libwayland-client.so.0.22.0)
==12292==    by 0x4AC75AB: wl_display_dispatch_queue_pending (in /usr/lib/x86_64-linux-gnu/libwayland-client.so.0.22.0)
==12292==    by 0x740AFE1: QtWaylandClient::QWaylandDisplay::flushRequests() (in /usr/lib/x86_64-linux-gnu/libQt5WaylandClient.so.5.15.13)
==12292==    by 0x6CA02EF: QObject::event(QEvent*) (in /usr/lib/x86_64-linux-gnu/libQt5Core.so.5.15.13)
==12292==    by 0x6C730E7: QCoreApplication::notifyInternal2(QObject*, QEvent*) (in /usr/lib/x86_64-linux-gnu/libQt5Core.so.5.15.13)
==12292==    by 0x6C76800: QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (in /usr/lib/x86_64-linux-gnu/libQt5Core.so.5.15.13)
==12292==    by 0x6CCF0E6: ??? (in /usr/lib/x86_64-linux-gnu/libQt5Core.so.5.15.13)
==12292==  Uninitialised value was created by a heap allocation
==12292==    at 0x4840F83: operator new(unsigned long) (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==12292==    by 0x7409600: QtWaylandClient::QWaylandInputDevice::seat_capabilities(unsigned int) (in /usr/lib/x86_64-linux-gnu/libQt5WaylandClient.so.5.15.13)
==12292==    by 0x74E93FD: ??? (in /usr/lib/x86_64-linux-gnu/libffi.so.8.1.4)
==12292==    by 0x74E870C: ??? (in /usr/lib/x86_64-linux-gnu/libffi.so.8.1.4)
==12292==    by 0x74E8EE2: ffi_call (in /usr/lib/x86_64-linux-gnu/libffi.so.8.1.4)
==12292==    by 0x4AC9920: ??? (in /usr/lib/x86_64-linux-gnu/libwayland-client.so.0.22.0)
==12292==    by 0x4AC5C08: ??? (in /usr/lib/x86_64-linux-gnu/libwayland-client.so.0.22.0)
==12292==    by 0x4AC75AB: wl_display_dispatch_queue_pending (in /usr/lib/x86_64-linux-gnu/libwayland-client.so.0.22.0)
==12292==    by 0x4AC7B5E: wl_display_roundtrip_queue (in /usr/lib/x86_64-linux-gnu/libwayland-client.so.0.22.0)
==12292==    by 0x740DD9B: QtWaylandClient::QWaylandDisplay::registry_global(unsigned int, QString const&, unsigned int) (in /usr/lib/x86_64-linux-gnu/libQt5WaylandClient.so.5.15.13)
==12292==    by 0x74367A6: QtWayland::wl_registry::handle_global(void*, wl_registry*, unsigned int, char const*, unsigned int) (in /usr/lib/x86_64-linux-gnu/libQt5WaylandClient.so.5.15.13)
==12292==    by 0x74E93FD: ??? (in /usr/lib/x86_64-linux-gnu/libffi.so.8.1.4)
Therefore I looked a little bit into QWaylandInputDevice::seat_capabilities and QWaylandInputDevice::Keyboard::keyboard_key, and I am asking myself if this code in
https://github.com/qt/qtwayland/blob/9b09775f8edfd8d248a2b13a47ea4ff5af96f90a/src/client/qwaylandinputdevice.cpp#L65 is correct.
Here a periodic timer is set up with a lambda and started.
However, in https://github.com/qt/qtwayland/blob/9b09775f8edfd8d248a2b13a47ea4ff5af96f90a/src/client/qwaylandinputdevice.cpp#L435 the keyboard is destroyed without any safeguard. IMO there might be a race condition: destroying Keyboard will first deallocate other members while the QTimer is still running, calling the lambda above on already destroyed members.
This might explain the corruption observed in the signal delivery code. However, I am not sure if it really relates to the valgrind messages.
My proposal would be to stop the timer in the destructor of Keyboard beforehand to be sure, like I proposed at the head of this report.
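The hazard the report describes, as an added illustration that is not Qt's code: a repeat timer whose callback captures `this` stays registered with the event loop after its owner is destroyed unless the destructor stops it first. `TimerLoop` and `Keyboard` below are constructed stand-ins for the event loop and QWaylandInputDevice::Keyboard; the check counts callbacks still registered for a destroyed object instead of firing them, since firing a dangling callback would be undefined behaviour.

```cpp
#include <cstddef>
#include <functional>
#include <map>
#include <string>
#include <vector>

// Constructed stand-in for an event loop that owns timer callbacks
// (not QTimer): a callback stays registered until stop() removes it.
struct TimerLoop {
    std::map<int, std::function<void()>> timers;
    int nextId = 1;
    int start(std::function<void()> cb) { timers[nextId] = std::move(cb); return nextId++; }
    void stop(int id) { timers.erase(id); }
    std::size_t registered() const { return timers.size(); }
};

// Constructed stand-in for the Keyboard object from the report: the repeat
// timer's lambda captures `this` and touches a member (here `log`).
struct Keyboard {
    TimerLoop& loop;
    bool stopTimerInDtor;
    int repeatTimer = 0;
    std::vector<std::string> log;  // destroyed while the callback may still be registered

    Keyboard(TimerLoop& l, bool stopInDtor) : loop(l), stopTimerInDtor(stopInDtor) {
        repeatTimer = loop.start([this] { log.push_back("repeat"); });
    }
    ~Keyboard() {
        // The proposed safeguard: deregister the callback before members go away.
        if (stopTimerInDtor) loop.stop(repeatTimer);
    }
};

// Returns how many timer callbacks still reference a Keyboard that no longer exists.
// A non-zero result is the dangling-callback condition the report suspects.
std::size_t danglingTimersAfterDestroy(bool stopInDtor) {
    TimerLoop loop;
    {
        Keyboard kb(loop, stopInDtor);
        kb.log.push_back("key");
    }  // kb destroyed here: without stop(), its lambda is still in `loop`
    return loop.registered();
}

int main() {
    return danglingTimersAfterDestroy(true) == 0 && danglingTimersAfterDestroy(false) == 1 ? 0 : 1;
}
```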