Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-81504

QWaylandWindow::handleUpdate creates thousands of pending frame callbacks, causing wayland connection termination

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Reported
    • Priority: P1: Critical
    • Resolution: Unresolved
    • Affects Version/s: 5.12.5, 5.13.2
    • Fix Version/s: None
    • Component/s: QPA: Wayland
    • Labels:
      None
    • Platform/s:
      Linux/Wayland

      Description

      QWaylandWindow::handleUpdate could create thousands of pending frame callbacks, causing compositor to terminate client connection. Reproducible with weston, sway and possibly other wlroots-based compositors.

      See swaywm/sway#4506 for original report and wayland debug logs.

      Conditions:

      1. Compositor does not process frame callbacks for off-screen applications. Instead, it fires and deletes all the callbacks once the app is visible again. This seems to be matching the expected behavior from wayland protocol spec, so I can't say that sway is in the wrong.
      2. Application forces updates while off-screen and a certain code path (which I wasn't able to figure out) ends up in a call of QWaylandWindow::handleUpdate outside of frame callback. About every 10ms, if I'm reading the log from WAYLAND_DEBUG=client correctly.
      3. Every time it's invoked, QWaylandWindow::handleUpdate attempts to destroy a pending wl_callback and schedule a new one. As explained in 1, even if the callback is destroyed on client side, it still remains pending in a compositor.
      4. Once a certain critical mass of pending callbacks has been reached and the app regains focus, compositor starts firing and deleting all pending callbacks at once. Apparently this causes overflow of a fixed-size wayland connection buffer and termination of a client.

      KWin avoids this crash by processing damage buffers and frame callbacks even for offscreen apps, which by itself is questionable. I had no chance to test with Gnome/mutter.

        Attachments

        No reviews matched the request. Check your Options in the drop-down menu of this sections header.

          Activity

            People

            • Assignee:
              johanhelsing Johan Helsing
              Reporter:
              alebastr Aleksei Bavshin
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:

                Gerrit Reviews

                There are no open Gerrit changes