Load config files in a non-stupid manner #5
Closed
martinetd added a commit to martinetd/sway that referenced this issue on Jun 26, 2018:

Fixes this kind of use-after-free:

==1795==ERROR: AddressSanitizer: heap-use-after-free on address 0x612000191ef0 at pc 0x00000048c388 bp 0x7ffe308f0410 sp 0x7ffe308f0400
WRITE of size 8 at 0x612000191ef0 thread T0
    #0 0x48c387 in wl_list_remove ../common/list.c:157
    #1 0x42196b in handle_destroy ../sway/desktop/layer_shell.c:275
    #2 0x7f55cc2549fa in wlr_signal_emit_safe ../util/signal.c:29
    #3 0x7f55cc22cf68 in layer_surface_destroy ../types/wlr_layer_shell.c:182
    #4 0x7f55cc22d084 in layer_surface_resource_destroy ../types/wlr_layer_shell.c:196
    #5 0x7f55cc4ca025 in destroy_resource src/wayland-server.c:688
    #6 0x7f55cc4ca091 in wl_resource_destroy src/wayland-server.c:705
    #7 0x7f55cc22c3a2 in resource_handle_destroy ../types/wlr_layer_shell.c:18
    #8 0x7f55c8ef103d in ffi_call_unix64 (/lib64/libffi.so.6+0x603d)
    #9 0x7f55c8ef09fe in ffi_call (/lib64/libffi.so.6+0x59fe)
    #10 0x7f55cc4cdf2c (/lib64/libwayland-server.so.0+0xbf2c)
    #11 0x7f55cc4ca3de in wl_client_connection_data src/wayland-server.c:420
    #12 0x7f55cc4cbf01 in wl_event_loop_dispatch src/event-loop.c:641
    #13 0x7f55cc4ca601 in wl_display_run src/wayland-server.c:1260
    #14 0x40bb1e in server_run ../sway/server.c:141
    #15 0x40ab2f in main ../sway/main.c:432
    #16 0x7f55cb97318a in __libc_start_main ../csu/libc-start.c:308
    #17 0x408d29 in _start (/opt/wayland/bin/sway+0x408d29)

0x612000191ef0 is located 48 bytes inside of 312-byte region [0x612000191ec0,0x612000191ff8)
freed by thread T0 here:
    #0 0x7f55ce3bb880 in __interceptor_free (/lib64/libasan.so.5+0xee880)
    #1 0x42f1db in handle_destroy ../sway/desktop/output.c:1275
    #2 0x7f55cc2549fa in wlr_signal_emit_safe ../util/signal.c:29
    #3 0x7f55cc23b4c2 in wlr_output_destroy ../types/wlr_output.c:284
    #4 0x7f55cc1ddc20 in xdg_toplevel_handle_close ../backend/wayland/output.c:235
    #5 0x7f55c8ef103d in ffi_call_unix64 (/lib64/libffi.so.6+0x603d)

previously allocated by thread T0 here:
    #0 0x7f55ce3bbe50 in calloc (/lib64/libasan.so.5+0xeee50)
    #1 0x42f401 in handle_new_output ../sway/desktop/output.c:1308
    #2 0x7f55cc2549fa in wlr_signal_emit_safe ../util/signal.c:29
    #3 0x7f55cc1d6cbf in new_output_reemit ../backend/multi/backend.c:113
    #4 0x7f55cc2549fa in wlr_signal_emit_safe ../util/signal.c:29
    #5 0x7f55cc1deac7 in wlr_wl_output_create ../backend/wayland/output.c:327
    #6 0x7f55cc1db353 in backend_start ../backend/wayland/backend.c:55
    #7 0x7f55cc1bad55 in wlr_backend_start ../backend/backend.c:35
    #8 0x7f55cc1d67a0 in multi_backend_start ../backend/multi/backend.c:24
    #9 0x7f55cc1bad55 in wlr_backend_start ../backend/backend.c:35
    #10 0x40ba8a in server_run ../sway/server.c:136
    #11 0x40ab2f in main ../sway/main.c:432
    #12 0x7f55cb97318a in __libc_start_main ../csu/libc-start.c:308
martinetd added a commit to martinetd/sway that referenced this issue on Jun 30, 2018:

That event comes from the toplevel and not the surface, so would cause a use-after-free on destroy if the toplevel got destroyed first:

==5454==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110001ed198 at pc 0x000000472d10 bp 0x7ffc19070a80 sp 0x7ffc19070a70
WRITE of size 8 at 0x6110001ed198 thread T0
    #0 0x472d0f in wl_list_remove ../common/list.c:157
    #1 0x42e159 in handle_destroy ../sway/desktop/xdg_shell_v6.c:243
    #2 0x7fa9e5b28ce8 in wlr_signal_emit_safe ../util/signal.c:29
    #3 0x7fa9e5afd6b1 in destroy_xdg_surface_v6 ../types/xdg_shell_v6/wlr_xdg_surface_v6.c:101
    #4 0x7fa9e5d98025 in destroy_resource src/wayland-server.c:688
    #5 0x7fa9e5d98091 in wl_resource_destroy src/wayland-server.c:705
    #6 0x7fa9e27f103d in ffi_call_unix64 (/lib64/libffi.so.6+0x603d)
    #7 0x7fa9e27f09fe in ffi_call (/lib64/libffi.so.6+0x59fe)
    #8 0x7fa9e5d9bf2c (/lib64/libwayland-server.so.0+0xbf2c)
    #9 0x7fa9e5d983de in wl_client_connection_data src/wayland-server.c:420
    #10 0x7fa9e5d99f01 in wl_event_loop_dispatch src/event-loop.c:641
    #11 0x7fa9e5d98601 in wl_display_run src/wayland-server.c:1260
    #12 0x40a2f4 in main ../sway/main.c:433
    #13 0x7fa9e527318a in __libc_start_main ../csu/libc-start.c:308
    #14 0x40b749 in _start (/opt/wayland/bin/sway+0x40b749)

0x6110001ed198 is located 152 bytes inside of 240-byte region [0x6110001ed100,0x6110001ed1f0)
freed by thread T0 here:
    #0 0x7fa9e7c89880 in __interceptor_free (/lib64/libasan.so.5+0xee880)
    #1 0x7fa9e5affce9 in destroy_xdg_toplevel_v6 ../types/xdg_shell_v6/wlr_xdg_toplevel_v6.c:23
    #2 0x7fa9e5d98025 in destroy_resource src/wayland-server.c:688

previously allocated by thread T0 here:
    #0 0x7fa9e7c89e50 in calloc (/lib64/libasan.so.5+0xeee50)
    #1 0x7fa9e5b00eea in create_xdg_toplevel_v6 ../types/xdg_shell_v6/wlr_xdg_toplevel_v6.c:427
    #2 0x7fa9e27f103d in ffi_call_unix64 (/lib64/libffi.so.6+0x603d)

The toplevel only notifies the compositor on destroy if it was mapped, so only listen to events at map time.
martinetd added a commit to martinetd/sway that referenced this issue on Jul 4, 2018:

wl_event_source_remove() is illegal after display has been destroyed

==20392==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000001240 at pc 0x00000048e86e bp 0x7ffe4b557e00 sp 0x7ffe4b557df0
READ of size 8 at 0x607000001240 thread T0
    #0 0x48e86d in wl_list_insert ../common/list.c:149
    #1 0x7fdf673d4d7d in wl_event_source_remove src/event-loop.c:487
    #2 0x41b742 in ipc_terminate ../sway/ipc-server.c:94
    #3 0x40b1ad in main ../sway/main.c:440
    #4 0x7fdf6664c18a in __libc_start_main ../csu/libc-start.c:308
    #5 0x409359 in _start (/opt/wayland/bin/sway+0x409359)

0x607000001240 is located 48 bytes inside of 72-byte region [0x607000001210,0x607000001258)
freed by thread T0 here:
    #0 0x7fdf692c4880 in __interceptor_free (/lib64/libasan.so.5+0xee880)
    #1 0x7fdf673d371a in wl_display_destroy src/wayland-server.c:1097

previously allocated by thread T0 here:
    #0 0x7fdf692c4c48 in malloc (/lib64/libasan.so.5+0xeec48)
    #1 0x7fdf673d4d9e in wl_event_loop_create src/event-loop.c:522
    #2 0x40acb2 in main ../sway/main.c:363
    #3 0x7fdf6664c18a in __libc_start_main ../csu/libc-start.c:308
martinetd added a commit to martinetd/sway that referenced this issue on Jul 4, 2018:

wl_event_source_remove() is illegal after display has been destroyed, so just destroy everything when we still can. [trace omitted; identical to the one above]
martinetd added a commit to martinetd/sway that referenced this issue on Oct 7, 2018:

When destroying swaynag from within wl_display_dispatch, we cannot disconnect the display as that will free the queue's event_list. Free it after running the loop instead.

Fixes this use-after-free (you need a wayland compiled with asan, my wl_list hack, or running with valgrind to see this trace):

==7312==ERROR: AddressSanitizer: heap-use-after-free on address 0x612000000110 at pc 0x000000412a9f bp 0x7ffd4e811760 sp 0x7ffd4e811750
READ of size 8 at 0x612000000110 thread T0
    #0 0x412a9e in wl_list_empty ../common/list.c:206
    #1 0x7f5b58f0d42f in dispatch_queue src/wayland-client.c:1572
    #2 0x7f5b58f0d42f in wl_display_dispatch_queue_pending src/wayland-client.c:1815
    #3 0x40f465 in swaynag_run ../swaynag/swaynag.c:390
    #4 0x407576 in main ../swaynag/main.c:123
    #5 0x7f5b58bb9412 in __libc_start_main ../csu/libc-start.c:308
    #6 0x404a3d in _start (/opt/wayland/bin/swaynag+0x404a3d)

0x612000000110 is located 208 bytes inside of 320-byte region [0x612000000040,0x612000000180)
freed by thread T0 here:
    #0 0x7f5b594ab480 in free (/lib64/libasan.so.5+0xef480)
    #1 0x40faff in swaynag_destroy ../swaynag/swaynag.c:454
    #2 0x40cbb4 in layer_surface_closed ../swaynag/swaynag.c:82
    #3 0x7f5b583e1acd in ffi_call_unix64 (/lib64/libffi.so.6+0x6acd)

previously allocated by thread T0 here:
    #0 0x7f5b594aba50 in __interceptor_calloc (/lib64/libasan.so.5+0xefa50)
    #1 0x7f5b58f0c902 in wl_display_connect_to_fd src/wayland-private.h:236
Emantor added a commit to Emantor/sway that referenced this issue on Feb 21, 2019:

Fixes memory leaks in the form of:

Direct leak of 24 byte(s) in 1 object(s) allocated from:
    #0 0x7f5f7c2f4f30 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xedf30)
    #1 0x563c799569f2 in ipc_recv_response ../common/ipc-client.c:94
    #2 0x563c79957062 in ipc_single_command ../common/ipc-client.c:138
    #3 0x563c798a56cc in run_as_ipc_client ../sway/main.c:127
    #4 0x563c798a6a3a in main ../sway/main.c:349
    #5 0x7f5f7b4d609a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
Emantor added a commit to Emantor/sway that referenced this issue on Feb 23, 2019:

Fixes heap-use-after-free:

==32046==ERROR: AddressSanitizer: heap-use-after-free on address 0x615000064d20 at pc 0x55571ce4d303 bp 0x7fff545c64c0 sp 0x7fff545c64b0
WRITE of size 8 at 0x615000064d20 thread T0
    #0 0x55571ce4d302 in xdg_decoration_handle_destroy ../sway/xdg_decoration.c:13
    #1 0x7f64009d6f36 in wlr_signal_emit_safe ../util/signal.c:29
    #2 0x7f64009d3c46 in toplevel_decoration_handle_resource_destroy ../types/wlr_xdg_decoration_v1.c:65
    #3 0x7f6400a19f8d (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x7f8d)
    #4 0x7f6400a19fed in wl_resource_destroy (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x7fed)
    #5 0x7f64009d3d1f in toplevel_decoration_handle_surface_destroy ../types/wlr_xdg_decoration_v1.c:82
    #6 0x7f64009d6f36 in wlr_signal_emit_safe ../util/signal.c:29
    #7 0x7f64009b059c in reset_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:453
    #8 0x7f64009b0688 in destroy_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:483
    #9 0x7f64009af08c in xdg_client_handle_resource_destroy ../types/xdg_shell/wlr_xdg_shell.c:71
    #10 0x7f6400a19f8d (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x7f8d)
    #11 0x7f6400a1e211 (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0xc211)
    #12 0x7f6400a1e6fe (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0xc6fe)
    #13 0x7f6400a1a0ec in wl_client_destroy (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x80ec)
    #14 0x7f6400a1a1c4 (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x81c4)
    #15 0x7f6400a1b941 in wl_event_loop_dispatch (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x9941)
    #16 0x7f6400a1a569 in wl_display_run (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x8569)
    #17 0x55571ce4c7fd in server_run ../sway/server.c:214
    #18 0x55571ce4ad59 in main ../sway/main.c:405
    #19 0x7f640071109a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #20 0x55571ce2cfa9 in _start (/usr/local/bin/sway+0x35fa9)

0x615000064d20 is located 32 bytes inside of 504-byte region [0x615000064d00,0x615000064ef8)
freed by thread T0 here:
    #0 0x7f6401531b70 in free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xedb70)
    #1 0x55571ce6c72b in destroy ../sway/desktop/xdg_shell.c:252
    #2 0x55571cee3f7b in view_destroy ../sway/tree/view.c:60
    #3 0x55571cee4090 in view_begin_destroy ../sway/tree/view.c:73
    #4 0x55571ce6dd95 in handle_destroy ../sway/desktop/xdg_shell.c:464
    #5 0x7f64009d6f36 in wlr_signal_emit_safe ../util/signal.c:29
    #6 0x7f64009b059c in reset_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:453
    #7 0x7f64009b0688 in destroy_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:483
    #8 0x7f64009af08c in xdg_client_handle_resource_destroy ../types/xdg_shell/wlr_xdg_shell.c:71
    #9 0x7f6400a19f8d (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x7f8d)

previously allocated by thread T0 here:
    #0 0x7f6401532138 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xee138)
    #1 0x55571ce6df39 in handle_xdg_shell_surface ../sway/desktop/xdg_shell.c:485
    #2 0x7f64009d6f36 in wlr_signal_emit_safe ../util/signal.c:29
    #3 0x7f64009b0167 in handle_xdg_surface_commit ../types/xdg_shell/wlr_xdg_surface.c:350
    #4 0x7f64009ce2a5 in surface_commit_pending ../types/wlr_surface.c:372
    #5 0x7f64009ce523 in surface_commit ../types/wlr_surface.c:444
    #6 0x7f63ff63ddad in ffi_call_unix64 (/usr/lib/x86_64-linux-gnu/libffi.so.6+0x5dad)
Emantor added a commit to Emantor/sway that referenced this issue on Feb 23, 2019:

Fixes heap-use-after-free: [trace omitted; identical to the one above]

Fixes swaywm#3759
RedSoxFan pushed a commit that referenced this issue on Feb 23, 2019:

Fixes heap-use-after-free: [trace omitted; identical to the one above]

Fixes #3759
ddevault pushed a commit that referenced this issue on Feb 25, 2019:

Fixes memory leaks in the form of: [trace omitted; identical to the one in the Feb 21, 2019 commit above]
ddevault pushed a commit that referenced this issue on Feb 25, 2019:

Fixes heap-use-after-free: [trace omitted; identical to the one above]

Fixes #3759
Emantor added a commit to Emantor/sway that referenced this issue on Jun 2, 2019
handle_destroy would mark the output as being destroyed and commit the transaction. Committing the transaction results in the output being freed; the output manager cannot retrieve the server reference afterwards, resulting in the following use-after-free:

==22746==ERROR: AddressSanitizer: heap-use-after-free on address 0x614000017088 at pc 0x560c1ac17136 bp 0x7ffeab146f20 sp 0x7ffeab146f10
READ of size 8 at 0x614000017088 thread T0
    #0 0x560c1ac17135 in handle_destroy ../sway/desktop/output.c:566
    #1 0x7f38af69330e in wlr_signal_emit_safe ../subprojects/wlroots/util/signal.c:29
    #2 0x7f38af5d3dfc in drm_connector_cleanup ../subprojects/wlroots/backend/drm/drm.c:1448
    #3 0x7f38af5d2058 in scan_drm_connectors ../subprojects/wlroots/backend/drm/drm.c:1240
    #4 0x7f38af5c6a59 in drm_invalidated ../subprojects/wlroots/backend/drm/backend.c:135
    #5 0x7f38af69330e in wlr_signal_emit_safe ../subprojects/wlroots/util/signal.c:29
    #6 0x7f38af5e827a in udev_event ../subprojects/wlroots/backend/session/session.c:52
    #7 0x7f38aef5d7f1 in wl_event_loop_dispatch (/usr/lib/libwayland-server.so.0+0xa7f1)
    #8 0x7f38aef5c39b in wl_display_run (/usr/lib/libwayland-server.so.0+0x939b)
    #9 0x560c1ac0afbe in server_run ../sway/server.c:225
    #10 0x560c1ac09382 in main ../sway/main.c:397
    #11 0x7f38aed35ce2 in __libc_start_main (/usr/lib/libc.so.6+0x23ce2)
    #12 0x560c1abea10d in _start (/usr/local/bin/sway+0x3910d)

0x614000017088 is located 72 bytes inside of 432-byte region [0x614000017040,0x6140000171f0)
freed by thread T0 here:
    #0 0x7f38af82df89 in __interceptor_free /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:66
    #1 0x560c1acbd1ed in output_destroy ../sway/tree/output.c:243
    #2 0x560c1ac23ce5 in transaction_destroy ../sway/desktop/transaction.c:66
    #3 0x560c1ac26b71 in transaction_progress_queue ../sway/desktop/transaction.c:348
    #4 0x560c1ac284ca in transaction_commit_dirty ../sway/desktop/transaction.c:539
    #5 0x560c1ac17110 in handle_destroy ../sway/desktop/output.c:564
    #6 0x7f38af69330e in wlr_signal_emit_safe ../subprojects/wlroots/util/signal.c:29
    #7 0x7f38af5d3dfc in drm_connector_cleanup ../subprojects/wlroots/backend/drm/drm.c:1448
    #8 0x7f38af5d2058 in scan_drm_connectors ../subprojects/wlroots/backend/drm/drm.c:1240
    #9 0x7f38af5c6a59 in drm_invalidated ../subprojects/wlroots/backend/drm/backend.c:135
    #10 0x7f38af69330e in wlr_signal_emit_safe ../subprojects/wlroots/util/signal.c:29
    #11 0x7f38af5e827a in udev_event ../subprojects/wlroots/backend/session/session.c:52
    #12 0x7f38aef5d7f1 in wl_event_loop_dispatch (/usr/lib/libwayland-server.so.0+0xa7f1)

previously allocated by thread T0 here:
    #0 0x7f38af82e5a1 in __interceptor_calloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:95
    #1 0x560c1acbc228 in output_create ../sway/tree/output.c:91
    #2 0x560c1ac17ba2 in handle_new_output ../sway/desktop/output.c:656
    #3 0x7f38af69330e in wlr_signal_emit_safe ../subprojects/wlroots/util/signal.c:29
    #4 0x7f38af5e4ce8 in new_output_reemit ../subprojects/wlroots/backend/multi/backend.c:143
    #5 0x7f38af69330e in wlr_signal_emit_safe ../subprojects/wlroots/util/signal.c:29
    #6 0x7f38af5d26d4 in scan_drm_connectors ../subprojects/wlroots/backend/drm/drm.c:1294
    #7 0x7f38af5c6a59 in drm_invalidated ../subprojects/wlroots/backend/drm/backend.c:135
    #8 0x7f38af69330e in wlr_signal_emit_safe ../subprojects/wlroots/util/signal.c:29
    #9 0x7f38af5e827a in udev_event ../subprojects/wlroots/backend/session/session.c:52
    #10 0x7f38aef5d7f1 in wl_event_loop_dispatch (/usr/lib/libwayland-server.so.0+0xa7f1)

SUMMARY: AddressSanitizer: heap-use-after-free ../sway/desktop/output.c:566 in handle_destroy

Retrieve the reference before the output is destroyed and update the output_management state with the saved reference.
martinetd added a commit to martinetd/sway that referenced this issue on Apr 18, 2021
Remove view from its own unmap event listener so when subsurfaces link try to remove themselves they won't run into it. This fixes the following ASAN use-after-free error on a build slightly modified to instrument wl_list operations:

==71705==ERROR: AddressSanitizer: heap-use-after-free on address 0x6160000829a0 at pc 0x000000508eb7 bp 0x7ffec8fd8030 sp 0x7ffec8fd8028
WRITE of size 8 at 0x6160000829a0 thread T0
    #0 0x508eb6 in wl_list_remove ../common/list.c:181
    #1 0x4f4998 in view_child_destroy ../sway/tree/view.c:1131
    #2 0x4f38fa in subsurface_handle_destroy ../sway/tree/view.c:946
    #3 0x7fda50744892 in wlr_signal_emit_safe ../util/signal.c:29
    #4 0x7fda5072f0dd in subsurface_destroy ../types/wlr_surface.c:649
    #5 0x7fda507312c4 in subsurface_handle_surface_destroy ../types/wlr_surface.c:1094
    #6 0x7fda50744892 in wlr_signal_emit_safe ../util/signal.c:29
    #7 0x7fda5072f305 in surface_handle_resource_destroy ../types/wlr_surface.c:677
    #8 0x7fda508180ce in destroy_resource (/lib64/libwayland-server.so.0+0xc0ce)
    #9 0x7fda508187f2 in wl_client_destroy (/lib64/libwayland-server.so.0+0xc7f2)
    #10 0x7fda50818e5f in wl_client_connection_data (/lib64/libwayland-server.so.0+0xce5f)
    #11 0x7fda50818219 in wl_event_loop_dispatch (/lib64/libwayland-server.so.0+0xc219)
    #12 0x7fda50818984 in wl_display_run (/lib64/libwayland-server.so.0+0xc984)
    #13 0x43122c in server_run ../sway/server.c:254
    #14 0x42f47c in main ../sway/main.c:433
    #15 0x7fda503cab74 in __libc_start_main (/lib64/libc.so.6+0x27b74)
    #16 0x40f6fd in _start (/opt/wayland/bin/sway+0x40f6fd)

0x6160000829a0 is located 288 bytes inside of 592-byte region [0x616000082880,0x616000082ad0)
freed by thread T0 here:
    #0 0x7fda50f01a27 in free (/lib64/libasan.so.6+0xaea27)
    #1 0x4532d8 in destroy ../sway/desktop/xdg_shell.c:262
    #2 0x4ed17b in view_destroy ../sway/tree/view.c:67
    #3 0x4ed300 in view_begin_destroy ../sway/tree/view.c:83
    #4 0x454a3f in handle_destroy ../sway/desktop/xdg_shell.c:507
    #5 0x7fda50744892 in wlr_signal_emit_safe ../util/signal.c:29
    #6 0x7fda506e2c87 in reset_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:481
    #7 0x7fda506e3018 in destroy_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:516
    #8 0x7fda506dfbe5 in xdg_client_handle_resource_destroy ../types/xdg_shell/wlr_xdg_shell.c:71
    #9 0x7fda508180ce in destroy_resource (/lib64/libwayland-server.so.0+0xc0ce)

previously allocated by thread T0 here:
    #0 0x7fda50f01ed7 in calloc (/lib64/libasan.so.6+0xaeed7)
    #1 0x454bc8 in handle_xdg_shell_surface ../sway/desktop/xdg_shell.c:528
    #2 0x7fda50744892 in wlr_signal_emit_safe ../util/signal.c:29
    #3 0x7fda506e2363 in handle_xdg_surface_commit ../types/xdg_shell/wlr_xdg_surface.c:378
    #4 0x7fda5072e368 in surface_commit_state ../types/wlr_surface.c:455
    #5 0x7fda5072e51d in surface_commit_pending ../types/wlr_surface.c:474
    #6 0x7fda5072ea58 in surface_commit ../types/wlr_surface.c:542
    #7 0x7fda4fb3ac03 in ffi_call_unix64 (/lib64/libffi.so.6+0x6c03)

Fixes swaywm#5168
martinetd added a commit to martinetd/sway that referenced this issue on Apr 18, 2021
Remove view from its own unmap event listener so when subsurfaces link try to remove themselves they won't run into it. This fixes the following ASAN use-after-free error on a build slightly modified to instrument wl_list operations:

==71705==ERROR: AddressSanitizer: heap-use-after-free on address 0x6160000829a0 at pc 0x000000508eb7 bp 0x7ffec8fd8030 sp 0x7ffec8fd8028

Fixes swaywm#5168
kennylevinsen pushed a commit that referenced this issue on Apr 22, 2021
Remove view from its own unmap event listener so when subsurfaces link try to remove themselves they won't run into it. This fixes the following ASAN use-after-free error on a build slightly modified to instrument wl_list operations:

==71705==ERROR: AddressSanitizer: heap-use-after-free on address 0x6160000829a0 at pc 0x000000508eb7 bp 0x7ffec8fd8030 sp 0x7ffec8fd8028

Fixes #5168
Emantor added a commit to Emantor/sway that referenced this issue on Apr 29, 2021
When a criteria places the view into the scratchpad, map_ws is NULL and trying to access map_ws->fullscreen will result in SIGSEGFAULT with:

#0  0x0000000000455327 in should_focus (view=0x15a6a70) at ../sway/tree/view.c:604
        prev_con = 0x0
        len = <optimized out>
        seat = 0x12233c0
        prev_ws = 0x1264c80
        map_ws = 0x0
        criterias = <optimized out>
        seat = <optimized out>
        prev_con = <optimized out>
        prev_ws = <optimized out>
        map_ws = <optimized out>
        criterias = <optimized out>
        len = <optimized out>
        num_children = <optimized out>
#1  view_map (view=view@entry=0x15a6a70, wlr_surface=0x15a5cb0, fullscreen=<optimized out>, fullscreen_output=<optimized out>, decoration=<optimized out>) at ../sway/tree/view.c:809
        __PRETTY_FUNCTION__ = "view_map"
        ws = <optimized out>
        seat = <optimized out>
        node = <optimized out>
        target_sibling = <optimized out>
        container = 0x1625400
        set_focus = <optimized out>
        app_id = <optimized out>
        class = <optimized out>
#2  0x0000000000423a7e in handle_map (listener=0x15a6c78, data=<optimized out>) at ../sway/desktop/xdg_shell.c:454
        xdg_shell_view = 0x15a6a70
        view = 0x15a6a70
        xdg_surface = 0x15a6620
        csd = <optimized out>
#3  0x00007f508bd3674c in wlr_signal_emit_safe (signal=signal@entry=0x15a6718, data=data@entry=0x15a6620) at ../subprojects/wlroots/util/signal.c:29
        pos = 0x15a6c78
        l = 0x15a6c78
        cursor = {link = {prev = 0x15a6c78, next = 0x7fff53d58190}, notify = 0x7f508bd366c0 <handle_noop>}
        end = {link = {prev = 0x7fff53d58170, next = 0x15a6718}, notify = 0x7f508bd366c0 <handle_noop>}
#4  0x00007f508bd15b29 in handle_xdg_surface_commit (wlr_surface=<optimized out>) at ../subprojects/wlroots/types/xdg_shell/wlr_xdg_surface.c:384
        surface = 0x15a6620
#5  0x00007f508bd2e981 in surface_commit_state (surface=surface@entry=0x15a5cb0, next=next@entry=0x15a5e18) at ../subprojects/wlroots/types/wlr_surface.c:455
        __PRETTY_FUNCTION__ = "surface_commit_state"
        invalid_buffer = <optimized out>
        subsurface = 0x15a6038
#6  0x00007f508bd2f53b in surface_commit_pending (surface=0x15a5cb0) at ../subprojects/wlroots/types/wlr_surface.c:474
        next_seq = 3
        next_seq = <optimized out>
#7  surface_commit (client=<optimized out>, resource=<optimized out>) at ../subprojects/wlroots/types/wlr_surface.c:542
        surface = 0x15a5cb0
        subsurface = <optimized out>

If map_ws is NULL we assume the view is placed into the scratchpad and return false as well.
emersion pushed a commit that referenced this issue on Apr 29, 2021
When a criteria places the view into the scratchpad, map_ws is NULL and trying to access map_ws->fullscreen will result in SIGSEGFAULT with:

#0  0x0000000000455327 in should_focus (view=0x15a6a70) at ../sway/tree/view.c:604

If map_ws is NULL we assume the view is placed into the scratchpad and return false as well.
RagnarGrootKoerkamp pushed a commit to RagnarGrootKoerkamp/sway that referenced this issue on Jun 17, 2021
Remove view from its own unmap event listener so when subsurfaces link try to remove themselves they won't run into it. This fixes the following ASAN use-after-free error on a build slightly modified to instrument wl_list operations:

==71705==ERROR: AddressSanitizer: heap-use-after-free on address 0x6160000829a0 at pc 0x000000508eb7 bp 0x7ffec8fd8030 sp 0x7ffec8fd8028

Fixes swaywm#5168
RagnarGrootKoerkamp pushed a commit to RagnarGrootKoerkamp/sway that referenced this issue on Jun 17, 2021
When a criteria places the view into the scratchpad, map_ws is NULL and trying to access map_ws->fullscreen will result in SIGSEGFAULT with:

#0  0x0000000000455327 in should_focus (view=0x15a6a70) at ../sway/tree/view.c:604

If map_ws is NULL we assume the view is placed into the scratchpad and return false as well.
emersion pushed a commit to emersion/sway that referenced this issue on Jun 23, 2021
Remove view from its own unmap event listener so when subsurfaces link try to remove themselves they won't run into it. This fixes the following ASAN use-after-free error on a build slightly modified to instrument wl_list operations:

==71705==ERROR: AddressSanitizer: heap-use-after-free on address 0x6160000829a0 at pc 0x000000508eb7 bp 0x7ffec8fd8030 sp 0x7ffec8fd8028

Fixes swaywm#5168

(cherry picked from commit 8529141)
emersion pushed a commit to emersion/sway that referenced this issue on Jun 23, 2021
When a criteria places the view into the scratchpad, map_ws is NULL and trying to access map_ws->fullscreen will result in SIGSEGFAULT with:

#0  0x0000000000455327 in should_focus (view=0x15a6a70) at ../sway/tree/view.c:604

If map_ws is NULL we assume the view is placed into the scratchpad and return false as well.

(cherry picked from commit 30e400c)
emersion pushed a commit to emersion/sway that referenced this issue on Jun 24, 2021
remove view from its own unmap event listener so when subsurfaces link try to remove themselves they won't run into it.

This fixes the following ASAN use-after-free error on a build slightly modified to instrument wl_list operations:

==71705==ERROR: AddressSanitizer: heap-use-after-free on address 0x6160000829a0 at pc 0x000000508eb7 bp 0x7ffec8fd8030 sp 0x7ffec8fd8028
WRITE of size 8 at 0x6160000829a0 thread T0
    #0 0x508eb6 in wl_list_remove ../common/list.c:181
    #1 0x4f4998 in view_child_destroy ../sway/tree/view.c:1131
    #2 0x4f38fa in subsurface_handle_destroy ../sway/tree/view.c:946
    #3 0x7fda50744892 in wlr_signal_emit_safe ../util/signal.c:29
    #4 0x7fda5072f0dd in subsurface_destroy ../types/wlr_surface.c:649
    #5 0x7fda507312c4 in subsurface_handle_surface_destroy ../types/wlr_surface.c:1094
    #6 0x7fda50744892 in wlr_signal_emit_safe ../util/signal.c:29
    #7 0x7fda5072f305 in surface_handle_resource_destroy ../types/wlr_surface.c:677
    #8 0x7fda508180ce in destroy_resource (/lib64/libwayland-server.so.0+0xc0ce)
    #9 0x7fda508187f2 in wl_client_destroy (/lib64/libwayland-server.so.0+0xc7f2)
    #10 0x7fda50818e5f in wl_client_connection_data (/lib64/libwayland-server.so.0+0xce5f)
    #11 0x7fda50818219 in wl_event_loop_dispatch (/lib64/libwayland-server.so.0+0xc219)
    #12 0x7fda50818984 in wl_display_run (/lib64/libwayland-server.so.0+0xc984)
    #13 0x43122c in server_run ../sway/server.c:254
    #14 0x42f47c in main ../sway/main.c:433
    #15 0x7fda503cab74 in __libc_start_main (/lib64/libc.so.6+0x27b74)
    #16 0x40f6fd in _start (/opt/wayland/bin/sway+0x40f6fd)

0x6160000829a0 is located 288 bytes inside of 592-byte region [0x616000082880,0x616000082ad0)
freed by thread T0 here:
    #0 0x7fda50f01a27 in free (/lib64/libasan.so.6+0xaea27)
    #1 0x4532d8 in destroy ../sway/desktop/xdg_shell.c:262
    #2 0x4ed17b in view_destroy ../sway/tree/view.c:67
    #3 0x4ed300 in view_begin_destroy ../sway/tree/view.c:83
    #4 0x454a3f in handle_destroy ../sway/desktop/xdg_shell.c:507
    #5 0x7fda50744892 in wlr_signal_emit_safe ../util/signal.c:29
    #6 0x7fda506e2c87 in reset_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:481
    #7 0x7fda506e3018 in destroy_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:516
    #8 0x7fda506dfbe5 in xdg_client_handle_resource_destroy ../types/xdg_shell/wlr_xdg_shell.c:71
    #9 0x7fda508180ce in destroy_resource (/lib64/libwayland-server.so.0+0xc0ce)

previously allocated by thread T0 here:
    #0 0x7fda50f01ed7 in calloc (/lib64/libasan.so.6+0xaeed7)
    #1 0x454bc8 in handle_xdg_shell_surface ../sway/desktop/xdg_shell.c:528
    #2 0x7fda50744892 in wlr_signal_emit_safe ../util/signal.c:29
    #3 0x7fda506e2363 in handle_xdg_surface_commit ../types/xdg_shell/wlr_xdg_surface.c:378
    #4 0x7fda5072e368 in surface_commit_state ../types/wlr_surface.c:455
    #5 0x7fda5072e51d in surface_commit_pending ../types/wlr_surface.c:474
    #6 0x7fda5072ea58 in surface_commit ../types/wlr_surface.c:542
    #7 0x7fda4fb3ac03 in ffi_call_unix64 (/lib64/libffi.so.6+0x6c03)

Fixes #5168

(cherry picked from commit 8529141)
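The failure the commit message above describes, as an added example that is not sway's or libwayland's code: a tiny stand-in for wl_list / wl_signal / wl_listener, a view whose unmap signal head lives inside it (as in the real structs), and two children whose listeners hang off that head. Instead of calling free(), the view is quarantined with a flag so the check stays defined behaviour; child teardown then reports whether wl_list_remove would have written into the dead view, which is the 8-byte WRITE in the ASan report. The "fixed" teardown unlinks the signal head before the view goes away, which is how I read "remove view from its own unmap event listener"; the exact change sway made is not on this page, and all names below are my own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Minimal stand-ins for libwayland's wl_list / wl_signal / wl_listener,
 * written for this illustration (not copied from libwayland or sway). */
struct list { struct list *prev, *next; };

static void list_init(struct list *l) { l->prev = l; l->next = l; }

static void list_insert(struct list *l, struct list *elm) {
	elm->prev = l;
	elm->next = l->next;
	l->next = elm;
	elm->next->prev = elm;
}

/* Unlinking writes into BOTH neighbours. If a neighbour is freed memory,
 * that is the 8-byte WRITE AddressSanitizer reported inside wl_list_remove. */
static void list_remove(struct list *elm) {
	elm->prev->next = elm->next;
	elm->next->prev = elm->prev;
	elm->prev = elm->next = NULL;
}

struct listener;
typedef void (*notify_fn)(struct listener *, void *);
struct listener { struct list link; notify_fn notify; };
struct signal { struct list listener_list; };

/* Stand-in for the view: the unmap signal's list head lives INSIDE the view,
 * so a listener's neighbour pointers may point into the view's own memory. */
struct view {
	struct { struct signal unmap; } events;
	bool freed; /* quarantine flag instead of free(), so the check stays defined behaviour */
};

/* Stand-in for the view child: its listener link lives inside the child. */
struct view_child {
	struct view *view;
	struct listener view_unmap;
};

static void child_handle_view_unmap(struct listener *l, void *data) { (void)l; (void)data; }

static void child_init(struct view_child *c, struct view *v) {
	c->view = v;
	c->view_unmap.notify = child_handle_view_unmap;
	list_insert(&v->events.unmap.listener_list, &c->view_unmap.link); /* wl_signal_add */
}

/* Does p point into the storage of v? */
static bool points_into(const struct view *v, const void *p) {
	const char *b = (const char *)v, *q = (const char *)p;
	return q >= b && q < b + sizeof *v;
}

/* Buggy teardown: the view goes away while its listener_list head is still
 * linked into the ring that the children's links hang off. */
static void view_destroy_buggy(struct view *v) { v->freed = true; }

/* Fixed teardown, the idea behind "remove view from its own unmap event
 * listener" as I read it: unlink the signal head first, so the surviving
 * listeners form a ring among themselves and never touch the dead view. */
static void view_destroy_fixed(struct view *v) {
	list_remove(&v->events.unmap.listener_list);
	v->freed = true;
}

/* Child teardown. Returns true if wl_list_remove would have written into
 * the dead view (the use-after-free); unlinks only when that is safe. */
static bool child_destroy_is_uaf(struct view_child *c) {
	struct list *l = &c->view_unmap.link;
	bool uaf = c->view->freed &&
		(points_into(c->view, l->prev) || points_into(c->view, l->next));
	if (!uaf)
		list_remove(l);
	return uaf;
}

/* One view with two children torn down in the order the ASan report shows:
 * view first, children afterwards. Returns whether any child teardown was a UAF. */
static bool scenario(bool fixed) {
	struct view v;
	memset(&v, 0, sizeof v);
	list_init(&v.events.unmap.listener_list);
	struct view_child a, b;
	child_init(&a, &v);
	child_init(&b, &v);
	if (fixed) view_destroy_fixed(&v); else view_destroy_buggy(&v);
	bool uaf = child_destroy_is_uaf(&a);
	uaf |= child_destroy_is_uaf(&b);
	return uaf;
}
```

scenario(false) reproduces the report's shape (a child's prev/next still point at the head inside the dead view), scenario(true) does not. The general lesson is the one ASan's "instrumented wl_list" build made visible: with intrusive lists, freeing an object is only safe once nothing else's prev/next can still point into it, so either every listener must be removed before the owner is freed, or the owner must unlink its own list heads.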
emersion
pushed a commit
to emersion/sway
that referenced
this issue
Jun 24, 2021
When a criteria places the view into the scratchpad, map_ws is NULL and trying to access map_ws->fullscreen will result in SIGSEGFAULT with:

#0  0x0000000000455327 in should_focus (view=0x15a6a70) at ../sway/tree/view.c:604
        prev_con = 0x0
        len = <optimized out>
        seat = 0x12233c0
        prev_ws = 0x1264c80
        map_ws = 0x0
        criterias = <optimized out>
        seat = <optimized out>
        prev_con = <optimized out>
        prev_ws = <optimized out>
        map_ws = <optimized out>
        criterias = <optimized out>
        len = <optimized out>
        num_children = <optimized out>
#1  view_map (view=view@entry=0x15a6a70, wlr_surface=0x15a5cb0, fullscreen=<optimized out>, fullscreen_output=<optimized out>, decoration=<optimized out>) at ../sway/tree/view.c:809
        __PRETTY_FUNCTION__ = "view_map"
        ws = <optimized out>
        seat = <optimized out>
        node = <optimized out>
        target_sibling = <optimized out>
        container = 0x1625400
        set_focus = <optimized out>
        app_id = <optimized out>
        class = <optimized out>
#2  0x0000000000423a7e in handle_map (listener=0x15a6c78, data=<optimized out>) at ../sway/desktop/xdg_shell.c:454
        xdg_shell_view = 0x15a6a70
        view = 0x15a6a70
        xdg_surface = 0x15a6620
        csd = <optimized out>
#3  0x00007f508bd3674c in wlr_signal_emit_safe (signal=signal@entry=0x15a6718, data=data@entry=0x15a6620) at ../subprojects/wlroots/util/signal.c:29
        pos = 0x15a6c78
        l = 0x15a6c78
        cursor = {link = {prev = 0x15a6c78, next = 0x7fff53d58190}, notify = 0x7f508bd366c0 <handle_noop>}
        end = {link = {prev = 0x7fff53d58170, next = 0x15a6718}, notify = 0x7f508bd366c0 <handle_noop>}
#4  0x00007f508bd15b29 in handle_xdg_surface_commit (wlr_surface=<optimized out>) at ../subprojects/wlroots/types/xdg_shell/wlr_xdg_surface.c:384
        surface = 0x15a6620
#5  0x00007f508bd2e981 in surface_commit_state (surface=surface@entry=0x15a5cb0, next=next@entry=0x15a5e18) at ../subprojects/wlroots/types/wlr_surface.c:455
        __PRETTY_FUNCTION__ = "surface_commit_state"
        invalid_buffer = <optimized out>
        subsurface = 0x15a6038
#6  0x00007f508bd2f53b in surface_commit_pending (surface=0x15a5cb0) at ../subprojects/wlroots/types/wlr_surface.c:474
        next_seq = 3
        next_seq = <optimized out>
#7  surface_commit (client=<optimized out>, resource=<optimized out>) at ../subprojects/wlroots/types/wlr_surface.c:542
        surface = 0x15a5cb0
        subsurface = <optimized out>

If map_ws is NULL we assume the view is placed into the scratchpad and return false as well.

(cherry picked from commit 30e400c)
emersion
pushed a commit
that referenced
this issue
Jun 24, 2021
Same commit as the emersion/sway entry above (cherry picked from commit 8529141).
emersion
pushed a commit
that referenced
this issue
Jun 24, 2021
Same commit as the emersion/sway entry above (cherry picked from commit 30e400c).
This was referenced Nov 29, 2021
Closed
Nefsen402
added a commit
to Nefsen402/sway
that referenced
this issue
Dec 13, 2021
There seems to be a null pointer access that can happen. I was able to reproduce this by running the cemu emulator[1] with the new collabora wine wayland driver[2] and opening and closing some sub menus. Adding a trivial null check seems to do the trick to stop sway from crashing and returning to tty and everything else works normally.

[1]: http://cemu.info/
[2]: https://www.winehq.org/pipermail/wine-devel/2021-December/203035.html

Stack trace from lldb:

* thread #1, name = 'sway', stop reason = signal SIGSEGV: invalid address (fault address: 0xf8)
    frame #0: 0x00005555555c3fc3 sway`view_child_init(child=0x0000555555f67940, impl=0x00005555555ee030, view=0x00005555565bc590, surface=0x00005555565b6940) at view.c:1117:25
   1114 	wl_signal_add(&view->events.unmap, &child->view_unmap);
   1115 	child->view_unmap.notify = view_child_handle_view_unmap;
   1116
-> 1117 	struct sway_workspace *workspace = child->view->container->pending.workspace;
   1118 	if (workspace) {
   1119 		wlr_surface_send_enter(child->surface, workspace->output->wlr_output);
   1120 	}
(lldb) up
error: sway {0x000342ab}: DIE has DW_AT_ranges(DW_FORM_sec_offset 0x67) attribute, but range extraction failed (invalid range list offset 0x67), please file a bug and attach the file at the start of this error message
frame #1: 0x00005555555c39f8 sway`view_child_subsurface_create(child=0x00005555564a10d0, wlr_subsurface=0x0000555556586910) at view.c:985:2
   982 	}
   983 	subsurface->child.parent = child;
   984 	wl_list_insert(&child->children, &subsurface->child.link);
-> 985 	view_child_init(&subsurface->child, &subsurface_impl, child->view,
   986 		wlr_subsurface->surface);
   987
   988 	wl_signal_add(&wlr_subsurface->events.destroy, &subsurface->destroy);
(lldb) up
frame #2: 0x00005555555c3c2a sway`view_child_handle_surface_new_subsurface(listener=0x00005555564a1130, data=0x0000555556586910) at view.c:1031:2
   1028 	struct sway_view_child *child =
   1029 		wl_container_of(listener, child, surface_new_subsurface);
   1030 	struct wlr_subsurface *subsurface = data;
-> 1031 	view_child_subsurface_create(child, subsurface);
   1032 }
   1033
   1034 static void view_child_handle_surface_destroy(struct wl_listener *listener,
(lldb) up
frame #3: 0x00007ffff78f4bfe libwlroots.so.10`wlr_signal_emit_safe(signal=0x00005555565b2470, data=0x0000555556586910) at signal.c:29:3
   26  		wl_list_remove(&cursor.link);
   27  		wl_list_insert(pos, &cursor.link);
   28
-> 29  		l->notify(l, data);
   30  	}
   31
   32  	wl_list_remove(&cursor.link);
(lldb) up
frame #4: 0x00007ffff78e5a41 libwlroots.so.10`subsurface_parent_commit(subsurface=0x0000555556586910) at wlr_surface.c:517:3
   514
   515 	if (!subsurface->added) {
   516 		subsurface->added = true;
-> 517 		wlr_signal_emit_safe(&subsurface->parent->events.new_subsurface,
   518 			subsurface);
   519 	}
   520 }
(lldb) up
frame #5: 0x00007ffff78e56fa libwlroots.so.10`surface_commit_state(surface=0x00005555565b21b0, next=0x00005555565b2338) at wlr_surface.c:439:3
   436 		wl_list_insert(&surface->current.subsurfaces_above,
   437 			&subsurface->current.link);
   438
-> 439 		subsurface_parent_commit(subsurface);
   440 	}
   441 	wl_list_for_each_reverse(subsurface, &surface->pending.subsurfaces_below,
   442 		pending.link) {
(lldb) up
frame #6: 0x00007ffff78e5b88 libwlroots.so.10`surface_handle_commit(client=0x0000555556564c80, resource=0x0000555556599a20) at wlr_surface.c:555:3
   552 	if (surface->pending.cached_state_locks > 0 || !wl_list_empty(&surface->cached)) {
   553 		surface_cache_pending(surface);
   554 	} else {
-> 555 		surface_commit_state(surface, &surface->pending);
   556 	}
   557 }
   558
(lldb) up
frame #7: 0x00007ffff7000d4a libffi.so.8`___lldb_unnamed_symbol118 + 82
libffi.so.8`___lldb_unnamed_symbol118:
->  0x7ffff7000d4a <+82>: leaq   0x18(%rbp), %rsp
    0x7ffff7000d4e <+86>: movq   (%rbp), %rcx
    0x7ffff7000d52 <+90>: movq   0x8(%rbp), %rdi
    0x7ffff7000d56 <+94>: movq   0x10(%rbp), %rbp
(lldb) up
frame #8: 0x00007ffff7000267 libffi.so.8`___lldb_unnamed_symbol115 + 439
libffi.so.8`___lldb_unnamed_symbol115:
->  0x7ffff7000267 <+439>: movq   -0x38(%rbp), %rax
    0x7ffff700026b <+443>: subq   %fs:0x28, %rax
    0x7ffff7000274 <+452>: jne    0x7ffff70004e7            ; <+1079>
    0x7ffff700027a <+458>: leaq   -0x28(%rbp), %rsp
(lldb) up
frame #9: 0x00007ffff795a173 libwayland-server.so.0`___lldb_unnamed_symbol271 + 371
libwayland-server.so.0`___lldb_unnamed_symbol271:
->  0x7ffff795a173 <+371>: movq   0x8(%r12), %rax
    0x7ffff795a178 <+376>: movq   0x8(%rax), %rdi
    0x7ffff795a17c <+380>: movl   (%r12), %eax
    0x7ffff795a180 <+384>: testl  %eax, %eax
(lldb) up
frame #10: 0x00007ffff795555c libwayland-server.so.0`___lldb_unnamed_symbol210 + 588
libwayland-server.so.0`___lldb_unnamed_symbol210:
->  0x7ffff795555c <+588>: jmp    0x7ffff7955435            ; <+293>
    0x7ffff7955561 <+593>: nopl   (%rax)
    0x7ffff7955568 <+600>: callq  *0xd76a(%rip)
    0x7ffff795556e <+606>: cmpl   $0xb, (%rax)
(lldb) up
frame #11: 0x00007ffff795804a libwayland-server.so.0`wl_event_loop_dispatch + 202
libwayland-server.so.0`wl_event_loop_dispatch:
->  0x7ffff795804a <+202>: addq   $0xc, %r15
    0x7ffff795804e <+206>: cmpq   %r15, %rbp
    0x7ffff7958051 <+209>: jne    0x7ffff7958038            ; <+184>
    0x7ffff7958053 <+211>: movq   0x8(%rsp), %rcx1
(lldb) up
frame #12: 0x00007ffff7955bc7 libwayland-server.so.0`wl_display_run + 39
libwayland-server.so.0`wl_display_run:
->  0x7ffff7955bc7 <+39>: movl   0x8(%rbx), %eax
    0x7ffff7955bca <+42>: testl  %eax, %eax
    0x7ffff7955bcc <+44>: jne    0x7ffff7955bb0            ; <+16>
    0x7ffff7955bce <+46>: popq   %rbx
(lldb) up
frame #13: 0x00005555555756eb sway`server_run(server=0x00005555555f0640) at server.c:296:2
   293 	void server_run(struct sway_server *server) {
   294 		sway_log(SWAY_INFO, "Running compositor on wayland display '%s'",
   295 			server->socket);
-> 296 		wl_display_run(server->wl_display);
   297 	}
(lldb) up
frame #14: 0x0000555555574947 sway`main(argc=1, argv=0x00007fffffffe8d8) at main.c:428:2
   425 		swaynag_show(&config->swaynag_config_errors);
   426 	}
   427
-> 428 	server_run(&server);
   429
   430 shutdown:
   431 	sway_log(SWAY_INFO, "Shutting down sway");
(lldb) up
frame #15: 0x00007ffff761db25 libc.so.6`__libc_start_main + 213
libc.so.6`__libc_start_main:
->  0x7ffff761db25 <+213>: movl   %eax, %edi
    0x7ffff761db27 <+215>: callq  0x7ffff7635630            ; exit
    0x7ffff761db2c <+220>: movq   (%rsp), %rax
    0x7ffff761db30 <+224>: leaq   0x163929(%rip), %rdi
(lldb) up
frame #16: 0x00005555555656be sway`_start + 46
sway`_start:
->  0x5555555656be <+46>: hlt
    0x5555555656bf:      nop
sway`deregister_tm_clones:
    0x5555555656c0 <+0>: leaq   0x8aeb9(%rip), %rdi       ; optind@GLIBC_2.2.5
    0x5555555656c7 <+7>: leaq   0x8aeb2(%rip), %rax       ; optind@GLIBC_2.2.5

Signed-off-by: Alexander Orzechowski <[email protected]>
emersion
pushed a commit
that referenced
this issue
Dec 13, 2021
Same commit message as the Nefsen402/sway entry above (Signed-off-by: Alexander Orzechowski).
michaelweiser
added a commit
to michaelweiser/sway
that referenced
this issue
Feb 28, 2022
This change prevents swaybar from crashing when trying to open the context menu of a StatusNotifierItem. Observed with blueman-applet. The backtrace is:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x000055fa7472b150 in dbusmenu_menu_find_menu_surface (menu=0x0, surface=0x55fa74d290d0) at ../sway-1.7/swaybar/tray/dbusmenu.c:1203
1203		if (menu->surface && menu->surface->surface == surface) {
(gdb) bt
#0  0x000055fa7472b150 in dbusmenu_menu_find_menu_surface (menu=0x0, surface=0x55fa74d290d0) at ../sway-1.7/swaybar/tray/dbusmenu.c:1203
#1  0x000055fa7472b4a3 in dbusmenu_pointer_enter (data=0x55fa74d28310, wl_pointer=0x55fa74d22e10, serial=348969, surface=0x55fa74d290d0, surface_x=365306, surface_y=6803) at ../sway-1.7/swaybar/tray/dbusmenu.c:1278
#2  0x000055fa747192eb in wl_pointer_enter (data=0x55fa74d28310, wl_pointer=0x55fa74d22e10, serial=348969, surface=0x55fa74d290d0, surface_x=365306, surface_y=6803) at ../sway-1.7/swaybar/input.c:121
#3  0x00007f9eced29e1a in  () at /usr/lib64/libffi.so.8
#4  0x00007f9eced2937c in  () at /usr/lib64/libffi.so.8
#5  0x00007f9ecf6da4c1 in  () at /usr/lib64/libwayland-client.so.0
#6  0x00007f9ecf6d6a0a in  () at /usr/lib64/libwayland-client.so.0
#7  0x00007f9ecf6d832c in wl_display_dispatch_queue_pending () at /usr/lib64/libwayland-client.so.0
#8  0x00007f9ecf6d884f in wl_display_roundtrip_queue () at /usr/lib64/libwayland-client.so.0
#9  0x000055fa7472acc8 in swaybar_dbusmenu_create (sni=0x55fa74e05590, output=0x55fa74d28d60, seat=0x55fa74d28310, serial=348944, x=5230, y=1100) at ../sway-1.7/swaybar/tray/dbusmenu.c:1107
#10 0x000055fa74724de8 in handle_click (sni=0x55fa74e05590, output=0x55fa74d28d60, seat=0x55fa74d28310, serial=348944, x=5230, y=1100, button=273, delta=1) at ../sway-1.7/swaybar/tray/item.c:379
#11 0x000055fa74725137 in icon_hotspot_callback (output=0x55fa74d28d60, hotspot=0x55fa74db12f0, seat=0x55fa74d28310, serial=348944, x=1390.921875, y=20.99609375, button=273, data=0x55fa74f33e40) at ../sway-1.7/swaybar/tray/item.c:423
#12 0x000055fa74719555 in process_hotspots (output=0x55fa74d28d60, seat=0x55fa74d28310, serial=348944, x=1390.921875, y=20.99609375, button=273) at ../sway-1.7/swaybar/input.c:175
#13 0x000055fa74719693 in wl_pointer_button (data=0x55fa74d28310, wl_pointer=0x55fa74d22e10, serial=348944, time=1003868332, button=273, state=1) at ../sway-1.7/swaybar/input.c:207
#14 0x00007f9eced29e1a in  () at /usr/lib64/libffi.so.8
#15 0x00007f9eced2937c in  () at /usr/lib64/libffi.so.8
#16 0x00007f9ecf6da4c1 in  () at /usr/lib64/libwayland-client.so.0
#17 0x00007f9ecf6d6a0a in  () at /usr/lib64/libwayland-client.so.0
#18 0x00007f9ecf6d832c in wl_display_dispatch_queue_pending () at /usr/lib64/libwayland-client.so.0
#19 0x000055fa74716aa9 in display_in (fd=136, mask=1, data=0x55fa7473ba40 <swaybar>) at ../sway-1.7/swaybar/bar.c:470
#20 0x000055fa7472d414 in loop_poll (loop=0x55fa74d20fd0) at ../sway-1.7/common/loop.c:84
#21 0x000055fa74716d52 in bar_run (bar=0x55fa7473ba40 <swaybar>) at ../sway-1.7/swaybar/bar.c:519
#22 0x000055fa7471cec2 in main (argc=3, argv=0x7fff4c24db38) at ../sway-1.7/swaybar/main.c:101
RagnarGrootKoerkamp
pushed a commit
to RagnarGrootKoerkamp/sway
that referenced
this issue
Mar 29, 2022
Same commit message as the Nefsen402/sway entry above (Signed-off-by: Alexander Orzechowski).
Emantor added a commit to Emantor/sway that referenced this issue on Jun 14, 2023
In case a display is unplugged, the sway output may be removed from the userdata before the gamma_control can be reset. In this case we can't schedule a commit on the output, simply return within the function.

backtrace full:

#0  handle_gamma_control_set_gamma (listener=0x4856a8 <server+616>, data=0x7ffce1ed59c0) at ../sway/desktop/output.c:1105
        server = 0x485440 <server>
        event = 0x7ffce1ed59c0
        output = 0x0
#1  0x00007f430d1dca0c in wl_signal_emit_mutable () from /nix/store/ky1g6ylzr2m4bq8fy0gzrnqmjr6948k5-wayland-1.22.0/lib/libwayland-server.so.0
No symbol table info available.
#2  0x00007f430d142370 in gamma_control_destroy (gamma_control=0x29eb9b0) at ../types/wlr_gamma_control_v1.c:37
        manager = 0x27e33e0
        output = 0x2a10770
        event = {output = 0x2a10770, control = 0x0}
#3  0x00007f430d14239b in gamma_control_handle_output_destroy (listener=<optimized out>, data=<optimized out>) at ../types/wlr_gamma_control_v1.c:59
        gamma_control = <optimized out>
#4  0x00007f430d1dca0c in wl_signal_emit_mutable () from /nix/store/ky1g6ylzr2m4bq8fy0gzrnqmjr6948k5-wayland-1.22.0/lib/libwayland-server.so.0
No symbol table info available.
#5  0x00007f430d12a0e0 in wlr_output_destroy (output=output@entry=0x2a10770) at ../types/output/output.c:384
        cursor = <optimized out>
        tmp_cursor = <optimized out>
        layer = <optimized out>
        tmp_layer = <optimized out>
#6  0x00007f430d114ecf in disconnect_drm_connector (conn=conn@entry=0x2a10770) at ../backend/drm/drm.c:1757
        __PRETTY_FUNCTION__ = "disconnect_drm_connector"
#7  0x00007f430d117078 in scan_drm_connectors (drm=drm@entry=0x1eebab0, event=event@entry=0x7ffce1ed5c1c) at ../backend/drm/drm.c:1597
        c = <optimized out>
        wlr_conn = 0x2a10770
        drm_conn = 0x2e760d0
        conn_id = <optimized out>
        index = 4
        i = 4
        res = 0x2e761f0
        seen_len = 5
        seen = {true, true, true, true, true, false}
        new_outputs_len = 0
        new_outputs = 0x7ffce1ed5ab0
        conn = <optimized out>
        tmp_conn = <optimized out>
        index = <optimized out>
#8  0x00007f430d113425 in handle_dev_change (listener=0x1eebbb0, data=0x7ffce1ed5c18) at ../backend/drm/backend.c:157
        drm = 0x1eebab0
        change = 0x7ffce1ed5c18
#9  0x00007f430d1dca0c in wl_signal_emit_mutable () from /nix/store/ky1g6ylzr2m4bq8fy0gzrnqmjr6948k5-wayland-1.22.0/lib/libwayland-server.so.0
No symbol table info available.
#10 0x00007f430d111696 in handle_udev_event (fd=<optimized out>, mask=<optimized out>, data=<optimized out>) at ../backend/session/session.c:213
        event = {type = WLR_DEVICE_HOTPLUG, {hotplug = {connector_id = 0, prop_id = 0}}}
        devnum = <optimized out>
        dev = 0x1ed9460
        session = <optimized out>
        udev_dev = 0x2e70db0
        sysname = 0x2e73c60 "card0"
        devnode = <optimized out>
        action = 0x7f430d6677b5 "change"
        seat = <optimized out>
        __PRETTY_FUNCTION__ = "handle_udev_event"
#11 0x00007f430d1de8e2 in wl_event_loop_dispatch () from /nix/store/ky1g6ylzr2m4bq8fy0gzrnqmjr6948k5-wayland-1.22.0/lib/libwayland-server.so.0
No symbol table info available.
#12 0x00007f430d1dc445 in wl_display_run () from /nix/store/ky1g6ylzr2m4bq8fy0gzrnqmjr6948k5-wayland-1.22.0/lib/libwayland-server.so.0
No symbol table info available.
#13 0x000000000041daa5 in server_run (server=server@entry=0x485440 <server>) at ../sway/server.c:338
No locals.
#14 0x000000000041cf4d in main (argc=<optimized out>, argv=0x7ffce1ed5fe8) at ../sway/main.c:415
        verbose = false
        debug = false
        validate = false
        allow_unsupported_gpu = false
        config_path = 0x0
        c = <optimized out>

where event->output->data is NULL:

(gdb) p event->output->data
$5 = (void *) 0x0
emersion pushed a commit that referenced this issue on Jun 14, 2023
In case a display is unplugged, the sway output may be removed from the userdata before the gamma_control can be reset. In this case we can't schedule a commit on the output, simply return within the function.
emersion added a commit to emersion/sway that referenced this issue on Apr 12, 2024
../sway/config/output.c:33:21: runtime error: member access within null pointer of type 'struct sway_output'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==7856==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000080 (pc 0x63da8558205c bp 0x7ffdc35881a0 sp 0x7ffdc3588160 T0)
==7856==The signal is caused by a READ memory access.
==7856==Hint: address points to the zero page.
    #0 0x63da8558205c in output_get_identifier ../sway/config/output.c:33
    #1 0x63da855865c3 in store_output_config ../sway/config/output.c:220
    #2 0x63da855d4066 in cmd_output ../sway/commands/output.c:106
    #3 0x63da8547f2e3 in config_command ../sway/commands.c:425
    #4 0x63da8548f3fc in read_config ../sway/config.c:822
    #5 0x63da8548a224 in load_config ../sway/config.c:435
    #6 0x63da8548b065 in load_main_config ../sway/config.c:507
    #7 0x63da854bee8d in main ../sway/main.c:351
    #8 0x77e2ea643ccf (/usr/lib/libc.so.6+0x25ccf) (BuildId: c0caa0b7709d3369ee575fcd7d7d0b0fc48733af)
    #9 0x77e2ea643d89 in __libc_start_main (/usr/lib/libc.so.6+0x25d89) (BuildId: c0caa0b7709d3369ee575fcd7d7d0b0fc48733af)
    #10 0x63da8547ad64 in _start (/home/simon/src/sway/build/sway/sway+0x372d64) (BuildId: 3fa2e8838c1c32713b40aec6b1e84bbe4db5bde8)

Fixes: 1267e47 ("config/output: Refactor handling of tiered configs")
kennylevinsen pushed a commit that referenced this issue on Apr 12, 2024
../sway/config/output.c:33:21: runtime error: member access within null pointer of type 'struct sway_output'

Fixes: 1267e47 ("config/output: Refactor handling of tiered configs")
Currently hardcoded to $HOME/.sway/config; should probably use XDG_CONFIG_HOME and allow a specific config to be specified through the command line.
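The lookup order the issue asks for, as an added C example (not sway's own code): an explicit command-line path first, then $XDG_CONFIG_HOME/sway/config, then $HOME/.config/sway/config, then the legacy $HOME/.sway/config. The `sway/config` subpath, the function names and the fixture file list are assumptions; a relative XDG_CONFIG_HOME is ignored as the XDG Base Directory spec requires, and a command-line path that cannot be read is an error rather than a silent fallback to another file.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
typedef bool (*exists_fn)(const char *path);
/* Real existence check for normal use. */
static bool file_exists(const char *path) { return access(path, R_OK) == 0; }
/* Constructed fixture for the demo: pretend only these files exist. */
static const char *fixture[] = { "/xdg/sway/config", "/home/u/.config/sway/config",
    "/home/w/.sway/config", "/etc/sway/override" };
bool fixture_exists(const char *path) {
    for (size_t i = 0; i < sizeof fixture / sizeof *fixture; i++)
        if (strcmp(fixture[i], path) == 0) return true;
    return false;
}
/* dir + suffix as a fresh string; NULL if dir is unset, not absolute or too long.
 * Relative dirs are rejected on purpose: the XDG Base Directory spec says a
 * relative XDG_CONFIG_HOME must be ignored, and $HOME is held to the same bar. */
static char *join_abs(const char *dir, const char *suffix) {
    char buf[4096];
    if (!dir || dir[0] != '/') return NULL;
    int n = snprintf(buf, sizeof buf, "%s%s", dir, suffix);
    if (n < 0 || (size_t)n >= sizeof buf) return NULL;
    return strdup(buf);
}
/* Returns a malloc'd path or NULL. An explicit cli_path is authoritative: if it
 * cannot be read we fail instead of quietly loading some other file. */
char *resolve_config_path(const char *cli_path, const char *xdg_config_home,
        const char *home, exists_fn exists) {
    if (cli_path && *cli_path) return exists(cli_path) ? strdup(cli_path) : NULL;
    char *cand[] = { join_abs(xdg_config_home, "/sway/config"),
        join_abs(home, "/.config/sway/config"), join_abs(home, "/.sway/config") /* legacy */ };
    char *found = NULL;
    for (size_t i = 0; i < 3; i++) {
        if (!found && cand[i] && exists(cand[i])) { found = cand[i]; cand[i] = NULL; }
        free(cand[i]);
    }
    return found;
}

int main(int argc, char **argv) {
    char *p = resolve_config_path(argc > 1 ? argv[1] : NULL,
        getenv("XDG_CONFIG_HOME"), getenv("HOME"), file_exists);
    printf("config: %s\n", p ? p : "(none found)");
    free(p);
    return 0;
}
```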