
warp_to_constraint_cursor_hint: Handle NULL view #7349

Merged
merged 1 commit into from
Jan 4, 2023

Conversation

Nefsen402
Copy link
Member

This might be the wrong fix, but the crash is happening because the ->data field on an xwayland surface is NULL. A NULL data field is normal for unmanaged surfaces, however it seems clients can do weird things: they can create a cursor lock on a regular xwayland surface then make it unmanaged by calling override_redirect. In this case, the xwayland server should destroy the cursor lock, which it does, but does so in the wrong order, making it try to dereference a NULL pointer after sway has acknowledged its new unmanaged status.

```
(gdb) bt full
0  0x000055fd91934861 in warp_to_constraint_cursor_hint (cursor=0x55fd93486c00)
    at ../sway/input/cursor.c:1243
        sy = 605
        lx = 6.9527431433545762e-310
        sx = 1272
        view = 0x0
        con = 0x7ffd1cdfe400
        ly = -6.949595189996421e+59
        constraint = 0x55fd93e7faa0
1  0x000055fd91934976 in handle_constraint_destroy (listener=0x55fd93f0fd58, data=0x55fd93e7faa0)
    at ../sway/input/cursor.c:1266
        sway_constraint = 0x55fd93f0fd30
        constraint = 0x55fd93e7faa0
        cursor = 0x55fd93486c00
2  0x00007fda8275bf6e in wl_signal_emit_mutable () at /usr/lib/libwayland-server.so.0
3  0x00007fda82e57016 in pointer_constraint_destroy (constraint=0x55fd93e7faa0)
    at ../subprojects/wlroots/types/wlr_pointer_constraints_v1.c:49
4  0x00007fda82e570dc in pointer_constraint_destroy_resource (resource=0x55fd933cf8f0)
    at ../subprojects/wlroots/types/wlr_pointer_constraints_v1.c:66
        constraint = 0x55fd93e7faa0
5  0x00007fda8275d8ba in  () at /usr/lib/libwayland-server.so.0
6  0x00007fda8275f6a9 in wl_resource_destroy () at /usr/lib/libwayland-server.so.0
7  0x00007fda82e56fb3 in resource_destroy (client=0x55fd93ea52e0, resource=0x55fd933cf8f0)
    at ../subprojects/wlroots/types/wlr_pointer_constraints_v1.c:39
8  0x00007fda81d8f4f6 in  () at /usr/lib/libffi.so.8
9  0x00007fda81d8bf5e in  () at /usr/lib/libffi.so.8
10 0x00007fda81d8eb73 in ffi_call () at /usr/lib/libffi.so.8
11 0x00007fda8275aada in  () at /usr/lib/libwayland-server.so.0
12 0x00007fda8275f01c in  () at /usr/lib/libwayland-server.so.0
13 0x00007fda8275d9e2 in wl_event_loop_dispatch () at /usr/lib/libwayland-server.so.0
14 0x00007fda8275e197 in wl_display_run () at /usr/lib/libwayland-server.so.0
15 0x000055fd919264d3 in server_run (server=0x55fd919a3a80 <server>) at ../sway/server.c:320
16 0x000055fd91925457 in main (argc=1, argv=0x7ffd1cdfed98) at ../sway/main.c:411
        verbose = false
        debug = false
        validate = false
        allow_unsupported_gpu = false
        config_path = 0x0
        c = -1
```

@emersion emersion left a comment

Xwayland doesn't care about managed/unmanaged.

That said, maybe the client switches from managed to unmanaged and ends the lock at the same time. Since there is no synchronization between the X11 and Wayland sockets, there is no ordering guarantee between these two events.

Sounds like something we need to handle.
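To make the ordering problem described above concrete, here is an added example in C. It is not sway's or wlroots's code and not the diff of this PR (the page does not show the diff); the struct names (`container`, `view`, `surface`, `constraint`, `cursor`) and the return value of the handler are simplified stand-ins for the real sway types. The point is the one this thread makes: because the X11 and Wayland sockets are not synchronized, the constraint-destroy listener can run either before or after the surface has lost its role data (`->data == NULL`), so the handler must tolerate a NULL view rather than dereference it.

```c
/* Added example, not sway's code: models the event ordering discussed in the
 * thread. A pointer-constraint destroy listener may fire after the xwayland
 * surface has already become unmanaged, at which point surface->data is NULL.
 * All names below are hypothetical stand-ins for the real sway structures. */
#include <stdbool.h>
#include <stddef.h>

struct container { double x, y; };            /* stand-in for sway_container */
struct view { struct container *container; }; /* stand-in for sway_view */
struct surface { void *data; };               /* role data: a view, or NULL when unmanaged */
struct constraint {
    struct surface *surface;
    bool has_hint;
    double hint_x, hint_y;                    /* cursor hint in surface-local coordinates */
};
struct cursor { double x, y; };

/* Guarded handler: returns true if the cursor was warped to the hint, false if
 * the hint was skipped. Without the NULL check, view->container is the
 * dereference that crashes in the backtraces above. */
bool warp_to_constraint_cursor_hint(struct cursor *cursor, const struct constraint *c) {
    if (!c->has_hint) {
        return false;
    }
    struct view *view = c->surface->data;
    if (view == NULL) {
        /* Surface is unmanaged (or became so before this listener ran):
         * there is no container to translate the hint into, so do nothing. */
        return false;
    }
    struct container *con = view->container;
    cursor->x = con->x + c->hint_x;
    cursor->y = con->y + c->hint_y;
    return true;
}

/* Runs the same pair of events in both orders. Returns true when the ordering
 * with a live view warps the cursor and the ordering with a torn-down view is
 * skipped cleanly instead of crashing. */
bool simulate_both_orderings(void) {
    struct container con = { .x = 100, .y = 200 };
    struct view view = { .container = &con };
    struct surface surf = { .data = &view };
    struct constraint c = { .surface = &surf, .has_hint = true, .hint_x = 10, .hint_y = 5 };

    /* Ordering A: lock destroyed first, surface goes unmanaged afterwards. */
    struct cursor cur_a = { 0, 0 };
    bool warped_a = warp_to_constraint_cursor_hint(&cur_a, &c);
    surf.data = NULL;                          /* override_redirect: view torn down */

    /* Ordering B: surface went unmanaged first, then the destroy listener fires. */
    struct cursor cur_b = { 1, 1 };
    bool warped_b = warp_to_constraint_cursor_hint(&cur_b, &c);

    return warped_a && cur_a.x == 110 && cur_a.y == 205
        && !warped_b && cur_b.x == 1 && cur_b.y == 1;
}
```

The second ordering is the one in the backtraces (`view = 0x0` in frame 0); the guard turns it from a SIGSEGV into a no-op, which is the behaviour a compositor wants when a client tears down state in an order the protocol does not forbid.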

@emersion emersion merged commit 88c17ec into swaywm:master Jan 4, 2023

emersion commented Jan 4, 2023

Thanks!

@Nefsen402 Nefsen402 deleted the xwayland-cursor-lock branch January 5, 2023 08:10
@froeberger

This seems related:

Okay, digging deeper, there seems to be a bug at line 1325 of the latest sway's cursor.c

I am able to reproduce a crash and coredump in sway any time I choose a beat subdivision timing within Bitwig-Studio. The selection process involves a mouse click to pull up the options mini-panel, and then holding the mouse button down while dragging to select the subdivision of a beat timing I desire (triole, quintole, septole, etc.). Crash and coredump and abrupt end of login session every time.

from coredump analysis:

```
Core was generated by `sway'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x000055862c09defb in warp_to_constraint_cursor_hint (cursor=cursor@entry=0x55862d9495e0) at ../sway-1.8/sway/input/cursor.c:1325
1325 struct sway_container *con = view->container;

#0 0x000055862c09defb in warp_to_constraint_cursor_hint (cursor=cursor@entry=0x55862d9495e0) at ../sway-1.8/sway/input/cursor.c:1325
#1 0x000055862c09dfc0 in handle_constraint_destroy (listener=0x55862e249358, data=0x55862e1f2f40) at ../sway-1.8/sway/input/cursor.c:1348
#2 0x00007f600769ef6e in wl_signal_emit_mutable (signal=signal@entry=0x55862e1f3048, data=data@entry=0x55862e1f2f40) at ../wayland-1.21.0/src/wayland-server.c:2179
#3 0x00007f6007615f17 in pointer_constraint_destroy (constraint=0x55862e1f2f40) at ../wlroots-0.16.1/types/wlr_pointer_constraints_v1.c:49
#4 0x00007f60076a08ba in destroy_resource (element=0x55862e1f4290, data=data@entry=0x0, flags=0) at ../wayland-1.21.0/src/wayland-server.c:730
#5 0x00007f60076a26a9 in wl_resource_destroy (resource=) at ../wayland-1.21.0/src/wayland-server.c:747
#6 0x00007f6006d174f6 in ffi_call_unix64 () at ../src/x86/unix64.S:104
#7 0x00007f6006d13f5e in ffi_call_int (cif=, fn=, rvalue=, avalue=, closure=) at ../src/x86/ffi64.c:673
#8 0x00007f6006d16b73 in ffi_call (cif=cif@entry=0x7ffca3e757c0, fn=, rvalue=rvalue@entry=0x0, avalue=avalue@entry=0x7ffca3e75890) at ../src/x86/ffi64.c:710
#9 0x00007f600769dada in wl_closure_invoke (closure=closure@entry=0x55862e24e500, target=, target@entry=0x55862e1f4290, opcode=opcode@entry=0, data=,
data@entry=0x55862e11a340, flags=2) at ../wayland-1.21.0/src/connection.c:1025
#10 0x00007f60076a201c in wl_client_connection_data (fd=, mask=, data=) at ../wayland-1.21.0/src/wayland-server.c:437
#11 0x00007f60076a09e2 in wl_event_loop_dispatch (loop=0x55862cfe0bd0, timeout=timeout@entry=-1) at ../wayland-1.21.0/src/event-loop.c:1027
#12 0x00007f60076a1197 in wl_display_run (display=0x55862cfe0ae0) at ../wayland-1.21.0/src/wayland-server.c:1431
#13 0x000055862c086b15 in server_run (server=) at ../sway-1.8/sway/server.c:313
#14 main (argc=, argv=0x7ffca3e75f88) at ../sway-1.8/sway/main.c:415
```

@froeberger

a full backtrace:
```
(gdb) bt full
#0 0x000055862c09defb in warp_to_constraint_cursor_hint (cursor=cursor@entry=0x55862d9495e0) at ../sway-1.8/sway/input/cursor.c:1325
sy =
lx =
sx =
view = 0x0
con =
ly =
constraint = 0x55862e1f2f40
#1 0x000055862c09dfc0 in handle_constraint_destroy (listener=0x55862e249358, data=0x55862e1f2f40) at ../sway-1.8/sway/input/cursor.c:1348
sway_constraint = 0x55862e249330
constraint = 0x55862e1f2f40
cursor = 0x55862d9495e0
#2 0x00007f600769ef6e in wl_signal_emit_mutable (signal=signal@entry=0x55862e1f3048, data=data@entry=0x55862e1f2f40) at ../wayland-1.21.0/src/wayland-server.c:2179
pos = 0x55862e249358
l = 0x55862e249358
cursor = {link = {prev = 0x55862e1f3048, next = 0x7ffca3e75540}, notify = 0x7f600769c110 <handle_noop>}
end = {link = {prev = 0x7ffca3e75560, next = 0x55862e1f3048}, notify = 0x7f600769c110 <handle_noop>}
#3 0x00007f6007615f17 in pointer_constraint_destroy (constraint=0x55862e1f2f40) at ../wlroots-0.16.1/types/wlr_pointer_constraints_v1.c:49
#4 0x00007f60076a08ba in destroy_resource (element=0x55862e1f4290, data=data@entry=0x0, flags=0) at ../wayland-1.21.0/src/wayland-server.c:730
resource = 0x55862e1f4290
#5 0x00007f60076a26a9 in wl_resource_destroy (resource=) at ../wayland-1.21.0/src/wayland-server.c:747
client = 0x55862e11a340
id = 155
flags =
#6 0x00007f6006d174f6 in ffi_call_unix64 () at ../src/x86/unix64.S:104
#7 0x00007f6006d13f5e in ffi_call_int (cif=, fn=, rvalue=, avalue=, closure=) at ../src/x86/ffi64.c:673
classes = {X86_64_INTEGER_CLASS, 32764, 114370236, 32608}
stack =
argp = 0x7ffca3e75610 ""
arg_types =
gprcount = 2
ssecount =
ngpr = 1
nsse = 0
i =
avn =
flags =
reg_args =
#8 0x00007f6006d16b73 in ffi_call (cif=cif@entry=0x7ffca3e757c0, fn=, rvalue=rvalue@entry=0x0, avalue=avalue@entry=0x7ffca3e75890) at ../src/x86/ffi64.c:710
arg_types = 0x7ffca3e757e0
i =
nargs = 2
max_reg_struct_size =
#9 0x00007f600769dada in wl_closure_invoke (closure=closure@entry=0x55862e24e500, target=, target@entry=0x55862e1f4290, opcode=opcode@entry=0, data=,
data@entry=0x55862e11a340, flags=2) at ../wayland-1.21.0/src/connection.c:1025
count =
cif = {abi = FFI_UNIX64, nargs = 2, arg_types = 0x7ffca3e757e0, rtype = 0x7f6006d181a0 <ffi_type_void>, bytes = 0, flags = 0}
ffi_types = {0x7f6006d182a0 <ffi_type_pointer>, 0x7f6006d182a0 <ffi_type_pointer>, 0x7f6006d18330 <ffi_type_sint32>, 0x7f6006d18330 <ffi_type_sint32>, 0x7f6006d18330 <ffi_type_sint32>, 0x7f6006d18330 <ffi_type_sint32>, 0x0, 0x55862e12c380, 0x55862e12c380, 0x29, 0x7ffca3e75a10, 0x7f60076a2671 <wl_resource_destroy+145>, 0x55862e1f3850, 0x55862e1f3850, 0x7ffca3e75a10, 0x7f6007600e68 <wlr_surface_send_frame_done+168>, 0x7ffca3e75980, 0x23d2ec9857f3bd00, 0x0, 0x3, 0x7ffca3e759b0, 0x55862c1024a0 <sway_fmt>}
ffi_args = {0x7ffca3e757a0, 0x7ffca3e757a8, 0x55862e252b38, 0x55862e252b40, 0x1, 0xd, 0x7ffc0000000f, 0x23d2ec9857f3bd00, 0x0, 0x7f600769f471 <log_closure+81>, 0x55862e2859a0, 0x55862cfe0ae0, 0x7f60074f9ba0 <main_arena>, 0x0, 0x55862e216b00, 0x7f60073b8416 <__libc_calloc+214>, 0x0, 0x23d2ec9857f3bd00, 0x0, 0x7f600766694e, 0x7f600768e4c0 <zwp_locked_pointer_v1_requests>, 0x0}
implementation = <optimized out>
#10 0x00007f60076a201c in wl_client_connection_data (fd=, mask=, data=) at ../wayland-1.21.0/src/wayland-server.c:437
client =
connection =
resource = 0x55862e1f4290
object = 0x55862e1f4290
closure = 0x55862e24e500
message = 0x7f600768e4c0 <zwp_locked_pointer_v1_requests>
p = {155, 524288}
resource_flags = 0
opcode = 0
size =
since =
len =
#11 0x00007f60076a09e2 in wl_event_loop_dispatch (loop=0x55862cfe0bd0, timeout=timeout@entry=-1) at ../wayland-1.21.0/src/event-loop.c:1027
ep = {{events = 1, data = {ptr = 0x55862cfd9310, fd = 754815760, u32 = 754815760, u64 = 94034768794384}}, {events = 1, data = {ptr = 0x55862e1cb1f0, fd = 773632496, u32 = 773632496, u64 = 94034787611120}}, {events = 1, data = {ptr = 0x55862dd90ba0, fd = 769199008, u32 = 769199008, u64 = 94034783177632}}, {events = 1, data = {ptr = 0x180, fd = 384, u32 = 384, u64 = 384}}, {events = 773229424, data = {ptr = 0xa3e75c1000005586, fd = 21894, u32 = 21894, u64 = 11810509771591669126}}, {events = 32764, data = {ptr = 0x55862e16bb88, fd = 773241736, u32 = 773241736, u64 = 94034787220360}}, {events = 773233528, data = {ptr = 0xa3e75c5000005586, fd = 21894, u32 = 21894, u64 = 11810510046469576070}}, {events = 32764, data = {ptr = 0x7f600769d500 <wl_connection_flush+304>, fd = 124376320, u32 = 124376320, u64 = 140050417964288}}, {events = 122657696, data = {ptr = 0x18000007f60, fd = 32608, u32 = 32608, u64 = 1649267474272}}, {events = 0, data = {ptr = 0x7ffca3e75c70, fd = -1545118608, u32 = 2749848688, u64 = 140723058334832}}, {events = 801757212, data = {ptr = 0x4d3b30, fd = 5061424, u32 = 5061424, u64 = 5061424}}, {events = 0, data = {ptr = 0x0, fd = 0, u32 = 0, u64 = 0}}, {events = 0, data = {ptr = 0x0, fd = 0, u32 = 0, u64 = 0}}, {events = 0, data = {ptr = 0x0, fd = 0, u32 = 0, u64 = 0}}, {events = 0, data = {ptr = 0x0, fd = 0, u32 = 0, u64 = 0}}, {events = 0, data = {ptr = 0xfffffffffffffde0, fd = -544, u32 = 4294966752, u64 = 18446744073709551072}}, {events = 773236392, data = {ptr = 0x18000005586, fd = 21894, u32 = 21894, u64 = 1649267463558}}, {events = 0, data = {ptr = 0x55862e169b78, fd = 773233528, u32 = 773233528, u64 = 94034787212152}}, {events = 56, data = {ptr = 0x1400000000, fd = 0, u32 = 0, u64 = 85899345920}}, {events = 0, data = {ptr = 0x100000001, fd = 1, u32 = 1, u64 = 4294967297}}, {events = 130, data = {ptr = 0xa3e75d7000000083, fd = 131, u32 = 131, u64 = 11810511283420135555}}, {events = 32764, data = {ptr = 0x7ffca3e75ca0, fd = -1545118560, u32 = 2749848736, u64 = 140723058334880}}, {events = 1475591424, data = {ptr = 0x23d2ec98, fd = 601025688, u32 = 601025688, u64 = 601025688}}, {events = 0, data = {ptr = 0x55862c08dab0 <execute_command+816>, fd = 738777776, u32 = 738777776, u64 = 94034752756400}}, {events = 739127459, data = {ptr = 0x13700005586, fd = 21894, u32 = 21894, u64 = 1335734850950}}, {events = 0, data = {ptr = 0x55862d8972d0, fd = 763982544, u32 = 763982544, u64 = 94034777961168}}, {events = 805713092, data = {ptr = 0x2d947ab000000000, fd = 0, u32 = 0, u64 = 3284384924592766976}}, {events = 21894, data = {ptr = 0x0, fd = 0, u32 = 0, u64 = 0}}, {events = 124371216, data = {ptr = 0x2d96af0000000000, fd = 0, u32 = 0, u64 = 3285005392748216320}}, {events = 21894, data = {ptr = 0x55862d947160, fd = 764703072, u32 = 764703072, u64 = 94034778681696}}, {events = 1475591424, data = {ptr = 0x23d2ec98, fd = 601025688, u32 = 601025688, u64 = 601025688}}, {events = 0, data = {ptr = 0x55862e236870, fd = 774072432, u32 = 774072432, u64 = 94034788051056}}}
source =
i = 1
count =
has_timers =
#12 0x00007f60076a1197 in wl_display_run (display=0x55862cfe0ae0) at ../wayland-1.21.0/src/wayland-server.c:1431
#13 0x000055862c086b15 in server_run (server=) at ../sway-1.8/sway/server.c:313
config_path = 0x0
c =
validate = false
debug = false
allow_unsupported_gpu = false
verbose = false
#14 main (argc=, argv=0x7ffca3e75f88) at ../sway-1.8/sway/main.c:415
config_path = 0x0
c =
validate = false
debug = false
allow_unsupported_gpu = false
verbose = false
```

@Nefsen402

This patch is supposed to fix that crash? The line numbers are different because I run sway with a bunch of patches on top.
