Bug 107314

Summary: Crash on resuming laptop with screen connected
Product: Wayland Reporter: Lionel Landwerlin <lionel.g.landwerlin>
Component: XWaylandAssignee: Wayland bug list <wayland-bugs>
Status: RESOLVED MOVED QA Contact: Xorg Project Team <xorg-team>
Severity: normal    
Priority: medium CC: fourdan
Version: unspecified   
Hardware: Other   
OS: All   
Whiteboard:
i915 platform: i915 features:
Attachments: present: fix freed pointer access
[RFC PATCH xserver] xwayland: ignore sync callback if window is destroyed

Description Lionel Landwerlin 2018-07-20 19:40:23 UTC 
btCore was generated by `/usr/bin/Xwayland :0 -rootless -terminate -accessx -core -listen 4 -listen 5 -d'.
Program terminated with signal SIGABRT, Aborted.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
[Current thread is 1 (Thread 0x7f7dcd86e640 (LWP 2069))]
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007f7dcfb652f1 in __GI_abort () at abort.c:79
#2  0x0000564b8f171d4a in OsAbort () at ../../../../os/utils.c:1350
#3  0x0000564b8f1778e3 in AbortServer () at ../../../../os/log.c:877
#4  0x0000564b8f178705 in FatalError (f=f@entry=0x564b8f19b610 "Caught signal %d (%s). Server aborting\n") at ../../../../os/log.c:1015
#5  0x0000564b8f16ede3 in OsSigHandler (signo=11, sip=<optimized out>, unused=<optimized out>) at ../../../../os/osinit.c:156
#6  <signal handler called>
#7  0x0000564b8f0d78b0 in dixGetPrivate (key=<optimized out>, privates=0x564b91477500) at ../../../../include/privates.h:136
#8  dixLookupPrivate (key=<optimized out>, privates=0x564b91477500) at ../../../../include/privates.h:166
#9  present_screen_priv (screen=0x564b91477130) at ../../../../present/present_priv.h:198
#10 present_wnmd_flip (damage=0x564b91698880, sync_flip=0, pixmap=0x564b91871630, target_msc=85702, event_id=140808, crtc=0x564b90ecd480, window=0x564b91698830) at ../../../../present/present_wnmd.c:357
#11 present_wnmd_execute (vblank=vblank@entry=0x564b91eb6110, ust=30332107320, crtc_msc=85703) at ../../../../present/present_wnmd.c:465
#12 0x0000564b8f0d79a4 in present_wnmd_re_execute (vblank=0x564b91eb6110) at ../../../../present/present_wnmd.c:80
#13 0x0000564b8f0d7a40 in present_wnmd_flip_try_ready (window=<optimized out>) at ../../../../present/present_wnmd.c:91
#14 0x0000564b8f0d83d0 in present_wnmd_flip_notify (crtc_msc=<optimized out>, ust=<optimized out>, vblank=<optimized out>) at ../../../../present/present_wnmd.c:195
#15 present_wnmd_event_notify (window=<optimized out>, event_id=<optimized out>, ust=<optimized out>, msc=<optimized out>) at ../../../../present/present_wnmd.c:228
#16 0x0000564b8f01b4e7 in xwl_present_sync_callback (data=0x70fef3a38, callback=<optimized out>, time=<optimized out>) at ../../../../../hw/xwayland/xwayland-present.c:282
#17 0x00007f7dcf894fce in ffi_call_unix64 () from /usr/lib/x86_64-linux-gnu/libffi.so.6
#18 0x00007f7dcf89493f in ffi_call () from /usr/lib/x86_64-linux-gnu/libffi.so.6
#19 0x00007f7dd1621184 in ?? () from /usr/lib/x86_64-linux-gnu/libwayland-client.so.0
#20 0x00007f7dd161d9d9 in ?? () from /usr/lib/x86_64-linux-gnu/libwayland-client.so.0
#21 0x00007f7dd161eea4 in wl_display_dispatch_queue_pending () from /usr/lib/x86_64-linux-gnu/libwayland-client.so.0
#22 0x0000564b8f0110bb in xwl_read_events (xwl_screen=0x564b90ebefa0) at ../../../../../hw/xwayland/xwayland.c:820
#23 0x0000564b8f16f871 in ospoll_wait (ospoll=0x564b90eb3f90, timeout=<optimized out>) at ../../../../os/ospoll.c:651
#24 0x0000564b8f1689c3 in WaitForSomething (are_ready=1) at ../../../../os/WaitFor.c:207
#25 0x0000564b8f138cc3 in Dispatch () at ../../../../dix/dispatch.c:421
#26 0x0000564b8f13cf18 in dix_main (argc=12, argv=0x7fff5522a868, envp=<optimized out>) at ../../../../dix/main.c:276
#27 0x00007f7dcfb50b17 in __libc_start_main (main=0x564b8f010520 <main>, argc=12, argv=0x7fff5522a868, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fff5522a858) at ../csu/libc-start.c:310
#28 0x0000564b8f01055a in _start ()
Comment 1 Lionel Landwerlin 2018-07-20 19:40:44 UTC 
This is XWayland 1.20.0
Comment 2 Lionel Landwerlin 2018-07-30 15:57:09 UTC 
*** Bug 107427 has been marked as a duplicate of this bug. ***
Comment 3 Lionel Landwerlin 2018-08-23 09:57:42 UTC 
Reproduced with xwayland 1.20.1.
Comment 4 Lionel Landwerlin 2018-08-24 18:35:34 UTC 
Got a valgrind trace :

==5331== Invalid read of size 8
==5331==    at 0x212B4D: present_vblank_notify (present_vblank.c:34)
==5331==    by 0x21439B: present_wnmd_flip_notify (present_wnmd.c:194)
==5331==    by 0x21439B: present_wnmd_event_notify (present_wnmd.c:228)
==5331==    by 0x156216: xwl_present_sync_callback (xwayland-present.c:282)
==5331==    by 0x6570FCD: ffi_call_unix64 (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4)
==5331==    by 0x657093E: ffi_call (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4)
==5331==    by 0x4DDB183: ??? (in /usr/lib/x86_64-linux-gnu/libwayland-client.so.0.3.0)
==5331==    by 0x4DD79D8: ??? (in /usr/lib/x86_64-linux-gnu/libwayland-client.so.0.3.0)
==5331==    by 0x4DD8EA3: wl_display_dispatch_queue_pending (in /usr/lib/x86_64-linux-gnu/libwayland-client.so.0.3.0)
==5331==    by 0x14BCCA: xwl_read_events (xwayland.c:814)
==5331==    by 0x2AC0D0: ospoll_wait (ospoll.c:651)
==5331==    by 0x2A5322: WaitForSomething (WaitFor.c:208)
==5331==    by 0x27574B: Dispatch (dispatch.c:421)
==5331==  Address 0x1b44dc98 is 40 bytes inside a block of size 184 free'd
==5331==    at 0x48369EB: free (vg_replace_malloc.c:530)
==5331==    by 0x213B0A: present_wnmd_free_idle_vblanks (present_wnmd.c:118)
==5331==    by 0x213B0A: present_wnmd_flips_stop (present_wnmd.c:161)
==5331==    by 0x2143EF: present_wnmd_flip_notify (present_wnmd.c:192)
==5331==    by 0x2143EF: present_wnmd_event_notify (present_wnmd.c:228)
==5331==    by 0x156216: xwl_present_sync_callback (xwayland-present.c:282)
==5331==    by 0x6570FCD: ffi_call_unix64 (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4)
==5331==    by 0x657093E: ffi_call (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4)
==5331==    by 0x4DDB183: ??? (in /usr/lib/x86_64-linux-gnu/libwayland-client.so.0.3.0)
==5331==    by 0x4DD79D8: ??? (in /usr/lib/x86_64-linux-gnu/libwayland-client.so.0.3.0)
==5331==    by 0x4DD8EA3: wl_display_dispatch_queue_pending (in /usr/lib/x86_64-linux-gnu/libwayland-client.so.0.3.0)
==5331==    by 0x14BCCA: xwl_read_events (xwayland.c:814)
==5331==    by 0x2AC0D0: ospoll_wait (ospoll.c:651)
==5331==    by 0x2A5322: WaitForSomething (WaitFor.c:208)
==5331==  Block was alloc'd at
==5331==    at 0x48377D5: calloc (vg_replace_malloc.c:711)
==5331==    by 0x212D9F: present_vblank_create (present_vblank.c:69)
==5331==    by 0x214014: present_wnmd_pixmap (present_wnmd.c:610)
==5331==    by 0x21576C: proc_present_pixmap (present_request.c:150)
==5331==    by 0x27599D: Dispatch (dispatch.c:479)
==5331==    by 0x279945: dix_main (main.c:276)
==5331==    by 0x633AB16: (below main) (libc-start.c:310)
==5331== 


Seems to indicate that we're not dealing with the abort flip correctly.
present_wnmd_flip_notify needs fixing.
Comment 5 Lionel Landwerlin 2018-08-24 18:50:08 UTC 
Created attachment 141273 [details] [review]
present: fix freed pointer access

Tentative fix.
Comment 6 Daniel Stone 2018-08-24 20:43:58 UTC 
Seems safe enough. When we free the vblanks (which, when we're aborting here, can only happen because the window has been destroyed), we'll send a Present IdleNotify. I don't think there's any need to send any completion events.

Can you please git-send-email this to xorg-devel@lists.x.org with this on it?
Reviewed-by: Daniel Stone <daniels@collabora.com>
Comment 7 Olivier Fourdan 2018-09-05 17:04:44 UTC 
Created attachment 141463 [details] [review]
[RFC PATCH xserver] xwayland: ignore sync callback if window is destroyed

(In reply to Daniel Stone from comment #6)
> Seems safe enough. When we free the vblanks (which, when we're aborting
> here, can only happen because the window has been destroyed), [...]

Roman pointed out on the ML a crash possibly caused by that patch.

What about this patch then?

On destroy, `xwl_present_cleanup()` would free the `xwl_present_window` but leave its reference in the window's privates, so that other functions could still find it and use freed memory.

That patch there https://patchwork.freedesktop.org/patch/247271/ fixes that, so with this if we just check for `xwl_present_window` being nun-null in `xwl_present_sync_callback()` we should avoid the crash, cleanly, no?

If the idea makes sense (and if someone cwould be willing to try it) and if it works, I would send that to the ML for further review.
Comment 8 GitLab Migration User 2019-05-10 15:54:06 UTC 
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/xorg/xserver/issues/724.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.