Bug 108249

Summary: [xwayland] Crash in Xpresent code on resume from suspend
Product: Wayland Reporter: Olivier Fourdan <fourdan>
Component: XWaylandAssignee: Wayland bug list <wayland-bugs>
Status: RESOLVED FIXED QA Contact: Xorg Project Team <xorg-team>
Severity: normal    
Priority: medium CC: csaavedra, fourdan, subdiff, tpopela
Version: unspecified   
Hardware: Other   
OS: All   
Whiteboard:
i915 platform: i915 features:
Attachments: gdb bt full

Description Olivier Fourdan 2018-10-05 10:03:06 UTC 
Created attachment 141909 [details]
gdb bt full

Description:

Downstream report of a crash after resuming from suspend.

Steps to reproduce:

1. suspend the laptop while docked and connected to two external displays
2. undock the laptop
3. resume the laptop

Additional data:

Xwayland crashes in xwl_present_sync_callback():

(gdb) bt
#0  0x00007fa32bfb353f in raise () from /lib64/libc.so.6
#1  0x00007fa32bf9d895 in abort () from /lib64/libc.so.6
#2  0x00000000005943f0 in OsAbort () at utils.c:1350
#3  0x0000000000599689 in AbortServer () at log.c:877
#4  0x000000000059a4fd in FatalError (f=f@entry=0x5c0770 "Caught signal %d (%s). Server aborting\n") at log.c:1015
#5  0x00000000005916f5 in OsSigHandler (signo=11, sip=<optimized out>, unused=<optimized out>) at osinit.c:156
#6  <signal handler called>
#7  dixGetPrivate (key=<optimized out>, privates=0xf000000000404) at ../include/privates.h:122
#8  dixLookupPrivate (key=<optimized out>, privates=0xf000000000404) at ../include/privates.h:166
#9  present_screen_priv (screen=0xf000000000034) at present_priv.h:198
#10 present_wnmd_flip (damage=0xf4eee0, sync_flip=0, pixmap=0xf507a0, target_msc=268904, event_id=1985548, crtc=0xaa85b0, 
    window=0xf4ee90) at present_wnmd.c:358
#11 present_wnmd_execute (vblank=0x5e3f1a0, ust=15397860691, crtc_msc=268904) at present_wnmd.c:466
#12 0x00000000004f8ac8 in present_wnmd_re_execute (vblank=0x5e3f1a0) at present_wnmd.c:80
#13 0x00000000004392a7 in xwl_present_sync_callback (data=0x134e860, callback=<optimized out>, time=<optimized out>)
    at xwayland-present.c:287
#14 0x00007fa32bebcace in ffi_call_unix64 () from /lib64/libffi.so.6
#15 0x00007fa32bebc48f in ffi_call () from /lib64/libffi.so.6
#16 0x00007fa32c6b47ad in wl_closure_invoke (closure=closure@entry=0xaa8ff0, flags=flags@entry=1, target=<optimized out>, 
    target@entry=0x5e10480, opcode=opcode@entry=0, data=<optimized out>) at src/connection.c:1006
#17 0x00007fa32c6b0f09 in dispatch_event (display=display@entry=0xaa1a10, queue=<optimized out>) at src/wayland-client.c:1427
#18 0x00007fa32c6b241c in dispatch_queue (queue=0xaa1ad8, display=0xaa1a10) at src/wayland-client.c:1573
#19 wl_display_dispatch_queue_pending (display=0xaa1a10, queue=0xaa1ad8) at src/wayland-client.c:1815
#20 0x00007fa32c6b2480 in wl_display_dispatch_pending (display=<optimized out>) at src/wayland-client.c:1878
#21 0x000000000042ee1b in xwl_read_events (xwl_screen=0xa95d10) at xwayland.c:814
#22 0x00000000005920e1 in ospoll_wait (ospoll=0xa8b6b0, timeout=<optimized out>) at ospoll.c:651
#23 0x000000000058b9b3 in WaitForSomething (are_ready=0) at WaitFor.c:208
#24 0x000000000055b540 in Dispatch () at ../include/list.h:220
#25 0x000000000055f7d6 in dix_main (argc=12, argv=0x7ffee130c658, envp=<optimized out>) at main.c:276
#26 0x00007fa32bf9f413 in __libc_start_main () from /lib64/libc.so.6
#27 0x000000000042e33e in _start ()

(gdb) f 9
#9  present_screen_priv (screen=0xf000000000034) at present_priv.h:198
198	    return (present_screen_priv_ptr)dixLookupPrivate(&(screen)->devPrivates, &present_screen_private_key);
(gdb) p *screen
Cannot access memory at address 0xf000000000034
Comment 1 Olivier Fourdan 2018-10-05 11:33:41 UTC 
So, looking further into the backtrace, we see that:

(gdb) f 10
#10 present_wnmd_flip (damage=0xf4eee0, sync_flip=0, pixmap=0xf507a0, target_msc=268904, event_id=1985548, crtc=0xaa85b0, 
    window=0xf4ee90) at present_wnmd.c:358
358	    present_screen_priv_ptr     screen_priv = present_screen_priv(screen);
(gdb) p screen
$2 = (ScreenPtr) 0xf000000000034

(that's a bogus value ^^^)

That's coming from:

 353	                  PixmapPtr pixmap,
 354	                  Bool sync_flip,
 355	                  RegionPtr damage)
 356	{
 357	    ScreenPtr                   screen = crtc->pScreen;
 358	    present_screen_priv_ptr     screen_priv = present_screen_priv(screen);
 359	

And so is the RRCrtcPtr:

(gdb) p *crtc
$5 = {id = 0, pScreen = 0xf000000000034, mode = 0x63736e552f6b6447, x = 1684368481, y = 4804676, ...

So my guess is that the undock removes outputs, on resume Xwayland gets all the events at once, the xwl_present_sync_callback() occurs after the xwl_output_remove() has destroyed the xwl_output->randr_crtc so we're pointeing at freed memory here.
Comment 2 Olivier Fourdan 2018-10-08 14:47:48 UTC 
Maybe https://patchwork.freedesktop.org/series/50696/
Comment 3 Olivier Fourdan 2018-10-26 09:02:36 UTC 
Patches have landed.

https://gitlab.freedesktop.org/xorg/xserver/merge_requests/45
Comment 4 Claudio Saavedra 2019-01-28 07:43:05 UTC 
*** Bug 108556 has been marked as a duplicate of this bug. ***

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.