Bug 46450

Summary: wayland client demo 'dnd' crashes weston when it exits on x11 backend
Product: Wayland
Reporter: zhao jian <jian.j.zhao>
Component: weston
Assignee: Wayland bug list <wayland-bugs>
Status: VERIFIED FIXED
Severity: major
Priority: medium
CC: ullysses.a.eoff
Version: unspecified
Hardware: x86 (IA32)
OS: Linux (All)

Description zhao jian 2012-02-22 05:54:36 UTC
System Environment:
--------------------------
wayland: (master) ab3b5cd71ce6dd1a532d9c1fecabb1a6e9d1a055
libdrm: (master) 23eeb7e1e45417a5a84f826286dd982dba440cd3
macros: (master) 52ef6f666a4fb46b693c81dc7a44612e6b78239d
glproto: (master) 29d5b553b30755a25300c30b67d39b37c9a76466
dri2proto: (master) 7fd18b15646a62bd82a4eb0eca60a34c1731813d
xproto: (master) ab1fba1a0967ac2289909c3f1a643f876a5dd393
libX11: (master) 2ca641c3a506dcbee97e279b67990d5387389f36
mesa: (master) 3dd7b53178cb085a1ff3d87844fa51487f8892fc
kbproto: (master) b0f7912512091ea58dfaf8dffb2a658a6afeb96d
libxkbcommon: (master) 1ab058bbb345245088f54315227fe0cf52ae54ed
pixman: (master) 4fc586c3df9a53cc1406891e751a6eed3d7da400
cairo: (master) da8841cc5ea0b45daba6b91227a2b7058a0120b7
weston: (master) 31f9d0e8de4f788aaf35fb8072dc290da19b097a

Bug detailed description:
-------------------------
When running the wayland client demo 'dnd' on the x11 backend, it works well for operations like dragging, but stopping the demo causes weston to crash. I tested on SandyBridge, and it works well on the drm backend.

There is an error message in dmesg: weston[29804]: segfault at 0 ip 00007f2f57f6a763 sp 00007fffba5c9f40 error 4 in libwayland-server.so.0.0.0[7f2f57f66000+b000]
And the output on the wayland server side is as follows:
		[root@x-sgb3 src]# ./weston
		using socket /run/user/root/wayland-0
		Internal error:   Could not resolve keysym SunProps
		Internal error:   Could not resolve keysym SunFront
		Internal error:   Could not resolve keysym SunOpen
		disconnect from client 0x1e7a8e0
		caught segv
		  [0000000000405ca3]  --  (./weston)
		  [0000003079036320]  --  (/lib64/libc.so.6)
		  [00007f2f578d9c01]  pixman_region32_union  (/home/jzhao/install/lib/libpixman-1.so.0)
		  [0000000000407e29]  --  (./weston)
		  [0000000000407eac]  --  (./weston)
		  [00007f2f57f6ec39]  wl_map_for_each  (/home/jzhao/install/lib/libwayland-server.so.0)
		  [00007f2f57f6ac52]  wl_client_destroy  (/home/jzhao/install/lib/libwayland-server.so.0)
		  [00007f2f57f6ad91]  --  (/home/jzhao/install/lib/libwayland-server.so.0)
		  [00007f2f57f6d122]  wl_event_loop_dispatch  (/home/jzhao/install/lib/libwayland-server.so.0)
		  [00007f2f57f6b61d]  wl_display_run  (/home/jzhao/install/lib/libwayland-server.so.0)
		  [0000000000405a83]  --  (./weston)
		  [000000307902169d]  __libc_start_main  (/lib64/libc.so.6)
		  [0000000000405b79]  --  (./weston)
		disconnect from client 0x1e5bf90
		read error from connection 0x1635820: Connection reset by peer (104)
		read error: Connection reset by peer
		Segmentation fault (core dumped)


Reproduce steps:
-------------------------
1. start x
2. start weston
3. start demo dnd
4. close demo dnd after some operations
Comment 1 Will Thompson 2012-03-08 09:22:08 UTC
I can reliably crash Weston using the dnd demo as follows:

• Launching clients/dnd;
• Dragging two flowers onto another flower;
• Unfocus, then refocus, the DND test app's window (otherwise it doesn't respond to right clicks);
• Right click it and choose Close.

The backtrace I see is a little different to zhao jian's:

#0  0x00007ffff79d8157 in wl_list_remove (elm=0x9237e8) at ../../src/wayland-util.c:50
#1  0x0000000000408e39 in weston_surface_unmap (surface=0x923720)
    at ../../src/compositor.c:607
#2  0x0000000000408eac in destroy_surface (resource=0x923720)
    at ../../src/compositor.c:627
#3  0x00007ffff79d84b9 in for_each_helper (data=0x7fffffffdeec, 
    func=0x7ffff79d3db0 <destroy_resource>, entries=<optimized out>)
    at ../../src/wayland-util.c:264
#4  wl_map_for_each (map=0x886338, func=0x7ffff79d3db0 <destroy_resource>, 
    data=0x7fffffffdeec) at ../../src/wayland-util.c:270
#5  0x00007ffff79d4402 in wl_client_destroy (client=0x886300)
    at ../../src/wayland-server.c:420
#6  0x00007ffff79d4541 in wl_client_connection_data (fd=<optimized out>, 
    mask=<optimized out>, data=0x886300) at ../../src/wayland-server.c:260
#7  0x00007ffff79d6962 in wl_event_loop_dispatch (loop=0x616900, timeout=<optimized out>)
    at ../../src/event-loop.c:462
#8  0x00007ffff79d4d7d in wl_display_run (display=0x6168b0)
    at ../../src/wayland-server.c:847
#9  0x000000000040677f in main (argc=<optimized out>, argv=<optimized out>)
    at ../../src/compositor.c:2583

The crashing line is

50		elm->prev->next = elm->next;

which segfaults because prev (and, for that matter, next) are NULL.

Throwing in some breakpoints shows that weston_surface_unmap() gets called for the crashing surface twice: first after ending a drag, and second when the window is closed.

Immediately after the first call, there is a final call to weston_surface_assign_output() on the surface, which re-sets ->output on the surface but does not re-attach it to a list. But the call to weston_surface_unmap() in destroy_surface() is guarded by checking ->output, so…
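The sequence described in comment 1, modelled as an added example (not part of the original thread and not Weston or libwayland code): a list removal that leaves the link NULL, an `->output` guard that goes stale, and a destroy path that checks list membership instead. All type and function names are hypothetical, and the membership check is one defensive pattern, not the change made in the fix commit.

```c
#include <stdio.h>

/* Minimal intrusive list modelling the behaviour in comment 1 (hypothetical names). */
struct list { struct list *prev, *next; };
struct surface { struct list link; void *output; };

static void list_init(struct list *l) { l->prev = l->next = l; }

static void list_insert(struct list *head, struct list *elm)
{
	elm->prev = head;
	elm->next = head->next;
	head->next->prev = elm;
	head->next = elm;
}

/* Removal leaves the link NULL, so a second removal dereferences NULL. */
static void list_remove(struct list *elm)
{
	elm->prev->next = elm->next; /* faults here when prev == NULL */
	elm->next->prev = elm->prev;
	elm->prev = elm->next = NULL;
}

static void surface_unmap(struct surface *s) { list_remove(&s->link); s->output = NULL; }

/* 1 if a destroy guarded only by ->output would unmap an unlinked surface. */
static int destroy_would_crash(const struct surface *s) { return s->output && !s->link.prev; }

/* Guard on list membership instead of ->output; returns 1 if it unmapped. */
static int surface_destroy_safe(struct surface *s)
{
	if (s->link.prev == NULL)
		return 0;
	surface_unmap(s);
	return 1;
}

/* Replays comment 1's sequence; 1 means the stale state was reached and handled. */
static int replay(void)
{
	struct list head; struct surface s; int out = 0;
	list_init(&head); list_insert(&head, &s.link); s.output = &out;
	surface_unmap(&s);  /* first unmap, at the end of the drag */
	s.output = &out;    /* ->output re-set without re-linking */
	return destroy_would_crash(&s) && !surface_destroy_safe(&s) && head.next == &head;
}

int main(void) { printf("stale state handled: %d\n", replay()); return 0; }
```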
Comment 2 Will Thompson 2012-03-08 09:27:06 UTC
(In reply to comment #1)
> • Dragging two flowers onto another flower;

Sorry, this is not quite right: you have to drag one flower onto another, then drag that flower onto a third flower.
Comment 3 Will Thompson 2012-03-12 10:23:29 UTC
This looks to have been fixed by <http://cgit.freedesktop.org/wayland/weston/commit/?id=de56c311d94e6df37537b9e05ec72863906902ff>
Comment 4 lu hua 2012-03-31 02:09:10 UTC
It is fixed in the System Environment below.

wayland:             (master) 5b72fc7528aa9f7c655dd49a2227cfd1e3feeb76
libdrm:               (master) a3c34f56b94d4d47cadcd9814c2684c11f800e7d
macros:              (master) c0c42057e0d357c144e7933ee413b522950a0f17
glproto:              (master) 29d5b553b30755a25300c30b67d39b37c9a76466
dri2proto:            (master) 7fd18b15646a62bd82a4eb0eca60a34c1731813d
xproto:               (master) 20202784b9700d973d5301f0cb3243eba99fc349
libX11:               (master) abc523fce31fcf2687229697a8eb656e343ecb0c
mesa:                (master) 2402ce04ae06f909e361782f5063fa3070091bf1
kbproto:              (master) 391a1f6de6315fc0196d407d800597488315cccb
libxkbcommon:         (master) 3d672fcfea6b823db4793b9ad1c3aadc4b547a08
pixman:              (master) b9ca23a9c711280a706eb1df30a0cfaf3b2d8e27
cairo:                 (master) d18542b735bb777b444152f0ef06de18993635bd
weston:              (master) 3448616bc3909faa2d7d2c559be845085a1b23ab
kernel:               (drm-intel-next-queued) e7e58eb5c0d1d7d1a42fcb2b5a247d28ec08b47e
Comment 5 lu hua 2012-03-31 02:09:36 UTC
Verified. Fixed.
