Bug 52198

Summary: weston segfaults after two drag and drops in dnd example and closing it
Product: Wayland
Reporter: Dmitry Guryanov <dmitry.guryanov>
Component: wayland
Assignee: Wayland bug list <wayland-bugs>
Status: VERIFIED FIXED
Severity: normal
Priority: medium
Version: unspecified
Hardware: x86-64 (AMD64)
OS: Linux (All)
Attachments: possible fix for the bug

Description Dmitry Guryanov 2012-07-17 13:17:42 UTC
Created attachment 64314: possible fix for the bug

weston segfaults if you make two drag'n'drops in dnd and then close it (dnd).

I've tried to investigate the problem and found a possible solution; the patch is in the attachment:

In the function drag_grab_button in the wayland code we first call data_device_end_drag_grab,
which sets seat->drag_data_source to NULL. Then we remove
the listener from the list only if drag_data_source is not NULL.

So if the client does not free the wl_data_source and starts another drag'n'drop
after the first one, then two wl_data_source structures will be
freed on client exit (let's name them s1 and s2).

The next and prev pointers of
wl_data_source.resource.destroy_signal.listener_list in both
wl_data_source structures will be seat->drag_data_source_listener,
but next and prev in seat->drag_data_source_listener.link point
to listener_list in s2.

So if you try to iterate over listener_list in s1
then you get drag_data_source_listener as the first item and
(struct wl_listener *)(&s2.resource.destroy_signal.listener_list)

Iteration over that list occurs in
wl_resource_destroy->destroy_resource->wl_signal_emit->wl_signal_emit
and tries to call a function at the address of wl_resource->client, so
weston segfaults there.
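
The list state described in the report above, as an added example that is not part of the original bug report or of the Wayland source. It uses a constructed stand-in for wl_list (the `list_*` helpers, `walk` and `walk_s1_after_two_drags` are hypothetical names) and compares reusing one listener link while it is still on the first list with unlinking it first.

```c
#include <stdio.h>

/* Stand-in for wl_list: circular doubly linked list with the same
 * insert/remove semantics. All names here are constructed for this demo. */
struct list { struct list *prev, *next; };

static void list_init(struct list *l) { l->prev = l->next = l; }

static void list_insert(struct list *head, struct list *elm)
{
    elm->prev = head;
    elm->next = head->next;
    head->next = elm;
    elm->next->prev = elm;
}

static void list_remove(struct list *elm)
{
    elm->prev->next = elm->next;
    elm->next->prev = elm->prev;
}

/* Walk a listener list the way a signal emit would. Returns the number of
 * listeners seen, or -1 if the walk reaches the other source's list head,
 * which the emit loop would treat as a listener. */
static int walk(struct list *head, struct list *other_head)
{
    int n = 0;
    for (struct list *p = head->next; p != head; p = p->next, n++)
        if (p == other_head)
            return -1;
    return n;
}

/* Two drags sharing one listener link (the seat's drag_data_source_listener).
 * unlink_between = 0: link still on s1's list when reused (reported state).
 * unlink_between = 1: link removed from s1's list before reuse. */
static int walk_s1_after_two_drags(int unlink_between)
{
    struct list s1, s2, listener;
    list_init(&s1); list_init(&s2);
    list_insert(&s1, &listener);                   /* first drag */
    if (unlink_between) list_remove(&listener);
    list_insert(&s2, &listener);                   /* second drag */
    return walk(&s1, &s2);
}

int main(void)
{
    printf("stale link: %d, unlinked first: %d\n",
           walk_s1_after_two_drags(0), walk_s1_after_two_drags(1));
    return 0;
}
```
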
Comment 1 Kristian Høgsberg 2012-07-20 16:05:28 UTC
Got your patch, applied it, closing this one.
