Bug 73490

Summary: SIGSEGV in ping_timeout_handler
Product: Wayland
Reporter: Anu Reddy <anasuyax.r.nannuri>
Component: weston
Assignee: Wayland bug list <wayland-bugs>
Status: VERIFIED FIXED
QA Contact:
Severity: critical    
Priority: medium    
Version: unspecified   
Hardware: Other   
OS: All   
Whiteboard:
i915 platform: i915 features:
Attachments: backtrace

Description Anu Reddy 2014-01-11 00:52:45 UTC
1. Configure Weston.ini with seat=back0
Example:
Output
Name=HDMI2
Seat=back0

2. Launch Weston
3. Execute Weston-terminal
4. Close Weston-terminal using toolbar button ‘x’
5. Observe Weston crash
Comment 1 Anu Reddy 2014-01-11 00:55:30 UTC
Program received signal SIGSEGV, Segmentation fault.
0x00007fe6d098572a in ping_timeout_handler (data=0x104f4c0) at shell.c:1789
1789			if (seat->pointer->focus &&
(gdb) bt
#0  0x00007fe6d098572a in ping_timeout_handler (data=0x104f4c0) at shell.c:1789
#1  0x00007fe6d5574fb3 in wl_event_source_timer_dispatch (source=0x133db00, ep=0x7fff49945520) at event-loop.c:180
#2  0x00007fe6d55758b2 in wl_event_loop_dispatch (loop=0xe7aec0, timeout=-1) at event-loop.c:421
#3  0x00007fe6d5572a72 in wl_display_run (display=0xe7ae30) at wayland-server.c:961
#4  0x0000000000413d8c in main (argc=1, argv=0x7fff49945988) at compositor.c:4254
(gdb) bt full
#0  0x00007fe6d098572a in ping_timeout_handler (data=0x104f4c0) at shell.c:1789
        shsurf = 0x104f4c0
        seat = 0xe95970
#1  0x00007fe6d5574fb3 in wl_event_source_timer_dispatch (source=0x133db00, ep=0x7fff49945520) at event-loop.c:180
        timer_source = 0x133db00
        expires = 1
        len = 8
#2  0x00007fe6d55758b2 in wl_event_loop_dispatch (loop=0xe7aec0, timeout=-1) at event-loop.c:421
        i = 0
        count = 1
        source = 0x133db00
        n = 36
#3  0x00007fe6d5572a72 in wl_display_run (display=0xe7ae30) at wayland-server.c:961
No locals.
#4  0x0000000000413d8c in main (argc=1, argv=0x7fff49945988) at compositor.c:4254
        help = 0
        backend = 0x42f8de "drm-backend.so"
        config = 0xe7b7e0
        signals = {0xe7af50, 0xe7b6f0, 0xe7b740, 0xe7b790}
        backend_init = 0x7fe6d432cf91 <backend_init>
        shell = 0xe84cc0 "desktop-shell.so"
        modules = 0xe7c800 ""
        log = 0xe7a9e0 "weston.log"
        idle_time = 300
        section = 0xe7afa0
Comment 2 Anu Reddy 2014-01-11 00:57:43 UTC
Software Stack

wayland (HEAD) 1.3.92-0-gc102c20
drm (HEAD) libdrm-2.4.50-0-g4c5de72
mesa (HEAD) remotes/origin/10.0-0-g3a62718
libva (HEAD) libva-1.2.1-0-g88ed1eb
intel-driver (HEAD) 1.2.1-0-g8f306e3
weston (HEAD) 1.3.92-0-gb637a40
efl (HEAD) remotes/origin/efl-1.8-0-gb63675a
elementary (HEAD) remotes/origin/elementary-1.8-0-gf7ddd25
Comment 3 U. Artie Eoff 2014-01-11 16:23:41 UTC
Created attachment 91865: backtrace
Comment 4 U. Artie Eoff 2014-01-11 17:22:26 UTC
Another way to reproduce this is to SIGSTOP a wayland client (i.e. kill -SIGSTOP <pid of client>), then move the mouse in and out of the client.  Further inspection with gdb shows that the seat->pointer is being NULL deref'd.

Program received signal SIGSEGV, Segmentation fault.
0x00007f6b92f1aa13 in ping_timeout_handler (data=0x25f0970) at shell.c:1789
1789                    if (seat->pointer->focus &&
(gdb) print seat
$1 = (struct weston_seat *) 0x2558870
(gdb) print seat->pointer
$2 = (struct weston_pointer *) 0x0


NOTE: this issue only seems to happen when the "seat" option is specified in the weston.ini for that output.
Comment 5 Kristian Høgsberg 2014-01-15 19:47:25 UTC
commit 5cbc7634043707c3a0e442014910fc7f6db317e0
Author: Kristian Høgsberg <krh@bitplanet.net>
Date:   Wed Jan 15 11:46:38 2014 -0800

    shell.c: Not all seats have pointers
    
    Don't look up the pointer focus in ping_timeout_handler() if the
    seat doesn't have a pointer.
    
    Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=73490
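
A minimal model of the crash and of the guard the commit message describes, added here as an illustration; it is not Weston's code. The struct layouts, the function names and every seat name other than back0 are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for the compositor types; not Weston's definitions. */
struct surface { int id; };
struct pointer { struct surface *focus; };  /* focus may be NULL */
struct seat {
	const char *name;
	struct pointer *pointer;            /* NULL when the seat has no pointer device */
	struct seat *next;
};

/*
 * Count the seats whose pointer is focused on the unresponsive surface.
 * The crashing pattern evaluated seat->pointer->focus for every seat,
 * which faults on the first seat that has no pointer.
 */
int seats_needing_busy_cursor(const struct seat *seats,
			      const struct surface *unresponsive)
{
	int n = 0;

	for (const struct seat *s = seats; s != NULL; s = s->next) {
		if (s->pointer == NULL)     /* the check the crash site lacked */
			continue;
		if (s->pointer->focus != NULL && s->pointer->focus == unresponsive)
			n++;
	}
	return n;
}

/* Constructed scenario: "back0" mirrors the pointer-less seat from the report. */
int demo(void)
{
	struct surface terminal = { 1 }, other = { 2 };
	struct pointer on_terminal = { &terminal }, on_other = { &other }, idle = { NULL };
	struct seat d = { "seat3", &idle, NULL };
	struct seat c = { "seat2", &on_other, &d };
	struct seat b = { "back0", NULL, &c };
	struct seat a = { "default", &on_terminal, &b };

	return seats_needing_busy_cursor(&a, &terminal);
}

int main(void)
{
	printf("seats needing busy cursor: %d\n", demo());
	return 0;
}
```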
