Bug 105258 - libinput crashes Xorg with SIGABRT in tp_tap_handle_state() [evdev-mt-touchpad-tap.c:1030|1028]
Status: RESOLVED FIXED
Alias: None
Product: Wayland
Classification: Unclassified
Component: libinput
Version: unspecified
Hardware: x86-64 (AMD64) Linux (All)
Importance: medium normal
Assignee: Wayland bug list
Duplicates: 105275 105336 105437 105439 105443 105459 105791
Blocks: 105535
Reported: 2018-02-26 18:32 UTC by Nicolas Joyard
Modified: 2019-02-21 00:50 UTC

Attachments
Xorg log (40.09 KB, text/plain)
2018-02-26 18:32 UTC, Nicolas Joyard
Systemd core dump info (2.54 KB, text/plain)
2018-02-26 18:32 UTC, Nicolas Joyard
evemu recording (489.00 KB, text/x-log)
2018-02-27 22:20 UTC, Nicolas Joyard
evemu-record output (94.53 KB, text/plain)
2018-03-11 19:56 UTC, stas-t
coredump info (2.61 KB, text/plain)
2018-03-13 18:05 UTC, mrblooter
evemu-record of touchpad (838.18 KB, text/plain)
2018-03-13 18:09 UTC, mrblooter

Description Nicolas Joyard 2018-02-26 18:32:09 UTC
Created attachment 137615
Xorg log

Since recent updates Xorg crashes very often (4 or more times a day) with SIGABRT in libinput code.
Unfortunately I have found no reproduction scenario yet, it seems to happen randomly.

I can provide a full coredump if that helps.

Distribution: arch
Hardware: Lenovo Thinkpad X270
Packages:
  libinput 1.10.0-1
  linux 4.15.4-1
  xf86-input-libinput 0.26.0-1
  xorg-server 1.19.6+13+gd0d1a694f-1

$ libinput list-devices --version
1.10.0

$ xinput list-props "SynPS/2 Synaptics TouchPad"
Device 'SynPS/2 Synaptics TouchPad':
	Device Enabled (143):	1
	Coordinate Transformation Matrix (145):	1.000000, 0.000000, 0.000000, 0.000000, 1.000000, 0.000000, 0.000000, 0.000000, 1.000000
	libinput Tapping Enabled (280):	1
	libinput Tapping Enabled Default (281):	0
	libinput Tapping Drag Enabled (282):	1
	libinput Tapping Drag Enabled Default (283):	1
	libinput Tapping Drag Lock Enabled (284):	0
	libinput Tapping Drag Lock Enabled Default (285):	0
	libinput Tapping Button Mapping Enabled (286):	1, 0
	libinput Tapping Button Mapping Default (287):	1, 0
	libinput Natural Scrolling Enabled (288):	1
	libinput Natural Scrolling Enabled Default (289):	0
	libinput Left Handed Enabled (290):	0
	libinput Left Handed Enabled Default (291):	0
	libinput Accel Speed (292):	0.000000
	libinput Accel Speed Default (293):	0.000000
	libinput Scroll Methods Available (294):	1, 1, 0
	libinput Scroll Method Enabled (295):	1, 0, 0
	libinput Scroll Method Enabled Default (296):	1, 0, 0
	libinput Click Methods Available (297):	1, 1
	libinput Click Method Enabled (298):	1, 0
	libinput Click Method Enabled Default (299):	1, 0
	libinput Middle Emulation Enabled (300):	0
	libinput Middle Emulation Enabled Default (301):	0
	libinput Send Events Modes Available (265):	1, 1
	libinput Send Events Mode Enabled (266):	0, 0
	libinput Send Events Mode Enabled Default (267):	0, 0
	libinput Disable While Typing Enabled (302):	1
	libinput Disable While Typing Enabled Default (303):	1
	Device Node (268):	"/dev/input/event17"
	Device Product ID (269):	2, 7
	libinput Drag Lock Buttons (304):	<no items>
	libinput Horizontal Scroll Enabled (305):	1
Comment 1 Nicolas Joyard 2018-02-26 18:32:50 UTC
Created attachment 137616
Systemd core dump info
Comment 2 Peter Hutterer 2018-02-27 01:42:43 UTC
install the debug info package for libinput please (whatever that's called on arch, I don't know for sure) and run:

$ eu-addr2line -e /usr/lib64/libinput.so

and provide:
libinput_event_get_pointer_event+0xec9e

That should give you the line number where it crashes, same with the few other references. This should help a bit identifying what's going on.

Please also provide an evemu recording of one of the crashers, thanks.
Comment 3 Nicolas Joyard 2018-02-27 12:15:50 UTC
Here is a new crash with an updated libinput, rebuilt without stripping symbols.

libinput version: 1.10.0+25+g3e77f2e9-1
libinput commit: 3e77f2e9f5a98fc5917642bd47ceeef89b95c858

Backtrace from Xorg log:
    [  1580.664] (EE) Backtrace:
    [  1580.671] (EE) 0: /usr/lib/xorg-server/Xorg (OsLookupColor+0x139) [0x55ed7d51ee99]
    [  1580.673] (EE) 1: /usr/lib/libpthread.so.0 (funlockfile+0x50) [0x7fbf098d4e1f]
    [  1580.677] (EE) 2: /usr/lib/libc.so.6 (gsignal+0x110) [0x7fbf09540860]
    [  1580.679] (EE) 3: /usr/lib/libc.so.6 (abort+0x1c9) [0x7fbf09541ec9]
    [  1580.681] (EE) 4: /usr/lib/libc.so.6 (__assert_fail_base+0x14c) [0x7fbf095390bc]
    [  1580.683] (EE) 5: /usr/lib/libc.so.6 (__assert_fail+0x43) [0x7fbf09539133]
    [  1580.685] (EE) 6: /usr/lib/libinput.so.10 (tp_handle_state+0x332c) [0x7fbf023396dc]
    [  1580.686] (EE) 7: /usr/lib/libinput.so.10 (tp_interface_process+0xb8) [0x7fbf0233a438]
    [  1580.687] (EE) 8: /usr/lib/libinput.so.10 (evdev_device_dispatch+0x3f8) [0x7fbf02326178]
    [  1580.687] (EE) 9: /usr/lib/libinput.so.10 (libinput_dispatch+0x5f) [0x7fbf02325a5f]
    [  1580.688] (EE) 10: /usr/lib/xorg/modules/input/libinput_drv.so (_init+0x29b9) [0x7fbf0255c5b9]
    [  1580.689] (EE) 11: /usr/lib/xorg-server/Xorg (input_unlock+0x293) [0x55ed7d51d3d3]
    [  1580.689] (EE) 12: /usr/lib/xorg-server/Xorg (OsCleanup+0x621) [0x55ed7d51fe01]
    [  1580.690] (EE) 13: /usr/lib/xorg-server/Xorg (input_unlock+0xde) [0x55ed7d51cfce]
    [  1580.691] (EE) 14: /usr/lib/libpthread.so.0 (start_thread+0xdc) [0x7fbf098ca08c]
    [  1580.694] (EE) 15: /usr/lib/libc.so.6 (clone+0x3f) [0x7fbf09601eb8]


Line numbers:
    tp_handle_state+0x332c: ../libinput/src/evdev-mt-touchpad-gestures.c:85
    tp_interface_process+0xb8: ../libinput/src/evdev-mt-touchpad.c:1639
    evdev_device_dispatch+0x3f8: ../libinput/src/evdev.c:857
    libinput_dispatch+0x5f: ../libinput/src/libinput.c:1989

I'll try to have an evemu recording setup next.
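
Added example (not part of the original report and not libinput or Xorg code): a small POSIX shell helper that automates the lookup requested in comment 2, pulling the `symbol+0xoffset` frames for one library out of an Xorg backtrace and passing each to `eu-addr2line`. The function names `frames_for_lib` and `resolve_frames` and the log path in the usage comment are assumptions; the sample lines are copied from the backtrace in comment 3. The offsets only mean something against the exact unstripped build that crashed.

```shell
#!/bin/sh
# Added example, not from the bug report: turn Xorg backtrace frames into
# "symbol+0xoffset" strings and resolve them with elfutils' eu-addr2line.

# Constructed sample: three frames copied from the Xorg log in comment 3.
SAMPLE_LOG='    [  1580.683] (EE) 5: /usr/lib/libc.so.6 (__assert_fail+0x43) [0x7fbf09539133]
    [  1580.685] (EE) 6: /usr/lib/libinput.so.10 (tp_handle_state+0x332c) [0x7fbf023396dc]
    [  1580.686] (EE) 7: /usr/lib/libinput.so.10 (tp_interface_process+0xb8) [0x7fbf0233a438]'

# frames_for_lib LIB
# Reads Xorg log text on stdin and prints one "symbol+0xoffset" per line for
# every backtrace frame whose object path is exactly LIB. Frames without a
# symbol name do not match the pattern and are skipped.
frames_for_lib() {
    lib=$1
    sed -n 's|^.*(EE) [0-9][0-9]*: \(/[^ ]*\) (\([A-Za-z_][A-Za-z0-9_.@]*+0x[0-9a-fA-F][0-9a-fA-F]*\)).*$|\1 \2|p' |
    while read -r path frame; do
        if [ "$path" = "$lib" ]; then
            printf '%s\n' "$frame"
        fi
    done
}

# resolve_frames LIB
# Prints "symbol+0xoffset: file:line" for each matching frame, the same shape
# as the "Line numbers" list in comment 3. LIB must carry debug information.
# The address is passed as an argument; stdin is closed for eu-addr2line so it
# never consumes the frame list being piped into the loop.
resolve_frames() {
    lib=$1
    frames_for_lib "$lib" | while read -r frame; do
        printf '%s: %s\n' "$frame" "$(eu-addr2line -e "$lib" "$frame" </dev/null)"
    done
}

# Usage (the log path is an assumption; adjust to where your Xorg log lives):
#   resolve_frames /usr/lib/libinput.so.10 < /var/log/Xorg.0.log
```
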
Comment 4 Nicolas Joyard 2018-02-27 22:20:13 UTC
Created attachment 137672
evemu recording

Here is an evemu recording for the last crash (with the exact same backtrace as the one shown previously).

I left only the last minute or so in the recording. I cannot pinpoint exactly where in that recording the crash happened, but it is close to the end as I stopped touching the touchpad as soon as I noticed the crash.
Comment 5 Peter Hutterer 2018-03-01 02:27:17 UTC
well, that was more effort than expected. patch series is here:
https://lists.freedesktop.org/archives/wayland-devel/2018-March/037268.html

branch for testing is here:
https://github.com/whot/libinput/tree/wip/touchpad-maybe-end-state
Comment 6 Peter Hutterer 2018-03-01 02:28:14 UTC
*** Bug 105275 has been marked as a duplicate of this bug. ***
Comment 7 Nicolas Joyard 2018-03-04 15:28:10 UTC
Just did some tests and it seems to have fixed the crash. Thanks!

I first tried to have a near-systematic reproduction pattern by trying to reproduce the sequence you described on wayland-devel, and managed to make it crash in a few seconds every time.

Then I updated and tried again with the same pattern for a few minutes, and no crash.

Again, thanks a lot for your work.
Comment 8 Peter Hutterer 2018-03-05 00:24:32 UTC
*** Bug 105336 has been marked as a duplicate of this bug. ***
Comment 9 Peter Hutterer 2018-03-05 00:37:55 UTC
Thanks for testing, pushed to master and I'll get this into the next 1.10 release too

commit 6ccd8e934f965150173866db265ca544031c6e6b
Author: Peter Hutterer <>
Date:   Wed Feb 28 12:51:27 2018 +1000

     touchpad: add a TOUCH_MAYBE_END state
Comment 10 Peter Hutterer 2018-03-07 00:38:52 UTC
*** Bug 105370 has been marked as a duplicate of this bug. ***
Comment 11 Aaron Plattner 2018-03-10 00:12:50 UTC
Thanks Peter! I built from commit 12410dfba4b903108c8926d68c64ed1c7468902d and so far, haven't been able to reproduce the problem.
Comment 12 stas-t 2018-03-11 13:41:59 UTC
Peter, I'm afraid the issue is still there.
I had libinput 1.10.2 installed which was still crashing Xorg. Then I upgraded to commit 12410dfba4b903108c8926d68c64ed1c7468902d and rebuilt. I still was able to reproduce the issue.

Here is the backtrace:

#0  0x00007fa3f4197860 in raise () at /usr/lib/libc.so.6
#1  0x00007fa3f4198ec9 in abort () at /usr/lib/libc.so.6
#2  0x00005593d7ac0cea in  ()
#3  0x00005593d799c674 in  ()
#4  0x00005593d7ac67e2 in  ()
#5  0x00005593d7ac7625 in  ()
#6  0x00005593d7abddde in  ()
#7  0x00007fa3f452bdd0 in <signal handler called> () at /usr/lib/libpthread.so.0
#8  0x00007fa3f4197860 in raise () at /usr/lib/libc.so.6
#9  0x00007fa3f4198ec9 in abort () at /usr/lib/libc.so.6
#10 0x00007fa3f41900bc in __assert_fail_base () at /usr/lib/libc.so.6
#11 0x00007fa3f4190133 in  () at /usr/lib/libc.so.6
#12 0x00007fa3e6438671 in tp_tap_handle_state (time=94093507188400, tp=0x5593da14f8b0) at ../libinput/src/evdev-mt-touchpad-tap.c:1030
#13 0x00007fa3e6438671 in tp_post_events (time=94093507188400, tp=0x5593da14f8b0) at ../libinput/src/evdev-mt-touchpad.c:1650
#14 0x00007fa3e6438671 in tp_handle_state (tp=0x5593da14f8b0, time=time@entry=3849255224) at ../libinput/src/evdev-mt-touchpad.c:1673
#15 0x00007fa3e6439108 in tp_interface_process (dispatch=
    0x5593da14f8b0, device=<optimized out>, e=0x7fa3e598bd80, time=3849255224, time=<optimized out>, e=<optimized out>, dispatch=<optimized out>)
    at ../libinput/src/evdev-mt-touchpad.c:1720
#16 0x00007fa3e64243d8 in evdev_process_event (e=0x7fa3e598bd80, device=0x5593da1443e0) at ../libinput/src/evdev.c:863
#17 0x00007fa3e64243d8 in evdev_device_dispatch_one (ev=0x7fa3e598bd80, device=0x5593da1443e0) at ../libinput/src/evdev.c:871
#18 0x00007fa3e64243d8 in evdev_device_dispatch (data=0x5593da1443e0) at ../libinput/src/evdev.c:930
#19 0x00007fa3e6423cbf in libinput_dispatch (libinput=0x5593d9c9e5a0) at ../libinput/src/libinput.c:1989
#20 0x00007fa3e6658c19 in  () at /usr/lib/xorg/modules/input/libinput_drv.so
#21 0x00005593d7abc163 in  ()
#22 0x00005593d7abe861 in  ()
#23 0x00005593d7abbfae in  ()
#24 0x00007fa3f452108c in start_thread () at /usr/lib/libpthread.so.0
#25 0x00007fa3f4258e7f in clone () at /usr/lib/libc.so.6
Comment 13 stas-t 2018-03-11 13:50:29 UTC
Reproduction steps: open gnome-terminal and swipe inside its window with three fingers quickly left-to-right and right-to-left a few times.

Apparently this assertion fails when t->state == TOUCH_END and t->was_down:
assert(tp->tap.nfingers_down >= 1);
Comment 14 stas-t 2018-03-11 19:40:55 UTC
Some more details.

Distribution: arch
Hardware: Hewlett-Packard HP Pavilion TS Sleekbook 15/18FD
Packages:
  libinput 1.10.0+68+g12410dfb-1
  linux 4.15.7-1
  xf86-input-libinput 0.26.0-1
  xorg-server 1.19.6+13+gd0d1a694f-1

libinput list-devices --version
1.10.900

xinput list-props "SynPS/2 Synaptics TouchPad"
Device 'SynPS/2 Synaptics TouchPad':
	Device Enabled (142):	1
	Coordinate Transformation Matrix (144):	1.000000, 0.000000, 0.000000, 0.000000, 1.000000, 0.000000, 0.000000, 0.000000, 1.000000
	libinput Tapping Enabled (285):	1
	libinput Tapping Enabled Default (286):	0
	libinput Tapping Drag Enabled (287):	1
	libinput Tapping Drag Enabled Default (288):	1
	libinput Tapping Drag Lock Enabled (289):	0
	libinput Tapping Drag Lock Enabled Default (290):	0
	libinput Tapping Button Mapping Enabled (291):	1, 0
	libinput Tapping Button Mapping Default (292):	1, 0
	libinput Natural Scrolling Enabled (293):	1
	libinput Natural Scrolling Enabled Default (294):	0
	libinput Left Handed Enabled (295):	0
	libinput Left Handed Enabled Default (296):	0
	libinput Accel Speed (297):	0.010989
	libinput Accel Speed Default (298):	0.000000
	libinput Scroll Methods Available (299):	1, 1, 0
	libinput Scroll Method Enabled (300):	1, 0, 0
	libinput Scroll Method Enabled Default (301):	1, 0, 0
	libinput Send Events Modes Available (266):	1, 1
	libinput Send Events Mode Enabled (267):	0, 0
	libinput Send Events Mode Enabled Default (268):	0, 0
	libinput Disable While Typing Enabled (302):	1
	libinput Disable While Typing Enabled Default (303):	1
	Device Node (269):	"/dev/input/event11"
	Device Product ID (270):	2, 7
	libinput Drag Lock Buttons (304):	<no items>
	libinput Horizontal Scroll Enabled (305):	1
Comment 15 stas-t 2018-03-11 19:56:18 UTC
Created attachment 137991
evemu-record output

These events result in Xorg crash in this context:

...
#12 0x00007f6e4d01d671 in tp_tap_handle_state (time=94242228317136, tp=0x55b67a8a9be0) at ../libinput/src/evdev-mt-touchpad-tap.c:1030
#13 0x00007f6e4d01d671 in tp_post_events (time=94242228317136, tp=0x55b67a8a9be0) at ../libinput/src/evdev-mt-touchpad.c:1650
#14 0x00007f6e4d01d671 in tp_handle_state (tp=0x55b67a8a9be0, time=time@entry=19144585374) at ../libinput/src/evdev-mt-touchpad.c:1673
...
Comment 16 Peter Hutterer 2018-03-12 01:05:06 UTC
*** Bug 105437 has been marked as a duplicate of this bug. ***
Comment 17 Peter Hutterer 2018-03-12 01:06:04 UTC
*** Bug 105407 has been marked as a duplicate of this bug. ***
Comment 18 Peter Hutterer 2018-03-12 01:40:07 UTC
*** Bug 105443 has been marked as a duplicate of this bug. ***
Comment 19 Peter Hutterer 2018-03-12 01:49:24 UTC
*** Bug 105439 has been marked as a duplicate of this bug. ***
Comment 20 Peter Hutterer 2018-03-12 02:01:17 UTC
Thanks for the evemu, that helped a lot. Caused by a corner-case where a fake finger touch ended up hovering and was never terminated on the input event sequence. On the next real touch with high-enough pressure it was continued and caused a miscount of tapping fingers.

commit d8db6b5927f61460b2991479a85056256c819485
Author: Peter Hutterer <>
Date:   Mon Mar 12 10:33:21 2018 +1000

     touchpad: end hovering touches in maybe_end_touch
Comment 21 Peter Hutterer 2018-03-13 00:05:54 UTC
*** Bug 105459 has been marked as a duplicate of this bug. ***
Comment 22 Petrus 2018-03-13 03:21:01 UTC
It's better to change the summary to something new; the "1.10-branch" made me think it was an old bug on libinput version 1.10.0
Comment 23 Daniel van Vugt 2018-03-13 03:25:25 UTC
Done. It's the same assertion, just line 1030 in master and line 1028 in 1.10-branch.
Comment 24 mrblooter 2018-03-13 18:05:22 UTC
Created attachment 138073
coredump info

I am still getting crashes with 1.10.2.

I tried to provide more information by following the instructions in comment #2, but I'm afraid I don't quite understand how to. I am also experiencing the crashes on Arch Linux.

I rebuilt the libinput package specifying --buildtype debug. Then I triggered another crash and got a coredump (attached info).

I will attach an evemu recording shortly.

There is nothing in my Xorg log, apart from this line:
[  1149.033] (II) Axis 0x1 value 5120 is outside expected range [1237, 4990]

I also ran "eu-addr2line -e /usr/lib64/libinput.so", but I don't know what I'm supposed to do with it since there was no output.
Can someone help me to provide more information?
Comment 25 mrblooter 2018-03-13 18:09:14 UTC
Created attachment 138074
evemu-record of touchpad

evemu-record of my SynPS/2 Synaptics TouchPad on a Thinkpad T410.
Comment 26 Peter Hutterer 2018-03-13 22:01:57 UTC
regarding addr2line: https://who-t.blogspot.com.au/2014/02/making-sense-of-backtraces-with.html

see comment #20, this bug is fixed on master, and I cannot reproduce it with the recording (but I can with the commit before d8db6b59).
Comment 27 mrblooter 2018-03-14 08:56:30 UTC
Thank you. I have tested it with 1.10.3 and it's fixed.
I got confused for a bit, because the bug tracker on the distribution said it was fixed in 1.10.2, but they meant the first bug in this report.
Comment 28 Peter Hutterer 2018-04-02 22:39:43 UTC
*** Bug 105791 has been marked as a duplicate of this bug. ***
Comment 29 Francecso 2018-04-03 05:34:50 UTC
I confirm that running libinput 1.10.900 solved the issue for me.

