System Environment:
--------------------------
wayland: (master) ab3b5cd71ce6dd1a532d9c1fecabb1a6e9d1a055
libdrm: (master) 23eeb7e1e45417a5a84f826286dd982dba440cd3
macros: (master) 52ef6f666a4fb46b693c81dc7a44612e6b78239d
glproto: (master) 29d5b553b30755a25300c30b67d39b37c9a76466
dri2proto: (master) 7fd18b15646a62bd82a4eb0eca60a34c1731813d
xproto: (master) ab1fba1a0967ac2289909c3f1a643f876a5dd393
libX11: (master) 2ca641c3a506dcbee97e279b67990d5387389f36
mesa: (master) 3dd7b53178cb085a1ff3d87844fa51487f8892fc
kbproto: (master) b0f7912512091ea58dfaf8dffb2a658a6afeb96d
libxkbcommon: (master) 1ab058bbb345245088f54315227fe0cf52ae54ed
pixman: (master) 4fc586c3df9a53cc1406891e751a6eed3d7da400
cairo: (master) da8841cc5ea0b45daba6b91227a2b7058a0120b7
weston: (master) 31f9d0e8de4f788aaf35fb8072dc290da19b097a

Bug detailed description:
-------------------------
When running the Wayland client demo 'dnd' on the x11 backend, operations like dragging work well, but stopping the demo causes weston to crash. I tested on SandyBridge, and it works well on the drm backend.
There is an error message in dmesg:

weston[29804]: segfault at 0 ip 00007f2f57f6a763 sp 00007fffba5c9f40 error 4 in libwayland-server.so.0.0.0[7f2f57f66000+b000]

The output on the wayland server side is as follows:

[root@x-sgb3 src]# ./weston
using socket /run/user/root/wayland-0
Internal error: Could not resolve keysym SunProps
Internal error: Could not resolve keysym SunFront
Internal error: Could not resolve keysym SunOpen
disconnect from client 0x1e7a8e0
caught segv
[0000000000405ca3] -- (./weston)
[0000003079036320] -- (/lib64/libc.so.6)
[00007f2f578d9c01] pixman_region32_union (/home/jzhao/install/lib/libpixman-1.so.0)
[0000000000407e29] -- (./weston)
[0000000000407eac] -- (./weston)
[00007f2f57f6ec39] wl_map_for_each (/home/jzhao/install/lib/libwayland-server.so.0)
[00007f2f57f6ac52] wl_client_destroy (/home/jzhao/install/lib/libwayland-server.so.0)
[00007f2f57f6ad91] -- (/home/jzhao/install/lib/libwayland-server.so.0)
[00007f2f57f6d122] wl_event_loop_dispatch (/home/jzhao/install/lib/libwayland-server.so.0)
[00007f2f57f6b61d] wl_display_run (/home/jzhao/install/lib/libwayland-server.so.0)
[0000000000405a83] -- (./weston)
[000000307902169d] __libc_start_main (/lib64/libc.so.6)
[0000000000405b79] -- (./weston)
disconnect from client 0x1e5bf90
read error from connection 0x1635820: Connection reset by peer (104)
read error: Connection reset by peer
Segmentation fault (core dumped)

Reproduce steps:
-------------------------
1. start x
2. start weston
3. start demo dnd
4. close demo dnd after some operations
I can reliably crash Weston using the dnd demo as follows:

• Launching clients/dnd;
• Dragging two flowers onto another flower;
• Unfocus, then refocus, the DND test app's window (otherwise it doesn't respond to right clicks);
• Right click it and choose Close.

The backtrace I see is a little different to zhao jian's:

#0 0x00007ffff79d8157 in wl_list_remove (elm=0x9237e8) at ../../src/wayland-util.c:50
#1 0x0000000000408e39 in weston_surface_unmap (surface=0x923720) at ../../src/compositor.c:607
#2 0x0000000000408eac in destroy_surface (resource=0x923720) at ../../src/compositor.c:627
#3 0x00007ffff79d84b9 in for_each_helper (data=0x7fffffffdeec, func=0x7ffff79d3db0 <destroy_resource>, entries=<optimized out>) at ../../src/wayland-util.c:264
#4 wl_map_for_each (map=0x886338, func=0x7ffff79d3db0 <destroy_resource>, data=0x7fffffffdeec) at ../../src/wayland-util.c:270
#5 0x00007ffff79d4402 in wl_client_destroy (client=0x886300) at ../../src/wayland-server.c:420
#6 0x00007ffff79d4541 in wl_client_connection_data (fd=<optimized out>, mask=<optimized out>, data=0x886300) at ../../src/wayland-server.c:260
#7 0x00007ffff79d6962 in wl_event_loop_dispatch (loop=0x616900, timeout=<optimized out>) at ../../src/event-loop.c:462
#8 0x00007ffff79d4d7d in wl_display_run (display=0x6168b0) at ../../src/wayland-server.c:847
#9 0x000000000040677f in main (argc=<optimized out>, argv=<optimized out>) at ../../src/compositor.c:2583

The crashing line is

50 elm->prev->next = elm->next;

which segfaults because prev (and, for that matter, next) are NULL.

Throwing in some breakpoints shows that weston_surface_unmap() gets called for the crashing surface twice: first after ending a drag, and second when the window is closed. Immediately after the first call, there is a final call to weston_surface_assign_output() on the surface, which re-sets ->output on the surface but does not re-attach it to a list.
But the call to weston_surface_unmap() in destroy_surface() is guarded by checking ->output, so…
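The sequence described in the comment above, replayed on a small model as an added example (not Weston or Wayland code, and not part of the original thread). The list and surface types, the function names, and the assumption that removal clears an element's links are all hypothetical; the checked remove returns -1 at the point where an unchecked one would dereference NULL.

```c
#include <stdio.h>

/* Minimal intrusive list in the style of wl_list; all names are hypothetical. */
struct list { struct list *prev, *next; };
struct surface { struct list link; void *output; };
static void list_insert(struct list *head, struct list *elm) {
    elm->prev = head;
    elm->next = head->next;
    head->next->prev = elm;
    head->next = elm;
}
/* Assumption: removal clears the links, matching the NULL prev/next in the
 * report. Returns -1 where an unchecked remove would dereference NULL. */
static int list_remove_checked(struct list *elm) {
    if (!elm->prev || !elm->next) return -1;
    elm->prev->next = elm->next;
    elm->next->prev = elm->prev;
    elm->prev = elm->next = NULL;
    return 0;
}
static int surface_unmap(struct surface *s) {
    int rc = list_remove_checked(&s->link);
    s->output = NULL;
    return rc;
}
/* Guard as described in the comment: only ->output is consulted. */
static int destroy_output_guard(struct surface *s) {
    return s->output ? surface_unmap(s) : 0;
}
/* Guard on the state that matters for unlinking: list membership. */
static int destroy_link_guard(struct surface *s) {
    return (s->link.prev && s->link.next) ? surface_unmap(s) : 0;
}
/* Replays the sequence: map, unmap after the drag, ->output re-set, destroy. */
static int replay(int (*destroy)(struct surface *)) {
    struct list surfaces = { &surfaces, &surfaces };  /* empty list head */
    struct surface s;
    int fake_output = 0;  /* constructed stand-in for an output object */
    list_insert(&surfaces, &s.link);
    s.output = &fake_output;
    if (surface_unmap(&s) != 0) return -2;  /* first unmap must succeed */
    s.output = &fake_output;  /* output re-assigned, link not re-attached */
    return destroy(&s);       /* second unmap attempt at teardown */
}

int main(void) {
    printf("output guard: %d\n", replay(destroy_output_guard));
    printf("link guard:   %d\n", replay(destroy_link_guard));
    return 0;
}
```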
(In reply to comment #1)
> • Dragging two flowers onto another flower;

Sorry, this is not quite right: you have to drag one flower onto another, then drag that flower onto a third flower.
This looks to have been fixed by <http://cgit.freedesktop.org/wayland/weston/commit/?id=de56c311d94e6df37537b9e05ec72863906902ff>
It is fixed in the System Environment below.

wayland: (master) 5b72fc7528aa9f7c655dd49a2227cfd1e3feeb76
libdrm: (master) a3c34f56b94d4d47cadcd9814c2684c11f800e7d
macros: (master) c0c42057e0d357c144e7933ee413b522950a0f17
glproto: (master) 29d5b553b30755a25300c30b67d39b37c9a76466
dri2proto: (master) 7fd18b15646a62bd82a4eb0eca60a34c1731813d
xproto: (master) 20202784b9700d973d5301f0cb3243eba99fc349
libX11: (master) abc523fce31fcf2687229697a8eb656e343ecb0c
mesa: (master) 2402ce04ae06f909e361782f5063fa3070091bf1
kbproto: (master) 391a1f6de6315fc0196d407d800597488315cccb
libxkbcommon: (master) 3d672fcfea6b823db4793b9ad1c3aadc4b547a08
pixman: (master) b9ca23a9c711280a706eb1df30a0cfaf3b2d8e27
cairo: (master) d18542b735bb777b444152f0ef06de18993635bd
weston: (master) 3448616bc3909faa2d7d2c559be845085a1b23ab
kernel: (drm-intel-next-queued) e7e58eb5c0d1d7d1a42fcb2b5a247d28ec08b47e
Verified. Fixed.