51054 – [bug] Clipboard crash

Bug 51054 - [bug] Clipboard crash

Summary: [bug] Clipboard crash

Status:	RESOLVED FIXED

Alias:	None

Product:	Wayland
Classification:	Unclassified
Component:	weston (show other bugs)
Version:	unspecified
Hardware:	Other All

Importance:	medium normal
Assignee:	Wayland bug list
QA Contact:

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2012-06-13 17:40 UTC by Scott Moreau
Modified:	2012-06-23 12:17 UTC (History)
CC List:	0 users

See Also:
i915 platform:
i915 features:

Attachments
structures in memory in the moment of crash. Note the notify() incorrect function pointer. (14.29 KB, application/postscript) 2012-06-13 18:03 UTC, min2	Details
View All

Description Scott Moreau 2012-06-13 17:40:58 UTC

Steps to reproduce:

1) Open weston-terminal
2) Ctrl+Shift+C
3) Close the terminal
4) Open a new weston-terminal
5) Ctrl+Shift+C


This crashes weston. It makes no difference if text is selected or not. Here is the bt:


(gdb) bt full
#0  0x00000000007b5350 in ?? ()
No symbol table info available.
#1  0x000000000041059c in wl_signal_emit (signal=0x757a50, data=0x757a20) at /home/user/wayland/include/wayland-server.h:166
        l = 0x8633c0
        next = 0x7c4268
#2  0x000000000041062b in clipboard_source_unref (source=0x757a20) at clipboard.c:63
        s = 0x7b16c0
#3  0x0000000000410ba9 in clipboard_set_selection (listener=0x7b7198, data=0x7c4220) at clipboard.c:228
        clipboard = 0x7b7190
        seat = 0x7c4220
        source = 0x788490
        mime_types = 0x7b16f0
        p = {7909432, 0}
#4  0x00007ffff6e48643 in wl_signal_emit (signal=0x7c4280, data=0x7c4220) at wayland-server.h:166
        l = 0x7b7198
        next = 0x7c4280
#5  0x00007ffff6e49333 in wl_seat_set_selection (seat=0x7c4220, source=0x788490, serial=66) at data-device.c:392
        data_device = 0x757ed0
        offer = 0x7b16c0
        focus = 0x744a90
#6  0x00007ffff6e493a5 in data_device_set_selection (client=0x7b5350, resource=0x757ed0, source_resource=0x788490, serial=66) at data-device.c:411
No locals.
#7  0x00000032a7205d64 in ffi_call_unix64 () from /usr/lib64/libffi.so.5
No symbol table info available.
#8  0x00000032a7205785 in ffi_call () from /usr/lib64/libffi.so.5
No symbol table info available.
#9  0x00007ffff6e4c059 in wl_closure_invoke (closure=0x857540, target=0x757ed0, func=0x7ffff6e49369 <data_device_set_selection>, data=0x7b5350) at connection.c:773
        result = 0
#10 0x00007ffff6e45e8a in wl_client_connection_data (fd=24, mask=1, data=0x7b5350) at wayland-server.c:253
        client = 0x7b5350
        connection = 0x83b1c0
        resource = 0x757ed0
        object = 0x757ed0
        closure = 0x857540
        message = 0x7ffff725bc98
        p = {8, 1048577}
        opcode = 1
        size = 16
        cmask = 1
        len = 0
#11 0x00007ffff6e49792 in wl_event_source_fd_dispatch (source=0x7b3020, ep=0x7fffffffdc70) at event-loop.c:79
        fd_source = 0x7b3020
        mask = 1
#12 0x00007ffff6e4a132 in wl_event_loop_dispatch (loop=0x61b9c0, timeout=-1) at event-loop.c:410
        ep = {{events = 1, data = {ptr = 0x7b3020, fd = 8073248, u32 = 8073248, u64 = 8073248}}, {events = 4, data = {ptr = 0x7b3020, fd = 8073248, u32 = 8073248, u64 = 8073248}}, {events = 0, data = {
              ptr = 0x0, fd = 0, u32 = 0, u64 = 0}}, {events = 0, data = {ptr = 0x7ffff725d858, fd = -148514728, u32 = 4146452568, u64 = 140737339840600}}, {events = 4294967295, data = {ptr = 0x1, fd = 1, 
              u32 = 1, u64 = 1}}, {events = 0, data = {ptr = 0x0, fd = 0, u32 = 0, u64 = 0}}, {events = 4142144365, data = {ptr = 0xf705285800007fff, fd = 32767, u32 = 32767, u64 = 17799677460674019327}}, {
            events = 1, data = {ptr = 0x7ffff725d000, fd = -148516864, u32 = 4146450432, u64 = 140737339838464}}, {events = 0, data = {ptr = 0x402a2d00000000, fd = 0, u32 = 0, u64 = 18060771271376896}}, {
            events = 0, data = {ptr = 0x0, fd = 0, u32 = 0, u64 = 0}}, {events = 2765821696, data = {ptr = 0xffffffff00000032, fd = 50, u32 = 50, u64 = 18446744069414584370}}, {events = 0, data = {
              ptr = 0x405c40, fd = 4217920, u32 = 4217920, u64 = 4217920}}, {events = 4142141424, data = {ptr = 0xf725d50000007fff, fd = 32767, u32 = 32767, u64 = 17808874497483243519}}, {events = 32767, 
            data = {ptr = 0x618828, fd = 6391848, u32 = 6391848, u64 = 6391848}}, {events = 0, data = {ptr = 0xf6e40cd800000000, fd = 0, u32 = 0, u64 = 17790358549872771072}}, {events = 32767, data = {
              ptr = 0x7ffff725d500, fd = -148515584, u32 = 4146451712, u64 = 140737339839744}}, {events = 4294967295, data = {ptr = 0xa460e60400000000, fd = 0, u32 = 0, u64 = 11844719924838662144}}, {
            events = 50, data = {ptr = 0x7fff00000001, fd = 1, u32 = 1, u64 = 140733193388033}}, {events = 0, data = {ptr = 0x21142000000000, fd = 0, u32 = 0, u64 = 9310801902960640}}, {events = 0, data = {
              ptr = 0x0, fd = 0, u32 = 0, u64 = 0}}, {events = 0, data = {ptr = 0x0, fd = 0, u32 = 0, u64 = 0}}, {events = 0, data = {ptr = 0x7ffff6e40000, fd = -152829952, u32 = 4142137344, 
              u64 = 140737335525376}}, {events = 2757813764, data = {ptr = 0x100000032, fd = 50, u32 = 50, u64 = 4294967346}}, {events = 0, data = {ptr = 0x0, fd = 0, u32 = 0, u64 = 0}}, {events = 0, data = {
              ptr = 0xf6e40ff000000000, fd = 0, u32 = 0, u64 = 17790361951486869504}}, {events = 32767, data = {ptr = 0x1, fd = 1, u32 = 1, u64 = 1}}, {events = 0, data = {ptr = 0xffffde3000000000, fd = 0, 
              u32 = 0, u64 = 18446706896472637440}}, {events = 32767, data = {ptr = 0x405c40, fd = 4217920, u32 = 4217920, u64 = 4217920}}, {events = 4294959472, data = {ptr = 0xa4614f0500007fff, fd = 32767, 
              u32 = 32767, u64 = 11844835377854578687}}, {events = 50, data = {ptr = 0x61b9c0, fd = 6404544, u32 = 6404544, u64 = 6404544}}, {events = 2762938986, data = {ptr = 0x303e0dcc00000032, fd = 50, 
              u32 = 50, u64 = 3476231132201091122}}, {events = 1314329481, data = {ptr = 0xffffffff, fd = -1, u32 = 4294967295, u64 = 4294967295}}}
        source = 0x7b3020
        i = 0
        count = 1
        n = 0
#13 0x00007ffff6e478c4 in wl_display_run (display=0x61b970) at wayland-server.c:1027
No locals.
#14 0x000000000040ec7b in main (argc=1, argv=0x7fffffffe178) at compositor.c:3363
        ret = 0
        display = 0x61b970
        ec = 0x61cba0
        signals = {0x61ba40, 0x61ba90, 0x61c130, 0x61c180}
        loop = 0x61b9c0
        segv_action = {__sigaction_handler = {sa_handler = 0x40e439 <on_segv_signal>, sa_sigaction = 0x40e439 <on_segv_signal>}, sa_mask = {__val = {0 <repeats 16 times>}}, sa_flags = -2147483644, 
          sa_restorer = 0x840}
        shell_module = 0x0
        backend_module = 0x1
        xserver_module = 0x7ffff5559e70
        module_init = 0
        backend_init = 0x7ffff534f5dc <backend_init>
        i = 1
        backend = 0x4145f4 "x11-backend.so"
        shell = 0x61c410 "desktop-shell.so"
        module = 0x0
        log = 0x0
        idle_time = 300
        xserver = 0
        socket_name = 0x0
        config_file = 0x61bae0 "\340\336{"
        shell_config_keys = {{name = 0x41447d "type", type = CONFIG_KEY_STRING, data = 0x7fffffffdf68}}
        cs = {{name = 0x414482 "shell", keys = 0x7fffffffdf30, num_keys = 1, done = 0}}
        core_options = {{type = WESTON_OPTION_STRING, name = 0x414488 "backend", short_name = 66, data = 0x7fffffffdf70}, {type = WESTON_OPTION_STRING, name = 0x414490 "socket", short_name = 83, 
            data = 0x7fffffffdf48}, {type = WESTON_OPTION_INTEGER, name = 0x414497 "idle-time", short_name = 105, data = 0x7fffffffdf54}, {type = WESTON_OPTION_BOOLEAN, name = 0x4144a1 "xserver", 
            short_name = 0, data = 0x7fffffffdf50}, {type = WESTON_OPTION_STRING, name = 0x4144a9 "module", short_name = 0, data = 0x7fffffffdf60}, {type = WESTON_OPTION_STRING, name = 0x4144b0 "log", 
            short_name = 0, data = 0x7fffffffdf58}}
(gdb) q


wayland master 6e94028c31d06999cb9848b1bd0348ea2f683516
weston  master bf1e8660edc9aee7c270f34ad624f91cd6dcfc1f

Comment 1 min2 2012-06-13 18:03:02 UTC

Created attachment 63001 [details]
structures in memory in the moment of crash. Note the notify() incorrect function pointer.

Comment 2 min2 2012-06-13 18:16:06 UTC

Function call log:

[03:14:51.900] clipboard_set_selection()
[03:14:51.900] clipboard_source_create()
[03:14:51.902] clipboard_source_data()
[03:14:51.902] clipboard_source_data()
[03:14:53.336] libwayland: disconnect from client 0x82ba9c0
[03:14:53.336] clipboard_set_selection()
[03:14:53.336] clipboard_set_selection()
[03:14:58.975] clipboard_set_selection()
[03:14:58.975] clipboard_source_unref()

Comment 3 min2 2012-06-15 08:41:45 UTC

Inside signal, there is listener list.
this listener list contains several items with corresponding notify() functions.
The first notify() function points to destroy_offer_data_source()
The second notify() func. points to 0x82c0b00. See log:

[17:19:44.882] libwayland: disconnect from client 0x82c0b00
[17:19:44.883] clipboard_copy(clipboard=0x82b24b8,seat=0x828fc38)
[17:19:44.883] clipboard_copy(clipboard=0x82b24b8,seat=0x828fc38)

It's clear that this points to client that has been destroyed.
Now we must somehow also remove this notify(). Too bad that there seems
to be no way for removing notify from wl_signal()

We must maybe remove it inside the two clipboard_copy() calls that follow the client disconnect.

That function clipboard_copy() is called two times for an unknown reason.

Comment 4 min2 2012-06-23 12:17:41 UTC

Ok this is now fixed since
data-device: Fix list corruption when the source goes away
c806dde7e61f4d06564bd3acf74dbba6cfa328c6

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.