66173 – SIGSEGV in wl_closure_marshal() core dumps Weston (corrupted double-linked list)

Bug 66173 - SIGSEGV in wl_closure_marshal() core dumps Weston (corrupted double-linked list)

Summary: SIGSEGV in wl_closure_marshal() core dumps Weston (corrupted double-linked list)

Status:	VERIFIED FIXED

Alias:	None

Product:	Wayland
Classification:	Unclassified
Component:	wayland (show other bugs)
Version:	unspecified
Hardware:	Other All

Importance:	high normal
Assignee:	Wayland bug list
QA Contact:

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2013-06-25 21:14 UTC by U. Artie Eoff
Modified:	2013-07-09 17:46 UTC (History)
CC List:	0 users

See Also:
i915 platform:
i915 features:

Attachments
gdb backtrace for surface_destroy code path (20.49 KB, text/plain) 2013-06-25 21:14 UTC, U. Artie Eoff	Details
weston core dump (9.52 KB, text/plain) 2013-06-25 21:15 UTC, U. Artie Eoff	Details
another code path (display_sync) that segvs during wl_closure_marshal (12.20 KB, text/plain) 2013-06-25 22:48 UTC, U. Artie Eoff	Details
View All

Description U. Artie Eoff 2013-06-25 21:14:57 UTC

Created attachment 81427 [details]
gdb backtrace for surface_destroy code path

SIGSEGV is encountered in connection.c::wl_closure_marshal() when fiddling around in gtk3-demo (see attached gdb backtrace):

1. Launch gtk3-demo
2. In the left pane (titled Widget), double-click the "Application window" demo from the list. 
3. On the "Application window" MenuBar, activate "Preferences->Color->Green"
4. Observe Weston segfaults.

wayland (master) heads/master-0-g3af748b
fontconfig (master) heads/master-0-gcd9b103
drm (master) heads/master-0-ga0178c0
mesa (master) heads/master-0-g464c694
libxkbcommon (master) heads/master-0-g6f06eb5
pixman (master) heads/master-0-g279bdcd
cairo (master) heads/master-0-g4d94391
weston (master) heads/master-0-ge2173b5
harfbuzz (master) heads/master-0-gf5da11e
glib (master) heads/master-0-g5989651
atk (master) ATK_2_9_3-0-gb2edff1
gdk-pixbuf (master) heads/master-0-g5f8c246
pango (master) heads/master-0-g5441062
at-spi2-core (master) AT_SPI2_CORE_2_9_3-0-gfeb130f
at-spi2-atk (master) AT_SPI2_ATK_2_9_3-0-g58d3185
gtk+ (master) heads/master-0-g0091fc3

Comment 1 U. Artie Eoff 2013-06-25 21:15:20 UTC

Created attachment 81428 [details]
weston core dump

Comment 2 U. Artie Eoff 2013-06-25 22:48:38 UTC

Created attachment 81432 [details]
another code path (display_sync) that segvs during wl_closure_marshal

Comment 3 Rob Bradford 2013-07-08 10:51:27 UTC

commit 27b1793857953927f842065a57cb5821a86bc671
Author: Rob Bradford <rob@linux.intel.com>
Date:   Wed Jun 26 18:08:46 2013 +0100

    compositor: rebuild the global list if we've removed a surface from it
    
    The list of surfaces used by weston_compositor_pick_surface() is
    maintained in list of surfaces stored on the compositor. This list is
    generated from the surfaces across all the layers using
    weston_compositor_build_surface_list.
    
    When destroying a surface the surface is "unmapped" with
    weston_surface_unmap which removes it from the layer list. However since
    the compositor surface list was only being rebuilt when the output was
    repainted a call to weston_compositor_pick_surface before the next
    output repaint would use an outdated surface list containing surfaces
    that have been partially destroyed.
    
    https://bugs.freedesktop.org/show_bug.cgi?id=65986
    https://bugs.freedesktop.org/show_bug.cgi?id=66173
    https://bugs.freedesktop.org/show_bug.cgi?id=66198

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.