-
xwl_unrealize_window() would use freed xwl_window which can lead to various memory corruption and crashes, as reported by valgrind: Invalid read of size 8 at 0x42C802: xwl_present_cleanup (xwayland-present.c:84) by 0x42BA67: xwl_unrealize_window (xwayland.c:601) by 0x541EE9: compUnrealizeWindow (compwindow.c:285) by 0x57E1FA: UnrealizeTree (window.c:2816) by 0x581189: UnmapWindow (window.c:2874) by 0x54EB26: ProcUnmapWindow (dispatch.c:879) by 0x554B7D: Dispatch (dispatch.c:479) by 0x558BE5: dix_main (main.c:276) by 0x7C4B1BA: (below main) (libc-start.c:308) Address 0xf520f60 is 96 bytes inside a block of size 184 free'd at 0x4C2EDAC: free (vg_replace_malloc.c:530) by 0x42B9FB: xwl_unrealize_window (xwayland.c:624) by 0x541EE9: compUnrealizeWindow (compwindow.c:285) by 0x57E1FA: UnrealizeTree (window.c:2816) by 0x581189: UnmapWindow (window.c:2874) by 0x54EB26: ProcUnmapWindow (dispatch.c:879) by 0x554B7D: Dispatch (dispatch.c:479) by 0x558BE5: dix_main (main.c:276) by 0x7C4B1BA: (below main) (libc-start.c:308) Block was alloc'd at at 0x4C2FB06: calloc (vg_replace_malloc.c:711) by 0x42B307: xwl_realize_window (xwayland.c:488) by 0x541E59: compRealizeWindow (compwindow.c:268) by 0x57DA40: RealizeTree (window.c:2617) by 0x580B28: MapWindow (window.c:2694) by 0x54EA2A: ProcMapWindow (dispatch.c:845) by 0x554B7D: Dispatch (dispatch.c:479) by 0x558BE5: dix_main (main.c:276) by 0x7C4B1BA: (below main) (libc-start.c:308) This is because UnrealizeTree() traverses the tree from top to bottom, which invalidates the assumption that if the Window doesn't feature an xwl_window on its own, it's the xwl_window of its first ancestor with one. This reverts commit 82df2ce3 Reviewed-by:Adam Jackson <ajax@redhat.com> Signed-off-by:
Olivier Fourdan <ofourdan@redhat.com>
8b8f9007
