Closed
Open
Opened Dec 02, 2018 by myfreeweb (@myfreeweb), Reporter

Bogus surface pointer in pointer_set_cursor when killing Galacritty terminal emulator

Galacritty is my terminal emulator (GTK shell for Alacritty, basically). I can close it with the X button just fine, but abruptly terminating it with something like killall galacritty causes a Weston crash:

==1666==ERROR: AddressSanitizer: SEGV on unknown address 0x61705c80031d (pc 0x00080037d1e4 bp 0x7fffffffc390 sp 0x7fffffffc370 T0)
==1666==The signal is caused by a READ memory access.
    #0 0x80037d1e3 in weston_surface_is_mapped /home/greg/src/gitlab.freedesktop.org/wayland/weston/libweston/compositor.c:1740:18
    #1 0x8003b6d85 in pointer_unmap_sprite /home/greg/src/gitlab.freedesktop.org/wayland/weston/libweston/input.c:1184:6
    #2 0x8003bda84 in pointer_set_cursor /home/greg/src/gitlab.freedesktop.org/wayland/weston/libweston/input.c:2746:4
    #3 0x800cd12e7 in ffi_call_unix64 (/usr/local/lib/libffi.so.6+0x62e7)

(lldb) fr sel 8
frame #8: 0x00000008003b6d86 libweston-5.so.0`pointer_unmap_sprite(pointer=0x00006120001b6040) at input.c:1184
   1181 {
   1182         struct weston_surface *surface = pointer->sprite->surface;
   1183
-> 1184         if (weston_surface_is_mapped(surface))
   1185                 weston_surface_unmap(surface);
   1186
   1187         wl_list_remove(&pointer->sprite_destroy_listener.link);
(lldb) fr v
(weston_pointer *) pointer = 0x00006120001b6040
(weston_surface *) surface = 0x000061705c800051

The surface address that we got (from libwayland-server's resource thing I guess) seems completely bogus, it's not a freed surface. ASan did not report a use-after-free in this case, and my logging of surface creation did not show any addresses near that surface.

UPD: I think I just reproduced that by just closing the subsurfaces demo.

UPD: even just closing gedit after a text file has been opened. This is related to the "fix" in #160 (comment 84684), but Galacritty caused Weston crashes before the "fix"; maybe there's a second bug hidden by that one right now.

Edited Dec 06, 2018 by myfreeweb
Reference: wayland/weston#169