Bogus surface pointer in pointer_set_cursor when killing Galacritty terminal emulator
Galacritty is my terminal emulator (GTK shell for Alacritty, basically). I can close it with the X button just fine, but abruptly terminating it with something like killall galacritty causes a Weston crash:
==1666==ERROR: AddressSanitizer: SEGV on unknown address 0x61705c80031d (pc 0x00080037d1e4 bp 0x7fffffffc390 sp 0x7fffffffc370 T0)
==1666==The signal is caused by a READ memory access.
#0 0x80037d1e3 in weston_surface_is_mapped /home/greg/src/gitlab.freedesktop.org/wayland/weston/libweston/compositor.c:1740:18
#1 0x8003b6d85 in pointer_unmap_sprite /home/greg/src/gitlab.freedesktop.org/wayland/weston/libweston/input.c:1184:6
#2 0x8003bda84 in pointer_set_cursor /home/greg/src/gitlab.freedesktop.org/wayland/weston/libweston/input.c:2746:4
#3 0x800cd12e7 in ffi_call_unix64 (/usr/local/lib/libffi.so.6+0x62e7)
(lldb) fr sel 8
frame #8: 0x00000008003b6d86 libweston-5.so.0`pointer_unmap_sprite(pointer=0x00006120001b6040) at input.c:1184
1181 {
1182 struct weston_surface *surface = pointer->sprite->surface;
1183
-> 1184 if (weston_surface_is_mapped(surface))
1185 weston_surface_unmap(surface);
1186
1187 wl_list_remove(&pointer->sprite_destroy_listener.link);
(lldb) fr v
(weston_pointer *) pointer = 0x00006120001b6040
(weston_surface *) surface = 0x000061705c800051
The surface address that we got (from libwayland-server's resource thing I guess) seems completely bogus, it's not a freed surface. ASan did not report a use-after-free in this case, and my logging of surface creation did not show any addresses near that surface.
UPD: I think I just reproduced that by just closing the subsurfaces demo..
UPD: even just closing gedit after a text file has been opened. This is related to the "fix" in #160 (comment 84684) but Galacritty caused Weston crashes before the "fix", maybe there's a second bug hidden by that one right now
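The backtrace above shows pointer_unmap_sprite dereferencing pointer->sprite->surface after the client that owned the cursor surface has gone away. As an added illustration of the lifetime discipline that keeps that dereference safe, here is a small self-contained C model (not Weston code; struct and function names such as surface_destroy, pointer_set_cursor and client_exit_scenario are hypothetical, as is the toy listener list): the cursor surface's destroy listener drops the sprite reference before the surface memory is released, and the unmap path tolerates a pointer that no longer has a sprite.

```c
/* Added example: a toy model of cursor-sprite lifetime handling.
 * Hypothetical names throughout; this is not the Weston implementation. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* Destroy listener: a surface notifies its listeners just before it dies. */
struct listener {
    void (*notify)(struct listener *l, void *data);
    struct listener *next;
};

struct surface {
    bool mapped;
    struct listener *destroy_listeners;
};

/* The cursor "sprite": a view that references a client surface. */
struct view {
    struct surface *surface;
};

struct pointer {
    struct view *sprite;                      /* NULL when no cursor is set */
    struct listener sprite_destroy_listener;
};

static void surface_add_destroy_listener(struct surface *s, struct listener *l)
{
    l->next = s->destroy_listeners;
    s->destroy_listeners = l;
}

static void listener_remove(struct surface *s, struct listener *l)
{
    struct listener **pp;
    for (pp = &s->destroy_listeners; *pp; pp = &(*pp)->next) {
        if (*pp == l) {
            *pp = l->next;
            l->next = NULL;
            return;
        }
    }
}

/* Unmap and drop the sprite. Safe to call when there is no sprite. */
static void pointer_unmap_sprite(struct pointer *p)
{
    if (!p->sprite)
        return;
    struct surface *s = p->sprite->surface;   /* still valid: s is alive */
    if (s->mapped)
        s->mapped = false;
    listener_remove(s, &p->sprite_destroy_listener);
    free(p->sprite);
    p->sprite = NULL;
}

/* Runs while the cursor surface is being destroyed (e.g. its client died):
 * drop our reference now so it never becomes a dangling pointer. */
static void pointer_handle_sprite_destroy(struct listener *l, void *data)
{
    struct pointer *p = container_of(l, struct pointer, sprite_destroy_listener);
    (void)data;
    free(p->sprite);
    p->sprite = NULL;
}

static void surface_destroy(struct surface *s)
{
    struct listener *l = s->destroy_listeners;
    while (l) {
        struct listener *next = l->next;      /* a listener may unlink itself */
        l->notify(l, s);
        l = next;
    }
    free(s);
}

static void pointer_set_cursor(struct pointer *p, struct surface *s)
{
    pointer_unmap_sprite(p);                  /* release the previous sprite */
    if (!s)
        return;
    p->sprite = calloc(1, sizeof *p->sprite);
    p->sprite->surface = s;
    p->sprite_destroy_listener.notify = pointer_handle_sprite_destroy;
    surface_add_destroy_listener(s, &p->sprite_destroy_listener);
    s->mapped = true;
}

/* Constructed scenario: a client sets a cursor, then dies abruptly, and the
 * compositor later runs pointer_set_cursor again. Returns true when no
 * stale surface pointer is ever touched. */
static bool client_exit_scenario(void)
{
    struct pointer p = {0};
    struct surface *cursor = calloc(1, sizeof *cursor);

    pointer_set_cursor(&p, cursor);
    bool was_set = p.sprite != NULL && p.sprite->surface == cursor;

    surface_destroy(cursor);                  /* client gone; listener fires */
    bool cleared = p.sprite == NULL;

    pointer_set_cursor(&p, NULL);             /* must be a no-op, not a read */
    return was_set && cleared && p.sprite == NULL;
}

int main(void)
{
    printf("client exit handled safely: %s\n",
           client_exit_scenario() ? "yes" : "no");
    return 0;
}
```

Building this with -fsanitize=address is the quickest way to confirm the model: if the destroy listener were removed, the second pointer_set_cursor would read through the freed surface and ASan would flag it, which is the shape of the failure in the report above (minus the bogus, never-allocated address, which this model cannot reproduce).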