Skip to content

Xserver crashes when ungrabbing pointer with touch events mask

Happens in X.Org X Server 1.20.1 (but also previous versions)

This happens when adding XI_Touch* to the XIGrabDevice mask, then grabbing/ungrabbing the device.

To reproduce, patch mutter with:

diff --git a/src/backends/x11/meta-backend-x11.c b/src/backends/x11/meta-backend-x11.c
index ed81364e2..7be6791ee 100644
--- a/src/backends/x11/meta-backend-x11.c
+++ b/src/backends/x11/meta-backend-x11.c
@@ -558,6 +558,9 @@ meta_backend_x11_grab_device (MetaBackend *backend,
   XISetMask (mask.mask, XI_Motion);
   XISetMask (mask.mask, XI_KeyPress);
   XISetMask (mask.mask, XI_KeyRelease);
+  XISetMask (mask.mask, XI_TouchBegin);
+  XISetMask (mask.mask, XI_TouchEnd);
+  XISetMask (mask.mask, XI_TouchUpdate);
 
   ret = XIGrabDevice (priv->xdisplay, device_id,
                       meta_backend_x11_get_xwindow (x11),

Then, I got two different stacktraces. With pure gnome-shell vanilla:

  • hit Super to enter the overview (causes a grab)
  • hit Super again to exit the overview (ungrab)
  • Hit super agan, touch a dock icon to start it.

And here we crash with:

#0  0x00007ffff631332d in __GI___libc_free (mem=0x190) at malloc.c:3085
        ar_ptr = <optimized out>
        p = <optimized out>
        hook = 0x0
#1  0x00005555555cb871 in xi2mask_free (mask=mask@entry=0x555555ea9770) at ../../../../dix/inpututils.c:1100
#2  0x00005555555c8844 in FreeGrab (pGrab=0x555555ea9700) at ../../../../dix/grabs.c:263
        __func__ = "FreeGrab"
#3  0x000055555569f98c in ProcXIUngrabDevice (client=0x555555d6e2c0) at ../../../../Xi/xigrabdev.c:169
        dev = 0x555555b5ecb0
        grab = 0x555555ea9700
        ret = 0
        time = <optimized out>
        stuff = <optimized out>
#4  0x00005555555ae91e in Dispatch () at ../../../../dix/dispatch.c:478
        result = <optimized out>
        client = 0x555555d6e2c0
        start_tick = 10
#5  0x00005555555b28c6 in dix_main (argc=3, argv=0x7fffffffe668, envp=<optimized out>) at ../../../../dix/main.c:276
        i = <optimized out>
        alwaysCheckForInput = {0, 1}
#6  0x00007ffff62a109b in __libc_start_main (main=
    0x55555559c640 <main>, argc=3, argv=0x7fffffffe668, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe658) at ../csu/libc-start.c:308
        result = <optimized out>
        unwind_buf = 
              {cancel_jmp_buf = {{jmp_buf = {0, 7232572333447558818, 93824992527952, 140737488348768, 0, 0, 3533662334381045410, 3533641806224012962}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x7fffffffe688, 0x7ffff7ffe190}, data = {prev = 0x0, cleanup = 0x0, canceltype = -6520}}}
        not_first_call = <optimized out>
#7  0x000055555559c67a in _start () at ../../../../Xi/xigrabdev.c:179

Other case (related)

  • Install an launcher extension such as dash-to-dock
  • Hit super to enter the overivew (grab)
  • Launch an application from dock (overview closes)
  • Touch another icon in the dock to launch it

And in such case we crash with:

#0  0x00005555555b7760 in IsParent (a=a@entry=0x555555d52760, b=b@entry=0x200011) at ../../../../dix/events.c:948
#1  0x00005555555b487b in CoreEnterLeaveEvents (mode=2, to=0x555555d52760, from=0x200011, dev=0x555555b52f70)
    at ../../../../dix/enterleave.c:547
#2  0x00005555555b487b in DoEnterLeaveEvents
    (pDev=pDev@entry=0x555555b52f70, sourceid=2, fromWin=0x200011, toWin=0x555555d52760, mode=mode@entry=2)
    at ../../../../dix/enterleave.c:606
#3  0x00005555555bef15 in DeactivatePointerGrab (mouse=0x555555b52f70) at ../../../../dix/events.c:1599
        grab = 0x555555edff60
        dev = <optimized out>
        wasPassive = <optimized out>
        wasImplicit = <optimized out>
        grab_resource = <optimized out>
        i = <optimized out>
#4  0x000055555569f98c in ProcXIUngrabDevice (client=0x555555d4e5a0) at ../../../../Xi/xigrabdev.c:169
        dev = 0x555555b52f70
        grab = 0x555555edff60
        ret = 0
        time = <optimized out>
        stuff = <optimized out>
#5  0x00005555555ae91e in Dispatch () at ../../../../dix/dispatch.c:478
        result = <optimized out>
        client = 0x555555d4e5a0
        start_tick = 25
#6  0x00005555555b28c6 in dix_main (argc=3, argv=0x7fffffffe668, envp=<optimized out>) at ../../../../dix/main.c:276
        i = <optimized out>
        alwaysCheckForInput = {0, 1}
#7  0x00007ffff62a109b in __libc_start_main (main=
    0x55555559c640 <main>, argc=3, argv=0x7fffffffe668, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe658) at ../csu/libc-start.c:308
        result = <optimized out>
        unwind_buf = 
              {cancel_jmp_buf = {{jmp_buf = {0, -2033628884764628718, 93824992527952, 140737488348768, 0, 0, -5291082698727528174, -5291061083607963374}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x7fffffffe688, 0x7ffff7ffe190}, data = {prev = 0x0, cleanup = 0x0, canceltype = -6520}}}
        not_first_call = <optimized out>
#8  0x000055555559c67a in _start () at ../../../../Xi/xigrabdev.c:179

All this is 100% reproducible, and blocks https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/272

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information