Wayfire crash while closing a firefox tab #2435

Closed
killown opened this issue Aug 18, 2024 · 0 comments
killown commented Aug 18, 2024

Wayfire crashed while closing a Firefox tab

DD 18-08-24 13:23:22.660 - [src/output/output.cpp:296] output DP-1: activate plugin scale
EE 18-08-24 13:23:23.498 - [xwayland/xwm.c:1619] xcb error: op ConfigureWindow (no minor), code Window (no extension), sequence 5611, value 14680070
EE 18-08-24 13:23:23.498 - [xwayland/xwm.c:1619] xcb error: op SendEvent (no minor), code Window (no extension), sequence 5612, value 14680070
EE 18-08-24 13:23:23.498 - [xwayland/xwm.c:1619] xcb error: op ChangeProperty (no minor), code Window (no extension), sequence 5614, value 14680070
EE 18-08-24 13:23:23.498 - [xwayland/xwm.c:1619] xcb error: op ChangeProperty (no minor), code Window (no extension), sequence 5616, value 14680070
EE 18-08-24 13:23:23.498 - [xwayland/xwm.c:1619] xcb error: op DeleteProperty (no minor), code Window (no extension), sequence 5617, value 14680070
EE 18-08-24 13:23:23.498 - [xwayland/xwm.c:1619] xcb error: op ChangeProperty (no minor), code Window (no extension), sequence 5618, value 14680070
EE 18-08-24 13:23:23.498 - [xwayland/xwm.c:1619] xcb error: op DeleteProperty (no minor), code Window (no extension), sequence 5619, value 14680070
EE 18-08-24 13:23:23.571 - [xwayland/xwm.c:1619] xcb error: op ChangeWindowAttributes (no minor), code Window (no extension), sequence 5622, value 14680083
DD 18-08-24 13:23:24.238 - [src/output/output.cpp:320] output DP-1: deactivate plugin scale
II 18-08-24 13:23:24.246 - [subprojects/filters/src/filters.cpp:440] Successfully compiled and applied shader.
DD 18-08-24 13:23:32.489 - [src/output/output.cpp:296] output DP-1: activate plugin expo
DD 18-08-24 13:23:33.276 - [src/output/output.cpp:320] output DP-1: deactivate plugin expo
DD 18-08-24 13:23:33.312 - [src/output/output.cpp:296] output DP-1: activate plugin scale
DD 18-08-24 13:23:34.244 - [src/output/output.cpp:320] output DP-1: deactivate plugin scale
II 18-08-24 13:23:34.285 - [subprojects/filters/src/filters.cpp:440] Successfully compiled and applied shader.
II 18-08-24 13:23:34.285 - [subprojects/filters/src/filters.cpp:369] Removing shader and transformer.
DD 18-08-24 13:23:34.839 - [src/output/output.cpp:296] output DP-1: activate plugin scale
DD 18-08-24 13:23:35.156 - [src/output/output.cpp:320] output DP-1: deactivate plugin scale
DD 18-08-24 13:23:35.414 - [src/output/output.cpp:296] output DP-1: activate plugin scale
DD 18-08-24 13:23:35.793 - [src/output/output.cpp:320] output DP-1: deactivate plugin scale
DD 18-08-24 13:23:35.919 - [src/output/output.cpp:296] output DP-1: activate plugin scale
DD 18-08-24 13:23:36.696 - [src/output/output.cpp:320] output DP-1: deactivate plugin scale
DD 18-08-24 13:23:37.342 - [src/output/output.cpp:296] output DP-1: activate plugin scale
DD 18-08-24 13:23:37.986 - [src/output/output.cpp:320] output DP-1: deactivate plugin scale
II 18-08-24 13:23:38.038 - [subprojects/filters/src/filters.cpp:440] Successfully compiled and applied shader.
II 18-08-24 13:23:38.039 - [subprojects/filters/src/filters.cpp:369] Removing shader and transformer.
DD 18-08-24 13:23:39.042 - [src/output/output.cpp:296] output DP-1: activate plugin expo
DD 18-08-24 13:23:39.745 - [src/output/output.cpp:320] output DP-1: deactivate plugin expo
DD 18-08-24 13:23:39.894 - [src/output/output.cpp:296] output DP-1: activate plugin scale
DD 18-08-24 13:23:41.163 - [src/output/output.cpp:320] output DP-1: deactivate plugin scale
II 18-08-24 13:23:41.206 - [subprojects/filters/src/filters.cpp:440] Successfully compiled and applied shader.
II 18-08-24 13:23:41.206 - [subprojects/filters/src/filters.cpp:369] Removing shader and transformer.
=================================================================
==1635==ERROR: AddressSanitizer: heap-use-after-free on address 0x51100112bb08 at pc 0x60d5f860d8b7 bp 0x7fffae2ee400 sp 0x7fffae2ee3f0
READ of size 16 at 0x51100112bb08 thread T0
    #0 0x60d5f860d8b6 in wf::scene::dnd_root_icon_root_node_t::get_bounding_box() ../src/core/seat/drag-icon.cpp:112
    #1 0x60d5f86a9c2f in wf::wlr_surface_controller_t::update_subsurface_order_and_position() ../src/view/wlr-surface-controller.cpp:103
    #2 0x60d5f84e7f77 in std::function<void (void*)>::operator()(void*) const /usr/include/c++/14.1.1/bits/std_function.h:591
    #3 0x60d5f84e7f77 in wf::wl_listener_wrapper::emit(void*) ../src/wl-listener-wrapper.tpp:57
    #4 0x60d5f84e7f77 in handle_wrapped_listener ../src/wl-listener-wrapper.tpp:10
    #5 0x7dd83d18d42d in wl_signal_emit_mutable (/usr/lib/libwayland-server.so.0+0x842d) (BuildId: 915b81a9d6d73724356b2d67e54f4fd5da5249d5)
    #6 0x7dd83c9676c9  (/usr/lib/libwlroots.so.12+0x756c9) (BuildId: de2dccf34d17331128d8dcba557a03deb2cfbc6a)
    #7 0x7dd83d0df595  (/usr/lib/libffi.so.8+0x7595) (BuildId: eecfa567f01d70c2ca4b60a1f7931e5634e41eea)
    #8 0x7dd83d0dc00d  (/usr/lib/libffi.so.8+0x400d) (BuildId: eecfa567f01d70c2ca4b60a1f7931e5634e41eea)
    #9 0x7dd83d0debd2 in ffi_call (/usr/lib/libffi.so.8+0x6bd2) (BuildId: eecfa567f01d70c2ca4b60a1f7931e5634e41eea)
    #10 0x7dd83d18be44  (/usr/lib/libwayland-server.so.0+0x6e44) (BuildId: 915b81a9d6d73724356b2d67e54f4fd5da5249d5)
    #11 0x7dd83d190c41  (/usr/lib/libwayland-server.so.0+0xbc41) (BuildId: 915b81a9d6d73724356b2d67e54f4fd5da5249d5)
    #12 0x7dd83d18f0a1 in wl_event_loop_dispatch (/usr/lib/libwayland-server.so.0+0xa0a1) (BuildId: 915b81a9d6d73724356b2d67e54f4fd5da5249d5)
    #13 0x7dd83d19110e in wl_display_run (/usr/lib/libwayland-server.so.0+0xc10e) (BuildId: 915b81a9d6d73724356b2d67e54f4fd5da5249d5)
    #14 0x60d5f84e3065 in main ../src/main.cpp:448
    #15 0x7dd83c145e07  (/usr/lib/libc.so.6+0x25e07) (BuildId: 98b3d8e0b8c534c769cb871c438b4f8f3a8e4bf3)
    #16 0x7dd83c145ecb in __libc_start_main (/usr/lib/libc.so.6+0x25ecb) (BuildId: 98b3d8e0b8c534c769cb871c438b4f8f3a8e4bf3)
    #17 0x60d5f84e7c74 in _start (/usr/bin/wayfire+0x101c74) (BuildId: 9f4c19dc60631aeb779c32af33d31866c1778025)

0x51100112bb08 is located 200 bytes inside of 232-byte region [0x51100112ba40,0x51100112bb28)
freed by thread T0 here:
    #0 0x7dd83caff652 in operator delete(void*, unsigned long) /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_new_delete.cpp:164
    #1 0x60d5f84e7f77 in std::function<void (void*)>::operator()(void*) const /usr/include/c++/14.1.1/bits/std_function.h:591
    #2 0x60d5f84e7f77 in wf::wl_listener_wrapper::emit(void*) ../src/wl-listener-wrapper.tpp:57
    #3 0x60d5f84e7f77 in handle_wrapped_listener ../src/wl-listener-wrapper.tpp:10
    #4 0x7dd83d18d42d in wl_signal_emit_mutable (/usr/lib/libwayland-server.so.0+0x842d) (BuildId: 915b81a9d6d73724356b2d67e54f4fd5da5249d5)
    #5 0x7dd83c94ca0b  (/usr/lib/libwlroots.so.12+0x5aa0b) (BuildId: de2dccf34d17331128d8dcba557a03deb2cfbc6a)
    #6 0x7dd83d18d42d in wl_signal_emit_mutable (/usr/lib/libwayland-server.so.0+0x842d) (BuildId: 915b81a9d6d73724356b2d67e54f4fd5da5249d5)
    #7 0x7dd83c94730f in wlr_data_source_destroy (/usr/lib/libwlroots.so.12+0x5530f) (BuildId: de2dccf34d17331128d8dcba557a03deb2cfbc6a)
    #8 0x7dd83c94cb78  (/usr/lib/libwlroots.so.12+0x5ab78) (BuildId: de2dccf34d17331128d8dcba557a03deb2cfbc6a)
    #9 0x60d5f877319a in wf::wlr_surface_pointer_interaction_t::handle_pointer_button(wlr_pointer_button_event const&) ../src/view/wlr-surface-pointer-interaction.hpp:177
    #10 0x60d5f8635cf8 in wf::pointer_t::send_button(wlr_pointer_button_event*, bool) ../src/core/seat/pointer.cpp:283
    #11 0x60d5f8650c44 in wf::pointer_t::handle_pointer_button(wlr_pointer_button_event*, wf::input_event_processing_mode_t) ../src/core/seat/pointer.cpp:235
    #12 0x60d5f86644ab in operator() ../src/core/seat/cursor.cpp:67
    #13 0x60d5f86644ab in __invoke_impl<void, wf::cursor_t::setup_listeners()::<lambda(void*)>&, void*> /usr/include/c++/14.1.1/bits/invoke.h:61
    #14 0x60d5f86644ab in __invoke_r<void, wf::cursor_t::setup_listeners()::<lambda(void*)>&, void*> /usr/include/c++/14.1.1/bits/invoke.h:111
    #15 0x60d5f86644ab in _M_invoke /usr/include/c++/14.1.1/bits/std_function.h:290
    #16 0x60d5f84e7f77 in std::function<void (void*)>::operator()(void*) const /usr/include/c++/14.1.1/bits/std_function.h:591
    #17 0x60d5f84e7f77 in wf::wl_listener_wrapper::emit(void*) ../src/wl-listener-wrapper.tpp:57
    #18 0x60d5f84e7f77 in handle_wrapped_listener ../src/wl-listener-wrapper.tpp:10
    #19 0x7dd83d18d42d in wl_signal_emit_mutable (/usr/lib/libwayland-server.so.0+0x842d) (BuildId: 915b81a9d6d73724356b2d67e54f4fd5da5249d5)
    #20 0x7dd83d18d42d in wl_signal_emit_mutable (/usr/lib/libwayland-server.so.0+0x842d) (BuildId: 915b81a9d6d73724356b2d67e54f4fd5da5249d5)
    #21 0x7dd83c93f420  (/usr/lib/libwlroots.so.12+0x4d420) (BuildId: de2dccf34d17331128d8dcba557a03deb2cfbc6a)
    #22 0x7dd83d18f0a1 in wl_event_loop_dispatch (/usr/lib/libwayland-server.so.0+0xa0a1) (BuildId: 915b81a9d6d73724356b2d67e54f4fd5da5249d5)
    #23 0x7dd83d19110e in wl_display_run (/usr/lib/libwayland-server.so.0+0xc10e) (BuildId: 915b81a9d6d73724356b2d67e54f4fd5da5249d5)
    #24 0x60d5f84e3065 in main ../src/main.cpp:448
    #25 0x7dd83c145e07  (/usr/lib/libc.so.6+0x25e07) (BuildId: 98b3d8e0b8c534c769cb871c438b4f8f3a8e4bf3)
    #26 0x7dd83c145ecb in __libc_start_main (/usr/lib/libc.so.6+0x25ecb) (BuildId: 98b3d8e0b8c534c769cb871c438b4f8f3a8e4bf3)
    #27 0x60d5f84e7c74 in _start (/usr/bin/wayfire+0x101c74) (BuildId: 9f4c19dc60631aeb779c32af33d31866c1778025)

previously allocated by thread T0 here:
    #0 0x7dd83cafe4f2 in operator new(unsigned long) /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_new_delete.cpp:95
    #1 0x60d5f8698acb in std::__detail::_MakeUniq<wf::drag_icon_t>::__single_object std::make_unique<wf::drag_icon_t, wlr_drag_icon*&>(wlr_drag_icon*&) /usr/include/c++/14.1.1/bits/unique_ptr.h:1076
    #2 0x60d5f8698acb in operator() ../src/core/seat/seat.cpp:269
    #3 0x60d5f8698acb in __invoke_impl<void, wf::seat_t::seat_t(wl_display*, std::string)::<lambda(void*)>&, void*> /usr/include/c++/14.1.1/bits/invoke.h:61
    #4 0x60d5f8698acb in __invoke_r<void, wf::seat_t::seat_t(wl_display*, std::string)::<lambda(void*)>&, void*> /usr/include/c++/14.1.1/bits/invoke.h:111
    #5 0x60d5f8698acb in _M_invoke /usr/include/c++/14.1.1/bits/std_function.h:290
    #6 0x60d5f84e7f77 in std::function<void (void*)>::operator()(void*) const /usr/include/c++/14.1.1/bits/std_function.h:591
    #7 0x60d5f84e7f77 in wf::wl_listener_wrapper::emit(void*) ../src/wl-listener-wrapper.tpp:57
    #8 0x60d5f84e7f77 in handle_wrapped_listener ../src/wl-listener-wrapper.tpp:10
    #9 0x7dd83d18d42d in wl_signal_emit_mutable (/usr/lib/libwayland-server.so.0+0x842d) (BuildId: 915b81a9d6d73724356b2d67e54f4fd5da5249d5)
    #10 0x60d5f867ed2a in wf::seat_t::impl::validate_drag_request(wlr_seat_request_start_drag_event*) ../src/core/seat/seat.cpp:430
    #11 0x60d5f84e7f77 in std::function<void (void*)>::operator()(void*) const /usr/include/c++/14.1.1/bits/std_function.h:591
    #12 0x60d5f84e7f77 in wf::wl_listener_wrapper::emit(void*) ../src/wl-listener-wrapper.tpp:57
    #13 0x60d5f84e7f77 in handle_wrapped_listener ../src/wl-listener-wrapper.tpp:10
    #14 0x7dd83d18d42d in wl_signal_emit_mutable (/usr/lib/libwayland-server.so.0+0x842d) (BuildId: 915b81a9d6d73724356b2d67e54f4fd5da5249d5)
    #15 0x7dd83c9498db in wlr_seat_request_start_drag (/usr/lib/libwlroots.so.12+0x578db) (BuildId: de2dccf34d17331128d8dcba557a03deb2cfbc6a)
    #16 0x7dd83d0df595  (/usr/lib/libffi.so.8+0x7595) (BuildId: eecfa567f01d70c2ca4b60a1f7931e5634e41eea)

SUMMARY: AddressSanitizer: heap-use-after-free ../src/core/seat/drag-icon.cpp:112 in wf::scene::dnd_root_icon_root_node_t::get_bounding_box()
Shadow bytes around the buggy address:
  0x51100112b880: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x51100112b900: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x51100112b980: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x51100112ba00: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x51100112ba80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x51100112bb00: fd[fd]fd fd fd fa fa fa fa fa fa fa fa fa fa fa
  0x51100112bb80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x51100112bc00: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x51100112bc80: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x51100112bd00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x51100112bd80: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1635==ABORTING
(EE) failed to read Wayland events: Broken pipe
@killown killown added the bug label Aug 18, 2024
@ammen99 ammen99 added this to the 0.9 milestone Aug 20, 2024
ammen99 added a commit that referenced this issue Aug 21, 2024
The drag icon object may go away, but the scenegraph nodes may outlive
it. We need to make sure to handle this case.

Fixes #2435
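
The lifetime problem the commit message describes, as an added sketch that is not Wayfire's code or the actual fix: a reference-counted scenegraph node keeps a raw back-pointer to the icon object that created it, and the icon is freed first. `icon_t`, `icon_node_t` and `box_t` are hypothetical stand-ins for the types named in the trace; the guard shown (clear the back-pointer in the destructor, check it before reading) is one way to handle the case.

```cpp
#include <cstdio>
#include <memory>

// Hypothetical stand-ins, not Wayfire's real classes.
struct box_t { int x, y, w, h; };
struct icon_t;

// Scenegraph node: shared ownership, so it can outlive the icon that made it.
struct icon_node_t
{
    icon_t *icon; // non-owning back-pointer to the icon
    explicit icon_node_t(icon_t *ic) : icon(ic) {}
    box_t get_bounding_box() const;
};

// The icon object: owned by a unique_ptr and destroyed when the drag ends.
struct icon_t
{
    box_t geometry{10, 20, 32, 32};
    std::shared_ptr<icon_node_t> node = std::make_shared<icon_node_t>(this);
    // Guard: detach the node before this object's memory is released.
    ~icon_t() { node->icon = nullptr; }
};

box_t icon_node_t::get_bounding_box() const
{
    // Without this check and the reset in ~icon_t(), the read below would
    // touch freed memory, the shape ASan reports as heap-use-after-free.
    if (!icon) return {0, 0, 0, 0};
    return icon->geometry;
}

// The node is queried while the icon still exists.
box_t query_while_icon_alive()
{
    auto icon = std::make_unique<icon_t>();
    return icon->node->get_bounding_box();
}

// The icon is destroyed while something else still holds the node,
// then a later event asks the node for its bounding box.
box_t query_after_icon_destroyed()
{
    auto icon = std::make_unique<icon_t>();
    std::shared_ptr<icon_node_t> scene_ref = icon->node;
    icon.reset(); // the icon object goes away; the node survives
    return scene_ref->get_bounding_box();
}

int main()
{
    box_t b = query_after_icon_destroyed();
    std::printf("%d %d %d %d\n", b.x, b.y, b.w, b.h);
}
```

Building this with `-fsanitize=address` and removing the two guard lines produces a report of the same kind as the one in this issue.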