[Wayland-bugs] [Bug 52198] New: weston segfaults after two drag and drops in dnd example and closing it

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Tue Jul 17 13:17:42 PDT 2012


https://bugs.freedesktop.org/show_bug.cgi?id=52198

             Bug #: 52198
           Summary: weston segfaults after two drag and drops in dnd
                    example and closing it
    Classification: Unclassified
           Product: Wayland
           Version: unspecified
          Platform: x86-64 (AMD64)
        OS/Version: Linux (All)
            Status: NEW
          Severity: normal
          Priority: medium
         Component: wayland
        AssignedTo: wayland-bugs at lists.freedesktop.org
        ReportedBy: dmitry.guryanov at gmail.com


Created attachment 64314
  --> https://bugs.freedesktop.org/attachment.cgi?id=64314
possible fix for the bug

weston segfaults if you make two drag'n'drops in dnd and then close it (dnd).

I've tried to investigate the problem and found a possible solution; the patch
is in the attachment.

In the function drag_grab_button in the wayland code we first call
data_device_end_drag_grab,
which sets seat->drag_data_source to NULL. Then we remove
the listener from the list only if drag_data_source is not NULL.

So if the client does not free wl_data_source and starts another drag'n'drop
after the first one, then two wl_data_source structures will be
freed on client exit (let's name them s1 and s2).

The next and prev pointers of
wl_data_source.resource.destroy_signal.listener_list in both
wl_data_source structures will be seat->drag_data_source_listener,
but next and prev in seat->drag_data_source_listener.link point
to listener_list in s2.

So if you try to iterate over listener_list in s1
then you get drag_data_source_listener as the first item and
(struct wl_listener *)(&s2.resource.destroy_signal.listener_list)

Iteration over that list occurs in
wl_resource_destroy->destroy_resource->wl_signal_emit->wl_signal_emit
and tries to call a function at the address of wl_resource->client, so
weston segfaults there.
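
The pointer state described in the report can be reproduced with a small model of the list operations. This is an added example, not code from the report, the attached patch or the Wayland tree: `struct list` is a simplified stand-in for `wl_list`, `s1_walk_reaches_s2_head` is a hypothetical name, and the "fix" branch assumes a fix that unlinks the listener when the first drag ends.

```c
#include <stdio.h>

/* Simplified stand-in for wl_list: same insert/remove pointer updates. */
struct list { struct list *prev, *next; };

static void list_init(struct list *l) { l->prev = l->next = l; }

static void list_insert(struct list *at, struct list *elm)
{
    elm->prev = at;
    elm->next = at->next;
    at->next = elm;
    elm->next->prev = elm;
}

static void list_remove(struct list *elm)
{
    elm->prev->next = elm->next;
    elm->next->prev = elm->prev;
}

/* Returns 1 if walking s1's listener list reaches s2's list head, which an
 * emit loop would treat as a struct wl_listener; 0 if the walk ends at s1. */
int s1_walk_reaches_s2_head(int unlink_at_drag_end)
{
    struct list s1, s2, listener; /* listener: drag_data_source_listener.link */
    struct list *pos;
    int steps;

    list_init(&s1);
    list_init(&s2);
    list_insert(s1.prev, &listener);      /* first drag: added to s1 */
    if (unlink_at_drag_end)
        list_remove(&listener);           /* assumed fix, not the real patch */
    list_insert(s2.prev, &listener);      /* second drag: added to s2 */

    /* Bounded walk: the corrupted list never returns to &s1. */
    for (pos = s1.next, steps = 0; pos != &s1 && steps < 8; pos = pos->next, steps++)
        if (pos == &s2)
            return 1;
    return 0;
}

int main(void)
{
    printf("stale link: reaches s2 head = %d\n", s1_walk_reaches_s2_head(0));
    printf("unlinked:   reaches s2 head = %d\n", s1_walk_reaches_s2_head(1));
    return 0;
}
```

The walk is capped at eight steps because, with the stale link, `s1`'s list cycles between the listener and `s2`'s head and never returns to `&s1`.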
