[Wayland-bugs] [Bug 46450] wayland client demo 'dnd' crash weston when it exit on x11 backend

Thu Mar 8 09:22:08 PST 2012

https://bugs.freedesktop.org/show_bug.cgi?id=46450

--- Comment #1 from Will Thompson <will.thompson at collabora.co.uk> 2012-03-08 09:22:08 PST ---
I can reliably crash Weston using the dnd demo as follows:

• Launching clients/dnd;
• Dragging two flowers onto another flower;
• Unfocus, then refocus, the DND test app's window (otherwise it doesn't
respond to right clicks);
• Right click it and choose Close.

The backtrace I see is a little different to zhao jian's:

#0  0x00007ffff79d8157 in wl_list_remove (elm=0x9237e8) at
../../src/wayland-util.c:50
#1  0x0000000000408e39 in weston_surface_unmap (surface=0x923720)
    at ../../src/compositor.c:607
#2  0x0000000000408eac in destroy_surface (resource=0x923720)
    at ../../src/compositor.c:627
#3  0x00007ffff79d84b9 in for_each_helper (data=0x7fffffffdeec, 
    func=0x7ffff79d3db0 <destroy_resource>, entries=<optimized out>)
    at ../../src/wayland-util.c:264
#4  wl_map_for_each (map=0x886338, func=0x7ffff79d3db0 <destroy_resource>, 
    data=0x7fffffffdeec) at ../../src/wayland-util.c:270
#5  0x00007ffff79d4402 in wl_client_destroy (client=0x886300)
    at ../../src/wayland-server.c:420
#6  0x00007ffff79d4541 in wl_client_connection_data (fd=<optimized out>, 
    mask=<optimized out>, data=0x886300) at ../../src/wayland-server.c:260
#7  0x00007ffff79d6962 in wl_event_loop_dispatch (loop=0x616900,
timeout=<optimized out>)
    at ../../src/event-loop.c:462
#8  0x00007ffff79d4d7d in wl_display_run (display=0x6168b0)
    at ../../src/wayland-server.c:847
#9  0x000000000040677f in main (argc=<optimized out>, argv=<optimized out>)
    at ../../src/compositor.c:2583

The crashing line is

50        elm->prev->next = elm->next;

which segfaults because prev (and, for that matter, next) are NULL.

Throwing in some breakpoints shows that weston_surface_unmap() gets called for
the crashing surface twice: first after ending a drag, and second when the
window is closed.

Immediately after the first call, there is a final call to
weston_surface_assign_output() on the surface, which re-sets ->output on the
surface but does not re-attach it to a list. But the call to
weston_surface_unmap() in destroy_surface() is guarded by checking ->output,
so…

-- 
Configure bugmail: https://bugs.freedesktop.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.