<html>
<head>
<base href="https://bugzilla.gnome.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - EGL wayland surfaces are freed too early (?)"
href="https://bugzilla.gnome.org/show_bug.cgi?id=780681">780681</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>EGL wayland surfaces are freed too early (?)
</td>
</tr>
<tr>
<th>Classification</th>
<td>Platform
</td>
</tr>
<tr>
<th>Product</th>
<td>gtk+
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>Normal
</td>
</tr>
<tr>
<th>Component</th>
<td>Backend: Wayland
</td>
</tr>
<tr>
<th>Assignee</th>
<td>gtk-bugs@gtk.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>mihailescu2m@gmail.com
</td>
</tr>
<tr>
<th>QA Contact</th>
<td>gtk-bugs@gtk.org
</td>
</tr>
<tr>
<th>CC</th>
<td>rob@robster.org.uk, wayland-bugs@lists.freedesktop.org
</td>
</tr>
<tr>
<th>GNOME version</th>
<td>---
</td>
</tr></table>
<p>
<div>
<pre>GTK+ EGL applications such as totem or gnome-maps on wayland segfault on exit
because they try to use surfaces that have been already freed. The issue seems
to be in GDK, because in gnome, they crash the entire session (gnome-shell also
crashes), but in weston only the application throws segfault when exiting. I
am assuming this is because weston does not use GTK+ but gnome-shell does.
This is an example trace from totem:
----------------------------------------------------------------------------
Core was generated by `totem bbb_720p.mov'.
Program terminated with signal SIGSEGV, Segmentation fault.
</pre>
<table border="0" cellpadding="0" cellspacing="0"><tr><td>
<div class="trace bz_default_hidden"
id="trace_237295">
<ul class="frames">
<li class="frame ">
<span class="frame_number">#0</span>
<span class="frame_function">get_next_argument</span>
<div class="frame_file_container">
at <span class="frame_file">../src/connection.c</span>
line
<span class="frame_line">430</span>
</div>
</li>
<li class="frame ">
<span class="frame_number">#1</span>
<span class="frame_function">wl_argument_from_va_list</span>
<div class="frame_file_container">
at <span class="frame_file">../src/connection.c</span>
line
<span class="frame_line">493</span>
</div>
</li>
<li class="frame ">
<span class="frame_number">#2</span>
<span class="frame_function">wl_proxy_marshal</span>
<div class="frame_file_container">
at <span class="frame_file">../src/wayland-client.c</span>
line
<span class="frame_line">692</span>
</div>
</li>
<li class="frame ">
<span class="frame_number">#3</span>
<span class="frame_function">window_surface_delete</span>
<div class="frame_library_container">
from
<span class="frame_library">/usr/lib/arm-linux-gnueabihf/egl-current/libwayland-egl.so.1</span>
</div>
</li>
<li class="frame ">
<span class="frame_number">#4</span>
<span class="frame_function">eglp_window_surface_specific_deinitialization</span>
<div class="frame_library_container">
from
<span class="frame_library">/usr/lib/arm-linux-gnueabihf/egl-current/libwayland-egl.so.1</span>
</div>
</li>
<li class="frame ">
<span class="frame_number">#5</span>
<span class="frame_function">eglp_delete_surface</span>
<div class="frame_library_container">
from
<span class="frame_library">/usr/lib/arm-linux-gnueabihf/egl-current/libwayland-egl.so.1</span>
</div>
</li>
<li class="frame ">
<span class="frame_number">#6</span>
<span class="frame_function">eglp_destroy_all_non_current_surfaces</span>
<div class="frame_library_container">
from
<span class="frame_library">/usr/lib/arm-linux-gnueabihf/egl-current/libwayland-egl.so.1</span>
</div>
</li>
<li class="frame ">
<span class="frame_number">#7</span>
<span class="frame_function">eglp_try_display_finish_terminating</span>
<div class="frame_library_container">
from
<span class="frame_library">/usr/lib/arm-linux-gnueabihf/egl-current/libwayland-egl.so.1</span>
</div>
</li>
<li class="frame ">
<span class="frame_number">#8</span>
<span class="frame_function">eglTerminate</span>
<div class="frame_library_container">
from
<span class="frame_library">/usr/lib/arm-linux-gnueabihf/egl-current/libwayland-egl.so.1</span>
</div>
</li>
<li class="frame ">
<span class="frame_number">#9</span>
<span class="frame_function">eglp_unload_callback</span>
<div class="frame_library_container">
from
<span class="frame_library">/usr/lib/arm-linux-gnueabihf/egl-current/libwayland-egl.so.1</span>
</div>
</li>
<li class="frame ">
<span class="frame_number">#10</span>
<span class="frame_function">osup_term_unload_hooks</span>
<div class="frame_library_container">
from
<span class="frame_library">/usr/lib/arm-linux-gnueabihf/egl-current/libwayland-egl.so.1</span>
</div>
</li>
<li class="frame ">
<span class="frame_number">#11</span>
<span class="frame_function">osup_c_unload_hook</span>
<div class="frame_library_container">
from
<span class="frame_library">/usr/lib/arm-linux-gnueabihf/egl-current/libwayland-egl.so.1</span>
</div>
</li>
<li class="frame ">
<span class="frame_number">#12</span>
<span class="frame_function">??</span>
<div class="frame_library_container">
from
<span class="frame_library">/lib/ld-linux-armhf.so.3</span>
</div>
</li>
</ul>
</div>
</td></tr></table>
<pre class="bz_comment_text" >
(gdb) print (struct wl_proxy) *0x7f6bedb0
$3 = {object = {interface = 0x7fe1bfc8, implementation = 0x7fb51c30, id = 44},
display = 0x7f660ec0, queue = 0x7f660f2c, flags = 2, refcount = 1, user_data =
0x0, dispatcher = 0x0, version = 3}
(gdb) print (struct wl_interface) *0x7fe1bfc8 # => this is proxy->interface -
you can see the name is garbage already
$4 = {name = 0xa93e931d
"iXh\377\367าบ\022KP!0\265{D\021L\205\260\025F\034Y#h\003\223\377\367\f\354\016IjF",
version = 49, method_count = -2147421248, methods = 0x7f6beda8, event_count =
0, events = 0x0}
(gdb) print (struct wl_message) *0x7f6beda8 # => this is
proxy->interface->methods => you can see the signature field cannot be accessed
(0x31 is invalid) leading to the segmentation fault
$5 = {name = 0x0, signature = 0x31 <error: Cannot access memory at address
0x31>, types = 0x7fe1bfc8}
----------------------------------------------------------------------------
This is running gtk+ 3.22.8 (debian stretch) on armhf architecture with Mali
T628 GPU using the ARM wayland drivers version r12p0. All files in the
egl-current directory (including libwayland-egl.so) are symlinks to the binary
mali driver libmali.so
I've raised the issue first with ARM (see
<a href="https://community.arm.com/graphics/f/discussions/8146/r12p0-wayland-driver-odroid-xu3-frees-objects-too-early-leading-to-segm-fault">https://community.arm.com/graphics/f/discussions/8146/r12p0-wayland-driver-odroid-xu3-frees-objects-too-early-leading-to-segm-fault</a>)
and after investigation I was told by an ARM engineer that the issue probably
is in GDK:
<quote>
This segfault can happen if the application frees the Wayland surface too
early, specifically if the associated EGL surface is still current. If this is
the case, the application is doing something like the following during clean
up:
eglDestroySurface(egl_surface);
wl_egl_window_destroy(wl_egl_window_win);
wl_surface_destroy(wl_surface);
If egl_surface was either the draw or read argument in the previous call to
eglMakeCurrent, egl_surface and wl_egl_window_win are only marked for deletion
and are still in use. Destroying wl_surface results in the SEGFAULT when the
driver subsequently needs to do something with the wl_surface (in this case,
part of deletion). EGL spec 1.5 sections 3.5.5 and 3.2 cover the lifetime of
EGL objects.
There are 2 possible application fixes you could consider:
* Call eglMakeCurrent(display, EGL_NO_SURFACE, EGL_NO_SURFACE, EGL_NO_CONTEXT)
before destroying the surface.
* Call eglTerminate() instead of destroying the surfaces individually.
I'm reasonably confident that this is an issue in GDK (or how totem is calling
GTK+) rather than the driver.
</quote></pre>
</div>
</p>
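<p>The lifetime rule from the quoted explanation, as an added example that is not part of the original report and is not GDK, EGL or Mali driver code: a small C model (every <code>m_</code> name is hypothetical) in which destroying a surface that is still current only marks it for deletion, so the final deletion touches a wl_surface that is already gone unless the surface is released first.</p>
<pre>
```c
/* Constructed model of the teardown order in the report; not real EGL/Wayland. */
struct m_wl_surface { int alive; };
struct m_egl_surface {
    struct m_wl_surface *wl; /* driver still needs this at final deletion */
    int current;             /* draw/read surface of the last eglMakeCurrent */
    int pending;             /* destroy requested while still current */
    int deleted;
};

static int stale_uses; /* times the model driver touched a dead wl_surface */

/* Final deletion: the point where the real trace calls wl_proxy_marshal. */
static void m_finalize(struct m_egl_surface *s) {
    if (s->deleted) return;
    if (!s->wl->alive) stale_uses++; /* use-after-free in the real driver */
    s->deleted = 1;
    s->pending = 0;
}

/* Models eglDestroySurface: a current surface is only marked for deletion. */
static void m_egl_destroy_surface(struct m_egl_surface *s) {
    if (s->current) s->pending = 1;
    else m_finalize(s);
}

/* Models eglMakeCurrent(dpy, EGL_NO_SURFACE, EGL_NO_SURFACE, EGL_NO_CONTEXT). */
static void m_make_current_none(struct m_egl_surface *s) {
    s->current = 0;
    if (s->pending) m_finalize(s);
}

static void m_wl_surface_destroy(struct m_wl_surface *w) { w->alive = 0; }

/* Models the unload hook that ends in eglTerminate (frames #11 to #3). */
static void m_driver_unload(struct m_egl_surface *s) { m_finalize(s); }

/* Runs the cleanup sequence; returns how often a dead wl_surface was used. */
int teardown(int release_current_first) {
    struct m_wl_surface wl = { 1 };
    struct m_egl_surface egl = { &wl, 1, 0, 0 };
    stale_uses = 0;
    if (release_current_first) m_make_current_none(&egl);
    m_egl_destroy_surface(&egl);
    m_wl_surface_destroy(&wl);
    m_driver_unload(&egl);
    return stale_uses;
}

int main(void) { return teardown(1); } /* fixed order: exit status 0 */
```
</pre>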
</body>
</html>