[PATCH 1/2] xwayland-input: Fix a crasher for a race with the Wayland compositor

Jasper St. Pierre jstpierre at mecheye.net
Mon Jun 30 17:29:33 PDT 2014

If something quickly maps and unmaps a window, then we'll immediately
create and destroy the Wayland surface that cooresponds to that
window. If our mouse pointer is over the window when the surface is
created, we'll receive a enter on the window.

Since resource creation and destruction is not synchronous, that
means that the compositor will queue up an event for a resource that's
eventually destroyed. On the client-side, when we receive this message,
we note that the resource isn't allocated, and get a NULL surface in our
enter handler. We immediately try to dereference this, and then crash.

This was caused by running gtkperf while moving the window a lot.
 hw/xwayland/xwayland-input.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/hw/xwayland/xwayland-input.c b/hw/xwayland/xwayland-input.c
index 990cb82..469ef25 100644
--- a/hw/xwayland/xwayland-input.c
+++ b/hw/xwayland/xwayland-input.c
@@ -152,6 +152,15 @@ pointer_handle_enter(void *data, struct wl_pointer *pointer,
     ScreenPtr pScreen = xwl_seat->xwl_screen->screen;
     ValuatorMask mask;
+    /* There's a race here where if we create and then immediately
+     * destroy a surface, we might end up in a state where the Wayland
+     * compositor sends us an event for a surface that doesn't exist.
+     *
+     * Don't process enter events in this case.
+     */
+    if (surface == NULL)
+        return;
     xwl_seat->xwl_screen->serial = serial;
     xwl_seat->pointer_enter_serial = serial;

More information about the xorg-devel mailing list