Bug 1376569

Summary: [Wayland] mutter: is_surface_effectively_synchronized() kills whole session
Product: [Fedora] Fedora
Reporter: Nicolas Dufresne <nicolas>
Component: mutter
Assignee: Florian Müllner <fmuellner>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 27
CC: fmuellner, otaylor, stransky, swt, walters
Keywords: Reopened
Hardware: x86_64
OS: Unspecified
URL: https://retrace.fedoraproject.org/faf/reports/bthash/db695a5b350d6fe7697058dcfdb489de2788ae77
See Also: https://gitlab.gnome.org/GNOME/mutter/issues/124
Whiteboard: abrt_hash:5b0d87293dafffd28fa9fcaddedee28b1c1fac42;VARIANT_ID=workstation;
Last Closed: 2018-05-15 14:10:09 UTC
Bug Blocks: 1277927
Attachments (flags: none on all):
File: backtrace
File: cgroup
File: core_backtrace
File: dso_list
File: environ
File: exploitable
File: limits
File: maps
File: mountinfo
File: namespaces
File: open_fds
File: proc_pid_status
File: var_log_messages

Description Nicolas Dufresne 2016-09-15 18:35:06 UTC
Description of problem:
I was running gtkwaylandsink, a test of the waylandsink element in gst-plugins-bad. It worked until I pressed
the X button. At that moment the entire compositor crashed. Does not happen in Weston.

Version-Release number of selected component:
gnome-shell-3.20.4-1.fc24

Additional info:
reporter:       libreport-2.7.2
backtrace_rating: 4
cmdline:        /usr/bin/gnome-shell
crash_function: is_surface_effectively_synchronized
executable:     /usr/bin/gnome-shell
global_pid:     29942
kernel:         4.7.2-201.fc24.x86_64
pkg_fingerprint: 73BD E983 81B4 6521
pkg_vendor:     Fedora Project
runlevel:       N 5
type:           CCpp
uid:            1000

Truncated backtrace:
Thread no. 1 (10 frames)
 #0 is_surface_effectively_synchronized at wayland/meta-wayland-surface.c:590
 #1 meta_wayland_surface_commit at wayland/meta-wayland-surface.c:814
 #2 wl_surface_commit at wayland/meta-wayland-surface.c:966
 #3 ffi_call_unix64 at ../src/x86/unix64.S:76
 #4 ffi_call at ../src/x86/ffi64.c:525
 #5 wl_closure_invoke at src/connection.c:949
 #6 wl_client_connection_data at src/wayland-server.c:337
 #7 wl_event_loop_dispatch at src/event-loop.c:421
 #8 wayland_event_source_dispatch at wayland/meta-wayland.c:77
 #13 meta_run at core/main.c:537

Comment 1 Nicolas Dufresne 2016-09-15 18:35:10 UTC
Created attachment 1201355
File: backtrace

Comment 2 Nicolas Dufresne 2016-09-15 18:35:11 UTC
Created attachment 1201356
File: cgroup

Comment 3 Nicolas Dufresne 2016-09-15 18:35:12 UTC
Created attachment 1201357
File: core_backtrace

Comment 4 Nicolas Dufresne 2016-09-15 18:35:14 UTC
Created attachment 1201358
File: dso_list

Comment 5 Nicolas Dufresne 2016-09-15 18:35:15 UTC
Created attachment 1201359
File: environ

Comment 6 Nicolas Dufresne 2016-09-15 18:35:16 UTC
Created attachment 1201360
File: exploitable

Comment 7 Nicolas Dufresne 2016-09-15 18:35:17 UTC
Created attachment 1201361
File: limits

Comment 8 Nicolas Dufresne 2016-09-15 18:35:19 UTC
Created attachment 1201362
File: maps

Comment 9 Nicolas Dufresne 2016-09-15 18:35:20 UTC
Created attachment 1201363
File: mountinfo

Comment 10 Nicolas Dufresne 2016-09-15 18:35:21 UTC
Created attachment 1201364
File: namespaces

Comment 11 Nicolas Dufresne 2016-09-15 18:35:22 UTC
Created attachment 1201365
File: open_fds

Comment 12 Nicolas Dufresne 2016-09-15 18:35:23 UTC
Created attachment 1201366
File: proc_pid_status

Comment 13 Nicolas Dufresne 2016-09-15 18:35:25 UTC
Created attachment 1201367
File: var_log_messages

Comment 14 Nicolas Dufresne 2016-09-15 18:36:40 UTC
The test application can be found here:

https://cgit.freedesktop.org/gstreamer/gst-plugins-bad/tree/tests/examples/waylandsink

Comment 15 Martin Stransky 2016-10-31 10:09:20 UTC
I hit the bug with the Firefox Wayland port. It crashes the whole session after 1-2 minutes of browsing.

Comment 16 Martin Stransky 2016-10-31 10:11:05 UTC
Backtrace from gnome-shell crash caused by FF:

#0  0x00007f07d128f3e1 in is_surface_effectively_synchronized (surface=0x0) at wayland/meta-wayland-surface.c:621
        surface = 0x559d38530810 [MetaWaylandSurface]
#1  0x00007f07d128f3e1 in meta_wayland_surface_commit (surface=<optimized out>) at wayland/meta-wayland-surface.c:851
        surface = 0x559d38530810 [MetaWaylandSurface]
#2  0x00007f07d128f3e1 in wl_surface_commit (client=<optimized out>, resource=<optimized out>) at wayland/meta-wayland-surface
        surface = 0x559d38530810 [MetaWaylandSurface]
#3  0x00007f07c82aec58 in ffi_call_unix64 () at ../src/x86/unix64.S:76
#4  0x00007f07c82ae6ba in ffi_call (cif=cif@entry=0x7fffb282d220, fn=<optimized out>, rvalue=<optimized out>, rvalue@entry=0x0
        classes = {X86_64_INTEGER_CLASS, X86_64_NO_CLASS, 943809696, 21917}
        stack = <optimized out>
        argp = 0x7fffb282d0f0 ""
        arg_types = <optimized out>
        gprcount = 2
        ssecount = <optimized out>
        ngpr = 1
        nsse = 0
        i = <optimized out>
        avn = <optimized out>
        ret_in_memory = <optimized out>
        reg_args = <optimized out>
#5  0x00007f07cc3ef58e in wl_closure_invoke (closure=closure@entry=0x559d3b7bfd10, flags=flags@entry=2, target=<optimized out>
        count = <optimized out>
        cif = {abi = FFI_UNIX64, nargs = 2, arg_types = 0x7fffb282d240, rtype = 0x7f07c82af040 <ffi_type_void>, bytes = 0, fla
        ffi_types = {0x7f07c82aef20 <ffi_type_pointer>, 0x7f07c82aef20 <ffi_type_pointer>, 0x7fffb282d2c0, 0x7fffb282d2bf, 0x7
        ffi_args = {0x7fffb282d210, 0x7fffb282d218, 0x6, 0x559d3ae6a100, 0x7f07ce0a00d0 <wl_surface_requests+144>, 0x7f07caeeb
        implementation = <optimized out>
#6  0x00007f07cc3eb787 in wl_client_connection_data (fd=<optimized out>, mask=<optimized out>, data=0x559d3ae6a100) at src/way
        client = 0x559d3ae6a100
        connection = 0x559d3c8f7290
        resource = 0x559d384164a0
        object = 0x559d384164a0
        closure = 0x559d3b7bfd10
        message = 0x7f07ce0a00d0 <wl_surface_requests+144>
        p = {54, 524294}
        resource_flags = <optimized out>
        opcode = 6
        size = <optimized out>
        since = <optimized out>
        len = <optimized out>
#7  0x00007f07cc3ed802 in wl_event_loop_dispatch (loop=0x559d3829e130, timeout=timeout@entry=0) at src/event-loop.c:423
        ep = {{events = 1, data = {ptr = 0x559d3c3c64d0, fd = 1010590928, u32 = 1010590928, u64 = 94133808817360}}, {events =
        source = <optimized out>
        i = <optimized out>
        count = <optimized out>

Comment 17 Martin Stransky 2016-10-31 10:33:19 UTC
Owen, is that something which should be fixed on application side or is that a bug in mutter?

Comment 18 Martin Stransky 2016-10-31 10:34:40 UTC
I can reproduce that on Fedora 24 and Fedora 25.

Comment 19 Martin Stransky 2016-10-31 10:35:55 UTC
Sorry if I broke the bug assignment, please move if necessary.

Comment 20 Martin Stransky 2016-10-31 13:21:00 UTC
If I add a simple null pointer check to is_surface_effectively_synchronized() the crash is a bit different:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007fd6d8606de3 in subsurface_role_get_toplevel (surface_role=0x55597d4daf10 [MetaWaylandSurfaceRoleSubsurface]) at wayland/meta-wayland-surface.c:608
608	  if (parent->role)
[Current thread is 1 (Thread 0x7fd6dd67c640 (LWP 1378))]

Thread 1 (Thread 0x7fd6dd67c640 (LWP 1378)):
#0  0x00007fd6d8606de3 in subsurface_role_get_toplevel (surface_role=0x55597d4daf10 [MetaWaylandSurfaceRoleSubsurface]) at wayland/meta-wayland-surface.c:608
        surface = 0x55597bdf58f0 [MetaWaylandSurface]
        parent = 0x0
#1  0x00007fd6d860966c in meta_wayland_surface_role_get_toplevel (surface_role=0x55597d4daf10 [MetaWaylandSurfaceRoleSubsurface]) at wayland/meta-wayland-surface.c:1913
        klass = 0x55597a20aba0
#2  0x00007fd6d8608efe in meta_wayland_surface_get_toplevel (surface=0x55597bdf58f0 [MetaWaylandSurface]) at wayland/meta-wayland-surface.c:1693
#3  0x00007fd6d86098af in actor_surface_commit (surface_role=0x55597d4daf10 [MetaWaylandSurfaceRoleSubsurface], pending=0x55597c4e1a40 [MetaWaylandPendingState]) at wayland/meta-wayland-surface.c:2015
        surface = 0x55597bdf58f0 [MetaWaylandSurface]
        toplevel_surface = 0x55597aefec90
#4  0x00007fd6d8606d64 in subsurface_role_commit (surface_role=0x55597d4daf10 [MetaWaylandSurfaceRoleSubsurface], pending=0x55597c4e1a40 [MetaWaylandPendingState]) at wayland/meta-wayland-surface.c:593
        surface_role_class = 0x55597aefec90
        surface = 0x55597bdf58f0 [MetaWaylandSurface]
        surface_actor = 0x55597c4a3c60 [MetaSurfaceActorWayland]
#5  0x00007fd6d86095d5 in meta_wayland_surface_role_commit (surface_role=0x55597d4daf10 [MetaWaylandSurfaceRoleSubsurface], pending=0x55597c4e1a40 [MetaWaylandPendingState]) at wayland/meta-wayland-surface.c:1889
#6  0x00007fd6d86073cd in apply_pending_state (surface=0x55597bdf58f0 [MetaWaylandSurface], pending=0x55597c4e1a40 [MetaWaylandPendingState]) at wayland/meta-wayland-surface.c:801
        surface_actor_wayland = 0x55597c4a3c60 [MetaSurfaceActorWayland]
        __func__ = "apply_pending_state"
#7  0x00007fd6d8607551 in meta_wayland_surface_commit (surface=0x55597bdf58f0 [MetaWaylandSurface]) at wayland/meta-wayland-surface.c:857
#8  0x00007fd6d8607a04 in wl_surface_commit (client=0x55597c756e00, resource=0x55597d54a360) at wayland/meta-wayland-surface.c:1006
        surface = 0x55597bdf58f0 [MetaWaylandSurface]
#9  0x00007fd6cf57cc58 in ffi_call_unix64 () at ../src/x86/unix64.S:76
#10 0x00007fd6cf57c6ba in ffi_call (cif=cif@entry=0x7fffa1588a70, fn=<optimized out>, rvalue=<optimized out>, rvalue@entry=0x0, avalue=avalue@entry=0x7fffa1588b40) at ../src/x86/ffi64.c:525
        classes = {X86_64_INTEGER_CLASS, 32767, 2102698848, 21849}
        stack = <optimized out>
        argp = 0x7fffa1588940 ""
        arg_types = <optimized out>
        gprcount = 2
        ssecount = <optimized out>
        ngpr = 1
        nsse = 0
        i = <optimized out>
        avn = <optimized out>
        ret_in_memory = <optimized out>
        reg_args = <optimized out>
#11 0x00007fd6d36bd58e in wl_closure_invoke (closure=closure@entry=0x55597d533ee0, flags=flags@entry=2, target=<optimized out>, target@entry=0x55597d54a360, opcode=opcode@entry=6, data=<optimized out>, data@entry=0x55597c756e00) at src/connection.c:935
        count = <optimized out>
        cif = {abi = FFI_UNIX64, nargs = 2, arg_types = 0x7fffa1588a90, rtype = 0x7fd6cf57d040 <ffi_type_void>, bytes = 0, flags = 0}
        ffi_types = {0x7fd6cf57cf20 <ffi_type_pointer>, 0x7fd6cf57cf20 <ffi_type_pointer>, 0x7fffa1588b10, 0x7fffa1588b0f, 0x7fd6cf57cf80 <ffi_type_sint32>, 0x7fd6cf57cf80 <ffi_type_sint32>, 0x7fd6cf57cf80 <ffi_type_sint32>, 0xffff80005ea774f1, 0x3, 0x330000000e, 0x0, 0x0, 0x6e0000005b, 0x0, 0x0, 0x7c00000077, 0x0, 0x555900000000, 0x7fffa1588b50, 0x2, 0x7fffa1588b70, 0x7fd6d24f4ae0 <main_arena>}
        ffi_args = {0x7fffa1588a60, 0x7fffa1588a68, 0x6, 0x55597c756e00, 0x7fd6d53970d0 <wl_surface_requests+144>, 0x7fd6d21b9f74 <__GI___libc_malloc+84>, 0x55597d5525d8, 0x0, 0x0, 0x7fd6d36bce29 <wl_connection_demarshal+265>, 0x55597d533fb8, 0x55597d062d30, 0x55597d533ee0, 0x55597d552670, 0x55597d55267c, 0x55597c756e38, 0x55597d5525a0, 0x55597c756e38, 0x7fd6d53970d0 <wl_surface_requests+144>, 0x7fd6d36b8847 <log_closure+71>, 0x55597c756e38, 0x7fd6d53970d0 <wl_surface_requests+144>}
        implementation = <optimized out>
#12 0x00007fd6d36b9787 in wl_client_connection_data (fd=<optimized out>, mask=<optimized out>, data=0x55597c756e00) at src/wayland-server.c:371
        client = 0x55597c756e00
        connection = 0x55597d062d30
        resource = 0x55597d54a360
        object = 0x55597d54a360
        closure = 0x55597d533ee0
        message = 0x7fd6d53970d0 <wl_surface_requests+144>
        p = {49, 524294}
        resource_flags = <optimized out>
        opcode = 6
        size = <optimized out>
        since = <optimized out>
        len = <optimized out>
#13 0x00007fd6d36bb802 in wl_event_loop_dispatch (loop=0x555979acdfb0, timeout=<optimized out>) at src/event-loop.c:423
        ep = {{events = 1, data = {ptr = 0x55597c746410, fd = 2088002576, u32 = 2088002576, u64 = 93842828452880}}, {events = 21849, data = {ptr = 0x555979d6aee4, fd = 2044112612, u32 = 2044112612, u64 = 93842784562916}}, {events = 4096, data = {ptr = 0x0, fd = 0, u32 = 0, u64 = 0}}, {events = 0, data = {ptr = 0x0, fd = 0, u32 = 0, u64 = 0}}, {events = 2706934992, data = {ptr = 0x100007fff, fd = 32767, u32 = 32767, u64 = 4295000063}}, {events = 0, data = {ptr = 0x7fffa1588d20, fd = -1588032224, u32 = 2706935072, u64 = 140735900323104}}, {events = 80, data = {ptr = 0x0, fd = 0, u32 = 0, u64 = 0}}, {events = 0, data = {ptr = 0x7fffa1588d90, fd = -1588032112, u32 = 2706935184, u64 = 140735900323216}}, {events = 2706935200, data = {ptr = 0x79d3983000007fff, fd = 32767, u32 = 32767, u64 = 8778527430601113599}}, {events = 21849, data = {ptr = 0x0, fd = 0, u32 = 0, u64 = 0}}, {events = 2043910192, data = {ptr = 0xa1588d8000005559, fd = 21849, u32 = 21849, u64 = 11626198018952287577}}, {events = 32767, data = {ptr = 0x7fd6d764f525 <_clutter_stage_window_get_update_time+263>, fd = -681249499, u32 = 3613717797, u64 = 140560713446693}}, {events = 0, data = {ptr = 0x79d3983000000000, fd = 0, u32 = 0, u64 = 8778527430601080832}}, {events = 21849, data = {ptr = 0x1a1588da0, fd = -1588032096, u32 = 2706935200, u64 = 7001902496}}, {events = 2043910192, data = {ptr = 0x79d2b2d000005559, fd = 21849, u32 = 21849, u64 = 8778275230121481561}}, {events = 21849, data = {ptr = 0x555979d1c100, fd = 2043789568, u32 = 2043789568, u64 = 93842784239872}}, {events = 2706935216, data = {ptr = 0xd764cc2900007fff, fd = 32767, u32 = 32767, u64 = 15520754692291330047}}, {events = 32726, data = {ptr = 0x7fffa1588db0, fd = -1588032080, u32 = 2706935216, u64 = 140735900323248}}, {events = 2043802400, data = {ptr = 0x5559, fd = 21849, u32 = 21849, u64 = 21849}}, {events = 0, data = {ptr = 0x555979d39830, fd = 2043910192, u32 = 2043910192, u64 = 93842784360496}}, {events = 2706935312, data = {ptr = 
0xd762a57600007fff, fd = 32767, u32 = 32767, u64 = 15520149192096907263}}, {events = 32726, data = {ptr = 0x555979cac8b0, fd = 2043332784, u32 = 2043332784, u64 = 93842783783088}}, {events = 2044032064, data = {ptr = 0xa1588e1000005559, fd = 21849, u32 = 21849, u64 = 11626198637427578201}}, {events = 32767, data = {ptr = 0x0, fd = 0, u32 = 0, u64 = 0}}, {events = 4294967295, data = {ptr = 0x79ae6260ffffffff, fd = -1, u32 = 4294967295, u64 = 8768053693288284159}}, {events = 21849, data = {ptr = 0x555979d1e770, fd = 2043799408, u32 = 2043799408, u64 = 93842784249712}}, {events = 2706935344, data = {ptr = 0xa15d8bd900007fff, fd = 32767, u32 = 32767, u64 = 11627603577064685567}}, {events = 32767, data = {ptr = 0x7fffa1588e60, fd = -1588031904, u32 = 2706935392, u64 = 140735900323424}}, {events = 2706935376, data = {ptr = 0x2f00000001, fd = 1, u32 = 1, u64 = 201863462913}}, {events = 0, data = {ptr = 0x20, fd = 32, u32 = 32, u64 = 32}}, {events = 3553927716, data = {ptr = 0xa1588e6000007fd6, fd = 32726, u32 = 32726, u64 = 11626198981024972758}}, {events = 32767, data = {ptr = 0x7fd6d7626e29 <_clutter_context_unlock+16>, fd = -681415127, u32 = 3613552169, u64 = 140560713281065}}}
        source = <optimized out>
        i = <optimized out>
        count = <optimized out>
#14 0x00007fd6d85e9549 in wayland_event_source_dispatch (base=0x555979d57c40, callback=0x0, data=0x0) at wayland/meta-wayland.c:79
        source = 0x555979d57c40
        loop = 0x555979acdfb0
#15 0x00007fd6d3d2be42 in g_main_dispatch (context=0x555979accf00) at gmain.c:3203
        dispatch = 0x7fd6d85e9508 <wayland_event_source_dispatch>
        prev_source = 0x0
        was_in_call = 0
        user_data = 0x0
        callback = 0x0
        cb_funcs = 0x0
        cb_data = 0x0
        need_destroy = <optimized out>
        source = 0x555979d57c40
        current = 0x555979add030
        i = 0
#16 0x00007fd6d3d2be42 in g_main_context_dispatch (context=context@entry=0x555979accf00) at gmain.c:3856
#17 0x00007fd6d3d2c1c0 in g_main_context_iterate (context=0x555979accf00, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3929
        max_priority = 2147483647
        timeout = 299898
        some_ready = 1
        nfds = 17
        allocated_nfds = 18
        fds = <optimized out>
#18 0x00007fd6d3d2c4e2 in g_main_loop_run (loop=0x555979d5a2b0) at gmain.c:4125
        __func__ = "g_main_loop_run"
#19 0x00007fd6d85a6f82 in meta_run () at core/main.c:572
#20 0x00005559785d8657 in main (argc=<optimized out>, argv=<optimized out>) at main.c:471
        ctx = <optimized out>
        error = 0x0
        ecode = <optimized out>
        sender = 0x7fd6b0013590 [TpDebugSender]
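
The pattern seen in comment 20, where guarding one traversal of the subsurface parent link only moves the NULL dereference to the next traversal, as a simplified C model added here. It is not mutter's code; the struct, the function names and the policy of dropping a commit on an orphaned subsurface are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model of a Wayland surface; not mutter's MetaWaylandSurface. */
struct surface {
    bool is_subsurface;      /* surface has the subsurface role */
    bool synchronous;        /* subsurface is in synchronized mode */
    struct surface *parent;  /* NULL for toplevels and for orphaned subsurfaces */
};

enum commit_result { COMMIT_APPLIED, COMMIT_CACHED, COMMIT_DROPPED };

/* First walk: is this surface, or any ancestor subsurface, synchronized?
 * The loop condition checks the pointer before every dereference, so an
 * orphaned subsurface ends the walk instead of faulting. */
static bool effectively_synchronized(const struct surface *s)
{
    for (; s != NULL && s->is_subsurface; s = s->parent)
        if (s->synchronous)
            return true;
    return false;
}

/* Second walk over the same link: find the toplevel. Returns NULL when the
 * chain is broken; guarding only the first walk would leave this one to crash. */
static const struct surface *get_toplevel(const struct surface *s)
{
    while (s != NULL && s->is_subsurface)
        s = s->parent;
    return s;
}

/* Commit handler. Assumed policy: a commit on an orphaned subsurface is dropped. */
static enum commit_result surface_commit(const struct surface *s)
{
    if (effectively_synchronized(s))
        return COMMIT_CACHED;      /* state waits for the parent's commit */
    if (get_toplevel(s) == NULL)
        return COMMIT_DROPPED;     /* no toplevel to apply the state to */
    return COMMIT_APPLIED;
}

/* Constructed scenarios. */
static enum commit_result commit_orphaned_subsurface(void)
{
    struct surface orphan = { true, false, NULL };   /* parent already gone */
    return surface_commit(&orphan);
}

static enum commit_result commit_nested_under_sync(void)
{
    struct surface top = { false, false, NULL };
    struct surface mid = { true, true, &top };
    struct surface leaf = { true, false, &mid };
    return surface_commit(&leaf);
}

int main(void)
{
    printf("orphan=%d nested=%d\n", commit_orphaned_subsurface(),
           commit_nested_under_sync());
    return 0;
}
```

Because the commit request is client-controlled input, every function that follows the parent link has to tolerate a missing parent; a check in a single function is not sufficient.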

Comment 21 Fedora End Of Life 2017-07-25 23:03:24 UTC
This message is a reminder that Fedora 24 is nearing its end of life.
Approximately 2 (two) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 24. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora 'version'
of '24'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 24 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

Comment 22 Fedora End Of Life 2017-08-08 17:22:49 UTC
Fedora 24 changed to end-of-life (EOL) status on 2017-08-08. Fedora 24 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 23 Scott Talbert 2018-04-20 01:07:40 UTC
Still happens on F27, reopening.

Comment 24 Scott Talbert 2018-05-15 14:10:09 UTC
This has been fixed in mutter-3.28.2-1.fc28.