Bug 1376569 - [Wayland] mutter: is_surface_effectively_synchronized() kills whole session
Summary: [Wayland] mutter: is_surface_effectively_synchronized() kills whole session
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: mutter
Version: 27
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Florian Müllner
QA Contact: Fedora Extras Quality Assurance
URL: https://retrace.fedoraproject.org/faf...
Whiteboard: abrt_hash:5b0d87293dafffd28fa9fcadded...
Depends On:
Blocks: WaylandRelated
TreeView+ depends on / blocked
 
Reported: 2016-09-15 18:35 UTC by Nicolas Dufresne
Modified: 2019-08-08 15:56 UTC (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-05-15 14:10:09 UTC


Attachments (Terms of Use)
File: backtrace (39.47 KB, text/plain)
2016-09-15 18:35 UTC, Nicolas Dufresne
no flags Details
File: cgroup (242 bytes, text/plain)
2016-09-15 18:35 UTC, Nicolas Dufresne
no flags Details
File: core_backtrace (3.81 KB, text/plain)
2016-09-15 18:35 UTC, Nicolas Dufresne
no flags Details
File: dso_list (26.41 KB, text/plain)
2016-09-15 18:35 UTC, Nicolas Dufresne
no flags Details
File: environ (910 bytes, text/plain)
2016-09-15 18:35 UTC, Nicolas Dufresne
no flags Details
File: exploitable (112 bytes, text/plain)
2016-09-15 18:35 UTC, Nicolas Dufresne
no flags Details
File: limits (1.29 KB, text/plain)
2016-09-15 18:35 UTC, Nicolas Dufresne
no flags Details
File: maps (140.59 KB, text/plain)
2016-09-15 18:35 UTC, Nicolas Dufresne
no flags Details
File: mountinfo (3.65 KB, text/plain)
2016-09-15 18:35 UTC, Nicolas Dufresne
no flags Details
File: namespaces (102 bytes, text/plain)
2016-09-15 18:35 UTC, Nicolas Dufresne
no flags Details
File: open_fds (7.06 KB, text/plain)
2016-09-15 18:35 UTC, Nicolas Dufresne
no flags Details
File: proc_pid_status (1.13 KB, text/plain)
2016-09-15 18:35 UTC, Nicolas Dufresne
no flags Details
File: var_log_messages (1.06 KB, text/plain)
2016-09-15 18:35 UTC, Nicolas Dufresne
no flags Details

Description Nicolas Dufresne 2016-09-15 18:35:06 UTC
Description of problem:
I was running a gtkwaylandsink a test of the waylandsink element in gst-plugins-bad. It worked until I pressed
the X button. At that moment the entire compostitor crash. Does not happen in Weston.

Version-Release number of selected component:
gnome-shell-3.20.4-1.fc24

Additional info:
reporter:       libreport-2.7.2
backtrace_rating: 4
cmdline:        /usr/bin/gnome-shell
crash_function: is_surface_effectively_synchronized
executable:     /usr/bin/gnome-shell
global_pid:     29942
kernel:         4.7.2-201.fc24.x86_64
pkg_fingerprint: 73BD E983 81B4 6521
pkg_vendor:     Fedora Project
runlevel:       N 5
type:           CCpp
uid:            1000

Truncated backtrace:
Thread no. 1 (10 frames)
 #0 is_surface_effectively_synchronized at wayland/meta-wayland-surface.c:590
 #1 meta_wayland_surface_commit at wayland/meta-wayland-surface.c:814
 #2 wl_surface_commit at wayland/meta-wayland-surface.c:966
 #3 ffi_call_unix64 at ../src/x86/unix64.S:76
 #4 ffi_call at ../src/x86/ffi64.c:525
 #5 wl_closure_invoke at src/connection.c:949
 #6 wl_client_connection_data at src/wayland-server.c:337
 #7 wl_event_loop_dispatch at src/event-loop.c:421
 #8 wayland_event_source_dispatch at wayland/meta-wayland.c:77
 #13 meta_run at core/main.c:537

Comment 1 Nicolas Dufresne 2016-09-15 18:35:10 UTC
Created attachment 1201355 [details]
File: backtrace

Comment 2 Nicolas Dufresne 2016-09-15 18:35:11 UTC
Created attachment 1201356 [details]
File: cgroup

Comment 3 Nicolas Dufresne 2016-09-15 18:35:12 UTC
Created attachment 1201357 [details]
File: core_backtrace

Comment 4 Nicolas Dufresne 2016-09-15 18:35:14 UTC
Created attachment 1201358 [details]
File: dso_list

Comment 5 Nicolas Dufresne 2016-09-15 18:35:15 UTC
Created attachment 1201359 [details]
File: environ

Comment 6 Nicolas Dufresne 2016-09-15 18:35:16 UTC
Created attachment 1201360 [details]
File: exploitable

Comment 7 Nicolas Dufresne 2016-09-15 18:35:17 UTC
Created attachment 1201361 [details]
File: limits

Comment 8 Nicolas Dufresne 2016-09-15 18:35:19 UTC
Created attachment 1201362 [details]
File: maps

Comment 9 Nicolas Dufresne 2016-09-15 18:35:20 UTC
Created attachment 1201363 [details]
File: mountinfo

Comment 10 Nicolas Dufresne 2016-09-15 18:35:21 UTC
Created attachment 1201364 [details]
File: namespaces

Comment 11 Nicolas Dufresne 2016-09-15 18:35:22 UTC
Created attachment 1201365 [details]
File: open_fds

Comment 12 Nicolas Dufresne 2016-09-15 18:35:23 UTC
Created attachment 1201366 [details]
File: proc_pid_status

Comment 13 Nicolas Dufresne 2016-09-15 18:35:25 UTC
Created attachment 1201367 [details]
File: var_log_messages

Comment 14 Nicolas Dufresne 2016-09-15 18:36:40 UTC
The test application can be found here:

https://cgit.freedesktop.org/gstreamer/gst-plugins-bad/tree/tests/examples/waylandsink

Comment 15 Martin Stransky 2016-10-31 10:09:20 UTC
I hit the bug with Firefox Wayland port. Crashes whole session after 1-2 minutes of browsing.

Comment 16 Martin Stransky 2016-10-31 10:11:05 UTC
Backtrace from gnome-shell crash caused by FF:

#0  0x00007f07d128f3e1 in is_surface_effectively_synchronized (surface=0x0) at wayland/meta-wayland-surface.c:621
        surface = 0x559d38530810 [MetaWaylandSurface]
#1  0x00007f07d128f3e1 in meta_wayland_surface_commit (surface=<optimized out>) at wayland/meta-wayland-surface.c:851
        surface = 0x559d38530810 [MetaWaylandSurface]
#2  0x00007f07d128f3e1 in wl_surface_commit (client=<optimized out>, resource=<optimized out>) at wayland/meta-wayland-surface
        surface = 0x559d38530810 [MetaWaylandSurface]
#3  0x00007f07c82aec58 in ffi_call_unix64 () at ../src/x86/unix64.S:76
#4  0x00007f07c82ae6ba in ffi_call (cif=cif@entry=0x7fffb282d220, fn=<optimized out>, rvalue=<optimized out>, rvalue@entry=0x0
        classes = {X86_64_INTEGER_CLASS, X86_64_NO_CLASS, 943809696, 21917}
        stack = <optimized out>
        argp = 0x7fffb282d0f0 ""
        arg_types = <optimized out>
        gprcount = 2
        ssecount = <optimized out>
        ngpr = 1
        nsse = 0
        i = <optimized out>
        avn = <optimized out>
        ret_in_memory = <optimized out>
        reg_args = <optimized out>
#5  0x00007f07cc3ef58e in wl_closure_invoke (closure=closure@entry=0x559d3b7bfd10, flags=flags@entry=2, target=<optimized out>
        count = <optimized out>
        cif = {abi = FFI_UNIX64, nargs = 2, arg_types = 0x7fffb282d240, rtype = 0x7f07c82af040 <ffi_type_void>, bytes = 0, fla
        ffi_types = {0x7f07c82aef20 <ffi_type_pointer>, 0x7f07c82aef20 <ffi_type_pointer>, 0x7fffb282d2c0, 0x7fffb282d2bf, 0x7
        ffi_args = {0x7fffb282d210, 0x7fffb282d218, 0x6, 0x559d3ae6a100, 0x7f07ce0a00d0 <wl_surface_requests+144>, 0x7f07caeeb
        implementation = <optimized out>
#6  0x00007f07cc3eb787 in wl_client_connection_data (fd=<optimized out>, mask=<optimized out>, data=0x559d3ae6a100) at src/way
        client = 0x559d3ae6a100
        connection = 0x559d3c8f7290
        resource = 0x559d384164a0
        object = 0x559d384164a0
        closure = 0x559d3b7bfd10
        message = 0x7f07ce0a00d0 <wl_surface_requests+144>
        p = {54, 524294}
        resource_flags = <optimized out>
        opcode = 6
        size = <optimized out>
        since = <optimized out>
        len = <optimized out>
#7  0x00007f07cc3ed802 in wl_event_loop_dispatch (loop=0x559d3829e130, timeout=timeout@entry=0) at src/event-loop.c:423
        ep = {{events = 1, data = {ptr = 0x559d3c3c64d0, fd = 1010590928, u32 = 1010590928, u64 = 94133808817360}}, {events =
        source = <optimized out>
        i = <optimized out>
        count = <optimized out>

Comment 17 Martin Stransky 2016-10-31 10:33:19 UTC
Owen, is that something which should be fixed on application side or is that a bug in mutter?

Comment 18 Martin Stransky 2016-10-31 10:34:40 UTC
I can reproduce that on Fedora 24 and Fedora 25.

Comment 19 Martin Stransky 2016-10-31 10:35:55 UTC
Sorry if I broke the bug assignment, please move if necessary.

Comment 20 Martin Stransky 2016-10-31 13:21:00 UTC
If I add a simple null pointer check to is_surface_effectively_synchronized() the crash is a bit different:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007fd6d8606de3 in subsurface_role_get_toplevel (surface_role=0x55597d4daf10 [MetaWaylandSurfaceRoleSubsurface]) at wayland/meta-wayland-surface.c:608
608	  if (parent->role)
[Current thread is 1 (Thread 0x7fd6dd67c640 (LWP 1378))]

Thread 1 (Thread 0x7fd6dd67c640 (LWP 1378)):
#0  0x00007fd6d8606de3 in subsurface_role_get_toplevel (surface_role=0x55597d4daf10 [MetaWaylandSurfaceRoleSubsurface]) at wayland/meta-wayland-surface.c:608
        surface = 0x55597bdf58f0 [MetaWaylandSurface]
        parent = 0x0
#1  0x00007fd6d860966c in meta_wayland_surface_role_get_toplevel (surface_role=0x55597d4daf10 [MetaWaylandSurfaceRoleSubsurface]) at wayland/meta-wayland-surface.c:1913
        klass = 0x55597a20aba0
#2  0x00007fd6d8608efe in meta_wayland_surface_get_toplevel (surface=0x55597bdf58f0 [MetaWaylandSurface]) at wayland/meta-wayland-surface.c:1693
#3  0x00007fd6d86098af in actor_surface_commit (surface_role=0x55597d4daf10 [MetaWaylandSurfaceRoleSubsurface], pending=0x55597c4e1a40 [MetaWaylandPendingState]) at wayland/meta-wayland-surface.c:2015
        surface = 0x55597bdf58f0 [MetaWaylandSurface]
        toplevel_surface = 0x55597aefec90
#4  0x00007fd6d8606d64 in subsurface_role_commit (surface_role=0x55597d4daf10 [MetaWaylandSurfaceRoleSubsurface], pending=0x55597c4e1a40 [MetaWaylandPendingState]) at wayland/meta-wayland-surface.c:593
        surface_role_class = 0x55597aefec90
        surface = 0x55597bdf58f0 [MetaWaylandSurface]
        surface_actor = 0x55597c4a3c60 [MetaSurfaceActorWayland]
#5  0x00007fd6d86095d5 in meta_wayland_surface_role_commit (surface_role=0x55597d4daf10 [MetaWaylandSurfaceRoleSubsurface], pending=0x55597c4e1a40 [MetaWaylandPendingState]) at wayland/meta-wayland-surface.c:1889
#6  0x00007fd6d86073cd in apply_pending_state (surface=0x55597bdf58f0 [MetaWaylandSurface], pending=0x55597c4e1a40 [MetaWaylandPendingState]) at wayland/meta-wayland-surface.c:801
        surface_actor_wayland = 0x55597c4a3c60 [MetaSurfaceActorWayland]
        __func__ = "apply_pending_state"
#7  0x00007fd6d8607551 in meta_wayland_surface_commit (surface=0x55597bdf58f0 [MetaWaylandSurface]) at wayland/meta-wayland-surface.c:857
#8  0x00007fd6d8607a04 in wl_surface_commit (client=0x55597c756e00, resource=0x55597d54a360) at wayland/meta-wayland-surface.c:1006
        surface = 0x55597bdf58f0 [MetaWaylandSurface]
#9  0x00007fd6cf57cc58 in ffi_call_unix64 () at ../src/x86/unix64.S:76
#10 0x00007fd6cf57c6ba in ffi_call (cif=cif@entry=0x7fffa1588a70, fn=<optimized out>, rvalue=<optimized out>, rvalue@entry=0x0, avalue=avalue@entry=0x7fffa1588b40) at ../src/x86/ffi64.c:525
        classes = {X86_64_INTEGER_CLASS, 32767, 2102698848, 21849}
        stack = <optimized out>
        argp = 0x7fffa1588940 ""
        arg_types = <optimized out>
        gprcount = 2
        ssecount = <optimized out>
        ngpr = 1
        nsse = 0
        i = <optimized out>
        avn = <optimized out>
        ret_in_memory = <optimized out>
        reg_args = <optimized out>
#11 0x00007fd6d36bd58e in wl_closure_invoke (closure=closure@entry=0x55597d533ee0, flags=flags@entry=2, target=<optimized out>, target@entry=0x55597d54a360, opcode=opcode@entry=6, data=<optimized out>, data@entry=0x55597c756e00) at src/connection.c:935
        count = <optimized out>
        cif = {abi = FFI_UNIX64, nargs = 2, arg_types = 0x7fffa1588a90, rtype = 0x7fd6cf57d040 <ffi_type_void>, bytes = 0, flags = 0}
        ffi_types = {0x7fd6cf57cf20 <ffi_type_pointer>, 0x7fd6cf57cf20 <ffi_type_pointer>, 0x7fffa1588b10, 0x7fffa1588b0f, 0x7fd6cf57cf80 <ffi_type_sint32>, 0x7fd6cf57cf80 <ffi_type_sint32>, 0x7fd6cf57cf80 <ffi_type_sint32>, 0xffff80005ea774f1, 0x3, 0x330000000e, 0x0, 0x0, 0x6e0000005b, 0x0, 0x0, 0x7c00000077, 0x0, 0x555900000000, 0x7fffa1588b50, 0x2, 0x7fffa1588b70, 0x7fd6d24f4ae0 <main_arena>}
        ffi_args = {0x7fffa1588a60, 0x7fffa1588a68, 0x6, 0x55597c756e00, 0x7fd6d53970d0 <wl_surface_requests+144>, 0x7fd6d21b9f74 <__GI___libc_malloc+84>, 0x55597d5525d8, 0x0, 0x0, 0x7fd6d36bce29 <wl_connection_demarshal+265>, 0x55597d533fb8, 0x55597d062d30, 0x55597d533ee0, 0x55597d552670, 0x55597d55267c, 0x55597c756e38, 0x55597d5525a0, 0x55597c756e38, 0x7fd6d53970d0 <wl_surface_requests+144>, 0x7fd6d36b8847 <log_closure+71>, 0x55597c756e38, 0x7fd6d53970d0 <wl_surface_requests+144>}
        implementation = <optimized out>
#12 0x00007fd6d36b9787 in wl_client_connection_data (fd=<optimized out>, mask=<optimized out>, data=0x55597c756e00) at src/wayland-server.c:371
        client = 0x55597c756e00
        connection = 0x55597d062d30
        resource = 0x55597d54a360
        object = 0x55597d54a360
        closure = 0x55597d533ee0
        message = 0x7fd6d53970d0 <wl_surface_requests+144>
        p = {49, 524294}
        resource_flags = <optimized out>
        opcode = 6
        size = <optimized out>
        since = <optimized out>
        len = <optimized out>
#13 0x00007fd6d36bb802 in wl_event_loop_dispatch (loop=0x555979acdfb0, timeout=<optimized out>) at src/event-loop.c:423
        ep = {{events = 1, data = {ptr = 0x55597c746410, fd = 2088002576, u32 = 2088002576, u64 = 93842828452880}}, {events = 21849, data = {ptr = 0x555979d6aee4, fd = 2044112612, u32 = 2044112612, u64 = 93842784562916}}, {events = 4096, data = {ptr = 0x0, fd = 0, u32 = 0, u64 = 0}}, {events = 0, data = {ptr = 0x0, fd = 0, u32 = 0, u64 = 0}}, {events = 2706934992, data = {ptr = 0x100007fff, fd = 32767, u32 = 32767, u64 = 4295000063}}, {events = 0, data = {ptr = 0x7fffa1588d20, fd = -1588032224, u32 = 2706935072, u64 = 140735900323104}}, {events = 80, data = {ptr = 0x0, fd = 0, u32 = 0, u64 = 0}}, {events = 0, data = {ptr = 0x7fffa1588d90, fd = -1588032112, u32 = 2706935184, u64 = 140735900323216}}, {events = 2706935200, data = {ptr = 0x79d3983000007fff, fd = 32767, u32 = 32767, u64 = 8778527430601113599}}, {events = 21849, data = {ptr = 0x0, fd = 0, u32 = 0, u64 = 0}}, {events = 2043910192, data = {ptr = 0xa1588d8000005559, fd = 21849, u32 = 21849, u64 = 11626198018952287577}}, {events = 32767, data = {ptr = 0x7fd6d764f525 <_clutter_stage_window_get_update_time+263>, fd = -681249499, u32 = 3613717797, u64 = 140560713446693}}, {events = 0, data = {ptr = 0x79d3983000000000, fd = 0, u32 = 0, u64 = 8778527430601080832}}, {events = 21849, data = {ptr = 0x1a1588da0, fd = -1588032096, u32 = 2706935200, u64 = 7001902496}}, {events = 2043910192, data = {ptr = 0x79d2b2d000005559, fd = 21849, u32 = 21849, u64 = 8778275230121481561}}, {events = 21849, data = {ptr = 0x555979d1c100, fd = 2043789568, u32 = 2043789568, u64 = 93842784239872}}, {events = 2706935216, data = {ptr = 0xd764cc2900007fff, fd = 32767, u32 = 32767, u64 = 15520754692291330047}}, {events = 32726, data = {ptr = 0x7fffa1588db0, fd = -1588032080, u32 = 2706935216, u64 = 140735900323248}}, {events = 2043802400, data = {ptr = 0x5559, fd = 21849, u32 = 21849, u64 = 21849}}, {events = 0, data = {ptr = 0x555979d39830, fd = 2043910192, u32 = 2043910192, u64 = 93842784360496}}, {events = 2706935312, data = {ptr = 0xd762a57600007fff, fd = 32767, u32 = 32767, u64 = 15520149192096907263}}, {events = 32726, data = {ptr = 0x555979cac8b0, fd = 2043332784, u32 = 2043332784, u64 = 93842783783088}}, {events = 2044032064, data = {ptr = 0xa1588e1000005559, fd = 21849, u32 = 21849, u64 = 11626198637427578201}}, {events = 32767, data = {ptr = 0x0, fd = 0, u32 = 0, u64 = 0}}, {events = 4294967295, data = {ptr = 0x79ae6260ffffffff, fd = -1, u32 = 4294967295, u64 = 8768053693288284159}}, {events = 21849, data = {ptr = 0x555979d1e770, fd = 2043799408, u32 = 2043799408, u64 = 93842784249712}}, {events = 2706935344, data = {ptr = 0xa15d8bd900007fff, fd = 32767, u32 = 32767, u64 = 11627603577064685567}}, {events = 32767, data = {ptr = 0x7fffa1588e60, fd = -1588031904, u32 = 2706935392, u64 = 140735900323424}}, {events = 2706935376, data = {ptr = 0x2f00000001, fd = 1, u32 = 1, u64 = 201863462913}}, {events = 0, data = {ptr = 0x20, fd = 32, u32 = 32, u64 = 32}}, {events = 3553927716, data = {ptr = 0xa1588e6000007fd6, fd = 32726, u32 = 32726, u64 = 11626198981024972758}}, {events = 32767, data = {ptr = 0x7fd6d7626e29 <_clutter_context_unlock+16>, fd = -681415127, u32 = 3613552169, u64 = 140560713281065}}}
        source = <optimized out>
        i = <optimized out>
        count = <optimized out>
#14 0x00007fd6d85e9549 in wayland_event_source_dispatch (base=0x555979d57c40, callback=0x0, data=0x0) at wayland/meta-wayland.c:79
        source = 0x555979d57c40
        loop = 0x555979acdfb0
#15 0x00007fd6d3d2be42 in g_main_dispatch (context=0x555979accf00) at gmain.c:3203
        dispatch = 0x7fd6d85e9508 <wayland_event_source_dispatch>
        prev_source = 0x0
        was_in_call = 0
        user_data = 0x0
        callback = 0x0
        cb_funcs = 0x0
        cb_data = 0x0
        need_destroy = <optimized out>
        source = 0x555979d57c40
        current = 0x555979add030
        i = 0
#16 0x00007fd6d3d2be42 in g_main_context_dispatch (context=context@entry=0x555979accf00) at gmain.c:3856
#17 0x00007fd6d3d2c1c0 in g_main_context_iterate (context=0x555979accf00, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3929
        max_priority = 2147483647
        timeout = 299898
        some_ready = 1
        nfds = 17
        allocated_nfds = 18
        fds = <optimized out>
#18 0x00007fd6d3d2c4e2 in g_main_loop_run (loop=0x555979d5a2b0) at gmain.c:4125
        __func__ = "g_main_loop_run"
#19 0x00007fd6d85a6f82 in meta_run () at core/main.c:572
#20 0x00005559785d8657 in main (argc=<optimized out>, argv=<optimized out>) at main.c:471
        ctx = <optimized out>
        error = 0x0
        ecode = <optimized out>
        sender = 0x7fd6b0013590 [TpDebugSender]

Comment 21 Fedora End Of Life 2017-07-25 23:03:24 UTC
This message is a reminder that Fedora 24 is nearing its end of life.
Approximately 2 (two) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 24. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '24'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 24 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged  change the 'version' to a later Fedora
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

Comment 22 Fedora End Of Life 2017-08-08 17:22:49 UTC
Fedora 24 changed to end-of-life (EOL) status on 2017-08-08. Fedora 24 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 23 Scott Talbert 2018-04-20 01:07:40 UTC
Still happens on F27, reopening.

Comment 24 Scott Talbert 2018-05-15 14:10:09 UTC
This has been fixed in mutter-3.28.2-1.fc28.


Note You need to log in before you can comment on or make changes to this bug.