wl_pointer interface ends up in a message queue.

[emilio]

I was debugging a crash similar to #75, and ended up with a segfault where the wl_pointer interface ends up in an event queue (so when trying to read the signature wayland crashes).

Does this ring any bells? I have an RR trace and it was a simple glutin example (just clearing colors).

[emilio]

Program received signal SIGSEGV, Segmentation fault.
wl_connection_demarshal (connection=0x7ffff703d040, size=8, objects=0x7ffff70352f8, 
    message=0x5555559d9b70 <wayland_client::sys::wayland::interfaces::wl_pointer_interface::h17316c0bf5b44cae>) at src/connection.c:636
636		count = arg_count_for_signature(message->signature);
(gdb) p message
$1 = (const struct wl_message *) 0x5555559d9b70 <wayland_client::sys::wayland::interfaces::wl_pointer_interface::h17316c0bf5b44cae>
(gdb) p message->
name       signature  types      
(gdb) p message->name 
$2 = 0x5555557417f8 <byte_str> "wl_pointer"
(gdb) p (struct wl_interface*)message
$3 = (struct wl_interface *) 0x5555559d9b70 <wayland_client::sys::wayland::interfaces::wl_pointer_interface::h17316c0bf5b44cae>
(gdb) p *message
$4 = {name = 0x5555557417f8 <byte_str> "wl_pointer", signature = 0x200000003 <error: Cannot access memory at address 0x200000003>, 
  types = 0x5555559d9ac8 <wayland_client::sys::wayland::interfaces::wl_pointer_requests::hfbd53d614004c3a3>}
(gdb) p *$3
$5 = {name = 0x5555557417f8 <byte_str> "wl_pointer", version = 3, method_count = 2, 
  methods = 0x5555559d9ac8 <wayland_client::sys::wayland::interfaces::wl_pointer_requests::hfbd53d614004c3a3>, event_count = 5, 
  events = 0x5555559d9af8 <wayland_client::sys::wayland::interfaces::wl_pointer_events::h4f719bf045887709>}

[emilio]

This is an off-by-one read. the opcode is 5, but there are just four events in wl_pointer.

[emilio]

Err, five events, I mean.

[emilio]

This was with glutin 0.6, which presumably uses an old version of this lib, so feel free to close if this is known.

[elinorbgr]

Glutin 0.6 indeed uses an old version of wayland-client, however such a bug seems to related to the code generating the interfaces, which has not really changed since.

First of all, it is perfectly normal for the wl_pointer_interface to be read by the wayland lib, it's its exact purpose. What is not normal is:

signature = 0x200000003 <error: Cannot access memory at address 0x200000003>

Thanks for the report, I'll dig that.

[elinorbgr]

hmm, wait, I read that too quickly....

I guess I'll need to go dig into the source of wl_connection_demarshal to understand what this function does exactly.

[elinorbgr]

Okay, I get what you meant with "off by one" : it's from here https://cgit.freedesktop.org/wayland/wayland/tree/src/wayland-client.c#n1239 right ?

[elinorbgr]

Was this reproduced without Mesa ?

[elinorbgr]

Anyway having here an opcode number greater than the one we expected means that the compositor sent us an invalid content, probably believing we requested a greater version of the interface than we actually did... Either the compositor is buggy, or my lib is.

And the C lib blindly trusts the compositor on this, which does not help.

[elinorbgr]

As you have an RR trace, can you check the value of proxy->version in the function queue_event I linked before, just before the call to wl_connection_demarshal that crashed everything?

[emilio]

(rr) p *proxy->object.interface
$3 = {name = 0x5623aafc6f38 <byte_str> "wl_pointer", version = 3, method_count = 2,
methods = 0x5623ab259ac8 <wayland_client::sys::wayland::interfaces::wl_pointer_requests::hc2b8c10704cce26f>, event_count = 5,
events = 0x5623ab259af8 <wayland_client::sys::wayland::interfaces::wl_pointer_events::h4d5689dc83b83ae3>}
(rr) p proxy->version
$4 = 0

[elinorbgr]

ooooh.

Ok, yeah, The old version of my crate didn't use the versionned interface. So yeah, this bug will be hard to debug, and likely not reproduced in the new version of the crate.

I'll keep this issue open for now, it can give us some insight regarding #75

[elinorbgr]

I'll close this, as it relates to an old version than #75 is fixed.