i3 feature support #2

Closed
ddevault opened this issue Aug 9, 2015 · 129 comments

ddevault (Member) commented Aug 9, 2015

Layouts

  • Horizontal tiling
  • Vertical tiling
  • Stacked
  • Tabbed
  • Floating
  • Saving layouts to disk (will not support)
  • Loading layouts from disk (will not support)

Config/commands

  • Config parser
  • Variables/set
  • bindsym
    • mouse bindings
    • --release
  • bindcode
    • --release
  • focus_follows_mouse
  • exit
  • exec
  • exec_always
  • fullscreen
  • workspace
    • left/right/up/down
    • number
    • next/prev
    • next_on_output/prev_on_output
    • <name>
    • <name> output <output>
    • back_and_forth
  • splith/splitv
  • focus
    • left/right/up/down
    • parent
    • mode_toggle
  • move
    • left/right/up/down
    • workspace to output
      • left/right/up/down
      • named output
    • position
  • kill
  • mode
  • layout
    • stacking
    • tabbed
    • splith
    • splitv
    • toggle split
  • bar
  • floating toggle
  • floating_modifier
  • for_window
  • font
  • default_orientation
  • workspace_layout
  • assign
  • popup_during_fullscreen
  • force_focus_wrapping
  • workspace_auto_back_and_forth
  • scratchpad
    • move scratchpad
    • scratchpad show
  • resize
    • grow
    • shrink
  • move position mouse
  • sticky toggle
  • show_marks
  • no_focus

Features

  • IPC
  • Restart in-place
  • Reload config on the fly
  • Resize containers with mouse
  • Command line options
  • Ignore i3 commands that aren't valid (i.e. force_xinerama)
  • swaybar
  • swaylock - usable, but incomplete
  • swaymsg
  • borders
  • color customization
  • Mode_switch
  • gaps
  • [criteria] command

See also:

IPC feature support: #98
i3bar feature support: #343
i3-gaps feature support: #307

onny commented Aug 9, 2015

Nice write up! Especially looking for an i3 statusbar

ddevault (Member, Author) commented Aug 9, 2015

It'll probably be a while before I tackle i3bar (swaybar?)

ddevault (Member, Author) commented Aug 9, 2015

exec implemented.

ddevault added a commit that referenced this issue Aug 9, 2015

ddevault (Member, Author) commented Aug 10, 2015

Today we implemented splith, splitv, fullscreen, and focus. Thanks for helping out, @jdiez17!

jdiez17 (Contributor) commented Aug 10, 2015

workspace [name] done.

progandy (Contributor) commented Aug 16, 2015

You forgot the scratchpad functionality.

ddevault (Member, Author) commented Aug 16, 2015

Good call.

Swoorup commented Aug 18, 2015

Nice, I have been looking at i3way but there's no single line of code after so many years.

I want to propose a feature request though, which i3 developers ignored: A tiling mode for binary space layout representing windows as the leaves of a full binary tree, very similar to default window tiling mode that comes with bspwm. It could be very handy letting the software manage my windows (especially terminals) instead of managing the arrangement in a single desktop. I don't want to break any compatibility though so I am hoping it does not.

Also an option to set the gap between windows would be nice. This was done in i3 but by a third party git fork. I don't know why it was deemed not a necessity by i3 developers.

BTW This project should also get its own website.

ddevault (Member, Author) commented Aug 18, 2015

> I want to propose a feature request though, which i3 developers ignored: A tiling mode for binary space layout representing windows as the leaves of a full binary tree, very similar to default window tiling mode that comes with bspwm. It could be very handy letting the software manage my windows (especially terminals) instead of managing the arrangement in a single desktop. I don't want to break any compatibility though so I am hoping it does not.

Perhaps eventually. That doesn't sound like it needs to be a high priority.

> Also an option to set the gap between windows would be nice. This was done in i3 but by a third party git fork. I don't know why it was deemed not a necessity by i3 developers.

This is in the list of features to add.

> BTW This project should also get its own website.

Yeah, it'll have one eventually.

Half-Shot (Contributor) commented Aug 18, 2015

> Also an option to set the gap between windows would be nice. This was done in i3 but by a third party git fork. I don't know why it was deemed not a necessity by i3 developers.

Due to it not fitting the i3 way, which means using all the screen space. I can understand why, but that doesn't mean this project has to enforce the same rules.

Half-Shot (Contributor) commented Aug 18, 2015

Will have a go at the move command. Should have some results tonight.

robinmoussu commented Aug 18, 2015

Hi. I want to propose a feature request: vertical bar. I think the easiest way is to only do a 90° rotation. The text orientation should be configurable: bottom to top, or top to bottom.

ddevault (Member, Author) commented Aug 18, 2015

Will consider that once we hit feature parity with i3.

ghost commented Aug 18, 2015

Sway looks like a really great project. I love i3, and the lack of something similar is the only thing that has been stopping me from giving Wayland a try. Great work so far!

However, looking at the list above, I see that sway is still missing tabbed layout, which is essential for my workflow; I use it heavily in i3. This is the main thing stopping me from trying out sway at this point. I could live without the other missing features.

Once tabbed layout is done, I will try playing around with sway. I am really looking forward to it. Hope to catch/report some bugs and maybe contribute some patches.

I honestly think this project has the potential to eventually become even better than i3.

ddevault (Member, Author) commented Aug 18, 2015

The tabbed layout is sort of blocked by the lack of borders.

Airblader commented Aug 18, 2015

@Swoorup This is off-topic, but

> This was done in i3 but by a third party git fork. I don't know why it was deemed not a necessity by i3 developers.

We don't want this in i3 for many reasons. For one, the i3-gaps patch (of which I am the maintainer) is really more of a hack (for example, window decorations don't work with it). But that could be solved. However, gaps violate the i3 tiling philosophy and that is why they will never be found in i3 itself.

Being a collaborator of i3 I understand this reasoning, being the maintainer of i3-gaps I obviously personally prefer gaps, though. ;)

Half-Shot (Contributor) commented Aug 19, 2015

Would it be sensible to have our own wallpaper management, or somehow hook into a process like feh?
(And as a side note, how would I hint to sway/wlc that a surface should be drawn behind everything?)

ddevault (Member, Author) commented Aug 19, 2015

No, we'll have something like feh for you to use instead.

ddevault (Member, Author) commented Aug 19, 2015

And you can't do that hinting, I've been asking @Cloudef for it in wlc for a while.

minus7 mentioned this issue Aug 21, 2015

tiregram commented Sep 10, 2015

Hi,
can you add support for the AZERTY keyboard layout?

ddevault (Member, Author) commented Sep 10, 2015

That's not really our problem, it's wlc's problem. And wlc lets you set it through XKB environment variables, XKB_DEFAULT_LAYOUT.

progandy (Contributor) commented Sep 10, 2015

@SirCmpwn In the long term, sway should implement configuration options for input and output devices, but that has to wait until wlc implements an API for that. Maybe even provide some IPC options to allow dynamic changes like xinput/xrandr.
Cloudef/wlc#6
Cloudef/wlc#37

Luminarys (Collaborator) commented Sep 10, 2015

Sway already does provide configuration options to alter the size, position, and status (on/off) of monitors. As of right now dynamic changes are not available though.

tiregram commented Sep 12, 2015

Sorry, but the other keyboards are not supported on my PC (fr).
I know I just need to export XKB_DEFAULT_LAYOUT=fr
But I can't use numbers to switch to other workspaces, because on the fr keyboard the "1" is "&" and & was forbidden.
Message log:
Bindsym - unknow key &.
Can you help me?

Half-Shot (Contributor) commented Sep 12, 2015

I used to use bindcode in i3 for unknown symbols. I'm guessing another wlc feature.

ddevault (Member, Author) commented Sep 12, 2015

bindcode isn't supported on sway yet. Try binding "ampersand".

tiregram commented Sep 13, 2015

Yes, I have tried, but I get the message
Bindsym - unknow key &
on the tty. This error message was generated by the line
command.c:154
because you check
xkb_keysym_from_name(split->items[i], XKB_KEYSYM_CASE_INSENSITIVE);

ddevault (Member, Author) commented Oct 28, 2015

Updated with features from i3 4.11.

Emantor added a commit to Emantor/sway that referenced this issue Feb 23, 2019
Fixes heap-use-after-free:

==32046==ERROR: AddressSanitizer: heap-use-after-free on address 0x615000064d20 at pc 0x55571ce4d303 bp 0x7fff545c64c0 sp 0x7fff545c64b0
WRITE of size 8 at 0x615000064d20 thread T0
    #0 0x55571ce4d302 in xdg_decoration_handle_destroy ../sway/xdg_decoration.c:13
    #1 0x7f64009d6f36 in wlr_signal_emit_safe ../util/signal.c:29
    #2 0x7f64009d3c46 in toplevel_decoration_handle_resource_destroy ../types/wlr_xdg_decoration_v1.c:65
    #3 0x7f6400a19f8d  (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x7f8d)
    #4 0x7f6400a19fed in wl_resource_destroy (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x7fed)
    #5 0x7f64009d3d1f in toplevel_decoration_handle_surface_destroy ../types/wlr_xdg_decoration_v1.c:82
    #6 0x7f64009d6f36 in wlr_signal_emit_safe ../util/signal.c:29
    #7 0x7f64009b059c in reset_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:453
    #8 0x7f64009b0688 in destroy_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:483
    #9 0x7f64009af08c in xdg_client_handle_resource_destroy ../types/xdg_shell/wlr_xdg_shell.c:71
    #10 0x7f6400a19f8d  (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x7f8d)
    #11 0x7f6400a1e211  (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0xc211)
    #12 0x7f6400a1e6fe  (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0xc6fe)
    #13 0x7f6400a1a0ec in wl_client_destroy (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x80ec)
    #14 0x7f6400a1a1c4  (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x81c4)
    #15 0x7f6400a1b941 in wl_event_loop_dispatch (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x9941)
    #16 0x7f6400a1a569 in wl_display_run (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x8569)
    #17 0x55571ce4c7fd in server_run ../sway/server.c:214
    #18 0x55571ce4ad59 in main ../sway/main.c:405
    #19 0x7f640071109a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #20 0x55571ce2cfa9 in _start (/usr/local/bin/sway+0x35fa9)

0x615000064d20 is located 32 bytes inside of 504-byte region [0x615000064d00,0x615000064ef8)
freed by thread T0 here:
    #0 0x7f6401531b70 in free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xedb70)
    #1 0x55571ce6c72b in destroy ../sway/desktop/xdg_shell.c:252
    #2 0x55571cee3f7b in view_destroy ../sway/tree/view.c:60
    #3 0x55571cee4090 in view_begin_destroy ../sway/tree/view.c:73
    #4 0x55571ce6dd95 in handle_destroy ../sway/desktop/xdg_shell.c:464
    #5 0x7f64009d6f36 in wlr_signal_emit_safe ../util/signal.c:29
    #6 0x7f64009b059c in reset_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:453
    #7 0x7f64009b0688 in destroy_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:483
    #8 0x7f64009af08c in xdg_client_handle_resource_destroy ../types/xdg_shell/wlr_xdg_shell.c:71
    #9 0x7f6400a19f8d  (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x7f8d)

previously allocated by thread T0 here:
    #0 0x7f6401532138 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xee138)
    #1 0x55571ce6df39 in handle_xdg_shell_surface ../sway/desktop/xdg_shell.c:485
    #2 0x7f64009d6f36 in wlr_signal_emit_safe ../util/signal.c:29
    #3 0x7f64009b0167 in handle_xdg_surface_commit ../types/xdg_shell/wlr_xdg_surface.c:350
    #4 0x7f64009ce2a5 in surface_commit_pending ../types/wlr_surface.c:372
    #5 0x7f64009ce523 in surface_commit ../types/wlr_surface.c:444
    #6 0x7f63ff63ddad in ffi_call_unix64 (/usr/lib/x86_64-linux-gnu/libffi.so.6+0x5dad)

Fixes swaywm#3759
RedSoxFan added a commit that referenced this issue Feb 23, 2019
ddevault added a commit that referenced this issue Feb 25, 2019
Fixes memory leaks in the form of:

Direct leak of 20 byte(s) in 1 object(s) allocated from:
    #0 0x7f5f7c2f4f30 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xedf30)
    #1 0x563c7995b36a in join_args ../common/stringop.c:268
    #2 0x563c798a6a1a in main ../sway/main.c:348
    #3 0x7f5f7b4d609a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
ddevault added a commit that referenced this issue Feb 25, 2019
Fixes memory leaks in the form of:

Direct leak of 24 byte(s) in 1 object(s) allocated from:
    #0 0x7f5f7c2f4f30 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xedf30)
    #1 0x563c799569f2 in ipc_recv_response ../common/ipc-client.c:94
    #2 0x563c79957062 in ipc_single_command ../common/ipc-client.c:138
    #3 0x563c798a56cc in run_as_ipc_client ../sway/main.c:127
    #4 0x563c798a6a3a in main ../sway/main.c:349
    #5 0x7f5f7b4d609a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
ddevault added a commit that referenced this issue Feb 25, 2019
Commit d3d7956 removed this NULL check, which
leads to the following backtrace:

  #0  0x0000557bd201df46 in node_is_view (node=0x0) at ../sway/sway/tree/node.c:41
  #1  0x0000557bd1ff5d4e in seat_get_focus_inactive (seat=0x557bd3fc7580, node=0x0) at ../sway/sway/input/seat.c:968
          current = 0x557bd2033485
  #2  0x0000557bd2009f24 in cmd_move_container (argc=3, argv=0x557bd46b19c0) at ../sway/sway/commands/move.c:557
          new_output_last_focus = 0x0
          error = 0x0
          node = 0x557bd469f360
          workspace = 0x557bd4572ee0
          container = 0x557bd469f360
          no_auto_back_and_forth = false
          seat = 0x557bd3fc7580
          old_parent = 0x0
          old_ws = 0x557bd4572ee0
          old_output = 0x557bd411f740
          destination = 0x557bd46a0cc0
          new_output = 0x557bd411f740
          new_output_last_ws = 0x0
          focus = 0x557bd469f360
          __PRETTY_FUNCTION__ = "cmd_move_container"
          new_workspace = 0x557bd4572ee0
  […]

Reintroduce the NULL check to fix the bug.

Fixes #3746
ddevault added a commit that referenced this issue Feb 25, 2019
Emantor added a commit to Emantor/sway that referenced this issue Jun 2, 2019
handle_destroy would mark the output as being destroyed and commit the
transaction. Committing the transaction results in the output being
freed, the output manager can not retrieve the server reference
afterwards, resulting in the following use-after-free:

==22746==ERROR: AddressSanitizer: heap-use-after-free on address 0x614000017088 at pc 0x560c1ac17136 bp 0x7ffeab146f20 sp 0x7ffeab146f10
READ of size 8 at 0x614000017088 thread T0
    #0 0x560c1ac17135 in handle_destroy ../sway/desktop/output.c:566
    #1 0x7f38af69330e in wlr_signal_emit_safe ../subprojects/wlroots/util/signal.c:29
    #2 0x7f38af5d3dfc in drm_connector_cleanup ../subprojects/wlroots/backend/drm/drm.c:1448
    #3 0x7f38af5d2058 in scan_drm_connectors ../subprojects/wlroots/backend/drm/drm.c:1240
    #4 0x7f38af5c6a59 in drm_invalidated ../subprojects/wlroots/backend/drm/backend.c:135
    #5 0x7f38af69330e in wlr_signal_emit_safe ../subprojects/wlroots/util/signal.c:29
    #6 0x7f38af5e827a in udev_event ../subprojects/wlroots/backend/session/session.c:52
    #7 0x7f38aef5d7f1 in wl_event_loop_dispatch (/usr/lib/libwayland-server.so.0+0xa7f1)
    #8 0x7f38aef5c39b in wl_display_run (/usr/lib/libwayland-server.so.0+0x939b)
    #9 0x560c1ac0afbe in server_run ../sway/server.c:225
    #10 0x560c1ac09382 in main ../sway/main.c:397
    #11 0x7f38aed35ce2 in __libc_start_main (/usr/lib/libc.so.6+0x23ce2)
    #12 0x560c1abea10d in _start (/usr/local/bin/sway+0x3910d)

0x614000017088 is located 72 bytes inside of 432-byte region [0x614000017040,0x6140000171f0)
freed by thread T0 here:
    #0 0x7f38af82df89 in __interceptor_free /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:66
    #1 0x560c1acbd1ed in output_destroy ../sway/tree/output.c:243
    #2 0x560c1ac23ce5 in transaction_destroy ../sway/desktop/transaction.c:66
    #3 0x560c1ac26b71 in transaction_progress_queue ../sway/desktop/transaction.c:348
    #4 0x560c1ac284ca in transaction_commit_dirty ../sway/desktop/transaction.c:539
    #5 0x560c1ac17110 in handle_destroy ../sway/desktop/output.c:564
    #6 0x7f38af69330e in wlr_signal_emit_safe ../subprojects/wlroots/util/signal.c:29
    #7 0x7f38af5d3dfc in drm_connector_cleanup ../subprojects/wlroots/backend/drm/drm.c:1448
    #8 0x7f38af5d2058 in scan_drm_connectors ../subprojects/wlroots/backend/drm/drm.c:1240
    #9 0x7f38af5c6a59 in drm_invalidated ../subprojects/wlroots/backend/drm/backend.c:135
    #10 0x7f38af69330e in wlr_signal_emit_safe ../subprojects/wlroots/util/signal.c:29
    #11 0x7f38af5e827a in udev_event ../subprojects/wlroots/backend/session/session.c:52
    #12 0x7f38aef5d7f1 in wl_event_loop_dispatch (/usr/lib/libwayland-server.so.0+0xa7f1)

previously allocated by thread T0 here:
    #0 0x7f38af82e5a1 in __interceptor_calloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:95
    #1 0x560c1acbc228 in output_create ../sway/tree/output.c:91
    #2 0x560c1ac17ba2 in handle_new_output ../sway/desktop/output.c:656
    #3 0x7f38af69330e in wlr_signal_emit_safe ../subprojects/wlroots/util/signal.c:29
    #4 0x7f38af5e4ce8 in new_output_reemit ../subprojects/wlroots/backend/multi/backend.c:143
    #5 0x7f38af69330e in wlr_signal_emit_safe ../subprojects/wlroots/util/signal.c:29
    #6 0x7f38af5d26d4 in scan_drm_connectors ../subprojects/wlroots/backend/drm/drm.c:1294
    #7 0x7f38af5c6a59 in drm_invalidated ../subprojects/wlroots/backend/drm/backend.c:135
    #8 0x7f38af69330e in wlr_signal_emit_safe ../subprojects/wlroots/util/signal.c:29
    #9 0x7f38af5e827a in udev_event ../subprojects/wlroots/backend/session/session.c:52
    #10 0x7f38aef5d7f1 in wl_event_loop_dispatch (/usr/lib/libwayland-server.so.0+0xa7f1)

SUMMARY: AddressSanitizer: heap-use-after-free ../sway/desktop/output.c:566 in handle_destroy
Shadow bytes around the buggy address:

Retrieve the reference before the output is destroyed and update the
output_management state with the saved reference.
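
The ordering problem this commit message describes, reduced to a self-contained C model. This is an added example, not sway's or wlroots' code: the struct layouts, `pending_destroy` and `update_output_manager_config` are assumptions, and the other function names only echo frames from the trace above.

```c
/* Added illustration of the ordering bug; a simplified model, not sway's code.
 * Struct layouts and update_output_manager_config() are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct server {
    int output_config_updates;      /* stands in for the output_management state */
};

struct output {
    struct server *server;          /* back-reference the destroy handler needs */
    int destroying;
};

/* Pending transaction: the output whose teardown has been requested. */
static struct output *pending_destroy;
static int outputs_freed;

static struct output *output_create(struct server *server) {
    struct output *o = calloc(1, sizeof(*o));
    if (o) {
        o->server = server;
    }
    return o;
}

static void output_begin_destroy(struct output *o) {
    o->destroying = 1;
    pending_destroy = o;
}

/* Committing the transaction frees the output that was marked as destroying. */
static void transaction_commit_dirty(void) {
    if (pending_destroy && pending_destroy->destroying) {
        free(pending_destroy);
        outputs_freed++;
    }
    pending_destroy = NULL;
}

static void update_output_manager_config(struct server *server) {
    server->output_config_updates++;
}

/* BEFORE: the server reference is fetched through the output after the
 * commit has already freed it (a heap-use-after-free read). */
static void handle_destroy_buggy(struct output *output) {
    output_begin_destroy(output);
    transaction_commit_dirty();
    update_output_manager_config(output->server);   /* output is freed here */
}

/* AFTER: save the reference while the output is still alive, then use only
 * the saved copy once the commit has run. */
static void handle_destroy_fixed(struct output *output) {
    struct server *server = output->server;
    output_begin_destroy(output);
    transaction_commit_dirty();
    update_output_manager_config(server);
}

/* Unplug n outputs through the fixed handler; returns the number of
 * output-management updates the server saw, or -1 on allocation failure. */
int simulate_unplug(int n_outputs) {
    struct server server = {0};
    for (int i = 0; i < n_outputs; i++) {
        struct output *o = output_create(&server);
        if (!o) {
            return -1;
        }
        handle_destroy_fixed(o);
    }
    return server.output_config_updates;
}

int main(int argc, char **argv) {
    if (argc > 1 && strcmp(argv[1], "buggy") == 0) {
        struct server server = {0};
        struct output *o = output_create(&server);
        if (o) {
            handle_destroy_buggy(o);    /* AddressSanitizer aborts in here */
        }
        return 1;
    }
    printf("config updates after 3 unplugs: %d\n", simulate_unplug(3));
    return 0;
}
```

Built with `-fsanitize=address` and run with the argument `buggy`, the first handler yields a heap-use-after-free READ report of the same shape as the one in the commit message; the default path exercises only the fixed handler.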
Emantor added a commit to Emantor/sway that referenced this issue Jun 2, 2019
emersion added a commit that referenced this issue Jun 2, 2019
handle_destroy would mark the output as being destroyed and commit the
transaction. Committing the transaction results in the output being
freed, the output manager can not retrieve the server reference
afterwards, resulting in the following use-after-free:

==22746==ERROR: AddressSanitizer: heap-use-after-free on address 0x614000017088 at pc 0x560c1ac17136 bp 0x7ffeab146f20 sp 0x7ffeab146f10
READ of size 8 at 0x614000017088 thread T0
    #0 0x560c1ac17135 in handle_destroy ../sway/desktop/output.c:566
    #1 0x7f38af69330e in wlr_signal_emit_safe ../subprojects/wlroots/util/signal.c:29
    #2 0x7f38af5d3dfc in drm_connector_cleanup ../subprojects/wlroots/backend/drm/drm.c:1448
    #3 0x7f38af5d2058 in scan_drm_connectors ../subprojects/wlroots/backend/drm/drm.c:1240
    #4 0x7f38af5c6a59 in drm_invalidated ../subprojects/wlroots/backend/drm/backend.c:135
    #5 0x7f38af69330e in wlr_signal_emit_safe ../subprojects/wlroots/util/signal.c:29
    #6 0x7f38af5e827a in udev_event ../subprojects/wlroots/backend/session/session.c:52
    #7 0x7f38aef5d7f1 in wl_event_loop_dispatch (/usr/lib/libwayland-server.so.0+0xa7f1)
    #8 0x7f38aef5c39b in wl_display_run (/usr/lib/libwayland-server.so.0+0x939b)
    #9 0x560c1ac0afbe in server_run ../sway/server.c:225
    #10 0x560c1ac09382 in main ../sway/main.c:397
    #11 0x7f38aed35ce2 in __libc_start_main (/usr/lib/libc.so.6+0x23ce2)
    #12 0x560c1abea10d in _start (/usr/local/bin/sway+0x3910d)

0x614000017088 is located 72 bytes inside of 432-byte region [0x614000017040,0x6140000171f0)
freed by thread T0 here:
    #0 0x7f38af82df89 in __interceptor_free /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:66
    #1 0x560c1acbd1ed in output_destroy ../sway/tree/output.c:243
    #2 0x560c1ac23ce5 in transaction_destroy ../sway/desktop/transaction.c:66
    #3 0x560c1ac26b71 in transaction_progress_queue ../sway/desktop/transaction.c:348
    #4 0x560c1ac284ca in transaction_commit_dirty ../sway/desktop/transaction.c:539
    #5 0x560c1ac17110 in handle_destroy ../sway/desktop/output.c:564
    #6 0x7f38af69330e in wlr_signal_emit_safe ../subprojects/wlroots/util/signal.c:29
    #7 0x7f38af5d3dfc in drm_connector_cleanup ../subprojects/wlroots/backend/drm/drm.c:1448
    #8 0x7f38af5d2058 in scan_drm_connectors ../subprojects/wlroots/backend/drm/drm.c:1240
    #9 0x7f38af5c6a59 in drm_invalidated ../subprojects/wlroots/backend/drm/backend.c:135
    #10 0x7f38af69330e in wlr_signal_emit_safe ../subprojects/wlroots/util/signal.c:29
    #11 0x7f38af5e827a in udev_event ../subprojects/wlroots/backend/session/session.c:52
    #12 0x7f38aef5d7f1 in wl_event_loop_dispatch (/usr/lib/libwayland-server.so.0+0xa7f1)

previously allocated by thread T0 here:
    #0 0x7f38af82e5a1 in __interceptor_calloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:95
    #1 0x560c1acbc228 in output_create ../sway/tree/output.c:91
    #2 0x560c1ac17ba2 in handle_new_output ../sway/desktop/output.c:656
    #3 0x7f38af69330e in wlr_signal_emit_safe ../subprojects/wlroots/util/signal.c:29
    #4 0x7f38af5e4ce8 in new_output_reemit ../subprojects/wlroots/backend/multi/backend.c:143
    #5 0x7f38af69330e in wlr_signal_emit_safe ../subprojects/wlroots/util/signal.c:29
    #6 0x7f38af5d26d4 in scan_drm_connectors ../subprojects/wlroots/backend/drm/drm.c:1294
    #7 0x7f38af5c6a59 in drm_invalidated ../subprojects/wlroots/backend/drm/backend.c:135
    #8 0x7f38af69330e in wlr_signal_emit_safe ../subprojects/wlroots/util/signal.c:29
    #9 0x7f38af5e827a in udev_event ../subprojects/wlroots/backend/session/session.c:52
    #10 0x7f38aef5d7f1 in wl_event_loop_dispatch (/usr/lib/libwayland-server.so.0+0xa7f1)

SUMMARY: AddressSanitizer: heap-use-after-free ../sway/desktop/output.c:566 in handle_destroy
Shadow bytes around the buggy address:
  0x0c287fffadc0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c287fffadd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c287fffade0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c287fffadf0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c287fffae00: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c287fffae10: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c287fffae20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c287fffae30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
  0x0c287fffae40: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c287fffae50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c287fffae60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Retrieve the reference before the output is destroyed and update the
output_management state with the saved reference.
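
The ordering problem this commit message describes, reduced to a self-contained C model (an added example, not sway's code). `struct server`, `struct output`, the single-slot allocator and both handler variants are constructed stand-ins; released memory is filled with 0xfd so the stale read is visible without a sanitizer.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins; only the ordering mirrors the commit message. */
struct server { int output_updates; };

struct output {
    struct server *server;   /* the reference read after the free in the report */
    bool destroying;
};

/* Toy allocator: one static slot. "Freeing" fills it with 0xfd, so a stale
 * read returns an obviously wrong value instead of touching unmapped memory. */
static struct output slot;
static bool slot_live;

static struct output *output_create(struct server *server) {
    slot.server = server;
    slot.destroying = false;
    slot_live = true;
    return &slot;
}

static void output_destroy(struct output *output) {
    memset(output, 0xfd, sizeof(*output));
    slot_live = false;
}

/* Committing the transaction releases every output marked as being destroyed. */
static void transaction_commit_dirty(void) {
    if (slot_live && slot.destroying) {
        output_destroy(&slot);
    }
}

/* Before the fix: the server reference is fetched after the commit. */
static struct server *handle_destroy_before(struct output *output) {
    output->destroying = true;
    transaction_commit_dirty();      /* the output is released in here */
    return output->server;           /* stale read of released memory */
}

/* After the fix: fetch the reference first, then let the commit release the output. */
static struct server *handle_destroy_after(struct output *output) {
    struct server *server = output->server;
    output->destroying = true;
    transaction_commit_dirty();
    return server;
}

/* Stand-in for the output-management update that needs the server. */
static void update_output_manager(struct server *server) {
    server->output_updates++;
}

/* Returns 1 when the fixed handler hands back the live server and the
 * follow-up update can run against it. */
int fixed_handler_returns_live_server(void) {
    struct server server = {0};
    struct server *got = handle_destroy_after(output_create(&server));
    if (got != &server) {
        return 0;
    }
    update_output_manager(got);
    return server.output_updates == 1 && !slot_live;
}

/* Returns 1 when the old handler hands back nothing but the 0xfd fill pattern. */
int old_handler_returns_poison(void) {
    struct server server = {0};
    struct server *got = handle_destroy_before(output_create(&server));
    unsigned char expect[sizeof(got)];
    memset(expect, 0xfd, sizeof(expect));
    return memcmp(&got, expect, sizeof(got)) == 0;
}

int main(void) {
    printf("fixed handler returns live server: %d\n", fixed_handler_returns_live_server());
    printf("old handler returns poison:        %d\n", old_handler_returns_poison());
    return 0;
}
```
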
ddevault added a commit that referenced this issue Jun 3, 2019
lolzballs added a commit to lolzballs/sway that referenced this issue Dec 5, 2019
emersion added a commit to emersion/sway that referenced this issue Feb 6, 2020
This fixes the following crash:

    #0  0x00007f7daac3af25 in raise () at /usr/lib/libc.so.6
    #1  0x00007f7daac24897 in abort () at /usr/lib/libc.so.6
    #2  0x00007f7daac24767 in _nl_load_domain.cold () at /usr/lib/libc.so.6
    #3  0x00007f7daac33526 in  () at /usr/lib/libc.so.6
    #4  0x0000555bfbc35029 in seat_set_focus_layer (seat=0x555bfd76d860, layer=0x555bfdda2ff0)
        at ../sway/input/seat.c:1164
            __PRETTY_FUNCTION__ = "seat_set_focus_layer"
            __PRETTY_FUNCTION__ = "seat_set_focus_layer"
    #5  0x0000555bfbc35029 in seat_set_focus_layer (seat=seat@entry=0x555bfd76d860, layer=0x555bfdda2ff0)
        at ../sway/input/seat.c:1164
            __PRETTY_FUNCTION__ = "seat_set_focus_layer"
    #6  0x0000555bfbc25899 in handle_output_destroy (listener=0x555bfdb90688, data=<optimized out>)
        at ../sway/desktop/layer_shell.c:263
            layer = 0x555bfdd6b040
            sway_layer = 0x555bfdb90610
            seat = 0x555bfd76d860
            client = 0x555bfdb76d70
            set_focus = <optimized out>
    #7  0x0000555bfbc5b669 in wl_signal_emit (data=0x555bfd795930, signal=0x555bfd795ae0)
        at /usr/include/wayland-server-core.h:472
            l = <optimized out>
            next = 0x555bfdb6a3e8
            __PRETTY_FUNCTION__ = "output_disable"
            index = <optimized out>
    #8  0x0000555bfbc5b669 in output_disable (output=output@entry=0x555bfd795930)
        at ../sway/tree/output.c:263
            __PRETTY_FUNCTION__ = "output_disable"
            index = <optimized out>
    #9  0x0000555bfbc3b890 in apply_output_config (oc=0x555bfd7d73d0, output=output@entry=0x555bfd795930)
        at ../sway/config/output.c:321
            wlr_output = 0x555bfd7afaf0
            scale = <optimized out>
            output_box = <optimized out>
    #10 0x0000555bfbc28309 in handle_output_manager_apply
        (listener=0x555bfbc7f148 <server+488>, data=0x555bfdca6eb0) at ../sway/desktop/output.c:936
            wlr_output = <optimized out>
            output = 0x555bfd795930
            oc = <optimized out>
            server = 0x555bfbc7ef60 <server>
            config = 0x555bfdca6eb0
            config_head = 0x555bfdb79350
            ok = true
    #11 0x00007f7dab4fbf7c in wlr_signal_emit_safe (signal=<optimized out>, data=0x555bfdca6eb0)
        at ../subprojects/wlroots/util/signal.c:29
            pos = 0x555bfbc7f148 <server+488>
            l = 0x555bfbc7f148 <server+488>
            cursor =
              {link = {prev = 0x555bfbc7f148 <server+488>, next = 0x7fff238a8390}, notify = 0x7f7dab4fbef0 <handle_noop>}
            end =
              {link = {prev = 0x7fff238a8370, next = 0x555bfd7419f8}, notify = 0x7f7dab4fbef0 <handle_noop>}
    #12 0x00007f7daa45469a in ffi_call_unix64 () at /usr/lib/libffi.so.6
    #13 0x00007f7daa453fb6 in ffi_call () at /usr/lib/libffi.so.6
    #14 0x00007f7daae6f82f in  () at /usr/lib/libwayland-server.so.0
    #15 0x00007f7daae6c193 in  () at /usr/lib/libwayland-server.so.0
    #16 0x00007f7daae6d7f2 in wl_event_loop_dispatch () at /usr/lib/libwayland-server.so.0
    #17 0x00007f7daae6c39c in wl_display_run () at /usr/lib/libwayland-server.so.0

This crash happens because focus can only be set on mapped surfaces.
ddevault added a commit that referenced this issue Feb 6, 2020
luispabon added a commit to luispabon/sway that referenced this issue Feb 7, 2020
Emantor added a commit to Emantor/sway that referenced this issue Apr 5, 2020
Instead of removing the destroy listeners in the output destroy, remove
them in the damage destroy handler. Fixes the following use after free:

  ==646625==ERROR: AddressSanitizer: heap-use-after-free on address 0x61200017cab8 at pc 0x0000004f8f29 bp 0x7ffdf465ad30 sp 0x7ffdf465ad20
  WRITE of size 8 at 0x61200017cab8 thread T0

      #0 0x4f8f28 in wl_list_remove ../common/list.c:181
      #1 0x43dd24 in handle_destroy ../sway/desktop/output.c:790
  (`wl_list_remove(&output->damage_destroy.link);` here, 214e3030e1dce master branch)
      #2 0x7f0e573a1c93 in wlr_signal_emit_safe ../util/signal.c:29
      #3 0x7f0e57390954 in wlr_output_destroy ../types/wlr_output.c:365
      #4 0x7f0e5735e37f in backend_destroy ../backend/x11/backend.c:128
      #5 0x7f0e57348147 in wlr_backend_destroy ../backend/backend.c:47
      #6 0x7f0e57356f75 in multi_backend_destroy ../backend/multi/backend.c:54
      #7 0x7f0e5735710e in handle_display_destroy ../backend/multi/backend.c:107
      #8 0x7f0e573f23e4 in wl_display_destroy (/lib64/libwayland-server.so.0+0x93e4)
      #9 0x42f0b2 in server_fini ../sway/server.c:177
      #10 0x42dd01 in main ../sway/main.c:414
      #11 0x7f0e570f7041 in __libc_start_main (/lib64/libc.so.6+0x27041)
      #12 0x40e3bd in _start (/opt/wayland/bin/sway+0x40e3bd)

  0x61200017cab8 is located 120 bytes inside of 320-byte region [0x61200017ca40,0x61200017cb80)
  freed by thread T0 here:
      #0 0x7f0e57aa9357 in __interceptor_free (/lib64/libasan.so.6+0xb0357)
      #1 0x7f0e5738b877 in wlr_output_damage_destroy ../types/wlr_output_damage.c:143
      #2 0x7f0e5738b2b9 in output_handle_destroy ../types/wlr_output_damage.c:13
      #3 0x7f0e573a1c93 in wlr_signal_emit_safe ../util/signal.c:29
      #4 0x7f0e57390954 in wlr_output_destroy ../types/wlr_output.c:365
      #5 0x7f0e5735e37f in backend_destroy ../backend/x11/backend.c:128
      #6 0x7f0e57348147 in wlr_backend_destroy ../backend/backend.c:47
      #7 0x7f0e57356f75 in multi_backend_destroy ../backend/multi/backend.c:54
      #8 0x7f0e5735710e in handle_display_destroy ../backend/multi/backend.c:107
      #9 0x7f0e573f23e4 in wl_display_destroy (/lib64/libwayland-server.so.0+0x93e4)

  previously allocated by thread T0 here:
      #0 0x7f0e57aa9887 in __interceptor_calloc (/lib64/libasan.so.6+0xb0887)
      #1 0x7f0e5738b532 in wlr_output_damage_create ../types/wlr_output_damage.c:91
      #2 0x43e4a7 in handle_new_output ../sway/desktop/output.c:875
      #3 0x7f0e573a1c93 in wlr_signal_emit_safe ../util/signal.c:29
      #4 0x7f0e57357261 in new_output_reemit ../backend/multi/backend.c:143
      #5 0x7f0e573a1c93 in wlr_signal_emit_safe ../util/signal.c:29
      #6 0x7f0e5736030a in wlr_x11_output_create ../backend/x11/output.c:253
      #7 0x7f0e5735e309 in backend_start ../backend/x11/backend.c:113
      #8 0x7f0e573480fb in wlr_backend_start ../backend/backend.c:36
      #9 0x7f0e57356e61 in multi_backend_start ../backend/multi/backend.c:31
      #10 0x7f0e573480fb in wlr_backend_start ../backend/backend.c:36
      #11 0x42f4ba in server_start ../sway/server.c:205
      #12 0x42dbd7 in main ../sway/main.c:394
      #13 0x7f0e570f7041 in __libc_start_main (/lib64/libc.so.6+0x27041)

Fixes swaywm#5158
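
Why `wl_list_remove` shows up as a WRITE into the freed damage object in the report above, as a self-contained C model (an added example, not sway or wlroots code). The list is re-implemented with the same unlink semantics as wl_list, `struct damage` and `struct output` are constructed stand-ins, and released memory is filled with 0xfd so a later write into it can be detected.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Intrusive doubly linked list with the same unlink semantics as wl_list,
 * re-implemented here so the block builds without libwayland. */
struct list { struct list *prev, *next; };

static void list_init(struct list *head) {
    head->prev = head;
    head->next = head;
}

static void list_insert(struct list *head, struct list *elm) {
    elm->prev = head;
    elm->next = head->next;
    head->next = elm;
    elm->next->prev = elm;
}

/* Unlinking writes into both neighbours, not only into elm itself. */
static void list_remove(struct list *elm) {
    elm->prev->next = elm->next;
    elm->next->prev = elm->prev;
    elm->prev = NULL;
    elm->next = NULL;
}

/* Constructed stand-in for the damage tracker: it owns the list head of its
 * destroy signal. */
struct damage { struct list destroy_listeners; };

/* Constructed stand-in for the compositor's output: it owns the listener link
 * that is inserted into the damage tracker's destroy signal. */
struct output { struct list damage_destroy; };

/* Toy allocator: one static slot; "freeing" fills it with 0xfd. */
static struct damage damage_slot;

static bool poison_intact(void) {
    const unsigned char *p = (const unsigned char *)&damage_slot;
    for (size_t i = 0; i < sizeof(damage_slot); i++) {
        if (p[i] != 0xfd) {
            return false;
        }
    }
    return true;
}

/* The damage tracker reacting to the output's destroy signal: its own destroy
 * signal fires (modelled by the direct call), then the object is released. */
static void damage_destroy(struct output *output, bool unlink_in_damage_handler) {
    if (unlink_in_damage_handler) {
        list_remove(&output->damage_destroy);   /* fixed placement: head still live */
    }
    memset(&damage_slot, 0xfd, sizeof(damage_slot));
}

/* The compositor's handler for the same output destroy signal; per the report
 * it runs after the damage tracker has already been released. */
static void output_handle_destroy(struct output *output, bool unlink_here) {
    if (unlink_here) {
        list_remove(&output->damage_destroy);   /* old placement: neighbour is gone */
    }
}

/* Runs one teardown and reports whether the released memory stayed untouched. */
bool teardown_keeps_freed_memory_untouched(bool fixed) {
    struct output output;
    list_init(&damage_slot.destroy_listeners);
    list_insert(&damage_slot.destroy_listeners, &output.damage_destroy);
    damage_destroy(&output, fixed);
    output_handle_destroy(&output, !fixed);
    return poison_intact();
}

int main(void) {
    printf("unlink in damage destroy handler: freed memory untouched = %d\n",
           teardown_keeps_freed_memory_untouched(true));
    printf("unlink in output destroy handler: freed memory untouched = %d\n",
           teardown_keeps_freed_memory_untouched(false));
    return 0;
}
```
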
Emantor added a commit to Emantor/sway that referenced this issue Apr 5, 2020
Emantor added a commit to Emantor/sway that referenced this issue Apr 10, 2020
emersion added a commit that referenced this issue Apr 10, 2020
Instead of removing the destroy listeners in the output destroy, remove
them in the damage destroy handler. Fixes the following use after free:

  ==646625==ERROR: AddressSanitizer: heap-use-after-free on address 0x61200017cab8 at pc 0x0000004f8f29 bp 0x7ffdf465ad30 sp 0x7ffdf465ad20
  WRITE of size 8 at 0x61200017cab8 thread T0

      #0 0x4f8f28 in wl_list_remove ../common/list.c:181
      #1 0x43dd24 in handle_destroy ../sway/desktop/output.c:790
  (`wl_list_remove(&output->damage_destroy.link);` here, 214e3030e1dce master branch)
      #2 0x7f0e573a1c93 in wlr_signal_emit_safe ../util/signal.c:29
      #3 0x7f0e57390954 in wlr_output_destroy ../types/wlr_output.c:365
      #4 0x7f0e5735e37f in backend_destroy ../backend/x11/backend.c:128
      #5 0x7f0e57348147 in wlr_backend_destroy ../backend/backend.c:47
      #6 0x7f0e57356f75 in multi_backend_destroy ../backend/multi/backend.c:54
      #7 0x7f0e5735710e in handle_display_destroy ../backend/multi/backend.c:107
      #8 0x7f0e573f23e4 in wl_display_destroy (/lib64/libwayland-server.so.0+0x93e4)
      #9 0x42f0b2 in server_fini ../sway/server.c:177
      #10 0x42dd01 in main ../sway/main.c:414
      #11 0x7f0e570f7041 in __libc_start_main (/lib64/libc.so.6+0x27041)
      #12 0x40e3bd in _start (/opt/wayland/bin/sway+0x40e3bd)

  0x61200017cab8 is located 120 bytes inside of 320-byte region [0x61200017ca40,0x61200017cb80)
  freed by thread T0 here:
      #0 0x7f0e57aa9357 in __interceptor_free (/lib64/libasan.so.6+0xb0357)
      #1 0x7f0e5738b877 in wlr_output_damage_destroy ../types/wlr_output_damage.c:143
      #2 0x7f0e5738b2b9 in output_handle_destroy ../types/wlr_output_damage.c:13
      #3 0x7f0e573a1c93 in wlr_signal_emit_safe ../util/signal.c:29
      #4 0x7f0e57390954 in wlr_output_destroy ../types/wlr_output.c:365
      #5 0x7f0e5735e37f in backend_destroy ../backend/x11/backend.c:128
      #6 0x7f0e57348147 in wlr_backend_destroy ../backend/backend.c:47
      #7 0x7f0e57356f75 in multi_backend_destroy ../backend/multi/backend.c:54
      #8 0x7f0e5735710e in handle_display_destroy ../backend/multi/backend.c:107
      #9 0x7f0e573f23e4 in wl_display_destroy (/lib64/libwayland-server.so.0+0x93e4)

  previously allocated by thread T0 here:
      #0 0x7f0e57aa9887 in __interceptor_calloc (/lib64/libasan.so.6+0xb0887)
      #1 0x7f0e5738b532 in wlr_output_damage_create ../types/wlr_output_damage.c:91
      #2 0x43e4a7 in handle_new_output ../sway/desktop/output.c:875
      #3 0x7f0e573a1c93 in wlr_signal_emit_safe ../util/signal.c:29
      #4 0x7f0e57357261 in new_output_reemit ../backend/multi/backend.c:143
      #5 0x7f0e573a1c93 in wlr_signal_emit_safe ../util/signal.c:29
      #6 0x7f0e5736030a in wlr_x11_output_create ../backend/x11/output.c:253
      #7 0x7f0e5735e309 in backend_start ../backend/x11/backend.c:113
      #8 0x7f0e573480fb in wlr_backend_start ../backend/backend.c:36
      #9 0x7f0e57356e61 in multi_backend_start ../backend/multi/backend.c:31
      #10 0x7f0e573480fb in wlr_backend_start ../backend/backend.c:36
      #11 0x42f4ba in server_start ../sway/server.c:205
      #12 0x42dbd7 in main ../sway/main.c:394
      #13 0x7f0e570f7041 in __libc_start_main (/lib64/libc.so.6+0x27041)

Fixes #5158
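
The ordering problem behind the trace in the commit message above, as an added C model (not sway or wlroots code): the signal's list head lives inside the damage object, so the listener has to be unlinked in the damage destroy handler, before that object is freed. All type and function names below are constructed for illustration.

```c
#include <stddef.h>
#include <stdlib.h>
/* Constructed model, not sway/wlroots code: an intrusive list shaped like wl_list. */
struct list { struct list *prev, *next; };
struct listener { struct list link; void (*notify)(struct listener *); };
struct damage { struct list destroy_listeners; };  /* list head lives in the object */
struct output { struct damage *damage; struct listener damage_destroy; };
#define container_of(p, T, m) ((T *)((char *)(p) - offsetof(T, m)))

static void list_init(struct list *l) { l->prev = l->next = l; }
static void list_insert(struct list *head, struct list *e) {
    e->prev = head; e->next = head->next;
    head->next->prev = e; head->next = e;
}
/* Like wl_list_remove, this writes into both neighbours of e. */
static void list_remove(struct list *e) {
    e->prev->next = e->next; e->next->prev = e->prev;
    list_init(e);  /* assumption: self-link afterwards so "still linked?" is checkable */
}

/* Fixed placement: unlink while the damage object and its list head are alive. */
static void on_damage_destroy(struct listener *l) {
    struct output *o = container_of(l, struct output, damage_destroy);
    list_remove(&l->link);
    o->damage = NULL;
}

static void damage_destroy(struct damage *d) {
    struct list *pos = d->destroy_listeners.next, *next;
    for (; pos != &d->destroy_listeners; pos = next) {
        next = pos->next;  /* a handler may unlink itself */
        struct listener *l = container_of(pos, struct listener, link);
        l->notify(l);
    }
    free(d);  /* the list head is gone after this */
}

static int demo(void) {  /* 1 = damage freed and no stale link left behind */
    struct output o = { .damage_destroy = { .notify = on_damage_destroy } };
    o.damage = calloc(1, sizeof *o.damage);
    if (!o.damage) return -1;
    list_init(&o.damage->destroy_listeners);
    list_insert(&o.damage->destroy_listeners, &o.damage_destroy.link);
    damage_destroy(o.damage);
    /* Output teardown point: a late list_remove() here is the write ASan flagged. */
    int stale = o.damage_destroy.link.next != &o.damage_destroy.link;
    return !stale && o.damage == NULL;
}
int main(void) { return demo() == 1 ? 0 : 1; }
```

In this model, moving the `list_remove` call out of `on_damage_destroy` to the teardown point after `damage_destroy` returns makes it write into the freed list head, which a build with `-fsanitize=address` reports as a heap-use-after-free.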