Segfault in handle_pad_tablet_surface_destroy

[jhalmen]

sway version 1.2-rc1-64-gf79f00db (Oct 11 2019, branch 'master')

I just bought a HUION H640P which surprisingly works great without the need to install any extra drivers. However using it (and especially the buttons) rather consistently crashes sway.
I'm already aware of the currently open issue #4617 for the wacom tablet, but as it does crash rather consistently, i decided to open a new issue.
I also use xournalpp as the client. Reading the mentioned issue i'm trying to give as much info as possible.
sway.log obtained by running sway -d debug 2>~/sway.log
client log obtained by running env WAYLAND_DEBUG=client xournalpp 2>~/client.log
I then crashed sway by repeatedly using the pen on the tablet, using its buttons, (and then because for some reason it wouldn't crash, opened the settings, changed what the buttons would do) then continued using the pen and the buttons. now it crashed.
stack trace

i'd be happy to provide more info if needed!

[jhalmen]

for completeness sake: i just found this issue xournalpp/xournalpp#1475

[emersion]

Can you try again with master?

[jhalmen]

unless i'm mistaken, this is on master. i just rebuilt it to check

[jhalmen]

Or did you mean the xournalpp master?
I did that in the meantime -- this version is even less usable: it crashes (and also crashes sway) even when i just try to quit the program. i opened xournalpp/xournalpp#1536 for that

[emersion]

Yeah, I meant the Sway version. The version number is messed up, so I thought it was an old version.

[emersion]

Can you try building sway with ASan (meson build/ -Db_sanitize=address) and get a stack trace from the ASan logs?

[jhalmen]

is this what you're looking for?

#1  0x00007fc324907897 in abort () at /usr/lib/libc.so.6
#2  0x00007fc324961258 in __libc_message () at /usr/lib/libc.so.6
#3  0x00007fc32496877a in  () at /usr/lib/libc.so.6
#4  0x00007fc324969006 in unlink_chunk.isra () at /usr/lib/libc.so.6
#5  0x00007fc32496bc31 in _int_malloc () at /usr/lib/libc.so.6
#6  0x00007fc32496dc15 in calloc () at /usr/lib/libc.so.6
#7  0x00007fc322a57734 in  () at /usr/lib/dri/i965_dri.so
#8  0x00007fc322b7c761 in  () at /usr/lib/dri/i965_dri.so
#9  0x00007fc324b6a29c in wlr_gles2_texture_from_pixels (egl=0x555a07b947c0, wl_fmt=<optimized out>, stride=96, width=24, height=24, data=0x7fc3251cc000) at ../render/gles2/texture.c:175
        fmt = 0x7fc324b9e8c0 <formats>
        texture = 0x555a082c9ef0
        __func__ = "wlr_gles2_texture_from_pixels"
#10 0x00007fc324b7b55b in wlr_buffer_create (renderer=0x555a07d13690, resource=resource@entry=0x555a08213970) at ../types/wlr_buffer.c:70
        fmt = WL_SHM_FORMAT_ARGB8888
        data = <optimized out>
        stride = 96
        width = 24
        height = 24
        __PRETTY_FUNCTION__ = "wlr_buffer_create"
        texture = 0x0
        released = false
        shm_buf = 0x555a0825c500
        buffer = <optimized out>
#11 0x00007fc324b903d7 in surface_apply_damage (surface=0x555a082954b0) at ../types/wlr_surface.c:302
        resource = 0x555a08213970
        buffer = <optimized out>
        invalid_buffer = true
        subsurface = <optimized out>
#12 0x00007fc324b903d7 in surface_commit_pending (surface=surface@entry=0x555a082954b0) at ../types/wlr_surface.c:353
        invalid_buffer = true
        subsurface = <optimized out>
#13 0x00007fc324b905c8 in surface_commit (client=<optimized out>, resource=<optimized out>) at ../types/wlr_surface.c:444
        surface = 0x555a082954b0
        subsurface = <optimized out>
#14 0x00007fc32406b6d0 in ffi_call_unix64 () at /usr/lib/libffi.so.6
#15 0x00007fc32406b0a0 in ffi_call () at /usr/lib/libffi.so.6
#16 0x00007fc324bd982f in  () at /usr/lib/libwayland-server.so.0
#17 0x00007fc324bd6193 in  () at /usr/lib/libwayland-server.so.0
#18 0x00007fc324bd77f2 in wl_event_loop_dispatch () at /usr/lib/libwayland-server.so.0
#19 0x00007fc324bd639c in wl_display_run () at /usr/lib/libwayland-server.so.0
#20 0x0000555a079b8583 in main (argc=1, argv=0x7fff97dae1d8) at ../sway/sway/main.c:402
        verbose = 0
        debug = 0
        validate = 0
        allow_unsupported_gpu = 0
        long_options =
            {{name = 0x555a07a004db "help", has_arg = 0, flag = 0x0, val = 104}, {name = 0x555a07a03415 "config", has_arg = 1, flag = 0x0, val = 99}, {name = 0x555a07a004e0 "validate", has_arg = 0, flag = 0x0, val = 67}, {name = 0x555a07a004e9 "debug", has_arg = 0, flag = 0x0, val = 100}, {name = 0x555a07a0043f "version", has_arg = 0, flag = 0x0, val = 118}, {name = 0x555a079ff5df "verbose", has_arg = 0, flag = 0x0, val = 86}, {name = 0x555a07a004ef "get-socketpath", has_arg = 0, flag = 0x0, val = 112}, {name = 0x555a07a004fe "unsupported-gpu", has_arg = 0, flag = 0x0, val = 117}, {name = 0x555a07a0050e "my-next-gpu-wont-be-nvidia", has_arg = 0, flag = 0x0, val = 117}, {name = 0x0, has_arg = 0, flag = 0x0, val = 0}}
        config_path = 0x0
        usage = 0x555a07a00840 "Usage: sway [options] [command]\n\n  -h, --help", ' ' <repeats 13 times>, "Show help message and quit.\n  -c, --config <config>  Specify a config file.\n  -C, --validate         Check the validity of the config file, th"...
        c = <optimized out>

[jhalmen]

hm, looks like that's a different one, compared to the first one i got.
i just got yet another one, wlr_seat_client_next_serial gets called with a NULL client:

#0  0x00007f69a6d5e6a4 in wlr_seat_client_next_serial (client=0x0) at ../types/seat/wlr_seat.c:375
        serial = <optimized out>
        set = <optimized out>
#1  0x00007f69a6d5f89e in wlr_send_tablet_v2_tablet_pad_leave (pad=0x55d33ee563f0, surface=0x55d33ee92da0) at ../types/tablet_v2/wlr_tablet_v2_pad.c:534
        client = <optimized out>
        serial = <optimized out>
#2  0x000055d33cd3b8e2 in handle_pad_tablet_surface_destroy (listener=0x55d33ee59fa0, data=<optimized out>) at ../sway/sway/input/tablet.c:308
        tablet_pad = 0x55d33ee59f10
#3  0x00007f69a6d82f3e in wlr_signal_emit_safe (signal=signal@entry=0x55d33ee93060, data=data@entry=0x55d33ee92da0) at ../util/signal.c:29
        pos = 0x55d33ee59fa0
        l = 0x55d33ee59fa0
        cursor = {link = {prev = 0x55d33ee59fa0, next = 0x7ffd62784f80}, notify = 0x7f69a6d82eb0 <handle_noop>}
        end = {link = {prev = 0x7ffd62784f60, next = 0x55d33ee93060}, notify = 0x7f69a6d82eb0 <handle_noop>}
#4  0x00007f69a6d7dc3a in surface_handle_resource_destroy (resource=<optimized out>) at ../types/wlr_surface.c:567
        surface = 0x55d33ee92da0
#5  0x00007f69a6dc3d6f in  () at /usr/lib/libwayland-server.so.0
#6  0x00007f69a6dc8182 in  () at /usr/lib/libwayland-server.so.0
#7  0x00007f69a6dc868f in  () at /usr/lib/libwayland-server.so.0
#8  0x00007f69a6dc3eef in wl_client_destroy () at /usr/lib/libwayland-server.so.0
#9  0x00007f69a6dc3fcb in  () at /usr/lib/libwayland-server.so.0
#10 0x00007f69a6dc57f2 in wl_event_loop_dispatch () at /usr/lib/libwayland-server.so.0
#11 0x00007f69a6dc439c in wl_display_run () at /usr/lib/libwayland-server.so.0
#12 0x000055d33cd1c583 in main (argc=1, argv=0x7ffd62785468) at ../sway/sway/main.c:402
        verbose = 0
        debug = 0
        validate = 0
        allow_unsupported_gpu = 0
        long_options =
            {{name = 0x55d33cd644db "help", has_arg = 0, flag = 0x0, val = 104}, {name = 0x55d33cd67415 "config", has_arg = 1, flag = 0x0, val = 99}, {name = 0x55d33cd644e0 "validate", has_arg = 0, flag = 0x0, val = 67}, {name = 0x55d33cd644e9 "debug", has_arg = 0, flag = 0x0, val = 100}, {name = 0x55d33cd6443f "version", has_arg = 0, flag = 0x0, val = 118}, {name = 0x55d33cd635df "verbose", has_arg = 0, flag = 0x0, val = 86}, {name = 0x55d33cd644ef "get-socketpath", has_arg = 0, flag = 0x0, val = 112}, {name = 0x55d33cd644fe "unsupported-gpu", has_arg = 0, flag = 0x0, val = 117}, {name = 0x55d33cd6450e "my-next-gpu-wont-be-nvidia", has_arg = 0, flag = 0x0, val = 117}, {name = 0x0, has_arg = 0, flag = 0x0, val = 0}}
        config_path = 0x0
        usage = 0x55d33cd64840 "Usage: sway [options] [command]\n\n  -h, --help", ' ' <repeats 13 times>, "Show help message and quit.\n  -c, --config <config>  Specify a config file.\n  -C, --validate         Check the validity of the config file, th"...
        c = <optimized out>

[jhalmen]

i now saw that that's not what you were asking for. here's the asan log for the last crash

=================================================================
==37892==ERROR: AddressSanitizer: SEGV on unknown address 0x6100470002f3 (pc 0x7fa19739bc50 bp 0x60f000028090 sp 0x7fff661bfb28 T0)
==37892==The signal is caused by a READ memory access.
    #0 0x7fa19739bc4f  (/usr/lib/libwayland-server.so.0+0x7c4f)
    #1 0x7fa1973356ac in wlr_seat_client_next_serial ../types/seat/wlr_seat.c:375
    #2 0x7fa1973368a5 in wlr_send_tablet_v2_tablet_pad_leave ../types/tablet_v2/wlr_tablet_v2_pad.c:534
    #3 0x5632593c8370 in handle_pad_tablet_surface_destroy ../sway/input/tablet.c:308
    #4 0x7fa197359f4d in wlr_signal_emit_safe ../util/signal.c:29
    #5 0x7fa197354c49 in surface_handle_resource_destroy ../types/wlr_surface.c:567
    #6 0x7fa19739cd6e  (/usr/lib/libwayland-server.so.0+0x8d6e)
    #7 0x7fa1973a1181  (/usr/lib/libwayland-server.so.0+0xd181)
    #8 0x7fa1973a168e  (/usr/lib/libwayland-server.so.0+0xd68e)
    #9 0x7fa19739ceee in wl_client_destroy (/usr/lib/libwayland-server.so.0+0x8eee)
    #10 0x7fa19739cfca  (/usr/lib/libwayland-server.so.0+0x8fca)
    #11 0x7fa19739e7f1 in wl_event_loop_dispatch (/usr/lib/libwayland-server.so.0+0xa7f1)
    #12 0x7fa19739d39b in wl_display_run (/usr/lib/libwayland-server.so.0+0x939b)
    #13 0x56325937e4bc in server_run ../sway/server.c:205
    #14 0x56325937cc90 in main ../sway/main.c:402
    #15 0x7fa1970d1152 in __libc_start_main (/usr/lib/libc.so.6+0x27152)
    #16 0x56325935d27d in _start (/home/djos/sway/build/sway/sway+0x3b27d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/lib/libwayland-server.so.0+0x7c4f) 
==37892==ABORTING

[kuruczgy]

@jhalmen, you mentioned that my proposed changes fixed this for you. They just got merged (swaywm/wlroots#1882). Can you check if this issue can be closed?

[jhalmen]

it does fix it! Thanks @kuruczgy!