quitting CS:GO crashes sway #5884

Closed
LastLightSith opened this issue Dec 15, 2020 · 4 comments · Fixed by #6620
Labels
bug Not working as intended

Comments


LastLightSith commented Dec 15, 2020

  • Sway Version:

    • sway -v
      sway version 1.5.1
  • Debug Log:

  • Configuration File:
    slightly modified configs (mostly waybar) I took from r/unixporn from here

  • Description:
    I can't always reproduce this. But most of the time when I rage quit by typing quit or exit in console, it happens. Exiting normally by clicking exit button crashes sway less often than typing quit in game console.

steps:-

  1. Start Sway
  2. Start CS:GO
  3. quickly exit the game as soon as you can.
  4. Observe entire session crash

I tested this on kwin_wayland and this does not happen on it.

GPU:- Intel UHD Graphics 620
CPU: Intel i7-8565U
Drivers:- Mesa 20.3.0
OS: ArchLinux

@LastLightSith LastLightSith added the bug Not working as intended label Dec 15, 2020
@emersion
Member

Please provide a stack trace. You can do so by compiling from source, reproducing the crash and then running coredumpctl gdb and then bt full.

Here are some instructions to compile from source: https://github.com/swaywm/sway/wiki/Development-Setup#compiling-as-a-subproject

@LastLightSith
Author

@emersion sorry, coredumpctl gdb command is giving me something about latte-dock and kde stuff.

I compiled sway like this:-

❯ meson -Db_sanitize=address,undefined build/
❯ ninja -C build/

and executed ./build/sway/sway with -d flag and here is something I think is new

=================================================================
==70033==ERROR: AddressSanitizer: heap-use-after-free on address 0x6160000ea408 at pc 0x5638e3ce78ee bp 0x7ffed6ba0150 sp 0x7ffed6ba0140
READ of size 8 at 0x6160000ea408 thread T0
    #0 0x5638e3ce78ed in is_transient_for ../sway/desktop/xwayland.c:328
    #1 0x5638e3cce74e in view_is_transient_for ../sway/tree/view.c:1347
    #2 0x5638e3caf047 in container_is_transient_for ../sway/tree/container.c:1451
    #3 0x5638e3b5cfeb in output_for_each_surface ../sway/desktop/output.c:376
    #4 0x5638e3b5ea75 in send_frame_done ../sway/desktop/output.c:488
    #5 0x5638e3b60f81 in damage_handle_frame ../sway/desktop/output.c:681
    #6 0x7fbca779b6ad in wlr_signal_emit_safe ../subprojects/wlroots/util/signal.c:29
    #7 0x7fbca772de4f in output_handle_frame ../subprojects/wlroots/types/wlr_output_damage.c:56
    #8 0x7fbca779b6ad in wlr_signal_emit_safe ../subprojects/wlroots/util/signal.c:29
    #9 0x7fbca774cae9 in wlr_output_send_frame ../subprojects/wlroots/types/wlr_output.c:680
    #10 0x7fbca7644f03 in surface_frame_callback ../subprojects/wlroots/backend/wayland/output.c:40
    #11 0x7fbca572cacc  (/usr/lib/libffi.so.7+0x6acc)
    #12 0x7fbca572c039  (/usr/lib/libffi.so.7+0x6039)
    #13 0x7fbca5e60e91  (/usr/lib/libwayland-client.so.0+0x9e91)
    #14 0x7fbca5e5d6c0  (/usr/lib/libwayland-client.so.0+0x66c0)
    #15 0x7fbca5e5eccb in wl_display_dispatch_queue_pending (/usr/lib/libwayland-client.so.0+0x7ccb)
    #16 0x7fbca7640c59 in dispatch_events ../subprojects/wlroots/backend/wayland/backend.c:51
    #17 0x7fbca6c57fa9 in wl_event_loop_dispatch (/usr/lib/libwayland-server.so.0+0xafa9)
    #18 0x7fbca6c564e6 in wl_display_run (/usr/lib/libwayland-server.so.0+0x94e6)
    #19 0x5638e3b442b9 in server_run ../sway/server.c:247
    #20 0x5638e3b3fbc4 in main ../sway/main.c:431
    #21 0x7fbca60bc151 in __libc_start_main (/usr/lib/libc.so.6+0x28151)
    #22 0x5638e3b0472d in _start (/home/smit/sway/build/sway/sway+0x33072d)

0x6160000ea408 is located 136 bytes inside of 616-byte region [0x6160000ea380,0x6160000ea5e8)
freed by thread T0 here:
    #0 0x7fbca7d5e0e9 in __interceptor_free /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:123
    #1 0x7fbca77cba98 in xwayland_surface_destroy ../subprojects/wlroots/xwayland/xwm.c:385
    #2 0x7fbca77d3a76 in xwm_handle_destroy_notify ../subprojects/wlroots/xwayland/xwm.c:898
    #3 0x7fbca77daf97 in x11_event_handler ../subprojects/wlroots/xwayland/xwm.c:1459
    #4 0x7fbca6c57fa9 in wl_event_loop_dispatch (/usr/lib/libwayland-server.so.0+0xafa9)

previously allocated by thread T0 here:
    #0 0x7fbca7d5e639 in __interceptor_calloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:154
    #1 0x7fbca77c66eb in xwayland_surface_create ../subprojects/wlroots/xwayland/xwm.c:122
    #2 0x7fbca77d38f6 in xwm_handle_create_notify ../subprojects/wlroots/xwayland/xwm.c:887
    #3 0x7fbca77daf7f in x11_event_handler ../subprojects/wlroots/xwayland/xwm.c:1456
    #4 0x7fbca6c57fa9 in wl_event_loop_dispatch (/usr/lib/libwayland-server.so.0+0xafa9)

SUMMARY: AddressSanitizer: heap-use-after-free ../sway/desktop/xwayland.c:328 in is_transient_for
Shadow bytes around the buggy address:
  0x0c2c80015430: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c80015440: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c80015450: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
  0x0c2c80015460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c80015470: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c2c80015480: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c80015490: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c800154a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c800154b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
  0x0c2c800154c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c800154d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==70033==ABORTING
Gdk-Message: 17:15:31.020: Error reading events from display: Broken pipe
(EE)[2020-12-15 17:15:31.020] [error] Mode: Unable to receive IPC header
 failed to read Wayland events: Broken pipe

full output:- https://pastebin.com/embed_js/z0yrHTbT

@rpigott
Member

rpigott commented May 20, 2021

I guess that means the parent surface has been freed and our surface has a dangling reference to it. Sure looks a lot like 4a1c9a1. I don't understand why it's not already handled by that patch though.

@FuzzyQuils

Reporting in to say I may be getting this bug with Team Fortress 2 as well, as closing that game crashes sway... well, until I decided to try -windowed -noborder in my launch options.

It appears the game doesn't crash sway when windowed in any way, so this may be a good temporary workaround. I am going to try this with Portal and Portal 2 as well to see if it affects them.

It's a great pity I don't understand sway's source code too well, because otherwise I'd take a crack at fixing it myself.

nowrep added a commit to nowrep/sway that referenced this issue Oct 19, 2021
If the destroyed xwayland view is in transaction, it won't
be destroyed immediately. wlr_xwayland_surface then becomes
dangling pointer.

Closes swaywm#6605
Closes swaywm#5884
vyivel pushed a commit that referenced this issue Oct 19, 2021
If the destroyed xwayland view is in transaction, it won't
be destroyed immediately. wlr_xwayland_surface then becomes
dangling pointer.

Closes #6605
Closes #5884
RagnarGrootKoerkamp pushed a commit to RagnarGrootKoerkamp/sway that referenced this issue Mar 29, 2022
If the destroyed xwayland view is in transaction, it won't
be destroyed immediately. wlr_xwayland_surface then becomes
dangling pointer.

Closes swaywm#6605
Closes swaywm#5884
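
The lifetime problem named in the commit message above, as an added example that is not sway's or wlroots' code: a simplified C model in which a view kept alive by a pending transaction drops its borrowed surface pointer in the destroy handler, so a later frame-time query cannot read freed memory. All names here (`xsurface`, `view`, `view_handle_surface_destroy`, `view_is_transient_for`, `scenario_after_destroy`) are hypothetical.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical stand-in for wlr_xwayland_surface: allocated and freed by
 * the Xwayland side, never by the compositor's view. */
struct xsurface { struct xsurface *parent; };

/* Hypothetical view: kept alive by a pending transaction after its surface
 * has been destroyed. */
struct view {
    struct xsurface *surface; /* borrowed; NULL once the surface is gone */
    int txn_refs;             /* pending transaction references */
};

/* Destroy handler: the view may outlive this call, so drop the borrowed
 * pointer before the owner frees the surface. */
static void view_handle_surface_destroy(struct view *v) {
    v->surface = NULL; /* without this, the pointer dangles after free() */
}

/* Frame-time query, the role is_transient_for plays in the trace. */
static bool view_is_transient_for(const struct view *child,
        const struct view *ancestor) {
    if (!child->surface || !ancestor->surface) return false; /* destroyed */
    for (struct xsurface *s = child->surface->parent; s; s = s->parent)
        if (s == ancestor->surface) return true;
    return false;
}

/* Constructed scenario: the child's surface is destroyed while the child
 * view is still referenced by a transaction, then a frame is rendered. */
static bool scenario_after_destroy(void) {
    struct xsurface *ps = calloc(1, sizeof(*ps));
    struct xsurface *cs = calloc(1, sizeof(*cs));
    if (!ps || !cs) { free(ps); free(cs); return false; }
    cs->parent = ps;
    struct view parent = { .surface = ps, .txn_refs = 0 };
    struct view child = { .surface = cs, .txn_refs = 1 };
    bool before = view_is_transient_for(&child, &parent);
    view_handle_surface_destroy(&child);
    free(cs); /* owner frees the surface; the child view still exists */
    bool after = view_is_transient_for(&child, &parent);
    free(ps);
    return before && !after; /* transient before destroy, safely false after */
}

int main(void) { return scenario_after_destroy() ? 0 : 1; }
```

Building this with `-fsanitize=address` and removing the assignment in `view_handle_surface_destroy` produces the same class of report as the trace in this issue.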