Sway crashes when the window is closed while IME is active

Open eternal-sorrow opened this issue 10 months ago • 16 comments

Please fill out the following:

  • Sway Version:

    • sway version 1.10
  • Debug Log:

sway.log

  • Configuration File:
  • Minimal config that I use to reproduce the issue:
bindsym Mod1+F4 kill
bindsym --locked Mod4+Shift+j exec --no-startup-id systemd-cat -t anthywl "$HOME/.local/bin/anthywl.sh"
bindsym Mod4+x exec gedit
exec gedit
  • Stack Trace:
    • Stack trace is slightly different every time, but here is one that I got when I reproduced the issue with minimal config. I'll add some more in the comments, but no debug log for them.
#0  0x00007fa3f8539851 in wlr_scene_node_coords (node=0x91, lx_ptr=lx_ptr@entry=0x7ffd3ed431d0, ly_ptr=ly_ptr@entry=0x7ffd3ed431d4) at ../wlroots-0.18.2/types/scene/wlr_scene.c:1101
#1  0x000055a6ba24f233 in arrange_popups (popups=0x55a6d8b4f0d0) at ../sway-1.10/sway/desktop/transaction.c:617
#2  0x000055a6ba24f64c in arrange_root (root=0x55a6d8b4e8b0) at ../sway-1.10/sway/desktop/transaction.c:687
#3  transaction_progress () at ../sway-1.10/sway/desktop/transaction.c:741
#4  0x000055a6ba24fed7 in transaction_commit_pending () at ../sway-1.10/sway/desktop/transaction.c:861
#5  0x000055a6ba25030a in _transaction_commit_dirty (server_request=server_request@entry=true) at ../sway-1.10/sway/desktop/transaction.c:937
#6  0x000055a6ba25043c in transaction_commit_dirty () at ../sway-1.10/sway/desktop/transaction.c:941
#7  0x000055a6ba27f6b5 in view_unmap (view=view@entry=0x55a6d9f15080) at ../sway-1.10/sway/tree/view.c:923
#8  0x000055a6ba2508bb in handle_unmap (listener=0x55a6d9f15290, data=<optimized out>) at ../sway-1.10/sway/desktop/xdg_shell.c:449
#9  0x00007fa3f85ea38e in wl_signal_emit_mutable (signal=signal@entry=0x55a6d9f37858, data=data@entry=0x0) at ../wayland-1.23.1/src/wayland-server.c:2314
#10 0x00007fa3f8548442 in wlr_surface_unmap (surface=0x55a6d9f37560) at ../wlroots-0.18.2/types/wlr_compositor.c:839
#11 0x00007fa3f85466b6 in destroy_xdg_toplevel (toplevel=0x55a6d9f35780) at ../wlroots-0.18.2/types/xdg_shell/wlr_xdg_toplevel.c:533
#12 0x00007fa3f8544b55 in destroy_xdg_surface_role_object (surface=surface@entry=0x55a6d9e6fc90) at ../wlroots-0.18.2/types/xdg_shell/wlr_xdg_surface.c:457
#13 0x00007fa3f8544b7c in xdg_surface_handle_role_resource_destroy (listener=0x55a6d9e6fdb8, data=<optimized out>) at ../wlroots-0.18.2/types/xdg_shell/wlr_xdg_surface.c:474
#14 0x00007fa3f85eab9f in wl_priv_signal_final_emit (signal=signal@entry=0x55a6d9f6ef80, data=data@entry=0x55a6d9f6ef20) at ../wayland-1.23.1/src/wayland-server.c:2478
#15 0x00007fa3f85eac70 in remove_and_destroy_resource (element=element@entry=0x55a6d9f6ef20, data=data@entry=0x0, flags=0) at ../wayland-1.23.1/src/wayland-server.c:754
#16 0x00007fa3f85eacb1 in wl_resource_destroy (resource=0x55a6d9f6ef20) at ../wayland-1.23.1/src/wayland-server.c:782
#17 0x00007fa3f8545a3a in xdg_toplevel_handle_destroy (client=<optimized out>, resource=<optimized out>) at ../wlroots-0.18.2/types/xdg_shell/wlr_xdg_toplevel.c:426
#18 0x00007fa3f7c91336 in ffi_call_unix64 () at /tmp/portage/dev-libs/libffi-3.4.6-r2/work/libffi-3.4.6/src/x86/unix64.S:104
#19 0x00007fa3f7c90940 in ffi_call_int (cif=cif@entry=0x7ffd3ed43630, fn=fn@entry=0x7fa3f8545a2a <xdg_toplevel_handle_destroy>, rvalue=<optimized out>, rvalue@entry=0x0, avalue=avalue@entry=0x7ffd3ed43700, closure=closure@entry=0x0)
    at /tmp/portage/dev-libs/libffi-3.4.6-r2/work/libffi-3.4.6/src/x86/ffi64.c:676
#20 0x00007fa3f7c90ea4 in ffi_call (cif=cif@entry=0x7ffd3ed43630, fn=<optimized out>, rvalue=rvalue@entry=0x0, avalue=avalue@entry=0x7ffd3ed43700) at /tmp/portage/dev-libs/libffi-3.4.6-r2/work/libffi-3.4.6/src/x86/ffi64.c:713
#21 0x00007fa3f85ee6c9 in wl_closure_invoke (closure=0x55a6d9e66da0, flags=<optimized out>, target=<optimized out>, opcode=0, data=<optimized out>) at ../wayland-1.23.1/src/connection.c:1228
#22 0x00007fa3f85eb00c in wl_client_connection_data (fd=<optimized out>, mask=<optimized out>, data=0x55a6d9f00920) at ../wayland-1.23.1/src/wayland-server.c:444
#23 0x00007fa3f85ebefd in wl_event_source_fd_dispatch (source=<optimized out>, ep=<optimized out>) at ../wayland-1.23.1/src/event-loop.c:113
#24 0x00007fa3f85ecd7f in wl_event_loop_dispatch (loop=0x55a6d8b4e7b0, timeout=<optimized out>, timeout@entry=-1) at ../wayland-1.23.1/src/event-loop.c:1105
#25 0x00007fa3f85eb1e4 in wl_display_run (display=0x55a6d8b4e6c0) at ../wayland-1.23.1/src/wayland-server.c:1530
#26 0x000055a6ba24b185 in server_run (server=server@entry=0x55a6ba2ad4e0 <server>) at ../sway-1.10/sway/server.c:501
#27 0x000055a6ba249fc3 in main (argc=<optimized out>, argv=0x7ffd3ed43c58) at ../sway-1.10/sway/main.c:373
  • Description: Steps to reproduce:
  1. Open any window with an input area. I used Gedit to reproduce, but I had crashes with Firefox too.
  2. Start an IME. I use anthywl.
  3. Input something.
  4. Close the window with a keyboard shortcut. Gedit shows the dialogue "save or not", I click "no save" and then get a sway crash.

eternal-sorrow avatar Jan 23 '25 04:01 eternal-sorrow

I also got this Stack trace with Gedit:

#0  0x00007feb2c9df5a3 in scene_node_get_root (node=node@entry=0x5578fdcc7810) at ../wlroots-0.18.2/types/scene/wlr_scene.c:51
#1  0x00007feb2c9e0ac9 in wlr_scene_node_destroy (node=0x5578fdcc7810) at ../wlroots-0.18.2/types/scene/wlr_scene.c:102
#2  0x00005578f3a86011 in input_popup_set_focus (popup=popup@entry=0x5578fdc553e0, surface=0x5578fdc44f80) at ../sway-1.10/sway/input/text_input.c:376
#3  0x00005578f3a861ef in relay_send_im_state (relay=relay@entry=0x5578fd620720, input=<optimized out>) at ../sway-1.10/sway/input/text_input.c:238
#4  0x00005578f3a86217 in relay_disable_text_input (relay=relay@entry=0x5578fd620720, text_input=text_input@entry=0x5578fdc4e7b0) at ../sway-1.10/sway/input/text_input.c:281
#5  0x00005578f3a86b63 in sway_input_method_relay_set_focus (relay=relay@entry=0x5578fd620720, surface=0x5578fdc00f90) at ../sway-1.10/sway/input/text_input.c:608
#6  0x00005578f3a7f24c in seat_send_focus (node=node@entry=0x5578fdc0a410, seat=seat@entry=0x5578fd620690) at ../sway-1.10/sway/input/seat.c:202
#7  0x00005578f3a7f98d in seat_set_workspace_focus (seat=0x5578fd620690, node=<optimized out>) at ../sway-1.10/sway/input/seat.c:1202
#8  0x00005578f3a7fb08 in seat_set_focus (seat=seat@entry=0x5578fd620690, node=node@entry=0x5578fdc0a410) at ../sway-1.10/sway/input/seat.c:1277
#9  0x00005578f3a802b2 in handle_seat_node_destroy (listener=<optimized out>, data=<optimized out>) at ../sway-1.10/sway/input/seat.c:314
#10 0x00007feb2ca9038e in wl_signal_emit_mutable (signal=signal@entry=0x5578fdc25340, data=data@entry=0x5578fdc25310) at ../wayland-1.23.1/src/wayland-server.c:2314
#11 0x00005578f3aa2f0e in container_begin_destroy (con=0x5578fdc25310) at ../sway-1.10/sway/tree/container.c:535
#12 0x00005578f3aa6672 in view_unmap (view=view@entry=0x5578fdbd17b0) at ../sway-1.10/sway/tree/view.c:895
#13 0x00005578f3a778bb in handle_unmap (listener=0x5578fdbd19c0, data=<optimized out>) at ../sway-1.10/sway/desktop/xdg_shell.c:449
#14 0x00007feb2ca9038e in wl_signal_emit_mutable (signal=signal@entry=0x5578fdc45278, data=data@entry=0x0) at ../wayland-1.23.1/src/wayland-server.c:2314
#15 0x00007feb2c9ee442 in wlr_surface_unmap (surface=0x5578fdc44f80) at ../wlroots-0.18.2/types/wlr_compositor.c:839
#16 0x00007feb2c9ec6b6 in destroy_xdg_toplevel (toplevel=0x5578fdc54d60) at ../wlroots-0.18.2/types/xdg_shell/wlr_xdg_toplevel.c:533
#17 0x00007feb2c9eab55 in destroy_xdg_surface_role_object (surface=surface@entry=0x5578fdbd11b0) at ../wlroots-0.18.2/types/xdg_shell/wlr_xdg_surface.c:457
#18 0x00007feb2c9eab7c in xdg_surface_handle_role_resource_destroy (listener=0x5578fdbd12d8, data=<optimized out>) at ../wlroots-0.18.2/types/xdg_shell/wlr_xdg_surface.c:474
#19 0x00007feb2ca90b9f in wl_priv_signal_final_emit (signal=signal@entry=0x5578fdc54f70, data=data@entry=0x5578fdc54f10) at ../wayland-1.23.1/src/wayland-server.c:2478
#20 0x00007feb2ca90c70 in remove_and_destroy_resource (element=element@entry=0x5578fdc54f10, data=data@entry=0x0, flags=0) at ../wayland-1.23.1/src/wayland-server.c:754
#21 0x00007feb2ca90cb1 in wl_resource_destroy (resource=0x5578fdc54f10) at ../wayland-1.23.1/src/wayland-server.c:782
#22 0x00007feb2c9eba3a in xdg_toplevel_handle_destroy (client=<optimized out>, resource=<optimized out>) at ../wlroots-0.18.2/types/xdg_shell/wlr_xdg_toplevel.c:426
#23 0x00007feb2c137336 in ffi_call_unix64 () at /tmp/portage/dev-libs/libffi-3.4.6-r2/work/libffi-3.4.6/src/x86/unix64.S:104
#24 0x00007feb2c136940 in ffi_call_int (cif=cif@entry=0x7ffc81c3f2e0, fn=fn@entry=0x7feb2c9eba2a <xdg_toplevel_handle_destroy>, rvalue=<optimized out>, rvalue@entry=0x0, avalue=avalue@entry=0x7ffc81c3f3b0, closure=closure@entry=0x0)
    at /tmp/portage/dev-libs/libffi-3.4.6-r2/work/libffi-3.4.6/src/x86/ffi64.c:676
#25 0x00007feb2c136ea4 in ffi_call (cif=cif@entry=0x7ffc81c3f2e0, fn=<optimized out>, rvalue=rvalue@entry=0x0, avalue=avalue@entry=0x7ffc81c3f3b0) at /tmp/portage/dev-libs/libffi-3.4.6-r2/work/libffi-3.4.6/src/x86/ffi64.c:713
#26 0x00007feb2ca946c9 in wl_closure_invoke (closure=0x5578fdc94e00, flags=<optimized out>, target=<optimized out>, opcode=0, data=<optimized out>) at ../wayland-1.23.1/src/connection.c:1228
#27 0x00007feb2ca9100c in wl_client_connection_data (fd=<optimized out>, mask=<optimized out>, data=0x5578fdc46500) at ../wayland-1.23.1/src/wayland-server.c:444
#28 0x00007feb2ca91efd in wl_event_source_fd_dispatch (source=<optimized out>, ep=<optimized out>) at ../wayland-1.23.1/src/event-loop.c:113
#29 0x00007feb2ca92d7f in wl_event_loop_dispatch (loop=0x5578fc820790, timeout=<optimized out>, timeout@entry=-1) at ../wayland-1.23.1/src/event-loop.c:1105
#30 0x00007feb2ca911e4 in wl_display_run (display=0x5578fc8206a0) at ../wayland-1.23.1/src/wayland-server.c:1530
#31 0x00005578f3a72185 in server_run (server=server@entry=0x5578f3ad44e0 <server>) at ../sway-1.10/sway/server.c:501
#32 0x00005578f3a70fc3 in main (argc=<optimized out>, argv=0x7ffc81c3f908) at ../sway-1.10/sway/main.c:373

eternal-sorrow avatar Jan 23 '25 04:01 eternal-sorrow

And this one with Firefox:

#0  0x00007f251cb0d5a3 in scene_node_get_root (node=node@entry=0x561f7068b4b0) at ../wlroots-0.18.2/types/scene/wlr_scene.c:51
#1  0x00007f251cb0eac9 in wlr_scene_node_destroy (node=0x561f7068b4b0) at ../wlroots-0.18.2/types/scene/wlr_scene.c:102
#2  0x0000561f5b59d011 in input_popup_set_focus (popup=popup@entry=0x561f70609880, surface=0x561f704ec9d0) at ../sway-1.10/sway/input/text_input.c:376
#3  0x0000561f5b59d1ef in relay_send_im_state (relay=0x561f6fef4680, input=<optimized out>) at ../sway-1.10/sway/input/text_input.c:238
#4  0x0000561f5b59d458 in handle_text_input_enable (listener=0x561f704af9f0, data=<optimized out>) at ../sway-1.10/sway/input/text_input.c:255
#5  0x00007f251cbbe38e in wl_signal_emit_mutable (signal=signal@entry=0x561f704af968, data=data@entry=0x561f704af8a0) at ../wayland-1.23.1/src/wayland-server.c:2314
#6  0x00007f251cb36ca0 in text_input_commit (client=<optimized out>, resource=<optimized out>) at ../wlroots-0.18.2/types/wlr_text_input_v3.c:189
#7  0x00007f251c265336 in ffi_call_unix64 () at /tmp/portage/dev-libs/libffi-3.4.6-r2/work/libffi-3.4.6/src/x86/unix64.S:104
#8  0x00007f251c264940 in ffi_call_int (cif=cif@entry=0x7ffcada76730, fn=fn@entry=0x7f251cb36bd3 <text_input_commit>, rvalue=<optimized out>, rvalue@entry=0x0, avalue=avalue@entry=0x7ffcada76800, closure=closure@entry=0x0)
    at /tmp/portage/dev-libs/libffi-3.4.6-r2/work/libffi-3.4.6/src/x86/ffi64.c:676
#9  0x00007f251c264ea4 in ffi_call (cif=cif@entry=0x7ffcada76730, fn=<optimized out>, rvalue=rvalue@entry=0x0, avalue=avalue@entry=0x7ffcada76800) at /tmp/portage/dev-libs/libffi-3.4.6-r2/work/libffi-3.4.6/src/x86/ffi64.c:713
#10 0x00007f251cbc26c9 in wl_closure_invoke (closure=0x561f705cc960, flags=<optimized out>, target=<optimized out>, opcode=7, data=<optimized out>) at ../wayland-1.23.1/src/connection.c:1228
#11 0x00007f251cbbf00c in wl_client_connection_data (fd=<optimized out>, mask=<optimized out>, data=0x561f70007f80) at ../wayland-1.23.1/src/wayland-server.c:444
#12 0x00007f251cbbfefd in wl_event_source_fd_dispatch (source=<optimized out>, ep=<optimized out>) at ../wayland-1.23.1/src/event-loop.c:113
#13 0x00007f251cbc0d7f in wl_event_loop_dispatch (loop=0x561f6f0f5790, timeout=<optimized out>, timeout@entry=-1) at ../wayland-1.23.1/src/event-loop.c:1105
#14 0x00007f251cbbf1e4 in wl_display_run (display=0x561f6f0f56a0) at ../wayland-1.23.1/src/wayland-server.c:1530
#15 0x0000561f5b589185 in server_run (server=server@entry=0x561f5b5eb4e0 <server>) at ../sway-1.10/sway/server.c:501
#16 0x0000561f5b587fc3 in main (argc=<optimized out>, argv=0x7ffcada76d58) at ../sway-1.10/sway/main.c:373

eternal-sorrow avatar Jan 23 '25 05:01 eternal-sorrow

Also, I'm not sure if this is related or not, but it is definitely related to IME popups. This one happened when my session got locked while IME was active. When I tried to unlock, I pressed a key on my keyboard and got a crash.

#0  constrain_popup (popup=0x556806b957c0) at ../sway-1.10/sway/input/text_input.c:159
#1  0x00005567f08be42c in handle_im_popup_surface_commit (listener=<optimized out>, data=<optimized out>) at ../sway-1.10/sway/input/text_input.c:468
#2  0x00007f256f99b38e in wl_signal_emit_mutable (signal=signal@entry=0x556806c44458, data=data@entry=0x556806c44180) at ../wayland-1.23.1/src/wayland-server.c:2314
#3  0x00007f256f8facbe in surface_commit_state (surface=surface@entry=0x556806c44180, next=next@entry=0x556806c44300) at ../wlroots-0.18.2/types/wlr_compositor.c:560
#4  0x00007f256f8fb284 in surface_handle_commit (client=<optimized out>, resource=<optimized out>) at ../wlroots-0.18.2/types/wlr_compositor.c:591
#5  0x00007f256f042336 in ffi_call_unix64 () at /tmp/portage/dev-libs/libffi-3.4.6-r2/work/libffi-3.4.6/src/x86/unix64.S:104
#6  0x00007f256f041940 in ffi_call_int (cif=cif@entry=0x7ffc7b50f260, fn=fn@entry=0x7f256f8faed3 <surface_handle_commit>, rvalue=<optimized out>, rvalue@entry=0x0, avalue=avalue@entry=0x7ffc7b50f330, closure=closure@entry=0x0)
    at /tmp/portage/dev-libs/libffi-3.4.6-r2/work/libffi-3.4.6/src/x86/ffi64.c:676
#7  0x00007f256f041ea4 in ffi_call (cif=cif@entry=0x7ffc7b50f260, fn=<optimized out>, rvalue=rvalue@entry=0x0, avalue=avalue@entry=0x7ffc7b50f330) at /tmp/portage/dev-libs/libffi-3.4.6-r2/work/libffi-3.4.6/src/x86/ffi64.c:713
#8  0x00007f256f99f6c9 in wl_closure_invoke (closure=0x556806b48a60, flags=<optimized out>, target=<optimized out>, opcode=6, data=<optimized out>) at ../wayland-1.23.1/src/connection.c:1228
#9  0x00007f256f99c00c in wl_client_connection_data (fd=<optimized out>, mask=<optimized out>, data=0x556806bf8140) at ../wayland-1.23.1/src/wayland-server.c:444
#10 0x00007f256f99cefd in wl_event_source_fd_dispatch (source=<optimized out>, ep=<optimized out>) at ../wayland-1.23.1/src/event-loop.c:113
#11 0x00007f256f99dd7f in wl_event_loop_dispatch (loop=0x55680567c790, timeout=<optimized out>, timeout@entry=-1) at ../wayland-1.23.1/src/event-loop.c:1105
#12 0x00007f256f99c1e4 in wl_display_run (display=0x55680567c6a0) at ../wayland-1.23.1/src/wayland-server.c:1530
#13 0x00005567f08aa185 in server_run (server=server@entry=0x5567f090c4e0 <server>) at ../sway-1.10/sway/server.c:501
#14 0x00005567f08a8fc3 in main (argc=<optimized out>, argv=0x7ffc7b50f888) at ../sway-1.10/sway/main.c:373

eternal-sorrow avatar Jan 23 '25 05:01 eternal-sorrow

In general I think IME popups code is ridden with segfaults and crashes.

eternal-sorrow avatar Jan 23 '25 05:01 eternal-sorrow

I'm pretty sure I've been having occasional crashes like in OP/comment 1/comment 2 for a while but I don't have the coredumps anymore to check.

I now found something that's easy (for me) to consistently crash on master, with fcitx5:

  1. start chromium with --disable-gtk-ime --enable-wayland-ime --wayland-text-input-version=3 in tiled mode.
  2. on the address bar, switch to IM which will keyboard grab when you type (if you don't have one installed, press Ctrl+Alt+Shift+U which performs search by unicode description). Type some keys in the popup window.
  3. press keybinding that switches chromium into floating mode (floating toggle)
  4. press keybinding for kill

It's annoying to debug since I cannot reproduce it in a headless/wayland backend sandbox, only on a spare laptop or my actual desktop session which I don't want to crash with right now. I did run sway with valgrind once on the laptop and the first invalid access was:

log
==9832== Invalid read of size 8
==9832==    at 0x4EE8069: wl_list_insert (wayland-util.c:47)
==9832==    by 0x4EE843F: wl_signal_emit_mutable (wayland-server.c:2302)
==9832==    by 0x4F5FFEF: UnknownInlinedFun (wlr_scene.c:105)
==9832==    by 0x4F5FFEF: wlr_scene_node_destroy (wlr_scene.c:97)
==9832==    by 0x13C4BF: input_popup_set_focus (text_input.c:376)
==9832==    by 0x13C6DF: relay_send_im_state (text_input.c:238)
==9832==    by 0x4EE847D: wl_signal_emit_mutable (wayland-server.c:2314)
==9832==    by 0x58F9595: ffi_call_unix64 (unix64.S:104)
==9832==    by 0x58F600D: ffi_call_int.lto_priv.0 (ffi64.c:673)
==9832==    by 0x58F8BD2: ffi_call (ffi64.c:710)
==9832==    by 0x4EE6E84: wl_closure_invoke.constprop.0 (connection.c:1228)
==9832==    by 0x4EEBD21: wl_client_connection_data (wayland-server.c:444)
==9832==    by 0x4EEA111: wl_event_loop_dispatch (event-loop.c:1105)
==9832==  Address 0x7912868 is 56 bytes inside a block of size 128 free'd
==9832==    at 0x48478EF: free (vg_replace_malloc.c:989)
==9832==    by 0x4F600C4: UnknownInlinedFun (wlr_scene.c:155)
==9832==    by 0x4F600C4: wlr_scene_node_destroy (wlr_scene.c:97)
==9832==    by 0x167580: UnknownInlinedFun (view.c:83)
==9832==    by 0x167580: view_destroy (view.c:66)
==9832==    by 0x4EE847D: wl_signal_emit_mutable (wayland-server.c:2314)
==9832==    by 0x4F6C1A2: UnknownInlinedFun (wlr_xdg_toplevel.c:526)
==9832==    by 0x4F6C1A2: destroy_xdg_surface_role_object (wlr_xdg_surface.c:489)
==9832==    by 0x4F6C43B: xdg_surface_handle_role_resource_destroy (wlr_xdg_surface.c:506)
==9832==    by 0x4EEAB9F: UnknownInlinedFun (wayland-server.c:2478)
==9832==    by 0x4EEAB9F: remove_and_destroy_resource (wayland-server.c:754)
==9832==    by 0x58F9595: ffi_call_unix64 (unix64.S:104)
==9832==    by 0x58F600D: ffi_call_int.lto_priv.0 (ffi64.c:673)
==9832==    by 0x58F8BD2: ffi_call (ffi64.c:710)
==9832==    by 0x4EE6E84: wl_closure_invoke.constprop.0 (connection.c:1228)
==9832==    by 0x4EEBD21: wl_client_connection_data (wayland-server.c:444)
==9832==  Block was alloc'd at
==9832==    at 0x484BC13: calloc (vg_replace_malloc.c:1675)
==9832==    by 0x4F5D2C2: wlr_scene_tree_create (wlr_scene.c:204)
==9832==    by 0x13C52F: input_popup_set_focus (text_input.c:414)
==9832==    by 0x13C6DF: relay_send_im_state (text_input.c:238)
==9832==    by 0x13FC2C: UnknownInlinedFun (text_input.c:281)
==9832==    by 0x13FC2C: sway_input_method_relay_set_focus (text_input.c:608)
==9832==    by 0x1744DC: seat_send_focus.part.0.isra.0 (seat.c:202)
==9832==    by 0x1340CF: UnknownInlinedFun (seat.c:1222)
==9832==    by 0x1340CF: seat_set_workspace_focus (seat.c:1198)
==9832==    by 0x13449F: seat_set_focus (seat.c:1271)
==9832==    by 0x4EE847D: wl_signal_emit_mutable (wayland-server.c:2314)
==9832==    by 0x163F2E: container_begin_destroy (container.c:537)
==9832==    by 0x16A305: view_unmap (view.c:924)
==9832==    by 0x12861B: handle_unmap.lto_priv.1 (xdg_shell.c:448)
After around 20 more invalid accesses near the same location it segfaults.

layercak3 avatar Jan 28 '25 06:01 layercak3

Reproduced in 1.10.1:

#0  0x00007ff238d93851 in wlr_scene_node_coords (node=0x91, lx_ptr=lx_ptr@entry=0x7ffcab0022b0, ly_ptr=ly_ptr@entry=0x7ffcab0022b4) at ../wlroots-0.18.2/types/scene/wlr_scene.c:1101
#1  0x0000564ab18f93b3 in arrange_popups (popups=0x564ac74400b0) at ../sway-1.10.1/sway/desktop/transaction.c:618
#2  0x0000564ab18f6dd9 in arrange_layers (output=0x564ac853d4e0) at ../sway-1.10.1/sway/desktop/layer_shell.c:100
#3  0x0000564ab18f7162 in handle_surface_commit (listener=0x564ac83468d0, data=<optimized out>) at ../sway-1.10.1/sway/desktop/layer_shell.c:286
#4  0x00007ff238e4438e in wl_signal_emit_mutable (signal=signal@entry=0x564ac884aef8, data=data@entry=0x564ac884ac20) at ../wayland-1.23.1/src/wayland-server.c:2314
#5  0x00007ff238da3cbe in surface_commit_state (surface=surface@entry=0x564ac884ac20, next=next@entry=0x564ac884ada0) at ../wlroots-0.18.2/types/wlr_compositor.c:560
#6  0x00007ff238da4284 in surface_handle_commit (client=<optimized out>, resource=<optimized out>) at ../wlroots-0.18.2/types/wlr_compositor.c:591
#7  0x00007ff2384eb336 in ffi_call_unix64 () at /tmp/portage/dev-libs/libffi-3.4.6-r2/work/libffi-3.4.6/src/x86/unix64.S:104
#8  0x00007ff2384ea940 in ffi_call_int (cif=cif@entry=0x7ffcab002630, fn=fn@entry=0x7ff238da3ed3 <surface_handle_commit>, rvalue=<optimized out>, rvalue@entry=0x0, avalue=avalue@entry=0x7ffcab002700, closure=closure@entry=0x0)
    at /tmp/portage/dev-libs/libffi-3.4.6-r2/work/libffi-3.4.6/src/x86/ffi64.c:676
#9  0x00007ff2384eaea4 in ffi_call (cif=cif@entry=0x7ffcab002630, fn=<optimized out>, rvalue=rvalue@entry=0x0, avalue=avalue@entry=0x7ffcab002700) at /tmp/portage/dev-libs/libffi-3.4.6-r2/work/libffi-3.4.6/src/x86/ffi64.c:713
#10 0x00007ff238e486c9 in wl_closure_invoke (closure=0x564ac87771f0, flags=<optimized out>, target=<optimized out>, opcode=6, data=<optimized out>) at ../wayland-1.23.1/src/connection.c:1228
#11 0x00007ff238e4500c in wl_client_connection_data (fd=<optimized out>, mask=<optimized out>, data=0x564ac8897660) at ../wayland-1.23.1/src/wayland-server.c:444
#12 0x00007ff238e45efd in wl_event_source_fd_dispatch (source=<optimized out>, ep=<optimized out>) at ../wayland-1.23.1/src/event-loop.c:113
#13 0x00007ff238e46d7f in wl_event_loop_dispatch (loop=0x564ac743f790, timeout=<optimized out>, timeout@entry=-1) at ../wayland-1.23.1/src/event-loop.c:1105
#14 0x00007ff238e451e4 in wl_display_run (display=0x564ac743f6a0) at ../wayland-1.23.1/src/wayland-server.c:1530
#15 0x0000564ab18f51c5 in server_run (server=server@entry=0x564ab19574c0 <server>) at ../sway-1.10.1/sway/server.c:501
#16 0x0000564ab18f4008 in main (argc=<optimized out>, argv=0x7ffcab002c58) at ../sway-1.10.1/sway/main.c:374

eternal-sorrow avatar Jan 28 '25 06:01 eternal-sorrow

> I cannot reproduce it in a headless/wayland backend sandbox

I can get it to reproduce now. I needed to start foot first then chromium. It doesn't reproduce if chromium is the only program in the workspace. This is also with fcitx5 6af78b6 (August 2024), I had unrelated issues with newer versions where it would get sway into sending clients keymap format no_keymap instead of xkb_v1 (which caused some clients to fail asserts).

WLR_RENDERER=pixman WLR_RENDERER_FORCE_SOFTWARE=1 WLR_BACKENDS=wayland sway -c ./config &
WAYLAND_DISPLAY=wayland-2 fcitx5 &
WAYLAND_DISPLAY=wayland-2 foot &
WAYLAND_DISPLAY=wayland-2 chromium --ozone-platform=wayland --gtk-version=4 --disable-gtk-ime --enable-wayland-ime --wayland-text-input-version=3 &
# press Ctrl+Alt+Shift+u to open "type to search unicode by code or description" menu
# press 'a'
# press F9 (floating toggle)
# press F10 (kill)
# segfault

config:

bindsym F9 floating toggle
bindsym F10 kill
example backtrace
(gdb) bt
#0  0x000079036bc00013 in scene_node_get_root (node=0x64f7205f8a90) at ../wlroots/types/scene/wlr_scene.c:59
#1  wlr_scene_node_destroy (node=0x64f7205f8a90) at ../wlroots/types/scene/wlr_scene.c:110
#2  wlr_scene_node_destroy (node=0x64f7205f8a90) at ../wlroots/types/scene/wlr_scene.c:97
#3  0x000064f6fb3af4c0 in input_popup_set_focus (popup=popup@entry=0x64f7205c9f20, surface=0x64f7204a5a50)
    at ../sway/sway/input/text_input.c:376
#4  0x000064f6fb3af6e0 in relay_send_im_state (relay=0x64f71fe060b0, input=<optimized out>) at ../sway/sway/input/text_input.c:238
#5  0x000079036bcc647e in wl_signal_emit_mutable (signal=<optimized out>, data=0x64f7204a4eb0)
    at ../wayland-1.23.1/src/wayland-server.c:2314
#6  0x000079036b2bc596 in ffi_call_unix64 () at ../src/x86/unix64.S:104
#7  0x000079036b2b900e in ffi_call_int (cif=cif@entry=0x7ffee680c960, fn=<optimized out>, rvalue=<optimized out>, avalue=<optimized out>, 
    closure=closure@entry=0x0) at ../src/x86/ffi64.c:673
#8  0x000079036b2bbbd3 in ffi_call (cif=cif@entry=0x7ffee680c960, fn=<optimized out>, rvalue=rvalue@entry=0x0, 
    avalue=avalue@entry=0x7ffee680ca30) at ../src/x86/ffi64.c:710
#9  0x000079036bcc4e85 in wl_closure_invoke (closure=closure@entry=0x64f720571c50, target=<optimized out>, target@entry=0x64f7204a4e20, 
    opcode=opcode@entry=7, data=<optimized out>, data@entry=0x64f7203656d0, flags=2) at ../wayland-1.23.1/src/connection.c:1228
#10 0x000079036bcc9d22 in wl_client_connection_data (fd=<optimized out>, mask=<optimized out>, data=0x64f7203656d0)
    at ../wayland-1.23.1/src/wayland-server.c:444
#11 0x000079036bcc8112 in wl_event_loop_dispatch (loop=0x64f71f0d9840, timeout=<optimized out>, timeout@entry=-1)
    at ../wayland-1.23.1/src/event-loop.c:1105
#12 0x000079036bcca1f7 in wl_display_run (display=0x64f71f0d9750) at ../wayland-1.23.1/src/wayland-server.c:1530
#13 0x000064f6fb38ae56 in server_run (server=<optimized out>) at ../sway/sway/server.c:514
#14 main (argc=3, argv=0x7ffee680d188) at ../sway/sway/main.c:374

layercak3 avatar Jan 28 '25 08:01 layercak3

Here is one definitely linked to the IME popups, as evidenced by input_popup_set_focus being present in the stacktrace. It happened when I tried to close a fullscreen window of another app. The popup wasn't even open and all I did was click on a "close" button.

#0  0x00007f84e102d951 in wl_list_insert (list=list@entry=0x558d8ae441d0, elm=elm@entry=0x7fff529f72d0) at ../wayland-1.23.1/src/wayland-util.c:50
#1  0x00007f84e1028344 in wl_signal_emit_mutable (signal=signal@entry=0x558d8ae441d0, data=data@entry=0x0) at ../wayland-1.23.1/src/wayland-server.c:2302
#2  0x00007f84e0f78aab in wlr_scene_node_destroy (node=0x558d8ae441a0) at ../wlroots-0.18.2/types/scene/wlr_scene.c:97
#3  0x0000558d5e009191 in input_popup_set_focus (popup=popup@entry=0x558d8ab13e00, surface=0x558d8abbf2f0) at ../sway-1.10.1/sway/input/text_input.c:376
#4  0x0000558d5e00936f in relay_send_im_state (relay=0x558d8a5ccd70, input=<optimized out>) at ../sway-1.10.1/sway/input/text_input.c:238
#5  0x0000558d5e0095d8 in handle_text_input_enable (listener=0x558d8abc23e0, data=<optimized out>) at ../sway-1.10.1/sway/input/text_input.c:255
#6  0x00007f84e102838e in wl_signal_emit_mutable (signal=signal@entry=0x558d8aafe428, data=data@entry=0x558d8aafe360) at ../wayland-1.23.1/src/wayland-server.c:2314
#7  0x00007f84e0fa0ca0 in text_input_commit (client=<optimized out>, resource=<optimized out>) at ../wlroots-0.18.2/types/wlr_text_input_v3.c:189
#8  0x00007f84e06ca336 in ffi_call_unix64 () at /tmp/portage/dev-libs/libffi-3.4.6-r2/work/libffi-3.4.6/src/x86/unix64.S:104
#9  0x00007f84e06c9940 in ffi_call_int (cif=cif@entry=0x7fff529f7610, fn=fn@entry=0x7f84e0fa0bd3 <text_input_commit>, rvalue=<optimized out>, rvalue@entry=0x0, avalue=avalue@entry=0x7fff529f76e0, closure=closure@entry=0x0)
    at /tmp/portage/dev-libs/libffi-3.4.6-r2/work/libffi-3.4.6/src/x86/ffi64.c:676
#10 0x00007f84e06c9ea4 in ffi_call (cif=cif@entry=0x7fff529f7610, fn=<optimized out>, rvalue=rvalue@entry=0x0, avalue=avalue@entry=0x7fff529f76e0) at /tmp/portage/dev-libs/libffi-3.4.6-r2/work/libffi-3.4.6/src/x86/ffi64.c:713
#11 0x00007f84e102c6c9 in wl_closure_invoke (closure=0x558d8ab3ae20, flags=<optimized out>, target=<optimized out>, opcode=7, data=<optimized out>) at ../wayland-1.23.1/src/connection.c:1228
#12 0x00007f84e102900c in wl_client_connection_data (fd=<optimized out>, mask=<optimized out>, data=0x558d8aae2690) at ../wayland-1.23.1/src/wayland-server.c:444
#13 0x00007f84e1029efd in wl_event_source_fd_dispatch (source=<optimized out>, ep=<optimized out>) at ../wayland-1.23.1/src/event-loop.c:113
#14 0x00007f84e102ad7f in wl_event_loop_dispatch (loop=0x558d896f4790, timeout=<optimized out>, timeout@entry=-1) at ../wayland-1.23.1/src/event-loop.c:1105
#15 0x00007f84e10291e4 in wl_display_run (display=0x558d896f46a0) at ../wayland-1.23.1/src/wayland-server.c:1530
#16 0x0000558d5dff51c5 in server_run (server=server@entry=0x558d5e0574c0 <server>) at ../sway-1.10.1/sway/server.c:501
#17 0x0000558d5dff4008 in main (argc=<optimized out>, argv=0x7fff529f7c38) at ../sway-1.10.1/sway/main.c:374

eternal-sorrow avatar Feb 14 '25 10:02 eternal-sorrow

Just got another one, stacktrace identical to the previous. This time Pinentry window opened, I started typing the password in, not noticing that IME is enabled, then changed my mind, pressed Escape to close the Pinentry window, sway crashed.

eternal-sorrow avatar Feb 21 '25 10:02 eternal-sorrow

Got the same stacktrace as https://github.com/swaywm/sway/issues/8541#issuecomment-2608863155. This time I started a game from Steam, pressed a key in the game window, Sway crashed. The IME was probably active.

eternal-sorrow avatar Feb 24 '25 12:02 eternal-sorrow

@Decodetalkers, you added the original implementation of IME popups, can you please look at this? Right now I have to make a script to kill the anthywl process when I switch windows to avoid these crashes. I found that with VScode specifically this crash https://github.com/swaywm/sway/issues/8541#issuecomment-2608863155 happens always 100% of times whenever I try to type anything if the IME is active.

eternal-sorrow avatar Feb 26 '25 17:02 eternal-sorrow

> @Decodetalkers, you added the original implementation of IME popups, can you please look at this? Right now I have to make a script to kill the anthywl process when I switch windows to avoid these crashes. I found that with VScode specifically this crash https://github.com/swaywm/sway/issues/8541#issuecomment-2608863155 happens always 100% of times whenever I try to type anything if the IME is active.

Ok, I will try to look into it.

Decodetalkers avatar Feb 27 '25 02:02 Decodetalkers

I think it is because the wlr_scene_tree is destroyed but the wlr_scene_node is still alive, then wl_container_of tried to find the scene_tree, and finally it found an invalid ptr, which caused the coredump.

Maybe the problem is in the logic of the logic to call the hot key.. I think. Maybe that place the scene is not properly handled

Image

And the logic went into line 56 in wlr_scene.c, which caused the code to get an invalid ptr

Image

Decodetalkers avatar Feb 27 '25 13:02 Decodetalkers

@Nefsen402 Can you take a look at this issue? It seems to be quite a serious bug, and I cannot find the clue

Decodetalkers avatar Mar 22 '25 02:03 Decodetalkers

Looks like a double free. From the stack trace in @Decodetalkers's screenshot, we might be calling wlr_scene_node_destroy() of a descendant of another scene node that was destroyed. (All scene node children will be destroyed if the parent is destroyed)

So, guessing from what I see:

  1. The window closes, wlr_scene_node_destroy() is called on the scene that renders the window.
  2. The IME popup had a descendant on something destroyed by the window close, and when it tries to clean up, it crashes.

The typical solution to this problem is to set the scene node that gets freed (as a descendant) to NULL, so that a normal destroy path can be used without crashing on an invalid pointer.

Nefsen402 avatar Mar 23 '25 06:03 Nefsen402
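
A simplified model of the fix described in the comment above, as an added example that is not part of the thread and is not sway or wlroots code: a toy scene tree in which destroying a parent frees its descendants, and a popup that clears its cached pointer from a destroy hook so the later cleanup becomes a no-op instead of a second free. All names here (`struct node`, `struct popup`, `popup_set_focus`, `live_nodes`) are hypothetical stand-ins.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Toy stand-in for a scene node: parent/child links plus one destroy hook. */
struct node;
typedef void (*destroy_cb)(struct node *node, void *data);

struct node {
    struct node *parent;
    struct node *first_child;
    struct node *next_sibling;
    destroy_cb on_destroy;      /* plays the role of a destroy-signal listener */
    void *on_destroy_data;
};

static int live_nodes;          /* bookkeeping: allocated minus freed nodes */

struct node *node_create(struct node *parent) {
    struct node *n = calloc(1, sizeof(*n));
    if (!n) return NULL;
    n->parent = parent;
    if (parent) {
        n->next_sibling = parent->first_child;
        parent->first_child = n;
    }
    live_nodes++;
    return n;
}

static void unlink_from_parent(struct node *n) {
    if (!n->parent) return;
    struct node **pp = &n->parent->first_child;
    while (*pp && *pp != n) pp = &(*pp)->next_sibling;
    if (*pp) *pp = n->next_sibling;
    n->parent = NULL;
}

/* Destroying a node also destroys every descendant, as in the thread. */
void node_destroy(struct node *n) {
    if (!n) return;             /* NULL is a no-op: this is what the fix relies on */
    if (n->on_destroy) n->on_destroy(n, n->on_destroy_data);
    unlink_from_parent(n);
    while (n->first_child) node_destroy(n->first_child);
    free(n);
    live_nodes--;
}

/* The popup caches a pointer to a node that lives under the focused window. */
struct popup {
    struct node *tree;
};

/* Runs whenever the cached node dies, including as a descendant of a closing
 * window. Without this hook, popup->tree would dangle after the window goes. */
static void popup_handle_tree_destroy(struct node *node, void *data) {
    struct popup *p = data;
    if (p->tree == node) p->tree = NULL;
}

/* Move the popup under a new window: drop the old node, create a new one. */
bool popup_set_focus(struct popup *p, struct node *window) {
    node_destroy(p->tree);      /* already NULL if the old window took it down */
    p->tree = NULL;
    if (!window) return true;
    p->tree = node_create(window);
    if (!p->tree) return false;
    p->tree->on_destroy = popup_handle_tree_destroy;
    p->tree->on_destroy_data = p;
    return true;
}

/* Constructed scenario: close the focused window, then refocus the popup.
 * Returns 0 when no stale pointer survives and every node is freed once. */
int demo_close_then_refocus(void) {
    struct popup p = { .tree = NULL };
    struct node *root = node_create(NULL);
    struct node *win_a = node_create(root);
    struct node *win_b = node_create(root);
    if (!root || !win_a || !win_b) return -1;

    if (!popup_set_focus(&p, win_a)) return -1;
    node_destroy(win_a);                    /* frees the popup node as a child */
    if (p.tree != NULL) return 1;           /* hook must have cleared it */

    if (!popup_set_focus(&p, win_b)) return -1;   /* old pointer is NULL: no-op */
    if (p.tree == NULL || p.tree->parent != win_b) return 2;

    node_destroy(root);                     /* tears down win_b and the popup node */
    if (p.tree != NULL) return 3;
    return live_nodes == 0 ? 0 : 4;
}

int main(void) {
    return demo_close_then_refocus();
}
```

Removing the two lines that install `popup_handle_tree_destroy` turns the second `popup_set_focus` call into a destroy of freed memory, which is the pattern Nefsen402 suspects.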

I am getting this crash consistently with anthywl and fuzzel on both sway master and v1.10.1.

Edit: This stacktrace doesn't look like the others, should I open a new issue?

Configuration

include /etc/sway/config
exec anthywl
bindsym MOD4+d exec fuzzel

Reproduction

  • Start sway with above config
  • Open a terminal
  • Open fuzzel with Super+d
  • Type anything
  • See crash

Log

sway-crash.log

Backtrace

#0  0x000055cfcfb8d385 in constrain_popup ()
#1  0x00007f28360b930e in wl_signal_emit_mutable () at /lib64/libwayland-server.so.0
#2  0x00007f2835ffbe2c in surface_commit_state () at /lib64/libwlroots-0.18.so
#3  0x00007f2835698056 in ffi_call_unix64 () at /lib64/libffi.so.8
#4  0x00007f2835693d08 in ffi_call_int.lto_priv () at /lib64/libffi.so.8
#5  0x00007f283569670e in ffi_call () at /lib64/libffi.so.8
#6  0x00007f28360b7e07 in wl_closure_invoke.constprop () at /lib64/libwayland-server.so.0
#7  0x00007f28360bca23 in wl_client_connection_data () at /lib64/libwayland-server.so.0
#8  0x00007f28360bae12 in wl_event_loop_dispatch () at /lib64/libwayland-server.so.0
#9  0x00007f28360bced5 in wl_display_run () at /lib64/libwayland-server.so.0
#10 0x000055cfcfb678f9 in main ()

raiguard avatar May 14 '25 17:05 raiguard

> I am getting this crash consistently with anthywl and fuzzel on both sway master and v1.10.1.

I am getting this same trace in v1.11 (with fcitx5 though) and also wondering if we should create a new issue.

jessesung avatar Jun 19 '25 12:06 jessesung

Been running into this bug a lot. If there is something I can do to accelerate a fix here, I'm open to it.

tmathews avatar Sep 01 '25 16:09 tmathews

I just had it happen again when closing a window, but I cannot consistently reproduce that. I can consistently reproduce the constrain_popup crash though.

This is actively impeding my work, so I would really appreciate it if someone could look into this!

Reproduction:

  • Start sway with default config
  • Open foot with Super+Return
  • Start anthywl
  • Enable input mode in anthywl (I have it bound to Ctrl+Shift+Backspace)
  • Open wmenu-run with Super+d
  • Try to type something
  • Observe crash

sway-crash.log

https://github.com/user-attachments/assets/2849233c-4e59-4658-b2a8-4d686ecfffae

raiguard avatar Oct 13 '25 20:10 raiguard