wayfire
wayfire copied to clipboard
WayfireWM
Wayfire Crashes When Interacting with Floating Gtk Popup
This issue arises with a Gtk Popup Creation : When a volume slider is adjusted through mouse scroll in waypanel, a new layer surface (popup) is created to display the volume slider, this popup set layershell margin based on cursor position
Popup Destruction : If the user dismisses the popup (e.g., by clicking outside or releasing the volume control), the layer surface is destroyed.
The popup is dismissed while the volume slider is still updating. The LayerShell API attempts to adjust the popup's position after it has been destroyed.
EE 12-04-25 00:10:23.853 - [types/wlr_layer_shell_v1.c:296] A configure is sent to an uninitialized wlr_layer_surface_v1 0x5120000fe140
EE 12-04-25 00:10:23.853 - [src/view/layer-shell/layer-shell.cpp:632] layer-surface has calculated width and height < 0
=================================================================
==140543==ERROR: AddressSanitizer: heap-use-after-free on address 0x51600029b880 at pc 0x5f5482acd74c bp 0x7ffe2c6b4b10 sp 0x7ffe2c6b4b00
READ of size 8 at 0x51600029b880 thread T0
#0 0x5f5482acd74b in wayfire_layer_shell_view::configure(wlr_box) ../src/view/layer-shell/layer-shell.cpp:638
#1 0x5f5482adad88 in wf_layer_shell_manager::pin_view(wayfire_layer_shell_view*, wlr_box) ../src/view/layer-shell/layer-shell.cpp:314
#2 0x5f5482adc4b4 in wf_layer_shell_manager::arrange_unmapped_view(wayfire_layer_shell_view*) ../src/view/layer-shell/layer-shell.cpp:355
#3 0x5f5482ac10cf in operator() ../src/view/layer-shell/layer-shell.cpp:415
#4 0x5f5482ad2d64 in __invoke_impl<void, wayfire_layer_shell_view::wayfire_layer_shell_view(wlr_layer_surface_v1*)::<lambda(void*)>&, void*> /usr/include/c++/14.2.1/bits/invoke.h:61
#5 0x5f5482ad1cc7 in __invoke_r<void, wayfire_layer_shell_view::wayfire_layer_shell_view(wlr_layer_surface_v1*)::<lambda(void*)>&, void*> /usr/include/c++/14.2.1/bits/invoke.h:111
#6 0x5f5482ad0688 in _M_invoke /usr/include/c++/14.2.1/bits/std_function.h:290
#7 0x5f54823b2fc8 in std::function<void (void*)>::operator()(void*) const /usr/include/c++/14.2.1/bits/std_function.h:591
#8 0x5f54823b052f in wf::wl_listener_wrapper::emit(void*) ../src/wl-listener-wrapper.tpp:57
#9 0x5f54823aff16 in handle_wrapped_listener ../src/wl-listener-wrapper.tpp:10
#10 0x7e8d67ca255d in wl_signal_emit_mutable (/usr/lib/libwayland-server.so.0+0x855d) (BuildId: 4e2b07d107615e7827f73c05ac1fb98b592b8e0d)
#11 0x7e8d67bf18f7 (/usr/lib/libwlroots-0.18.so+0x878f7) (BuildId: b5766d0294a489ffc3c0cdc2c27d03b64467b610)
#12 0x7e8d6732943d (/usr/lib/libffi.so.8+0x843d) (BuildId: 12353781b24e5125f8a82e1eeb363ff354b9e9ca)
#13 0x7e8d673252a4 (/usr/lib/libffi.so.8+0x42a4) (BuildId: 12353781b24e5125f8a82e1eeb363ff354b9e9ca)
#14 0x7e8d6732880d in ffi_call (/usr/lib/libffi.so.8+0x780d) (BuildId: 12353781b24e5125f8a82e1eeb363ff354b9e9ca)
#15 0x7e8d67ca0c76 (/usr/lib/libwayland-server.so.0+0x6c76) (BuildId: 4e2b07d107615e7827f73c05ac1fb98b592b8e0d)
#16 0x7e8d67ca6604 (/usr/lib/libwayland-server.so.0+0xc604) (BuildId: 4e2b07d107615e7827f73c05ac1fb98b592b8e0d)
#17 0x7e8d67ca4589 in wl_event_loop_dispatch (/usr/lib/libwayland-server.so.0+0xa589) (BuildId: 4e2b07d107615e7827f73c05ac1fb98b592b8e0d)
#18 0x7e8d67ca6ac6 in wl_display_run (/usr/lib/libwayland-server.so.0+0xcac6) (BuildId: 4e2b07d107615e7827f73c05ac1fb98b592b8e0d)
#19 0x5f5482382319 in main ../src/main.cpp:479
#20 0x7e8d65c278cd (/usr/lib/libc.so.6+0x278cd) (BuildId: 6cb3848fe8b7e02ffe7b4d9db1cffb88b14b0659)
#21 0x7e8d65c27989 in __libc_start_main (/usr/lib/libc.so.6+0x27989) (BuildId: 6cb3848fe8b7e02ffe7b4d9db1cffb88b14b0659)
#22 0x5f5482375a64 in _start (/usr/bin/wayfire+0x1a18a64) (BuildId: 6967754355abc0ea0b6ce4f9cda6b36e673e4bd2)
0x51600029b880 is located 0 bytes inside of 552-byte region [0x51600029b880,0x51600029baa8)
freed by thread T0 here:
#0 0x7e8d67557cf2 in operator delete(void*, unsigned long) /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_new_delete.cpp:164
#1 0x5f5482af522a in wayfire_layer_shell_view::~wayfire_layer_shell_view() ../src/view/layer-shell/layer-shell.cpp:66
#2 0x5f54826e17d3 in wf::tracking_allocator_t<wf::view_interface_t>::deallocate_object(wf::view_interface_t*) ../src/api/wayfire/nonstd/tracking-allocator.hpp:71
#3 0x5f5482af4a21 in void std::__invoke_impl<void, void (wf::tracking_allocator_t<wf::view_interface_t>::*&)(wf::view_interface_t*), wf::tracking_allocator_t<wf::view_interface_t>*&, wayfire_layer_shell_view*&>(std::__invoke_memfun_deref, void (wf::tracking_allocator_t<wf::view_interface_t>::*&)(wf::view_interface_t*), wf::tracking_allocator_t<wf::view_interface_t>*&, wayfire_layer_shell_view*&) /usr/include/c++/14.2.1/bits/invoke.h:74
#4 0x5f5482af45bd in std::__invoke_result<void (wf::tracking_allocator_t<wf::view_interface_t>::*&)(wf::view_interface_t*), wf::tracking_allocator_t<wf::view_interface_t>*&, wayfire_layer_shell_view*&>::type std::__invoke<void (wf::tracking_allocator_t<wf::view_interface_t>::*&)(wf::view_interface_t*), wf::tracking_allocator_t<wf::view_interface_t>*&, wayfire_layer_shell_view*&>(void (wf::tracking_allocator_t<wf::view_interface_t>::*&)(wf::view_interface_t*), wf::tracking_allocator_t<wf::view_interface_t>*&, wayfire_layer_shell_view*&) /usr/include/c++/14.2.1/bits/invoke.h:96
#5 0x5f5482af3b25 in void std::_Bind<void (wf::tracking_allocator_t<wf::view_interface_t>::*(wf::tracking_allocator_t<wf::view_interface_t>*, std::_Placeholder<1>))(wf::view_interface_t*)>::__call<void, wayfire_layer_shell_view*&, 0ul, 1ul>(std::tuple<wayfire_layer_shell_view*&>&&, std::_Index_tuple<0ul, 1ul>) /usr/include/c++/14.2.1/functional:513
#6 0x5f5482af29d7 in void std::_Bind<void (wf::tracking_allocator_t<wf::view_interface_t>::*(wf::tracking_allocator_t<wf::view_interface_t>*, std::_Placeholder<1>))(wf::view_interface_t*)>::operator()<wayfire_layer_shell_view*&, void>(wayfire_layer_shell_view*&) /usr/include/c++/14.2.1/functional:598
#7 0x5f5482af5557 in std::_Sp_counted_deleter<wayfire_layer_shell_view*, std::_Bind<void (wf::tracking_allocator_t<wf::view_interface_t>::*(wf::tracking_allocator_t<wf::view_interface_t>*, std::_Placeholder<1>))(wf::view_interface_t*)>, std::allocator<void>, (__gnu_cxx::_Lock_policy)2>::_M_dispose() /usr/include/c++/14.2.1/bits/shared_ptr_base.h:527
#8 0x5f54823ab398 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release_last_use() /usr/include/c++/14.2.1/bits/shared_ptr_base.h:175
#9 0x5f54823a7c6d in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release_last_use_cold() /usr/include/c++/14.2.1/bits/shared_ptr_base.h:199
#10 0x5f54823a6e4f in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /usr/include/c++/14.2.1/bits/shared_ptr_base.h:353
#11 0x5f54823a86fd in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() /usr/include/c++/14.2.1/bits/shared_ptr_base.h:1069
#12 0x5f5482adcf5d in std::__shared_ptr<wayfire_layer_shell_view, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() /usr/include/c++/14.2.1/bits/shared_ptr_base.h:1525
#13 0x5f5482adcfcb in std::shared_ptr<wayfire_layer_shell_view>::~shared_ptr() /usr/include/c++/14.2.1/bits/shared_ptr.h:175
#14 0x5f5482add947 in layer_shell_view_controller_t::~layer_shell_view_controller_t() ../src/view/layer-shell/layer-shell.cpp:675
#15 0x5f5482add066 in auto layer_shell_view_controller_t::layer_shell_view_controller_t(wlr_layer_surface_v1*)::{lambda(auto:1)#1}::operator()<void*>(void*) const ../src/view/layer-shell/layer-shell.cpp:667
#16 0x5f5482aee064 in void std::__invoke_impl<void, layer_shell_view_controller_t::layer_shell_view_controller_t(wlr_layer_surface_v1*)::{lambda(auto:1)#1}&, void*>(std::__invoke_other, layer_shell_view_controller_t::layer_shell_view_controller_t(wlr_layer_surface_v1*)::{lambda(auto:1)#1}&, void*&&) /usr/include/c++/14.2.1/bits/invoke.h:61
#17 0x5f5482aeac7a in std::enable_if<is_invocable_r_v<void, layer_shell_view_controller_t::layer_shell_view_controller_t(wlr_layer_surface_v1*)::{lambda(auto:1)#1}&, void*>, void>::type std::__invoke_r<void, layer_shell_view_controller_t::layer_shell_view_controller_t(wlr_layer_surface_v1*)::{lambda(auto:1)#1}&, void*>(layer_shell_view_controller_t::layer_shell_view_controller_t(wlr_layer_surface_v1*)::{lambda(auto:1)#1}&, void*&&) /usr/include/c++/14.2.1/bits/invoke.h:111
#18 0x5f5482ae731f in std::_Function_handler<void (void*), layer_shell_view_controller_t::layer_shell_view_controller_t(wlr_layer_surface_v1*)::{lambda(auto:1)#1}>::_M_invoke(std::_Any_data const&, void*&&) /usr/include/c++/14.2.1/bits/std_function.h:290
#19 0x5f54823b2fc8 in std::function<void (void*)>::operator()(void*) const /usr/include/c++/14.2.1/bits/std_function.h:591
#20 0x5f54823b052f in wf::wl_listener_wrapper::emit(void*) ../src/wl-listener-wrapper.tpp:57
#21 0x5f54823aff16 in handle_wrapped_listener ../src/wl-listener-wrapper.tpp:10
#22 0x7e8d67ca255d in wl_signal_emit_mutable (/usr/lib/libwayland-server.so.0+0x855d) (BuildId: 4e2b07d107615e7827f73c05ac1fb98b592b8e0d)
#23 0x7ffe2c6b4a5f ([stack]+0x42a5f)
previously allocated by thread T0 here:
#0 0x7e8d67556b92 in operator new(unsigned long) /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_new_delete.cpp:95
#1 0x5f5482ae5ad4 in std::shared_ptr<wayfire_layer_shell_view> wf::tracking_allocator_t<wf::view_interface_t>::allocate<wayfire_layer_shell_view, wlr_layer_surface_v1*>(wlr_layer_surface_v1*) ../src/api/wayfire/nonstd/tracking-allocator.hpp:44
#2 0x5f5482ae0acb in std::shared_ptr<wayfire_layer_shell_view> wf::view_interface_t::create<wayfire_layer_shell_view, wlr_layer_surface_v1*>(wlr_layer_surface_v1*) ../src/api/wayfire/view.hpp:192
#3 0x5f5482ac46e2 in wayfire_layer_shell_view::create(wlr_layer_surface_v1*) ../src/view/layer-shell/layer-shell.cpp:426
#4 0x5f5482add486 in layer_shell_view_controller_t::layer_shell_view_controller_t(wlr_layer_surface_v1*) ../src/view/layer-shell/layer-shell.cpp:669
#5 0x5f5482ace371 in operator() ../src/view/layer-shell/layer-shell.cpp:689
#6 0x5f5482ad2f8c in __invoke_impl<void, wf::init_layer_shell()::<lambda(void*)>&, void*> /usr/include/c++/14.2.1/bits/invoke.h:61
#7 0x5f5482ad2052 in __invoke_r<void, wf::init_layer_shell()::<lambda(void*)>&, void*> /usr/include/c++/14.2.1/bits/invoke.h:111
#8 0x5f5482ad0901 in _M_invoke /usr/include/c++/14.2.1/bits/std_function.h:290
#9 0x5f54823b2fc8 in std::function<void (void*)>::operator()(void*) const /usr/include/c++/14.2.1/bits/std_function.h:591
#10 0x5f54823b052f in wf::wl_listener_wrapper::emit(void*) ../src/wl-listener-wrapper.tpp:57
#11 0x5f54823aff16 in handle_wrapped_listener ../src/wl-listener-wrapper.tpp:10
#12 0x7e8d67ca255d in wl_signal_emit_mutable (/usr/lib/libwayland-server.so.0+0x855d) (BuildId: 4e2b07d107615e7827f73c05ac1fb98b592b8e0d)
#13 0x7ffe2c6b512f ([stack]+0x4312f)
SUMMARY: AddressSanitizer: heap-use-after-free ../src/view/layer-shell/layer-shell.cpp:638 in wayfire_layer_shell_view::configure(wlr_box)
Shadow bytes around the buggy address:
0x51600029b600: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x51600029b680: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x51600029b700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x51600029b780: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
0x51600029b800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x51600029b880:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x51600029b900: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x51600029b980: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x51600029ba00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x51600029ba80: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa
0x51600029bb00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==140543==ABORTING`
