
Sway crashes at dock connection because of segfault in seat.c

Open nurelin opened this issue 2 years ago • 17 comments

  • Sway Version: sway version 1.8-dev

sway: a7898637de43de1757f72393ef1caedf568f45e4 wlroots: 410c08cdc676de1f24d71d8817587e1f7e6b4093

  • Debug Log: I will try to obtain some log next time it happens.

  • Configuration File: https://gist.github.com/nurelin/1c930ab407ca2d1458515601d418a296

  • Stack Trace: I will get a stacktrace with wlroots debug symbols next time it happens.

(gdb) bt full
#0  0x00007fef03a36bf8 in __strlen_evex () from /nix/store/4s21k8k7p1mfik0b33r2spq5hq7774k1-glibc-2.33-108/lib/libc.so.6
No symbol table info available.
#1  0x00007fef039541de in strdup () from /nix/store/4s21k8k7p1mfik0b33r2spq5hq7774k1-glibc-2.33-108/lib/libc.so.6
No symbol table info available.
#2  0x000000000042f745 in set_workspace (new_ws=0x16bef80, seat=0xd91b10) at ../sway/input/seat.c:1120
No locals.
#3  seat_set_focus (seat=0xd91b10, node=<optimized out>) at ../sway/input/seat.c:1230
       last_focus = 0x0
       last_workspace = 0x1454ff0
       new_workspace = <optimized out>
       container = <optimized out>
       new_output = <optimized out>
       new_output_last_ws = 0x16bef80
       layer = <optimized out>
#4  0x000000000045c054 in output_enable (output=output@entry=0x11947e0) at ../sway/tree/output.c:133
       ws_name = 0x10bc1c0 "7"
       seat = 0xd91b10
       __PRETTY_FUNCTION__ = "output_enable"
       wlr_output = 0x1346860
       ws = 0x16bef80
#5  0x0000000000437a70 in apply_output_config (oc=oc@entry=0x116b610, output=output@entry=0x11947e0) at ../sway/config/output.c:557
       wlr_output = 0x1346860
       output_box = {x = 1920, y = 0, width = 1920, height = 1080}
#6  0x0000000000420f8b in handle_new_output (listener=0x484130 <server+112>, data=<optimized out>) at ../sway/desktop/output.c:919
       server = 0x4840c0 <server>
       wlr_output = <optimized out>
       output = 0x11947e0
       oc = 0x116b610
#7  0x00007fef03bb640c in wlr_signal_emit_safe () from /nix/store/rnmyffbgpvmq05bvix0hrsjk0wb4jpch-wlroots-410c08cdc676de1f24d71d8817587e1f7e6b4093/lib/libwlroots.so.11
No symbol table info available.
#8  0x00007fef03bb640c in wlr_signal_emit_safe () from /nix/store/rnmyffbgpvmq05bvix0hrsjk0wb4jpch-wlroots-410c08cdc676de1f24d71d8817587e1f7e6b4093/lib/libwlroots.so.11
No symbol table info available.
#9  0x00007fef03b7053e in scan_drm_connectors () from /nix/store/rnmyffbgpvmq05bvix0hrsjk0wb4jpch-wlroots-410c08cdc676de1f24d71d8817587e1f7e6b4093/lib/libwlroots.so.11
No symbol table info available.
#10 0x00007fef03bb640c in wlr_signal_emit_safe () from /nix/store/rnmyffbgpvmq05bvix0hrsjk0wb4jpch-wlroots-410c08cdc676de1f24d71d8817587e1f7e6b4093/lib/libwlroots.so.11
No symbol table info available.
#11 0x00007fef03b80699 in handle_udev_event () from /nix/store/rnmyffbgpvmq05bvix0hrsjk0wb4jpch-wlroots-410c08cdc676de1f24d71d8817587e1f7e6b4093/lib/libwlroots.so.11
No symbol table info available.
#12 0x00007fef03c11632 in wl_event_loop_dispatch () from /nix/store/pz2wx67gskw438ysws82nwk84whwd63d-wayland-1.20.0/lib/libwayland-server.so.0
No symbol table info available.
#13 0x00007fef03c0f2b5 in wl_display_run () from /nix/store/pz2wx67gskw438ysws82nwk84whwd63d-wayland-1.20.0/lib/libwayland-server.so.0
No symbol table info available.
#14 0x000000000041cd30 in server_run (server=<optimized out>) at ../sway/server.c:309
No locals.
#15 0x0000000000410d8a in main (argc=<optimized out>, argv=<optimized out>) at ../sway/main.c:431
       verbose = false
       debug = false
       validate = false
       allow_unsupported_gpu = false
       config_path = 0x0
       c = <optimized out>
  • Description: Simply connect the thunderbolt dock while sway is running and sometimes it will crash. It seems to happen because seat->workspace->name is NULL, which makes strdup segfault. It is not reproducible each time the dock is connected.
#2  0x000000000042f745 in set_workspace (new_ws=0x16bef80, seat=0xd91b10) at ../sway/input/seat.c:1120
1120	in ../sway/input/seat.c
(gdb) p seat->workspace->name
$10 = 0x0

nurelin avatar May 14 '22 17:05 nurelin

If anyone runs into this problem, I currently run sway with this patch:

diff --git a/sway/input/seat.c b/sway/input/seat.c
index fe61e0fe..e68d8f83 100644
--- a/sway/input/seat.c
+++ b/sway/input/seat.c
@@ -1117,7 +1117,7 @@ static void set_workspace(struct sway_seat *seat,

 	if (seat->workspace) {
 		free(seat->prev_workspace_name);
-		seat->prev_workspace_name = strdup(seat->workspace->name);
+		seat->prev_workspace_name = strdup("workaround");
 		if (!seat->prev_workspace_name) {
 			sway_log(SWAY_ERROR, "Unable to allocate previous workspace name");
 		}
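Review bot: `strdup("workaround")` hides the NULL rather than handling it, and leaves prev_workspace_name holding a name that no workspace has, so any later lookup by previous workspace name cannot match (the author already notes it probably breaks something else). A guard avoids the crash without corrupting the bookkeeping: `seat->prev_workspace_name = seat->workspace->name ? strdup(seat->workspace->name) : NULL;`, together with a sway_log(SWAY_ERROR, ...) in the NULL branch so the bad state is recorded for the next report.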

It probably breaks something else, but at least sway does not crash every other day.

nurelin avatar Jun 27 '22 17:06 nurelin

Looks like workspace->name is allowed to be NULL. Maybe a null check would be more suitable than this workaround. Have you tried giving the workspace a name in your config file?

bl4ckb0ne avatar Jun 29 '22 13:06 bl4ckb0ne

Looks like workspace->name is allowed to be NULL. Maybe a null check would be more suitable than this workaround.

I saw that too and tried that first, but unfortunately I got pretty much the same result with sway crashing. The only difference was instead of a NULL pointer, it was a garbled one. Sadly, I cannot post its content, coredumpctl seems to have deleted the coredump.

Have you tried giving the workspace a name in your config file?

No, I use the default workspace names. You can see my config in the top post.

nurelin avatar Jun 29 '22 18:06 nurelin

I don't have a docking station on my end to reproduce but I ran your config file and saw the following lines

00:00:00.091 [DEBUG] [sway/tree/output.c:127] Creating default workspace 1      
00:00:00.091 [DEBUG] [sway/tree/workspace.c:63] Adding workspace 1 for output WL-1

Could you share a debug log please?

bl4ckb0ne avatar Jun 30 '22 15:06 bl4ckb0ne

I will try next time I can let it crash.

nurelin avatar Jun 30 '22 16:06 nurelin

Okay, I got a crash log https://gist.github.com/nurelin/007d8423c6d44a3bbbf729f4465cc2b4 And the backtrace for this crash https://gist.github.com/nurelin/ae45f7e979873c7403a3b336f9199d64

nurelin avatar Jul 04 '22 10:07 nurelin

Jul 04 09:43:28 titan sway[2236]: 11:21:36.952 [DEBUG] [sway/tree/output.c:127] Creating default workspace 5
Jul 04 09:43:28 titan sway[2236]: 11:21:36.952 [DEBUG] [sway/tree/workspace.c:63] Adding workspace 5 for output DP-1

Is DP-1 a screen connected to the docking station?

bl4ckb0ne avatar Jul 05 '22 15:07 bl4ckb0ne

Yes, both DP-1 and DP-2 are.

nurelin avatar Jul 05 '22 17:07 nurelin

I was able to reproduce this bug once. It seems like container->name == NULL is not a valid state (at least it makes sense that it ought not to be). However, a NULL name is programmed to be correct in workspace_create, which is contradictory. Instead, I'm ensuring in workspace_create that we send in a valid name. When the fault happens, it should abort on workspace creation, which should be a lot more helpful in debugging than getting a crash after things went wrong some other place. I haven't been able to reproduce this crash again, but I think applying this to your tree and getting you to reproduce would be very helpful.

diff --git a/sway/tree/workspace.c b/sway/tree/workspace.c
index b1d6fe78..b94f7082 100644
--- a/sway/tree/workspace.c
+++ b/sway/tree/workspace.c
@@ -56,6 +56,11 @@ struct sway_output *workspace_get_initial_output(const char *name) {
 
 struct sway_workspace *workspace_create(struct sway_output *output,
                const char *name) {
+       if (!name) {
+               sway_log(SWAY_ERROR, "NULL name given to workspace_create");
+               abort();
+       }
+
        if (output == NULL) {
                output = workspace_get_initial_output(name);
        }
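Review bot: the guard is placed correctly, ahead of the first use of name in workspace_get_initial_output(name), but abort() takes the whole compositor session down and only helps while someone is collecting core dumps. For anything beyond a diagnostic patch, return NULL after the sway_log so callers hit the same failure path as the existing `return NULL;` in the second hunk, and state in the function's header comment that name must not be NULL.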
@@ -81,7 +86,7 @@ struct sway_workspace *workspace_create(struct sway_output *output,
                return NULL;
        }
 
-       ws->name = name ? strdup(name) : NULL;
+       ws->name = strdup(name);
        ws->prev_split_layout = L_NONE;
        ws->layout = output_get_default_layout(output);
        ws->floating = create_list();
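Review bot: `ws->name = strdup(name);` is still unchecked; on allocation failure it yields exactly the NULL name this patch is meant to rule out, and the initialisation of prev_split_layout, layout and floating continues as if it had succeeded. Check the result and take the same `return NULL;` failure path used a few lines above for the earlier allocation.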

Nefsen402 avatar Jul 10 '22 21:07 Nefsen402

Applied, will report if something happens.

nurelin avatar Jul 11 '22 18:07 nurelin

I keep running into this issue when waking up from suspend, but only seeing the segfault after unlocking swaylock. For now all I have is a backtrace, but I'll try to get some debug logs next time.

#0  __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:74
#1  0x00007f223629ed52 in __GI___strdup (s=0x0) at strdup.c:41
        len = <optimized out>
        new = <optimized out>
#2  0x000055eefcb9341c in set_workspace (new_ws=<optimized out>, seat=0x55eefe5647c0) at ../sway/sway/input/seat.c:1120
        last_focus = 0x0
        last_workspace = 0x55eefe65e190
        new_workspace = <optimized out>
        container = <optimized out>
        new_output = <optimized out>
        new_output_last_ws = <optimized out>
#3  seat_set_focus (seat=0x55eefe5647c0, node=<optimized out>) at ../sway/sway/input/seat.c:1230
        last_focus = 0x0
        last_workspace = 0x55eefe65e190
        new_workspace = <optimized out>
        container = <optimized out>
        new_output = <optimized out>
        new_output_last_ws = <optimized out>
#4  0x000055eefcb7a5ab in seat_set_focus (node=0x55eefe9311a0, seat=0x55eefe5647c0) at ../sway/sway/lock.c:113
        previous = 0x55eefe9311a0
        seat = 0x55eefe5647c0
#5  handle_unlock (listener=<optimized out>, data=<optimized out>) at ../sway/sway/lock.c:104
        previous = 0x55eefe9311a0
        seat = 0x55eefe5647c0
#6  0x00007f22365b873e in wlr_signal_emit_safe (signal=<optimized out>, data=0x0) at ../wlroots-git/util/signal.c:29
        pos = 0x55eefcbe8340 <server+640>
        l = 0x55eefcbe8340 <server+640>
        cursor = {link = {prev = 0x55eefe8f13a8, next = 0x7ffe79587ec0}, notify = 0x7f22365b3200 <handle_noop>}
        end = {link = {prev = 0x7ffe79587ee0, next = 0x55eefe8f13a8}, notify = 0x7f22365b3200 <handle_noop>}
#7  0x00007f22365ac4bd in lock_handle_unlock_and_destroy (client=<optimized out>, lock_resource=0x55eefeb09a90) at ../wlroots-git/types/wlr_session_lock_v1.c:325
        lock = <optimized out>
#8  0x00007f2235c84536 in ffi_call_unix64 () at ../src/x86/unix64.S:105
#9  0x00007f2235c81037 in ffi_call_int (cif=<optimized out>, fn=<optimized out>, rvalue=<optimized out>, avalue=<optimized out>, closure=<optimized out>) at ../src/x86/ffi64.c:672
        classes = {X86_64_INTEGER_CLASS, 21998, 727445520, 32546}
        stack = <optimized out>
        argp = 0x7ffe79587f40 ""
        arg_types = <optimized out>
        gprcount = 2
        ssecount = <optimized out>
        ngpr = 1
        nsse = 0
        i = <optimized out>
        avn = <optimized out>
        flags = <optimized out>
        reg_args = <optimized out>
#10 0x00007f223660cada in wl_closure_invoke (closure=closure@entry=0x55eefeaf6330, target=<optimized out>, target@entry=0x55eefeb09a90, opcode=opcode@entry=2, data=<optimized out>, data@entry=0x55eefe9a7b50, flags=2) at ../wayland-1.21.0/src/connection.c:1025
        count = <optimized out>
        cif = {abi = FFI_UNIX64, nargs = 2, arg_types = 0x7ffe795880a0, rtype = 0x7f2235c851a0 <ffi_type_void>, bytes = 0, flags = 0}
        ffi_types = {0x7f2235c852a0 <ffi_type_pointer>, 0x7f2235c852a0 <ffi_type_pointer>, 0x55eefdd67400, 0x7f2232eb57b6 <hash_table_search()+150>, 0x55eefdd67c40, 0x0, 0x55eefe7b6d70, 0x55eefde3b82c, 0xf, 0x0, 0x0, 0x55eefde1c550, 0x7f222b5bf010, 0xf90c7c91f8da4000, 0x55eefdd5f880, 0xf90c7c91f8da4000, 0x0, 0xfffffffffffffde0, 0xb, 0xf90c7c91f8da4000, 0x55eefdd59660, 0xfffffffffffffde0}
        ffi_args = {0x7ffe79588060, 0x7ffe79588068, 0x55eefdd59660, 0x7f22365c01f6, 0x55eefe75c350, 0x7f223629c8f3 <__GI___libc_free+115>, 0x55eefdd63f60, 0x7f2235b27643 <__eglDestroyAPIState+67>, 0x55eefdd63f60, 0x7f223660e471 <log_closure+81>, 0x55eefeb77df0, 0x55eefdd59570, 0x7f22363fdbc0 <main_arena>, 0x0, 0x55eefe60aae0, 0x7f223629d1a9 <__libc_calloc+217>, 0x55eefde79c90, 0x7f22363135fa <__libc_recvmsg+106>, 0x7ffe79588240, 0x7f22365d64e9, 0x7f22365fe7d0 <ext_session_lock_v1_requests+48>, 0x0}
        implementation = <optimized out>
#11 0x00007f2236611010 in wl_client_connection_data (fd=<optimized out>, mask=<optimized out>, data=<optimized out>) at ../wayland-1.21.0/src/wayland-server.c:437
        connection = <optimized out>
        resource = 0x55eefeb09a90
        object = 0x55eefeb09a90
        closure = <optimized out>
        message = 0x7f22365fe7d0 <ext_session_lock_v1_requests+48>
        p = {3, 524290}
        resource_flags = 0
        opcode = 2
        size = <optimized out>
        since = <optimized out>
        len = <optimized out>
#12 0x00007f223660f9e2 in wl_event_loop_dispatch (loop=0x55eefdd59660, timeout=timeout@entry=-1) at ../wayland-1.21.0/src/event-loop.c:1027
        ep = {{events = 1, data = {ptr = 0x55eefea15aa0, fd = -22979936, u32 = 4271987360, u64 = 94484962564768}}, {events = 4, data = {ptr = 0x55eefeaf20f0, fd = -22077200, u32 = 4272890096, u64 = 94484963467504}}, {events = 4175052800, data = {ptr = 0x55eef90c7c91, fd = -116622191, u32 = 4178345105, u64 = 94484868922513}}, {events = 1, data = {ptr = 0x18, fd = 24, u32 = 24, u64 = 24}}, {events = 4273180224, data = {ptr = 0x795884d0000055ee, fd = 21998, u32 = 21998, u64 = 8743884705427903982}}, {events = 32766, data = {ptr = 0x55eefeb3be58, fd = -21774760, u32 = 4273192536, u64 = 94484963769944}}, {events = 4273184328, data = {ptr = 0x79588510000055ee, fd = 21998, u32 = 21998, u64 = 8743884980305810926}}, {events = 32766, data = {ptr = 0x7f223660c500 <wl_connection_flush+304>, fd = 912311552, u32 = 912311552, u64 = 139784917927168}}, {events = 1, data = {ptr = 0x18fe909c90, fd = -24077168, u32 = 4270890128, u64 = 107350105232}}, {events = 0, data = {ptr = 0x7ffe79588530, fd = 2035844400, u32 = 2035844400, u64 = 140730934265136}}, {events = 4267317600, data = {ptr = 0x14ac, fd = 5292, u32 = 5292, u64 = 5292}}, {events = 0, data = {ptr = 0x0, fd = 0, u32 = 0, u64 = 0}}, {events = 0, data = {ptr = 0x0, fd = 0, u32 = 0, u64 = 0}}, {events = 0, data = {ptr = 0x0, fd = 0, u32 = 0, u64 = 0}}, {events = 0, data = {ptr = 0x0, fd = 0, u32 = 0, u64 = 0}}, {events = 0, data = {ptr = 0xfffffffffffffde0, fd = -544, u32 = 4294966752, u64 = 18446744073709551072}}, {events = 4273185524, data = {ptr = 0x18000055ee, fd = 21998, u32 = 21998, u64 = 103079237102}}, {events = 0, data = {ptr = 0x55eefeb39e48, fd = -21782968, u32 = 4273184328, u64 = 94484963761736}}, {events = 20, data = {ptr = 0x1400000000, fd = 0, u32 = 0, u64 = 85899345920}}, {events = 0, data = {ptr = 0x100000001, fd = 1, u32 = 1, u64 = 4294967297}}, {events = 109, data = {ptr = 0xa200000098, fd = 152, u32 = 152, u64 = 695784702104}}, {events = 172, data = {ptr = 0xc0000000b6, fd = 182, u32 = 182, u64 = 824633721014}}, {events = 205, data = {ptr = 0xe1000000d7, fd = 215, u32 = 215, u64 = 966367641815}}, {events = 235, data = {ptr = 0xff000000f5, fd = 245, u32 = 245, u64 = 1095216660725}}, {events = 4240216243, data = {ptr = 0x131000055ee, fd = 21998, u32 = 21998, u64 = 1309965047278}}, {events = 0, data = {ptr = 0x55eefe54a4c0, fd = -28007232, u32 = 4266960064, u64 = 94484957537472}}, {events = 4258566160, data = {ptr = 0xfe5647c0000055ee, fd = 21998, u32 = 21998, u64 = 18326914623590127086}}, {events = 21998, data = {ptr = 0x0, fd = 0, u32 = 0, u64 = 0}}, {events = 911946240, data = {ptr = 0xfea119a000007f22, fd = 32546, u32 = 32546, u64 = 18347974531869605666}}, {events = 21998, data = {ptr = 0x55eefe563ee0, fd = -27902240, u32 = 4267065056, u64 = 94484957642464}}, {events = 4175052800, data = {ptr = 0xf90c7c91, fd = -116622191, u32 = 4178345105, u64 = 4178345105}}, {events = 0, data = {ptr = 0x55eefe9a7b50, fd = -23430320, u32 = 4271536976, u64 = 94484962114384}}}
        source = <optimized out>
        i = 0
        count = <optimized out>
        has_timers = <optimized out>
#13 0x00007f2236610197 in wl_display_run (display=0x55eefdd59570) at ../wayland-1.21.0/src/wayland-server.c:1431
#14 0x000055eefcb6cb0f in server_run (server=<optimized out>) at ../sway/sway/server.c:307
        config_path = 0x0
        c = <optimized out>
        validate = false
        debug = false
        allow_unsupported_gpu = false
        verbose = false
#15 main (argc=1, argv=0x7ffe79588858) at ../sway/sway/main.c:415
        config_path = 0x0
        c = <optimized out>
        validate = false
        debug = false
        allow_unsupported_gpu = false
        verbose = false

And the underlying issue seems to be a workspace's name being null for me as well:

(gdb) f 2
#2  0x000055eefcb9341c in set_workspace (new_ws=<optimized out>, seat=0x55eefe5647c0) at ../sway/sway/input/seat.c:1120
1120			seat->prev_workspace_name = strdup(seat->workspace->name);
(gdb) p seat->workspace->name
$1 = 0x0

baltitenger avatar Jul 19 '22 13:07 baltitenger

I believe I managed to catch this issue with gcc's address sanitizer:

ERROR: AddressSanitizer: heap-use-after-free on address 0x6120001c5808 at pc 0x555ce0f8ae7a bp 0x7ffe2c3737e0 sp 0x7ffe2c3737d0
READ of size 8 at 0x6120001c5808 thread T0
    #0 0x555ce0f8ae79 in seat_set_focus ../sway/sway/input/seat.c:1190
    #1 0x555ce0f443aa in seat_set_focus ../sway/sway/lock.c:113
    #2 0x555ce0f443aa in handle_unlock ../sway/sway/lock.c:104
    #3 0x7fb4d3ad35fd in wlr_signal_emit_safe ../wlroots-git/util/signal.c:29
    #4 0x7fb4d3ac737c in lock_handle_unlock_and_destroy ../wlroots-git/types/wlr_session_lock_v1.c:325
    #5 0x7fb4d3458535  (/usr/lib/libffi.so.8+0x7535)
    #6 0x7fb4d3455036  (/usr/lib/libffi.so.8+0x4036)
    #7 0x7fb4d3b27ad9  (/usr/lib/libwayland-server.so.0+0x8ad9)
    #8 0x7fb4d3b2c00f  (/usr/lib/libwayland-server.so.0+0xd00f)
    #9 0x7fb4d3b2a9e1 in wl_event_loop_dispatch (/usr/lib/libwayland-server.so.0+0xb9e1)
    #10 0x7fb4d3b2b196 in wl_display_run (/usr/lib/libwayland-server.so.0+0xc196)
    #11 0x555ce0f1cc96 in server_run ../sway/sway/server.c:307
    #12 0x555ce0f1cc96 in main ../sway/sway/main.c:415
    #13 0x7fb4d362928f  (/usr/lib/libc.so.6+0x2928f)
    #14 0x7fb4d3629349 in __libc_start_main (/usr/lib/libc.so.6+0x29349)
    #15 0x555ce0f1dfb4  (/usr/bin/sway+0x41fb4)
0x6120001c5808 is located 72 bytes inside of 280-byte region [0x6120001c57c0,0x6120001c58d8)
freed by thread T0 here:
    #0 0x7fb4d40be672 in __interceptor_free /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 0x555ce0f56468 in container_destroy ../sway/sway/tree/container.c:91
    #2 0x555ce0f56468 in container_destroy ../sway/sway/tree/container.c:57
    #3 0x555ce0f56468 in transaction_destroy ../sway/sway/desktop/transaction.c:74
    #4 0x555ce0f56468 in transaction_progress ../sway/sway/desktop/transaction.c:343
previously allocated by thread T0 here:
    #0 0x7fb4d40bf411 in __interceptor_calloc /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:77
    #1 0x555ce0ffb1af in workspace_create ../sway/sway/tree/workspace.c:66
SUMMARY: AddressSanitizer: heap-use-after-free ../sway/sway/input/seat.c:1190 in seat_set_focus

Hope this helps

baltitenger avatar Jul 29 '22 15:07 baltitenger

@baltitenger I think I've seen that error and fixed it in https://github.com/swaywm/sway/pull/6970 - so it may or may not be the same issue here, which seems like it doesn't require locking to happen.

danieldg avatar Jul 30 '22 03:07 danieldg

I was able to reproduce this bug once. It seems like container->name == NULL is not a valid state (at least it makes sense that it ought not to be). However, a NULL name is programmed to be correct in workspace_create, which is contradictory. Instead, I'm ensuring in workspace_create that we send in a valid name. When the fault happens, it should abort on workspace creation, which should be a lot more helpful in debugging than getting a crash after things went wrong some other place. I haven't been able to reproduce this crash again, but I think applying this to your tree and getting you to reproduce would be very helpful.

diff --git a/sway/tree/workspace.c b/sway/tree/workspace.c
index b1d6fe78..b94f7082 100644
--- a/sway/tree/workspace.c
+++ b/sway/tree/workspace.c
@@ -56,6 +56,11 @@ struct sway_output *workspace_get_initial_output(const char *name) {
 
 struct sway_workspace *workspace_create(struct sway_output *output,
                const char *name) {
+       if (!name) {
+               sway_log(SWAY_ERROR, "NULL name given to workspace_create");
+               abort();
+       }
+
        if (output == NULL) {
                output = workspace_get_initial_output(name);
        }
@@ -81,7 +86,7 @@ struct sway_workspace *workspace_create(struct sway_output *output,
                return NULL;
        }
 
-       ws->name = name ? strdup(name) : NULL;
+       ws->name = strdup(name);
        ws->prev_split_layout = L_NONE;
        ws->layout = output_get_default_layout(output);
        ws->floating = create_list();

The patch is not enough. Sway just crashed on the same strdup and with the name still being null. If I have made no mistake, that would mean that the name is either created/changed elsewhere or there is a memory corruption somewhere.

nurelin avatar Aug 09 '22 15:08 nurelin
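As an added illustration (not code from the sway tree or from anyone in this thread), the following C model covers the two points the discussion circles around: the NULL check on workspace->name that bl4ckb0ne suggested, and the dangling seat->workspace pointer behind the heap-use-after-free in baltitenger's ASan report, which no NULL check on the name can catch. The structs, the seat registry and the scenario functions are hypothetical stand-ins for sway's real seat and workspace code.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed, simplified stand-ins for sway's workspace and seat structs
 * (hypothetical models, not sway's real definitions). */
struct ws_model {
	char *name;                  /* sway's workspace_create allows NULL here */
};
struct seat_model {
	struct ws_model *workspace;  /* currently focused workspace */
	char *prev_workspace_name;   /* copied from the old focus in set_workspace */
};

/* Hypothetical registry so workspace_destroy can reach every seat, the role
 * sway's node destroy listeners play. */
#define MAX_SEATS 4
static struct seat_model *seats[MAX_SEATS];
static int nseats;

/* NULL-safe equivalent of strdup: strdup(NULL) is what crashed inside strlen
 * in every backtrace above. */
static char *strdup_or_null(const char *s) {
	if (!s) return NULL;
	size_t len = strlen(s) + 1;
	char *copy = malloc(len);
	return copy ? memcpy(copy, s, len) : NULL;
}

static struct ws_model *workspace_create(const char *name) {
	struct ws_model *ws = calloc(1, sizeof(*ws));
	if (ws) ws->name = strdup_or_null(name);
	return ws;
}

/* Model of set_workspace() at seat.c:1120 with the NULL check from the thread. */
static void set_workspace(struct seat_model *seat, struct ws_model *new_ws) {
	if (seat->workspace == new_ws) return;
	if (seat->workspace) {
		free(seat->prev_workspace_name);
		seat->prev_workspace_name = strdup_or_null(seat->workspace->name);
	}
	seat->workspace = new_ws;
}

/* Clears every seat's reference before freeing. Without this step a seat keeps
 * a dangling pointer and the next set_workspace() reads freed memory: the
 * heap-use-after-free ASan reported, which no NULL check on name can catch. */
static void workspace_destroy(struct ws_model *ws) {
	for (int i = 0; i < nseats; i++) {
		if (seats[i]->workspace == ws) {
			seats[i]->workspace = NULL;
		}
	}
	free(ws->name);
	free(ws);
}

/* Focus leaves a workspace whose name is NULL (gdb: seat->workspace->name == 0x0),
 * then moves normally from "7" to "1". Returns 1 when the first switch leaves
 * prev_workspace_name NULL and the second records "7". */
int scenario_null_name(void) {
	struct seat_model seat = {0};
	nseats = 0;
	seats[nseats++] = &seat;
	struct ws_model *unnamed = workspace_create(NULL);
	struct ws_model *seven = workspace_create("7");
	struct ws_model *one = workspace_create("1");
	set_workspace(&seat, unnamed);
	set_workspace(&seat, seven);   /* crashed in strdup without the guard */
	int ok = seat.workspace == seven && seat.prev_workspace_name == NULL;
	set_workspace(&seat, one);
	ok = ok && seat.prev_workspace_name && strcmp(seat.prev_workspace_name, "7") == 0;
	workspace_destroy(unnamed);
	workspace_destroy(seven);
	workspace_destroy(one);
	free(seat.prev_workspace_name);
	return ok;
}

/* The focused workspace is destroyed (an output on the dock going away) before
 * focus moves. Returns 1 when the seat never reads the freed workspace. */
int scenario_destroyed_focus(void) {
	struct seat_model seat = {0};
	nseats = 0;
	seats[nseats++] = &seat;
	struct ws_model *gone = workspace_create("5");
	struct ws_model *next = workspace_create("1");
	set_workspace(&seat, gone);
	workspace_destroy(gone);
	int cleared = seat.workspace == NULL;
	set_workspace(&seat, next);
	int ok = cleared && seat.workspace == next && seat.prev_workspace_name == NULL;
	workspace_destroy(next);
	free(seat.prev_workspace_name);
	return ok;
}
```

Building the model with -fsanitize=address and deleting the loop in workspace_destroy reproduces the same heap-use-after-free report shape as the one posted above, which is the quickest way to confirm that the name guard alone is not the fix.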

I got yet another crash, similar backtrace:

Backtrace
#0  __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:76
#1  0x00007f9f0df56672 in __GI___strdup (s=0x0) at strdup.c:41
        len = <optimized out>
        new = <optimized out>
#2  0x0000557350005408 in set_workspace (new_ws=<optimized out>, seat=0x557351389de0) at ../sway/sway/input/seat.c:1116
        last_focus = 0x557351928610
        last_workspace = 0x557351922520
        new_workspace = <optimized out>
        container = <optimized out>
        new_output = <optimized out>
        new_output_last_ws = <optimized out>
#3  seat_set_workspace_focus (seat=0x557351389de0, node=<optimized out>) at ../sway/sway/input/seat.c:1213
        last_focus = 0x557351928610
        last_workspace = 0x557351922520
        new_workspace = <optimized out>
        container = <optimized out>
        new_output = <optimized out>
        new_output_last_ws = <optimized out>
#4  0x000055735002607b in workspace_switch (workspace=0x5573518f9e30) at ../sway/sway/tree/workspace.c:602
        seat = 0x557351389de0
        next = <optimized out>
        auto_back_and_forth = true
        seat = 0x557351389de0
        ws = <optimized out>
        error = <optimized out>
        gaps_location = <optimized out>
        error = <optimized out>
#5  cmd_workspace (argv=<optimized out>, argc=1) at ../sway/sway/commands/workspace.c:237
        auto_back_and_forth = true
        seat = 0x557351389de0
        ws = <optimized out>
        error = <optimized out>
        gaps_location = <optimized out>
        error = <optimized out>
#6  cmd_workspace (argc=<optimized out>, argv=<optimized out>) at ../sway/sway/commands/workspace.c:125
        error = <optimized out>
#7  0x000055734fff2421 in execute_command (_exec=<optimized out>, seat=0x557351389de0, con=0x0) at ../sway/sway/commands.c:294
        res = <optimized out>
        argc = 2
        argv = 0x55735147c110
        handler = 0x55735005e7d0 <handlers+848>
        cmd = <optimized out>
        matched_delim = 0 '\000'
        containers = 0x0
        using_criteria = false
        exec = 0x557351841ec0 "workspace prev_on_output"
        head = 0x0
        res_list = <optimized out>
        __PRETTY_FUNCTION__ = "execute_command"
#8  0x0000557350013af6 in seat_execute_command (seat=0x557351389de0, binding=0x5573513b8f50) at ../sway/sway/commands/bind.c:632
        con = <optimized out>
        res_list = <optimized out>
        success = <optimized out>
#9  0x0000557350007eab in handle_key_event (keyboard=0x5573514a0cd0, event=0x7ffee3358fa0) at ../sway/sway/input/keyboard.c:487
        seat = 0x557351389de0
        wlr_seat = 0x55735138a120
        wlr_device = <optimized out>
        device_identifier = 0x55735158a390 "0:0:wlr_keyboard_group"
        exact_identifier = <optimized out>
        input_inhibited = false
        sway_inhibitor = <optimized out>
        shortcuts_inhibited = false
        keyinfo = {keycode = 23, code_modifiers = 65, raw_keysyms = 0x55735144cea8, raw_modifiers = 65, raw_keysyms_len = 1, translated_keysyms = 0x55735144cec8, translated_modifiers = 64, translated_keysyms_len = 1}
        handled = <optimized out>
        binding_released = 0x0
        binding = 0x5573513b8f50
#10 0x00007f9f0e1b89ce in wlr_signal_emit_safe () at /usr/lib/libwlroots.so.11
#11 0x00007f9f0e1a1a85 in wlr_keyboard_notify_key () at /usr/lib/libwlroots.so.11
#12 0x00007f9f0e1b89ce in wlr_signal_emit_safe () at /usr/lib/libwlroots.so.11
#13 0x00007f9f0e1a1a85 in wlr_keyboard_notify_key () at /usr/lib/libwlroots.so.11
#14 0x00007f9f0e16e85c in  () at /usr/lib/libwlroots.so.11
#15 0x00007f9f0e2119e2 in wl_event_loop_dispatch (loop=0x557350b7cf00, timeout=timeout@entry=-1) at ../wayland-1.21.0/src/event-loop.c:1027
        ep = {{events = 1, data = {ptr = 0x55735156be90, fd = 1364639376, u32 = 1364639376, u64 = 93953774239376}}, {events = 17, data = {ptr = 0x557351716630, fd = 1366386224, u32 = 1366386224, u64 = 93953775986224}}, {events = 1165185024, data = {ptr = 0x55730bbf758e, fd = 197096846, u32 = 197096846, u64 = 93952606696846}}, {events = 1, data = {ptr = 0x20, fd = 32, u32 = 32, u64 = 32}}, {events = 1368011552, data = {ptr = 0xe33590f000005573, fd = 21875, u32 = 21875, u64 = 16372151380841878899}}, {events = 32766, data = {ptr = 0x5573518a6338, fd = 1368023864, u32 = 1368023864, u64 = 93953777623864}}, {events = 1368015656, data = {ptr = 0xe335913000005573, fd = 21875, u32 = 21875, u64 = 16372151655719785843}}, {events = 32766, data = {ptr = 0x7f9f0e20e500 <wl_connection_flush+304>, fd = 237036800, u32 = 237036800, u64 = 140321113564416}}, {events = 3811938632, data = {ptr = 0x2000007ffe, fd = 32766, u32 = 32766, u64 = 137438986238}}, {events = 0, data = {ptr = 0x7ffee3359150, fd = -483028656, u32 = 3811938640, u64 = 140732710359376}}, {events = 236685802, data = {ptr = 0x20b70, fd = 134000, u32 = 134000, u64 = 134000}}, {events = 0, data = {ptr = 0x0, fd = 0, u32 = 0, u64 = 0}}, {events = 0, data = {ptr = 0x0, fd = 0, u32 = 0, u64 = 0}}, {events = 0, data = {ptr = 0x0, fd = 0, u32 = 0, u64 = 0}}, {events = 0, data = {ptr = 0x0, fd = 0, u32 = 0, u64 = 0}}, {events = 0, data = {ptr = 0xbbf758e45735000, fd = 1165185024, u32 = 1165185024, u64 = 846524508879933440}}, {events = 1368018584, data = {ptr = 0x2000005573, fd = 21875, u32 = 21875, u64 = 137438975347}}, {events = 0, data = {ptr = 0x557351916f78, fd = 1368485752, u32 = 1368485752, u64 = 93953778085752}}, {events = 8, data = {ptr = 0x1400000000, fd = 0, u32 = 0, u64 = 85899345920}}, {events = 0, data = {ptr = 0x100000001, fd = 1, u32 = 1, u64 = 4294967297}}, {events = 114, data = {ptr = 0x9e00000093, fd = 147, u32 = 147, u64 = 678604832915}}, {events = 169, data = {ptr = 0xbf000000b4, fd = 180, u32 = 180, u64 = 820338753716}}, {events = 205, data = {ptr = 0xe3000000d8, fd = 216, u32 = 216, u64 = 974957576408}}, {events = 238, data = {ptr = 0x104000000f9, fd = 249, u32 = 249, u64 = 1116691497209}}, {events = 1342451971, data = {ptr = 0x13000005573, fd = 21875, u32 = 21875, u64 = 1305670079859}}, {events = 0, data = {ptr = 0x55735135b920, fd = 1362475296, u32 = 1362475296, u64 = 93953772075296}}, {events = 0, data = {ptr = 0x43800000000, fd = 0, u32 = 0, u64 = 4638564679680}}, {events = 21875, data = {ptr = 0x7ffe00000780, fd = 1920, u32 = 1920, u64 = 140728898422656}}, {events = 1354220336, data = {ptr = 0x5573, fd = 21875, u32 = 21875, u64 = 21875}}, {events = 0, data = {ptr = 0x0, fd = 0, u32 = 0, u64 = 0}}, {events = 1165185024, data = {ptr = 0x517521500bbf758e, fd = 197096846, u32 = 197096846, u64 = 5869634317025506702}}, {events = 21875, data = {ptr = 0x5573518f6f80, fd = 1368354688, u32 = 1368354688, u64 = 93953777954688}}}
        source = <optimized out>
        i = 0
        count = <optimized out>
        has_timers = <optimized out>
#16 0x00007f9f0e212197 in wl_display_run (display=0x557350b7ce10) at ../wayland-1.21.0/src/wayland-server.c:1431
#17 0x000055734ffebb8a in server_run (server=<optimized out>) at ../sway/sway/server.c:306
        config_path = 0x0
        c = <optimized out>
        validate = false
        debug = false
        allow_unsupported_gpu = false
        verbose = false
#18 main (argc=<optimized out>, argv=0x7ffee3359468) at ../sway/sway/main.c:411
        config_path = 0x0
        c = <optimized out>
        validate = false
        debug = false
        allow_unsupported_gpu = false
        verbose = false

Sadly this time I wasn't running with ASan. The whole workspace seems to contain random junk:

(gdb) p *seat->workspace
$2 = {node = {type = 236972736, {sway_root = 0x7f9f0e1feaa8, sway_output = 0x7f9f0e1feaa8, sway_workspace = 0x7f9f0e1feaa8, sway_container = 0x7f9f0e1feaa8}, id = 21, 
    instruction = 0x7f9f0e1aa200, ntxnrefs = 93953776028656, destroying = 192, dirty = 234, events = {destroy = {listener_list = {prev = 0x55735175be50, next = 0x55735175be50}}}}, layers = {
    tiling = 0x5573518034b0, fullscreen = 0x0}, fullscreen = 0x2, name = 0x0, representation = 0x55735175be80 "\200\276uQsU", x = 4.6419333152543742e-310, y = 4.6419333152551647e-310, 
  width = 1366670992, height = 21875, layout = L_NONE, prev_split_layout = L_NONE, current_gaps = {top = 145, right = 0, bottom = 236964768, left = 32671}, gaps_inner = 1920, gaps_outer = {
    top = 1536, right = 1, bottom = 0, left = 2}, output = 0x0, floating = 0x55735175bed8, tiling = 0x55735175bed8, output_priority = 0x55735175bee8, urgent = 232, current = {
    fullscreen = 0x55735175bef8, x = 4.641933315260303e-310, y = 4.6419334154113619e-310, width = 1363462784, height = 21875, layout = 1363462824, output = 0x55735144caa8, 
    floating = 0x7f9f0e192d30, tiling = 0x0, focused_inactive_child = 0x21, focused = 16}}

baltitenger avatar Aug 16 '22 14:08 baltitenger

Got another similar crash, now with ASan. For some reason though, it didn't find the debug symbols for sway?

ASan output
=================================================================
==409==ERROR: AddressSanitizer: heap-use-after-free on address 0x61200005fa98 at pc 0x5567b2db26d0 bp 0x7fff9a3b29a0 sp 0x7fff9a3b2990
READ of size 8 at 0x61200005fa98 thread T0
    #0 0x5567b2db26cf  (/usr/bin/sway+0x836cf)
    #1 0x5567b2e03c68  (/usr/bin/sway+0xd4c68)
    #2 0x5567b2d7dc83  (/usr/bin/sway+0x4ec83)
    #3 0x5567b2ddb4ab  (/usr/bin/sway+0xac4ab)
    #4 0x5567b2db8d5a  (/usr/bin/sway+0x89d5a)
    #5 0x7f79599689cd in wlr_signal_emit_safe ../wlroots-git/util/signal.c:29
    #6 0x7f7959951a84 in wlr_keyboard_notify_key ../wlroots-git/types/wlr_keyboard.c:103
    #7 0x7f79599689cd in wlr_signal_emit_safe ../wlroots-git/util/signal.c:29
    #8 0x7f7959951a84 in wlr_keyboard_notify_key ../wlroots-git/types/wlr_keyboard.c:103
    #9 0x7f795991e85b in handle_keyboard_key ../wlroots-git/backend/libinput/keyboard.c:54
    #10 0x7f795991e85b in handle_libinput_event ../wlroots-git/backend/libinput/events.c:167
    #11 0x7f795991e85b in handle_libinput_readable ../wlroots-git/backend/libinput/backend.c:58
    #12 0x7f795991e85b in handle_libinput_readable ../wlroots-git/backend/libinput/backend.c:48
    #13 0x7f79599bf9e1 in wl_event_loop_dispatch (/usr/lib/libwayland-server.so.0+0xb9e1)
    #14 0x7f79599c0196 in wl_display_run (/usr/lib/libwayland-server.so.0+0xc196)
    #15 0x5567b2d6eef7  (/usr/bin/sway+0x3fef7)
    #16 0x7f795966d2cf  (/usr/lib/libc.so.6+0x232cf)
    #17 0x7f795966d389 in __libc_start_main (/usr/lib/libc.so.6+0x23389)
    #18 0x5567b2d701c4  (/usr/bin/sway+0x411c4)
0x61200005fa98 is located 88 bytes inside of 296-byte region [0x61200005fa40,0x61200005fb68)
freed by thread T0 here:
    #0 0x7f7959ebe672 in __interceptor_free /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 0x5567b2d98673  (/usr/bin/sway+0x69673)
previously allocated by thread T0 here:
    #0 0x7f7959ebf411 in __interceptor_calloc /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:77
    #1 0x5567b2e27483  (/usr/bin/sway+0xf8483)
SUMMARY: AddressSanitizer: heap-use-after-free (/usr/bin/sway+0x836cf)
Shadow bytes around the buggy address:
  0x0c2480003f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2480003f10: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2480003f20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2480003f30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2480003f40: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c2480003f50: fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2480003f60: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
  0x0c2480003f70: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2480003f80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2480003f90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2480003fa0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==409==ABORTING
Backtrace
#9  0x00005567b2db26d0 in seat_set_workspace_focus (seat=0x616000007580, node=<optimized out>) at ../sway/sway/input/seat.c:1247
        view = <optimized out>
        last_focus = <optimized out>
        last_workspace = <optimized out>
        new_workspace = <optimized out>
        container = <optimized out>
        new_output = <optimized out>
        new_output_last_ws = <optimized out>
#10 0x00005567b2e03c69 in workspace_switch (workspace=0x61200005c2c0) at ../sway/sway/tree/workspace.c:602
        seat = 0x616000007580
        next = <optimized out>
        auto_back_and_forth = <optimized out>
        seat = 0x616000007580
        ws = <optimized out>
        error = <optimized out>
        gaps_location = <optimized out>
        error = <optimized out>
#11 cmd_workspace (argv=<optimized out>, argc=1) at ../sway/sway/commands/workspace.c:237
        auto_back_and_forth = <optimized out>
        seat = 0x616000007580
        ws = <optimized out>
        error = <optimized out>
        gaps_location = <optimized out>
        error = <optimized out>
#12 cmd_workspace (argc=<optimized out>, argv=<optimized out>) at ../sway/sway/commands/workspace.c:125
        error = <optimized out>
#13 0x00005567b2d7dc84 in execute_command (_exec=<optimized out>, seat=0x616000007580, con=<optimized out>) at ../sway/sway/commands.c:294
        res = <optimized out>
        argv = 0x603000597760
        handler = <optimized out>
        cmd = <optimized out>
        containers = 0x0
        using_criteria = false
        exec = 0x603000597790 "workspace next_on_output"
        res_list = 0x602000b33830
        __PRETTY_FUNCTION__ = "execute_command"
#14 0x00005567b2ddb4ac in seat_execute_command (seat=0x616000007580, binding=0x6060000a4000) at ../sway/sway/commands/bind.c:632
        con = <optimized out>
        res_list = <optimized out>
        success = <optimized out>
#15 0x00005567b2db8d5b in handle_key_event (keyboard=0x61a000021680, event=<optimized out>) at ../sway/sway/input/keyboard.c:487
        seat = 0x616000007580
        wlr_seat = 0x61800000c880
        wlr_device = <optimized out>
        device_identifier = 0x6030005977c0 "0:0:wlr_keyboard_group"
        exact_identifier = <optimized out>
        input_inhibited = false
        sway_inhibitor = <optimized out>
        shortcuts_inhibited = false
        handled = <optimized out>
#16 0x00007f79599689ce in wlr_signal_emit_safe (signal=<optimized out>, data=0x7fff9a3b3270) at ../wlroots-git/util/signal.c:29
        pos = 0x60c000186e90
        l = 0x60c000186e90
        cursor = {link = {prev = 0x60c000186e90, next = 0x7fff9a3b3110}, notify = 0x7f7959963120 <handle_noop>}
        end = {link = {prev = 0x7fff9a3b3130, next = 0x615000149038}, notify = 0x7f7959963120 <handle_noop>}
#17 0x00007f7959951a85 in wlr_keyboard_notify_key (keyboard=0x615000148f00, event=0x7fff9a3b3270) at ../wlroots-git/types/wlr_keyboard.c:103
        updated = <optimized out>
#18 0x00007f79599689ce in wlr_signal_emit_safe (signal=<optimized out>, data=0x7fff9a3b3270) at ../wlroots-git/util/signal.c:29
        pos = 0x60d0000e8988
        l = 0x60d0000e8988
        cursor = {link = {prev = 0x60d0000e8988, next = 0x61a0000294a8}, notify = 0x7f7959963120 <handle_noop>}
        end = {link = {prev = 0x61a0000294a8, next = 0x61a000028fc0}, notify = 0x7f7959963120 <handle_noop>}
#19 0x00007f7959951a85 in wlr_keyboard_notify_key (keyboard=0x61a000028e88, event=0x7fff9a3b3270) at ../wlroots-git/types/wlr_keyboard.c:103
        updated = <optimized out>
#20 0x00007f795991e85c in handle_keyboard_key (kb=0x61a000028e88, event=0x6040007a9ad0) at ../wlroots-git/backend/libinput/keyboard.c:54
        kbevent = 0x6040007a9ad0
        wlr_event = {time_msec = 2473168, keycode = 15, update_state = true, state = WL_KEYBOARD_KEY_STATE_PRESSED}
        state = <optimized out>
        libinput_dev = 0x61c000025080
        dev = 0x61a000028e80
        event_type = <optimized out>
        event = 0x6040007a9ad0
        backend = <optimized out>
        ret = <optimized out>
#21 handle_libinput_event (event=0x6040007a9ad0, backend=0x60f000000400) at ../wlroots-git/backend/libinput/events.c:167
        libinput_dev = 0x61c000025080
        dev = 0x61a000028e80
        event_type = <optimized out>
        event = 0x6040007a9ad0
        backend = <optimized out>
        ret = <optimized out>
#22 handle_libinput_readable (fd=<optimized out>, mask=<optimized out>, _backend=<optimized out>) at ../wlroots-git/backend/libinput/backend.c:58
        event = 0x6040007a9ad0
        backend = <optimized out>
        ret = <optimized out>
#23 handle_libinput_readable (fd=<optimized out>, mask=<optimized out>, _backend=<optimized out>) at ../wlroots-git/backend/libinput/backend.c:48
        backend = <optimized out>
        ret = <optimized out>
#24 0x00007f79599bf9e2 in wl_event_loop_dispatch (loop=0x60d000000450, timeout=timeout@entry=-1) at ../wayland-1.21.0/src/event-loop.c:1027
        ep = {{events = 1, data = {ptr = 0x60600014f360, fd = 1373024, u32 = 1373024, u64 = 105965434499936}}, {events = 25232, data = {ptr = 0x6290001cd208, fd = 1888776, u32 = 1888776, u64 = 108370616701448}}, {events = 563354368, data = {ptr = 0x1cc2003af84638, fd = 989349432, u32 = 989349432, u64 = 8094605593036344}}, {events = 25232, data = {ptr = 0x20, fd = 32, u32 = 32, u64 = 32}}, {events = 1884672, data = {ptr = 0x9a3b33c000006290, fd = 25232, u32 = 25232, u64 = 11113533405193593488}}, {events = 32767, data = {ptr = 0x6290001cf218, fd = 1896984, u32 = 1896984, u64 = 108370616709656}}, {events = 1888776, data = {ptr = 0x9a3b340000006290, fd = 25232, u32 = 25232, u64 = 11113533680071500432}}, {events = 32767, data = {ptr = 0x7f79599bc500 <wl_connection_flush+304>, fd = 1503380736, u32 = 1503380736, u64 = 140159171151104}}, {events = 30080, data = {ptr = 0x2000006160, fd = 24928, u32 = 24928, u64 = 137438978400}}, {events = 0, data = {ptr = 0x7fff9a3b3420, fd = -1707396064, u32 = 2587571232, u64 = 140735780959264}}, {events = 473744, data = {ptr = 0x10ef4, fd = 69364, u32 = 69364, u64 = 69364}}, {events = 0, data = {ptr = 0x0, fd = 0, u32 = 0, u64 = 0}}, {events = 0, data = {ptr = 0x0, fd = 0, u32 = 0, u64 = 0}}, {events = 0, data = {ptr = 0x0, fd = 0, u32 = 0, u64 = 0}}, {events = 0, data = {ptr = 0x0, fd = 0, u32 = 0, u64 = 0}}, {events = 0, data = {ptr = 0xffff347668c, fd = -213424500, u32 = 4081542796, u64 = 17591972619916}}, {events = 1892604, data = {ptr = 0x2000006290, fd = 25232, u32 = 25232, u64 = 137438978704}}, {events = 0, data = {ptr = 0x629000222208, fd = 2236936, u32 = 2236936, u64 = 108370617049608}}, {events = 176, data = {ptr = 0x1400000000, fd = 0, u32 = 0, u64 = 85899345920}}, {events = 0, data = {ptr = 0x100000001, fd = 1, u32 = 1, u64 = 4294967297}}, {events = 60, data = {ptr = 0x9d00000093, fd = 147, u32 = 147, u64 = 674309865619}}, {events = 167, data = {ptr = 0xbb000000b1, fd = 177, u32 = 177, u64 = 803158884529}}, {events = 200, data 
= {ptr = 0xdc000000d2, fd = 210, u32 = 210, u64 = 944892805330}}, {events = 230, data = {ptr = 0xfa000000f0, fd = 240, u32 = 240, u64 = 1073741824240}}, {events = 74192, data = {ptr = 0x6020, fd = 24608, u32 = 24608, u64 = 24608}}, {events = 0, data = {ptr = 0x5567b2d96d90 <transaction_progress>, fd = -1294373488, u32 = 3000593808, u64 = 93903870586256}}, {events = 3000627630, data = {ptr = 0x300005567, fd = 21863, u32 = 21863, u64 = 12884923751}}, {events = 0, data = {ptr = 0x614000073a40, fd = 473664, u32 = 473664, u64 = 106927506274880}}, {events = 1503015200, data = {ptr = 0x21941b0001007f79, fd = 16809849, u32 = 16809849, u64 = 2419588586635558777}}, {events = 989349432, data = {ptr = 0x617000003f80, fd = 16256, u32 = 16256, u64 = 107133664247680}}, {events = 563354368, data = {ptr = 0x77cc83af84638, fd = 989349432, u32 = 989349432, u64 = 2107524261627448}}, {events = 24800, data = {ptr = 0x6100004b6a40, fd = 4942400, u32 = 4942400, u64 = 106652632836672}}}
        source = <optimized out>
        i = 0
        count = <optimized out>
        has_timers = <optimized out>
#25 0x00007f79599c0197 in wl_display_run (display=0x611000000e00) at ../wayland-1.21.0/src/wayland-server.c:1431
#26 0x00005567b2d6eef8 in server_run (server=<optimized out>) at ../sway/sway/server.c:306
        config_path = 0x0
        c = <optimized out>
        validate = false
        debug = false
        allow_unsupported_gpu = false
        verbose = false
#27 main (argc=<optimized out>, argv=<optimized out>) at ../sway/sway/main.c:411
        config_path = 0x0
        c = <optimized out>
        validate = false
        debug = false
        allow_unsupported_gpu = false
        verbose = false

baltitenger avatar Aug 17 '22 09:08 baltitenger

Got one with usable ASan now:

ASan output
=================================================================
==414==ERROR: AddressSanitizer: heap-use-after-free on address 0x612000048998 at pc 0x5606d6e216d0 bp 0x7ffee1fe3750 sp 0x7ffee1fe3740
READ of size 8 at 0x612000048998 thread T0
    #0 0x5606d6e216cf in seat_set_workspace_focus ../sway/sway/input/seat.c:1247
    #1 0x5606d6e72c68 in workspace_switch ../sway/sway/tree/workspace.c:602
    #2 0x5606d6e72c68 in cmd_workspace ../sway/sway/commands/workspace.c:237
    #3 0x5606d6e72c68 in cmd_workspace ../sway/sway/commands/workspace.c:125
    #4 0x5606d6decc83 in execute_command ../sway/sway/commands.c:294
    #5 0x5606d6e4a4ab in seat_execute_command ../sway/sway/commands/bind.c:632
    #6 0x5606d6e27d5a in handle_key_event ../sway/sway/input/keyboard.c:487
    #7 0x7faa223159cd in wlr_signal_emit_safe ../wlroots-git/util/signal.c:29
    #8 0x7faa222fea84 in wlr_keyboard_notify_key ../wlroots-git/types/wlr_keyboard.c:103
    #9 0x7faa223159cd in wlr_signal_emit_safe ../wlroots-git/util/signal.c:29
    #10 0x7faa222fea84 in wlr_keyboard_notify_key ../wlroots-git/types/wlr_keyboard.c:103
    #11 0x7faa222cb85b in handle_keyboard_key ../wlroots-git/backend/libinput/keyboard.c:54
    #12 0x7faa222cb85b in handle_libinput_event ../wlroots-git/backend/libinput/events.c:167
    #13 0x7faa222cb85b in handle_libinput_readable ../wlroots-git/backend/libinput/backend.c:58
    #14 0x7faa222cb85b in handle_libinput_readable ../wlroots-git/backend/libinput/backend.c:48
    #15 0x7faa2236c9e1 in wl_event_loop_dispatch (/usr/lib/libwayland-server.so.0+0xb9e1)
    #16 0x7faa2236d196 in wl_display_run (/usr/lib/libwayland-server.so.0+0xc196)
    #17 0x5606d6dddef7 in server_run ../sway/sway/server.c:306
    #18 0x5606d6dddef7 in main ../sway/sway/main.c:411
    #19 0x7faa220212cf  (/usr/lib/libc.so.6+0x232cf)
    #20 0x7faa22021389 in __libc_start_main (/usr/lib/libc.so.6+0x23389)
    #21 0x5606d6ddf1c4 in _start ../sysdeps/x86_64/start.S:115
0x612000048998 is located 88 bytes inside of 296-byte region [0x612000048940,0x612000048a68)
freed by thread T0 here:
    #0 0x7faa228be672 in __interceptor_free /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 0x5606d6e07673 in container_destroy ../sway/sway/tree/container.c:411
    #2 0x5606d6e07673 in container_destroy ../sway/sway/tree/container.c:385
    #3 0x5606d6e07673 in transaction_destroy ../sway/sway/desktop/transaction.c:74
    #4 0x5606d6e07673 in transaction_progress ../sway/sway/desktop/transaction.c:752
previously allocated by thread T0 here:
    #0 0x7faa228bf411 in __interceptor_calloc /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:77
    #1 0x5606d6e96483 in workspace_create ../sway/sway/tree/workspace.c:66
SUMMARY: AddressSanitizer: heap-use-after-free ../sway/sway/input/seat.c:1247 in seat_set_workspace_focus
Shadow bytes around the buggy address:
  0x0c24800010e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c24800010f0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c2480001100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2480001110: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c2480001120: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c2480001130: fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2480001140: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
  0x0c2480001150: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c2480001160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2480001170: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c2480001180: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==414==ABORTING
Backtrace
#9  0x00005606d6e216d0 in seat_set_workspace_focus (seat=0x616000007580, node=<optimized out>) at ../sway/sway/input/seat.c:1247
        view = <optimized out>
        last_focus = <optimized out>
        last_workspace = <optimized out>
        new_workspace = <optimized out>
        container = <optimized out>
        new_output = <optimized out>
        new_output_last_ws = <optimized out>
#10 0x00005606d6e72c69 in workspace_switch (workspace=0x612000211240) at ../sway/sway/tree/workspace.c:602
        seat = 0x616000007580
        next = <optimized out>
        auto_back_and_forth = <optimized out>
        seat = 0x616000007580
        ws = <optimized out>
        error = <optimized out>
        gaps_location = <optimized out>
        error = <optimized out>
#11 cmd_workspace (argv=<optimized out>, argc=2) at ../sway/sway/commands/workspace.c:237
        auto_back_and_forth = <optimized out>
        seat = 0x616000007580
        ws = <optimized out>
        error = <optimized out>
        gaps_location = <optimized out>
        error = <optimized out>
#12 cmd_workspace (argc=<optimized out>, argv=<optimized out>) at ../sway/sway/commands/workspace.c:125
        error = <optimized out>
#13 0x00005606d6decc84 in execute_command (_exec=<optimized out>, seat=0x616000007580, con=<optimized out>) at ../sway/sway/commands.c:294
        res = <optimized out>
        argv = 0x6060004559c0
        handler = <optimized out>
        cmd = <optimized out>
        containers = 0x0
        using_criteria = false
        exec = 0x6030009a8d00 "workspace number 1"
        res_list = 0x602000791250
        __PRETTY_FUNCTION__ = "execute_command"
#14 0x00005606d6e4a4ac in seat_execute_command (seat=0x616000007580, binding=0x6060000a34c0) at ../sway/sway/commands/bind.c:632
        con = <optimized out>
        res_list = <optimized out>
        success = <optimized out>
#15 0x00005606d6e27d5b in handle_key_event (keyboard=0x61a000021680, event=<optimized out>) at ../sway/sway/input/keyboard.c:487
        seat = 0x616000007580
        wlr_seat = 0x61800000c880
        wlr_device = <optimized out>
        device_identifier = 0x6030009a8d30 "0:0:wlr_keyboard_group"
        exact_identifier = <optimized out>
        input_inhibited = false
        sway_inhibitor = <optimized out>
        shortcuts_inhibited = false
        handled = <optimized out>
#16 0x00007faa223159ce in wlr_signal_emit_safe (signal=<optimized out>, data=0x7ffee1fe4020) at ../wlroots-git/util/signal.c:29
        pos = 0x60c000187010
        l = 0x60c000187010
        cursor = {link = {prev = 0x60c000187010, next = 0x7ffee1fe3ec0}, notify = 0x7faa22310120 <handle_noop>}
        end = {link = {prev = 0x7ffee1fe3ee0, next = 0x615000149038}, notify = 0x7faa22310120 <handle_noop>}
#17 0x00007faa222fea85 in wlr_keyboard_notify_key (keyboard=0x615000148f00, event=0x7ffee1fe4020) at ../wlroots-git/types/wlr_keyboard.c:103
        updated = <optimized out>
#18 0x00007faa223159ce in wlr_signal_emit_safe (signal=<optimized out>, data=0x7ffee1fe4020) at ../wlroots-git/util/signal.c:29
        pos = 0x60d0000e8988
        l = 0x60d0000e8988
        cursor = {link = {prev = 0x60d0000e8988, next = 0x61a0000294a8}, notify = 0x7faa22310120 <handle_noop>}
        end = {link = {prev = 0x61a0000294a8, next = 0x61a000028fc0}, notify = 0x7faa22310120 <handle_noop>}
#19 0x00007faa222fea85 in wlr_keyboard_notify_key (keyboard=0x61a000028e88, event=0x7ffee1fe4020) at ../wlroots-git/types/wlr_keyboard.c:103
        updated = <optimized out>
#20 0x00007faa222cb85c in handle_keyboard_key (kb=0x61a000028e88, event=0x604000454710) at ../wlroots-git/backend/libinput/keyboard.c:54
        kbevent = 0x604000454710
        wlr_event = {time_msec = 18942082, keycode = 2, update_state = true, state = WL_KEYBOARD_KEY_STATE_PRESSED}
        state = <optimized out>
        libinput_dev = 0x61c000025080
        dev = 0x61a000028e80
        event_type = <optimized out>
        event = 0x604000454710
        backend = <optimized out>
        ret = <optimized out>
#21 handle_libinput_event (event=0x604000454710, backend=0x60f000000400) at ../wlroots-git/backend/libinput/events.c:167
        libinput_dev = 0x61c000025080
        dev = 0x61a000028e80
        event_type = <optimized out>
        event = 0x604000454710
        backend = <optimized out>
        ret = <optimized out>
#22 handle_libinput_readable (fd=<optimized out>, mask=<optimized out>, _backend=<optimized out>) at ../wlroots-git/backend/libinput/backend.c:58
        event = 0x604000454710
        backend = <optimized out>
        ret = <optimized out>
#23 handle_libinput_readable (fd=<optimized out>, mask=<optimized out>, _backend=<optimized out>) at ../wlroots-git/backend/libinput/backend.c:48
        backend = <optimized out>
        ret = <optimized out>
#24 0x00007faa2236c9e2 in wl_event_loop_dispatch () at /usr/lib/libwayland-server.so.0
#25 0x00007faa2236d197 in wl_display_run () at /usr/lib/libwayland-server.so.0
#26 0x00005606d6dddef8 in server_run (server=<optimized out>) at ../sway/sway/server.c:306
        config_path = 0x0
        c = <optimized out>
        validate = false
        debug = false
        allow_unsupported_gpu = false
        verbose = false
#27 main (argc=<optimized out>, argv=<optimized out>) at ../sway/sway/main.c:411
        config_path = 0x0
        c = <optimized out>
        validate = false
        debug = false
        allow_unsupported_gpu = false
        verbose = false

Again, this seems pretty messed up, since that object was allocated in workspace_create and deallocated in container_destroy.

baltitenger avatar Aug 19 '22 14:08 baltitenger
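The two ASan reports above differ only in whether sway's own frames were symbolized, and the triage facts (what kind of error, which function touched the freed memory, where it was freed and allocated) are buried between interceptor frames and shadow-byte dumps. The following helper is an added example, not code from the sway project or from anyone in this thread: it parses reports in the shape pasted above and returns those facts, skipping ASan's `__interceptor_*` frames and reporting `None` for a stack that carries no symbols at all, as in the first report. The regular expressions assume the frame, access and region line formats visible in the thread; the two sample reports are constructed by trimming the quoted output.

```python
"""Triage helper for AddressSanitizer heap-use-after-free reports (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed samples, trimmed from the two reports quoted in this thread.
SYMBOLIZED_SAMPLE = """\
==414==ERROR: AddressSanitizer: heap-use-after-free on address 0x612000048998 at pc 0x5606d6e216d0 bp 0x7ffee1fe3750 sp 0x7ffee1fe3740
READ of size 8 at 0x612000048998 thread T0
    #0 0x5606d6e216cf in seat_set_workspace_focus ../sway/sway/input/seat.c:1247
    #1 0x5606d6e72c68 in workspace_switch ../sway/sway/tree/workspace.c:602
0x612000048998 is located 88 bytes inside of 296-byte region [0x612000048940,0x612000048a68)
freed by thread T0 here:
    #0 0x7faa228be672 in __interceptor_free /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 0x5606d6e07673 in container_destroy ../sway/sway/tree/container.c:411
previously allocated by thread T0 here:
    #0 0x7faa228bf411 in __interceptor_calloc /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:77
    #1 0x5606d6e96483 in workspace_create ../sway/sway/tree/workspace.c:66
SUMMARY: AddressSanitizer: heap-use-after-free ../sway/sway/input/seat.c:1247 in seat_set_workspace_focus
"""

UNSYMBOLIZED_SAMPLE = """\
==409==ERROR: AddressSanitizer: heap-use-after-free on address 0x61200005fa98 at pc 0x5567b2db26d0 bp 0x7fff9a3b29a0 sp 0x7fff9a3b2990
READ of size 8 at 0x61200005fa98 thread T0
    #0 0x5567b2db26cf  (/usr/bin/sway+0x836cf)
0x61200005fa98 is located 88 bytes inside of 296-byte region [0x61200005fa40,0x61200005fb68)
freed by thread T0 here:
    #0 0x7f7959ebe672 in __interceptor_free /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 0x5567b2d98673  (/usr/bin/sway+0x69673)
previously allocated by thread T0 here:
    #0 0x7f7959ebf411 in __interceptor_calloc /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:77
    #1 0x5567b2e27483  (/usr/bin/sway+0xf8483)
"""

# Symbolized frame: "#1 0x... in container_destroy ../sway/sway/tree/container.c:411"
# Unsymbolized frame: "#1 0x...  (/usr/bin/sway+0x69673)"
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+(?:in\s+(\S+)\s+(\S+)|\((\S+)\))")
ERROR_RE = re.compile(r"AddressSanitizer: (\S+) on address (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-fA-F]+)")
REGION_RE = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region")


@dataclass
class Frame:
    index: int
    function: Optional[str]  # None when the binary carried no symbols
    location: str            # "file:line" or "binary+offset"


@dataclass
class AsanReport:
    kind: str = ""
    address: str = ""
    access: Optional[Tuple[str, int]] = None  # e.g. ("READ", 8)
    offset: Optional[int] = None              # bytes into the freed region
    region_size: Optional[int] = None
    stacks: Dict[str, List[Frame]] = field(default_factory=dict)


def parse_asan_report(text: str) -> AsanReport:
    """Walk the report line by line, switching between the access, freed and
    allocated stacks as the section headers go by."""
    report = AsanReport()
    current: Optional[str] = None
    for line in text.splitlines():
        m = ERROR_RE.search(line)
        if m:
            report.kind, report.address = m.group(1), m.group(2)
            continue
        m = ACCESS_RE.match(line)
        if m:
            report.access = (m.group(1), int(m.group(2)))
            current = "access"
            report.stacks[current] = []
            continue
        m = REGION_RE.search(line)
        if m:
            report.offset, report.region_size = int(m.group(1)), int(m.group(2))
            current = None
            continue
        if line.startswith("freed by thread"):
            current = "freed"
            report.stacks[current] = []
            continue
        if line.startswith("previously allocated by thread"):
            current = "allocated"
            report.stacks[current] = []
            continue
        m = FRAME_RE.match(line)
        if m and current:
            idx, func, loc, unsym = m.groups()
            report.stacks[current].append(Frame(int(idx), func, loc if func else unsym))
    return report


def first_app_frame(frames: List[Frame]) -> Optional[Frame]:
    """Skip ASan's own interceptor frames and return the first symbolized one,
    or None if the stack has no symbols (the 'didn't find the debug symbols' case)."""
    for f in frames:
        if f.function and not f.function.startswith("__interceptor_"):
            return f
    return None


def triage(text: str) -> dict:
    """Reduce a report to the facts a triager wants to compare across crashes."""
    r = parse_asan_report(text)
    out = {"kind": r.kind, "access": r.access, "offset": r.offset, "region_size": r.region_size}
    for stack, key in (("access", "access_site"), ("freed", "freed_in"), ("allocated", "allocated_in")):
        f = first_app_frame(r.stacks.get(stack, []))
        out[key] = (f.function, f.location) if f else None
    return out


if __name__ == "__main__":
    for sample in (SYMBOLIZED_SAMPLE, UNSYMBOLIZED_SAMPLE):
        print(triage(sample))
```

On the symbolized report this yields the same facts the comment above states by hand: an 8-byte read at offset 88 of a 296-byte region allocated in `workspace_create` and freed in `container_destroy`, with the access in `seat_set_workspace_focus`. On the unsymbolized report the three site fields come back `None`, which is the signal to rebuild with debug symbols (or run the binary through a symbolizer) before reading further.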

Can you try again with latest Sway + wlroots commits?

emersion avatar Dec 05 '22 11:12 emersion

Well, I have had no crashes since https://github.com/swaywm/sway/commit/6e023257e8e9a6673fc3ff69048cdaf8baa70044. So unless other people have had the same issue, I think it can be closed.

nurelin avatar Dec 14 '22 21:12 nurelin