This repository has been archived by the owner on Nov 1, 2021. It is now read-only.

SEGV on wlr_output_destroy #3284

Open
KenMacD opened this issue Oct 20, 2021 · 6 comments · Fixed by #3301

Comments

@KenMacD

KenMacD commented Oct 20, 2021

From sway 1.6.1

00:00:00.000 [INFO] [sway/main.c:349] Sway version 1.6.1
00:00:00.000 [INFO] [sway/main.c:350] wlroots version 0.14.1
...
00:01:34.090 [DEBUG] [wlr] [backend/session/session.c:153] udev event for card0 (change)
00:01:34.090 [DEBUG] [wlr] [backend/session/session.c:182] DRM device card0 changed
00:01:34.090 [DEBUG] [wlr] [backend/drm/backend.c:145] /dev/dri/card0 invalidated
00:01:34.090 [INFO] [wlr] [backend/drm/drm.c:1297] Scanning DRM connectors on /dev/dri/card0
00:01:34.334 [INFO] [wlr] [backend/drm/drm.c:1499] 'DP-4' disappeared
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1771470==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7f17f6b16f27 bp 0x7ffe1f489cb0 sp 0x7ffe1f489c88 T0)
==1771470==The signal is caused by a WRITE memory access.
==1771470==Hint: address points to the zero page.
    #0 0x7f17f6b16f27 in wl_list_remove (/nix/store/irv0iagrl3c583m4niizcsbpxqf2l2iw-wayland-1.19.0/lib/libwayland-server.so.0+0xdf27)
    #1 0x7f17f6a10781 in wlr_output_destroy /build/source/build/../types/wlr_output.c:393:2
    #2 0x7f17f69a30e9 in disconnect_drm_connector /build/source/build/../backend/drm/drm.c:1647:2
    #3 0x7f17f69a32ad in destroy_drm_connector /build/source/build/../backend/drm/drm.c:1653:2
    #4 0x7f17f69a2cbb in scan_drm_connectors /build/source/build/../backend/drm/drm.c:1500:3
    #5 0x7f17f699cf3b in handle_dev_change /build/source/build/../backend/drm/backend.c:146:2
    #6 0x7f17f6a3452e in wlr_signal_emit_safe /build/source/build/../util/signal.c:29:3
    #7 0x7f17f69cfa6a in handle_udev_event /build/source/build/../backend/session/session.c
    #8 0x7f17f6b14491 in wl_event_loop_dispatch (/nix/store/irv0iagrl3c583m4niizcsbpxqf2l2iw-wayland-1.19.0/lib/libwayland-server.so.0+0xb491)
    #9 0x7f17f6b12134 in wl_display_run (/nix/store/irv0iagrl3c583m4niizcsbpxqf2l2iw-wayland-1.19.0/lib/libwayland-server.so.0+0x9134)
    #10 0x51ffe7 in server_run /build/source/build/../sway/server.c:254:2
    #11 0x51e153 in main /build/source/build/../sway/main.c:435:2
    #12 0x7f17f668c77f in __libc_start_main (/nix/store/mij848h2x5wiqkwhg027byvmf9x3gx7y-glibc-2.33-50/lib/libc.so.6+0x2777f)
    #13 0x42d559 in _start /build/glibc-2.33/csu/../sysdeps/x86_64/start.S:120

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/nix/store/irv0iagrl3c583m4niizcsbpxqf2l2iw-wayland-1.19.0/lib/libwayland-server.so.0+0xdf27) in wl_list_remove
==1771470==ABORTING

log lines from wlr


wlroots has migrated to gitlab.freedesktop.org. This issue has been moved to:

https://gitlab.freedesktop.org/wlroots/wlroots/-/issues/3284

@emersion
Member

Please try master.

@KenMacD
Author

KenMacD commented Oct 21, 2021

  • sway: 215787e8b28d4e52d97bdcadd4b64305c7a62ac5
  • wlroots: 3dc99ed
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2808924==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7f749eadbf27 bp 0x7ffd0c29ce90 sp 0x7ffd0c29ce68 T0)
==2808924==The signal is caused by a WRITE memory access.
==2808924==Hint: address points to the zero page.
    #0 0x7f749eadbf27 in wl_list_remove (/nix/store/irv0iagrl3c583m4niizcsbpxqf2l2iw-wayland-1.19.0/lib/libwayland-server.so.0+0xdf27)
    #1 0x7f749e9b976c in wlr_output_destroy /build/source/build/../types/wlr_output.c:395:2
    #2 0x7f749e945f49 in disconnect_drm_connector /build/source/build/../backend/drm/drm.c:1503:2
    #3 0x7f749e944c00 in scan_drm_connectors /build/source/build/../backend/drm/drm.c:1377:4
    #4 0x7f749e93f8cb in handle_dev_change /build/source/build/../backend/drm/backend.c:138:2
    #5 0x7f749e9e214e in wlr_signal_emit_safe /build/source/build/../util/signal.c:29:3
    #6 0x7f749e972bda in handle_udev_event /build/source/build/../backend/session/session.c
    #7 0x7f749ead9491 in wl_event_loop_dispatch (/nix/store/irv0iagrl3c583m4niizcsbpxqf2l2iw-wayland-1.19.0/lib/libwayland-server.so.0+0xb491)
    #8 0x7f749ead7134 in wl_display_run (/nix/store/irv0iagrl3c583m4niizcsbpxqf2l2iw-wayland-1.19.0/lib/libwayland-server.so.0+0x9134)
    #9 0x51fcf7 in server_run /build/source/build/../sway/server.c:285:2
    #10 0x51dc8e in main /build/source/build/../sway/main.c:398:2
    #11 0x7f749e60877f in __libc_start_main (/nix/store/mij848h2x5wiqkwhg027byvmf9x3gx7y-glibc-2.33-50/lib/libc.so.6+0x2777f)
    #12 0x42d5f9 in _start /build/glibc-2.33/csu/../sysdeps/x86_64/start.S:120

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/nix/store/irv0iagrl3c583m4niizcsbpxqf2l2iw-wayland-1.19.0/lib/libwayland-server.so.0+0xdf27) in wl_list_remove
==2808924==ABORTING

@KenMacD
Author

KenMacD commented Oct 25, 2021

Recompiled with ASAN on for wayland to generate more info:

==7807==ERROR: AddressSanitizer: heap-use-after-free on address 0x618000009554 at pc 0x7fd88f164478 bp 0x7ffc10e829a0 sp 0x7ffc10e82998
READ of size 1 at 0x618000009554 thread T0
    #0 0x7fd88f164477 in frame_handle_copy /build/source/build/../types/wlr_screencopy_v1.c:357:15
    #1 0x7fd88e500869 in ffi_call_unix64 (/nix/store/2z8hacx9dphisbf7syd9hvkiw4578r23-libffi-3.4.2/lib/libffi.so.8+0x7869)
    #2 0x7fd88e4ff9c1 in ffi_call_int (/nix/store/2z8hacx9dphisbf7syd9hvkiw4578r23-libffi-3.4.2/lib/libffi.so.8+0x69c1)
    #3 0x7fd88f28be56 in wl_closure_invoke (/nix/store/5xfjzm1v773759gl7gkd8yi3yifzra9b-wayland-1.19.0/lib/libwayland-server.so.0+0x21e56)
    #4 0x7fd88f27dc25 in wl_client_connection_data (/nix/store/5xfjzm1v773759gl7gkd8yi3yifzra9b-wayland-1.19.0/lib/libwayland-server.so.0+0x13c25)
    #5 0x7fd88f283c8a in wl_event_source_fd_dispatch (/nix/store/5xfjzm1v773759gl7gkd8yi3yifzra9b-wayland-1.19.0/lib/libwayland-server.so.0+0x19c8a)
    #6 0x7fd88f286945 in wl_event_loop_dispatch (/nix/store/5xfjzm1v773759gl7gkd8yi3yifzra9b-wayland-1.19.0/lib/libwayland-server.so.0+0x1c945)
    #7 0x7fd88f27facf in wl_display_run (/nix/store/5xfjzm1v773759gl7gkd8yi3yifzra9b-wayland-1.19.0/lib/libwayland-server.so.0+0x15acf)
    #8 0x51fcf7 in server_run /build/source/build/../sway/server.c:285:2
    #9 0x51dc8e in main /build/source/build/../sway/main.c:398:2
    #10 0x7fd88eda477f in __libc_start_main (/nix/store/mij848h2x5wiqkwhg027byvmf9x3gx7y-glibc-2.33-50/lib/libc.so.6+0x2777f)
    #11 0x42d5f9 in _start /build/glibc-2.33/csu/../sysdeps/x86_64/start.S:120

0x618000009554 is located 212 bytes inside of 864-byte region [0x618000009480,0x6180000097e0)
freed by thread T0 here:
    #0 0x4d07ef in __interceptor_free (/nix/store/kckrd4bvbwp5532sb44d3n3jc0j7acgy-sway-unwrapped-215787e8b28d4e52d97bdcadd4b64305c7a62ac5/bin/sway+0x4d07ef)
    #1 0x7fd88f0e2121 in destroy_drm_connector /build/source/build/../backend/drm/drm.c:1512:2
    #2 0x7fd88f0e1afb in scan_drm_connectors /build/source/build/../backend/drm/drm.c:1397:3
    #3 0x7fd88f0db8cb in handle_dev_change /build/source/build/../backend/drm/backend.c:138:2
    #4 0x7fd88f17e14e in wlr_signal_emit_safe /build/source/build/../util/signal.c:29:3
    #5 0x7fd88f10ebda in handle_udev_event /build/source/build/../backend/session/session.c
    #6 0x7fd88f283c8a in wl_event_source_fd_dispatch (/nix/store/5xfjzm1v773759gl7gkd8yi3yifzra9b-wayland-1.19.0/lib/libwayland-server.so.0+0x19c8a)
    #7 0x7fd88f286945 in wl_event_loop_dispatch (/nix/store/5xfjzm1v773759gl7gkd8yi3yifzra9b-wayland-1.19.0/lib/libwayland-server.so.0+0x1c945)
    #8 0x7fd88f27facf in wl_display_run (/nix/store/5xfjzm1v773759gl7gkd8yi3yifzra9b-wayland-1.19.0/lib/libwayland-server.so.0+0x15acf)
    #9 0x51fcf7 in server_run /build/source/build/../sway/server.c:285:2
    #10 0x51dc8e in main /build/source/build/../sway/main.c:398:2
    #11 0x7fd88eda477f in __libc_start_main (/nix/store/mij848h2x5wiqkwhg027byvmf9x3gx7y-glibc-2.33-50/lib/libc.so.6+0x2777f)

previously allocated by thread T0 here:
    #0 0x4d0cb7 in calloc (/nix/store/kckrd4bvbwp5532sb44d3n3jc0j7acgy-sway-unwrapped-215787e8b28d4e52d97bdcadd4b64305c7a62ac5/bin/sway+0x4d0cb7)
    #1 0x7fd88f0e0787 in scan_drm_connectors /build/source/build/../backend/drm/drm.c:1226:15
    #2 0x7fd88f0db8cb in handle_dev_change /build/source/build/../backend/drm/backend.c:138:2
    #3 0x7fd88f17e14e in wlr_signal_emit_safe /build/source/build/../util/signal.c:29:3
    #4 0x7fd88f10ebda in handle_udev_event /build/source/build/../backend/session/session.c
    #5 0x7fd88f283c8a in wl_event_source_fd_dispatch (/nix/store/5xfjzm1v773759gl7gkd8yi3yifzra9b-wayland-1.19.0/lib/libwayland-server.so.0+0x19c8a)
    #6 0x7fd88f286945 in wl_event_loop_dispatch (/nix/store/5xfjzm1v773759gl7gkd8yi3yifzra9b-wayland-1.19.0/lib/libwayland-server.so.0+0x1c945)
    #7 0x7fd88f27facf in wl_display_run (/nix/store/5xfjzm1v773759gl7gkd8yi3yifzra9b-wayland-1.19.0/lib/libwayland-server.so.0+0x15acf)
    #8 0x51fcf7 in server_run /build/source/build/../sway/server.c:285:2
    #9 0x51dc8e in main /build/source/build/../sway/main.c:398:2
    #10 0x7fd88eda477f in __libc_start_main (/nix/store/mij848h2x5wiqkwhg027byvmf9x3gx7y-glibc-2.33-50/lib/libc.so.6+0x2777f)

SUMMARY: AddressSanitizer: heap-use-after-free /build/source/build/../types/wlr_screencopy_v1.c:357:15 in frame_handle_copy
Shadow bytes around the buggy address:
  0x0c307fff9250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c307fff9260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c307fff9270: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c307fff9280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c307fff9290: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c307fff92a0: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd
  0x0c307fff92b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c307fff92c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c307fff92d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c307fff92e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c307fff92f0: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==7807==ABORTING

emersion added a commit to emersion/wlroots that referenced this issue Oct 26, 2021
If the output is destroyed after capture_output but before
frame_handle_copy, it'll have a dangling output pointer. Add the
output destroy listener in capture_output.

Closes: swaywm#3284
@emersion
Member

Thanks, that's helpful. Does #3301 fix it?

@KenMacD
Author

KenMacD commented Oct 26, 2021

@emersion np! That PR appears to fix the last log I posted, but I'm still getting the first one (I thought they were the same, but I guess not). I'll see if there's any way to collect more info on the remaining issue.

@KenMacD
Author

KenMacD commented Oct 26, 2021

Okay, so disabling ASAN got me a coredump. In this case it looks like:

#0  0x00007f91169c3e37 in wl_list_remove (elm=0x2486858) at ../src/wayland-util.c:55
#1  0x00007f911709316d in wlr_output_destroy (output=0x24865c0) at ../subprojects/wlroots/types/output/output.c:385
#2  0x00007f911707206b in disconnect_drm_connector (conn=0x24865c0) at ../subprojects/wlroots/backend/drm/drm.c:1503
#3  0x00007f9117071e39 in scan_drm_connectors (drm=0x1a9da40) at ../subprojects/wlroots/backend/drm/drm.c:1377
#4  0x00007f911706e5b7 in handle_dev_change (listener=0x1a9db50, data=0x0) at ../subprojects/wlroots/backend/drm/backend.c:138
#5  0x00007f91170d908f in wlr_signal_emit_safe (signal=0x1a8b940, data=0x0) at ../subprojects/wlroots/util/signal.c:29
#6  0x00007f911708be86 in handle_udev_event (fd=6, mask=1, data=0x1a84820) at ../subprojects/wlroots/backend/session/session.c:183
#7  0x00007f91169c1096 in wl_event_source_fd_dispatch (source=0x0, ep=<optimized out>) at ../src/event-loop.c:112
#8  0x00007f91169c1d2c in wl_event_loop_dispatch (loop=0x1a7d8b0, timeout=<optimized out>, timeout@entry=-1) at ../src/event-loop.c:1027
#9  0x00007f91169bf905 in wl_display_run (display=0x1a7dc20) at ../src/wayland-server.c:1351
#10 0x0000000000421d65 in server_run (server=0x49e570 <server>) at ../sway/server.c:285
#11 0x0000000000420b33 in main (argc=2, argv=0x7ffed4438ad8) at ../sway/main.c:396

From some poking around through the frames it looks to me like the output is attempting to be cleaned up but was never initialized to begin with:

(gdb) frame 2
#2  0x00007f911707206b in disconnect_drm_connector (conn=0x24865c0) at ../subprojects/wlroots/backend/drm/drm.c:1503
1503		wlr_output_destroy(&conn->output);
(gdb) p &conn->output
$24 = (struct wlr_output *) 0x24865c0
(gdb) p conn->output.scale
$25 = 0

(all the other fields are \0 too, but from the wlr_output_init() method I saw scale was being set)

emersion added a commit that referenced this issue Oct 29, 2021
If the output is destroyed after capture_output but before
frame_handle_copy, it'll have a dangling output pointer. Add the
output destroy listener in capture_output.

Closes: #3284
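The two failure modes in this thread, as an added example in plain C that is not wlroots' or libwayland's code. Names such as `output_init`, `frame_capture`, `events_destroy` and the `all_outputs` list are stand-ins for the wlroots structures in the traces, and the `link.prev == NULL` guard in `output_destroy` is an assumption chosen for illustration, not the project's fix. The list helpers reproduce the stores `wl_list_remove()` makes, so a zeroed link (the calloc'd connector KenMacD inspected in gdb) would write through a NULL `prev`, which is the "WRITE ... zero page" at address 8 in the first ASan report; the frame keeps a pointer to an output that is destroyed and freed before the copy runs, which is the heap-use-after-free in the second report, and the destroy listener registered at capture time, as in the commit above, clears that pointer.

```c
#include <stddef.h>
#include <stdlib.h>

/* Minimal intrusive list with wl_list semantics (renamed so it cannot collide
 * with libwayland's real wl_list; illustrative code, not wlroots'). */
struct list { struct list *prev, *next; };

static void list_init(struct list *l) { l->prev = l; l->next = l; }

static void list_insert(struct list *l, struct list *elm) {
    elm->prev = l;
    elm->next = l->next;
    l->next = elm;
    elm->next->prev = elm;
}

/* Same stores as wl_list_remove(): on a zeroed link elm->prev is NULL and the
 * first store goes to address 8, the "WRITE ... zero page" in the ASan report. */
static void list_remove(struct list *elm) {
    elm->prev->next = elm->next;
    elm->next->prev = elm->prev;
    elm->prev = NULL;
    elm->next = NULL;
}

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

struct listener;
typedef void (*notify_fn)(struct listener *l, void *data);
struct listener { struct list link; notify_fn notify; };
struct signal { struct list listeners; };

/* Emit that tolerates a listener removing itself: next is cached first. */
static void signal_emit(struct signal *s, void *data) {
    struct list *pos = s->listeners.next;
    while (pos != &s->listeners) {
        struct list *next = pos->next;
        struct listener *l = container_of(pos, struct listener, link);
        l->notify(l, data);
        pos = next;
    }
}

/* Stand-in for wlr_output: a link in the backend's output list and a destroy signal. */
struct output { struct list link; struct signal events_destroy; float scale; };
static struct list all_outputs = { &all_outputs, &all_outputs };

static void output_init(struct output *o) {
    o->scale = 1.0f;                         /* the field seen still zeroed in gdb */
    list_init(&o->events_destroy.listeners);
    list_insert(&all_outputs, &o->link);
}

/* Returns 1 if torn down, 0 if refused. The NULL check is an assumed guard, not
 * wlroots' code: a calloc'd struct whose output_init() never ran has a zeroed
 * link, and so does a link removed once already, so both are refused instead of
 * writing through a NULL prev pointer. */
static int output_destroy(struct output *o) {
    if (o->link.prev == NULL) return 0;
    signal_emit(&o->events_destroy, o);
    list_remove(&o->link);
    return 1;
}

/* Stand-in for a screencopy frame: remembers the output at capture time and
 * reads it later, when the client asks for the copy. */
struct frame { struct output *output; struct listener output_destroy; };

static void frame_handle_output_destroy(struct listener *l, void *data) {
    (void)data;
    struct frame *f = container_of(l, struct frame, output_destroy);
    list_remove(&l->link);
    f->output = NULL;                        /* drop the dangling pointer */
}

/* The fix from the commit above, modelled: subscribe to the output's destroy
 * signal at capture time rather than only once the copy starts. */
static struct frame *frame_capture(struct output *o) {
    struct frame *f = calloc(1, sizeof(*f));
    f->output = o;
    f->output_destroy.notify = frame_handle_output_destroy;
    list_insert(&o->events_destroy.listeners, &f->output_destroy.link);
    return f;
}

/* frame_handle_copy equivalent: 0 on success, -1 if the output is gone. */
static int frame_copy(struct frame *f) {
    if (f->output == NULL) return -1;        /* output gone: fail, do not read it */
    return f->output->scale > 0.0f ? 0 : -1; /* this read would have been the UAF */
}

/* Scenario from the second ASan trace: capture, connector disappears (output
 * destroyed and freed), then the copy request arrives. */
static int scenario_output_gone_before_copy(void) {
    struct output *o = calloc(1, sizeof(*o));
    output_init(o);
    struct frame *f = frame_capture(o);
    output_destroy(o);
    free(o);                                 /* what destroy_drm_connector does */
    int rc = frame_copy(f);                  /* -1: no read through freed memory */
    free(f);
    return rc;
}

/* Scenario from the gdb session: a calloc'd connector whose output was never
 * initialised is torn down on the same "disappeared" path. */
static int scenario_uninitialised_output(void) {
    struct output *o = calloc(1, sizeof(*o));
    int rc = output_destroy(o);              /* 0: refused, no write to address 8 */
    free(o);
    return rc;
}

/* Normal order: the copy runs while the output is alive, destroy comes later. */
static int scenario_copy_then_destroy(void) {
    struct output *o = calloc(1, sizeof(*o));
    output_init(o);
    struct frame *f = frame_capture(o);
    int rc = frame_copy(f);                  /* 0: output still alive */
    if (output_destroy(o) != 1 || f->output != NULL) rc = -2;
    free(o);
    free(f);
    return rc;
}
```

Build it with `-fsanitize=address` and remove the `f->output == NULL` check or the listener registration to see ASan report the same `heap-use-after-free` shape as the trace above; remove the `link.prev == NULL` guard and call `scenario_uninitialised_output()` to reproduce the SEGV on address 8. The guard only helps because the frame's pointer is cleared before `free(o)`; testing a flag inside memory that has already been freed would itself be a use-after-free.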
@emersion emersion reopened this Oct 29, 2021