From ffd37b664f6fbb01d6be44411b3117c88ee61fe2 Mon Sep 17 00:00:00 2001 From: Dominique Martinet Date: Mon, 25 Jun 2018 07:35:13 +0900 Subject: [PATCH] xdg_shell: destroy children popups with parent surface popups have a link in parent's surface->popups list and needs to be freed before: ==6902==ERROR: AddressSanitizer: heap-use-after-free on address 0x6120001a0300 at pc 0x7fc1447acb50 bp 0x7fffd396e680 sp 0x7fffd396e670 WRITE of size 8 at 0x6120001a0300 thread T0 #0 0x7fc1447acb4f in wl_list_remove ../util/signal.c:55 #1 0x7fc14477d206 in destroy_xdg_popup_v6 ../types/xdg_shell_v6/wlr_xdg_popup_v6.c:162 #2 0x7fc1447816e0 in destroy_xdg_surface_v6 ../types/xdg_shell_v6/wlr_xdg_surface_v6.c:108 #3 0x7fc144a1c025 in destroy_resource src/wayland-server.c:688 #4 0x7fc144a1c091 in wl_resource_destroy src/wayland-server.c:705 #5 0x7fc14477fd6f in xdg_client_v6_handle_resource_destroy ../types/xdg_shell_v6/wlr_xdg_shell_v6.c:72 #6 0x7fc144a1c025 in destroy_resource src/wayland-server.c:688 #7 0x7fc144a20851 (/lib64/libwayland-server.so.0+0xc851) #8 0x7fc144a20d92 (/lib64/libwayland-server.so.0+0xcd92) #9 0x7fc144a1c140 in wl_client_destroy src/wayland-server.c:847 #10 0x7fc144a1c21c in destroy_client_with_error src/wayland-server.c:307 #11 0x7fc144a1c21c in wl_client_connection_data src/wayland-server.c:330 #12 0x7fc144a1df01 in wl_event_loop_dispatch src/event-loop.c:641 #13 0x7fc144a1c601 in wl_display_run src/wayland-server.c:1260 #14 0x40a2f4 in main ../sway/main.c:433 #15 0x7fc143ef718a in __libc_start_main ../csu/libc-start.c:308 #16 0x40b749 in _start (/opt/wayland/bin/sway+0x40b749) 0x6120001a0300 is located 64 bytes inside of 264-byte region [0x6120001a02c0,0x6120001a03c8) freed by thread T0 here: #0 0x7fc14690d880 in __interceptor_free (/lib64/libasan.so.5+0xee880) #1 0x7fc1447acce8 in wlr_signal_emit_safe ../util/signal.c:29 #2 0x7fc1447a3cac in surface_handle_resource_destroy ../types/wlr_surface.c:576 #3 0x7fc144a1c025 in destroy_resource src/wayland-server.c:688 previously allocated by thread T0 here: #0 0x7fc14690de50 in calloc (/lib64/libasan.so.5+0xeee50) #1 0x7fc144781d38 in create_xdg_surface_v6 ../types/xdg_shell_v6/wlr_xdg_surface_v6.c:415 #2 0x7fc14147503d in ffi_call_unix64 (/lib64/libffi.so.6+0x603d) Alternative would be to have popups listen to the parent's surface destroy event and remove themselves from the list at this point OR on their own destroy, whichever happens first, but that seems more complicated for little benefit. --- types/xdg_shell/wlr_xdg_surface.c | 6 ++++++ types/xdg_shell_v6/wlr_xdg_surface_v6.c | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/types/xdg_shell/wlr_xdg_surface.c b/types/xdg_shell/wlr_xdg_surface.c index c5d177b2..6931b92f 100644 --- a/types/xdg_shell/wlr_xdg_surface.c +++ b/types/xdg_shell/wlr_xdg_surface.c @@ -415,6 +415,12 @@ void destroy_xdg_surface(struct wlr_xdg_surface *surface) { wlr_signal_emit_safe(&surface->events.destroy, surface); + struct wlr_xdg_popup *popup_state, *next; + wl_list_for_each_safe(popup_state, next, &surface->popups, link) { + xdg_popup_send_popup_done(popup_state->resource); + destroy_xdg_popup(popup_state->base); + } + switch (surface->role) { case WLR_XDG_SURFACE_ROLE_TOPLEVEL: destroy_xdg_toplevel(surface); diff --git a/types/xdg_shell_v6/wlr_xdg_surface_v6.c b/types/xdg_shell_v6/wlr_xdg_surface_v6.c index e111adad..7343906f 100644 --- a/types/xdg_shell_v6/wlr_xdg_surface_v6.c +++ b/types/xdg_shell_v6/wlr_xdg_surface_v6.c @@ -100,6 +100,12 @@ void destroy_xdg_surface_v6(struct wlr_xdg_surface_v6 *surface) { wlr_signal_emit_safe(&surface->events.destroy, surface); + struct wlr_xdg_popup_v6 *popup_state, *next; + wl_list_for_each_safe(popup_state, next, &surface->popups, link) { + zxdg_popup_v6_send_popup_done(popup_state->resource); + destroy_xdg_popup_v6(popup_state->base); + } + switch (surface->role) { case WLR_XDG_SURFACE_V6_ROLE_TOPLEVEL: destroy_xdg_toplevel_v6(surface);