Closed Bug 1570612 Opened 5 years ago Closed 1 year ago

Crash in [@ gdk_broadway_get_last_seen_time] with use-after-free

Categories

(Core :: Widget: Gtk, defect)

Unspecified
Linux
defect

RESOLVED WORKSFORME

People

(Reporter: decoder, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-uaf, sec-moderate)

Crash Data

This bug is for crash report bp-93433b1e-7b1a-4d20-a038-faee50190729.

Top 10 frames of crashing thread:

0 libgdk-3.so.0.2404.4 gdk_broadway_get_last_seen_time 
1 libffi.so.6.0.4 libffi.so.6.0.4@0x681d 
2 libffi.so.6.0.4 libffi.so.6.0.4@0x61ee 
3 libxul.so _fini 
4 libgdk-3.so.0.2404.4 gdk_broadway_get_last_seen_time 
5 libwayland-client.so.0.3.0 wl_array_copy 
6 libgdk-3.so.0.2404.4 gdk_wayland_window_set_transient_for_exported 
7 libwayland-client.so.0.3.0 wl_log_set_handler_client 
8 libwayland-client.so.0.3.0 libwayland-client.so.0.3.0@0x5968 
9 libwayland-client.so.0.3.0 wl_display_dispatch_queue_pending 

This is a PHC report, manually symbolized PHC stacks:

Free stack:

#0    gdk_window_geometry_changed
#1    gdk_broadway_get_last_seen_time
#2    (missing symbols for module libffi.so.6.0.4)
#3    (missing symbols for module libffi.so.6.0.4)
#4    wl_log_set_handler_client
#5    ??? (unresolved symbol in libwayland-client.so.0.3.0)
#6    wl_display_dispatch_queue_pending
#7    gdk_wayland_display_query_registry
#8    gdk_display_get_event
#9    gdk_wayland_display_query_registry
#10    g_main_context_dispatch
#11    g_main_context_dispatch
#12    g_main_context_iteration
#13    nsBaseAppShell::OnProcessNextEvent(nsIThreadInternal*, bool)
    in file hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:1416771db267f77fa6bd28b2eaa214a706427f55 line 259
#14    nsThread::ProcessNextEvent(bool, bool*)
    in file hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:1416771db267f77fa6bd28b2eaa214a706427f55 line 1120
#15    <name omitted>
    in file hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:1416771db267f77fa6bd28b2eaa214a706427f55 line 486
Alloc stack:

#0    <name omitted>
    in file hg:hg.mozilla.org/mozilla-central:memory/build/malloc_decls.h:1416771db267f77fa6bd28b2eaa214a706427f55 line 38
#1    g_malloc
#2    g_slice_alloc
#3    g_slice_alloc0
#4    gdk_event_new
#5    gdk_broadway_get_last_seen_time
#6    gdk_broadway_get_last_seen_time
#7    (missing symbols for module libffi.so.6.0.4)
#8    (missing symbols for module libffi.so.6.0.4)
#9    wl_log_set_handler_client
#10    ??? (unresolved symbol in libwayland-client.so.0.3.0)
#11    wl_display_dispatch_queue_pending
#12    gdk_wayland_display_query_registry
#13    gdk_display_get_event
#14    gdk_wayland_display_query_registry
#15    g_main_context_dispatch

Judging from the stacks, this could be a bug in GDK, in particular in gdk_broadway_get_last_seen_time where an event is used after it was freed in gdk_window_geometry_changed.

Component: Other → Widget: Gtk
Product: External Software Affecting Firefox → Core

I happen to have the same version of ubuntu installed as the bug reporter, so I can symbolize some of the things that are ??? in the stack trace from comment 0. I hope it helps.

Free stack:

#0    gdk_window_geometry_changed (libgdk-3.so.0.2404.4 +0x4f798)
      gdk_windowing_got_event ./debian/build/deb/gdk/../../../../gdk/gdkwindow.c:10101
#1    gdk_broadway_get_last_seen_time (libgdk-3.so.0.2404.4 +0x8bd0f)
      gdk_wayland_tablet_flush_frame_event ./debian/build/deb/gdk/wayland/../../../../../gdk/wayland/gdkdevice-wayland.c:3507
#2    ffi_call_unix64 in ./build/../src/x86/unix64.S:79 (libffi.so.6.0.4 0x681e)
#3    ffi_call in ./build/../src/x86/ffi64.c:527 (libffi.so.6.0.4 0x61ef)
#4    wl_closure_invoke in ./build/../src/connection.c:1008 (wl_log_set_handler_client (libwayland-client.so.0.3.0 +0x912d))
#5    dispatch_event in ./build/../src/wayland-client.c:1427 (libwayland-client.so.0.3.0 +0x5969)
#6    dispatch_queue in ./build/../src/wayland-client.c:1574 (wl_display_dispatch_queue_pending (libwayland-client.so.0.3.0 +0x6e34))
#7    gdk_wayland_display_query_registry (libgdk-3.so.0.2404.4 +0x949a4)
#8    gdk_display_get_event (libgdk-3.so.0.2404.4 +0x34ad0)
#9    gdk_wayland_display_query_registry (libgdk-3.so.0.2404.4 +0x946c2)
#10    g_main_context_dispatch (libglib-2.0.so.0.6000.4 +0x4e9ee)
#11    g_main_context_dispatch (libglib-2.0.so.0.6000.4 +0x4ec88)
#12    g_main_context_iteration (libglib-2.0.so.0.6000.4 +0x4ed1c)
#13    nsBaseAppShell::OnProcessNextEvent(nsIThreadInternal*, bool)
    in file hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:1416771db267f77fa6bd28b2eaa214a706427f55 line 259
#14    nsThread::ProcessNextEvent(bool, bool*)
    in file hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:1416771db267f77fa6bd28b2eaa214a706427f55 line 1120
#15    <name omitted>
    in file hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:1416771db267f77fa6bd28b2eaa214a706427f55 line 486
Alloc stack:

#0    <name omitted>
    in file hg:hg.mozilla.org/mozilla-central:memory/build/malloc_decls.h:1416771db267f77fa6bd28b2eaa214a706427f55 line 38
#1    g_malloc (libglib-2.0.so.0.6000.4 +0x544e1)
#2    g_slice_alloc (libglib-2.0.so.0.6000.4 +0x6c583)
#3    g_slice_alloc0 (libglib-2.0.so.0.6000.4 +0x6cbb9)
#4    gdk_event_new (libgdk-3.so.0.2404.4 +0x39b60)
#5    gdk_broadway_get_last_seen_time (libgdk-3.so.0.2404.4 +0x8be22)
#6    gdk_broadway_get_last_seen_time (libgdk-3.so.0.2404.4 +0x8c09d)
#7    (missing symbols for module libffi.so.6.0.4)
#8    (missing symbols for module libffi.so.6.0.4)
#9    wl_log_set_handler_client (libwayland-client.so.0.3.0 +0x912d)
#10    dispatch_event in ./build/../src/wayland-client.c:1427 (libwayland-client.so.0.3.0 +0x5969)
#11    wl_display_dispatch_queue_pending (libwayland-client.so.0.3.0 +0x6e34)
#12    gdk_wayland_display_query_registry (libgdk-3.so.0.2404.4 +0x949a4)
#13    gdk_display_get_event (libgdk-3.so.0.2404.4 +0x34ad0)
#14    gdk_wayland_display_query_registry (libgdk-3.so.0.2404.4 +0x946c2)
#15    g_main_context_dispatch (libglib-2.0.so.0.6000.4 +0x4e9ee)
Group: core-security → dom-core-security
Severity: critical → S2
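
The two stacks above show why the unsymbolized report is misleading: a stripped libgdk exports only a handful of names, so the crash reporter labels every address with the nearest preceding exported symbol, which is how a Broadway backend function (`gdk_broadway_get_last_seen_time`) ends up in a pure Wayland stack. Re-running the "(module +0xoffset)" pairs through addr2line with the distribution's debug symbols gives the real frames (`gdk_windowing_got_event`, `gdk_wayland_tablet_flush_frame_event`). The script below is an added example, not part of this bug or of any Mozilla tooling; it parses frame lines in the format printed above (the sample input is constructed from them) and builds one addr2line call per module. The library directory is an assumption you pass in; addr2line locates a separate -dbgsym file through the build-id or `.gnu_debuglink` when the debug package is installed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input in the shape of the PHC frames above (not a live
# report): "#N  symbol [in file:line] (module +0xoffset)" and
# "#N  (missing symbols for module X)".
SAMPLE_FREE_STACK = """\
#0    gdk_window_geometry_changed (libgdk-3.so.0.2404.4 +0x4f798)
#1    gdk_broadway_get_last_seen_time (libgdk-3.so.0.2404.4 +0x8bd0f)
#2    (missing symbols for module libffi.so.6.0.4)
#4    wl_closure_invoke in ./build/../src/connection.c:1008 (wl_log_set_handler_client (libwayland-client.so.0.3.0 +0x912d))
#5    dispatch_event in ./build/../src/wayland-client.c:1427 (libwayland-client.so.0.3.0 +0x5969)
#13    nsBaseAppShell::OnProcessNextEvent(nsIThreadInternal*, bool)
"""

FRAME_RE = re.compile(r"^#(?P<idx>\d+)\s+(?P<rest>.*)$")
# Breakpad-style "(module +0xoffset)": the offset is relative to the module's
# load address, which is what addr2line expects for a PIC shared object whose
# first PT_LOAD segment starts at vaddr 0 (check with `readelf -l`).
MODOFF_RE = re.compile(r"\((?P<mod>[\w.+-]+)\s+\+0x(?P<off>[0-9a-fA-F]+)\)")
MISSING_RE = re.compile(r"\(missing symbols for module (?P<mod>[\w.+-]+)\)")
LOCATION_RE = re.compile(r"\sin\s(?P<loc>\S+:\d+)")
# The symbol text ends at " in <file>" or at the first " (" group.
SYMBOL_SPLIT_RE = re.compile(r"\s+(?:in\s|\()")


@dataclass
class Frame:
    index: int
    symbol: Optional[str]    # what the report printed; may be a nearest-export guess
    location: Optional[str]  # file:line, only present once real debug info was used
    module: Optional[str]
    offset: Optional[int]    # None when the report carried no module offset

    def needs_symbolizing(self) -> bool:
        return self.module is not None and self.offset is not None


def parse_frames(text: str) -> List[Frame]:
    """Parse PHC/Breakpad-style frame lines into Frame records."""
    frames: List[Frame] = []
    for raw in text.splitlines():
        m = FRAME_RE.match(raw.strip())
        if not m:
            continue  # "in file ..." continuation lines and blanks are skipped
        rest = m.group("rest")
        symbol = None if rest.startswith("(") else SYMBOL_SPLIT_RE.split(rest, 1)[0]
        loc = LOCATION_RE.search(rest)
        mo = MODOFF_RE.search(rest)
        module = offset = None
        if mo:
            module, offset = mo.group("mod"), int(mo.group("off"), 16)
        else:
            miss = MISSING_RE.search(rest)
            if miss:
                module = miss.group("mod")
        frames.append(Frame(int(m.group("idx")), symbol,
                            loc.group("loc") if loc else None, module, offset))
    return frames


def addr2line_commands(frames: List[Frame], libdir: str) -> Dict[str, str]:
    """Build one addr2line invocation per module, passing all of its offsets.

    libdir is an assumption about where the distro's copies of the libraries
    live (e.g. /usr/lib/x86_64-linux-gnu on Debian/Ubuntu). Frames without a
    module offset cannot be resolved this way and are skipped.
    """
    by_module: Dict[str, List[int]] = {}
    for f in frames:
        if f.needs_symbolizing():
            by_module.setdefault(f.module, []).append(f.offset)
    return {
        mod: "addr2line -f -C -i -e %s/%s %s"
             % (libdir, mod, " ".join("0x%x" % o for o in offs))
        for mod, offs in by_module.items()
    }


if __name__ == "__main__":
    parsed = parse_frames(SAMPLE_FREE_STACK)
    for f in parsed:
        print(f)
    for cmd in addr2line_commands(parsed, "/usr/lib/x86_64-linux-gnu").values():
        print(cmd)
```

Run the printed commands on a machine with the same library builds as the reporter (the version suffix in the module name, e.g. `0.2404.4`, is the check that they match); `-i` also prints inlined callers, which is what turns the single `gdk_window_geometry_changed` hit into the `gdk_windowing_got_event` line shown in the symbolized free stack.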

We have not seen any reports for a year.

Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → WORKSFORME
Group: dom-core-security