Crash in g_rw_lock_get_impl() via meta_seat_impl_query_state() due to seat_impl being NULL when logging out
Affected version
Fedora 39, GNOME 45.2 on Wayland. I haven't added any extensions.
Bug summary
gnome-shell crashed sometimes in g_rw_lock_get_impl when logging out. lock=0x78 in g_rw_lock_get_impl in frame 0 and rw_lock=0x78 in g_rw_lock_reader_lock in frame 1 looked like invalid pointers which might've been null plus an offset.
Core was generated by `/usr/bin/gnome-shell'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00007f277d989d94 in g_rw_lock_get_impl (lock=0x78) at ../glib/gthread-posix.c:468
468 pthread_rwlock_t *impl = g_atomic_pointer_get (&lock->p);
[Current thread is 1 (Thread 0x7f2721ffb6c0 (LWP 31261))]
(gdb) bt
#0 0x00007f277d989d94 in g_rw_lock_get_impl (lock=0x78) at ../glib/gthread-posix.c:468
#1 g_rw_lock_reader_lock (rw_lock=0x78) at ../glib/gthread-posix.c:624
#2 0x00007f277d3aa552 in meta_seat_impl_query_state
(modifiers=0x0, coords=0x7f2721ff9b08, sequence=0x0, device=<optimized out>, seat_impl=0x0)
at ../src/backends/native/meta-seat-impl.c:3222
#3 meta_seat_native_query_state
(seat=<optimized out>, device=0x564301ba1110, sequence=0x0, coords=0x7f2721ff9b08, modifiers=0x0)
at ../src/backends/native/meta-seat-native.c:364
#4 0x00007f277d3a2850 in meta_barrier_manager_native_process_in_impl
(y=0x7f2721ff9af8, x=0x7f2721ff9afc, time=18579510, device=0x564301ba1110, manager=0x564301b4fca0) at ../src/backends/native/meta-barrier-native.c:554
#5 constrain_to_barriers
(new_y=0x7f2721ff9af8, new_x=0x7f2721ff9afc, time=18579510, device=0x564301ba1110, seat_impl=0x564301b9ed10) at ../src/backends/native/meta-seat-impl.c:1105
#6 meta_seat_impl_constrain_pointer
(new_y=0x7f2721ff9af8, new_x=0x7f2721ff9afc, y=444.620209, x=<optimized out>, time_us=<optimized out>, core_pointer=0x564301ba1110, seat_impl=0x564301b9ed10)
at ../src/backends/native/meta-seat-impl.c:1174
#7 constrain_coordinates
(seat_impl=seat_impl@entry=0x564301b9ed10, input_device=input_device@entry=0x7f270c108170, time_us=time_us@entry=18579510719, x=<optimized out>, y=<optimized out>, x_out=0x7f2721ff9c18, y_out=y_out@entry=0x7f2721ff9c14) at ../src/backends/native/meta-seat-impl.c:533
#8 0x00007f277d3a357f in meta_seat_impl_notify_relative_motion_in_impl
(seat_impl=<optimized out>, input_device=<optimized out>, time_us=18579510719, dx=<optimized out>, dy=<optimized out>, dx_unaccel=<optimized out>, dy_unaccel=<optimized out>)
at ../src/backends/native/meta-seat-impl.c:607
#9 0x00007f277d3af44e in process_device_event (event=0x7f270c00bcb0, seat_impl=<optimized out>)
at ../src/backends/native/meta-seat-impl.c:2130
#10 process_event (event=0x7f270c00bcb0, seat_impl=0x564301b9ed10)
at ../src/backends/native/meta-seat-impl.c:2644
#11 process_events (seat_impl=0x564301b9ed10) at ../src/backends/native/meta-seat-impl.c:2658
#12 0x00007f277d3a3357 in dispatch_libinput (seat_impl=0x564301b9ed10)
at ../src/backends/native/meta-seat-impl.c:251
#13 0x00007f277d3a969d in meta_libinput_source_dispatch (user_data=<optimized out>)
at ../src/backends/native/meta-seat-impl.c:2787
#14 0x00007f277d92fe5c in g_main_dispatch (context=0x564301ba1490) at ../glib/gmain.c:3476
#15 g_main_context_dispatch_unlocked (context=0x564301ba1490) at ../glib/gmain.c:4284
#16 0x00007f277d98af18 in g_main_context_iterate_unlocked.isra.0
(context=0x564301ba1490, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>)
at ../glib/gmain.c:4349
#17 0x00007f277d931447 in g_main_loop_run (loop=0x7f270c03b6e0) at ../glib/gmain.c:4551
#18 0x00007f277d3b13d7 in input_thread (seat_impl=0x564301b9ed10)
at ../src/backends/native/meta-seat-impl.c:2920
#19 0x00007f277d960523 in g_thread_proxy (data=0x564301a65d80) at ../glib/gthread.c:831
#20 0x00007f277d0aa897 in start_thread (arg=<optimized out>) at pthread_create.c:444
#21 0x00007f277d1316fc in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
I've seen crashes with this trace at least twice, the first with 45.0 and then with 45.2. The problem might involve a race condition in which lock/rw_lock was freed then used sometimes.
Steps to reproduce
1. Log in to GNOME 45.2 on Wayland in a Fedora 39 KDE Plasma installation with the GNOME desktop group installed
2. Log out of GNOME using the menu at the top right
3. If the problem didn't happen, repeat 1-2 until it does.
What happened
gnome-shell crashed sometimes in g_rw_lock_get_impl when logging out.
What did you expect to happen
gnome-shell should have logged out without crashing.
Relevant logs, screenshots, screencasts etc.
I'm attaching the full trace of all threads: coredumpctl-gdb-gnome-shell-45.2-logout-segmentation-fault-full-trace-all-threads-1.txt
Edited by Matt Fagnani