Crash if window destroyed by protocol error while moving
Affected version
Operating system: Fedora 38
Mutter version: 44.1 (on Wayland)
Bug summary
When a window is destroyed because the client was terminated due to a protocol error, Mutter crashes with a null pointer dereference.
Steps to reproduce
- From a Wayland client, open a window
- Press and hold and move the window
- While the window is being moved, trigger a protocol error from the client
What happened
The compositor crashes.
What did you expect to happen
The compositor should not crash.
Relevant logs, screenshots, screencasts etc.
GDB Backtrace with relevant lines:
Core was generated by `/usr/bin/gnome-shell'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 wl_resource_add_destroy_listener (resource=0x0, listener=0x561c1ddab720) at ../src/wayland-server.c:842
Downloading source file /usr/src/debug/wayland-1.22.0-1.fc38.x86_64/redhat-linux-build/../src/wayland-server.c
842 if (resource_is_deprecated(resource))
[Current thread is 1 (Thread 0x7f636b5e6600 (LWP 171355))]
Missing separate debuginfos, use: dnf debuginfo-install cairo-1.17.8-4.fc38.x86_64 llvm-libs-16.0.4-1.fc38.x86_64 mesa-dri-drivers-23.0.3-5.fc38.x86_64 mozjs102-102.9.0-1.fc38.x86_64
(gdb) bt
#0 wl_resource_add_destroy_listener (resource=0x0, listener=0x561c1ddab720) at ../src/wayland-server.c:842
#1 0x00007f636edb6ded in meta_wayland_keyboard_set_focus (keyboard=0x561c1ddab6e0, surface=0x561c1e64c8a0) at ../src/wayland/meta-wayland-keyboard.c:791
#2 0x00007f636edc1269 in meta_wayland_seat_set_input_focus (seat=0x561c1ddabb80, surface=0x561c1e64c8a0) at ../src/wayland/meta-wayland-seat.c:424
#3 0x00007f636eda6b68 in meta_wayland_compositor_set_input_focus (compositor=0x561c1db61a00, window=0x561c1e6e52d0) at ../src/wayland/meta-wayland.c:360
#4 0x00007f636ecfaa75 in meta_display_sync_wayland_input_focus (display=0x561c1e031a20) at ../src/core/display.c:1354
#5 0x00007f636ecdb2ee in meta_compositor_server_grab_end (compositor=0x561c1e03f700) at ../src/compositor/meta-compositor-server.c:67
#6 0x00007f636ecd0024 in meta_compositor_grab_end (compositor=0x561c1e03f700) at ../src/compositor/compositor.c:377
#7 0x00007f636ed0000e in meta_display_handle_event (display=0x561c1e031a20, event=0x561c257017d0, event_actor=0x561c1e6fd200) at ../src/core/events.c:242
#8 0x00007f636ed00723 in event_callback (event=0x561c257017d0, event_actor=0x561c1e6fd200, data=0x561c1e031a20) at ../src/core/events.c:520
#9 0x00007f636f0a7a31 in _clutter_event_process_filters (event=0x561c257017d0, event_actor=0x561c1e6fd200) at ../clutter/clutter/clutter-event.c:1691
#10 0x00007f636f0f2c8e in clutter_stage_notify_grab_on_pointer_entry
(stage=0x561c1de2d900, entry=0x561c1fc06150, grab_actor=0x561c1de2d900, old_grab_actor=0x561c252d9230) at ../clutter/clutter/clutter-stage.c:4020
#11 0x00007f636f0f2ea5 in clutter_stage_notify_grab (stage=0x561c1de2d900, cur=0x0, old=0x561c2248a6f0) at ../clutter/clutter/clutter-stage.c:4086
#12 0x00007f636f0f3442 in clutter_stage_unlink_grab (stage=0x561c1de2d900, grab=0x561c2248a6f0) at ../clutter/clutter/clutter-stage.c:4218
#13 0x00007f636f0f3585 in clutter_grab_dismiss (grab=0x561c2248a6f0) at ../clutter/clutter/clutter-stage.c:4264
#14 0x00007f636eceac86 in meta_window_drag_end (window_drag=0x561c25839d60) at ../src/compositor/meta-window-drag.c:387
#15 0x00007f636eceae1d in on_grab_window_unmanaging (window=0x561c1e6e52d0, window_drag=0x561c25839d60) at ../src/compositor/meta-window-drag.c:412
#16 0x00007f636f9fa4ea in g_closure_invoke
(closure=0x561c257a21e0, return_value=0x0, n_param_values=1, param_values=0x7fffd1f36ea0, invocation_hint=0x7fffd1f36e20) at ../gobject/gclosure.c:832
#17 0x00007f636fa28e16 in signal_emit_unlocked_R.isra.0
(node=node@entry=0x561c256ce530, detail=detail@entry=0, instance=instance@entry=0x561c1e6e52d0, emission_return=emission_return@entry=0x0, instance_and_params=instance_and_params@entry=0x7fffd1f36ea0) at ../gobject/gsignal.c:3812
#18 0x00007f636fa19cbd in g_signal_emit_valist
(instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>, var_args=var_args@entry=0x7fffd1f37040) at ../gobject/gsignal.c:3565
#19 0x00007f636fa19f33 in g_signal_emit (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>) at ../gobject/gsignal.c:3622
#20 0x00007f636ed26a9a in meta_window_unmanage (window=0x561c1e6e52d0, timestamp=76079307) at ../src/core/window.c:1463
#21 0x00007f636edc216e in meta_wayland_shell_surface_destroy_window (shell_surface=0x561c25a7ffc0) at ../src/wayland/meta-wayland-shell-surface.c:314
#22 0x00007f636edd5bf7 in xdg_toplevel_destructor (resource=0x561c1f178fe0) at ../src/wayland/meta-wayland-xdg-shell.c:214
#23 0x00007f636e090791 in destroy_resource (element=0x561c1f178fe0, data=data@entry=0x0, flags=0) at ../src/wayland-server.c:732
#24 0x00007f636e09272a in wl_resource_destroy (resource=<optimized out>) at ../src/wayland-server.c:749
#25 0x00007f636edd70ac in meta_wayland_xdg_toplevel_finalize (object=0x561c25a7ffc0) at ../src/wayland/meta-wayland-xdg-shell.c:1008
#26 0x00007f636fa08a53 in g_object_unref (_object=0x561c25a7ffc0) at ../gobject/gobject.c:3938
#27 g_object_unref (_object=0x561c25a7ffc0) at ../gobject/gobject.c:3802
#28 0x00007f636edc723f in meta_wayland_surface_finalize (object=0x561c1e64c8a0) at ../src/wayland/meta-wayland-surface.c:1456
#29 0x00007f636fa08a53 in g_object_unref (_object=0x561c1e64c8a0) at ../gobject/gobject.c:3938
#30 g_object_unref (_object=0x561c1e64c8a0) at ../gobject/gobject.c:3802
--Type <RET> for more, q to quit, c to continue without paging--
#31 0x00007f636edc7667 in wl_surface_destructor (resource=0x561c22468490) at ../src/wayland/meta-wayland-surface.c:1525
#32 0x00007f636e090791 in destroy_resource (element=0x561c22468490, data=data@entry=0x7fffd1f374d4, flags=0) at ../src/wayland-server.c:732
#33 0x00007f636e090f2b in for_each_helper (entries=0x561c1ecfe820, data=0x7fffd1f374d4, func=0x7f636e0906e0 <destroy_resource>) at ../src/wayland-util.c:416
#34 wl_map_for_each (data=0x7fffd1f374d4, func=0x7f636e0906e0 <destroy_resource>, map=0x561c1ecfe820) at ../src/wayland-util.c:430
#35 wl_client_destroy (client=client@entry=0x561c1ecfe7f0) at ../src/wayland-server.c:928
#36 0x00007f636e0916c1 in destroy_client_with_error (reason=<optimized out>, client=<optimized out>) at ../src/wayland-server.c:325
#37 wl_client_connection_data (fd=<optimized out>, mask=<optimized out>, data=0x561c1ecfe7f0) at ../src/wayland-server.c:454
#38 0x00007f636e0908e2 in wl_event_loop_dispatch (loop=0x561c1db61cb0, timeout=<optimized out>) at ../src/event-loop.c:1027
#39 0x00007f636eda658b in wayland_event_source_dispatch (base=0x561c1db61e90, callback=0x0, data=0x0) at ../src/wayland/meta-wayland.c:125
#40 0x00007f636f34039c in g_main_dispatch (context=0x561c1dae7960) at ../glib/gmain.c:3460
#41 g_main_context_dispatch (context=0x561c1dae7960) at ../glib/gmain.c:4200
#42 0x00007f636f39e438 in g_main_context_iterate.isra.0 (context=0x561c1dae7960, block=1, dispatch=1, self=<optimized out>) at ../glib/gmain.c:4276
#43 0x00007f636f33f99f in g_main_loop_run (loop=0x561c1fa3a2f0) at ../glib/gmain.c:4479
#44 0x00007f636ed0cb70 in meta_context_run_main_loop (context=0x561c1dae5d00, error=0x7fffd1f37b30) at ../src/core/meta-context.c:482
#45 0x0000561c1d140f87 in main (argc=<optimized out>, argv=<optimized out>) at ../src/main.c:663
(gdb) frame 791
No frame at level 791.
(gdb) frame 1
#1 0x00007f636edb6ded in meta_wayland_keyboard_set_focus (keyboard=0x561c1ddab6e0, surface=0x561c1e64c8a0) at ../src/wayland/meta-wayland-keyboard.c:791
791 wl_resource_add_destroy_listener (focus_surface_resource,
(gdb) l
786 {
787 struct wl_resource *focus_surface_resource;
788
789 keyboard->focus_surface = surface;
790 focus_surface_resource = keyboard->focus_surface->resource;
791 wl_resource_add_destroy_listener (focus_surface_resource,
792 &keyboard->focus_surface_listener);
793
794 move_resources_for_client (&keyboard->focus_resource_list,
795 &keyboard->resource_list,
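
In the backtrace above, ending the drag re-syncs input focus (frames #5 to #1) onto the same surface (0x561c1e64c8a0) that is being finalized in frame #28, and by then its resource is NULL (frame #0). The following minimal C model is an added illustration, not Mutter's code or its fix: it reproduces that ordering with constructed stand-in types and hypothetical function names, and shows a NULL-resource guard at the focus step.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the objects named in the backtrace (hypothetical). */
struct resource { int destroy_listeners; };
struct surface  { struct resource *resource; };
struct keyboard { struct surface *focus_surface; };

/* Models frame #0: dereferences its argument, so NULL must never reach it. */
static void add_destroy_listener(struct resource *resource)
{
    resource->destroy_listeners++;
}

/* Focus step from the listing (lines 789-792) with an added guard: a surface
 * whose resource is already gone cannot take keyboard focus. Returns 1 if
 * focus was set, 0 if it was cleared instead. */
static int keyboard_set_focus_checked(struct keyboard *kbd, struct surface *surface)
{
    if (surface == NULL || surface->resource == NULL) {
        kbd->focus_surface = NULL;
        return 0;
    }
    kbd->focus_surface = surface;
    add_destroy_listener(surface->resource);
    return 1;
}

/* Models frames #31 down to #1: the surface's resource is already cleared
 * when teardown callbacks re-enter focus handling with that same surface. */
static int surface_teardown(struct keyboard *kbd, struct surface *surface)
{
    surface->resource = NULL;
    return keyboard_set_focus_checked(kbd, surface);
}

int main(void)
{
    struct resource res = { 0 };
    struct surface win = { &res };
    struct keyboard kbd = { NULL };

    printf("live surface: focus set = %d\n", keyboard_set_focus_checked(&kbd, &win));
    printf("during teardown: focus set = %d\n", surface_teardown(&kbd, &win));
    return 0;
}
```

Without the guard, the second call would pass NULL to `add_destroy_listener`, which is the dereference reported in frame #0.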