segfault in process_crtc_color_updates starting with 45
Running `gnome-shell --wayland` on console after updating to 45, I now get a segfault, where 44 worked fine.
https://gist.github.com/q66/e389529af064720cecb03a7bd0736e65
The affected code appears to be:

```c
MetaGammaLut *gamma = color_update->gamma.state;
struct drm_color_lut drm_color_lut[gamma->size];
```

Particularly when trying to access `gamma`. It would seem that `gamma` is a NULL pointer at the time, but that's probably not the actual source of the issue, as adding `if (!gamma) return TRUE;` just makes it segfault again (in the same place, but this time with `gamma` being valid).
Mutter is compiled with Clang 16 on Chimera Linux, tested on x86_64 architecture for now (i7-1165G7, Intel Xe graphics, Mesa 23.1.8). I wonder if some undefined behavior somewhere in Mutter is causing the odd behavior.
In this function:

```c
void
meta_kms_update_set_crtc_gamma (MetaKmsUpdate      *update,
                                MetaKmsCrtc        *crtc,
                                const MetaGammaLut *gamma)
{
  MetaKmsCrtcColorUpdate *color_update;
  MetaGammaLut *gamma_update = NULL;
  const MetaKmsCrtcState *crtc_state = meta_kms_crtc_get_current_state (crtc);

  g_assert (meta_kms_crtc_get_device (crtc) == update->device);

  if (gamma)
    gamma_update = meta_gamma_lut_copy_to_size (gamma, crtc_state->gamma.size);

  color_update = ensure_color_update (update, crtc);
  color_update->gamma.state = gamma_update;
  color_update->gamma.has_update = TRUE;

  update_latch_crtc (update, crtc);
}
```
the logic implies that an update with NULL state may happen, which is not handled in the other code (though looking at possible invocations of the function, I don't see any case where the `gamma` argument would ever be NULL anyway). I don't think that is actually the issue in this case though.
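As an added illustration, not mutter's code and not part of the report above, a simplified C model of the gamma-LUT conversion showing how the NULL-state case and the `gamma->size`-driven stack array from the reported snippet can be handled defensively; the type names, fields, status codes and the `MAX_LUT_SIZE` bound are assumptions modelled on the snippets in this report.

```c
/* Added example, not mutter code; names and fields are assumptions modelled on the report. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#define MAX_LUT_SIZE 4096 /* assumed upper bound on hardware LUT entries */
typedef struct { size_t size; uint16_t *red, *green, *blue; } MetaGammaLut;
struct drm_color_lut { uint16_t red, green, blue, reserved; };
typedef struct { struct { MetaGammaLut *state; bool has_update; } gamma; } MetaKmsCrtcColorUpdate;
enum lut_status { LUT_OK = 0, LUT_NO_STATE, LUT_BAD_SIZE, LUT_NO_MEMORY };

/* Unlike the reported snippet, a NULL gamma state is reported instead of
 * dereferenced, and the buffer is allocated on the heap only after the
 * size is bounded, so a corrupted size cannot exhaust the stack the way
 * an unchecked VLA would. On LUT_OK the caller owns and frees *out. */
static enum lut_status build_drm_lut(const MetaKmsCrtcColorUpdate *update,
                                     struct drm_color_lut **out, size_t *count)
{
    const MetaGammaLut *gamma = update->gamma.state;
    *out = NULL; *count = 0;
    if (!gamma)
        return LUT_NO_STATE;                     /* nothing to program */
    if (gamma->size == 0 || gamma->size > MAX_LUT_SIZE)
        return LUT_BAD_SIZE;
    struct drm_color_lut *lut = calloc(gamma->size, sizeof *lut);
    if (!lut)
        return LUT_NO_MEMORY;
    for (size_t i = 0; i < gamma->size; i++) {
        lut[i].red = gamma->red[i];
        lut[i].green = gamma->green[i];
        lut[i].blue = gamma->blue[i];
    }
    *out = lut; *count = gamma->size;
    return LUT_OK;
}

/* Self-check helper: which == 0 feeds a NULL state, which == 1 an oversized
 * LUT, anything else a constructed 3-entry ramp. Returns the status code,
 * except that a successful ramp returns its last blue value (240). */
static int run_scenario(int which)
{
    uint16_t r[3] = {0, 100, 200}, g[3] = {0, 110, 220}, b[3] = {0, 120, 240};
    MetaGammaLut lut = { which == 1 ? MAX_LUT_SIZE + 1 : 3, r, g, b };
    MetaKmsCrtcColorUpdate update = { { which == 0 ? NULL : &lut, true } };
    struct drm_color_lut *out; size_t n;
    enum lut_status st = build_drm_lut(&update, &out, &n);
    if (st != LUT_OK) return (int) st;
    int v = out[n - 1].blue; free(out);
    return v;
}
```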