Use-after-free in phoc_cursor_handle_request_set_cursor
=================================================================
==153==ERROR: AddressSanitizer: heap-use-after-free on address 0x618000024080 at pc 0x560cc9fea1cf bp 0x7ffd09f24270 sp 0x7ffd09f24268
READ of size 8 at 0x618000024080 thread T0
#0 0x560cc9fea1ce in phoc_cursor_handle_request_set_cursor ../src/cursor.c:1233
#1 0x560cca1b288e in wlr_signal_emit_safe ../subprojects/wlroots/util/signal.c:29
#2 0x560cca0c6fc2 in pointer_set_cursor ../subprojects/wlroots/types/seat/wlr_seat_pointer.c:104
#3 0x7fbeca545d1c (/lib/x86_64-linux-gnu/libffi.so.7+0x6d1c)
#4 0x7fbeca545288 (/lib/x86_64-linux-gnu/libffi.so.7+0x6288)
#5 0x7fbecb51b4d1 (/lib/x86_64-linux-gnu/libwayland-server.so.0+0xd4d1)
#6 0x7fbecb516ae1 (/lib/x86_64-linux-gnu/libwayland-server.so.0+0x8ae1)
#7 0x7fbecb519491 in wl_event_loop_dispatch (/lib/x86_64-linux-gnu/libwayland-server.so.0+0xb491)
#8 0x560cc9f28761 in wayland_event_source_dispatch ../src/server.c:52
#9 0x7fbecb7b9e6a in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x51e6a)
#10 0x7fbecb7ba117 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x52117)
#11 0x7fbecb7ba40a in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5240a)
#12 0x560cc9f240a1 in main ../src/main.c:150
#13 0x7fbeca6b0d09 in __libc_start_main ../csu/libc-start.c:308
#14 0x560cc9f25c29 in _start (/usr/local/bin/phoc+0x49ec29)
0x618000024080 is located 0 bytes inside of 824-byte region [0x618000024080,0x6180000243b8)
freed by thread T0 here:
#0 0x7fbecbbddb6f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:123
#1 0x7fbecb515dbe (/lib/x86_64-linux-gnu/libwayland-server.so.0+0x7dbe)
previously allocated by thread T0 here:
#0 0x7fbecbbde037 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
#1 0x560cca17deab in surface_create ../subprojects/wlroots/types/wlr_surface.c:733
#2 0x560cca10c023 in compositor_create_surface ../subprojects/wlroots/types/wlr_compositor.c:122
#3 0x7fbeca545d1c (/lib/x86_64-linux-gnu/libffi.so.7+0x6d1c)
Seems like seat->pointer_state.focused_surface has a hanging reference to a destroyed surface. I can usually trigger it when the mouse cursor is displayed (and moved?) when launching some app that shows a splash screen.
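The hypothesis in the report is the classic dangling-focus pattern: the seat keeps a raw pointer to the surface it focused, the surface is freed during Wayland resource teardown (the trace shows the free inside libwayland-server and the allocation in wlroots' surface_create), and a later set_cursor request from the event loop dereferences the stale pointer. The program below is an added example, not phoc or wlroots code, that reconstructs that pattern with a hypothetical minimal signal/listener mechanism modelled loosely on wl_signal/wl_listener, and shows the usual cure: the seat attaches a destroy listener to whatever it focuses, clears its pointer while the surface memory is still valid, and the request handler refuses any request that does not come from the currently focused surface. Every identifier here (`seat_set_focus`, `seat_handle_set_cursor`, `scenario_*`, and so on) is an assumption for illustration; the report does not establish where in phoc the real fix belongs.

```c
/* Added example: not phoc or wlroots code. Hypothetical minimal signal/listener
 * mechanism (modelled loosely on wl_signal / wl_listener) reconstructing the
 * dangling-focus pattern from the report and the usual cure: the seat listens
 * for the focused surface's destroy event, clears its pointer before the memory
 * is freed, and the set_cursor handler only honours the focused surface. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

struct listener;
typedef void (*notify_fn)(struct listener *l, void *data);

struct listener { notify_fn notify; struct listener *next; };
struct signal   { struct listener *head; };

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

static void signal_add(struct signal *s, struct listener *l) {
    l->next = s->head;
    s->head = l;
}

static void listener_remove(struct signal *s, struct listener *l) {
    for (struct listener **pp = &s->head; *pp; pp = &(*pp)->next) {
        if (*pp == l) { *pp = l->next; l->next = NULL; return; }
    }
}

/* Saves `next` before each call so a listener may remove itself while running. */
static void signal_emit(struct signal *s, void *data) {
    for (struct listener *l = s->head, *next; l; l = next) {
        next = l->next;
        l->notify(l, data);
    }
}

struct surface { struct signal events_destroy; int id; };

struct seat {
    struct surface *focused_surface;   /* raw pointer: the hazard in the report */
    struct listener focus_destroy;     /* hooked to focused_surface->events_destroy */
};

static void seat_clear_focus(struct seat *seat) {
    if (!seat->focused_surface) return;
    listener_remove(&seat->focused_surface->events_destroy, &seat->focus_destroy);
    seat->focused_surface = NULL;
}

/* Runs from surface_destroy() while the surface memory is still valid. */
static void seat_handle_focus_destroy(struct listener *l, void *data) {
    (void)data;
    seat_clear_focus(container_of(l, struct seat, focus_destroy));
}

static void seat_set_focus(struct seat *seat, struct surface *surf) {
    seat_clear_focus(seat);                 /* detach from the previous surface first */
    if (!surf) return;
    seat->focused_surface = surf;
    seat->focus_destroy.notify = seat_handle_focus_destroy;
    signal_add(&surf->events_destroy, &seat->focus_destroy);
}

static struct surface *surface_create(int id) {
    struct surface *s = calloc(1, sizeof *s);   /* hypothetical, like the calloc in the trace */
    if (s) s->id = id;
    return s;
}

static void surface_destroy(struct surface *surf) {
    signal_emit(&surf->events_destroy, surf);   /* listeners drop their references */
    free(surf);
}

/* Analogue of a request_set_cursor handler: only the focused surface's client
 * may set the cursor, and a NULL focus means there is nothing to honour. */
static bool seat_handle_set_cursor(struct seat *seat, struct surface *requester) {
    if (!seat->focused_surface || seat->focused_surface != requester) return false;
    return seat->focused_surface->id == requester->id;   /* safe: surface is alive */
}

/* Destroying the focused surface leaves no dangling pointer behind. */
static bool scenario_destroy_clears_focus(void) {
    struct seat seat = {0};
    struct surface *s1 = surface_create(1), *s2 = surface_create(2);
    seat_set_focus(&seat, s1);
    surface_destroy(s1);
    bool ok = seat.focused_surface == NULL && !seat_handle_set_cursor(&seat, s2);
    surface_destroy(s2);
    return ok;
}

/* Refocusing detaches the old listener, so the old surface's death is ignored. */
static bool scenario_refocus_detaches_old_listener(void) {
    struct seat seat = {0};
    struct surface *s1 = surface_create(1), *s2 = surface_create(2);
    seat_set_focus(&seat, s1);
    seat_set_focus(&seat, s2);
    surface_destroy(s1);
    bool ok = seat.focused_surface == s2 && seat_handle_set_cursor(&seat, s2);
    surface_destroy(s2);                    /* listener clears the focus again */
    return ok;
}

int main(void) {
    printf("destroy clears focus: %s\n", scenario_destroy_clears_focus() ? "ok" : "FAIL");
    printf("refocus detaches old listener: %s\n",
           scenario_refocus_detaches_old_listener() ? "ok" : "FAIL");
    return 0;
}
```

Run it under AddressSanitizer (`cc -fsanitize=address -g`) to confirm neither scenario touches freed memory; removing the `signal_add` call in `seat_set_focus` reproduces the shape of the reported read, since `focused_surface` then survives `surface_destroy` and the next handler call dereferences freed memory.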