hyprwm / Hyprland

Hyprland is an independent, highly customizable, dynamic tiling Wayland compositor that doesn't sacrifice on its looks.
https://hyprland.org
BSD 3-Clause "New" or "Revised" License

ASan crash in `CScreencopyProtocolManager::removeClient` when finishing capture #2803

Open jbeich opened 1 year ago

jbeich commented 1 year ago

Hyprland Version

v0.27.2-51-gf5913135

Bug or Regression?

Bug

Description

When Hyprland is built with AddressSanitizer, capturing the screen crashes the compositor. Affects wf-recorder, wl-screenrec, wl-mirror (-b screencopy) but not grim. I didn't test other wlr-screencopy-unstable-v1 clients.

How to reproduce

$ meson setup --buildtype=debug -Db_sanitize=address /tmp/hyprland_build
$ meson compile -C /tmp/hyprland_build
$ cat /tmp/hyprland.conf
exec-once = timeout 3 wl-screenrec
$ /tmp/hyprland_build/src/Hyprland -c /tmp/hyprland.conf
[...]
Using output WL-1
[h264_vaapi @ 0x8086d2800] Driver does not support any RC mode compatible with selected options (supported modes: CQP).
failed to open encoder in low_power mode (Invalid argument), trying non low_power mode. if you have an intel iGPU, set enable_guc=2 in the i915 module to use the fixed function encoder. pass --low-power=off to suppress this warning
59 fps
26 fps
00:00:03.066 [wayland] failed to read client connection (pid 54268)
=================================================================
==54260==ERROR: AddressSanitizer: heap-use-after-free on address 0x60700004bd60 at pc 0x000000df8b5a bp 0x7fffffffd460 sp 0x7fffffffd458
READ of size 4 at 0x60700004bd60 thread T0
    #0 0xdf8b59 in CScreencopyProtocolManager::removeClient(CScreencopyClient*, bool) (/tmp/hyprland_build/src/Hyprland+0xdf8b59)
    #1 0xdfb6c3 in CScreencopyProtocolManager::removeFrame(SScreencopyFrame*, bool) (/tmp/hyprland_build/src/Hyprland+0xdfb6c3)
    #2 0xdfda41 in handleFrameResourceDestroy(wl_resource*) Screencopy.cpp
    #3 0x801180e2a in destroy_resource wayland-1.22.0/src/wayland-server.c:732:3
    #4 0x80118b2b6 in for_each_helper wayland-1.22.0/src/wayland-util.c:416:10
    #5 0x80118b1e4 in wl_map_for_each wayland-1.22.0/src/wayland-util.c:430:8
    #6 0x801181432 in wl_client_destroy wayland-1.22.0/src/wayland-server.c:928:2
    #7 0x8011836b4 in destroy_client_with_error wayland-1.22.0/src/wayland-server.c:325:2
    #8 0x80118068d in wl_client_connection_data wayland-1.22.0/src/wayland-server.c:368:4
    #9 0x801184c46 in wl_event_source_fd_dispatch wayland-1.22.0/src/event-loop.c:112:9
    #10 0x801186363 in wl_event_loop_dispatch wayland-1.22.0/src/event-loop.c:1027:4
    #11 0x801181fbe in wl_display_run wayland-1.22.0/src/wayland-server.c:1493:3
    #12 0xcc1798 in CCompositor::startCompositor() (/tmp/hyprland_build/src/Hyprland+0xcc1798)
    #13 0xed44ae in main (/tmp/hyprland_build/src/Hyprland+0xed44ae)
    #14 0x801976269 in __libc_start1 /usr/src/lib/libc/csu/libc_start1.c:155:7
    #15 0x5a767f in _start /usr/src/lib/csu/amd64/crt1_s.S:83

0x60700004bd60 is located 16 bytes inside of 80-byte region [0x60700004bd50,0x60700004bda0)
freed by thread T0 here:
    #0 0x703d4d in operator delete(void*) (/tmp/hyprland_build/src/Hyprland+0x703d4d)
    #1 0x715024 in void std::__1::__libcpp_operator_delete[abi:v160006]<void*>(void*) HyprError.cpp
    #2 0x714fd8 in void std::__1::__do_deallocate_handle_size[abi:v160006]<>(void*, unsigned long) HyprError.cpp
    #3 0x714f64 in std::__1::__libcpp_deallocate[abi:v160006](void*, unsigned long, unsigned long) HyprError.cpp
    #4 0x73721d in std::__1::allocator<std::__1::__list_node<CScreencopyClient, void*>>::deallocate[abi:v160006](std::__1::__list_node<CScreencopyClient, void*>*, unsigned long) HyprError.cpp
    #5 0x7370c4 in std::__1::allocator_traits<std::__1::allocator<std::__1::__list_node<CScreencopyClient, void*>>>::deallocate[abi:v160006](std::__1::allocator<std::__1::__list_node<CScreencopyClient, void*>>&, std::__1::__list_node<CScreencopyClient, void*>*, unsigned long) HyprError.cpp
    #6 0x736dcf in std::__1::__list_imp<CScreencopyClient, std::__1::allocator<CScreencopyClient>>::clear() (/tmp/hyprland_build/src/Hyprland+0x736dcf)
    #7 0x736c28 in std::__1::__list_imp<CScreencopyClient, std::__1::allocator<CScreencopyClient>>::~__list_imp() (/tmp/hyprland_build/src/Hyprland+0x736c28)
    #8 0x736444 in std::__1::list<CScreencopyClient, std::__1::allocator<CScreencopyClient>>::~list() (/tmp/hyprland_build/src/Hyprland+0x736444)
    #9 0xe082b0 in std::__1::list<CScreencopyClient, std::__1::allocator<CScreencopyClient>>::remove(CScreencopyClient const&) (/tmp/hyprland_build/src/Hyprland+0xe082b0)
    #10 0xdf8be0 in CScreencopyProtocolManager::removeClient(CScreencopyClient*, bool) (/tmp/hyprland_build/src/Hyprland+0xdf8be0)
    #11 0xdfb2b4 in handleManagerResourceDestroy(wl_resource*) Screencopy.cpp
    #12 0x801180e2a in destroy_resource wayland-1.22.0/src/wayland-server.c:732:3
    #13 0x80118b2b6 in for_each_helper wayland-1.22.0/src/wayland-util.c:416:10
    #14 0x80118b1e4 in wl_map_for_each wayland-1.22.0/src/wayland-util.c:430:8
    #15 0x801181432 in wl_client_destroy wayland-1.22.0/src/wayland-server.c:928:2
    #16 0x8011836b4 in destroy_client_with_error wayland-1.22.0/src/wayland-server.c:325:2
    #17 0x80118068d in wl_client_connection_data wayland-1.22.0/src/wayland-server.c:368:4
    #18 0x801184c46 in wl_event_source_fd_dispatch wayland-1.22.0/src/event-loop.c:112:9
    #19 0x801186363 in wl_event_loop_dispatch wayland-1.22.0/src/event-loop.c:1027:4
    #20 0x801181fbe in wl_display_run wayland-1.22.0/src/wayland-server.c:1493:3
    #21 0xcc1798 in CCompositor::startCompositor() (/tmp/hyprland_build/src/Hyprland+0xcc1798)
    #22 0xed44ae in main (/tmp/hyprland_build/src/Hyprland+0xed44ae)
    #23 0x801976269 in __libc_start1 /usr/src/lib/libc/csu/libc_start1.c:155:7
    #24 0x5a767f in _start /usr/src/lib/csu/amd64/crt1_s.S:83
    #25 0x801155007  (<unknown module>)

previously allocated by thread T0 here:
    #0 0x7034ed in operator new(unsigned long) (/tmp/hyprland_build/src/Hyprland+0x7034ed)
    #1 0x74b5f4 in void* std::__1::__libcpp_operator_new[abi:v160006]<unsigned long>(unsigned long) HyprError.cpp
    #2 0x74b57c in std::__1::__libcpp_allocate[abi:v160006](unsigned long, unsigned long) HyprError.cpp
    #3 0xe18319 in std::__1::allocator<std::__1::__list_node<CScreencopyClient, void*>>::allocate[abi:v160006](unsigned long) Screencopy.cpp
    #4 0xe1809c in std::__1::allocator_traits<std::__1::allocator<std::__1::__list_node<CScreencopyClient, void*>>>::allocate[abi:v160006](std::__1::allocator<std::__1::__list_node<CScreencopyClient, void*>>&, unsigned long) Screencopy.cpp
    #5 0xe17cf2 in std::__1::list<CScreencopyClient, std::__1::allocator<CScreencopyClient>>::__allocate_node[abi:v160006](std::__1::allocator<std::__1::__list_node<CScreencopyClient, void*>>&) Screencopy.cpp
    #6 0xe0856b in CScreencopyClient& std::__1::list<CScreencopyClient, std::__1::allocator<CScreencopyClient>>::emplace_back<>() (/tmp/hyprland_build/src/Hyprland+0xe0856b)
    #7 0xdfb0cb in CScreencopyProtocolManager::bindManager(wl_client*, void*, unsigned int, unsigned int) (/tmp/hyprland_build/src/Hyprland+0xdfb0cb)
    #8 0xdf8a97 in bindManagerInt(wl_client*, void*, unsigned int, unsigned int) Screencopy.cpp
    #9 0x801183b00 in registry_bind wayland-1.22.0/src/wayland-server.c:992:3
    #10 0x801d2d679 in ffi_call_unix64 libffi-3.4.4/src/x86/unix64.S:104

SUMMARY: AddressSanitizer: heap-use-after-free (/tmp/hyprland_build/src/Hyprland+0xdf8b59) in CScreencopyProtocolManager::removeClient(CScreencopyClient*, bool)
Shadow bytes around the buggy address:
  0x60700004ba80: 00 00 fa fa fa fa 00 00 00 00 00 00 00 00 00 00
  0x60700004bb00: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 fa fa
  0x60700004bb80: fa fa 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
  0x60700004bc00: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fd fd
  0x60700004bc80: fd fd fd fd fd fd fd fd fa fa fa fa 00 00 00 00
=>0x60700004bd00: 00 00 00 00 00 00 fa fa fa fa fd fd[fd]fd fd fd
  0x60700004bd80: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 00
  0x60700004be00: 00 fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
  0x60700004be80: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 fa fa
  0x60700004bf00: fa fa fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x60700004bf80: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==54260==ABORTING

Crash reports, logs, images, videos

No response
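The two stacks in the report describe an ordering problem: the client is freed from `handleManagerResourceDestroy` -> `removeClient` -> `std::list::remove` while frames still hold a pointer to it, and the later `handleFrameResourceDestroy` -> `removeFrame` -> `removeClient` reads through that dangling pointer. The following is a reduced model of those lifetimes, added here as an example; it is not Hyprland's code, and the fields, the `detachFrames` switch, the id registry and the `replay` driver are all assumptions made for the demonstration. The registry lets the stale reference be counted instead of dereferenced, so the buggy order can be replayed without undefined behaviour.

```cpp
// Added example, not Hyprland's Screencopy.cpp. Names mirror the ASan trace;
// everything else (fields, registry, detachFrames flag) is assumed for the demo.
#include <cstddef>
#include <cstdint>
#include <list>
#include <unordered_map>

struct CScreencopyClient {
    uint64_t id           = 0;  // stable identity, outlives the object in frames
    int      frameCounter = 0;  // frames still referencing this client
};

struct SScreencopyFrame {
    uint64_t           clientId = 0;        // checked against the registry
    CScreencopyClient* client   = nullptr;  // raw back-pointer, as in the trace
};

class CScreencopyProtocolManager {
  public:
    // bindManager -> emplace_back into the client list (std::list nodes do not
    // move, so the address can be cached while the node is alive).
    CScreencopyClient* bindManager() {
        m_lClients.emplace_back();
        CScreencopyClient& c = m_lClients.back();
        c.id                 = ++m_nextId;
        m_registry[c.id]     = &c;
        return &c;
    }

    SScreencopyFrame* captureOutput(CScreencopyClient* client) {
        m_lFrames.emplace_back();
        SScreencopyFrame& f = m_lFrames.back();
        f.clientId          = client->id;
        f.client            = client;
        client->frameCounter++;
        return &f;
    }

    // handleManagerResourceDestroy -> removeClient. detachFrames=false is the
    // order in the report (client freed, frames keep pointing at it);
    // detachFrames=true invalidates every back-pointer before the free.
    void removeClient(CScreencopyClient* client, bool detachFrames) {
        if (detachFrames)
            for (auto& f : m_lFrames)
                if (f.client == client)
                    f.client = nullptr;
        m_registry.erase(client->id);
        m_lClients.remove_if([client](const CScreencopyClient& c) { return &c == client; });
    }

    // handleFrameResourceDestroy -> removeFrame. Returns false when the frame
    // still carried a non-null pointer to a client that no longer exists, which
    // is the read ASan flagged in the report.
    bool removeFrame(SScreencopyFrame* frame) {
        bool ok = true;
        if (frame->client == nullptr) {
            // already detached by a hardened removeClient: nothing to update
        } else if (m_registry.count(frame->clientId)) {
            frame->client->frameCounter--;  // registry confirms the object is live
        } else {
            m_staleFrames++;  // dangling reference: counted, never dereferenced
            ok = false;
        }
        m_lFrames.remove_if([frame](const SScreencopyFrame& f) { return &f == frame; });
        return ok;
    }

    int    staleFrames() const { return m_staleFrames; }
    size_t clientCount() const { return m_lClients.size(); }
    size_t frameCount() const { return m_lFrames.size(); }

  private:
    std::list<CScreencopyClient>                     m_lClients;
    std::list<SScreencopyFrame>                      m_lFrames;
    std::unordered_map<uint64_t, CScreencopyClient*> m_registry;  // id -> live object
    uint64_t                                         m_nextId      = 0;
    int                                              m_staleFrames = 0;
};

struct ReplayResult {
    int    stale;
    size_t clients;
    size_t frames;
};

// Replays the resource-destroy order. managerFirst=true is the order in the
// report (manager resource torn down while two frames are in flight).
ReplayResult replay(bool hardened, bool managerFirst) {
    CScreencopyProtocolManager mgr;
    CScreencopyClient*         c  = mgr.bindManager();
    SScreencopyFrame*          f1 = mgr.captureOutput(c);
    SScreencopyFrame*          f2 = mgr.captureOutput(c);
    if (managerFirst) {
        mgr.removeClient(c, hardened);
        mgr.removeFrame(f1);
        mgr.removeFrame(f2);
    } else {
        mgr.removeFrame(f1);
        mgr.removeFrame(f2);
        mgr.removeClient(c, hardened);
    }
    return {mgr.staleFrames(), mgr.clientCount(), mgr.frameCount()};
}
```

Replaying the report's order with `hardened=false` yields two stale frames; with `hardened=true`, or with the frames destroyed before the manager, it yields none. The id registry is the detection layer: it also defends against a new client reusing the freed address, which a bare null check would not catch. A refcount that defers the client's destruction until its last frame is gone would be an equally valid alternative to nulling the back-pointers.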

vaxerski commented 4 months ago

is this still a thing?