mate-desktop / marco

MATE default window manager
https://mate-desktop.org
GNU General Public License v2.0

Segmentation fault in meta_frame_calc_borders #559

Open epsilontheta opened 5 years ago

epsilontheta commented 5 years ago

Expected behaviour

No segfault

Actual behaviour

Segfault

Steps to reproduce the behaviour

I haven't found a way to always trigger a segfault, but what I did was execute marco --replace --no-force-fullscreen and bring guake to foreground using a shortcut. The crash happened twice until now in about 2-3 hours after executing the command. Side note: I am running maximus to remove the decoration of windows when in fullscreen mode. I have both coredumps of the crash but I'm not sure which privacy related data is in there. Here is the systemd-coredump message for start:

Sep 29 00:36:37 tarvos systemd-coredump[153768]: Process 146925 (marco) of user 1001 dumped core.

                                                 Stack trace of thread 146925:
                                                 #0  0x00007f3c57cfb45a meta_frame_calc_borders (libmarco-private.so.2)
                                                 #1  0x00007f3c57ce9f01 n/a (libmarco-private.so.2)
                                                 #2  0x00007f3c57cebed5 n/a (libmarco-private.so.2)
                                                 #3  0x00007f3c57ceced2 n/a (libmarco-private.so.2)
                                                 #4  0x00007f3c57cf5c41 n/a (libmarco-private.so.2)
                                                 #5  0x00007f3c57d3f815 n/a (libmarco-private.so.2)
                                                 #6  0x00007f3c571fa58f n/a (libgdk-3.so.0)
                                                 #7  0x00007f3c57204b94 n/a (libgdk-3.so.0)
                                                 #8  0x00007f3c57259ceb gdk_display_get_event (libgdk-3.so.0)
                                                 #9  0x00007f3c572048f4 n/a (libgdk-3.so.0)
                                                 #10 0x00007f3c57c083ae g_main_context_dispatch (libglib-2.0.so.0)
                                                 #11 0x00007f3c57c0a1c1 n/a (libglib-2.0.so.0)
                                                 #12 0x00007f3c57c0b0d3 g_main_loop_run (libglib-2.0.so.0)
                                                 #13 0x0000556121fe18c9 main (marco)
                                                 #14 0x00007f3c579e0ee3 __libc_start_main (libc.so.6)
                                                 #15 0x0000556121fe1d1e n/a (marco)

                                                 Stack trace of thread 146928:
                                                 #0  0x00007f3c57aab667 __poll (libc.so.6)
                                                 #1  0x00007f3c57c0a130 n/a (libglib-2.0.so.0)
                                                 #2  0x00007f3c57c0a201 g_main_context_iteration (libglib-2.0.so.0)
                                                 #3  0x00007f3c57d82e5e n/a (libdconfsettings.so)
                                                 #4  0x00007f3c57be6bc1 n/a (libglib-2.0.so.0)
                                                 #5  0x00007f3c57b8657f start_thread (libpthread.so.0)
                                                 #6  0x00007f3c57ab60e3 __clone (libc.so.6)

                                                 Stack trace of thread 146927:
                                                 #0  0x00007f3c57aab667 __poll (libc.so.6)
                                                 #1  0x00007f3c57c0a130 n/a (libglib-2.0.so.0)
                                                 #2  0x00007f3c57c0b0d3 g_main_loop_run (libglib-2.0.so.0)
                                                 #3  0x00007f3c56e99b18 n/a (libgio-2.0.so.0)
                                                 #4  0x00007f3c57be6bc1 n/a (libglib-2.0.so.0)
                                                 #5  0x00007f3c57b8657f start_thread (libpthread.so.0)
                                                 #6  0x00007f3c57ab60e3 __clone (libc.so.6)

                                                 Stack trace of thread 146926:
                                                 #0  0x00007f3c57aab667 __poll (libc.so.6)
                                                 #1  0x00007f3c57c0a130 n/a (libglib-2.0.so.0)
                                                 #2  0x00007f3c57c0a201 g_main_context_iteration (libglib-2.0.so.0)
                                                 #3  0x00007f3c57c0a252 n/a (libglib-2.0.so.0)
                                                 #4  0x00007f3c57be6bc1 n/a (libglib-2.0.so.0)
                                                 #5  0x00007f3c57b8657f start_thread (libpthread.so.0)
                                                 #6  0x00007f3c57ab60e3 __clone (libc.so.6)

And here is some more:

(gdb) frame 0
#0  0x00007f3c57cfb45a in meta_frame_calc_borders () from /usr/lib/libmarco-private.so.2
(gdb) info frame
Stack level 0, frame at 0x7ffc6cb62a00:
 rip = 0x7f3c57cfb45a in meta_frame_calc_borders; saved rip = 0x7f3c57ce9f01
 called by frame at 0x7ffc6cb62b30
 Arglist at 0x7ffc6cb629f0, args: 
 Locals at 0x7ffc6cb629f0, Previous frame's sp is 0x7ffc6cb62a00
 Saved registers:
  rip at 0x7ffc6cb629f8
(gdb) x/10x $sp
0x7ffc6cb629f8: 0x57ce9f01  0x00007f3c  0x2334cfc0  0x00005561
0x7ffc6cb62a08: 0x56a57558  0x00007f3c  0x6cb62a70  0x00007ffc
0x7ffc6cb62a18: 0x00000000  0x00000001

MATE general version

1.22.2

Package version

1.22.3-1

Linux Distribution

Arch Linux

Link to downstream report of your Distribution

n/a

epsilontheta commented 5 years ago

Stdout/Stderr:

marco --replace --no-force-fullscreen
Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message with a timestamp of 0 for 0x3000008 ()
Window manager warning: meta_window_activate called by a pager with a 0 timestamp; the pager needs to be fixed.
[1]    153812 segmentation fault (core dumped)  marco --replace --no-force-fullscreen

epsilontheta commented 5 years ago

It seems to have some timing related behavior. I could always trigger it when I wait some time between closing guake and opening it again. Btw: I'm running guake in fullscreen mode.

epsilontheta commented 5 years ago

Also happened without --no-force-fullscreen.

marco --replace                      
Window manager warning: Treating resize request of legacy application 0xc0000d (Guake!) as a fullscreen request
Window manager warning: Treating resize request of legacy application 0xc0000d (Guake!) as a fullscreen request
Window manager warning: Treating resize request of legacy application 0xc0000d (Guake!) as a fullscreen request
Window manager warning: Treating resize request of legacy application 0xc0000d (Guake!) as a fullscreen request
Window manager warning: Treating resize request of legacy application 0xc0000d (Guake!) as a fullscreen request
Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message with a timestamp of 0 for 0x3000008 ()
Window manager warning: meta_window_activate called by a pager with a 0 timestamp; the pager needs to be fixed.
Window manager warning: last_user_time (1218739888) is greater than comparison timestamp (324285336).  This most likely represents a buggy client sending inaccurate timestamps in messages such as _NET_ACTIVE_WINDOW.  Trying to work around...
Window manager warning: 0x10117e6 (Panel Prop) appears to be one of the offending windows with a timestamp of 1218739888.  Working around...
Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message with a timestamp of 0 for 0x3000008 ()
Window manager warning: meta_window_activate called by a pager with a 0 timestamp; the pager needs to be fixed.
Window manager warning: Treating resize request of legacy application 0xc0000d (Guake!) as a fullscreen request
[1]    260742 segmentation fault (core dumped)  marco --replace

lukefromdc commented 5 years ago

I've seen plenty of Buggy client sent a _NET_ACTIVE_WINDOW message type warnings from various programs under both marco and compiz without causing a crash for years. I don't think the timestamp error did it. The last warning before the segfault was the Treating resize request of legacy application 0xc0000d (Guake!) as a fullscreen request warning so good chance that's where the problem is.

Try opening dconf-editor and setting org>mate>marco>disable-workarounds to TRUE and see if that makes any difference. If it's already set to TRUE try setting it to FALSE and see what happens. The reference to "legacy application" suggests this might be able to avoid the offending code on one setting or the other.

epsilontheta commented 5 years ago

After setting /org/mate/marco/general disable-workarounds to TRUE:

marco --replace
Window manager warning: Workarounds for broken applications disabled. Some applications may not behave properly.
Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message with a timestamp of 0 for 0x3000008 ()
Window manager warning: meta_window_activate called by a pager with a 0 timestamp; the pager needs to be fixed.
Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message with a timestamp of 0 for 0x3000008 ()
Window manager warning: meta_window_activate called by a pager with a 0 timestamp; the pager needs to be fixed.
Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message with a timestamp of 0 for 0x3000008 ()
Window manager warning: meta_window_activate called by a pager with a 0 timestamp; the pager needs to be fixed.
Window manager warning: last_user_time (1218739888) is greater than comparison timestamp (331128423).  This most likely represents a buggy client sending inaccurate timestamps in messages such as _NET_ACTIVE_WINDOW.  Trying to work around...
Window manager warning: 0x1014f7d (Run Applic) appears to be one of the offending windows with a timestamp of 1218739888.  Working around...
Window manager warning: last_user_time (1218739888) is greater than comparison timestamp (331129238).  This most likely represents a buggy client sending inaccurate timestamps in messages such as _NET_ACTIVE_WINDOW.  Trying to work around...
Window manager warning: 0x1015038 (Error) appears to be one of the offending windows with a timestamp of 1218739888.  Working around...
Window manager warning: last_user_time (1218739888) is greater than comparison timestamp (331164975).  This most likely represents a buggy client sending inaccurate timestamps in messages such as _NET_ACTIVE_WINDOW.  Trying to work around...
Window manager warning: 0x1015360 (Panel Prop) appears to be one of the offending windows with a timestamp of 1218739888.  Working around...
Window manager warning: last_user_time (1218739888) is greater than comparison timestamp (331175757).  This most likely represents a buggy client sending inaccurate timestamps in messages such as _NET_ACTIVE_WINDOW.  Trying to work around...
Window manager warning: 0x10155c6 (Panel Prop) appears to be one of the offending windows with a timestamp of 1218739888.  Working around...
Window manager warning: last_user_time (1218739888) is greater than comparison timestamp (331222106).  This most likely represents a buggy client sending inaccurate timestamps in messages such as _NET_ACTIVE_WINDOW.  Trying to work around...
Window manager warning: 0x1015de4 (About the ) appears to be one of the offending windows with a timestamp of 1218739888.  Working around...
Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message with a timestamp of 0 for 0x3000008 ()
Window manager warning: meta_window_activate called by a pager with a 0 timestamp; the pager needs to be fixed.
Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message with a timestamp of 0 for 0x3000008 ()
Window manager warning: meta_window_activate called by a pager with a 0 timestamp; the pager needs to be fixed.
[1]    265590 segmentation fault (core dumped)  marco --replace
Core was generated by `marco --replace'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f4d3729945a in meta_frame_calc_borders () from /usr/lib/libmarco-private.so.2
[Current thread is 1 (Thread 0x7f4d34590980 (LWP 266520))]
(gdb) bt
#0  0x00007f4d3729945a in meta_frame_calc_borders () at /usr/lib/libmarco-private.so.2
#1  0x00007f4d37287f01 in  () at /usr/lib/libmarco-private.so.2
#2  0x00007f4d37289ed5 in  () at /usr/lib/libmarco-private.so.2
#3  0x00007f4d3728aed2 in  () at /usr/lib/libmarco-private.so.2
#4  0x00007f4d37293c41 in  () at /usr/lib/libmarco-private.so.2
#5  0x00007f4d372dd815 in  () at /usr/lib/libmarco-private.so.2
#6  0x00007f4d3679858f in  () at /usr/lib/libgdk-3.so.0
#7  0x00007f4d367a2b94 in  () at /usr/lib/libgdk-3.so.0
#8  0x00007f4d367f7ceb in gdk_display_get_event () at /usr/lib/libgdk-3.so.0
#9  0x00007f4d367a28f4 in  () at /usr/lib/libgdk-3.so.0
#10 0x00007f4d371a63ae in g_main_context_dispatch () at /usr/lib/libglib-2.0.so.0
#11 0x00007f4d371a81c1 in  () at /usr/lib/libglib-2.0.so.0
#12 0x00007f4d371a90d3 in g_main_loop_run () at /usr/lib/libglib-2.0.so.0
#13 0x000055cddc8388c9 in main ()

muktupavels commented 5 years ago

Most likely regression from https://github.com/mate-desktop/marco/pull/518...

lukefromdc commented 5 years ago

Does this occur with marco from git master (assuming you can build and install it)? If it does not we have an issue with the cherrypicked commit needing something that isn't in 1.22

Safari77 commented 4 years ago

I started getting segfaults with 1.23.2, 1.23.1 worked OK. But with 1.23.1 I used compton (https://github.com/yshui/compton).

kernel: marco[1598146]: segfault at 2800013 ip 00007f1d9f5c4844 sp 00007ffc5b38de38 error 4 in libmarco-private.so.2.0.0[7f1d9f5a200068000]
systemd[1]: Started Process Core Dump (PID 1601647/UID 0).
...
(gdb) bt
#0  0x00007f1d9f5c4844 in meta_frame_get_frame_bounds (frame=0x2800013) at core/frame.c:411
#1  0x00007f1d9f5e7ded in meta_window_get_frame_bounds (window=0x564474ecc090) at core/window.c:8888
#2  0x00007f1d9f5b3ae0 in border_size (cw=0x564474c4bfd0) at compositor/compositor-xrender.c:1154
#3  0x00007f1d9f5b3ae0 in paint_windows
    (region=12868370, root_pixmap=<optimized out>, root_buffer=<optimized out>, windows=<optimized out>, screen=0x5644742fd900)
    at compositor/compositor-xrender.c:1420
#4  0x00007f1d9f5b3ae0 in paint_all (screen=screen@entry=0x5644742fd900, region=region@entry=12868370, b=<optimized out>)
    at compositor/compositor-xrender.c:1593
#5  0x00007f1d9f5b4c8e in repair_screen (screen=screen@entry=0x5644742fd900) at compositor/compositor-xrender.c:1620
#6  0x00007f1d9f5b6239 in xrender_present_complete (ce=<optimized out>, screen=0x5644742fd900) at compositor/compositor-xrender.c:2719
#7  0x00007f1d9f5b6239 in process_generic (compositor=0x56447433e700, compositor=0x56447433e700, event=0x7ffc5b38e2c0)
    at compositor/compositor-xrender.c:2743
#8  0x00007f1d9f5b6239 in xrender_process_event (compositor=0x56447433e700, event=0x7ffc5b38e2c0, window=<optimized out>)
    at compositor/compositor-xrender.c:3113
#9  0x00007f1d9f5becfa in event_callback (event=0x7ffc5b38e2c0, data=0x5644742ea190) at core/display.c:2696
#10 0x00007f1d9f608bb9 in filter_func (xevent=0x7ffc5b38e2c0, event=<optimized out>, data=<optimized out>) at ui/ui.c:223
#11 0x00007f1d9eaccfdf in gdk_event_apply_filters (xevent=xevent@entry=0x7ffc5b38e2c0, event=event@entry=0x7f1d8000c530, window=window@entry=0x0)
    at gdkeventsource.c:79
#12 0x00007f1d9eacd3ca in gdk_event_source_translate_event (xevent=0x7ffc5b38e2c0, event_source=0x56447428af20) at gdkeventsource.c:198
#13 0x00007f1d9eacd3ca in _gdk_x11_display_queue_events (display=0x5644742640e0 [GdkX11Display]) at gdkeventsource.c:341
#14 0x00007f1d9ea950f4 in gdk_display_get_event (display=display@entry=0x5644742640e0 [GdkX11Display]) at gdkdisplay.c:441
#15 0x00007f1d9eacd076 in gdk_event_source_dispatch (source=source@entry=0x56447428af20, callback=<optimized out>, user_data=<optimized out>)
    at gdkeventsource.c:363
#16 0x00007f1d9f4aa4a0 in g_main_dispatch (context=0x5644742436d0) at ../glib/gmain.c:3179
#17 0x00007f1d9f4aa4a0 in g_main_context_dispatch (context=context@entry=0x5644742436d0) at ../glib/gmain.c:3844
#18 0x00007f1d9f4aa830 in g_main_context_iterate (context=0x5644742436d0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>)
    at ../glib/gmain.c:3917
#19 0x00007f1d9f4aab23 in g_main_loop_run (loop=0x564474243ae0) at ../glib/gmain.c:4111
#20 0x00005644728dd243 in main ()
(gdb) p *frame
Cannot access memory at address 0x2800013
kernel: marco[676727]: segfault at f5 ip 00007f163e1037b4 sp 00007ffd8a040f98 error 4 in libcairo.so.2.11600.0[7f163e0af000+d1000]
kernel: Code: 41 5c c3 0f 1f 00 4c 89 e7 4c 8d 25 06 24 08 00 e8 31 ff ff ff eb e1 0f 1f 80 00 00 00 00 e9 23 fc ff ff 0f 1f 00 f3 
(gdb) bt
#0  0x00007f163e1037b4 in INT_cairo_region_num_rectangles (region=region@entry=0xf1) at cairo-region.c:451
#1  0x00007f163ed9e5ce in cairo_region_to_xserver_region (xdisplay=xdisplay@entry=0x55b98b3116b0, region=0xf1) at compositor/compositor-xrender.c:607
#2  0x00007f163eda0af4 in border_size (cw=0x55b98c4f3bc0) at compositor/compositor-xrender.c:1157
#3  0x00007f163eda0af4 in paint_windows
    (region=13043429, root_pixmap=<optimized out>, root_buffer=<optimized out>, windows=<optimized out>, screen=0x55b98b3a9800)
    at compositor/compositor-xrender.c:1420
#4  0x00007f163eda0af4 in paint_all (screen=screen@entry=0x55b98b3a9800, region=region@entry=13043429, b=<optimized out>)
    at compositor/compositor-xrender.c:1593
#5  0x00007f163eda1c8e in repair_screen (screen=screen@entry=0x55b98b3a9800) at compositor/compositor-xrender.c:1620
#6  0x00007f163eda3239 in xrender_present_complete (ce=<optimized out>, screen=0x55b98b3a9800) at compositor/compositor-xrender.c:2719
#7  0x00007f163eda3239 in process_generic (compositor=0x55b98b3fa310, compositor=0x55b98b3fa310, event=0x7ffd8a041480)
    at compositor/compositor-xrender.c:2743
#8  0x00007f163eda3239 in xrender_process_event (compositor=0x55b98b3fa310, event=0x7ffd8a041480, window=<optimized out>)
    at compositor/compositor-xrender.c:3113
#9  0x00007f163edabcfa in event_callback (event=0x7ffd8a041480, data=0x55b98b36cd50) at core/display.c:2696
#10 0x00007f163edf5bb9 in filter_func (xevent=0x7ffd8a041480, event=<optimized out>, data=<optimized out>) at ui/ui.c:223
#11 0x00007f163e2b9fdf in gdk_event_apply_filters (xevent=xevent@entry=0x7ffd8a041480, event=event@entry=0x55b98b34bca0, window=window@entry=0x0)
    at gdkeventsource.c:79
#12 0x00007f163e2ba3ca in gdk_event_source_translate_event (xevent=0x7ffd8a041480, event_source=0x55b98b34dab0) at gdkeventsource.c:198
#13 0x00007f163e2ba3ca in _gdk_x11_display_queue_events (display=0x55b98b3280e0 [GdkX11Display]) at gdkeventsource.c:341
#14 0x00007f163e2820f4 in gdk_display_get_event (display=display@entry=0x55b98b3280e0 [GdkX11Display]) at gdkdisplay.c:441
#15 0x00007f163e2ba076 in gdk_event_source_dispatch (source=source@entry=0x55b98b34dab0, callback=<optimized out>, user_data=<optimized out>)
    at gdkeventsource.c:363
#16 0x00007f163ec974a0 in g_main_dispatch (context=0x55b98b3096d0) at ../glib/gmain.c:3179
#17 0x00007f163ec974a0 in g_main_context_dispatch (context=context@entry=0x55b98b3096d0) at ../glib/gmain.c:3844
#18 0x00007f163ec97830 in g_main_context_iterate (context=0x55b98b3096d0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>)
    at ../glib/gmain.c:3917
#19 0x00007f163ec97b23 in g_main_loop_run (loop=0x55b98b309ae0) at ../glib/gmain.c:4111
#20 0x000055b98a8f1243 in main ()
(gdb) frame 2
#2  0x00007f163eda0af4 in border_size (cw=0x55b98c4f3bc0) at compositor/compositor-xrender.c:1157
1157            visible = cairo_region_to_xserver_region (xdisplay, visible_region);
(gdb) p *cw
$4 = {screen = 0x55b98b3a9800, window = 0x55b98c32c790, id = 13033753, attrs = {x = -20, y = 28, width = 980, height = 1452, border_width = 0, 
    depth = 24, visual = 0x55b98b320ac8, root = 1255, class = 1, bit_gravity = 1, win_gravity = 1, backing_store = 0, backing_planes = 4294967295, 
    backing_pixel = 0, save_under = 0, colormap = 12582926, map_installed = 0, map_state = 2, all_event_masks = 16417020, 
    your_event_mask = 12222716, do_not_propagate_mask = 0, override_redirect = 0, screen = 0x55b98b312ac0}, back_pixmap = 13035215, 
  shaded_back_pixmap = 0, mode = 0, damaged = 1, shaped = 0, shape_bounds = {x = -20, y = 28, width = 980, height = 1452}, 
  type = META_COMP_WINDOW_NORMAL, damage = 13033772, picture = 13035216, alpha_pict = 0, needs_shadow = 1, shadow_type = META_SHADOW_MEDIUM, 
  shadow_pict = 0, border_size = 0, extents = 13043457, shadow = 13043453, shadow_dx = 11, shadow_dy = 13, shadow_width = 958, shadow_height = 1430, 
  opacity = 4294967295, border_clip = 0, updates_frozen = 0, update_pending = 0}
(gdb) 

Could be also libXext (XShapeCombineRectangles) bug, but who knows. https://gitlab.gnome.org/GNOME/gtk/issues/2286
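
Added example (not part of the original comment or of marco's code): a small Python decoder for the kernel "segfault at ..." lines quoted in this comment. It reads the x86 page-fault error code and, where the mapping is printed as base+size, computes the instruction pointer's offset inside that mapping. The function and class names are illustrative.

```python
import re
from dataclasses import dataclass
from typing import Optional

PAGE_SIZE = 4096

# The two kernel lines as they appear in this thread (split only for line length).
SAMPLES = [
    "kernel: marco[1598146]: segfault at 2800013 ip 00007f1d9f5c4844 sp 00007ffc5b38de38 "
    "error 4 in libmarco-private.so.2.0.0[7f1d9f5a200068000]",
    "kernel: marco[676727]: segfault at f5 ip 00007f163e1037b4 sp 00007ffd8a040f98 "
    "error 4 in libcairo.so.2.11600.0[7f163e0af000+d1000]",
]

# All numeric fields except the PID are printed in hex by the kernel.
# The trailing "in module[base+size]" part is optional so that a line whose
# mapping field cannot be parsed still yields the fault address and error code.
SEGV_RE = re.compile(
    r"(?P<comm>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp [0-9a-f]+ error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<module>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)


@dataclass
class Fault:
    comm: str
    pid: int
    addr: int
    ip: int
    error: int
    module: Optional[str]
    base: Optional[int]
    size: Optional[int]

    @property
    def access(self) -> str:
        """Decode the x86 page-fault error code bits (P, W/R, U/S, I/D)."""
        e = self.error
        mode = "user-mode" if e & 0x4 else "kernel-mode"
        kind = "instruction fetch" if e & 0x10 else ("write" if e & 0x2 else "read")
        why = "protection violation" if e & 0x1 else "page not present"
        return f"{mode} {kind}, {why}"

    @property
    def ip_offset(self) -> Optional[int]:
        """Offset of ip inside the printed mapping, if ip really lies in it.

        The kernel prints the start of the VMA containing ip, which is not
        necessarily the library's load base; add that mapping's file offset
        before feeding the value to addr2line or objdump.
        """
        if self.base is None or self.size is None:
            return None
        if not (self.base <= self.ip < self.base + self.size):
            return None
        return self.ip - self.base

    @property
    def near_null(self) -> bool:
        """True when the fault address lies in the first page of memory."""
        return self.addr < PAGE_SIZE


def parse_segfault(line: str) -> Optional[Fault]:
    m = SEGV_RE.search(line)
    if m is None:
        return None
    hexval = lambda name: int(m[name], 16) if m[name] is not None else None
    return Fault(
        comm=m["comm"], pid=int(m["pid"]), addr=hexval("addr"), ip=hexval("ip"),
        error=hexval("err"), module=m["module"], base=hexval("base"), size=hexval("size"),
    )


def triage(line: str) -> Optional[str]:
    """One-line summary of a kernel segfault message, or None if it is not one."""
    f = parse_segfault(line)
    if f is None:
        return None
    if f.ip_offset is not None:
        where = f"{f.module}+{f.ip_offset:#x} (offset into the printed mapping)"
    else:
        where = "no parseable base+size mapping, offset not computed"
    kind = ("first-page address (NULL or small-integer pointer plus a field offset)"
            if f.near_null else "unmapped address")
    return f"{f.comm}[{f.pid}]: {f.access} at {f.addr:#x}, {kind}; ip: {where}"


if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```

For the second line the fault address 0xf5 is four bytes past the region=0xf1 value gdb shows in frame #0 of the matching backtrace.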

Safari77 commented 4 years ago

segfault triggered when I just exit mupdf-gl.

klingtnet commented 4 years ago

I can confirm this issue using tilix in drop-down mode:

$ mate-session --version 
mate-session 1.22.3
Jan 16 13:21:32 m604 systemd-coredump[87154]: Process 86943 (marco) of user 1000 dumped core.

Stack trace of thread 86943:
#0  0x00007fc0aaa113fa meta_frame_calc_borders (libmarco-private.so.2 + 0x383fa)
#1  0x00007fc0aa9ffef1 n/a (libmarco-private.so.2 + 0x26ef1)
#2  0x00007fc0aaa023fc n/a (libmarco-private.so.2 + 0x293fc)
#3  0x00007fc0aaa34be7 meta_window_notify_focus (libmarco-private.so.2 + 0x5bbe7)
#4  0x00007fc0aaa0cbb5 n/a (libmarco-private.so.2 + 0x33bb5)
#5  0x00007fc0aaa56025 n/a (libmarco-private.so.2 + 0x7d025)
#6  0x00007fc0a9f0a58f n/a (libgdk-3.so.0 + 0x3758f)
#7  0x00007fc0a9f14cb7 n/a (libgdk-3.so.0 + 0x41cb7)
#8  0x00007fc0a9f69d8b gdk_display_get_event (libgdk-3.so.0 + 0x96d8b)
#9  0x00007fc0a9f148f4 n/a (libgdk-3.so.0 + 0x418f4)
#10 0x00007fc0aa91e39e g_main_context_dispatch (libglib-2.0.so.0 + 0x6a39e)
#11 0x00007fc0aa9201b1 n/a (libglib-2.0.so.0 + 0x6c1b1)
#12 0x00007fc0aa9210c3 g_main_loop_run (libglib-2.0.so.0 + 0x6d0c3)
#13 0x0000559ef3b018c9 main (marco + 0x28c9)
#14 0x00007fc0aa6f2153 __libc_start_main (libc.so.6 + 0x27153)
#15 0x0000559ef3b01d1e n/a (marco + 0x2d1e)

Stack trace of thread 86955:
#0  0x00007fc0aa7bf9ef __poll (libc.so.6 + 0xf49ef)
#1  0x00007fc0aa920120 n/a (libglib-2.0.so.0 + 0x6c120)
#2  0x00007fc0aa9201f1 g_main_context_iteration (libglib-2.0.so.0 + 0x6c1f1)
#3  0x00007fc0aaad7e5e n/a (libdconfsettings.so + 0x4e5e)
#4  0x00007fc0aa8fcbb1 n/a (libglib-2.0.so.0 + 0x48bb1)
#5  0x00007fc0aa89b4cf start_thread (libpthread.so.0 + 0x94cf)
#6  0x00007fc0aa7ca2d3 __clone (libc.so.6 + 0xff2d3)

Stack trace of thread 86956:
#0  0x00007fc0aa7bf9ef __poll (libc.so.6 + 0xf49ef)
#1  0x00007fc0aa920120 n/a (libglib-2.0.so.0 + 0x6c120)
#2  0x00007fc0aa9210c3 g_main_loop_run (libglib-2.0.so.0 + 0x6d0c3)
#3  0x00007fc0a9ba9bc8 n/a (libgio-2.0.so.0 + 0x59bc8)
#4  0x00007fc0aa8fcbb1 n/a (libglib-2.0.so.0 + 0x48bb1)
#5  0x00007fc0aa89b4cf start_thread (libpthread.so.0 + 0x94cf)
#6  0x00007fc0aa7ca2d3 __clone (libc.so.6 + 0xff2d3)

Stack trace of thread 86953:
#0  0x00007fc0aa7bf9ef __poll (libc.so.6 + 0xf49ef)
#1  0x00007fc0aa920120 n/a (libglib-2.0.so.0 + 0x6c120)
#2  0x00007fc0aa9201f1 g_main_context_iteration (libglib-2.0.so.0 + 0x6c1f1)
#3  0x00007fc0aa920242 n/a (libglib-2.0.so.0 + 0x6c242)
#4  0x00007fc0aa8fcbb1 n/a (libglib-2.0.so.0 + 0x48bb1)
#5  0x00007fc0aa89b4cf start_thread (libpthread.so.0 + 0x94cf)
#6  0x00007fc0aa7ca2d3 __clone (libc.so.6 + 0xff2d3)

I wanted to try marco from master but could not start it because some configuration key is missing:

$ ./src/marco --replace

(lt-marco:126990): GLib-GIO-ERROR **: 13:43:11.768: Settings schema 'org.mate.Marco.general' does not contain a key named 'allow-tile-cycling'
zsh: trace trap (core dumped)  ./src/marco --replace

lukefromdc commented 4 years ago

You need to recompile schemas after installing if you built with --disable-schemas-compile for any reason. This also could come from an incomplete installation or trying to run the built binary in place while an older version of Marco with a different version of that schema (compilable configuration file) remains installed.

joakim-tjernlund commented 4 years ago

We also see random SEGV in marco(1.22.4) like below, not sure how to trigger but seems like closing an app may do it.


Reading symbols from /usr/bin/marco...
(No debugging symbols found in /usr/bin/marco)
[New LWP 5928]
[New LWP 5936]
[New LWP 5932]
[New LWP 5930]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `marco'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f374b552380 in meta_frame_calc_borders () from /usr/lib64/libmarco-private.so.2
[Current thread is 1 (Thread 0x7f3745745000 (LWP 5928))]
(gdb) bt full
#0  0x00007f374b552380 in meta_frame_calc_borders () at /usr/lib64/libmarco-private.so.2
#1  0x00007f374b54148e in  () at /usr/lib64/libmarco-private.so.2
#2  0x00007f374b5433f2 in  () at /usr/lib64/libmarco-private.so.2
#3  0x00007f374b5443d1 in  () at /usr/lib64/libmarco-private.so.2
#4  0x00007f374b54cd47 in  () at /usr/lib64/libmarco-private.so.2
#5  0x00007f374b595315 in  () at /usr/lib64/libmarco-private.so.2
#6  0x00007f374a68d4bf in  () at /usr/lib64/libgdk-3.so.0
#7  0x00007f374a68d789 in  () at /usr/lib64/libgdk-3.so.0
#8  0x00007f374a656a10 in gdk_display_get_event () at /usr/lib64/libgdk-3.so.0
#9  0x00007f374a68d552 in  () at /usr/lib64/libgdk-3.so.0
#10 0x00007f374b4436ce in g_main_dispatch (context=0x55da593923a0) at ../glib-2.60.7/glib/gmain.c:3189
        dispatch = 0x7f374a68d540
        prev_source = 0x0
        was_in_call = 0
        user_data = 0x0
        callback = 0x0
        cb_funcs = <optimized out>
        cb_data = <optimized out>
        need_destroy = <optimized out>
        source = 0x55da593c3340
        current = 0x55da594131a0
        i = 0
        __FUNCTION__ = "g_main_dispatch"
#11 0x00007f374b4436ce in g_main_context_dispatch (context=context@entry=0x55da593923a0)
    at ../glib-2.60.7/glib/gmain.c:3854
#12 0x00007f374b443968 in g_main_context_iterate
    (context=0x55da593923a0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>)
    at ../glib-2.60.7/glib/gmain.c:3927
        max_priority = 0
        timeout = 0
        some_ready = 1
        nfds = <optimized out>
        allocated_nfds = 4
        fds = 0x55da596559f0
#13 0x00007f374b443c62 in g_main_loop_run (loop=0x55da59392bd0) at ../glib-2.60.7/glib/gmain.c:4123
        __FUNCTION__ = "g_main_loop_run"
#14 0x000055da58d46d76 in main ()

rcaridade145 commented 4 years ago

The last warning before the segfault was the Treating resize request of legacy application 0xc0000d (Guake!) as a fullscreen request

@lukefromdc Does PR #581 help here?

lukefromdc commented 4 years ago

I do not know, as I have never once seen this segfault on my system. That said, I am normally running compiz (with marco providing the decorations for gtk-window-decorator) and only running marco itself for short periods while testing changes to it, or testing experimental compiz builds.

Safari77 commented 4 years ago

@lukefromdc because the bug happens only when marco is compositing-manager.

lukefromdc commented 4 years ago

My test was with marco set for compositing, which my GTK theme does not look good without

monsta commented 4 years ago

I just had it in 1.22.4. Both backtraces in https://github.com/mate-desktop/marco/issues/559#issuecomment-565549185 mention border_size function in compositor-xrender.c:

  if (cw->window)
    {
      visible_region = meta_window_get_frame_bounds (cw->window);

      if (visible_region)
        visible = cairo_region_to_xserver_region (xdisplay, visible_region);
    }

Here frame argument points to invalid address:

#0  0x00007f1d9f5c4844 in meta_frame_get_frame_bounds (frame=0x2800013) at core/frame.c:411

Here region argument points to invalid address:

#1  0x00007f163ed9e5ce in cairo_region_to_xserver_region (xdisplay=xdisplay@entry=0x55b98b3116b0, region=0xf1) at compositor/compositor-xrender.c:607

This is really from #518. @vkareh: can you please look at it?

monsta commented 4 years ago

Everybody else with the crash in meta_frame_calc_borders: you'll need to install the debug symbols packages for marco and libmarco-private, otherwise the backtrace is incomplete...

rcaridade145 commented 4 years ago

@vkareh @rbuj Can you please take a look at https://gitlab.gnome.org/GNOME/metacity/commit/5ac3277b965366bb7c0fd57cee82d4c166b0fdf3 and https://gitlab.gnome.org/GNOME/metacity/commit/e1231d85e656fc8a566002f0b9e848c83e348d8d . It introduces

First renames border_size to window_region and the second one:

if (cw->window_region != None)

So the offending code is never called.

vkareh commented 4 years ago

To add those commits, I need to follow this order:

  1. https://gitlab.gnome.org/GNOME/metacity/commit/aa7a2578
  2. https://gitlab.gnome.org/GNOME/metacity/commit/5ac3277b
  3. https://gitlab.gnome.org/GNOME/metacity/commit/59819563
  4. https://gitlab.gnome.org/GNOME/metacity/commit/e1231d85

Unfortunately, the first commit in the series leaves an ugly black border around windows, where the invisible border should be. I'm not quite sure how to fix that yet... :(

vkareh commented 4 years ago

Like this: Screenshot at 2020-02-07 15-25-06

rcaridade145 commented 4 years ago

@vkareh The only reference I can find on gitlab is https://gitlab.gnome.org/GNOME/metacity/commit/0f2e32d15f593fc69414aa5fdaf166d83f6eeb0b

An ARGB window with a frame is likely something like a transparent terminal. It looks awful (and breaks transparency) to draw a big opaque black shadow under the window

https://gitlab.gnome.org/search?project_id=1708&repository_ref=master&scope=commits&search=ARGB&snippets=

raveit65 commented 4 years ago

I got some redhat bugzilla reports with similar stacktraces. https://bugzilla.redhat.com/show_bug.cgi?id=1785157 https://bugzilla.redhat.com/show_bug.cgi?id=1787130

Version-Release number of selected component:
marco-1.22.4-1.fc30

Additional info:
reporter:       libreport-2.11.3
backtrace_rating: 3
cmdline:        marco
crash_function: meta_frame_calc_borders
executable:     /usr/bin/marco
journald_cursor: s=5f707054fc564ab5ae2f7bb3db452475;i=34f18;b=64b1c42851f44ef8a2c52df61be9273d;m=28c778301f;t=59a0a62487cd0;x=b06d76914ebac47d
kernel:         5.3.15-200.fc30.x86_64
rootdir:        /
runlevel:       N 5
type:           CCpp
uid:            1000
xsession_errors: 

Truncated backtrace:
Thread no. 1 (10 frames)
 #0 meta_frame_calc_borders at core/frame.c:320
 #1 win_extents at compositor/compositor-xrender.c:1094
 #2 resize_win at compositor/compositor-xrender.c:2308
 #3 process_configure_notify at compositor/compositor-xrender.c:2410
 #4 xrender_process_event at compositor/compositor-xrender.c:3081
 #5 event_callback at core/display.c:2614
 #6 filter_func at ui/ui.c:223
 #7 gdk_event_apply_filters at gdkeventsource.c:79
 #8 gdk_event_source_translate_event at gdkeventsource.c:198
 #9 _gdk_x11_display_queue_events at gdkeventsource.c:341

You will find the full stack traces in the reports.