Byzantium - phoc 0.7.0 crash with small diagnosis
I'm able to crash phoc 0.7.0 in regular use, with my software misbehaving, and with this specific backtrace:
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/usr/bin/phoc -C /usr/share/phosh/phoc.ini -E bash -lc 'gnome-session --builtin'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00007f335f904490 in wl_event_loop_dispatch (loop=0x55ef803cd000, timeout=timeout@entry=0) at ../src/event-loop.c:1027
[Current thread is 1 (Thread 0x7f335b650f40 (LWP 508))]
#0 0x00007f335f904490 in wl_event_loop_dispatch (loop=0x55ef803cd000, timeout=timeout@entry=0) at ../src/event-loop.c:1027
#1 0x000055ef80229277 in wayland_event_source_dispatch (base=<optimized out>, callback=<optimized out>, data=<optimized out>) at ../src/server.c:42
#2 0x00007f335fba3e6b in g_main_context_dispatch () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#3 0x00007f335fba4118 in () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#4 0x00007f335fba440b in g_main_loop_run () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#5 0x000055ef80228fcc in main (argc=<optimized out>, argv=<optimized out>) at ../src/main.c:137
I have already seen this crash with the previous version, so I decided to clone the wayland project (HEAD on commit d224e6c, after tag 1.19.0) and tried to find out why it crashes at line 1027 of the src/event-loop.c file:
if (source->fd != -1) {
source->interface->dispatch(source, &ep[i]);
I added these traces:
/* needs <fcntl.h>, <unistd.h>, <stdio.h> and <inttypes.h> at the top of event-loop.c */
if (source->fd != -1) {
	/* O_CREAT requires a mode argument; O_APPEND so each open does not overwrite the previous record */
	int fd = open("/log/server.log", O_CREAT | O_WRONLY | O_APPEND, 0644);
	if (fd >= 0) {	/* 0 is a valid descriptor */
		dprintf(fd, "[%d/%d] source : '%p'\n", i, count, (void *)source);
		dprintf(fd, " - ep.events : '%u'\n", ep[i].events);
		dprintf(fd, " - ep.data.ptr : '%p'\n", ep[i].data.ptr);
		dprintf(fd, " - ep.data.fd : '%d'\n", ep[i].data.fd);
		dprintf(fd, " - ep.data.u32 : '%u'\n", ep[i].data.u32);
		dprintf(fd, " - ep.data.u64 : '%" PRIu64 "'\n", ep[i].data.u64);	/* portable 64-bit format */
		dprintf(fd, " - source->interface : '%p'\n", (const void *)source->interface);
		dprintf(fd, " - source->interface->dispatch : '%p'\n", (void *)source->interface->dispatch);
		close(fd);
	}
	source->interface->dispatch(source, &ep[i]);
}
After compiling, while in use, I get this kind of output when everything is OK:
[0/1] source : '0x564d90983690'
- ep.events : '1'
- ep.data.ptr : '0x564d90983690'
- ep.data.fd : '-1869072752'
- ep.data.u32 : '2425894544'
- ep.data.u64 : '94891138365072'
- source->interface : '0x7f2b977b9650'
- source->interface->dispatch : '0x7f2b977ad580'
And this kind of output when I made it crash again:
[0/4] source : '0x560b34f54e00'
- ep.events : '17'
- ep.data.ptr : '0x560b34f54e00'
- ep.data.fd : '888491520'
- ep.data.u32 : '888491520'
- ep.data.u64 : '94606133120512'
- source->interface : '0x560b3518d210'
- source->interface->dispatch : '0x30'
So it seems that somewhere (EPOLLIN | EPOLLHUP) is put into ep.events, and source->interface (not in the same address range) or source->interface->dispatch is set to an invalid value.
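The pattern of values above (ep.data.ptr still equals source, but source->interface points into the heap instead of the library and dispatch reads as 0x30) is what a dispatch loop shows when a source object was freed and its memory reused while the batch of ready events still referenced it. The example below is added here and is not wayland or phoc code: it is a minimal poll()-based event loop, with hypothetical names (struct source, source_remove, loop_dispatch), that keeps a snapshot of ready sources like the ep[] array and shows the two halves of the defence that the `source->fd != -1` guard at event-loop.c:1027 belongs to: removal poisons fd to -1 and parks the object on a destroy list, and freeing happens only after the batch has been walked. The callback of source A removes source B while B is ready in the same round; B is then skipped instead of being dispatched through a dead object.

```c
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MAX_SOURCES 8

struct loop;
struct source {
    int fd;                                   /* poisoned to -1 on removal */
    int (*dispatch)(struct source *s, short revents);
    struct loop *loop;
    struct source *other;                     /* sibling this callback removes (demo only) */
    int *hits;                                /* caller-owned dispatch counter */
    struct source *next_destroy;              /* link in the deferred-destroy list */
};
struct loop {
    struct source *sources[MAX_SOURCES];
    int n;
    struct source *destroy_list;              /* removed, not yet freed */
};

struct source *source_add(struct loop *l, int fd,
                          int (*dispatch)(struct source *, short), int *hits)
{
    if (l->n >= MAX_SOURCES) return NULL;
    struct source *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->fd = fd; s->dispatch = dispatch; s->loop = l; s->hits = hits;
    l->sources[l->n++] = s;
    return s;
}

/* Safe to call from inside a callback: the fd is closed and set to -1 and the
 * struct is parked on destroy_list; it is freed only after the current batch. */
void source_remove(struct source *s)
{
    struct loop *l = s->loop;
    for (int i = 0; i < l->n; i++)
        if (l->sources[i] == s) { l->sources[i] = l->sources[--l->n]; break; }
    if (s->fd != -1) { close(s->fd); s->fd = -1; }
    s->next_destroy = l->destroy_list;
    l->destroy_list = s;
}

void process_destroy_list(struct loop *l)
{
    for (struct source *s = l->destroy_list, *next; s; s = next) { next = s->next_destroy; free(s); }
    l->destroy_list = NULL;
}

/* One round: poll all active sources, dispatch the ready ones, then free what was
 * removed. batch[] plays the role of wayland's ep[] array: it still points at
 * sources removed earlier in the same round, so the fd guard is what stops the
 * loop from reading a callback pointer out of a dead object. */
int loop_dispatch(struct loop *l, int timeout_ms)
{
    struct pollfd pfds[MAX_SOURCES];
    struct source *batch[MAX_SOURCES];
    int count = l->n, dispatched = 0;
    for (int i = 0; i < count; i++) {
        batch[i] = l->sources[i];
        pfds[i].fd = batch[i]->fd; pfds[i].events = POLLIN; pfds[i].revents = 0;
    }
    if (poll(pfds, count, timeout_ms) < 0) return -1;
    for (int i = 0; i < count; i++) {
        struct source *s = batch[i];
        if (pfds[i].revents == 0) continue;
        if (s->fd != -1) {                    /* the guard at event-loop.c:1027 */
            s->dispatch(s, pfds[i].revents);
            dispatched++;
        }
    }
    process_destroy_list(l);                  /* freeing is safe only here */
    return dispatched;
}

/* Demo callback: consume one byte, then remove the sibling source. */
static int drain_and_remove_other(struct source *s, short revents)
{
    char c; (void)revents;
    if (read(s->fd, &c, 1) != 1) return -1;
    (*s->hits)++;
    if (s->other) { source_remove(s->other); s->other = NULL; }
    return 0;
}

/* Two readable pipes (constructed input); A's callback removes B while B is ready
 * in the same batch. Returns the number of callbacks run (1: B is skipped), and
 * *hits_a / *hits_b receive each callback's run count. */
int demo_sibling_removed_mid_batch(int *hits_a, int *hits_b)
{
    struct loop l; memset(&l, 0, sizeof l);
    int pa[2], pb[2];
    if (pipe(pa) < 0 || pipe(pb) < 0) return -1;
    *hits_a = 0; *hits_b = 0;
    struct source *a = source_add(&l, pa[0], drain_and_remove_other, hits_a);
    struct source *b = source_add(&l, pb[0], drain_and_remove_other, hits_b);
    a->other = b;
    if (write(pa[1], "x", 1) != 1 || write(pb[1], "x", 1) != 1) return -1;
    int n = loop_dispatch(&l, 0);
    source_remove(a); process_destroy_list(&l);   /* tidy up */
    close(pa[1]); close(pb[1]);
    return n;
}

int main(void)
{
    int ha, hb;
    int n = demo_sibling_removed_mid_batch(&ha, &hb);
    printf("dispatched=%d hits_a=%d hits_b=%d\n", n, ha, hb);
    return n == 1 ? 0 : 1;
}
```

If a caller frees a source object directly (or through a path that does not go via the loop's removal routine) while a batch is in flight, the guard cannot help: fd is read from freed memory and the interface pointer is whatever the allocator has since placed there, which matches the heap-range interface and 0x30 dispatch value in the crashing trace. When chasing this kind of bug, running the compositor under AddressSanitizer or valgrind points at the free, which the dprintf trace cannot.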