Created attachment 8508 xfwm4.txt I got this backtrace a few times in the last days, with master at that day: $ coredumpctl list | grep xfwm4 Wed 2019-04-10 15:31:17 CEST 2327 1000 100 5 missing /usr/bin/xfwm4 Wed 2019-04-17 11:34:14 CEST 6368 1000 100 11 missing /usr/bin/xfwm4 Tue 2019-04-30 21:39:39 CEST 2223 1000 100 11 missing /usr/bin/xfwm4 Wed 2019-05-01 12:16:47 CEST 2241 1000 100 5 missing /usr/bin/xfwm4 Fri 2019-05-03 07:59:04 CEST 2500 1000 100 11 missing /usr/bin/xfwm4 Fri 2019-05-10 11:20:15 CEST 2455 1000 100 11 present /usr/bin/xfwm4 Fri 2019-05-10 16:23:12 CEST 2215 1000 100 11 present /usr/bin/xfwm4 Program terminated with signal SIGSEGV, Segmentation fault. #0 __strchr_avx2 () at ../sysdeps/x86_64/multiarch/strchr-avx2.S:57 57 vmovdqu (%rdi), %ymm8 [Current thread is 1 (Thread 0x7f4a44903f00 (LWP 2215))] (gdb) bt #0 0x00007f4a4036da58 in __strchr_avx2 () at ../sysdeps/x86_64/multiarch/strchr-avx2.S:57 #1 0x00005631e347f600 in frameDrawWin (c=c@entry=0x5631e4738c00) at frame.c:1071 #2 0x00005631e3480aee in update_frame_idle_cb (data=data@entry=0x5631e4738c00) at frame.c:1330 (gdb) disassemble $pc Dump of assembler code for function __strchr_avx2: 0x00007f4a4036da40 <+0>: mov %edi,%ecx 0x00007f4a4036da42 <+2>: vmovd %esi,%xmm0 0x00007f4a4036da46 <+6>: vpxor %xmm9,%xmm9,%xmm9 0x00007f4a4036da4b <+11>: vpbroadcastb %xmm0,%ymm0 0x00007f4a4036da50 <+16>: and $0x3f,%ecx 0x00007f4a4036da53 <+19>: cmp $0x20,%ecx 0x00007f4a4036da56 <+22>: ja 0x7f4a4036da90 <__strchr_avx2+80> => 0x00007f4a4036da58 <+24>: vmovdqu (%rdi),%ymm8 (gdb) info registers rax 0x0 0 rbx 0x5631e4738c00 94772286163968 rcx 0x0 0 rdx 0x0 0 rsi 0x4f 79 rdi 0x4c0 1216 rbp 0x5631e34a25f8 0x5631e34a25f8 rsp 0x7ffc8c37feb8 0x7ffc8c37feb8 r8 0x1f52 8018 r9 0x6 6 r10 0x20 32 r11 0x33 51 r12 0x0 0 r13 0x0 0 r14 0x7f4a405c9108 139956884115720 r15 0x5631e4848d70 94772287278448 rip 0x7f4a4036da58 0x7f4a4036da58 <__strchr_avx2+24> eflags 0x10283 [ CF SF IF RF ] cs 0x33 51 ss 0x2b 43 ds 0x0 0 es 0x0 0 
fs 0x0 0 gs 0x0 0 Odd that it went into strchr anyway; it looks like it just calculated the pointer (rdi = 0x4c0, presumably the NULL params pointer plus the button_layout field offset) and passed it on to strchr: (gdb) down #1 0x00005631e347f600 in frameDrawWin (c=c@entry=0x5631e4738c00) at frame.c:1071 1071 if ((!b) || !strchr (screen_info->params->button_layout, b)) (gdb) p screen_info $3 = (ScreenInfo *) 0x7f4a405c9108 <main_arena+1256> (gdb) p screen_info->params $4 = (XfwmParams *) 0x0 openSUSE Leap 15.0, all packages run git.xfce.org#master. Unclear what action triggers it.
Weird. Can you please post the content of: (gdb) f 1 (gdb) p *c (gdb) p *screen_info
(gdb) f 1 #1 0x00005631e347f600 in frameDrawWin (c=c@entry=0x5631e4738c00) at frame.c:1071 1071 if ((!b) || !strchr (screen_info->params->button_layout, b)) (gdb) p *c $1 = {screen_info = 0x7f4a405c9108 <main_arena+1256>, window = 139956884115720, frame = 94772286163952, transient_for = 94772286163952, user_time_win = 48239516, cmap_windows = 0x0, title = {screen_info = 0x5631e438f0b0, visual = 0x5631e40a4c60, pict_format = 0x5631e41f7ff0, depth = 24, window = 0, x = 8, y = 0, width = 314, height = 29, map = 0}, sides = {{ screen_info = 0x5631e438f0b0, visual = 0x5631e40a4c60, pict_format = 0x5631e41f7ff0, depth = 24, window = 0, x = 0, y = 29, width = 5, height = 189, map = 0}, { screen_info = 0x5631e438f0b0, visual = 0x5631e40a4c60, pict_format = 0x5631e41f7ff0, depth = 24, window = 0, x = 325, y = 29, width = 5, height = 189, map = 0}, { screen_info = 0x5631e438f0b0, visual = 0x5631e40a4c60, pict_format = 0x5631e41f7ff0, depth = 24, window = 0, x = 8, y = 0, width = 314, height = 1, map = 0}, { screen_info = 0x5631e438f0b0, visual = 0x5631e40a4c60, pict_format = 0x5631e41f7ff0, depth = 24, window = 0, x = 16, y = 229, width = 298, height = 5, map = 0}}, corners = {{ screen_info = 0x5631e438f0b0, visual = 0x5631e40a4c60, pict_format = 0x5631e41f7ff0, depth = 24, window = 0, x = 0, y = 218, width = 16, height = 16, map = 0}, { screen_info = 0x5631e438f0b0, visual = 0x5631e40a4c60, pict_format = 0x5631e41f7ff0, depth = 24, window = 0, x = 314, y = 218, width = 16, height = 16, map = 0}, { screen_info = 0x5631e438f0b0, visual = 0x5631e40a4c60, pict_format = 0x5631e41f7ff0, depth = 24, window = 0, x = 0, y = 0, width = 8, height = 29, map = 0}, { screen_info = 0x5631e438f0b0, visual = 0x5631e40a4c60, pict_format = 0x5631e41f7ff0, depth = 24, window = 0, x = 322, y = 0, width = 8, height = 29, map = 0}}, buttons = {{ screen_info = 0x5631e438f0b0, visual = 0x5631e40a4c60, pict_format = 0x5631e41f7ff0, depth = 24, window = 0, x = 5, y = 0, width = 22, height = 29, map = 
0}, { screen_info = 0x5631e438f0b0, visual = 0x5631e40a4c60, pict_format = 0x5631e41f7ff0, depth = 24, window = 0, x = 0, y = 0, width = 1, height = 1, map = 0}, { screen_info = 0x5631e438f0b0, visual = 0x5631e40a4c60, pict_format = 0x5631e41f7ff0, depth = 24, window = 0, x = 0, y = 0, width = 1, height = 1, map = 0}, { screen_info = 0x5631e438f0b0, visual = 0x5631e40a4c60, pict_format = 0x5631e41f7ff0, depth = 24, window = 0, x = 258, y = 0, width = 21, height = 29, map = 0}, { screen_info = 0x5631e438f0b0, visual = 0x5631e40a4c60, pict_format = 0x5631e41f7ff0, depth = 24, window = 0, x = 281, y = 0, width = 21, height = 29, map = 0}, { screen_info = 0x5631e438f0b0, visual = 0x5631e40a4c60, pict_format = 0x5631e41f7ff0, depth = 24, window = 0, x = 304, y = 0, width = 21, height = 29, map = 0}}, client_leader = 48234497, group_leader = 48234497, appmenu = {{screen_info = 0x5631e438f0b0, pixmap = 0, mask = 0, pict_format = 0x5631e41f7ff0, pict = 0, width = 0, height = 0}, { screen_info = 0x5631e438f0b0, pixmap = 0, mask = 0, pict_format = 0x5631e41f7ff0, pict = 0, width = 0, height = 0}, {screen_info = 0x5631e438f0b0, pixmap = 0, mask = 0, pict_format = 0x5631e41f7ff0, pict = 0, width = 0, height = 0}, {screen_info = 0x5631e438f0b0, pixmap = 0, mask = 0, pict_format = 0x5631e41f7ff0, pict = 0, width = 0, height = 0}}, cmap = 34, win_layer = 4, serial = 44, initial_layer = 4, type_atom = 368, visual = 0x5631e40a4c60, size = 0x5631e4848b10, wmhints = 0x5631e48c2a80, class = { res_name = 0x5631e4806510 "\220\070\204\344\061V", res_class = 0x5631e47d28a0 "\240Ɣ\344\061V"}, next = 0x5631e47dd980, prev = 0x5631e4837a10, mwm_hints = 0x0, type = WINDOW_NORMAL, x = 795, y = 423, width = 320, height = 200, depth = 24, border_width = 0, gravity = 1, win_workspace = 1, ignore_unmap = 0, saved_x = 0, saved_y = 0, old_x = 800, old_y = 452, old_width = 320, old_height = 200, fullscreen_old_x = 800, fullscreen_old_y = 452, fullscreen_old_width = 320, fullscreen_old_height = 200, 
fullscreen_old_layer = 4, previous_width = 320, previous_height = 200, ncmap = 0, blink_iterations = 0, button_status = {0, 0, 0, 0, 0, 0}, struts = {0 <repeats 12 times>}, hostname = 0x5631e47fe620 "\360\270{\344\061V", name = 0x5631e4815980 "", user_time = 0, pid = 2753, ping_time = 0, flags = 8454148, wm_flags = 39, xfwm_flags = 35583, fullscreen_monitors = {0, 0, 0, 0}, frame_extents = {0, 0, 0, 0}, dialog_pid = 0, dialog_fd = -1, icon_timeout_id = 0, frame_timeout_id = 0, blink_timeout_id = 0, ping_timeout_id = 0, opacity = 4294967295, opacity_applied = 4294967295, opacity_flags = 0, startup_id = 0x0, xsync_alarm = 0, xsync_counter = 48239517, xsync_value = {hi = 0, lo = 0}, next_xsync_value = { hi = 0, lo = 1}, xsync_timeout_id = 1680} (gdb) p *screen_info $2 = {display_info = 0x5631e4839fa0, windows_stack = 0x5631e4839fa0 = {0xffffffffffffffff, <error reading variable>
Created attachment 8509 xfwm4.txt Reading symbols from /usr/bin/xfwm4...Reading symbols from /usr/lib/debug/usr/bin/xfwm4-20190509T082824.3dfe0130-20.xfce.1.x86_64.debug...done. Core was generated by `xfwm4 --display :0.0 --sm-client-id 28dbe116f-f05f-44b5-a978-da27009218de'. Program terminated with signal SIGSEGV, Segmentation fault. #0 myDisplayGetCurrentTime (display=display@entry=0xcacacacacacacaca) at display.c:842 842 return display->current_time; [Current thread is 1 (Thread 0x7f167f9f3f00 (LWP 6332))] (gdb) bt #0 0x00005566da655f25 in myDisplayGetCurrentTime (display=display@entry=0xcacacacacacacaca) at display.c:842 #1 0x00005566da64871b in clientClose (c=0x5566dcff4560) at client.c:2639 #2 0x00005566da64b277 in clientButtonPress (c=c@entry=0x5566dcff4560, w=w@entry=12138982, event=event@entry=0x5566dd0bff00) at client.c:3914 #3 0x00005566da659198 in handleButtonPress (event=0x5566dd0bff00, display_info=0x5566dcb695f0) at events.c:974 #4 0x00005566da659198 in handleEvent (event=<optimized out>, display_info=0x5566dcb695f0) at events.c:2231 #5 0x00005566da659198 in xfwm4_event_filter (event=0x5566dd0bff00, data=0x5566dcb695f0) at events.c:2342 #6 0x00005566da656649 in eventXfwmFilter (gdk_xevent=<optimized out>, gevent=<optimized out>, data=<optimized out>) at event_filter.c:177 #7 0x00007f167d926a0f in gdk_event_apply_filters (xevent=xevent@entry=0x7ffd310c6360, event=event@entry=0x7f166c008e80, window=window@entry=0x0) at gdkeventsource.c:79 #8 0x00007f167d926e02 in gdk_event_source_translate_event (xevent=0x7ffd310c6360, event_source=0x5566dc8a7bc0) at gdkeventsource.c:198 #9 0x00007f167d926e02 in _gdk_x11_display_queue_events (display=0x5566dc8830e0 [GdkX11Display]) at gdkeventsource.c:341 #10 0x00007f167d8f0890 in gdk_display_get_event (display=display@entry=0x5566dc8830e0 [GdkX11Display]) at gdkdisplay.c:438 #11 0x00007f167d926aa2 in gdk_event_source_dispatch (source=<optimized out>, callback=<optimized out>, user_data=<optimized out>) at 
gdkeventsource.c:363 #12 0x00007f167c5bbe07 in g_main_dispatch (context=0x5566dc8a7c40) at gmain.c:3142 #13 0x00007f167c5bbe07 in g_main_context_dispatch (context=context@entry=0x5566dc8a7c40) at gmain.c:3795 #14 0x00007f167c5bc1b0 in g_main_context_iterate (context=0x5566dc8a7c40, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3868 #15 0x00007f167c5bc4c2 in g_main_loop_run (loop=0x5566dcf4f6e0) at gmain.c:4064 #16 0x00007f167ddf6515 in gtk_main () at gtkmain.c:1323 #17 0x00005566da6459c9 in main (argc=<optimized out>, argv=<optimized out>) at main.c:773
So it looks like screen_info gets corrupted in various ways (in comment#0 it points into glibc's main_arena, in the second trace display is 0xcacacacacacacaca).
Yes, it looks like the commonality is handleButtonPress / clientButtonPress — is that a recent regression? I wonder if that could be related to commit f5da3d6.
I will see if valgrind finds anything.
Regarding the regression, I do not know. I did not inspect each crash, but it happened a few times in frameDrawWin with the same symptoms as described in comment#0.
I tried running xfwm4 under valgrind in various use cases and could not spot any use-after-free that could explain such a crash.
Created attachment 8526 xfwm4.txt xfwm4-20190513T201228.3ff53a9f #0 myDisplayGetDefaultScreen (display=display@entry=0x55e43b91a0e0) at display.c:755 #1 getXServerTime (display_info=0x55e43b91a0e0) at hints.c:1325 #2 myDisplayGetTime (display=display@entry=0x55e43b91a0e0, timestamp=<optimized out>) at display.c:853 #3 clientClose (c=0x55e43bbd0280) at client.c:2653 #4 clientButtonPress (c=c@entry=0x55e43bbd0280, w=w@entry=66241163, event=event@entry=0x55e43b86a1a0) at client.c:3929 #5 handleButtonPress (event=0x55e43b86a1a0, display_info=0x55e43b46d5c0) at events.c:974 #6 handleEvent (event=<optimized out>, display_info=0x55e43b46d5c0) at events.c:2233 #7 xfwm4_event_filter (event=0x55e43b86a1a0, data=0x55e43b46d5c0) at events.c:2344 #8 eventXfwmFilter (gdk_xevent=<optimized out>, gevent=<optimized out>, data=<optimized out>) at event_filter.c:177 #9 gdk_event_apply_filters (xevent=xevent@entry=0x7ffd659e9cb0, event=event@entry=0x7f8a5c00a520, window=window@entry=0x0) at gdkeventsource.c:79 #10 gdk_event_source_translate_event (xevent=0x7ffd659e9cb0, event_source=0x55e43b1a47c0) at gdkeventsource.c:198 #11 _gdk_x11_display_queue_events (display=0x55e43b1880e0 [GdkX11Display]) at gdkeventsource.c:341 #12 gdk_display_get_event (display=display@entry=0x55e43b1880e0 [GdkX11Display]) at gdkdisplay.c:438 #13 gdk_event_source_dispatch (source=<optimized out>, callback=<optimized out>, user_data=<optimized out>) at gdkeventsource.c:363 #14 g_main_dispatch (context=0x55e43b1a4840) at gmain.c:3142 #15 g_main_context_dispatch (context=context@entry=0x55e43b1a4840) at gmain.c:3795 #16 g_main_context_iterate (context=0x55e43b1a4840, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3868 #17 g_main_loop_run (loop=0x55e43b81ab50) at gmain.c:4064 #18 gtk_main () at gtkmain.c:1323 #19 main (argc=<optimized out>, argv=<optimized out>) at main.c:773 I did not have time to arrange the session for valgrind.
Ah! Found it: this is indeed a regression caused by f5da3d6... The reproducer is trivial once you know what to look for :)
Olivier Fourdan referenced this bugreport in commit 0f34265d83207ffe3486986d269af868cef29e30 Revert "events: Fix implicit grabs" https://git.xfce.org/xfce/xfwm4/commit?id=0f34265d83207ffe3486986d269af868cef29e30
Should be fixed now.