aboutsummaryrefslogtreecommitdiff
path: root/backend
diff options
context:
space:
mode:
authorSimon Ser <contact@emersion.fr>2021-07-08 13:39:33 +0200
committerSimon Zeni <simon@bl4ckb0ne.ca>2021-07-08 10:08:47 -0400
commite035f2b9c42b39e3eff37d0fe98bfa6422877d7a (patch)
tree659e6433536a86e861d8cf8e86a9bdc2f575280d /backend
parentb934fbaf046126705b96e5253551ccab64a72320 (diff)
Fix invalid uses of wl_array_for_each
[1] and [2] have introduced new wl_array usage in wlroots, but contains a mistake: wl_array_for_each iterates over pointers to the wl_array entries, not over entries themselves. Fix all wl_array_for_each call sites. Name the variables "ptr" to avoid confusion. Found via ASan: ==148752==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x602000214111 in thread T0 #0 0x7f6ff2235f19 in __interceptor_free /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:127 #1 0x7f6ff1c04004 in wlr_tablet_destroy ../subprojects/wlroots/types/wlr_tablet_tool.c:24 #2 0x7f6ff1b8463c in wlr_input_device_destroy ../subprojects/wlroots/types/wlr_input_device.c:51 #3 0x7f6ff1ab9941 in backend_destroy ../subprojects/wlroots/backend/wayland/backend.c:306 #4 0x7f6ff1a68323 in wlr_backend_destroy ../subprojects/wlroots/backend/backend.c:57 #5 0x7f6ff1ab36b4 in multi_backend_destroy ../subprojects/wlroots/backend/multi/backend.c:57 #6 0x7f6ff1ab417c in handle_display_destroy ../subprojects/wlroots/backend/multi/backend.c:124 #7 0x7f6ff106184e in wl_display_destroy (/usr/lib/libwayland-server.so.0+0x884e) #8 0x55cd1a77c9e5 in server_fini ../sway/server.c:218 #9 0x55cd1a77893f in main ../sway/main.c:400 #10 0x7f6ff04bdb24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24) #11 0x55cd1a73a7ad in _start (/home/simon/src/sway/build/sway/sway+0x33a7ad) 0x602000214111 is located 1 bytes inside of 16-byte region [0x602000214110,0x602000214120) freed by thread T0 here: #0 0x7f6ff2235f19 in __interceptor_free /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:127 #1 0x7f6ff1c04004 in wlr_tablet_destroy ../subprojects/wlroots/types/wlr_tablet_tool.c:24 #2 0x7f6ff1b8463c in wlr_input_device_destroy ../subprojects/wlroots/types/wlr_input_device.c:51 #3 0x7f6ff1ab9941 in backend_destroy ../subprojects/wlroots/backend/wayland/backend.c:306 #4 0x7f6ff1a68323 in wlr_backend_destroy ../subprojects/wlroots/backend/backend.c:57 #5 0x7f6ff1ab36b4 in multi_backend_destroy ../subprojects/wlroots/backend/multi/backend.c:57 #6 0x7f6ff1ab417c in handle_display_destroy ../subprojects/wlroots/backend/multi/backend.c:124 #7 0x7f6ff106184e in wl_display_destroy (/usr/lib/libwayland-server.so.0+0x884e) previously allocated by thread T0 here: #0 0x7f6ff2236279 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145 #1 0x7f6ff1066d03 in wl_array_add (/usr/lib/libwayland-server.so.0+0xdd03) [1]: https://github.com/swaywm/wlroots/pull/3002 [2]: https://github.com/swaywm/wlroots/pull/3004
Diffstat (limited to 'backend')
-rw-r--r--backend/libinput/backend.c8
-rw-r--r--backend/libinput/events.c5
-rw-r--r--backend/libinput/tablet_tool.c11
3 files changed, 13 insertions, 11 deletions
diff --git a/backend/libinput/backend.c b/backend/libinput/backend.c
index a9595df2..c7bde4a9 100644
--- a/backend/libinput/backend.c
+++ b/backend/libinput/backend.c
@@ -141,13 +141,13 @@ static void backend_destroy(struct wlr_backend *wlr_backend) {
struct wlr_libinput_backend *backend =
get_libinput_backend_from_backend(wlr_backend);
- struct wl_list *wlr_devices;
- wl_array_for_each(wlr_devices, &backend->wlr_device_lists) {
+ struct wl_list **wlr_devices_ptr;
+ wl_array_for_each(wlr_devices_ptr, &backend->wlr_device_lists) {
struct wlr_input_device *wlr_dev, *next;
- wl_list_for_each_safe(wlr_dev, next, wlr_devices, link) {
+ wl_list_for_each_safe(wlr_dev, next, *wlr_devices_ptr, link) {
wlr_input_device_destroy(wlr_dev);
}
- free(wlr_devices);
+ free(*wlr_devices_ptr);
}
wlr_backend_finish(wlr_backend);
diff --git a/backend/libinput/events.c b/backend/libinput/events.c
index 1fc8cc09..f149b2f1 100644
--- a/backend/libinput/events.c
+++ b/backend/libinput/events.c
@@ -220,8 +220,9 @@ static void handle_device_removed(struct wlr_libinput_backend *backend,
wlr_input_device_destroy(dev);
}
size_t i = 0;
- struct wl_list *iter;
- wl_array_for_each(iter, &backend->wlr_device_lists) {
+ struct wl_list **ptr;
+ wl_array_for_each(ptr, &backend->wlr_device_lists) {
+ struct wl_list *iter = *ptr;
if (iter == wlr_devices) {
array_remove_at(&backend->wlr_device_lists,
i * sizeof(struct wl_list *), sizeof(struct wl_list *));
diff --git a/backend/libinput/tablet_tool.c b/backend/libinput/tablet_tool.c
index 8b143e7f..b0427e5f 100644
--- a/backend/libinput/tablet_tool.c
+++ b/backend/libinput/tablet_tool.c
@@ -48,8 +48,9 @@ static void destroy_tablet(struct wlr_tablet *wlr_tablet) {
struct wlr_libinput_tablet *tablet =
wl_container_of(wlr_tablet, tablet, wlr_tablet);
- struct wlr_libinput_tablet_tool *tool;
- wl_array_for_each(tool, &tablet->tools) {
+ struct wlr_libinput_tablet_tool **tool_ptr;
+ wl_array_for_each(tool_ptr, &tablet->tools) {
+ struct wlr_libinput_tablet_tool *tool = *tool_ptr;
if (--tool->pad_refs == 0) {
destroy_tool(tool);
}
@@ -151,9 +152,9 @@ static void ensure_tool_reference(struct wlr_libinput_tablet_tool *tool,
struct wlr_libinput_tablet *tablet =
wl_container_of(wlr_dev, tablet, wlr_tablet);
- struct wlr_libinput_tablet_tool *iter;
- wl_array_for_each(iter, &tablet->tools) {
- if (iter == tool) { // We already have a ref
+ struct wlr_libinput_tablet_tool **tool_ptr;
+ wl_array_for_each(tool_ptr, &tablet->tools) {
+ if (*tool_ptr == tool) { // We already have a ref
// XXX: We *could* optimize the tool to the front of
// the list here, since we will probably get the next
// couple of events from the same tool.