Bug 1417996 - Firefox/Wayland: crash at subsurface_role_get_toplevel()
Summary: Firefox/Wayland: crash at subsurface_role_get_toplevel()
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: gnome-shell
Version: 25
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Owen Taylor
QA Contact: Fedora Extras Quality Assurance
URL: https://retrace.fedoraproject.org/faf...
Whiteboard: abrt_hash:8ee440234af510ad061a50806d8...
Duplicates: 1412311
Depends On:
Blocks:
Reported: 2017-01-31 14:50 UTC by Martin Stransky
Modified: 2017-06-19 12:29 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-06-19 12:29:41 UTC
Type: ---
Embargoed:


Attachments
File: backtrace (36.94 KB, text/plain), 2017-01-31 14:50 UTC, Martin Stransky
File: cgroup (240 bytes, text/plain), 2017-01-31 14:50 UTC, Martin Stransky
File: core_backtrace (4.73 KB, text/plain), 2017-01-31 14:51 UTC, Martin Stransky
File: dso_list (25.39 KB, text/plain), 2017-01-31 14:51 UTC, Martin Stransky
File: environ (1.60 KB, text/plain), 2017-01-31 14:51 UTC, Martin Stransky
File: exploitable (82 bytes, text/plain), 2017-01-31 14:51 UTC, Martin Stransky
File: limits (1.29 KB, text/plain), 2017-01-31 14:51 UTC, Martin Stransky
File: maps (167.77 KB, text/plain), 2017-01-31 14:51 UTC, Martin Stransky
File: mountinfo (3.72 KB, text/plain), 2017-01-31 14:51 UTC, Martin Stransky
File: namespaces (102 bytes, text/plain), 2017-01-31 14:51 UTC, Martin Stransky
File: open_fds (9.58 KB, text/plain), 2017-01-31 14:51 UTC, Martin Stransky
File: proc_pid_status (1.11 KB, text/plain), 2017-01-31 14:51 UTC, Martin Stransky
File: var_log_messages (986 bytes, text/plain), 2017-01-31 14:51 UTC, Martin Stransky

Description Martin Stransky 2017-01-31 14:50:51 UTC
Description of problem:
testing wayland firefox

Version-Release number of selected component:
gnome-shell-3.22.2-2.fc25

Additional info:
reporter:       libreport-2.8.0
backtrace_rating: 4
cmdline:        /usr/bin/gnome-shell
crash_function: subsurface_role_get_toplevel
executable:     /usr/bin/gnome-shell
global_pid:     12652
kernel:         4.9.6-200.fc25.x86_64
pkg_fingerprint: 4089 D8F2 FDB1 9C98
pkg_vendor:     Fedora Project
runlevel:       N 5
type:           CCpp
uid:            500

Truncated backtrace:
Thread no. 1 (10 frames)
 #0 subsurface_role_get_toplevel at wayland/meta-wayland-surface.c:608
 #1 actor_surface_commit at wayland/meta-wayland-surface.c:2012
 #2 subsurface_role_commit at wayland/meta-wayland-surface.c:593
 #3 meta_wayland_surface_role_commit at wayland/meta-wayland-surface.c:1886
 #4 apply_pending_state at wayland/meta-wayland-surface.c:798
 #5 ffi_call_unix64 at ../src/x86/unix64.S:76
 #6 ffi_call at ../src/x86/ffi64.c:525
 #7 wl_closure_invoke at src/connection.c:935
 #8 wl_client_connection_data at src/wayland-server.c:371
 #9 wl_event_loop_dispatch at src/event-loop.c:423

Comment 1 Martin Stransky 2017-01-31 14:50:57 UTC
Created attachment 1246293 [details]
File: backtrace

Comment 2 Martin Stransky 2017-01-31 14:50:58 UTC
Created attachment 1246294 [details]
File: cgroup

Comment 3 Martin Stransky 2017-01-31 14:51:00 UTC
Created attachment 1246295 [details]
File: core_backtrace

Comment 4 Martin Stransky 2017-01-31 14:51:02 UTC
Created attachment 1246296 [details]
File: dso_list

Comment 5 Martin Stransky 2017-01-31 14:51:03 UTC
Created attachment 1246297 [details]
File: environ

Comment 6 Martin Stransky 2017-01-31 14:51:04 UTC
Created attachment 1246298 [details]
File: exploitable

Comment 7 Martin Stransky 2017-01-31 14:51:06 UTC
Created attachment 1246299 [details]
File: limits

Comment 8 Martin Stransky 2017-01-31 14:51:08 UTC
Created attachment 1246300 [details]
File: maps

Comment 9 Martin Stransky 2017-01-31 14:51:10 UTC
Created attachment 1246301 [details]
File: mountinfo

Comment 10 Martin Stransky 2017-01-31 14:51:11 UTC
Created attachment 1246303 [details]
File: namespaces

Comment 11 Martin Stransky 2017-01-31 14:51:13 UTC
Created attachment 1246304 [details]
File: open_fds

Comment 12 Martin Stransky 2017-01-31 14:51:15 UTC
Created attachment 1246305 [details]
File: proc_pid_status

Comment 13 Martin Stransky 2017-01-31 14:51:16 UTC
Created attachment 1246306 [details]
File: var_log_messages

Comment 14 Martin Stransky 2017-01-31 14:57:05 UTC
It happens to me regularly when I test Firefox Wayland build.

Comment 15 Martin Stransky 2017-01-31 15:14:25 UTC
*** Bug 1412311 has been marked as a duplicate of this bug. ***

Comment 16 Martin Stransky 2017-04-13 08:37:53 UTC
Hello, can we move with this please? It's blocking our Firefox/Wayland effort. Not sure if it's a Firefox or Mutter/gnome-shell bug, but it needs to be fixed.

Reproduction steps:

1) Install Wayland Firefox from https://firefox-flatpak.mojefedora.cz/
2) Run it, try to show some popups repeatedly (menu, tooltips...)
3) Crashes whole session

Comment 17 Jonas Ådahl 2017-04-17 05:38:27 UTC
Fixed in the patch on https://bugzilla.gnome.org/show_bug.cgi?id=781391 .

The problem was that Firefox committed surface state to a surface of a subsurface which had been destroyed. Mutter did not handle that well, and the patch in the upstream bug fixes that.

Now, another issue here is that Firefox uses subsurfaces for popups. That is wrong for various reasons:

1) you won't be able to keep the popup window within the monitor region. At best, a popup menu can be kept within the parent window by managing the position itself, but this is not how popup menus usually work.

2) dismissing the popup menu will only work if it's the Firefox client itself that does it; for example opening a popup and clicking outside of the window will not dismiss the popup.

To fix 1 and 2 and get proper popup menu semantics you must use xdg_popup (currently zxdg_popup_v6) or gtk's popup API.

Just a side note; it would have been fixed faster if this issue had been reported upstream.
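
A simplified C model of the failure described in comment 17, added here as an illustration; it is not Mutter's code or the upstream patch. The struct, the function names and the parent-pointer mechanism are assumptions made for the example: a client destroys its wl_subsurface, keeps the wl_surface, and commits again.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified compositor-side surface (hypothetical, not Mutter's structs). */
struct surface {
    struct surface *parent;  /* valid only while the wl_subsurface object exists */
    int is_subsurface;       /* role assignment outlives the wl_subsurface object */
    int commits_applied;
};

/* Client destroys wl_subsurface: the parent link is dropped, but the wl_surface
 * stays alive and the client may still send wl_surface.commit on it. */
void subsurface_destroy(struct surface *s) { s->parent = NULL; }

/* Unchecked walk: assumes every subsurface still has a parent. After
 * subsurface_destroy() the second loop test dereferences NULL. */
struct surface *get_toplevel_unchecked(struct surface *s)
{
    while (s->is_subsurface)
        s = s->parent;
    return s;
}

/* Checked walk: returns NULL when the chain to the toplevel is broken. */
struct surface *get_toplevel(struct surface *s)
{
    while (s != NULL && s->is_subsurface)
        s = s->parent;
    return s;
}

/* Commit handler: returns 1 if the commit was applied against a toplevel,
 * 0 if the surface is an orphaned subsurface and the commit was ignored. */
int surface_commit(struct surface *s)
{
    if (get_toplevel(s) == NULL)
        return 0;
    s->commits_applied++;
    return 1;
}

/* Constructed request sequence: commit, destroy wl_subsurface, commit again. */
int replay_sequence(void)
{
    struct surface top = {0}, popup = { .parent = &top, .is_subsurface = 1 };
    int before = surface_commit(&popup);
    subsurface_destroy(&popup);
    return before * 10 + surface_commit(&popup);
}

int main(void) { printf("%d\n", replay_sequence()); return 0; }
```

Swapping get_toplevel_unchecked() into surface_commit() makes the second commit in replay_sequence() fault, which in a compositor takes the whole session down with it.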

Comment 18 Martin Stransky 2017-06-19 12:29:41 UTC
(In reply to Jonas Ådahl from comment #17)

Thanks Jonas, the crashes seem to be fixed now (Fedora 26, gtk3-3.22.15-2.fc26.x86_64)

> Fixed in the patch on https://bugzilla.gnome.org/show_bug.cgi?id=781391 .
> 
> The problem was that Firefox committed surface state to a surface of a
> subsurface which had been destroyed. Mutter did not handle that well, and
> the patch in the upstream bug fixes that.

Filed as Bug 1462725 for further investigation.
 
> Now, another issue here is that Firefox uses subsurfaces for popups. That
> is wrong for various reasons:
> 
> 1) you won't be able to keep the popup window within the monitor region. At
> best, a popup menu can be kept within the parent window by managing the
> position itself, but this is not how popup menus usually work.

I think we can live with that now.
 
> 2) dismissing the popup menu will only work if it's the Firefox client itself
> that does it; for example opening a popup and clicking outside of the window
> will not dismiss the popup.

That's recent popup behavior at Firefox where Firefox handles all popups by itself. It's also a reason why https://bugzilla.gnome.org/show_bug.cgi?id=783957 breaks that.

> To fix 1 and 2 and get proper popup menu semantics you must use xdg_popup
> (currently zxdg_popup_v6) or gtk's popup API.

Unfortunately xdg_popup requires an exact pop-up hierarchy, which Firefox does not follow. Using xdg_popup means that some sub-menus are now shown (see Bug 1457201) because FF creates all popups as a child of the main window.

To utilize the xdg_popups we will need to rewrite and update the FF popup code to create a popup hierarchy, or at least detect which popups should map together, which is not so easy AFAIK.

I think we can close it now as the crashes are fixed.

