libweston: clear parent_view when the parent view is destroyed

When a view is destroyed then the views of subsurfaces remain until the view
list is rebuilt for the next repaint.
During that time view->parent_view contains an invalid pointer and weston will
crash when it tries to access the view.

This happens for a surface with subsurfaces with views on two different outputs
with the ivi-shell:

When the surface is destroyed then the destroy handler of the ivi-shell
(shell_handle_surface_destroy()) may be called first. It will (indirectly)
destroy the view of the main surface with weston_view_destroy().
Next the surface destroy handler of the subsurfaces
(subsurface_handle_parent_destroy()) is called. It will unmap the first view of
the subsurface. Here weston_surface_assign_output() is called which tries to
find the output of the second view and accesses the now invalid
view->parent_view in the process.

There are probably other ways to trigger similar crashes.

To avoid this, clear view->parent_view when the parent view is destroyed.

Fixes 0669d4de4f ("libweston: Skip views without a layer assignment in
      output_mask calculations")

Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
(cherry picked from commit 39796f88e6ed4a33a42c74b743e999294b3e4651)
dev
Michael Olbrich 2 years ago committed by Marius Vlad
parent 2d66d01cf5
commit 5ad870f505
  1. 1
      libweston/compositor.c

@ -1827,6 +1827,7 @@ transform_parent_handle_parent_destroy(struct wl_listener *listener,
geometry.parent_destroy_listener); geometry.parent_destroy_listener);
weston_view_set_transform_parent(view, NULL); weston_view_set_transform_parent(view, NULL);
view->parent_view = NULL;
} }
WL_EXPORT void WL_EXPORT void
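
Review bot: The added `view->parent_view = NULL;` sits in transform_parent_handle_parent_destroy(), so it only runs for views whose geometry.parent_destroy_listener is registered on the parent being destroyed. That assumes parent_view and the transform parent always refer to the same view. If any path can set parent_view without also setting the transform parent, the pointer would still dangle after this change, and the commit message itself notes that other triggers are likely. Please confirm that invariant holds, and add a short comment above the new line saying why parent_view is cleared here, so the coupling between the two fields is documented at the point where it is relied on.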
