Mir

Bug #1669177
Comment #4

Comment 4 for bug 1669177

Revision history for this message

Michał Kuchta (kuchtam) wrote on 2017-03-14:

I added additional logs to figure out what happened and here is the output:

…
mir_window_spec_set_pointer_confinement
XXXXX MirProtobufRpcChannel::call_method [sending...] method_name:modify_surface
XXXXX PendingCallCache::save_completion_details [sending...] id: 23 address: 140737219953968
XXXXX MirProtobufRpcChannel::call_method [sending...] method_name:release_surface
XXXXX PendingCallCache::save_completion_details [sending...] id: 24 address: 6416816
XXXXX PendingCallCache::populate_message_for_result [receiving...] id: 22 address: 140737219953968
XXXXX PendingCallCache::populate_message_for_result [receiving...] id: 23 address: 140737219953968
mir_window_spec_set_pointer_confinement
XXXXX MirProtobufRpcChannel::call_method [sending...] method_name:modify_surface
XXXXX PendingCallCache::save_completion_details [sending...] id: 25 address: 140737219953968
XXXXX PendingCallCache::populate_message_for_result [receiving...] id: 24 address: 6416816
XXXXX MirProtobufRpcChannel::call_method [sending...] method_name:disconnect
XXXXX PendingCallCache::save_completion_details [sending...] id: 26 address: 6417056
XXXXX PendingCallCache::populate_message_for_result [receiving...] id: 25 address: 140737219953968

From logs I see such flow of communication client-server:
       client server
    ...
   | modify_surface id:23 |
          |----------------------------->|
          | release_surface id:24 |
    |----------------------------->|
          |populate_messag(RES for id:23)|
          |<-----------------------------|
          | (release_surface with id:24 processing)
          | (Cleanup internal server's resources for surface)
          | modify_surface id:25 |
          |----------------------------->|
          |populate_messag(RES for id:24)|
          |<-----------------------------|
   | (modify_surface with id:25 processing)
          | (Server create resp with error code)
          | |
(release_surface with id:24 processing) |
(Cleanup internal client's resources for surface)
(But PendingCallCache map is not cleaned)
(PendingCallCache[25] still contains pointer to deleted structure)
          | |
          |populate_messag(RES for id:25)|
          |<-----------------------------|
  (PendingCallCache[25]->ParseFromString())
  (Client crash!)

I added additional logs to figure out what happened and here is the output:

From logs I see such flow of  communication client-server:
       client 				server
	   ...
	  |	modify_surface id:23	 |
          |----------------------------->|
          |     release_surface id:24    |
 	  |----------------------------->|
          |populate_messag(RES for id:23)|
          |<-----------------------------|
          |              (release_surface with id:24 processing)
          |            (Cleanup internal server's resources for surface)
          |	modify_surface id:25	 |
          |----------------------------->|   
          |populate_messag(RES for id:24)|
          |<-----------------------------|
	  |		  (modify_surface with id:25 processing)
          |               (Server create resp with error code)
          |                              |
 (release_surface with id:24 processing) |
 (Cleanup internal client's resources for surface)
 (But PendingCallCache map is not cleaned)
 (PendingCallCache[25] still contains pointer to deleted structure)
          |                              |
          |populate_messag(RES for id:25)|
          |<-----------------------------|
  (PendingCallCache[25]->ParseFromString())
  (Client crash!)