Sway crashes when the window is closed while IME is active

[eternal-sorrow]

Please read the following before submitting:

• Please do NOT submit bug reports for questions. Ask questions on IRC at #sway on Libera Chat.
• Proprietary graphics drivers, including nvidia, are not supported. Please use the open source equivalents, such as nouveau, if you would like to use Sway.
• Please do NOT submit issues for information from the github wiki. The github wiki is community maintained and therefore may contain outdated information, scripts that don't work or obsolete workarounds.
  If you fix a script or find outdated information, don't hesitate to adjust the wiki page.

Please fill out the following:

• Sway Version:

  • sway version 1.10

• Debug Log:

sway.log

• Configuration File:
• Minimal config that I use to reproduce the issue:

bindsym Mod1+F4 kill
bindsym --locked Mod4+Shift+j exec --no-startup-id systemd-cat -t anthywl "$HOME/.local/bin/anthywl.sh"
bindsym Mod4+x exec gedit
exec gedit

• Stack Trace:
  • Stack trace is slightly different every time, but here is one that I got when I reproduced the issue with minimal config. I'll add some more in the comments, but no debug log for them.

#0  0x00007fa3f8539851 in wlr_scene_node_coords (node=0x91, lx_ptr=lx_ptr@entry=0x7ffd3ed431d0, ly_ptr=ly_ptr@entry=0x7ffd3ed431d4) at ../wlroots-0.18.2/types/scene/wlr_scene.c:1101
#1  0x000055a6ba24f233 in arrange_popups (popups=0x55a6d8b4f0d0) at ../sway-1.10/sway/desktop/transaction.c:617
#2  0x000055a6ba24f64c in arrange_root (root=0x55a6d8b4e8b0) at ../sway-1.10/sway/desktop/transaction.c:687
#3  transaction_progress () at ../sway-1.10/sway/desktop/transaction.c:741
#4  0x000055a6ba24fed7 in transaction_commit_pending () at ../sway-1.10/sway/desktop/transaction.c:861
#5  0x000055a6ba25030a in _transaction_commit_dirty (server_request=server_request@entry=true) at ../sway-1.10/sway/desktop/transaction.c:937
#6  0x000055a6ba25043c in transaction_commit_dirty () at ../sway-1.10/sway/desktop/transaction.c:941
#7  0x000055a6ba27f6b5 in view_unmap (view=view@entry=0x55a6d9f15080) at ../sway-1.10/sway/tree/view.c:923
#8  0x000055a6ba2508bb in handle_unmap (listener=0x55a6d9f15290, data=<optimized out>) at ../sway-1.10/sway/desktop/xdg_shell.c:449
#9  0x00007fa3f85ea38e in wl_signal_emit_mutable (signal=signal@entry=0x55a6d9f37858, data=data@entry=0x0) at ../wayland-1.23.1/src/wayland-server.c:2314
#10 0x00007fa3f8548442 in wlr_surface_unmap (surface=0x55a6d9f37560) at ../wlroots-0.18.2/types/wlr_compositor.c:839
#11 0x00007fa3f85466b6 in destroy_xdg_toplevel (toplevel=0x55a6d9f35780) at ../wlroots-0.18.2/types/xdg_shell/wlr_xdg_toplevel.c:533
#12 0x00007fa3f8544b55 in destroy_xdg_surface_role_object (surface=surface@entry=0x55a6d9e6fc90) at ../wlroots-0.18.2/types/xdg_shell/wlr_xdg_surface.c:457
#13 0x00007fa3f8544b7c in xdg_surface_handle_role_resource_destroy (listener=0x55a6d9e6fdb8, data=<optimized out>) at ../wlroots-0.18.2/types/xdg_shell/wlr_xdg_surface.c:474
#14 0x00007fa3f85eab9f in wl_priv_signal_final_emit (signal=signal@entry=0x55a6d9f6ef80, data=data@entry=0x55a6d9f6ef20) at ../wayland-1.23.1/src/wayland-server.c:2478
#15 0x00007fa3f85eac70 in remove_and_destroy_resource (element=element@entry=0x55a6d9f6ef20, data=data@entry=0x0, flags=0) at ../wayland-1.23.1/src/wayland-server.c:754
#16 0x00007fa3f85eacb1 in wl_resource_destroy (resource=0x55a6d9f6ef20) at ../wayland-1.23.1/src/wayland-server.c:782
#17 0x00007fa3f8545a3a in xdg_toplevel_handle_destroy (client=<optimized out>, resource=<optimized out>) at ../wlroots-0.18.2/types/xdg_shell/wlr_xdg_toplevel.c:426
#18 0x00007fa3f7c91336 in ffi_call_unix64 () at /tmp/portage/dev-libs/libffi-3.4.6-r2/work/libffi-3.4.6/src/x86/unix64.S:104
#19 0x00007fa3f7c90940 in ffi_call_int (cif=cif@entry=0x7ffd3ed43630, fn=fn@entry=0x7fa3f8545a2a <xdg_toplevel_handle_destroy>, rvalue=<optimized out>, rvalue@entry=0x0, avalue=avalue@entry=0x7ffd3ed43700, closure=closure@entry=0x0)
    at /tmp/portage/dev-libs/libffi-3.4.6-r2/work/libffi-3.4.6/src/x86/ffi64.c:676
#20 0x00007fa3f7c90ea4 in ffi_call (cif=cif@entry=0x7ffd3ed43630, fn=<optimized out>, rvalue=rvalue@entry=0x0, avalue=avalue@entry=0x7ffd3ed43700) at /tmp/portage/dev-libs/libffi-3.4.6-r2/work/libffi-3.4.6/src/x86/ffi64.c:713
#21 0x00007fa3f85ee6c9 in wl_closure_invoke (closure=0x55a6d9e66da0, flags=<optimized out>, target=<optimized out>, opcode=0, data=<optimized out>) at ../wayland-1.23.1/src/connection.c:1228
#22 0x00007fa3f85eb00c in wl_client_connection_data (fd=<optimized out>, mask=<optimized out>, data=0x55a6d9f00920) at ../wayland-1.23.1/src/wayland-server.c:444
#23 0x00007fa3f85ebefd in wl_event_source_fd_dispatch (source=<optimized out>, ep=<optimized out>) at ../wayland-1.23.1/src/event-loop.c:113
#24 0x00007fa3f85ecd7f in wl_event_loop_dispatch (loop=0x55a6d8b4e7b0, timeout=<optimized out>, timeout@entry=-1) at ../wayland-1.23.1/src/event-loop.c:1105
#25 0x00007fa3f85eb1e4 in wl_display_run (display=0x55a6d8b4e6c0) at ../wayland-1.23.1/src/wayland-server.c:1530
#26 0x000055a6ba24b185 in server_run (server=server@entry=0x55a6ba2ad4e0 <server>) at ../sway-1.10/sway/server.c:501
#27 0x000055a6ba249fc3 in main (argc=<optimized out>, argv=0x7ffd3ed43c58) at ../sway-1.10/sway/main.c:373

• Description:
  Steps to reproduce:

1. Open any window wit an input area. I used Gedit to reproduce, but I had crashes with Firefox too.
2. Start an IME. I use anthywl.
3. Input something.
4. Close the window with a keyboard shortcut. Gedit shows the dialogue "save or not", I click "no save" and then get sway crash.

[eternal-sorrow]

I also got this Stack trace with Gedit:

#0  0x00007feb2c9df5a3 in scene_node_get_root (node=node@entry=0x5578fdcc7810) at ../wlroots-0.18.2/types/scene/wlr_scene.c:51
#1  0x00007feb2c9e0ac9 in wlr_scene_node_destroy (node=0x5578fdcc7810) at ../wlroots-0.18.2/types/scene/wlr_scene.c:102
#2  0x00005578f3a86011 in input_popup_set_focus (popup=popup@entry=0x5578fdc553e0, surface=0x5578fdc44f80) at ../sway-1.10/sway/input/text_input.c:376
#3  0x00005578f3a861ef in relay_send_im_state (relay=relay@entry=0x5578fd620720, input=<optimized out>) at ../sway-1.10/sway/input/text_input.c:238
#4  0x00005578f3a86217 in relay_disable_text_input (relay=relay@entry=0x5578fd620720, text_input=text_input@entry=0x5578fdc4e7b0) at ../sway-1.10/sway/input/text_input.c:281
#5  0x00005578f3a86b63 in sway_input_method_relay_set_focus (relay=relay@entry=0x5578fd620720, surface=0x5578fdc00f90) at ../sway-1.10/sway/input/text_input.c:608
#6  0x00005578f3a7f24c in seat_send_focus (node=node@entry=0x5578fdc0a410, seat=seat@entry=0x5578fd620690) at ../sway-1.10/sway/input/seat.c:202
#7  0x00005578f3a7f98d in seat_set_workspace_focus (seat=0x5578fd620690, node=<optimized out>) at ../sway-1.10/sway/input/seat.c:1202
#8  0x00005578f3a7fb08 in seat_set_focus (seat=seat@entry=0x5578fd620690, node=node@entry=0x5578fdc0a410) at ../sway-1.10/sway/input/seat.c:1277
#9  0x00005578f3a802b2 in handle_seat_node_destroy (listener=<optimized out>, data=<optimized out>) at ../sway-1.10/sway/input/seat.c:314
#10 0x00007feb2ca9038e in wl_signal_emit_mutable (signal=signal@entry=0x5578fdc25340, data=data@entry=0x5578fdc25310) at ../wayland-1.23.1/src/wayland-server.c:2314
#11 0x00005578f3aa2f0e in container_begin_destroy (con=0x5578fdc25310) at ../sway-1.10/sway/tree/container.c:535
#12 0x00005578f3aa6672 in view_unmap (view=view@entry=0x5578fdbd17b0) at ../sway-1.10/sway/tree/view.c:895
#13 0x00005578f3a778bb in handle_unmap (listener=0x5578fdbd19c0, data=<optimized out>) at ../sway-1.10/sway/desktop/xdg_shell.c:449
#14 0x00007feb2ca9038e in wl_signal_emit_mutable (signal=signal@entry=0x5578fdc45278, data=data@entry=0x0) at ../wayland-1.23.1/src/wayland-server.c:2314
#15 0x00007feb2c9ee442 in wlr_surface_unmap (surface=0x5578fdc44f80) at ../wlroots-0.18.2/types/wlr_compositor.c:839
#16 0x00007feb2c9ec6b6 in destroy_xdg_toplevel (toplevel=0x5578fdc54d60) at ../wlroots-0.18.2/types/xdg_shell/wlr_xdg_toplevel.c:533
#17 0x00007feb2c9eab55 in destroy_xdg_surface_role_object (surface=surface@entry=0x5578fdbd11b0) at ../wlroots-0.18.2/types/xdg_shell/wlr_xdg_surface.c:457
#18 0x00007feb2c9eab7c in xdg_surface_handle_role_resource_destroy (listener=0x5578fdbd12d8, data=<optimized out>) at ../wlroots-0.18.2/types/xdg_shell/wlr_xdg_surface.c:474
#19 0x00007feb2ca90b9f in wl_priv_signal_final_emit (signal=signal@entry=0x5578fdc54f70, data=data@entry=0x5578fdc54f10) at ../wayland-1.23.1/src/wayland-server.c:2478
#20 0x00007feb2ca90c70 in remove_and_destroy_resource (element=element@entry=0x5578fdc54f10, data=data@entry=0x0, flags=0) at ../wayland-1.23.1/src/wayland-server.c:754
#21 0x00007feb2ca90cb1 in wl_resource_destroy (resource=0x5578fdc54f10) at ../wayland-1.23.1/src/wayland-server.c:782
#22 0x00007feb2c9eba3a in xdg_toplevel_handle_destroy (client=<optimized out>, resource=<optimized out>) at ../wlroots-0.18.2/types/xdg_shell/wlr_xdg_toplevel.c:426
#23 0x00007feb2c137336 in ffi_call_unix64 () at /tmp/portage/dev-libs/libffi-3.4.6-r2/work/libffi-3.4.6/src/x86/unix64.S:104
#24 0x00007feb2c136940 in ffi_call_int (cif=cif@entry=0x7ffc81c3f2e0, fn=fn@entry=0x7feb2c9eba2a <xdg_toplevel_handle_destroy>, rvalue=<optimized out>, rvalue@entry=0x0, avalue=avalue@entry=0x7ffc81c3f3b0, closure=closure@entry=0x0)
    at /tmp/portage/dev-libs/libffi-3.4.6-r2/work/libffi-3.4.6/src/x86/ffi64.c:676
#25 0x00007feb2c136ea4 in ffi_call (cif=cif@entry=0x7ffc81c3f2e0, fn=<optimized out>, rvalue=rvalue@entry=0x0, avalue=avalue@entry=0x7ffc81c3f3b0) at /tmp/portage/dev-libs/libffi-3.4.6-r2/work/libffi-3.4.6/src/x86/ffi64.c:713
#26 0x00007feb2ca946c9 in wl_closure_invoke (closure=0x5578fdc94e00, flags=<optimized out>, target=<optimized out>, opcode=0, data=<optimized out>) at ../wayland-1.23.1/src/connection.c:1228
#27 0x00007feb2ca9100c in wl_client_connection_data (fd=<optimized out>, mask=<optimized out>, data=0x5578fdc46500) at ../wayland-1.23.1/src/wayland-server.c:444
#28 0x00007feb2ca91efd in wl_event_source_fd_dispatch (source=<optimized out>, ep=<optimized out>) at ../wayland-1.23.1/src/event-loop.c:113
#29 0x00007feb2ca92d7f in wl_event_loop_dispatch (loop=0x5578fc820790, timeout=<optimized out>, timeout@entry=-1) at ../wayland-1.23.1/src/event-loop.c:1105
#30 0x00007feb2ca911e4 in wl_display_run (display=0x5578fc8206a0) at ../wayland-1.23.1/src/wayland-server.c:1530
#31 0x00005578f3a72185 in server_run (server=server@entry=0x5578f3ad44e0 <server>) at ../sway-1.10/sway/server.c:501
#32 0x00005578f3a70fc3 in main (argc=<optimized out>, argv=0x7ffc81c3f908) at ../sway-1.10/sway/main.c:373

[eternal-sorrow]

And this one with Firefox:

#0  0x00007f251cb0d5a3 in scene_node_get_root (node=node@entry=0x561f7068b4b0) at ../wlroots-0.18.2/types/scene/wlr_scene.c:51
#1  0x00007f251cb0eac9 in wlr_scene_node_destroy (node=0x561f7068b4b0) at ../wlroots-0.18.2/types/scene/wlr_scene.c:102
#2  0x0000561f5b59d011 in input_popup_set_focus (popup=popup@entry=0x561f70609880, surface=0x561f704ec9d0) at ../sway-1.10/sway/input/text_input.c:376
#3  0x0000561f5b59d1ef in relay_send_im_state (relay=0x561f6fef4680, input=<optimized out>) at ../sway-1.10/sway/input/text_input.c:238
#4  0x0000561f5b59d458 in handle_text_input_enable (listener=0x561f704af9f0, data=<optimized out>) at ../sway-1.10/sway/input/text_input.c:255
#5  0x00007f251cbbe38e in wl_signal_emit_mutable (signal=signal@entry=0x561f704af968, data=data@entry=0x561f704af8a0) at ../wayland-1.23.1/src/wayland-server.c:2314
#6  0x00007f251cb36ca0 in text_input_commit (client=<optimized out>, resource=<optimized out>) at ../wlroots-0.18.2/types/wlr_text_input_v3.c:189
#7  0x00007f251c265336 in ffi_call_unix64 () at /tmp/portage/dev-libs/libffi-3.4.6-r2/work/libffi-3.4.6/src/x86/unix64.S:104
#8  0x00007f251c264940 in ffi_call_int (cif=cif@entry=0x7ffcada76730, fn=fn@entry=0x7f251cb36bd3 <text_input_commit>, rvalue=<optimized out>, rvalue@entry=0x0, avalue=avalue@entry=0x7ffcada76800, closure=closure@entry=0x0)
    at /tmp/portage/dev-libs/libffi-3.4.6-r2/work/libffi-3.4.6/src/x86/ffi64.c:676
#9  0x00007f251c264ea4 in ffi_call (cif=cif@entry=0x7ffcada76730, fn=<optimized out>, rvalue=rvalue@entry=0x0, avalue=avalue@entry=0x7ffcada76800) at /tmp/portage/dev-libs/libffi-3.4.6-r2/work/libffi-3.4.6/src/x86/ffi64.c:713
#10 0x00007f251cbc26c9 in wl_closure_invoke (closure=0x561f705cc960, flags=<optimized out>, target=<optimized out>, opcode=7, data=<optimized out>) at ../wayland-1.23.1/src/connection.c:1228
#11 0x00007f251cbbf00c in wl_client_connection_data (fd=<optimized out>, mask=<optimized out>, data=0x561f70007f80) at ../wayland-1.23.1/src/wayland-server.c:444
#12 0x00007f251cbbfefd in wl_event_source_fd_dispatch (source=<optimized out>, ep=<optimized out>) at ../wayland-1.23.1/src/event-loop.c:113
#13 0x00007f251cbc0d7f in wl_event_loop_dispatch (loop=0x561f6f0f5790, timeout=<optimized out>, timeout@entry=-1) at ../wayland-1.23.1/src/event-loop.c:1105
#14 0x00007f251cbbf1e4 in wl_display_run (display=0x561f6f0f56a0) at ../wayland-1.23.1/src/wayland-server.c:1530
#15 0x0000561f5b589185 in server_run (server=server@entry=0x561f5b5eb4e0 <server>) at ../sway-1.10/sway/server.c:501
#16 0x0000561f5b587fc3 in main (argc=<optimized out>, argv=0x7ffcada76d58) at ../sway-1.10/sway/main.c:373

[eternal-sorrow]

Also, I'm not sure if this is related or not, but It is related to IME popups definitely. This one happened when my session got locked while IME was active. When I tried to unlock, I pressed a key on my keyboard and got crash.

#0  constrain_popup (popup=0x556806b957c0) at ../sway-1.10/sway/input/text_input.c:159
#1  0x00005567f08be42c in handle_im_popup_surface_commit (listener=<optimized out>, data=<optimized out>) at ../sway-1.10/sway/input/text_input.c:468
#2  0x00007f256f99b38e in wl_signal_emit_mutable (signal=signal@entry=0x556806c44458, data=data@entry=0x556806c44180) at ../wayland-1.23.1/src/wayland-server.c:2314
#3  0x00007f256f8facbe in surface_commit_state (surface=surface@entry=0x556806c44180, next=next@entry=0x556806c44300) at ../wlroots-0.18.2/types/wlr_compositor.c:560
#4  0x00007f256f8fb284 in surface_handle_commit (client=<optimized out>, resource=<optimized out>) at ../wlroots-0.18.2/types/wlr_compositor.c:591
#5  0x00007f256f042336 in ffi_call_unix64 () at /tmp/portage/dev-libs/libffi-3.4.6-r2/work/libffi-3.4.6/src/x86/unix64.S:104
#6  0x00007f256f041940 in ffi_call_int (cif=cif@entry=0x7ffc7b50f260, fn=fn@entry=0x7f256f8faed3 <surface_handle_commit>, rvalue=<optimized out>, rvalue@entry=0x0, avalue=avalue@entry=0x7ffc7b50f330, closure=closure@entry=0x0)
    at /tmp/portage/dev-libs/libffi-3.4.6-r2/work/libffi-3.4.6/src/x86/ffi64.c:676
#7  0x00007f256f041ea4 in ffi_call (cif=cif@entry=0x7ffc7b50f260, fn=<optimized out>, rvalue=rvalue@entry=0x0, avalue=avalue@entry=0x7ffc7b50f330) at /tmp/portage/dev-libs/libffi-3.4.6-r2/work/libffi-3.4.6/src/x86/ffi64.c:713
#8  0x00007f256f99f6c9 in wl_closure_invoke (closure=0x556806b48a60, flags=<optimized out>, target=<optimized out>, opcode=6, data=<optimized out>) at ../wayland-1.23.1/src/connection.c:1228
#9  0x00007f256f99c00c in wl_client_connection_data (fd=<optimized out>, mask=<optimized out>, data=0x556806bf8140) at ../wayland-1.23.1/src/wayland-server.c:444
#10 0x00007f256f99cefd in wl_event_source_fd_dispatch (source=<optimized out>, ep=<optimized out>) at ../wayland-1.23.1/src/event-loop.c:113
#11 0x00007f256f99dd7f in wl_event_loop_dispatch (loop=0x55680567c790, timeout=<optimized out>, timeout@entry=-1) at ../wayland-1.23.1/src/event-loop.c:1105
#12 0x00007f256f99c1e4 in wl_display_run (display=0x55680567c6a0) at ../wayland-1.23.1/src/wayland-server.c:1530
#13 0x00005567f08aa185 in server_run (server=server@entry=0x5567f090c4e0 <server>) at ../sway-1.10/sway/server.c:501
#14 0x00005567f08a8fc3 in main (argc=<optimized out>, argv=0x7ffc7b50f888) at ../sway-1.10/sway/main.c:373

[layercak3]

I'm pretty sure I've been having occasional crashes like in OP/comment 1/comment 2 for a while but I don't have the coredumps anymore to check.

I now found something that's easy (for me) to consistently crash on master, with fcitx5:

1. start chromium with --disable-gtk-ime --enable-wayland-ime --wayland-text-input-version=3 in tiled mode.
2. on the address bar, switch to IM which will keyboard grab when you type (if you don't have one installed, press Ctrl+Alt+Shift+U which performs search by unicode description). Type some keys in the popup window.
3. press keybinding that switches chromium into floating mode (floating toggle)
4. press keybinding for kill

It's annoying to debug since I cannot reproduce it in a headless/wayland backend sandbox, only on a spare laptop or my actual desktop session which I don't want to crash with right now.
I did run sway with valgrind once on the laptop and the first invalid access was:

log

==9832== Invalid read of size 8
==9832==    at 0x4EE8069: wl_list_insert (wayland-util.c:47)
==9832==    by 0x4EE843F: wl_signal_emit_mutable (wayland-server.c:2302)
==9832==    by 0x4F5FFEF: UnknownInlinedFun (wlr_scene.c:105)
==9832==    by 0x4F5FFEF: wlr_scene_node_destroy (wlr_scene.c:97)
==9832==    by 0x13C4BF: input_popup_set_focus (text_input.c:376)
==9832==    by 0x13C6DF: relay_send_im_state (text_input.c:238)
==9832==    by 0x4EE847D: wl_signal_emit_mutable (wayland-server.c:2314)
==9832==    by 0x58F9595: ffi_call_unix64 (unix64.S:104)
==9832==    by 0x58F600D: ffi_call_int.lto_priv.0 (ffi64.c:673)
==9832==    by 0x58F8BD2: ffi_call (ffi64.c:710)
==9832==    by 0x4EE6E84: wl_closure_invoke.constprop.0 (connection.c:1228)
==9832==    by 0x4EEBD21: wl_client_connection_data (wayland-server.c:444)
==9832==    by 0x4EEA111: wl_event_loop_dispatch (event-loop.c:1105)
==9832==  Address 0x7912868 is 56 bytes inside a block of size 128 free'd
==9832==    at 0x48478EF: free (vg_replace_malloc.c:989)
==9832==    by 0x4F600C4: UnknownInlinedFun (wlr_scene.c:155)
==9832==    by 0x4F600C4: wlr_scene_node_destroy (wlr_scene.c:97)
==9832==    by 0x167580: UnknownInlinedFun (view.c:83)
==9832==    by 0x167580: view_destroy (view.c:66)
==9832==    by 0x4EE847D: wl_signal_emit_mutable (wayland-server.c:2314)
==9832==    by 0x4F6C1A2: UnknownInlinedFun (wlr_xdg_toplevel.c:526)
==9832==    by 0x4F6C1A2: destroy_xdg_surface_role_object (wlr_xdg_surface.c:489)
==9832==    by 0x4F6C43B: xdg_surface_handle_role_resource_destroy (wlr_xdg_surface.c:506)
==9832==    by 0x4EEAB9F: UnknownInlinedFun (wayland-server.c:2478)
==9832==    by 0x4EEAB9F: remove_and_destroy_resource (wayland-server.c:754)
==9832==    by 0x58F9595: ffi_call_unix64 (unix64.S:104)
==9832==    by 0x58F600D: ffi_call_int.lto_priv.0 (ffi64.c:673)
==9832==    by 0x58F8BD2: ffi_call (ffi64.c:710)
==9832==    by 0x4EE6E84: wl_closure_invoke.constprop.0 (connection.c:1228)
==9832==    by 0x4EEBD21: wl_client_connection_data (wayland-server.c:444)
==9832==  Block was alloc'd at
==9832==    at 0x484BC13: calloc (vg_replace_malloc.c:1675)
==9832==    by 0x4F5D2C2: wlr_scene_tree_create (wlr_scene.c:204)
==9832==    by 0x13C52F: input_popup_set_focus (text_input.c:414)
==9832==    by 0x13C6DF: relay_send_im_state (text_input.c:238)
==9832==    by 0x13FC2C: UnknownInlinedFun (text_input.c:281)
==9832==    by 0x13FC2C: sway_input_method_relay_set_focus (text_input.c:608)
==9832==    by 0x1744DC: seat_send_focus.part.0.isra.0 (seat.c:202)
==9832==    by 0x1340CF: UnknownInlinedFun (seat.c:1222)
==9832==    by 0x1340CF: seat_set_workspace_focus (seat.c:1198)
==9832==    by 0x13449F: seat_set_focus (seat.c:1271)
==9832==    by 0x4EE847D: wl_signal_emit_mutable (wayland-server.c:2314)
==9832==    by 0x163F2E: container_begin_destroy (container.c:537)
==9832==    by 0x16A305: view_unmap (view.c:924)
==9832==    by 0x12861B: handle_unmap.lto_priv.1 (xdg_shell.c:448)

After around 20 more invalid accesses near the same location it segfaults.

[eternal-sorrow]

Reproduced in 1.10.1:

#0  0x00007ff238d93851 in wlr_scene_node_coords (node=0x91, lx_ptr=lx_ptr@entry=0x7ffcab0022b0, ly_ptr=ly_ptr@entry=0x7ffcab0022b4) at ../wlroots-0.18.2/types/scene/wlr_scene.c:1101
#1  0x0000564ab18f93b3 in arrange_popups (popups=0x564ac74400b0) at ../sway-1.10.1/sway/desktop/transaction.c:618
#2  0x0000564ab18f6dd9 in arrange_layers (output=0x564ac853d4e0) at ../sway-1.10.1/sway/desktop/layer_shell.c:100
#3  0x0000564ab18f7162 in handle_surface_commit (listener=0x564ac83468d0, data=<optimized out>) at ../sway-1.10.1/sway/desktop/layer_shell.c:286
#4  0x00007ff238e4438e in wl_signal_emit_mutable (signal=signal@entry=0x564ac884aef8, data=data@entry=0x564ac884ac20) at ../wayland-1.23.1/src/wayland-server.c:2314
#5  0x00007ff238da3cbe in surface_commit_state (surface=surface@entry=0x564ac884ac20, next=next@entry=0x564ac884ada0) at ../wlroots-0.18.2/types/wlr_compositor.c:560
#6  0x00007ff238da4284 in surface_handle_commit (client=<optimized out>, resource=<optimized out>) at ../wlroots-0.18.2/types/wlr_compositor.c:591
#7  0x00007ff2384eb336 in ffi_call_unix64 () at /tmp/portage/dev-libs/libffi-3.4.6-r2/work/libffi-3.4.6/src/x86/unix64.S:104
#8  0x00007ff2384ea940 in ffi_call_int (cif=cif@entry=0x7ffcab002630, fn=fn@entry=0x7ff238da3ed3 <surface_handle_commit>, rvalue=<optimized out>, rvalue@entry=0x0, avalue=avalue@entry=0x7ffcab002700, closure=closure@entry=0x0)
    at /tmp/portage/dev-libs/libffi-3.4.6-r2/work/libffi-3.4.6/src/x86/ffi64.c:676
#9  0x00007ff2384eaea4 in ffi_call (cif=cif@entry=0x7ffcab002630, fn=<optimized out>, rvalue=rvalue@entry=0x0, avalue=avalue@entry=0x7ffcab002700) at /tmp/portage/dev-libs/libffi-3.4.6-r2/work/libffi-3.4.6/src/x86/ffi64.c:713
#10 0x00007ff238e486c9 in wl_closure_invoke (closure=0x564ac87771f0, flags=<optimized out>, target=<optimized out>, opcode=6, data=<optimized out>) at ../wayland-1.23.1/src/connection.c:1228
#11 0x00007ff238e4500c in wl_client_connection_data (fd=<optimized out>, mask=<optimized out>, data=0x564ac8897660) at ../wayland-1.23.1/src/wayland-server.c:444
#12 0x00007ff238e45efd in wl_event_source_fd_dispatch (source=<optimized out>, ep=<optimized out>) at ../wayland-1.23.1/src/event-loop.c:113
#13 0x00007ff238e46d7f in wl_event_loop_dispatch (loop=0x564ac743f790, timeout=<optimized out>, timeout@entry=-1) at ../wayland-1.23.1/src/event-loop.c:1105
#14 0x00007ff238e451e4 in wl_display_run (display=0x564ac743f6a0) at ../wayland-1.23.1/src/wayland-server.c:1530
#15 0x0000564ab18f51c5 in server_run (server=server@entry=0x564ab19574c0 <server>) at ../sway-1.10.1/sway/server.c:501
#16 0x0000564ab18f4008 in main (argc=<optimized out>, argv=0x7ffcab002c58) at ../sway-1.10.1/sway/main.c:374

[layercak3]

I cannot reproduce it in a headless/wayland backend sandbox

I can get it to reproduce now. I needed to start foot first then chromium. It doesn't reproduce if chromium is the only program in the workspace. This is also with fcitx5 6af78b6 (August 2024), I had unrelated issues with newer versions where it would get sway into sending clients keymap format no_keymap instead of xkb_v1 (which caused some clients to fail asserts)

WLR_RENDERER=pixman WLR_RENDERER_FORCE_SOFTWARE=1 WLR_BACKENDS=wayland sway -c ./config &
WAYLAND_DISPLAY=wayland-2 fcitx5 &
WAYLAND_DISPLAY=wayland-2 foot &
WAYLAND_DISPLAY=wayland-2 chromium --ozone-platform=wayland --gtk-version=4 --disable-gtk-ime --enable-wayland-ime --wayland-text-input-version=3 &
# press Ctrl+Alt+Shift+u to open "type to search unicode by code or description" menu
# press 'a'
# press F9 (floating toggle)
# press F10 (kill)
# segfault

config:

bindsym F9 floating toggle
bindsym F10 kill

example backtrace

(gdb) bt
#0  0x000079036bc00013 in scene_node_get_root (node=0x64f7205f8a90) at ../wlroots/types/scene/wlr_scene.c:59
#1  wlr_scene_node_destroy (node=0x64f7205f8a90) at ../wlroots/types/scene/wlr_scene.c:110
#2  wlr_scene_node_destroy (node=0x64f7205f8a90) at ../wlroots/types/scene/wlr_scene.c:97
#3  0x000064f6fb3af4c0 in input_popup_set_focus (popup=popup@entry=0x64f7205c9f20, surface=0x64f7204a5a50)
    at ../sway/sway/input/text_input.c:376
#4  0x000064f6fb3af6e0 in relay_send_im_state (relay=0x64f71fe060b0, input=<optimized out>) at ../sway/sway/input/text_input.c:238
#5  0x000079036bcc647e in wl_signal_emit_mutable (signal=<optimized out>, data=0x64f7204a4eb0)
    at ../wayland-1.23.1/src/wayland-server.c:2314
#6  0x000079036b2bc596 in ffi_call_unix64 () at ../src/x86/unix64.S:104
#7  0x000079036b2b900e in ffi_call_int (cif=cif@entry=0x7ffee680c960, fn=<optimized out>, rvalue=<optimized out>, avalue=<optimized out>, 
    closure=closure@entry=0x0) at ../src/x86/ffi64.c:673
#8  0x000079036b2bbbd3 in ffi_call (cif=cif@entry=0x7ffee680c960, fn=<optimized out>, rvalue=rvalue@entry=0x0, 
    avalue=avalue@entry=0x7ffee680ca30) at ../src/x86/ffi64.c:710
#9  0x000079036bcc4e85 in wl_closure_invoke (closure=closure@entry=0x64f720571c50, target=<optimized out>, target@entry=0x64f7204a4e20, 
    opcode=opcode@entry=7, data=<optimized out>, data@entry=0x64f7203656d0, flags=2) at ../wayland-1.23.1/src/connection.c:1228
#10 0x000079036bcc9d22 in wl_client_connection_data (fd=<optimized out>, mask=<optimized out>, data=0x64f7203656d0)
    at ../wayland-1.23.1/src/wayland-server.c:444
#11 0x000079036bcc8112 in wl_event_loop_dispatch (loop=0x64f71f0d9840, timeout=<optimized out>, timeout@entry=-1)
    at ../wayland-1.23.1/src/event-loop.c:1105
#12 0x000079036bcca1f7 in wl_display_run (display=0x64f71f0d9750) at ../wayland-1.23.1/src/wayland-server.c:1530
#13 0x000064f6fb38ae56 in server_run (server=<optimized out>) at ../sway/sway/server.c:514
#14 main (argc=3, argv=0x7ffee680d188) at ../sway/sway/main.c:374