i3: workspace output can crash i3

Output of i3 --moreversion 2>&- || i3 --version:

Binary i3 version:  4.15-71-g45be56be (2018-03-27, branch "next") © 2009 Michael Stapelberg and contributors

URL to a logfile as per https://i3wm.org/docs/debugging.html:

https://logs.i3wm.org/logs/5678957424803840.bz2

What I did:

# i3 config file (v4)

workspace 5 output left
# I guess it should work with real outputs as well
fake-outputs 800x500+0+0,800x500+800+0,800x500+800+500,800x500+0+500

Run i3-msg workspace 2, rename workspace 1 to 5

What I saw:

==5487==ERROR: AddressSanitizer: heap-use-after-free on address 0x614000001e9c at pc 0x55556eb52de7 bp 0x7ffe742200c0 sp 0x7ffe742200b0
READ of size 4 at 0x614000001e9c thread T0
    #0 0x55556eb52de6 in con_get_workspace ../../i3/src/con.c:421
    #1 0x55556eb4380a in cmd_rename_workspace ../../i3/src/commands.c:2012
    #2 0x55556eb46957 in GENERATED_call parser/GENERATED_command_call.h:22
    #3 0x55556eb4a3aa in next_state ../../i3/src/commands_parser.c:185
    #4 0x55556eb4c4c4 in parse_command ../../i3/src/commands_parser.c:346
    #5 0x55556eba0ebf in handle_run_command ../../i3/src/ipc.c:124
    #6 0x55556ebac906 in ipc_receive_message ../../i3/src/ipc.c:1248
    #7 0x7f73d9fa44e2 in ev_invoke_pending (/usr/lib/libev.so.4+0x44e2)
    #8 0x7f73d9fa7ad5 in ev_run (/usr/lib/libev.so.4+0x7ad5)
    #9 0x55556ebb7a3f in ev_loop /usr/local/include/ev.h:835
    #10 0x55556ebc3495 in main ../../i3/src/main.c:964
    #11 0x7f73d8978f49 in __libc_start_main (/usr/lib/libc.so.6+0x20f49)
    #12 0x55556eb01749 in _start (/home/orestis/Documents/programming/i3/build/i3+0x189749)

0x614000001e9c is located 92 bytes inside of 448-byte region [0x614000001e40,0x614000002000)
freed by thread T0 here:
    #0 0x7f73dcef9711 in __interceptor_free /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:45
    #1 0x55556eb4f19c in con_free ../../i3/src/con.c:96
    #2 0x55556ebfffec in tree_close_internal ../../i3/src/tree.c:340
    #3 0x55556eb5ee2d in con_on_remove_child ../../i3/src/con.c:1986
    #4 0x55556ec14a63 in workspace_move_to_output ../../i3/src/workspace.c:1004
    #5 0x55556eb437ed in cmd_rename_workspace ../../i3/src/commands.c:2009
    #6 0x55556eb46957 in GENERATED_call parser/GENERATED_command_call.h:22
    #7 0x55556eb4a3aa in next_state ../../i3/src/commands_parser.c:185
    #8 0x55556eb4c4c4 in parse_command ../../i3/src/commands_parser.c:346
    #9 0x55556eba0ebf in handle_run_command ../../i3/src/ipc.c:124
    #10 0x55556ebac906 in ipc_receive_message ../../i3/src/ipc.c:1248
    #11 0x7f73d9fa44e2 in ev_invoke_pending (/usr/lib/libev.so.4+0x44e2)

previously allocated by thread T0 here:
    #0 0x7f73dcef9ce1 in __interceptor_calloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:70
    #1 0x55556ec378c1 in scalloc ../../i3/libi3/safewrappers.c:31
    #2 0x55556eb4dc49 in con_new_skeleton ../../i3/src/con.c:40
    #3 0x55556eb4e5e2 in con_new ../../i3/src/con.c:71
    #4 0x55556ec0c726 in create_workspace_on_output ../../i3/src/workspace.c:178
    #5 0x55556ebdc34d in init_ws_for_output ../../i3/src/randr.c:520
    #6 0x55556eb82a0e in fake_outputs_init ../../i3/src/fake_outputs.c:77
    #7 0x55556ebc02b1 in main ../../i3/src/main.c:714
    #8 0x7f73d8978f49 in __libc_start_main (/usr/lib/libc.so.6+0x20f49)

What I expected instead: I guess we shouldn’t interpret directional outputs as such in workspace <workspace> output <output>.

About this issue

Original URL
State: closed
Created 6 years ago
Comments: 19 (19 by maintainers)

Commits related to this issue

Workspace renaming: Interpret outputs as nondirectional Currently when renaming outputs, an output assignment of "left" will cause the workspace to move left. Treat this assignment as a proper name i... — committed to ograff/i3 by ograff 6 years ago
Show test addition for #3208 fails without fix Add test for ignoring direcionality during rename Tests the fix for the directionality during rename issue found on #3208 — committed to ograff/i3 by ograff 6 years ago
Add test for ignoring direcionality during rename Tests the fix for the directionality during rename issue found on #3208 — committed to ograff/i3 by ograff 6 years ago
Workspace renaming: Interpret outputs as nondirectional Currently when renaming outputs, an output assignment of "left" will cause the workspace to move left. Treat this assignment as a proper name i... — committed to ograff/i3 by ograff 6 years ago
Merge pull request #3221 from ograff/issue-3208 Issue #3208 — committed to i3/i3 by orestisfl 6 years ago

Most upvoted comments

I like the solution suggested by @Airblader I’ll have a PR up with at least the implementation changes, and hopefully the appropriate tests by sometime tomorrow.

ograff on Apr 2, 2018

Instead of a new parameter, it might make sense to make the function take the (already parsed) output as a parameter instead. Then parsing the string into the correct output is done outside the function giving the caller control over how this is done.

Haven’t looked at the code, though. I’m a bit short on time and will be until Monday at least. I do trust that @orestisf1993 can make a good decision here; it’s really not all that crucial anyway 😃

Airblader on Mar 31, 2018

I’d like to take this.

I know I didn’t get to #3136 before someone else got a patch up but I have considerably more time now.

ograff on Mar 29, 2018