Prevent access of freed workspace in _workspace_show 3078/head
authorOrestis Floros <orestisf1993@gmail.com>
Sat, 9 Dec 2017 20:17:48 +0000 (22:17 +0200)
committerOrestis Floros <orestisf1993@gmail.com>
Sun, 10 Dec 2017 19:37:43 +0000 (21:37 +0200)
The bug triggers when _workspace_show calls tree_close_internal and
old == old_focus, i.e. when the old workspace was empty and needs to be
closed but then is accessed as output_push_sticky_windows's argument:
Breakpoint 1, output_push_sticky_windows (to_focus=0x55555589c8a0) at ../../i3/src/output.c:102
102                     con_move_to_workspace(current, visible_ws, true, false, current != to_focus->parent);
(gdb) print con_exists(to_focus)
$1 = false

The access violation can also be prevented by checking if
con_exists(old_focus) but it shouldn't be necessary: the old_focus
container can only be killed when it is an empty workspace.

With --enable-sanitizers this causes i3 to exit but with
--disable-sanitizers the access violation doesn't reliably cause a crash
and the con_move_to_workspace call continues with:
(gdb) print current != to_focus->parent
$2 = 1

Since current->type is CT_FLOATING_CON and to_focus->type is
CT_WORKSPACE, in this specific case ignore_focus would always be true.
So, in this case, passing NULL instead of old_focus to
output_push_sticky_windows doesn't change the behaviour of i3.

Fixes #3075.

src/output.c
src/workspace.c
testcases/t/293-sticky-output-crash.t [new file with mode: 0644]

index e76903844821c532f14cca9b132beeb18ea3af93..c76dfd035d213360ef727663b3e98ff49fba6db4 100644 (file)
@@ -99,7 +99,8 @@ void output_push_sticky_windows(Con *to_focus) {
                     continue;
 
                 if (con_is_sticky(current)) {
-                    con_move_to_workspace(current, visible_ws, true, false, current != to_focus->parent);
+                    bool ignore_focus = (to_focus == NULL) || (current != to_focus->parent);
+                    con_move_to_workspace(current, visible_ws, true, false, ignore_focus);
                 }
             }
         }
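Review bot: output_push_sticky_windows now accepts a NULL to_focus, but the hunk documents that contract nowhere, and the function's declaration and header comment are outside the hunk. Add a line to the function's doc comment, wherever it is declared, such as `to_focus may be NULL; in that case every sticky container is moved with ignore_focus set.` The NULL test must stay first in the `||` so that `to_focus->parent` is only evaluated for a non-NULL pointer; a short comment on the new line, `/* NULL check first: to_focus may already have been closed by the caller. */`, records why the order matters. The enclosing function starts and ends outside the hunk.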
index 4b350b822730938ea4f0d6f73ef1b34b9d6e2909..1531335765dff19438ac1ba3857a3f4d84d13b65 100644 (file)
@@ -459,6 +459,11 @@ static void _workspace_show(Con *workspace) {
 
             y(free);
 
+            /* Avoid calling output_push_sticky_windows later with a freed container. */
+            if (old == old_focus) {
+                old_focus = NULL;
+            }
+
             ewmh_update_number_of_desktops();
             ewmh_update_desktop_names();
             ewmh_update_desktop_viewport();
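Review bot: The new `old == old_focus` comparison is evaluated after the workspace `old` has already been closed (the tree_close_internal call described in the commit message appears to precede this point, though it is outside the hunk), so it compares against a pointer whose value is already dangling; that is harmless on real platforms but formally indeterminate in C. Computing `bool old_was_focus = (old == old_focus);` before the close and clearing old_focus on that flag, or clearing old_focus right where the workspace is closed, removes the dependence on a freed pointer's value. The added comment could also state why NULL is a safe substitute: `output_push_sticky_windows treats a NULL to_focus as ignore_focus = true, which is the value it would compute for the old workspace anyway.` _workspace_show starts and ends outside the hunk.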
diff --git a/testcases/t/293-sticky-output-crash.t b/testcases/t/293-sticky-output-crash.t
new file mode 100644 (file)
index 0000000..93ebaee
--- /dev/null
@@ -0,0 +1,41 @@
+#!perl
+# vim:ts=4:sw=4:expandtab
+#
+# Please read the following documents before working on tests:
+# • https://build.i3wm.org/docs/testsuite.html
+#   (or docs/testsuite)
+#
+# • https://build.i3wm.org/docs/lib-i3test.html
+#   (alternatively: perldoc ./testcases/lib/i3test.pm)
+#
+# • https://build.i3wm.org/docs/ipc.html
+#   (or docs/ipc)
+#
+# • http://onyxneon.com/books/modern_perl/modern_perl_a4.pdf
+#   (unless you are already familiar with Perl)
+#
+# Verifies that i3 does not crash when opening a floating sticky on one output
+# and then switching empty workspaces on the other output.
+# Ticket: #3075
+# Bug still in: 4.14-191-g9d2d602d
+use i3test i3_config => <<EOT;
+# i3 config file (v4)
+font -misc-fixed-medium-r-normal--13-120-75-75-C-70-iso10646-1
+fake-outputs 1024x768+0+0,1024x768+1024+0
+EOT
+
+# A window on the left output.
+fresh_workspace(output => 0);
+open_window;
+cmd 'sticky enable, floating enable';
+
+# Switch to the right output and open a new workspace.
+my $ws = fresh_workspace(output => 1);
+does_i3_live;
+
+# Verify results.
+is(@{get_ws($ws)->{floating_nodes}}, 0, 'workspace in right output is empty');
+$ws = fresh_workspace(output => 0);
+is(@{get_ws($ws)->{floating_nodes}}, 1, 'new workspace in left output has the sticky container');
+
+done_testing;
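Review bot: Both `is(@{get_ws($ws)->{floating_nodes}}, …)` assertions at the end of the new test rely on Test::More's `($$;$)` prototype on `is` to put the dereferenced array into scalar context; if `is` were ever re-exported through a wrapper without that prototype the array would flatten into the argument list and the description would become the expected value. Writing the count explicitly, `is(scalar @{get_ws($ws)->{floating_nodes}}, 0, 'workspace in right output is empty');` and likewise with `1` for the second check, states the intent and does not depend on the prototype. The return value of the first fresh_workspace(output => 0) call is deliberately unused; a one-line comment saying the window only needs some workspace on output 0 would make the later reassignment of `$ws` easier to follow.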