Current implementation of wayland-backend makes it difficult to use Wayland surfaces safely

[notgull]

Realized this issue while discussing rust-windowing/raw-window-handle#182

ObjectId is effectively a weak pointer to an underlying wl_proxy. However, it's unique in that any existing ObjectId can destroy the underlying wl_proxy, invalidating it for any other object ID. For example:

use winit_wayland::Window;

let window: Window = /* ... */;

// We can arbitrarily destroy the surface.
window.surface().destroy();
window.set_fullscreen(None); /* Will panic with `InvalidId` */

Internally, this is kept safe by the fact that an ObjectId cannot actually be used to send requests if the underlying object is invalid; it keeps track of whether destroy() has been called and, if it has, returns an error when a request attempts to be marshalled.

However, for the underlying proxy, we need to pass the pointer to other APIs that do not know of wayland-backend, like EGL. If the proxy is destroyed while the EGL object still exists, it will cause a use-after-free.

let window: Arc<Window> = Arc::new(/* ... */);
let egl: glutin::api::egl::Surface = Surface::new(window.clone()); /* Simplified. */

window.surface().destroy();
egl.swap_buffers(); /* EGL doesn't know the pointer is invalid, use-after-free occurs here! */

It seems to me that in this case it is on the onus of the graphics API to ensure that the WlSurface is valid before continuing to do anything with it. If this is true, then both glutin and wgpu are implementing the Wayland window incorrectly, and all windowing calls need to be guarded before being called.

[notgull]

This problem would be solved if the ObjectId kept the underlying wl_proxy alive.

[ids1024]

Overall I'm more familiar with the rs backend of wayland-backend than the sys backend (or the C API of libwayland). But auditing the sys backend for possible soundness issues is something wayland-rs could certainly use.

window.surface().destroy();
window.set_fullscreen(None); /* Will panic with `InvalidId` */

If it's true that this panics, I don't understand exactly why. It should just result in the set_fullscreen call being ignored?

If I modify wayland-client/examples/simple_window.rs to add a toplevel.destroy() call before toplevel.set_title, WAYLAND_DEBUG=1 cargo run --example simple_window --features wayland-backend/client_system shows:

[4135279.990][rs][discarded] -> xdg_toplevel@10.set_title(Some("A fantastic window!"))

I haven't been following all the changes in winit 0.31, but glancing at winit-wayland I don't see a reason it would be different.

If you've seen a panic like this, do you have a full example?

It seems to me that in this case it is on the onus of the graphics API to ensure that the WlSurface is valid before continuing to do anything with. If the proxy is destroyed while the EGL object still exists, it will cause a use-after-free.

I'm not sure what glutin/wgpu can do differently here. It can be assumed that EGLSwapBuffers will involve a Wayland call, but I don't think there's any explicit guarantee about which EGL/Vulkan calls may or may not interact with the windowing system.

https://registry.khronos.org/EGL/extensions/EXT/EGL_EXT_platform_wayland.txt and https://docs.vulkan.org/refpages/latest/refpages/source/VK_KHR_wayland_surface.html don't really seem to say anything explicit about the lifetimes of the wl_display and wl_surface.

[notgull]

If it's true that this panics, I don't understand exactly why. It should just result in the set_fullscreen call being ignored?

Ah, it looks like the message is just discarded. My mistake. Still:

I'm not sure what glutin/wgpu can do differently here. It can be assumed that EGLSwapBuffers will involve a Wayland call, but I don't think there's any explicit guarantee about which EGL/Vulkan calls may or may not interact with the windowing system.

I would assume that EGL/Vulkan assumes the default: that the underlying Wayland surface won't be deallocated mid-call. Unfortunately there's not much wgpu or glutin can do without changes to wayland-backend, since due to the thread safety of wayland it is possible that the wl_proxy will be deallocated in the middle of a call.