libweston: clear parent_view when the parent view is destroyed

When a view is destroyed then the views of subsurfaces remain until the view
list is rebuilt for the next repaint.
During that time view->parent_view contains an invalid pointer and weston will
crash when it tries to access the view.

This happens for a surface with subsurfaces with views on two different outputs
with the ivi-shell:

When the surface is destroyed then the destroy handler of the ivi-shell
(shell_handle_surface_destroy()) may be called first. It will (indirectly)
destroy the view of the main surface with weston_view_destroy().
Next the surface destroy handler of the subsurfaces
(subsurface_handle_parent_destroy() is called. It will unmap the first view of
the subsurface. Here weston_surface_assign_output() is called which tries to
find the output of the second view and accesses the now invalid
view->parent_view in the process.

There are probably other ways to trigger similar crashes.

To avoid this, clear view->parent_view when the parent view is destroyed.

Fixes 0669d4de4f22 ("libweston: Skip views without a layer assignment in
      output_mask calculations")

Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
(cherry picked from commit 39796f88e6ed4a33a42c74b743e999294b3e4651)

1 files changed, 1 insertions, 0 deletions

diff --git a/libweston/compositor.c b/libweston/compositor.c
index 6cfcba25..428e4b5e 100644
--- a/libweston/compositor.c
+++ b/libweston/compositor.c
@@ -1827,6 +1827,7 @@ transform_parent_handle_parent_destroy(struct wl_listener *listener,
 			     geometry.parent_destroy_listener);
 
 	weston_view_set_transform_parent(view, NULL);
+	view->parent_view = NULL;
 }
 
 WL_EXPORT void