gnome-shell crashed on logout with SIGSEGV in js::gc::Cell::storeBuffer() from js::gc::PostWriteBarrierImpl<JSObject>()

Bug #1974293 reported by Andy Chi
This bug affects 15 people
Affects               Status        Importance  Assigned to      Milestone
OEM Priority Project  Fix Released  Critical    Andy Chi
gjs                   Fix Released  Unknown
gjs (Ubuntu)          Fix Released  High        Daniel van Vugt
  Jammy               Fix Released  Medium      Ghadi Rahme
  Kinetic             Won't Fix     Medium      Jeremy Bícha
  Lunar               Fix Released  High        Daniel van Vugt
gnome-shell (Fedora)  Confirmed     Undecided

Bug Description

[ Impact ]

gnome-shell often crashes on logout causing annoyance to the user as an error report dialog is displayed at the next login.

[ Test Plan ]

1. Log into gnome-shell

2. Use gnome-shell for long enough to trigger a garbage collection cycle: Scroll the app grid and repeatedly open the calendar from the top bar for 30 seconds.

3. Log out.

4. Verify no new gnome-shell crash files appear in /var/crash/

[ Where problems could occur ]

Only gnome-shell shutdown/logout is affected.

[ Other Info ]

https://errors.ubuntu.com/problem/256d1c0d1aad03bb024b525f4c80868e8f6a85b4
https://errors.ubuntu.com/problem/b1669e114babda005eb5a6414867a0eb7293f7e7

Description: Ubuntu 22.04 LTS
Release: 22.04

ProblemType: Crash
DistroRelease: Ubuntu 22.04
Package: gnome-shell 42.0-2ubuntu1
ProcVersionSignature: Ubuntu 5.15.0-30.31-generic 5.15.30
Uname: Linux 5.15.0-30-generic x86_64
ApportVersion: 2.20.11-0ubuntu82
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Fri May 20 16:06:35 2022
DisplayManager: gdm3
ExecutablePath: /usr/bin/gnome-shell
ExecutableTimestamp: 1649813447
InstallationDate: Installed on 2022-05-05 (14 days ago)
InstallationMedia: Ubuntu 22.04 LTS "Jammy Jellyfish" - Release amd64 (20220419)
ProcCmdline: /usr/bin/gnome-shell
ProcCwd: /home/ubuntu
RelatedPackageVersions: mutter-common 42.0-3ubuntu2
Signal: 11
SourcePackage: gnome-shell
StacktraceTop:
 ?? () from /lib/x86_64-linux-gnu/libmozjs-91.so.0
 ?? () from /lib/x86_64-linux-gnu/libgjs.so.0
 ?? () from /lib/x86_64-linux-gnu/libgjs.so.0
 g_object_unref () from /lib/x86_64-linux-gnu/libgobject-2.0.so.0
 ?? ()
Title: gnome-shell crashed with SIGSEGV in g_object_unref()
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm cdrom dip lpadmin lxd plugdev sambashare sudo
separator:

Revision history for this message
Andy Chi (andch) wrote :
Apport retracing service (apport) wrote :

StacktraceTop:
 js::gc::Cell::storeBuffer (this=<optimized out>, this=<optimized out>) at .././js/src/gc/Cell.h:357
 js::gc::PostWriteBarrierImpl<JSObject> (next=<optimized out>, prev=<optimized out>, cellp=<optimized out>) at .././js/src/gc/StoreBuffer.h:654
 js::gc::PostWriteBarrier<js::SavedFrame> (next=<optimized out>, prev=<optimized out>, vp=<optimized out>) at .././js/src/gc/StoreBuffer.h:666
 js::InternalBarrierMethods<js::SavedFrame*>::postBarrier (next=<optimized out>, prev=<optimized out>, vp=0x558a251d1210) at .././js/src/gc/Barrier.h:333
 js::InternalBarrierMethods<js::SavedFrame*>::postBarrier (vp=0x558a251d1210, prev=<optimized out>, next=<optimized out>) at .././js/src/gc/Barrier.h:332

tags: removed: need-amd64-retrace
Changed in oem-priority:
assignee: nobody → Andy Chi (andch)
importance: Undecided → Critical
status: New → Confirmed
summary: - gnome-shell crashed with SIGSEGV in g_object_unref()
+ gnome-shell crashed with SIGSEGV in js::gc::Cell::storeBuffer() from
+ js::gc::PostWriteBarrierImpl<JSObject>()
tags: added: oem-priority
Daniel van Vugt (vanvugt) wrote (last edit ): Re: gnome-shell crashed with SIGSEGV in js::gc::Cell::storeBuffer() from js::gc::PostWriteBarrierImpl<JSObject>()

This appears to be the same as bug 1964458. The fix is what I proposed originally in:

  https://salsa.debian.org/gnome-team/gnome-shell/-/merge_requests/60/diffs

but that's not the fix that got released to jammy. An 'if' statement was added so that the fix is only applied in live sessions:

  https://salsa.debian.org/gnome-team/gnome-shell/-/commit/0fb70b0603817614d8612f1a289cd9ceb369616e

which now seems to be the cause of bug 1974293. We should remove that 'if' statement to fix this bug.

This might also explain one of the most frequent gnome-shell crashes we are seeing (but missing the stack trace for):

  https://errors.ubuntu.com/problem/256d1c0d1aad03bb024b525f4c80868e8f6a85b4

Changed in gnome-shell (Ubuntu):
importance: Undecided → High
status: New → Triaged
Daniel van Vugt (vanvugt) wrote :

That also means gnome-shell is trying to shut down cleanly when the crash happens. So a second bug might be to find out why gnome-shell is trying to shut down.

description: updated
Apport retracing service (apport) wrote :

StacktraceTop:
 js::gc::Cell::storeBuffer (this=<optimized out>, this=<optimized out>) at .././js/src/gc/Cell.h:357
 js::gc::PostWriteBarrierImpl<JSObject> (next=<optimized out>, prev=<optimized out>, cellp=<optimized out>) at .././js/src/gc/StoreBuffer.h:654
 js::gc::PostWriteBarrier<js::SavedFrame> (next=<optimized out>, prev=<optimized out>, vp=<optimized out>) at .././js/src/gc/StoreBuffer.h:666
 js::InternalBarrierMethods<js::SavedFrame*>::postBarrier (next=<optimized out>, prev=<optimized out>, vp=0x558a251d1210) at .././js/src/gc/Barrier.h:333
 js::InternalBarrierMethods<js::SavedFrame*>::postBarrier (vp=0x558a251d1210, prev=<optimized out>, next=<optimized out>) at .././js/src/gc/Barrier.h:332

Apport retracing service (apport) wrote : Stacktrace.txt
Apport retracing service (apport) wrote : StacktraceSource.txt
Apport retracing service (apport) wrote : ThreadStacktrace.txt
Daniel van Vugt (vanvugt) wrote : Re: gnome-shell crashed with SIGSEGV in js::gc::Cell::storeBuffer() from js::gc::PostWriteBarrierImpl<JSObject>()

A few days late, but that confirms it's the same as bug 1964458.

Andy Chi (andch)
tags: added: originate-from-1967555
Daniel van Vugt (vanvugt) wrote :

Seems rare now, but still crashing occasionally in the latest gnome-shell on jammy.

Since we know the fix we may as well get it done...

Changed in gnome-shell (Ubuntu):
assignee: nobody → Daniel van Vugt (vanvugt)
status: Triaged → In Progress
Daniel van Vugt (vanvugt) wrote :
Daniel van Vugt (vanvugt) wrote :

This crash seems to have gone almost silent in gnome-shell 42.2:

https://errors.ubuntu.com/problem/256d1c0d1aad03bb024b525f4c80868e8f6a85b4

Daniel van Vugt (vanvugt) wrote :

The crash is now "Won't Fix" as discussed in https://salsa.debian.org/gnome-team/gnome-shell/-/merge_requests/63

Seems the crash is almost never happening now. But it remains unexplained as to why the above "Steps to reproduce" would lead to a clean shutdown of gnome-shell. So if this is still a problem then please open a new bug about the shell shutting down without mentioning the crash that happens during shutdown.

Changed in gnome-shell (Ubuntu):
status: In Progress → Won't Fix
Daniel van Vugt (vanvugt) wrote (last edit ):

It's back, now the 9th most common gnome-shell crash in jammy:
https://errors.ubuntu.com/problem/b1669e114babda005eb5a6414867a0eb7293f7e7

description: updated
Daniel van Vugt (vanvugt) wrote :

Reopened. This isn't going away and is now being reported in kinetic.

tags: added: kinetic
Changed in gnome-shell (Ubuntu):
status: Won't Fix → Confirmed
Daniel van Vugt (vanvugt) wrote :

Also please make the bug public.

Andy Chi (andch) wrote :

Oops, I thought I left my comment in the public one. Will leave a comment there as well.

Andy Chi (andch) wrote :

Ohohohoh!! I'm so sorry, I commented in the wrong bug...

Andy Chi (andch) wrote :

I was talking about Bug #1969422

Daniel van Vugt (vanvugt) wrote :

Bug 1969422 isn't related to this, although there's always a chance both might occur on the same machine.

Andy Chi (andch) wrote :

Yes, I figured out I commented on the wrong one.
Sorry for the noise.

Changed in gnome-shell (Ubuntu):
assignee: Daniel van Vugt (vanvugt) → nobody
In , kparal (kparal-redhat-bugs) wrote :

Description of problem:
This seems to happen during user switching [1], but I'm not quite sure when exactly. But I do get crash reports on my next user login, and there are multiple crashes present. However, I didn't see any negative effect of this, just the crash report.

[1] https://fedoraproject.org/wiki/QA:Testcase_desktop_user_switching

Version-Release number of selected component:
gnome-shell-44~beta-2.fc38

Additional info:
reporter: libreport-2.17.8
type: CCpp
reason: gnome-shell killed by SIGSEGV
journald_cursor: s=f14ac85b1ea64de087f79c5fe57e0ea5;i=11e456;b=e47cd77d619d4efbad547129c7282b81;m=28e6422c;t=5f63ae6e57d96;x=24808710e95e2b09
executable: /usr/bin/gnome-shell
cmdline: /usr/bin/gnome-shell
cgroup: 0::/user.slice/user-1000.slice/user@<email address hidden>
rootdir: /
uid: 1000
kernel: 6.2.2-300.fc38.x86_64
package: gnome-shell-44~beta-2.fc38
runlevel: N 5
backtrace_rating: 4
crash_function: js::gc::Cell::storeBuffer

Truncated backtrace:
Thread no. 0 (13 frames)
 #0 js::gc::Cell::storeBuffer at /usr/src/debug/mozjs102-102.8.0-1.fc38.x86_64/gc/Cell.h:357
 #1 js::gc::PostWriteBarrierImpl<JSObject> at /usr/src/debug/mozjs102-102.8.0-1.fc38.x86_64/gc/StoreBuffer.h:646
 #2 js::gc::PostWriteBarrier<js::SavedFrame> at /usr/src/debug/mozjs102-102.8.0-1.fc38.x86_64/gc/StoreBuffer.h:658
 #3 js::InternalBarrierMethods<js::SavedFrame*, void>::postBarrier at /usr/src/debug/mozjs102-102.8.0-1.fc38.x86_64/gc/Barrier.h:350
 #5 js::BarrierMethods<JSObject*, void>::postWriteBarrier at /usr/include/mozjs-102/js/RootingAPI.h:795
 #6 JS::Heap<JSObject*>::postWriteBarrier at /usr/include/mozjs-102/js/RootingAPI.h:376
 #7 JS::Heap<JSObject*>::~Heap at /usr/include/mozjs-102/js/RootingAPI.h:338
 #8 mozilla::detail::VectorImpl<JS::Heap<JSObject*>, 0ul, js::SystemAllocPolicy, false>::destroy at /usr/include/mozjs-102/mozilla/Vector.h:65
 #9 mozilla::Vector<JS::Heap<JSObject*>, 0ul, js::SystemAllocPolicy>::~Vector at /usr/include/mozjs-102/mozilla/Vector.h:901
 #10 JS::GCVector<JS::Heap<JSObject*>, 0ul, js::SystemAllocPolicy>::~GCVector at /usr/include/mozjs-102/js/GCVector.h:43
 #11 GjsContextPrivate::~GjsContextPrivate at ../gjs/context.cpp:487
 #12 gjs_context_finalize at ../gjs/context.cpp:500
 #14 _shell_global_destroy_gjs_context at ../src/shell-global.c:738

In , kparal (kparal-redhat-bugs) wrote :

Created attachment 1948335
File: proc_pid_status

In , kparal (kparal-redhat-bugs) wrote :

Created attachment 1948336
File: maps

In , kparal (kparal-redhat-bugs) wrote :

Created attachment 1948337
File: limits

In , kparal (kparal-redhat-bugs) wrote :

Created attachment 1948338
File: environ

In , kparal (kparal-redhat-bugs) wrote :

Created attachment 1948339
File: open_fds

In , kparal (kparal-redhat-bugs) wrote :

Created attachment 1948340
File: mountinfo

In , kparal (kparal-redhat-bugs) wrote :

Created attachment 1948341
File: os_info

In , kparal (kparal-redhat-bugs) wrote :

Created attachment 1948342
File: cpuinfo

In , kparal (kparal-redhat-bugs) wrote :

Created attachment 1948343
File: core_backtrace

In , kparal (kparal-redhat-bugs) wrote :

Created attachment 1948344
File: exploitable

In , kparal (kparal-redhat-bugs) wrote :

Created attachment 1948345
File: dso_list

In , kparal (kparal-redhat-bugs) wrote :

Created attachment 1948346
File: var_log_messages

In , kparal (kparal-redhat-bugs) wrote :

Created attachment 1948347
File: backtrace

In , vbenes (vbenes-redhat-bugs) wrote :

reloggin

reporter: libreport-2.17.8
type: CCpp
reason: gnome-shell killed by SIGSEGV
journald_cursor: s=13f16def098948d8b9bd1e957507912f;i=19ef0e;b=644716e6455440c7984221d8c1a01300;m=14404d5dce;t=5f6dbf2e5bae6;x=a2dcc95bc3d5cb12
executable: /usr/bin/gnome-shell
cmdline: /usr/bin/gnome-shell
cgroup: 0::/user.slice/user-1000.slice/user@<email address hidden>
rootdir: /
uid: 1000
kernel: 6.2.5-300.fc38.x86_64
package: gnome-shell-44~rc-1.fc38
runlevel: N 5
backtrace_rating: 4
crash_function: js::gc::Cell::storeBuffer
comment: reloggin

In , vbenes (vbenes-redhat-bugs) wrote :

Created attachment 1950612
File: backtrace

tags: added: lunar
In , kparal (kparal-redhat-bugs) wrote :

I logged out. After next login, the crash was there.

reporter: libreport-2.17.8
type: CCpp
reason: gnome-shell killed by SIGSEGV
journald_cursor: s=f14ac85b1ea64de087f79c5fe57e0ea5;i=20e220;b=5c083c075d034c0a8a6f312331f58140;m=1f4f6a04d;t=5f77d1d51f69c;x=89fd27c6cf1827c2
executable: /usr/bin/gnome-shell
cmdline: /usr/bin/gnome-shell
cgroup: 0::/user.slice/user-1000.slice/user@<email address hidden>
rootdir: /
uid: 1000
kernel: 6.2.7-300.fc38.x86_64
package: gnome-shell-44~rc-2.fc38
runlevel: N 5
backtrace_rating: 4
crash_function: js::gc::Cell::storeBuffer
comment: I logged out. After next login, the crash was there.

In , kparal (kparal-redhat-bugs) wrote :

Created attachment 1952775
File: backtrace

Daniel van Vugt (vanvugt) wrote :

@andch, can you make this bug public? We're getting duplicate reports and the public can't access this page at the moment.

Andy Chi (andch) wrote :

Hi @vanvugt,
Sure, I changed this bug to public.

information type: Private → Public
In , rogerio.s.machado (rogerio.s.machado-redhat-bugs) wrote :

on start session and set monitors

reporter: libreport-2.17.8
type: CCpp
reason: gnome-shell killed by SIGSEGV
journald_cursor: s=606b0b394b4a48b39e9d4ad62bd37f01;i=1508dd;b=fce9e0c81baf450f876e92e4a06d6fb1;m=950627445;t=5f7e8595b538f;x=d61e54532aeb66cc
executable: /usr/bin/gnome-shell
cmdline: /usr/bin/gnome-shell
cgroup: 0::/user.slice/user-1000.slice/user@<email address hidden>
rootdir: /
uid: 1000
kernel: 6.2.6-300.fc38.x86_64
package: gnome-shell-44~rc-1.fc38
runlevel: N 5
backtrace_rating: 4
crash_function: js::gc::Cell::storeBuffer
comment: on start session and set monitors

In , rogerio.s.machado (rogerio.s.machado-redhat-bugs) wrote :

Created attachment 1954028
File: backtrace

Daniel van Vugt (vanvugt) wrote :

I think the [Summary] and [Steps to reproduce] should be removed because they're not relevant to most people hitting this crash.

tags: added: rls-ll-incoming
summary: - gnome-shell crashed with SIGSEGV in js::gc::Cell::storeBuffer() from
+ gnome-shell crashed on logout with SIGSEGV in
+ js::gc::Cell::storeBuffer() from
js::gc::PostWriteBarrierImpl<JSObject>()
Changed in gjs (Ubuntu):
status: New → Confirmed
Changed in mozjs102 (Ubuntu):
status: New → Confirmed
Changed in mozjs91 (Ubuntu):
status: New → Confirmed
Changed in gjs (Ubuntu):
importance: Undecided → High
Changed in mozjs102 (Ubuntu):
importance: Undecided → High
Changed in mozjs91 (Ubuntu):
importance: Undecided → High
description: updated
Changed in gjs:
status: Unknown → New
Changed in gnome-shell (Fedora):
importance: Unknown → Undecided
status: Unknown → Confirmed
Ubuntu QA Website (ubuntuqa) wrote :

This bug has been reported on the Ubuntu ISO testing tracker.

A list of all reports related to this bug can be found here:
https://iso.qa.ubuntu.com/qatracker/reports/bugs/1974293

tags: added: iso-testing
Changed in gnome-shell (Ubuntu):
assignee: nobody → Daniel van Vugt (vanvugt)
milestone: none → ubuntu-23.04
Changed in gnome-shell (Ubuntu):
status: Confirmed → In Progress
tags: added: dt-469
Daniel van Vugt (vanvugt) wrote :

Debugging the release binaries in lunar is the only way I can capture the crash:

Thread 1 "gnome-shell" received signal SIGSEGV, Segmentation fault.
0x00007fd27998d344 in js::gc::Cell::storeBuffer (this=<optimised out>,
    this=<optimised out>) at /usr/src/mozjs102-102.9.0-1/js/src/gc/Cell.h:357
357 inline StoreBuffer* Cell::storeBuffer() const { return chunk()->storeBuffer; }
(gdb) bt
#0 0x00007fd27998d344 in js::gc::Cell::storeBuffer() const
    (this=<optimised out>, this=<optimised out>)
    at /usr/src/mozjs102-102.9.0-1/js/src/gc/Cell.h:357
#1 js::gc::PostWriteBarrierImpl<JSObject>(void*, JSObject*, JSObject*)
    (next=<optimised out>, prev=<optimised out>, cellp=<optimised out>)
    at /usr/src/mozjs102-102.9.0-1/js/src/gc/StoreBuffer.h:646
#2 js::gc::PostWriteBarrier<js::SavedFrame>(js::SavedFrame**, js::SavedFrame*, js::SavedFrame*)
    (next=<optimised out>, prev=<optimised out>, vp=<optimised out>)
    at /usr/src/mozjs102-102.9.0-1/js/src/gc/StoreBuffer.h:658
#3 js::InternalBarrierMethods<js::SavedFrame*, void>::postBarrier(js::SavedFrame**, js::SavedFrame*, js::SavedFrame*)
    (next=<optimised out>, prev=<optimised out>, vp=0x5647cc6bff20)
    at /usr/src/mozjs102-102.9.0-1/js/src/gc/Barrier.h:350
#4 js::InternalBarrierMethods<js::SavedFrame*, void>::postBarrier(js::SavedFrame**, js::SavedFrame*, js::SavedFrame*)
    (vp=0x5647cc6bff20, prev=<optimised out>, next=<optimised out>)
    at /usr/src/mozjs102-102.9.0-1/js/src/gc/Barrier.h:349
(gdb) frame 5
No frame at level 5.
(gdb) frame 6
No frame at level 6.
(gdb)

Not sure why I only get 4 frames in gdb.

Daniel van Vugt (vanvugt) wrote (last edit ):

And from a core file on lunar:

(gdb) bt -full
#0  __pthread_kill_implementation (no_tid=0, signo=11, threadid=<optimised out>) at ./nptl/pthread_kill.c:44
        tid = <optimised out>
        ret = 0
        pd = <optimised out>
        old_mask = {__val = {11}}
        ret = <optimised out>
#1  __pthread_kill_internal (signo=11, threadid=<optimised out>) at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=<optimised out>, signo=signo@entry=11) at ./nptl/pthread_kill.c:89
#3  0x00007f464d03c406 in __GI_raise (sig=sig@entry=11) at ../sysdeps/posix/raise.c:26
        ret = <optimised out>
#4  0x000056282c4afaea in dump_gjs_stack_on_signal_handler (signo=11) at ../src/main.c:495
        sa = {__sigaction_handler = {sa_handler = 0x56282c4af730 <dump_gjs_stack_alarm_sigaction>, sa_sigaction = 0x56282c4af730 <dump_gjs_stack_alarm_sigaction>}, sa_mask = {__val = {0 <repeats 16 times>}}, sa_flags = 0, sa_restorer = 0x0}
        i = <optimised out>
#5  0x00007f464d03c4b0 in <signal handler called> () at /lib/x86_64-linux-gnu/libc.so.6
#6  0x00007f464ad8d344 in js::gc::Cell::storeBuffer() const (this=<optimised out>, this=<optimised out>) at /usr/src/mozjs102-102.9.0-1/js/src/gc/Cell.h:357
        buffer = 0x0
#7  js::gc::PostWriteBarrierImpl<JSObject>(void*, JSObject*, JSObject*) (next=<optimised out>, prev=<optimised out>, cellp=<optimised out>) at /usr/src/mozjs102-102.9.0-1/js/src/gc/StoreBuffer.h:646
        buffer = 0x0
#8  js::gc::PostWriteBarrier<js::SavedFrame>(js::SavedFrame**, js::SavedFrame*, js::SavedFrame*) (next=<optimised out>, prev=<optimised out>, vp=<optimised out>) at /usr/src/mozjs102-102.9.0-1/js/src/gc/StoreBuffer.h:658
#9  js::InternalBarrierMethods<js::SavedFrame*, void>::postBarrier(js::SavedFrame**, js::SavedFrame*, js::SavedFrame*) (next=<optimised out>, prev=<optimised out>, vp=0x7f4630022da0) at /usr/src/mozjs102-102.9.0-1/js/src/gc/Barrier.h:350
#10 js::InternalBarrierMethods<js::SavedFrame*, void>::postBarrier(js::SavedFrame**, js::SavedFrame*, js::SavedFrame*) (vp=0x7f4630022da0, prev=<optimised out>, next=<optimised out>) at /usr/src/mozjs102-102.9.0-1/js/src/gc/Barrier.h:349
#11 0x00007f464d91f721 in js::BarrierMethods<JSObject*, void>::postWriteBarrier(JSObject**, JSObject*, JSObject*) (next=0x0, prev=<optimised out>, vp=0x7f4630022da0) at /usr/include/mozjs-102/js/RootingAPI.h:795
        p = 0x7f4630022da0
#12 JS::Heap<JSObject*>::postWriteBarrier(JSObject* const&, JSObject* const&) (next=<optimised out>, prev=@0x7f4630022da0: 0x1c8a30a483a0, this=0x7f4630022da0, this=<optimised out>, prev=<optimised out>, next=<optimised out>)
    at /usr/include/mozjs-102/js/RootingAPI.h:376
        p = 0x7f4630022da0
#13 JS::Heap<JSObject*>::~Heap() (this=0x7f4630022da0, this=<optimised out>) at /usr/include/mozjs-102/js/RootingAPI.h:338
        p = 0x7f4630022da0
#14 mozilla::detail::VectorImpl<JS::Heap<JSObject*>, 0ul, js::SystemAllocPolicy, false>::destroy(JS::Heap<JSObject*>*, JS::Heap<JSObject*>*) (aEnd=0x7f4630022da8, aBegin=<optimised out>) at /usr/include/mozjs-102/mozilla/Vector.h:65
        p = 0x7f4630022da0
#15 mozilla::Vector<JS::Heap<JSObject*>, 0ul, js::SystemAllocPolicy>::~Vector() (this=0x56282d2db9d...

Daniel van Vugt (vanvugt) wrote :
In , Daniel van Vugt (vanvugt) wrote :

Steps to reproduce:

1. Log into gnome-shell (currently version 44 using mozjs102).
2. Wait or use it for a while (long enough for some GC to have occurred I guess).
3. Log out.

https://launchpad.net/bugs/1974293
https://gitlab.gnome.org/GNOME/gjs/-/issues/472

Actual results:

#0 __pthread_kill_implementation (no_tid=0, signo=11, threadid=<optimised out>) at ./nptl/pthread_kill.c:44
        tid = <optimised out>
        ret = 0
        pd = <optimised out>
        old_mask = {__val = {11}}
        ret = <optimised out>
#1 __pthread_kill_internal (signo=11, threadid=<optimised out>) at ./nptl/pthread_kill.c:78
#2 __GI___pthread_kill (threadid=<optimised out>, signo=signo@entry=11) at ./nptl/pthread_kill.c:89
#3 0x00007f464d03c406 in __GI_raise (sig=sig@entry=11) at ../sysdeps/posix/raise.c:26
        ret = <optimised out>
#4 0x000056282c4afaea in dump_gjs_stack_on_signal_handler (signo=11) at ../src/main.c:495
        sa = {__sigaction_handler = {sa_handler = 0x56282c4af730 <dump_gjs_stack_alarm_sigaction>, sa_sigaction = 0x56282c4af730 <dump_gjs_stack_alarm_sigaction>}, sa_mask = {__val = {0 <repeats 16 times>}}, sa_flags = 0, sa_restorer = 0x0}
        i = <optimised out>
#5 0x00007f464d03c4b0 in <signal handler called> () at /lib/x86_64-linux-gnu/libc.so.6
#6 0x00007f464ad8d344 in js::gc::Cell::storeBuffer() const (this=<optimised out>, this=<optimised out>) at /usr/src/mozjs102-102.9.0-1/js/src/gc/Cell.h:357
        buffer = 0x0
#7 js::gc::PostWriteBarrierImpl<JSObject>(void*, JSObject*, JSObject*) (next=<optimised out>, prev=<optimised out>, cellp=<optimised out>) at /usr/src/mozjs102-102.9.0-1/js/src/gc/StoreBuffer.h:646
        buffer = 0x0
#8 js::gc::PostWriteBarrier<js::SavedFrame>(js::SavedFrame**, js::SavedFrame*, js::SavedFrame*) (next=<optimised out>, prev=<optimised out>, vp=<optimised out>) at /usr/src/mozjs102-102.9.0-1/js/src/gc/StoreBuffer.h:658
#9 js::InternalBarrierMethods<js::SavedFrame*, void>::postBarrier(js::SavedFrame**, js::SavedFrame*, js::SavedFrame*) (next=<optimised out>, prev=<optimised out>, vp=0x7f4630022da0) at /usr/src/mozjs102-102.9.0-1/js/src/gc/Barrier.h:350
#10 js::InternalBarrierMethods<js::SavedFrame*, void>::postBarrier(js::SavedFrame**, js::SavedFrame*, js::SavedFrame*) (vp=0x7f4630022da0, prev=<optimised out>, next=<optimised out>) at /usr/src/mozjs102-102.9.0-1/js/src/gc/Barrier.h:349
#11 0x00007f464d91f721 in js::BarrierMethods<JSObject*, void>::postWriteBarrier(JSObject**, JSObject*, JSObject*) (next=0x0, prev=<optimised out>, vp=0x7f4630022da0) at /usr/include/mozjs-102/js/RootingAPI.h:795
        p = 0x7f4630022da0
#12 JS::Heap<JSObject*>::postWriteBarrier(JSObject* const&, JSObject* const&) (next=<optimised out>, prev=@0x7f4630022da0: 0x1c8a30a483a0, this=0x7f4630022da0, this=<optimised out>, prev=<optimised out>, next=<optimised out>)
    at /usr/include/mozjs-102/js/RootingAPI.h:376
        p = 0x7f4630022da0
#13 JS::Heap<JSObject*>::~Heap() (this=0x7f4630022da0, this=<optimised out>) at /usr/include/mozjs-102/js/RootingAPI.h:338
        p = 0x7f4630022da0
#14 mozilla::detail::VectorImpl<JS::Heap<JSObject*>, 0ul, js::SystemAllocPolicy, false>::destroy(JS::Heap<JSObject*>*, JS::He...

Daniel van Vugt (vanvugt) wrote :
Changed in mozjs:
status: Unknown → New
In , Jcoppeard (jcoppeard) wrote :

Your comment in the linked issue identifies the problem:

> Basically I'm wondering if it's safe that JS::GCVector::~GCVector happens after JS_DestroyContext.

It's not safe. The vector (and anything else containing a JS::Heap) must be destroyed before the JS context is destroyed.
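The destruction-order rule in the comment above, as an added stand-in model rather than gjs or mozjs code: the names imitate JS::Heap, JS_DestroyContext and GjsContextPrivate, the chunk/store-buffer layout is simplified, and a weak_ptr replaces the address-derived chunk lookup so the freed chunk shows up as a counted event instead of the SIGSEGV in the traces. Its `withFix` switch stands for clearing the vectors of JS::Heap before JS_DestroyContext.

```cpp
// Model of the teardown-order bug in this thread: JS::Heap<T> runs a
// post-write barrier in its destructor, so a vector of them destroyed after
// JS_DestroyContext reads through a freed chunk. Stand-in types, not mozjs/gjs.
#include <cstddef>
#include <memory>
#include <utility>
#include <vector>

namespace model {

// Where a post-write barrier records an edge (js::gc::StoreBuffer).
struct StoreBuffer { std::size_t entries = 0; };
// GC chunk header; the real Cell::storeBuffer() reads chunk()->storeBuffer.
struct Chunk { StoreBuffer* storeBuffer = nullptr; };
// A GC cell remembers its chunk. weak_ptr stands in for the real
// address-derived chunk lookup so a freed chunk is observable, not UB.
struct Cell { std::weak_ptr<Chunk> chunk; };

// What the barriers did during one teardown; the test asserts on this.
struct BarrierLog {
    std::size_t recorded = 0;       // barrier found a live store buffer
    std::size_t danglingChunk = 0;  // barrier ran after the chunk was freed
};

// Stand-in for the JSContext/runtime: owns the chunk and store buffer.
class Context {
public:
    Context() : buffer_(std::make_unique<StoreBuffer>()),
                chunk_(std::make_shared<Chunk>(Chunk{buffer_.get()})) {}
    std::shared_ptr<Cell> allocateCell() {
        auto cell = std::make_shared<Cell>();
        cell->chunk = chunk_;
        return cell;
    }
    // JS_DestroyContext: frees the chunk and the store buffer. Any cell
    // still referenced from outside now has an expired chunk pointer.
    void destroy() { chunk_.reset(); buffer_.reset(); }
private:
    std::unique_ptr<StoreBuffer> buffer_;
    std::shared_ptr<Chunk> chunk_;
};

// js::gc::PostWriteBarrierImpl: find the cell's store buffer and record
// the edge. With the chunk freed this is the crash site (buffer = 0x0
// in the gdb output quoted in the thread).
inline void postWriteBarrier(const Cell& cell, BarrierLog& log) {
    std::shared_ptr<Chunk> chunk = cell.chunk.lock();
    if (!chunk) {
        ++log.danglingChunk;  // real engine: garbage/null deref, SIGSEGV
        return;
    }
    ++chunk->storeBuffer->entries;
    ++log.recorded;
}

// Stand-in for JS::Heap<JSObject*>: the destructor runs the barrier.
class Heap {
public:
    Heap(std::shared_ptr<Cell> cell, BarrierLog* log)
        : cell_(std::move(cell)), log_(log) {}
    Heap(Heap&& other) noexcept
        : cell_(std::move(other.cell_)), log_(other.log_) {}
    Heap(const Heap&) = delete;
    Heap& operator=(const Heap&) = delete;
    ~Heap() { if (cell_) postWriteBarrier(*cell_, *log_); }
private:
    std::shared_ptr<Cell> cell_;
    BarrierLog* log_;
};

// Stand-in for GjsContextPrivate: Heap vectors as members plus the
// context, torn down in the destructor as gjs/context.cpp does.
class GjsContextPrivate {
public:
    GjsContextPrivate(bool clearVectorsOnDispose, BarrierLog& log)
        : cx_(std::make_unique<Context>()), clear_(clearVectorsOnDispose) {
        // Two objects registered during the session (constructed input).
        objectInitList_.emplace_back(cx_->allocateCell(), &log);
        objectInitList_.emplace_back(cx_->allocateCell(), &log);
    }
    ~GjsContextPrivate() {
        // The fix: empty every vector of Heap while the context is alive,
        // so each ~Heap barrier still finds a live store buffer.
        if (clear_) objectInitList_.clear();
        cx_->destroy();  // JS_DestroyContext
        // Without the fix objectInitList_ is destroyed only after this
        // body returns, and every ~Heap then barriers into freed memory.
    }
private:
    std::unique_ptr<Context> cx_;
    std::vector<Heap> objectInitList_;
    bool clear_;
};

// One session teardown, with or without the fix; returns what happened.
inline BarrierLog teardown(bool withFix) {
    BarrierLog log;
    { GjsContextPrivate priv(withFix, log); (void)priv; }
    return log;
}

}  // namespace model
```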

Changed in gjs (Ubuntu):
assignee: nobody → Daniel van Vugt (vanvugt)
status: Confirmed → In Progress
Changed in mozjs102 (Ubuntu):
status: Confirmed → Invalid
Changed in mozjs91 (Ubuntu):
status: Confirmed → Invalid
Changed in gjs (Ubuntu):
milestone: none → ubuntu-23.04
Daniel van Vugt (vanvugt) wrote :
Changed in mozjs:
status: New → Invalid
Daniel van Vugt (vanvugt) wrote :
Changed in gnome-shell (Ubuntu):
status: In Progress → Invalid
assignee: Daniel van Vugt (vanvugt) → nobody
milestone: ubuntu-23.04 → none
Changed in gjs (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gjs - 1.76.0-3

---------------
gjs (1.76.0-3) experimental; urgency=medium

  * debian/patches: Drop patch causing GNOME Characters not to show emojis
    (LP: #2015948)

gjs (1.76.0-2) experimental; urgency=medium

  [ Daniel van Vugt ]
  * Add context-Clear-all-vectors-of-JS-Heap-on-dispose.patch (LP: #1974293)

  [ Marco Trevisan (Treviño) ]
  * debian/patches: Do not leak GVariants and other handled objects
    (LP: #1991709, #2012978)

 -- Marco Trevisan (Treviño) <email address hidden> Wed, 12 Apr 2023 05:40:15 +0200

Changed in gjs (Ubuntu):
status: Fix Committed → Fix Released
Raymond Kimathi (rmkimathi) wrote (last edit ):

Daniel van Vugt (vanvugt) - Thanks for the gjs fix. It works!

sudo apt install --reinstall gjs gnome-shell

Changed in gjs:
status: New → Fix Released
no longer affects: gnome-shell (Ubuntu)
no longer affects: gnome-shell (Ubuntu Jammy)
Changed in gjs (Ubuntu Jammy):
assignee: nobody → Daniel van Vugt (vanvugt)
importance: Undecided → Medium
status: New → Triaged
Changed in gjs (Ubuntu Kinetic):
assignee: nobody → Daniel van Vugt (vanvugt)
importance: Undecided → Medium
status: New → Triaged
no longer affects: gnome-shell (Ubuntu Kinetic)
no longer affects: gnome-shell (Ubuntu Lunar)
no longer affects: mozjs102 (Ubuntu)
no longer affects: mozjs102 (Ubuntu Jammy)
no longer affects: mozjs102 (Ubuntu Kinetic)
no longer affects: mozjs102 (Ubuntu Lunar)
no longer affects: mozjs91 (Ubuntu)
no longer affects: mozjs91 (Ubuntu Jammy)
no longer affects: mozjs91 (Ubuntu Kinetic)
no longer affects: mozjs91 (Ubuntu Lunar)
no longer affects: mozjs
In , ayhamk (ayhamk-redhat-bugs) wrote :

First wake up after Fedora 37 -> 38 update.

reporter: libreport-2.17.9
type: CCpp
reason: gnome-shell killed by SIGSEGV
journald_cursor: s=fb229d6898d04b7085ab2dac0dd8e4e8;i=1d877;b=64e06eedba0d44059147896973df6c78;m=31180d94;t=5f9b14646fc9f;x=7c98ec3ac77dcc58
executable: /usr/bin/gnome-shell
cmdline: /usr/bin/gnome-shell
cgroup: 0::/user.slice/user-1000.slice/user@<email address hidden>
rootdir: /
uid: 1000
kernel: 6.2.11-300.fc38.x86_64
package: gnome-shell-44.0-4.fc38
runlevel: N 5
backtrace_rating: 4
crash_function: js::gc::Cell::storeBuffer
comment: First wake up after Fedora 37 -> 38 update.

In , bediamrit105 (bediamrit105-redhat-bugs) wrote :

logged out, logged back in

reporter: libreport-2.17.9
type: CCpp
reason: gnome-shell killed by SIGSEGV
journald_cursor: s=e6d72a92b13c40d7a06b6dde31ccf2e0;i=e80f6;b=f3b0275ee9134b5fa851c46e136fed76;m=44c2775;t=5f9c5e1742002;x=23850da3adbcf0b4
executable: /usr/bin/gnome-shell
cmdline: /usr/bin/gnome-shell
rootdir: /
uid: 1000
kernel: 6.2.11-300.fc38.x86_64
package: gnome-shell-44.0-4.fc38
runlevel: N 5
dso_list: /usr/bin/gnome-shell gnome-shell-44.0-4.fc38.x86_64 (Fedora Project) 1681835747
backtrace_rating: 4
crash_function: js::gc::Cell::storeBuffer
comment: logged out, logged back in

In , eclipseliving (eclipseliving-redhat-bugs) wrote :

I opened my computer, and lo and behold...

reporter: libreport-2.17.9
type: CCpp
reason: gnome-shell killed by SIGSEGV
journald_cursor: s=ca99d194b38841949c02756ab9945ab8;i=e092;b=02fba006000c4cae9b5c12e51c7700cf;m=458258ea;t=5f9cf2f25b8e4;x=bd88fc2621f6e40f
executable: /usr/bin/gnome-shell
cmdline: /usr/bin/gnome-shell
cgroup: 0::/user.slice/user-1000.slice/user@<email address hidden>
rootdir: /
uid: 1000
kernel: 6.2.11-300.fc38.x86_64
package: gnome-shell-44.0-4.fc38
runlevel: N 5
backtrace_rating: 4
crash_function: js::gc::Cell::storeBuffer
comment: I opened my computer, and lo and behold...

In , david (david-redhat-bugs-1) wrote :

Restart after Fedora38 upgrade process.

reporter: libreport-2.17.9
type: CCpp
reason: gnome-shell killed by SIGSEGV
journald_cursor: s=48494ce3d31d44b6bf62d07f4e449f62;i=1423d;b=be2da266a31c463fbc93932abd856f95;m=44db4cc;t=5f9e404d4e539;x=b0edb8d74707a3d2
executable: /usr/bin/gnome-shell
cmdline: /usr/bin/gnome-shell
cgroup: 0::/user.slice/user-1000.slice/user@<email address hidden>
rootdir: /
uid: 1000
kernel: 6.2.11-300.fc38.x86_64
package: gnome-shell-44.0-4.fc38
runlevel: N 5
backtrace_rating: 4
crash_function: js::gc::Cell::storeBuffer
comment: Restart after Fedora38 upgrade process.

In , mzsbulbul (mzsbulbul-redhat-bugs) wrote :

I upgraded from version 37 to 38. After reboot this problem occurred.

reporter: libreport-2.17.9
type: CCpp
reason: gnome-shell killed by SIGSEGV
journald_cursor: s=031346981ba64905bd45a2e05af7e101;i=58313;b=d4613060896a493f81f803bafc64e7c8;m=9b6bdbe;t=5f9e60016180c;x=f50d37feb188e997
executable: /usr/bin/gnome-shell
cmdline: /usr/bin/gnome-shell
cgroup: 0::/user.slice/user-1000.slice/user@<email address hidden>
rootdir: /
uid: 1000
kernel: 6.2.11-300.fc38.x86_64
package: gnome-shell-44.0-4.fc38
runlevel: N 5
backtrace_rating: 4
crash_function: js::gc::Cell::storeBuffer
comment: I upgraded from version 37 to 38. After reboot this problem occured.

In , redhat.flyover852 (redhat.flyover852-redhat-bugs) wrote :

Restart of Machine from Gnome GUI

reporter: libreport-2.17.9
type: CCpp
reason: gnome-shell killed by SIGSEGV
journald_cursor: s=7408fec33697489ba0d84b047d4af05f;i=3151d;b=add65378fdf048e7a75d3b5b1d08bfc7;m=3cfd4af25;t=5fa06da3c3b33;x=3098f70e215cd70
executable: /usr/bin/gnome-shell
cmdline: /usr/bin/gnome-shell
rootdir: /
uid: 1000
kernel: 6.2.11-300.fc38.x86_64
package: gnome-shell-44.0-4.fc38
runlevel: N 5
dso_list: /usr/bin/gnome-shell gnome-shell-44.0-4.fc38.x86_64 (Fedora Project) 1681681130
backtrace_rating: 4
crash_function: js::gc::Cell::storeBuffer
comment: Restart of Machine from Gnome GUI

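The three Fedora reports above are libreport "key: value" records that share one signature (crash_function plus package), which is what makes them duplicates of the Ubuntu crash rather than three separate bugs. The script below is an added example, not part of the bug report or of libreport: it groups such records by crash_function and package so duplicates of one signature can be counted. The sample records are constructed for the example (two copies of the signature seen above plus one unrelated record); only the field names come from the page.

```sh
#!/bin/sh
# Added example (not from the bug report): count libreport-style crash records
# by crash_function and package. Records are "key: value" lines separated by a
# blank line, as in the Fedora comments above.

# Constructed sample input: two records with the signature from the reports
# above and one unrelated record (example-app is made up for the example).
SAMPLE_RECORDS='reporter: libreport-2.17.9
type: CCpp
reason: gnome-shell killed by SIGSEGV
executable: /usr/bin/gnome-shell
kernel: 6.2.11-300.fc38.x86_64
package: gnome-shell-44.0-4.fc38
crash_function: js::gc::Cell::storeBuffer
comment: Restart after Fedora38 upgrade process.

reporter: libreport-2.17.9
type: CCpp
reason: gnome-shell killed by SIGSEGV
executable: /usr/bin/gnome-shell
package: gnome-shell-44.0-4.fc38
crash_function: js::gc::Cell::storeBuffer
comment: Restart of Machine from Gnome GUI

reporter: libreport-2.17.9
type: CCpp
reason: example-app killed by SIGABRT
executable: /usr/bin/example-app
package: example-app-1.0-1.fc38
crash_function: example_abort
comment: constructed unrelated record'

# Read records from stdin; print "count<TAB>crash_function<TAB>package",
# most frequent signature first. A record without crash_function is ignored.
summarize_crash_signatures() {
    awk '
        /^crash_function: / { fn = substr($0, 17) }   # strip "crash_function: "
        /^package: /        { pkg = substr($0, 10) }  # strip "package: "
        /^$/                { flush() }               # blank line ends a record
        END                 { flush(); for (k in n) printf "%d\t%s\n", n[k], k }
        function flush() {
            if (fn != "") n[fn "\t" pkg]++
            fn = ""; pkg = ""
        }
    ' | sort -rn
}

# count_signature FUNCTION: number of records on stdin whose crash_function
# equals FUNCTION, summed over all packages (prints 0 when none match).
count_signature() {
    summarize_crash_signatures |
        awk -F'\t' -v want="$1" '$2 == want { s += $1 } END { print s + 0 }'
}

# Usage: feed the pasted records in; here the constructed sample.
printf '%s\n' "$SAMPLE_RECORDS" | summarize_crash_signatures
```

Run against the three records above, the first output line reads `3`, `js::gc::Cell::storeBuffer`, `gnome-shell-44.0-4.fc38`; with a real backtrace the top few frames would be a better key than crash_function alone, since one function can be reached from different bugs.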
Revision history for this message
Roman Shipovskij (roman-shipovskij) wrote :

What about 22.04 LTS? This bug fixed for 23.04 but not for 22.04.

Revision history for this message
Daniel van Vugt (vanvugt) wrote :

Yes 22.04 will get the fix eventually. We just wanted to be sure it was fixed for sure in 23.04 first.

description: updated
Changed in gjs (Ubuntu Jammy):
assignee: Daniel van Vugt (vanvugt) → Jeremy Bícha (jbicha)
Changed in gjs (Ubuntu Kinetic):
assignee: Daniel van Vugt (vanvugt) → Jeremy Bícha (jbicha)
Revision history for this message
Ghadi Rahme (ghadi-rahme) wrote :

This is the back port of the fix for jammy

Changed in gjs (Ubuntu Jammy):
assignee: Jeremy Bícha (jbicha) → Ghadi Rahme (ghadi-rahme)
status: Triaged → In Progress
tags: added: se-sponsor-dgadomski
Revision history for this message
Daniel van Vugt (vanvugt) wrote :

Ghadi,

Please create a merge request at https://salsa.debian.org/gnome-team/gjs/-/merge_requests targeting the ubuntu/jammy branch

Although if it lands in proposed first, we can do that afterwards.

Revision history for this message
Ghadi Rahme (ghadi-rahme) wrote :

Sure thing, I am still waiting for my account to be approved to get access to debian salsa. Once I get access I'll create the merge request.

Revision history for this message
Ghadi Rahme (ghadi-rahme) wrote :
Revision history for this message
Steve Langasek (vorlon) wrote : Please test proposed package

Hello Andy, or anyone else affected,

Accepted gjs into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/gjs/1.72.2-0ubuntu2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in gjs (Ubuntu Jammy):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-jammy
Revision history for this message
Ghadi Rahme (ghadi-rahme) wrote :

Hi Steve,

I was able to confirm the fix for Jammy in a VM:

1. ghadi@ghadi-Standard-PC-Q35-ICH9-2009:~$ sudo apt list gjs
Listing... Done
gjs/jammy-proposed,now 1.72.2-0ubuntu2 amd64 [installed]
gjs/jammy-proposed 1.72.2-0ubuntu2 i386

2. Used the desktop for around 15 minutes. Opened browser tabs, scrolled through the calendar for over 30s and scrolled through the launcher

3. Logged out of the session and logged back in.

4. ghadi@ghadi-Standard-PC-Q35-ICH9-2009:~$ ls /var/crash
ghadi@ghadi-Standard-PC-Q35-ICH9-2009:~$

Hope this helps.

tags: added: verification-done-jammy
removed: verification-needed-jammy
Jeremy Bícha (jbicha)
tags: added: verification-done
removed: verification-needed
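The four-step check Ghadi ran above can be made repeatable so a second tester does not depend on `ls /var/crash` being empty by chance (a stale report left over from before the upgrade would mask nothing but could be mistaken for a new one). The script below is an added example, not part of the bug report or the gjs package. It assumes apport's crash file naming, /var/crash/_usr_bin_gnome-shell.<uid>.crash, the fixed version 1.72.2-0ubuntu2 from the SRU above, and GNU coreutils (sort -V) as a fallback when dpkg is not available; the marker file path is arbitrary.

```sh
#!/bin/sh
# Added example (not from the bug report or gjs): automate the SRU verification
# steps posted above. Assumptions: apport writes reports named
# _usr_bin_gnome-shell.<uid>.crash under /var/crash, and either dpkg or GNU
# sort -V is available for the version comparison.

FIXED_GJS_VERSION="1.72.2-0ubuntu2"   # version accepted into jammy-proposed above

# version_at_least INSTALLED REQUIRED: true when INSTALLED >= REQUIRED.
# Prefers dpkg's own comparison; the sort -V fallback is fine for plain
# upstream-ubuntuN revisions but does not understand epochs or tildes.
version_at_least() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# new_gnome_shell_crashes CRASH_DIR MARKER: print gnome-shell crash reports in
# CRASH_DIR modified after MARKER was touched; prints nothing when there are none.
# Using a marker instead of "is the directory empty" also catches apport
# overwriting a pre-existing report for the same executable.
new_gnome_shell_crashes() {
    find "$1" -maxdepth 1 -name '_usr_bin_gnome-shell.*.crash' -newer "$2" 2>/dev/null
}

# mark_before_logout MARKER: create or refresh the timestamp file. Run it right
# before logging out, after the 30 s of app-grid scrolling and calendar opening.
mark_before_logout() {
    touch "$1"
}

# verify_gjs_sru [CRASH_DIR] [MARKER]: run after logging back in. Exits 0 only
# if the fixed gjs is installed and no gnome-shell report appeared since MARKER.
verify_gjs_sru() {
    crash_dir=${1:-/var/crash}
    marker=${2:-/tmp/gjs-sru-marker}
    installed=$(dpkg-query -W -f='${Version}' gjs 2>/dev/null || echo unknown)

    if ! version_at_least "$installed" "$FIXED_GJS_VERSION"; then
        echo "gjs $installed installed; need >= $FIXED_GJS_VERSION from -proposed" >&2
        return 1
    fi
    crashes=$(new_gnome_shell_crashes "$crash_dir" "$marker")
    if [ -n "$crashes" ]; then
        echo "new gnome-shell crash report(s) since logout:" >&2
        echo "$crashes" >&2
        return 1
    fi
    echo "gjs $installed: no new gnome-shell crash in $crash_dir since $marker"
}

# Usage:
#   mark_before_logout /tmp/gjs-sru-marker    # then log out and log back in
#   verify_gjs_sru /var/crash /tmp/gjs-sru-marker
```

Remove any stale gnome-shell reports from /var/crash before the run so an old file cannot be confused with a new one, and keep the marker outside the home directory's tmpfs if the session tears it down on logout.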
Revision history for this message
Daniel van Vugt (vanvugt) wrote :

Won't Fix for kinetic because it's only a couple of weeks to EOL.

Changed in gjs (Ubuntu Kinetic):
status: Triaged → Won't Fix
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gjs - 1.72.2-0ubuntu2

---------------
gjs (1.72.2-0ubuntu2) jammy; urgency=medium

  [ Daniel van Vugt ]
  * Add context-Clear-all-vectors-of-JS-Heap-on-dispose.patch (LP: #1974293)

 -- Ghadi Elie Rahme <email address hidden> Fri, 19 May 2023 11:12:55 +0000

Changed in gjs (Ubuntu Jammy):
status: Fix Committed → Fix Released
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for gjs has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Andy Chi (andch)
Changed in oem-priority:
status: Confirmed → Fix Released