Comment 52 for bug 1974293

Daniel van Vugt (vanvugt) wrote:

Steps to reproduce:

1. Log into gnome-shell (currently version 44 using mozjs102).
2. Wait, or use it for a while (long enough for some garbage collection (GC) to have occurred, I guess).
3. Log out.

https://launchpad.net/bugs/1974293
https://gitlab.gnome.org/GNOME/gjs/-/issues/472

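Actual results:

gnome-shell crashes with signal 11 (SIGSEGV) at logout. In the backtrace below, the fault is in js::gc::Cell::storeBuffer() (frame #6), reached from the post-write barrier in ~JS::Heap<JSObject*>() while ~GjsContextPrivate() destroys a GCVector (frames #13–#17), during _shell_global_destroy_gjs_context() (frame #20):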

#0 __pthread_kill_implementation (no_tid=0, signo=11, threadid=<optimised out>) at ./nptl/pthread_kill.c:44
        tid = <optimised out>
        ret = 0
        pd = <optimised out>
        old_mask = {__val = {11}}
        ret = <optimised out>
#1 __pthread_kill_internal (signo=11, threadid=<optimised out>) at ./nptl/pthread_kill.c:78
#2 __GI___pthread_kill (threadid=<optimised out>, signo=signo@entry=11) at ./nptl/pthread_kill.c:89
#3 0x00007f464d03c406 in __GI_raise (sig=sig@entry=11) at ../sysdeps/posix/raise.c:26
        ret = <optimised out>
#4 0x000056282c4afaea in dump_gjs_stack_on_signal_handler (signo=11) at ../src/main.c:495
        sa = {__sigaction_handler = {sa_handler = 0x56282c4af730 <dump_gjs_stack_alarm_sigaction>, sa_sigaction = 0x56282c4af730 <dump_gjs_stack_alarm_sigaction>}, sa_mask = {__val = {0 <repeats 16 times>}}, sa_flags = 0, sa_restorer = 0x0}
        i = <optimised out>
#5 0x00007f464d03c4b0 in <signal handler called> () at /lib/x86_64-linux-gnu/libc.so.6
#6 0x00007f464ad8d344 in js::gc::Cell::storeBuffer() const (this=<optimised out>, this=<optimised out>) at /usr/src/mozjs102-102.9.0-1/js/src/gc/Cell.h:357
        buffer = 0x0
#7 js::gc::PostWriteBarrierImpl<JSObject>(void*, JSObject*, JSObject*) (next=<optimised out>, prev=<optimised out>, cellp=<optimised out>) at /usr/src/mozjs102-102.9.0-1/js/src/gc/StoreBuffer.h:646
        buffer = 0x0
#8 js::gc::PostWriteBarrier<js::SavedFrame>(js::SavedFrame**, js::SavedFrame*, js::SavedFrame*) (next=<optimised out>, prev=<optimised out>, vp=<optimised out>) at /usr/src/mozjs102-102.9.0-1/js/src/gc/StoreBuffer.h:658
#9 js::InternalBarrierMethods<js::SavedFrame*, void>::postBarrier(js::SavedFrame**, js::SavedFrame*, js::SavedFrame*) (next=<optimised out>, prev=<optimised out>, vp=0x7f4630022da0) at /usr/src/mozjs102-102.9.0-1/js/src/gc/Barrier.h:350
#10 js::InternalBarrierMethods<js::SavedFrame*, void>::postBarrier(js::SavedFrame**, js::SavedFrame*, js::SavedFrame*) (vp=0x7f4630022da0, prev=<optimised out>, next=<optimised out>) at /usr/src/mozjs102-102.9.0-1/js/src/gc/Barrier.h:349
#11 0x00007f464d91f721 in js::BarrierMethods<JSObject*, void>::postWriteBarrier(JSObject**, JSObject*, JSObject*) (next=0x0, prev=<optimised out>, vp=0x7f4630022da0) at /usr/include/mozjs-102/js/RootingAPI.h:795
        p = 0x7f4630022da0
#12 JS::Heap<JSObject*>::postWriteBarrier(JSObject* const&, JSObject* const&) (next=<optimised out>, prev=@0x7f4630022da0: 0x1c8a30a483a0, this=0x7f4630022da0, this=<optimised out>, prev=<optimised out>, next=<optimised out>)
    at /usr/include/mozjs-102/js/RootingAPI.h:376
        p = 0x7f4630022da0
#13 JS::Heap<JSObject*>::~Heap() (this=0x7f4630022da0, this=<optimised out>) at /usr/include/mozjs-102/js/RootingAPI.h:338
        p = 0x7f4630022da0
#14 mozilla::detail::VectorImpl<JS::Heap<JSObject*>, 0ul, js::SystemAllocPolicy, false>::destroy(JS::Heap<JSObject*>*, JS::Heap<JSObject*>*) (aEnd=0x7f4630022da8, aBegin=<optimised out>) at /usr/include/mozjs-102/mozilla/Vector.h:65
        p = 0x7f4630022da0
#15 mozilla::Vector<JS::Heap<JSObject*>, 0ul, js::SystemAllocPolicy>::~Vector() (this=0x56282d2db9d8, this=<optimised out>) at /usr/include/mozjs-102/mozilla/Vector.h:901
#16 JS::GCVector<JS::Heap<JSObject*>, 0ul, js::SystemAllocPolicy>::~GCVector() (this=0x56282d2db9d8, this=<optimised out>) at /usr/include/mozjs-102/js/GCVector.h:43
#17 GjsContextPrivate::~GjsContextPrivate() (this=0x56282d2db960, this=<optimised out>) at /usr/src/gjs-1.76.0-1/obj-x86_64-linux-gnu/../gjs/context.cpp:487
#18 0x00007f464d9211e3 in gjs_context_finalize(GObject*) (object=0x56282d2dbae0) at /usr/src/gjs-1.76.0-1/obj-x86_64-linux-gnu/../gjs/context.cpp:500
        gjs = <optimised out>
#19 0x00007f464e02ee4c in g_object_unref (_object=0x56282d2dbae0) at ../../../gobject/gobject.c:3938
        weak_locations = <optimised out>
        nqueue = 0x56282d8fc5c0
        object = 0x56282d2dbae0
        old_ref = <optimised out>
        __func__ = "g_object_unref"
#20 0x00007f464dc2508d in _shell_global_destroy_gjs_context (self=<optimised out>) at ../src/shell-global.c:752
        _pp = <optimised out>
        _ptr = <optimised out>
#21 0x000056282c4af00f in main (argc=<optimised out>, argv=<optimised out>) at ../src/main.c:776
        context = 0x56282cd4e780
        debug_flags_string = 0x56282d06c7b0 "backtrace-aborts:backtrace-math-errors:backtrace-crashes-all:backtrace-all"
        error = 0x0
        shell_debug = <optimised out>
        ecode = 0
(gdb)

Expected results:

No crash.