Bug#927162: gnome-shell segfaults in libst-1.0.so

Eloston eloston at programmer.net
Tue Apr 16 23:13:56 BST 2019


After looking at the TopIcons code at the line indicated in journalctl, I am
able to reproduce the crash with the following:

1. Open Looking Glass (lg)
2. Run the following:

	a = new St.Widget();
	a.destroy();
	a.get_theme_node();

After running the third line, gnome-shell will crash.

The second line was borrowed from the TopIcons code at line 121 of
/usr/share/gnome-shell/extensions/TopIcons@phocean.net/extension.js

On Tue, 2019-04-16 at 22:00 +0100, Simon McVittie wrote:
> Control: retitle -1 gnome-shell: intermittent segfault in
> st_widget_get_theme_node() at st-widget.c:603
> Control: forwarded -1 https://gitlab.gnome.org/GNOME/gnome-shell/issues/1018
>
> On Mon, 15 Apr 2019 at 12:12:36 -0700, Eloston wrote:
> > Just using GNOME normally causes the crash to happen.
>
> This is probably going to make it hard to fix the crash or know whether
> it's been fixed, unfortunately. Is there anything you can do that seems
> to make it more likely to happen?
>
> Roughly how often is this happening, in how much use of GNOME?
>
> Is there anything (for instance an upgrade of a package or some packages)
> that coincides with this starting to happen?
>
> > It seems to happen randomly, more so on Wayland. I haven't been able to
> > pinpoint any specific application, extension, or setting.
>
> Does this still happen if you disable all Shell extensions?
>
> What extensions are you normally using?
>
> > I have had this crash happen multiple times on Wayland and X11; this is the
> > first crash where I was able to get a coredump.
>
> Are you using a core-dump-capturing service like systemd-coredump? If
> not, please install systemd-coredump, gdb, gnome-shell-dbgsym (see
> <https://wiki.debian.org/HowToGetABacktrace>) and debug symbols for any
> libraries that appear in the stack trace after you get one. After a crash,
> you should be able to use "coredumpctl gdb" to inspect the core dump,
> and "bt" to get a C-level backtrace (not the same as the JavaScript
> backtrace that was logged).
>
> > different each time the crash occurs, e.g. this is the first time I've
> > seen TopIcons show up in the trace. Everything else looks the same.
>
> Please could you quote a few of these things that look the same so that
> we have an overview of what's happening, how the crashes are similar and
> how they're different?
>
> There's a limit to how much information I can extract from the core
> dump, because I'm not running the same versions of everything that you
> are, but this is a start:
>
> (gdb) bt
> #0  0x00007f1af86f5ae8 in st_widget_get_theme_node (widget=<optimized out>) at
> ../src/st/st-widget.c:603
> #1  0x00007ffdf9b077e0 in  ()
> #2  0x00007ffdf9b07908 in  ()
> #3  0x00007ffdf9b077e0 in  ()
> #4  0x0000000000000000 in  ()
>
> Line 603 is this:
>
> StThemeNode *
> st_widget_get_theme_node (StWidget *widget)
> {
>   StWidgetPrivate *priv = st_widget_get_instance_private (widget);
>
>   if (priv->theme_node == NULL)                <----------- 603
>     {
>       StThemeContext *context;
>
> so presumably something is calling st_widget_get_theme_node() on a widget
> that has been freed or is an invalid pointer - but gdb couldn't decode the
> rest of the stack, so I can't tell what called it.
>
> There's an upstream patch
> <https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/438> that
> should make this less likely to crash, although it isn't really a full
> solution (something somewhere is still wrong, but we can't tell what).
>
>     smcv



More information about the pkg-gnome-maintainers mailing list