Bug#932767: gnome-shell: Segmentation fault in js engine

Felipe Sateler fsateler at debian.org
Tue Jul 23 15:06:52 BST 2019


Control: retitle -1 gnome-shell: crash on monitor unplug

On Tue, Jul 23, 2019 at 9:58 AM Felipe Sateler <fsateler at debian.org> wrote:

>
>
> On Mon, Jul 22, 2019 at 5:02 PM Simon McVittie <smcv at debian.org> wrote:
>
>> I think this is the actual crash:
>>
>> On Mon, 22 Jul 2019 at 16:31:43 -0400, Felipe Sateler wrote:
>> > #24 0x00007f1624226c1a in malloc_printerr (str=str@entry=0x7f162432943b "free(): invalid pointer") at malloc.c:5341
>> > #25 0x00007f162422842c in _int_free (av=<optimized out>, p=<optimized out>, have_lock=<optimized out>) at malloc.c:4165
>> > #26 0x00007f1621ef35cd in js::jit::MCallGetProperty::name() const (this=<optimized out>) at ./js/src/jit/shared/Assembler-shared.h:253
>>
>> Unfortunately this is often a result of prior memory corruption, so
>> it's unlikely to be feasible to debug without knowing how to reproduce it.
>>
>> Are there any interesting assertion messages from gnome-shell in the
>> system log?
>>
>
> So, I think there are more interesting logs without filtering for
> gnome-shell. It appears the cause is unplugging my usb C hub, which in turn
> has the HDMI connector for the external monitor.
>

This suspicion appears correct. I have just crashed gnome-shell by
unplugging the hub, and then by just unplugging the HDMI cable. Same
`malloc_printerr`, but this time it is a SIGABRT:

Core was generated by `/usr/bin/gnome-shell'.
Program terminated with signal SIGABRT, Aborted.
#0  raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
[Current thread is 1 (Thread 0x7fe809d891c0 (LWP 18208))]
(gdb) bt
#0  0x00007fe8109b85cb in raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00005643279b2e2b in  ()
#2  0x00007fe8109b8730 in <signal handler called> () at /lib/x86_64-linux-gnu/libpthread.so.0
#3  0x00007fe81081c7bb in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#4  0x00007fe810807535 in __GI_abort () at abort.c:79
#5  0x00007fe81085e508 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7fe81096928d "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#6  0x00007fe810864c1a in malloc_printerr (str=str@entry=0x7fe81096743b "free(): invalid pointer") at malloc.c:5341
#7  0x00007fe81086642c in _int_free (av=<optimized out>, p=<optimized out>, have_lock=<optimized out>) at malloc.c:4165
#8  0x00007fe810c763f1 in clutter_text_set_font_description_internal (is_default_font=0, desc=0x564328791690, self=0x5643287eb070) at clutter-text.c:757
#9  0x00007fe810c763f1 in clutter_text_set_font_description (self=0x5643287eb070, font_desc=0x564328791690) at clutter-text.c:5219
#10 0x00007fe8107a582e in _st_set_text_from_style () at /usr/lib/gnome-shell/libst-1.0.so
#11 0x00007fe8107a49f7 in  () at /usr/lib/gnome-shell/libst-1.0.so
#12 0x00007fe8116850c6 in  () at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#13 0x00007fe8116a157d in g_signal_emit_valist () at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#14 0x00007fe8116a1b6f in g_signal_emit () at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#15 0x00007fe8107be443 in  () at /usr/lib/gnome-shell/libst-1.0.so
#16 0x00007fe810c0b3bd in clutter_actor_set_mapped (self=0x56432be23fc0, mapped=<optimized out>) at clutter-actor.c:1285
#17 0x00007fe810c0e1a2 in clutter_actor_update_map_state (self=0x56432be23fc0, change=<optimized out>) at clutter-actor.c:1468
#18 0x00007fe810c0e480 in clutter_actor_real_map (self=<optimized out>) at clutter-actor.c:1532
#19 0x00007fe8107bf4e9 in  () at /usr/lib/gnome-shell/libst-1.0.so
#20 0x00007fe810c0b3bd in clutter_actor_set_mapped (self=0x56432a393540, mapped=<optimized out>) at clutter-actor.c:1285
#21 0x00007fe810c0e1a2 in clutter_actor_update_map_state (self=0x56432a393540, change=<optimized out>) at clutter-actor.c:1468
#22 0x00007fe810c0e480 in clutter_actor_real_map (self=<optimized out>) at clutter-actor.c:1532
#23 0x00007fe8107bf4e9 in  () at /usr/lib/gnome-shell/libst-1.0.so
#24 0x00007fe810c0b3bd in clutter_actor_set_mapped (self=0x564329d80550, mapped=<optimized out>) at clutter-actor.c:1285
#25 0x00007fe810c0e1a2 in clutter_actor_update_map_state (self=0x564329d80550, change=<optimized out>) at clutter-actor.c:1468
#26 0x00007fe810c0e480 in clutter_actor_real_map (self=<optimized out>) at clutter-actor.c:1532
#27 0x00007fe8107bf4e9 in  () at /usr/lib/gnome-shell/libst-1.0.so
#28 0x00007fe810c0b3bd in clutter_actor_set_mapped (self=0x56432cf88510, mapped=<optimized out>) at clutter-actor.c:1285
#29 0x00007fe810c0e1a2 in clutter_actor_update_map_state (self=0x56432cf88510, change=<optimized out>) at clutter-actor.c:1468
#30 0x00007fe810c0e480 in clutter_actor_real_map (self=<optimized out>) at clutter-actor.c:1532
#31 0x00007fe8107bf4e9 in  () at /usr/lib/gnome-shell/libst-1.0.so
#32 0x00007fe810c0b3bd in clutter_actor_set_mapped (self=0x564328395930, mapped=<optimized out>) at clutter-actor.c:1285
#33 0x00007fe810c0e1a2 in clutter_actor_update_map_state (self=0x564328395930, change=<optimized out>) at clutter-actor.c:1468
#34 0x00007fe810c0e480 in clutter_actor_real_map (self=<optimized out>) at clutter-actor.c:1532
#35 0x00007fe8107bf4e9 in  () at /usr/lib/gnome-shell/libst-1.0.so
#36 0x00007fe810c0b3bd in clutter_actor_set_mapped (self=0x56432865c630, mapped=<optimized out>) at clutter-actor.c:1285
#37 0x00007fe810c0e1a2 in clutter_actor_update_map_state (self=0x56432865c630, change=<optimized out>) at clutter-actor.c:1468
#38 0x00007fe810c1a0fa in clutter_actor_real_show (self=0x56432865c630) at clutter-actor.c:1685
#39 0x00007fe811684e8d in g_closure_invoke () at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#40 0x00007fe8116986a4 in  () at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#41 0x00007fe8116a14ae in g_signal_emit_valist () at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#42 0x00007fe8116a1b6f in g_signal_emit () at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#43 0x00007fe810c1b8fa in clutter_actor_show (self=0x56432865c630) at clutter-actor.c:1776
#44 0x00007fe810c1b8fa in clutter_actor_show (self=0x56432865c630) at clutter-actor.c:1739
#45 0x00007fe810c1e170 in clutter_actor_add_child_internal (data=0x0, add_func=0x7fe810c0ab90 <insert_child_at_depth>, flags=ADD_CHILD_DEFAULT_FLAGS, child=0x56432865c630, self=0x56432871a920) at clutter-actor.c:12972
#46 0x00007fe810c1e170 in clutter_actor_add_child (self=0x56432871a920, child=0x56432865c630) at clutter-actor.c:13047
#47 0x00007fe80f98a8ee in ffi_call_unix64 () at /lib/x86_64-linux-gnu/libffi.so.6
#48 0x00007fe80f98a2bf in ffi_call () at /lib/x86_64-linux-gnu/libffi.so.6
#49 0x00007fe810d657b9 in  () at /lib/libgjs.so.0
#50 0x00007fe810d66f46 in  () at /lib/libgjs.so.0
#51 0x00007fe80e650be4 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (args=..., native=0x7fe810d66e20, cx=0x564328192d40) at ./debian/build/dist/include/js/CallArgs.h:286
#52 0x00007fe80e650be4 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (cx=0x564328192d40, args=..., construct=<optimized out>) at ./js/src/vm/Interpreter.cpp:450
#53 0x00007fe80e643e51 in js::CallFromStack(JSContext*, JS::CallArgs const&) (args=..., cx=<optimized out>) at ./js/src/vm/Interpreter.cpp:3115
#54 0x00007fe80e643e51 in Interpret(JSContext*, js::RunState&) (cx=0x564328192d40, state=...) at ./js/src/vm/Interpreter.cpp:3115
#55 0x00007fe80e650466 in js::RunScript(JSContext*, js::RunState&) (cx=0x564328192d40, state=...) at ./js/src/vm/Interpreter.cpp:418
#56 0x00007fe80e650b41 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (cx=0x564328192d40, args=..., construct=<optimized out>) at ./js/src/vm/Interpreter.cpp:490
#57 0x00007fe80e650da9 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) (cx=cx@entry=0x564328192d40, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=rval@entry=...) at ./js/src/vm/Interpreter.cpp:536
#58 0x00007fe80e90c770 in js::jit::InvokeFunction(JSContext*, JS::Handle<JSObject*>, bool, bool, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) (cx=0x564328192d40, obj=..., obj@entry=..., constructing=<optimized out>, ignoresReturnValue=ignoresReturnValue@entry=false, argc=<optimized out>, argv=<optimized out>, rval=...) at ./debian/build/dist/include/js/RootingAPI.h:1128
#59 0x00007fe80e90cb74 in js::jit::InvokeFromInterpreterStub(JSContext*, js::jit::InterpreterStubExitFrameLayout*) (cx=<optimized out>, frame=0x7ffdce858be8) at ./debian/build/dist/include/js/RootingAPI.h:1128
#60 0x00001ee499843f87 in  ()
#61 0x0000000000000008 in  ()
#62 0x00007ffdce858be8 in  ()
#63 0x0000000000000000 in  ()

-- 

Saludos,
Felipe Sateler
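Editor's added example, not part of the thread and not clutter or gnome-shell code. Frames #6 and #7 above are glibc's own heap-consistency check firing inside free(): "free(): invalid pointer" is raised by _int_free when the pointer is misaligned or when the chunk's size field has been overwritten with a value that makes the chunk wrap around the address space. The program below reproduces both triggers under glibc on x86_64 Linux (an assumption; other allocators abort with different messages or not at all) and, for the second one, shows why the abort lands on an innocent free() far from the line that corrupted the heap, which is exactly why Simon says such a trace is hard to act on without a reproducer. Each scenario runs in a forked child so the parent can report how it died.

```c
/*
 * Added example: what glibc's "free(): invalid pointer" abort catches and
 * why it can point at the wrong code.  Not from the bug report or from
 * clutter/gnome-shell.  Assumes glibc malloc on x86_64 Linux (16-byte chunk
 * alignment, 16-byte chunk header: prev_size then size).
 */
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run fn() in a child.  Returns the signal that killed it (SIGABRT for a
 * glibc malloc_printerr), 0 if it exited cleanly, or the negated exit
 * status if it exited with a non-zero code. */
static int run_in_child(void (*fn)(void))
{
    fflush(stdout);                        /* don't let the child re-flush our buffer */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        fn();
        _exit(0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    if (WIFSIGNALED(status))
        return WTERMSIG(status);
    return WEXITSTATUS(status) ? -WEXITSTATUS(status) : 0;
}

/* Control: a well-formed allocate/use/free cycle, exits 0. */
static void free_valid(void)
{
    char *p = malloc(64);
    if (!p) _exit(2);
    strcpy(p, "ok");
    free(p);
}

/* Trigger 1: freeing an interior pointer.  glibc looks for the chunk header
 * 16 bytes before the pointer; a misaligned address fails misaligned_chunk()
 * in _int_free and aborts with "free(): invalid pointer". */
static void free_interior_pointer(void)
{
    char *p = malloc(64);
    if (!p) _exit(2);
    memset(p, 0, 64);                      /* keep the bogus header deterministic */
    free(p + 1);                           /* BUG: not a pointer malloc returned */
}

/* Trigger 2: the free() that aborts is not the buggy line.  `a` is a 32-byte
 * chunk (24 usable bytes; the next 8 bytes are the following chunk's size
 * field).  An 8-byte overflow of `a` rewrites that field; nothing notices
 * until `b` is freed, when chunksize(b) fails the "p > -size" wrap-around
 * check and glibc aborts with a backtrace that shows only the free() site. */
static void free_after_header_overflow(void)
{
    unsigned char *a = malloc(24);
    unsigned char *b = malloc(24);
    if (!a || !b) _exit(2);

    /* A size of -16 with only PREV_INUSE set: not mmapped, not in another
     * arena, so free() takes the ordinary path and trips the size check. */
    size_t junk = (size_t)-16 | 1;

    if (b == a + 32) {
        memcpy(a + 24, &junk, sizeof junk);   /* BUG: 8 bytes past the end of a */
    } else {
        /* Rare: chunks not carved adjacently.  Poke the same header word
         * directly so the demonstration stays deterministic. */
        ((size_t *)b)[-1] = junk;
    }

    /* ... any amount of unrelated, correct work can happen here ... */
    strcpy((char *)b, "still looks fine");

    free(b);                               /* abort is reported here, not at the memcpy */
    free(a);
}

int main(void)
{
    printf("valid free        -> %d\n", run_in_child(free_valid));
    printf("interior pointer  -> signal %d\n", run_in_child(free_interior_pointer));
    printf("header overflow   -> signal %d\n", run_in_child(free_after_header_overflow));
    return 0;
}
```

The second child is the shape of the gnome-shell trace: the aborting frame (here free(b), there clutter_text_set_font_description_internal) is only where glibc noticed the damage, and a core file taken at that point says nothing about which code wrote the bad size. Running the same program under valgrind or an AddressSanitizer build reports the 8-byte write at the memcpy instead, which is the kind of evidence a reproducer makes it possible to collect.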