After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 783699 - (random) Crash (SIGABRT) [double free] in gjs (gc): js::gc::Arena::finalize<JSObject>
(random) Crash (SIGABRT) [double free] in gjs (gc): js::gc::Arena::finalize<J...
Status: RESOLVED DUPLICATE of bug 781799
Product: gnome-shell
Classification: Core
Component: general
3.25.x
Other Linux
: Normal normal
: ---
Assigned To: gnome-shell-maint
gnome-shell-maint
Depends on:
Blocks:
 
 
Reported: 2017-06-12 15:44 UTC by Christian Kellner
Modified: 2017-06-12 17:38 UTC
See Also:
GNOME target: ---
GNOME version: ---


Description Christian Kellner 2017-06-12 15:44:23 UTC 
Did not do anything specific, shell just randomly crashed.

Seems to crash in pair with ibus-daemon.
Mon 2017-06-12 13:28:02 CEST   1496  1000  1000   6 present   /usr/bin/gnome-shell
Mon 2017-06-12 13:27:59 CEST   2103  1000  1000   6 present   /usr/bin/ibus-daemon

Tue 2017-05-30 17:21:29 CEST   7862  1000  1000   6 missing   /usr/bin/gnome-shell
Tue 2017-05-30 17:21:29 CEST   8382  1000  1000   6 missing   /usr/bin/ibus-daemon

Tue 2017-05-30 17:14:54 CEST   1799  1000  1000   6 missing   /usr/bin/gnome-shell
Tue 2017-05-30 17:14:51 CEST   2481  1000  1000   6 missing   /usr/bin/ibus-daemon

+ Trace 237568

Thread 1 (Thread 0x7f60d7a6bac0 (LWP 1496))

  • #0 __GI_raise
    at ../sysdeps/unix/sysv/linux/raise.c line 51
  • #1 __GI_abort
    at abort.c line 89
  • #2 __libc_message
    at ../sysdeps/posix/libc_fatal.c line 175
  • #3 malloc_printerr
  • #4 _int_free
    at malloc.c line 3874
  • #5 __GI___libc_free
    at malloc.c line 2948
  • #6 0x00007f60d63fbba0 in
  • #7 JSObject::finalize(js::FreeOp*)
    at /usr/src/debug/mozilla-esr38/js/src/jsobjinlines.h line 42
  • #8 js::gc::Arena::finalize<JSObject>(js::FreeOp*, js::gc::AllocKind, unsigned long)
    at /usr/src/debug/mozilla-esr38/js/src/jsgc.cpp line 497
  • #9 FinalizeTypedArenas<JSObject>
    at /usr/src/debug/mozilla-esr38/js/src/jsgc.cpp line 557
  • #10 FinalizeArenas(js::FreeOp *, js::gc::ArenaHeader **, js::gc::SortedArenaList &, enum AllocKind, struct SliceBudget &, js::gc::ArenaLists::KeepArenasEnum)
    at /usr/src/debug/mozilla-esr38/js/src/jsgc.cpp line 600
  • #11 js::gc::ArenaLists::forceFinalizeNow(js::FreeOp*, js::gc::AllocKind, js::gc::ArenaLists::KeepArenasEnum, js::gc::ArenaHeader**)
    at /usr/src/debug/mozilla-esr38/js/src/jsgc.cpp line 2758
  • #12 js::gc::ArenaLists::finalizeNow(js::FreeOp*, js::gc::AllocKind, js::gc::ArenaLists::KeepArenasEnum, js::gc::ArenaHeader**)
    at /usr/src/debug/mozilla-esr38/js/src/jsgc.cpp line 2741
  • #13 js::gc::ArenaLists::queueForegroundObjectsForSweep(js::FreeOp*)
    at /usr/src/debug/mozilla-esr38/js/src/jsgc.cpp line 2877
  • #14 js::gc::GCRuntime::beginSweepingZoneGroup()
    at /usr/src/debug/mozilla-esr38/js/src/jsgc.cpp line 5069
  • #15 js::gc::GCRuntime::beginSweepPhase(bool)
    at /usr/src/debug/mozilla-esr38/js/src/jsgc.cpp line 5164
  • #16 js::gc::GCRuntime::incrementalCollectSlice(js::SliceBudget&, JS::gcreason::Reason)
    at /usr/src/debug/mozilla-esr38/js/src/jsgc.cpp line 5889
  • #17 js::gc::GCRuntime::gcCycle(bool, js::SliceBudget&, JS::gcreason::Reason)
    at /usr/src/debug/mozilla-esr38/js/src/jsgc.cpp line 6076
  • #18 js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::gcreason::Reason)
    at /usr/src/debug/mozilla-esr38/js/src/jsgc.cpp line 6190
  • #19 gjs_schedule_gc_if_needed
  • #20 gjs_call_function_value
  • #21 gjs_closure_invoke
  • #22 0x00007f60d640356e in
  • #23 g_closure_invoke
  • #24 source_closure_callback
  • #25 g_timeout_dispatch
  • #26 g_main_context_dispatch
  • #27 g_main_context_iterate.isra
  • #28 g_main_loop_run
  • #29 meta_run
  • #30 main 






Comment 1


Christian Kellner





          2017-06-12 16:05:46 UTC
        



Full trace of the Thread 1:




+
Trace
    237569






    

  • 
#0
__GI_raise

    
                at ../sysdeps/unix/sysv/linux/raise.c
                  line
                  51

    

    • 

  • 
#1
__GI_abort

    
                at abort.c
                  line
                  89

    

    • 

  • 
#2
__libc_message

    
                at ../sysdeps/posix/libc_fatal.c
                  line
                  175

    

    • 

  • 
#3
malloc_printerr

    • 

  • 
#4
_int_free

    
                at malloc.c
                  line
                  3874

    

    • 

  • 
#5
__GI___libc_free

    
                at malloc.c
                  line
                  2948

    

    • 

  • 
#6
operator delete(void*)

    
                at ../../../../libstdc++-v3/libsupc++/del_op.cc
                  line
                  49

    

    • 

  • 
#7
operator delete(void*, unsigned long)

    
                at ../../../../libstdc++-v3/libsupc++/del_ops.cc
                  line
                  32

    

    • 

  • 
#8
GjsMaybeOwned<JS::Value>::teardown_rooting()

    
                at ./gjs/jsapi-util-root.h
                  line
                  148

    

    • 

  • 
#9
GjsMaybeOwned<JS::Value>::reset()

    
                at ./gjs/jsapi-util-root.h
                  line
                  270

    

    • 

  • 
#10
object_instance_finalize(JSFreeOp*, JSObject*)

    
                at gi/object.cpp
                  line
                  1626

    

    • 

  • 
#11
JSObject::finalize(js::FreeOp*)

    
                at /usr/src/debug/mozilla-esr38/js/src/jsobjinlines.h
                  line
                  42

    

    • 

  • 
#12
js::gc::Arena::finalize<JSObject>(js::FreeOp*, js::gc::AllocKind, unsigned long)

    
                at /usr/src/debug/mozilla-esr38/js/src/jsgc.cpp
                  line
                  497

    

    • 

  • 
#13
FinalizeTypedArenas<JSObject>

    
                at /usr/src/debug/mozilla-esr38/js/src/jsgc.cpp
                  line
                  557

    

    • 

  • 
#14
FinalizeArenas(js::FreeOp *, js::gc::ArenaHeader **, js::gc::SortedArenaList &, enum AllocKind, struct SliceBudget &, js::gc::ArenaLists::KeepArenasEnum)

    
                at /usr/src/debug/mozilla-esr38/js/src/jsgc.cpp
                  line
                  600

    

    • 

  • 
#15
js::gc::ArenaLists::forceFinalizeNow(js::FreeOp*, js::gc::AllocKind, js::gc::ArenaLists::KeepArenasEnum, js::gc::ArenaHeader**)

    
                at /usr/src/debug/mozilla-esr38/js/src/jsgc.cpp
                  line
                  2758

    

    • 

  • 
#16
js::gc::ArenaLists::finalizeNow(js::FreeOp*, js::gc::AllocKind, js::gc::ArenaLists::KeepArenasEnum, js::gc::ArenaHeader**)

    
                at /usr/src/debug/mozilla-esr38/js/src/jsgc.cpp
                  line
                  2741

    

    • 

  • 
#17
js::gc::ArenaLists::queueForegroundObjectsForSweep(js::FreeOp*)

    
                at /usr/src/debug/mozilla-esr38/js/src/jsgc.cpp
                  line
                  2877

    

    • 

  • 
#18
js::gc::GCRuntime::beginSweepingZoneGroup()

    
                at /usr/src/debug/mozilla-esr38/js/src/jsgc.cpp
                  line
                  5069

    

    • 

  • 
#19
js::gc::GCRuntime::beginSweepPhase(bool)

    
                at /usr/src/debug/mozilla-esr38/js/src/jsgc.cpp
                  line
                  5164

    

    • 

  • 
#20
js::gc::GCRuntime::incrementalCollectSlice(js::SliceBudget&, JS::gcreason::Reason)

    
                at /usr/src/debug/mozilla-esr38/js/src/jsgc.cpp
                  line
                  5889

    

    • 

  • 
#21
js::gc::GCRuntime::gcCycle(bool, js::SliceBudget&, JS::gcreason::Reason)

    
                at /usr/src/debug/mozilla-esr38/js/src/jsgc.cpp
                  line
                  6076

    

    • 

  • 
#22
js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::gcreason::Reason)

    
                at /usr/src/debug/mozilla-esr38/js/src/jsgc.cpp
                  line
                  6190

    

    • 

  • 
#23
js::gc::GCRuntime::startGC(JSGCInvocationKind, JS::gcreason::Reason, long)

    
                at /usr/src/debug/mozilla-esr38/js/src/jsgc.cpp
                  line
                  6259

    

    • 

  • 
#24
js::gc::GCRuntime::maybePeriodicFullGC()

    
                at /usr/src/debug/mozilla-esr38/js/src/jsgc.cpp
                  line
                  3246

    

    • 

  • 
#25
JS_MaybeGC(JSContext*)

    
                at /usr/src/debug/mozilla-esr38/js/src/jsapi.cpp
                  line
                  1341

    

    • 

  • 
#26
gjs_schedule_gc_if_needed(JSContext*)

    
                at gjs/jsapi-util.cpp
                  line
                  844

    

    • 

  • 
#27
gjs_call_function_value(JSContext*, JS::HandleObject, JS::HandleValue, JS::HandleValueArray const&, JS::MutableHandleValue)

    
                at gjs/jsapi-util.cpp
                  line
                  719

    

    • 

  • 
#28
gjs_closure_invoke(GClosure*, JS::HandleValueArray const&, JS::MutableHandleValue)

    
                at gi/closure.cpp
                  line
                  229

    

    • 

  • 
#29
closure_marshal(GClosure*, GValue*, guint, GValue const*, gpointer, gpointer)

    
                at gi/value.cpp
                  line
                  273

    

    • 

  • 
#30
g_closure_invoke

    
                at gclosure.c
                  line
                  804

    

    • 

  • 
#31
source_closure_callback

    
                at gsourceclosure.c
                  line
                  182

    

    • 

  • 
#32
g_timeout_dispatch

    
                at gmain.c
                  line
                  4715

    

    • 

  • 
#33
g_main_dispatch

    
                at gmain.c
                  line
                  3234

    

    • 

  • 
#34
g_main_context_dispatch

    
                at gmain.c
                  line
                  3899

    

    • 

  • 
#35
g_main_context_iterate

    
                at gmain.c
                  line
                  3972

    

    • 

  • 
#36
g_main_loop_run

    
                at gmain.c
                  line
                  4168

    

    • 

  • 
#37
meta_run

    
                at core/main.c
                  line
                  648

    

    • 

  • 
#38
main

    
                at main.c
                  line
                  454

    

    • 








One peculiar thing to note is that I got the same stack trace from Jiri (see below) and he suspected it has to do with the Dell's thunderbolt 3 dock (TB16) connected to the Dell XPS 13. And I am having the exact same configuration (TB16 with the Dell XPS13 and an external monitor connected).

Jiri's stack trace:
Stack trace of thread 9245:
#0  0x00007f4a23f27922 _ZN7mozilla17LinkedListElementIN2JS16PersistentRootedINS1_5ValueEEEED2Ev (libgjs.so.0)
#1  0x00007f4a23f30b8e n/a (libgjs.so.0)
#2  0x00007f4a19640563 _ZL14FinalizeArenasPN2js6FreeOpEPPNS_2gc11ArenaHeaderERNS2_15SortedArenaListENS2_9AllocKindERNS_11SliceBudgetENS2_10ArenaLis
#3  0x00007f4a1969b2b3 _ZN2js2gc10ArenaLists16forceFinalizeNowEPNS_6FreeOpENS0_9AllocKindENS1_14KeepArenasEnumEPPNS0_11ArenaHeaderE (libmozjs-38.so
#4  0x00007f4a19641831 _ZN2js2gc10ArenaLists30queueForegroundObjectsForSweepEPNS_6FreeOpE (libmozjs-38.so)
#5  0x00007f4a196581e9 _ZN2js2gc9GCRuntime22beginSweepingZoneGroupEv (libmozjs-38.so)
#6  0x00007f4a196589c8 _ZN2js2gc9GCRuntime15beginSweepPhaseEb (libmozjs-38.so)
#7  0x00007f4a1965abe3 _ZN2js2gc9GCRuntime23incrementalCollectSliceERNS_11SliceBudgetEN2JS8gcreason6ReasonE (libmozjs-38.so)
#8  0x00007f4a1965b5d2 _ZN2js2gc9GCRuntime7gcCycleEbRNS_11SliceBudgetEN2JS8gcreason6ReasonE (libmozjs-38.so)
#9  0x00007f4a1965b82d _ZN2js2gc9GCRuntime7collectEbNS_11SliceBudgetEN2JS8gcreason6ReasonE (libmozjs-38.so)
#10 0x00007f4a23f45739 gjs_schedule_gc_if_needed (libgjs.so.0)
#11 0x00007f4a23f457a4 gjs_call_function_value (libgjs.so.0)
#12 0x00007f4a23f20895 gjs_closure_invoke (libgjs.so.0)
#13 0x00007f4a23f3856e n/a (libgjs.so.0)
#14 0x00007f4a1ca3930d g_closure_invoke (libgobject-2.0.so.0)
#15 0x00007f4a1ca4b98e signal_emit_unlocked_R (libgobject-2.0.so.0)
#16 0x00007f4a1ca541a5 g_signal_emit_valist (libgobject-2.0.so.0)
#17 0x00007f4a1ca54b0f g_signal_emit (libgobject-2.0.so.0)
#18 0x00007f4a1982abde ffi_call_unix64 (libffi.so.6)
#19 0x00007f4a1982a54f ffi_call (libffi.so.6)
#20 0x00007f4a1c0f0a54 wl_closure_invoke (libwayland-server.so.0)
#21 0x00007f4a1c0ed2cf wl_client_connection_data (libwayland-server.so.0)
#22 0x00007f4a1c0eec52 wl_event_loop_dispatch (libwayland-server.so.0)
#23 0x00007f4a211b4317 wayland_event_source_dispatch (libmutter-0.so.0)
#24 0x00007f4a1c761277 g_main_context_dispatch (libglib-2.0.so.0)
#25 0x00007f4a1c761618 g_main_context_iterate.isra.25 (libglib-2.0.so.0)
#26 0x00007f4a1c761932 g_main_loop_run (libglib-2.0.so.0)
#27 0x00007f4a21186bbc meta_run (libmutter-0.so.0)
#28 0x000055d4436c14a7 main (gnome-shell)
#29 0x00007f4a1ab9b4da __libc_start_main (libc.so.6)
#30 0x000055d4436c15ba _start (gnome-shell)






Comment 2


Jiri Eischmann





          2017-06-12 17:24:15 UTC
        



My log at the moment of the crash:
čen 12 15:13:43 localhost.localdomain kernel: audit: type=1130 audit(1497273223.166:410): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-coredump@4-12321-0 comm="sy
čen 12 15:13:43 localhost.localdomain audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-coredump@4-12321-0 comm="systemd" exe="/usr/lib/systemd
čen 12 15:13:43 localhost.localdomain systemd[1]: Started Process Core Dump (PID 12321/UID 0).
čen 12 15:13:43 localhost.localdomain kernel: audit: type=1701 audit(1497273223.153:409): auid=1000 uid=1000 gid=1000 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=9245 comm="gnome-shell" 
čen 12 15:13:43 localhost.localdomain kernel: gnome-shell[9245]: segfault at 51 ip 00007f4a23f27922 sp 00007ffda4cad598 error 6 in libgjs.so.0.0.0[7f4a23ef8000+b9000]
čen 12 15:13:43 localhost.localdomain audit[9245]: ANOM_ABEND auid=1000 uid=1000 gid=1000 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=9245 comm="gnome-shell" exe="/usr/bin/gnome-shell" s
čen 12 15:13:40 localhost.localdomain gnome-shell[9245]: g_signal_handler_disconnect: assertion 'handler_id > 0' failed
čen 12 15:13:40 localhost.localdomain gnome-shell[9245]: g_signal_handler_disconnect: assertion 'handler_id > 0' failed
čen 12 15:13:32 localhost.localdomain dbus-daemon[1801]: [session uid=1000 pid=1801] Successfully activated service 'org.gnome.Totem'
čen 12 15:13:32 localhost.localdomain SpiderOakGroups.desktop[9854]: Cannot open file ':/images/qml/icons/spinner/16.svg', because: Unknown error
čen 12 15:13:32 localhost.localdomain dbus-daemon[1801]: [session uid=1000 pid=1801] Activating service name='org.gnome.Totem' requested by ':1.388' (uid=1000 pid=12164 comm="/usr/bin/nautilus --gapplication-ser
čen 12 15:13:18 localhost.localdomain kernel: audit: type=1131 audit(1497273198.750:408): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed comm="systemd" ex
čen 12 15:13:18 localhost.localdomain audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed comm="systemd" exe="/usr/lib/systemd/systemd" 
čen 12 15:13:13 localhost.localdomain gnome-shell[9245]: g_signal_handler_disconnect: assertion 'handler_id > 0' failed
čen 12 15:13:13 localhost.localdomain gnome-shell[9245]: g_signal_handler_disconnect: assertion 'handler_id > 0' failed
čen 12 15:13:11 localhost.localdomain totem[12244]: Drawing a gadget with negative dimensions. Did you forget to allocate a size? (node slider owner GtkScale)
čen 12 15:13:11 localhost.localdomain totem[12244]: Native Windows taller than 65535 pixels are not supported
čen 12 15:13:11 localhost.localdomain dbus-daemon[1801]: [session uid=1000 pid=1801] Successfully activated service 'org.gnome.Totem'
čen 12 15:13:11 localhost.localdomain dbus-daemon[1801]: [session uid=1000 pid=1801] Activating service name='org.gnome.Totem' requested by ':1.388' (uid=1000 pid=12164 comm="/usr/bin/nautilus --gapplication-ser
čen 12 15:13:06 localhost.localdomain gnome-shell[9245]: g_signal_handler_disconnect: assertion 'handler_id > 0' failed
čen 12 15:13:06 localhost.localdomain gnome-shell[9245]: g_signal_handler_disconnect: assertion 'handler_id > 0' failed
čen 12 15:13:00 localhost.localdomain totem[12201]: Drawing a gadget with negative dimensions. Did you forget to allocate a size? (node slider owner GtkScale)
čen 12 15:13:00 localhost.localdomain totem[12201]: Native Windows taller than 65535 pixels are not supported
čen 12 15:13:00 localhost.localdomain dbus-daemon[1801]: [session uid=1000 pid=1801] Successfully activated service 'org.gnome.Totem'
čen 12 15:13:00 localhost.localdomain dbus-daemon[1801]: [session uid=1000 pid=1801] Activating service name='org.gnome.Totem' requested by ':1.388' (uid=1000 pid=12164 comm="/usr/bin/nautilus --gapplication-ser






Comment 3


Florian Müllner





          2017-06-12 17:36:42 UTC
        



The first stack trace is the same as https://bugzilla.gnome.org/show_bug.cgi?id=781799#c3. The second looks somewhat different, but points to gjs' garbage collection as well (or possibly mozjs') ...






Comment 4


Florian Müllner





          2017-06-12 17:36:53 UTC
        




*** This bug has been marked as a duplicate of bug 781799 ***






Comment 5


Christian Kellner





          2017-06-12 17:38:34 UTC
        



Ahh, I was looking for a duplicate but somehow that slipped through the radar. Thanks!