Bug 729508 - gnome-shell crashed with SIGABRT in g_assertion_message()

Status: RESOLVED INCOMPLETE
Product: gjs
Classification: Bindings
Component: general
Version: unspecified
Hardware/OS: Other Linux
Importance: Normal critical (priority Normal, severity critical)
Target Milestone: ---
Assigned To: gjs-maint
Depends on:
Blocks:
Reported: 2014-05-04 14:56 UTC by Cristian Aravena Romero
Modified: 2017-01-02 00:49 UTC
See Also:
GNOME target: ---
GNOME version: ---

Description Cristian Aravena Romero 2014-05-04 14:56:04 UTC
Open bug in launchpad.net:
https://bugs.launchpad.net/ubuntu/+source/gnome-shell/+bug/1302752

"Random crash regardless of any program I'm using."

  • #0 __GI_raise
    at ../nptl/sysdeps/unix/sysv/linux/raise.c line 56
  • #1 __GI_abort
    at abort.c line 89
  • #2 g_assertion_message
  • #3 g_assertion_message_expr
    at /build/buildd/glib2.0-2.40.0/./glib/gtestutils.c line 2306
  • #4 g_base_info_unref
    at girepository/gibaseinfo.c line 256
  • #5 boxed_finalize
    at gi/boxed.cpp line 535
  • #6 finalize
    at /build/buildd/mozjs24-24.2.0/js/src/jsobjinlines.h line 213
  • #7 finalize<JSObject>
    at /build/buildd/mozjs24-24.2.0/js/src/jsgc.cpp line 331
  • #8 FinalizeTypedArenas<JSObject>
    at /build/buildd/mozjs24-24.2.0/js/src/jsgc.cpp line 395
  • #9 FinalizeArenas
    at /build/buildd/mozjs24-24.2.0/js/src/jsgc.cpp line 432
  • #10 backgroundFinalize
    at /build/buildd/mozjs24-24.2.0/js/src/jsgc.cpp line 1358
  • #11 SweepBackgroundThings
    at /build/buildd/mozjs24-24.2.0/js/src/jsgc.cpp line 2143
  • #12 js::GCHelperThread::doSweep
    at /build/buildd/mozjs24-24.2.0/js/src/jsgc.cpp line 2425
  • #13 js::GCHelperThread::threadLoop
    at /build/buildd/mozjs24-24.2.0/js/src/jsgc.cpp line 2269
  • #14 _pt_root
    at ptthread.c line 204
  • #15 start_thread
    at pthread_create.c line 312
  • #16 clone
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S line 111

Comment 1 Matthias Clasen 2014-05-05 23:43:14 UTC
This is almost certainly not a glib issue, but a problem of gjs running garbage collection in a thread.
Comment 2 Giovanni Campagna 2014-05-06 10:05:42 UTC
Mh when did we start finalizing boxed types in background? And who thought it was a good idea?

Btw, this is still a glib issue: it means gobject-introspection stuff does not use atomic refcounting.
Comment 3 Jasper St. Pierre (not reading bugmail) 2014-05-06 12:58:24 UTC
No, I've seen this crash before our recent gjs changes. Also:

void
g_base_info_unref (GIBaseInfo *info)
{
  GIRealInfo *rinfo = (GIRealInfo*)info;

  g_assert (rinfo->ref_count > 0 && rinfo->ref_count != INVALID_REFCOUNT);

  if (!g_atomic_int_dec_and_test (&rinfo->ref_count))
    return;

  ...
}

It's not a threading issue. There's a mismatched ref / unref somewhere. I don't know why I put it into the introspection category instead of gjs, though. If anybody can find a consistent reproducer, please post it on the bug.
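A worked illustration of the distinction drawn in comment 3, added here as an example; it is not code from gjs or gobject-introspection. It models an object whose unref performs the same precondition check as the g_base_info_unref() excerpt above, but returns a status instead of aborting, so that both a balanced lifetime and a mismatched ref/unref can be observed. The poison value INVALID_REFCOUNT, the static arena, the enum and all function names are assumptions of the example.

```c
/* Added example, not gjs or gobject-introspection code: a refcounted object
 * whose unref performs the same three-way precondition check as the
 * g_base_info_unref() excerpt, returning a status instead of calling g_assert().
 * INVALID_REFCOUNT, the arena allocator and all names are assumptions. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define INVALID_REFCOUNT 0x7fffffff   /* poison stored in a freed object's count */
#define ARENA_SIZE 4

typedef struct {
    atomic_int ref_count;
    int payload;
} Info;

/* Objects live in a static arena so a "freed" object's memory stays readable
 * and the poison value can still be observed by a stray unref. */
static Info arena[ARENA_SIZE];

typedef enum {
    UNREF_OK,              /* count decremented, object still alive */
    UNREF_FREED,           /* last reference dropped, object freed (poisoned) */
    UNREF_ZERO_OR_GARBAGE, /* count <= 0: never initialised or corrupted */
    UNREF_USE_AFTER_FREE   /* count == INVALID_REFCOUNT: unref of a freed object */
} UnrefResult;

Info *info_new(int payload) {
    for (size_t i = 0; i < ARENA_SIZE; i++) {
        int rc = atomic_load(&arena[i].ref_count);
        if (rc == 0 || rc == INVALID_REFCOUNT) {   /* unused or previously freed slot */
            arena[i].payload = payload;
            atomic_store(&arena[i].ref_count, 1);
            return &arena[i];
        }
    }
    return NULL;
}

Info *info_ref(Info *info) {
    atomic_fetch_add(&info->ref_count, 1);
    return info;
}

/* Same shape as the excerpt: precondition check, then atomic decrement.
 * The check is what fires in the backtrace. With balanced refs it cannot
 * fire no matter which thread runs the unref, because the decrement itself
 * is atomic; one unref too many reaches it on the next call. */
UnrefResult info_unref(Info *info) {
    int rc = atomic_load(&info->ref_count);
    if (rc == INVALID_REFCOUNT)
        return UNREF_USE_AFTER_FREE;
    if (rc <= 0)
        return UNREF_ZERO_OR_GARBAGE;
    if (atomic_fetch_sub(&info->ref_count, 1) != 1)
        return UNREF_OK;                                  /* other references remain */
    atomic_store(&info->ref_count, INVALID_REFCOUNT);     /* "free": poison the count */
    return UNREF_FREED;
}

/* Balanced lifetime: one unref per ref, last unref frees, no check fires. */
bool balanced_lifetime_ok(void) {
    Info *i = info_new(42);
    info_ref(i);                                 /* count: 2 */
    return info_unref(i) == UNREF_OK             /* count: 1 */
        && info_unref(i) == UNREF_FREED;         /* count: poisoned */
}

/* Mismatched ref/unref: two holders each unref, but only one took a ref.
 * The second holder's unref finds the poison, i.e. the g_assert condition. */
UnrefResult mismatched_unref_result(void) {
    Info *owner = info_new(7);
    Info *borrowed = owner;      /* stored without info_ref(): the bug */
    (void) info_unref(owner);    /* owner drops its reference: object freed */
    return info_unref(borrowed); /* UNREF_USE_AFTER_FREE */
}

int main(void) {
    printf("balanced: %s\n", balanced_lifetime_ok() ? "ok" : "assertion would fire");
    printf("mismatched: %s\n",
           mismatched_unref_result() == UNREF_USE_AFTER_FREE
               ? "assertion would fire (ref_count == INVALID_REFCOUNT)" : "undetected");
    return 0;
}
```

The second scenario is the one the g_assert in the excerpt reports: whichever thread happens to run the finalizer, the count it finds is already poisoned (or zero) because the reference it is dropping was never taken.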
Comment 4 Giovanni Campagna 2014-05-06 13:33:41 UTC
(In reply to comment #3)
> No, I've seen this crash before our recent gjs changes.

Don't know about that, but the backtrace is unequivocal in telling us the finalize is happening on the background thread.

And yet, checking the gjs code, we did not flag the class for background finalize...

(In reply to comment #3)
> It's not a threading issue. There's a mismatched ref / unref somewhere. I don't
> know why I put it into the introspection category instead of gjs, though. If
> anybody can find a consistent reproducer, please post it on the bug.

How would a mismatched ref/unref cause a corruption of the JSObject* structure? Because that's the only way I'd explain a boxed wrapper getting put in the OBJECT4_BACKGROUND arena, without having the JSCLASS_BACKGROUND_FINALIZE flag.

(The proper arena for a boxed wrapper is OBJECT2, btw)
Comment 5 Philip Chimento 2016-11-17 07:59:51 UTC
I've seen SpiderMonkey structs get "corrupted" when there's a mismatch between the debug flags that SpiderMonkey was compiled with, and the debug flags that GJS was compiled with. It's particularly dangerous that some struct members in SpiderMonkey header files have "#ifdef DEBUG" around them...

In any case I'd say we have to find a consistent way to reproduce this before we can do anything about it.
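The layout mismatch described in comment 5, shown as an added example; this is not SpiderMonkey or GJS code, and nothing on this page establishes that it is the cause of this crash. The two structs below differ only in a member guarded by "#ifdef DEBUG"; the debug-build layout, the release-build layout, the 0xDEADBEEF marker and the flag bit are assumptions of the example, chosen so that a client built without DEBUG reads a class flag out of the library's debug field.

```c
/* Added example, not SpiderMonkey or GJS code: two views of one object,
 * differing only in a member that exists under "#ifdef DEBUG". The layouts,
 * the 0xDEADBEEF marker and the flag bit are assumptions of the example. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define DEBUG_MAGIC            0xDEADBEEFu
#define BACKGROUND_FINALIZE    0x1u   /* an assumed class-flag bit */

/* How the library laid the object out when it was built with -DDEBUG. */
typedef struct {
    uint32_t debug_magic;   /* present only under #ifdef DEBUG */
    uint32_t flags;
    void    *clasp;
} ObjDebugBuild;

/* How a client built without DEBUG believes the same object looks. */
typedef struct {
    uint32_t flags;
    void    *clasp;
} ObjReleaseBuild;

/* Library side: initialises an object in its own layout. */
void library_init(ObjDebugBuild *o, uint32_t flags, void *clasp) {
    o->debug_magic = DEBUG_MAGIC;
    o->flags = flags;
    o->clasp = clasp;
}

/* Client side: copies the leading bytes into what it thinks the layout is.
 * sizeof(ObjReleaseBuild) <= sizeof(ObjDebugBuild) on every common ABI, so
 * the copy stays inside the object. */
uint32_t client_read_flags(const ObjDebugBuild *library_obj) {
    ObjReleaseBuild view;
    memcpy(&view, library_obj, sizeof view);
    return view.flags;
}

/* Returns 1 if the client sees BACKGROUND_FINALIZE set although the library
 * never set it: the client's "flags" lands on the library's debug_magic. */
int mismatch_invents_flag(void) {
    ObjDebugBuild o;
    library_init(&o, 0u, NULL);                 /* no flags set */
    uint32_t seen = client_read_flags(&o);
    return (seen & BACKGROUND_FINALIZE) != 0 && (o.flags & BACKGROUND_FINALIZE) == 0;
}

/* The disagreement is visible statically as a shifted member offset. */
size_t flags_offset_shift(void) {
    return offsetof(ObjDebugBuild, flags) - offsetof(ObjReleaseBuild, flags);
}

int main(void) {
    printf("flags offset shift: %zu bytes\n", flags_offset_shift());
    printf("client sees background-finalize flag the library never set: %s\n",
           mismatch_invents_flag() ? "yes" : "no");
    return 0;
}
```

Note that both structs are 16 bytes on a 64-bit ABI, so a size check alone would not catch the mismatch; only the member offsets differ. A practical check is to compare the debug-related preprocessor definitions (and offsetof() of a few members) between the headers the library was built against and the ones the client compiles.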
Comment 6 Philip Chimento 2017-01-02 00:49:33 UTC
Closing this bug report as no further information has been provided. Please feel free to reopen this bug report if you can provide the information that was asked for in a previous comment.
Thanks!