Bug 782692 - Crash in get_object_qdata → handle_toggle_down → clutter_actor_iter_destroy
Status: RESOLVED INCOMPLETE
Product: gjs
Classification: Bindings
Component: general
Version: 1.48.x
Hardware: Other Linux
Importance: Normal critical
Target Milestone: ---
Assigned To: gjs-maint
QA Contact: gjs-maint
Depends on:
Blocks:
Reported: 2017-05-16 14:22 UTC by Jeremy Bicha
Modified: 2017-08-07 15:06 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description Jeremy Bicha 2017-05-16 14:22:06 UTC
Ubuntu has received a few error reports from Ubuntu 17.04 with this crash signature. The crash appears new to gnome-shell 3.24.1.

This error is one of several keeping gnome-shell 3.24.1 from reaching all Ubuntu 17.04 users because Ubuntu has a phased-update system for users who install updates using Ubuntu's update-manager tool.

More specifically, there are currently 3 reports, one each from users using GDM, LightDM and SDDM (KDE's Display Manager). The GDM user is using the proprietary NVIDIA graphics driver. The SDDM user is using GNOME Classic. It does not appear like other GNOME Shell extensions are being used.

gnome-shell (6) g_assertion_message → g_assertion_message_expr → get_object_qdata → handle_toggle_down → clutter_actor_iter_destroy

  • #0 __GI_raise
    at ../sysdeps/unix/sysv/linux/raise.c line 58
  • #1 __GI_abort
    at abort.c line 89
  • #2 g_assertion_message
  • #3 g_assertion_message_expr
  • #4 get_object_qdata
    at gi/object.cpp line 220
  • #5 handle_toggle_down
    at gi/object.cpp line 1031
  • #6 clutter_actor_iter_destroy
    at clutter-actor.c line 18916
  • #7 clutter_actor_real_destroy
    at clutter-actor.c line 6235
  • #8 g_closure_invoke
    at ../../../../gobject/gclosure.c line 804
  • #9 signal_emit_unlocked_R
    at ../../../../gobject/gsignal.c line 3751
  • #10 g_signal_emit_valist
    at ../../../../gobject/gsignal.c line 3391
  • #11 g_signal_emit
    at ../../../../gobject/gsignal.c line 3447
  • #12 clutter_actor_dispose
    at clutter-actor.c line 5903
  • #13 g_object_run_dispose
    at ../../../../gobject/gobject.c line 1084
  • #14 clutter_actor_destroy
    at clutter-actor.c line 8585
  • #15 ffi_call_unix64
    at ../src/x86/unix64.S line 76
  • #16 ffi_call
    at ../src/x86/ffi64.c line 525
  • #17 gjs_invoke_c_function
    at gi/function.cpp line 1021
  • #18 function_call
    at gi/function.cpp line 1341
  • #19 ??
  • #20 ??
  • #21 ??
  • #22 ??

Comment 1 Jeremy Bicha 2017-05-16 14:23:23 UTC
As I filed this bug, GNOME's bug tracker suggested that this may be a duplicate of bug 782464.

Thread 1 (Thread 0x7fe0fc411ac0 (LWP 2647))

  • #0 __GI_raise
    at ../sysdeps/unix/sysv/linux/raise.c line 58
  • #1 __GI_abort
    at abort.c line 89
  • #2 g_assertion_message
  • #3 g_assertion_message_expr
  • #4 get_object_qdata
    at gi/object.cpp line 220
  • #5 handle_toggle_down
    at gi/object.cpp line 1031
  • #6 clutter_actor_iter_destroy
    at clutter-actor.c line 18916
  • #7 clutter_actor_real_destroy
    at clutter-actor.c line 6235
  • #8 g_closure_invoke
    at ../../../../gobject/gclosure.c line 804
  • #9 signal_emit_unlocked_R
    at ../../../../gobject/gsignal.c line 3751
  • #10 g_signal_emit_valist
    at ../../../../gobject/gsignal.c line 3391
  • #11 g_signal_emit
    at ../../../../gobject/gsignal.c line 3447
  • #12 clutter_actor_dispose
    at clutter-actor.c line 5903
  • #13 g_object_run_dispose
    at ../../../../gobject/gobject.c line 1084
  • #14 clutter_actor_destroy
    at clutter-actor.c line 8585
  • #15 ffi_call_unix64
    at ../src/x86/unix64.S line 76
  • #16 ffi_call
    at ../src/x86/ffi64.c line 525
  • #17 gjs_invoke_c_function
    at gi/function.cpp line 1021
  • #18 function_call
    at gi/function.cpp line 1341
  • #19 ??
  • #20 ??
  • #21 ??
  • #22 ??

Comment 2 Florian Müllner 2017-05-16 15:48:04 UTC
It is in any case a bug in gjs, not in gnome-shell.

Comment 3 Philip Chimento 2017-05-17 04:31:13 UTC
Not entirely sure of that; note that the error message printed before the failing assertion is "Object %p (a %s) resurfaced after the JS wrapper was finalized. This is some library doing dubious memory management inside dispose()"

https://github.com/GNOME/gjs/blob/gnome-3-24/gi/object.cpp#L216-L220

It looks from the stack trace that JS code is calling clutter_actor_destroy() directly, which it should not do. Of course, GJS should also not crash in that case, so maybe adding that assertion there was a bad idea.

In any case I don't think it's a duplicate of bug 782464.

However, without a reproducer or a gjs_dumpstack(), it's hard to tell whether removing the assertion will help, or just crash somewhere else.

Comment 4 Philip Chimento 2017-06-16 01:12:22 UTC
This may have been solved with the patches released in GJS 1.48.4. Without `gjs_dumpstack()` or some reproducer info I can't really tell, though. Feel free to reopen this if the problem reoccurs with 1.48.4.
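
A simplified model of the situation discussed in Comment 3, added here as an example (it is not gjs code and not from any commenter): a toggle-down notification reaches the handler after the wrapper has been marked finalized, and the handler counts and skips it instead of asserting. All type and function names are hypothetical, and the reference counting is reduced to the one transition that matters.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model, not gjs code; every name here is hypothetical. */
typedef struct { bool finalized; bool rooted; } Wrapper;
typedef struct { int refcount; Wrapper *wrapper; int stale_events; } NativeObject;
typedef enum { NOT_FIRED, APPLIED, IGNORED_STALE } ToggleResult;

/* Toggle-down: the binding now holds the last reference, so the wrapper
 * stops being rooted. A missing or finalized wrapper is counted and skipped. */
static ToggleResult on_toggle_down(NativeObject *obj)
{
    Wrapper *w = obj->wrapper;
    if (w == NULL || w->finalized) {
        obj->stale_events++;
        fprintf(stderr, "object %p: toggle-down with no live wrapper\n",
                (void *)obj);
        return IGNORED_STALE;          /* wrapper state is left untouched */
    }
    w->rooted = false;
    return APPLIED;
}

/* Dropping from two references to one is what fires the notification. */
static ToggleResult native_unref(NativeObject *obj)
{
    obj->refcount--;
    return obj->refcount == 1 ? on_toggle_down(obj) : NOT_FIRED;
}

/* A dispose-time helper takes and drops a temporary reference. */
ToggleResult temp_ref_cycle(bool wrapper_finalized, bool *rooted_after, int *stale)
{
    Wrapper w = { .finalized = wrapper_finalized, .rooted = !wrapper_finalized };
    NativeObject obj = { .refcount = 1, .wrapper = &w, .stale_events = 0 };
    obj.refcount++;                         /* 1 -> 2 */
    ToggleResult r = native_unref(&obj);    /* 2 -> 1: toggle-down */
    *rooted_after = w.rooted;
    *stale = obj.stale_events;
    return r;
}

int main(void)
{
    bool rooted; int stale;
    ToggleResult live = temp_ref_cycle(false, &rooted, &stale);
    printf("live wrapper: result=%d rooted=%d stale=%d\n", live, rooted, stale);
    ToggleResult dead = temp_ref_cycle(true, &rooted, &stale);
    printf("finalized wrapper: result=%d rooted=%d stale=%d\n", dead, rooted, stale);
    return 0;
}
```

Skipping the event is only safe in the model because nothing afterwards reads the finalized wrapper; the stale counter stands in for the diagnostic that keeps the offending dispose path findable.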