Various GNOME Shell crashes during GC, mozjs68 regression
System information
Linux, Fedora 31
gjs 1.63.4 @ be5ca0a8 with mozjs 68.4.0
GNOME Shell 3.35 @ current master
Bug information
The crash happens at random. I had just rebased my gjs build onto current master, after the mozjs68 work landed.
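Stacktrace (crash 1), abridged; the full trace follows below. The process receives SIGSEGV (signo=11) in the GC pre-write barrier, reached when ~ObjectInstance() resets its JS::Heap wrapper pointer while the object is being finalized during the sweep phase of a GC started from trigger_gc_if_needed(). The barrier is applied to the previous pointer value (prev=0x1c17880da040), which suggests that the old wrapper cell may no longer be safe to touch at that point.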
#3 js::gc::TenuredCell::writeBarrierPre(js::gc::TenuredCell*) (thing=0x1c17880da040, thing=<optimized out>)
at /usr/src/debug/mozjs68-68.4.0-1.fc32.x86_64/dist/include/js/HeapAPI.h:155
#4 JSObject::writeBarrierPre(JSObject*) (obj=0x1c17880da040) at /usr/src/debug/mozjs68-68.4.0-1.fc32.x86_64/vm/JSObject.h:726
#5 js::InternalBarrierMethods<JSObject*>::preBarrier(JSObject*) (v=0x1c17880da040) at /usr/src/debug/mozjs68-68.4.0-1.fc32.x86_64/gc/Barrier.h:325
#6 JS::HeapObjectWriteBarriers(JSObject**, JSObject*, JSObject*) (objp=objp@entry=0x23b71f8, prev=0x1c17880da040, next=next@entry=0x0)
at /usr/src/debug/mozjs68-68.4.0-1.fc32.x86_64/gc/Barrier.cpp:190
#7 0x00007faaa3c86d67 in js::BarrierMethods<JSObject*>::writeBarriers(JSObject**, JSObject*, JSObject*) (next=0x0, prev=<optimized out>, vp=0x23b71f8)
at /usr/include/mozjs-68/js/RootingAPI.h:721
#8 JS::Heap<JSObject*>::writeBarriers(JSObject* const&, JSObject* const&) (prev=<synthetic pointer>: <optimized out>, next=@0x23b71f8: 0x0, this=0x23b71f8)
at /usr/include/mozjs-68/js/RootingAPI.h:355
#9 JS::Heap<JSObject*>::set(JSObject* const&) (newPtr=<optimized out>, this=0x23b71f8) at /usr/include/mozjs-68/js/RootingAPI.h:351
#10 JS::Heap<JSObject*>::operator=(JSObject*&&) (p=<optimized out>, this=0x23b71f8) at /usr/include/mozjs-68/js/RootingAPI.h:320
#11 GjsMaybeOwned<JSObject*>::reset() (this=0x23b71f8) at ../gjs/jsapi-util-root.h:281
#12 ObjectInstance::discard_wrapper() (this=this@entry=0x23b71e0) at ../gi/object.h:355
#13 ObjectInstance::release_native_object() (this=this@entry=0x23b71e0) at ../gi/object.cpp:1251
#14 0x00007faaa3c8a2a4 in ObjectInstance::~ObjectInstance() (this=0x23b71e0, __in_chrg=<optimized out>) at ../gi/object.cpp:1622
#15 0x00007faaa3c8a5c5 in GIWrapperInstance<ObjectBase, ObjectPrototype, ObjectInstance, _GObject>::finalize_impl(JSFreeOp*, JSObject*) (this=0x23b71e0)
at ../gi/wrapperutils.h:1103
#16 ObjectInstance::finalize_impl(JSFreeOp*, JSObject*) (this=0x23b71e0, fop=fop@entry=0x7ffdd8fee230, obj=obj@entry=0x1c178808cb40) at ../gi/object.cpp:1590
#17 0x00007faaa3c911ae in GIWrapperBase<ObjectBase, ObjectPrototype, ObjectInstance>::finalize(JSFreeOp*, JSObject*) (fop=0x7ffdd8fee230, obj=0x1c178808cb40)
at ../gi/wrapperutils.h:235
...
#36 0x00007faaa3ca360f in GjsContextPrivate::trigger_gc_if_needed(void*) (data=0x126c410) at ../gjs/context.cpp:600
Full trace
#0 0x00007faaa3761625 in raise () at /lib64/libc.so.6
#1 0x0000000000402d66 in dump_gjs_stack_on_signal_handler (signo=11) at ../src/main.c:394
#2 0x00007faaa37616b0 in <signal handler called> () at /lib64/libc.so.6
#3 js::gc::TenuredCell::writeBarrierPre(js::gc::TenuredCell*) (thing=0x1c17880da040, thing=<optimized out>)
at /usr/src/debug/mozjs68-68.4.0-1.fc32.x86_64/dist/include/js/HeapAPI.h:155
#4 JSObject::writeBarrierPre(JSObject*) (obj=0x1c17880da040) at /usr/src/debug/mozjs68-68.4.0-1.fc32.x86_64/vm/JSObject.h:726
#5 js::InternalBarrierMethods<JSObject*>::preBarrier(JSObject*) (v=0x1c17880da040) at /usr/src/debug/mozjs68-68.4.0-1.fc32.x86_64/gc/Barrier.h:325
#6 JS::HeapObjectWriteBarriers(JSObject**, JSObject*, JSObject*) (objp=objp@entry=0x23b71f8, prev=0x1c17880da040, next=next@entry=0x0)
at /usr/src/debug/mozjs68-68.4.0-1.fc32.x86_64/gc/Barrier.cpp:190
#7 0x00007faaa3c86d67 in js::BarrierMethods<JSObject*>::writeBarriers(JSObject**, JSObject*, JSObject*) (next=0x0, prev=<optimized out>, vp=0x23b71f8)
at /usr/include/mozjs-68/js/RootingAPI.h:721
#8 JS::Heap<JSObject*>::writeBarriers(JSObject* const&, JSObject* const&) (prev=<synthetic pointer>: <optimized out>, next=@0x23b71f8: 0x0, this=0x23b71f8)
at /usr/include/mozjs-68/js/RootingAPI.h:355
#9 JS::Heap<JSObject*>::set(JSObject* const&) (newPtr=<optimized out>, this=0x23b71f8) at /usr/include/mozjs-68/js/RootingAPI.h:351
#10 JS::Heap<JSObject*>::operator=(JSObject*&&) (p=<optimized out>, this=0x23b71f8) at /usr/include/mozjs-68/js/RootingAPI.h:320
#11 GjsMaybeOwned<JSObject*>::reset() (this=0x23b71f8) at ../gjs/jsapi-util-root.h:281
#12 ObjectInstance::discard_wrapper() (this=this@entry=0x23b71e0) at ../gi/object.h:355
#13 ObjectInstance::release_native_object() (this=this@entry=0x23b71e0) at ../gi/object.cpp:1251
#14 0x00007faaa3c8a2a4 in ObjectInstance::~ObjectInstance() (this=0x23b71e0, __in_chrg=<optimized out>) at ../gi/object.cpp:1622
#15 0x00007faaa3c8a5c5 in GIWrapperInstance<ObjectBase, ObjectPrototype, ObjectInstance, _GObject>::finalize_impl(JSFreeOp*, JSObject*) (this=0x23b71e0)
at ../gi/wrapperutils.h:1103
#16 ObjectInstance::finalize_impl(JSFreeOp*, JSObject*) (this=0x23b71e0, fop=fop@entry=0x7ffdd8fee230, obj=obj@entry=0x1c178808cb40) at ../gi/object.cpp:1590
#17 0x00007faaa3c911ae in GIWrapperBase<ObjectBase, ObjectPrototype, ObjectInstance>::finalize(JSFreeOp*, JSObject*) (fop=0x7ffdd8fee230, obj=0x1c178808cb40)
at ../gi/wrapperutils.h:235
#18 0x00007faaa1447d05 in js::Class::doFinalize(js::FreeOp*, JSObject*) const (this=<optimized out>, obj=0x1c178808cb40, fop=0x7ffdd8fee230)
at /usr/src/debug/mozjs68-68.4.0-1.fc32.x86_64/dist/include/js/Class.h:872
#19 JSObject::finalize(js::FreeOp*) (fop=0x7ffdd8fee230, this=0x1c178808cb40) at /usr/src/debug/mozjs68-68.4.0-1.fc32.x86_64/vm/JSObject-inl.h:40
#20 js::gc::Arena::finalize<JSObject>(js::FreeOp*, js::gc::AllocKind, unsigned long)
(thingSize=64, thingKind=js::gc::AllocKind::OBJECT4, fop=0x7ffdd8fee230, this=0x1c178808c000)
at /usr/src/debug/mozjs68-68.4.0-1.fc32.x86_64/gc/GC.cpp:597
#21 FinalizeTypedArenas<JSObject>(js::FreeOp*, js::gc::Arena**, js::gc::SortedArenaList&, js::gc::AllocKind, js::SliceBudget&, js::gc::ArenaLists::KeepArenasEnum) (fop=0x7ffdd8fee230, src=0x15d1a90, dest=..., thingKind=js::gc::AllocKind::OBJECT4, budget=..., keepArenas=js::gc::ArenaLists::KEEP_ARENAS)
at /usr/src/debug/mozjs68-68.4.0-1.fc32.x86_64/gc/GC.cpp:657
#22 0x00007faaa14811a7 in FinalizeArenas(js::FreeOp*, js::gc::Arena**, js::gc::SortedArenaList&, js::gc::AllocKind, js::SliceBudget&, js::gc::ArenaLists::KeepArenasEnum) (fop=0x7ffdd8fee230, src=0x15d1a90, dest=..., thingKind=<optimized out>, budget=..., keepArenas=js::gc::ArenaLists::KEEP_ARENAS)
at /usr/src/debug/mozjs68-68.4.0-1.fc32.x86_64/gc/GC.cpp:689
#23 0x00007faaa145f978 in js::gc::ArenaLists::foregroundFinalize(js::FreeOp*, js::gc::AllocKind, js::SliceBudget&, js::gc::SortedArenaList&)
(sweepList=..., sliceBudget=..., thingKind=js::gc::AllocKind::OBJECT4, fop=<optimized out>, this=0x15d1710)
at /usr/src/debug/mozjs68-68.4.0-1.fc32.x86_64/gc/ArenaList.h:279
#24 js::gc::GCRuntime::finalizeAllocKind(js::FreeOp*, js::SliceBudget&, JS::Zone*, js::gc::AllocKind)
(this=0x15b81c8, fop=<optimized out>, budget=..., zone=0x15d1690, kind=js::gc::AllocKind::OBJECT4)
at /usr/src/debug/mozjs68-68.4.0-1.fc32.x86_64/gc/GC.cpp:6175
--Type <RET> for more, q to quit, c to continue without paging--
#25 0x00007faaa1441430 in sweepaction::SweepActionCall<js::FreeOp*, js::SliceBudget&, JS::Zone*, js::gc::AllocKind>::run(js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&, JS::Zone*, js::gc::AllocKind) (args#3=<optimized out>, args#2=0x15d1690, args#1=..., args#0=0x7ffdd8fee230, gc=0x15b81c8, this=<optimized out>)
at /usr/src/debug/mozjs68-68.4.0-1.fc32.x86_64/gc/GC.cpp:6294
#26 sweepaction::SweepActionForEach<ContainerIter<mozilla::EnumSet<js::gc::AllocKind, unsigned int> >, mozilla::EnumSet<js::gc::AllocKind, unsigned int>, js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&, JS::Zone*>::run(js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&, JS::Zone*)
(this=0x1565a20, args#0=0x15b81c8, args#1=0x7ffdd8fee230, args#2=..., args#3=0x15d1690) at /usr/src/debug/mozjs68-68.4.0-1.fc32.x86_64/gc/GC.cpp:6392
#27 0x00007faaa143f677 in sweepaction::SweepActionSequence<js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&, JS::Zone*>::run(js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&, JS::Zone*) (this=0x15529b0, args#0=0x15b81c8, args#1=0x7ffdd8fee230, args#2=..., args#3=0x15d1690)
at /usr/src/debug/mozjs68-68.4.0-1.fc32.x86_64/dist/include/mozilla/UniquePtr.h:308
#28 0x00007faaa143f741 in sweepaction::SweepActionForEach<js::gc::SweepGroupZonesIter, JSRuntime*, js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&>::run(js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&) (this=0x1560ec0, args#0=0x15b81c8, args#1=0x7ffdd8fee230, args#2=...)
at /usr/src/debug/mozjs68-68.4.0-1.fc32.x86_64/gc/PrivateIterators-inl.h:118
#29 0x00007faaa143f884 in sweepaction::SweepActionSequence<js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&>::run(js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&) (this=0x1561950, args#0=0x15b81c8, args#1=0x7ffdd8fee230, args#2=...)
at /usr/src/debug/mozjs68-68.4.0-1.fc32.x86_64/dist/include/mozilla/UniquePtr.h:308
#30 0x00007faaa1446156 in sweepaction::SweepActionRepeatFor<js::gc::SweepGroupsIter, JSRuntime*, js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&>::run(js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&) (this=0x15527a0, args#0=0x15b81c8, args#1=0x7ffdd8fee230, args#2=...)
at /usr/src/debug/mozjs68-68.4.0-1.fc32.x86_64/dist/include/mozilla/UniquePtr.h:308
#31 0x00007faaa146eadf in js::gc::GCRuntime::performSweepActions(js::SliceBudget&) (budget=..., this=<optimized out>)
at /usr/src/debug/mozjs68-68.4.0-1.fc32.x86_64/dist/include/mozilla/UniquePtr.h:308
#32 js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, JS::GCReason, js::gc::AutoGCSession&)
(this=<optimized out>, budget=..., reason=JS::GCReason::API, session=...) at /usr/src/debug/mozjs68-68.4.0-1.fc32.x86_64/gc/GC.cpp:7114
#33 0x00007faaa145c425 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget, JS::GCReason)
(this=<optimized out>, nonincrementalByAPI=<optimized out>, budget=..., reason=<optimized out>)
at /usr/src/debug/mozjs68-68.4.0-1.fc32.x86_64/gc/GC.cpp:7482
#34 0x00007faaa145e600 in js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::GCReason)
(this=0x15b81c8, nonincrementalByAPI=<optimized out>, budget=..., reason=JS::GCReason::API) at /usr/src/debug/mozjs68-68.4.0-1.fc32.x86_64/gc/GC.cpp:7655
#35 0x00007faaa145f170 in js::gc::GCRuntime::gc(JSGCInvocationKind, JS::GCReason) (this=0x15b81c8, gckind=<optimized out>, reason=JS::GCReason::API)
at /usr/src/debug/mozjs68-68.4.0-1.fc32.x86_64/dist/include/js/SliceBudget.h:60
#36 0x00007faaa3ca360f in GjsContextPrivate::trigger_gc_if_needed(void*) (data=0x126c410) at ../gjs/context.cpp:600
#37 0x00007faaa4530021 in g_timeout_dispatch () at /lib64/libglib-2.0.so.0
#38 0x00007faaa452f510 in g_main_context_dispatch () at /lib64/libglib-2.0.so.0
#39 0x00007faaa452f8a0 in g_main_context_iterate.isra () at /lib64/libglib-2.0.so.0
#40 0x00007faaa452fb93 in g_main_loop_run () at /lib64/libglib-2.0.so.0
#41 0x00007faaa39aa78c in meta_run () at ../src/core/main.c:676
#42 0x00000000004027dd in main (argc=<optimized out>, argv=<optimized out>) at ../src/main.c:552
Edited by Philip Chimento