Crash when DnDing windows from overview while closing it
This is a kinda obscure edge case, but it happened to me a couple of times already. Fedora 34 with GS/Mutter/GJS master.
STR:
- open overview
- close overview via super
- during the closing animation, click on a window to start a DnD operation
Observed behaviour: There will be a DnD operation started. Ending it (by either dropping the window or pressing escape) will crash the shell with the following not very helpful stack trace:
#0 __GI_raise (sig=sig@entry=11) at ../sysdeps/unix/sysv/linux/raise.c:49
#1 0x0000000000402d66 in dump_gjs_stack_on_signal_handler (signo=11) at ../src/main.c:349
#2 <signal handler called> () at ../sysdeps/unix/sysv/linux/sigaction.c
#3 js::gc::CellHeaderWithTenuredGCPointer<js::ObjectGroup>::ptr() const (this=0x1fff100000000, this=<optimized out>)
at /usr/src/debug/mozjs78-78.9.0-1.fc34.x86_64/gc/Cell.h:741
#4 JSObject::groupRaw() const (this=0x1fff100000000, this=<optimized out>) at /usr/src/debug/mozjs78-78.9.0-1.fc34.x86_64/vm/JSObject.h:147
#5 JSObject::isSingleton() const (this=0x1fff100000000, this=<optimized out>) at /usr/src/debug/mozjs78-78.9.0-1.fc34.x86_64/vm/JSObject.h:155
#6 js::TypeSet::ObjectType(JSObject const*) (obj=0x1fff100000000, obj=<optimized out>)
at /usr/src/debug/mozjs78-78.9.0-1.fc34.x86_64/vm/TypeInference-inl.h:134
#7 js::TypeSet::GetValueType(JS::Value const&) (val=..., val=<optimized out>) at /usr/src/debug/mozjs78-78.9.0-1.fc34.x86_64/vm/TypeInference-inl.h:236
#8 js::jit::JitScript::MonitorBytecodeType(JSContext*, JSScript*, unsigned char*, js::StackTypeSet*, JS::Value const&)
(rval=..., types=0x8737f78, pc=0x1527d43 "HL\b", script=<optimized out>, cx=0x167ed20)
at /usr/src/debug/mozjs78-78.9.0-1.fc34.x86_64/vm/TypeInference-inl.h:749
#9 js::jit::TypeMonitorResult(JSContext*, js::jit::ICMonitoredFallbackStub*, js::jit::BaselineFrame*, JS::Handle<JSScript*>, unsigned char*, JS::Handle<JS::Value>) (cx=0x167ed20, stub=<optimized out>, frame=0x7ffda4c6a0e8, script=..., pc=0x1527d43 "HL\b", val=...)
at /usr/src/debug/mozjs78-78.9.0-1.fc34.x86_64/jit/BaselineIC.cpp:961
#10 0x00007f1baebad459 in js::jit::FinishBailoutToBaseline(js::jit::BaselineBailoutInfo*) (bailoutInfoArg=0x0)
at /usr/src/debug/mozjs78-78.9.0-1.fc34.x86_64/dist/include/js/RootingAPI.h:1152
#11 0x0000342e0b5c30a2 in ()
#12 0x0000000000000000 in ()
Expected behaviour: Most likely no DnD operation at all - once the closing animation has started, there's no point in window DnD any more.