Segfault in `meta_x11_display_get_xdisplay` from `detach_pixmap` from `meta_surface_actor_x11_dispose`
If I start gnome-shell on Xorg, open a terminal and then terminate the shell, it leaves a core dump (from mutter and gnome-shell master):
Program terminated with signal SIGSEGV, Segmentation fault.
(gdb) bt
#0 0x00007f55fae74416 in meta_x11_display_get_xdisplay (x11_display=0x0)
at ../src/x11/meta-x11-display.c:1399
#1 0x00007f55fae17f4d in detach_pixmap (self=0x563bdd53a750)
at ../src/compositor/meta-surface-actor-x11.c:89
#2 0x00007f55fae187a4 in meta_surface_actor_x11_dispose
(object=0x563bdd53a750) at ../src/compositor/meta-surface-actor-x11.c:351
#3 0x00007f55fbaf6253 in g_object_unref ()
at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#4 0x00007f55fb1c8f8c in ObjectInstance::release_native_object()
(this=this@entry=0x563bdfaedcc0) at gi/object.cpp:1249
#5 0x00007f55fb1cbace in ObjectInstance::disassociate_js_gobject()
(this=0x563bdfaedcc0) at gi/object.cpp:1437
#6 0x00007f55fb1cbace in ObjectInstance::disassociate_js_gobject()
(this=0x563bdfaedcc0) at gi/object.cpp:1416
#7 0x00007f55fb1c9a8c in std::function<void (ObjectInstance*)>::operator()(ObjectInstance*) const (__args#0=<optimised out>, this=0x7fffae4b8fa0)
at /usr/include/c++/8/bits/std_function.h:682
#8 0x00007f55fb1c9a8c in ObjectInstance::remove_wrapped_gobjects_if(std::function<bool (ObjectInstance*)>, std::function<void (ObjectInstance*)>)
(predicate=..., action=...) at gi/object.cpp:1058
#9 0x00007f55fb1c9b64 in ObjectInstance::update_heap_wrapper_weak_pointers(JSContext*, JSCompartment*, void*) () at /usr/include/c++/8/new:169
#10 0x00007f55f9495fda in () at /lib/x86_64-linux-gnu/libmozjs-60.so.0
#11 0x00007f55f946f094 in () at /lib/x86_64-linux-gnu/libmozjs-60.so.0
#12 0x00007f55f9479e3a in () at /lib/x86_64-linux-gnu/libmozjs-60.so.0
#13 0x00007f55f947a975 in () at /lib/x86_64-linux-gnu/libmozjs-60.so.0
#14 0x00007f55f949db89 in () at /lib/x86_64-linux-gnu/libmozjs-60.so.0
#15 0x00007f55f949eb08 in () at /lib/x86_64-linux-gnu/libmozjs-60.so.0
#16 0x00007f55f949efd8 in () at /lib/x86_64-linux-gnu/libmozjs-60.so.0
#17 0x00007f55f949f15b in () at /lib/x86_64-linux-gnu/libmozjs-60.so.0
#18 0x00007f55fb1e44fa in GjsContextPrivate::dispose() (this=0x563bdaff6050)
at gjs/context.cpp:364
#19 0x00007f55fb1e44fa in GjsContextPrivate::dispose() (this=0x563bdaff6050)
at gjs/context.cpp:347
#20 0x00007f55fbaf6253 in g_object_unref ()
at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#21 0x00007f55fbd4741e in _shell_global_destroy_gjs_context
(self=0x563bdab9bae0) at ../src/shell-global.c:544
#22 0x0000563bd913d1da in main (argc=1, argv=0x7fffae4b97f8)
at ../src/main.c:502
(gdb)
An inconsistent way to reproduce the issue is running something like this in a terminal:
# Pick the first window wmctrl lists, then keep toggling it between
# unmaximized and maximized so the shell is constantly mid-animation.
active=$(wmctrl -l | head -n1 | cut -f1 -d' ')
while true; do
    wmctrl -ir "$active" -b remove,maximized_vert,maximized_horz && sleep 0.4 &&
    wmctrl -ir "$active" -b add,maximized_vert,maximized_horz
    sleep 0.4
done
While a window is maximizing/unmaximizing (animating), it's enough to do Alt+F2 -> debugexit.
Depending on the garbage collector state, the crash happens.
Edited by Marco Trevisan
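The backtrace above shows the shape of the bug: at shutdown the X11 display has already been torn down (`x11_display=0x0`), and only afterwards does destroying the GjsContext let the JS garbage collector drop its last reference to a MetaSurfaceActorX11, whose dispose() still asks the dead display for its Xlib connection. The C program below is an added illustration of that teardown-ordering hazard and of the guard a dispose handler needs; it is not mutter's code and not its actual fix. All struct, function and field names (`SurfaceActor`, `detach_pixmap`, `simulate_shutdown`, `fake_XFreePixmap`, the pixmap id) are made up for the example, and the real remedy may equally be to dispose compositor actors before the display is closed.

```c
/* Added illustration (not mutter's code): the dispose-after-display-gone
 * hazard from the backtrace, and a guard that tolerates it.
 *
 * Teardown order seen in the trace:
 *   1. the X11 display is closed and display->x11_display becomes NULL
 *   2. the GjsContext is destroyed; the JS GC unrefs the last surface actor
 *   3. its dispose() runs detach_pixmap(), which dereferences the NULL
 *      x11_display -> SIGSEGV
 * Every name below is hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef struct { int conn; } X11Display;             /* stands in for MetaX11Display */
typedef struct { X11Display *x11_display; } Display;  /* stands in for MetaDisplay */

typedef struct {
    Display *display;
    unsigned long pixmap;   /* 0 means no pixmap attached (None in Xlib) */
    bool disposed;
} SurfaceActor;

/* Audit trail so a test can see what the fake X server was asked to do. */
static unsigned long last_freed_pixmap;
static unsigned free_calls;

/* Stand-in for XFreePixmap(): it needs a live connection, so calling it
 * with a NULL display is exactly the crash in the trace. */
static void fake_XFreePixmap(X11Display *xdpy, unsigned long pixmap) {
    (void)xdpy->conn;           /* NULL deref here if called unguarded */
    last_freed_pixmap = pixmap;
    free_calls++;
}

enum detach_result { DETACH_NOTHING, DETACH_FREED, DETACH_SKIPPED_NO_DISPLAY };

/* Guarded detach: if the X11 display is already gone, the server-side
 * pixmap died with the connection, so only the local reference is dropped. */
enum detach_result detach_pixmap(SurfaceActor *self) {
    if (self->pixmap == 0)
        return DETACH_NOTHING;

    X11Display *xdpy = self->display->x11_display;
    if (xdpy == NULL) {
        self->pixmap = 0;
        return DETACH_SKIPPED_NO_DISPLAY;
    }
    fake_XFreePixmap(xdpy, self->pixmap);
    self->pixmap = 0;
    return DETACH_FREED;
}

/* dispose() must be idempotent: GObject may call it more than once. */
enum detach_result surface_actor_dispose(SurfaceActor *self) {
    enum detach_result r = detach_pixmap(self);
    self->disposed = true;
    return r;
}

/* Replays shutdown in the order from the backtrace and returns what the
 * late dispose did, so a caller can check the dead display was not touched. */
enum detach_result simulate_shutdown(bool close_display_first) {
    X11Display xdpy = { .conn = 42 };
    Display display = { .x11_display = &xdpy };
    SurfaceActor actor = { .display = &display, .pixmap = 0x1c00003UL, .disposed = false };

    if (close_display_first)
        display.x11_display = NULL;        /* step 1: X11 display torn down */

    return surface_actor_dispose(&actor);  /* step 3: GC-driven dispose */
}

/* Second dispose of the same actor must be a no-op. */
enum detach_result simulate_double_dispose(void) {
    X11Display xdpy = { .conn = 7 };
    Display display = { .x11_display = &xdpy };
    SurfaceActor actor = { .display = &display, .pixmap = 0x2a00001UL, .disposed = false };

    surface_actor_dispose(&actor);
    return surface_actor_dispose(&actor);
}

int main(void) {
    printf("display alive:  %d\n", simulate_shutdown(false));
    printf("display closed: %d\n", simulate_shutdown(true));
    printf("second dispose: %d\n", simulate_double_dispose());
    return 0;
}
```

The point of the guard is not to hide the ordering problem but to make dispose() safe whichever side of the display teardown the garbage collector happens to run on, which is what "depending on garbage collector state" in the report describes.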