Closed Bug 1826512 Opened 1 year ago Closed 1 year ago

gnome-shell crashes on exit in js::gc::Cell::storeBuffer() from js::gc::PostWriteBarrierImpl<JSObject>(void*, JSObject*, JSObject*) ...


(Core :: JavaScript: GC, defect)

Firefox 102





(Reporter: daniel.van.vugt, Unassigned)


Steps to reproduce:

  1. Log into gnome-shell (currently version 44 using mozjs102).
  2. Wait or use it for a while (long enough for some GC to have occurred I guess).
  3. Log out.

Actual results:

#0 __pthread_kill_implementation (no_tid=0, signo=11, threadid=<optimised out>) at ./nptl/pthread_kill.c:44
tid = <optimised out>
ret = 0
pd = <optimised out>
old_mask = {__val = {11}}
ret = <optimised out>
#1 __pthread_kill_internal (signo=11, threadid=<optimised out>) at ./nptl/pthread_kill.c:78
#2 __GI___pthread_kill (threadid=<optimised out>, signo=signo@entry=11) at ./nptl/pthread_kill.c:89
#3 0x00007f464d03c406 in __GI_raise (sig=sig@entry=11) at ../sysdeps/posix/raise.c:26
ret = <optimised out>
#4 0x000056282c4afaea in dump_gjs_stack_on_signal_handler (signo=11) at ../src/main.c:495
sa = {__sigaction_handler = {sa_handler = 0x56282c4af730 <dump_gjs_stack_alarm_sigaction>, sa_sigaction = 0x56282c4af730 <dump_gjs_stack_alarm_sigaction>}, sa_mask = {__val = {0 <repeats 16 times>}}, sa_flags = 0, sa_restorer = 0x0}
i = <optimised out>
#5 0x00007f464d03c4b0 in <signal handler called> () at /lib/x86_64-linux-gnu/
#6 0x00007f464ad8d344 in js::gc::Cell::storeBuffer() const (this=<optimised out>, this=<optimised out>) at /usr/src/mozjs102-102.9.0-1/js/src/gc/Cell.h:357
buffer = 0x0
#7 js::gc::PostWriteBarrierImpl<JSObject>(void*, JSObject*, JSObject*) (next=<optimised out>, prev=<optimised out>, cellp=<optimised out>) at /usr/src/mozjs102-102.9.0-1/js/src/gc/StoreBuffer.h:646
buffer = 0x0
#8 js::gc::PostWriteBarrier<js::SavedFrame>(js::SavedFrame**, js::SavedFrame*, js::SavedFrame*) (next=<optimised out>, prev=<optimised out>, vp=<optimised out>) at /usr/src/mozjs102-102.9.0-1/js/src/gc/StoreBuffer.h:658
#9 js::InternalBarrierMethods<js::SavedFrame*, void>::postBarrier(js::SavedFrame**, js::SavedFrame*, js::SavedFrame*) (next=<optimised out>, prev=<optimised out>, vp=0x7f4630022da0) at /usr/src/mozjs102-102.9.0-1/js/src/gc/Barrier.h:350
#10 js::InternalBarrierMethods<js::SavedFrame*, void>::postBarrier(js::SavedFrame**, js::SavedFrame*, js::SavedFrame*) (vp=0x7f4630022da0, prev=<optimised out>, next=<optimised out>) at /usr/src/mozjs102-102.9.0-1/js/src/gc/Barrier.h:349
#11 0x00007f464d91f721 in js::BarrierMethods<JSObject*, void>::postWriteBarrier(JSObject**, JSObject*, JSObject*) (next=0x0, prev=<optimised out>, vp=0x7f4630022da0) at /usr/include/mozjs-102/js/RootingAPI.h:795
p = 0x7f4630022da0
#12 JS::Heap<JSObject*>::postWriteBarrier(JSObject* const&, JSObject* const&) (next=<optimised out>, prev=@0x7f4630022da0: 0x1c8a30a483a0, this=0x7f4630022da0, this=<optimised out>, prev=<optimised out>, next=<optimised out>)
at /usr/include/mozjs-102/js/RootingAPI.h:376
p = 0x7f4630022da0
#13 JS::Heap<JSObject*>::~Heap() (this=0x7f4630022da0, this=<optimised out>) at /usr/include/mozjs-102/js/RootingAPI.h:338
p = 0x7f4630022da0
#14 mozilla::detail::VectorImpl<JS::Heap<JSObject*>, 0ul, js::SystemAllocPolicy, false>::destroy(JS::Heap<JSObject*>*, JS::Heap<JSObject*>*) (aEnd=0x7f4630022da8, aBegin=<optimised out>) at /usr/include/mozjs-102/mozilla/Vector.h:65
p = 0x7f4630022da0
#15 mozilla::Vector<JS::Heap<JSObject*>, 0ul, js::SystemAllocPolicy>::~Vector() (this=0x56282d2db9d8, this=<optimised out>) at /usr/include/mozjs-102/mozilla/Vector.h:901
#16 JS::GCVector<JS::Heap<JSObject*>, 0ul, js::SystemAllocPolicy>::~GCVector() (this=0x56282d2db9d8, this=<optimised out>) at /usr/include/mozjs-102/js/GCVector.h:43
#17 GjsContextPrivate::~GjsContextPrivate() (this=0x56282d2db960, this=<optimised out>) at /usr/src/gjs-1.76.0-1/obj-x86_64-linux-gnu/../gjs/context.cpp:487
#18 0x00007f464d9211e3 in gjs_context_finalize(GObject*) (object=0x56282d2dbae0) at /usr/src/gjs-1.76.0-1/obj-x86_64-linux-gnu/../gjs/context.cpp:500
gjs = <optimised out>
#19 0x00007f464e02ee4c in g_object_unref (_object=0x56282d2dbae0) at ../../../gobject/gobject.c:3938
weak_locations = <optimised out>
nqueue = 0x56282d8fc5c0
object = 0x56282d2dbae0
old_ref = <optimised out>
func = "g_object_unref"
#20 0x00007f464dc2508d in _shell_global_destroy_gjs_context (self=<optimised out>) at ../src/shell-global.c:752
_pp = <optimised out>
_ptr = <optimised out>
#21 0x000056282c4af00f in main (argc=<optimised out>, argv=<optimised out>) at ../src/main.c:776
context = 0x56282cd4e780
debug_flags_string = 0x56282d06c7b0 "backtrace-aborts:backtrace-math-errors:backtrace-crashes-all:backtrace-all"
error = 0x0
shell_debug = <optimised out>
ecode = 0

Expected results:

No crash.

Your comment in the linked issue identifies the problem:

> Basically I'm wondering if it's safe that JS::GCVector::~GCVector happens after JS_DestroyContext.

It's not safe. The vector (and anything else containing a JS::Heap) must be destroyed before the JS context is destroyed.
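The lifetime rule in the comment above, as an added C++ model that is not gjs or SpiderMonkey code. A Heap<T> wrapper runs a post-write barrier in its destructor, and the barrier finds the engine's store buffer through the cell it points at; once the engine has been torn down that lookup is the crash site in the backtrace (JS::Heap<JSObject*>::~Heap -> postWriteBarrier -> js::gc::Cell::storeBuffer). The real engine frees the cells with the context and the barrier reads freed memory; this model leaves tombstones with a null store buffer instead, so the misuse is counted rather than crashing. Engine, Cell, StoreBuffer, Heap, heapsOutliveEngine and heapsDestroyedFirst are all hypothetical names.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <vector>

// Added model, not SpiderMonkey or gjs code. All names are hypothetical.

// The generational-GC store buffer. The engine owns it and frees it with the
// context; a post-write barrier records or removes edges in it.
struct StoreBuffer {
    std::size_t removedEdges = 0;
};

// A GC cell. The barrier reaches the store buffer through the cell, which is
// why a barrier on a cell the engine has already torn down goes wrong.
struct Cell {
    StoreBuffer* buffer;
};

struct Engine {
    StoreBuffer buffer;
    std::vector<std::unique_ptr<Cell>> cells;

    Cell* allocate() {
        cells.push_back(std::make_unique<Cell>(Cell{&buffer}));
        return cells.back().get();
    }

    // Stands in for JS_DestroyContext. The real engine frees the cells; the
    // model keeps them as tombstones with a null store buffer so a late
    // barrier can be counted without undefined behaviour.
    void destroy() {
        for (auto& c : cells) c->buffer = nullptr;
    }
};

// Stands in for JS::Heap<T*>: the destructor runs the post-write barrier for
// the transition ptr -> null, which is what ~Heap() does in the backtrace.
template <typename T>
class Heap {
public:
    Heap(T* p, std::size_t* lateBarriers) : ptr_(p), late_(lateBarriers) {}
    Heap(Heap&& o) noexcept : ptr_(o.ptr_), late_(o.late_) { o.ptr_ = nullptr; }
    Heap(const Heap&) = delete;
    Heap& operator=(const Heap&) = delete;
    Heap& operator=(Heap&&) = delete;
    ~Heap() { releaseBarrier(); }

private:
    void releaseBarrier() {
        if (!ptr_) return;                    // moved-from wrapper, nothing to do
        if (!ptr_->buffer) { ++*late_; return; }  // engine already gone: the crash site
        ++ptr_->buffer->removedEdges;         // normal case: record the dropped edge
    }
    T* ptr_;
    std::size_t* late_;
};

// The ordering in the report: the context is destroyed first and the vector
// of Heap<> is destroyed afterwards, so every ~Heap runs against a dead cell.
std::size_t heapsOutliveEngine() {
    std::size_t late = 0;
    Engine engine;
    std::vector<Heap<Cell>> roots;
    roots.reserve(2);
    roots.emplace_back(engine.allocate(), &late);
    roots.emplace_back(engine.allocate(), &late);
    engine.destroy();
    roots.clear();   // barriers now run on torn-down cells
    return late;     // 2: both barriers ran after teardown
}

// The required ordering: every Heap<> (here, the whole vector) is gone before
// the engine is destroyed, so each barrier still finds a live store buffer.
std::size_t heapsDestroyedFirst() {
    std::size_t late = 0;
    Engine engine;
    {
        std::vector<Heap<Cell>> roots;
        roots.reserve(2);
        roots.emplace_back(engine.allocate(), &late);
        roots.emplace_back(engine.allocate(), &late);
    }                // ~vector -> ~Heap -> barrier, engine still alive
    engine.destroy();
    return late;     // 0
}

int main() {
    std::printf("barriers after teardown, report order: %zu\n", heapsOutliveEngine());
    std::printf("barriers after teardown, fixed order:  %zu\n", heapsDestroyedFirst());
    return 0;
}
```

The same rule applies whenever the context is destroyed explicitly (for example in a dispose step) rather than by a destructor: any member that holds JS::Heap values, a GCVector included, has to be cleared in that same step, before the JS_DestroyContext call, because a member's destructor only runs later and by then the cells it would barrier are gone.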

Closed: 1 year ago
Resolution: --- → FIXED
Resolution: FIXED → INVALID