[jammy] gnome-shell live session crashes with SIGSEGV in js::gc::Cell::storeBuffer from js::gc::PostWriteBarrierImpl<JSObject>

Bug #1964458 reported by Daniel van Vugt
This bug affects 14 people
Affects               Status        Importance  Assigned to  Milestone
gjs                   Fix Released  Unknown
gnome-shell (Ubuntu)  Fix Released  High        Unassigned

Bug Description

Core was generated by `gnome-shell --sm-disable --mode=ubiquity'.
Program terminated with signal SIGSEGV, Segmentation fault.

In mozjs91:

#0 0x00007f5a697c3f44 in js::gc::Cell::storeBuffer (this=<optimized out>, this=<optimized out>)
    at .././js/src/gc/Cell.h:357
#1 js::gc::PostWriteBarrierImpl<JSObject> (next=<optimized out>, prev=<optimized out>, cellp=<optimized out>)
    at .././js/src/gc/StoreBuffer.h:654
#2 js::gc::PostWriteBarrier<js::SavedFrame> (next=<optimized out>, prev=<optimized out>, vp=<optimized out>)
    at .././js/src/gc/StoreBuffer.h:666
#3 js::InternalBarrierMethods<js::SavedFrame*>::postBarrier (next=<optimized out>, prev=<optimized out>,
    vp=0x7f5a5002b200) at .././js/src/gc/Barrier.h:333
#4 js::InternalBarrierMethods<js::SavedFrame*>::postBarrier (vp=0x7f5a5002b200, prev=<optimized out>,
    next=<optimized out>) at .././js/src/gc/Barrier.h:332
#5 0x00007f5a6b637722 in js::BarrierMethods<JSObject*>::postWriteBarrier (next=<optimized out>,
    prev=<optimized out>, vp=<optimized out>, vp=<optimized out>, prev=<optimized out>, next=<optimized out>)
    at /usr/include/mozjs-91/js/RootingAPI.h:770
#6 JS::Heap<JSObject*>::postWriteBarrier (next=<optimized out>, prev=<optimized out>, this=<optimized out>,
    this=<optimized out>, prev=<optimized out>, next=<optimized out>) at /usr/include/mozjs-91/js/RootingAPI.h:361
#7 JS::Heap<JSObject*>::~Heap (this=<optimized out>, this=<optimized out>)
    at /usr/include/mozjs-91/js/RootingAPI.h:323
#8 mozilla::detail::VectorImpl<JS::Heap<JSObject*>, 0ul, js::SystemAllocPolicy, false>::destroy (
    aEnd=0x7f5a5002b218, aBegin=<optimized out>) at /usr/include/mozjs-91/mozilla/Vector.h:65
#9 mozilla::Vector<JS::Heap<JSObject*>, 0ul, js::SystemAllocPolicy>::~Vector (this=<optimized out>,
    this=<optimized out>) at /usr/include/mozjs-91/mozilla/Vector.h:901
#10 JS::GCVector<JS::Heap<JSObject*>, 0ul, js::SystemAllocPolicy>::~GCVector (this=<optimized out>,
    this=<optimized out>) at /usr/include/mozjs-91/js/GCVector.h:43
#11 GjsContextPrivate::~GjsContextPrivate (this=<optimized out>, this=<optimized out>) at ../gjs/context.cpp:482
#12 0x00007f5a6b638978 in gjs_context_finalize (object=0x557e2a3f7180) at ../gjs/context.cpp:495
#13 0x00007f5a6c0d2dfd in g_object_unref () from /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#14 0x00007f5a6c31d77d in _shell_global_destroy_gjs_context (self=<optimized out>) at ../src/shell-global.c:703
#15 0x0000557e2950bece in main (argc=<optimized out>, argv=<optimized out>) at ../src/main.c:659

In mozjs78:

See bug 1947130

Daniel van Vugt (vanvugt) wrote :

This is the crash that happens during jammy live sessions.

Daniel van Vugt (vanvugt) wrote :
description: updated
Changed in gnome-shell (Ubuntu):
milestone: none → ubuntu-22.04-beta
Daniel van Vugt (vanvugt) wrote :

It appears the mozjs Heap is a bogus pointer from very early on.

Next steps:

1. See if the latest gjs update has changed the situation (waiting on new live images).

2. Look into gjs to see if the problem starts in there or if the whole gjs context from gnome-shell is invalid.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in gjs (Ubuntu):
status: New → Confirmed
Changed in gnome-shell (Ubuntu):
status: New → Confirmed
Changed in mozjs91 (Ubuntu):
status: New → Confirmed
description: updated
Ubuntu QA Website (ubuntuqa) wrote :

This bug has been reported on the Ubuntu ISO testing tracker.

A list of all reports related to this bug can be found here:
http://iso.qa.ubuntu.com/qatracker/reports/bugs/1964458

tags: added: iso-testing
Changed in gnome-shell (Ubuntu):
assignee: nobody → Daniel van Vugt (vanvugt)
Changed in gnome-shell (Ubuntu):
status: Confirmed → In Progress
Daniel van Vugt (vanvugt) wrote :

Fresh stack trace from image 2022-03-13 with newer gjs and mozjs91 packages:

Core was generated by `gnome-shell --sm-disable --mode=ubiquity'.
Program terminated with signal SIGSEGV, Segmentation fault.

#0 0x00007f5a697c3f44 in js::gc::Cell::storeBuffer (this=<optimized out>, this=<optimized out>)
    at .././js/src/gc/Cell.h:357
#1 js::gc::PostWriteBarrierImpl<JSObject> (next=<optimized out>, prev=<optimized out>, cellp=<optimized out>)
    at .././js/src/gc/StoreBuffer.h:654
#2 js::gc::PostWriteBarrier<js::SavedFrame> (next=<optimized out>, prev=<optimized out>, vp=<optimized out>)
    at .././js/src/gc/StoreBuffer.h:666
#3 js::InternalBarrierMethods<js::SavedFrame*>::postBarrier (next=<optimized out>, prev=<optimized out>,
    vp=0x7f5a5002b200) at .././js/src/gc/Barrier.h:333
#4 js::InternalBarrierMethods<js::SavedFrame*>::postBarrier (vp=0x7f5a5002b200, prev=<optimized out>,
    next=<optimized out>) at .././js/src/gc/Barrier.h:332
#5 0x00007f5a6b637722 in js::BarrierMethods<JSObject*>::postWriteBarrier (next=<optimized out>,
    prev=<optimized out>, vp=<optimized out>, vp=<optimized out>, prev=<optimized out>, next=<optimized out>)
    at /usr/include/mozjs-91/js/RootingAPI.h:770
#6 JS::Heap<JSObject*>::postWriteBarrier (next=<optimized out>, prev=<optimized out>, this=<optimized out>,
    this=<optimized out>, prev=<optimized out>, next=<optimized out>) at /usr/include/mozjs-91/js/RootingAPI.h:361
#7 JS::Heap<JSObject*>::~Heap (this=<optimized out>, this=<optimized out>)
    at /usr/include/mozjs-91/js/RootingAPI.h:323
#8 mozilla::detail::VectorImpl<JS::Heap<JSObject*>, 0ul, js::SystemAllocPolicy, false>::destroy (
    aEnd=0x7f5a5002b218, aBegin=<optimized out>) at /usr/include/mozjs-91/mozilla/Vector.h:65
#9 mozilla::Vector<JS::Heap<JSObject*>, 0ul, js::SystemAllocPolicy>::~Vector (this=<optimized out>,
    this=<optimized out>) at /usr/include/mozjs-91/mozilla/Vector.h:901
#10 JS::GCVector<JS::Heap<JSObject*>, 0ul, js::SystemAllocPolicy>::~GCVector (this=<optimized out>,
    this=<optimized out>) at /usr/include/mozjs-91/js/GCVector.h:43
#11 GjsContextPrivate::~GjsContextPrivate (this=<optimized out>, this=<optimized out>) at ../gjs/context.cpp:482
#12 0x00007f5a6b638978 in gjs_context_finalize (object=0x557e2a3f7180) at ../gjs/context.cpp:495
#13 0x00007f5a6c0d2dfd in g_object_unref () from /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#14 0x00007f5a6c31d77d in _shell_global_destroy_gjs_context (self=<optimized out>) at ../src/shell-global.c:703
#15 0x0000557e2950bece in main (argc=<optimized out>, argv=<optimized out>) at ../src/main.c:659

Daniel van Vugt (vanvugt) wrote :

The most suspicious part of that stack I can find so far is in gjs_context_finalize:

    GjsContextPrivate* gjs = GjsContextPrivate::from_object(object);
    gjs->~GjsContextPrivate();

Daniel van Vugt (vanvugt) wrote :
description: updated
description: updated
no longer affects: gjs (Ubuntu)
no longer affects: mozjs91 (Ubuntu)
Changed in gnome-shell (Ubuntu):
milestone: ubuntu-22.04-beta → ubuntu-22.04
Marco Trevisan (Treviño) (3v1n0) wrote :

Would it be possible to get the JS trace here?

Marco Trevisan (Treviño) (3v1n0) wrote :

> The most suspicious part of that stack I can find so far is in gjs_context_finalize:
>
> GjsContextPrivate* gjs = GjsContextPrivate::from_object(object);
> gjs->~GjsContextPrivate();

No, that's all fine... It's just calling the dtor manually because that object is manually allocated.

Daniel van Vugt (vanvugt) wrote :

> Would be possible to get the JS trace here?

There is no JS trace. There is no JS running.

Changed in gnome-shell (Ubuntu):
importance: Undecided → High
summary: - [jammy] gnome-shell crashes with SIGSEGV in js::gc::Cell::storeBuffer
- from js::gc::PostWriteBarrierImpl<JSObject>
+ [jammy] gnome-shell live session crashes with SIGSEGV in
+ js::gc::Cell::storeBuffer from js::gc::PostWriteBarrierImpl<JSObject>
Daniel van Vugt (vanvugt) wrote :

The fix is still awaiting review/sponsorship in https://salsa.debian.org/gnome-team/gnome-shell/-/merge_requests/60

Daniel van Vugt (vanvugt) wrote :
Changed in gnome-shell (Ubuntu):
status: In Progress → Fix Committed
assignee: Daniel van Vugt (vanvugt) → nobody
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnome-shell - 42.0-2ubuntu1

---------------
gnome-shell (42.0-2ubuntu1) jammy; urgency=medium

  [ Marco Trevisan (Treviño) ]
  * debian/patches: Cherry-pick upstream fixes targeting 42.1
  * debian/patches: Compute system background color from theme (LP: #1965727)
  * ubuntu/configure-login-screen.patch: Use bg color for initial system bg
    (LP: #1965727)
  * debian/patches: Ensure St.Entry's `selected-color` CSS property is honored
    (LP: #1878998)
  * ubuntu/support-loading-Yaru-variants: Handle dark/light variants better
  * d/p/main-Avoid-meta-finalize: Leak gjs context only on ubiquity sessions
    (LP: #1964458)
  * d/p/use-favorites-strings: Only apply this to ubuntu session
  * debian/patches: Do not hang and crash if fingerprint service fails to start
    (LP: #1962566)
  * debian: Use gnomebluetooth-3.0 as dependency and revert patches disabling it
    (LP: #1738838, #1968364, #1964600)

  [ Jeremy Bicha ]
  * Use libgweather4 instead of old libgweather (LP: #1964600)
  * Add patch to work around meson issue (Debian 1008189)
  * releasing package gnome-shell version 42.0-2
  * debian/control.in: Recommend power-profiles-daemon for power mode feature

  [ Daniel van Vugt ]
  * main-Avoid-meta-finalize.patch: Leak GJS to work around LP: #1964458

  [ Gunnar Hjalmarsson ]
  * Revert "dash: Use pin instead of favorites"

  [ Jeremy Bicha ]
  * Remaining changes with debian:
    - Replace gnome-backgrounds dep with ubuntu-wallpapers and Suggests
      gnome-themes-standard-data, gnome-backgrounds
    - Add some Recommends:
      + ubuntu-session (| gnome-session) to have the ubuntu session available
      + xserver-xorg-legacy
      + yaru-theme-gnome-shell for the default ubuntu theming
      + gnome-remote-desktop to provide remote desktop support by default
    - Moved some Recommends to Suggests:
      + chrome-gnome-shell
    - Update debian/gbp.conf with Ubuntu settings
    - gnome-shell-common.prerm: Remove deprecated ubuntu theme alternative
    - ubuntu/desktop_detect.patch:
      + add caching for desktop detection to avoid querying the current
        desktop env variable as iterate through the list each time. For the
        time of the Shell process, we can expect this env variable to stay
        stable.
    - ubuntu/smarter_alt_tab.patch:
      + quick alt-tab (without showing up the switcher) switch only between
        the last window of the last 2 applications to be focused instead of
        raising all windows of those apps.
    - ubuntu/lightdm-user-switching.patch:
      + Allow user switching when using LightDM.
    - ubuntu/lock_on_suspend.patch
      + Respect Ubuntu's lock-on-suspend setting.
    - ubuntu/background_login.patch
      + Change default background color as we modified the default GDM color
        for our ubuntu session.
    - ubuntu/gdm_alternatives.patch
      + Add support for GDM3 theme alternatives
    - optional-hot-corner.patch
      + enable patch proposed by upstream developer already in package (but
        not in series) to add a settings for optional hot corner activation.
    - main-show-an-error-message-on-gnome-shell-crash.patch,
      global-m...


Changed in gnome-shell (Ubuntu):
status: Fix Committed → Fix Released
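As an added example (not gjs or gnome-shell code) of the two things discussed in this thread: the explicit destructor call in gjs_context_finalize, which is fine because the private object is placement-allocated inside GObject-owned memory, and the workaround shipped in 42.0-2ubuntu1 of leaking the gjs context so that destructor never runs at exit. The Runtime, Heap, ContextPrivate and ContextObject types below are simplified stand-ins and are assumptions of this example, not the mozjs or gjs types. What actually made the Heap pointer bogus in the live session is not established on this page, so the model only shows why skipping the destructor sidesteps the post-write barrier entirely.

```cpp
// Added example, not gjs or gnome-shell code. Runtime, Heap, ContextPrivate and
// ContextObject are simplified stand-ins (assumption), shaped like the backtrace:
// ~ContextPrivate -> ~vector<Heap> -> ~Heap -> post-write barrier.
#include <cstdio>
#include <new>
#include <vector>

struct Runtime {
    bool alive = true;
    int barriers = 0;       // barriers that ran while the runtime was usable
    int dead_barriers = 0;  // barriers that ran after teardown (the real one crashes here)
};

// Stand-in for JS::Heap<T>: its destructor runs a post-write barrier that
// needs the owning runtime to still be usable.
template <typename T>
class Heap {
    Runtime* rt_;
    T value_;
public:
    Heap(Runtime* rt, T v) : rt_(rt), value_(v) {}
    Heap(const Heap&) = default;
    T get() const { return value_; }
    ~Heap() { rt_->alive ? rt_->barriers++ : rt_->dead_barriers++; }
};

// Stand-in for GjsContextPrivate.
struct ContextPrivate {
    static int live;
    std::vector<Heap<int>> objects;  // stand-in for GCVector<Heap<JSObject*>>
    explicit ContextPrivate(Runtime* rt) {
        objects.reserve(2);          // no reallocation, so each Heap is destroyed exactly once
        objects.emplace_back(rt, 1);
        objects.emplace_back(rt, 2);
        live++;
    }
    ~ContextPrivate() { live--; }
};
int ContextPrivate::live = 0;

// GObject-style instance: the object system owns the memory and the private
// area is raw storage, so the private is constructed with placement new.
struct ContextObject {
    alignas(ContextPrivate) unsigned char priv[sizeof(ContextPrivate)];
    int ref_count = 1;
};

static ContextPrivate* priv_of(ContextObject* obj) {
    return reinterpret_cast<ContextPrivate*>(obj->priv);
}

ContextObject* context_new(Runtime* rt) {
    ContextObject* obj = new ContextObject;
    new (obj->priv) ContextPrivate(rt);  // construct in place; never `delete`d separately
    return obj;
}

// Same shape as gjs_context_finalize(): call the destructor explicitly, then
// let the object system release the instance memory.
static void context_finalize(ContextObject* obj) {
    priv_of(obj)->~ContextPrivate();
    delete obj;
}

void context_unref(ContextObject* obj) {
    if (--obj->ref_count == 0) context_finalize(obj);
}

enum class Teardown { UnrefThenRuntime, RuntimeThenUnref, LeakContext };
struct Outcome { int barriers; int dead_barriers; int leaked_contexts; };

static std::vector<ContextObject*> leaked_on_purpose;  // kept reachable for leak checkers

Outcome simulate(Teardown order) {
    Runtime rt;
    int live_before = ContextPrivate::live;
    ContextObject* ctx = context_new(&rt);
    switch (order) {
    case Teardown::UnrefThenRuntime:  // normal order: barriers see a live runtime
        context_unref(ctx);
        rt.alive = false;
        break;
    case Teardown::RuntimeThenUnref:  // destructor runs too late: barriers hit a dead runtime
        rt.alive = false;
        context_unref(ctx);
        break;
    case Teardown::LeakContext:       // the workaround: skip the final unref entirely
        rt.alive = false;
        leaked_on_purpose.push_back(ctx);
        break;
    }
    return { rt.barriers, rt.dead_barriers, ContextPrivate::live - live_before };
}

int main() {
    Outcome a = simulate(Teardown::UnrefThenRuntime);
    Outcome b = simulate(Teardown::RuntimeThenUnref);
    Outcome c = simulate(Teardown::LeakContext);
    std::printf("normal:   barriers=%d dead=%d leaked=%d\n", a.barriers, a.dead_barriers, a.leaked_contexts);
    std::printf("too late: barriers=%d dead=%d leaked=%d\n", b.barriers, b.dead_barriers, b.leaked_contexts);
    std::printf("leak:     barriers=%d dead=%d leaked=%d\n", c.barriers, c.dead_barriers, c.leaked_contexts);
    return 0;
}
```

The leak case is the trade-off the changelog describes: the private object is never destroyed, so its Heap handles never run a barrier, at the cost of one context that is only reclaimed when the process exits. That is acceptable for a one-shot session like ubiquity, which is why the patch limits it to that mode.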
Daniel van Vugt (vanvugt) wrote :

Verified fixed in daily image 20220415:
gnome-shell = 42.0-2ubuntu1

No crash anymore. Although the transition into the live session is still ugly; it goes slowly with VT text visible in between.

Changed in gjs:
status: Unknown → New
Daniel van Vugt (vanvugt) wrote :

Continues in bug 1974293.

Changed in gjs:
status: New → Fix Released