Bug 1373196

Summary: [abrt] gnome-shell: meta_wayland_surface_get_toplevel(): gnome-shell killed by SIGSEGV
Product: [Fedora] Fedora Reporter: Kamil Páral <kparal>
Component: gnome-shellAssignee: Owen Taylor <otaylor>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 25CC: bugzilla, dima, fmuellner, jadahl, mclasen, otaylor
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
URL: https://retrace.fedoraproject.org/faf/reports/bthash/4ad7e1121b1b4efdc34d7c33d87320503f187811
Whiteboard: abrt_hash:d109f9f095bed462936d5da82e4b1009f3597690;VARIANT_ID=workstation;
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-09-08 13:27:46 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1277927, 1372055    
Attachments:
Description Flags
File: backtrace
none
File: cgroup
none
File: core_backtrace
none
File: dso_list
none
File: environ
none
File: exploitable
none
File: limits
none
File: maps
none
File: mountinfo
none
File: namespaces
none
File: open_fds
none
File: proc_pid_status
none
File: var_log_messages none

Description Kamil Páral 2016-09-05 13:12:35 UTC 
Description of problem:
This seems to happen *sometimes* when you press Shift+F10 in Nautilus to display a context menu for the selected file (not sure if right mouse click can trigger the same crash). This exact crash happened to me twice already just today. The whole session dies just because of that, and all my unsaved work in all apps is lost.

Version-Release number of selected component:
gnome-shell-3.21.90.1-1.fc25

Additional info:
reporter:       libreport-2.7.2
backtrace_rating: 4
cmdline:        /usr/bin/gnome-shell
crash_function: meta_wayland_surface_get_toplevel
executable:     /usr/bin/gnome-shell
global_pid:     8377
kernel:         4.8.0-0.rc4.git0.1.fc25.x86_64
pkg_fingerprint: 4089 D8F2 FDB1 9C98
pkg_vendor:     Fedora Project
runlevel:       N 5
type:           CCpp
uid:            1000

Truncated backtrace:
Thread no. 1 (10 frames)
 #0 meta_wayland_surface_get_toplevel at wayland/meta-wayland-surface.c:1750
 #1 meta_wayland_surface_get_toplevel_window at wayland/meta-wayland-surface.c:1761
 #2 meta_surface_actor_wayland_get_scale at compositor/meta-surface-actor-wayland.c:104
 #3 meta_surface_actor_wayland_sync_state at compositor/meta-surface-actor-wayland.c:196
 #4 actor_surface_commit at wayland/meta-wayland-surface.c:2010
 #5 xdg_popup_role_commit at wayland/meta-wayland-xdg-shell.c:603
 #6 meta_wayland_surface_role_commit at wayland/meta-wayland-surface.c:1891
 #7 apply_pending_state at wayland/meta-wayland-surface.c:700
 #8 ffi_call_unix64 at ../src/x86/unix64.S:76
 #9 ffi_call at ../src/x86/ffi64.c:525
Comment 1 Kamil Páral 2016-09-05 13:12:40 UTC 
Created attachment 1197943 [details]
File: backtrace
Comment 2 Kamil Páral 2016-09-05 13:12:42 UTC 
Created attachment 1197944 [details]
File: cgroup
Comment 3 Kamil Páral 2016-09-05 13:12:43 UTC 
Created attachment 1197945 [details]
File: core_backtrace
Comment 4 Kamil Páral 2016-09-05 13:12:45 UTC 
Created attachment 1197946 [details]
File: dso_list
Comment 5 Kamil Páral 2016-09-05 13:12:46 UTC 
Created attachment 1197947 [details]
File: environ
Comment 6 Kamil Páral 2016-09-05 13:12:48 UTC 
Created attachment 1197948 [details]
File: exploitable
Comment 7 Kamil Páral 2016-09-05 13:12:49 UTC 
Created attachment 1197949 [details]
File: limits
Comment 8 Kamil Páral 2016-09-05 13:12:52 UTC 
Created attachment 1197950 [details]
File: maps
Comment 9 Kamil Páral 2016-09-05 13:12:53 UTC 
Created attachment 1197951 [details]
File: mountinfo
Comment 10 Kamil Páral 2016-09-05 13:12:55 UTC 
Created attachment 1197952 [details]
File: namespaces
Comment 11 Kamil Páral 2016-09-05 13:12:56 UTC 
Created attachment 1197953 [details]
File: open_fds
Comment 12 Kamil Páral 2016-09-05 13:12:58 UTC 
Created attachment 1197954 [details]
File: proc_pid_status
Comment 13 Kamil Páral 2016-09-05 13:12:59 UTC 
Created attachment 1197955 [details]
File: var_log_messages
Comment 14 Jonas Ådahl 2016-09-06 14:37:17 UTC 
Does this still happen with 3.21.91? The changes between 3.21.90 and 3.21.91 changes a lot of things where the backtrace shows it crashed.
Comment 15 Chris Murphy 2016-09-06 19:26:41 UTC 
Interesting, I do this often, but on Fedora 24/gnome-shell 3.20.4 (on Wayland). Could be a regression?
Comment 16 Jonas Ådahl 2016-09-07 01:13:13 UTC 
Could have, at some point during 3.21.x, but I believe its likely that its fixed by 3.21.91.
Comment 17 Kamil Páral 2016-09-07 10:04:44 UTC 
(In reply to Jonas Ådahl from comment #14)
> Does this still happen with 3.21.91? 

Unfortunately bug 1373372 prevents from from updating gtk3, which prevents me from updating mutter (causes other issues), which prevents me from updating gnome-shell. Will test once I'm able to update gnome-shell.
Comment 18 Kamil Páral 2016-09-08 13:27:46 UTC 
Seems to be working now with:
gtk3-3.21.5-1.fc25.x86_64
mutter-3.21.91-2.fc25.x86_64

Will reopen if it happens again.
Comment 19 Dima Ryazanov 2016-09-15 09:51:56 UTC 
I'm seeing a similar crash, and I can reproduce it almost 100% of the time in 3.21.91 as well as mutter and gnome-shell that I built from the latest git:

- Open gnome-terminal
- Press left and right mouse buttons simultaneously (they need to be handled as separate buttons - i.e., middle button emulation needs to be OFF)

This crashes gnome-shell immediately.

The backtrace in gdb looks bizarre:

Thread 1 "gnome-shell" received signal SIGSEGV, Segmentation fault.
meta_wayland_surface_get_toplevel (surface=0x0, surface@entry=0xb5a790) at wayland/meta-wayland-surface.c:1689
1689	  if (surface->role)

See the "surface" and "surface@entry": the correct value was passed into the function, but it somehow became NULL, even before the first line of the function got executed.

I set a breakpoint in "meta_wayland_surface_get_toplevel" to see what happens before the crash. It gets called lots of times; usually, surface and surface@entry are equal - but not always, e.g.:

Thread 1 "gnome-shell" hit Breakpoint 1, meta_wayland_surface_get_toplevel (surface=0xb5ace0, surface@entry=0xfe6370)
    at wayland/meta-wayland-surface.c:1689
1689	  if (surface->role)

I have no explanation for what's happening. Memory corruption? Concurrency issue? I'm guessing it's some kind of race condition given that it happens only when two events happen at almost the same time, but they're all processed by the main thread, right?
Comment 20 Kamil Páral 2016-09-15 12:50:00 UTC 
(In reply to Dima Ryazanov from comment #19)
> I'm seeing a similar crash, and I can reproduce it almost 100% of the time
> in 3.21.91 as well as mutter and gnome-shell that I built from the latest
> git:
> 
> - Open gnome-terminal
> - Press left and right mouse buttons simultaneously (they need to be handled
> as separate buttons - i.e., middle button emulation needs to be OFF)

I can reproduce that 100%, I filed a new bug 1376447. Please continue the discussion in that bug, thanks.