• Bug#1102513: gnome-shell: crash on desktop lock (super + L)

    From Luca Boccassi@21:1/5 to All on Wed Apr 9 22:20:01 2025
    Package: gnome-shell
    Version: 48.0-1

    Dear Maintainer(s),

    Starting today, gnome-shell has started crashing with a segfault when
    I lock the desktop with super + L. I can reproduce consistently.
    Decoded backtrace:

    Core was generated by `/usr/bin/gnome-shell'.
    Program terminated with signal SIGSEGV, Segmentation fault.
    #0 0x00007f838b901456 in gst_device_provider_device_remove (provider=0x56221e0e98d0, device=0x7f8378029c00) at ../gst/gstdeviceprovider.c:673

    warning: 673 ../gst/gstdeviceprovider.c: No such file or directory
    [Current thread is 1 (Thread 0x7f8447814e40 (LWP 31367))]
    (gdb) bt
    #0 0x00007f838b901456 in gst_device_provider_device_remove (provider=0x56221e0e98d0, device=0x7f8378029c00) at ../gst/gstdeviceprovider.c:673
    #1 0x00007f838fe3033a in destroy_node (data=0x7f837801ca38) at ../src/gst/gstpipewiredeviceprovider.c:487
    #2 0x00007f844bb21078 in pw_proxy_destroy (proxy=0x7f837801c9c0) at ../src/pipewire/proxy.c:233
    #3 0x00007f844bb212a8 in pw_proxy_remove (proxy=0x7f837801c9c0) at ../src/pipewire/proxy.c:257
    #4 0x00007f844bac1f99 in remove_proxy (object=<optimized out>, data=0x56221df2b9f0) at ../src/pipewire/core.c:185
    #5 pw_map_for_each (map=0x56221df2baf0, func=<optimized out>, data=0x56221df2b9f0) at ../src/pipewire/map.h:222
    #6 proxy_core_removed (data=0x56221df2b9f0) at ../src/pipewire/core.c:224
    #7 proxy_core_removed (data=0x56221df2b9f0) at ../src/pipewire/core.c:205
    #8 0x00007f844bb212a8 in pw_proxy_remove (proxy=0x56221df2b9f0) at ../src/pipewire/proxy.c:257
    #9 0x00007f844bac3468 in pw_core_disconnect (core=0x56221df2b9f0) at ../src/pipewire/core.c:515
    #10 0x00007f838fe0dc38 in gst_pipewire_core_release (core=0x56221e31d450) at ../src/gst/gstpipewirecore.c:192
    #11 0x00007f838b900f9e in gst_device_provider_stop (provider=0x56221e0e98d0) at ../gst/gstdeviceprovider.c:535
    #12 0x00007f838b91383b in gst_device_monitor_stop (monitor=0x56221e1bd2f0) at ../gst/gstdevicemonitor.c:585
    #13 0x00007f844b67560e in ffi_call_unix64 () at ../src/x86/unix64.S:104
    #14 0x00007f844b674980 in ffi_call_int (cif=cif@entry=0x56221bc17010, fn=<optimized out>, rvalue=<optimized out>, avalue=<optimized out>, closure=closure@entry=0x0) at ../src/x86/ffi64.c:676
    #15 0x00007f844b6750eb in ffi_call (cif=0x56221bc17010, fn=<optimized out>, rvalue=<optimized out>, avalue=<optimized out>) at ../src/x86/ffi64.c:713
    #16 0x00007f844c7a4dfe in Gjs::Function::invoke (this=0x56221bc16ff0, context=0x562219a0ccf0, args=<optimized out>, this_obj=..., r_value=<optimized out>) at ./obj-x86_64-linux-gnu/../gi/function.cpp:1050
    #17 0x00007f844c7a532e in Gjs::Function::call (context=0x562219a0ccf0, js_argc=<optimized out>, vp=<optimized out>) at ./obj-x86_64-linux-gnu/../gi/function.cpp:1232
    #18 0x00007f844938d52f in CallJSNative (cx=0x562219a0ccf0, native=0x7f844c7a5260 <Gjs::Function::call(JSContext*, unsigned int, JS::Value*)>, reason=js::CallReason::Call, args=...) at ./js/src/vm/Interpreter.cpp:481
    #19 js::InternalCallOrConstruct (cx=0x562219a0ccf0, args=..., construct=<optimized out>, reason=js::CallReason::Call) at ./js/src/vm/Interpreter.cpp:561
    #20 0x00007f844937f1a0 in InternalCall (cx=<optimized out>, args=<optimized out>, reason=<optimized out>) at ./js/src/vm/Interpreter.cpp:642
    #21 js::CallFromStack (cx=<optimized out>, args=<optimized out>, reason=<optimized out>) at ./js/src/vm/Interpreter.cpp:647
    #22 js::Interpret (cx=0x562219a0ccf0, state=...) at ./js/src/vm/Interpreter.cpp:3190
    #23 0x00007f844938d28b in MaybeEnterInterpreterTrampoline (cx=0x562219a0ccf0, state=...) at ./js/src/vm/Interpreter.cpp:395
    #24 js::RunScript (cx=cx@entry=0x562219a0ccf0, state=...) at ./js/src/vm/Interpreter.cpp:453
    #25 0x00007f844938d7f0 in js::InternalCallOrConstruct (cx=cx@entry=0x562219a0ccf0, args=..., construct=construct@entry=js::NO_CONSTRUCT, reason=js::CallReason::Call) at ./js/src/vm/Interpreter.cpp:607
    #26 0x00007f844938da69 in InternalCall (cx=0x562219a0ccf0, args=..., reason=<optimized out>) at ./js/src/vm/Interpreter.cpp:642
    #27 js::Call (cx=cx@entry=0x562219a0ccf0, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=rval@entry=..., reason=reason@entry=js::CallReason::Call) at ./js/src/vm/Interpreter.cpp:674
    #28 0x00007f8449a6845f in js::jit::InvokeFunction (cx=0x562219a0ccf0, obj=..., obj@entry=..., constructing=<optimized out>, ignoresReturnValue=ignoresReturnValue@entry=false, argc=1, argv=0x7fff29f19240, rval=...) at ./js/src/jit/VMFunctions.cpp:546
    #29 0x00007f8449a6878b in js::jit::InvokeFromInterpreterStub (cx=<optimized out>, frame=0x7fff29f19218) at ./js/src/jit/VMFunctions.cpp:570
    #76 0x00007f844c81acce in gjs_log_exception_uncaught (cx=0x2d24b8e4de60) at /usr/include/mozjs-128/js/RootingAPI.h:1228
    #89 0x00007f8449bdec0a in EnterJit (cx=0x7f8400000000, state=..., code=0x7fff29f19400 "\300\225\361)\377\177") at ./js/src/jit/Jit.cpp:115

    The crash is at this line:

    g_return_if_fail (GST_IS_DEVICE (device));

    https://sources.debian.org/src/gstreamer1.0/1.26.0-3/gst/gstdeviceprovider.c/?hl=666#L673

    device seems to be borked:

    (gdb) p *device
    $2 = {parent = {object = {g_type_instance = {g_class = <error reading
    variable: Cannot access memory at address 0x732d6d756964656d>},
    ref_count = 1868721529, qdata = 0x6f762d6f69647561}, lock = {p = 0x6d79732d656d756c, i = {1701672300, 1836675885}},
    name = 0x75612063696c6f62 <error: Cannot access memory at address 0x75612063696c6f62>, parent = 0x626d79732d6f6964, flags = 1667853423, control_bindings = 0x6d756c6f762d6f69 = {<error reading variable:
    Cannot access memory at address 0x6d756c6f762d6f69>,
    priv = 0x657a69732c6f6964, _gst_reserved = {0x6c6163732c36313d, 0x6c7974732c313d65, 0x6f6c6f632c303d65, 0x66626661663d7372}}


    I can provide the core file if needed. The hardware is a laptop with
    AMD CPU/GPU running Debian testing.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
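
Added example, not part of the original report: the field values gdb printed for *device above are printable ASCII when laid out as little-endian bytes (x86-64, per the backtrace), so the memory at that address holds text rather than a GstDevice. The function names are hypothetical; the numeric values are copied from the gdb output, with the layout tidied.

```python
import re
import string

# Printable ASCII including space, excluding control whitespace.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")

# Values copied from the `p *device` output in the report (layout tidied).
GDB_PRINT = """
g_class = <error reading variable: Cannot access memory at address 0x732d6d756964656d>
ref_count = 1868721529, qdata = 0x6f762d6f69647561
lock = {p = 0x6d79732d656d756c, i = {1701672300, 1836675885}}
name = 0x75612063696c6f62, parent = 0x626d79732d6f6964, flags = 1667853423
priv = 0x657a69732c6f6964
_gst_reserved = {0x6c6163732c36313d, 0x6c7974732c313d65, 0x6f6c6f632c303d65, 0x66626661663d7372}
"""


def decode_word(value, width):
    """Return value's little-endian bytes as text, or None if any byte
    is not printable ASCII (as with a genuine heap or stack pointer)."""
    raw = value.to_bytes(width, "little")
    if all(b in PRINTABLE for b in raw):
        return raw.decode("ascii")
    return None


def decode_dump(text):
    """Decode every numeric literal in a gdb struct print.
    Hex literals are treated as 8-byte pointers, decimals as 4-byte ints."""
    results = []
    for tok in re.findall(r"0x[0-9a-f]+|\b\d+\b", text):
        if tok.startswith("0x"):
            results.append((tok, decode_word(int(tok, 16), 8)))
        else:
            results.append((tok, decode_word(int(tok), 4)))
    return results


if __name__ == "__main__":
    for tok, decoded in decode_dump(GDB_PRINT):
        print(f"{tok:>20}  {decoded!r}")
    # For contrast: the `device` pointer itself from frame #0 is not text.
    print(decode_word(0x00007F8378029C00, 8))
```

Every field decodes to a text fragment, while the real `device` pointer from frame #0 does not.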
  • From Luca Boccassi@21:1/5 to All on Fri Apr 11 15:00:02 2025
    One more detail: this seems related to bluetooth. If I disable
    bluetooth at least once (even if it's re-enabled later), the crash can
    no longer be reproduced.

  • From Luca Boccassi@21:1/5 to jeremy.bicha@canonical.com on Sun May 18 16:20:01 2025
    On Mon, 28 Apr 2025 19:43:48 -0400 Jeremy Bícha <jeremy.bicha@canonical.com> wrote:
    > On Wed, Apr 9, 2025 at 4:18 PM Luca Boccassi <bluca@debian.org> wrote:
    > > Starting today, gnome-shell has started crashing with a segfault when
    > > I lock the desktop with super + L. I can reproduce consistently.
    >
    > Are you still experiencing this issue? gnome-shell was updated to 48.1
    > recently and bluez is a newer version than when you reported this issue.

    Well, the good news is that Gnome doesn't crash anymore. The bad news
    is that's probably because Bluetooth doesn't work anymore in the first
    place :-)

    Clicking on the 'on' toggle in the gnome-settings panel just
    immediately turns off again, and in the journal I can see:

    May 18 15:10:25 p16s systemd[2230]: Started app-gnome-gnome\x2dbluetooth\x2dpanel-82800.scope - Application launched by gnome-shell.
    May 18 15:10:25 p16s systemd[2230]: Starting obex.service - Bluetooth OBEX service...
    May 18 15:10:25 p16s obexd[82855]: OBEX daemon 5.82
    May 18 15:10:25 p16s systemd[2230]: Started obex.service - Bluetooth OBEX service.
    May 18 15:10:34 p16s gnome-control-c[82800]: Failed to register object: An object is already exported for the interface org.bluez.Agent1 at /org/gnome/bluetooth/settings


    I do not use bluetooth for anything, so I won't spend time digging
    deeper. Please feel free to close as unreproducible if you wish to do
    so.
