gjs-console running Extensions Manager crashes with free(): invalid pointer

Bug #2027986 reported by errors.ubuntu.com bug bridge
This bug affects 3 people
Affects         Status         Importance   Assigned to                 Milestone
gjs (Ubuntu)    Won't Fix      Undecided    Unassigned
gtk4 (Ubuntu)   Fix Released   High         Marco Trevisan (Treviño)
  Jammy         Fix Released   Undecided    Unassigned

Bug Description

[ Impact ]

gnome-shell-extensions-prefs may crash during shutdown because of wrong memory access:

Jul 14 18:52:30 zerocool gjs[114030]: Attempting to run a JS callback during garbage collection. This is most likely caused by destroying a Clutter actor or GTK widget with ::destroy signal connected, or using the destroy(), dispose(), or remove() vfuncs. Because it would crash the application, it has been blocked.
Jul 14 18:52:30 zerocool gjs[114030]: The offending callback was ScaleFormatValueFunc().
Jul 14 18:52:30 zerocool org.gnome.Shell.Extensions[114030]: == Stack trace for context 0x55d05b7f6170 ==
Jul 14 18:52:30 zerocool org.gnome.Shell.Extensions[114030]: #0 55d05b87d5b8 i resource:///org/gnome/Shell/Extensions/js/dbusService.js:186 (3d87eaadaab0 @ 257)
Jul 14 18:52:30 zerocool org.gnome.Shell.Extensions[114030]: #1 55d05b87d510 i resource:///org/gnome/Shell/Extensions/js/main.js:22 (3d87eaada4c0 @ 97)
Jul 14 18:52:30 zerocool org.gnome.Shell.Extensions[114030]: #2 55d05b87d478 i resource:///org/gnome/gjs/modules/script/package.js:206 (3d87eaac82e0 @ 45)
Jul 14 18:52:30 zerocool org.gnome.Shell.Extensions[114030]: #3 55d05b87d3f0 i resource:///org/gnome/gjs/modules/script/package.js:190 (3d87eaac8290 @ 37)
Jul 14 18:52:30 zerocool org.gnome.Shell.Extensions[114030]: #4 55d05b87d360 i /usr/share/gnome-shell/org.gnome.Shell.Extensions:1 (3d87eaac80b0 @ 52)
Jul 14 18:52:30 zerocool gjs[114030]: Invalid UTF-8 string passed to pango_layout_set_text()
Jul 14 18:52:30 zerocool org.gnome.Shell.Extensions[114030]: free(): invalid pointer

[ Test case ]

1. Save this script to a file (e.g. /tmp/test-gtk.js)

import Gtk from 'gi://Gtk?version=4.0';
const app = new Gtk.Application();
app.connect('activate', () => {
    const scale = new Gtk.Scale({drawValue: true});
    scale.set_format_value_func(() => '');
    new Gtk.Window({application: app, child: scale}).present();
});
app.run([]);

2. Run it via:

gjs -m /tmp/test-gtk.js

A new window should show.

3. Close the window, it should exit normally with no errors.

[ Regression potential ]

None known; the fix (https://gitlab.gnome.org/GNOME/gtk/-/commit/8b76cc841) only ensures that the adjustment property is used if it really was set.

-------

Other triggers:

7月 17 20:47:01 xsc-Lenovo-R720-15IKBN <email address hidden>[6819]: unable to update icon for software-update-available
7月 17 20:47:01 xsc-Lenovo-R720-15IKBN <email address hidden>[6819]: unable to update icon for livepatch
7月 17 20:47:03 xsc-Lenovo-R720-15IKBN gjs[7414]: Attempting to run a JS callback during garbage collection. This is most likely caused by destroying a Clutter actor or GTK widget with ::destroy signal connected, or using the destroy(), dispose(), or remove() vfuncs. Because it would crash the application, it has been blocked.
7月 17 20:47:03 xsc-Lenovo-R720-15IKBN gjs[7414]: The offending callback was ScaleFormatValueFunc().
7月 17 20:47:03 xsc-Lenovo-R720-15IKBN org.gnome.Shell.Extensions[7414]: == Stack trace for context 0x55674f538170 ==
7月 17 20:47:03 xsc-Lenovo-R720-15IKBN org.gnome.Shell.Extensions[7414]: #0 55674f5c27f8 i resource:///org/gnome/Shell/Extensions/js/dbusService.js:186 (330fd64daab0 @ 257)
7月 17 20:47:03 xsc-Lenovo-R720-15IKBN org.gnome.Shell.Extensions[7414]: #1 55674f5c2750 i resource:///org/gnome/Shell/Extensions/js/main.js:22 (330fd64da4c0 @ 97)
7月 17 20:47:03 xsc-Lenovo-R720-15IKBN org.gnome.Shell.Extensions[7414]: #2 55674f5c26b8 i resource:///org/gnome/gjs/modules/script/package.js:206 (330fd64c82e0 @ 45)
7月 17 20:47:03 xsc-Lenovo-R720-15IKBN org.gnome.Shell.Extensions[7414]: #3 55674f5c2630 i resource:///org/gnome/gjs/modules/script/package.js:190 (330fd64c8290 @ 37)
7月 17 20:47:03 xsc-Lenovo-R720-15IKBN org.gnome.Shell.Extensions[7414]: #4 55674f5c25a0 i /usr/share/gnome-shell/org.gnome.Shell.Extensions:1 (330fd64c80b0 @ 52)
7月 17 20:47:03 xsc-Lenovo-R720-15IKBN gjs[7414]: Invalid UTF-8 string passed to pango_layout_set_text()
7月 17 20:47:03 xsc-Lenovo-R720-15IKBN org.gnome.Shell.Extensions[7414]: free(): invalid pointer
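The two journal excerpts above share one signature: gjs blocks a JS callback during garbage collection, names the offending callback (ScaleFormatValueFunc), Pango then rejects an invalid UTF-8 string, and the process dies with free(): invalid pointer. The following is an added triage helper, not code from the bug report or from gjs/gtk, that scans journal lines for that sequence and groups it per PID so that a blocked callback that did not go on to crash can be told apart from one that did. The sample lines are constructed for the example (modelled on the excerpts above; the PID 115555 and the callback name SomeOtherCallback are invented), and the line layout assumed is the journalctl short format shown on this page.

```python
import re
from dataclasses import dataclass

# journalctl short format: "<month> <day> <time> <host> <unit>[<pid>]: <message>".
# The month is matched as any non-space token so a localized month such as "7月" also parses.
LINE_RE = re.compile(
    r'^(?P<ts>\S+\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+(?P<unit>.+?)\[(?P<pid>\d+)\]:\s(?P<msg>.*)$'
)

# Message fragments taken from the log lines in this bug report.
GC_BLOCKED = 'Attempting to run a JS callback during garbage collection'
OFFENDING_RE = re.compile(r'The offending callback was (?P<cb>\w+)\(\)')
INVALID_UTF8 = 'Invalid UTF-8 string passed to pango_layout_set_text()'
CRASH = 'free(): invalid pointer'


@dataclass
class Finding:
    pid: int
    host: str
    callback: str = ''       # name reported by "The offending callback was X()"
    invalid_utf8: bool = False
    crashed: bool = False    # True once "free(): invalid pointer" is seen for this PID


def scan_journal(lines):
    """Return one Finding per PID that logged a GC-blocked JS callback.

    Lines from PIDs that never logged the GC warning are ignored, so a stray
    "free(): invalid pointer" from an unrelated process is not attributed to gjs.
    """
    state = {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        pid, msg = int(m['pid']), m['msg']
        if GC_BLOCKED in msg:
            state.setdefault(pid, Finding(pid=pid, host=m['host']))
            continue
        if pid not in state:
            continue
        f = state[pid]
        cb = OFFENDING_RE.search(msg)
        if cb:
            f.callback = cb['cb']
        elif INVALID_UTF8 in msg:
            f.invalid_utf8 = True
        elif CRASH in msg:
            f.crashed = True
    return list(state.values())


def findings_by_pid(lines):
    """Convenience wrapper: map PID -> Finding."""
    return {f.pid: f for f in scan_journal(lines)}


# Constructed sample journal (based on the excerpts in this bug; PID 115555 is invented).
SAMPLE_JOURNAL = """\
Jul 14 18:52:29 zerocool gjs[114030]: unrelated message that must be ignored
Jul 14 18:52:30 zerocool gjs[114030]: Attempting to run a JS callback during garbage collection. This is most likely caused by destroying a Clutter actor or GTK widget with ::destroy signal connected, or using the destroy(), dispose(), or remove() vfuncs. Because it would crash the application, it has been blocked.
Jul 14 18:52:30 zerocool gjs[114030]: The offending callback was ScaleFormatValueFunc().
Jul 14 18:52:30 zerocool org.gnome.Shell.Extensions[114030]: == Stack trace for context 0x55d05b7f6170 ==
Jul 14 18:52:30 zerocool org.gnome.Shell.Extensions[114030]: #0 55d05b87d5b8 i resource:///org/gnome/Shell/Extensions/js/dbusService.js:186 (3d87eaadaab0 @ 257)
Jul 14 18:52:30 zerocool gjs[114030]: Invalid UTF-8 string passed to pango_layout_set_text()
Jul 14 18:52:30 zerocool org.gnome.Shell.Extensions[114030]: free(): invalid pointer
Jul 14 18:53:01 zerocool gjs[115555]: Attempting to run a JS callback during garbage collection. Because it would crash the application, it has been blocked.
Jul 14 18:53:01 zerocool gjs[115555]: The offending callback was SomeOtherCallback().
Jul 14 18:53:02 zerocool gnome-shell[4242]: free(): invalid pointer
""".splitlines()


if __name__ == '__main__':
    for f in scan_journal(SAMPLE_JOURNAL):
        outcome = 'crashed' if f.crashed else 'blocked only'
        print(f'{f.host} pid={f.pid} callback={f.callback or "?"} '
              f'invalid_utf8={f.invalid_utf8} -> {outcome}')
```

On a real system the input would come from `journalctl -o short --no-pager | python3 scan.py` with the sample replaced by `sys.stdin`; the per-PID grouping matters because the GC warning alone is only a symptom gjs has already neutralised, while the same PID later reporting free(): invalid pointer is the crash this bug tracks.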

---

The Ubuntu Error Tracker has been receiving reports about a problem regarding gjs. This problem was most recently seen with package version 1.74.0-1, the problem page at https://errors.ubuntu.com/problem/2c4ff471793184d6a5b3a47cee9dcbe517920a3a contains more details, including versions of packages affected, stacktrace or traceback, and individual crash reports.
If you do not have access to the Ubuntu Error Tracker and are a software developer, you can request it at http://forms.canonical.com/reports/.

description: updated
summary: - /usr/bin/gjs-console:free(): invalid pointer
+ gjs-console crashes with free(): invalid pointer
description: updated
Marco Trevisan (Treviño) (3v1n0) wrote :

This doesn't seem something easy to understand, because `org.gnome.Shell.Extensions` could be loading *ANY* kind of javascript code that is imported from gnome extensions.

Some of this code is definitely setting a wrong pango text, and gjs thus doesn't free it properly.

It could also be an issue due to wrong JS-string -> C-string mapping in gjs, but it's very hard to reproduce for me.

summary: - gjs-console crashes with free(): invalid pointer
+ gjs-console running Extensions Manager crashes with free(): invalid
+ pointer
Changed in gjs (Ubuntu):
status: New → Triaged
Changed in gjs (Ubuntu):
status: Triaged → Won't Fix
Changed in gtk4 (Ubuntu):
status: New → Triaged
no longer affects: gjs (Ubuntu Jammy)
Changed in gtk4 (Ubuntu Jammy):
status: New → In Progress
Marco Trevisan (Treviño) (3v1n0) wrote :

As per further analysis it seems that this bug has always been there in 42 series, however the traces are normally caused by some extensions settings, for example:

 - https://github.com/micheleg/dash-to-dock/issues/1743
 - https://github.com/home-sweet-gnome/dash-to-panel/issues/1783

While something like this had already been fixed for some cases in GLib (included in 1.72, part of gnome 42 and so jammy): https://gitlab.gnome.org/GNOME/gjs/-/issues/445

The bug has been found in gtk, though, and fixed by https://gitlab.gnome.org/GNOME/gtk/-/merge_requests/5061

Changed in gtk4 (Ubuntu):
status: Triaged → Fix Released
importance: Undecided → High
assignee: nobody → Marco Trevisan (Treviño) (3v1n0)
description: updated
Steve Langasek (vorlon) wrote : Please test proposed package

Hello errors.ubuntu.com, or anyone else affected,

Accepted gtk4 into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/gtk4/4.6.9+ds-0ubuntu0.22.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in gtk4 (Ubuntu Jammy):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-jammy
Marco Trevisan (Treviño) (3v1n0) wrote :

Tested the new version; it works without errors.

❯ apt-cache policy libgtk-4-1
libgtk-4-1:
  Installed: 4.6.9+ds-0ubuntu0.22.04.1
  Candidate: 4.6.9+ds-0ubuntu0.22.04.1
  Version table:
 *** 4.6.9+ds-0ubuntu0.22.04.1 400
        400 http://archive.ubuntu.com/ubuntu jammy-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     4.6.6+ds-0ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
     4.6.2+ds-1ubuntu2 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages

Before upgrading:

❯ gjs -m /tmp/error.js

(gjs:8879): Gjs-CRITICAL **: 10:47:25.041: Attempting to run a JS callback during garbage collection. This is most likely caused by destroying a Clutter actor or GTK widget with ::destroy signal connected, or using the destroy(), dispose(), or remove() vfuncs. Because it would crash the application, it has been blocked.

(gjs:8879): Gjs-CRITICAL **: 10:47:25.041: The offending callback was ScaleFormatValueFunc().
== Stack trace for context 0x5634d50d9180 ==

(gjs:8879): Pango-WARNING **: 10:47:25.041: Invalid UTF-8 string passed to pango_layout_set_text()
free(): invalid pointer
[1] 8879 IOT instruction (core dumped) gjs -m /tmp/error.js

marco-ThinkPad-X1-Carbon-7th ~ 8s SIGIOT(6) 10:47:27
❯ apt-cache policy libgtk-4-1
libgtk-4-1:
  Installed: 4.6.6+ds-0ubuntu1
  Candidate: 4.6.6+ds-0ubuntu1
  Version table:
     4.6.9+ds-0ubuntu0.22.04.1 400
        400 http://archive.ubuntu.com/ubuntu jammy-proposed/main amd64 Packages
 *** 4.6.6+ds-0ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     4.6.2+ds-1ubuntu2 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages

tags: added: verification-done verification-done-jammy
removed: verification-needed verification-needed-jammy
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for gtk4 has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gtk4 - 4.6.9+ds-0ubuntu0.22.04.1

---------------
gtk4 (4.6.9+ds-0ubuntu0.22.04.1) jammy; urgency=medium

  * New upstream release (LP: #2028005)
  * debian/gbp.conf: Use upstream/4.6.x for upstream branch
  * debian/patches: Refresh git indexes
  * debian/patches: Properly handle gtk scale adjustment property (LP: #2027986)

 -- Marco Trevisan (Treviño) <email address hidden> Mon, 17 Jul 2023 19:53:19 +0200

Changed in gtk4 (Ubuntu Jammy):
status: Fix Committed → Fix Released