[SRU][regression] mozjs60 crashes with SIGSEGV on gnome-shell exit, in GetPropertyOperation() from Interpret() from js::RunScript()

Bug #1796238 reported by Daniel van Vugt on 2018-10-05
This bug affects 2 people

Affects              Status  Importance  Assigned to      Milestone
gjs (Ubuntu)                 Medium      Andrea Azzarone
  Cosmic                     Medium      Andrea Azzarone
mozjs60 (Ubuntu)             Medium      Unassigned
  Cosmic                     Medium      Unassigned

Bug Description

[Impact]
gnome-shell crashes on shutdown and on `gnome-shell --replace`. A proper fix for `gnome-shell --replace` requires mutter 3.30.2-1 too.

[Test Case]
Given https://wiki.ubuntu.com/StableReleaseUpdates/GNOME, we don't need to explicitly test this fix, but the SRU will be more generally verified by the testing outlined in bug #1804641.

[Regression Potential]
The new stable version of gjs includes changes to fix random crashes when a gjs application is closed. Possible regressions are leaks and other crashes, but none have been observed so far.

[Original Bug]
https://errors.ubuntu.com/problem/f64145b51a9d0fd20bfff57836b8f743e56c50ba
https://gitlab.gnome.org/GNOME/gjs/issues/212

---

mozjs60 crashes on gnome-shell exit (didn't happen with mozjs52 which was still the latest yesterday)

Steps to reproduce:

1. Start gnome-shell (master)
2. Super+A to show applications
3. Alt+F2 and type "debugexit" to exit cleanly.

Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00007f3bf4033a4e in GetPropertyOperation (vp=..., lval=...,
    pc=<optimised out>, script=..., fp=<optimised out>, cx=<optimised out>)
    at ./js/src/vm/JSContext.h:161
161 ./js/src/vm/JSContext.h: No such file or directory.
[Current thread is 1 (Thread 0x7f3bebd2e340 (LWP 4269))]
(gdb) bt
#0 0x00007f3bf4033a4e in GetPropertyOperation
    (vp=..., lval=..., pc=<optimised out>, script=..., fp=<optimised out>, cx=<optimised out>) at ./js/src/vm/JSContext.h:161
#1 0x00007f3bf4033a4e in Interpret(JSContext*, js::RunState&)
    (cx=0x55d07921beb0, state=...) at ./js/src/vm/Interpreter.cpp:2834
#2 0x00007f3bf403eb06 in js::RunScript(JSContext*, js::RunState&)
    (cx=0x55d07921beb0, state=...) at ./js/src/vm/Interpreter.cpp:418
#3 0x00007f3bf403f0d1 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)
    (cx=0x55d07921beb0, args=..., construct=<optimised out>)
    at ./js/src/vm/Interpreter.cpp:490
#4 0x00007f3bf403f339 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>)
    (cx=cx@entry=0x55d07921beb0, fval=..., fval@entry=..., thisv=...,
    thisv@entry=..., args=..., rval=...) at ./js/src/vm/Interpreter.cpp:536
#5 0x00007f3bf4372b81 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) (cx=0x55d07921beb0, obj=..., fval=..., args=..., rval=...)
    at ./debian/build/dist/include/js/RootingAPI.h:1128
#6 0x00007f3bf7631310 in gjs_call_function_value () at /usr/lib/libgjs.so.0
#7 0x00007f3bf76045d5 in gjs_closure_invoke () at /usr/lib/libgjs.so.0
#8 0x00007f3bf7625573 in () at /usr/lib/libgjs.so.0
#9 0x00007f3bf7f65b6d in g_closure_invoke ()
    at /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#10 0x00007f3bf7f788f3 in () at /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#11 0x00007f3bf7f81882 in g_signal_emit_valist ()
    at /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#12 0x00007f3bf7f81ecf in g_signal_emit ()
    at /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#13 0x00007f3bf74a9c33 in clutter_actor_dispose (object=0x55d0795aa5c0)
    at clutter-actor.c:5932
#14 0x00007f3bf70529b4 in st_widget_dispose (gobject=0x55d0795aa5c0)
    at ../src/st/st-widget.c:354
#15 0x00007f3bf7025d48 in st_bin_dispose (gobject=0x55d0795aa5c0)
    at ../src/st/st-bin.c:188
#16 0x00007f3bf7f6c448 in g_object_run_dispose ()
    at /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#17 0x00007f3bf749d023 in clutter_actor_destroy (self=0x55d0795aa5c0)
    at clutter-actor.c:8615
#18 0x00007f3bf74a4404 in clutter_actor_iter_destroy (iter=0x7fff3285e4e0)
    at clutter-actor.c:19002
#19 0x00007f3bf74a44b8 in clutter_actor_real_destroy (actor=0x55d0795a9ba0)
    at clutter-actor.c:6264
#20 0x00007f3bf7f65b6d in g_closure_invoke ()
    at /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#21 0x00007f3bf7f78c4a in () at /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#22 0x00007f3bf7f81882 in g_signal_emit_valist ()
    at /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#23 0x00007f3bf7f81ecf in g_signal_emit ()
    at /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#24 0x00007f3bf74a9c33 in clutter_actor_dispose (object=0x55d0795a9ba0)
    at clutter-actor.c:5932
#25 0x00007f3bf70529b4 in st_widget_dispose (gobject=0x55d0795a9ba0)
    at ../src/st/st-widget.c:354
#26 0x00007f3bf7f6c448 in g_object_run_dispose ()
    at /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#27 0x00007f3bf749d023 in clutter_actor_destroy (self=0x55d0795a9ba0)
    at clutter-actor.c:8615
#28 0x00007f3bf7025cf5 in st_bin_dispose (gobject=0x55d0795a8260)
    at ../src/st/st-bin.c:185
#29 0x00007f3bf7f6ac13 in g_object_unref ()
    at /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#30 0x00007f3bf7610f5e in ObjectInstance::release_native_object() ()
    at /usr/lib/libgjs.so.0
#31 0x00007f3bf7618496 in ObjectInstance::disassociate_js_gobject() ()
    at /usr/lib/libgjs.so.0
#32 0x00007f3bf76140cc in ObjectInstance::remove_wrapped_gobjects_if(std::function<bool (ObjectInstance*)>, std::function<void (ObjectInstance*)>) ()
    at /usr/lib/libgjs.so.0
#33 0x00007f3bf76141a4 in () at /usr/lib/libgjs.so.0

summary: - mozjs60 crashes on gnome-shell exit (didn't happen with mozjs52)
+ [regression] mozjs60 crashes on gnome-shell exit (didn't happen with
+ mozjs52)
description: updated
description: updated
description: updated
summary: - [regression] mozjs60 crashes on gnome-shell exit (didn't happen with
- mozjs52)
+ [regression] mozjs60 crashes with SIGSEGV on gnome-shell exit, in
+ GetPropertyOperation() from Interpret() from js::RunScript()

Too hard right now. If this affects regular users then the crash should start showing up soon on errors.ubuntu.com. So I will wait and see.

Changed in mozjs60 (Ubuntu):
status: New → Incomplete
Changed in gjs (Ubuntu):
status: New → Incomplete
description: updated
tags: added: rls-cc-incoming
Iain Lane (laney) wrote :

I did make this happen with 1.54.0 and 1.54.1 (about to be uploaded). But only when using "debugexit" - normal logout, reboot and fast user switching all worked without crashing. Can you confirm that?

I would like to see this forwarded to (gjs initially) upstream, please.

description: updated
Daniel van Vugt (vanvugt) wrote :
description: updated
Changed in gjs (Ubuntu):
status: Incomplete → Confirmed
Changed in mozjs60 (Ubuntu):
status: Incomplete → Confirmed
description: updated
Changed in gjs (Ubuntu):
importance: Undecided → Medium
Changed in mozjs60 (Ubuntu):
importance: Undecided → Medium
Will Cooke (willcooke) on 2018-10-09
Changed in gjs (Ubuntu):
assignee: nobody → Andrea Azzarone (azzar1)
Iain Lane (laney) on 2018-10-09
tags: removed: rls-cc-incoming
Iain Lane (laney) on 2018-10-11
Changed in mozjs60 (Ubuntu Cosmic):
status: Confirmed → Invalid
Andrea Azzarone (azzar1) wrote :
Changed in gjs (Ubuntu Cosmic):
status: Confirmed → In Progress

Please also include this change when backporting
https://gitlab.gnome.org/GNOME/gjs/merge_requests/240

Andrea Azzarone (azzar1) wrote :

Fix released in disco with gjs (1.54.3-1)

Changed in gjs (Ubuntu):
status: In Progress → Fix Released
Andrea Azzarone (azzar1) on 2018-11-21
description: updated
summary: - [regression] mozjs60 crashes with SIGSEGV on gnome-shell exit, in
+ [SRU][regression] mozjs60 crashes with SIGSEGV on gnome-shell exit, in
GetPropertyOperation() from Interpret() from js::RunScript()
Iain Lane (laney) on 2018-11-22
description: updated

Hello Daniel, or anyone else affected,

Accepted gjs into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/gjs/1.54.3-1~ubuntu18.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in gjs (Ubuntu Cosmic):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-cosmic
Daniel van Vugt (vanvugt) wrote :

Fix verified on cosmic in gjs version 1.54.3-1~ubuntu18.10.1

As an added bonus, bug 1803271 is also fixed :)

tags: added: verification-done verification-done-cosmic
removed: verification-needed verification-needed-cosmic
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gjs - 1.54.3-1~ubuntu18.10.1

---------------
gjs (1.54.3-1~ubuntu18.10.1) cosmic; urgency=medium

  * No-change SRU backport from unstable / disco to cosmic (LP: #1804641)
  * Also fixes crash on `gnome-shell --replace' (LP: #1796238)

gjs (1.54.3-1) unstable; urgency=medium

  * Team upload
  * New upstream release
  * Force time zone to UTC when running tests.
    This hopefully fixes FTBFS in the pathological time zone used to test
    reproducible builds.

gjs (1.54.2-1) unstable; urgency=medium

  * Team upload
  * Upload to unstable (starts transition: #906016)
  * d/watch: Only watch for versions from a stable branch
  * New upstream release
  * Bump Standards-Version to 4.2.1 (no changes required)
  * Use dpkg's default.mk to get upstream version number for dependencies.
    This avoids relying on the differently-named variables in
    gnome-get-source.mk, and also does the right thing if gjs ever gains
    an epoch.
  * d/rules: Remove gnome-get-source.mk (please use uscan instead)

 -- Iain Lane <email address hidden> Thu, 22 Nov 2018 12:21:13 +0000

Changed in gjs (Ubuntu Cosmic):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for gjs has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
