[SRU][regression] mozjs60 crashes with SIGSEGV on gnome-shell exit, in GetPropertyOperation() from Interpret() from js::RunScript()

Bug #1796238 reported by Daniel van Vugt
This bug affects 2 people
Affects             Status        Importance  Assigned to       Milestone
gjs (Ubuntu)        Fix Released  Medium      Andrea Azzarone
  Cosmic            Fix Released  Medium      Andrea Azzarone
mozjs60 (Ubuntu)    Invalid       Medium      Unassigned
  Cosmic            Invalid       Medium      Unassigned

Bug Description

[Impact]
gnome-shell crashes on shutdown and on `gnome-shell --replace`. A proper fix for `gnome-shell --replace` requires mutter 3.30.2-1 too.

[Test Case]
Given https://wiki.ubuntu.com/StableReleaseUpdates/GNOME, we don't need to explicitly test this fix, but the SRU will be more generally verified by the testing outlined in bug #1804641.

[Regression Potential]
The new stable version of gjs includes changes to fix random crashes when a gjs application is closed. Possible regressions are leaks and other crashes but none has been observed until now.

[Original Bug]
https://errors.ubuntu.com/problem/f64145b51a9d0fd20bfff57836b8f743e56c50ba
https://gitlab.gnome.org/GNOME/gjs/issues/212

---

mozjs60 crashes on gnome-shell exit (didn't happen with mozjs52 which was still the latest yesterday)

Steps to reproduce:

1. Start gnome-shell (master)
2. Super+A to show applications
3. Alt+F2 and type "debugexit" to exit cleanly.

Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00007f3bf4033a4e in GetPropertyOperation (vp=..., lval=...,
    pc=<optimised out>, script=..., fp=<optimised out>, cx=<optimised out>)
    at ./js/src/vm/JSContext.h:161
161 ./js/src/vm/JSContext.h: No such file or directory.
[Current thread is 1 (Thread 0x7f3bebd2e340 (LWP 4269))]
(gdb) bt
#0 0x00007f3bf4033a4e in GetPropertyOperation
    (vp=..., lval=..., pc=<optimised out>, script=..., fp=<optimised out>, cx=<optimised out>) at ./js/src/vm/JSContext.h:161
#1 0x00007f3bf4033a4e in Interpret(JSContext*, js::RunState&)
    (cx=0x55d07921beb0, state=...) at ./js/src/vm/Interpreter.cpp:2834
#2 0x00007f3bf403eb06 in js::RunScript(JSContext*, js::RunState&)
    (cx=0x55d07921beb0, state=...) at ./js/src/vm/Interpreter.cpp:418
#3 0x00007f3bf403f0d1 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)
    (cx=0x55d07921beb0, args=..., construct=<optimised out>)
    at ./js/src/vm/Interpreter.cpp:490
#4 0x00007f3bf403f339 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>)
    (cx=cx@entry=0x55d07921beb0, fval=..., fval@entry=..., thisv=...,
    thisv@entry=..., args=..., rval=...) at ./js/src/vm/Interpreter.cpp:536
#5 0x00007f3bf4372b81 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) (cx=0x55d07921beb0, obj=..., fval=..., args=..., rval=...)
    at ./debian/build/dist/include/js/RootingAPI.h:1128
#6 0x00007f3bf7631310 in gjs_call_function_value () at /usr/lib/libgjs.so.0
#7 0x00007f3bf76045d5 in gjs_closure_invoke () at /usr/lib/libgjs.so.0
#8 0x00007f3bf7625573 in () at /usr/lib/libgjs.so.0
#9 0x00007f3bf7f65b6d in g_closure_invoke ()
    at /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#10 0x00007f3bf7f788f3 in () at /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#11 0x00007f3bf7f81882 in g_signal_emit_valist ()
    at /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#12 0x00007f3bf7f81ecf in g_signal_emit ()
    at /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#13 0x00007f3bf74a9c33 in clutter_actor_dispose (object=0x55d0795aa5c0)
    at clutter-actor.c:5932
#14 0x00007f3bf70529b4 in st_widget_dispose (gobject=0x55d0795aa5c0)
    at ../src/st/st-widget.c:354
#15 0x00007f3bf7025d48 in st_bin_dispose (gobject=0x55d0795aa5c0)
    at ../src/st/st-bin.c:188
#16 0x00007f3bf7f6c448 in g_object_run_dispose ()
    at /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#17 0x00007f3bf749d023 in clutter_actor_destroy (self=0x55d0795aa5c0)
    at clutter-actor.c:8615
#18 0x00007f3bf74a4404 in clutter_actor_iter_destroy (iter=0x7fff3285e4e0)
    at clutter-actor.c:19002
#19 0x00007f3bf74a44b8 in clutter_actor_real_destroy (actor=0x55d0795a9ba0)
    at clutter-actor.c:6264
#20 0x00007f3bf7f65b6d in g_closure_invoke ()
    at /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#21 0x00007f3bf7f78c4a in () at /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#22 0x00007f3bf7f81882 in g_signal_emit_valist ()
    at /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#23 0x00007f3bf7f81ecf in g_signal_emit ()
    at /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#24 0x00007f3bf74a9c33 in clutter_actor_dispose (object=0x55d0795a9ba0)
    at clutter-actor.c:5932
#25 0x00007f3bf70529b4 in st_widget_dispose (gobject=0x55d0795a9ba0)
    at ../src/st/st-widget.c:354
#26 0x00007f3bf7f6c448 in g_object_run_dispose ()
    at /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#27 0x00007f3bf749d023 in clutter_actor_destroy (self=0x55d0795a9ba0)
    at clutter-actor.c:8615
#28 0x00007f3bf7025cf5 in st_bin_dispose (gobject=0x55d0795a8260)
    at ../src/st/st-bin.c:185
#29 0x00007f3bf7f6ac13 in g_object_unref ()
    at /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#30 0x00007f3bf7610f5e in ObjectInstance::release_native_object() ()
    at /usr/lib/libgjs.so.0
#31 0x00007f3bf7618496 in ObjectInstance::disassociate_js_gobject() ()
    at /usr/lib/libgjs.so.0
#32 0x00007f3bf76140cc in ObjectInstance::remove_wrapped_gobjects_if(std::function<bool (ObjectInstance*)>, std::function<void (ObjectInstance*)>) ()
    at /usr/lib/libgjs.so.0
#33 0x00007f3bf76141a4 in () at /usr/lib/libgjs.so.0

summary: - mozjs60 crashes on gnome-shell exit (didn't happen with mozjs52)
+ [regression] mozjs60 crashes on gnome-shell exit (didn't happen with
+ mozjs52)
description: updated
description: updated
description: updated
summary: - [regression] mozjs60 crashes on gnome-shell exit (didn't happen with
- mozjs52)
+ [regression] mozjs60 crashes with SIGSEGV on gnome-shell exit, in
+ GetPropertyOperation() from Interpret() from js::RunScript()
Daniel van Vugt (vanvugt) wrote : Re: [regression] mozjs60 crashes with SIGSEGV on gnome-shell exit, in GetPropertyOperation() from Interpret() from js::RunScript()

Too hard right now. If this affects regular users then the crash should start showing up soon on errors.ubuntu.com. So I will wait and see.

Changed in mozjs60 (Ubuntu):
status: New → Incomplete
Changed in gjs (Ubuntu):
status: New → Incomplete
description: updated
tags: added: rls-cc-incoming
Iain Lane (laney) wrote :

I did make this happen with 1.54.0 and 1.54.1 (about to be uploaded). But only when using "debugexit" - normal logout, reboot and fast user switching all worked without crashing. Can you confirm that?

I would like to see this forwarded to (gjs initially) upstream, please.

Iain Lane (laney) wrote :
description: updated
Daniel van Vugt (vanvugt) wrote :
description: updated
Changed in gjs (Ubuntu):
status: Incomplete → Confirmed
Changed in mozjs60 (Ubuntu):
status: Incomplete → Confirmed
description: updated
Changed in gjs (Ubuntu):
importance: Undecided → Medium
Changed in mozjs60 (Ubuntu):
importance: Undecided → Medium
Will Cooke (willcooke)
Changed in gjs (Ubuntu):
assignee: nobody → Andrea Azzarone (azzar1)
Iain Lane (laney)
tags: removed: rls-cc-incoming
Iain Lane (laney)
Changed in mozjs60 (Ubuntu Cosmic):
status: Confirmed → Invalid
Andrea Azzarone (azzar1) wrote :
Changed in gjs (Ubuntu Cosmic):
status: Confirmed → In Progress
Marco Trevisan (Treviño) (3v1n0) wrote :

Please also include this change when backporting
https://gitlab.gnome.org/GNOME/gjs/merge_requests/240

Andrea Azzarone (azzar1) wrote :

Fix released in disco with gjs (1.54.3-1)

Changed in gjs (Ubuntu):
status: In Progress → Fix Released
Andrea Azzarone (azzar1)
description: updated
summary: - [regression] mozjs60 crashes with SIGSEGV on gnome-shell exit, in
+ [SRU][regression] mozjs60 crashes with SIGSEGV on gnome-shell exit, in
GetPropertyOperation() from Interpret() from js::RunScript()
Iain Lane (laney)
description: updated
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Daniel, or anyone else affected,

Accepted gjs into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/gjs/1.54.3-1~ubuntu18.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification. Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in gjs (Ubuntu Cosmic):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-cosmic
Daniel van Vugt (vanvugt) wrote :

Fix verified on cosmic in gjs version 1.54.3-1~ubuntu18.10.1

As an added bonus, bug 1803271 is also fixed :)

tags: added: verification-done verification-done-cosmic
removed: verification-needed verification-needed-cosmic
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gjs - 1.54.3-1~ubuntu18.10.1

---------------
gjs (1.54.3-1~ubuntu18.10.1) cosmic; urgency=medium

  * No-change SRU backport from unstable / disco to cosmic (LP: #1804641)
  * Also fixes crash on `gnome-shell --replace' (LP: #1796238)

gjs (1.54.3-1) unstable; urgency=medium

  * Team upload
  * New upstream release
  * Force time zone to UTC when running tests.
    This hopefully fixes FTBFS in the pathological time zone used to test
    reproducible builds.

gjs (1.54.2-1) unstable; urgency=medium

  * Team upload
  * Upload to unstable (starts transition: #906016)
  * d/watch: Only watch for versions from a stable branch
  * New upstream release
  * Bump Standards-Version to 4.2.1 (no changes required)
  * Use dpkg's default.mk to get upstream version number for dependencies.
    This avoids relying on the differently-named variables in
    gnome-get-source.mk, and also does the right thing if gjs ever gains
    an epoch.
  * d/rules: Remove gnome-get-source.mk (please use uscan instead)

 -- Iain Lane <email address hidden> Thu, 22 Nov 2018 12:21:13 +0000

Changed in gjs (Ubuntu Cosmic):
status: Fix Committed → Fix Released
Chris Halse Rogers (raof) wrote : Update Released

The verification of the Stable Release Update for gjs has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
