gnome-shell crashes on dereferencing a destroyed wrapper object
I've noticed this using an extension that will crash when setting a property to an object on callback.
At that point the wrapper has already been deleted (as per commit c0003eb5) and the object is disposed (but not finalized).
#0 0x00007ffff6fcf164 in GjsMaybeOwned<JSObject*>::get (this=0x555559105910)
at ../../gjs/gjs/jsapi-util-root.h:181
#1 0x00007ffff6fcebaa in GjsMaybeOwned<JSObject*>::operator JSObject* const (this=0x555559105910)
at ../../gjs/gjs/jsapi-util-root.h:183
#2 0x00007ffff6fce8ee in ObjectInstance::wrapper (this=0x555559105900) at ../../gjs/gi/object.h:335
#3 0x00007ffff6fe1ff5 in ObjectInstance::wrapper_from_gobject (cx=0x555555b463b0, gobj=0x555555f730c0)
at ../../gjs/gi/object.cpp:2446
#4 0x00007ffff7009a15 in gjs_value_from_g_value_internal (context=0x555555b463b0, value_p=...,
gvalue=0x7fffffff9400, no_copy=false, signal_query=0x0, arg_n=0) at ../../gjs/gi/value.cpp:836
#5 0x00007ffff700a62a in gjs_value_from_g_value (context=0x555555b463b0, value_p=..., gvalue=0x7fffffff9400)
at ../../gjs/gi/value.cpp:1042
#6 0x00007ffff6fd89c4 in ObjectInstance::prop_getter_impl (this=0x555557fc6620, cx=0x555555b463b0, name=...,
rval=...) at ../../gjs/gi/object.cpp:356
#7 0x00007ffff6fd871c in ObjectBase::prop_getter (cx=0x555555b463b0, argc=0, vp=0x7fffffff9698)
at ../../gjs/gi/object.cpp:325
#8 0x00007ffff4ec424b in CallJSNative (args=..., reason=js::CallReason::Getter,
native=0x7ffff6fd83ba <ObjectBase::prop_getter(JSContext*, unsigned int, JS::Value*)>, cx=0x555555b463b0)
at ./js/src/vm/Interpreter.cpp:493
#9 js::InternalCallOrConstruct (cx=0x555555b463b0, args=..., construct=<optimized out>,
reason=js::CallReason::Getter) at ./js/src/vm/Interpreter.cpp:585
#10 0x00007ffff4ec5021 in InternalCall (reason=js::CallReason::Getter, args=..., cx=0x555555b463b0)
at ./js/src/vm/Interpreter.cpp:648
#11 js::Call (reason=js::CallReason::Getter, rval=..., args=..., thisv=..., fval=..., cx=0x555555b463b0)
at ./js/src/vm/Interpreter.cpp:665
#12 js::CallGetter (cx=0x555555b463b0, thisv=..., getter=..., getter@entry=..., rval=...)
at ./js/src/vm/Interpreter.cpp:789
#13 0x00007ffff50c49a3 in CallGetter (cx=<optimized out>, obj=..., receiver=..., shape=..., vp=...)
at ./js/src/vm/NativeObject.cpp:2262
#14 0x00007ffff50c8fdf in GetExistingProperty<(js::AllowGC)1> (vp=..., shape=..., obj=..., receiver=...,
cx=0x555555b463b0) at ./js/src/vm/NativeObject.cpp:2313
#15 NativeGetPropertyInline<(js::AllowGC)1> (vp=..., nameLookup=NotNameLookup, id=..., receiver=..., obj=...,
cx=0x555555b463b0) at ./js/src/vm/NativeObject.cpp:2453
#16 js::NativeGetProperty (cx=0x555555b463b0, obj=..., receiver=..., id=..., vp=...)
at ./js/src/vm/NativeObject.cpp:2490
#17 0x00007ffff4ea5355 in js::GetProperty (vp=..., id=..., receiver=..., obj=..., cx=0x555555b463b0)
at ./debian/build/dist/include/js/RootingAPI.h:654
#18 js::GetProperty (vp=..., name=<optimized out>, receiver=..., obj=..., cx=0x555555b463b0)
at ./js/src/vm/ObjectOperations-inl.h:124
#19 js::GetProperty (cx=0x555555b463b0, v=..., name=..., vp=...) at ./js/src/vm/Interpreter.cpp:4701
#20 0x00007ffff4eb6bcb in GetPropertyOperation (vp=..., lval=..., pc=<optimized out>, script=...,
fp=<optimized out>, cx=<optimized out>) at ./js/src/vm/Interpreter.cpp:224
#21 Interpret (cx=0x555555b463b0, state=...) at ./js/src/vm/Interpreter.cpp:2992
#22 0x00007ffff4ec3c6e in js::RunScript (cx=0x555555b463b0, state=...) at ./js/src/vm/Interpreter.cpp:465
#23 0x00007ffff4ec4047 in js::InternalCallOrConstruct (cx=0x555555b463b0, args=..., construct=js::NO_CONSTRUCT,
reason=<optimized out>) at ./js/src/vm/Interpreter.cpp:620
#24 0x00007ffff4ec5193 in InternalCall (reason=js::CallReason::Call, args=..., cx=0x555555b463b0)
at ./js/src/vm/Interpreter.cpp:648
#25 js::Call (cx=cx@entry=0x555555b463b0, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=...,
rval=rval@entry=..., reason=reason@entry=js::CallReason::Call) at ./js/src/vm/Interpreter.cpp:665
#26 0x00007ffff54a6a1f in js::jit::InvokeFunction (cx=0x555555b463b0, obj=..., constructing=<optimized out>,
ignoresReturnValue=<optimized out>, argc=1, argv=0x7fffffffa1a0, rval=...) at ./js/src/jit/VMFunctions.cpp:269
#27 0x00007ffff54a6eca in js::jit::InvokeFromInterpreterStub (cx=<optimized out>, frame=0x7fffffffa178)
at ./js/src/jit/VMFunctions.cpp:289
On the JS side:
mar 23 15:10:57 Vanaheimr gnome-shell[31911]: == Stack trace for context 0x55dafb3661d0 ==
mar 23 15:10:57 Vanaheimr gnome-shell[31911]: #0 55dafcddc040 i extensions/appindicatorsupport@rgcjonas.gmail.com/appIndicator.js:723 (76159d8790 @ 74)
mar 23 15:10:57 Vanaheimr gnome-shell[31911]: #1 55dafcddbfb0 i extensions/appindicatorsupport@rgcjonas.gmail.com/appIndicator.js:755 (76159d86f0 @ 52)
mar 23 15:10:57 Vanaheimr gnome-shell[31911]: #2 55dafcddbee0 i self-hosted:850 (2f396a724380 @ 423)
mar 23 15:10:57 Vanaheimr gnome-shell[31911]: #3 7fff457a7d20 b resource:///org/gnome/gjs/modules/core/_signals.js:114 (18940c90e830 @ 439)
mar 23 15:10:57 Vanaheimr gnome-shell[31911]: #4 55dafcddbd48 i extensions/appindicatorsupport@rgcjonas.gmail.com/appIndicator.js:328 (76159d8f10 @ 22)
mar 23 15:10:57 Vanaheimr gnome-shell[31911]: #5 55dafcddbc90 i extensions/appindicatorsupport@rgcjonas.gmail.com/statusNotifierWatcher.js:124 (76159d8420 @ 132)
mar 23 15:10:57 Vanaheimr gnome-shell[31911]: #6 55dafcddbbe8 i extensions/appindicatorsupport@rgcjonas.gmail.com/statusNotifierWatcher.js:186 (76159d82e0 @ 659)
mar 23 15:10:57 Vanaheimr gnome-shell[31911]: #7 55dafcddbb00 i resource:///org/gnome/gjs/modules/core/overrides/Gio.js:354 (10f9160a4560 @ 955)
mar 23 15:10:57 Vanaheimr gnome-shell[31911]: #8 55dafcddba48 i resource:///org/gnome/gjs/modules/core/overrides/Gio.js:387 (10f9160a4420 @ 34)
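As an added illustration of the lifetime problem the report describes (this is a simplified model written for this page, not gjs's code and not the reporter's), the C++ below separates the three states a GObject passes through: alive with a JS wrapper, disposed (wrapper released, object still allocated and still able to run callbacks), and finalized. The type and function names (FakeGObject, ObjectInstance, JSWrapper, wrapper_from_gobject_unchecked, prop_getter) are invented stand-ins; the real gjs types are more involved. The hardened getter reports the disposed-but-not-finalized state instead of dereferencing the released wrapper, which is the check a property getter reached from a late signal callback needs.

```cpp
#include <cstdio>
#include <memory>
#include <string>

struct ObjectInstance;

// Hypothetical stand-in for a GObject: disposed at most once, finalized only
// when the last reference is dropped. Not GLib's real implementation.
struct FakeGObject {
    int ref_count = 1;
    bool disposed = false;
    bool finalized = false;
    ObjectInstance* instance = nullptr;  // back-pointer to the wrapper holder
};

struct JSWrapper {
    std::string name;  // stands in for the JS object's state
};

// Hypothetical per-object holder. The wrapper is "maybe owned": it is
// released on dispose, so it can be null while the GObject is still alive.
struct ObjectInstance {
    FakeGObject* gobj;
    std::unique_ptr<JSWrapper> wrapper;
    ObjectInstance(FakeGObject* g, std::string n)
        : gobj(g), wrapper(std::make_unique<JSWrapper>(JSWrapper{std::move(n)})) {
        g->instance = this;
    }
};

// Dispose: drop the JS wrapper but keep the GObject allocated. Signal
// handlers and property getters can still run against it after this point.
void fake_g_object_run_dispose(FakeGObject* g) {
    if (g->disposed) return;
    g->disposed = true;
    if (g->instance) g->instance->wrapper.reset();
}

// Unref: dispose on the last reference, then finalize (memory released).
void fake_g_object_unref(FakeGObject* g) {
    if (--g->ref_count > 0) return;
    fake_g_object_run_dispose(g);
    g->finalized = true;
}

// Unchecked lookup, shaped like the failing path in the trace above: returns
// whatever the holder has, which is nullptr once the object is disposed.
JSWrapper* wrapper_from_gobject_unchecked(FakeGObject* g) {
    return g->instance ? g->instance->wrapper.get() : nullptr;
}

enum class GetterResult { Ok, Disposed, NoWrapper };

// Hardened getter: surface the disposed-but-not-finalized state as an error
// instead of dereferencing a released wrapper.
GetterResult prop_getter(FakeGObject* g, std::string* out) {
    if (g->disposed) return GetterResult::Disposed;
    JSWrapper* w = wrapper_from_gobject_unchecked(g);
    if (!w) return GetterResult::NoWrapper;
    *out = w->name;
    return GetterResult::Ok;
}

// Replays the reported scenario: a callback reads a property before and after
// dispose. Returns the result of the post-dispose read.
GetterResult callback_after_dispose() {
    FakeGObject gobj;
    ObjectInstance inst(&gobj, "indicator");
    std::string value;
    prop_getter(&gobj, &value);          // Ok while the wrapper is alive
    fake_g_object_run_dispose(&gobj);    // wrapper released, object still allocated
    return prop_getter(&gobj, &value);   // must not touch the released wrapper
}

// True when, right after dispose, the object is still allocated but the
// unchecked lookup already yields a null wrapper (the state behind the crash).
bool wrapper_gone_before_finalize() {
    FakeGObject gobj;
    ObjectInstance inst(&gobj, "indicator");
    fake_g_object_run_dispose(&gobj);
    return gobj.disposed && !gobj.finalized &&
           wrapper_from_gobject_unchecked(&gobj) == nullptr;
}

int main() {
    GetterResult r = callback_after_dispose();
    std::printf("post-dispose getter: %s\n",
                r == GetterResult::Disposed ? "refused (object disposed)" : "ok");
    std::printf("wrapper gone before finalize: %s\n",
                wrapper_gone_before_finalize() ? "yes" : "no");
    return 0;
}
```

The point of the model is the window between dispose and finalize: the GObject is still valid memory and can still emit signals, so any accessor that assumes "object alive implies wrapper present" will read through a released pointer exactly as in the gdb frames above. Checking the disposed state (or the wrapper itself) at the getter is what turns that into a reportable error rather than a crash.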