** Description changed:

  ## Summary
  GNOME Shell crashes with heap corruption after ejecting a CD. The ubuntu-dock 
extension attempts to access a GProxyVolume object that has already been 
disposed, causing memory corruption that leads to a crash.
  
- ## Steps to Reproduce
+ ## Steps to Reproduce (unfortunately, doesn't happen every time!)
  1. Insert an audio CD
  2. Eject the CD (via eject button, file manager, or application like whipper)
  3. GNOME Shell crashes immediately (within seconds)
  
  ## Environment
  - Ubuntu 25.10 (Questing)
  - GNOME Shell 49.0
  - gnome-shell-extension-ubuntu-dock 102ubuntu1
  
  ## Journal Log (relevant excerpts)
  
  **First CD eject (12:07) - errors but no crash:**
  ```
  Dec 23 12:07:16 lappy2 gnome-shell[5007]: glibtop(c=5007): [WARNING] statvfs 
'/run/user/1000/gvfs/cdda:host=sr0' failed: No such file or directory
  Dec 23 12:07:17 lappy2 gnome-shell[5007]: Object GProxyVolume 
(0x5b9bc9530a30), has been already disposed — impossible to access it. This 
might be caused by the object having been destroyed from C code using something 
such as destroy(), dispose(), or remove() vfuncs.
-                                           == Stack trace for context 
0x5b9bc1aeeeb0 ==
-                                           #0   5b9bc1bbb7a8 i   
file:///usr/share/gnome-shell/extensions/[email protected]/locations.js:504
 (2794e1aff290 @ 86)
-                                           #1   5b9bc1bbb6e0 i   
file:///usr/share/gnome-shell/extensions/[email protected]/locations.js:316
 (2794e1af8e20 @ 527)
+                                           == Stack trace for context 
0x5b9bc1aeeeb0 ==
+                                           #0   5b9bc1bbb7a8 i   
file:///usr/share/gnome-shell/extensions/[email protected]/locations.js:504
 (2794e1aff290 @ 86)
+                                           #1   5b9bc1bbb6e0 i   
file:///usr/share/gnome-shell/extensions/[email protected]/locations.js:316
 (2794e1af8e20 @ 527)
  Dec 23 12:07:17 lappy2 gnome-shell[5007]: Impossible to update icon for 
location:undefined: Gio.DBusError: Object does not exist at path 
"/org/gtk/vfs/mount/1"
  ```
  
  **Second CD eject (13:07) - immediate crash:**
  ```
  Dec 23 13:07:23 lappy2 gnome-shell[5007]: glibtop(c=5007): [WARNING] statvfs 
'/run/user/1000/gvfs/cdda:host=sr0' failed: No such file or directory
  Dec 23 13:08:07 lappy2 gnome-shell[5007]: malloc(): unaligned fastbin chunk 
detected
  Dec 23 13:08:07 lappy2 gnome-shell[5007]: GNOME Shell crashed with signal 6
  Dec 23 13:08:07 lappy2 gnome-shell[5007]: == Stack trace for context 
0x5b9bc1aeeeb0 ==
  Dec 23 13:08:07 lappy2 gnome-shell[5007]: #0   5b9bc1bbb6c0 i   
resource:///org/gnome/shell/ui/status/network.js:1261 (1250a1e8ce20 @ 55)
  Dec 23 13:08:07 lappy2 gnome-shell[5007]: #1   5b9bc1bbb638 i   
resource:///org/gnome/shell/ui/status/network.js:1106 (1250a1e8c880 @ 16)
  Dec 23 13:08:07 lappy2 gnome-shell[5007]: #2   5b9bc1bbb5a8 i   
resource:///org/gnome/shell/ui/init.js:21 (102b2b18d8d0 @ 48)
  ```
  
  ## Analysis
  The ubuntu-dock extension's `locations.js` (lines 316, 504) accesses a 
GProxyVolume object after the CD has been ejected and gvfs has disposed of the 
volume. This use-after-free corrupts heap memory, causing an immediate crash 
(signal 6 / SIGABRT from glibc's malloc corruption detection).
  
  ## Related Bugs
  - https://github.com/micheleg/dash-to-dock/issues/2255
  - https://bugs.launchpad.net/bugs/1856032

** Description changed:

  ## Summary
  GNOME Shell crashes with heap corruption after ejecting a CD. The ubuntu-dock 
extension attempts to access a GProxyVolume object that has already been 
disposed, causing memory corruption that leads to a crash.
  
- ## Steps to Reproduce (unfortunately, doesn't happen every time!)
+ ## Steps to Reproduce (doesn't happen every time, but often enough)
  1. Insert an audio CD
  2. Eject the CD (via eject button, file manager, or application like whipper)
  3. GNOME Shell crashes immediately (within seconds)
  
  ## Environment
  - Ubuntu 25.10 (Questing)
  - GNOME Shell 49.0
  - gnome-shell-extension-ubuntu-dock 102ubuntu1
  
  ## Journal Log (relevant excerpts)
  
  **First CD eject (12:07) - errors but no crash:**
  ```
  Dec 23 12:07:16 lappy2 gnome-shell[5007]: glibtop(c=5007): [WARNING] statvfs 
'/run/user/1000/gvfs/cdda:host=sr0' failed: No such file or directory
  Dec 23 12:07:17 lappy2 gnome-shell[5007]: Object GProxyVolume 
(0x5b9bc9530a30), has been already disposed — impossible to access it. This 
might be caused by the object having been destroyed from C code using something 
such as destroy(), dispose(), or remove() vfuncs.
                                            == Stack trace for context 
0x5b9bc1aeeeb0 ==
                                            #0   5b9bc1bbb7a8 i   
file:///usr/share/gnome-shell/extensions/[email protected]/locations.js:504
 (2794e1aff290 @ 86)
                                            #1   5b9bc1bbb6e0 i   
file:///usr/share/gnome-shell/extensions/[email protected]/locations.js:316
 (2794e1af8e20 @ 527)
  Dec 23 12:07:17 lappy2 gnome-shell[5007]: Impossible to update icon for 
location:undefined: Gio.DBusError: Object does not exist at path 
"/org/gtk/vfs/mount/1"
  ```
  
  **Second CD eject (13:07) - immediate crash:**
  ```
  Dec 23 13:07:23 lappy2 gnome-shell[5007]: glibtop(c=5007): [WARNING] statvfs 
'/run/user/1000/gvfs/cdda:host=sr0' failed: No such file or directory
  Dec 23 13:08:07 lappy2 gnome-shell[5007]: malloc(): unaligned fastbin chunk 
detected
  Dec 23 13:08:07 lappy2 gnome-shell[5007]: GNOME Shell crashed with signal 6
  Dec 23 13:08:07 lappy2 gnome-shell[5007]: == Stack trace for context 
0x5b9bc1aeeeb0 ==
  Dec 23 13:08:07 lappy2 gnome-shell[5007]: #0   5b9bc1bbb6c0 i   
resource:///org/gnome/shell/ui/status/network.js:1261 (1250a1e8ce20 @ 55)
  Dec 23 13:08:07 lappy2 gnome-shell[5007]: #1   5b9bc1bbb638 i   
resource:///org/gnome/shell/ui/status/network.js:1106 (1250a1e8c880 @ 16)
  Dec 23 13:08:07 lappy2 gnome-shell[5007]: #2   5b9bc1bbb5a8 i   
resource:///org/gnome/shell/ui/init.js:21 (102b2b18d8d0 @ 48)
  ```
  
  ## Analysis
  The ubuntu-dock extension's `locations.js` (lines 316, 504) accesses a 
GProxyVolume object after the CD has been ejected and gvfs has disposed of the 
volume. This use-after-free corrupts heap memory, causing an immediate crash 
(signal 6 / SIGABRT from glibc's malloc corruption detection).
  
  ## Related Bugs
  - https://github.com/micheleg/dash-to-dock/issues/2255
  - https://bugs.launchpad.net/bugs/1856032

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2137078

Title:
  GNOME Shell crashes after CD eject - ubuntu-dock accesses disposed
  GProxyVolume

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnome-shell-extension-ubuntu-dock/+bug/2137078/+subscriptions


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
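
The journal pattern in this report (a GJS "already disposed" warning, then a glibc heap-integrity abort later in the same gnome-shell process) can be searched for mechanically. The following is an added triage example, not part of the bug report or of ubuntu-dock; the regexes, the function name `triage` and the sample lines (rejoined from the excerpts above, plus one made-up line for PID 6120) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: modelled on the journal excerpts in the report, with
# wrapped lines rejoined; the PID 6120 line and its address are made up.
SAMPLE = """\
Dec 23 12:07:17 lappy2 gnome-shell[5007]: Object GProxyVolume (0x5b9bc9530a30), has been already disposed
Dec 23 12:07:17 lappy2 gnome-shell[5007]: Impossible to update icon for location:undefined: Gio.DBusError: Object does not exist at path "/org/gtk/vfs/mount/1"
Dec 23 13:08:07 lappy2 gnome-shell[5007]: malloc(): unaligned fastbin chunk detected
Dec 23 13:08:07 lappy2 gnome-shell[5007]: GNOME Shell crashed with signal 6
Dec 23 13:09:01 lappy2 gnome-shell[6120]: Object GProxyVolume (0x000000000000), has been already disposed
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ gnome-shell\[(\d+)\]: (.*)$")
DISPOSED = re.compile(r"Object (\w+) \((0x[0-9a-f]+)\), has been already disposed")
# Assumption: glibc heap-integrity aborts start with one of these prefixes.
HEAP = re.compile(r"^(?:(?:malloc|free|realloc)\(\): |double free or corruption|corrupted )")


def triage(journal_text):
    """Return (findings, pending).

    findings: one dict per heap-integrity abort, listing the disposed-object
              warnings the same PID logged earlier.
    pending:  PIDs that logged a disposed-object access but no abort so far.
    """
    disposed = defaultdict(list)  # pid -> [(timestamp, gtype, address)]
    aborted = set()
    findings = []
    for raw in journal_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # continuation line or another unit
        ts, pid, msg = m.groups()
        d = DISPOSED.search(msg)
        if d:
            disposed[pid].append((ts, d.group(1), d.group(2)))
        elif HEAP.search(msg):
            aborted.add(pid)
            findings.append({"pid": pid, "abort_at": ts, "abort_msg": msg,
                             "earlier_disposed": list(disposed.get(pid, []))})
    pending = sorted(p for p in disposed if p not in aborted)
    return findings, pending


if __name__ == "__main__":
    findings, pending = triage(SAMPLE)
    for f in findings:
        print(f["pid"], f["abort_at"], f["abort_msg"], f["earlier_disposed"])
    print("disposed-object access without abort so far:", pending)
```

The correlation is by PID only: it shows that the warning preceded the abort in the same process, not that one caused the other.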
