ungoogled-chromium
Crashes on gcm::GCMClientImpl::StartGCM() ()
Describe the bug: ungoogled-chromium crashes in gcm::GCMClientImpl::StartGCM() with SIGSEGV.
To Reproduce: Steps to reproduce the behavior:
- Go to any Pleroma instance you can log in to, e.g. https://cdrom.tokyo/
- Register / log in
- Open settings
- Scroll down and enable "enable web push notifications" (only works when logged in)
- Wait or refresh the page -> crash
Expected behavior: No crashes.
Screenshots:
Thread 9 "Chrome_IOThread" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffe59c7700 (LWP 190671)]
0x000055555b16ed6d in gcm::GCMClientImpl::StartGCM() ()
Environment (please complete the following information):
- OS/Platform and version: Debian Linux x86 bullseye/sid
- ungoogled-chromium version: 89.0.4389.114-1.buster1
Additional context: The root cause is that the webpage tries to use WebPush, which relies on centralized servers (GCM, and whatever Apple/Mozilla use), but GCM isn't properly removed, and trying to use it causes a crash. It doesn't happen with that setting disabled, and it doesn't happen on stock chromium (as stock as Debian's gets).
I'm running 90.0.4430.85-1.sid1 on bullseye and I don't have this issue (but I skipped the register/login step). I also tried this, but I don't know if it would test the same thing: https://www.bennish.net/web-notifications.html
Can you confirm if upgrading solves the issue?
> I also tried this but I don't know if this would test the same thing

That looks like regular desktop notifications; WebPush is quite a different thing, and it seems the crash happens way before notifications are involved. It seems related to this: https://developer.mozilla.org/en-US/docs/Web/API/Push_API, which is why GCM is involved.

> Can you confirm if upgrading solves the issue?

I'm going to try it this weekend, if I can even install it, given that I don't really run sid besides a handful of packages.
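The reporter points at the Push API rather than plain desktop notifications as the trigger. The following is an added example, not code from the issue or from the ungoogled-chromium project: a minimal page script that walks the same path (service worker registration, then PushManager.subscribe), so the push-service start-up can be exercised without a Pleroma account. It assumes the page is served over https:// or from localhost and that an empty service worker file named sw.js sits next to it; the applicationServerKey is generated with Web Crypto instead of embedding a made-up VAPID key. Whether it reproduces the reporter's crash on a given build is for the tester to check.

```javascript
// Added example (not from the issue or the ungoogled-chromium project).
// Assumptions: served from https:// or localhost; an empty sw.js next to the page.

// applicationServerKey must be the raw, uncompressed P-256 public point:
// 65 bytes, first byte 0x04. Generating it with Web Crypto avoids embedding a
// fabricated VAPID key (a real push server would hold the matching private key).
async function makeApplicationServerKey() {
  const pair = await crypto.subtle.generateKey(
    { name: 'ECDH', namedCurve: 'P-256' }, true, ['deriveBits']);
  return new Uint8Array(await crypto.subtle.exportKey('raw', pair.publicKey));
}

// Check the key bytes before handing them to the browser: a wrong length or
// prefix makes subscribe() reject with InvalidAccessError before the push
// service is started, which would make the test inconclusive.
function isUncompressedP256Point(bytes) {
  return bytes instanceof Uint8Array && bytes.length === 65 && bytes[0] === 0x04;
}

// Convert a base64url VAPID public key (the form push servers usually hand out)
// into the Uint8Array subscribe() expects, for testing against a real server
// instead of the generated key above.
function base64UrlToBytes(s) {
  const padded = s + '='.repeat((4 - (s.length % 4)) % 4);
  const b64 = padded.replace(/-/g, '+').replace(/_/g, '/');
  const bin = typeof atob === 'function'
    ? atob(b64)
    : Buffer.from(b64, 'base64').toString('binary');
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

async function triggerPushSubscription() {
  const reg = await navigator.serviceWorker.register('sw.js');
  await navigator.serviceWorker.ready;
  const key = await makeApplicationServerKey();
  if (!isUncompressedP256Point(key)) throw new Error('bad P-256 key');
  // This call is what brings up the browser's push service (GCM in Chromium);
  // the reporter's backtrace shows the crash during that start-up.
  const sub = await reg.pushManager.subscribe({
    userVisibleOnly: true,
    applicationServerKey: key,
  });
  console.log('endpoint:', sub.endpoint);
  return sub;
}

// Only run the browser-side part when there is a browser.
if (typeof navigator !== 'undefined' && 'serviceWorker' in navigator) {
  triggerPushSubscription().catch((e) => console.error('subscribe failed:', e));
}
```

Load the script from a page whose origin also serves sw.js; the subscribe() call prompts for notification permission the first time, and with the GCM client broken the process is expected to die before an endpoint is printed.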
Is this still an issue?
need to check
Can't really test because ungoogled-chromium just crashes ~2 seconds after starting:
Gtk-Message: 11:39:28.149: Failed to load module "appmenu-gtk-module"
[4786:4786:1004/113928.430441:ERROR:gpu_init.cc(441)] Passthrough is not supported, GL is desktop
[4786:4786:1004/113928.474178:ERROR:sandbox_linux.cc(374)] InitializeSandbox() called with multiple threads in process gpu-process.
[4746:4797:1004/113929.091043:ERROR:ev_root_ca_metadata.cc(841)] Failed to register OID: 0
Received signal 11 SEGV_MAPERR 000000000000
#0 0x55b63a941023 (/usr/lib/chromium/chromium+0x4f86022)
#1 0x55b63a9d8d41 (/usr/lib/chromium/chromium+0x501dd40)
#2 0x7f731b5e58e0 (/lib/x86_64-linux-gnu/libpthread-2.32.so+0x138df)
#3 0x55b63c31b90d (/usr/lib/chromium/chromium+0x696090c)
#4 0x55b63c31fdfe (/usr/lib/chromium/chromium+0x6964dfd)
#5 0x55b63c356632 (/usr/lib/chromium/chromium+0x699b631)
#6 0x55b63c358553 (/usr/lib/chromium/chromium+0x699d552)
#7 0x55b63c357ed0 (/usr/lib/chromium/chromium+0x699cecf)
#8 0x55b63a99b2d9 (/usr/lib/chromium/chromium+0x4fe02d8)
#9 0x55b63a9ad2f9 (/usr/lib/chromium/chromium+0x4ff22f8)
#10 0x55b63a9acfb9 (/usr/lib/chromium/chromium+0x4ff1fb8)
#11 0x55b63a9ad962 (/usr/lib/chromium/chromium+0x4ff2961)
#12 0x55b63aa08be4 (/usr/lib/chromium/chromium+0x504dbe3)
#13 0x55b63a9adc26 (/usr/lib/chromium/chromium+0x4ff2c25)
#14 0x55b63a9811be (/usr/lib/chromium/chromium+0x4fc61bd)
#15 0x55b63a9c50a5 (/usr/lib/chromium/chromium+0x500a0a4)
#16 0x55b63870bd9d (/usr/lib/chromium/chromium+0x2d50d9c)
#17 0x55b63a9c5243 (/usr/lib/chromium/chromium+0x500a242)
#18 0x55b63a9eafcf (/usr/lib/chromium/chromium+0x502ffce)
#19 0x7f731b5daeae start_thread
r8: 00001661df7054f0 r9: 0000000000000000 r10: 00007f730bfa57dc r11: 00007f730bfa5738
r12: 00007f730bfa5990 r13: 00001661df7054f0 r14: 00007f730bfa5a08 r15: 00001661de7a7000
di: 0000000000000000 si: 410f490555de26bb bp: 00007f730bfa5900 bx: 0000000000000000
dx: 337d645c0aa15778 ax: 0000000000000000 cx: 00007f730bfa5990 sp: 00007f730bfa58c0
ip: 000055b63c31b0cd efl: 0000000000010206 cgf: 002b000000000033 erf: 0000000000000004
trp: 000000000000000e msk: 0000000000000000 cr2: 0000000000000000
[end of stack trace]
zsh: segmentation fault chromium
Doesn't happen with regular chromium.
This issue has been automatically closed as sufficient information hasn't been provided on the issue for further actions to be taken. Feel free to add more information.
Still crashing on keepa.com: macOS Chromium Version 96.0.4664.110 (Official Build, ungoogled-chromium) (x86_64) See https://github.com/Eloston/ungoogled-chromium/issues/1482#issuecomment-957313670
This issue has been automatically marked as stale as there has been no recent activity in response to our request for more information. Please respond so that we can proceed with this issue.
Still crashing on keepa.com: macOS Chromium Version 97.0.4692.71 (Official Build, ungoogled-chromium) (x86_64) See #1482
The crash still happens on my Arch Linux distribution of archlinuxcn/ungoogled-chromium 106.0.5249.119-2. Here's the full stack trace:
#0 0x0000556441058f3d in gcm::MCSClient::Login(unsigned long, unsigned long) ()
#1 0x000055644100b88b in gcm::GCMClientImpl::StartGCM() ()
#2 0x000055644100c2c5 in gcm::GCMClientImpl::OnLoadCompleted(std::unique_ptr<gcm::GCMStore::LoadResult, std::default_delete<gcm::GCMStore::LoadResult> >) ()
#3 0x000055644101220d in base::internal::Invoker<base::internal::BindState<void (gcm::GCMClientImpl::*)(std::unique_ptr<gcm::GCMStore::LoadResult, std::default_delete<gcm::GCMStore::LoadResult> >), base::WeakPtr<gcm::GCMClientImpl> >, void (std::unique_ptr<gcm::GCMStore::LoadResult, std::default_delete<gcm::GCMStore::LoadResult> >)>::RunOnce(base::internal::BindStateBase*, std::unique_ptr<gcm::GCMStore::LoadResult, std::default_delete<gcm::GCMStore::LoadResult> >&&) [clone .cfi] ()
#4 0x0000556441051868 in gcm::GCMStoreImpl::LoadContinuation(base::OnceCallback<void (std::unique_ptr<gcm::GCMStore::LoadResult, std::default_delete<gcm::GCMStore::LoadResult> >)>, std::unique_ptr<gcm::GCMStore::LoadResult, std::default_delete<gcm::GCMStore::LoadResult> >) ()
#5 0x0000556441054265 in base::internal::Invoker<base::internal::BindState<void (gcm::GCMStoreImpl::*)(base::OnceCallback<void (std::unique_ptr<gcm::GCMStore::LoadResult, std::default_delete<gcm::GCMStore::LoadResult> >)>, std::unique_ptr<gcm::GCMStore::LoadResult, std::default_delete<gcm::GCMStore::LoadResult> >), base::WeakPtr<gcm::GCMStoreImpl>, base::OnceCallback<void (std::unique_ptr<gcm::GCMStore::LoadResult, std::default_delete<gcm::GCMStore::LoadResult> >)> >, void (std::unique_ptr<gcm::GCMStore::LoadResult, std::default_delete<gcm::GCMStore::LoadResult> >)>::RunOnce(base::internal::BindStateBase*, std::unique_ptr<gcm::GCMStore::LoadResult, std::default_delete<gcm::GCMStore::LoadResult> >&&) [clone .cfi] ()
#6 0x0000556441053d6d in base::internal::Invoker<base::internal::BindState<base::OnceCallback<void (std::unique_ptr<gcm::GCMStore::LoadResult, std::default_delete<gcm::GCMStore::LoadResult> >)>, std::unique_ptr<gcm::GCMStore::LoadResult, std::default_delete<gcm::GCMStore::LoadResult> > >, void ()>::RunOnce(base::internal::BindStateBase*) [clone .cfi] ()
#7 0x000055643f1a635a in base::TaskAnnotator::RunTaskImpl(base::PendingTask&) ()
#8 0x000055643f1c2e66 in base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork() ()
#9 0x000055643f1c3825 in non-virtual thunk to base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork() ()
#10 0x000055643f2233f5 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) ()
#11 0x000055643f1c3c9d in base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::Run(bool, base::TimeDelta) ()
#12 0x000055643f186c86 in base::RunLoop::Run(base::Location const&) ()
#13 0x000055643c392084 in content::BrowserProcessIOThread::Run(base::RunLoop*) ()
#14 0x000055643f1e5c9e in base::Thread::ThreadMain() ()
#15 0x000055643f210531 in base::(anonymous namespace)::ThreadFunc(void*) [clone .40eb33ad012c024f6902bbb4bfb7b7da] [clone .cfi] ()
#16 0x00007fa25fa7f8fd in () at /usr/lib/libc.so.6
#17 0x00007fa25fb01a60 in () at /usr/lib/libc.so.6
Looks like it's because MCSClient isn't initialized:
(gdb) disassemble
Dump of assembler code for function _ZN3gcm9MCSClient5LoginEmm:
0x0000556441058f30 <+0>: push %rbp
0x0000556441058f31 <+1>: mov %rsp,%rbp
0x0000556441058f34 <+4>: push %r15
0x0000556441058f36 <+6>: push %r14
0x0000556441058f38 <+8>: push %rbx
0x0000556441058f39 <+9>: push %rax
0x0000556441058f3a <+10>: mov %rdi,%rbx
=> 0x0000556441058f3d <+13>: cmp %rsi,0x50(%rdi)
0x0000556441058f41 <+17>: je 0x556441058f51 <_ZN3gcm9MCSClient5LoginEmm+33>
0x0000556441058f43 <+19>: cmp %rdx,0x58(%rbx)
0x0000556441058f47 <+23>: je 0x556441058f51 <_ZN3gcm9MCSClient5LoginEmm+33>
0x0000556441058f49 <+25>: mov %rsi,0x50(%rbx)
0x0000556441058f4d <+29>: mov %rdx,0x58(%rbx)
0x0000556441058f51 <+33>: movabs $0xfffffffc00000000,%r15
...
(gdb) info registers rdi
rdi 0x0 0
```cpp
void MCSClient::Login(uint64 android_id, uint64 security_token) {
  DCHECK_EQ(state_, LOADED);
  DCHECK(android_id_ == 0 || android_id_ == android_id);  // crashes here because "this" is nullptr
  DCHECK(security_token_ == 0 || security_token_ == security_token);
```
To fix this, I believe https://github.com/ungoogled-software/ungoogled-chromium/blob/f1ae4578c808f0e7e28b188ee4ed5a458fe54d11/patches/core/ungoogled-chromium/disable-gcm.patch needs to be updated:
```cpp
void GCMClientImpl::StartGCM() {
  DCHECK(io_task_runner_->RunsTasksInCurrentSequence());

  // Taking over the value of account_mappings before passing the ownership of
  // load result to InitializeMCSClient.
  std::vector<AccountMapping> account_mappings;
  account_mappings.swap(load_result_->account_mappings);
  base::Time last_token_fetch_time = load_result_->last_token_fetch_time;

  InitializeMCSClient();  // The patch early returned to skip this function

  if (device_checkin_info_.IsValid()) {
    SchedulePeriodicCheckin();  // The patch removed the function body
    OnReady(account_mappings, last_token_fetch_time);  // <----- however, the patch didn't update this
    return;
  }

  state_ = INITIAL_DEVICE_CHECKIN;
  device_checkin_info_.Reset();

  DVLOG(1) << "Starting initial GCM checkin.";
  StartCheckin();
}
```
```cpp
void GCMClientImpl::OnReady(const std::vector<AccountMapping>& account_mappings,
                            const base::Time& last_token_fetch_time) {
  state_ = READY;
  StartMCSLogin();  // <---- and eventually calling this function, yielding the null dereferencing error

  delegate_->OnGCMReady(account_mappings, last_token_fetch_time);
}
```
Feel free to submit a PR for that.
This is an old issue, that didn't show much activity recently — closing. If you have any more information to add, let us know.