nautilus crashed due to nested update_node() calls

Bug #1053862 reported by Laura Czajkowski on 2012-09-21
642
This bug affects 82 people
Affects Status Importance Assigned to Milestone
GTK+
Won't Fix
Medium
gtk+3.0 (Ubuntu)
High
Michael Terry
Quantal
High
Michael Terry

Bug Description

Was using machine have browser open and terminal plus thunderbird, alt tabbing between things, nothing heavy running and the crash report appeared.

ProblemType: Crash
DistroRelease: Ubuntu 12.10
Package: nautilus 1:3.5.90.really.3.4.2-0ubuntu2
ProcVersionSignature: Ubuntu 3.5.0-15.22-generic 3.5.4
Uname: Linux 3.5.0-15-generic x86_64
ApportVersion: 2.5.2-0ubuntu4
Architecture: amd64
Date: Fri Sep 21 08:31:26 2012
ExecutablePath: /usr/bin/nautilus
GsettingsChanges: b'org.gnome.nautilus.window-state' b'geometry' b"'658x716+706+24'"
InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Release amd64 (20111012)
ProcCmdline: nautilus -n
SegvAnalysis:
 Segfault happened at: 0x7fe7f0885ba0 <g_list_foreach+16>: mov 0x8(%rdi),%rbx
 PC (0x7fe7f0885ba0) ok
 source "0x8(%rdi)" (0x005f6574) not located in a known VMA region (needed readable region)!
 destination "%rbx" ok
SegvReason: reading unknown VMA
Signal: 11
SourcePackage: nautilus
StacktraceTop:
 g_list_foreach () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
 g_list_free_full () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
 ?? () from /usr/lib/x86_64-linux-gnu/libgtk-3.so.0
 ?? () from /usr/lib/x86_64-linux-gnu/libgtk-3.so.0
 ?? () from /usr/lib/x86_64-linux-gnu/libgtk-3.so.0
Title: nautilus crashed with SIGSEGV in g_list_foreach()
UpgradeStatus: Upgraded to quantal on 2012-09-08 (12 days ago)
UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare

Laura Czajkowski (czajkowski) wrote :

StacktraceTop:
 g_list_foreach (list=0x5f656c, list@entry=0x2ad0de0, func=func@entry=0x7fe7f330de40 <node_ui_reference_free>, user_data=user_data@entry=0x0) at /build/buildd/glib2.0-2.33.14/./glib/glist.c:941
 g_list_free_full (list=0x2ad0de0, free_func=free_func@entry=0x7fe7f330de40 <node_ui_reference_free>) at /build/buildd/glib2.0-2.33.14/./glib/glist.c:183
 free_node (node=node@entry=0x2af5350) at /build/buildd/gtk+3.0-3.5.18/./gtk/gtkuimanager.c:1400
 update_node (manager=manager@entry=0x256f9e0, node=0x2af5350, in_popup=<optimized out>, in_popup@entry=0, popup_accels=popup_accels@entry=0) at /build/buildd/gtk+3.0-3.5.18/./gtk/gtkuimanager.c:3118
 update_node (manager=manager@entry=0x256f9e0, node=0x7fe7e0014550, in_popup=in_popup@entry=0, popup_accels=popup_accels@entry=0) at /build/buildd/gtk+3.0-3.5.18/./gtk/gtkuimanager.c:3096

Changed in nautilus (Ubuntu):
importance: Undecided → Medium
tags: removed: need-amd64-retrace

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in nautilus (Ubuntu):
status: New → Confirmed
tags: added: bugpattern-needed
visibility: private → public
Changed in nautilus (Ubuntu):
importance: Medium → High
Sebastien Bacher (seb128) wrote :

bug #1054297 and bug #1054297 are likely the same issue

Changed in nautilus (Ubuntu Quantal):
assignee: nobody → Michael Terry (mterry)
Michael Terry (mterry) wrote :

I believe I've found why this happens. Or at least, one way it *could* happen. With a very similar stacktrace.

While a GtkUIManager is updating its dynamic elements, and it destroys a menu item, any signal handlers for that destruction might further modify the UIManager. And the current code is poorly equipped to handle the node structure changing out from under it while it is in update_node.

See attached test program. It triggers two similar bugs: (1) deleting the next sibling in the destruction handler and (2) deleting the parent node in the destruction handler.

I haven't confirmed that either of these issues is this same exact crash in nautilus yet. But it sounds reasonable, and has a similar stacktrace.

Run the program like so:
valac --pkg gtk+-3.0 test.vala && G_SLICE=debug-blocks ./test

The first bug you hit will be the sibling one. Unless you comment out that function call in the test, you won't ever get to the parent bug because you'll keep crashing.

Michael Terry (mterry) on 2012-10-15
affects: nautilus → gtk
affects: nautilus (Ubuntu Quantal) → gtk+3.0 (Ubuntu Quantal)
Changed in gtk:
importance: Unknown → Medium
status: Unknown → New
Michael Terry (mterry) wrote :

I've got a patch in the upstream bug for comment. I'm going to mark the similar bugs as duplicates. Which might be a heavy hammer. But there are many ways to get to the same crash here, which seem to be having nested ui manager updates, which causes memory to be freed twice in a couple ways.

If after patching, we still see some similar-but-not-quite crashes, we can investigate those separately.

summary: - nautilus crashed with SIGSEGV in g_list_foreach()
+ nautilus crashed due to nested update_node() calls
Changed in gtk+3.0 (Ubuntu Quantal):
status: Confirmed → In Progress
milestone: none → quantal-updates
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gtk+3.0 - 3.8.2-0ubuntu3

---------------
gtk+3.0 (3.8.2-0ubuntu3) saucy; urgency=low

  * debian/patches/uimanager-guard-against-nested-node-updates.patch:
    - Avoid crashing due to nested update_node calls in GtkUIManager.
      LP: #1053862
 -- Michael Terry <email address hidden> Tue, 30 Apr 2013 15:38:37 -0700

Changed in gtk+3.0 (Ubuntu):
status: In Progress → Fix Released
Michael Terry (mterry) on 2014-07-23
Changed in gtk+3.0 (Ubuntu Quantal):
status: In Progress → Won't Fix
Changed in gtk:
status: New → Won't Fix
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.