Bug 1316766

Summary: Segmentation fault occurs in nautilus on RHEL7.2.
Product: Red Hat Enterprise Linux 7
Reporter: kyoneyama <kyoneyam>
Component: nautilus
Assignee: Ondrej Holy <oholy>
Status: CLOSED WONTFIX
QA Contact: Desktop QE <desktop-qa-list>
Severity: medium
Priority: medium
Version: 7.2
CC: diamantis.karagkiaouris.dev
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Type: Bug
Last Closed: 2019-05-24 15:27:51 UTC
Attachments: coredump

Description kyoneyama 2016-03-11 03:00:55 UTC
Created attachment 1135090 [details]
coredump

Description of problem:

Segfault occurs in nautilus on RHEL7.2.

  nautilus[3991]: segfault at 100000016 ip 00007efdb0581f6b sp 00007fff1f3dd6a0 error 4 in libgobject-2.0.so.0.4200.2[7efdb0550000+4e000]

Below is a backtrace taken when gdm was terminated.

  (gdb) bt
  #0  0x00007efdb0581f6b in g_type_check_instance_cast (type_instance=0x1c7f930, iface_type=iface_type@entry=26964144) at gtype.c:4014
  #1  0x0000000000474a16 in nautilus_window_on_undo_changed (manager=<optimized out>, window=0x1a48d80) at nautilus-window.c:1512
  #2  0x00007efdb055fe38 in g_closure_invoke (closure=0x1e40c00, return_value=return_value@entry=0x0, n_param_values=1, 
      param_values=param_values@entry=0x7fff1f3dd890, invocation_hint=invocation_hint@entry=0x7fff1f3dd830) at gclosure.c:768
  #3  0x00007efdb0571a01 in signal_emit_unlocked_R (node=node@entry=0x19b5310, detail=detail@entry=0, instance=instance@entry=0x1964ea0, 
      emission_return=emission_return@entry=0x0, instance_and_params=instance_and_params@entry=0x7fff1f3dd890) at gsignal.c:3623


As a result of the type cast of a variable, an out-of-range address is accessed.

  (gdb) l
  4009		{
  4010		  TypeNode *node, *iface;
  4011		  gboolean is_instantiatable, check;
  4012		  
  4013		  node = lookup_type_node_I (type_instance->g_class->g_type);		**
  4014		  is_instantiatable = node && node->is_instantiatable;			**

  (gdb) p type_instance->g_class->g_type
  $23 = 4294967297
  (gdb) p node
  $24 = (TypeNode *) 0x100000000


Version-Release number of selected component (if applicable):

  - kernel-3.10.0-327.4.4.el7.x86_64
  - nautilus-3.14.3-7.el7.x86_64 
  - glib2-2.42.2-5.el7

How reproducible:

  Sometimes.

Steps to Reproduce:

  No reproducer.

Actual results:

  Segfault occurred. Opened files are closed suddenly on the desktop.

Expected results:

  Segfault does not occur.

Additional info:

It seems to be similar to the following problems.

  https://bugzilla.redhat.com/show_bug.cgi?id=1252434
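
The two gdb sessions on this bug show the same pattern: the g_type read through the instance's g_class pointer is 0x100000001 or 0x200000001, and the TypeNode pointer gdb prints is that value with the low bits cleared. That is how GLib 2.x resolves non-fundamental types in lookup_type_node_I() (gtype.c): the GType ID of a registered class *is* the TypeNode address, so whatever word sits where a stale or freed GTypeClass used to be gets dereferenced as a pointer inside g_type_check_instance_cast(). The following C program is an added example, not code from this report or from GLib; it re-implements that mapping (constants as in gtype.h: G_TYPE_FUNDAMENTAL_SHIFT = 2, G_TYPE_FUNDAMENTAL_MAX = 255 << 2) so a g_type value pulled from a coredump can be turned into the node address offline, and adds a triage heuristic of my own (the "low 32 bits are zero" check) for spotting the two-small-integers pattern seen here.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example for this bug report; it is not code from the report or
 * from GLib. It re-implements the GType -> TypeNode mapping that GLib 2.x
 * uses in lookup_type_node_I() (gtype.c) so that a g_type value read out
 * of a coredump can be converted to the TypeNode pointer gdb would show,
 * without dereferencing anything. */

typedef uint64_t gtype_t;   /* GType is gsize, 64-bit on x86_64 */

#define FUNDAMENTAL_SHIFT 2u
#define FUNDAMENTAL_MAX   ((gtype_t)255u << FUNDAMENTAL_SHIFT)        /* 1020 */
#define TYPE_ID_MASK      ((gtype_t)((1u << FUNDAMENTAL_SHIFT) - 1u))  /* 0x3 */

/* Fundamental types (G_TYPE_OBJECT = 20 << 2 = 80, G_TYPE_INT, ...) are
 * small IDs that index a static table; every other GType is a pointer
 * with the low two bits reserved. */
static bool is_fundamental_type(gtype_t type)
{
    return type <= FUNDAMENTAL_MAX;
}

/* For a non-fundamental type, returns the address GLib will treat as the
 * TypeNode* (the g_type with TYPE_ID_MASK cleared). Returns 0 for
 * fundamental types, which are looked up by index instead. */
static uint64_t type_node_address(gtype_t type)
{
    if (is_fundamental_type(type))
        return 0;
    return type & ~TYPE_ID_MASK;
}

/* Triage heuristic (an assumption of this example, not a GLib rule):
 * real TypeNodes are heap allocations, so a candidate node address whose
 * low 32 bits are all zero looks like two adjacent 32-bit integers that
 * overwrote the freed GTypeClass, not like a live pointer. */
static bool node_address_looks_stale(uint64_t node_addr)
{
    return node_addr != 0 && (node_addr & 0xffffffffULL) == 0;
}

/* True when g_type_check_instance_cast() would dereference a bogus
 * node pointer for this g_type, as in both backtraces in the report. */
static bool cast_would_fault(gtype_t g_type)
{
    if (is_fundamental_type(g_type))
        return false;
    return node_address_looks_stale(type_node_address(g_type));
}

int main(void)
{
    /* The two g_class->g_type values printed by gdb in the report. */
    const gtype_t observed[] = { 4294967297ULL, 8589934593ULL };
    for (size_t i = 0; i < sizeof observed / sizeof observed[0]; i++) {
        printf("g_type=%llu -> node=0x%llx fault=%s\n",
               (unsigned long long)observed[i],
               (unsigned long long)type_node_address(observed[i]),
               cast_would_fault(observed[i]) ? "yes" : "no");
    }
    return 0;
}
```

Running it against the two values from the report yields node addresses 0x100000000 and 0x200000000, matching what gdb printed; the "fault" flag is only a hint that the instance's class pointer was already stale when the undo-changed handler ran, which is consistent with the handler reaching an object that had been freed.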

Comment 3 Wu Siu Wa 2017-03-14 07:36:44 UTC
Another customer encountered a similar issue.

The issue is very similar to bug 1252434, but the version is higher than the errata.

kernel-3.10.0-327.el7.x86_64
nautilus-3.14.3-7.el7.x86_64
glib2-2.42.2-5.el7.x86_64

-------------------------------------------------
nautilus killed by SIGSEGV

(gdb) bt
#0  0x00007f5153334f6b in g_type_check_instance_cast (type_instance=0x1898950, iface_type=iface_type@entry=23397216) at gtype.c:4014
#1  0x0000000000474a16 in nautilus_window_on_undo_changed (manager=<optimized out>, window=0x16d46f0) at nautilus-window.c:1512
#2  0x00007f5153312e38 in g_closure_invoke (closure=0x18a43f0, return_value=return_value@entry=0x0, n_param_values=1, param_values=param_values@entry=0x7ffdfa920880, 
    invocation_hint=invocation_hint@entry=0x7ffdfa920820) at gclosure.c:768
#3  0x00007f5153324a01 in signal_emit_unlocked_R (node=node@entry=0x1656e70, detail=detail@entry=0, instance=instance@entry=0x15f86a0, 
    emission_return=emission_return@entry=0x0, instance_and_params=instance_and_params@entry=0x7ffdfa920880) at gsignal.c:3623
#4  0x00007f515332c4c1 in g_signal_emit_valist (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>, var_args=var_args@entry=0x7ffdfa920a00)
    at gsignal.c:3309
#5  0x00007f515332c77f in g_signal_emit (instance=<optimized out>, signal_id=<optimized out>, detail=detail@entry=0) at gsignal.c:3365
#6  0x00000000004d2d78 in nautilus_file_undo_manager_set_action (info=<optimized out>) at nautilus-file-undo-manager.c:245
#7  0x00000000004a81b4 in finalize_common (common=common@entry=0x1bfef90) at nautilus-file-operations.c:974
#8  0x00000000004a8d7b in copy_job_done (user_data=0x1bfef90) at nautilus-file-operations.c:4587
#9  0x00007f51535b2a2f in mainloop_proxy_func (data=0x7f50f8003110) at gioscheduler.c:200
#10 0x00007f515301579a in g_main_dispatch (context=0x136c6d0) at gmain.c:3109
#11 g_main_context_dispatch (context=context@entry=0x136c6d0) at gmain.c:3708
#12 0x00007f5153015ae8 in g_main_context_iterate (context=context@entry=0x136c6d0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3779
#13 0x00007f5153015b9c in g_main_context_iteration (context=0x136c6d0, context@entry=0x0, may_block=may_block@entry=1) at gmain.c:3840
#14 0x00007f51535f8f24 in g_application_run (application=0x1342120, argc=argc@entry=3, argv=argv@entry=0x7ffdfa920da8) at gapplication.c:2282
#15 0x000000000042a0fb in main (argc=3, argv=0x7ffdfa920da8) at nautilus-main.c:103


(gdb) list g_type_check_instance_cast
4013		  node = lookup_type_node_I (type_instance->g_class->g_type);
4014		  is_instantiatable = node && node->is_instantiatable;


(gdb) p type_instance->g_class->g_type
$9 = 8589934593
(gdb) p node
$10 = (TypeNode *) 0x200000000
(gdb) p node->is_instantiatable
Cannot access memory at address 0x200000000

------------------------------------------

Uploaded coredump-13738 for reference.

Comment 5 kyoneyama 2017-03-30 06:25:32 UTC
The problem still occurs even in the latest version of nautilus.

- kernel-3.10.0-327.el7.x86_64
- nautilus-3.14.3-12.el7
- glib2-2.46.2-4.el7

Comment 6 Ondrej Holy 2019-05-24 15:27:51 UTC
Nautilus 3.14 is the latest version for which I see those crashes: https://retrace.fedoraproject.org/faf/problems/?opsysreleases=71&component_names=nautilus&function_names=nautilus_window_on_undo_changed, but nautilus 3.22 has been in RHEL for some time already and now we have nautilus 3.26. The reproducer from Bug 1252434 doesn't seem to work either. So I am going to close this as WONTFIX. Please reopen if you still see those crashes.

Comment 7 Ondrej Holy 2019-05-29 09:01:35 UTC
*** Bug 1460395 has been marked as a duplicate of this bug. ***