1316766 – Segmentation fault occurs in nautilus on RHEL7.2.

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1316766 - Segmentation fault occurs in nautilus on RHEL7.2.

Summary: Segmentation fault occurs in nautilus on RHEL7.2.

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	nautilus
Sub Component:
Version:	7.2
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Ondrej Holy
QA Contact:	Desktop QE
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1460395 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-03-11 03:00 UTC by kyoneyama
Modified:	2023-03-24 13:40 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-05-24 15:27:51 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
coredump (4.50 MB, application/octet-stream) 2016-03-11 03:00 UTC, kyoneyama	no flags	Details
View All

Description kyoneyama 2016-03-11 03:00:55 UTC

Created attachment 1135090 [details]
coredump

Description of problem:

Segfault occurs in nautilus on RHEL7.2.

  nautilus[3991]: segfault at 100000016 ip 00007efdb0581f6b sp 00007fff1f3dd6a0 error 4 in libgobject-2.0.so.0.4200.2[7efdb0550000+4e000]

The below is a backtrace when gdm was terminated.

  (gdb) bt
  #0  0x00007efdb0581f6b in g_type_check_instance_cast (type_instance=0x1c7f930, iface_type=iface_type@entry=26964144) at gtype.c:4014
  #1  0x0000000000474a16 in nautilus_window_on_undo_changed (manager=<optimized out>, window=0x1a48d80) at nautilus-window.c:1512
  #2  0x00007efdb055fe38 in g_closure_invoke (closure=0x1e40c00, return_value=return_value@entry=0x0, n_param_values=1, 
      param_values=param_values@entry=0x7fff1f3dd890, invocation_hint=invocation_hint@entry=0x7fff1f3dd830) at gclosure.c:768
  #3  0x00007efdb0571a01 in signal_emit_unlocked_R (node=node@entry=0x19b5310, detail=detail@entry=0, instance=instance@entry=0x1964ea0, 
      emission_return=emission_return@entry=0x0, instance_and_params=instance_and_params@entry=0x7fff1f3dd890) at gsignal.c:3623


As a result of casting type of a variable, it has access to out-of-range address.

  (gdb) l
  4009		{
  4010		  TypeNode *node, *iface;
  4011		  gboolean is_instantiatable, check;
  4012		  
  4013		  node = lookup_type_node_I (type_instance->g_class->g_type);		**
  4014		  is_instantiatable = node && node->is_instantiatable;			**

  (gdb) p type_instance->g_class->g_type
  $23 = 4294967297
  (gdb) p node
  $24 = (TypeNode *) 0x100000000


Version-Release number of selected component (if applicable):

  - kernel-3.10.0-327.4.4.el7.x86_64
  - nautilus-3.14.3-7.el7.x86_64 
  - glib2-2.42.2-5.el7

How reproducible:

  Sometimes.

Steps to Reproduce:

  No reproducer.

Actual results:

  Segfault occured. Opend files are closed suddenly on the desktop.

Expected results:

  Segfault does not occur.

Additional info:

It seems to be similar to the following problems.

  https://bugzilla.redhat.com/show_bug.cgi?id=1252434

Comment 3 Wu Siu Wa 2017-03-14 07:36:44 UTC

Another customer encounter the similar issue.

The issue is very similar as bug 1252434, but the version is higher than the errata. 

kernel-3.10.0-327.el7.x86_64
nautilus-3.14.3-7.el7.x86_64
glib2-2.42.2-5.el7.x86_64

-------------------------------------------------
nautilus killed by SIGSEGV

(gdb) bt
#0  0x00007f5153334f6b in g_type_check_instance_cast (type_instance=0x1898950, iface_type=iface_type@entry=23397216) at gtype.c:4014
#1  0x0000000000474a16 in nautilus_window_on_undo_changed (manager=<optimized out>, window=0x16d46f0) at nautilus-window.c:1512
#2  0x00007f5153312e38 in g_closure_invoke (closure=0x18a43f0, return_value=return_value@entry=0x0, n_param_values=1, param_values=param_values@entry=0x7ffdfa920880, 
    invocation_hint=invocation_hint@entry=0x7ffdfa920820) at gclosure.c:768
#3  0x00007f5153324a01 in signal_emit_unlocked_R (node=node@entry=0x1656e70, detail=detail@entry=0, instance=instance@entry=0x15f86a0, 
    emission_return=emission_return@entry=0x0, instance_and_params=instance_and_params@entry=0x7ffdfa920880) at gsignal.c:3623
#4  0x00007f515332c4c1 in g_signal_emit_valist (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>, var_args=var_args@entry=0x7ffdfa920a00)
    at gsignal.c:3309
#5  0x00007f515332c77f in g_signal_emit (instance=<optimized out>, signal_id=<optimized out>, detail=detail@entry=0) at gsignal.c:3365
#6  0x00000000004d2d78 in nautilus_file_undo_manager_set_action (info=<optimized out>) at nautilus-file-undo-manager.c:245
#7  0x00000000004a81b4 in finalize_common (common=common@entry=0x1bfef90) at nautilus-file-operations.c:974
#8  0x00000000004a8d7b in copy_job_done (user_data=0x1bfef90) at nautilus-file-operations.c:4587
#9  0x00007f51535b2a2f in mainloop_proxy_func (data=0x7f50f8003110) at gioscheduler.c:200
#10 0x00007f515301579a in g_main_dispatch (context=0x136c6d0) at gmain.c:3109
#11 g_main_context_dispatch (context=context@entry=0x136c6d0) at gmain.c:3708
#12 0x00007f5153015ae8 in g_main_context_iterate (context=context@entry=0x136c6d0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3779
#13 0x00007f5153015b9c in g_main_context_iteration (context=0x136c6d0, context@entry=0x0, may_block=may_block@entry=1) at gmain.c:3840
#14 0x00007f51535f8f24 in g_application_run (application=0x1342120, argc=argc@entry=3, argv=argv@entry=0x7ffdfa920da8) at gapplication.c:2282
#15 0x000000000042a0fb in main (argc=3, argv=0x7ffdfa920da8) at nautilus-main.c:103


(gdb) list g_type_check_instance_cast
4013		  node = lookup_type_node_I (type_instance->g_class->g_type);
4014		  is_instantiatable = node && node->is_instantiatable;


(gdb) p type_instance->g_class->g_type
$9 = 8589934593
(gdb) p node
$10 = (TypeNode *) 0x200000000
(gdb) p node->is_instantiatable
Cannot access memory at address 0x200000000

------------------------------------------

Uploaded coredump-13738 for reference.

Comment 5 kyoneyama 2017-03-30 06:25:32 UTC

The problem still occurs even in the latest version of nautilus.

- kernel-3.10.0-327.el7.x86_64
- nautilus-3.14.3-12.el7
- glib2-2.46.2-4.el7

Comment 6 Ondrej Holy 2019-05-24 15:27:51 UTC

Nautilus 3.14 is the latest version for which I see those crashes: https://retrace.fedoraproject.org/faf/problems/?opsysreleases=71&component_names=nautilus&function_names=nautilus_window_on_undo_changed, but nautilus 3.22 has been in RHEL for some time already and now we have nautilus 3.26. The reproducer from Bug 1252434 seems doesn't work as well. So I am going to close this as WONTFIX. Please reopen if you still see those crashes.

Comment 7 Ondrej Holy 2019-05-29 09:01:35 UTC

*** Bug 1460395 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.