Bug 1316766 - Segmentation fault occurs in nautilus on RHEL7.2.
Status: NEW
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: nautilus
Platform: All Linux
Priority: medium  Severity: medium
Assigned To: Carlos Soriano
QA Contact: Desktop QE
Reported: 2016-03-10 22:00 EST by kyoneyama
Modified: 2018-03-01 21:01 EST

Type: Bug

Attachments:
  coredump (4.50 MB, application/octet-stream), 2016-03-10 22:00 EST, kyoneyama
Description kyoneyama 2016-03-10 22:00:55 EST
Created attachment 1135090

Description of problem:

Segfault occurs in nautilus on RHEL7.2.

  nautilus[3991]: segfault at 100000016 ip 00007efdb0581f6b sp 00007fff1f3dd6a0 error 4 in libgobject-2.0.so.0.4200.2[7efdb0550000+4e000]

Below is a backtrace from when gdm was terminated.

  (gdb) bt
  #0  0x00007efdb0581f6b in g_type_check_instance_cast (type_instance=0x1c7f930, iface_type=iface_type@entry=26964144) at gtype.c:4014
  #1  0x0000000000474a16 in nautilus_window_on_undo_changed (manager=<optimized out>, window=0x1a48d80) at nautilus-window.c:1512
  #2  0x00007efdb055fe38 in g_closure_invoke (closure=0x1e40c00, return_value=return_value@entry=0x0, n_param_values=1, 
      param_values=param_values@entry=0x7fff1f3dd890, invocation_hint=invocation_hint@entry=0x7fff1f3dd830) at gclosure.c:768
  #3  0x00007efdb0571a01 in signal_emit_unlocked_R (node=node@entry=0x19b5310, detail=detail@entry=0, instance=instance@entry=0x1964ea0, 
      emission_return=emission_return@entry=0x0, instance_and_params=instance_and_params@entry=0x7fff1f3dd890) at gsignal.c:3623

As a result of casting the type of a variable, it accesses an out-of-range address.

  (gdb) l
  4009		{
  4010		  TypeNode *node, *iface;
  4011		  gboolean is_instantiatable, check;
  4013		  node = lookup_type_node_I (type_instance->g_class->g_type);		**
  4014		  is_instantiatable = node && node->is_instantiatable;			**

  (gdb) p type_instance->g_class->g_type
  $23 = 4294967297
  (gdb) p node
  $24 = (TypeNode *) 0x100000000

Version-Release number of selected component (if applicable):

  - kernel-3.10.0-327.4.4.el7.x86_64
  - nautilus-3.14.3-7.el7.x86_64 
  - glib2-2.42.2-5.el7

How reproducible:


Steps to Reproduce:

  No reproducer.

Actual results:

  Segfault occurred. Opened files are closed suddenly on the desktop.

Expected results:

  Segfault does not occur.

Additional info:

It seems to be similar to the following problems.

Comment 3 siwu 2017-03-14 03:36:44 EDT
Another customer encountered a similar issue.

The issue is very similar to bug 1252434, but the version is higher than the errata.


nautilus killed by SIGSEGV

(gdb) bt
#0  0x00007f5153334f6b in g_type_check_instance_cast (type_instance=0x1898950, iface_type=iface_type@entry=23397216) at gtype.c:4014
#1  0x0000000000474a16 in nautilus_window_on_undo_changed (manager=<optimized out>, window=0x16d46f0) at nautilus-window.c:1512
#2  0x00007f5153312e38 in g_closure_invoke (closure=0x18a43f0, return_value=return_value@entry=0x0, n_param_values=1, param_values=param_values@entry=0x7ffdfa920880, 
    invocation_hint=invocation_hint@entry=0x7ffdfa920820) at gclosure.c:768
#3  0x00007f5153324a01 in signal_emit_unlocked_R (node=node@entry=0x1656e70, detail=detail@entry=0, instance=instance@entry=0x15f86a0, 
    emission_return=emission_return@entry=0x0, instance_and_params=instance_and_params@entry=0x7ffdfa920880) at gsignal.c:3623
#4  0x00007f515332c4c1 in g_signal_emit_valist (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>, var_args=var_args@entry=0x7ffdfa920a00)
    at gsignal.c:3309
#5  0x00007f515332c77f in g_signal_emit (instance=<optimized out>, signal_id=<optimized out>, detail=detail@entry=0) at gsignal.c:3365
#6  0x00000000004d2d78 in nautilus_file_undo_manager_set_action (info=<optimized out>) at nautilus-file-undo-manager.c:245
#7  0x00000000004a81b4 in finalize_common (common=common@entry=0x1bfef90) at nautilus-file-operations.c:974
#8  0x00000000004a8d7b in copy_job_done (user_data=0x1bfef90) at nautilus-file-operations.c:4587
#9  0x00007f51535b2a2f in mainloop_proxy_func (data=0x7f50f8003110) at gioscheduler.c:200
#10 0x00007f515301579a in g_main_dispatch (context=0x136c6d0) at gmain.c:3109
#11 g_main_context_dispatch (context=context@entry=0x136c6d0) at gmain.c:3708
#12 0x00007f5153015ae8 in g_main_context_iterate (context=context@entry=0x136c6d0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3779
#13 0x00007f5153015b9c in g_main_context_iteration (context=0x136c6d0, context@entry=0x0, may_block=may_block@entry=1) at gmain.c:3840
#14 0x00007f51535f8f24 in g_application_run (application=0x1342120, argc=argc@entry=3, argv=argv@entry=0x7ffdfa920da8) at gapplication.c:2282
#15 0x000000000042a0fb in main (argc=3, argv=0x7ffdfa920da8) at nautilus-main.c:103

(gdb) list g_type_check_instance_cast
4013		  node = lookup_type_node_I (type_instance->g_class->g_type);
4014		  is_instantiatable = node && node->is_instantiatable;

(gdb) p type_instance->g_class->g_type
$9 = 8589934593
(gdb) p node
$10 = (TypeNode *) 0x200000000
(gdb) p node->is_instantiatable
Cannot access memory at address 0x200000000


Uploaded coredump-13738 for reference.
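Added triage helper for the two crash reports above (example code written for this page; it is not code from nautilus, GLib, or either reporter). It parses the kernel segfault line quoted in the description, decodes the x86 page-fault error code, turns the instruction pointer into a file offset for addr2line or objdump, and reproduces the GType arithmetic both gdb sessions show: GLib's lookup_type_node_I treats a non-fundamental GType as the TypeNode address with the two low flag bits masked off (G_TYPE_FUNDAMENTAL_SHIFT is 2, so the mask is 0x3), which is why g_type 4294967297 yields node 0x100000000 in the description and 8589934593 yields 0x200000000 in comment 3. Splitting those g_type values into 32-bit halves, (1, 1) and (2, 1), is offered only as a heuristic that the slot no longer holds a pointer; that reading, and the 4096-byte window used to relate the fault address to the node, are assumptions of this example, not conclusions the bug states. Comment 3 does not quote its kernel log line, so only the description's line is embedded.

```python
"""Segfault-line and GType triage for the nautilus crash in this bug.

Added example for this page; not code from nautilus, GLib, or the reporters.
"""
import re

# Constructed input: the kernel log line quoted verbatim in the description.
SEGFAULT_LINE = (
    "nautilus[3991]: segfault at 100000016 ip 00007efdb0581f6b "
    "sp 00007fff1f3dd6a0 error 4 in libgobject-2.0.so.0.4200.2[7efdb0550000+4e000]"
)

# gdb values printed in the description and in comment 3.
GTYPE_DESC, NODE_DESC = 4294967297, 0x100000000
GTYPE_C3, NODE_C3 = 8589934593, 0x200000000

_SEGFAULT_RE = re.compile(
    r"(?P<comm>\S+?)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<lib>\S+?)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)


def parse_segfault(line):
    """Parse an x86-64 kernel 'segfault at ...' line into integers.

    lib_offset is ip minus the mapping base: the value to give
    `addr2line -e <lib> <offset>` (with debuginfo installed) or
    `objdump -d --start-address=<offset> <lib>` to see the faulting instruction.
    """
    m = _SEGFAULT_RE.search(line)
    if not m:
        raise ValueError("not a kernel segfault line: %r" % line)
    d = m.groupdict()
    for key in ("addr", "ip", "sp", "base", "size"):
        d[key] = int(d[key], 16)
    d["pid"] = int(d["pid"])
    d["err"] = int(d["err"])
    d["lib_offset"] = d["ip"] - d["base"]
    d["ip_in_mapping"] = d["base"] <= d["ip"] < d["base"] + d["size"]
    return d


def decode_error(err):
    """x86 page-fault error code bits as printed by the kernel."""
    return {
        "protection_violation": bool(err & 1),  # False = page not present
        "write": bool(err & 2),                 # False = read access
        "user_mode": bool(err & 4),
        "reserved_bit": bool(err & 8),
        "instruction_fetch": bool(err & 16),
    }


# GLib gtype.c: G_TYPE_FUNDAMENTAL_SHIFT == 2, so TYPE_ID_MASK == 0x3 and
# G_TYPE_FUNDAMENTAL_MAX == 255 << 2.  A non-fundamental GType value is the
# TypeNode address itself, with the two low bits free for flags.
TYPE_ID_MASK = 0x3
G_TYPE_FUNDAMENTAL_MAX = 255 << 2


def type_node_from_gtype(gtype):
    """Mirror lookup_type_node_I for non-fundamental types; None for the
    fundamental range, which GLib resolves through a static table instead."""
    if gtype <= G_TYPE_FUNDAMENTAL_MAX:
        return None
    return gtype & ~TYPE_ID_MASK


def fault_offset_from_node(fault_addr, node, window=4096):
    """Offset of the faulting address inside the bogus TypeNode, or None if
    the fault is not a small forward offset from it (window is an assumption)."""
    delta = fault_addr - node
    return delta if 0 <= delta < window else None


def split_words(value):
    """(high, low) 32-bit halves of a 64-bit slot.  Two tiny integers where a
    pointer should be is only a heuristic hint that the memory holding
    g_class->g_type was reused; the bug itself does not state this."""
    return (value >> 32) & 0xFFFFFFFF, value & 0xFFFFFFFF


def triage(line, gtype, node):
    """Combine the kernel line with the gdb-observed g_type and node."""
    d = parse_segfault(line)
    return {
        "lib_offset": d["lib_offset"],
        "access": decode_error(d["err"]),
        "node_matches_gdb": type_node_from_gtype(gtype) == node,
        "fault_offset": fault_offset_from_node(d["addr"], node),
        "gtype_words": split_words(gtype),
    }


if __name__ == "__main__":
    print("description:", triage(SEGFAULT_LINE, GTYPE_DESC, NODE_DESC))
    print("comment 3 node:", hex(type_node_from_gtype(GTYPE_C3)),
          "g_type halves:", split_words(GTYPE_C3))
```

For the description's line this reports a user-mode read of a non-present page at libgobject offset 0x31f6b, with the fault address 0x16 bytes past the node pointer gdb printed; that is consistent with the `node->is_instantiatable` read on gtype.c:4014, though the exact field offset depends on the TypeNode layout of that GLib build, which the page does not show.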
Comment 5 kyoneyama 2017-03-30 02:25:32 EDT
The problem still occurs even in the latest version of nautilus.

- kernel-3.10.0-327.el7.x86_64
- nautilus-3.14.3-12.el7
- glib2-2.46.2-4.el7
