[Xfce-bugs] [Bug 14122] Deadlock during loading of folder contents

bugzilla-daemon at xfce.org
Fri May 8 01:57:26 CEST 2020


https://bugzilla.xfce.org/show_bug.cgi?id=14122

afdw <afdw at yandex.ru> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |afdw at yandex.ru

--- Comment #1 from afdw <afdw at yandex.ru> ---
I think I have finally understood the problem here.

I suppose it is a use after free. So here is what I think happens:
1. The Queue method of Tumbler is called:
https://gitlab.xfce.org/xfce/thunar/-/blob/112a0753c90a0fe5259f540cf0d6b5fc262bca82/thunar/thunar-thumbnailer.c#L475
2. It returns 0, which is wrong
3. This causes the `job->handle` field to remain at 0:
https://gitlab.xfce.org/xfce/thunar/-/blob/112a0753c90a0fe5259f540cf0d6b5fc262bca82/thunar/thunar-thumbnailer.c#L350
4. Next, some other job starts, but does not receive a handle yet. This results
in 2 jobs having their `job->handle` field set to 0
5. During this time, the job with handle 0 finishes executing, so it gets
deallocated (`handle` function argument here is 0):
https://gitlab.xfce.org/xfce/thunar/-/blob/112a0753c90a0fe5259f540cf0d6b5fc262bca82/thunar/thunar-thumbnailer.c#L873
But instead of the real job with handle 0, the one started in step 4 is found
(the one without a handle assigned), so it gets deallocated
6. Enqueuing of the second job finally finishes:
https://gitlab.xfce.org/xfce/thunar/-/blob/112a0753c90a0fe5259f540cf0d6b5fc262bca82/thunar/thunar-thumbnailer.c#L327
But this job is already deallocated on step 4
7. So already freed memory is accessed and everything goes wrong
I am not sure if these steps are exactly correct.

Here is how it looks in the debugger: after setting these breakpoints in GDB
(line numbers as of Thunar commit 112a0753c90a0fe5259f540cf0d6b5fc262bca82):
> break thunar-thumbnailer.c:330
> command
> silent
> printf "thunar_thumbnailer_queue_async_reply: %p\n", job
> continue
> end
> break thunar-thumbnailer.c:865
> command
> silent
> printf "thunar_thumbnailer_thumbnailer_finished: %p %d\n", job, job->handle
> continue
> end
> break thunar-thumbnailer.c:306
> command
> silent
> printf "thunar_thumbnailer_free_job: %p\n", job
> continue
> end
This is a possible output:
> thunar_thumbnailer_thumbnailer_finished: 0x555555a12e40 0
> thunar_thumbnailer_free_job: 0x555555a12e40
> thunar_thumbnailer_queue_async_reply: 0x555555a12e40
> 
> (thunar:1339130): GLib-GObject-WARNING **: 00:09:57.296: invalid uninstantiatable type '(null)' in cast to 'ThunarThumbnailer'
> 
> (thunar:1339130): thunar-CRITICAL **: 00:09:57.296: thunar_thumbnailer_queue_async_reply: assertion '(((__extension__ ({ GTypeInstance *__inst = (GTypeInstance*) ((thumbnailer)); GType __t = ((thunar_thumbnailer_get_type ())); gboolean __r; if (!__inst) __r = (0); else if (__inst->g_class && __inst->g_class->g_type == __t) __r = (!(0)); else __r = g_type_check_instance_is_a (__inst, __t); __r; }))))' failed

I am not really sure how to reproduce the issue, but what I did was
repetitively navigating between folders with many files in Thunar and
terminating Tumbler; this way the chance of reproducing was fairly high.

I think that just making Tumbler follow the specification should be enough to
fix this issue, so here is the bug report (fix included):
https://bugzilla.xfce.org/show_bug.cgi?id=16814

Hopefully, all of this makes some sense.

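The handle collision described in the comment above, as an added example that is not Thunar's or Tumbler's code: a minimal job list in C where the value 0 doubles as "no handle assigned yet" and as a handle returned by a misbehaving Queue call, so a finished(0) signal is routed to an unrelated pending job and that job's own Queue reply then touches released memory. The hardened lookup reserves 0 and never matches it. The names Job, Thumbnailer, enqueue, finished, queue_async_reply and replay, and the handle value 7, are invented for this demonstration; the demo marks a job as released instead of calling free() so the replay itself stays well defined.

```c
#include <stdio.h>

/* Hypothetical model of a handle-keyed job list (added example, not
 * Thunar's code). A job is enqueued, the thumbnailer service later replies
 * with a handle, and a finished(handle) signal looks the job up by handle
 * and releases it. */
typedef struct Job {
    unsigned    handle;   /* 0 until the Queue reply delivers a handle */
    int         freed;    /* demo bookkeeping: set instead of calling free() */
    struct Job *next;
} Job;

typedef struct {
    Job *jobs;            /* singly linked, newest job first */
} Thumbnailer;

/* Enqueue: the job exists before the service has replied with a handle. */
static Job *enqueue(Thumbnailer *t, Job *j) {
    j->handle = 0;
    j->freed  = 0;
    j->next   = t->jobs;
    t->jobs   = j;
    return j;
}

/* Buggy lookup: the first job whose handle field equals `handle`, which
 * includes jobs still waiting for their Queue reply (handle == 0). */
static Job *find_job_buggy(Thumbnailer *t, unsigned handle) {
    for (Job *j = t->jobs; j != NULL; j = j->next)
        if (j->handle == handle)
            return j;
    return NULL;
}

/* Hardened lookup: 0 is reserved for "no handle yet" and never matches,
 * so a finished(0) signal cannot be routed to an unrelated pending job. */
static Job *find_job_fixed(Thumbnailer *t, unsigned handle) {
    if (handle == 0)
        return NULL;
    return find_job_buggy(t, handle);
}

/* finished(handle) signal: unlink and release the matching job. */
static void finished(Thumbnailer *t, unsigned handle, int hardened) {
    Job *victim = hardened ? find_job_fixed(t, handle)
                           : find_job_buggy(t, handle);
    if (victim == NULL)
        return;
    for (Job **pp = &t->jobs; *pp != NULL; pp = &(*pp)->next) {
        if (*pp == victim) {
            *pp = victim->next;
            break;
        }
    }
    victim->freed = 1;    /* stands in for free(job) */
}

/* Queue reply for a job: the service is expected to return a non-zero handle.
 * Returns -1 when the reply arrives for a job that was already released,
 * which is the point where the real code would write through a dangling
 * pointer. */
static int queue_async_reply(Job *j, unsigned handle) {
    if (j->freed)
        return -1;
    j->handle = handle;
    return 0;
}

/* Replay the sequence from the comment. Returns 1 when the second job's
 * reply targets an already released job (use after free), 0 otherwise. */
static int replay(int hardened) {
    Thumbnailer t = { NULL };
    Job a, b;

    enqueue(&t, &a);
    queue_async_reply(&a, 0);     /* steps 2-3: Queue wrongly returns handle 0 */
    enqueue(&t, &b);              /* step 4: second job, reply still outstanding */
    finished(&t, 0, hardened);    /* step 5: finished(0) arrives for job a */
    return queue_async_reply(&b, 7) == -1 ? 1 : 0;   /* step 6: b's reply (handle 7 is constructed) */
}

int main(void) {
    printf("buggy lookup:    %s\n", replay(0) ? "use after free" : "ok");
    printf("hardened lookup: %s\n", replay(1) ? "use after free" : "ok");
    return 0;
}
```

With the buggy lookup, finished(0) finds job b (newest first, handle still 0), releases it, and b's own reply then lands on released memory; with the hardened lookup the bogus finished(0) matches nothing. The client-side check only stops the misrouting: job a keeps its invalid handle 0 and is never completed, so the service returning a valid non-zero handle, as the comment proposes, is still the actual fix, and rejecting a zero handle in the reply path would make the misbehaviour visible instead of silent.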