[Xfce-bugs] [Bug 14122] Deadlock during loading of folder contents
bugzilla-daemon at xfce.org
Fri May 8 10:09:47 CEST 2020
https://bugzilla.xfce.org/show_bug.cgi?id=14122
--- Comment #3 from afdw <afdw at yandex.ru> ---
(In reply to Markus Elfring from comment #2)
> (In reply to afdw from comment #1)
> > 4. Next, some other job starts, but does not receive a handle yet.
>
> I interpreted the implementation of the function
> “thunar_thumbnailer_queue_async_reply” in the way that there is a specific
> lock type applied.
> I imagined that a deadlock can only happen then if this function is executed
> once more before an unlock would be performed.
> * Does the aspect “reentrancy” matter here?
> * Is there a need to use recursive locks?
I do not think that locking is really the problem here.
https://gitlab.xfce.org/xfce/thunar/-/blob/112a0753c90a0fe5259f540cf0d6b5fc262bca82/thunar/thunar-thumbnailer.c#L317-334:
> static void
> thunar_thumbnailer_queue_async_reply (GObject      *proxy,
>                                       GAsyncResult *res,
>                                       gpointer      user_data)
> {
>   ThunarThumbnailerJob *job = user_data;
>   ThunarThumbnailer    *thumbnailer;
>   GError               *error = NULL;
>   guint                 handle;
>
>   _thunar_return_if_fail (THUNAR_IS_THUMBNAILER_DBUS (proxy));
>   _thunar_return_if_fail (job != NULL);
>
>   thumbnailer = THUNAR_THUMBNAILER (job->thumbnailer);
>
>   _thunar_return_if_fail (THUNAR_IS_THUMBNAILER (thumbnailer));
>
>   _thumbnailer_lock (thumbnailer);
By the time we get to the `_thumbnailer_lock (thumbnailer);` line, the use-after-free
has already occurred, because `user_data` might be a dangling pointer by now, so
`thumbnailer = THUNAR_THUMBNAILER (job->thumbnailer);`, which means accessing
`((ThunarThumbnailerJob *) user_data)->thumbnailer`, is already wrong.
Here is how this pointer behaves in the debugger (trying to get the type name
and trying to inspect data behind it):
> (gdb) p g_type_name(((GTypeInstance *) job)->g_class->g_type)
> $1 = (const gchar *) 0x0
> (gdb) p *((ThunarThumbnailerJob *) user_data)
> $2 = {thumbnailer = 0x7ffff7eb09c0, cancelled = 0, lazy_checks = 1,
> files = 0x555555c01700 = {0x8, <error reading variable>
Compare that to a good pointer (other argument of this function):
> (gdb) p g_type_name(((GTypeInstance *) res)->g_class->g_type)
> $3 = (const gchar *) 0x7ffff73f1279 "GTask"
> (gdb) p *((GTask *) res)
> $4 = {parent_instance = {g_type_instance = {g_class = 0x55555567fd90 [g_type: None]},
> ref_count = 2, qdata = 0x0}, source_object = 0x55555585ce20,
> source_tag = 0x7ffff730e8b0 <g_dbus_proxy_call_internal>, name = 0x0, task_data = 0x0,
> task_data_destroy = 0x0, context = 0x55555568c800, creation_time = 341128963267,
> priority = 0, cancellable = 0x0, callback = 0x5555555f76f0 <thunar_thumbnailer_queue_async_reply>,
> callback_data = 0x5555559ffae0, task_func = 0x0, lock = {p = 0x0, i = {0, 0}},
> cond = {p = 0x0, i = {0, 0}}, thread_cancelled = 0, thread_complete = 0, return_on_cancel = 0,
> completed = 0, had_error = 0, result_set = -1, ever_returned = -1, check_cancellable = -1,
> synchronous = 0, blocking_other_task = 0, error = 0x0, result = {pointer = 0x555555a4cec0,
> size = 93824997445312, boolean = 1436864192}, result_destroy = 0x7ffff7306dc0 <reply_data_free>}
I have seen 3 outcomes of the bug occurring randomly:
1. Just warning in the output
2. Freeze while loading folder contents
3. Segmentation fault
So problems with locking can occur (as this code can lock on some random data
from memory), but I think it is not the root cause of the issue.
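The comment above describes the classic shape of an async use-after-free: a job pointer is handed to a D-Bus proxy call as `user_data`, the job's owner frees it before the reply arrives, and the reply callback then dereferences stale memory (hence the random mix of warnings, freezes and segfaults). The following is an added, self-contained illustration of the ownership discipline that prevents that dangling `user_data`: the pending call takes its own reference on the job, the owner marks the job cancelled instead of freeing it, and the callback releases the call's reference after checking the flag. It is not Thunar's code; `Job`, `PendingCall`, `queue_async`, `owner_drop_job` and the other names are hypothetical stand-ins for `ThunarThumbnailerJob` and the proxy call, and the "D-Bus layer" is simulated by a direct function call.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of a refcounted job object (stand-in for ThunarThumbnailerJob).
 * All names here are hypothetical, not Thunar's real API. */
typedef struct {
    int ref_count;
    int cancelled;   /* owner no longer wants the result */
    int handle;      /* set by the reply; 0 = no reply delivered */
} Job;

/* What the async layer keeps until the reply comes back: callback + user_data. */
typedef struct {
    void (*callback)(void *user_data, int reply_handle);
    void  *user_data;
} PendingCall;

/* Instrumentation so the test can observe when (and how many times) a job is freed. */
static int g_jobs_freed = 0;

static Job *job_new(void) {
    Job *job = calloc(1, sizeof *job);
    if (job == NULL) {
        perror("calloc");
        exit(EXIT_FAILURE);
    }
    job->ref_count = 1;   /* the owner's reference */
    return job;
}

static Job *job_ref(Job *job) {
    job->ref_count++;
    return job;
}

static void job_unref(Job *job) {
    if (--job->ref_count == 0) {
        free(job);
        g_jobs_freed++;
    }
}

/* Reply handler. Because user_data carries a reference taken when the call was
 * issued, the job is guaranteed to be alive here regardless of what the owner
 * did in the meantime. The result is dropped if the owner cancelled. */
static void queue_async_reply(void *user_data, int reply_handle) {
    Job *job = user_data;
    if (!job->cancelled)
        job->handle = reply_handle;
    job_unref(job);   /* release the reference owned by the pending call */
}

/* Issue the "D-Bus call": take a reference on behalf of the reply before the
 * raw pointer leaves our hands. This is the step the unsafe pattern omits. */
static PendingCall queue_async(Job *job) {
    PendingCall pc = { queue_async_reply, job_ref(job) };
    return pc;
}

/* Simulates the async layer delivering the reply at some later time. */
static void deliver_reply(PendingCall *pc, int reply_handle) {
    pc->callback(pc->user_data, reply_handle);
    pc->user_data = NULL;
}

/* Owner loses interest (e.g. folder contents changed). The unsafe variant would
 * free() the job here and leave the pending user_data dangling; with refcounting
 * the owner only flags cancellation and drops its own reference. */
static void owner_drop_job(Job *job) {
    job->cancelled = 1;
    job_unref(job);
}

typedef struct {
    int freed_before_reply;   /* expected 0: pending call keeps the job alive */
    int freed_after_reply;    /* expected 1: callback released the last reference */
} DropFirstResult;

/* Scenario 1: owner drops the job while the reply is still outstanding. */
DropFirstResult scenario_drop_before_reply(void) {
    DropFirstResult r;
    g_jobs_freed = 0;
    Job *job = job_new();
    PendingCall pc = queue_async(job);
    owner_drop_job(job);                  /* ref_count 2 -> 1, job still valid */
    r.freed_before_reply = g_jobs_freed;
    deliver_reply(&pc, 42);               /* cancelled: result discarded, job freed once */
    r.freed_after_reply = g_jobs_freed;
    return r;
}

/* Scenario 2: reply arrives first. Returns the delivered handle if the job was
 * freed exactly once when the owner finally dropped it, -1 otherwise. */
int scenario_reply_before_drop(void) {
    g_jobs_freed = 0;
    Job *job = job_new();
    PendingCall pc = queue_async(job);
    deliver_reply(&pc, 42);               /* not cancelled: handle stored, ref 2 -> 1 */
    int handle = job->handle;             /* safe: owner still holds its reference */
    owner_drop_job(job);                  /* ref 1 -> 0, freed here */
    return g_jobs_freed == 1 ? handle : -1;
}

int main(void) {
    DropFirstResult r = scenario_drop_before_reply();
    printf("drop-before-reply: freed before=%d after=%d\n", r.freed_before_reply, r.freed_after_reply);
    printf("reply-before-drop: handle=%d\n", scenario_reply_before_drop());
    return 0;
}
```

The check that matters is the one in the first scenario: after the owner has dropped the job, the memory the callback will touch is still valid because the pending call holds its own reference, and the `cancelled` flag (rather than a freed pointer) is what tells the callback to discard the result. With the original raw-pointer hand-off, the same sequence reads freed memory at `job->thumbnailer`, which is exactly what the gdb output in the comment shows.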