GNOME Bugzilla – Bug 543552
gvfs-fuse-daemon crashes when dbus is killed
Last modified: 2008-09-01 12:51:33 UTC
Steps to reproduce: 1. Have a gvfs fuse filesystem mounted 2. Kill the dbus daemon. 3. May need to retry a few times. Stack trace: Bug originally reported: https://bugs.launchpad.net/ubuntu/+source/gvfs/+bug/235698 This seems to be a competition between threads as to what actually occurs. If the vfs_destroy code is called after the code in subthread_main_loop which cleans up when the things are finishing, then access to a freed memory address will occur. Here is what valgrind has to say: ==13915== Invalid read of size 4 ==13915== at 0x5929D06: g_main_loop_quit (gmain.c:2875) ==13915== by 0x403B39: vfs_destroy (gvfsfusedaemon.c:2147) ==13915== by 0x5DFA888: fuse_fs_destroy (fuse.c:1347) ==13915== by 0x5DFA8E7: fuse_lib_destroy (fuse.c:1360) ==13915== by 0x5DFFE69: fuse_ll_destroy (fuse_lowlevel.c:1254) ==13915== by 0x5E02EF2: fuse_session_destroy (fuse_session.c:96) ==13915== by 0x5DF9792: fuse_destroy (fuse.c:3251) ==13915== by 0x5E031FD: fuse_teardown_common (helper.c:303) ==13915== by 0x5E03702: fuse_main_common (helper.c:331) ==13915== by 0x685A1C3: (below main) (in /lib/libc-2.7.so) ==13915== Address 0x70e4c0c is 12 bytes inside a block of size 16 free'd ==13915== at 0x4C22B2E: free (vg_replace_malloc.c:323) ==13915== by 0x403F73: subthread_main (gvfsfusedaemon.c:2035) ==13915== by 0x5951053: g_thread_create_proxy (gthread.c:635) ==13915== by 0x66263F6: start_thread (in /lib/libpthread-2.7.so) ==13915== by 0x6913B2C: clone (in /lib/libc-2.7.so) ==13915== ==13915== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 8 from 1) ==13915== malloc/free: in use at exit: 79,083 bytes in 816 blocks. ==13915== malloc/free: 1,691 allocs, 875 frees, 1,025,879 bytes allocated. ==13915== For counts of detected errors, rerun with: -v ==13915== searching for pointers to 816 not-freed blocks. ==13915== checked 291,296 bytes. ==13915== ==13915== LEAK SUMMARY: ==13915== definitely lost: 4 bytes in 2 blocks. ==13915== possibly lost: 2,592 bytes in 22 blocks. ==13915== still reachable: 76,487 bytes in 792 blocks. ==13915== suppressed: 0 bytes in 0 blocks. Other information:
Created attachment 114754 [details] [review] Patch that makes sure freed main_loop structures are not used. This patch fixes this issue for me.
I don't really see how that fixes it. Somewhat better would be to set subthread_main_loop to NULL after unreffing it, and check if it is != NULL before calling g_main_loop_quit()
Created attachment 115477 [details] [review] New patch to fix issue. Sounds good. I've done that in this new patch.
Looks good to me. I committed that patch to svn trunk. Thanks a bunch.
Can you please apply this also to gvfs-0.2* (for gnome-2.22), this seems to fix gvfs-fuse-daemon leaving unkilled after users logout from their sessions I have also tried http://bugzilla.gnome.org/show_bug.cgi?id=536614 patch but it doesn't fix my problem,while this patch seems to work ok Thanks a lot
I mean apply this to gvfs-0.2 branch for a hipotetical future gvfs-0.2.6 release that fix some of these crashes