GNOME Bugzilla – Bug 668674
nautilus segfaults (valgrind invalid read) on duplicate lines in .hidden
Last modified: 2012-08-17 17:05:03 UTC
Using nautilus 3.3.4 stock from the tarball on Ubuntu. The bug has been reported on https://bugs.launchpad.net/ubuntu/+source/nautilus/+bug/879130

"Reproduction steps:
1. create a .hidden file in any directory.
2. place a filename into the file twice (on separate lines). the filename does not have to exist.
3. browse to the folder in nautilus and press ctrl+H OR browse to the folder in nautilus and click on another folder, either a subfolder or any other folder"

valgrind log:

"==19723== Invalid free() / delete / delete[] / realloc()
==19723==    at 0x402906C: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==19723==    by 0x4AA481A: standard_free (gmem.c:98)
==19723==    by 0x4AA498F: g_free (gmem.c:252)
==19723==    by 0x4A8CE17: g_hash_table_remove_node (ghash.c:468)
==19723==    by 0x4A8D45F: g_hash_table_foreach_remove_or_steal (ghash.c:1397)
==19723==    by 0x80E1870: file_list_cancel (nautilus-directory-async.c:1088)
==19723==    by 0x80E1908: nautilus_directory_stop_monitoring_file_list (nautilus-directory-async.c:2236)
==19723==    by 0x80DFF81: nautilus_directory_async_state_changed (nautilus-directory-async.c:2247)
==19723==    by 0x80E4DB8: nautilus_directory_monitor_remove_internal (nautilus-directory-async.c:1144)
==19723==    by 0x8132D7F: vfs_file_monitor_remove (nautilus-vfs-directory.c:110)
==19723==    by 0x80E8A38: nautilus_directory_file_monitor_remove (nautilus-directory.c:1542)
==19723==    by 0x80B0CF9: disconnect_model_handlers (nautilus-view.c:9022)
==19723==  Address 0x12480cb8 is 0 bytes inside a block of size 4 free'd
==19723==    at 0x402906C: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==19723==    by 0x4AA481A: standard_free (gmem.c:98)
==19723==    by 0x4AA498F: g_free (gmem.c:252)
==19723==    by 0x4A8D2F7: g_hash_table_insert_node (ghash.c:905)
==19723==    by 0x4A8D749: g_hash_table_insert_internal (ghash.c:1140)
==19723==    by 0x80E169D: nautilus_directory_async_state_changed (nautilus-directory-async.c:2037)
==19723==    by 0x80E4FDE: nautilus_directory_monitor_add_internal (nautilus-directory-async.c:803)
==19723==    by 0x8132E7F: vfs_file_monitor_add (nautilus-vfs-directory.c:96)
==19723==    by 0x80E8978: nautilus_directory_file_monitor_add (nautilus-directory.c:1528)
==19723==    by 0x80B4B46: finish_loading (nautilus-view.c:8926)
==19723==    by 0x80DF857: ready_callback_call (nautilus-directory-async.c:1291)
==19723==    by 0x80E3F8B: call_ready_callbacks_at_idle (nautilus-directory-async.c:1861)"
I decided to keep looking at this since I had already started. Just to be clear, the workaround of removing duplicates from .hidden works fine to fix this. But here's what I found in the code (caution: I'm new to programming with linux, feel free to correct me):

- The crash occurs because the GHashTable has a key_destroy_func and g_hash_table_insert_node() is called with keep_new_key = false instead of true in ghash.c.
- In order to fix this, g_hash_table_replace() should be used instead of g_hash_table_insert() in read_dot_hidden_file() in nautilus-directory-async.c. I ran nautilus with this change and it didn't crash anymore.
- I did a quick search to see if this situation happens anywhere else in Nautilus; the only spot I found is at nautilus-view.c:3315, but I'm not sure if that's an issue or not.
- If I am correct, it seems strange that the comments in ghash.c for using GHashTable as a set indicate that g_hash_table_insert should be used, when it actually causes this issue.
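The ownership rule behind the crash, as an added example that is not code from Nautilus or GLib: a tiny table models GLib's documented semantics (on a duplicate key, g_hash_table_insert keeps the old key and hands the passed key to key_destroy_func while still storing the new value; g_hash_table_replace destroys the old key and keeps the new one). Loading a constructed .hidden with a duplicated line the way read_dot_hidden_file does (one strdup'd string used as both key and value) leaves a freed pointer stored as a value in the insert case, and none in the replace or check-first cases. All type and function names here are hypothetical; freed pointers are compared by identity only and never dereferenced.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ENTRIES 64
enum { MODE_INSERT, MODE_REPLACE, MODE_CHECK_FIRST };
typedef void (*destroy_fn)(void *);

/* Toy stand-in for a GHashTable used as a set (linear scan, no hashing).
 * Only the ownership rules of insert vs. replace are modelled. */
typedef struct {
    char *keys[MAX_ENTRIES];
    char *values[MAX_ENTRIES];
    int n;
    destroy_fn key_destroy;   /* models the key_destroy_func of g_hash_table_new_full */
} StrTable;

/* Every pointer given to key_destroy is recorded (as an integer) before it is
 * freed, so dangling values can be spotted later without touching freed memory. */
static uintptr_t freed_log[2 * MAX_ENTRIES];
static int freed_n;

static void logging_free(void *p) { freed_log[freed_n++] = (uintptr_t)p; free(p); }

static int table_find(const StrTable *t, const char *key)
{
    for (int i = 0; i < t->n; i++)
        if (strcmp(t->keys[i], key) == 0) return i;
    return -1;
}

static void table_append(StrTable *t, char *key, char *value)
{
    t->keys[t->n] = key; t->values[t->n] = value; t->n++;
}

/* Models g_hash_table_insert(): on an existing key the OLD key is kept, the
 * PASSED key goes to key_destroy, and the value is overwritten regardless. */
static void table_insert(StrTable *t, char *key, char *value)
{
    int i = table_find(t, key);
    if (i < 0) { table_append(t, key, value); return; }
    t->key_destroy(key);
    t->values[i] = value;     /* when value == key this now stores a freed pointer */
}

/* Models g_hash_table_replace(): on an existing key the OLD key goes to
 * key_destroy and both the passed key and the value are stored. */
static void table_replace(StrTable *t, char *key, char *value)
{
    int i = table_find(t, key);
    if (i < 0) { table_append(t, key, value); return; }
    t->key_destroy(t->keys[i]);
    t->keys[i] = key;
    t->values[i] = value;
}

/* Load .hidden contents (one name per line) the way read_dot_hidden_file does:
 * a single duplicated string serves as both key and value. */
static void load_hidden(StrTable *t, const char *contents, int mode)
{
    const char *p = contents;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len > 0) {
            char *name = malloc(len + 1);
            memcpy(name, p, len);
            name[len] = '\0';
            if (mode == MODE_INSERT)             table_insert(t, name, name);
            else if (mode == MODE_REPLACE)       table_replace(t, name, name);
            else if (table_find(t, name) < 0)    table_append(t, name, name);  /* MODE_CHECK_FIRST */
            else                                 t->key_destroy(name);         /* duplicate: drop our copy */
        }
        p = nl ? nl + 1 : p + len;
    }
}

/* Number of stored values that point at memory already passed to key_destroy. */
static int count_dangling_values(const StrTable *t)
{
    int count = 0;
    for (int i = 0; i < t->n; i++)
        for (int j = 0; j < freed_n; j++)
            if ((uintptr_t)t->values[i] == freed_log[j]) count++;
    return count;
}

static void table_clear(StrTable *t)
{
    for (int i = 0; i < t->n; i++) t->key_destroy(t->keys[i]);
    t->n = 0;
}

/* Constructed .hidden with a duplicated line, as in the reproduction steps. */
static const char *HIDDEN_SAMPLE = "secret.txt\nnotes\nsecret.txt\n";

/* Load the sample in the given mode; returns dangling values, entry count via out param. */
int dangling_after_load(int mode, int *entries_out)
{
    StrTable t = { .n = 0, .key_destroy = logging_free };
    freed_n = 0;
    load_hidden(&t, HIDDEN_SAMPLE, mode);
    int dangling = count_dangling_values(&t);
    if (entries_out) *entries_out = t.n;
    table_clear(&t);
    return dangling;
}

int entries_after_load(int mode) { int n; dangling_after_load(mode, &n); return n; }

int main(void)
{
    const char *names[] = { "g_hash_table_insert", "g_hash_table_replace", "check-then-insert" };
    for (int mode = MODE_INSERT; mode <= MODE_CHECK_FIRST; mode++)
        printf("%-22s entries=%d dangling values=%d\n", names[mode],
               entries_after_load(mode), dangling_after_load(mode, NULL));
    return 0;
}
```

All three modes end with two distinct entries; only the insert mode leaves a value pointing at freed memory, which is exactly the state the valgrind trace shows being freed a second time later.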
You might want to email the nautilus mailing list with your question; not everybody keeps up with the bugzilla email and your question might stay unnoticed on the bug.
Created attachment 221640: Don't crash when duplicate entries are in .hidden. Don't insert free'd string pointers into the hash values.