Bug 670591 - nautilus crashed with SIGSEGV in g_object_get() (real_slot_set_short_status)
Status: RESOLVED FIXED
Product: nautilus
Classification: Core
Component: Crashers
Version: 3.3.x
Hardware/OS: Other Linux
Priority/Severity: Normal critical
Target Milestone: ---
Assigned To: Nautilus Maintainers
QA Contact: Nautilus Maintainers
Duplicates: 670648
Depends on:
Blocks:
Reported: 2012-02-22 09:59 UTC by Sebastien Bacher
Modified: 2012-08-01 18:36 UTC
See Also:
GNOME target: ---
GNOME version: ---

Attachments
Proposed patch (774 bytes, patch), 2012-02-28 15:33 UTC, Michael Terry, committed

Description Sebastien Bacher 2012-02-22 09:59:36 UTC
The bug is collecting quite some duplicates on launchpad since this cycle,
https://bugs.launchpad.net/ubuntu/+source/nautilus/+bug/929031

#0  0x00007f70ea4e6c53 in g_object_get (_object=0xaaaaaaaaaaaaaaaa, first_property_name=0x506358 "disable-chrome") at /build/buildd/glib2.0-2.31.16/./gobject/gobject.c:2091
        __inst = 0xaaaaaaaaaaaaaaaa
        __r = <optimized out>
        _g_boolean_var_ = <optimized out>
        object = 0xaaaaaaaaaaaaaaaa
        var_args = {{gp_offset = 3724847072, fp_offset = 32767, overflow_arg_area = 0x515a57, reg_save_area = 0x1}}
        __PRETTY_FUNCTION__ = "g_object_get"
#1  real_slot_set_short_status
#2  set_status_timeout_cb at nautilus-window-slot.c line 515
#3  g_timeout_dispatch at /build/buildd/glib2.0-2.31.16/./glib/gmain.c line 3854
#4  g_main_dispatch at /build/buildd/glib2.0-2.31.16/./glib/gmain.c line 2510
#5  g_main_context_dispatch at /build/buildd/glib2.0-2.31.16/./glib/gmain.c line 3047
#6  g_main_context_iterate at /build/buildd/glib2.0-2.31.16/./glib/gmain.c line 3118
#7  g_main_context_iterate at /build/buildd/glib2.0-2.31.16/./glib/gmain.c line 3055
#8  g_main_context_iteration at /build/buildd/glib2.0-2.31.16/./glib/gmain.c line 3179
#9  g_application_run at /build/buildd/glib2.0-2.31.16/./gio/gapplication.c line 1496
#10 main at nautilus-main.c line 101

The descriptions don't give useful details on how to trigger the bug, but it's still an issue in 3.3.90.
Comment 1 André Klapper 2012-02-22 10:16:34 UTC
crash => critical
Comment 2 Michael Terry 2012-02-28 15:33:05 UTC
Created attachment 208589
Proposed patch

This is a race, so it's hard to reproduce, but code analysis makes me think I've found the problem.

For background: WindowSlots and WindowPanes are closely coupled life-cycle wise.  For example, the Pane pointer in a Slot isn't even ref'd because the assumption is that they will be destroyed together.

But in set_floating_bar_status(), Slot adds a ref to itself that lasts during a timeout.  This ref is unnecessary, since (A) the Slot will kill the timeout safely during its dispose and (B) it's not important for the timeout to finish if the Slot would normally die.

This ref breaks the normal assumption in Pane that all slots are properly destroyed when removed as children from the Pane during its own destruction.  When the timeout callback function is finally called, the internal Pane pointer of the Slot will be garbage and you get this crash.

The attached patch fixes the extraneous ref.  I have not actually run with this patch, but it seems trivial and safe.
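The lifecycle race described in this comment, reduced to a self-contained C model. This is an added illustration, not nautilus or GLib code: the refcounting, the timeout table and the names set_floating_bar_status / set_status_timeout_cb / pane_destroy are hypothetical stand-ins for the real GObject machinery. The pane keeps an unowned slot, the slot keeps an unowned back-pointer to its pane, and the only difference between the two runs is whether the slot takes a ref on itself for the lifetime of the timeout. Instead of handing the destroyed pane back to the allocator (which would make the stale read undefined behaviour), the model fills it with 0xAA, the byte glibc writes over freed blocks when MALLOC_PERTURB_ is in effect, which is also what the 0xaaaaaaaaaaaaaaaa pointer in the backtrace above is consistent with. With the extra ref, the slot outlives its pane and the callback reads poisoned memory; without it, the slot's dispose removes the pending timeout and the callback never runs.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

#define PANE_MAGIC  0x50414E45u /* arbitrary "alive" marker for a pane (constructed) */
#define POISON      0xAA        /* fill byte for a destroyed pane, mimicking MALLOC_PERTURB_ */
#define MAX_SOURCES 4

typedef struct Pane Pane;
typedef struct Slot {
    int   refcount;
    Pane *pane;               /* unowned back-pointer, deliberately not ref'd */
    int   status_timeout_id;  /* 0 when no timeout is pending */
} Slot;
struct Pane {
    unsigned magic;
    Slot    *slot;            /* one child slot is enough for the demo */
};

/* Toy main loop: a small table of pending timeout sources (hypothetical). */
typedef struct { int id; Slot *slot; bool holds_ref; bool active; } Source;
static Source sources[MAX_SOURCES];
static int next_source_id = 1;

static int timeout_add(Slot *slot, bool holds_ref) {
    for (int i = 0; i < MAX_SOURCES; i++) {
        if (sources[i].active) continue;
        sources[i] = (Source){ next_source_id++, slot, holds_ref, true };
        return sources[i].id;
    }
    abort();
}
static void source_remove(int id) {
    for (int i = 0; i < MAX_SOURCES; i++)
        if (sources[i].active && sources[i].id == id) sources[i].active = false;
}

static Slot *slot_new(Pane *pane) {
    Slot *s = calloc(1, sizeof *s);
    s->refcount = 1;
    s->pane = pane;
    return s;
}
static void slot_ref(Slot *s) { s->refcount++; }
static void slot_unref(Slot *s) {
    if (--s->refcount > 0) return;
    if (s->status_timeout_id) source_remove(s->status_timeout_id); /* dispose kills the timeout */
    free(s);
}

static Pane *pane_new(void) {
    Pane *p = calloc(1, sizeof *p);
    p->magic = PANE_MAGIC;
    p->slot = slot_new(p);
    return p;
}
/* Pane teardown: drop the child slot (assumed to be its last ref), then "free" the pane.
 * The block is kept and poisoned so a later access is detectable, not undefined. */
static void pane_destroy(Pane *p) {
    Slot *child = p->slot;
    p->slot = NULL;
    slot_unref(child);
    memset(p, POISON, sizeof *p);
}

/* Stand-in for the timeout callback: reads through slot->pane like the real one.
 * Returns 0 if the pane is alive, -1 if it read poisoned (destroyed) memory. */
static int set_status_timeout_cb(Slot *slot) {
    int outcome = (slot->pane->magic == PANE_MAGIC) ? 0 : -1;
    slot->status_timeout_id = 0;
    return outcome;
}
/* hold_ref=true reproduces the extraneous self-ref the patch removes. */
static void set_floating_bar_status(Slot *slot, bool hold_ref) {
    if (hold_ref) slot_ref(slot);
    slot->status_timeout_id = timeout_add(slot, hold_ref);
}
static int dispatch_pending(void) {
    int worst = 0;
    for (int i = 0; i < MAX_SOURCES; i++) {
        if (!sources[i].active) continue;
        sources[i].active = false;
        if (set_status_timeout_cb(sources[i].slot) < 0) worst = -1;
        if (sources[i].holds_ref) slot_unref(sources[i].slot); /* callback drops the timeout's ref */
    }
    return worst;
}

/* Returns -1 if the callback ran against a destroyed pane, 0 otherwise. */
int run_scenario(bool buggy) {
    Pane *pane = pane_new();
    set_floating_bar_status(pane->slot, buggy);
    pane_destroy(pane);         /* the window goes away while the timeout is still pending */
    int result = dispatch_pending();
    free(pane);                 /* release the quarantined block */
    return result;
}

int main(void) {
    printf("ref held across timeout: %s\n", run_scenario(true)  < 0 ? "callback touched a destroyed pane" : "ok");
    printf("no extra ref (patched):  %s\n", run_scenario(false) < 0 ? "callback touched a destroyed pane" : "ok");
    return 0;
}
```

The point the model makes is the one in the comment: a ref that keeps a child alive past its parent is only safe if the child's back-pointer is owned too; otherwise the safer fix is the one the patch takes, dropping the ref and relying on dispose to cancel the source. A source-removal-in-dispose check like the one in slot_unref is also what makes the patched run terminate cleanly with no leaked source.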
Comment 3 Cosimo Cecchi 2012-02-29 04:53:16 UTC
Review of attachment 208589:

Thanks, I think your analysis is right.
Comment 4 Cosimo Cecchi 2012-03-05 17:05:42 UTC
Pushed this to master now.
Comment 5 Cosimo Cecchi 2012-08-01 18:36:47 UTC
*** Bug 670648 has been marked as a duplicate of this bug. ***