https://bugzilla.xfce.org/show_bug.cgi?id=14122
afdw <[email protected]> changed:

What | Removed | Added
----------------------------------------------------------------------------
CC   |         | [email protected]

--- Comment #1 from afdw <[email protected]> ---

I think I have finally understood the problem here. I suppose it is a use after free. So here is what I think happens:

1. The Queue method of Tumbler is called: https://gitlab.xfce.org/xfce/thunar/-/blob/112a0753c90a0fe5259f540cf0d6b5fc262bca82/thunar/thunar-thumbnailer.c#L475
2. It returns 0, which is wrong.
3. This causes the `job->handle` field to remain at 0: https://gitlab.xfce.org/xfce/thunar/-/blob/112a0753c90a0fe5259f540cf0d6b5fc262bca82/thunar/thunar-thumbnailer.c#L350
4. Next, some other job starts, but does not receive a handle yet. This results in 2 jobs having their `job->handle` field set to 0.
5. During this time, the job with handle 0 finishes executing, so it gets deallocated (the `handle` function argument here is 0): https://gitlab.xfce.org/xfce/thunar/-/blob/112a0753c90a0fe5259f540cf0d6b5fc262bca82/thunar/thunar-thumbnailer.c#L873 But instead of the real job with handle 0, the one started in step 4 is found (the one without a handle assigned), so it gets deallocated.
6. Enqueuing of the second job finally finishes: https://gitlab.xfce.org/xfce/thunar/-/blob/112a0753c90a0fe5259f540cf0d6b5fc262bca82/thunar/thunar-thumbnailer.c#L327 But this job was already deallocated in step 4.
7. So already freed memory is accessed and everything goes wrong.

I am not sure if these steps are exactly correct.
Here is how it looks in the debugger: after setting these breakpoints in GDB (line numbers as of Thunar commit 112a0753c90a0fe5259f540cf0d6b5fc262bca82):

> break thunar-thumbnailer.c:330
> command
> silent
> printf "thunar_thumbnailer_queue_async_reply: %p\n", job
> continue
> end
> break thunar-thumbnailer.c:865
> command
> silent
> printf "thunar_thumbnailer_thumbnailer_finished: %p %d\n", job, job->handle
> continue
> end
> break thunar-thumbnailer.c:306
> command
> silent
> printf "thunar_thumbnailer_free_job: %p\n", job
> continue
> end

This is a possible output:

> thunar_thumbnailer_thumbnailer_finished: 0x555555a12e40 0
> thunar_thumbnailer_free_job: 0x555555a12e40
> thunar_thumbnailer_queue_async_reply: 0x555555a12e40
>
> (thunar:1339130): GLib-GObject-WARNING **: 00:09:57.296: invalid uninstantiatable type '(null)' in cast to 'ThunarThumbnailer'
>
> (thunar:1339130): thunar-CRITICAL **: 00:09:57.296: thunar_thumbnailer_queue_async_reply: assertion '(((__extension__ ({ GTypeInstance *__inst = (GTypeInstance*) ((thumbnailer)); GType __t = ((thunar_thumbnailer_get_type ())); gboolean __r; if (!__inst) __r = (0); else if (__inst->g_class && __inst->g_class->g_type == __t) __r = (!(0)); else __r = g_type_check_instance_is_a (__inst, __t); __r; }))))' failed

I am not really sure how to reproduce the issue, but what I did was repetitively navigating between folders with many files in Thunar and terminating Tumbler; this way the chance of reproducing was fairly high.

I think that just making Tumbler follow the specification should be enough to fix this issue, so here is the bug report (fix included): https://bugzilla.xfce.org/show_bug.cgi?id=16814

Hopefully, all of this makes some sense.

--
You are receiving this mail because: You are the assignee for the bug.
_______________________________________________
Xfce-bugs mailing list
[email protected]
https://mail.xfce.org/mailman/listinfo/xfce-bugs
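The handle collision described in the comment above, as an added model that is not Thunar's or Tumbler's code: a job list where handle 0 also means "Queue reply not received yet", a naive lookup that a "finished" signal for handle 0 steers onto the still-pending job, and the two checks on the consumer side (reject a handle of 0 from the Queue reply, and never match an unassigned job) that keep that job from being freed early. The Job struct, list ordering and ids are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the job bookkeeping described in the comment above;
 * it is not Thunar's code. As in the report, handle 0 doubles as
 * "Queue reply not received yet", which is what makes the collision possible. */
typedef struct {
    int id;          /* constructed label, only used by the checks below */
    unsigned handle; /* 0 = no handle assigned yet */
} Job;

/* Naive lookup on the "finished" signal: matches on the handle alone, so a
 * signal carrying handle 0 can match a job that is merely awaiting its reply. */
Job *find_job_naive(Job *jobs, size_t n, unsigned handle) {
    for (size_t i = 0; i < n; i++)
        if (jobs[i].handle == handle)
            return &jobs[i];
    return NULL;
}

/* Hardened lookup: 0 is never a valid handle, so refuse it and skip any job
 * whose handle has not been assigned; the caller then frees nothing. */
Job *find_job_checked(Job *jobs, size_t n, unsigned handle) {
    if (handle == 0)
        return NULL;
    for (size_t i = 0; i < n; i++)
        if (jobs[i].handle != 0 && jobs[i].handle == handle)
            return &jobs[i];
    return NULL;
}

/* Guard for the Queue reply: a thumbnailer answering 0 violates the spec,
 * so the job should be failed or cancelled instead of stored with handle 0. */
bool accept_queue_reply(Job *job, unsigned handle) {
    if (handle == 0)
        return false;
    job->handle = handle;
    return true;
}

/* Replays the race from the comment: job 1 was given handle 0 by a
 * misbehaving thumbnailer, job 2 is queued but has no reply yet, then
 * "finished" arrives for handle 0. The pending job is placed first so the
 * naive search hits it (constructed ordering; the real list order decides
 * which job a plain search finds). Returns the id of the job the lookup
 * would free, or -1 for "none". */
int replay_finished_for_handle_zero(bool hardened) {
    Job jobs[2] = { { 2, 0 }, { 1, 0 } };
    Job *hit = hardened ? find_job_checked(jobs, 2, 0)
                        : find_job_naive(jobs, 2, 0);
    return hit ? hit->id : -1;
}
```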
