Use-after-free when hiding hidden items with side pane tree visible

Version information

6651aa3a on Arch Linux

Steps to reproduce

  1. thunar ~
  2. Make sure View > Side Pane > Tree is checked
  3. Make sure View > Show Hidden Files is checked
  4. Toggle View > Show Hidden Files to hide hidden files

Current behavior

Memory errors in valgrind and ASan

Expected outcome

No memory errors

Backtrace

ERROR: AddressSanitizer: heap-use-after-free on address 0x504000813430 at pc 0x789b5a5de9c8 bp 0x7ffea7500d50 sp 0x7ffea7500d48
READ of size 8 at 0x504000813430 thread T0
    #0 0x789b5a5de9c7 in g_node_traverse_pre_order glib/gnode.c:500:21
    #1 0x789b5a5de97a in g_node_traverse_pre_order glib/gnode.c:507:8
    #2 0x789b5a5de97a in g_node_traverse_pre_order glib/gnode.c:507:8
    #3 0x6434e5d80d3d in thunar_tree_model_refilter thunar/thunar/thunar-tree-model.c:1872:3
    #4 0x6434e5da9687 in thunar_tree_view_set_show_hidden thunar/thunar/thunar-tree-view.c:1992:7
    #5 0x6434e5da3523 in thunar_tree_view_set_property thunar/thunar/thunar-tree-view.c:515:7
    #6 0x789b5a787c59 in object_set_property gobject/gobject.c:2172:7
    #7 0x789b5a78764f in g_object_setv gobject/gobject.c:3083:7
    #8 0x789b5a78ab76 in g_object_set_property gobject/gobject.c:3383:3
    #9 0x789b5a768372 in on_source_notify gobject/gbinding.c:553:7
    #10 0x789b5a775d30 in g_closure_invoke gobject/gclosure.c:833:7
    #11 0x789b5a7b012e in signal_emit_unlocked_R gobject/gsignal.c:3887:8
    #12 0x789b5a7ad98c in signal_emit_valist_unlocked gobject/gsignal.c:3519:7
    #13 0x789b5a7ae910 in g_signal_emit_valist gobject/gsignal.c:3262:7
    #14 0x789b5a7ae910 in g_signal_emit gobject/gsignal.c:3582:3
    #15 0x789b5a791099 in g_object_dispatch_properties_changed gobject/gobject.c:1819:5
    #16 0x789b5a78468b in g_object_notify_by_spec_internal gobject/gobject.c:1924:11
    #17 0x6434e5d9eed2 in thunar_tree_pane_set_show_hidden thunar/thunar/thunar-tree-pane.c:277:7
    #18 0x6434e5cf44e6 in thunar_side_pane_set_show_hidden thunar/thunar/thunar-side-pane.c:117:5
    #19 0x6434e5e4a2f8 in thunar_window_action_show_hidden thunar/thunar/thunar-window.c:4892:5
[...snip...]

0x504000813430 is located 32 bytes inside of 40-byte region [0x504000813410,0x504000813438)
freed by thread T0 here:
    #0 0x6434e59beaf2 in free.part.0 (/usr/asan/bin/thunar+0x497af2)
    #1 0x789b5a5dd55c in g_nodes_free glib/gnode.c:86:7
    #2 0x6434e5d81ebf in thunar_tree_model_node_traverse_visible thunar/thunar/thunar-tree-model.c:1732:11
    #3 0x789b5a5de931 in g_node_traverse_pre_order glib/gnode.c:497:4
    #4 0x789b5a5de97a in g_node_traverse_pre_order glib/gnode.c:507:8
    #5 0x789b5a5de97a in g_node_traverse_pre_order glib/gnode.c:507:8
    #6 0x6434e5d80d3d in thunar_tree_model_refilter thunar/thunar/thunar-tree-model.c:1872:3
    #7 0x6434e5da9687 in thunar_tree_view_set_show_hidden thunar/thunar/thunar-tree-view.c:1992:7
    #8 0x6434e5da3523 in thunar_tree_view_set_property thunar/thunar/thunar-tree-view.c:515:7
    #9 0x789b5a787c59 in object_set_property gobject/gobject.c:2172:7
    #10 0x789b5a78764f in g_object_setv gobject/gobject.c:3083:7
    #11 0x789b5a78ab76 in g_object_set_property gobject/gobject.c:3383:3
    #12 0x789b5a768372 in on_source_notify gobject/gbinding.c:553:7
    #13 0x789b5a775d30 in g_closure_invoke gobject/gclosure.c:833:7
    #14 0x789b5a7b012e in signal_emit_unlocked_R gobject/gsignal.c:3887:8
    #15 0x789b5a7ad98c in signal_emit_valist_unlocked gobject/gsignal.c:3519:7
    #16 0x789b5a7ae910 in g_signal_emit_valist gobject/gsignal.c:3262:7
    #17 0x789b5a7ae910 in g_signal_emit gobject/gsignal.c:3582:3
    #18 0x789b5a791099 in g_object_dispatch_properties_changed gobject/gobject.c:1819:5
    #19 0x789b5a78468b in g_object_notify_by_spec_internal gobject/gobject.c:1924:11
    #20 0x6434e5d9eed2 in thunar_tree_pane_set_show_hidden thunar/thunar/thunar-tree-pane.c:277:7
    #21 0x6434e5cf44e6 in thunar_side_pane_set_show_hidden thunar/thunar/thunar-side-pane.c:117:5
    #22 0x6434e5e4a2f8 in thunar_window_action_show_hidden thunar/thunar/thunar-window.c:4892:5
[...snip...]

previously allocated by thread T0 here:
    #0 0x6434e59bfa99 in malloc (/usr/asan/bin/thunar+0x498a99)
    #1 0x789b5a5d5062 in g_malloc glib/gmem.c:100:13
    #2 0x789b5a5dd123 in g_node_new glib/gnode.c:73:17
    #3 0x6434e5d82915 in thunar_tree_model_node_traverse_visible thunar/thunar/thunar-tree-model.c:1751:32
    #4 0x789b5a5de931 in g_node_traverse_pre_order glib/gnode.c:497:4
    #5 0x789b5a5de97a in g_node_traverse_pre_order glib/gnode.c:507:8
    #6 0x6434e5d80d3d in thunar_tree_model_refilter thunar/thunar/thunar-tree-model.c:1872:3
    #7 0x6434e5da9687 in thunar_tree_view_set_show_hidden thunar/thunar/thunar-tree-view.c:1992:7
    #8 0x6434e5da3523 in thunar_tree_view_set_property thunar/thunar/thunar-tree-view.c:515:7
    #9 0x789b5a787c59 in object_set_property gobject/gobject.c:2172:7
    #10 0x789b5a78764f in g_object_setv gobject/gobject.c:3083:7
    #11 0x789b5a78ab76 in g_object_set_property gobject/gobject.c:3383:3
    #12 0x789b5a768372 in on_source_notify gobject/gbinding.c:553:7
    #13 0x789b5a775d30 in g_closure_invoke gobject/gclosure.c:833:7
    #14 0x789b5a7b012e in signal_emit_unlocked_R gobject/gsignal.c:3887:8
    #15 0x789b5a7ad98c in signal_emit_valist_unlocked gobject/gsignal.c:3519:7
    #16 0x789b5a7ae910 in g_signal_emit_valist gobject/gsignal.c:3262:7
    #17 0x789b5a7ae910 in g_signal_emit gobject/gsignal.c:3582:3
    #18 0x789b5a791099 in g_object_dispatch_properties_changed gobject/gobject.c:1819:5
    #19 0x789b5a78468b in g_object_notify_by_spec_internal gobject/gobject.c:1924:11
    #20 0x6434e5d9eed2 in thunar_tree_pane_set_show_hidden thunar/thunar/thunar-tree-pane.c:277:7
    #21 0x6434e5cf44e6 in thunar_side_pane_set_show_hidden thunar/thunar/thunar-side-pane.c:117:5
    #22 0x6434e5e4a2f8 in thunar_window_action_show_hidden thunar/thunar/thunar-window.c:4892:5
[...snip...]
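
Added example (not part of the original report, and not Thunar or GLib code): the trace above shows a node freed inside the traversal callback and then read by the same g_node_traverse_pre_order walk. The sketch below shows the deferred-removal pattern that avoids this class of bug. The Node type and every function name are constructed for illustration.

```c
#include <stdlib.h>
/* Minimal stand-in for a GNode-style tree (constructed, not GLib's type). */
typedef struct Node {
    int hidden;                              /* 1 = remove on refilter */
    struct Node *next, *parent, *children, *pending; /* pending: deferred list */
} Node;

static Node *node_add(Node *parent, int hidden) {
    Node *n = calloc(1, sizeof *n);
    if (!n) abort();
    n->hidden = hidden;
    n->parent = parent;
    if (parent) { n->next = parent->children; parent->children = n; }
    return n;
}
/* Pre-order walk: reads node->children and c->next after fn() returns. */
static void traverse(Node *node, void (*fn)(Node *, void *), void *data) {
    fn(node, data);
    for (Node *c = node->children; c; c = c->next)
        traverse(c, fn, data);
}
/* Phase 1, inside the walk: record the node and change nothing in the tree. */
static void collect_hidden(Node *n, void *data) {
    Node **head = data;
    if (!n->hidden || !n->parent) return;    /* the root is never removed */
    n->pending = *head;                      /* LIFO: descendants come out first */
    *head = n;
}

static void free_subtree(Node *n) {
    for (Node *c = n->children, *next; c; c = next) {
        next = c->next;                      /* save before c is freed */
        free_subtree(c);
    }
    free(n);
}
/* Phase 2, after the walk: unlink and free. Returns hidden nodes removed. */
static size_t refilter(Node *root) {
    Node *head = NULL;
    size_t removed = 0;
    traverse(root, collect_hidden, &head);
    for (; head; removed++) {
        Node *n = head, **pp = &n->parent->children;
        head = n->pending;
        while (*pp != n) pp = &(*pp)->next;  /* find n's slot among siblings */
        *pp = n->next;
        free_subtree(n);
    }
    return removed;
}
```

Because the pending list is last-in-first-out, a hidden node nested under another hidden node is unlinked before its ancestor's subtree is freed, so nothing is freed twice.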