Use-after-free when closing window with multiple search tabs open
Version information
9e3a2c95 compiled on Arch Linux
Steps to reproduce
mkdir empty
thunar empty
- Press Ctrl + f to activate search
- Press Ctrl + t to open a new tab
- Press Ctrl + f to activate search in the new tab
- Switch back to the first tab
- Press Ctrl + q and select 'Close Window' to trigger a use-after-free
Current behavior
A use-after-free is detected by ASan
Expected outcome
No memory errors
Backtrace
ERROR: AddressSanitizer: heap-use-after-free on address 0x5030008295a0 at pc 0x7944bf88d319 bp 0x7ffc45c99250 sp 0x7ffc45c99240
READ of size 8 at 0x5030008295a0 thread T0
#0 0x7944bf88d318 in gtk_notebook_real_switch_page gtk/gtknotebook.c:6219
#1 0x7944bf53e81d in _gtk_marshal_VOID__OBJECT_UINT gtk/gtkmarshalers.c:6497
#2 0x7944c0f5a850 in g_type_class_meta_marshal gobject/gclosure.c:1034
#3 0x7944c0f62d09 in g_closure_invoke gobject/gclosure.c:833
#4 0x7944c0fb7bb4 in signal_emit_unlocked_R gobject/gsignal.c:3942
#5 0x7944c0fbca23 in signal_emit_valist_unlocked gobject/gsignal.c:3534
#6 0x7944c0fcb2d3 in g_signal_emit_valist gobject/gsignal.c:3277
#7 0x7944c0fcb3fc in g_signal_emit gobject/gsignal.c:3597
#8 0x7944bf88bc3a in gtk_notebook_switch_page gtk/gtknotebook.c:6265
#9 0x7944bf898dae in gtk_notebook_set_current_page gtk/gtknotebook.c:6848
#10 0x5c75ee6c2bf0 in thunar_window_notebook_set_current_tab thunar/thunar-window.c:3221
#11 0x5c75ee6c3f6a in thunar_window_switch_current_view thunar/thunar-window.c:2528
#12 0x5c75ee6c4e63 in thunar_window_notebook_switch_page thunar/thunar-window.c:2552
#13 0x5c75ee6c50f7 in thunar_window_notebook_select_current_page thunar/thunar-window.c:2985
#14 0x5c75ee6d1562 in thunar_window_notebook_page_removed thunar/thunar-window.c:2673
[...snip...]
0x5030008295a0 is located 0 bytes inside of 24-byte region [0x5030008295a0,0x5030008295b8)
freed by thread T0 here:
#0 0x7944c24fc102 in free /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:52
#1 0x7944c06c9bad in g_free_sized glib/gmem.c:238
#2 0x7944c072eb5d in g_slice_free_chain_with_offset glib/gslice.c:315
#3 0x7944c0692710 in g_list_free glib/glist.c:112
#4 0x7944bf88f3d3 in gtk_notebook_real_remove gtk/gtknotebook.c:5114
#5 0x7944bf88f3d3 in gtk_notebook_remove gtk/gtknotebook.c:4260
#6 0x7944c0f72829 in g_cclosure_marshal_VOID__OBJECTv gobject/gmarshal.c:1910
#7 0x7944c0f5a263 in g_type_class_meta_marshalv gobject/gclosure.c:1061
#8 0x7944c0f638ee in _g_closure_invoke_va gobject/gclosure.c:896
#9 0x7944c0fba74f in signal_emit_valist_unlocked gobject/gsignal.c:3438
#10 0x7944c0fcb2d3 in g_signal_emit_valist gobject/gsignal.c:3277
#11 0x7944c0fcb3fc in g_signal_emit gobject/gsignal.c:3597
#12 0x7944bf65569a in gtk_container_remove gtk/gtkcontainer.c:1907
#13 0x7944bfb36702 in gtk_widget_dispose gtk/gtkwidget.c:12173
#14 0x5c75ee63e4d5 in thunar_standard_view_dispose thunar/thunar-standard-view.c:1119
[...snip...]
previously allocated by thread T0 here:
#0 0x7944c24fd721 in malloc /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7944c06c9abd in g_malloc glib/gmem.c:100
#2 0x7944c072e9e8 in g_slice_alloc glib/gslice.c:193
#3 0x7944c0694963 in g_list_insert glib/glist.c:299
#4 0x7944bf898490 in gtk_notebook_real_insert_page gtk/gtknotebook.c:4799
#5 0x7944bf897307 in gtk_notebook_insert_page_menu gtk/gtknotebook.c:6654
#6 0x7944bf897d42 in gtk_notebook_insert_page gtk/gtknotebook.c:6583
#7 0x5c75ee6b8811 in thunar_window_notebook_insert_page thunar/thunar-window.c:2963
#8 0x5c75ee6c69b5 in thunar_window_replace_view thunar/thunar-window.c:4371
#9 0x5c75ee6c6e57 in thunar_window_action_view_changed thunar/thunar-window.c:4403
#10 0x5c75ee6c70fe in thunar_window_reset_view_type_idle thunar/thunar-window.c:3653
#11 0x5c75ee6c7610 in thunar_window_delete thunar/thunar-window.c:1889
#12 0x5c75ee6c81a0 in thunar_window_action_close_window thunar/thunar-window.c:3887
[...snip...]
Additional information
This bug report was spun off from #1454 (comment 94422)
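
As an added example (not part of the original report and not Thunar's own code), the Python helper below splits an ASan heap report into its use, free and allocation stacks and picks the innermost frame under `thunar/` in each, which is usually the first thing to establish when triaging a report like this one. The embedded text is a shortened excerpt of the backtrace above; the names `parse_asan`, `first_app_frame` and `triage` are illustrative.

```python
import re

# Shortened excerpt of the ASan report above (frames copied from the page).
REPORT = """\
ERROR: AddressSanitizer: heap-use-after-free on address 0x5030008295a0 at pc 0x7944bf88d319 bp 0x7ffc45c99250 sp 0x7ffc45c99240
READ of size 8 at 0x5030008295a0 thread T0
#0 0x7944bf88d318 in gtk_notebook_real_switch_page gtk/gtknotebook.c:6219
#10 0x5c75ee6c2bf0 in thunar_window_notebook_set_current_tab thunar/thunar-window.c:3221
#14 0x5c75ee6d1562 in thunar_window_notebook_page_removed thunar/thunar-window.c:2673
0x5030008295a0 is located 0 bytes inside of 24-byte region [0x5030008295a0,0x5030008295b8)
freed by thread T0 here:
#3 0x7944c0692710 in g_list_free glib/glist.c:112
#14 0x5c75ee63e4d5 in thunar_standard_view_dispose thunar/thunar-standard-view.c:1119
previously allocated by thread T0 here:
#3 0x7944c0694963 in g_list_insert glib/glist.c:299
#7 0x5c75ee6b8811 in thunar_window_notebook_insert_page thunar/thunar-window.c:2963
"""

FRAME = re.compile(r"#\d+ 0x[0-9a-f]+ in (\S+) (\S+?):(\d+)")
HEADERS = (("use", re.compile(r"(READ|WRITE) of size \d+")),
           ("free", re.compile(r"freed by thread")),
           ("alloc", re.compile(r"previously allocated by thread")))

def parse_asan(report):
    """Return (info, stacks): error kind/region size and the three stacks."""
    info, stacks, current = {}, {}, None
    for line in report.splitlines():
        line = line.strip()  # real ASan output indents its frames
        if m := re.search(r"AddressSanitizer: (\S+) on address", line):
            info["kind"] = m.group(1)
        if m := re.search(r"inside of (\d+)-byte region", line):
            info["region_size"] = int(m.group(1))
        for name, pat in HEADERS:
            if pat.match(line):  # a header line starts a new stack
                current = name
                stacks[name] = []
        if (m := FRAME.match(line)) and current:
            stacks[current].append((m.group(1), m.group(2), int(m.group(3))))
    return info, stacks

def first_app_frame(stack, prefix="thunar/"):
    """Innermost frame whose source path lies in the application tree."""
    return next((f for f in stack if f[1].startswith(prefix)), None)

def triage(report):
    """Summarise where the application used, freed and allocated the object."""
    info, stacks = parse_asan(report)
    return info, {name: first_app_frame(s) for name, s in stacks.items()}
```
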