Use-after-free when rename job races with folder monitor

Version information

27c1c796 compiled on Arch Linux

Steps to reproduce

I haven't been able to reproduce this issue.

I think I was renaming folders similar to this:

  • .ssh -> .ssh_gh
  • .ssh_xfce -> .ssh

I'm running Thunar with ASan + UBSan instrumentation inside of a virtual machine, so weird thread interleavings are possible.

Current behavior

A use-after-free is triggered.

Expected outcome

No memory errors

Backtrace

ERROR: AddressSanitizer: heap-use-after-free on address 0x7be1b160ac70 at pc 0x7fc1b7aff8c1 bp 0x7bc1ab0e0250 sp 0x7bc1ab0e0248
READ of size 1 at 0x7be1b160ac70 thread T19
    #0 0x7fc1b7aff8c0 in g_path_is_absolute glib/glib/gfileutils.c:2476:7
    #1 0x7fc1b15cc168 in canonicalize_filename gvfs/metadata/metatree.c:2669:8
    #2 0x7fc1b15ca673 in expand_parents gvfs/metadata/metatree.c:3290:15
    #3 0x7fc1b15ca673 in meta_lookup_cache_lookup_path gvfs/metadata/metatree.c:3356:14
    #4 0x7fc1b15b7624 in g_daemon_vfs_local_file_moved gvfs/client/gdaemonvfs.c:1388:11
    #5 0x7fc1b8ab1106 in g_local_file_set_display_name glib/gio/glocalfile.c:1223:5
    #6 0x7fc1b875af80 in g_file_set_display_name glib/gio/gfile.c:4922:10
    #7 0x55cf81ac78ce in thunar_file_rename thunar/thunar/thunar-file.c:2017:18
    #8 0x55cf81b08fe2 in _thunar_io_jobs_rename thunar/thunar/thunar-io-jobs.c:1464:7
    #9 0x55cf81bc1199 in thunar_simple_job_execute thunar/thunar/thunar-simple-job.c:121:13
    #10 0x55cf81b1608a in thunar_job_scheduler_job_func thunar/thunar/thunar-job.c:458:13
    #11 0x7fc1b87c0d12 in io_job_thread glib/gio/gioscheduler.c:75:16
    #12 0x7fc1b88960d1 in g_task_thread_pool_thread glib/gio/gtask.c:1585:3
    #13 0x7fc1b7c47235 in g_thread_pool_thread_proxy glib/glib/gthreadpool.c:336:15
    #14 0x7fc1b7c40a7e in g_thread_proxy glib/glib/gthread.c:893:20
    #15 0x7fc1b8e9d0fc in asan_thread_start /usr/src/debug/compiler-rt/compiler-rt-20.1.6.src/lib/asan/asan_interceptors.cpp:239:43
    #16 0x7fc1b56d57ea in start_thread /usr/src/debug/glibc/glibc/nptl/pthread_create.c:448:8
    #17 0x7fc1b575918b in __GI___clone3 /usr/src/debug/glibc/glibc/misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

0x7be1b160ac70 is located 0 bytes inside of 16-byte region [0x7be1b160ac70,0x7be1b160ac80)
freed by thread T0 here:
    #0 0x7fc1b8f7205d in free /usr/src/debug/compiler-rt/compiler-rt-20.1.6.src/lib/asan/asan_malloc_linux.cpp:51:3
    #1 0x7fc1b7b98968 in g_free glib/glib/gmem.c:208:3
    #2 0x7fc1b8aafeb3 in g_local_file_finalize glib/gio/glocalfile.c:135:3
    #3 0x7fc1b7f226ae in g_object_unref glib/gobject/gobject.c:4903:3
    #4 0x55cf81abf32b in thunar_file_replace_file thunar/thunar/thunar-file.c:807:3
    #5 0x55cf81ae1d21 in thunar_folder_monitor thunar/thunar/thunar-folder.c:1050:7
    #6 0x7fc1b87cdc68 in _g_cclosure_marshal_VOID__OBJECT_OBJECT_ENUMv glib/gio/gmarshal-internal.c:1382:3
    #7 0x7fc1b7f081ff in _g_closure_invoke_va glib/gobject/gclosure.c:980:7
    #8 0x7fc1b7f74079 in signal_emit_valist_unlocked glib/gobject/gsignal.c:3438:8
    #9 0x7fc1b7f76ac0 in g_signal_emit_valist glib/gobject/gsignal.c:3277:7
    #10 0x7fc1b7f76ac0 in g_signal_emit glib/gobject/gsignal.c:3597:3
    #11 0x7fc1b8795e4f in g_file_monitor_emit_event glib/gio/gfilemonitor.c:307:3
    #12 0x7fc1b8acb361 in g_file_monitor_source_dispatch glib/gio/glocalfilemonitor.c:582:9
    #13 0x7fc1b7b72fbc in g_main_dispatch glib/glib/gmain.c:3524:27
    #14 0x7fc1b7b72fbc in g_main_context_dispatch_unlocked glib/glib/gmain.c:4375:7
    #15 0x7fc1b7b741dd in g_main_context_iterate_unlocked glib/glib/gmain.c:4440:5
    #16 0x7fc1b7b745bb in g_main_context_iteration glib/glib/gmain.c:4505:12
    #17 0x7fc1b894310e in g_application_run glib/gio/gapplication.c:2715:7
    #18 0x55cf81a340ef in main thunar/thunar/main.c:86:3
    #19 0x7fc1b56676b4 in __libc_start_call_main /usr/src/debug/glibc/glibc/csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #20 0x7fc1b5667768 in __libc_start_main /usr/src/debug/glibc/glibc/csu/../csu/libc-start.c:360:3
    #21 0x55cf81a0d964 in _start (/usr/local/bin/thunar+0x308964) (BuildId: 0cceb831450f5fc641aad3c33d917f81c58c406e)

previously allocated by thread T6 here:
    #0 0x7fc1b8f72fc5 in malloc /usr/src/debug/compiler-rt/compiler-rt-20.1.6.src/lib/asan/asan_malloc_linux.cpp:67:3
    #1 0x7fc1b7b98852 in g_malloc glib/glib/gmem.c:100:13
    #2 0x7fc1b7c15fa4 in g_strdup glib/glib/gstrfuncs.c:323:17
    #3 0x7fc1b7b04c75 in g_strdup_inline glib/glib/gstrfuncs.h:321:10
    #4 0x7fc1b7b04c75 in g_canonicalize_filename glib/glib/gfileutils.c:2838:15
    #5 0x7fc1b8aac799 in _g_local_file_new glib/gio/glocalfile.c:234:21
    #6 0x7fc1b8ab0c93 in g_local_file_resolve_relative_path glib/gio/glocalfile.c:538:11
    #7 0x7fc1b8747593 in g_file_resolve_relative_path glib/gio/gfile.c:1044:10
    #8 0x7fc1b8747325 in g_file_get_child glib/gio/gfile.c:908:10
    #9 0x55cf81b0d580 in thunar_io_scan_directory thunar/thunar/thunar-io-scan-directory.c:187:24
    #10 0x55cf81b08627 in _thunar_io_jobs_ls thunar/thunar/thunar-io-jobs.c:1364:15
    #11 0x55cf81bc1199 in thunar_simple_job_execute thunar/thunar/thunar-simple-job.c:121:13
    #12 0x55cf81b1608a in thunar_job_scheduler_job_func thunar/thunar/thunar-job.c:458:13
    #13 0x7fc1b87c0d12 in io_job_thread glib/gio/gioscheduler.c:75:16
    #14 0x7fc1b88960d1 in g_task_thread_pool_thread glib/gio/gtask.c:1585:3
    #15 0x7fc1b7c47235 in g_thread_pool_thread_proxy glib/glib/gthreadpool.c:336:15
    #16 0x7fc1b7c40a7e in g_thread_proxy glib/glib/gthread.c:893:20
    #17 0x7fc1b8e9d0fc in asan_thread_start /usr/src/debug/compiler-rt/compiler-rt-20.1.6.src/lib/asan/asan_interceptors.cpp:239:43

Thread T19 created by T1 here:
    #0 0x7fc1b8f69c94 in pthread_create /usr/src/debug/compiler-rt/compiler-rt-20.1.6.src/lib/asan/asan_interceptors.cpp:250:3
    #1 0x7fc1b7c3f134 in g_system_thread_new glib/glib/gthread-posix.c:762:9
    #2 0x7fc1b7c40f69 in g_thread_new_internal glib/glib/gthread.c:997:22
    #3 0x7fc1b7c40f69 in g_thread_try_new glib/glib/gthread.c:981:10
    #4 0x7fc1b7c44202 in g_thread_pool_spawn_thread glib/glib/gthreadpool.c:298:16
    #5 0x7fc1b7c40a7e in g_thread_proxy glib/glib/gthread.c:893:20
    #6 0x7fc1b8e9d0fc in asan_thread_start /usr/src/debug/compiler-rt/compiler-rt-20.1.6.src/lib/asan/asan_interceptors.cpp:239:43

Thread T1 created by T0 here:
    #0 0x7fc1b8f69c94 in pthread_create /usr/src/debug/compiler-rt/compiler-rt-20.1.6.src/lib/asan/asan_interceptors.cpp:250:3
    #1 0x7fc1b7c3f134 in g_system_thread_new glib/glib/gthread-posix.c:762:9
    #2 0x7fc1b7c40dcc in g_thread_new_internal glib/glib/gthread.c:997:22
    #3 0x7fc1b7c40dcc in g_thread_new glib/glib/gthread.c:950:12
    #4 0x7fc1b7c43a7d in g_thread_pool_new_full glib/glib/gthreadpool.c:632:22
    #5 0x7fc1b7c43692 in g_thread_pool_new glib/glib/gthreadpool.c:548:10
    #6 0x7fc1b888d2b6 in g_task_thread_pool_init glib/gio/gtask.c:2413:15
    #7 0x7fc1b888d2b6 in g_task_get_type_once glib/gio/gtask.c:629:1
    #8 0x7fc1b888d154 in g_task_get_type glib/gio/gtask.c:629:1
    #9 0x7fc1b8a4a8a0 in ensure_required_types glib/gio/gdbusprivate.c:255:16
    #10 0x7fc1b8a4a8a0 in _g_dbus_initialize glib/gio/gdbusprivate.c:1994:7
    #11 0x7fc1b89f9757 in g_bus_get_sync glib/gio/gdbusconnection.c:8075:3
    #12 0x7fc1b808fff3 in xfconf_init xfconf/xfconf/xfconf.c:121:13
    #13 0x55cf81a34038 in main thunar/thunar/main.c:67:8
    #14 0x7fc1b56676b4 in __libc_start_call_main /usr/src/debug/glibc/glibc/csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #15 0x7fc1b5667768 in __libc_start_main /usr/src/debug/glibc/glibc/csu/../csu/libc-start.c:360:3
    #16 0x55cf81a0d964 in _start (/usr/local/bin/thunar+0x308964) (BuildId: 0cceb831450f5fc641aad3c33d917f81c58c406e)

Thread T6 created by T1 here:
    #0 0x7fc1b8f69c94 in pthread_create /usr/src/debug/compiler-rt/compiler-rt-20.1.6.src/lib/asan/asan_interceptors.cpp:250:3
    #1 0x7fc1b7c3f134 in g_system_thread_new glib/glib/gthread-posix.c:762:9
    #2 0x7fc1b7c40f69 in g_thread_new_internal glib/glib/gthread.c:997:22
    #3 0x7fc1b7c40f69 in g_thread_try_new glib/glib/gthread.c:981:10
    #4 0x7fc1b7c44202 in g_thread_pool_spawn_thread glib/glib/gthreadpool.c:298:16
    #5 0x7fc1b7c40a7e in g_thread_proxy glib/glib/gthread.c:893:20
    #6 0x7fc1b8e9d0fc in asan_thread_start /usr/src/debug/compiler-rt/compiler-rt-20.1.6.src/lib/asan/asan_interceptors.cpp:239:43
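
The ownership problem the stacks above show (T19 still reading a path string that belonged to a GFile which T0 finalized through thunar_file_replace_file), as a simplified model with one way such a race is closed. This is an added example, not Thunar or GLib code and not a proposed patch; `Loc`, `FileObj` and every function name are hypothetical, and the paths are constructed.

```c
/* Simplified model with hypothetical names; not Thunar or GLib code. */
#include <stdatomic.h>
#include <stdlib.h>
#include <string.h>

typedef struct { atomic_int refs; char *path; } Loc;     /* stands in for a GFile */
typedef struct { atomic_flag lock; Loc *loc; } FileObj;  /* stands in for a ThunarFile */
static int finalized;  /* counts finalize calls so the replay can check them */

static Loc *loc_new(const char *path) {
    Loc *l = malloc(sizeof *l);
    atomic_init(&l->refs, 1);
    l->path = strcpy(malloc(strlen(path) + 1), path);
    return l;
}
static Loc *loc_ref(Loc *l) { atomic_fetch_add(&l->refs, 1); return l; }
static void loc_unref(Loc *l) {
    if (atomic_fetch_sub(&l->refs, 1) == 1) {  /* last reference: finalize */
        free(l->path); free(l); finalized++;
    }
}
static void lock(FileObj *f) { while (atomic_flag_test_and_set(&f->lock)) {} }
static void unlock(FileObj *f) { atomic_flag_clear(&f->lock); }

/* Risky: borrowed pointer. If file_replace_loc() runs before the caller
 * is done with it, the caller reads freed memory. */
static Loc *file_peek_loc(FileObj *f) { return f->loc; }

/* Hardened: the job takes its own reference, under the same lock the
 * replace path holds while swapping the pointer. */
static Loc *file_dup_loc(FileObj *f) {
    lock(f); Loc *l = loc_ref(f->loc); unlock(f);
    return l;
}
/* Monitor path: swap in the new location, drop the holder's old reference. */
static void file_replace_loc(FileObj *f, const char *new_path) {
    Loc *fresh = loc_new(new_path);
    lock(f); Loc *old = f->loc; f->loc = fresh; unlock(f);
    loc_unref(old);
}
/* Replays the interleaving in one thread; returns 1 if the job's own
 * reference kept the old path alive across the replace. */
static int replay_rename_vs_monitor(void) {
    int before = finalized;
    FileObj f = { ATOMIC_FLAG_INIT, loc_new("/home/u/.ssh_xfce") };
    Loc *job = file_dup_loc(&f);            /* rename job starts */
    file_replace_loc(&f, "/home/u/.ssh");   /* monitor event lands mid-job */
    int ok = finalized == before && strcmp(job->path, "/home/u/.ssh_xfce") == 0;
    loc_unref(job);                         /* job done: old Loc is freed only now */
    ok = ok && finalized == before + 1 && strcmp(file_peek_loc(&f)->path, "/home/u/.ssh") == 0;
    loc_unref(f.loc);
    return ok;
}
```

Swapping `file_dup_loc` for `file_peek_loc` in the replay (and dropping the job's unref) reproduces the shape of the report: the old `Loc` is finalized inside `file_replace_loc` while the job still holds its pointer.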