mate-desktop / caja

Caja, the file manager for the MATE desktop
https://mate-desktop.org/

10MB SVG file crashes Caja only by one-clicking it. #1317

Open MarioMey opened 4 years ago

MarioMey commented 4 years ago

Expected behaviour

Caja should not crash

Actual behaviour

Caja crashes (you can see in this video). I don't receive any error message, because when I run it from the console, it gives me the prompt immediately.

Steps to reproduce the behaviour

What I do:

Additional information

This bug was also in Inkscape 1.0alpha by previewing in Open dialog. I reported here but I didn't know that it had been fixed in 1.0beta bug report. Now, the problem is that this bug is also in Caja and I don't understand why. It's an SVG file (it's XML inside) with some masked and embedded images. It's only 10MB but this is what makes the crash. With smaller file, neither Caja nor Inkscape1alpha crash.

Also, I removed (sudo apt-get remove inkscape) Inkscape 0.92 that does not have that bug... but maybe it was doing something there. But no, it didn't fix Caja's issue.

MATE general version

1.20.4

Package version

1.20.4-2~

Linux Distribution

Debian Buster

Link to downstream report of your Distribution

I still don't understand what this means.

sc0w commented 4 years ago

I can open the SVG file with no problems; Caja doesn't crash (Caja 1.22.2 with Debian testing/bullseye).

MarioMey commented 4 years ago

How can I debug Caja?

sc0w commented 4 years ago

you can see what happens in terminal:

$ killall caja && caja

rbuj commented 4 years ago

Getting caja log

To enable Caja debug create ~/caja-debug-log.conf file:

cat << EOF > ~/caja-debug-log.conf
[debug log]
max lines = 1000
enable domains = async;GLog
EOF

To write the debug log to disk immediately, send a SIGUSR1 to Caja:

kill -s SIGUSR1 $(pgrep caja)

To see Caja log:

cat ~/caja-debug-log.txt

Getting caja backtrace

debug info:

apt install build-essential fakeroot gdb
apt build-dep caja
DEB_BUILD_OPTIONS="nostrip noopt" apt source -b caja
apt build-dep libglib2.0-0
DEB_BUILD_OPTIONS="nostrip noopt nocheck nodocs" apt source -b libglib2.0-0
apt install ./*.deb
find . -name "*.deb" -exec apt install --reinstall {} \;

backtrace:

LANG=C sudo gdb -p $(pgrep caja) -ex continue -ex bt

More info: https://wiki.debian.org/HowToGetABacktrace

MarioMey commented 4 years ago

I follow your instructions, but when I try to install debs, it says this:

mario@debian:~$ sudo apt install ./*.deb
[sudo] password for mario: 
Leyendo lista de paquetes... Hecho
Creando árbol de dependencias       
Leyendo la información de estado... Hecho
Nota, seleccionando «caja» en lugar de «./caja_1.20.3-1_amd64.deb»
Nota, seleccionando «caja-common» en lugar de «./caja-common_1.20.3-1_all.deb»
Nota, seleccionando «gir1.2-caja» en lugar de «./gir1.2-caja_1.20.3-1_amd64.deb»
Nota, seleccionando «gir1.2-caja-2.0» en lugar de «./gir1.2-caja-2.0_1.20.3-1_amd64.deb»
Nota, seleccionando «libcaja-extension1» en lugar de «./libcaja-extension1_1.20.3-1_amd64.deb»
Nota, seleccionando «libcaja-extension-dev» en lugar de «./libcaja-extension-dev_1.20.3-1_amd64.deb»
Nota, seleccionando «libcaja-extension-doc» en lugar de «./libcaja-extension-doc_1.20.3-1_all.deb»
Nota, seleccionando «libglib2.0-0» en lugar de «./libglib2.0-0_2.58.3-2+deb10u2_amd64.deb»
Nota, seleccionando «libglib2.0-bin» en lugar de «./libglib2.0-bin_2.58.3-2+deb10u2_amd64.deb»
Nota, seleccionando «libglib2.0-data» en lugar de «./libglib2.0-data_2.58.3-2+deb10u2_all.deb»
Nota, seleccionando «libglib2.0-dev» en lugar de «./libglib2.0-dev_2.58.3-2+deb10u2_amd64.deb»
Nota, seleccionando «libglib2.0-dev-bin» en lugar de «./libglib2.0-dev-bin_2.58.3-2+deb10u2_amd64.deb»
Nota, seleccionando «libglib2.0-doc» en lugar de «./libglib2.0-doc_2.58.3-2+deb10u2_all.deb»
Nota, seleccionando «libglib2.0-tests» en lugar de «./libglib2.0-tests_2.58.3-2+deb10u2_amd64.deb»
caja-common ya está en su versión más reciente (1.20.3-1).
fijado caja-common como instalado manualmente.
libglib2.0-data ya está en su versión más reciente (2.58.3-2+deb10u2).
fijado libglib2.0-data como instalado manualmente.
Paquetes sugeridos:
  meld devhelp
Se instalarán los siguientes paquetes NUEVOS:
  gir1.2-caja libcaja-extension-doc libglib2.0-doc libglib2.0-tests
Se DESACTUALIZARÁN los siguientes paquetes:
  caja gir1.2-caja-2.0 libcaja-extension-dev libcaja-extension1 libglib2.0-0 libglib2.0-bin libglib2.0-dev libglib2.0-dev-bin
0 actualizados, 4 nuevos se instalarán, 8 desactualizados, 0 para eliminar y 0 no actualizados.
Se necesita descargar 0 B/11,9 MB de archivos.
Se utilizarán 59,9 MB de espacio de disco adicional después de esta operación.
¿Desea continuar? [S/n] 

This: Se DESACTUALIZARÁN los siguientes paquetes: caja gir1.2-caja-2.0 libcaja-extension-dev libcaja-extension1 libglib2.0-0 libglib2.0-bin libglib2.0-dev libglib2.0-dev-bin

Should I downgrade all those packets?

MarioMey commented 4 years ago

I was thinking... if instead of installing this downgraded version, I compile last version of mate-desktop with caja? Would it be difficult/dangerous?

Then, I could try if the bug is still there... if yes, I would compile it "in debug mode".

sc0w commented 4 years ago

@MarioMey

I don't understand what you are doing. Which packages are you trying to install?

MarioMey commented 4 years ago

$ killall caja && caja

Only shows "Segment fault".

Then, I follow @rbuj instructions. I don't completely understand every command but I think that it downloads source and compiles it. In this line "apt install ./*.deb", as I understand, it tries to downgrade some packets.

rbuj commented 4 years ago

@MarioMey, to get a suitable backtrace, you can directly install the caja debuginfo package on Debian, instead of building it from source.

MarioMey commented 4 years ago

@rbuj Ok, I installed debuginfo package and I followed instructions. But caja does something that I don't understand why. When I launch caja, I get the prompt again. So, when caja crashes, I don't even receive a "segment fault" message. Now, I'm trying to use gdb and, when I run caja, it automatically returns to the gdb prompt. This:

mario@debian:~$ gdb caja
GNU gdb (Debian 8.2.1-2+b3) 8.2.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from caja...Reading symbols from /usr/lib/debug/.build-id/63/a79014c06c6251521c5d2ab1aa7669a351280a.debug...done.
done.
(gdb) set pagination 0
(gdb) run --no-desktop --browser
Starting program: /usr/bin/caja --no-desktop --browser
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ffff2387700 (LWP 10197)]
[New Thread 0x7ffff1b66700 (LWP 10198)]
[New Thread 0x7ffff12ed700 (LWP 10199)]
[Thread 0x7ffff12ed700 (LWP 10199) exited]
[Thread 0x7ffff1b66700 (LWP 10198) exited]
[Thread 0x7ffff2387700 (LWP 10197) exited]
[Inferior 1 (process 10193) exited normally]
(gdb) 

Now, I make caja crash... and nothing happens in the gdb prompt. I do "bt" and it says "No stack.". I don't know what to do.

Also, I can't run caja from Terminator, I don't know why. I had to use mate-terminal to run gdb and caja.

MarioMey commented 4 years ago

Well, I could debug it with gdb, I get:

mario@debian:~$ gdb -p $(pgrep caja)
GNU gdb (Debian 8.2.1-2+b3) 8.2.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word".
Attaching to process 6689
[New LWP 6690]
[New LWP 6691]
[New LWP 6693]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
0x00007fecd0cbe819 in __GI___poll (fds=0x563b35f6d7f0, nfds=5, timeout=-1)
    at ../sysdeps/unix/sysv/linux/poll.c:29
29  ../sysdeps/unix/sysv/linux/poll.c: No existe el fichero o el directorio.
(gdb) continue
Continuing.
[New Thread 0x7fecb77fe700 (LWP 6807)]
[New Thread 0x7fecc771b700 (LWP 6808)]
[New Thread 0x7fecb67fc700 (LWP 6809)]
[New Thread 0x7fecb5ffb700 (LWP 6810)]
[Thread 0x7fecb67fc700 (LWP 6809) exited]
[Thread 0x7fecc771b700 (LWP 6808) exited]
[Thread 0x7fecb77fe700 (LWP 6807) exited]
[New Thread 0x7fecb77fe700 (LWP 6811)]
[New Thread 0x7fecb67fc700 (LWP 6812)]
[New Thread 0x7fecc771b700 (LWP 6813)]
[Thread 0x7fecc771b700 (LWP 6813) exited]
[Thread 0x7fecb67fc700 (LWP 6812) exited]
[Thread 0x7fecb77fe700 (LWP 6811) exited]
[New Thread 0x7fecb77fe700 (LWP 6814)]
[Thread 0x7fecb77fe700 (LWP 6814) exited]

Thread 1 "caja" received signal SIGSEGV, Segmentation fault.
0x00007fecc66492c0 in ?? ()
   from /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
(gdb) Quit
(gdb) bt
#0  0x00007fecc66492c0 in  ()
    at /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
#1  0x00007fecd17f7b80 in gdk_pixbuf_loader_write ()
    at /lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0
#2  0x0000563b3432a535 in get_pixbuf_for_content
    (file_contents=0x7fecb47fa010 "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?>\n<!-- Created with Inkscape (http://www.inkscape.org/) -->\n\n<svg\n   xmlns:dc=\"http://purl.org/dc/elements/1.1/\"\n   xmlns:cc=\"http://creativecommon"..., file_len=13484610)
    at caja-directory-async.c:4268
#3  0x0000563b3432a535 in thumbnail_read_callback
    (source_object=<optimized out>, res=<optimized out>, user_data=0x563b36db20d0)
    at caja-directory-async.c:4324
#4  0x00007fecd16c9799 in  () at /lib/x86_64-linux-gnu/libgio-2.0.so.0
#5  0x00007fecd16ca216 in  () at /lib/x86_64-linux-gnu/libgio-2.0.so.0
#6  0x00007fecd1681622 in  () at /lib/x86_64-linux-gnu/libgio-2.0.so.0
#7  0x00007fecd169d9cd in  () at /lib/x86_64-linux-gnu/libgio-2.0.so.0
#8  0x00007fecd16c9799 in  () at /lib/x86_64-linux-gnu/libgio-2.0.so.0
#9  0x00007fecd16c97d9 in  () at /lib/x86_64-linux-gnu/libgio-2.0.so.0
#10 0x00007fecd14fddd8 in g_main_context_dispatch () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#11 0x00007fecd14fe1c8 in  () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#12 0x00007fecd14fe25c in g_main_context_iteration () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#13 0x00007fecd16f4a2d in g_application_run () at /lib/x86_64-linux-gnu/libgio-2.0.so.0
#14 0x0000563b3429f218 in main (argc=1, argv=0x7fff569cdbb8) at caja-main.c:282
(gdb) 

But, from #mate IRC channel, nemo says that I would need symbols for that lib.... and that I should report this bug in GDK Pixbuf, because it seems that the bug is there. I can't do it right now, maybe later.

federicomenaquintero commented 4 years ago

I think the culprit is librsvg-2.44.10 here. See my hypothesis and please try upgrading to librsvg-2.44.12 at least. There is a bug in 2.44.10 where the pixbuf loader (used by the thumbnailing machinery) will crash if the image can't be loaded.

(With this particularly big file, it doesn't load by default because the pixbuf loader doesn't use RSVG_HANDLE_FLAG_UNLIMITED, as is proper for untrusted data.)

rbuj commented 4 years ago

The SVG file contains the same picture three times. The picture can be extracted from the command line.

sed -n '72, 58434 p' inkscape-01-mask-crash.svg | sed -r 's/.*xlink.*base64,//' | base64 -d -i > image1.png
sed -n '58445, 116807 p' inkscape-01-mask-crash.svg | sed -r 's/.*xlink.*base64,//' | base64 -d -i > image2.png
sed -n '116818, 175180 p' inkscape-01-mask-crash.svg | sed -r 's/.*xlink.*base64,//' | base64 -d -i > image3.png

librsvg failed to open the 3rd image, since there is a validation error using libxml due to the huge file size:

xmllint --noent --shell inkscape-01-mask-crash.svg 
inkscape-01-mask-crash.svg:129976: parser error : internal error: Huge input lookup
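An added example, not part of the thread or of any participant's code: a triage script that finds the embedded base64 images without hard-coded line ranges, hashes them to confirm duplicates, and reports which payload spans a parser size limit. The 10,000,000-byte default is an assumption (libxml2's default lookup limit when `XML_PARSE_HUGE` is not set), and `embedded_images` and `make_sample` are hypothetical names.

```python
import base64
import hashlib
import re
import textwrap

# Assumption: 10,000,000 bytes is libxml2's default lookup limit when
# XML_PARSE_HUGE is not set; pass another value to model a different parser.
LOOKUP_LIMIT = 10_000_000

# Matches href="data:image/...;base64,<payload>" (with or without xlink:).
DATA_URI = re.compile(
    rb'(?:xlink:)?href\s*=\s*"data:(image/[\w.+-]+);base64,([^"]*)"')


def embedded_images(svg_bytes, limit=LOOKUP_LIMIT):
    """Return one record per base64 image embedded in the SVG bytes."""
    records = []
    for m in DATA_URI.finditer(svg_bytes):
        # Editors wrap the payload over many lines; drop the whitespace.
        payload = re.sub(rb"\s+", b"", m.group(2))
        try:
            raw = base64.b64decode(payload, validate=True)
        except ValueError:  # binascii.Error: corrupt or truncated payload
            raw = None
        records.append({
            "mime": m.group(1).decode(),
            "start": m.start(2),  # byte offsets of the payload in the file
            "end": m.end(2),
            "decoded_len": None if raw is None else len(raw),
            "sha256": None if raw is None else hashlib.sha256(raw).hexdigest(),
            "crosses_limit": m.start(2) < limit <= m.end(2),
        })
    return records


def make_sample(copies=3):
    """Constructed test input: one fake PNG body embedded `copies` times."""
    body = b"\x89PNG\r\n\x1a\n" + bytes(range(256)) * 8
    b64 = "\n".join(textwrap.wrap(base64.b64encode(body).decode(), 76))
    image = '<image xlink:href="data:image/png;base64,%s" />\n' % b64
    return ("<svg>\n" + image * copies + "</svg>\n").encode(), body


if __name__ == "__main__":
    svg, _ = make_sample()
    for rec in embedded_images(svg, limit=len(svg) - 100):
        print(rec)
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `embedded_images`; identical `sha256` values identify repeated copies of one picture.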