Here is better backtraces. Opus found a pattern in them. I would take a look and carefully see another points it proposed...
An AI generated, Google translated: That is, each drop is a navigation between folders: the user opens a new location → load_directory synchronously “cleans” the current view model → g_list_store_remove_all(N) → GTK ListView/GridView recursively dismantles all visible cached rows — and somewhere in this dismantling it encounters a corrupted pointer. What it really says Two of the six samples point to nautilus-grid-cell.c:243 (that's dispose in Nautilus). The two different points fall on the same object - the GtkATContext of the GridCell. The remaining four fall in the child structures of the same GridCell: controllers (gtk_widget_remove_controller), CSS cache, GtkPropertyExpression-watch on list item. The key "proof" that this is software, not memory: the repeating pattern of pointer beatings 0x555500000000 and 0x7fff000000000. This is the canonical form of "zeroed lower 4 bytes of a 64-bit pointer": there was a real address of type 0x000055555661aa88, then someone wrote a 32-bit zero over its lower half and it turned out 0x000055550000_0000. So the memory "in itself" does not get corrupted - it is either a confusion of 32 ↔ 64-bit types in the structure, or (most likely) use-after-free, where the freed slot is reallocated to a smaller structure with int = 0 on top. Memtest will never catch this. The stack is the same until the last frame in the navigation "corridor", but breaks on the destruction of the GridCell. That is, this is not a coincidence - this is a specific bug of the destruction of Nautilus GridCell during g_list_store_remove_all in GTK4 ListView/GridView. Conclusion: this is almost certainly a UAF in Nautilus 50 in the path nautilus_grid_cell_dispose → gtk_widget_dispose_template → destruction of accessibility/CSS/closures in GridCell, which is triggered precisely when the list model is completely zeroed out at once (remove_all from 21–30 items). ** Attachment added: "crash_2026-04-25_2.zip" https://bugs.launchpad.net/ubuntu/+source/nautilus/+bug/2150297/+attachment/5965476/+files/crash_2026-04-25_2.zip -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to nautilus in Ubuntu. https://bugs.launchpad.net/bugs/2150297 Title: nautilus have frequent crashes while moving-copying files on 26.04 release To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nautilus/+bug/2150297/+subscriptions -- desktop-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
