GNOME Bugzilla – Bug 314803
Invalid read of size 4 in gstbin.c
Last modified: 2005-09-13 19:34:15 UTC
Valgrind complains like this:

==28182== Invalid read of size 4
==28182==    at 0x1D999D4C: gst_element_get_factory (gstelement.c:3093)
==28182==    by 0x1D819228: bacon_video_widget_signal_idler (bacon-video-widget-gst.c:839)
==28182==    by 0x1C88D8B7: g_idle_dispatch (gmain.c:3813)
==28182==    by 0x1C88B715: g_main_context_dispatch (gmain.c:1934)
==28182==    by 0x1C88E4E5: g_main_context_iterate (gmain.c:2565)
==28182==    by 0x1C88E9E6: g_main_loop_run (gmain.c:2769)
==28182==    by 0x1BEAEB38: gtk_main (gtkmain.c:976)
==28182==    by 0x8071F09: main (nautilus-main.c:435)
==28182==  Address 0x1E3BB0F8 is 0 bytes inside a block of size 22960 free'd
==28182==    at 0x1B90237F: free (vg_replace_malloc.c:235)
==28182==    by 0x1C891CED: g_free (gmem.c:187)
==28182==    by 0x1C83AAA4: g_type_free_instance (gtype.c:1636)
==28182==    by 0x1C820C6E: g_object_unref (gobject.c:1712)
==28182==    by 0x1D98A956: gst_object_unref (gstobject.c:248)
==28182==    by 0x1D98D19D: gst_bin_remove_func (gstbin.c:628)
==28182==    by 0x1D98D337: gst_bin_remove (gstbin.c:658)
==28182==    by 0x1E664A7A: remove_element_chain (gstdecodebin.c:672)
==28182==    by 0x1E664DB6: unlinked (gstdecodebin.c:737)
==28182==    by 0x1C82A1DC: g_cclosure_marshal_VOID__OBJECT (gmarshal.c:636)
==28182==    by 0x1C81E935: g_closure_invoke (gclosure.c:492)
==28182==    by 0x1C82CB06: signal_emit_unlocked_R (gsignal.c:2485)
==28182==    by 0x1C82DE16: g_signal_emit_valist (gsignal.c:2244)
==28182==    by 0x1C82E1B6: g_signal_emit (gsignal.c:2288)
==28182==    by 0x1D9A36B4: gst_pad_unlink (gstpad.c:1065)
==28182==    by 0x1D9957FF: gst_element_remove_pad (gstelement.c:1257)
==28182==    by 0x1EA856D0: gst_mpeg_demux_reset (gstmpegdemux.c:1296)
==28182==    by 0x1EA85CFF: gst_mpeg_demux_change_state (gstmpegdemux.c:1346)
==28182==    by 0x1D9991E2: gst_element_set_state_func (gstelement.c:2853)
==28182==    by 0x1D998B25: gst_element_set_state (gstelement.c:2796)
==28182==    by 0x1D98DB3E: set_kid_state_func (gstbin.c:841)
==28182==    by 0x1D98D9E0: gst_bin_foreach (gstbin.c:805)
==28182==    by 0x1D98DDCC: gst_bin_change_state (gstbin.c:903)
==28182==    by 0x1E665D7C: gst_decode_bin_change_state (gstdecodebin.c:959)
==28182==    by 0x1D9991E2: gst_element_set_state_func (gstelement.c:2853)
==28182==    by 0x1D98DF42: gst_bin_set_state (gstbin.c:950)
==28182==    by 0x1D998B25: gst_element_set_state (gstelement.c:2796)
==28182==    by 0x1D98DB3E: set_kid_state_func (gstbin.c:841)
==28182==    by 0x1D98D9E0: gst_bin_foreach (gstbin.c:805)
==28182==    by 0x1D98DDCC: gst_bin_change_state (gstbin.c:903)
==28182==    by 0x1D9BC705: gst_thread_change_state (gstthread.c:533)
==28182==    by 0x1D9991E2: gst_element_set_state_func (gstelement.c:2853)
==28182==    by 0x1D98DF42: gst_bin_set_state (gstbin.c:950)
==28182==    by 0x1D998B25: gst_element_set_state (gstelement.c:2796)
==28182==    by 0x1E4308B7: gst_play_base_bin_change_state (gstplaybasebin.c:1899)
==28182==    by 0x1E42C634: gst_play_bin_change_state (gstplaybin.c:868)
==28182==    by 0x1D9991E2: gst_element_set_state_func (gstelement.c:2853)
==28182==    by 0x1D998B25: gst_element_set_state (gstelement.c:2796)
==28182==    by 0x1D81D6C3: bacon_video_widget_close (bacon-video-widget-gst.c:2045)
==28182==    by 0x1D8172C5: on_timeout_event (totem-properties-view.c:110)
==28182==    by 0x1C88D216: g_timeout_dispatch (gmain.c:3293)
==28182==    by 0x1C88B715: g_main_context_dispatch (gmain.c:1934)
==28182==    by 0x1C88E4E5: g_main_context_iterate (gmain.c:2565)
==28182==    by 0x1C88E9E6: g_main_loop_run (gmain.c:2769)
==28182==    by 0x1BEAEB38: gtk_main (gtkmain.c:976)
==28182==    by 0x8071F09: main (nautilus-main.c:435)

This is when right-clicking on an mpg and choosing properties.
This seems related too:

==4922== Invalid read of size 4
==4922==    at 0x1C8344EB: g_type_check_instance_is_a (gtype.c:3120)
==4922==    by 0x1D3B6D84: gst_element_get_factory (gstelement.c:3093)
==4922==    by 0x1D236234: bacon_video_widget_signal_idler (bacon-video-widget-gst.c:839)
==4922==    by 0x1C88A943: g_idle_dispatch (gmain.c:3793)
==4922==    by 0x1C8887A1: g_main_context_dispatch (gmain.c:1934)
==4922==    by 0x1C88B575: g_main_context_iterate (gmain.c:2565)
==4922==    by 0x1C88BA76: g_main_loop_run (gmain.c:2769)
==4922==    by 0x1BEAF834: gtk_main (gtkmain.c:976)
==4922==    by 0x8076D21: main (nautilus-main.c:435)
==4922==  Address 0x1DEE3600 is 0 bytes inside a block of size 22960 free'd
==4922==    at 0x1B90237F: free (vg_replace_malloc.c:235)
==4922==    by 0x1C88EDA1: g_free (gmem.c:187)
==4922==    by 0x1C837D90: g_type_free_instance (gtype.c:1636)
==4922==    by 0x1C81DCE2: g_object_unref (gobject.c:1712)
==4922==    by 0x1D3A799A: gst_object_unref (gstobject.c:248)
==4922==    by 0x1D3AA1CD: gst_bin_remove_func (gstbin.c:628)
==4922==    by 0x1D3AA367: gst_bin_remove (gstbin.c:658)
==4922==    by 0x1E1BCA72: remove_element_chain (gstdecodebin.c:672)
==4922==    by 0x1E1BCDA6: unlinked (gstdecodebin.c:737)
==4922==    by 0x1C827234: g_cclosure_marshal_VOID__OBJECT (gmarshal.c:636)
==4922==    by 0x1C81B9A9: g_closure_invoke (gclosure.c:490)
==4922==    by 0x1C829B5E: signal_emit_unlocked_R (gsignal.c:2487)
==4922==    by 0x1C82AE6E: g_signal_emit_valist (gsignal.c:2246)
==4922==    by 0x1C82B20E: g_signal_emit (gsignal.c:2290)
==4922==    by 0x1D3C06B4: gst_pad_unlink (gstpad.c:1065)
==4922==    by 0x1D3B2827: gst_element_remove_pad (gstelement.c:1257)
==4922==    by 0x1E5DD7A4: gst_mpeg_demux_reset (gstmpegdemux.c:1296)
==4922==    by 0x1E5DDDDB: gst_mpeg_demux_change_state (gstmpegdemux.c:1346)
==4922==    by 0x1D3B6219: gst_element_set_state_func (gstelement.c:2853)
==4922==    by 0x1D3B5B60: gst_element_set_state (gstelement.c:2796)
==4922==    by 0x1D3AAB6A: set_kid_state_func (gstbin.c:841)
==4922==    by 0x1D3AAA0C: gst_bin_foreach (gstbin.c:805)
==4922==    by 0x1D3AADF4: gst_bin_change_state (gstbin.c:903)
==4922==    by 0x1E1BDD6C: gst_decode_bin_change_state (gstdecodebin.c:959)
This appears to be a bug in bacon-video-widget-gst.c. In the got_found_tag signal handler, it should gst_object_ref the source of the tags and unref them when the message is handled in the ASYNC_FOUND_TAG switch, otherwise it's racing against the handoff signal shutting down the pipeline.
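The ownership rule suggested in the comment above, as an added example that is not part of the original thread and is neither totem's nor GStreamer's code: a plain-C model in which a queued message either borrows the source pointer or owns a reference to it. The names Obj, TagMsg, on_found_tag, idle_dispatch and run_scenario are hypothetical, and object storage is static so the "freed" state can be inspected without undefined behaviour.

```c
#include <stddef.h>

/* Hypothetical stand-in for a refcounted GstObject. "Freeing" only sets a flag
 * so the stale-pointer case can be observed safely in this model. */
typedef struct { int refcount; int freed; } Obj;

static Obj *obj_ref(Obj *o)   { o->refcount++; return o; }
static void obj_unref(Obj *o) { if (--o->refcount == 0) o->freed = 1; }

/* Message queued by the tag signal handler and consumed later from an idle handler. */
typedef struct { Obj *source; int holds_ref; } TagMsg;

/* Signal-handler side. take_ref = 0 models the reported bug (borrowed pointer);
 * take_ref = 1 models the fix (the message owns a reference to the source). */
static TagMsg on_found_tag(Obj *source, int take_ref)
{
    TagMsg m;
    m.source = take_ref ? obj_ref(source) : source;
    m.holds_ref = take_ref;
    return m;
}

/* Idle-handler side. Returns 0 if the source was still valid when used,
 * -1 if it had already been freed (the invalid read in the traces). */
static int idle_dispatch(TagMsg *m)
{
    int rc = m->source->freed ? -1 : 0;  /* stands in for gst_element_get_factory() */
    if (m->holds_ref)
        obj_unref(m->source);            /* release the reference taken when queuing */
    m->source = NULL;
    return rc;
}

/* Same ordering as the traces: message queued, pipeline closed (the bin drops
 * its reference), then the idle handler runs. *freed_after reports whether the
 * object ended up released, i.e. the fix does not leak it. */
static int run_scenario(int take_ref, int *freed_after)
{
    static Obj pool[2];                  /* constructed sample objects */
    Obj *src = &pool[take_ref];
    src->refcount = 1;                   /* single reference, held by the bin */
    src->freed = 0;

    TagMsg m = on_found_tag(src, take_ref);
    obj_unref(src);                      /* stands in for gst_bin_remove() on close */
    int rc = idle_dispatch(&m);
    *freed_after = src->freed;
    return rc;
}
```
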
Ok, thanks for the information. Moving to totem
Created attachment 52176
gst-race-on-new-tag-found.patch

Implement Jan's advice. Does that fix the bug?
I don't see the invalid reads any more. Good stuff.
*** Bug 315008 has been marked as a duplicate of this bug. ***
2005-09-13  Bastien Nocera  <hadess@hadess.net>

	* src/backend/bacon-video-widget-gst.c:
	(bacon_video_widget_signal_idler), (got_found_tag): Ref the source in
	the got_found_tag, and unref it in the idle signal handler
	(Closes: #314803), thanks to Jan Schmidt <thaytan@mad.scientist.com>
	for the hint