GNOME Bugzilla – Bug 546971
rhythmbox crashed when ejecting an ipod device
Last modified: 2008-09-02 21:13:03 UTC
rhythmbox crasher after clicking on the eject button
+ Trace 204861
Thread 1 (process 28004)
valgrind log errors:
==14017== Invalid read of size 4
==14017==    at 0x74C7142: g_proxy_volume_update (gproxyvolume.c:250)
==14017==    by 0x74CB1DD: filter_function (gproxyvolumemonitor.c:512)
==14017==    by 0x4498094: dbus_connection_dispatch (in /lib/libdbus-1.so.3.4.0)
==14017==    by 0x74CEAC8: dbus_source_dispatch (gdbusutils.c:868)
==14017==    by 0x51147E0: g_main_context_dispatch (gmain.c:2073)
==14017==    by 0x5117E82: g_main_context_iterate (gmain.c:2706)
==14017==    by 0x51183A1: g_main_loop_run (gmain.c:2929)
==14017==    by 0x48E3A38: gtk_main (gtkmain.c:1172)
==14017==    by 0x806315F: main (main.c:330)
==14017== Address 0x71761c4 is 44 bytes inside a block of size 60 free'd
==14017==    at 0x4023B4A: free (vg_replace_malloc.c:323)
==14017==    by 0x511CD35: g_free (gmem.c:190)
==14017==    by 0x4DA78C7: pango_layout_line_unref (in /usr/lib/libpango-1.0.so.0.2101.2)
==14017==    by 0x4DA8F22: (within /usr/lib/libpango-1.0.so.0.2101.2)
==14017==    by 0x4833E25: gtk_cell_renderer_text_render (gtkcellrenderertext.c:1679)
==14017==    by 0x482BC2D: gtk_cell_renderer_render (gtkcellrenderer.c:578)
==14017==    by 0x4A0682A: gtk_tree_view_column_cell_process_action (gtktreeviewcolumn.c:2802)
==14017==    by 0x4A0764B: _gtk_tree_view_column_cell_render (gtktreeviewcolumn.c:3135)
==14017==    by 0x4A01540: gtk_tree_view_bin_expose (gtktreeview.c:4701)
==14017==    by 0x4A02C61: gtk_tree_view_expose (gtktreeview.c:4941)
==14017==    by 0x48EA371: _gtk_marshal_BOOLEAN__BOXED (gtkmarshalers.c:84)
==14017==    by 0x4F543E8: g_type_class_meta_marshal (gclosure.c:878)
==14017==    by 0x4F55C72: g_closure_invoke (gclosure.c:767)
==14017==    by 0x4F6D13C: signal_emit_unlocked_R (gsignal.c:3282)
==14017==    by 0x4F6EA7A: g_signal_emit_valist (gsignal.c:2987)
==14017==    by 0x4F6F085: g_signal_emit (gsignal.c:3034)
==14017==    by 0x4A185BD: gtk_widget_event_internal (gtkwidget.c:4745)
==14017==    by 0x48E37D2: gtk_main_do_event (gtkmain.c:1525)
==14017==    by 0x4BB60B2: gdk_window_process_updates_internal (gdkwindow.c:2598)
==14017==    by 0x4BB6AF6: gdk_window_process_all_updates (gdkwindow.c:2664)
==14017==    by 0x4BB6B1A: gdk_window_update_idle (gdkwindow.c:2508)
==14017==    by 0x4B998BA: gdk_threads_dispatch (gdk.c:473)
==14017==    by 0x5112880: g_idle_dispatch (gmain.c:4178)
==14017==    by 0x51147E0: g_main_context_dispatch (gmain.c:2073)
==14017==    by 0x5117E82: g_main_context_iterate (gmain.c:2706)
==14017==    by 0x51183A1: g_main_loop_run (gmain.c:2929)
==14017==    by 0x48E3A38: gtk_main (gtkmain.c:1172)
==14017==    by 0x806315F: main (main.c:330)
(rhythmbox:14017): GLib-GObject-WARNING **: invalid unclassed pointer in cast to `GObject'
(rhythmbox:14017): GLib-GObject-CRITICAL **: g_object_ref: assertion `G_IS_OBJECT (object)' failed
(rhythmbox:14017): GLib-GObject-WARNING **: invalid unclassed pointer in cast to `GObject'
(rhythmbox:14017): GLib-GObject-CRITICAL **: g_object_ref: assertion `G_IS_OBJECT (object)' failed
--14017-- memcheck GC: 65536 nodes, 59843 survivors ( 91.3%)
--14017-- memcheck GC: increase table size to 131072
(rhythmbox:14017): GLib-GObject-WARNING **: invalid (NULL) pointer instance
(rhythmbox:14017): GLib-GObject-CRITICAL **: g_signal_emit_by_name: assertion `G_TYPE_CHECK_INSTANCE (instance)' failed
(rhythmbox:14017): GLib-GObject-CRITICAL **: g_object_unref: assertion `G_IS_OBJECT (object)' failed
==14017==
==14017== Conditional jump or move depends on uninitialised value(s)
==14017==    at 0x4F5A754: g_value_object_collect_value (gobject.c:2692)
==14017==    by 0x4F6E921: g_signal_emit_valist (gsignal.c:2952)
==14017==    by 0x4F6EF2C: g_signal_emit_by_name (gsignal.c:3071)
==14017==    by 0x74CABE1: signal_emit_in_idle_do (gproxyvolumemonitor.c:396)
==14017==    by 0x5112880: g_idle_dispatch (gmain.c:4178)
==14017==    by 0x51147E0: g_main_context_dispatch (gmain.c:2073)
==14017==    by 0x5117E82: g_main_context_iterate (gmain.c:2706)
==14017==    by 0x51183A1: g_main_loop_run (gmain.c:2929)
==14017==    by 0x48E3A38: gtk_main (gtkmain.c:1172)
==14017==    by 0x806315F: main (main.c:330)
==14017==
==14017== Use of uninitialised value of size 4
==14017==    at 0x4F5A75A: g_value_object_collect_value (gobject.c:2696)
==14017==    by 0x4F6E921: g_signal_emit_valist (gsignal.c:2952)
==14017==    by 0x4F6EF2C: g_signal_emit_by_name (gsignal.c:3071)
==14017==    by 0x74CABE1: signal_emit_in_idle_do (gproxyvolumemonitor.c:396)
==14017==    by 0x5112880: g_idle_dispatch (gmain.c:4178)
==14017==    by 0x51147E0: g_main_context_dispatch (gmain.c:2073)
==14017==    by 0x5117E82: g_main_context_iterate (gmain.c:2706)
==14017==    by 0x51183A1: g_main_loop_run (gmain.c:2929)
==14017==    by 0x48E3A38: gtk_main (gtkmain.c:1172)
==14017==    by 0x806315F: main (main.c:330)
==14017==
==14017== Conditional jump or move depends on uninitialised value(s)
==14017==    at 0x4F73C31: g_type_check_is_value_type (gtype.c:3837)
==14017==    by 0x4F7A5B7: g_value_type_compatible (gvalue.c:441)
==14017==    by 0x4F5A76F: g_value_object_collect_value (gobject.c:2701)
==14017==    by 0x4F6E921: g_signal_emit_valist (gsignal.c:2952)
==14017==    by 0x4F6EF2C: g_signal_emit_by_name (gsignal.c:3071)
==14017==    by 0x74CABE1: signal_emit_in_idle_do (gproxyvolumemonitor.c:396)
==14017==    by 0x5112880: g_idle_dispatch (gmain.c:4178)
==14017==    by 0x51147E0: g_main_context_dispatch (gmain.c:2073)
==14017==    by 0x5117E82: g_main_context_iterate (gmain.c:2706)
==14017==    by 0x51183A1: g_main_loop_run (gmain.c:2929)
==14017==    by 0x48E3A38: gtk_main (gtkmain.c:1172)
==14017==    by 0x806315F: main (main.c:330)
another valgrind log:
==28479== Invalid read of size 4
==28479==    at 0x4F57DDB: g_object_unref (gobject.c:2360)
==28479==    by 0x74C9356: g_proxy_mount_get_drive (gproxymount.c:299)
==28479==    by 0x74C95E7: g_proxy_mount_can_eject (gproxymount.c:341)
==28479==    by 0x4CE294B: g_mount_can_eject (gmount.c:324)
==28479==    by 0x8080496: rb_removable_media_manager_set_property (rb-removable-media-manager.c:745)
==28479==    by 0x4F5B3C5: g_object_set_valist (gobject.c:938)
==28479==    by 0x4F5B845: g_object_set (gobject.c:1527)
==28479==    by 0x8065037: rb_shell_select_source (rb-shell.c:2064)
==28479==    by 0x4F63CD9: g_cclosure_marshal_VOID__OBJECT (gmarshal.c:636)
==28479==    by 0x4F55C72: g_closure_invoke (gclosure.c:767)
==28479==    by 0x4F6D4B4: signal_emit_unlocked_R (gsignal.c:3244)
==28479==    by 0x4F6EBD5: g_signal_emit_valist (gsignal.c:2977)
==28479==    by 0x4F6F085: g_signal_emit (gsignal.c:3034)
==28479==    by 0x808B7F8: rb_sourcelist_selection_changed_cb (rb-sourcelist.c:1407)
==28479==    by 0x4F63B53: g_cclosure_marshal_VOID__VOID (gmarshal.c:77)
==28479==    by 0x4F55C72: g_closure_invoke (gclosure.c:767)
==28479==    by 0x4F6D4B4: signal_emit_unlocked_R (gsignal.c:3244)
==28479==    by 0x4F6EBD5: g_signal_emit_valist (gsignal.c:2977)
==28479==    by 0x4F6F085: g_signal_emit (gsignal.c:3034)
==28479==    by 0x49DE264: _gtk_tree_selection_internal_select_node (gtktreeselection.c:1427)
==28479==    by 0x49F912D: gtk_tree_view_real_set_cursor (gtktreeview.c:12542)
==28479==    by 0x4A03BEC: gtk_tree_view_button_press (gtktreeview.c:2742)
==28479==    by 0x40AED37: rb_tree_dnd_button_press_event_cb (rb-tree-dnd.c:929)
==28479==    by 0x48EA371: _gtk_marshal_BOOLEAN__BOXED (gtkmarshalers.c:84)
==28479==    by 0x4F55C72: g_closure_invoke (gclosure.c:767)
==28479==    by 0x4F6D4B4: signal_emit_unlocked_R (gsignal.c:3244)
==28479==    by 0x4F6EA7A: g_signal_emit_valist (gsignal.c:2987)
==28479==    by 0x4F6F085: g_signal_emit (gsignal.c:3034)
==28479==    by 0x4A185BD: gtk_widget_event_internal (gtkwidget.c:4745)
==28479==    by 0x48E1F99: gtk_propagate_event (gtkmain.c:2363)
==28479==    by 0x48E3536: gtk_main_do_event (gtkmain.c:1568)
==28479==    by 0x4BD2EF9: gdk_event_dispatch (gdkevents-x11.c:2365)
==28479==    by 0x51147E0: g_main_context_dispatch (gmain.c:2073)
==28479==    by 0x5117E82: g_main_context_iterate (gmain.c:2706)
==28479==    by 0x51183A1: g_main_loop_run (gmain.c:2929)
==28479==    by 0x48E3A38: gtk_main (gtkmain.c:1172)
==28479==    by 0x806315F: main (main.c:330)
==28479== Address 0xac6da18 is 0 bytes inside a block of size 60 free'd
==28479==    at 0x4023B4A: free (vg_replace_malloc.c:323)
==28479==    by 0x511CD35: g_free (gmem.c:190)
==28479==    by 0x4F77611: g_type_free_instance (gtype.c:1717)
==28479==    by 0x807FAD8: rb_removable_media_manager_add_mount (rb-removable-media-manager.c:582)
==28479==    by 0x4F63CD9: g_cclosure_marshal_VOID__OBJECT (gmarshal.c:636)
==28479==    by 0x4F55C72: g_closure_invoke (gclosure.c:767)
==28479==    by 0x4F6D4B4: signal_emit_unlocked_R (gsignal.c:3244)
==28479==    by 0x4F6EBD5: g_signal_emit_valist (gsignal.c:2977)
==28479==    by 0x4F6EF2C: g_signal_emit_by_name (gsignal.c:3071)
==28479==    by 0x4CEA7ED: child_mount_added (gunionvolumemonitor.c:280)
==28479==    by 0x4F63CD9: g_cclosure_marshal_VOID__OBJECT (gmarshal.c:636)
==28479==    by 0x4F55C72: g_closure_invoke (gclosure.c:767)
==28479==    by 0x4F6D4B4: signal_emit_unlocked_R (gsignal.c:3244)
==28479==    by 0x4F6EBD5: g_signal_emit_valist (gsignal.c:2977)
==28479==    by 0x4F6EF2C: g_signal_emit_by_name (gsignal.c:3071)
==28479==    by 0x74CABBA: signal_emit_in_idle_do (gproxyvolumemonitor.c:391)
==28479==    by 0x5112880: g_idle_dispatch (gmain.c:4178)
==28479==    by 0x51147E0: g_main_context_dispatch (gmain.c:2073)
==28479==    by 0x5117E82: g_main_context_iterate (gmain.c:2706)
==28479==    by 0x51183A1: g_main_loop_run (gmain.c:2929)
==28479==    by 0x48E3A38: gtk_main (gtkmain.c:1172)
==28479==    by 0x806315F: main (main.c:330)
another valgrind log:
==28479== Invalid read of size 4
==28479==    at 0x74C7142: g_proxy_volume_update (gproxyvolume.c:250)
==28479==    by 0x74CB1DD: filter_function (gproxyvolumemonitor.c:512)
==28479==    by 0x4498094: dbus_connection_dispatch (in /lib/libdbus-1.so.3.4.0)
==28479==    by 0x74CEAC8: dbus_source_dispatch (gdbusutils.c:868)
==28479==    by 0x51147E0: g_main_context_dispatch (gmain.c:2073)
==28479==    by 0x5117E82: g_main_context_iterate (gmain.c:2706)
==28479==    by 0x51183A1: g_main_loop_run (gmain.c:2929)
==28479==    by 0x48E3A38: gtk_main (gtkmain.c:1172)
==28479==    by 0x806315F: main (main.c:330)
==28479== Address 0xac6da44 is 44 bytes inside a block of size 60 free'd
==28479==    at 0x4023B4A: free (vg_replace_malloc.c:323)
==28479==    by 0x511CD35: g_free (gmem.c:190)
==28479==    by 0x4F77611: g_type_free_instance (gtype.c:1717)
==28479==    by 0x807FAD8: rb_removable_media_manager_add_mount (rb-removable-media-manager.c:582)
==28479==    by 0x4F63CD9: g_cclosure_marshal_VOID__OBJECT (gmarshal.c:636)
==28479==    by 0x4F55C72: g_closure_invoke (gclosure.c:767)
==28479==    by 0x4F6D4B4: signal_emit_unlocked_R (gsignal.c:3244)
==28479==    by 0x4F6EBD5: g_signal_emit_valist (gsignal.c:2977)
==28479==    by 0x4F6EF2C: g_signal_emit_by_name (gsignal.c:3071)
==28479==    by 0x4CEA7ED: child_mount_added (gunionvolumemonitor.c:280)
==28479==    by 0x4F63CD9: g_cclosure_marshal_VOID__OBJECT (gmarshal.c:636)
==28479==    by 0x4F55C72: g_closure_invoke (gclosure.c:767)
==28479==    by 0x4F6D4B4: signal_emit_unlocked_R (gsignal.c:3244)
==28479==    by 0x4F6EBD5: g_signal_emit_valist (gsignal.c:2977)
==28479==    by 0x4F6EF2C: g_signal_emit_by_name (gsignal.c:3071)
==28479==    by 0x74CABBA: signal_emit_in_idle_do (gproxyvolumemonitor.c:391)
==28479==    by 0x5112880: g_idle_dispatch (gmain.c:4178)
==28479==    by 0x51147E0: g_main_context_dispatch (gmain.c:2073)
==28479==    by 0x5117E82: g_main_context_iterate (gmain.c:2706)
==28479==    by 0x51183A1: g_main_loop_run (gmain.c:2929)
==28479==    by 0x48E3A38: gtk_main (gtkmain.c:1172)
==28479==    by 0x806315F: main (main.c:330)
seems that gvfs is trying to use a GVolume which has already been freed
Should be fixed in trunk - Seb, any chance you can test this? Thanks!

2008-09-02  David Zeuthen  <davidz@redhat.com>

	* monitor/hal/ghaldrive.c: (g_hal_drive_eject_do):
	* monitor/hal/ghalmount.c: (unmount_cb), (unmount_do),
	(eject_wrapper_callback), (g_hal_mount_eject):
	* monitor/proxy/gproxymount.c: (eject_wrapper_callback),
	(g_proxy_mount_eject):
	* monitor/proxy/gproxyvolume.c: (eject_wrapper_callback):
	Remember to refcount objects (#546971).
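An added illustration of the lifetime rule behind "Remember to refcount objects", not the gvfs patch or any code from this bug: a pending asynchronous eject must hold its own reference on the object its completion callback will touch, otherwise the callback runs on freed memory as in the valgrind logs above. The refcounted type and all names here (Obj, EjectData, eject_begin, eject_finish, eject_scenario) are hypothetical stand-ins written in plain C without GLib.

```c
#include <stdlib.h>

/* Hypothetical stand-in for a refcounted GObject such as a volume or mount. */
typedef struct { int refs; int *freed; } Obj;

static Obj *obj_new(int *freed) {
    Obj *o = malloc(sizeof *o);
    o->refs = 1;
    o->freed = freed;   /* flag lets callers observe destruction safely */
    *freed = 0;
    return o;
}
static Obj *obj_ref(Obj *o) { o->refs++; return o; }
static void obj_unref(Obj *o) {
    if (--o->refs == 0) { *o->freed = 1; free(o); }
}

/* State of a pending asynchronous eject, handed to the completion callback. */
typedef struct { Obj *obj; int holds_ref; } EjectData;

static EjectData *eject_begin(Obj *o, int take_ref) {
    EjectData *d = malloc(sizeof *d);
    d->holds_ref = take_ref;
    d->obj = take_ref ? obj_ref(o) : o;  /* borrowed pointer when no ref is taken */
    return d;
}

/* Completion callback. Returns 1 if the object was still alive when the
 * callback ran, 0 if d->obj was already dangling (the use-after-free case). */
static int eject_finish(EjectData *d, const int *freed) {
    int alive = !*freed;          /* check the flag, never the freed memory */
    if (d->holds_ref) obj_unref(d->obj);
    free(d);
    return alive;
}

/* The owner drops its last reference while the eject is still pending. */
int eject_scenario(int take_ref) {
    int freed;
    Obj *o = obj_new(&freed);
    EjectData *d = eject_begin(o, take_ref);
    obj_unref(o);                 /* e.g. the application removes its source */
    int alive = eject_finish(d, &freed);
    return alive && freed;        /* alive in the callback, released afterwards */
}
```

With `take_ref` set, the object outlives the owner's unref and is released by the callback; without it, the callback would be handed a pointer to a block that was already freed.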
the change doesn't fix the crash
If it works with Nautilus this looks like a RB bug... any chance you can see if it works from e.g. the drive applet? (I *think* it's ported to gio nowadays - it's kinda malfunctioning on my box hence why I can't test myself)
there was also a rhythmbox bug, seems to work correctly now using the svn versions so closing this bug