GNOME Bugzilla – Bug 594107
[gstbin] : use of freed message : valgrind Invalid read
Last modified: 2009-09-04 07:52:18 UTC
valgrind complains about invalid read in gst_bin_handle_message_func.
The message used in get_seqnum has been released in bin_remove_message (bin going to PAUSED).

==00:04:00:10.996 17362== Invalid read of size 4
==00:04:00:10.996 17362==    at 0x439BCB7: gst_message_get_seqnum (gstmessage.c:337)
==00:04:00:10.996 17362==    by 0x437ABB8: gst_bin_handle_message_func (gstbin.c:2863)
==00:04:00:10.996 17362==    by 0x4374E17: bin_bus_handler (gstbin.c:2545)
==00:04:00:10.996 17362==    by 0x437F0DD: gst_bus_post (gstbus.c:353)
==00:04:00:10.996 17362==    by 0x43894EA: gst_element_post_message (gstelement.c:1567)
==00:04:00:10.996 17362==    by 0x4B06D7F: gst_base_sink_render_object (gstbasesink.c:2390)
==00:04:00:10.996 17362==    by 0x4B076B4: gst_base_sink_queue_object_unlocked (gstbasesink.c:2546)
==00:04:00:10.996 17362==    by 0x4B0859D: gst_base_sink_event (gstbasesink.c:2699)
==00:04:00:10.996 17362==    by 0x439F0A7: gst_pad_send_event (gstpad.c:4634)
==00:04:00:10.996 17362==    by 0x439F7A3: gst_pad_push_event (gstpad.c:4490)
==00:04:00:10.996 17362==    by 0x4394D18: gst_proxy_pad_do_event (gstghostpad.c:128)
==00:04:00:10.996 17362==    by 0x439F0A7: gst_pad_send_event (gstpad.c:4634)
==00:04:00:10.996 17362==    by 0x439F7A3: gst_pad_push_event (gstpad.c:4490)
==00:04:00:10.996 17362==    by 0x7611888: gst_rtp_session_send_rtcp (gstrtpsession.c:1184)
==00:04:00:10.996 17362==    by 0x7606017: rtp_session_on_timeout (rtpsession.c:2535)
==00:04:00:10.996 17362==    by 0x7610173: rtcp_thread (gstrtpsession.c:949)
==00:04:00:10.996 17362==    by 0x460FA2E: g_thread_create_proxy (gthread.c:635)
==00:04:00:10.996 17362==    by 0x481932E: start_thread (in /lib/libpthread-2.8.so)
==00:04:00:10.996 17362==    by 0x490A20D: clone (in /lib/libc-2.8.so)
==00:04:00:10.996 17362==  Address 0x5893380 is 0 bytes inside a block of size 60 free'd
==00:04:00:10.996 17362==    at 0x402390A: free (vg_replace_malloc.c:323)
==00:04:00:10.996 17362==    by 0x45EDD35: g_free (gmem.c:190)
==00:04:00:10.996 17362==    by 0x442CCA8: g_type_free_instance (gtype.c:1608)
==00:04:00:10.996 17362==    by 0x439CF1F: gst_mini_object_unref (gstminiobject.c:328)
==00:04:00:10.996 17362==    by 0x43790A4: bin_remove_messages (gstbin.c:857)
==00:04:00:10.996 17362==    by 0x437C41E: gst_bin_change_state_func (gstbin.c:2246)
==00:04:00:10.996 17362==    by 0x43899B6: gst_element_change_state (gstelement.c:2427)
==00:04:00:10.996 17362==    by 0x438C593: gst_element_set_state_func (gstelement.c:2377)
==00:04:00:10.996 17362==    by 0x4388C66: gst_element_set_state (gstelement.c:2280)
==00:04:00:10.996 17362==    by 0x437BDBE: gst_bin_change_state_func (gstbin.c:2018)
==00:04:00:10.996 17362==    by 0x43AB019: gst_pipeline_change_state (gstpipeline.c:465)
==00:04:00:10.996 17362==    by 0x43899B6: gst_element_change_state (gstelement.c:2427)
==00:04:00:10.996 17362==    by 0x438C593: gst_element_set_state_func (gstelement.c:2377)
==00:04:00:10.996 17362==    by 0x4388C66: gst_element_set_state (gstelement.c:2280)
==00:04:00:10.996 17362==    by 0x46CB914: GstUtilChangeState(_GstElement*, GstState, bool) (GstreamerUtil.cc:143)
==00:04:00:10.997 17362==    by 0x40FBF02: RTPBChannel::Delete() (RTPBChannel.cc:671)
==00:04:00:10.997 17362==    by 0x4100C86: RTPBChannel::destroy(std::string const&) (RTPBChannel.cc:2305)
==00:04:00:10.997 17362==    by 0x41039D1: _audio_wait_end_thread(void*) (RTPBChannel.cc:5233)
==00:04:00:10.997 17362==    by 0x42AA557: omni_thread_wrapper (posix.cc:441)
==00:04:00:10.997 17362==    by 0x481932E: start_thread (in /lib/libpthread-2.8.so)
==00:04:00:10.997 17362==    by 0x490A20D: clone (in /lib/libc-2.8.so)

Note that message may also be released in bin_replace_message if it had no source.
Created attachment 142454
ref message before releasing the lock and before bin_replace_message
commit c5b703b96bb5f7e122d3edeb8ace7e585bda33ac
Author: Aurelien Grimaud <gstelzz@yahoo.fr>
Date: Fri Sep 4 09:51:26 2009 +0200

    bin: Only unref EOS message after it is not used anymore

    Fixes bug #594107.
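
The ordering problem reported above and the "ref before releasing the lock" fix, as an added example that is not GStreamer's code or part of the original report. Msg, stored, remove_messages and handle_message are hypothetical stand-ins, and the second thread is simulated by a callback run inside the unlocked window so the result is deterministic.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a refcounted GstMessage. Slots come from a static
 * pool and are only marked freed, so the stale read can be observed safely. */
typedef struct { int refcount; bool freed; uint32_t seqnum; } Msg;
static Msg pool[8];
static unsigned pool_used;

static Msg *msg_new(uint32_t seqnum) {
    Msg *m = &pool[pool_used++ % 8];
    m->refcount = 1; m->freed = false; m->seqnum = seqnum;
    return m;
}
static Msg *msg_ref(Msg *m) { m->refcount++; return m; }
static void msg_unref(Msg *m) {
    if (--m->refcount == 0) { m->freed = true; m->seqnum = 0; }
}

static Msg *stored; /* models the bin's list of kept messages (one slot) */

/* Models bin_remove_messages() on the thread that changes the bin's state. */
static void remove_messages(void) {
    if (stored) { msg_unref(stored); stored = NULL; }
}

/* Models the handler: the bin keeps the message (taking over the caller's
 * reference), the lock is dropped, then the seqnum is read. other_thread runs
 * in the unlocked window. Returns the seqnum, or 0 if the read was stale. */
static uint32_t handle_message(Msg *msg, bool take_ref, void (*other_thread)(void)) {
    if (take_ref) msg_ref(msg);        /* fixed ordering: own a ref first */
    stored = msg;                      /* list now owns the original ref */
    if (other_thread) other_thread();  /* lock released: state change runs */
    uint32_t seq = msg->freed ? 0 : msg->seqnum; /* the late seqnum read */
    if (take_ref) msg_unref(msg);      /* drop our ref only after last use */
    return seq;
}

int main(void) {
    printf("no ref held:  seqnum=%u (0 means read after free)\n",
           (unsigned)handle_message(msg_new(7), false, remove_messages));
    printf("ref held:     seqnum=%u\n",
           (unsigned)handle_message(msg_new(8), true, remove_messages));
    return 0;
}
```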