Bug 696681 - shm: clients array must be last in ShmBuffer struct
Status: RESOLVED FIXED
Product: GStreamer
Classification: Platform
Component: gst-plugins-bad
Version: git master
OS: Other Linux
Priority: Normal
Severity: normal
Target Milestone: 1.0.7
Assigned To: GStreamer Maintainers
QA Contact: GStreamer Maintainers
Depends on:
Blocks:
Reported: 2013-03-27 10:12 UTC by David Svensson Fors
Modified: 2013-03-28 18:40 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
Keep clients array last in ShmBuffer struct (856 bytes, patch)
2013-03-27 10:12 UTC, David Svensson Fors

Description David Svensson Fors 2013-03-27 10:12:31 UTC
Created attachment 239936
Keep clients array last in ShmBuffer struct

On a 32-bit machine, I get a segfault in the unit test for elements/shm. A backtrace in gdb is as follows:

#0 gst_mini_object_unref
   at /home/davidsf/checkouts/p3367-01/unpacked/libs/gstreamer-72a175b7724f88f7ade2dd7f02356817c936867d/gstreamer/gst/gstminiobject.c line 437
#1 gst_buffer_unref
   at /home/davidsf/checkouts/p3367-01/target/host-i686/usr/include/gstreamer-1.0/gst/gstbuffer.h line 350
#2 pollthread_func
   at /home/davidsf/checkouts/p3367-01/libs/gst-plugins-bad/gst-plugins-bad/sys/shm/gstshmsink.c line 863
#3 g_thread_proxy
   at /home/davidsf/checkouts/p3367-01/unpacked/libs/glib-IR2.32.4-1/glib/glib/gthread.c line 801
#4 start_thread
   at pthread_create.c line 300
#5 clone
   at ../sysdeps/unix/sysv/linux/i386/clone.S line 130

Further debugging shows that in pollthread_func in gstshmsink.c, the pointer tag gets the value -1 from sp_writer_recv, and the segfault comes when gst_buffer_unref is called on that pointer.

The problem is that the field "tag" has been put last in the ShmBuffer struct. It is important that the "clients" array pointer is last in that struct, because in sp_writer_send_buf memory is allocated for two blocks, where sp->clients points into the second block.

The attached patch moves the tag field before the array.
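The layout problem the report describes, reproduced as an added C example that is not GStreamer's code: two hypothetical structs (field names are illustrative, not the real ShmBuffer definition) differ only in whether the zero-sized array is last. Each is allocated with a trailing block of pointer slots, the slots are filled through the array, and the function reports whether the field that follows the array survived. A compile-time check that a maintainer can keep next to such a struct is included, since neither GCC nor the runtime flags the misplaced array.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical layouts modelled on the bug report (not GStreamer's ShmBuffer). */
struct shm_buffer_bad {
    size_t  num_clients;
    int    *clients[0];   /* zero-sized array that is NOT last ...            */
    long    tag;          /* ... so "tag" lives where clients[0] gets written  */
};

struct shm_buffer_good {
    size_t  num_clients;
    long    tag;
    int    *clients[0];   /* zero-sized array last: the trailing block follows */
};

/* Compile-time guard: a trailing array must start exactly where the fixed part
 * of the struct ends, otherwise some member sits inside the "extra" block. */
_Static_assert(offsetof(struct shm_buffer_good, clients) == sizeof(struct shm_buffer_good),
               "clients array must be the last member of the struct");

/* Bytes of fixed members that sit after the array: 0 for a correct layout. */
size_t bytes_after_array_bad(void)
{
    return sizeof(struct shm_buffer_bad) - offsetof(struct shm_buffer_bad, clients);
}

size_t bytes_after_array_good(void)
{
    return sizeof(struct shm_buffer_good) - offsetof(struct shm_buffer_good, clients);
}

/* Allocate the struct plus n pointer slots, fill the slots through the clients
 * array (memcpy keeps this free of aliasing assumptions), and report whether
 * tag kept its value: 1 = intact, 0 = clobbered, -1 = allocation failure. */
int tag_survives_bad(size_t n)
{
    struct shm_buffer_bad *b = calloc(1, sizeof(*b) + n * sizeof(int *));
    if (!b) return -1;
    b->num_clients = n;
    b->tag = 0x42;
    char *slots = (char *)b + offsetof(struct shm_buffer_bad, clients);
    for (size_t i = 0; i < n; i++) {
        int *fake = (int *)(uintptr_t)(0xdead0000u + i);   /* constructed value */
        memcpy(slots + i * sizeof(int *), &fake, sizeof fake);
    }
    int ok = (b->tag == 0x42);
    free(b);
    return ok;
}

int tag_survives_good(size_t n)
{
    struct shm_buffer_good *b = calloc(1, sizeof(*b) + n * sizeof(int *));
    if (!b) return -1;
    b->num_clients = n;
    b->tag = 0x42;
    char *slots = (char *)b + offsetof(struct shm_buffer_good, clients);
    for (size_t i = 0; i < n; i++) {
        int *fake = (int *)(uintptr_t)(0xdead0000u + i);   /* constructed value */
        memcpy(slots + i * sizeof(int *), &fake, sizeof fake);
    }
    int ok = (b->tag == 0x42);
    free(b);
    return ok;
}

int main(void)
{
    printf("bad layout:  %zu byte(s) after array, tag intact after 1 client: %d\n",
           bytes_after_array_bad(), tag_survives_bad(1));
    printf("good layout: %zu byte(s) after array, tag intact after 4 clients: %d\n",
           bytes_after_array_good(), tag_survives_good(4));
    return 0;
}
```

With the misplaced array, writing the first client slot overwrites `tag`, which is exactly how a stale or nonsensical tag ends up being passed to `gst_buffer_unref`. The `_Static_assert` turns this into a build failure instead of a crash in a 32-bit unit test; the `bytes_after_array_*` helpers express the same check at runtime for layouts that cannot be asserted statically.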
Comment 1 Tim-Philipp Müller 2013-03-28 13:45:01 UTC
I've seen these test crashes as well.
Comment 2 Olivier Crête 2013-03-28 18:40:11 UTC
Oops.. Strange thing that GCC doesn't warn about a zero-sized array that's not last..

Fixed in 1.0

commit 1558a45ba2451288e43e4256d22166e5cd4cfdf8
Author: Olivier Crête <olivier.crete@collabora.com>
Date:   Thu Mar 28 14:36:16 2013 -0400

    shm: Make sure the zero-sized array is always last in the struct
    
    https://bugzilla.gnome.org/show_bug.cgi?id=696681


And 1.1.x

commit 6e9ff0a160b89b6b9a87d7bd5c8c7dba68b813df
Author: Olivier Crête <olivier.crete@collabora.com>
Date:   Thu Mar 28 14:36:16 2013 -0400

    shm: Make sure the zero-sized array is always last in the struct
    
    https://bugzilla.gnome.org/show_bug.cgi?id=696681