GNOME Bugzilla – Bug 795529
uridecodebin3: Segfault when pad of decodebin3 is removed
Last modified: 2018-05-01 07:56:03 UTC
Dear All. I have run the 'fast_backward' test scenario using gst-validate. During the test scene, a segfault is observed when the sinkpad of decodebin3 is removed in uridecodebin3.

=====================================================
DISPLAY=':0' GST_GL_XINITTHREADS='1' GST_VALIDATE_SCENARIOS_PATH='/home/hoonheelee/work/jhbuild-gstreamer/build-1.14.gld4tv/gst-auto-verification/scenarios' GST_VALIDATE_SCENARIO='fast_backward' gst-validate-1.0 playbin3 uri=file:///home/hoonheelee/work/jhbuild-gstreamer/build-1.14.gld4tv/gst-auto-verification/assets/medias/codecs/PS/%5BU1_30004_VOB%5D%20MPEG-2PS_MPEG-2%20Video_MPEG-1%20Audio%20layer%202_720x480.vob audio-sink=alsasink video-sink=autovideosink --set-media-info "/home/hoonheelee/work/jhbuild-gstreamer/build-1.14.gld4tv/gst-auto-verification/assets/media_infos/codecs/PS/[U1_30004_VOB] MPEG-2PS_MPEG-2 Video_MPEG-1 Audio layer 2_720x480.vob.media_info"
=====================================================

=====================================================
Program received signal SIGSEGV, Segmentation fault.
0x00007fffed83f525 in db_pad_removed_cb (element=0x864020, pad=0x80e360, dec=0x810300) at gsturidecodebin3.c:572
572       OutputPad *cand = (OutputPad *) tmp->data;
(gdb) bt
+ Trace 238585
(gdb) info locals
cand = 0x7ffff7298d19 <g_object_ref+121>
tmp = 0xaaaaaaaaaaaaaaaa
output = 0x0
__PRETTY_FUNCTION__ = "db_pad_removed_cb"
(gdb)
=========================================================
Created attachment 371355
uridecodebin3: don't segfault if a pad is not a source pad when it is removed

Dear All. Please check my patch. Thanks.
Created attachment 371359
uridecodebin3: don't segfault if a pad is not a source pad when it is removed
That was indeed unfortunate, forgot to re-add that check when I did the uridecodebin3 refactoring.

I removed the debug message from your patch since we don't care about sink pads anyway.

Thanks!

commit 5b01f9bbc27d02470f15b2c717d0db749e1f4ce6 (HEAD -> master, origin/master, origin/HEAD)
Author: hoonhee.lee <hoonhee.lee@lge.com>
Date:   Wed Apr 25 09:28:53 2018 +0900

    uridecodebin3: don't segfault if a pad is not a source pad when it is removed

    Ignore to handling a pad of decodebin3 which doesn't have corresponding output when it is removed.

    https://bugzilla.gnome.org/show_bug.cgi?id=795529
And backported to 1.14
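
The check discussed in this report, as an added example: a plain-C model of a pad-removed handler that ignores non-source pads and tolerates a source pad with no corresponding output. It is not GStreamer code or the attached patch; all type and function names, and the use of the 0xaa pattern from the gdb output as a stand-in for unusable owner state, are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model, not GStreamer code: every name here is hypothetical. */
typedef enum { PAD_SRC, PAD_SINK } PadDirection;
typedef struct { const char *name; PadDirection direction; } Pad;
typedef struct OutputPad { Pad *target_pad; struct OutputPad *next; } OutputPad;
typedef struct { OutputPad *output_pads; } Owner;

typedef enum { IGNORED_NOT_SRC, NO_MATCHING_OUTPUT, OUTPUT_REMOVED } RemoveResult;

/* Same bit pattern gdb shows for `tmp` in the report; used only as a marker. */
#define POISON_PTR ((OutputPad *) (uintptr_t) 0xaaaaaaaaaaaaaaaaULL)

/* Handler for a "pad removed" notification that fires for sink AND source pads. */
RemoveResult on_pad_removed(Owner *owner, Pad *pad)
{
    /* Filter on the pad itself before reading any owner state:
     * only source pads can have an entry in output_pads. */
    if (pad == NULL || pad->direction != PAD_SRC)
        return IGNORED_NOT_SRC;

    /* Pointer-to-pointer walk so the match can be unlinked in place. */
    for (OutputPad **link = &owner->output_pads; *link != NULL; link = &(*link)->next) {
        if ((*link)->target_pad == pad) {
            *link = (*link)->next;
            return OUTPUT_REMOVED;
        }
    }
    /* A source pad with no recorded output is tolerated, not asserted on. */
    return NO_MATCHING_OUTPUT;
}

size_t count_outputs(const Owner *owner)
{
    size_t n = 0;
    for (const OutputPad *o = owner->output_pads; o != NULL; o = o->next)
        n++;
    return n;
}

int main(void)
{
    Pad sink = { "sink", PAD_SINK };
    Owner unusable = { POISON_PTR };   /* list head is never read for a sink pad */
    return on_pad_removed(&unusable, &sink) == IGNORED_NOT_SRC ? 0 : 1;
}
```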