Bug 761736 - fba08583d causes random crashes in Rygel
Status: RESOLVED FIXED
Product: vala
Classification: Core
Component: Code Generator
Version: 0.31.x
Hardware: Other Linux
Importance: Normal normal
Target Milestone: ---
Assigned To: Vala maintainers
Reported: 2016-02-08 23:25 UTC by Jens Georg
Modified: 2017-03-27 07:59 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
Test case (133 bytes, text/plain)
2016-02-09 21:52 UTC, Jürg Billeter

Description Jens Georg 2016-02-08 23:25:27 UTC
When compiling Rygel with vala including fba08583d940af80a0d6b7045294de00c568d6a4, I get random crashes/memory corruption in the area of libxml during startup.

XPath strings containing garbage data, double frees, etc.

Reverting the commit makes it go away.
Comment 1 Jens Georg 2016-02-09 19:12:41 UTC
To reproduce in rygel build tree, run

./autogen.sh devel (or pass --enable-uninstalled)

and then just run rygel from the source dir. (src/rygel/rygel)

This one looks like a double free:

Program received signal SIGSEGV, Segmentation fault.
malloc_consolidate (av=av@entry=0x7ffff664fc00 <main_arena>) at malloc.c:4136
4136	malloc.c: No such file or directory.
(gdb) bt
  • #0 malloc_consolidate
    at malloc.c line 4136
  • #1 _int_malloc
    at malloc.c line 3417
  • #2 __GI___libc_malloc
    at malloc.c line 2895
  • #3 xmlDictCreate__internal_alias
    at ../../dict.c line 557
  • #4 xmlInitParserCtxt__internal_alias
    at ../../parserInternals.c line 1585
  • #5 xmlNewParserCtxt__internal_alias
    at ../../parserInternals.c line 1855
  • #6 xmlCreateURLParserCtxt__internal_alias
    at ../../parser.c line 14266
  • #7 xmlReadFile__internal_alias
    at ../../parser.c line 15434
  • #8 gupnp_xml_doc_new_from_path
    at gupnp-xml-doc.c line 120
  • #9 rygel_root_device_factory_get_latest_doc
    at /home/jens/Source/rygel/src/librygel-core/rygel-root-device-factory.vala line 234
  • #10 rygel_root_device_factory_create_desc
    at /home/jens/Source/rygel/src/librygel-core/rygel-root-device-factory.vala line 124
  • #11 rygel_root_device_factory_create
    at /home/jens/Source/rygel/src/librygel-core/rygel-root-device-factory.vala line 109
  • #12 rygel_main_create_device_co
    at /home/jens/Source/rygel/src/rygel/rygel-main.vala line 220
  • #13 _rygel_main_create_device_co_gsource_func
    at rygel-main.c line 1329
  • #14 g_main_dispatch
    at gmain.c line 3154
  • #15 g_main_context_dispatch
    at gmain.c line 3769
  • #16 g_main_context_iterate
    at gmain.c line 3840
  • #17 g_main_loop_run
    at gmain.c line 4034
  • #18 rygel_main_run
    at /home/jens/Source/rygel/src/rygel/rygel-main.vala line 87
  • #19 rygel_main_main
    at /home/jens/Source/rygel/src/rygel/rygel-main.vala line 303
  • #20 main
    at /home/jens/Source/rygel/src/rygel/rygel-main.vala line 276

Comment 2 Jens Georg 2016-02-09 19:15:39 UTC
Another double-free from valgrind

Program received signal SIGSEGV, Segmentation fault.
malloc_consolidate (av=av@entry=0x7ffff664fc00 <main_arena>) at malloc.c:4136
4136	malloc.c: No such file or directory.
(gdb) bt
  • #0 malloc_consolidate
    at malloc.c line 4136
  • #1 _int_malloc
    at malloc.c line 3417
  • #2 __GI___libc_malloc
    at malloc.c line 2895
  • #3 xmlDictCreate__internal_alias
    at ../../dict.c line 557
  • #4 xmlInitParserCtxt__internal_alias
    at ../../parserInternals.c line 1585
  • #5 xmlNewParserCtxt__internal_alias
    at ../../parserInternals.c line 1855
  • #6 xmlCreateURLParserCtxt__internal_alias
    at ../../parser.c line 14266
  • #7 xmlReadFile__internal_alias
    at ../../parser.c line 15434
  • #8 gupnp_xml_doc_new_from_path
    at gupnp-xml-doc.c line 120
  • #9 rygel_root_device_factory_get_latest_doc
    at /home/jens/Source/rygel/src/librygel-core/rygel-root-device-factory.vala line 234
  • #10 rygel_root_device_factory_create_desc
    at /home/jens/Source/rygel/src/librygel-core/rygel-root-device-factory.vala line 124
  • #11 rygel_root_device_factory_create
    at /home/jens/Source/rygel/src/librygel-core/rygel-root-device-factory.vala line 109
  • #12 rygel_main_create_device_co
    at /home/jens/Source/rygel/src/rygel/rygel-main.vala line 220
  • #13 _rygel_main_create_device_co_gsource_func
    at rygel-main.c line 1329
  • #14 g_main_dispatch
    at gmain.c line 3154
  • #15 g_main_context_dispatch
    at gmain.c line 3769
  • #16 g_main_context_iterate
    at gmain.c line 3840
  • #17 g_main_loop_run
    at gmain.c line 4034
  • #18 rygel_main_run
    at /home/jens/Source/rygel/src/rygel/rygel-main.vala line 87
  • #19 rygel_main_main
    at /home/jens/Source/rygel/src/rygel/rygel-main.vala line 303
  • #20 main
    at /home/jens/Source/rygel/src/rygel/rygel-main.vala line 276

Comment 3 Jens Georg 2016-02-09 21:37:37 UTC
Sorry, wrong paste. Valgrind log:

==30035== Invalid read of size 1
==30035==    at 0x4C2EFA2: strlen (vg_replace_strmem.c:454)
==30035==    by 0x60F65F2: g_strdup (gstrfuncs.c:362)
==30035==    by 0x4E815B5: rygel_v1_hacks_apply_on_device (rygel-v1-hacks.vala:133)
==30035==    by 0x50E7989: rygel_media_server_plugin_real_apply_hacks (rygel-media-server-plugin.vala:190)
==30035==    by 0x4E78A1F: rygel_plugin_apply_hacks (rygel-plugin.vala:235)
==30035==    by 0x4E661EC: rygel_root_device_factory_create (rygel-root-device-factory.vala:116)
==30035==    by 0x409D8E: rygel_main_create_device_co (rygel-main.vala:220)
==30035==    by 0x409C82: _rygel_main_create_device_co_gsource_func (rygel-main.c:1329)
==30035==    by 0x60D7F49: g_main_dispatch (gmain.c:3154)
==30035==    by 0x60D7F49: g_main_context_dispatch (gmain.c:3769)
==30035==    by 0x60D82EF: g_main_context_iterate.isra.29 (gmain.c:3840)
==30035==    by 0x60D8611: g_main_loop_run (gmain.c:4034)
==30035==    by 0x4080AE: rygel_main_run (rygel-main.vala:87)
==30035==    by 0x40B101: rygel_main_main (rygel-main.vala:303)
==30035==    by 0x40B2A4: main (rygel-main.vala:276)
==30035==  Address 0xf2156b0 is 0 bytes inside a block of size 48 free'd
==30035==    at 0x4C2CE2B: free (vg_replace_malloc.c:530)
==30035==    by 0x60F8048: g_strfreev (gstrfuncs.c:2487)
==30035==    by 0x5E72E0F: g_value_unset (gvalue.c:275)
==30035==    by 0x5E50109: object_set_property (gobject.c:1433)
==30035==    by 0x5E50109: g_object_new_internal (gobject.c:1815)
==30035==    by 0x5E51DF4: g_object_new_valist (gobject.c:2040)
==30035==    by 0x5E52160: g_object_new (gobject.c:1624)
==30035==    by 0x4E80AD3: rygel_v1_hacks_construct (rygel-v1-hacks.vala:107)
==30035==    by 0x4E80B0B: rygel_v1_hacks_new (rygel-v1-hacks.vala:105)
==30035==    by 0x50E7944: rygel_media_server_plugin_real_apply_hacks (rygel-media-server-plugin.vala:189)
==30035==    by 0x4E78A1F: rygel_plugin_apply_hacks (rygel-plugin.vala:235)
==30035==    by 0x4E661EC: rygel_root_device_factory_create (rygel-root-device-factory.vala:116)
==30035==    by 0x409D8E: rygel_main_create_device_co (rygel-main.vala:220)
==30035==    by 0x409C82: _rygel_main_create_device_co_gsource_func (rygel-main.c:1329)
==30035==    by 0x60D7F49: g_main_dispatch (gmain.c:3154)
==30035==    by 0x60D7F49: g_main_context_dispatch (gmain.c:3769)
==30035==    by 0x60D82EF: g_main_context_iterate.isra.29 (gmain.c:3840)
==30035==    by 0x60D8611: g_main_loop_run (gmain.c:4034)
==30035==    by 0x4080AE: rygel_main_run (rygel-main.vala:87)
==30035==    by 0x40B101: rygel_main_main (rygel-main.vala:303)
==30035==    by 0x40B2A4: main (rygel-main.vala:276)
==30035==  Block was alloc'd at
==30035==    at 0x4C2BBCF: malloc (vg_replace_malloc.c:299)
==30035==    by 0x60DD618: g_malloc (gmem.c:94)
==30035==    by 0x60F65FE: g_strdup (gstrfuncs.c:363)
==30035==    by 0x60F80C4: g_strdupv (gstrfuncs.c:2521)
==30035==    by 0x5E47877: boxed_proxy_value_copy (gboxed.c:213)
==30035==    by 0x5E738B7: g_value_transform (gvalue.c:602)
==30035==    by 0x5E500C0: object_set_property (gobject.c:1403)
==30035==    by 0x5E500C0: g_object_new_internal (gobject.c:1815)
==30035==    by 0x5E51DF4: g_object_new_valist (gobject.c:2040)
==30035==    by 0x5E52160: g_object_new (gobject.c:1624)
==30035==    by 0x4E80AD3: rygel_v1_hacks_construct (rygel-v1-hacks.vala:107)
==30035==    by 0x4E80B0B: rygel_v1_hacks_new (rygel-v1-hacks.vala:105)
==30035==    by 0x50E7944: rygel_media_server_plugin_real_apply_hacks (rygel-media-server-plugin.vala:189)
==30035==    by 0x4E78A1F: rygel_plugin_apply_hacks (rygel-plugin.vala:235)
==30035==    by 0x4E661EC: rygel_root_device_factory_create (rygel-root-device-factory.vala:116)
==30035==    by 0x409D8E: rygel_main_create_device_co (rygel-main.vala:220)
==30035==    by 0x409C82: _rygel_main_create_device_co_gsource_func (rygel-main.c:1329)
==30035==    by 0x60D7F49: g_main_dispatch (gmain.c:3154)
==30035==    by 0x60D7F49: g_main_context_dispatch (gmain.c:3769)
==30035==    by 0x60D82EF: g_main_context_iterate.isra.29 (gmain.c:3840)
==30035==    by 0x60D8611: g_main_loop_run (gmain.c:4034)
==30035==    by 0x4080AE: rygel_main_run (rygel-main.vala:87)
==30035== 
==30035== Invalid read of size 1
==30035==    at 0x4C2EFB4: strlen (vg_replace_strmem.c:454)
==30035==    by 0x60F65F2: g_strdup (gstrfuncs.c:362)
==30035==    by 0x4E815B5: rygel_v1_hacks_apply_on_device (rygel-v1-hacks.vala:133)
==30035==    by 0x50E7989: rygel_media_server_plugin_real_apply_hacks (rygel-media-server-plugin.vala:190)
==30035==    by 0x4E78A1F: rygel_plugin_apply_hacks (rygel-plugin.vala:235)
==30035==    by 0x4E661EC: rygel_root_device_factory_create (rygel-root-device-factory.vala:116)
==30035==    by 0x409D8E: rygel_main_create_device_co (rygel-main.vala:220)
==30035==    by 0x409C82: _rygel_main_create_device_co_gsource_func (rygel-main.c:1329)
==30035==    by 0x60D7F49: g_main_dispatch (gmain.c:3154)
==30035==    by 0x60D7F49: g_main_context_dispatch (gmain.c:3769)
==30035==    by 0x60D82EF: g_main_context_iterate.isra.29 (gmain.c:3840)
==30035==    by 0x60D8611: g_main_loop_run (gmain.c:4034)
==30035==    by 0x4080AE: rygel_main_run (rygel-main.vala:87)
==30035==    by 0x40B101: rygel_main_main (rygel-main.vala:303)
==30035==    by 0x40B2A4: main (rygel-main.vala:276)
==30035==  Address 0xf2156b1 is 1 bytes inside a block of size 48 free'd
==30035==    at 0x4C2CE2B: free (vg_replace_malloc.c:530)
==30035==    by 0x60F8048: g_strfreev (gstrfuncs.c:2487)
==30035==    by 0x5E72E0F: g_value_unset (gvalue.c:275)
==30035==    by 0x5E50109: object_set_property (gobject.c:1433)
==30035==    by 0x5E50109: g_object_new_internal (gobject.c:1815)
==30035==    by 0x5E51DF4: g_object_new_valist (gobject.c:2040)
==30035==    by 0x5E52160: g_object_new (gobject.c:1624)
==30035==    by 0x4E80AD3: rygel_v1_hacks_construct (rygel-v1-hacks.vala:107)
==30035==    by 0x4E80B0B: rygel_v1_hacks_new (rygel-v1-hacks.vala:105)
==30035==    by 0x50E7944: rygel_media_server_plugin_real_apply_hacks (rygel-media-server-plugin.vala:189)
==30035==    by 0x4E78A1F: rygel_plugin_apply_hacks (rygel-plugin.vala:235)
==30035==    by 0x4E661EC: rygel_root_device_factory_create (rygel-root-device-factory.vala:116)
==30035==    by 0x409D8E: rygel_main_create_device_co (rygel-main.vala:220)
==30035==    by 0x409C82: _rygel_main_create_device_co_gsource_func (rygel-main.c:1329)
==30035==    by 0x60D7F49: g_main_dispatch (gmain.c:3154)
==30035==    by 0x60D7F49: g_main_context_dispatch (gmain.c:3769)
==30035==    by 0x60D82EF: g_main_context_iterate.isra.29 (gmain.c:3840)
==30035==    by 0x60D8611: g_main_loop_run (gmain.c:4034)
==30035==    by 0x4080AE: rygel_main_run (rygel-main.vala:87)
==30035==    by 0x40B101: rygel_main_main (rygel-main.vala:303)
==30035==    by 0x40B2A4: main (rygel-main.vala:276)
==30035==  Block was alloc'd at
==30035==    at 0x4C2BBCF: malloc (vg_replace_malloc.c:299)
==30035==    by 0x60DD618: g_malloc (gmem.c:94)
==30035==    by 0x60F65FE: g_strdup (gstrfuncs.c:363)
==30035==    by 0x60F80C4: g_strdupv (gstrfuncs.c:2521)
==30035==    by 0x5E47877: boxed_proxy_value_copy (gboxed.c:213)
==30035==    by 0x5E738B7: g_value_transform (gvalue.c:602)
==30035==    by 0x5E500C0: object_set_property (gobject.c:1403)
==30035==    by 0x5E500C0: g_object_new_internal (gobject.c:1815)
==30035==    by 0x5E51DF4: g_object_new_valist (gobject.c:2040)
==30035==    by 0x5E52160: g_object_new (gobject.c:1624)
==30035==    by 0x4E80AD3: rygel_v1_hacks_construct (rygel-v1-hacks.vala:107)
==30035==    by 0x4E80B0B: rygel_v1_hacks_new (rygel-v1-hacks.vala:105)
==30035==    by 0x50E7944: rygel_media_server_plugin_real_apply_hacks (rygel-media-server-plugin.vala:189)
==30035==    by 0x4E78A1F: rygel_plugin_apply_hacks (rygel-plugin.vala:235)
==30035==    by 0x4E661EC: rygel_root_device_factory_create (rygel-root-device-factory.vala:116)
==30035==    by 0x409D8E: rygel_main_create_device_co (rygel-main.vala:220)
==30035==    by 0x409C82: _rygel_main_create_device_co_gsource_func (rygel-main.c:1329)
==30035==    by 0x60D7F49: g_main_dispatch (gmain.c:3154)
==30035==    by 0x60D7F49: g_main_context_dispatch (gmain.c:3769)
==30035==    by 0x60D82EF: g_main_context_iterate.isra.29 (gmain.c:3840)
==30035==    by 0x60D8611: g_main_loop_run (gmain.c:4034)
==30035==    by 0x4080AE: rygel_main_run (rygel-main.vala:87)
==30035== 
==30035== Invalid read of size 8
==30035==    at 0x4C306D8: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:1018)
==30035==    by 0x60F660C: memcpy (string3.h:53)
==30035==    by 0x60F660C: g_strdup (gstrfuncs.c:364)
==30035==    by 0x4E815B5: rygel_v1_hacks_apply_on_device (rygel-v1-hacks.vala:133)
==30035==    by 0x50E7989: rygel_media_server_plugin_real_apply_hacks (rygel-media-server-plugin.vala:190)
==30035==    by 0x4E78A1F: rygel_plugin_apply_hacks (rygel-plugin.vala:235)
==30035==    by 0x4E661EC: rygel_root_device_factory_create (rygel-root-device-factory.vala:116)
==30035==    by 0x409D8E: rygel_main_create_device_co (rygel-main.vala:220)
==30035==    by 0x409C82: _rygel_main_create_device_co_gsource_func (rygel-main.c:1329)
==30035==    by 0x60D7F49: g_main_dispatch (gmain.c:3154)
==30035==    by 0x60D7F49: g_main_context_dispatch (gmain.c:3769)
==30035==    by 0x60D82EF: g_main_context_iterate.isra.29 (gmain.c:3840)
==30035==    by 0x60D8611: g_main_loop_run (gmain.c:4034)
==30035==    by 0x4080AE: rygel_main_run (rygel-main.vala:87)
==30035==    by 0x40B101: rygel_main_main (rygel-main.vala:303)
==30035==    by 0x40B2A4: main (rygel-main.vala:276)
==30035==  Address 0xf2156b0 is 0 bytes inside a block of size 48 free'd
==30035==    at 0x4C2CE2B: free (vg_replace_malloc.c:530)
==30035==    by 0x60F8048: g_strfreev (gstrfuncs.c:2487)
==30035==    by 0x5E72E0F: g_value_unset (gvalue.c:275)
==30035==    by 0x5E50109: object_set_property (gobject.c:1433)
==30035==    by 0x5E50109: g_object_new_internal (gobject.c:1815)
==30035==    by 0x5E51DF4: g_object_new_valist (gobject.c:2040)
==30035==    by 0x5E52160: g_object_new (gobject.c:1624)
==30035==    by 0x4E80AD3: rygel_v1_hacks_construct (rygel-v1-hacks.vala:107)
==30035==    by 0x4E80B0B: rygel_v1_hacks_new (rygel-v1-hacks.vala:105)
==30035==    by 0x50E7944: rygel_media_server_plugin_real_apply_hacks (rygel-media-server-plugin.vala:189)
==30035==    by 0x4E78A1F: rygel_plugin_apply_hacks (rygel-plugin.vala:235)
==30035==    by 0x4E661EC: rygel_root_device_factory_create (rygel-root-device-factory.vala:116)
==30035==    by 0x409D8E: rygel_main_create_device_co (rygel-main.vala:220)
==30035==    by 0x409C82: _rygel_main_create_device_co_gsource_func (rygel-main.c:1329)
==30035==    by 0x60D7F49: g_main_dispatch (gmain.c:3154)
==30035==    by 0x60D7F49: g_main_context_dispatch (gmain.c:3769)
==30035==    by 0x60D82EF: g_main_context_iterate.isra.29 (gmain.c:3840)
==30035==    by 0x60D8611: g_main_loop_run (gmain.c:4034)
==30035==    by 0x4080AE: rygel_main_run (rygel-main.vala:87)
==30035==    by 0x40B101: rygel_main_main (rygel-main.vala:303)
==30035==    by 0x40B2A4: main (rygel-main.vala:276)
==30035==  Block was alloc'd at
==30035==    at 0x4C2BBCF: malloc (vg_replace_malloc.c:299)
==30035==    by 0x60DD618: g_malloc (gmem.c:94)
==30035==    by 0x60F65FE: g_strdup (gstrfuncs.c:363)
==30035==    by 0x60F80C4: g_strdupv (gstrfuncs.c:2521)
==30035==    by 0x5E47877: boxed_proxy_value_copy (gboxed.c:213)
==30035==    by 0x5E738B7: g_value_transform (gvalue.c:602)
==30035==    by 0x5E500C0: object_set_property (gobject.c:1403)
==30035==    by 0x5E500C0: g_object_new_internal (gobject.c:1815)
==30035==    by 0x5E51DF4: g_object_new_valist (gobject.c:2040)
==30035==    by 0x5E52160: g_object_new (gobject.c:1624)
==30035==    by 0x4E80AD3: rygel_v1_hacks_construct (rygel-v1-hacks.vala:107)
==30035==    by 0x4E80B0B: rygel_v1_hacks_new (rygel-v1-hacks.vala:105)
==30035==    by 0x50E7944: rygel_media_server_plugin_real_apply_hacks (rygel-media-server-plugin.vala:189)
==30035==    by 0x4E78A1F: rygel_plugin_apply_hacks (rygel-plugin.vala:235)
==30035==    by 0x4E661EC: rygel_root_device_factory_create (rygel-root-device-factory.vala:116)
==30035==    by 0x409D8E: rygel_main_create_device_co (rygel-main.vala:220)
==30035==    by 0x409C82: _rygel_main_create_device_co_gsource_func (rygel-main.c:1329)
==30035==    by 0x60D7F49: g_main_dispatch (gmain.c:3154)
==30035==    by 0x60D7F49: g_main_context_dispatch (gmain.c:3769)
==30035==    by 0x60D82EF: g_main_context_iterate.isra.29 (gmain.c:3840)
==30035==    by 0x60D8611: g_main_loop_run (gmain.c:4034)
==30035==    by 0x4080AE: rygel_main_run (rygel-main.vala:87)
==30035== 
==30035== Invalid read of size 8
==30035==    at 0x4C306E6: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:1018)
==30035==    by 0x60F660C: memcpy (string3.h:53)
==30035==    by 0x60F660C: g_strdup (gstrfuncs.c:364)
==30035==    by 0x4E815B5: rygel_v1_hacks_apply_on_device (rygel-v1-hacks.vala:133)
==30035==    by 0x50E7989: rygel_media_server_plugin_real_apply_hacks (rygel-media-server-plugin.vala:190)
==30035==    by 0x4E78A1F: rygel_plugin_apply_hacks (rygel-plugin.vala:235)
==30035==    by 0x4E661EC: rygel_root_device_factory_create (rygel-root-device-factory.vala:116)
==30035==    by 0x409D8E: rygel_main_create_device_co (rygel-main.vala:220)
==30035==    by 0x409C82: _rygel_main_create_device_co_gsource_func (rygel-main.c:1329)
==30035==    by 0x60D7F49: g_main_dispatch (gmain.c:3154)
==30035==    by 0x60D7F49: g_main_context_dispatch (gmain.c:3769)
==30035==    by 0x60D82EF: g_main_context_iterate.isra.29 (gmain.c:3840)
==30035==    by 0x60D8611: g_main_loop_run (gmain.c:4034)
==30035==    by 0x4080AE: rygel_main_run (rygel-main.vala:87)
==30035==    by 0x40B101: rygel_main_main (rygel-main.vala:303)
==30035==    by 0x40B2A4: main (rygel-main.vala:276)
==30035==  Address 0xf2156c0 is 16 bytes inside a block of size 48 free'd
==30035==    at 0x4C2CE2B: free (vg_replace_malloc.c:530)
==30035==    by 0x60F8048: g_strfreev (gstrfuncs.c:2487)
==30035==    by 0x5E72E0F: g_value_unset (gvalue.c:275)
==30035==    by 0x5E50109: object_set_property (gobject.c:1433)
==30035==    by 0x5E50109: g_object_new_internal (gobject.c:1815)
==30035==    by 0x5E51DF4: g_object_new_valist (gobject.c:2040)
==30035==    by 0x5E52160: g_object_new (gobject.c:1624)
==30035==    by 0x4E80AD3: rygel_v1_hacks_construct (rygel-v1-hacks.vala:107)
==30035==    by 0x4E80B0B: rygel_v1_hacks_new (rygel-v1-hacks.vala:105)
==30035==    by 0x50E7944: rygel_media_server_plugin_real_apply_hacks (rygel-media-server-plugin.vala:189)
==30035==    by 0x4E78A1F: rygel_plugin_apply_hacks (rygel-plugin.vala:235)
==30035==    by 0x4E661EC: rygel_root_device_factory_create (rygel-root-device-factory.vala:116)
==30035==    by 0x409D8E: rygel_main_create_device_co (rygel-main.vala:220)
==30035==    by 0x409C82: _rygel_main_create_device_co_gsource_func (rygel-main.c:1329)
==30035==    by 0x60D7F49: g_main_dispatch (gmain.c:3154)
==30035==    by 0x60D7F49: g_main_context_dispatch (gmain.c:3769)
==30035==    by 0x60D82EF: g_main_context_iterate.isra.29 (gmain.c:3840)
==30035==    by 0x60D8611: g_main_loop_run (gmain.c:4034)
==30035==    by 0x4080AE: rygel_main_run (rygel-main.vala:87)
==30035==    by 0x40B101: rygel_main_main (rygel-main.vala:303)
==30035==    by 0x40B2A4: main (rygel-main.vala:276)
==30035==  Block was alloc'd at
==30035==    at 0x4C2BBCF: malloc (vg_replace_malloc.c:299)
==30035==    by 0x60DD618: g_malloc (gmem.c:94)
==30035==    by 0x60F65FE: g_strdup (gstrfuncs.c:363)
==30035==    by 0x60F80C4: g_strdupv (gstrfuncs.c:2521)
==30035==    by 0x5E47877: boxed_proxy_value_copy (gboxed.c:213)
==30035==    by 0x5E738B7: g_value_transform (gvalue.c:602)
==30035==    by 0x5E500C0: object_set_property (gobject.c:1403)
==30035==    by 0x5E500C0: g_object_new_internal (gobject.c:1815)
==30035==    by 0x5E51DF4: g_object_new_valist (gobject.c:2040)
==30035==    by 0x5E52160: g_object_new (gobject.c:1624)
==30035==    by 0x4E80AD3: rygel_v1_hacks_construct (rygel-v1-hacks.vala:107)
==30035==    by 0x4E80B0B: rygel_v1_hacks_new (rygel-v1-hacks.vala:105)
==30035==    by 0x50E7944: rygel_media_server_plugin_real_apply_hacks (rygel-media-server-plugin.vala:189)
==30035==    by 0x4E78A1F: rygel_plugin_apply_hacks (rygel-plugin.vala:235)
==30035==    by 0x4E661EC: rygel_root_device_factory_create (rygel-root-device-factory.vala:116)
==30035==    by 0x409D8E: rygel_main_create_device_co (rygel-main.vala:220)
==30035==    by 0x409C82: _rygel_main_create_device_co_gsource_func (rygel-main.c:1329)
==30035==    by 0x60D7F49: g_main_dispatch (gmain.c:3154)
==30035==    by 0x60D7F49: g_main_context_dispatch (gmain.c:3769)
==30035==    by 0x60D82EF: g_main_context_iterate.isra.29 (gmain.c:3840)
==30035==    by 0x60D8611: g_main_loop_run (gmain.c:4034)
==30035==    by 0x4080AE: rygel_main_run (rygel-main.vala:87)
==30035== 
==30035== Invalid read of size 1
==30035==    at 0x4C30710: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:1018)
==30035==    by 0x60F660C: memcpy (string3.h:53)
==30035==    by 0x60F660C: g_strdup (gstrfuncs.c:364)
==30035==    by 0x4E815B5: rygel_v1_hacks_apply_on_device (rygel-v1-hacks.vala:133)
==30035==    by 0x50E7989: rygel_media_server_plugin_real_apply_hacks (rygel-media-server-plugin.vala:190)
==30035==    by 0x4E78A1F: rygel_plugin_apply_hacks (rygel-plugin.vala:235)
==30035==    by 0x4E661EC: rygel_root_device_factory_create (rygel-root-device-factory.vala:116)
==30035==    by 0x409D8E: rygel_main_create_device_co (rygel-main.vala:220)
==30035==    by 0x409C82: _rygel_main_create_device_co_gsource_func (rygel-main.c:1329)
==30035==    by 0x60D7F49: g_main_dispatch (gmain.c:3154)
==30035==    by 0x60D7F49: g_main_context_dispatch (gmain.c:3769)
==30035==    by 0x60D82EF: g_main_context_iterate.isra.29 (gmain.c:3840)
==30035==    by 0x60D8611: g_main_loop_run (gmain.c:4034)
==30035==    by 0x4080AE: rygel_main_run (rygel-main.vala:87)
==30035==    by 0x40B101: rygel_main_main (rygel-main.vala:303)
==30035==    by 0x40B2A4: main (rygel-main.vala:276)
==30035==  Address 0xf222540 is 48 bytes inside a block of size 49 free'd
==30035==    at 0x4C2CE2B: free (vg_replace_malloc.c:530)
==30035==    by 0x60F8048: g_strfreev (gstrfuncs.c:2487)
==30035==    by 0x5E72E0F: g_value_unset (gvalue.c:275)
==30035==    by 0x5E50109: object_set_property (gobject.c:1433)
==30035==    by 0x5E50109: g_object_new_internal (gobject.c:1815)
==30035==    by 0x5E51DF4: g_object_new_valist (gobject.c:2040)
==30035==    by 0x5E52160: g_object_new (gobject.c:1624)
==30035==    by 0x4E80AD3: rygel_v1_hacks_construct (rygel-v1-hacks.vala:107)
==30035==    by 0x4E80B0B: rygel_v1_hacks_new (rygel-v1-hacks.vala:105)
==30035==    by 0x50E7944: rygel_media_server_plugin_real_apply_hacks (rygel-media-server-plugin.vala:189)
==30035==    by 0x4E78A1F: rygel_plugin_apply_hacks (rygel-plugin.vala:235)
==30035==    by 0x4E661EC: rygel_root_device_factory_create (rygel-root-device-factory.vala:116)
==30035==    by 0x409D8E: rygel_main_create_device_co (rygel-main.vala:220)
==30035==    by 0x409C82: _rygel_main_create_device_co_gsource_func (rygel-main.c:1329)
==30035==    by 0x60D7F49: g_main_dispatch (gmain.c:3154)
==30035==    by 0x60D7F49: g_main_context_dispatch (gmain.c:3769)
==30035==    by 0x60D82EF: g_main_context_iterate.isra.29 (gmain.c:3840)
==30035==    by 0x60D8611: g_main_loop_run (gmain.c:4034)
==30035==    by 0x4080AE: rygel_main_run (rygel-main.vala:87)
==30035==    by 0x40B101: rygel_main_main (rygel-main.vala:303)
==30035==    by 0x40B2A4: main (rygel-main.vala:276)
==30035==  Block was alloc'd at
==30035==    at 0x4C2BBCF: malloc (vg_replace_malloc.c:299)
==30035==    by 0x60DD618: g_malloc (gmem.c:94)
==30035==    by 0x60F65FE: g_strdup (gstrfuncs.c:363)
==30035==    by 0x60F80C4: g_strdupv (gstrfuncs.c:2521)
==30035==    by 0x5E47877: boxed_proxy_value_copy (gboxed.c:213)
==30035==    by 0x5E738B7: g_value_transform (gvalue.c:602)
==30035==    by 0x5E500C0: object_set_property (gobject.c:1403)
==30035==    by 0x5E500C0: g_object_new_internal (gobject.c:1815)
==30035==    by 0x5E51DF4: g_object_new_valist (gobject.c:2040)
==30035==    by 0x5E52160: g_object_new (gobject.c:1624)
==30035==    by 0x4E80AD3: rygel_v1_hacks_construct (rygel-v1-hacks.vala:107)
==30035==    by 0x4E80B0B: rygel_v1_hacks_new (rygel-v1-hacks.vala:105)
==30035==    by 0x50E7944: rygel_media_server_plugin_real_apply_hacks (rygel-media-server-plugin.vala:189)
==30035==    by 0x4E78A1F: rygel_plugin_apply_hacks (rygel-plugin.vala:235)
==30035==    by 0x4E661EC: rygel_root_device_factory_create (rygel-root-device-factory.vala:116)
==30035==    by 0x409D8E: rygel_main_create_device_co (rygel-main.vala:220)
==30035==    by 0x409C82: _rygel_main_create_device_co_gsource_func (rygel-main.c:1329)
==30035==    by 0x60D7F49: g_main_dispatch (gmain.c:3154)
==30035==    by 0x60D7F49: g_main_context_dispatch (gmain.c:3769)
==30035==    by 0x60D82EF: g_main_context_iterate.isra.29 (gmain.c:3840)
==30035==    by 0x60D8611: g_main_loop_run (gmain.c:4034)
==30035==    by 0x4080AE: rygel_main_run (rygel-main.vala:87)
==30035== 
==30035== Invalid free() / delete / delete[] / realloc()
==30035==    at 0x4C2CE2B: free (vg_replace_malloc.c:530)
==30035==    by 0x4E822E1: _vala_array_destroy (rygel-v1-hacks.c:1550)
==30035==    by 0x4E82318: _vala_array_free (rygel-v1-hacks.c:1558)
==30035==    by 0x4E81EDD: rygel_v1_hacks_finalize (rygel-v1-hacks.vala:55)
==30035==    by 0x5E4F949: g_object_unref (gobject.c:3183)
==30035==    by 0x50E7B7B: rygel_media_server_plugin_real_apply_hacks (rygel-media-server-plugin.vala:183)
==30035==    by 0x4E78A1F: rygel_plugin_apply_hacks (rygel-plugin.vala:235)
==30035==    by 0x4E661EC: rygel_root_device_factory_create (rygel-root-device-factory.vala:116)
==30035==    by 0x409D8E: rygel_main_create_device_co (rygel-main.vala:220)
==30035==    by 0x409C82: _rygel_main_create_device_co_gsource_func (rygel-main.c:1329)
==30035==    by 0x60D7F49: g_main_dispatch (gmain.c:3154)
==30035==    by 0x60D7F49: g_main_context_dispatch (gmain.c:3769)
==30035==    by 0x60D82EF: g_main_context_iterate.isra.29 (gmain.c:3840)
==30035==    by 0x60D8611: g_main_loop_run (gmain.c:4034)
==30035==    by 0x4080AE: rygel_main_run (rygel-main.vala:87)
==30035==    by 0x40B101: rygel_main_main (rygel-main.vala:303)
==30035==    by 0x40B2A4: main (rygel-main.vala:276)
==30035==  Address 0xf2156b0 is 0 bytes inside a block of size 48 free'd
==30035==    at 0x4C2CE2B: free (vg_replace_malloc.c:530)
==30035==    by 0x60F8048: g_strfreev (gstrfuncs.c:2487)
==30035==    by 0x5E72E0F: g_value_unset (gvalue.c:275)
==30035==    by 0x5E50109: object_set_property (gobject.c:1433)
==30035==    by 0x5E50109: g_object_new_internal (gobject.c:1815)
==30035==    by 0x5E51DF4: g_object_new_valist (gobject.c:2040)
==30035==    by 0x5E52160: g_object_new (gobject.c:1624)
==30035==    by 0x4E80AD3: rygel_v1_hacks_construct (rygel-v1-hacks.vala:107)
==30035==    by 0x4E80B0B: rygel_v1_hacks_new (rygel-v1-hacks.vala:105)
==30035==    by 0x50E7944: rygel_media_server_plugin_real_apply_hacks (rygel-media-server-plugin.vala:189)
==30035==    by 0x4E78A1F: rygel_plugin_apply_hacks (rygel-plugin.vala:235)
==30035==    by 0x4E661EC: rygel_root_device_factory_create (rygel-root-device-factory.vala:116)
==30035==    by 0x409D8E: rygel_main_create_device_co (rygel-main.vala:220)
==30035==    by 0x409C82: _rygel_main_create_device_co_gsource_func (rygel-main.c:1329)
==30035==    by 0x60D7F49: g_main_dispatch (gmain.c:3154)
==30035==    by 0x60D7F49: g_main_context_dispatch (gmain.c:3769)
==30035==    by 0x60D82EF: g_main_context_iterate.isra.29 (gmain.c:3840)
==30035==    by 0x60D8611: g_main_loop_run (gmain.c:4034)
==30035==    by 0x4080AE: rygel_main_run (rygel-main.vala:87)
==30035==    by 0x40B101: rygel_main_main (rygel-main.vala:303)
==30035==    by 0x40B2A4: main (rygel-main.vala:276)
==30035==  Block was alloc'd at
==30035==    at 0x4C2BBCF: malloc (vg_replace_malloc.c:299)
==30035==    by 0x60DD618: g_malloc (gmem.c:94)
==30035==    by 0x60F65FE: g_strdup (gstrfuncs.c:363)
==30035==    by 0x60F80C4: g_strdupv (gstrfuncs.c:2521)
==30035==    by 0x5E47877: boxed_proxy_value_copy (gboxed.c:213)
==30035==    by 0x5E738B7: g_value_transform (gvalue.c:602)
==30035==    by 0x5E500C0: object_set_property (gobject.c:1403)
==30035==    by 0x5E500C0: g_object_new_internal (gobject.c:1815)
==30035==    by 0x5E51DF4: g_object_new_valist (gobject.c:2040)
==30035==    by 0x5E52160: g_object_new (gobject.c:1624)
==30035==    by 0x4E80AD3: rygel_v1_hacks_construct (rygel-v1-hacks.vala:107)
==30035==    by 0x4E80B0B: rygel_v1_hacks_new (rygel-v1-hacks.vala:105)
==30035==    by 0x50E7944: rygel_media_server_plugin_real_apply_hacks (rygel-media-server-plugin.vala:189)
==30035==    by 0x4E78A1F: rygel_plugin_apply_hacks (rygel-plugin.vala:235)
==30035==    by 0x4E661EC: rygel_root_device_factory_create (rygel-root-device-factory.vala:116)
==30035==    by 0x409D8E: rygel_main_create_device_co (rygel-main.vala:220)
==30035==    by 0x409C82: _rygel_main_create_device_co_gsource_func (rygel-main.c:1329)
==30035==    by 0x60D7F49: g_main_dispatch (gmain.c:3154)
==30035==    by 0x60D7F49: g_main_context_dispatch (gmain.c:3769)
==30035==    by 0x60D82EF: g_main_context_iterate.isra.29 (gmain.c:3840)
==30035==    by 0x60D8611: g_main_loop_run (gmain.c:4034)
==30035==    by 0x4080AE: rygel_main_run (rygel-main.vala:87)
==30035== 
==30035==
Comment 4 Jürg Billeter 2016-02-09 21:52:24 UTC
Created attachment 320758
Test case

Double free due to incorrectly consolidated string array dup functions.
Comment 5 Jürg Billeter 2016-02-09 21:53:56 UTC
commit 3806a6918b512583c37076e1a00fa3b53ed455ca
Author: Jürg Billeter <j@bitron.ch>
Date:   Tue Feb 9 22:10:32 2016 +0100

    Revert "codegen: Create only one vala-array helper function per array-type"
    
    This reverts commit fba08583d940af80a0d6b7045294de00c568d6a4.
    
    https://bugzilla.gnome.org/show_bug.cgi?id=761736
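
The failure mode named in comment 4 and visible in the Valgrind log of comment 3, as an added C illustration that is not Vala's generated helper code or anything from the Rygel tree. It assumes the shared helper copied only the element pointers of a string array whose elements each needed their own copy; the tracker, `run_scenario` and the sample strings are constructed for this example.

```c
/* Added illustration, not Vala's generated code. Frees go through a small
 * tracker that quarantines blocks, so bad frees are counted, not executed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BLOCKS 32
struct block { void *ptr; int live; };
static struct block blocks[MAX_BLOCKS];
static int nblocks, invalid_frees;

static void *tracked_alloc(size_t n) {
    if (nblocks == MAX_BLOCKS) abort();
    void *p = calloc(1, n ? n : 1);
    if (!p) abort();
    blocks[nblocks].ptr = p;
    blocks[nblocks].live = 1;
    nblocks++;
    return p;
}

static int is_live(const void *p) {
    for (int i = 0; i < nblocks; i++)
        if (blocks[i].ptr == p) return blocks[i].live;
    return 0;
}

static void tracked_free(void *p) {
    if (!p) return;
    for (int i = 0; i < nblocks; i++)
        if (blocks[i].ptr == p && blocks[i].live) { blocks[i].live = 0; return; }
    invalid_frees++;                 /* Valgrind would print "Invalid free()" */
}

static void tracker_reset(void) {    /* hand everything back to libc */
    for (int i = 0; i < nblocks; i++) free(blocks[i].ptr);
    nblocks = 0;
    invalid_frees = 0;
}

static char *dup_str(const char *s) {
    char *c = tracked_alloc(strlen(s) + 1);
    strcpy(c, s);
    return c;
}

/* Deep copy: new container and new strings, needed when elements are owned. */
static char **strv_dup_deep(char **src, int len) {
    char **dst = tracked_alloc((len + 1) * sizeof *dst);
    for (int i = 0; i < len; i++) dst[i] = dup_str(src[i]);
    return dst;                      /* calloc left dst[len] == NULL */
}

/* Shallow copy: new container, same string pointers. Assumed here to be the
 * helper that the owned string array ended up sharing. */
static char **strv_dup_shallow(char **src, int len) {
    char **dst = tracked_alloc((len + 1) * sizeof *dst);
    memcpy(dst, src, len * sizeof *dst);
    return dst;
}

static void strv_free(char **v, int len) {
    for (int i = 0; i < len; i++) tracked_free(v[i]);
    tracked_free(v);
}

struct result { int dangling_reads; int invalid_frees; };

/* Same order of events as the log: a temporary owns the array, the object
 * stores a copy, the temporary is released, the object reads its copy and
 * is finalized. */
static struct result run_scenario(char **(*dup)(char **, int)) {
    static const char *sample[] = { "constructed-a", "constructed-b", "constructed-c" };
    const int len = 3;
    struct result r = { 0, 0 };
    tracker_reset();

    char **tmp = tracked_alloc((len + 1) * sizeof *tmp);
    for (int i = 0; i < len; i++) tmp[i] = dup_str(sample[i]);

    char **field = dup(tmp, len);    /* object keeps "its own" copy */
    strv_free(tmp, len);             /* temporary owner released */

    for (int i = 0; i < len; i++)    /* object reads its field */
        if (!is_live(field[i])) r.dangling_reads++;
    strv_free(field, len);           /* object finalized */

    r.invalid_frees = invalid_frees;
    tracker_reset();
    return r;
}

int main(void) {
    struct result s = run_scenario(strv_dup_shallow);
    struct result d = run_scenario(strv_dup_deep);
    printf("shallow: %d dangling reads, %d invalid frees\n", s.dangling_reads, s.invalid_frees);
    printf("deep:    %d dangling reads, %d invalid frees\n", d.dangling_reads, d.invalid_frees);
    return 0;
}
```

With the shallow helper every element is both read after release and freed a second time, which matches the "Invalid read" entries followed by "Invalid free()" in the log; the deep helper produces neither.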