Bug 546971 - rhythmbox crashed when ejecting an ipod device
Status: RESOLVED FIXED
Product: gvfs
Classification: Core
Component: [obsolete] hal volume monitor
Version: 0.99.x
Hardware: Other Linux
Importance: Normal critical
Target Milestone: ---
Assigned To: gvfs-maint
QA Contact: gvfs-maint

Reported: 2008-08-08 17:31 UTC by Sebastien Bacher
Modified: 2008-09-02 21:13 UTC
GNOME target: ---
GNOME version: 2.23/2.24

Description Sebastien Bacher 2008-08-08 17:31:58 UTC
rhythmbox crasher after clicking on the eject button

Thread 1 (process 28004)

  • #0 strcmp
    from /lib/tls/i686/cmov/libc.so.6
  • #1 g_proxy_volume_update
    at gproxyvolume.c line 227
  • #2 filter_function
    at gproxyvolumemonitor.c line 512
  • #3 dbus_connection_dispatch
    from /lib/libdbus-1.so.3
  • #4 dbus_source_dispatch
    at gdbusutils.c line 868
  • #5 IA__g_main_context_dispatch
    at /build/buildd/glib2.0-2.17.6/glib/gmain.c line 2072
  • #6 g_main_context_iterate
    at /build/buildd/glib2.0-2.17.6/glib/gmain.c line 2705
  • #7 IA__g_main_loop_run
    at /build/buildd/glib2.0-2.17.6/glib/gmain.c line 2928
  • #8 IA__gtk_main
    at /build/buildd/gtk+2.0-2.13.6/gtk/gtkmain.c line 1172
  • #9 main
    at main.c line 330

    
Comment 1 Sebastien Bacher 2008-09-02 15:07:06 UTC
valgrind log errors:

==14017== Invalid read of size 4
==14017==    at 0x74C7142: g_proxy_volume_update (gproxyvolume.c:250)
==14017==    by 0x74CB1DD: filter_function (gproxyvolumemonitor.c:512)
==14017==    by 0x4498094: dbus_connection_dispatch (in /lib/libdbus-1.so.3.4.0)
==14017==    by 0x74CEAC8: dbus_source_dispatch (gdbusutils.c:868)
==14017==    by 0x51147E0: g_main_context_dispatch (gmain.c:2073)
==14017==    by 0x5117E82: g_main_context_iterate (gmain.c:2706)
==14017==    by 0x51183A1: g_main_loop_run (gmain.c:2929)
==14017==    by 0x48E3A38: gtk_main (gtkmain.c:1172)
==14017==    by 0x806315F: main (main.c:330)
==14017==  Address 0x71761c4 is 44 bytes inside a block of size 60 free'd
==14017==    at 0x4023B4A: free (vg_replace_malloc.c:323)
==14017==    by 0x511CD35: g_free (gmem.c:190)
==14017==    by 0x4DA78C7: pango_layout_line_unref (in /usr/lib/libpango-1.0.so.0.2101.2)
==14017==    by 0x4DA8F22: (within /usr/lib/libpango-1.0.so.0.2101.2)
==14017==    by 0x4833E25: gtk_cell_renderer_text_render (gtkcellrenderertext.c:1679)
==14017==    by 0x482BC2D: gtk_cell_renderer_render (gtkcellrenderer.c:578)
==14017==    by 0x4A0682A: gtk_tree_view_column_cell_process_action (gtktreeviewcolumn.c:2802)
==14017==    by 0x4A0764B: _gtk_tree_view_column_cell_render (gtktreeviewcolumn.c:3135)
==14017==    by 0x4A01540: gtk_tree_view_bin_expose (gtktreeview.c:4701)
==14017==    by 0x4A02C61: gtk_tree_view_expose (gtktreeview.c:4941)
==14017==    by 0x48EA371: _gtk_marshal_BOOLEAN__BOXED (gtkmarshalers.c:84)
==14017==    by 0x4F543E8: g_type_class_meta_marshal (gclosure.c:878)
==14017==    by 0x4F55C72: g_closure_invoke (gclosure.c:767)
==14017==    by 0x4F6D13C: signal_emit_unlocked_R (gsignal.c:3282)
==14017==    by 0x4F6EA7A: g_signal_emit_valist (gsignal.c:2987)
==14017==    by 0x4F6F085: g_signal_emit (gsignal.c:3034)
==14017==    by 0x4A185BD: gtk_widget_event_internal (gtkwidget.c:4745)
==14017==    by 0x48E37D2: gtk_main_do_event (gtkmain.c:1525)
==14017==    by 0x4BB60B2: gdk_window_process_updates_internal (gdkwindow.c:2598)
==14017==    by 0x4BB6AF6: gdk_window_process_all_updates (gdkwindow.c:2664)
==14017==    by 0x4BB6B1A: gdk_window_update_idle (gdkwindow.c:2508)
==14017==    by 0x4B998BA: gdk_threads_dispatch (gdk.c:473)
==14017==    by 0x5112880: g_idle_dispatch (gmain.c:4178)
==14017==    by 0x51147E0: g_main_context_dispatch (gmain.c:2073)
==14017==    by 0x5117E82: g_main_context_iterate (gmain.c:2706)
==14017==    by 0x51183A1: g_main_loop_run (gmain.c:2929)
==14017==    by 0x48E3A38: gtk_main (gtkmain.c:1172)
==14017==    by 0x806315F: main (main.c:330)

(rhythmbox:14017): GLib-GObject-WARNING **: invalid unclassed pointer in cast to `GObject'

(rhythmbox:14017): GLib-GObject-CRITICAL **: g_object_ref: assertion `G_IS_OBJECT (object)' failed

(rhythmbox:14017): GLib-GObject-WARNING **: invalid unclassed pointer in cast to `GObject'

(rhythmbox:14017): GLib-GObject-CRITICAL **: g_object_ref: assertion `G_IS_OBJECT (object)' failed
--14017-- memcheck GC: 65536 nodes, 59843 survivors ( 91.3%)
--14017-- memcheck GC: increase table size to 131072

(rhythmbox:14017): GLib-GObject-WARNING **: invalid (NULL) pointer instance

(rhythmbox:14017): GLib-GObject-CRITICAL **: g_signal_emit_by_name: assertion `G_TYPE_CHECK_INSTANCE (instance)' failed

(rhythmbox:14017): GLib-GObject-CRITICAL **: g_object_unref: assertion `G_IS_OBJECT (object)' failed
==14017== 
==14017== Conditional jump or move depends on uninitialised value(s)
==14017==    at 0x4F5A754: g_value_object_collect_value (gobject.c:2692)
==14017==    by 0x4F6E921: g_signal_emit_valist (gsignal.c:2952)
==14017==    by 0x4F6EF2C: g_signal_emit_by_name (gsignal.c:3071)
==14017==    by 0x74CABE1: signal_emit_in_idle_do (gproxyvolumemonitor.c:396)
==14017==    by 0x5112880: g_idle_dispatch (gmain.c:4178)
==14017==    by 0x51147E0: g_main_context_dispatch (gmain.c:2073)
==14017==    by 0x5117E82: g_main_context_iterate (gmain.c:2706)
==14017==    by 0x51183A1: g_main_loop_run (gmain.c:2929)
==14017==    by 0x48E3A38: gtk_main (gtkmain.c:1172)
==14017==    by 0x806315F: main (main.c:330)
==14017== 
==14017== Use of uninitialised value of size 4
==14017==    at 0x4F5A75A: g_value_object_collect_value (gobject.c:2696)
==14017==    by 0x4F6E921: g_signal_emit_valist (gsignal.c:2952)
==14017==    by 0x4F6EF2C: g_signal_emit_by_name (gsignal.c:3071)
==14017==    by 0x74CABE1: signal_emit_in_idle_do (gproxyvolumemonitor.c:396)
==14017==    by 0x5112880: g_idle_dispatch (gmain.c:4178)
==14017==    by 0x51147E0: g_main_context_dispatch (gmain.c:2073)
==14017==    by 0x5117E82: g_main_context_iterate (gmain.c:2706)
==14017==    by 0x51183A1: g_main_loop_run (gmain.c:2929)
==14017==    by 0x48E3A38: gtk_main (gtkmain.c:1172)
==14017==    by 0x806315F: main (main.c:330)
==14017== 
==14017== Conditional jump or move depends on uninitialised value(s)
==14017==    at 0x4F73C31: g_type_check_is_value_type (gtype.c:3837)
==14017==    by 0x4F7A5B7: g_value_type_compatible (gvalue.c:441)
==14017==    by 0x4F5A76F: g_value_object_collect_value (gobject.c:2701)
==14017==    by 0x4F6E921: g_signal_emit_valist (gsignal.c:2952)
==14017==    by 0x4F6EF2C: g_signal_emit_by_name (gsignal.c:3071)
==14017==    by 0x74CABE1: signal_emit_in_idle_do (gproxyvolumemonitor.c:396)
==14017==    by 0x5112880: g_idle_dispatch (gmain.c:4178)
==14017==    by 0x51147E0: g_main_context_dispatch (gmain.c:2073)
==14017==    by 0x5117E82: g_main_context_iterate (gmain.c:2706)
==14017==    by 0x51183A1: g_main_loop_run (gmain.c:2929)
==14017==    by 0x48E3A38: gtk_main (gtkmain.c:1172)
==14017==    by 0x806315F: main (main.c:330)
Comment 2 Sebastien Bacher 2008-09-02 15:11:30 UTC
another valgrind log:

==28479== Invalid read of size 4
==28479==    at 0x4F57DDB: g_object_unref (gobject.c:2360)
==28479==    by 0x74C9356: g_proxy_mount_get_drive (gproxymount.c:299)
==28479==    by 0x74C95E7: g_proxy_mount_can_eject (gproxymount.c:341)
==28479==    by 0x4CE294B: g_mount_can_eject (gmount.c:324)
==28479==    by 0x8080496: rb_removable_media_manager_set_property (rb-removable-media-manager.c:745)
==28479==    by 0x4F5B3C5: g_object_set_valist (gobject.c:938)
==28479==    by 0x4F5B845: g_object_set (gobject.c:1527)
==28479==    by 0x8065037: rb_shell_select_source (rb-shell.c:2064)
==28479==    by 0x4F63CD9: g_cclosure_marshal_VOID__OBJECT (gmarshal.c:636)
==28479==    by 0x4F55C72: g_closure_invoke (gclosure.c:767)
==28479==    by 0x4F6D4B4: signal_emit_unlocked_R (gsignal.c:3244)
==28479==    by 0x4F6EBD5: g_signal_emit_valist (gsignal.c:2977)
==28479==    by 0x4F6F085: g_signal_emit (gsignal.c:3034)
==28479==    by 0x808B7F8: rb_sourcelist_selection_changed_cb (rb-sourcelist.c:1407)
==28479==    by 0x4F63B53: g_cclosure_marshal_VOID__VOID (gmarshal.c:77)
==28479==    by 0x4F55C72: g_closure_invoke (gclosure.c:767)
==28479==    by 0x4F6D4B4: signal_emit_unlocked_R (gsignal.c:3244)
==28479==    by 0x4F6EBD5: g_signal_emit_valist (gsignal.c:2977)
==28479==    by 0x4F6F085: g_signal_emit (gsignal.c:3034)
==28479==    by 0x49DE264: _gtk_tree_selection_internal_select_node (gtktreeselection.c:1427)
==28479==    by 0x49F912D: gtk_tree_view_real_set_cursor (gtktreeview.c:12542)
==28479==    by 0x4A03BEC: gtk_tree_view_button_press (gtktreeview.c:2742)
==28479==    by 0x40AED37: rb_tree_dnd_button_press_event_cb (rb-tree-dnd.c:929)
==28479==    by 0x48EA371: _gtk_marshal_BOOLEAN__BOXED (gtkmarshalers.c:84)
==28479==    by 0x4F55C72: g_closure_invoke (gclosure.c:767)
==28479==    by 0x4F6D4B4: signal_emit_unlocked_R (gsignal.c:3244)
==28479==    by 0x4F6EA7A: g_signal_emit_valist (gsignal.c:2987)
==28479==    by 0x4F6F085: g_signal_emit (gsignal.c:3034)
==28479==    by 0x4A185BD: gtk_widget_event_internal (gtkwidget.c:4745)
==28479==    by 0x48E1F99: gtk_propagate_event (gtkmain.c:2363)
==28479==    by 0x48E3536: gtk_main_do_event (gtkmain.c:1568)
==28479==    by 0x4BD2EF9: gdk_event_dispatch (gdkevents-x11.c:2365)
==28479==    by 0x51147E0: g_main_context_dispatch (gmain.c:2073)
==28479==    by 0x5117E82: g_main_context_iterate (gmain.c:2706)
==28479==    by 0x51183A1: g_main_loop_run (gmain.c:2929)
==28479==    by 0x48E3A38: gtk_main (gtkmain.c:1172)
==28479==    by 0x806315F: main (main.c:330)
==28479==  Address 0xac6da18 is 0 bytes inside a block of size 60 free'd
==28479==    at 0x4023B4A: free (vg_replace_malloc.c:323)
==28479==    by 0x511CD35: g_free (gmem.c:190)
==28479==    by 0x4F77611: g_type_free_instance (gtype.c:1717)
==28479==    by 0x807FAD8: rb_removable_media_manager_add_mount (rb-removable-media-manager.c:582)
==28479==    by 0x4F63CD9: g_cclosure_marshal_VOID__OBJECT (gmarshal.c:636)
==28479==    by 0x4F55C72: g_closure_invoke (gclosure.c:767)
==28479==    by 0x4F6D4B4: signal_emit_unlocked_R (gsignal.c:3244)
==28479==    by 0x4F6EBD5: g_signal_emit_valist (gsignal.c:2977)
==28479==    by 0x4F6EF2C: g_signal_emit_by_name (gsignal.c:3071)
==28479==    by 0x4CEA7ED: child_mount_added (gunionvolumemonitor.c:280)
==28479==    by 0x4F63CD9: g_cclosure_marshal_VOID__OBJECT (gmarshal.c:636)
==28479==    by 0x4F55C72: g_closure_invoke (gclosure.c:767)
==28479==    by 0x4F6D4B4: signal_emit_unlocked_R (gsignal.c:3244)
==28479==    by 0x4F6EBD5: g_signal_emit_valist (gsignal.c:2977)
==28479==    by 0x4F6EF2C: g_signal_emit_by_name (gsignal.c:3071)
==28479==    by 0x74CABBA: signal_emit_in_idle_do (gproxyvolumemonitor.c:391)
==28479==    by 0x5112880: g_idle_dispatch (gmain.c:4178)
==28479==    by 0x51147E0: g_main_context_dispatch (gmain.c:2073)
==28479==    by 0x5117E82: g_main_context_iterate (gmain.c:2706)
==28479==    by 0x51183A1: g_main_loop_run (gmain.c:2929)
==28479==    by 0x48E3A38: gtk_main (gtkmain.c:1172)
==28479==    by 0x806315F: main (main.c:330)
Comment 3 Sebastien Bacher 2008-09-02 15:20:22 UTC
another valgrind log:

==28479== Invalid read of size 4
==28479==    at 0x74C7142: g_proxy_volume_update (gproxyvolume.c:250)
==28479==    by 0x74CB1DD: filter_function (gproxyvolumemonitor.c:512)
==28479==    by 0x4498094: dbus_connection_dispatch (in /lib/libdbus-1.so.3.4.0)
==28479==    by 0x74CEAC8: dbus_source_dispatch (gdbusutils.c:868)
==28479==    by 0x51147E0: g_main_context_dispatch (gmain.c:2073)
==28479==    by 0x5117E82: g_main_context_iterate (gmain.c:2706)
==28479==    by 0x51183A1: g_main_loop_run (gmain.c:2929)
==28479==    by 0x48E3A38: gtk_main (gtkmain.c:1172)
==28479==    by 0x806315F: main (main.c:330)
==28479==  Address 0xac6da44 is 44 bytes inside a block of size 60 free'd
==28479==    at 0x4023B4A: free (vg_replace_malloc.c:323)
==28479==    by 0x511CD35: g_free (gmem.c:190)
==28479==    by 0x4F77611: g_type_free_instance (gtype.c:1717)
==28479==    by 0x807FAD8: rb_removable_media_manager_add_mount (rb-removable-media-manager.c:582)
==28479==    by 0x4F63CD9: g_cclosure_marshal_VOID__OBJECT (gmarshal.c:636)
==28479==    by 0x4F55C72: g_closure_invoke (gclosure.c:767)
==28479==    by 0x4F6D4B4: signal_emit_unlocked_R (gsignal.c:3244)
==28479==    by 0x4F6EBD5: g_signal_emit_valist (gsignal.c:2977)
==28479==    by 0x4F6EF2C: g_signal_emit_by_name (gsignal.c:3071)
==28479==    by 0x4CEA7ED: child_mount_added (gunionvolumemonitor.c:280)
==28479==    by 0x4F63CD9: g_cclosure_marshal_VOID__OBJECT (gmarshal.c:636)
==28479==    by 0x4F55C72: g_closure_invoke (gclosure.c:767)
==28479==    by 0x4F6D4B4: signal_emit_unlocked_R (gsignal.c:3244)
==28479==    by 0x4F6EBD5: g_signal_emit_valist (gsignal.c:2977)
==28479==    by 0x4F6EF2C: g_signal_emit_by_name (gsignal.c:3071)
==28479==    by 0x74CABBA: signal_emit_in_idle_do (gproxyvolumemonitor.c:391)
==28479==    by 0x5112880: g_idle_dispatch (gmain.c:4178)
==28479==    by 0x51147E0: g_main_context_dispatch (gmain.c:2073)
==28479==    by 0x5117E82: g_main_context_iterate (gmain.c:2706)
==28479==    by 0x51183A1: g_main_loop_run (gmain.c:2929)
==28479==    by 0x48E3A38: gtk_main (gtkmain.c:1172)
==28479==    by 0x806315F: main (main.c:330)

seems that gvfs is trying to use a GVolume which has already been freed
Comment 4 David Zeuthen (not reading bugmail) 2008-09-02 19:37:09 UTC
Should be fixed in trunk - Seb, any chance you can test this? Thanks!

2008-09-02  David Zeuthen  <davidz@redhat.com>

        * monitor/hal/ghaldrive.c: (g_hal_drive_eject_do):
        * monitor/hal/ghalmount.c: (unmount_cb), (unmount_do),
        (eject_wrapper_callback), (g_hal_mount_eject):
        * monitor/proxy/gproxymount.c: (eject_wrapper_callback),
        (g_proxy_mount_eject):
        * monitor/proxy/gproxyvolume.c: (eject_wrapper_callback):
        Remember to refcount objects (#546971).
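
The ChangeLog entry above describes the fix as taking references in the eject wrapper callbacks. The pattern, as an added C example that is not gvfs code: `Volume`, `PendingEject` and the function names are hypothetical, and a live-object counter stands in for valgrind so the dangling case is detected without touching freed memory.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a refcounted GVolume-like object. */
typedef struct Volume { int refs; char name[16]; } Volume;

static int live_volumes;   /* objects allocated and not yet freed */

static Volume *volume_new(const char *name) {
    Volume *v = calloc(1, sizeof *v);
    if (!v) abort();
    v->refs = 1;
    strncpy(v->name, name, sizeof v->name - 1);
    live_volumes++;
    return v;
}
static Volume *volume_ref(Volume *v) { v->refs++; return v; }
static void volume_unref(Volume *v) {
    if (--v->refs == 0) { live_volumes--; free(v); }
}

/* One pending async operation: the callback's user data is the volume. */
typedef struct { Volume *vol; int holds_ref; } PendingEject;

/* Start an eject. With take_ref set, the operation owns a reference until
 * its callback has run; without it the pointer is merely borrowed. */
static PendingEject eject_begin(Volume *v, int take_ref) {
    PendingEject op = { take_ref ? volume_ref(v) : v, take_ref };
    return op;
}

/* Completion callback, dispatched later from the main loop.
 * Returns 1 if op->vol was still valid, 0 if using it would have been a
 * read of freed memory (detected via the counter, never dereferenced). */
static int eject_finish(PendingEject *op) {
    if (live_volumes == 0) return 0;      /* dangling: object already freed */
    int ok = op->vol->name[0] != '\0';    /* safe to touch the object */
    if (op->holds_ref) volume_unref(op->vol);
    return ok;
}

/* Simulates: start eject, caller drops its last reference, callback fires. */
static int run_scenario(int take_ref) {
    Volume *v = volume_new("ipod");
    PendingEject op = eject_begin(v, take_ref);
    volume_unref(v);                      /* caller is done with the volume */
    return eject_finish(&op);
}

int main(void) { return !(run_scenario(1) == 1 && run_scenario(0) == 0); }
```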
Comment 5 Sebastien Bacher 2008-09-02 20:25:24 UTC
the change doesn't fix the crash
Comment 6 David Zeuthen (not reading bugmail) 2008-09-02 21:10:46 UTC
If it works with Nautilus this looks like a RB bug... any chance you can see if it works from e.g. the drive applet? 

(I *think* it's ported to gio nowadays - it's kinda malfunctioning on my box hence why I can't test myself)
Comment 7 Sebastien Bacher 2008-09-02 21:13:03 UTC
there was also a rhythmbox bug, seems to work correctly now using the svn versions so closing this bug
