Bug 656715 - playbin2, playsink: reference count ts_offset to avoid crashes
Status: RESOLVED FIXED
Product: GStreamer
Classification: Platform
Component: gst-plugins-base
Version: 0.10.34
Hardware: Other Linux
Importance: Normal critical
Target Milestone: 0.10.36
Assigned To: GStreamer Maintainers
QA Contact: GStreamer Maintainers
Duplicates: 657209
Depends on:
Blocks:
 
 
Reported: 2011-08-17 02:35 UTC by Jasper St. Pierre (not reading bugmail)
Modified: 2011-08-25 22:03 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
patch (4.06 KB, patch)
2011-08-21 21:58 UTC, David Schleef

Description Jasper St. Pierre (not reading bugmail) 2011-08-17 02:35:53 UTC
See https://bugzilla.redhat.com/show_bug.cgi?id=706744

While tracking down that bug, I found that the crash is due to improper refcounting in gstreamer. Unless I'm missing something, the code path is all gstreamer. It never hits totem.

See the test here at:
  http://p.mecheye.net/refcount/0

Notice how it incorrectly gets decremented to 0 during a message free, and is then used later. (After its memory has been replaced by various pango stuff)

The gdb commands I used:
  http://p.mecheye.net/refcount-commands/1
Comment 1 Vincent Penquerc'h 2011-08-17 09:30:58 UTC
I think this might be fixed by the patch in https://bugzilla.gnome.org/show_bug.cgi?id=653840.
Comment 2 Vincent Penquerc'h 2011-08-17 14:20:35 UTC
Actually, no, that patch is bad, sorry.
Comment 3 David Schleef 2011-08-18 03:21:13 UTC
Jasper, how did you reproduce this?  Is it random?
Comment 4 Jasper St. Pierre (not reading bugmail) 2011-08-18 03:26:39 UTC
(In reply to comment #3)
> Jasper, how did you reproduce this?  Is it random?

It's "random", but it happens a lot of the time for me.

1. $ totem ~/thing.mp3
2. Sometimes the file won't play (no visualizer, "00:00 / 00:00")
3. Open a file from the Recent Files list.
4. Boom.

You sometimes get an assert on something like "g_type_instance", you sometimes get a segfault. It's just trying to access memory it thinks it has but doesn't.

Additionally, it might be related to threading sync issues: I forget it now, but while debugging this with gdb I found a breakpoint I could set that would make the issue go away (I tested six or seven times with that breakpoint, and it never failed once)
Comment 5 David Schleef 2011-08-21 21:58:13 UTC
Created attachment 194337
patch

A potential fix.  This seems to decrease the probability of seeing the bug to ~0, but I'd like to get some confirmation from other people.
Comment 6 Sebastian Dröge (slomo) 2011-08-24 05:58:47 UTC
*** Bug 657209 has been marked as a duplicate of this bug. ***
Comment 7 Sebastian Dröge (slomo) 2011-08-24 06:00:20 UTC
Looks correct to me and should prevent all crashes caused by the ts-offset elements disappearing because we now really own a reference. Please push, it can't hurt even though I can't guarantee that it fixes this bug either :)
Comment 8 David Schleef 2011-08-25 21:15:21 UTC
commit a91237434271ed17d59bf95e0762dc9161c09864
Author: David Schleef <ds@schleef.org>
Date:   Sun Aug 21 14:51:45 2011 -0700

    playback: reference count ts_offset
    
    Apparently this object is being used after it's freed.  This is one
    way to fix it, although perhaps not the best way.  Fixes: #656715.


I will assume it fixes this bug and close it.
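
The ownership change discussed in comments 5 to 7, modelled as an added example; it is not the GStreamer patch, which this page does not show. `Obj`, `Sink` and the `sink_*` functions are hypothetical names, and the "other owner dropping its reference" is an assumed stand-in for whatever released the last reference in the reporter's trace.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a refcounted GObject; not GStreamer code. */
typedef struct { int refcount; int finalized; } Obj;

static Obj *obj_new(void) {
    Obj *o = calloc(1, sizeof *o);
    if (!o) abort();
    o->refcount = 1;              /* reference held by the creator */
    return o;
}
static Obj *obj_ref(Obj *o) { o->refcount++; return o; }
/* A real unref would free() here. The model only marks the object, so the
 * demo can inspect it afterwards without reading freed memory. */
static void obj_unref(Obj *o) { if (--o->refcount == 0) o->finalized = 1; }

/* Hypothetical holder that caches a pointer to a ts_offset-like element. */
typedef struct { Obj *ts_offset; int owns_ref; } Sink;

/* Before: borrowed pointer, lifetime controlled entirely by someone else. */
static void sink_set_borrowed(Sink *s, Obj *e) { s->ts_offset = e; s->owns_ref = 0; }
/* After: the holder takes its own reference and releases it on clear. */
static void sink_set_owned(Sink *s, Obj *e) { s->ts_offset = obj_ref(e); s->owns_ref = 1; }
static void sink_clear(Sink *s) {
    if (s->ts_offset && s->owns_ref) obj_unref(s->ts_offset);
    s->ts_offset = NULL;
}

/* Returns 1 if the cached pointer refers to a finalized object once the
 * other owner has dropped its reference (assumed trigger), else 0. */
static int dangling_after_release(int take_ref) {
    Obj *e = obj_new();
    Sink s = {0};
    if (take_ref) sink_set_owned(&s, e); else sink_set_borrowed(&s, e);
    obj_unref(e);                 /* other owner lets go, e.g. during teardown */
    int dangling = s.ts_offset->finalized;
    sink_clear(&s);               /* owned case: last reference dropped here */
    if (!e->finalized) abort();   /* every reference must be balanced by now */
    free(e);
    return dangling;
}

int main(void) {
    printf("borrowed pointer dangling: %d\n", dangling_after_release(0));
    printf("owned reference dangling:  %d\n", dangling_after_release(1));
    return 0;
}
```

In real code the borrowed case is a use-after-free, which is why the reporter saw either a type-instance assertion or a segfault depending on what had reused the memory.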