Bug 663231 – memory corruption leading to a crash

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 663231 - memory corruption leading to a crash


Summary:	memory corruption leading to a crash


Status:	RESOLVED FIXED

Product:	gnome-settings-daemon
Classification:	Core
Component:	general
Version:	3.2.x
Hardware:	Other Linux

Importance:	Normal critical
Target Milestone:	---
Assigned To:	gnome-settings-daemon-maint
QA Contact:	gnome-settings-daemon-maint

URL:
Whiteboard:

Depends on:	663816
Blocks:

Reported:	2011-11-02 11:33 UTC by Christian Persch
Modified:	2015-04-03 05:51 UTC

See Also:	https://bugs.freedesktop.org/show_bug.cgi?id=42510
GNOME target:	---
GNOME version:	---

Description Christian Persch 2011-11-02 11:33:37 UTC

With gnome-settings-daemon-3.2.1-3.fc16.i686 on uptodate F16, gnome-settings-daemon crashes frequently with apparent memory corruption (crash in the gslice allocator). Happened just now again about 10 min after resume, while not changing any settings or doing anything.

[New LWP 1677]
[New LWP 1681]
[New LWP 1682]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/libthread_db.so.1".
Core was generated by `/usr/libexec/gnome-settings-daemon'.
Program terminated with signal 6, Aborted.

+ Trace 228967

Thread 1 (Thread 0xb7863840 (LWP 1677))

#0 __kernel_vsyscall
#1 __GI_raise
at ../nptl/sysdeps/unix/sysv/linux/raise.c line 64
#2 __GI_abort
at abort.c line 91
#3 mem_error
at gslice.c line 1219
#4 slab_allocator_free_chunk
at gslice.c line 1101
#5 magazine_cache_trim
at gslice.c line 632
#6 magazine_cache_push_magazine
at gslice.c line 663
#7 thread_memory_magazine2_unload
at gslice.c line 762
#8 g_slice_free1
at gslice.c line 889
#9 g_buffer_free_gfree
at gbuffer.c line 43
#10 g_buffer_unref
at gbuffer.c line 205
#11 g_variant_unref
at gvariant-core.c line 630
#12 g_hash_table_remove_all_nodes
at ghash.c line 495
#13 g_hash_table_unref
at ghash.c line 972
#14 g_dbus_message_finalize
at gdbusmessage.c line 123
#15 g_object_unref
at gobject.c line 2746
#16 signal_instance_free
at gdbusconnection.c line 3468
#17 g_source_callback_unref
at gmain.c line 1324
#18 g_source_callback_unref
at gmain.c line 1316
#19 g_source_destroy_internal
at gmain.c line 993
#20 g_main_dispatch
at gmain.c line 2450
#21 g_main_context_dispatch
at gmain.c line 2995
#22 g_main_context_iterate
at gmain.c line 3073
#23 g_main_loop_run
at gmain.c line 3281
#24 gtk_main
at gtkmain.c line 1362
#25 main
at main.c line 458

Comment 1 Bastien Nocera 2011-11-02 11:55:14 UTC

If it occurs this often, any chance you could valgrind gnome-settings-daemon? The performance impact should be fairly minimal on a recent machine.

Comment 2 Bastien Nocera 2011-11-02 11:56:15 UTC

(In reply to comment #1)
> If it occurs this often, any chance you could valgrind gnome-settings-daemon?

I say that because it certainly doesn't crash every 10 minutes for me, or the other people working on gnome-settings-daemon, otherwise we would have been hunting this bug down already.

Comment 3 Christian Persch 2011-11-02 11:59:13 UTC

'Frquently' as in at least once a day. This isn't a 'recent' machine however, so valgrinding it while using the desktop isn't feasible, unfortunately.

Comment 4 Christian Persch 2011-11-02 12:57:54 UTC

I've succeeded running just g-s-d under valgrind, but it's going slow. Hasn't crashed yet, but the log is already chock full of invalid reads, and I've already identified one possible source of the problem in packagekit-glib.

Comment 5 Bastien Nocera 2011-12-05 20:22:34 UTC

Done?

Comment 6 Christian Persch 2011-12-05 20:43:30 UTC

I guess so, yes. At least valgrinding didn't turn up anything else.

Comment 7 qwerty 2015-04-03 05:51:12 UTC

Env:
linux-kernel: 3.10
cpu: arm cortex-A15 core
gstreamer version: 1.2.3
gst-omx version: 1.0


pipeline structure:
filesrc ! typefind ! queue ! mpegvparse ! omxmpeg2dec ! (convert and scale) ! waylandsink

Operation:
1. Played a short mpeg-2 video, the length is about 6s. 
2. Playback completed.
3. Play it a again without terminating the process.

After I repeated step 2 and 3 for about 5~10 time, the program was aborted and print out this error message:
==========================================================================
***MEMORY-ERROR***: test_arm[468]: GSlice: assertion failed: sinfo->n_allocated > 0
==========================================================================

Here is the gdb backtrace info:
==========================================================================
(gdb) bt

+ Trace 234935

#0 __GI_raise
at ../nptl/sysdeps/unix/sysv/linux/raise.c line 56
#1 __GI_abort
at abort.c line 89
#2 mem_error
at /usr/src/debug/glib-2.0/1_2.38.2-r0/glib-2.38.2/glib/gslice.c line 1455
#3 slab_allocator_free_chunk
at /usr/src/debug/glib-2.0/1_2.38.2-r0/glib-2.38.2/glib/gslice.c line 1337
#4 magazine_cache_trim
at /usr/src/debug/glib-2.0/1_2.38.2-r0/glib-2.38.2/glib/gslice.c line 685
#5 magazine_cache_push_magazine
at /usr/src/debug/glib-2.0/1_2.38.2-r0/glib-2.38.2/glib/gslice.c line 716
#6 thread_memory_magazine2_unload
at /usr/src/debug/glib-2.0/1_2.38.2-r0/glib-2.38.2/glib/gslice.c line 815
#7 g_slice_free1
at /usr/src/debug/glib-2.0/1_2.38.2-r0/glib-2.38.2/glib/gslice.c line 1106
#8 g_slist_delete_link
at /usr/src/debug/glib-2.0/1_2.38.2-r0/glib-2.38.2/glib/gslist.c line 557
#9 gst_adapter_flush_unchecked
at gstadapter.c line 587
#10 gst_adapter_take_buffer
at gstadapter.c line 878
#11 gst_base_parse_finish_frame
at gstbaseparse.c line 2418
#12 gst_mpegv_parse_handle_frame
at gstmpegvideoparse.c line 701
#13 gst_base_parse_handle_buffer
at gstbaseparse.c line 1959
#14 gst_base_parse_chain
at gstbaseparse.c line 2880
#15 gst_pad_chain_data_unchecked
at gstpad.c line 3760
#16 gst_pad_push_data
at gstpad.c line 3990
#17 gst_queue_push_one
at gstqueue.c line 1115
#18 gst_queue_loop
at gstqueue.c line 1244
#19 gst_task_func
at gsttask.c line 316
#20 g_thread_pool_thread_proxy
at /usr/src/debug/glib-2.0/1_2.38.2-r0/glib-2.38.2/glib/gthreadpool.c line 309
#21 g_thread_proxy
at /usr/src/debug/glib-2.0/1_2.38.2-r0/glib-2.38.2/glib/gthread.c line 798
#22 start_thread
at pthread_create.c line 314
#23 ??
at ../ports/sysdeps/unix/sysv/linux/arm/clone.S line 92
#24 ??
at ../ports/sysdeps/unix/sysv/linux/arm/clone.S line 92


Then set the environment variable G_SLICE=always-malloc.
In this situation I could play the same video for about 50 times. No problem happened this time.

I'm not quite sure is this a gstreamer bug or a glib bug.
This is my first bug. If the info is not enough, please notice me.

Thanks,