GNOME Bugzilla – Bug 733499
rhythmbox crashes with SIGSEGV due to double free in rb_podcast_parse_channel_free
Last modified: 2014-07-22 22:17:53 UTC
Trace1: First call to rb_podcast_parse_channel_free() from parse_finished(..)
Trace2: Second call to rb_podcast_parse_channel_free() from remove_all_feeds_cb(..)

Note both calls to rb_podcast_parse_channel_free are for the same podcast channel - 0x2216cd0. The first one succeeds, but the second one segfaults as expected.

Trace1:
=======
Breakpoint 1, rb_podcast_parse_channel_free (data=0x2216cd0) at rb-podcast-parse.c:279
279		g_return_if_fail (data != NULL);
$323 = {
  url = 0x7fffbc05d260 "https://itunes.apple.com/us/podcast/global-news/id135067274?mt=2&uo=4",
  title = 0x7fffbc0a9bb0 "Global News",
  lang = 0x7fffbc0a9bd0 "en",
  description = 0x7fffbc0a9c30 "The best stories, interviews and on the spot reporting from around the world. \r\r\n\r\r\nListen to up to 30 minutes of highlights from Newshour, Newsday and The Newsroom. Compiled twice a day from the 24 hour News coverage from BBC World Service.",
  author = 0x7fffbc0a9b90 "BBC World Service",
  contact = 0x0,
  img = 0x7fffbc0a9b40 "http://www.bbc.co.uk/podcasts/assets/artwork/globalnews.jpg",
  pub_date = 1405872017,
  copyright = 0x7fffbc0a9bf0 "(C) BBC 2014",
  is_opml = 0,
  posts = 0x22058a0,
  num_posts = 0
}
Trace 233849
Program received signal SIGSEGV, Segmentation fault.
g_list_foreach (list=0x2900, func=func@entry=0x7ffff7b1ee70 <rb_podcast_parse_item_free>, user_data=user_data@entry=0x0) at /tmp/buildd/glib2.0-2.40.0/./glib/glist.c:992
992	  GList *next = list->next;
I can't reproduce this. How are you triggering it?
I quickly went through the code path of the segfault (this was a different failure instance from the one reported in the bug description).

Added function print_all_feeds_cb() to rb-podcast-add-dialog.c, to check what was in the feed list when remove_all_feeds_cb() was invoked.

static gboolean
print_all_feeds_cb (GtkTreeModel *model, GtkTreePath *path, GtkTreeIter *iter, RBPodcastAddDialog *dialog)
{
	RBPodcastChannel *channel;

	gtk_tree_model_get (model, iter, FEED_COLUMN_PARSED_FEED, &channel, -1);
	/* print the pointer with %p; %x expects an unsigned int, not a pointer */
	printf ("print_all_feeds_cb: %p\n", (void *) channel);
	return FALSE;
}

static void
remove_all_feeds (RBPodcastAddDialog *dialog)
{
	/* debug: print every feed still in the model before they are freed */
	gtk_tree_model_foreach (GTK_TREE_MODEL (dialog->priv->feed_model), (GtkTreeModelForeachFunc) print_all_feeds_cb, dialog);

	/* remove all feeds from the model and free associated data */
	gtk_tree_model_foreach (GTK_TREE_MODEL (dialog->priv->feed_model), (GtkTreeModelForeachFunc) remove_all_feeds_cb, dialog);
	...
	...
}

Below are the details:
1. There were 9 podcast search results in total.
2. The first podcast channel address was "0x1ca33c0" (not sure about 0x1a4a050).
3. The last podcast channel address was "0x1cd68c0".

parse_finished: 2 0x1a4a050
rb_podcast_parse_channel_free: 0x1a4a050
parse_finished: 3 0x1ca33c0
rb_podcast_parse_channel_free: 0x1ca33c0
print_all_feeds_cb: 0x1ca33c0
print_all_feeds_cb: 0x1cd4f80
print_all_feeds_cb: 0x14e0ee0
print_all_feeds_cb: 0x1cc3d70
print_all_feeds_cb: 0x1d16290
print_all_feeds_cb: 0x1cb11c0
print_all_feeds_cb: 0x1cdf4a0
print_all_feeds_cb: 0x1ce4210
print_all_feeds_cb: 0x1cd68c0
remove_all_feeds_cb: 0x1ca33c0
rb_podcast_parse_channel_free: 0x1ca33c0
*** Error in `./rhythmbox': free(): invalid pointer: 0x0000000001d1ff60 ***
Aborted (core dumped)

The thing is that the 9 podcast results are expected to be cleared as part of remove_all_feeds_cb(). But the call to rb_podcast_parse_channel_free() from parse_finished() creates an issue here.
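The ownership pattern that prevents the double free traced above, as an added example in plain C: this is not rhythmbox code and not the project's actual fix, but a hypothetical Channel and FeedModel in which every owner holds a counted reference, so a parser-side release and a later model-side release (the parse_finished / remove_all_feeds_cb pair from the traces) free the channel exactly once, and the model clears its slot so no dangling pointer survives.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-in for RBPodcastChannel: an owner count instead of a bare free(). */
typedef struct { char *title; int refcount; } Channel;
/* Hypothetical stand-in for the add dialog's feed_model: an array of channel pointers. */
#define MAX_FEEDS 16
typedef struct { Channel *feeds[MAX_FEEDS]; int n; } FeedModel;
static Channel *channel_new(const char *title) {
    Channel *c = calloc(1, sizeof *c);
    c->title = malloc(strlen(title) + 1);
    strcpy(c->title, title);
    c->refcount = 1;              /* the creator (the parser) holds the first reference */
    return c;
}
static Channel *channel_ref(Channel *c) { c->refcount++; return c; }

/* Drop one reference; free only when the last owner lets go. Returns 1 if freed. */
static int channel_unref(Channel *c) {
    if (c == NULL || --c->refcount > 0) return 0;
    free(c->title);
    free(c);
    return 1;
}

/* The model takes its own reference when a parsed feed is stored in it. */
static void model_add(FeedModel *m, Channel *c) {
    if (m->n < MAX_FEEDS) m->feeds[m->n++] = channel_ref(c);
}
/* Analogue of remove_all_feeds_cb: release the model's references and clear the slots. */
static int model_remove_all(FeedModel *m) {
    int freed = 0;
    for (int i = 0; i < m->n; i++) {
        freed += channel_unref(m->feeds[i]);
        m->feeds[i] = NULL;       /* never leave a dangling pointer behind in the model */
    }
    m->n = 0;
    return freed;
}

/* The report's sequence: parse_finished releases the channel while the model still holds
 * it, then the model releases it. Returns 1 if the channel was freed exactly once, late. */
static int scenario(void) {
    FeedModel m = { {0}, 0 };
    Channel *c = channel_new("Global News");   /* constructed title, taken from the trace */
    model_add(&m, c);
    int freed_early = channel_unref(c);        /* parse_finished's release: not freed yet */
    int freed_late = model_remove_all(&m);     /* the model's release frees it */
    return freed_early == 0 && freed_late == 1;
}
```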
Not sure which call is not expected here.
Steps to reproduce:

1. Search for "BBC" in podcast search.
2. Select an entry from the results.
3. Now click on one of the episodes in the below window (window focus shifts to podcast view screen, and download starts).
4. Quickly press 'Add' now.

I repeat these steps quickly (albeit in some random order), but I was able to get a crash within 1 minute in most cases. The crash occurs when I press the 'Add' button, when rhythmbox freezes for a couple of seconds and crashes.
(In reply to comment #3)
> Steps to reproduce:
>
> 1. Search for "BBC" in podcast search.
> 2. Select an entry from the results.
> 3. Now click on one of the episodes in the below window ( window focus shifts
> to podcast view screen, and download starts ).

that's not what I'm seeing here..

> 4. Quickly press 'Add' now.

so I can't do this part. Are you already subscribed to the podcast you click on, or something like that?

>
> I repeat these steps quickly ( albeit in some random order ), but I was able to
> get a crash within 1 minute in most cases. The crash occurs when I press the
> 'Add' button, when rhythmbox freezes for a couple of seconds and crashes.

It would really help if you could include information like this when you open a bug.
Steps to reproduce (modified):

1. Search for "BBC" in podcast search.
2. Double-click on an entry from the results (I clicked on the second entry with 301 episodes).
3. Window focus shifts to podcast view screen. Wait for a few seconds (< 15), until the view is populated with the listing.
4. Press 'Add' now.
This was fixed in commit df6a04a. Reopening bugs without adding any further information is not helpful.
I was expecting a "fixed in commit" message, at the least.
*** Bug 733516 has been marked as a duplicate of this bug. ***