GNOME Bugzilla – Bug 762849
bus: GSource can access GPollFD after the bus was destroyed
Last modified: 2016-02-29 21:35:58 UTC
Fix for below valgrind issue

==31484== Invalid write of size 2
==31484==    at 0x4328D06: g_main_context_check (in /lib/i386-linux-gnu/libglib-2.0.so.0.4002.0)
==31484==    by 0x4329379: ??? (in /lib/i386-linux-gnu/libglib-2.0.so.0.4002.0)
==31484==    by 0x432976A: g_main_loop_run (in /lib/i386-linux-gnu/libglib-2.0.so.0.4002.0)
==31484==    by 0x804AEB0: _test_negotiation (videoscale.c:641)
==31484==    by 0x804B24E: test_negotiation (videoscale.c:659)
==31484==    by 0x413DEFA: tcase_run_tfun_fork (check_run.c:450)
==31484==    by 0x413DEFA: srunner_iterate_tcase_tfuns (check_run.c:222)
==31484==    by 0x413DEFA: srunner_run_tcase (check_run.c:362)
==31484==    by 0x413DEFA: srunner_iterate_suites (check_run.c:195)
==31484==    by 0x413DEFA: srunner_run (check_run.c:706)
==31484==    by 0x413DFB2: srunner_run_all (check_run.c:674)
==31484==    by 0x4130BD7: gst_check_run_suite (gstcheck.c:824)
==31484==    by 0x804A1D1: main (videoscale.c:1046)
==31484==  Address 0x4edf21a is 58 bytes inside a block of size 144 free'd
==31484==    at 0x402D3D8: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==31484==    by 0x432ED2F: g_free (in /lib/i386-linux-gnu/libglib-2.0.so.0.4002.0)
==31484==    by 0x434587A: g_slice_free1 (in /lib/i386-linux-gnu/libglib-2.0.so.0.4002.0)
==31484==    by 0x42BEDF0: g_type_free_instance (in /usr/lib/i386-linux-gnu/libgobject-2.0.so.0.4002.0)
==31484==    by 0x42A12CF: g_object_unref (in /usr/lib/i386-linux-gnu/libgobject-2.0.so.0.4002.0)
==31484==    by 0x4169ABC: gst_object_unref (gstobject.c:282)
==31484==    by 0x4169C2F: gst_object_replace (gstobject.c:356)
==31484==    by 0x4197DA1: gst_element_dispose (gstelement.c:2988)
==31484==    by 0x417461B: gst_bin_dispose (gstbin.c:534)
==31484==    by 0x41C17C4: gst_pipeline_dispose (gstpipeline.c:251)
==31484==    by 0x42A1237: g_object_unref (in /usr/lib/i386-linux-gnu/libgobject-2.0.so.0.4002.0)
==31484==    by 0x4169ABC: gst_object_unref (gstobject.c:282)
==31484==    by 0x804AF00: _test_negotiation (videoscale.c:648)
==31484==    by 0x804B223: test_negotiation (videoscale.c:655)
==31484==    by 0x413DEFA: tcase_run_tfun_fork (check_run.c:450)
==31484==    by 0x413DEFA: srunner_iterate_tcase_tfuns (check_run.c:222)
==31484==    by 0x413DEFA: srunner_run_tcase (check_run.c:362)
==31484==    by 0x413DEFA: srunner_iterate_suites (check_run.c:195)
==31484==    by 0x413DEFA: srunner_run (check_run.c:706)
==31484==    by 0x413DFB2: srunner_run_all (check_run.c:674)
==31484==    by 0x4130BD7: gst_check_run_suite (gstcheck.c:824)
==31484==    by 0x804A1D1: main (videoscale.c:1046)
Created attachment 322623
fix bus signal memory mishandling
This is probably caused by the patch in bug #762552. It shouldn't have changed behaviour. Please check if reverting that commit makes the problem go away, and also why exactly there is an invalid memory access. There shouldn't
The problem is that the GSource always has a reference to GstBus memory still: g_source_add_poll ((GSource *) source, &bus->priv->pollfd)
Created attachment 322628
bus: Make sure to remove the GPollFD from the GSources when destroying the bus

Otherwise the GSource can look into our already destroyed bus where the GPollFD is stored.
Created attachment 322650
bus: Make sure to remove the GPollFD from the GSources when destroying the bus

Otherwise the GSource can look into our already destroyed bus where the GPollFD is stored.
Comment on attachment 322650
bus: Make sure to remove the GPollFD from the GSources when destroying the bus

Let's get it in then
Both commits were reverted now, let's track this for 1.9 in https://bugzilla.gnome.org/show_bug.cgi?id=762552
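
The lifetime problem discussed in the comments above, as an added example that is not part of this bug report or of the GStreamer patch. It is a plain-C model: `PollFD`, `Source`, `Bus` and the `source_*`/`bus_*` functions are hypothetical stand-ins for GPollFD, GSource, GstBus and the GLib calls, and it shows the destroy path detaching the embedded poll descriptor before its memory is freed.

```c
#include <stdlib.h>

/* Hypothetical stand-ins for GPollFD, GSource and GstBus; not GLib code. */
typedef struct { int fd; unsigned short events, revents; } PollFD;
#define MAX_POLLS 4
typedef struct { PollFD *polls[MAX_POLLS]; size_t n_polls; } Source;
typedef struct { PollFD pollfd; Source *watch; } Bus;

/* Like g_source_add_poll(): the source stores the caller's pointer, no copy. */
static void source_add_poll(Source *s, PollFD *fd) {
    if (s->n_polls < MAX_POLLS) s->polls[s->n_polls++] = fd;
}

/* Like g_source_remove_poll(): drop the stored pointer. */
static void source_remove_poll(Source *s, PollFD *fd) {
    for (size_t i = 0; i < s->n_polls; i++)
        if (s->polls[i] == fd) { s->polls[i] = s->polls[--s->n_polls]; return; }
}

/* Check phase of one loop iteration: writes the 2-byte revents field through
 * every stored pointer and returns how many PollFDs were written. */
static size_t source_check(Source *s) {
    for (size_t i = 0; i < s->n_polls; i++) s->polls[i]->revents = 0;
    return s->n_polls;
}

static Bus *bus_new(Source *watch) {
    Bus *bus = calloc(1, sizeof *bus);
    if (!bus) return NULL;
    bus->pollfd.fd = -1;                   /* constructed sample value */
    bus->watch = watch;
    source_add_poll(watch, &bus->pollfd);  /* pointer into the Bus allocation */
    return bus;
}

/* Detach the embedded PollFD before freeing its storage; without the
 * remove call the next source_check() would write into freed memory. */
static void bus_destroy(Bus *bus) {
    if (bus->watch) source_remove_poll(bus->watch, &bus->pollfd);
    free(bus);
}

/* How many PollFDs the source still writes to once the bus is gone (0 = none). */
static size_t polls_after_destroy(void) {
    Source src = {0};
    Bus *bus = bus_new(&src);
    if (!bus) return (size_t)-1;
    bus_destroy(bus);
    return source_check(&src);
}

int main(void) { return polls_after_destroy() == 0 ? 0 : 1; }
```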