Bug 762849 - bus: GSource can access GPollFD after the bus was destroyed
Status: RESOLVED FIXED
Product: GStreamer
Classification: Platform
Component: gstreamer (core)
Version: git master
Hardware: Other Linux
Importance: Normal blocker
Target Milestone: 1.7.90
Assigned To: GStreamer Maintainers
QA Contact: GStreamer Maintainers
Depends on:
Blocks:
 
 
Reported: 2016-02-29 04:14 UTC by Vineeth
Modified: 2016-02-29 21:35 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
fix bus signal memory mishandling (854 bytes, patch)
2016-02-29 04:15 UTC, Vineeth
Status: rejected
bus: Make sure to remove the GPollFD from the GSources when destroying the bus (3.44 KB, patch)
2016-02-29 08:04 UTC, Sebastian Dröge (slomo)
Status: none
bus: Make sure to remove the GPollFD from the GSources when destroying the bus (3.47 KB, patch)
2016-02-29 11:43 UTC, Sebastian Dröge (slomo)
Status: committed

Description Vineeth 2016-02-29 04:14:21 UTC
Fix for below valgrind issue

==31484== Invalid write of size 2
==31484==    at 0x4328D06: g_main_context_check (in /lib/i386-linux-gnu/libglib-2.0.so.0.4002.0)
==31484==    by 0x4329379: ??? (in /lib/i386-linux-gnu/libglib-2.0.so.0.4002.0)
==31484==    by 0x432976A: g_main_loop_run (in /lib/i386-linux-gnu/libglib-2.0.so.0.4002.0)
==31484==    by 0x804AEB0: _test_negotiation (videoscale.c:641)
==31484==    by 0x804B24E: test_negotiation (videoscale.c:659)
==31484==    by 0x413DEFA: tcase_run_tfun_fork (check_run.c:450)
==31484==    by 0x413DEFA: srunner_iterate_tcase_tfuns (check_run.c:222)
==31484==    by 0x413DEFA: srunner_run_tcase (check_run.c:362)
==31484==    by 0x413DEFA: srunner_iterate_suites (check_run.c:195)
==31484==    by 0x413DEFA: srunner_run (check_run.c:706)
==31484==    by 0x413DFB2: srunner_run_all (check_run.c:674)
==31484==    by 0x4130BD7: gst_check_run_suite (gstcheck.c:824)
==31484==    by 0x804A1D1: main (videoscale.c:1046)
==31484==  Address 0x4edf21a is 58 bytes inside a block of size 144 free'd
==31484==    at 0x402D3D8: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==31484==    by 0x432ED2F: g_free (in /lib/i386-linux-gnu/libglib-2.0.so.0.4002.0)
==31484==    by 0x434587A: g_slice_free1 (in /lib/i386-linux-gnu/libglib-2.0.so.0.4002.0)
==31484==    by 0x42BEDF0: g_type_free_instance (in /usr/lib/i386-linux-gnu/libgobject-2.0.so.0.4002.0)
==31484==    by 0x42A12CF: g_object_unref (in /usr/lib/i386-linux-gnu/libgobject-2.0.so.0.4002.0)
==31484==    by 0x4169ABC: gst_object_unref (gstobject.c:282)
==31484==    by 0x4169C2F: gst_object_replace (gstobject.c:356)
==31484==    by 0x4197DA1: gst_element_dispose (gstelement.c:2988)
==31484==    by 0x417461B: gst_bin_dispose (gstbin.c:534)
==31484==    by 0x41C17C4: gst_pipeline_dispose (gstpipeline.c:251)
==31484==    by 0x42A1237: g_object_unref (in /usr/lib/i386-linux-gnu/libgobject-2.0.so.0.4002.0)
==31484==    by 0x4169ABC: gst_object_unref (gstobject.c:282)
==31484==    by 0x804AF00: _test_negotiation (videoscale.c:648)
==31484==    by 0x804B223: test_negotiation (videoscale.c:655)
==31484==    by 0x413DEFA: tcase_run_tfun_fork (check_run.c:450)
==31484==    by 0x413DEFA: srunner_iterate_tcase_tfuns (check_run.c:222)
==31484==    by 0x413DEFA: srunner_run_tcase (check_run.c:362)
==31484==    by 0x413DEFA: srunner_iterate_suites (check_run.c:195)
==31484==    by 0x413DEFA: srunner_run (check_run.c:706)
==31484==    by 0x413DFB2: srunner_run_all (check_run.c:674)
==31484==    by 0x4130BD7: gst_check_run_suite (gstcheck.c:824)
==31484==    by 0x804A1D1: main (videoscale.c:1046)
Comment 1 Vineeth 2016-02-29 04:15:18 UTC
Created attachment 322623
fix bus signal memory mishandling
Comment 2 Sebastian Dröge (slomo) 2016-02-29 07:36:59 UTC
This is probably caused by the patch in bug #762552. It shouldn't have changed behaviour.

Please check if reverting that commit makes the problem go away, and also why exactly there is an invalid memory access. There shouldn't
Comment 3 Sebastian Dröge (slomo) 2016-02-29 07:55:18 UTC
The problem is that the GSource always has a reference to GstBus memory still:
g_source_add_poll ((GSource *) source, &bus->priv->pollfd)
Comment 4 Sebastian Dröge (slomo) 2016-02-29 08:04:54 UTC
Created attachment 322628
bus: Make sure to remove the GPollFD from the GSources when destroying the bus

Otherwise the GSource can look into our already destroyed bus where the
GPollFD is stored.
Comment 5 Sebastian Dröge (slomo) 2016-02-29 11:43:06 UTC
Created attachment 322650
bus: Make sure to remove the GPollFD from the GSources when destroying the bus

Otherwise the GSource can look into our already destroyed bus where the
GPollFD is stored.
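
The lifetime rule behind this fix, as an added example that is not part of the bug thread and is not GStreamer or GLib code: a source that stores a pointer to a poll record embedded in another object must have that pointer removed before the object is freed. The types and functions below (PollFD, Source, Bus, bus_attach, bus_destroy and the rest) are a simplified, hypothetical model of the GSource/GPollFD relationship described in comment 3.

```c
#include <stdlib.h>

/* Simplified model (assumption): like g_source_add_poll(), a source keeps
 * the caller's pointer to the poll record, not a copy of it. */
typedef struct { int fd; short events, revents; } PollFD;

#define MAX_POLLS 4
typedef struct { PollFD *polls[MAX_POLLS]; int n_polls; } Source;

typedef struct Bus {
  PollFD pollfd;               /* lives inside the bus allocation */
  Source *sources[MAX_POLLS];  /* sources that were handed &pollfd */
  int n_sources;
} Bus;

static void source_add_poll(Source *s, PollFD *p) {
  if (s->n_polls < MAX_POLLS) s->polls[s->n_polls++] = p;
}

static void source_remove_poll(Source *s, PollFD *p) {
  for (int i = 0; i < s->n_polls; i++)
    if (s->polls[i] == p) { s->polls[i] = s->polls[--s->n_polls]; return; }
}

/* Check phase of the loop: writes revents through every stored pointer.
 * With a stale pointer this is a 2-byte write into freed memory. */
static int source_check(Source *s) {
  for (int i = 0; i < s->n_polls; i++) s->polls[i]->revents = 0;
  return s->n_polls;  /* number of records touched */
}

static Bus *bus_new(int fd) {
  Bus *b = calloc(1, sizeof *b);
  if (b) b->pollfd.fd = fd;
  return b;
}

static void bus_attach(Bus *b, Source *s) {
  if (b->n_sources == MAX_POLLS) return;
  source_add_poll(s, &b->pollfd);
  b->sources[b->n_sources++] = s;
}

/* Hardened teardown: unregister the embedded record from every source
 * before the memory that holds it is released. */
static void bus_destroy(Bus *b) {
  for (int i = 0; i < b->n_sources; i++)
    source_remove_poll(b->sources[i], &b->pollfd);
  free(b);
}
```

Without the loop in bus_destroy, the next source_check would write through a pointer into the freed bus, which is the pattern the valgrind trace above reports.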
Comment 6 Sebastian Dröge (slomo) 2016-02-29 15:09:40 UTC
Comment on attachment 322650
bus: Make sure to remove the GPollFD from the GSources when destroying the bus

Let's get it in then
Comment 7 Sebastian Dröge (slomo) 2016-02-29 21:35:58 UTC
Both commits were reverted now, let's track this for 1.9 in https://bugzilla.gnome.org/show_bug.cgi?id=762552