GNOME Bugzilla – Bug 787996
nautilus segfaults in libtotem-properties/gstreamer code when closing nautilus info
Last modified: 2017-09-22 10:40:07 UTC
Using Ubuntu artful with GNOME 3.26 and gstreamer 1.12.2:
- open nautilus
- open the file properties of an mp3
- close the dialog

nautilus segfaults, valgrind shows an invalid read in totem/gstreamer code:

==1107== Invalid read of size 8
==1107==    at 0x1CEB4F2B: discovered_cb (totem-properties-view.c:287)
==1107==    by 0xDB1EE17: ffi_call_unix64 (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4)
==1107==    by 0xDB1E879: ffi_call (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4)
==1107==    by 0x70DF798: g_cclosure_marshal_generic (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.5400.0)
==1107==    by 0x70DEF9C: g_closure_invoke (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.5400.0)
==1107==    by 0x70F1D5D: ??? (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.5400.0)
==1107==    by 0x70FA534: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.5400.0)
==1107==    by 0x70FAF4E: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.5400.0)
==1107==    by 0x1D4D912B: discoverer_collect (gstdiscoverer.c:1344)
==1107==    by 0x1D4D9560: discoverer_bus_cb (gstdiscoverer.c:1682)
==1107==    by 0xDB1EE17: ffi_call_unix64 (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4)
==1107==    by 0xDB1E879: ffi_call (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4)
==1107==    by 0x70DF798: g_cclosure_marshal_generic (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.5400.0)
==1107==    by 0x70DEF9C: g_closure_invoke (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.5400.0)
==1107==    by 0x70F1D5D: ??? (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.5400.0)
==1107==    by 0x70FA534: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.5400.0)
==1107==    by 0x70FAF4E: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.5400.0)
==1107==    by 0x1D732DA1: gst_bus_async_signal_func (in /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0.1202.0)
==1107==    by 0x1D733BD5: ??? (in /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0.1202.0)
==1107==    by 0x5090DE4: g_main_context_dispatch (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.5400.0)
==1107==    by 0x50911AF: ??? (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.5400.0)
==1107==    by 0x509123B: g_main_context_iteration (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.5400.0)
==1107==    by 0x6DD5BEC: g_application_run (in /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0.5400.0)
==1107==    by 0x14FF7B: main (in /usr/bin/nautilus)
==1107==  Address 0x1ff642c0 is 384 bytes inside a block of size 400 free'd
==1107==    at 0x4C30D3B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1107==    by 0x7103B62: g_type_free_instance (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.5400.0)
==1107==    by 0x55B79E7: gtk_notebook_forall (gtknotebook.c:4578)
==1107==    by 0x54C4AAD: gtk_container_destroy (gtkcontainer.c:1700)
==1107==    by 0x70DEEB0: g_closure_invoke (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.5400.0)
==1107==    by 0x70F1ED1: ??? (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.5400.0)
==1107==    by 0x70FA534: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.5400.0)
==1107==    by 0x70FAF4E: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.5400.0)
==1107==    by 0x56E0CBB: gtk_widget_dispose (gtkwidget.c:12070)
==1107==    by 0x70E5707: g_object_run_dispose (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.5400.0)
==1107==    by 0x5479A1B: gtk_box_forall (gtkbox.c:2671)
==1107==    by 0x54C4AAD: gtk_container_destroy (gtkcontainer.c:1700)
==1107==    by 0x70DEEB0: g_closure_invoke (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.5400.0)
==1107==    by 0x70F1ED1: ??? (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.5400.0)
==1107==    by 0x70FA534: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.5400.0)
==1107==    by 0x70FAF4E: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.5400.0)
==1107==    by 0x56E0CBB: gtk_widget_dispose (gtkwidget.c:12070)
==1107==    by 0x70E5707: g_object_run_dispose (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.5400.0)
==1107==    by 0x56ECFC8: gtk_window_forall (gtkwindow.c:8503)
==1107==    by 0x54C4AAD: gtk_container_destroy (gtkcontainer.c:1700)
==1107==    by 0x70DEF9C: g_closure_invoke (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.5400.0)
==1107==    by 0x70F1ED1: ??? (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.5400.0)
==1107==    by 0x70FA534: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.5400.0)
==1107==    by 0x70FAF4E: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.5400.0)
==1107==    by 0x56E0CBB: gtk_widget_dispose (gtkwidget.c:12070)
==1107==    by 0x56F48D7: gtk_window_dispose (gtkwindow.c:3154)
==1107==    by 0x70E5707: g_object_run_dispose (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.5400.0)
==1107==    by 0x70DEF9C: g_closure_invoke (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.5400.0)
==1107==    by 0x70F17D7: ??? (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.5400.0)
==1107==    by 0x70FA534: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.5400.0)
==1107==  Block was alloc'd at
==1107==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1107==    by 0x5096538: g_malloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.5400.0)
==1107==    by 0x50AE0B5: g_slice_alloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.5400.0)
==1107==    by 0x50AE548: g_slice_alloc0 (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.5400.0)
==1107==    by 0x7103865: g_type_create_instance (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.5400.0)
==1107==    by 0x70E4357: ??? (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.5400.0)
==1107==    by 0x70E5E04: g_object_new_with_properties (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.5400.0)
==1107==    by 0x70E6880: g_object_new (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.5400.0)
==1107==    by 0x1CEB553A: totem_properties_view_new (totem-properties-view.c:383)
==1107==    by 0x1CEB497E: totem_properties_get_pages (totem-properties-main.c:117)
==1107==    by 0x15BD03: ??? (in /usr/bin/nautilus)
==1107==    by 0x15FE05: ??? (in /usr/bin/nautilus)
==1107==    by 0x1F1D4A: ??? (in /usr/bin/nautilus)
==1107==    by 0x5090DE4: g_main_context_dispatch (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.5400.0)
==1107==    by 0x50911AF: ??? (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.5400.0)
==1107==    by 0x509123B: g_main_context_iteration (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.5400.0)
==1107==    by 0x6DD5BEC: g_application_run (in /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0.5400.0)
==1107==    by 0x14FF7B: main (in /usr/bin/nautilus)
Line 287 in totem-properties-view.c is:

  gtk_label_set_text (GTK_LABEL (props->priv->label), _(label));

so it looks like the callback is being called after the notebook was destroyed.

Looks like the GstDiscoverer instance was not stopped/destroyed when the widget used in the callback went away.

Looks like a bug in totem properties view at first glance.
Created attachment 360209 [details] [review]
properties: Fix crash when properties are closed fast

Cancel the GstDiscoverer process when closing the window.
(In reply to Tim-Philipp Müller from comment #1)
> Line 287 in totem-properties-view.c is:
>
>   gtk_label_set_text (GTK_LABEL (props->priv->label), _(label));
>
> so it looks like the callback is being called after the notebook was
> destroyed.
>
> Looks like the GstDiscoverer instance was not stopped/destroyed when the
> widget used in the callback went away.

It's destroyed, but I'm guessing the async process keeps a reference to itself.

> Looks like a bug in totem properties view at first glance.

If what I say above is true, then it's possible that there's also a bug in GstDiscoverer, as we do unref our only reference to it when closing the window.

Please test and see whether you can reproduce the problem.
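To make the lifetime problem described in the two comments above concrete, here is an added example in plain C; it is not code from totem, nautilus or GStreamer. It models the situation the thread describes: the asynchronous discoverer's queued result is owned by the main loop, so the owner's unref alone does not keep the "discovered" callback from reaching a view that has already been disposed. Everything in it (Discoverer, PropsView, main_loop_source, close_fast, the refcounting and the file URI) is an assumption standing in for GstDiscoverer and TotemPropertiesView, and the "after" dispose follows the stop-and-disconnect approach the reviews on this page discuss rather than the committed patch, which is not reproduced here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef void (*discovered_cb_t)(const char *title, void *user_data);

/* Assumed stand-in for GstDiscoverer: a queued result is owned by the main loop. */
typedef struct {
    int refcount, pending;
    char result[64];
    discovered_cb_t handler;   /* handler connected to "discovered", or NULL */
    void *user_data;
} Discoverer;

/* Assumed stand-in for TotemPropertiesView (props->priv). */
typedef struct {
    Discoverer *disco;     /* owned; NULL once released */
    char label[64];        /* props->priv->label */
    int disposed;          /* widget tree already torn down */
} PropsView;

static Discoverer *main_loop_source;  /* the bus watch's reference to the discoverer */
static int uses_after_dispose;        /* what valgrind reports as the invalid read */

static Discoverer *discoverer_new(void)
{
    Discoverer *d = calloc(1, sizeof *d);
    if (!d) abort();
    d->refcount = 1;
    return d;
}
static void discoverer_unref(Discoverer *d) { if (--d->refcount == 0) free(d); }
static void discoverer_connect(Discoverer *d, discovered_cb_t cb, void *ud)
{
    d->handler = cb; d->user_data = ud;
}
static void discoverer_disconnect_by_func(Discoverer *d, discovered_cb_t cb, void *ud)
{
    if (d->handler == cb && d->user_data == ud) d->handler = NULL, d->user_data = NULL;
}
/* Queue a discovery; the main loop takes its own reference, which is the
 * "async process keeps a reference to itself" from the thread. */
static void discoverer_start(Discoverer *d, const char *title)
{
    snprintf(d->result, sizeof d->result, "%s", title);
    d->pending = 1; d->refcount++; main_loop_source = d;
}
/* Cancel the queued discovery and drop the main loop's reference. */
static void discoverer_stop(Discoverer *d)
{
    if (!d->pending) return;
    d->pending = 0; main_loop_source = NULL; discoverer_unref(d);
}
/* One main-loop iteration: discoverer_bus_cb -> discoverer_collect ->
 * "discovered", delivered to whatever handler is connected now. */
static int discoverer_dispatch(void)
{
    Discoverer *d = main_loop_source;
    int ran = 0;
    if (!d) return 0;
    main_loop_source = NULL; d->pending = 0;
    if (d->handler) { d->handler(d->result, d->user_data); ran = 1; }
    discoverer_unref(d);
    return ran;
}
/* gtk_label_set_text (GTK_LABEL (props->priv->label), ...) at line 287. The
 * real widget is already freed at that point; here the memory stays so the
 * late access can be counted instead of crashing. */
static void props_view_set_label(PropsView *props, const char *text)
{
    if (props->disposed) { uses_after_dispose++; return; }
    snprintf(props->label, sizeof props->label, "%s", text);
}
static void discovered_cb(const char *title, void *user_data)
{
    props_view_set_label(user_data, title);
}
static void props_view_open(PropsView *props, const char *uri)
{
    memset(props, 0, sizeof *props);
    props->disco = discoverer_new();
    discoverer_connect(props->disco, discovered_cb, props);
    discoverer_start(props->disco, uri);
}
/* Before the fix: release our reference and walk away. The main loop still
 * holds the discoverer and its handler, so "discovered" lands on a dead view. */
static void props_view_dispose_before(PropsView *props)
{
    if (props->disco) { discoverer_unref(props->disco); props->disco = NULL; }
    props->disposed = 1;
}
/* After the fix: disconnect, stop, release, clear. Clearing the pointer makes
 * a second dispose pass (which GObject permits) a no-op. */
static void props_view_dispose_after(PropsView *props)
{
    if (props->disco) {
        discoverer_disconnect_by_func(props->disco, discovered_cb, props);
        discoverer_stop(props->disco);
        discoverer_unref(props->disco);
        props->disco = NULL;
    }
    props->disposed = 1;
}
/* Open the page, close it before discovery finishes, then drain the loop.
 * Returns how many times the callback touched the disposed view. */
static int close_fast(int fixed)
{
    PropsView view;
    uses_after_dispose = 0;
    props_view_open(&view, "file:///tmp/song.mp3");   /* constructed input */
    if (fixed) { props_view_dispose_after(&view); props_view_dispose_after(&view); }
    else props_view_dispose_before(&view);
    while (discoverer_dispatch()) ;
    return uses_after_dispose;
}
int main(void)
{
    printf("before fix: %d late callback(s)\n", close_fast(0));
    printf("after fix:  %d late callback(s)\n", close_fast(1));
    return 0;
}
```

The ordering in props_view_dispose_after matters: disconnecting first guarantees that nothing already on the loop can reach discovered_cb, stopping drops the loop's reference, and only then is the owner's reference released and the pointer cleared so a repeated dispose does not touch freed memory.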
The patch seems to fix the segfault, but there are still those warnings displayed:
* bacon_video_widget_properties_reset: assertion 'props != NULL' failed
with the corresponding bt:
+ Trace 237998
Review of attachment 360209 [details] [review]: ::: src/totem-properties-view.c @@ +347,3 @@ if (props->priv != NULL) { + if (props->priv->disco) { + gst_discoverer_stop (props->priv->disco); I’d also disconnect discovered_cb() from its `discovered` signal, to be absolutely tidy about things.
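Review bot: gst_discoverer_stop() on props->priv->disco leaves the handler for `discovered` connected and leaves props->priv->disco pointing at the discoverer, so the guard `if (props->priv->disco)` only protects a second dispose pass if the pointer is released and cleared right after the stop (g_clear_object (&props->priv->disco)); disconnect discovered_cb() with g_signal_handlers_disconnect_by_func before stopping, then stop, then clear, in that order.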
Bugzilla mangled the comment, which had several warnings, e.g.
bacon_video_widget_properties_set_label: assertion 'props != NULL' failed
+ Trace 237999
(the warnings are displayed when opening the properties dialog)
Created attachment 360233 [details] [review]
properties: Fix crash when properties are closed fast

Cancel the GstDiscoverer process when closing the window.
Review of attachment 360233 [details] [review]: ::: src/totem-properties-view.c @@ +347,3 @@ if (props->priv != NULL) { + if (props->priv->disco) { + g_signal_handlers_disconnect_by_func (object, s/object/props->priv->disco/, surely?
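Review bot: the first argument to g_signal_handlers_disconnect_by_func is the instance the handler was connected on; here that is the discoverer, which emits `discovered` (discoverer_collect in the trace), not `object`, the properties view being disposed. Passing `object` matches no handler, silently disconnects nothing, and discovered_cb() stays reachable; pass props->priv->disco with discovered_cb and the same user data the connect used.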
Sorry for the noise, but you can ignore my comments from yesterday night about the warnings: when I tested the patch I didn't set the prefix correctly to /usr, and it was a side effect of not finding the .ui, which was installed in the standard location. The patch fixes the segfault and no warning is displayed.
Created attachment 360250 [details] [review]
properties: Fix crash when properties are closed fast

Cancel the GstDiscoverer process when closing the window.
Attachment 360250 [details] pushed as 57ceb48 - properties: Fix crash when properties are closed fast