[pulseaudio-discuss] [PATCH] Plug some memory leaks and an invalid read

Maarten Bosmans mkbosmans at gmail.com
Mon Aug 15 11:52:39 PDT 2011 

2011/8/12 Maarten Bosmans <mkbosmans at gmail.com>:
> There's still another invalid read reported by valgrind. The location
> is the same as it was for the protocol-dbus.c error of the patch: the
> hasmap_entry->key points to already freed memory.
>
>  Invalid read of size 1
>    at 0x41070CE: pa_idxset_string_hash_func (idxset.c:69)
>    by 0x4106064: remove_entry (hashmap.c:94)
>    by 0x41061FD: pa_hashmap_free (hashmap.c:111)
>    by 0x69C4626: pa_dbusiface_card_free (iface-card.c:548)
>    by 0x69D1CEA: free_card_cb (iface-core.c:2054)
>    by 0x4106215: pa_hashmap_free (hashmap.c:114)
>    by 0x69D2105: pa_dbusiface_core_free (iface-core.c:2103)
>    by 0x69E7169: module_dbus_protocol_LTX_pa__done (module-dbus-protocol.c:595)
>    by 0x406DC51: pa_module_free (module.c:162)
>    by 0x406E01D: pa_module_unload_all (module.c:210)
>    by 0x4068842: core_free (core.c:169)
>    by 0x406FD5D: pa_object_unref (object.c:64)
>  Address 0x581edd8 is 0 bytes inside a block of size 21 free'd
>    at 0x4025BF0: free (vg_replace_malloc.c:366)
>    by 0x40F128C: pa_xfree (xmalloc.c:131)
>    by 0x4063F4B: pa_card_profile_free (card.c:59)
>    by 0x40649D7: pa_card_free (card.c:202)
>    by 0x5051C75: module_alsa_card_LTX_pa__done (module-alsa-card.c:466)
>    by 0x406DC51: pa_module_free (module.c:162)
>    by 0x406E01D: pa_module_unload_all (module.c:210)
>    by 0x4068842: core_free (core.c:169)
>    by 0x406FD5D: pa_object_unref (object.c:64)
>    by 0x805224D: pa_core_unref (core.h:184)
>    by 0x805560B: main (main.c:1159)
>
> This one is more difficult to solve though, because the card.profile
> is used in the hashmaps of two modules (alsa-card and dbus-protocol)

I dug a bit further into this.

pa_dbusiface_card_new loops over all the pa_card_profiles of a card
and calls pa_dbusiface_card_profile_new to add a
pa_dbusiface_card_profile to its own profiles hashmap.
(modules/dbus/iface-card.c 524)
The pa_dbusiface_card_profile stores a pointer to the pa_card_profile
and uses its ->name as hasmap key.
Upon unloading the module-dbus-protocol, the profiles hashmap is
freed, but in the process the hashmap key is read while that string
(profile->profile->name) is already freed by the module that initially
constructed the pa_card_profile (module-alsa-card), triggering the
invalid read.

So one solution would be to make profiles refcounted and another to
make sure module-dbus-protocol is unloaded first, but I have no idea
how to do that.

> Any suggestions?

> Maarten

More information about the pulseaudio-discuss mailing list