[Bug 795529] New: Segfault is observed when pad of decodebin3 is removed in uridecodebin3

GStreamer (GNOME Bugzilla) bugzilla at gnome.org
Wed Apr 25 00:39:32 UTC 2018


https://bugzilla.gnome.org/show_bug.cgi?id=795529

            Bug ID: 795529
           Summary: Segfault is observed when pad of decodebin3 is removed
                    in uridecodebin3
    Classification: Platform
           Product: GStreamer
           Version: 1.14.0
                OS: Linux
            Status: NEW
          Severity: critical
          Priority: Normal
         Component: gst-plugins-base
          Assignee: gstreamer-bugs at lists.freedesktop.org
          Reporter: hoonh83.lee at gmail.com
        QA Contact: gstreamer-bugs at lists.freedesktop.org
     GNOME version: ---

Dear All,
I have run the 'fast_backward' test scenario using gst-validate.
During the test scene, a segfault is observed when the sinkpad of decodebin3 is
removed in uridecodebin3.

=====================================================
DISPLAY=':0' GST_GL_XINITTHREADS='1'
GST_VALIDATE_SCENARIOS_PATH='/home/hoonheelee/work/jhbuild-gstreamer/build-1.14.gld4tv/gst-auto-verification/scenarios'
GST_VALIDATE_SCENARIO='fast_backward' gst-validate-1.0 playbin3
uri=file:///home/hoonheelee/work/jhbuild-gstreamer/build-1.14.gld4tv/gst-auto-verification/assets/medias/codecs/PS/%5BU1_30004_VOB%5D%20MPEG-2PS_MPEG-2%20Video_MPEG-1%20Audio%20layer%202_720x480.vob
audio-sink=alsasink video-sink=autovideosink --set-media-info
"/home/hoonheelee/work/jhbuild-gstreamer/build-1.14.gld4tv/gst-auto-verification/assets/media_infos/codecs/PS/[U1_30004_VOB]
MPEG-2PS_MPEG-2 Video_MPEG-1 Audio layer 2_720x480.vob.media_info"
=====================================================

=====================================================
Program received signal SIGSEGV, Segmentation fault.
0x00007fffed83f525 in db_pad_removed_cb (element=0x864020, pad=0x80e360,
dec=0x810300) at gsturidecodebin3.c:572
572        OutputPad *cand = (OutputPad *) tmp->data;
(gdb) bt
#0  0x00007fffed83f525 in db_pad_removed_cb (element=0x864020, pad=0x80e360,
dec=0x810300) at gsturidecodebin3.c:572
#1  0x00007ffff7297107 in g_cclosure_marshal_VOID__OBJECTv (closure=0x866ae0,
return_value=<optimized out>, instance=<optimized out>, args=<optimized out>,
marshal_data=0x0, n_params=<optimized out>, 
    param_types=0x620050) at gmarshal.c:2102
#2  0x00007ffff7294267 in _g_closure_invoke_va (closure=0x866ae0,
return_value=0x0, instance=0x864020, args=0x7fffffffcb68, n_params=1,
param_types=0x620050) at gclosure.c:831
#3  0x00007ffff72ad1e8 in g_signal_emit_valist (instance=0x864020,
signal_id=<optimized out>, detail=0, var_args=var_args@entry=0x7fffffffcb68) at
gsignal.c:3214
#4  0x00007ffff72ade32 in g_signal_emit (instance=instance@entry=0x864020,
signal_id=<optimized out>, detail=detail@entry=0) at gsignal.c:3361
#5  0x00007ffff7530607 in gst_element_remove_pad (element=<optimized out>,
pad=0x80e360) at gstelement.c:829
#6  0x00007fffed82edea in free_input (dbin=0x864020, input=0x803910) at
gstdecodebin3.c:927
#7  0x00007fffed82db3b in gst_decodebin3_dispose (object=0x864020) at
gstdecodebin3.c:638
#8  0x00007ffff7298853 in g_object_unref (_object=0x864020) at gobject.c:3133
#9  0x00007ffff7506491 in gst_object_unref (object=<optimized out>) at
gstobject.c:266
#10 0x00007ffff754190c in _gst_message_free (message=0x7fffc406d300) at
gstmessage.c:211
#11 0x00007ffff6f925f8 in g_list_foreach (list=<optimized out>,
list@entry=0x7fffcc527d80, func=0x7ffff7519640 <gst_message_unref>,
user_data=user_data@entry=0x0) at glist.c:994
#12 0x00007ffff6f9261b in g_list_free_full (list=0x7fffcc527d80,
free_func=<optimized out>) at glist.c:217
#13 0x00007ffff751a96a in gst_bus_set_flushing (bus=<optimized out>,
flushing=<optimized out>) at gstbus.c:478
#14 0x0000000000402b98 in main (argc=5, argv=0x7fffffffd0c8) at
gst-validate.c:523
(gdb) p *element
$1 = {object = {object = {g_type_instance = {g_class = 0x862400}, ref_count =
2, qdata = 0x869d20}, lock = {p = 0x0, i = {0, 0}}, name = 0x866980
"decodebin3-0", parent = 0x0, flags = 32768, 
    control_bindings = 0x0, control_rate = 100000000, last_sync =
18446744073709551615, _gst_reserved = 0x0}, state_lock = {p = 0x863fc0, i = {0,
0}}, state_cond = {p = 0x0, i = {28, 0}}, 
  state_cookie = 6, target_state = GST_STATE_NULL, current_state =
GST_STATE_NULL, next_state = GST_STATE_VOID_PENDING, pending_state =
GST_STATE_VOID_PENDING, last_return = GST_STATE_CHANGE_SUCCESS, 
  bus = 0x0, clock = 0x0, base_time = 1801746031, start_time = 0, numpads = 0,
pads = 0x0, numsrcpads = 0, srcpads = 0x0, numsinkpads = 0, sinkpads = 0x0,
pads_cookie = 6, contexts = 0x0, 
  _gst_reserved = {0x0, 0x0, 0x0}}
(gdb) p *pad
$2 = {object = {object = {g_type_instance = {g_class = 0x80bed0}, ref_count =
2, qdata = 0x6c9590}, lock = {p = 0x0, i = {0, 0}}, name = 0x8606c0 "sink",
parent = 0x864020, flags = 28960, 
    control_bindings = 0x0, control_rate = 100000000, last_sync =
18446744073709551615, _gst_reserved = 0x0}, element_private = 0x0, padtemplate
= 0x0, direction = GST_PAD_SINK, stream_rec_lock = {
    p = 0x803980, i = {0, 0}}, task = 0x0, block_cond = {p = 0x0, i = {7, 0}},
probes = {seq_id = 1, hook_size = 72, is_setup = 1, hooks = 0x0, dummy3 = 0x0, 
    finalize_hook = 0x7ffff6f86890 <default_finalize_hook>, dummy = {0x0,
0x0}}, mode = GST_PAD_MODE_NONE, activatefunc = 0x7ffff7550490
<gst_pad_activate_default>, activatedata = 0x0, 
  activatenotify = 0x0, activatemodefunc = 0x7ffff753ac30
<gst_ghost_pad_activate_mode_default>, activatemodedata = 0x0,
activatemodenotify = 0x0, peer = 0x0, 
  linkfunc = 0x7fffed82e370 <gst_decodebin3_input_pad_link>, linkdata = 0x0,
linknotify = 0x0, unlinkfunc = 0x7fffed82e66d
<gst_decodebin3_input_pad_unlink>, unlinkdata = 0x0, unlinknotify = 0x0, 
  chainfunc = 0x7ffff753a140 <gst_proxy_pad_chain_default>, chaindata = 0x0,
chainnotify = 0x0, chainlistfunc = 0x7ffff753a220
<gst_proxy_pad_chain_list_default>, chainlistdata = 0x0, 
  chainlistnotify = 0x0, getrangefunc = 0x0, getrangedata = 0x0, getrangenotify
= 0x0, eventfunc = 0x7ffff7550e80 <gst_pad_event_default>, eventdata = 0x0,
eventnotify = 0x0, offset = 0, 
  queryfunc = 0x7ffff7550fc0 <gst_pad_query_default>, querydata = 0x0,
querynotify = 0x0, iterintlinkfunc = 0x7ffff753a080
<gst_proxy_pad_iterate_internal_links_default>, iterintlinkdata = 0x0, 
  iterintlinknotify = 0x0, num_probes = 0, num_blocked = 0, priv = 0x80e320,
ABI = {_gst_reserved = {0xfffffffe, 0x0, 0x0, 0x0}, abi = {last_flowret =
GST_FLOW_FLUSHING, eventfullfunc = 0x0}}}
(gdb) p *dec
$3 = {parent_instance = {element = {object = {object = {g_type_instance =
{g_class = 0xaaaaaaaaaaaaaaaa}, ref_count = 2863311530, qdata =
0xaaaaaaaaaaaaaaaa}, lock = {p = 0xaaaaaaaaaaaaaaaa, i = {
            2863311530, 2863311530}}, name = 0xaaaaaaaaaaaaaaaa <error: Cannot
access memory at address 0xaaaaaaaaaaaaaaaa>, parent = 0xaaaaaaaaaaaaaaaa,
flags = 2863311530, 
        control_bindings = 0xaaaaaaaaaaaaaaaa, control_rate =
12297829382473034410, last_sync = 12297829382473034410, _gst_reserved =
0xaaaaaaaaaaaaaaaa}, state_lock = {p = 0xaaaaaaaaaaaaaaaa, i = {
          2863311530, 2863311530}}, state_cond = {p = 0xaaaaaaaaaaaaaaaa, i =
{2863311530, 2863311530}}, state_cookie = 2863311530, target_state =
2863311530, current_state = 2863311530, 
      next_state = 2863311530, pending_state = 2863311530, last_return =
2863311530, bus = 0xaaaaaaaaaaaaaaaa, clock = 0xaaaaaaaaaaaaaaaa, base_time =
-6148914691236517206, 
      start_time = 12297829382473034410, numpads = 43690, pads =
0xaaaaaaaaaaaaaaaa, numsrcpads = 43690, srcpads = 0xaaaaaaaaaaaaaaaa,
numsinkpads = 43690, sinkpads = 0xaaaaaaaaaaaaaaaa, 
      pads_cookie = 2863311530, contexts = 0xaaaaaaaaaaaaaaaa, _gst_reserved =
{0xaaaaaaaaaaaaaaaa, 0xaaaaaaaaaaaaaaaa, 0xaaaaaaaaaaaaaaaa}}, numchildren =
-1431655766, children = 0xaaaaaaaaaaaaaaaa, 
    children_cookie = 2863311530, child_bus = 0xaaaaaaaaaaaaaaaa, messages =
0xaaaaaaaaaaaaaaaa, polling = -1431655766, state_dirty = -1431655766,
clock_dirty = -1431655766, 
    provided_clock = 0xaaaaaaaaaaaaaaaa, clock_provider = 0xaaaaaaaaaaaaaaaa,
priv = 0xaaaaaaaaaaaaaaaa, _gst_reserved = {0xaaaaaaaaaaaaaaaa,
0xaaaaaaaaaaaaaaaa, 0xaaaaaaaaaaaaaaaa, 0xaaaaaaaaaaaaaaaa}}, 
  lock = {p = 0xaaaaaaaaaaaaaaaa, i = {2863311530, 2863311530}}, source =
0xaaaaaaaaaaaaaaaa, connection_speed = 12297829382473034410, caps =
0xaaaaaaaaaaaaaaaa, buffer_duration = 12297829382473034410, 
  buffer_size = 2863311530, download = -1431655766, use_buffering =
-1431655766, ring_buffer_max_size = 12297829382473034410, play_items =
0xaaaaaaaaaaaaaaaa, current = 0xaaaaaaaaaaaaaaaa, 
  main_handler = 0xaaaaaaaaaaaaaaaa, sub_handler = 0xaaaaaaaaaaaaaaaa, uri =
0xaaaaaaaaaaaaaaaa <error: Cannot access memory at address 0xaaaaaaaaaaaaaaaa>,
uri_changed = -1431655766, 
  suburi = 0xaaaaaaaaaaaaaaaa <error: Cannot access memory at address
0xaaaaaaaaaaaaaaaa>, suburi_changed = -1431655766, decodebin =
0xaaaaaaaaaaaaaaaa, db_pad_added_id = 12297829382473034410, 
  db_pad_removed_id = 12297829382473034410, db_select_stream_id =
12297829382473034410, db_about_to_finish_id = 12297829382473034410, output_pads
= 0xaaaaaaaaaaaaaaaa, 
  source_handlers = 0xaaaaaaaaaaaaaaaa, posted_about_to_finish = -1431655766}
(gdb) info locals
cand = 0x7ffff7298d19 <g_object_ref+121>
tmp = 0xaaaaaaaaaaaaaaaa
output = 0x0
__PRETTY_FUNCTION__ = "db_pad_removed_cb"
(gdb) 

=========================================================
