[Bug 796692] bufferlist: gst_buffer_list_get() can give a writable reference to multiple threads at the same time

GStreamer (GNOME Bugzilla) bugzilla at gnome.org
Thu Jun 28 11:58:31 UTC 2018


https://bugzilla.gnome.org/show_bug.cgi?id=796692

Sebastian Dröge (slomo) <slomo at coaxion.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|buffer: Merging memories    |bufferlist:
                   |while mapping is unsafe for |gst_buffer_list_get() can
                   |non-writable buffers        |give a writable reference
                   |                            |to multiple threads at the
                   |                            |same time

--- Comment #6 from Sebastian Dröge (slomo) <slomo at coaxion.net> ---
Ok, new insights, it is all different again and broken elsewhere :)

So the problem is actually that gst_buffer_list_get() does not increase the
reference count. A buffer can have its only reference inside the buffer list
(-> it is writable) but the buffer list has a refcount > 1 (-> is not
writable): for example, a tee is passing the same buffer list to two elements
downstream.

Now gst_buffer_list_get() on that non-writable buffer list gives back a
borrowed buffer, that is, the buffer is still writable even if the list itself
is not writable and shared in different places. Two threads can then at the
same time get a buffer like that and map them, merge memories and break
everything. Or otherwise modify buffers because it's considered writable after
all but actually is not, however in those cases people would hopefully use
gst_buffer_list_get_writable() which does not have the problem.
With mapping it's more hidden because a read-map seems like a read-only
operation but is actually not.

So two options here:
1) We deprecate gst_buffer_list_get() and add a new gst_buffer_list_dup() that
returns a new reference
2) We never ever replace memories when doing read-mapping in a buffer, even if
the buffer was writable. This however does not solve the problem of the buffer
being considered writable because of refcount==1
3) Always increase the refcount of buffers in the buffer list twice, but that
needs some special care for gst_buffer_list_get_writable() and I'm not actually
sure how to implement that properly in that case

Any other ideas?
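
The refcount reasoning in the comment above, as an added example that is not part of the original comment and is not GStreamer code: a simplified single-threaded model in which writability means refcount == 1 and a read-map merges memories in place only when the buffer is writable. The `Buf` and `BufList` types and all function names are hypothetical; both holders run the writability check before either one merges, which stands in for two threads racing.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model (assumption, not GStreamer code): writable == refcount 1. */
typedef struct { int refcount; int n_mem; } Buf;
typedef struct { int refcount; Buf *item; } BufList;

static bool buf_is_writable(const Buf *b) { return b->refcount == 1; }
static bool list_is_writable(const BufList *l) { return l->refcount == 1; }

/* Models gst_buffer_list_get(): borrowed pointer, refcount untouched. */
static Buf *list_get_borrowed(BufList *l) { return l->item; }

/* Models option 1 from the comment: hand out a new reference instead. */
static Buf *list_get_ref(BufList *l) { l->item->refcount++; return l->item; }

static void buf_unref(Buf *b) { b->refcount--; }

/* A read-map replaces the memories in place only if the buffer looks
 * writable and has more than one memory to merge. */
static bool read_map_would_mutate(const Buf *b) {
    return buf_is_writable(b) && b->n_mem > 1;
}

/* Two holders of one shared, non-writable list each fetch the buffer.
 * Returns how many of them would modify the buffer during a read-map. */
static int mutating_holders(bool take_ref) {
    Buf buf = { 1, 3 };          /* only reference lives inside the list */
    BufList list = { 2, &buf };  /* list shared by two downstream branches */
    if (list_is_writable(&list)) return -1;  /* model precondition broken */

    Buf *a = take_ref ? list_get_ref(&list) : list_get_borrowed(&list);
    Buf *b = take_ref ? list_get_ref(&list) : list_get_borrowed(&list);

    /* Both checks happen before any merge, as in the racing case. */
    int n = (read_map_would_mutate(a) ? 1 : 0)
          + (read_map_would_mutate(b) ? 1 : 0);

    if (take_ref) { buf_unref(a); buf_unref(b); }
    return n;
}

int main(void) {
    printf("borrowed get: %d holders would mutate\n", mutating_holders(false));
    printf("new reference: %d holders would mutate\n", mutating_holders(true));
    return 0;
}
```

With the borrowed pointer both holders pass the writability check on the same buffer; once each holder owns its own reference the count is above 1 and neither merges in place.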
