playbin3/decodebin3: use after free
Valgrind reports two invalid reads after restarting a playbin3 pipeline. Observed with version c47255d1 on main branch.
How to reproduce:

- Create a `playbin3` pipeline.
- Play three streams in a row, setting the pipeline's `uri` property in the `about-to-finish` handler.
- After the third `uri` has been set, stop the pipeline.
- Set another `uri` (I don't know if this step is important, but that's what my player is doing).
- Set the pipeline to playing state to trigger the bug.

For me, it is 100% reproducible.
Both `gst_decodebin3_handle_message()` and `gst_play_bin3_handle_message()` are handling the same `GST_MESSAGE_STREAM_COLLECTION` message in this instance (traces are the same up to `gst_decodebin3_handle_message()`):

```
==111639== Thread 7 id3demux2:sink:
==111639== Invalid read of size 1
==111639== at 0x483FED7: strcmp (vg_replace_strmem.c:849)
==111639== by 0x5B33D36: stream_in_list (gstdecodebin3.c:1176)
==111639== by 0x5B3455E: update_requested_selection (gstdecodebin3.c:1245)
==111639== by 0x5B39FBD: gst_decodebin3_handle_message (gstdecodebin3.c:1684)
==111639== by 0x4C72B2B: bin_bus_handler (gstbin.c:3252)
==111639== by 0x4C84D4A: gst_bus_post (gstbus.c:357)
==111639== by 0x4C99FF9: gst_element_post_message_default (gstelement.c:2117)
==111639== by 0x4C75271: gst_bin_post_message (gstbin.c:2781)
==111639== by 0x4C9D5C9: gst_element_post_message (gstelement.c:2160)
==111639== by 0x5B524BA: gst_parse_bin_expose (gstparsebin.c:3587)
==111639== by 0x5B56DBE: pad_added_cb (gstparsebin.c:2480)
==111639== by 0x5B57006: caps_notify_cb (gstparsebin.c:2588)
==111639== by 0x4BA0801: g_closure_invoke (gclosure.c:810)
==111639== by 0x4BB4813: signal_emit_unlocked_R (gsignal.c:3743)
==111639== by 0x4BBFBBD: g_signal_emit_valist (gsignal.c:3499)
==111639== by 0x4BC00F2: g_signal_emit (gsignal.c:3555)
==111639== by 0x4BA5283: g_object_dispatch_properties_changed (gobject.c:1206)
==111639== by 0x4C70267: gst_object_dispatch_properties_changed (gstobject.c:455)
==111639== by 0x4BA7821: g_object_notify_by_spec_internal (gobject.c:1299)
==111639== by 0x4BA7821: g_object_notify_by_pspec (gobject.c:1409)
==111639== by 0x4CB93CC: store_sticky_event (gstpad.c:5361)
==111639== by 0x4CC4857: gst_pad_push_event (gstpad.c:5660)
==111639== by 0x4C0C47A: gst_tag_demux_element_find (gsttagdemux.c:1396)
==111639== by 0x4C0D704: gst_tag_demux_element_loop (gsttagdemux.c:1457)
==111639== by 0x4CF3776: gst_task_func (gsttask.c:384)
==111639== by 0x48FE373: g_thread_pool_thread_proxy (gthreadpool.c:354)
==111639== by 0x48FDAD0: g_thread_proxy (gthread.c:807)
==111639== by 0x5058608: start_thread (pthread_create.c:477)
==111639== by 0x5192162: clone (clone.S:95)
==111639== Address 0x28249ad0 is 0 bytes inside a block of size 65 free'd
==111639== at 0x483CA3F: free (vg_replace_malloc.c:540)
==111639== by 0x4CE4E1E: gst_stream_finalize (gststreams.c:193)
==111639== by 0x4BA5D0D: g_object_unref (gobject.c:3499)
==111639== by 0x4BA5D0D: g_object_unref (gobject.c:3391)
==111639== by 0x48E4E8E: g_queue_foreach (gqueue.c:281)
==111639== by 0x4CE4680: gst_stream_collection_dispose (gststreamcollection.c:154)
==111639== by 0x4BA5C92: g_object_unref (gobject.c:3461)
==111639== by 0x4BA5C92: g_object_unref (gobject.c:3391)
==111639== by 0x4C6FD7A: gst_object_replace (gstobject.c:368)
==111639== by 0x5B675E8: gst_play_bin3_handle_message (gstplaybin3.c:2515)
==111639== by 0x4C72B2B: bin_bus_handler (gstbin.c:3252)
==111639== by 0x4C84D4A: gst_bus_post (gstbus.c:357)
==111639== by 0x4C99FF9: gst_element_post_message_default (gstelement.c:2117)
==111639== by 0x4C75271: gst_bin_post_message (gstbin.c:2781)
==111639== by 0x4C9D5C9: gst_element_post_message (gstelement.c:2160)
==111639== by 0x4C755D0: gst_bin_handle_message_func (gstbin.c:4023)
==111639== by 0x4C72B2B: bin_bus_handler (gstbin.c:3252)
==111639== by 0x4C84D4A: gst_bus_post (gstbus.c:357)
==111639== by 0x4C99FF9: gst_element_post_message_default (gstelement.c:2117)
==111639== by 0x4C75271: gst_bin_post_message (gstbin.c:2781)
==111639== by 0x4C9D5C9: gst_element_post_message (gstelement.c:2160)
==111639== by 0x4C755D0: gst_bin_handle_message_func (gstbin.c:4023)
==111639== by 0x5B39FAC: gst_decodebin3_handle_message (gstdecodebin3.c:1680)
==111639== by 0x4C72B2B: bin_bus_handler (gstbin.c:3252)
==111639== by 0x4C84D4A: gst_bus_post (gstbus.c:357)
==111639== by 0x4C99FF9: gst_element_post_message_default (gstelement.c:2117)
==111639== by 0x4C75271: gst_bin_post_message (gstbin.c:2781)
==111639== by 0x4C9D5C9: gst_element_post_message (gstelement.c:2160)
==111639== by 0x5B524BA: gst_parse_bin_expose (gstparsebin.c:3587)
==111639== by 0x5B56DBE: pad_added_cb (gstparsebin.c:2480)
==111639== by 0x5B57006: caps_notify_cb (gstparsebin.c:2588)
==111639== by 0x4BA0801: g_closure_invoke (gclosure.c:810)
==111639== by 0x4BB4813: signal_emit_unlocked_R (gsignal.c:3743)
==111639== by 0x4BBFBBD: g_signal_emit_valist (gsignal.c:3499)
==111639== by 0x4BC00F2: g_signal_emit (gsignal.c:3555)
==111639== by 0x4BA5283: g_object_dispatch_properties_changed (gobject.c:1206)
==111639== by 0x4C70267: gst_object_dispatch_properties_changed (gstobject.c:455)
==111639== by 0x4BA7821: g_object_notify_by_spec_internal (gobject.c:1299)
==111639== by 0x4BA7821: g_object_notify_by_pspec (gobject.c:1409)
==111639== by 0x4CB93CC: store_sticky_event (gstpad.c:5361)
==111639== by 0x4CC4857: gst_pad_push_event (gstpad.c:5660)
==111639== by 0x4C0C47A: gst_tag_demux_element_find (gsttagdemux.c:1396)
==111639== by 0x4C0D704: gst_tag_demux_element_loop (gsttagdemux.c:1457)
==111639== by 0x4CF3776: gst_task_func (gsttask.c:384)
==111639== by 0x48FE373: g_thread_pool_thread_proxy (gthreadpool.c:354)
==111639== by 0x48FDAD0: g_thread_proxy (gthread.c:807)
==111639== by 0x5058608: start_thread (pthread_create.c:477)
==111639== by 0x5192162: clone (clone.S:95)
==111639== Block was alloc'd at
==111639== at 0x483B7F3: malloc (vg_replace_malloc.c:309)
==111639== by 0x48D9E98: g_malloc (gmem.c:102)
==111639== by 0x48F4153: g_strdup (gstrfuncs.c:363)
==111639== by 0x4CE508C: gst_stream_set_stream_id (gststreams.c:236)
==111639== by 0x4CE508C: gst_stream_set_property (gststreams.c:484)
==111639== by 0x4BA6680: object_set_property (gobject.c:1565)
==111639== by 0x4BA6680: g_object_new_internal (gobject.c:1971)
==111639== by 0x4BA8377: g_object_new_valist (gobject.c:2262)
==111639== by 0x4BA86CC: g_object_new (gobject.c:1780)
==111639== by 0x4CE51AF: gst_stream_new (gststreams.c:219)
==111639== by 0x5B532D1: gst_parse_pad_stream_start_event (gstparsebin.c:4059)
==111639== by 0x5B5350A: copy_sticky_events (gstparsebin.c:1215)
==111639== by 0x4CB941B: foreach_dispatch_function (gstpad.c:6166)
==111639== by 0x4CB941B: foreach_dispatch_function (gstpad.c:6158)
==111639== by 0x4CB8C6F: events_foreach (gstpad.c:605)
==111639== by 0x4CC5807: gst_pad_sticky_events_foreach (gstpad.c:6197)
==111639== by 0x5B53CA9: analyze_new_pad (gstparsebin.c:1342)
==111639== by 0x5B56BB4: type_found (gstparsebin.c:2418)
==111639== by 0x53B1FF4: ??? (in /usr/lib/x86_64-linux-gnu/libffi.so.7.1.0)
==111639== by 0x53B1409: ??? (in /usr/lib/x86_64-linux-gnu/libffi.so.7.1.0)
==111639== by 0x4BA130C: g_cclosure_marshal_generic (gclosure.c:1500)
==111639== by 0x4BA0801: g_closure_invoke (gclosure.c:810)
==111639== by 0x4BB4813: signal_emit_unlocked_R (gsignal.c:3743)
==111639== by 0x4BBFBBD: g_signal_emit_valist (gsignal.c:3499)
==111639== by 0x4BC00F2: g_signal_emit (gsignal.c:3555)
==111639== by 0x84D490C: gst_type_find_element_loop (gsttypefindelement.c:1195)
==111639== by 0x4CF3776: gst_task_func (gsttask.c:384)
==111639== by 0x48FE373: g_thread_pool_thread_proxy (gthreadpool.c:354)
==111639== by 0x48FDAD0: g_thread_proxy (gthread.c:807)
==111639== by 0x5058608: start_thread (pthread_create.c:477)
==111639== by 0x5192162: clone (clone.S:95)
```
There is another use-after-free bug, probably referring to the same freed string as above:

```
==111639== Thread 9 multiqueue1:src_:
==111639== Invalid read of size 1
==111639== at 0x483FED7: strcmp (vg_replace_strmem.c:849)
==111639== by 0x5B33D36: stream_in_list (gstdecodebin3.c:1176)
==111639== by 0x5B3AB77: is_selection_done (gstdecodebin3.c:1831)
==111639== by 0x5B3AB77: is_selection_done (gstdecodebin3.c:1815)
==111639== by 0x5B3BACC: multiqueue_src_probe (gstdecodebin3.c:2017)
==111639== by 0x4CB97BD: probe_hook_marshal (gstpad.c:3661)
==111639== by 0x48C3995: g_hook_list_marshal (ghook.c:672)
==111639== by 0x4CB7C75: do_probe_callbacks (gstpad.c:3845)
==111639== by 0x4CBB426: gst_pad_push_event_unchecked (gstpad.c:5506)
==111639== by 0x4CBB9D9: push_sticky (gstpad.c:4044)
==111639== by 0x4CB8C6F: events_foreach (gstpad.c:605)
==111639== by 0x4CC45B0: check_sticky (gstpad.c:4103)
==111639== by 0x4CC45B0: gst_pad_push_event (gstpad.c:5672)
==111639== by 0x84B95BC: gst_single_queue_push_one (gstmultiqueue.c:2017)
==111639== by 0x84B95BC: gst_multi_queue_loop (gstmultiqueue.c:2297)
==111639== by 0x4CF3776: gst_task_func (gsttask.c:384)
==111639== by 0x48FE373: g_thread_pool_thread_proxy (gthreadpool.c:354)
==111639== by 0x48FDAD0: g_thread_proxy (gthread.c:807)
==111639== by 0x5058608: start_thread (pthread_create.c:477)
==111639== by 0x5192162: clone (clone.S:95)
==111639== Address 0x28249ad0 is 0 bytes inside a block of size 65 free'd
==111639== at 0x483CA3F: free (vg_replace_malloc.c:540)
==111639== by 0x4CE4E1E: gst_stream_finalize (gststreams.c:193)
==111639== by 0x4BA5D0D: g_object_unref (gobject.c:3499)
==111639== by 0x4BA5D0D: g_object_unref (gobject.c:3391)
==111639== by 0x48E4E8E: g_queue_foreach (gqueue.c:281)
==111639== by 0x4CE4680: gst_stream_collection_dispose (gststreamcollection.c:154)
==111639== by 0x4BA5C92: g_object_unref (gobject.c:3461)
==111639== by 0x4BA5C92: g_object_unref (gobject.c:3391)
==111639== by 0x4C6FD7A: gst_object_replace (gstobject.c:368)
==111639== by 0x5B675E8: gst_play_bin3_handle_message (gstplaybin3.c:2515)
==111639== by 0x4C72B2B: bin_bus_handler (gstbin.c:3252)
==111639== by 0x4C84D4A: gst_bus_post (gstbus.c:357)
==111639== by 0x4C99FF9: gst_element_post_message_default (gstelement.c:2117)
==111639== by 0x4C75271: gst_bin_post_message (gstbin.c:2781)
==111639== by 0x4C9D5C9: gst_element_post_message (gstelement.c:2160)
==111639== by 0x4C755D0: gst_bin_handle_message_func (gstbin.c:4023)
==111639== by 0x4C72B2B: bin_bus_handler (gstbin.c:3252)
==111639== by 0x4C84D4A: gst_bus_post (gstbus.c:357)
==111639== by 0x4C99FF9: gst_element_post_message_default (gstelement.c:2117)
==111639== by 0x4C75271: gst_bin_post_message (gstbin.c:2781)
==111639== by 0x4C9D5C9: gst_element_post_message (gstelement.c:2160)
==111639== by 0x4C755D0: gst_bin_handle_message_func (gstbin.c:4023)
==111639== by 0x5B39FAC: gst_decodebin3_handle_message (gstdecodebin3.c:1680)
==111639== by 0x4C72B2B: bin_bus_handler (gstbin.c:3252)
==111639== by 0x4C84D4A: gst_bus_post (gstbus.c:357)
==111639== by 0x4C99FF9: gst_element_post_message_default (gstelement.c:2117)
==111639== by 0x4C75271: gst_bin_post_message (gstbin.c:2781)
==111639== by 0x4C9D5C9: gst_element_post_message (gstelement.c:2160)
==111639== by 0x5B524BA: gst_parse_bin_expose (gstparsebin.c:3587)
==111639== by 0x5B56DBE: pad_added_cb (gstparsebin.c:2480)
==111639== by 0x5B57006: caps_notify_cb (gstparsebin.c:2588)
==111639== by 0x4BA0801: g_closure_invoke (gclosure.c:810)
==111639== by 0x4BB4813: signal_emit_unlocked_R (gsignal.c:3743)
==111639== by 0x4BBFBBD: g_signal_emit_valist (gsignal.c:3499)
==111639== by 0x4BC00F2: g_signal_emit (gsignal.c:3555)
==111639== by 0x4BA5283: g_object_dispatch_properties_changed (gobject.c:1206)
==111639== by 0x4C70267: gst_object_dispatch_properties_changed (gstobject.c:455)
==111639== by 0x4BA7821: g_object_notify_by_spec_internal (gobject.c:1299)
==111639== by 0x4BA7821: g_object_notify_by_pspec (gobject.c:1409)
==111639== by 0x4CB93CC: store_sticky_event (gstpad.c:5361)
==111639== by 0x4CC4857: gst_pad_push_event (gstpad.c:5660)
==111639== by 0x4C0C47A: gst_tag_demux_element_find (gsttagdemux.c:1396)
==111639== by 0x4C0D704: gst_tag_demux_element_loop (gsttagdemux.c:1457)
==111639== by 0x4CF3776: gst_task_func (gsttask.c:384)
==111639== by 0x48FE373: g_thread_pool_thread_proxy (gthreadpool.c:354)
==111639== by 0x48FDAD0: g_thread_proxy (gthread.c:807)
==111639== by 0x5058608: start_thread (pthread_create.c:477)
==111639== by 0x5192162: clone (clone.S:95)
==111639== Block was alloc'd at
==111639== at 0x483B7F3: malloc (vg_replace_malloc.c:309)
==111639== by 0x48D9E98: g_malloc (gmem.c:102)
==111639== by 0x48F4153: g_strdup (gstrfuncs.c:363)
==111639== by 0x4CE508C: gst_stream_set_stream_id (gststreams.c:236)
==111639== by 0x4CE508C: gst_stream_set_property (gststreams.c:484)
==111639== by 0x4BA6680: object_set_property (gobject.c:1565)
==111639== by 0x4BA6680: g_object_new_internal (gobject.c:1971)
==111639== by 0x4BA8377: g_object_new_valist (gobject.c:2262)
==111639== by 0x4BA86CC: g_object_new (gobject.c:1780)
==111639== by 0x4CE51AF: gst_stream_new (gststreams.c:219)
==111639== by 0x5B532D1: gst_parse_pad_stream_start_event (gstparsebin.c:4059)
==111639== by 0x5B5350A: copy_sticky_events (gstparsebin.c:1215)
==111639== by 0x4CB941B: foreach_dispatch_function (gstpad.c:6166)
==111639== by 0x4CB941B: foreach_dispatch_function (gstpad.c:6158)
==111639== by 0x4CB8C6F: events_foreach (gstpad.c:605)
==111639== by 0x4CC5807: gst_pad_sticky_events_foreach (gstpad.c:6197)
==111639== by 0x5B53CA9: analyze_new_pad (gstparsebin.c:1342)
==111639== by 0x5B56BB4: type_found (gstparsebin.c:2418)
==111639== by 0x53B1FF4: ??? (in /usr/lib/x86_64-linux-gnu/libffi.so.7.1.0)
==111639== by 0x53B1409: ??? (in /usr/lib/x86_64-linux-gnu/libffi.so.7.1.0)
==111639== by 0x4BA130C: g_cclosure_marshal_generic (gclosure.c:1500)
==111639== by 0x4BA0801: g_closure_invoke (gclosure.c:810)
==111639== by 0x4BB4813: signal_emit_unlocked_R (gsignal.c:3743)
==111639== by 0x4BBFBBD: g_signal_emit_valist (gsignal.c:3499)
==111639== by 0x4BC00F2: g_signal_emit (gsignal.c:3555)
==111639== by 0x84D490C: gst_type_find_element_loop (gsttypefindelement.c:1195)
==111639== by 0x4CF3776: gst_task_func (gsttask.c:384)
==111639== by 0x48FE373: g_thread_pool_thread_proxy (gthreadpool.c:354)
==111639== by 0x48FDAD0: g_thread_proxy (gthread.c:807)
==111639== by 0x5058608: start_thread (pthread_create.c:477)
==111639== by 0x5192162: clone (clone.S:95)
```
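To make the lifetime problem in both reports concrete, here is an added toy model (my own example, not GStreamer code): a refcounted stream owns its stream-id string (the `g_strdup` under "alloc'd"), a collection owns the streams, and a selection list that merely borrows the id pointers goes stale the moment another handler replaces the collection (the `gst_object_replace` under "free'd"), so the next `strcmp()` in `stream_in_list()` reads freed memory. Keeping owned copies in the list (the `owned == 1` path below) is one way to break that dependency; holding a reference to the stream object would be another. The `Stream`, `Collection` and `Selection` types and all function names are assumptions of the example.

```c
#include <stdlib.h>
#include <string.h>
/* Toy stand-ins for GstStream / GstStreamCollection (constructed here, not the GStreamer API). */
typedef struct { int ref; char *stream_id; } Stream;
typedef struct { int ref; Stream *streams[4]; int n; } Collection;
/* Like g_strdup(): the stream owns a heap copy of its id, which is what gets freed later. */
static char *dup_id(const char *id) { char *p = malloc(strlen(id) + 1); return strcpy(p, id); }
static Stream *stream_new(const char *id) {
  Stream *s = calloc(1, sizeof *s); s->ref = 1; s->stream_id = dup_id(id); return s;
}
/* The last unref frees the id string: the free() under "free'd" in the Valgrind report. */
static void stream_unref(Stream *s) { if (--s->ref == 0) { free(s->stream_id); free(s); } }
static Collection *collection_new(const char *const *ids, int n) {
  Collection *c = calloc(1, sizeof *c); c->ref = 1; c->n = n;
  for (int i = 0; i < n; i++) c->streams[i] = stream_new(ids[i]);
  return c;
}
static void collection_unref(Collection *c) {
  if (--c->ref) return;
  for (int i = 0; i < c->n; i++) stream_unref(c->streams[i]);
  free(c);
}
/* The requested-selection list that stream_in_list() walks with strcmp(). owned == 0 mirrors
 * the bug pattern (borrowed pointers into streams a later collection replacement frees);
 * owned == 1 is the hardened form (duplicated ids, independent of the current collection). */
typedef struct { char *ids[4]; int n; int owned; } Selection;
static void selection_fill(Selection *sel, const Collection *c, int owned) {
  sel->n = c->n; sel->owned = owned;
  for (int i = 0; i < c->n; i++)
    sel->ids[i] = owned ? dup_id(c->streams[i]->stream_id) : c->streams[i]->stream_id;
}
static void selection_clear(Selection *sel) {
  if (sel->owned) for (int i = 0; i < sel->n; i++) free(sel->ids[i]);
  sel->n = 0;
}
static int stream_in_list(const Selection *sel, const char *id) {
  for (int i = 0; i < sel->n; i++) if (strcmp(sel->ids[i], id) == 0) return 1;
  return 0;
}
/* Same order of events as in the traces: selection built from collection 1, collection
 * replaced by another handler (gst_object_replace() unrefs the old one), selection
 * consulted afterwards. Returns 1 if "audio-1" is still found. */
int lookup_after_replace(int owned) {
  const char *const ids1[] = { "audio-1", "video-1" }, *const ids2[] = { "audio-2" };
  Collection *current = collection_new(ids1, 2), *next = collection_new(ids2, 1);
  Selection sel; selection_fill(&sel, current, owned);
  collection_unref(current); current = next;   /* old streams and their ids die here */
  int found = stream_in_list(&sel, "audio-1"); /* owned == 0: strcmp() on freed memory */
  selection_clear(&sel); collection_unref(current); return found;
}
```

Running `lookup_after_replace(0)` under Valgrind or ASan reports the same invalid read in `strcmp` as above; `lookup_after_replace(1)` is clean and still finds the id.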