GstElement::request_new_pad() is racy
Submitted by Sebastian Dröge @slomo
Link to original bug (#791193)
Description
Currently the subclass is expected to return an unowned (transfer none) pad reference, which is assumed to be owned by the element. The caller (gst_element_get_request_pad() / gst_element_request_pad()) is directly calling gst_object_ref().
But there's a small window in which the pad could be removed from the element again before the gst_object_ref(), causing an invalid pointer to freed memory to be returned to the caller.
I don't see how we can fix this in 1.0 without adding a new vfunc that has the return value as (transfer full).