multiqueue: Do not unref the query we get in pad->query

We do not own any ref to queries when running them.

If we end up processing the query from the streaming thread, it means that it was a serialized query, and the sinkpad streaming thread, the thread which owns the reference, is waiting for the query to be processed.

This is the ASan report we got:

ERROR: AddressSanitizer: heap-use-after-free on address 0x000121b0b970 at pc 0x00010529ad50 bp 0x00017c6718f0 sp 0x00017c6718e8

READ of size 4 at 0x000121b0b970 thread T49
    #0 0x10529ad4c in gst_pad_query gstpad.c:4243
    #1 0x105294f28 in gst_pad_peer_query gstpad.c:4376
    #2 0x105298714 in query_forward_func gstpad.c:3484
    #3 0x105296510 in gst_pad_forward gstpad.c:3110
    #4 0x105297914 in gst_pad_query_default gstpad.c:3555
    #5 0x116f7c758 in gst_parse_pad_query gstparsebin.c:4334
    #6 0x105299b1c in gst_pad_query gstpad.c:4239
    #7 0x105294f28 in gst_pad_peer_query gstpad.c:4376
    #8 0x105298714 in query_forward_func gstpad.c:3484
    #9 0x105296510 in gst_pad_forward gstpad.c:3110
    #10 0x105297914 in gst_pad_query_default gstpad.c:3555
    #11 0x105299b1c in gst_pad_query gstpad.c:4239
    #12 0x105294f28 in gst_pad_peer_query gstpad.c:4376
    #13 0x105298714 in query_forward_func gstpad.c:3484
    #14 0x105296510 in gst_pad_forward gstpad.c:3110
    #15 0x105297914 in gst_pad_query_default gstpad.c:3555
    #16 0x116f82760 in sink_query_function gstparsebin.c:872
    #17 0x105299b1c in gst_pad_query gstpad.c:4239
    #18 0x105294f28 in gst_pad_peer_query gstpad.c:4376
    #19 0x105298714 in query_forward_func gstpad.c:3484
    #20 0x105296510 in gst_pad_forward gstpad.c:3110
    #21 0x105297914 in gst_pad_query_default gstpad.c:3555
    #22 0x105299b1c in gst_pad_query gstpad.c:4239
    #23 0x105294f28 in gst_pad_peer_query gstpad.c:4376
    #24 0x105298714 in query_forward_func gstpad.c:3484
    #25 0x105296510 in gst_pad_forward gstpad.c:3110
    #26 0x105297914 in gst_pad_query_default gstpad.c:3555
    #27 0x105299b1c in gst_pad_query gstpad.c:4239
    #28 0x105294f28 in gst_pad_peer_query gstpad.c:4376
    #29 0x105298714 in query_forward_func gstpad.c:3484
    #30 0x105296510 in gst_pad_forward gstpad.c:3110
    #31 0x105297914 in gst_pad_query_default gstpad.c:3555
    #32 0x116f7c758 in gst_parse_pad_query gstparsebin.c:4334
    #33 0x105299b1c in gst_pad_query gstpad.c:4239
    #34 0x105294f28 in gst_pad_peer_query gstpad.c:4376
    #35 0x105298714 in query_forward_func gstpad.c:3484
    #36 0x105296510 in gst_pad_forward gstpad.c:3110
    #37 0x105297914 in gst_pad_query_default gstpad.c:3555
    #38 0x105299b1c in gst_pad_query gstpad.c:4239
    #39 0x105294f28 in gst_pad_peer_query gstpad.c:4376
    #40 0x105298714 in query_forward_func gstpad.c:3484
    #41 0x105296510 in gst_pad_forward gstpad.c:3110
    #42 0x105297914 in gst_pad_query_default gstpad.c:3555
    #43 0x116f82760 in sink_query_function gstparsebin.c:872
    #44 0x105299b1c in gst_pad_query gstpad.c:4239
    #45 0x105294f28 in gst_pad_peer_query gstpad.c:4376
    #46 0x105298714 in query_forward_func gstpad.c:3484
    #47 0x105296510 in gst_pad_forward gstpad.c:3110
    #48 0x105297914 in gst_pad_query_default gstpad.c:3555
    #49 0x105299b1c in gst_pad_query gstpad.c:4239
    #50 0x105294f28 in gst_pad_peer_query gstpad.c:4376
    #51 0x104bc87b0 in gst_base_src_negotiate_unlocked gstbasesrc.c:3511
    #52 0x104bd19f8 in gst_base_src_loop gstbasesrc.c:2920
    #53 0x105313ae0 in gst_task_func gsttask.c:399
    #54 0x105bfa950 in g_thread_pool_thread_proxy gthreadpool.c:350
    #55 0x105bf7f3c in g_thread_proxy gthread.c:831
    #56 0x198195f90 in _pthread_start+0x84 (libsystem_pthread.dylib:arm64e+0x6f90)
    #57 0x198190d30 in thread_start+0x4 (libsystem_pthread.dylib:arm64e+0x1d30)

0x000121b0b970 is located 64 bytes inside of 80-byte region [0x000121b0b930,0x000121b0b980)
freed by thread T57 here:
    #0 0x10719b260 in wrap_free+0x98 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x53260)
    #1 0x119cb7c9c in gst_multi_queue_loop gstmultiqueue.c:2350
    #2 0x105313ae0 in gst_task_func gsttask.c:399
    #3 0x105bfa950 in g_thread_pool_thread_proxy gthreadpool.c:350
    #4 0x105bf7f3c in g_thread_proxy gthread.c:831
    #5 0x198195f90 in _pthread_start+0x84 (libsystem_pthread.dylib:arm64e+0x6f90)
    #6 0x198190d30 in thread_start+0x4 (libsystem_pthread.dylib:arm64e+0x1d30)

previously allocated by thread T49 here:
    #0 0x10719b4f0 in wrap_calloc+0x9c (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x534f0)
    #1 0x105ba66c4 in g_malloc0 gmem.c:163
    #2 0x1052cd1f8 in gst_query_new_custom gstquery.c:670
    #3 0x104bc8798 in gst_base_src_negotiate_unlocked gstbasesrc.c:3511
    #4 0x104bd19f8 in gst_base_src_loop gstbasesrc.c:2920
    #5 0x105313ae0 in gst_task_func gsttask.c:399
    #6 0x105bfa950 in g_thread_pool_thread_proxy gthreadpool.c:350
    #7 0x105bf7f3c in g_thread_proxy gthread.c:831
    #8 0x198195f90 in _pthread_start+0x84 (libsystem_pthread.dylib:arm64e+0x6f90)
    #9 0x198190d30 in thread_start+0x4 (libsystem_pthread.dylib:arm64e+0x1d30)
Edited by Tim-Philipp Müller
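
The ownership rule described above, as an added example that is not part of the merge request and is not GStreamer code: a toy refcounted `Query` is handed from a blocked sender to a queue loop that only borrows it. All names (`Query`, `loop_handle_query`, `sender_runs_query`) are hypothetical, and the two threads are modelled as sequential calls because the sender is blocked while the loop handles the query.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy stand-in for a refcounted query object (hypothetical model). */
typedef struct { int refcount; int result; } Query;

static int live_queries = 0;   /* queries allocated and not yet freed */

static Query *query_new(void) {
    Query *q = calloc(1, sizeof *q);
    if (!q) abort();
    q->refcount = 1;           /* the creator owns the only reference */
    live_queries++;
    return q;
}

static void query_unref(Query *q) {
    if (--q->refcount == 0) { live_queries--; free(q); }
}

/* Queue-loop side: the pointer is borrowed from the blocked sender. */
static void loop_handle_query(Query *q, int buggy_unref) {
    q->result = 1;             /* "run" the query downstream */
    if (buggy_unref)
        query_unref(q);        /* drops a reference this side never took */
}

/* Sender side: owns the reference and waits for the loop to finish.
 * Returns 1 if the query is still alive when the sender resumes. */
static int sender_runs_query(int buggy_unref) {
    Query *q = query_new();
    int before = live_queries;
    loop_handle_query(q, buggy_unref);   /* sender is blocked meanwhile */
    int alive = (live_queries == before);
    if (alive)
        query_unref(q);        /* owner releases exactly once */
    /* When !alive, any read of q at this point is the
     * heap-use-after-free shown in the report above. */
    return alive;
}

int main(void) {
    printf("loop unrefs: alive after handoff = %d\n", sender_runs_query(1));
    printf("loop borrows: alive after handoff = %d\n", sender_runs_query(0));
    return 0;
}
```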
