[mythtv-commits] Ticket #11940: Segfault mythbackend (misrefcounting MythSocket)

MythTV noreply at mythtv.org
Fri Nov 8 06:55:58 UTC 2013


#11940: Segfault mythbackend (misrefcounting MythSocket)
--------------------------------------+------------------------
     Reporter:  abudovski@…           |      Owner:
         Type:  Bug Report - General  |     Status:  new
     Priority:  major                 |  Milestone:
    Component:  MythTV - General      |    Version:  0.27-fixes
     Severity:  high                  |   Keywords:
Ticket locked:  0                     |
--------------------------------------+------------------------
 I get a segfault/AV after a few mins of no activity, repros consistently.

 AV stack:
 {{{
 void MainServer::customEvent(QEvent *e)
 {
 ...
         while (!decrRefSocketList.empty())
         {
             (*decrRefSocketList.begin())->DecrRef();  // here

 *decrRefSocketList.begin() points to a deallocated MythSocket.

 Stack:

 #0  0x000000000045f477 in MainServer::customEvent (this=0x8b2830, e=0x7fff3c0012a0) at mainserver.cpp:900
 #1  0x00007ffff3fd4e5d in QObject::event(QEvent*) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
 #2  0x00007ffff3fbc8bd in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
 #3  0x00007ffff3fbfe1f in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
 #4  0x00007ffff3fea073 in ?? () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
 #5  0x00007fffec62d3a6 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
 #6  0x00007fffec62d6f8 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
 #7  0x00007fffec62d79c in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
 #8  0x00007ffff3fe9a55 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
 #9  0x00007ffff3fbb5ef in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
 #10 0x00007ffff3fbb8e5 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
 #11 0x00007ffff3fc0e5b in QCoreApplication::exec() () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
 #12 0x0000000000522cae in run_backend (cmdline=...) at main_helpers.cpp:696
 #13 0x00000000004584f6 in main (argc=3, argv=0x7fffffffdf88) at main.cpp:135

 Some traces of the socket: (socket ptr is 8b6870)

 2649 2013-11-08 16:46:37.036703 E  MythSocket(8b6870:25): ReadStringList: Error, timed out after 30000 ms.
 2727 2013-11-08 16:46:37.036966 I  (0x8b6880)::IncrRef() -> 2  // pushed to decrRefSocketList list
 2767 2013-11-08 16:46:37.923067 I  (0x8b6880)::DecrRef() -> 1 // see [1]
 2787 2013-11-08 16:46:37.923168 E  MythSocket(8b6870:-1): No response.
 2807 2013-11-08 16:46:38.154256 I  (0x8b6880)::DecrRef() -> 0  // see [2]

 Now the object is destroyed, but still on the decrRefSocketList list,
 which means MainServer::customEvent will blow up!

 [1] ref dropping to 1 (I think this is wrong. PlaybackSock never took a
 ref)
 2653 #0  ReferenceCounter::DecrRef (this=0x8b6880) at referencecounter.cpp:128 // 1
 2654 #1  0x00000000004a8697 in PlaybackSock::~PlaybackSock (this=0x7fff3000c7f0, __in_chrg=<optimised out>) at playbacksock.cpp:44
 2655 #2  0x00000000004a8776 in PlaybackSock::~PlaybackSock (this=0x7fff3000c7f0, __in_chrg=<optimised out>) at playbacksock.cpp:46
 2656 #3  0x00007ffff6a93572 in ReferenceCounter::DecrRef (this=0x7fff3000c7f0) at referencecounter.cpp:158
 2657 #4  0x0000000000490b43 in MainServer::connectionClosed (this=0x8b2830, socket=0x8b6870) at mainserver.cpp:5888
 2658 #5  0x00007ffff69dda8f in MythSocket::DisconnectHandler (this=0x8b6870) at mythsocket.cpp:259
 2659 #6  0x00007ffff6aec497 in MythSocket::qt_static_metacall (_o=0x8b6870, _c=QMetaObject::InvokeMetaMethod, _id=4, _a=0x7fff46ffbbf0) at moc_mythsocket.cpp


 [2] dropping ref to 0 and freeing object:

 88 Breakpoint 2, ReferenceCounter::DecrRef (this=0x8b6880) at referencecounter.cpp:128
 2689 128     in referencecounter.cpp
 2690 #0  ReferenceCounter::DecrRef (this=0x8b6880) at referencecounter.cpp:128
 2691 #1  0x0000000000493cae in MainServer::reconnectTimeout (this=0x8b2830) at mainserver.cpp:6253
 2692 #2  0x0000000000564e0f in MainServer::qt_static_metacall (_o=0x8b2830, _c=QMetaObject::InvokeMetaMethod, _id=0, _a=0x7fffffffd520) at moc_mainserver.cpp:54
 2693 #3  0x00007ffff3fd0a58 in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
 2694 #4  0x00007ffff3fd4be1 in QObject::event(QEvent*) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
 2695 #5  0x00007ffff3fbc8bd in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
 2696 #6  0x00007ffff3fec403 in ?? () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
 2697 #7  0x00007ffff3fe97a1 in ?? () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
 2698 #8  0x00007fffec62d3a6 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
 2699 #9  0x00007fffec62d6f8 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
 2700 #10 0x00007fffec62d79c in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
 2701 #11 0x00007ffff3fe9a55 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
 2702 #12 0x00007ffff3fbb5ef in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
 2703 #13 0x00007ffff3fbb8e5 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
 2704 #14 0x00007ffff3fc0e5b in QCoreApplication::exec() () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
 2705 #15 0x0000000000522cae in run_backend (cmdline=...) at main_helpers.cpp:696

 }}}

 I think this is because PlaybackSock doesn't take a ref in the ctor, but
 unconditionally releases one in its dtor. If it didn't do that, we'd still
 have a valid object in MainServer::decrRefSocketList.

--
Ticket URL: <http://code.mythtv.org/trac/ticket/11940>
MythTV <http://www.mythtv.org>
MythTV Media Center
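
The reference-count sequence in the ticket's log, replayed on a constructed model (an added example, not MythTV code and not part of the original report). `RefCounted`, `Holder` and `replay` are hypothetical names; the model records reaching zero instead of deleting, so the stale decrement from the deferred list can be observed without real undefined behaviour.

```cpp
#include <cstdio>
#include <vector>

// Constructed stand-in for a reference-counted socket. At zero it sets
// `freed` instead of deleting itself; any later call is flagged.
struct RefCounted {
    int  refs = 1;                 // creator holds the first reference
    bool freed = false;
    bool use_after_free = false;
    void IncrRef() { if (freed) use_after_free = true; else ++refs; }
    void DecrRef() {
        if (freed) { use_after_free = true; return; }
        if (--refs == 0) freed = true;
    }
};

// Holder that always releases in its destructor. With take_ref == false it
// mirrors the imbalance the reporter suspects in PlaybackSock.
struct Holder {
    RefCounted *sock;
    Holder(RefCounted *s, bool take_ref) : sock(s) { if (take_ref) sock->IncrRef(); }
    ~Holder() { sock->DecrRef(); }
};

// Replays the logged order of events. Returns true when draining the
// deferred list touched an object whose count had already reached zero.
bool replay(bool holder_takes_ref) {
    RefCounted sock;                         // refs = 1, owned by the server
    std::vector<RefCounted *> deferred;      // stands in for decrRefSocketList
    {
        Holder h(&sock, holder_takes_ref);
        sock.IncrRef();                      // read timeout: ref held for the list
        deferred.push_back(&sock);
    }                                        // holder destroyed: DecrRef, see [1]
    sock.DecrRef();                          // reconnect path drops the server ref, see [2]
    for (RefCounted *s : deferred)           // customEvent drains the list
        s->DecrRef();
    return sock.use_after_free;
}

int main() {
    std::printf("unbalanced holder: stale DecrRef = %d\n", replay(false));
    std::printf("balanced holder:   stale DecrRef = %d\n", replay(true));
    return 0;
}
```

With the unbalanced holder the counts go 2, 1, 0 exactly as in the log, and the drain then hits a freed object; with a holder that takes its own reference the drain performs the final release.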

