Invalid memory access in MetaSoundPlayer
This is something I noticed in valgrind:
==15872== Invalid write of size 8
==15872== at 0x58BDDE2: play_sound (meta-sound-player.c:143)
==15872== by 0x4D44ABC: g_thread_pool_thread_proxy (gthreadpool.c:354)
==15872== by 0x4D44214: g_thread_proxy (gthread.c:807)
==15872== by 0x6697431: start_thread (in /usr/lib64/libpthread-2.31.so)
==15872== by 0x5AF1832: clone (in /usr/lib64/libc-2.31.so)
==15872== Address 0x96e43e0 is 16 bytes inside a block of size 40 free'd
==15872== at 0x483B9F5: free (vg_replace_malloc.c:540)
==15872== by 0x17A9E7F7: pulse_driver_cancel (in /usr/lib64/libcanberra-0.30/libcanberra-pulse.so)
==15872== by 0x87DE15B: ca_context_cancel (in /usr/lib64/libcanberra.so.0.2.5)
==15872== by 0x4AFA1E4: g_cancellable_connect (gcancellable.c:576)
==15872== by 0x58BDDE1: play_sound (meta-sound-player.c:144)
==15872== by 0x4D44ABC: g_thread_pool_thread_proxy (gthreadpool.c:354)
==15872== by 0x4D44214: g_thread_proxy (gthread.c:807)
==15872== by 0x6697431: start_thread (in /usr/lib64/libpthread-2.31.so)
==15872== by 0x5AF1832: clone (in /usr/lib64/libc-2.31.so)
==15872== Block was alloc'd at
==15872== at 0x483CAE9: calloc (vg_replace_malloc.c:762)
==15872== by 0x4D20C38: g_malloc0 (gmem.c:132)
==15872== by 0x58BE2E0: meta_play_request_new (meta-sound-player.c:69)
==15872== by 0x58BE2E0: meta_sound_player_play_from_theme (meta-sound-player.c:257)
==15872== by 0x66B6AEF: ffi_call_unix64 (in /usr/lib64/libffi.so.6.0.2)
==15872== by 0x66B62AA: ffi_call (in /usr/lib64/libffi.so.6.0.2)
What I suspect is happening is that finish_cb gets called from a different thread before play_sound can connect the cancellable. And since finish_cb frees the request, writing cancel_id is an invalid write at that point. I guess the request has to be protected by a mutex at the beginning of play_sound and finish_cb.
Edited by Sebastian Keller
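The pattern suggested in the report, as an added illustration that is not mutter's code: a constructed stand-in for the play request whose `finished` flag is read and written under a mutex, so the side that connects the cancellable never stores `cancel_id` into a request that finish_cb has already torn down. It goes one step beyond the report by splitting ownership with a reference count, so whichever of play_sound and finish_cb runs last is the one that frees, instead of finish_cb freeing unconditionally. Field names, the function signatures, the `g_frees` counter and the deterministic replay of both interleavings (no real threads are spawned) are all assumptions made for the example.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Counts frees so a test can check the request is released exactly once
 * in every ordering (constructed instrumentation, not part of mutter). */
int g_frees = 0;

/* Constructed stand-in for the play request; field names are assumptions. */
typedef struct {
    pthread_mutex_t lock;
    int refcount;           /* one reference for play_sound, one for finish_cb */
    bool finished;          /* set by finish_cb; play_sound must not touch the request once true */
    unsigned long cancel_id;
    char sound_name[32];
} PlayRequest;

PlayRequest *play_request_new(const char *sound_name)
{
    PlayRequest *req = calloc(1, sizeof *req);
    if (!req)
        return NULL;
    pthread_mutex_init(&req->lock, NULL);
    req->refcount = 2;
    snprintf(req->sound_name, sizeof req->sound_name, "%s", sound_name);
    return req;
}

/* Drops one reference; the last holder frees, so neither side can free
 * memory the other side is still about to write. */
static void play_request_unref(PlayRequest *req)
{
    pthread_mutex_lock(&req->lock);
    int remaining = --req->refcount;
    pthread_mutex_unlock(&req->lock);
    if (remaining == 0) {
        pthread_mutex_destroy(&req->lock);
        free(req);
        g_frees++;
    }
}

/* Stand-in for finish_cb: instead of freeing outright, mark the request
 * finished under the lock and release this side's reference. */
void finish_cb(PlayRequest *req)
{
    pthread_mutex_lock(&req->lock);
    req->finished = true;
    pthread_mutex_unlock(&req->lock);
    play_request_unref(req);
}

/* Stand-in for the cancellable hookup in play_sound: store cancel_id only
 * while playback is still live. Returns whether the id was stored. */
bool play_sound_connect(PlayRequest *req, unsigned long id)
{
    bool stored = false;
    pthread_mutex_lock(&req->lock);
    if (!req->finished) {
        req->cancel_id = id;
        stored = true;
    }
    pthread_mutex_unlock(&req->lock);
    play_request_unref(req);
    return stored;
}

/* Replays the two interleavings deterministically (no real threads):
 * finish_first = true is the valgrind case, where finish_cb runs before
 * play_sound has connected the cancellable. Returns whether cancel_id
 * was stored; the request is freed exactly once either way. */
bool simulate(bool finish_first)
{
    PlayRequest *req = play_request_new("bell");
    bool stored;
    if (finish_first) {
        finish_cb(req);
        stored = play_sound_connect(req, 42);
    } else {
        stored = play_sound_connect(req, 42);
        finish_cb(req);
    }
    return stored;
}

int main(void)
{
    printf("play_sound first: cancel_id stored = %d\n", simulate(false));
    printf("finish_cb first:  cancel_id stored = %d\n", simulate(true));
    printf("requests freed: %d\n", g_frees);
    return 0;
}
```

In the ordering valgrind caught, the flag check under the lock turns the write into a no-op and the later unref frees the block; in the normal ordering the id is stored and finish_cb's unref frees. A mutex alone would serialise the two sides but would not by itself stop play_sound from writing after the free, which is why the finished flag (or equivalent ownership hand-off) is the part that actually closes the use-after-free.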