Bug 423215 - nullptr dereference (stale m_player?) in phonon-vlc
Status: RESOLVED FIXED
Alias: None
Product: phonon-backend-vlc
Classification: Frameworks and Libraries
Component: general
Version: unspecified
Platform: Compiled Sources Linux
Importance: NOR crash
Target Milestone: ---
Assignee: Harald Sitter
Keywords: drkonqi
Reported: 2020-06-19 11:49 UTC by RJVB
Modified: 2020-06-24 11:43 UTC

Description RJVB 2020-06-19 11:49:25 UTC
Application: dragon (19.08.3)
 (Compiled from sources)
Qt Version: 5.9.8
Frameworks Version: 5.60.0
Operating System: Linux 4.14.23-ck1-mainline-core2-rjvb x86_64
Windowing system: X11
Distribution: Ubuntu 14.04.6 LTS

-- Information about the crash:
- What I was doing when the application crashed:

I quit Dragon5 with a video playing back. It crashed with the attached backtrace. I have not yet been able to reproduce the same situation (cf. the referenced old ticket) but it appears that the `m_player` member can be reset or a MediaObject instance created without initialising the m_player member.

The crash can be reproduced sometimes.

-- Backtrace:
Application: Dragon Player (dragon), signal: Aborted
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[Current thread is 1 (Thread 0x7f8203e5d840 (LWP 4578))]

Thread 5 (Thread 0x7f81ae0be700 (LWP 6219)):
#0  0x00007f81facb37be in pthread_cond_timedwait@@GLIBC_2.3.2 () at /lib/x86_64-linux-gnu/libpthread.so.0
#1  0x00007f81d85d544c in vlc_cond_timedwait (p_condvar=0x7f81b004dda8, p_mutex=<optimized out>, deadline=<optimized out>) at posix/thread.c:280
#2  0x00007f81d85d544c in vout_control_Pop (ctrl=0x7f81b004dd80, cmd=0x7f81ae0bdcc0, deadline=508665579097) at video_output/control.c:189
#3  0x00007f81d85dcb04 in Thread (object=0x7f81b004dbc0) at video_output/video_output.c:1806
#4  0x00007f81facaf184 in start_thread () at /lib/x86_64-linux-gnu/libpthread.so.0
#5  0x00007f81fde1403d in clone () at /lib/x86_64-linux-gnu/libc.so.6

Thread 4 (Thread 0x7f81e44f2700 (LWP 4581)):
#0  0x00007f81facb1497 in pthread_mutex_lock () at /lib/x86_64-linux-gnu/libpthread.so.0
#1  0x00007f81f6294caf in g_mutex_lock (mutex=<optimized out>) at gthread-posix.c:214
#2  0x00007f81f6294caf in g_main_context_prepare (context=0x7f81dc000990, priority=0x7f81e44f1c7c) at gmain.c:3483
#3  0x00007f81f6295e97 in g_main_context_iterate (context=0x7f81dc000990, block=<optimized out>, dispatch=<optimized out>, self=<optimized out>) at gmain.c:3888
#4  0x00007f81f6296307 in g_main_context_iteration (context=0x7f81dc000990, may_block=1) at gmain.c:3969
#5  0x00007f81febfa5db in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (this=0x7f81dc0008c0, flags=...) at /opt/local/var/lnxports/build/_opt_local_site-ports_aqua_qt5-kde-devel/qt5-kde-devel/work/qt-everywhere-opensource-src-5.9.8/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:425
#6  0x00007f81feba6472 in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (this=0x7f81e44f1d88, flags=...) at /opt/local/var/lnxports/build/_opt_local_site-ports_aqua_qt5-kde-devel/qt5-kde-devel/work/qt-everywhere-opensource-src-5.9.8/qtbase/src/corelib/kernel/qeventloop.cpp:134
#7  0x00007f81feba6472 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (this=0x7f81e44f1d88, flags=...) at /opt/local/var/lnxports/build/_opt_local_site-ports_aqua_qt5-kde-devel/qt5-kde-devel/work/qt-everywhere-opensource-src-5.9.8/qtbase/src/corelib/kernel/qeventloop.cpp:212
#8  0x00007f81fe9fb867 in QThread::exec() (this=<optimized out>) at /opt/local/var/lnxports/build/_opt_local_site-ports_aqua_qt5-kde-devel/qt5-kde-devel/work/qt-everywhere-opensource-src-5.9.8/qtbase/src/corelib/thread/qthread.cpp:515
#9  0x00007f8200154630 in QDBusConnectionManager::run() (this=0x7f82003b42e0 <(anonymous namespace)::Q_QGS__q_manager::innerFunction()::holder>) at /opt/local/var/lnxports/build/_opt_local_site-ports_aqua_qt5-kde-devel/qt5-kde-devel/work/qt-everywhere-opensource-src-5.9.8/qtbase/src/dbus/qdbusconnection.cpp:178
#10 0x00007f81fe9ff423 in QThreadPrivate::start(void*) (arg=0x7f82003b42e0 <(anonymous namespace)::Q_QGS__q_manager::innerFunction()::holder>) at /opt/local/var/lnxports/build/_opt_local_site-ports_aqua_qt5-kde-devel/qt5-kde-devel/work/qt-everywhere-opensource-src-5.9.8/qtbase/src/corelib/thread/qthread_unix.cpp:368
#11 0x00007f81facaf184 in start_thread () at /lib/x86_64-linux-gnu/libpthread.so.0
#12 0x00007f81fde1403d in clone () at /lib/x86_64-linux-gnu/libc.so.6

Thread 3 (Thread 0x7f81e6c63700 (LWP 4580)):
#0  0x00007f81facb3404 in pthread_cond_wait@@GLIBC_2.3.2 () at /lib/x86_64-linux-gnu/libpthread.so.0
#1  0x00007f81e7588b2b in cnd_wait (cond=<optimized out>, mtx=<optimized out>) at ../mesa-18.3.3/src/../include/c11/threads_posix.h:155
#2  0x00007f81e7588b2b in util_queue_thread_func (input=<optimized out>) at ../mesa-18.3.3/src/util/u_queue.c:270
#3  0x00007f81e7589446 in impl_thrd_routine (p=<optimized out>) at ../mesa-18.3.3/src/../include/c11/threads_posix.h:87
#4  0x00007f81facaf184 in start_thread () at /lib/x86_64-linux-gnu/libpthread.so.0
#5  0x00007f81fde1403d in clone () at /lib/x86_64-linux-gnu/libc.so.6

Thread 2 (Thread 0x7f81ed987700 (LWP 4579)):
#0  0x00007f81fde06c9d in poll () at /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007f81fa038ab2 in _xcb_conn_wait () at /opt/local/lib/libxcb.so.1
#2  0x00007f81fa03aeba in xcb_wait_for_event () at /opt/local/lib/libxcb.so.1
#3  0x00007f81ef8dbf49 in QXcbEventReader::run() (this=0xbd70b0) at /opt/local/var/lnxports/build/_opt_local_site-ports_aqua_qt5-kde-devel/qt5-kde-devel/work/qt-everywhere-opensource-src-5.9.8/qtbase/src/plugins/platforms/xcb/qxcbconnection.cpp:1330
#4  0x00007f81fe9ff423 in QThreadPrivate::start(void*) (arg=0xbd70b0) at /opt/local/var/lnxports/build/_opt_local_site-ports_aqua_qt5-kde-devel/qt5-kde-devel/work/qt-everywhere-opensource-src-5.9.8/qtbase/src/corelib/thread/qthread_unix.cpp:368
#5  0x00007f81facaf184 in start_thread () at /lib/x86_64-linux-gnu/libpthread.so.0
#6  0x00007f81fde1403d in clone () at /lib/x86_64-linux-gnu/libc.so.6

Thread 1 (Thread 0x7f8203e5d840 (LWP 4578)):
[KCrash Handler]
#6  0x00007f81fdd4cc37 in raise () at /lib/x86_64-linux-gnu/libc.so.6
#7  0x00007f81fdd50028 in abort () at /lib/x86_64-linux-gnu/libc.so.6
#8  0x00007f81f4cb4bbd in pa_close_pipe (fds=0x7f81b4001230) at pulsecore/core-util.c:2503
#9  0x00007f81fb728b7d in pa_mainloop_free (m=0x7f81b4001160) at pulse/mainloop.c:579
#10 0x00007f81fb73c522 in pa_threaded_mainloop_free (m=0x7f81b4001110) at pulse/thread-mainloop.c:138
#11 0x00007f81d32cd726 in Close (obj=0x7f81b40009a0) at audio_output/pulse.c:1076
#12 0x00007f81d8588a04 in vlc_module_unload (obj=0x7f81b40009a0, module=<optimized out>, deinit=0x6) at modules/modules.c:343
#13 0x00007f81d85d3970 in module_unneed (obj=0x7f81b40009a0, module=0xd83470) at modules/modules.c:378
#14 0x00007f81d85d3970 in aout_Destroy (aout=0x7f81b40009a0) at audio_output/output.c:364
#15 0x00007f81d85c6253 in input_resource_ResetAout (p_resource=<optimized out>) at input/resource.c:415
#16 0x00007f81d85c6253 in input_resource_Terminate (p_resource=0x10056e0) at input/resource.c:519
#17 0x00007f81d834cc31 in libvlc_media_player_stop (p_mi=0xf5f0b0) at media_player.c:1084
#18 0x00007f81d888ed5a in Phonon::VLC::MediaPlayer::stop() (this=0x0) at /opt/local/var/lnxports/build/_opt_local_site-ports_audio_phonon-backend-vlc/phonon-backend-vlc-qt5/work/phonon-backend-vlc-git/src/mediaplayer.cpp:151
#19 0x00007f81d888ed5a in Phonon::VLC::MediaObject::stop() (this=0xf5ed20) at /opt/local/var/lnxports/build/_opt_local_site-ports_audio_phonon-backend-vlc/phonon-backend-vlc-qt5/work/phonon-backend-vlc-git/src/mediaobject.cpp:143
#20 0x00007f8202d408c4 in Phonon::MediaObject::stop() (this=<optimized out>) at /opt/local/var/lnxports/build/_opt_local_linux-ports_audio_phonon/phonon-qt5/work/phonon-git/phonon/mediaobject.cpp:120
#21 0x00007f8202d408c4 in Phonon::MediaObject::~MediaObject() (this=0xf5e1c0) at /opt/local/var/lnxports/build/_opt_local_linux-ports_audio_phonon/phonon-qt5/work/phonon-git/phonon/mediaobject.cpp:59
#22 0x00007f8202d409e9 in Phonon::MediaObject::~MediaObject() (this=0xf5e1c0) at /opt/local/var/lnxports/build/_opt_local_linux-ports_audio_phonon/phonon-qt5/work/phonon-git/phonon/mediaobject.cpp:52
#23 0x00007f81febd1d79 in QObjectPrivate::deleteChildren() (this=<optimized out>) at /opt/local/var/lnxports/build/_opt_local_site-ports_aqua_qt5-kde-devel/qt5-kde-devel/work/qt-everywhere-opensource-src-5.9.8/qtbase/src/corelib/kernel/qobject.cpp:1998
#24 0x00007f81ff85f8cf in QWidget::~QWidget() (this=0xd6bcd0) at /opt/local/var/lnxports/build/_opt_local_site-ports_aqua_qt5-kde-devel/qt5-kde-devel/work/qt-everywhere-opensource-src-5.9.8/qtbase/src/widgets/kernel/qwidget.cpp:1701
#25 0x000000000041d841 in Dragon::VideoWindow::~VideoWindow() (this=0xd6bcd0) at /opt/local/var/lnxports/build/_opt_local_site-ports_kf5_kf5-dragon/kf5-dragon/work/dragon-19.08.3/src/app/videoWindow.cpp:167
#26 0x000000000041de59 in Dragon::VideoWindow::~VideoWindow() (this=0xd6bcd0) at /opt/local/var/lnxports/build/_opt_local_site-ports_kf5_kf5-dragon/kf5-dragon/work/dragon-19.08.3/src/app/videoWindow.cpp:163
#27 0x000000000042f340 in Dragon::MainWindow::~MainWindow() (this=0xfdd130, vtt=0x43d0d0 <VTT for Dragon::MainWindow>) at /opt/local/var/lnxports/build/_opt_local_site-ports_kf5_kf5-dragon/kf5-dragon/work/dragon-19.08.3/src/app/mainWindow.cpp:243
#28 0x000000000042f52e in Dragon::MainWindow::~MainWindow() (this=0xfdd130) at /opt/local/var/lnxports/build/_opt_local_site-ports_kf5_kf5-dragon/kf5-dragon/work/dragon-19.08.3/src/app/mainWindow.cpp:240
#29 0x000000000042f52e in Dragon::MainWindow::~MainWindow() (this=0xfdd130) at /opt/local/var/lnxports/build/_opt_local_site-ports_kf5_kf5-dragon/kf5-dragon/work/dragon-19.08.3/src/app/mainWindow.cpp:240
#30 0x00007f81febd23fd in qDeleteInEventHandler(QObject*) (o=0xfdd130) at /opt/local/var/lnxports/build/_opt_local_site-ports_aqua_qt5-kde-devel/qt5-kde-devel/work/qt-everywhere-opensource-src-5.9.8/qtbase/src/corelib/kernel/qobject.cpp:4605
#31 0x00007f81febd23fd in QObject::event(QEvent*) (this=0xfdd130, e=0x11e2) at /opt/local/var/lnxports/build/_opt_local_site-ports_aqua_qt5-kde-devel/qt5-kde-devel/work/qt-everywhere-opensource-src-5.9.8/qtbase/src/corelib/kernel/qobject.cpp:1243
#32 0x00007f81ff870fc7 in QWidget::event(QEvent*) (this=0xfdd130, event=0x1385780) at /opt/local/var/lnxports/build/_opt_local_site-ports_aqua_qt5-kde-devel/qt5-kde-devel/work/qt-everywhere-opensource-src-5.9.8/qtbase/src/widgets/kernel/qwidget.cpp:9346
#33 0x00007f81ff981d36 in QMainWindow::event(QEvent*) (this=0xfdd130, event=0x1385780) at /opt/local/var/lnxports/build/_opt_local_site-ports_aqua_qt5-kde-devel/qt5-kde-devel/work/qt-everywhere-opensource-src-5.9.8/qtbase/src/widgets/widgets/qmainwindow.cpp:1563
#34 0x00007f8203467802 in KMainWindow::event(QEvent*) (this=0xfdd130, ev=0x1385780) at /opt/local/var/lnxports/build/_opt_local_site-ports_kf5_KF5-Frameworks/kf5-kxmlgui/work/kxmlgui-5.60.0/src/kmainwindow.cpp:877
#35 0x00007f82034a08b3 in KXmlGuiWindow::event(QEvent*) (this=0xfdd130, ev=0x1385780) at /opt/local/var/lnxports/build/_opt_local_site-ports_kf5_KF5-Frameworks/kf5-kxmlgui/work/kxmlgui-5.60.0/src/kxmlguiwindow.cpp:125
#36 0x00007f81ff839801 in QApplicationPrivate::notify_helper(QObject*, QEvent*) (this=<optimized out>, receiver=0xfdd130, e=0x1385780) at /opt/local/var/lnxports/build/_opt_local_site-ports_aqua_qt5-kde-devel/qt5-kde-devel/work/qt-everywhere-opensource-src-5.9.8/qtbase/src/widgets/kernel/qapplication.cpp:3722
#37 0x00007f81ff83ab69 in QApplication::notify(QObject*, QEvent*) (this=0x7ffd59b530e8, receiver=0xfdd130, e=0x1385780) at /opt/local/var/lnxports/build/_opt_local_site-ports_aqua_qt5-kde-devel/qt5-kde-devel/work/qt-everywhere-opensource-src-5.9.8/qtbase/src/widgets/kernel/qapplication.cpp:3093
#38 0x00007f81febaa5e6 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (receiver=0xfdd130, event=0x1385780) at /opt/local/var/lnxports/build/_opt_local_site-ports_aqua_qt5-kde-devel/qt5-kde-devel/work/qt-everywhere-opensource-src-5.9.8/qtbase/src/corelib/kernel/qcoreapplication.cpp:1031
#39 0x00007f81febab46f in QCoreApplication::sendEvent(QObject*, QEvent*) (receiver=<optimized out>, event=<optimized out>) at .moc/../../../../../qt-everywhere-opensource-src-5.9.8/qtbase/src/corelib/kernel/qcoreapplication.h:233
#40 0x00007f81febab46f in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (receiver=0x0, event_type=0, data=0xbbed30) at /opt/local/var/lnxports/build/_opt_local_site-ports_aqua_qt5-kde-devel/qt5-kde-devel/work/qt-everywhere-opensource-src-5.9.8/qtbase/src/corelib/kernel/qcoreapplication.cpp:1706
#41 0x00007f81febfab23 in postEventSourceDispatch(_GSource*, int (*)(void*), void*) (s=0xd5cf10) at /opt/local/var/lnxports/build/_opt_local_site-ports_aqua_qt5-kde-devel/qt5-kde-devel/work/qt-everywhere-opensource-src-5.9.8/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:276
#42 0x00007f81f629598c in g_main_dispatch (context=<optimized out>) at gmain.c:3170
#43 0x00007f81f629598c in g_main_context_dispatch (context=<optimized out>) at gmain.c:3835
#44 0x00007f81f629609e in g_main_context_iterate (context=0x7f81e8003030, block=<optimized out>, dispatch=<optimized out>, self=<optimized out>) at gmain.c:3908
#45 0x00007f81f6296307 in g_main_context_iteration (context=0x7f81e8003030, may_block=1) at gmain.c:3969
#46 0x00007f81febfa5db in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (this=0xd5e120, flags=...) at /opt/local/var/lnxports/build/_opt_local_site-ports_aqua_qt5-kde-devel/qt5-kde-devel/work/qt-everywhere-opensource-src-5.9.8/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:425
#47 0x00007f81feba6472 in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (this=0x7ffd59b53020, flags=...) at /opt/local/var/lnxports/build/_opt_local_site-ports_aqua_qt5-kde-devel/qt5-kde-devel/work/qt-everywhere-opensource-src-5.9.8/qtbase/src/corelib/kernel/qeventloop.cpp:134
#48 0x00007f81feba6472 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (this=0x7ffd59b53020, flags=...) at /opt/local/var/lnxports/build/_opt_local_site-ports_aqua_qt5-kde-devel/qt5-kde-devel/work/qt-everywhere-opensource-src-5.9.8/qtbase/src/corelib/kernel/qeventloop.cpp:212
#49 0x00007f81febaacad in QCoreApplication::exec() () at /opt/local/var/lnxports/build/_opt_local_site-ports_aqua_qt5-kde-devel/qt5-kde-devel/work/qt-everywhere-opensource-src-5.9.8/qtbase/src/corelib/kernel/qcoreapplication.cpp:1304
#50 0x000000000042aa34 in main(int, char**) (argc=<optimized out>, argv=<optimized out>) at /opt/local/var/lnxports/build/_opt_local_site-ports_kf5_kf5-dragon/kf5-dragon/work/dragon-19.08.3/src/app/main.cpp:88

The reporter indicates this bug may be a duplicate of or related to bug 266797.

Possible duplicates by query: bug 336486, bug 266797, bug 263639, bug 228324, bug 220906.

Reported using DrKonqi
Comment 1 Harald Sitter 2020-06-24 08:44:40 UTC
That makes no sense. m_player is never set to 0.
Comment 2 RJVB 2020-06-24 10:44:28 UTC
It does look like a freak event, but you should never say never ;)

#18 0x00007f81d888ed5a in Phonon::VLC::MediaPlayer::stop() (this=0x0) at /opt/local/var/lnxports/build/_opt_local_site-ports_audio_phonon-backend-vlc/phonon-backend-vlc-qt5/work/phonon-backend-vlc-git/src/mediaplayer.cpp:151
#19 0x00007f81d888ed5a in Phonon::VLC::MediaObject::stop() (this=0xf5ed20) at /opt/local/var/lnxports/build/_opt_local_site-ports_audio_phonon-backend-vlc/phonon-backend-vlc-qt5/work/phonon-backend-vlc-git/src/mediaobject.cpp:143

Frame 18 can only have happened if m_player was NULL, I see no other explanation.
Comment 3 Harald Sitter 2020-06-24 11:43:48 UTC
Git commit 129b03db4db5b85f31318679037fd893c510a7dc by Harald Sitter.
Committed on 24/06/2020 at 11:43.
Pushed by sitter into branch '0.11'.

assert that m_player is allocated

M  +1    -0    src/mediaobject.cpp

https://invent.kde.org/libraries/phonon-vlc/commit/129b03db4db5b85f31318679037fd893c510a7dc
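
The frame-18 reasoning from comment 2, as a triage script added here (it is not part of the bug report or of phonon-vlc): it parses gdb frames, flags any frame reported with `this=0x0`, and lists the frames printed at the same address, which is how gdb shows a call that was inlined into its caller. The sample is frames 17 to 21 of the crashing thread with source paths shortened; the function and field names are this example's own.

```python
import re
from itertools import groupby

# Frames 17-21 of thread 1 from the report above; source paths shortened for
# readability (sample trimmed for this example, addresses and arguments unchanged).
SAMPLE = """\
#17 0x00007f81d834cc31 in libvlc_media_player_stop (p_mi=0xf5f0b0) at media_player.c:1084
#18 0x00007f81d888ed5a in Phonon::VLC::MediaPlayer::stop() (this=0x0) at src/mediaplayer.cpp:151
#19 0x00007f81d888ed5a in Phonon::VLC::MediaObject::stop() (this=0xf5ed20) at src/mediaobject.cpp:143
#20 0x00007f8202d408c4 in Phonon::MediaObject::stop() (this=<optimized out>) at phonon/mediaobject.cpp:120
#21 0x00007f8202d408c4 in Phonon::MediaObject::~MediaObject() (this=0xf5e1c0) at phonon/mediaobject.cpp:59
"""

FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+(?P<pc>0x[0-9a-f]+) in (?P<func>.+?) "
    r"\((?P<args>.*)\) at (?P<file>[^:\s]+):(?P<line>\d+)$"
)

def parse_frames(text):
    """Parse gdb 'bt' lines into dicts; lines that are not frames are skipped."""
    frames = []
    for raw in text.splitlines():
        m = FRAME_RE.match(raw.strip())
        if not m:
            continue
        f = m.groupdict()
        f["num"], f["line"] = int(f["num"]), int(f["line"])
        # Split "name=value, name=value" into a dict of argument values.
        f["args"] = dict(a.split("=", 1) for a in f["args"].split(", ") if "=" in a)
        frames.append(f)
    return frames

def triage_null_this(frames):
    """Report frames with this=0x0 and the neighbouring frames that share their PC."""
    findings = []
    # gdb prints an inlined call with the same PC as the frame it was inlined into.
    for _pc, group in groupby(frames, key=lambda f: f["pc"]):
        group = list(group)
        for f in group:
            if f["args"].get("this") == "0x0":
                findings.append({"frame": f["num"], "func": f["func"],
                                 "location": f"{f['file']}:{f['line']}",
                                 "shares_pc_with": [g["num"] for g in group if g is not f]})
    return findings

if __name__ == "__main__":
    for finding in triage_null_this(parse_frames(SAMPLE)):
        print(finding)
```

On the sample, frame 18 is flagged and shown to share its address with frame 19, so the `this` value printed there comes from debug information for an inlined call rather than from a separate call frame.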