Opened 6 years ago

Closed 5 years ago

#11940 closed Bug Report - General (Fixed)

Segfault mythbackend (misrefcounting MythSocket)

Reported by: abudovski@…
Owned by:
Priority: major
Milestone: 0.27.1
Component: MythTV - General
Version: 0.27-fixes
Severity: high
Keywords:
Cc:
Ticket locked: no

Description

I get a segfault/AV after a few mins of no activity, repros consistently.

AV stack:

void MainServer::customEvent(QEvent *e)
{
...
        while (!decrRefSocketList.empty())
        {
            (*decrRefSocketList.begin())->DecrRef();  // here

*decrRefSocketList.begin() points to a deallocated MythSocket.

Stack:

#0  0x000000000045f477 in MainServer::customEvent (this=0x8b2830, e=0x7fff3c0012a0) at mainserver.cpp:900                                  
#1  0x00007ffff3fd4e5d in QObject::event(QEvent*) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4                                          
#2  0x00007ffff3fbc8bd in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4              
#3  0x00007ffff3fbfe1f in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4                                                                                                                                      
#4  0x00007ffff3fea073 in ?? () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4                                                              
#5  0x00007fffec62d3a6 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0                                            
#6  0x00007fffec62d6f8 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0                                                                
#7  0x00007fffec62d79c in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0                                          
#8  0x00007ffff3fe9a55 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4                                                                                                                                  
#9  0x00007ffff3fbb5ef in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#10 0x00007ffff3fbb8e5 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4          
#11 0x00007ffff3fc0e5b in QCoreApplication::exec() () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4                                        
#12 0x0000000000522cae in run_backend (cmdline=...) at main_helpers.cpp:696                                                                
#13 0x00000000004584f6 in main (argc=3, argv=0x7fffffffdf88) at main.cpp:135

Some traces of the socket: (socket ptr is 8b6870)

2649 2013-11-08 16:46:37.036703 E  MythSocket(8b6870:25): ReadStringList: Error, timed out after 30000 ms.
2727 2013-11-08 16:46:37.036966 I  (0x8b6880)::IncrRef() -> 2  // pushed to decrRefSocketList list
2767 2013-11-08 16:46:37.923067 I  (0x8b6880)::DecrRef() -> 1 // see [1]
2787 2013-11-08 16:46:37.923168 E  MythSocket(8b6870:-1): No response.
2807 2013-11-08 16:46:38.154256 I  (0x8b6880)::DecrRef() -> 0  // see [2]

Now the object is destroyed, but still on the decrRefSocketList list, which means MainServer::customEvent will blow up!

[1] ref dropping to 1 (I think this is wrong. PlaybackSock never took a ref)
2653 #0  ReferenceCounter::DecrRef (this=0x8b6880) at referencecounter.cpp:128 // 1
2654 #1  0x00000000004a8697 in PlaybackSock::~PlaybackSock (this=0x7fff3000c7f0, __in_chrg=<optimised out>) at playbacksock.cpp:44
2655 #2  0x00000000004a8776 in PlaybackSock::~PlaybackSock (this=0x7fff3000c7f0, __in_chrg=<optimised out>) at playbacksock.cpp:46
2656 #3  0x00007ffff6a93572 in ReferenceCounter::DecrRef (this=0x7fff3000c7f0) at referencecounter.cpp:158
2657 #4  0x0000000000490b43 in MainServer::connectionClosed (this=0x8b2830, socket=0x8b6870) at mainserver.cpp:5888
2658 #5  0x00007ffff69dda8f in MythSocket::DisconnectHandler (this=0x8b6870) at mythsocket.cpp:259
2659 #6  0x00007ffff6aec497 in MythSocket::qt_static_metacall (_o=0x8b6870, _c=QMetaObject::InvokeMetaMethod, _id=4, _a=0x7fff46ffbbf0) at moc_mythsocket.cpp   


[2] dropping ref to 0 and freeing object:

88 Breakpoint 2, ReferenceCounter::DecrRef (this=0x8b6880) at referencecounter.cpp:128
2689 128     in referencecounter.cpp
2690 #0  ReferenceCounter::DecrRef (this=0x8b6880) at referencecounter.cpp:128
2691 #1  0x0000000000493cae in MainServer::reconnectTimeout (this=0x8b2830) at mainserver.cpp:6253
2692 #2  0x0000000000564e0f in MainServer::qt_static_metacall (_o=0x8b2830, _c=QMetaObject::InvokeMetaMethod, _id=0, _a=0x7fffffffd520) at moc_mainserver.cpp:54
2693 #3  0x00007ffff3fd0a58 in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
2694 #4  0x00007ffff3fd4be1 in QObject::event(QEvent*) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
2695 #5  0x00007ffff3fbc8bd in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
2696 #6  0x00007ffff3fec403 in ?? () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
2697 #7  0x00007ffff3fe97a1 in ?? () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
2698 #8  0x00007fffec62d3a6 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
2699 #9  0x00007fffec62d6f8 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
2700 #10 0x00007fffec62d79c in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
2701 #11 0x00007ffff3fe9a55 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
2702 #12 0x00007ffff3fbb5ef in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
2703 #13 0x00007ffff3fbb8e5 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
2704 #14 0x00007ffff3fc0e5b in QCoreApplication::exec() () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
2705 #15 0x0000000000522cae in run_backend (cmdline=...) at main_helpers.cpp:696

I think this is because PlaybackSock doesn't take a ref in the ctor, but unconditionally releases one in its dtor. If it didn't do that, we'd still have a valid object in MainServer::decrRefSocketList.
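
The imbalance described in this report, reduced to a self-contained C++ model. This is an added example, not MythTV code: `Counted`, `Wrapper` and `replay` are hypothetical stand-ins for MythSocket, PlaybackSock and the MainServer sequence, and the loop checks liveness instead of dereferencing the stale entry so that it runs safely.

```cpp
#include <cstdio>
#include <deque>

// Hypothetical stand-in for a reference-counted socket.
struct Counted {
    int refs = 1;                               // creator holds the first reference
    static int& alive() { static int n = 0; return n; }
    Counted() { ++alive(); }
    ~Counted() { --alive(); }
    void IncrRef() { ++refs; }
    void DecrRef() { if (--refs == 0) delete this; }
};

// Hypothetical wrapper that always releases in its destructor; takeRef
// selects whether the constructor acquires the reference it later drops.
struct Wrapper {
    Counted* sock;
    Wrapper(Counted* s, bool takeRef) : sock(s) { if (takeRef) sock->IncrRef(); }
    ~Wrapper() { sock->DecrRef(); }
};

// Replays the logged sequence and returns how many deferred-release entries
// pointed at an already destroyed object when the release loop ran.
int replay(bool wrapperTakesRef) {
    Counted* sock = new Counted();              // refs = 1, held by the owner
    std::deque<Counted*> deferred;              // models decrRefSocketList
    {
        Wrapper w(sock, wrapperTakesRef);
        sock->IncrRef();                        // the deferred list's reference
        deferred.push_back(sock);
    }                                           // ~Wrapper releases one reference
    sock->DecrRef();                            // owner releases its reference
    int dangling = 0;
    while (!deferred.empty()) {
        // Only one object exists in this model, so alive() == 0 means the
        // list entry is stale; the crashing loop would dereference it here.
        if (Counted::alive() > 0) deferred.front()->DecrRef();
        else ++dangling;
        deferred.pop_front();
    }
    return dangling;
}

int main() {
    std::printf("unbalanced wrapper: %d dangling entries\n", replay(false));
    std::printf("balanced wrapper:   %d dangling entries\n", replay(true));
    return 0;
}
```

With the unbalanced wrapper the counts go 2, 1, 0 as in the log above, and the object is gone before the deferred list releases its reference.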

Change History (1)

comment:1 Changed 5 years ago by JYA

Milestone: 0.27.1
Resolution: Fixed
Status: new → closed