Possible UB in `get_api` function

[vnrst]

Hi,

In libpulse_binding::mainloop::api::standard::Mainloop (this line) and libpulse_binding::mainloop::api::threaded::Mainloop (this line), there is the function get_api which returns a borrow to the API vtable. I think the lifetime annotations of this function are incorrect and could lead to unexpected behavior.

pub fn get_api<'a>(&self) -> &'a ::mainloop::api::MainloopApi {
    ...
}

The returned borrow can live even after the Mainloop is freed and the Api is destroyed. As the function's docstring says, "No need to free the API as it is owned by the loop and is destroyed when the loop is freed."

I believe that something like this shouldn't be allowed to compile:

let mut mainloop = Mainloop::new().expect("Failed to create Mainoop");
let api: &MainloopApi = mainloop.get_api();
drop(mainloop); // Also frees API vtable
// Use api here

Changing the function signature to this would solve the issue and prevent the above code from compiling.

pub fn get_api(&self) -> & ::mainloop::api::MainloopApi

[jnqnfe]

Hi,

Yes, if what the reference points to is indeed dynamically allocated and is freed when the mainloop object is dropped, then the example you give presents a use-after-free vulnerability.

It's been quite a while since I put this together and I can't recall exactly why I set the lifetime up this way. I clearly chose to deliberately separate the lifetime of the returned api reference from the lifetime of the mainloop object reference, but why escapes my recollection.

I think either:

1. When I dug into the PA C code I perhaps found that it's in fact pointing to static functions (mainloop implementation specific) and thus there was no such concern and I didn't want to impose an unnecessary lifetime restriction, not knowing how people might use this and not wanting to create problems for any C codebases being converted to Rust. The documentation comment you highlight would seem to contradict this though, unless it's just badly worded, but then what else would I have meant by it?
2. Or I accepted that it was dodgy but felt that it was necessary to get around potential borrow issues - If this function was written as you suggest it should be, then if you used this function, creating an immutable borrow against the mainloop object, then that latter borrow would have to outlive the api reference, which would block use of any methods that require a mutable reference, for as long as the api reference lives. Perhaps I felt it ugly to force users to have to drop and re-obtain the reference in order to use methods requiring a mutable reference? A regrettable decision if so because the security implications should outweigh such concern of possible ugliness. Or perhaps it prevented compiling the crate somehow. I probably considered marking it as an unsafe function, but seemingly chose not to do this for some reason.
3. Or, possibly it was a result of confusion trying to get my head fully around how to use the lifetime concept.

I'm leaning towards the second possibility. With respect to it I recall that the rust borrow checker became smarter several releases ago; I believe it now can assess what attributes of an object are being borrowed, thus allowing more code to compile. So perhaps the issue of an api reference blocking use of mutable reference methods is no longer an issue?

So:

• Perhaps I should try to dig back into the PA C codebase to checkout the first possibility, though it's been a long time since I looked at it and I'm not sure my heads in the best place for doing that. If that is the case then the documentation needs to be clarified.
• If it's the second possibility above, then perhaps, especially in light of borrow checker improvements, I should now implement the change you suggest. If this doesn't work out for some reason then perhaps at very least a big fat warning should be added to this method's documentation and 'unsafe' should be reconsidered.

[vnrst]

So I looked into it a bit more, and it maybe seems like the thing that it points to is maybe not freed when the mainloop object is dropped.

I tried this code

 let mut mainloop = Mainloop::new().expect("Failed to create Mainoop");
 let api: &MainloopApi = mainloop.get_api();
 drop(mainloop);
 api.quit.unwrap()(api as *const MainloopApi, 0 as i32);

And I got the following error message:

pa_write() failed while trying to wake up the mainloop: Bad file descriptor

This is indeed an error, but not a use-after free. Looks like the API vtable object is still around, because I'm able to call api.quit without a use-after free.

[vnrst]

Another concern is, even if the API object is still around, the associated data might not be. There is a field in MainloopApi called userdata: *mut c_void - it might be possible to call one of the API functions that relies on data in that field, and if it's been freed then that would be a use-after-free.

I have no idea what that would look like from the C side though.

[powpingdone]

Taking a peek into here, ASAN and Valgrind cried foul on the sample program vrnst made.
Program was

use libpulse_binding::mainloop::{api::MainloopApi, standard::Mainloop};

fn main() {
    let mut mainloop = Mainloop::new().expect("Failed to create Mainoop");
    let api: &MainloopApi = mainloop.get_api();
    drop(mainloop);
    api.quit.unwrap()(api as *const MainloopApi, 0_i32);
}

And the angry Valgrind gave:

❯ valgrind target/debug/pulsebinding
==592008== Memcheck, a memory error detector
==592008== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==592008== Using Valgrind-3.21.0 and LibVEX; rerun with -h for copyright info
==592008== Command: target/debug/pulsebinding
==592008== 
==592008== Invalid read of size 8
==592008==    at 0x110951: pulsebinding::main (main.rs:8)
==592008==    by 0x110A3A: core::ops::function::FnOnce::call_once (function.rs:250)
==592008==    by 0x110CDD: std::sys_common::backtrace::__rust_begin_short_backtrace (backtrace.rs:135)
==592008==    by 0x1108B0: std::rt::lang_start::{{closure}} (rt.rs:166)
==592008==    by 0x125104: call_once<(), (dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe)> (function.rs:284)
==592008==    by 0x125104: do_call<&(dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe), i32> (panicking.rs:500)
==592008==    by 0x125104: try<i32, &(dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe)> (panicking.rs:464)
==592008==    by 0x125104: catch_unwind<&(dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe), i32> (panic.rs:142)
==592008==    by 0x125104: {closure#2} (rt.rs:148)
==592008==    by 0x125104: do_call<std::rt::lang_start_internal::{closure_env#2}, isize> (panicking.rs:500)
==592008==    by 0x125104: try<isize, std::rt::lang_start_internal::{closure_env#2}> (panicking.rs:464)
==592008==    by 0x125104: catch_unwind<std::rt::lang_start_internal::{closure_env#2}, isize> (panic.rs:142)
==592008==    by 0x125104: std::rt::lang_start_internal (rt.rs:148)
==592008==    by 0x110889: std::rt::lang_start (rt.rs:165)
==592008==    by 0x1109CD: main (in /var/home/powpingdone/extern/pulsebinding/target/debug/pulsebinding)
==592008==  Address 0x5348db0 is 192 bytes inside a block of size 248 free'd
==592008==    at 0x484412F: free (vg_replace_malloc.c:974)
==592008==    by 0x4898E54: UnknownInlinedFun (xmalloc.c:129)
==592008==    by 0x4898E54: pa_xfree (xmalloc.c:122)
==592008==    by 0x110EA7: libpulse_binding::mainloop::standard::<impl libpulse_binding::mainloop::api::MainloopInner<libpulse_sys::mainloop::standard::pa_mainloop>>::drop_actual (standard.rs:287)
==592008==    by 0x111245: <libpulse_binding::mainloop::api::MainloopInner<T> as core::ops::drop::Drop>::drop (api.rs:97)
==592008==    by 0x1112BA: core::ptr::drop_in_place<libpulse_binding::mainloop::api::MainloopInner<libpulse_sys::mainloop::standard::pa_mainloop>> (mod.rs:497)
==592008==    by 0x110B31: <alloc::rc::Rc<T> as core::ops::drop::Drop>::drop (rc.rs:1609)
==592008==    by 0x110A49: core::ptr::drop_in_place<alloc::rc::Rc<libpulse_binding::mainloop::api::MainloopInner<libpulse_sys::mainloop::standard::pa_mainloop>>> (mod.rs:497)
==592008==    by 0x110A59: core::ptr::drop_in_place<libpulse_binding::mainloop::standard::Mainloop> (mod.rs:497)
==592008==    by 0x110CCC: core::mem::drop (mod.rs:987)
==592008==    by 0x110949: pulsebinding::main (main.rs:7)
==592008==    by 0x110A3A: core::ops::function::FnOnce::call_once (function.rs:250)
==592008==    by 0x110CDD: std::sys_common::backtrace::__rust_begin_short_backtrace (backtrace.rs:135)
==592008==  Block was alloc'd at
==592008==    at 0x48469B3: calloc (vg_replace_malloc.c:1554)
==592008==    by 0x489B6D3: pa_xmalloc0 (xmalloc.c:74)
==592008==    by 0x4884695: UnknownInlinedFun (xmalloc.h:75)
==592008==    by 0x4884695: pa_mainloop_new (mainloop.c:470)
==592008==    by 0x110EBC: libpulse_binding::mainloop::standard::Mainloop::new (standard.rs:294)
==592008==    by 0x1108E1: pulsebinding::main (main.rs:5)
==592008==    by 0x110A3A: core::ops::function::FnOnce::call_once (function.rs:250)
==592008==    by 0x110CDD: std::sys_common::backtrace::__rust_begin_short_backtrace (backtrace.rs:135)
==592008==    by 0x1108B0: std::rt::lang_start::{{closure}} (rt.rs:166)
==592008==    by 0x125104: call_once<(), (dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe)> (function.rs:284)
==592008==    by 0x125104: do_call<&(dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe), i32> (panicking.rs:500)
==592008==    by 0x125104: try<i32, &(dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe)> (panicking.rs:464)
==592008==    by 0x125104: catch_unwind<&(dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe), i32> (panic.rs:142)
==592008==    by 0x125104: {closure#2} (rt.rs:148)
==592008==    by 0x125104: do_call<std::rt::lang_start_internal::{closure_env#2}, isize> (panicking.rs:500)
==592008==    by 0x125104: try<isize, std::rt::lang_start_internal::{closure_env#2}> (panicking.rs:464)
==592008==    by 0x125104: catch_unwind<std::rt::lang_start_internal::{closure_env#2}, isize> (panic.rs:142)
==592008==    by 0x125104: std::rt::lang_start_internal (rt.rs:148)
==592008==    by 0x110889: std::rt::lang_start (rt.rs:165)
==592008==    by 0x1109CD: main (in /var/home/powpingdone/extern/pulsebinding/target/debug/pulsebinding)
==592008== 
==592008== Invalid read of size 8
==592008==    at 0x48826FD: mainloop_quit (mainloop.c:426)
==592008==    by 0x110973: pulsebinding::main (main.rs:8)
==592008==    by 0x110A3A: core::ops::function::FnOnce::call_once (function.rs:250)
==592008==    by 0x110CDD: std::sys_common::backtrace::__rust_begin_short_backtrace (backtrace.rs:135)
==592008==    by 0x1108B0: std::rt::lang_start::{{closure}} (rt.rs:166)
==592008==    by 0x125104: call_once<(), (dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe)> (function.rs:284)
==592008==    by 0x125104: do_call<&(dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe), i32> (panicking.rs:500)
==592008==    by 0x125104: try<i32, &(dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe)> (panicking.rs:464)
==592008==    by 0x125104: catch_unwind<&(dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe), i32> (panic.rs:142)
==592008==    by 0x125104: {closure#2} (rt.rs:148)
==592008==    by 0x125104: do_call<std::rt::lang_start_internal::{closure_env#2}, isize> (panicking.rs:500)
==592008==    by 0x125104: try<isize, std::rt::lang_start_internal::{closure_env#2}> (panicking.rs:464)
==592008==    by 0x125104: catch_unwind<std::rt::lang_start_internal::{closure_env#2}, isize> (panic.rs:142)
==592008==    by 0x125104: std::rt::lang_start_internal (rt.rs:148)
==592008==    by 0x110889: std::rt::lang_start (rt.rs:165)
==592008==    by 0x1109CD: main (in /var/home/powpingdone/extern/pulsebinding/target/debug/pulsebinding)
==592008==  Address 0x5348d48 is 88 bytes inside a block of size 248 free'd
==592008==    at 0x484412F: free (vg_replace_malloc.c:974)
==592008==    by 0x4898E54: UnknownInlinedFun (xmalloc.c:129)
==592008==    by 0x4898E54: pa_xfree (xmalloc.c:122)
==592008==    by 0x110EA7: libpulse_binding::mainloop::standard::<impl libpulse_binding::mainloop::api::MainloopInner<libpulse_sys::mainloop::standard::pa_mainloop>>::drop_actual (standard.rs:287)
==592008==    by 0x111245: <libpulse_binding::mainloop::api::MainloopInner<T> as core::ops::drop::Drop>::drop (api.rs:97)
==592008==    by 0x1112BA: core::ptr::drop_in_place<libpulse_binding::mainloop::api::MainloopInner<libpulse_sys::mainloop::standard::pa_mainloop>> (mod.rs:497)
==592008==    by 0x110B31: <alloc::rc::Rc<T> as core::ops::drop::Drop>::drop (rc.rs:1609)
==592008==    by 0x110A49: core::ptr::drop_in_place<alloc::rc::Rc<libpulse_binding::mainloop::api::MainloopInner<libpulse_sys::mainloop::standard::pa_mainloop>>> (mod.rs:497)
==592008==    by 0x110A59: core::ptr::drop_in_place<libpulse_binding::mainloop::standard::Mainloop> (mod.rs:497)
==592008==    by 0x110CCC: core::mem::drop (mod.rs:987)
==592008==    by 0x110949: pulsebinding::main (main.rs:7)
==592008==    by 0x110A3A: core::ops::function::FnOnce::call_once (function.rs:250)
==592008==    by 0x110CDD: std::sys_common::backtrace::__rust_begin_short_backtrace (backtrace.rs:135)
==592008==  Block was alloc'd at
==592008==    at 0x48469B3: calloc (vg_replace_malloc.c:1554)
==592008==    by 0x489B6D3: pa_xmalloc0 (xmalloc.c:74)
==592008==    by 0x4884695: UnknownInlinedFun (xmalloc.h:75)
==592008==    by 0x4884695: pa_mainloop_new (mainloop.c:470)
==592008==    by 0x110EBC: libpulse_binding::mainloop::standard::Mainloop::new (standard.rs:294)
==592008==    by 0x1108E1: pulsebinding::main (main.rs:5)
==592008==    by 0x110A3A: core::ops::function::FnOnce::call_once (function.rs:250)
==592008==    by 0x110CDD: std::sys_common::backtrace::__rust_begin_short_backtrace (backtrace.rs:135)
==592008==    by 0x1108B0: std::rt::lang_start::{{closure}} (rt.rs:166)
==592008==    by 0x125104: call_once<(), (dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe)> (function.rs:284)
==592008==    by 0x125104: do_call<&(dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe), i32> (panicking.rs:500)
==592008==    by 0x125104: try<i32, &(dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe)> (panicking.rs:464)
==592008==    by 0x125104: catch_unwind<&(dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe), i32> (panic.rs:142)
==592008==    by 0x125104: {closure#2} (rt.rs:148)
==592008==    by 0x125104: do_call<std::rt::lang_start_internal::{closure_env#2}, isize> (panicking.rs:500)
==592008==    by 0x125104: try<isize, std::rt::lang_start_internal::{closure_env#2}> (panicking.rs:464)
==592008==    by 0x125104: catch_unwind<std::rt::lang_start_internal::{closure_env#2}, isize> (panic.rs:142)
==592008==    by 0x125104: std::rt::lang_start_internal (rt.rs:148)
==592008==    by 0x110889: std::rt::lang_start (rt.rs:165)
==592008==    by 0x1109CD: main (in /var/home/powpingdone/extern/pulsebinding/target/debug/pulsebinding)
==592008== 
==592008== Invalid read of size 1
==592008==    at 0x4882689: pa_mainloop_quit (mainloop.c:975)
==592008==    by 0x110973: pulsebinding::main (main.rs:8)
==592008==    by 0x110A3A: core::ops::function::FnOnce::call_once (function.rs:250)
==592008==    by 0x110CDD: std::sys_common::backtrace::__rust_begin_short_backtrace (backtrace.rs:135)
==592008==    by 0x1108B0: std::rt::lang_start::{{closure}} (rt.rs:166)
==592008==    by 0x125104: call_once<(), (dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe)> (function.rs:284)
==592008==    by 0x125104: do_call<&(dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe), i32> (panicking.rs:500)
==592008==    by 0x125104: try<i32, &(dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe)> (panicking.rs:464)
==592008==    by 0x125104: catch_unwind<&(dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe), i32> (panic.rs:142)
==592008==    by 0x125104: {closure#2} (rt.rs:148)
==592008==    by 0x125104: do_call<std::rt::lang_start_internal::{closure_env#2}, isize> (panicking.rs:500)
==592008==    by 0x125104: try<isize, std::rt::lang_start_internal::{closure_env#2}> (panicking.rs:464)
==592008==    by 0x125104: catch_unwind<std::rt::lang_start_internal::{closure_env#2}, isize> (panic.rs:142)
==592008==    by 0x125104: std::rt::lang_start_internal (rt.rs:148)
==592008==    by 0x110889: std::rt::lang_start (rt.rs:165)
==592008==    by 0x1109CD: main (in /var/home/powpingdone/extern/pulsebinding/target/debug/pulsebinding)
==592008==  Address 0x5348dbc is 204 bytes inside a block of size 248 free'd
==592008==    at 0x484412F: free (vg_replace_malloc.c:974)
==592008==    by 0x4898E54: UnknownInlinedFun (xmalloc.c:129)
==592008==    by 0x4898E54: pa_xfree (xmalloc.c:122)
==592008==    by 0x110EA7: libpulse_binding::mainloop::standard::<impl libpulse_binding::mainloop::api::MainloopInner<libpulse_sys::mainloop::standard::pa_mainloop>>::drop_actual (standard.rs:287)
==592008==    by 0x111245: <libpulse_binding::mainloop::api::MainloopInner<T> as core::ops::drop::Drop>::drop (api.rs:97)
==592008==    by 0x1112BA: core::ptr::drop_in_place<libpulse_binding::mainloop::api::MainloopInner<libpulse_sys::mainloop::standard::pa_mainloop>> (mod.rs:497)
==592008==    by 0x110B31: <alloc::rc::Rc<T> as core::ops::drop::Drop>::drop (rc.rs:1609)
==592008==    by 0x110A49: core::ptr::drop_in_place<alloc::rc::Rc<libpulse_binding::mainloop::api::MainloopInner<libpulse_sys::mainloop::standard::pa_mainloop>>> (mod.rs:497)
==592008==    by 0x110A59: core::ptr::drop_in_place<libpulse_binding::mainloop::standard::Mainloop> (mod.rs:497)
==592008==    by 0x110CCC: core::mem::drop (mod.rs:987)
==592008==    by 0x110949: pulsebinding::main (main.rs:7)
==592008==    by 0x110A3A: core::ops::function::FnOnce::call_once (function.rs:250)
==592008==    by 0x110CDD: std::sys_common::backtrace::__rust_begin_short_backtrace (backtrace.rs:135)
==592008==  Block was alloc'd at
==592008==    at 0x48469B3: calloc (vg_replace_malloc.c:1554)
==592008==    by 0x489B6D3: pa_xmalloc0 (xmalloc.c:74)
==592008==    by 0x4884695: UnknownInlinedFun (xmalloc.h:75)
==592008==    by 0x4884695: pa_mainloop_new (mainloop.c:470)
==592008==    by 0x110EBC: libpulse_binding::mainloop::standard::Mainloop::new (standard.rs:294)
==592008==    by 0x1108E1: pulsebinding::main (main.rs:5)
==592008==    by 0x110A3A: core::ops::function::FnOnce::call_once (function.rs:250)
==592008==    by 0x110CDD: std::sys_common::backtrace::__rust_begin_short_backtrace (backtrace.rs:135)
==592008==    by 0x1108B0: std::rt::lang_start::{{closure}} (rt.rs:166)
==592008==    by 0x125104: call_once<(), (dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe)> (function.rs:284)
==592008==    by 0x125104: do_call<&(dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe), i32> (panicking.rs:500)
==592008==    by 0x125104: try<i32, &(dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe)> (panicking.rs:464)
==592008==    by 0x125104: catch_unwind<&(dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe), i32> (panic.rs:142)
==592008==    by 0x125104: {closure#2} (rt.rs:148)
==592008==    by 0x125104: do_call<std::rt::lang_start_internal::{closure_env#2}, isize> (panicking.rs:500)
==592008==    by 0x125104: try<isize, std::rt::lang_start_internal::{closure_env#2}> (panicking.rs:464)
==592008==    by 0x125104: catch_unwind<std::rt::lang_start_internal::{closure_env#2}, isize> (panic.rs:142)
==592008==    by 0x125104: std::rt::lang_start_internal (rt.rs:148)
==592008==    by 0x110889: std::rt::lang_start (rt.rs:165)
==592008==    by 0x1109CD: main (in /var/home/powpingdone/extern/pulsebinding/target/debug/pulsebinding)
==592008== 
==592008== Invalid write of size 4
==592008==    at 0x4882690: pa_mainloop_quit (mainloop.c:976)
==592008==    by 0x110973: pulsebinding::main (main.rs:8)
==592008==    by 0x110A3A: core::ops::function::FnOnce::call_once (function.rs:250)
==592008==    by 0x110CDD: std::sys_common::backtrace::__rust_begin_short_backtrace (backtrace.rs:135)
==592008==    by 0x1108B0: std::rt::lang_start::{{closure}} (rt.rs:166)
==592008==    by 0x125104: call_once<(), (dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe)> (function.rs:284)
==592008==    by 0x125104: do_call<&(dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe), i32> (panicking.rs:500)
==592008==    by 0x125104: try<i32, &(dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe)> (panicking.rs:464)
==592008==    by 0x125104: catch_unwind<&(dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe), i32> (panic.rs:142)
==592008==    by 0x125104: {closure#2} (rt.rs:148)
==592008==    by 0x125104: do_call<std::rt::lang_start_internal::{closure_env#2}, isize> (panicking.rs:500)
==592008==    by 0x125104: try<isize, std::rt::lang_start_internal::{closure_env#2}> (panicking.rs:464)
==592008==    by 0x125104: catch_unwind<std::rt::lang_start_internal::{closure_env#2}, isize> (panic.rs:142)
==592008==    by 0x125104: std::rt::lang_start_internal (rt.rs:148)
==592008==    by 0x110889: std::rt::lang_start (rt.rs:165)
==592008==    by 0x1109CD: main (in /var/home/powpingdone/extern/pulsebinding/target/debug/pulsebinding)
==592008==  Address 0x5348db8 is 200 bytes inside a block of size 248 free'd
==592008==    at 0x484412F: free (vg_replace_malloc.c:974)
==592008==    by 0x4898E54: UnknownInlinedFun (xmalloc.c:129)
==592008==    by 0x4898E54: pa_xfree (xmalloc.c:122)
==592008==    by 0x110EA7: libpulse_binding::mainloop::standard::<impl libpulse_binding::mainloop::api::MainloopInner<libpulse_sys::mainloop::standard::pa_mainloop>>::drop_actual (standard.rs:287)
==592008==    by 0x111245: <libpulse_binding::mainloop::api::MainloopInner<T> as core::ops::drop::Drop>::drop (api.rs:97)
==592008==    by 0x1112BA: core::ptr::drop_in_place<libpulse_binding::mainloop::api::MainloopInner<libpulse_sys::mainloop::standard::pa_mainloop>> (mod.rs:497)
==592008==    by 0x110B31: <alloc::rc::Rc<T> as core::ops::drop::Drop>::drop (rc.rs:1609)
==592008==    by 0x110A49: core::ptr::drop_in_place<alloc::rc::Rc<libpulse_binding::mainloop::api::MainloopInner<libpulse_sys::mainloop::standard::pa_mainloop>>> (mod.rs:497)
==592008==    by 0x110A59: core::ptr::drop_in_place<libpulse_binding::mainloop::standard::Mainloop> (mod.rs:497)
==592008==    by 0x110CCC: core::mem::drop (mod.rs:987)
==592008==    by 0x110949: pulsebinding::main (main.rs:7)
==592008==    by 0x110A3A: core::ops::function::FnOnce::call_once (function.rs:250)
==592008==    by 0x110CDD: std::sys_common::backtrace::__rust_begin_short_backtrace (backtrace.rs:135)
==592008==  Block was alloc'd at
==592008==    at 0x48469B3: calloc (vg_replace_malloc.c:1554)
==592008==    by 0x489B6D3: pa_xmalloc0 (xmalloc.c:74)
==592008==    by 0x4884695: UnknownInlinedFun (xmalloc.h:75)
==592008==    by 0x4884695: pa_mainloop_new (mainloop.c:470)
==592008==    by 0x110EBC: libpulse_binding::mainloop::standard::Mainloop::new (standard.rs:294)
==592008==    by 0x1108E1: pulsebinding::main (main.rs:5)
==592008==    by 0x110A3A: core::ops::function::FnOnce::call_once (function.rs:250)
==592008==    by 0x110CDD: std::sys_common::backtrace::__rust_begin_short_backtrace (backtrace.rs:135)
==592008==    by 0x1108B0: std::rt::lang_start::{{closure}} (rt.rs:166)
==592008==    by 0x125104: call_once<(), (dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe)> (function.rs:284)
==592008==    by 0x125104: do_call<&(dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe), i32> (panicking.rs:500)
==592008==    by 0x125104: try<i32, &(dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe)> (panicking.rs:464)
==592008==    by 0x125104: catch_unwind<&(dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe), i32> (panic.rs:142)
==592008==    by 0x125104: {closure#2} (rt.rs:148)
==592008==    by 0x125104: do_call<std::rt::lang_start_internal::{closure_env#2}, isize> (panicking.rs:500)
==592008==    by 0x125104: try<isize, std::rt::lang_start_internal::{closure_env#2}> (panicking.rs:464)
==592008==    by 0x125104: catch_unwind<std::rt::lang_start_internal::{closure_env#2}, isize> (panic.rs:142)
==592008==    by 0x125104: std::rt::lang_start_internal (rt.rs:148)
==592008==    by 0x110889: std::rt::lang_start (rt.rs:165)
==592008==    by 0x1109CD: main (in /var/home/powpingdone/extern/pulsebinding/target/debug/pulsebinding)
==592008== 
==592008== Invalid read of size 4
==592008==    at 0x4881FA3: pa_mainloop_wakeup (mainloop.c:792)
==592008==    by 0x110973: pulsebinding::main (main.rs:8)
==592008==    by 0x110A3A: core::ops::function::FnOnce::call_once (function.rs:250)
==592008==    by 0x110CDD: std::sys_common::backtrace::__rust_begin_short_backtrace (backtrace.rs:135)
==592008==    by 0x1108B0: std::rt::lang_start::{{closure}} (rt.rs:166)
==592008==    by 0x125104: call_once<(), (dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe)> (function.rs:284)
==592008==    by 0x125104: do_call<&(dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe), i32> (panicking.rs:500)
==592008==    by 0x125104: try<i32, &(dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe)> (panicking.rs:464)
==592008==    by 0x125104: catch_unwind<&(dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe), i32> (panic.rs:142)
==592008==    by 0x125104: {closure#2} (rt.rs:148)
==592008==    by 0x125104: do_call<std::rt::lang_start_internal::{closure_env#2}, isize> (panicking.rs:500)
==592008==    by 0x125104: try<isize, std::rt::lang_start_internal::{closure_env#2}> (panicking.rs:464)
==592008==    by 0x125104: catch_unwind<std::rt::lang_start_internal::{closure_env#2}, isize> (panic.rs:142)
==592008==    by 0x125104: std::rt::lang_start_internal (rt.rs:148)
==592008==    by 0x110889: std::rt::lang_start (rt.rs:165)
==592008==    by 0x1109CD: main (in /var/home/powpingdone/extern/pulsebinding/target/debug/pulsebinding)
==592008==  Address 0x5348dc4 is 212 bytes inside a block of size 248 free'd
==592008==    at 0x484412F: free (vg_replace_malloc.c:974)
==592008==    by 0x4898E54: UnknownInlinedFun (xmalloc.c:129)
==592008==    by 0x4898E54: pa_xfree (xmalloc.c:122)
==592008==    by 0x110EA7: libpulse_binding::mainloop::standard::<impl libpulse_binding::mainloop::api::MainloopInner<libpulse_sys::mainloop::standard::pa_mainloop>>::drop_actual (standard.rs:287)
==592008==    by 0x111245: <libpulse_binding::mainloop::api::MainloopInner<T> as core::ops::drop::Drop>::drop (api.rs:97)
==592008==    by 0x1112BA: core::ptr::drop_in_place<libpulse_binding::mainloop::api::MainloopInner<libpulse_sys::mainloop::standard::pa_mainloop>> (mod.rs:497)
==592008==    by 0x110B31: <alloc::rc::Rc<T> as core::ops::drop::Drop>::drop (rc.rs:1609)
==592008==    by 0x110A49: core::ptr::drop_in_place<alloc::rc::Rc<libpulse_binding::mainloop::api::MainloopInner<libpulse_sys::mainloop::standard::pa_mainloop>>> (mod.rs:497)
==592008==    by 0x110A59: core::ptr::drop_in_place<libpulse_binding::mainloop::standard::Mainloop> (mod.rs:497)
==592008==    by 0x110CCC: core::mem::drop (mod.rs:987)
==592008==    by 0x110949: pulsebinding::main (main.rs:7)
==592008==    by 0x110A3A: core::ops::function::FnOnce::call_once (function.rs:250)
==592008==    by 0x110CDD: std::sys_common::backtrace::__rust_begin_short_backtrace (backtrace.rs:135)
==592008==  Block was alloc'd at
==592008==    at 0x48469B3: calloc (vg_replace_malloc.c:1554)
==592008==    by 0x489B6D3: pa_xmalloc0 (xmalloc.c:74)
==592008==    by 0x4884695: UnknownInlinedFun (xmalloc.h:75)
==592008==    by 0x4884695: pa_mainloop_new (mainloop.c:470)
==592008==    by 0x110EBC: libpulse_binding::mainloop::standard::Mainloop::new (standard.rs:294)
==592008==    by 0x1108E1: pulsebinding::main (main.rs:5)
==592008==    by 0x110A3A: core::ops::function::FnOnce::call_once (function.rs:250)
==592008==    by 0x110CDD: std::sys_common::backtrace::__rust_begin_short_backtrace (backtrace.rs:135)
==592008==    by 0x1108B0: std::rt::lang_start::{{closure}} (rt.rs:166)
==592008==    by 0x125104: call_once<(), (dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe)> (function.rs:284)
==592008==    by 0x125104: do_call<&(dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe), i32> (panicking.rs:500)
==592008==    by 0x125104: try<i32, &(dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe)> (panicking.rs:464)
==592008==    by 0x125104: catch_unwind<&(dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe), i32> (panic.rs:142)
==592008==    by 0x125104: {closure#2} (rt.rs:148)
==592008==    by 0x125104: do_call<std::rt::lang_start_internal::{closure_env#2}, isize> (panicking.rs:500)
==592008==    by 0x125104: try<isize, std::rt::lang_start_internal::{closure_env#2}> (panicking.rs:464)
==592008==    by 0x125104: catch_unwind<std::rt::lang_start_internal::{closure_env#2}, isize> (panic.rs:142)
==592008==    by 0x125104: std::rt::lang_start_internal (rt.rs:148)
==592008==    by 0x110889: std::rt::lang_start (rt.rs:165)
==592008==    by 0x1109CD: main (in /var/home/powpingdone/extern/pulsebinding/target/debug/pulsebinding)
==592008== 
==592008== Invalid read of size 4
==592008==    at 0x4AED4FC: pa_write (core-util.c:445)
==592008==    by 0x4881FAE: pa_mainloop_wakeup (mainloop.c:792)
==592008==    by 0x110973: pulsebinding::main (main.rs:8)
==592008==    by 0x110A3A: core::ops::function::FnOnce::call_once (function.rs:250)
==592008==    by 0x110CDD: std::sys_common::backtrace::__rust_begin_short_backtrace (backtrace.rs:135)
==592008==    by 0x1108B0: std::rt::lang_start::{{closure}} (rt.rs:166)
==592008==    by 0x125104: call_once<(), (dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe)> (function.rs:284)
==592008==    by 0x125104: do_call<&(dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe), i32> (panicking.rs:500)
==592008==    by 0x125104: try<i32, &(dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe)> (panicking.rs:464)
==592008==    by 0x125104: catch_unwind<&(dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe), i32> (panic.rs:142)
==592008==    by 0x125104: {closure#2} (rt.rs:148)
==592008==    by 0x125104: do_call<std::rt::lang_start_internal::{closure_env#2}, isize> (panicking.rs:500)
==592008==    by 0x125104: try<isize, std::rt::lang_start_internal::{closure_env#2}> (panicking.rs:464)
==592008==    by 0x125104: catch_unwind<std::rt::lang_start_internal::{closure_env#2}, isize> (panic.rs:142)
==592008==    by 0x125104: std::rt::lang_start_internal (rt.rs:148)
==592008==    by 0x110889: std::rt::lang_start (rt.rs:165)
==592008==    by 0x1109CD: main (in /var/home/powpingdone/extern/pulsebinding/target/debug/pulsebinding)
==592008==  Address 0x5348dc8 is 216 bytes inside a block of size 248 free'd
==592008==    at 0x484412F: free (vg_replace_malloc.c:974)
==592008==    by 0x4898E54: UnknownInlinedFun (xmalloc.c:129)
==592008==    by 0x4898E54: pa_xfree (xmalloc.c:122)
==592008==    by 0x110EA7: libpulse_binding::mainloop::standard::<impl libpulse_binding::mainloop::api::MainloopInner<libpulse_sys::mainloop::standard::pa_mainloop>>::drop_actual (standard.rs:287)
==592008==    by 0x111245: <libpulse_binding::mainloop::api::MainloopInner<T> as core::ops::drop::Drop>::drop (api.rs:97)
==592008==    by 0x1112BA: core::ptr::drop_in_place<libpulse_binding::mainloop::api::MainloopInner<libpulse_sys::mainloop::standard::pa_mainloop>> (mod.rs:497)
==592008==    by 0x110B31: <alloc::rc::Rc<T> as core::ops::drop::Drop>::drop (rc.rs:1609)
==592008==    by 0x110A49: core::ptr::drop_in_place<alloc::rc::Rc<libpulse_binding::mainloop::api::MainloopInner<libpulse_sys::mainloop::standard::pa_mainloop>>> (mod.rs:497)
==592008==    by 0x110A59: core::ptr::drop_in_place<libpulse_binding::mainloop::standard::Mainloop> (mod.rs:497)
==592008==    by 0x110CCC: core::mem::drop (mod.rs:987)
==592008==    by 0x110949: pulsebinding::main (main.rs:7)
==592008==    by 0x110A3A: core::ops::function::FnOnce::call_once (function.rs:250)
==592008==    by 0x110CDD: std::sys_common::backtrace::__rust_begin_short_backtrace (backtrace.rs:135)
==592008==  Block was alloc'd at
==592008==    at 0x48469B3: calloc (vg_replace_malloc.c:1554)
==592008==    by 0x489B6D3: pa_xmalloc0 (xmalloc.c:74)
==592008==    by 0x4884695: UnknownInlinedFun (xmalloc.h:75)
==592008==    by 0x4884695: pa_mainloop_new (mainloop.c:470)
==592008==    by 0x110EBC: libpulse_binding::mainloop::standard::Mainloop::new (standard.rs:294)
==592008==    by 0x1108E1: pulsebinding::main (main.rs:5)
==592008==    by 0x110A3A: core::ops::function::FnOnce::call_once (function.rs:250)
==592008==    by 0x110CDD: std::sys_common::backtrace::__rust_begin_short_backtrace (backtrace.rs:135)
==592008==    by 0x1108B0: std::rt::lang_start::{{closure}} (rt.rs:166)
==592008==    by 0x125104: call_once<(), (dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe)> (function.rs:284)
==592008==    by 0x125104: do_call<&(dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe), i32> (panicking.rs:500)
==592008==    by 0x125104: try<i32, &(dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe)> (panicking.rs:464)
==592008==    by 0x125104: catch_unwind<&(dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe), i32> (panic.rs:142)
==592008==    by 0x125104: {closure#2} (rt.rs:148)
==592008==    by 0x125104: do_call<std::rt::lang_start_internal::{closure_env#2}, isize> (panicking.rs:500)
==592008==    by 0x125104: try<isize, std::rt::lang_start_internal::{closure_env#2}> (panicking.rs:464)
==592008==    by 0x125104: catch_unwind<std::rt::lang_start_internal::{closure_env#2}, isize> (panic.rs:142)
==592008==    by 0x125104: std::rt::lang_start_internal (rt.rs:148)
==592008==    by 0x110889: std::rt::lang_start (rt.rs:165)
==592008==    by 0x1109CD: main (in /var/home/powpingdone/extern/pulsebinding/target/debug/pulsebinding)
==592008== 
pa_write() failed while trying to wake up the mainloop: Bad file descriptor
==592008== 
==592008== HEAP SUMMARY:
==592008==     in use at exit: 157 bytes in 6 blocks
==592008==   total heap usage: 2,415 allocs, 2,409 frees, 257,287 bytes allocated
==592008== 
==592008== LEAK SUMMARY:
==592008==    definitely lost: 0 bytes in 0 blocks
==592008==    indirectly lost: 0 bytes in 0 blocks
==592008==      possibly lost: 0 bytes in 0 blocks
==592008==    still reachable: 157 bytes in 6 blocks
==592008==         suppressed: 0 bytes in 0 blocks
==592008== Rerun with --leak-check=full to see details of leaked memory
==592008== 
==592008== For lists of detected and suppressed errors, rerun with: -s
==592008== ERROR SUMMARY: 7 errors from 6 contexts (suppressed: 0 from 0)

@jnqnfe Something is defo wrong here.

[vnrst]

@powpingdone - thanks for the report. Just wondering, does Valgrind still complain if you remove the line with drop(mainloop);? If the error vanishes, then that pins the cause of the error specifically to the get_api function. Otherwise, it's possible that there's something weird happening independently in the api.quit call.

[powpingdone]

==61300== Memcheck, a memory error detector
==61300== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==61300== Using Valgrind-3.21.0 and LibVEX; rerun with -h for copyright info
==61300== Command: target/debug/pulse
==61300== 
==61300== 
==61300== HEAP SUMMARY:
==61300==     in use at exit: 40 bytes in 1 blocks
==61300==   total heap usage: 16 allocs, 15 frees, 2,571 bytes allocated
==61300== 
==61300== LEAK SUMMARY:
==61300==    definitely lost: 0 bytes in 0 blocks
==61300==    indirectly lost: 0 bytes in 0 blocks
==61300==      possibly lost: 0 bytes in 0 blocks
==61300==    still reachable: 40 bytes in 1 blocks
==61300==         suppressed: 0 bytes in 0 blocks
==61300== Rerun with --leak-check=full to see details of leaked memory
==61300== 
==61300== For lists of detected and suppressed errors, rerun with: -s
==61300== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

@vnrst

[Hawk777]

I think I just ran into this bug myself. I’m never actually calling get_api directly; rather, I pass the Mainloop object (I’m using the Glib one) into Context::new, then I hang onto the Context but drop the Mainloop (because I thought I didn’t need it any more because everything is refcounted, so if the Mainloop’s guts needed to stay alive for the lifetime of the Context then surely it would have been reffed internally). But then when I tried to connect the context, it entered the Connecting state but never advanced any further. Artificially hanging onto the Mainloop for to outlive the Context seems to have solved it, but I had no idea I was supposed to do that, because AFAICT it’s not documented anywhere, is it? If “hang onto an object you have no use for just to prevent it from being dropped too early, and which the language-level lifetimes don’t tell you you need to” is correct usage of this library, then IMO that needs a big notice in the docs!

I have a pretty simple example:

use libpulse_binding as pulse;
use libpulse_glib_binding as pulse_glib;
use std::cell::RefCell;
use std::rc::Rc;

fn do_stuff() {
	let ml = pulse_glib::Mainloop::new(None).expect("mainloop new failed");
	let ctx = pulse::context::Context::new(&ml, "foo").expect("context new failed");
	let ctx = Rc::new(RefCell::new(ctx));
	let ctx_clone = ctx.clone();
	ctx.borrow_mut().set_state_callback(Some(Box::new(move || {
		if let Ok(borrow) = ctx_clone.try_borrow() {
			println!("State CB: state is {:?}", borrow.get_state());
		} else {
			println!("State CB: cannot check state, context is borrowed");
		}
	})));
	let ctx_clone = ctx.clone();
	glib::source::timeout_add_local(std::time::Duration::from_secs(1), move || {
		if let Ok(borrow) = ctx_clone.try_borrow() {
			println!("Timeout CB: state is {:?}", borrow.get_state());
		} else {
			println!("Timeout CB: cannot check state, context is borrowed");
		}
		glib::ControlFlow::Continue
	});
	println!("Call connect.");
	ctx.borrow_mut().connect(None, pulse::context::FlagSet::NOFLAGS, None).expect("connect failed");
	println!("Connect returned, state is {:?}", ctx.borrow().get_state());
	//std::mem::forget(ml);
}

fn main() {
	let ml = glib::MainLoop::new(None, false);
	glib::source::idle_add_local_once(do_stuff);
	ml.run();
}

Run this as is, and the output is as follows:

Call connect.
State CB: cannot check state, context is borrowed
Connect returned, state is Connecting
Timeout CB: state is Connecting
Timeout CB: state is Connecting
Timeout CB: state is Connecting

Uncomment the std::mem::forget line to prevent ml from being dropped, and the output is as follows instead:

Call connect.
State CB: cannot check state, context is borrowed
Connect returned, state is Connecting
State CB: state is Authorizing
State CB: state is SettingName
State CB: state is Ready
Timeout CB: state is Ready
Timeout CB: state is Ready
Timeout CB: state is Ready

So, clearly the context is not hanging onto the MainLoop object internally, and just becomes randomly broken when you drop it.

[jnqnfe]

So, clearly the context is not hanging onto the MainLoop object internally, and just becomes randomly broken when you drop it.

The context object, as explained in it's documentation, is the actual communication channel between your PA client application and the PA server. The mainloop object is used by your client to react to the messages sent asynchronously from the PA server (via the context). Both objects thus need to be kept alive for the duration of communication with PA. The mainloop is not used only for init.

I've added a note to the first page of documentation to help point this out.

The reason context and mainloop are not connected in the binding as you expected is due to design constraints. I don't really remember the details well enough now to explain why exactly I implemented it, or had to implement it, this way.

[Hawk777]

That note looks good. I was surprised when I first ran into this because most things in PulseAudio itself (i.e. in the C API) are refcounted, but actually I see now that mainloops specifically are not, so that obviously makes dealing with them in the Rust binding a bit harder.