From 83619110f22f83c50384d78ca7d1381481a3eb25 Mon Sep 17 00:00:00 2001
From: Lucas De Marchi
Date: Thu, 20 Dec 2012 14:52:21 +0000
Subject: [PATCH] edbus: Do not modify cn->names hash while walking it
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Bug triggered by Lucas Jóia:
==10042== Invalid read of size 8
==10042==    at 0x6B86626: _eina_rbtree_iterator_next (eina_rbtree.c:165)
==10042==    by 0x6B7228D: _eina_hash_iterator_next (eina_hash.c:622)
==10042==    by 0x6FE41DC: edbus_connection_unref (edbus_core.c:1015)
==10042==    by 0x4C8D94: e_msgbus_shutdown (e_msgbus.c:167)
==10042==    by 0x436194: _e_main_shutdown (e_main.c:1136)
==10042==    by 0x434F25: main (e_main.c:1074)
==10042==  Address 0x15c1b958 is 40 bytes inside a block of size 96 free'd
==10042==    at 0x4C2A739: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==10042==    by 0x6B71CB7: _eina_hash_del_by_hash_el (eina_hash.c:441)
==10042==    by 0x6FE2A1E: edbus_connection_name_gc.isra.2 (edbus_core.c:385)
==10042==    by 0x6FE4217: edbus_connection_unref (edbus_core.c:1026)
==10042==    by 0x4C8D94: e_msgbus_shutdown (e_msgbus.c:167)
==10042==    by 0x436194: _e_main_shutdown (e_main.c:1136)
==10042==    by 0x434F25: main (e_main.c:1074)
SVN revision: 81462
---
 legacy/edbus/src/lib/edbus_core.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/legacy/edbus/src/lib/edbus_core.c b/legacy/edbus/src/lib/edbus_core.c
index d9991037f3..0fdaf733a8 100644
--- a/legacy/edbus/src/lib/edbus_core.c
+++ b/legacy/edbus/src/lib/edbus_core.c
@@ -989,6 +989,7 @@ _edbus_connection_unref(EDBus_Connection *conn)
 EDBus_Pending *p;
 Eina_Iterator *iter;
 EDBus_Connection_Name *cn;
+ Eina_Array *cns;
 DBG("Connection %p: unref (currently at %d refs)", conn, conn->refcount);
@@ -1006,6 +1007,7 @@ _edbus_connection_unref(EDBus_Connection *conn)
 EINA_INLIST_FOREACH_SAFE(conn->pendings, list, p)
 edbus_pending_cancel(p);
+ cns = eina_array_new(eina_hash_population(conn->names));
 iter = eina_hash_iterator_data_new(conn->names);
 EINA_ITERATOR_FOREACH(iter, cn)
 {
@@ -1017,11 +1019,16 @@ _edbus_connection_unref(EDBus_Connection *conn)
 cn->event_handlers.list = eina_inlist_remove(cn->event_handlers.list, cn->event_handlers.list);
 free(ctx);
- }
- edbus_connection_name_gc(conn, cn);
+ }
+ eina_array_push(cns, cn);
 }
 eina_iterator_free(iter);
+
+ while ((cn = eina_array_pop(cns)))
+ edbus_connection_name_gc(conn, cn);
+
 eina_hash_free(conn->names);
+ eina_array_free(cns);
 conn->refcount = 0;
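Review bot: The result of `eina_array_new()` is used without a NULL check, so a failed allocation leaves `cns` NULL for the `eina_array_push(cns, cn)` and `eina_array_pop(cns)` calls added in the following hunk (@@ -1017); as far as I know those inline helpers dereference the array without checking it. That would turn an out-of-memory condition during connection teardown into a crash on the very path this commit is making memory-safe. The return value of `eina_array_push()` is also ignored, so a failed grow would silently leave that name uncollected. Consider testing `cns` right after the allocation and guarding the later uses, e.g. `if (cns) eina_array_push(cns, cn);` and `while (cns && (cn = eina_array_pop(cns)))`, with a log line on the failure branch. The body of `_edbus_connection_unref` starts and ends outside this hunk.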
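Review bot: The reason `edbus_connection_name_gc()` moved out of the `EINA_ITERATOR_FOREACH` body is recorded only in the commit message, so a later cleanup could merge the two loops again and bring back the read of freed hash memory shown in the valgrind trace. A comment above the push would keep the constraint visible in the code, for example `/* edbus_connection_name_gc() can delete cn from conn->names; run it only after the iterator is freed */`. The same comment could say that the `while` loop has to stay ahead of `eina_hash_free(conn->names)`, since per the trace the gc path deletes entries from that hash. The enclosing function starts and ends outside this hunk.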