From 80bdcca7edbe39a693d6399abaac4293ca576414 Mon Sep 17 00:00:00 2001
From: Lucas De Marchi
Date: Thu, 20 Dec 2012 14:52:27 +0000
Subject: [PATCH] edbus: avoid cyclic unref
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If we are freeing a EDBUS_Connection_Name its name_owner_changed signal
handler may hold a pointer and try to unref it when deleting the signal
handler.

We can't simply make the signal handler hold a reference to the
connection name, otherwise edbus_connection_name_gc will never be
triggered because of cyclic references.

Thus, just set the cn->name_owner_changed->bus to NULL before trying to
delete the signal handler.

Related log found by Lucas Jóia:

==20607== Invalid read of size 4
==20607== at 0x6FE29EE: edbus_connection_name_gc.isra.3 (edbus_core.c:375)
==20607== by 0x6FE4287: edbus_connection_unref (edbus_core.c:1028)
==20607== by 0x4C8D94: e_msgbus_shutdown (e_msgbus.c:167)
==20607== by 0x436194: _e_main_shutdown (e_main.c:1136)
==20607== by 0x434F25: main (e_main.c:1074)
==20607== Address 0x1461ba68 is 24 bytes inside a block of size 64 free'd
==20607== at 0x4C2A739: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==20607== by 0x6FF0E78: edbus_signal_handler_unref (edbus_signal_handler.c:269)
==20607== by 0x6FE2A48: edbus_connection_name_gc.isra.3 (edbus_core.c:384)
==20607== by 0x6FE4287: edbus_connection_unref (edbus_core.c:1028)
==20607== by 0x4C8D94: e_msgbus_shutdown (e_msgbus.c:167)
==20607== by 0x436194: _e_main_shutdown (e_main.c:1136)
==20607== by 0x434F25: main (e_main.c:1074)

SVN revision: 81463
---
 legacy/edbus/src/lib/edbus_core.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/legacy/edbus/src/lib/edbus_core.c b/legacy/edbus/src/lib/edbus_core.c
index 0fdaf733a8..f28a38a724 100644
--- a/legacy/edbus/src/lib/edbus_core.c
+++ b/legacy/edbus/src/lib/edbus_core.c
@@ -381,7 +381,10 @@ edbus_connection_name_gc(EDBus_Connection *conn, EDBus_Connection_Name *cn) eina_hash_del(conn->names, cn->name, cn); if (cn->name_owner_changed) - edbus_signal_handler_del(cn->name_owner_changed); + { + cn->name_owner_changed->bus = NULL; + edbus_signal_handler_del(cn->name_owner_changed); + } if (cn->objects) eina_hash_free(cn->objects); eina_stringshare_del(cn->name);
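Review bot: the added `cn->name_owner_changed->bus = NULL;` in edbus_connection_name_gc() is only safe if edbus_signal_handler_del() and the unref it leads to tolerate a handler whose bus is NULL, and nothing in this hunk shows that they do. Please confirm that every use of the bus field on the delete path is guarded by a NULL check, otherwise the use-after-free in the valgrind log is traded for a NULL dereference. The reason for clearing the field (the handler must not unref the connection name that is being collected, and cannot hold a reference without creating a cycle) exists only in the commit message, so a one-line comment above the assignment would keep a later cleanup from removing it. Writing the handler's field directly from edbus_core.c also ties this file to the handler's layout; a small helper next to edbus_signal_handler_del() that detaches the handler from its name would keep that invariant in one place.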