review.tizen.org Git - platform/upstream/efl.git/commit

eldbus: Fix crash when removing the last reference of the message container inside of the message callback

If user try to remove the last reference of proxy, object, connection
or eldbus(lib) inside of message callback it was causing the
eldbus_pending_dispatch() being called 2 times, one because of the
eldbus_cancel() that is triggered when the last reference of the
message parent is removed and another after the return of the user
callback.

==6545== Invalid read of size 8
==6545==    at 0x52F784E: eldbus_cbs_free_dispatch (eldbus_core.c:266)
==6545==    by 0x53064AA: eldbus_pending_dispatch (eldbus_pending.c:227)
==6545==    by 0x5305961: cb_pending (eldbus_pending.c:74)
==6545==    by 0x6B29DB1: ??? (in /usr/lib/libdbus-1.so.3.8.9)
==6545==    by 0x6B2D280: dbus_connection_dispatch (in /usr/lib/libdbus-1.so.3.8.9)
==6545==    by 0x52F93B4: eldbus_idler (eldbus_core.c:773)
==6545==    by 0x4E4B300: _ecore_call_task_cb (ecore_private.h:305)
==6545==    by 0x4E4B78F: _ecore_idler_all_call (ecore_idler.c:143)
==6545==    by 0x4E4EA73: _ecore_main_loop_spin_core (ecore_main.c:1768)
==6545==    by 0x4E4EAF1: _ecore_main_loop_spin_timers (ecore_main.c:1802)
==6545==    by 0x4E4ED01: _ecore_main_loop_iterate_internal (ecore_main.c:1925)
==6545==    by 0x4E4D03B: ecore_main_loop_begin (ecore_main.c:983)
==6545==  Address 0x701aa78 is 104 bytes inside a block of size 128 free'd
==6545==    at 0x4C2B200: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==6545==    by 0x530655B: eldbus_pending_dispatch (eldbus_pending.c:241)
==6545==    by 0x5306763: eldbus_pending_cancel (eldbus_pending.c:259)
==6545==    by 0x52F29DB: _eldbus_proxy_clear (eldbus_proxy.c:146)
==6545==    by 0x52F3057: _eldbus_proxy_unref (eldbus_proxy.c:244)
==6545==    by 0x52F3393: eldbus_proxy_unref (eldbus_proxy.c:264)
==6545==    by 0x401039: on_get_playlists (banshee.c:53)
==6545==    by 0x5306493: eldbus_pending_dispatch (eldbus_pending.c:225)
==6545==    by 0x5305961: cb_pending (eldbus_pending.c:74)
==6545==    by 0x6B29DB1: ??? (in /usr/lib/libdbus-1.so.3.8.9)
==6545==    by 0x6B2D280: dbus_connection_dispatch (in /usr/lib/libdbus-1.so.3.8.9)
==6545==    by 0x52F93B4: eldbus_idler (eldbus_core.c:773)

Now we will remove the pending from parent pending list before
call the user callback, this way only the pending messages will
be canceled.

Also we need increase the eldbus reference before call
dbus_connection_dispatch() or user could remove the last reference of
eldbus inside of a message callback when we still are
holding one reference of the connection.

@fix
ref T1908

author	José Roberto de Souza <jose.souza@intel.com>
	Wed, 17 Dec 2014 18:57:03 +0000 (16:57 -0200)
committer	José Roberto de Souza <jose.souza@intel.com>
	Wed, 17 Dec 2014 19:05:35 +0000 (17:05 -0200)
commit	63abe9b00cc02940361372cb0881d3f7fbb682f2
tree	d8153706cb6489e608573dc80203894a96d1e8a3	tree \| snapshot
parent	78d5bb17d700f25e84abd5fb3eb4d42590c73474	commit \| diff

src/lib/eldbus/eldbus_core.c		diff \| blob \| history
src/lib/eldbus/eldbus_object.c		diff \| blob \| history
src/lib/eldbus/eldbus_pending.c		diff \| blob \| history
src/lib/eldbus/eldbus_proxy.c		diff \| blob \| history