edbus: Do not modify cn->names hash while walking it

Bug triggered by Lucas Jóia:

==10042== Invalid read of size 8
==10042==    at 0x6B86626: _eina_rbtree_iterator_next (eina_rbtree.c:165)
==10042==    by 0x6B7228D: _eina_hash_iterator_next (eina_hash.c:622)
==10042==    by 0x6FE41DC: edbus_connection_unref (edbus_core.c:1015)
==10042==    by 0x4C8D94: e_msgbus_shutdown (e_msgbus.c:167)
==10042==    by 0x436194: _e_main_shutdown (e_main.c:1136)
==10042==    by 0x434F25: main (e_main.c:1074)
==10042==  Address 0x15c1b958 is 40 bytes inside a block of size 96 free'd
==10042==    at 0x4C2A739: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==10042==    by 0x6B71CB7: _eina_hash_del_by_hash_el (eina_hash.c:441)
==10042==    by 0x6FE2A1E: edbus_connection_name_gc.isra.2 (edbus_core.c:385)
==10042==    by 0x6FE4217: edbus_connection_unref (edbus_core.c:1026)
==10042==    by 0x4C8D94: e_msgbus_shutdown (e_msgbus.c:167)
==10042==    by 0x436194: _e_main_shutdown (e_main.c:1136)
==10042==    by 0x434F25: main (e_main.c:1074)

SVN revision: 81462

diff --git a/src/lib/edbus_core.c b/src/lib/edbus_core.c
index d999103..0fdaf73 100644 (file)
--- a/src/lib/edbus_core.c
+++ b/src/lib/edbus_core.c
@@ -989,6 +989,7 @@ _edbus_connection_unref(EDBus_Connection *conn)
    EDBus_Pending *p;
    Eina_Iterator *iter;
    EDBus_Connection_Name *cn;
+   Eina_Array *cns;
 
    DBG("Connection %p: unref (currently at %d refs)",
        conn, conn->refcount);
@@ -1006,6 +1007,7 @@ _edbus_connection_unref(EDBus_Connection *conn)
    EINA_INLIST_FOREACH_SAFE(conn->pendings, list, p)
      edbus_pending_cancel(p);
 
+   cns = eina_array_new(eina_hash_population(conn->names));
    iter = eina_hash_iterator_data_new(conn->names);
    EINA_ITERATOR_FOREACH(iter, cn)
      {
@@ -1017,11 +1019,16 @@ _edbus_connection_unref(EDBus_Connection *conn)
              cn->event_handlers.list = eina_inlist_remove(cn->event_handlers.list,
                                                           cn->event_handlers.list);
              free(ctx);
-           }
-        edbus_connection_name_gc(conn, cn);
+          }
+        eina_array_push(cns, cn);
      }
    eina_iterator_free(iter);
+
+   while ((cn = eina_array_pop(cns)))
+     edbus_connection_name_gc(conn, cn);
+
    eina_hash_free(conn->names);
+   eina_array_free(cns);
 
    conn->refcount = 0;