Fix memory corruption

- Fix use after free
- Fix double free

Change-Id: I1279fdbd06b0f4e3a7e04b304461ffbc1aca0214
Signed-off-by: Hwankyu Jhun <h.jhun@samsung.com>

diff --git a/tests/tizen-core_unittests/tizen_core_test.cc b/tests/tizen-core_unittests/tizen_core_test.cc
index b10ff2d0df75d8b635bdfd95db1900d1e4a4df16..f67997dece5f8d68c51ee1ef558e4b1df086b6d6 100644 (file)
--- a/tests/tizen-core_unittests/tizen_core_test.cc
+++ b/tests/tizen-core_unittests/tizen_core_test.cc
@@ -623,6 +623,7 @@ TEST_F(TizenCoreTest, tizen_core_source_create_N) {
 TEST_F(TizenCoreTest, tizen_core_source_destroy_P) {
   int ret = tizen_core_source_destroy(source_);
   ASSERT_EQ(ret, TIZEN_CORE_ERROR_NONE);
+  source_ = nullptr;
 }
 
 TEST_F(TizenCoreTest, tizen_core_source_destroy_N) {

diff --git a/tizen_base/stub.cc b/tizen_base/stub.cc
index dc14c8145e00d1aeb93cbce63fd5cd5851f2cb85..556bf30e78ddd23abb6d3433bb1226aeef585a19 100644 (file)
--- a/tizen_base/stub.cc
+++ b/tizen_base/stub.cc
@@ -136,6 +136,7 @@ API int tizen_core_task_create(const char* name, bool use_thread,
       return TIZEN_CORE_ERROR_OUT_OF_MEMORY;  // LCOV_EXCL_LINE
     }
 
+    handle->RefSelf();
     *task = static_cast<tizen_core_task_h>(handle.get());
   } catch (const std::invalid_argument& e) {
     _E("Exception occurs. error(%s)", e.what());
@@ -153,6 +154,7 @@ API int tizen_core_task_destroy(tizen_core_task_h task) {
 
   auto* handle = static_cast<tizen_base::tizen_core::Task*>(task);
   handle->Dispose();
+  handle->UnrefSelf();
   return TIZEN_CORE_ERROR_NONE;
 }
 

diff --git a/tizen_base/task.cc b/tizen_base/task.cc
index 900d13505253178793e905457450baf7c0eaa820..f97fe218529c9d994a78addce241eaf239ff7906 100644 (file)
--- a/tizen_base/task.cc
+++ b/tizen_base/task.cc
@@ -87,7 +87,7 @@ class ChannelSource : public Source {
         receiver_(std::move(receiver)),
         cb_(std::move(cb)) {
     receiver_->ReceiveAsync([=](channel::ChannelObject<T> obj) {
-      task_->AddIdleJob([&]() {
+      task_->AddIdleJob([=]() {
         cb_(obj);
         return false;
       });
@@ -381,6 +381,10 @@ void Task::RemoveEventSource(std::shared_ptr<ISource> source) {
   event_sources_.remove(source);
 }
 
+void Task::RefSelf() { self_ = shared_from_this(); }
+
+void Task::UnrefSelf() { self_.reset(); }
+
 template std::shared_ptr<ISource> Task::AddChannel<void*>(
     std::shared_ptr<channel::Receiver<void*>> receiver,
     std::function<void(const channel::ChannelObject<void*>&)> cb);

diff --git a/tizen_base/task.h b/tizen_base/task.h
index e2ce1539d3e52c5e0105f4cae1d3d509d83bbfc5..cf8d3e61f4e59f82bee3f67635854cda3f6ce7d5 100644 (file)
--- a/tizen_base/task.h
+++ b/tizen_base/task.h
@@ -80,6 +80,9 @@ class EXPORT_API Task : public ILoop,
   void AddEventSource(std::shared_ptr<ISource> source);
   void RemoveEventSource(std::shared_ptr<ISource> source);
 
+  void RefSelf();
+  void UnrefSelf();
+
  private:
   void ThreadLoop();
 
@@ -97,6 +100,7 @@ class EXPORT_API Task : public ILoop,
   bool idle_entered_ = false;
   std::list<std::shared_ptr<ISource>> event_sources_;
   mutable std::recursive_mutex mutex_;
+  std::shared_ptr<Task> self_;
 };
 
 }  // namespace tizen_core