From: Lucas De Marchi Date: Thu, 20 Dec 2012 14:52:21 +0000 (+0000) Subject: edbus: Do not modify cn->names hash while walking it X-Git-Tag: upstream/1.7.8~49 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=29d42f4f44dc8bf52e4932949972807694dd1c92;p=platform%2Fupstream%2Feldbus.git edbus: Do not modify cn->names hash while walking it Bug triggered by Lucas Jóia: ==10042== Invalid read of size 8 ==10042==    at 0x6B86626: _eina_rbtree_iterator_next (eina_rbtree.c:165) ==10042==    by 0x6B7228D: _eina_hash_iterator_next (eina_hash.c:622) ==10042==    by 0x6FE41DC: edbus_connection_unref (edbus_core.c:1015) ==10042==    by 0x4C8D94: e_msgbus_shutdown (e_msgbus.c:167) ==10042==    by 0x436194: _e_main_shutdown (e_main.c:1136) ==10042==    by 0x434F25: main (e_main.c:1074) ==10042==  Address 0x15c1b958 is 40 bytes inside a block of size 96 free'd ==10042==    at 0x4C2A739: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==10042==    by 0x6B71CB7: _eina_hash_del_by_hash_el (eina_hash.c:441) ==10042==    by 0x6FE2A1E: edbus_connection_name_gc.isra.2 (edbus_core.c:385) ==10042==    by 0x6FE4217: edbus_connection_unref (edbus_core.c:1026) ==10042==    by 0x4C8D94: e_msgbus_shutdown (e_msgbus.c:167) ==10042==    by 0x436194: _e_main_shutdown (e_main.c:1136) ==10042==    by 0x434F25: main (e_main.c:1074) SVN revision: 81462 --- diff --git a/src/lib/edbus_core.c b/src/lib/edbus_core.c index d999103..0fdaf73 100644 --- a/src/lib/edbus_core.c +++ b/src/lib/edbus_core.c @@ -989,6 +989,7 @@ _edbus_connection_unref(EDBus_Connection *conn) EDBus_Pending *p; Eina_Iterator *iter; EDBus_Connection_Name *cn; + Eina_Array *cns; DBG("Connection %p: unref (currently at %d refs)", conn, conn->refcount); @@ -1006,6 +1007,7 @@ _edbus_connection_unref(EDBus_Connection *conn) EINA_INLIST_FOREACH_SAFE(conn->pendings, list, p) edbus_pending_cancel(p); + cns = eina_array_new(eina_hash_population(conn->names)); iter = eina_hash_iterator_data_new(conn->names); EINA_ITERATOR_FOREACH(iter, cn) { @@ -1017,11 +1019,16 @@ _edbus_connection_unref(EDBus_Connection *conn) cn->event_handlers.list = eina_inlist_remove(cn->event_handlers.list, cn->event_handlers.list); free(ctx); - } - edbus_connection_name_gc(conn, cn); + } + eina_array_push(cns, cn); } eina_iterator_free(iter); + + while ((cn = eina_array_pop(cns))) + edbus_connection_name_gc(conn, cn); + eina_hash_free(conn->names); + eina_array_free(cns); conn->refcount = 0;