From: Hermet Park <hermetpark@gmail.com>
Date: Fri, 26 Jul 2019 07:49:45 +0000 (+0900)
Subject: ecore_evas: prevent double free evas.
X-Git-Tag: submit/tizen/20190726.075903^0
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fchanges%2F52%2F210952%2F2;p=platform%2Fupstream%2Fefl.git

ecore_evas: prevent double free evas.

When user manually free the ecore evas,
it could delete evas internally,
then evas_invalidate would be triggered,
invalidate callback would try free evas again,
this causes double free evas.

TEST SCENARIO:
   ee = ecore_evas_new(...);
   ...
   ecore_evas_free(ee);
      -> free evas
         -> invalidated cb
            -> free evas (**double free)

This is a regression bug by 5847886a3fdb7c470bd55e215b822bbbaf109080

Change-Id: I954f605e69c2c92270c4e0c17f8d2198cedac3b5
---

diff --git a/src/lib/ecore_evas/ecore_evas.c b/src/lib/ecore_evas/ecore_evas.c
index e8b88c9..8b9d359 100644
--- a/src/lib/ecore_evas/ecore_evas.c
+++ b/src/lib/ecore_evas/ecore_evas.c
@@ -3693,7 +3693,11 @@ _ecore_evas_free(Ecore_Evas *ee)
    if (ee->engine.func->fn_evas_engine_rsc_free)
      ee->engine.func->fn_evas_engine_rsc_free(ee);
    //
-   if (!ee->evas_dying) evas_free(ee->evas);
+   if (!ee->evas_dying)
+     {
+        ee->evas_dying = EINA_TRUE;
+        evas_free(ee->evas);
+     }
    ee->evas = NULL;
    ECORE_MAGIC_SET(ee, ECORE_MAGIC_NONE);
    ee->driver = NULL;
@@ -5990,6 +5994,7 @@ static void
 _ecore_evas_event_del(void *data, const Efl_Event *ev EINA_UNUSED)
 {
    Ecore_Evas *ee = data;
+   if (ee->evas_dying) return;
 
    ee->evas_dying = EINA_TRUE;
    ecore_evas_free(ee);