Bug 15684

Summary: timer leak in dbus_connection_send_with_reply
Product: dbus
Reporter: Dirk Mueller <mueller>
Component: core
Assignee: Havoc Pennington <hp>
Status: RESOLVED FIXED
QA Contact: John (J5) Palmieri <johnp>
Severity: normal
Priority: medium
CC: walters
Version: 1.2.x
Hardware: Other
OS: All
Attachments: patch

Description Dirk Mueller 2008-04-23 15:59:13 UTC
Created attachment 16142 [details] [review]
patch

There is a race in send_with_reply_and_block, which can cause a timer leak.

The path is as follows:

send_with_reply creates a pending call around dbus-connection.c 3193, which registers a timer callback for timeout_milliseconds.

send_with_reply_and_block calls pending_call_block, which calls _dbus_connection_block_pending_call.

This function does its own timeout handling, so it can happen that the function considers that a timeout happened, even though the timeout callback was never executed (around line 2390):

  /* unlock and call user code */
  complete_pending_call_and_unlock (connection, pending, NULL);

  ...

  dbus_pending_call_unref (pending);

In this case, pending is destroyed without the added timer being removed, because _dbus_connection_detach_pending_call_and_unlock() removes it from the pending_replies hash table but does not call back the user callback to remove the timer.

It can therefore happen that the timeout occurs shortly after; reply_timeout is called, which then operates on the already unref'ed pending call and crashes.

It seems most correct to me to check for timeout_added and remove the timeout in _dbus_connection_detach_pending_call_and_unlock().

I cannot provide an easy testcase, as the crash happened in a rather complex application that ran into a dbus call timeout using the Qt4 bindings.

Let me know if I'm missing something.
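The sequence the report describes, as an added example in C that is my own model and not dbus code: a pending call arms a timeout timer that holds a raw pointer back to the call; the blocking wait decides from its own clock that the deadline passed (so the timer callback never ran), detaches the call, and the caller drops the last reference; the main loop then fires the still-armed timer against the freed object. All names (pending_call, reply_timer, send_and_time_out and the rest) are hypothetical stand-ins for the dbus-connection.c functions named above. The `fixed` flag applies the check the reporter proposes: when timeout_added is still set on the detach path, remove the timeout before the call can be freed. The model poisons the object instead of calling free() so that the stale callback is observable and deterministic rather than undefined behaviour.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_TIMERS    8
#define PENDING_MAGIC 0x50454e44u  /* valid while the object is live */
#define FREED_MAGIC   0xdeadbeefu  /* poison written when the last ref drops */

/* Hypothetical stand-in for DBusPendingCall (my names, not dbus's). */
typedef struct {
    unsigned magic;
    int refcount;
    bool timeout_added;   /* a timeout timer is armed for this call */
} pending_call;

/* Stand-in for the main loop's timer list; it holds a raw pointer, not a ref. */
struct reply_timer { bool active; int expires_at_ms; pending_call *target; };

static pending_call the_call;             /* one "allocation" suffices here */
static struct reply_timer timers[MAX_TIMERS];
static int dangling_hits;                 /* callbacks that ran on a freed call */

static void add_timeout(pending_call *p, int expires_at_ms) {
    for (int i = 0; i < MAX_TIMERS; i++)
        if (!timers[i].active) {
            timers[i] = (struct reply_timer){ true, expires_at_ms, p };
            p->timeout_added = true;
            return;
        }
}

static void remove_timeout(pending_call *p) {
    for (int i = 0; i < MAX_TIMERS; i++)
        if (timers[i].active && timers[i].target == p)
            timers[i].active = false;
    p->timeout_added = false;
}

/* send_with_reply: create the call and arm its timeout (resets the model). */
static pending_call *pending_call_new(int now_ms, int timeout_ms) {
    memset(timers, 0, sizeof timers);
    dangling_hits = 0;
    the_call = (pending_call){ PENDING_MAGIC, 1 /* caller's ref */, false };
    add_timeout(&the_call, now_ms + timeout_ms);
    return &the_call;
}

/* Poison instead of free() so the stale access is deterministic (real code: UAF). */
static void pending_call_unref(pending_call *p) {
    if (--p->refcount == 0) p->magic = FREED_MAGIC;
}

/* The timeout callback the main loop invokes for an armed timer. */
static void reply_timeout(pending_call *p) {
    if (p->magic != PENDING_MAGIC) { dangling_hits++; return; }  /* already gone */
    p->timeout_added = false;
}

static void dispatch_timers(int now_ms) {
    for (int i = 0; i < MAX_TIMERS; i++)
        if (timers[i].active && timers[i].expires_at_ms <= now_ms) {
            timers[i].active = false;
            reply_timeout(timers[i].target);
        }
}

/* Detach on the blocking path; 'fixed' adds the timeout_added check the report proposes. */
static void detach_pending_call(pending_call *p, bool fixed) {
    if (fixed && p->timeout_added) remove_timeout(p);
}

/* Blocking wait times out on its own clock (timer never fired), then the caller unrefs. */
static void send_and_time_out(bool fixed) {
    pending_call *p = pending_call_new(0, 100);
    detach_pending_call(p, fixed);
    pending_call_unref(p);         /* last ref: object gone, timer maybe not */
}

/* Timers still armed after the call was freed: the leak. */
int leaked_timers(bool fixed) {
    send_and_time_out(fixed);
    int n = 0;
    for (int i = 0; i < MAX_TIMERS; i++) n += timers[i].active;
    return n;
}

/* Timeout callbacks that later ran on the freed call: the crash. */
int dangling_callbacks(bool fixed) {
    send_and_time_out(fixed);
    dispatch_timers(150);          /* main loop runs after the 100 ms deadline */
    return dangling_hits;
}

int main(void) {
    printf("unfixed: %d leaked timer(s), %d callback(s) on a freed call\n",
           leaked_timers(false), dangling_callbacks(false));
    printf("fixed:   %d leaked timer(s), %d callback(s) on a freed call\n",
           leaked_timers(true), dangling_callbacks(true));
    return 0;
}
```

Compiled and run as-is, the unfixed path reports one leaked timer and one callback delivered to the freed call, and the fixed path reports none. The general lesson is the one the report draws: every registration that keeps a raw pointer to an object (timers, watches, hash-table entries) has to be torn down on the same path that drops the object's last reference, not only on the path where the registration's own callback fires.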
Comment 1 Colin Walters 2008-07-25 10:33:18 UTC
This appears to have been applied as:

commit cdca6dbce88fd1e1195e2a81eb6619c782df2fac
Author: Thiago Macieira <thiago@kde.org>
Date:   Sat May 17 10:09:20 2008 +0200

    Prevent a crash in some applications due to timers leaking after the
    DBusPendingCall object was freed.
    
        * dbus-connection.c: Remove the timer for the pending call's timeout in
          case the reply has timed out in blocking code. This fixes bug 15684.
