Bug 18573

Summary: Need to cancel priv->name_call in dbus-gproxy.c::unassociate_proxies()
Product: dbus
Component: GLib
Version: 1.2.x
Hardware: Other
OS: All
Status: RESOLVED FIXED
Severity: normal
Priority: medium
Reporter: Dan Williams <dcbw>
Assignee: Colin Walters <walters>
QA Contact: John (J5) Palmieri <johnp>
CC: walters
Attachments: cancel inflight name_call

Description Dan Williams 2008-11-17 10:18:19 UTC
If the GetNameOwner call hasn't completed by the time that the service goes away (if it's crashed, or whatever), and then the service gets restarted, then the original GetNameOwner call isn't canceled when the proxy is replaced by the proxy for the new service instance.  Thus, the g_assert (priv->associated == TRUE); will fail and abort the dbus-glib user.
Comment 1 Dan Williams 2008-11-17 10:22:23 UTC
Maybe something like:

	  if (!priv->for_owner)
	    {
	      if (priv->name_call)
		{
		  dbus_g_proxy_cancel_call (manager->bus_proxy, priv->name_call);
		  priv->name_call = NULL;
		}
	      else
		g_assert (priv->associated);

	      g_assert (priv->name_call == NULL);

	      priv->associated = FALSE;
	      manager->unassociated_proxies = g_slist_prepend (manager->unassociated_proxies, proxy);
	    }
Comment 2 Colin Walters 2008-11-17 10:38:03 UTC
That was my initial analysis, but I'm not so sure about it now.  I think now this may happen if there are multiple proxies outstanding, with their NameOwnerChanged callbacks in different states.  Still investigating...
Comment 3 Colin Walters 2008-11-17 10:53:11 UTC
Created attachment 20386
cancel inflight name_call

Ok, I re-convinced myself that was the bug.  Here's a provisional patch, still looking at writing a test case.
Comment 4 Dan Williams 2008-11-17 14:45:47 UTC
Your patch appears to fix the issue.  I can't get my reproducer to crash with the patch applied to current F10 dbus-glib 0.76 rpms.
Comment 5 Colin Walters 2008-11-17 15:40:29 UTC
commit 3ca014ea6b55cd843f1c80b04a4e0ec41af6210e
Author: Colin Walters <walters@verbum.org>
Date:   Mon Nov 17 18:30:32 2008 -0500

    Bug 18573 - Fix race when service appears and disappears quickly
    
    We can't assert that a for_name_owner proxy is associated when
    we disassociate; if a service appears and disappears quickly, we
    won't be associated yet.  So remove the assertion.
    Correspondingly we need to cancel any inflight GetNameOwner call
    when disassociating proxies to avoid leaking.
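
Added illustration (not part of the bug thread and not dbus-glib code): a toy C model of the race discussed above, in which a proxy is unassociated while its GetNameOwner lookup is still in flight. Only `associated` and `name_call` mirror names from the thread; the `Proxy`/`Bus` structs and all function names are hypothetical, and the old assertion is modelled as a `false` return instead of an abort.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model, NOT dbus-glib code. `associated` and `name_call` mirror the
 * fields named in the thread; all other names are hypothetical. */
typedef struct { bool associated; int name_call; /* 0 = no call in flight */ } Proxy;
typedef struct { int next_id; int cancelled_id; } Bus;

/* Service name appeared: start the async owner lookup. */
static void start_lookup(Bus *b, Proxy *p) { p->name_call = ++b->next_id; }

/* Reply arrives later; a cancelled call must never reach the proxy. */
static bool deliver_reply(const Bus *b, Proxy *p, int id) {
    if (id == b->cancelled_id || id != p->name_call) return false;
    p->name_call = 0;
    p->associated = true;
    return true;
}

/* Pre-fix shape: assumes every proxy is already associated.
 * Returns false where the real g_assert would abort the process. */
static bool unassociate_old(Proxy *p) {
    if (!p->associated) return false;
    p->associated = false;
    return true;
}

/* Shape of the Comment 1 snippet: cancel the in-flight call first. */
static bool unassociate_fixed(Bus *b, Proxy *p) {
    if (p->name_call) {
        b->cancelled_id = p->name_call;
        p->name_call = 0;
    } else if (!p->associated) {
        return false;
    }
    p->associated = false;
    return true;
}

int main(void) {
    Bus bus = {0}; Proxy a = {0}, b = {0};
    start_lookup(&bus, &a);              /* service appears ...            */
    printf("old:   %s\n", unassociate_old(&a) ? "ok" : "assert would fail");
    start_lookup(&bus, &b);              /* ... and vanishes before reply  */
    int stale = b.name_call;
    printf("fixed: %s\n", unassociate_fixed(&bus, &b) ? "ok" : "assert would fail");
    printf("stale reply delivered: %d\n", deliver_reply(&bus, &b, stale));
    return 0;
}
```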
