After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 673468 - SoupClientContext is accessed after being disposed
SoupClientContext is accessed after being disposed
Status: RESOLVED FIXED
Product: libsoup
Classification: Core
Component: HTTP Transport
2.38.x
Other Linux
: Normal normal
: ---
Assigned To: libsoup-maint@gnome.bugs
libsoup-maint@gnome.bugs
Depends on:
Blocks:
 
 
Reported: 2012-04-04 00:54 UTC by Jonny Lamb
Modified: 2012-04-04 17:02 UTC
See Also:
GNOME target: ---
GNOME version: ---

Attachments
backtrace (3.85 KB, application/octet-stream)
2012-04-04 00:54 UTC, Jonny Lamb 		  Details
server: keep a ref on the client context while clearing up (1.83 KB, patch)
2012-04-04 00:59 UTC, Jonny Lamb 		committed Details | Review

Description Jonny Lamb 2012-04-04 00:54:02 UTC 
Created attachment 211252 [details]
backtrace

We use libsoup in telepathy-salut to do OOB file transfers using the amusing iChat HTTP-based protocol. Sometimes in a file transfer test Salut will crash with the attached backtrace.

It only happens once every so often so is very hard to reproduce. Looking at the trace it seems to go something like this though:

1. Salut (Gibber) unrefs the SoupServer
2. the server goes through all its clients (SoupClientContext structs) and sets the client's message as finished
3. the message being finished means the callback to soup_message_read_request is called, 'request_finished'
4. request_finished unrefs the last ref on the client context, and so frees the struct
5. back into the dispose function loop, the client's socket gets disconnected
6. SoupSocket does some clearing up upon being disconnected and emits ::disconnected
5. SoupServer, still connected to SoupSocket::disconnected, has its 'socket_disconnected' callback called
6. this callback uses the already freed SoupClientContext struct and so kaboom.

It seems the easiest way to fix this is to hold a ref on the SoupClientContext struct for the duration of the cleanup so we can set the message as finished *and* disconnect the socket without disposing the client.

Patch on its way.
Comment 1 Jonny Lamb 2012-04-04 00:59:15 UTC 
Created attachment 211253 [details] [review]
server: keep a ref on the client context while clearing up

What do you think? Am I missing something here? I'm running the Salut test that would sometimes fail over and over again and no failures so far.
Comment 2 Dan Winship 2012-04-04 14:49:14 UTC 
Comment on attachment 211253 [details] [review]
server: keep a ref on the client context while clearing up

Makes sense (assuming that libsoup's own "make check" still passes).

One super minor nitpick:

>+		/* keep a ref on the client context so it doesn't get destroyed
>+		 * when we finish the message; the SoupSocket::disconnect
>+		 * handler will refer to client->server later when the socket is
>+		 * disconnected. */
>+		soup_client_context_ref (client);

The closing "*/" should be on the next line
Comment 3 Jonny Lamb 2012-04-04 17:02:44 UTC 
(In reply to comment #2)
> (From update of attachment 211253 [details] [review])
> Makes sense (assuming that libsoup's own "make check" still passes).

Yep.

> The closing "*/" should be on the next line

Fixed and pushed, thanks!