After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 696479 - gvfsmonitor.c: backend_died needs to take a ref while unsubscribing subscribers
gvfsmonitor.c: backend_died needs to take a ref while unsubscribing subscribers
Status: RESOLVED FIXED
Product: gvfs
Classification: Core
Component: daemon
1.15.x
Other Linux
: Normal major
: ---
Assigned To: Philip Langdale
gvfs-maint
Depends on:
Blocks:
 
 
Reported: 2013-03-24 05:57 UTC by Philip Langdale
Modified: 2013-04-02 10:12 UTC
See Also:
GNOME target: ---
GNOME version: ---

Attachments
Patch to fix bug (1.12 KB, patch)
2013-03-24 05:57 UTC, Philip Langdale 		committed Details | Review

Description Philip Langdale 2013-03-24 05:57:36 UTC 
Created attachment 239662 [details] [review]
Patch to fix bug

Although this code hasn't changed in a long time, when exercised in 1.15.x in the mtp backend, it will reliably fail in the following way.

When you unmount the MTP backend, a monitor happens to be in existence, for whatever reason, and the monitor has a weak ref on the backend that now fires. That monitor has one subscriber. It then turns out that the subscriber is holding the last ref to the monitor, so the act of unsubscribing it, releases the last ref on the monitor, causing it to be finalised. The code in backend_died then attempts to dereference the priv struct again and segfaults.

This can easily be avoided by having backend_died hold a ref to the monitor while doing the unsubscribing.
Comment 1 Tomas Bzatek 2013-04-02 10:12:34 UTC 
Comment on attachment 239662 [details] [review]
Patch to fix bug

Right, looks good.