GNOME Bugzilla – Bug 737023
tracker-bus: tracker_sparql_connection_query_async can crash if cancelled
Last modified: 2014-09-22 14:34:32 UTC
Looking at query_async in tracker-bus.vala:

The code issues a bus.send_message_with_reply.begin (wrapped by send_query), and while that is running it splices together a couple of streams asynchronously. Suppose the GCancellable is used while we are waiting for the splice to yield (and the send_query is running in the background). This might cause the splice to yield before the callback for send_query is invoked. (If it happens the other way around, then we are OK.)

In C, an error from splice_finish will lead to tracker_sparql_connection_query_async being completed after destroying the block that holds the scope for the send_query callback. So, when the send_query callback is invoked as a result of the same cancellation, it will try to access memory that is invalid because its scope has already been destroyed.

Unfortunately, my Vala skills are limited and I am not sure of the exact Vala construct that should be used to fix this. The easiest option, of course, is to not issue the send_query and splice simultaneously.
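
The ordering described in the report above, replayed as an added C model; it is not the Tracker source and not the attached patch. Block, Trace and cancel_during_splice are hypothetical names, and holding a reference per pending callback is shown as one general way to keep the scope alive, not as the fix that was applied.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed model, not Tracker code: Block stands in for the scope
 * shared by the splice and the send_query reply callback. */
typedef struct { bool freed; bool reply_hit_freed_block; } Trace;
typedef struct { int refs; } Block;

static Block *block_new(void) {
    Block *b = malloc(sizeof *b);
    if (b == NULL) abort();
    b->refs = 1;
    return b;
}

static void block_unref(Block *b, Trace *t) {
    if (--b->refs == 0) { t->freed = true; free(b); }
}

/* Reply callback of the background send. The real callback would
 * dereference its scope here; the model is handed NULL in place of a
 * dangling pointer, so the demonstration itself stays well-defined. */
static void on_reply(Block *b, Trace *t, bool holds_ref) {
    if (b == NULL) { t->reply_hit_freed_block = true; return; }
    if (holds_ref) block_unref(b, t);
}

/* Replays the order from the report: cancellation makes the splice fail
 * first, the caller completes and drops the scope, then the reply
 * callback fires. Returns true if the reply ran against a freed scope. */
bool cancel_during_splice(bool reply_holds_ref) {
    Trace t = { false, false };
    Block *b = block_new();
    if (reply_holds_ref) b->refs++;   /* pending callback owns a reference */
    block_unref(b, &t);               /* splice error path: caller is done */
    on_reply(t.freed ? NULL : b, &t, reply_holds_ref); /* late reply */
    return t.reply_hit_freed_block;
}

int main(void) {
    /* 0 when the unowned variant trips and the owned variant does not */
    return (cancel_during_splice(false) && !cancel_during_splice(true)) ? 0 : 1;
}
```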
Created attachment 286726
libtracker-bus: Don't crash if query_async is cancelled

Tested against the tracker-1.0 branch, but this also applies to master.
Created attachment 286815
libtracker-sparql: Add a test case
Created attachment 286817
libtracker-sparql: Add a test case

Some cosmetic adjustments.
From #tracker on GIMPNet:
14:26 <martyn> rishi: can you apply your patches and I will start testing/releasing :)
14:27 <rishi> martyn: ok