GNOME Bugzilla – Bug 680529
wrong reference count in g_async_queue_unref calls on exit
Last modified: 2012-08-01 22:14:24 UTC
The ephy_history_service_execute_quit function is called twice when the browser is closed by the user. The first call is made from "ephy_history_service_process_message": when the exit message is caught, "ephy_history_service_execute_quit" is called. The second call is made from the "run_history_service_thread" function, where there is a call to "ephy_history_service_execute_quit" after a do-while message loop. In both cases "ephy_history_service_execute_quit" is called and in the end "g_async_queue_unref" is called for the same object. Because of the wrong reference count, the reference object in the queue is already freed, and this leads to an invalid access to the freed object. In most cases this is not a problem, because it will not lead to a program crash or anything. In my case, I was using a different memory allocator than the regular glibc allocator, and that was the reason why I could catch this bug.
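The two quit paths described above, as an added example that models them in a small stand-alone C program; this is not Epiphany's code and does not use GLib. FakeQueue, Service, simulate_shutdown, shutdown_unref_calls and the message sequence are all constructed for the illustration. The `fixed` flag selects whether the second execute_quit() after the thread loop is present (0 reproduces the double unref, 1 models the fix). The fake queue records an unref of an already-released queue instead of touching freed memory, so the use-after-free is observable deterministically rather than only under a particular allocator.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a GAsyncQueue's reference count (not GLib code).
 * It records, instead of crashing on, an unref that arrives after the count
 * already hit zero, so the double-unref can be observed deterministically. */
typedef struct {
    int ref_count;
    int freed;        /* 1 once ref_count has reached zero ("memory released") */
    int unref_calls;  /* every unref call, including ones after "free" */
} FakeQueue;

static FakeQueue *fake_queue_new(void)
{
    FakeQueue *q = calloc(1, sizeof *q);
    if (!q)
        abort();
    q->ref_count = 1;
    return q;
}

/* Returns the remaining count, or -1 for an unref of an already-"freed" queue. */
static int fake_queue_unref(FakeQueue *q)
{
    q->unref_calls++;
    if (q->freed)
        return -1;
    if (--q->ref_count == 0)
        q->freed = 1;
    return q->ref_count;
}

typedef enum { MSG_WORK, MSG_QUIT } MsgType;

/* Hypothetical model of the history service's thread state. */
typedef struct {
    FakeQueue *queue;
    int quit_requested;
    int fixed;           /* 0: both quit paths (the bug), 1: only the message path (the fix) */
    int use_after_free;  /* set when an unref hits the released queue */
} Service;

/* Models ephy_history_service_execute_quit(): drops the thread's queue reference. */
static void execute_quit(Service *s)
{
    s->quit_requested = 1;
    if (fake_queue_unref(s->queue) < 0)
        s->use_after_free = 1;
}

/* Models ephy_history_service_process_message(): a QUIT message runs execute_quit(). */
static void process_message(Service *s, MsgType m)
{
    if (m == MSG_QUIT)
        execute_quit(s);
    /* MSG_WORK: nothing to do in this model */
}

/* Models run_history_service_thread(): a do-while loop over the queue, followed
 * (before the fix) by a second execute_quit(). Returns 1 if an unref hit the
 * released queue, 0 otherwise; *unref_calls receives the total unref count. */
static int run_history_service_thread(Service *s, const MsgType *msgs, size_t n,
                                      int *unref_calls)
{
    size_t i = 0;
    do {
        process_message(s, msgs[i++]);
    } while (!s->quit_requested && i < n);

    if (!s->fixed)
        execute_quit(s);   /* the redundant call removed by the fix */

    *unref_calls = s->queue->unref_calls;
    return s->use_after_free;
}

/* One shutdown over a constructed message sequence: some work, then QUIT. */
static int run_once(int fixed, int *unref_calls)
{
    static const MsgType msgs[] = { MSG_WORK, MSG_WORK, MSG_QUIT, MSG_WORK };
    Service s = { fake_queue_new(), 0, fixed, 0 };
    int uaf = run_history_service_thread(&s, msgs, sizeof msgs / sizeof msgs[0], unref_calls);
    free(s.queue);
    return uaf;
}

/* 1 if the shutdown unref'd the queue after it was already released, else 0. */
int simulate_shutdown(int fixed)
{
    int calls;
    return run_once(fixed, &calls);
}

/* Total number of unref calls the shutdown made on the queue. */
int shutdown_unref_calls(int fixed)
{
    int calls;
    run_once(fixed, &calls);
    return calls;
}

int main(void)
{
    int bug = simulate_shutdown(0), bug_calls = shutdown_unref_calls(0);
    int fix = simulate_shutdown(1), fix_calls = shutdown_unref_calls(1);
    printf("before fix: use-after-free=%d unref calls=%d\n", bug, bug_calls);
    printf("after fix:  use-after-free=%d unref calls=%d\n", fix, fix_calls);
    return 0;
}
```

With the redundant call present the queue is unref'd twice for one reference, and the second unref lands on a released object; with only the message-path call the count reaches zero exactly once. The same shape of check (a test double for the refcounted object that counts unrefs past zero) is a cheap way to catch this class of bug without depending on the allocator to notice.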
Created attachment 220037: ephy-history-service: prevent double call to execute_quit()

execute_quit() is called already when the QUIT message is received, there is no need to call it after the thread loop quits.
Slightly related, I noticed that anyone leaking a reference to the global EphyShell will prevent the service to be shutdown correctly (which might lead to pending database commits not happening), so we probably need an explicit shutdown method to call on app quit.
Review of attachment 220037: Make it so.
Attachment 220037 pushed as bf64be0 - ephy-history-service: prevent double call to execute_quit()