Bug 682099 - Crash occurs destroying a GUPnPContextManager object after expiry of resources
Status: RESOLVED FIXED
Product: gssdp
Classification: Other
Component: General
Version: 0.12.x
Hardware: Other Linux
Importance: Normal major
Target Milestone: ---
Assigned To: GUPnP Maintainers
QA Contact: GUPnP Maintainers
Depends on:
Blocks:
 
 
Reported: 2012-08-17 13:09 UTC by Mark Ryan
Modified: 2019-02-22 09:29 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
Patch to prevent signals with NULL parameters being emitted by GSSDP (1.85 KB, patch)
2012-08-17 13:09 UTC, Mark Ryan
committed

Description Mark Ryan 2012-08-17 13:09:08 UTC
Created attachment 221602
Patch to prevent signals with NULL parameters being emitted by GSSDP

Hi All,

I sometimes get a crash in gupnp when I close down my application.  This happens when unreffing my GUPnPContextManager.  I'm using the Linux context manager but I'm not sure the particular context manager in use is important.  Here is the backtrace.

  • #0 parse_usn
    at gupnp-control-point.c line 645
  • #1 gupnp_control_point_resource_unavailable
    at gupnp-control-point.c line 753
  • #2 g_cclosure_marshal_VOID__STRINGv
    at /build/buildd/glib2.0-2.32.3/./gobject/gmarshal.c line 1004
  • #3 g_type_class_meta_marshalv
    at /build/buildd/glib2.0-2.32.3/./gobject/gclosure.c line 997
  • #4 _g_closure_invoke_va
    at /build/buildd/glib2.0-2.32.3/./gobject/gclosure.c line 840
  • #5 g_signal_emit_valist
    at /build/buildd/glib2.0-2.32.3/./gobject/gsignal.c line 3207
  • #6 g_signal_emit
    at /build/buildd/glib2.0-2.32.3/./gobject/gsignal.c line 3352
  • #7 clear_cache_helper
    at gssdp-resource-browser.c line 968
  • #8 g_hash_table_foreach_remove_or_steal
    at /build/buildd/glib2.0-2.32.3/./glib/ghash.c line 1408
  • #9 clear_cache
    at gssdp-resource-browser.c line 983
  • #10 gssdp_resource_browser_set_active
    at gssdp-resource-browser.c line 565
  • #11 gupnp_control_point_dispose
    at gupnp-control-point.c line 152
  • #12 g_object_unref
    at /build/buildd/glib2.0-2.32.3/./gobject/gobject.c line 2981
  • #13 on_context_unavailable
    at gupnp-context-manager.c line 106
  • #14 g_cclosure_marshal_VOID__OBJECTv
    at /build/buildd/glib2.0-2.32.3/./gobject/gmarshal.c line 1312
  • #15 _g_closure_invoke_va
    at /build/buildd/glib2.0-2.32.3/./gobject/gclosure.c line 840
  • #16 g_signal_emit_valist
    at /build/buildd/glib2.0-2.32.3/./gobject/gsignal.c line 3207
  • #17 g_signal_emit_by_name
    at /build/buildd/glib2.0-2.32.3/./gobject/gsignal.c line 3389
  • #18 network_device_free
    at gupnp-linux-context-manager.c line 229
  • #19 g_hash_table_remove_all_nodes
    at /build/buildd/glib2.0-2.32.3/./glib/ghash.c line 536
  • #20 g_hash_table_remove_all
    at /build/buildd/glib2.0-2.32.3/./glib/ghash.c line 1345
  • #21 g_hash_table_destroy
    at /build/buildd/glib2.0-2.32.3/./glib/ghash.c line 1049
  • #22 gupnp_linux_context_manager_dispose
    at gupnp-linux-context-manager.c line 705
  • #23 g_object_unref
    at /build/buildd/glib2.0-2.32.3/./gobject/gobject.c line 2981


Although the crash is happening in GUPnP I think the bug is actually in GSSDP.  The crash seems to occur after a Resource object expires.  When this happens a signal is emitted, the Resource object's USN is deleted and set to NULL and an attempt is made to remove the Resource object from the resource_browser->priv->resources hash table.  This all happens in resource_expire.  

The problem seems to be that there is a bug in resource_expire which sometimes prevents the Resource object being removed from the resource_browser->priv->resources hash table.  This causes a problem later on when the ContextManager is deleted.   During the destruction of the ContextManager a signal is emitted with the USN of each resource left in resource_browser->priv->resources.  The problem is that the expired resources are still in this list and their USN is set to NULL.  The signal results in the passing of a NULL usn parameter to parse_usn in GUPnP which crashes as it is not expecting to receive NULL parameters.

I hope this analysis is correct.  Assuming that it is, please find attached a patch that should fix the problem.
Comment 1 Jens Georg 2012-08-17 13:27:53 UTC
Ah, dread, that's fallout from 4ad03d. Fix looks ok; I'll write a test for this and apply the patch later. Thank you.
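
The failure mode analysed in the description, reduced to a small stand-alone C model. This is an added example, not GSSDP or GUPnP source and not the attached patch; the table layout, function names and USN strings are assumptions made for illustration. It shows an expired entry left in the cache with a NULL USN reaching the "unavailable" handler during teardown, and a NULL check at emission time keeping it out.

```c
/* Simplified model of the reported failure; hypothetical names, not GSSDP code. */
#include <stdio.h>
#define MAX_RES 8
typedef struct { const char *usn; int in_use; } Resource;
typedef void (*UnavailableCb)(const char *usn, void *user_data);

/* Cache a resource under its USN; returns the slot index or -1 if full. */
static int browser_add(Resource *tab, const char *usn) {
    for (int i = 0; i < MAX_RES; i++)
        if (!tab[i].in_use) {
            tab[i] = (Resource){ usn, 1 };
            return i;
        }
    return -1;
}

/* Faulty expiry as described: the USN is cleared to NULL, the entry stays. */
static void expire_without_removal(Resource *tab, int idx) { tab[idx].usn = NULL; }

/* Teardown: signal "unavailable" for each cached entry, then drop it.
 * guard != 0 skips entries whose USN is already NULL. Returns callbacks made. */
static int clear_cache(Resource *tab, int guard, UnavailableCb cb, void *user_data) {
    int emitted = 0;
    for (int i = 0; i < MAX_RES; i++) {
        if (!tab[i].in_use) continue;
        if (tab[i].usn != NULL || !guard) { cb(tab[i].usn, user_data); emitted++; }
        tab[i] = (Resource){ NULL, 0 };
    }
    return emitted;
}

/* Stand-in handler: counts NULL USNs where a USN parser would dereference. */
static void count_null_usn(const char *usn, void *user_data) {
    if (usn == NULL) (*(int *)user_data)++;
}

/* Returns how many NULL USNs reached the handler during teardown. */
static int run_scenario(int guard) {
    Resource tab[MAX_RES] = {{0}};
    int nulls = 0;
    browser_add(tab, "uuid:constructed-1::upnp:rootdevice"); /* constructed USNs */
    expire_without_removal(tab, browser_add(tab, "uuid:constructed-2::upnp:rootdevice"));
    clear_cache(tab, guard, count_null_usn, &nulls);
    return nulls;
}

int main(void) {
    printf("unguarded: %d, guarded: %d\n", run_scenario(0), run_scenario(1));
    return 0;
}
```

The guard only keeps the NULL away from handlers; the stale entry itself still comes from the expiry path failing to remove it from the table.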