GNOME Bugzilla – Bug 683404
G_CRITICALs and eventual crashes in try_run_until_read()
Last modified: 2012-09-17 17:56:56 UTC
Sometimes after a message is canceled:

1- the msg queue item is removed from the queue
2- the msg queue item ref_count becomes 0
3- a source is dispatched and read_ready_cb() is called

So there are a couple of problems with that:

a) the msg queue item is freed, so we're dealing with invalid memory
b) accessing item in try_run_until_read() might work, but the function will always fail because there is nothing inside item (neither result, nor callback, nor anything)

I found a pretty reliable way to reproduce this:

1- go to http://wildammo.com/2012/06/15/kodak-moment-55-perfectly-timed-hilariously-epic-photos
2- repeatedly click on the right arrow to check the next photo without letting the photo load completely

BTW the criticals look like:

GLib-GIO-CRITICAL **: g_simple_async_result_take_error: assertion `G_IS_SIMPLE_ASYNC_RESULT (simple)' failed
GLib-GIO-CRITICAL **: g_simple_async_result_complete: assertion `G_IS_SIMPLE_ASYNC_RESULT (simple)' failed
GLib-GObject-CRITICAL **: g_object_unref: assertion `G_IS_OBJECT (object)' failed

and the crashes are caused by invalid accesses to the message queue item fields.
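The sequence in the report (queue drops its reference on cancel, refcount hits zero, a still-pending source then dispatches a callback onto the freed item) is a classic refcount-lifetime mismatch. The toy model below, added here and not libsoup's code, reproduces that shape in plain C: `Item`, `Queue`, `run_scenario()` and the rest are constructed stand-ins, not SoupMessageQueueItem or the real read_ready_cb(). Memory is never actually freed so the callback can detect the stale access instead of performing a real use-after-free; `live` drops to 0 where the real free would happen. The `fixed` path shows the general remedy: whoever schedules an async callback takes its own reference for the callback's lifetime.

```c
#include <stdio.h>

/* Constructed stand-in for a refcounted queue item (not SoupMessageQueueItem). */
typedef struct {
    int ref_count;
    int live;        /* 1 while "allocated", 0 after the simulated free */
    int completed;   /* set when the callback ran against a valid item */
} Item;

/* Constructed stand-in for the message queue: holds one owning reference. */
typedef struct {
    Item *item;
    int   source_pending;   /* a main-loop source is attached but not yet dispatched */
} Queue;

static Item *item_ref(Item *item)
{
    item->ref_count++;
    return item;
}

static void item_unref(Item *item)
{
    if (--item->ref_count == 0)
        item->live = 0;     /* where the struct would really be freed */
}

/* Stand-in for the dispatched callback. Returns 1 if it touched a dead
 * item, which is where the G_CRITICALs / crash in the report would occur. */
static int read_ready_cb(Item *item)
{
    if (!item->live)
        return 1;
    item->completed = 1;
    return 0;
}

typedef struct {
    int invalid_accesses;   /* callbacks that ran against a freed item */
    int completed;          /* callbacks that ran normally */
    int leaked;             /* 1 if the item is still live at the end */
} Result;

/* fixed == 0: only the queue owns a reference; cancel drops it before the
 *             pending source is dispatched (the reported bug pattern).
 * fixed != 0: attaching the source takes a reference owned by the pending
 *             callback, released only after the callback has run. */
static Result run_scenario(int fixed)
{
    Item   item  = { 0, 1, 0 };
    Queue  queue = { item_ref(&item), 0 };
    Item  *cb_data = &item;
    Result res = { 0, 0, 0 };

    /* 1. a source is attached while the read is in progress */
    queue.source_pending = 1;
    if (fixed)
        cb_data = item_ref(&item);      /* callback's own reference */

    /* 2. the message is cancelled: the queue drops its reference */
    item_unref(queue.item);
    queue.item = NULL;

    /* 3. the main loop still dispatches the pending source */
    if (queue.source_pending) {
        res.invalid_accesses = read_ready_cb(cb_data);
        queue.source_pending = 0;
        if (fixed)
            item_unref(cb_data);        /* release the callback's reference */
    }

    res.completed = item.completed;
    res.leaked = item.live;
    return res;
}

int main(void)
{
    Result buggy = run_scenario(0);
    Result ok    = run_scenario(1);
    printf("buggy: invalid_accesses=%d completed=%d leaked=%d\n",
           buggy.invalid_accesses, buggy.completed, buggy.leaked);
    printf("fixed: invalid_accesses=%d completed=%d leaked=%d\n",
           ok.invalid_accesses, ok.completed, ok.leaked);
    return 0;
}
```

The check a reviewer would apply to any such fix is the pair of counters above: the callback must never see a dead item, and the item must still reach refcount zero afterwards, otherwise the "fix" has simply traded a use-after-free for a leak (which is exactly the kind of leak that was masking this bug before the commit mentioned later in the thread).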
After some bisecting it looks like it all started with this: 61b86e07
So the relevant part of that commit is presumably the part where we no longer leak SoupMessageQueueItems on redirects... it must have been hiding a refcounting/cleanup bug elsewhere.
Created attachment 223671
Tentative fix

So this partial revert nukes the CRITICALs.
I don't know why your patch would have fixed things (or, for that matter, why my valgrind fixes broke it), but I've committed another fix that definitely does make sense (and fixes this bug).