Crash: dbus_timeout_handle for already deleted pending calls via dbus_connection_send_with_reply_and_block()

Thiago Macieira thiago at kde.org
Thu Feb 5 23:43:01 PST 2009


Ville M. Vainio wrote:
>I have a problem. I don't understand why I have 'timeouts' for pending
>calls that don't exist anymore.
>
>I have (rare) crashes that look like this (no, I don't have a core for this):
>
>QQQ
>
>#0  _dbus_connection_lock (connection=0x616d6740) at dbus-connection.c:355
>#1  0x41263cf8 in _dbus_pending_call_get_connection_and_lock (pending=0x1756c0) at dbus-pending-call.c:309
>#2  0x4125695c in reply_handler_timeout (data=0x616d6740) at dbus-connection.c:3116
>#3  0x41268910 in dbus_timeout_handle (timeout=0x1756f0) at dbus-timeout.c:473
>#4  0x4138e9cc in timeout_handler_dispatch (data=<value optimized out>) at dbus-gmain.c:343
>#5  0x4119f2a8 in g_timeout_dispatch (source=0x175718, callback=0x4138e9bc <timeout_handler_dispatch>, user_data=0x616d6740) at gmain.c:3587
>#6  0x4119e9dc in IA__g_main_context_dispatch (context=0xb3748) at gmain.c:2142
>#7  0x411a2470 in g_main_context_iterate (context=0xb3748, block=1, dispatch=1, self=<value optimized out>) at gmain.c:2776
>
>QQQ

I fixed a similar bug in QtDBus a few months ago.

dbus_connection_send_with_reply_and_block creates and deletes a 
DBusTimeout object before it returns. As far as I can tell, the external 
timeout object is unnecessary, but it's a side-effect of the internal 
infrastructure.

The problem is that the implementation of timeouts and watches in Qt must 
be done in the proper thread, but libdbus-1 sends them from any thread. 
When the callback is called in the wrong thread, it queues the timeout 
addition or removal.

The problem is, there's a race condition between the wrong-thread-removal 
and the right-thread handling, usually simply asking dbus what the timeout 
is.

Now, I don't know the threading internals about dbus-glib, but it could be 
a similar condition. However, given the backtrace, it would seem to 
indicate that the timeout object did not get removed after send_and_block 
requested that it be removed.

-- 
  Thiago Macieira  -  thiago (AT) macieira.info - thiago (AT) kde.org
    PGP/GPG: 0x6EF45358; fingerprint:
    E067 918B B660 DBD1 105C  966C 33F5 F005 6EF4 5358
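The race Thiago describes (a blocking call adds and removes its DBusTimeout from the wrong thread, the integration defers both to the right thread, and by the time the right thread asks dbus about the timeout the object is already gone) is reproduced below as an added, self-contained C simulation. It is not libdbus, Qt or dbus-glib code: MockTimeout stands in for DBusTimeout, EventQueue and run_scenario stand in for a main-loop integration, and the "safe" variant (snapshot the interval inside the callback while the object is valid, and let a deferred remove cancel a deferred add for the same pointer) is one defensive pattern assumed here, not the fix that was shipped.

```c
/* Added simulation of the deferred timeout add/remove queue discussed above.
 * Not libdbus, Qt or dbus-glib code: MockTimeout stands in for DBusTimeout,
 * EventQueue for the wrong-thread -> right-thread hand-off.  All names here
 * are hypothetical. */
#include <stdbool.h>
#include <stdio.h>

typedef struct {
    int interval_ms;
    bool freed;            /* set once libdbus would have destroyed the object */
} MockTimeout;

typedef enum { EV_ADD, EV_REMOVE } EventKind;

typedef struct {
    EventKind kind;
    MockTimeout *timeout;  /* only valid while libdbus keeps the object alive */
    int interval_ms;       /* snapshot taken inside the callback (safe variant) */
} Event;

#define MAX_EVENTS 16
typedef struct {
    Event items[MAX_EVENTS];
    int count;
} EventQueue;

static void queue_push(EventQueue *q, Event e)
{
    if (q->count < MAX_EVENTS)
        q->items[q->count++] = e;
}

/* Naive wrong-thread callbacks: remember the pointer, ask dbus about it later. */
static void naive_add_timeout(EventQueue *q, MockTimeout *t)
{
    Event e = { EV_ADD, t, 0 };
    queue_push(q, e);
}

static void naive_remove_timeout(EventQueue *q, MockTimeout *t)
{
    Event e = { EV_REMOVE, t, 0 };
    queue_push(q, e);
}

/* Defensive variant (an assumption, not the shipped fix): read the interval
 * while the object is still valid, and let a REMOVE cancel any ADD for the
 * same pointer that the right thread has not processed yet. */
static void safe_add_timeout(EventQueue *q, MockTimeout *t)
{
    Event e = { EV_ADD, t, t->interval_ms };
    queue_push(q, e);
}

static void safe_remove_timeout(EventQueue *q, MockTimeout *t)
{
    int w = 0;
    bool cancelled = false;
    for (int r = 0; r < q->count; r++) {
        if (q->items[r].kind == EV_ADD && q->items[r].timeout == t) {
            cancelled = true;  /* drop the stale ADD instead of queueing a REMOVE */
            continue;
        }
        q->items[w++] = q->items[r];
    }
    q->count = w;
    if (!cancelled) {
        Event e = { EV_REMOVE, t, 0 };
        queue_push(q, e);
    }
}

/* Right-thread drain.  ask_object=true models "simply asking dbus what the
 * timeout is" after the fact.  Returns how many such reads hit a freed object;
 * *armed_interval_ms is the interval of the armed timer, or -1 if none. */
static int drain(EventQueue *q, bool ask_object, int *armed_interval_ms)
{
    int use_after_free = 0;
    *armed_interval_ms = -1;
    for (int i = 0; i < q->count; i++) {
        Event *e = &q->items[i];
        if (e->kind == EV_REMOVE) {
            *armed_interval_ms = -1;
            continue;
        }
        if (ask_object) {
            if (e->timeout->freed) {
                use_after_free++;  /* the dereference behind the backtrace above */
                continue;
            }
            *armed_interval_ms = e->timeout->interval_ms;
        } else {
            *armed_interval_ms = e->interval_ms;
        }
    }
    q->count = 0;
    return use_after_free;
}

/* Scenario: a blocking call on the wrong thread adds its timeout; if it also
 * finishes before the right thread runs, it removes the timeout and libdbus
 * frees it.  Returns the number of use-after-free reads during the drain. */
static int run_scenario(bool safe, bool blocking_call_finishes, int *armed_interval_ms)
{
    EventQueue q;
    MockTimeout t = { 25000, false };  /* constructed sample timeout */
    q.count = 0;
    if (safe) safe_add_timeout(&q, &t); else naive_add_timeout(&q, &t);
    if (blocking_call_finishes) {
        if (safe) safe_remove_timeout(&q, &t); else naive_remove_timeout(&q, &t);
        t.freed = true;  /* send_with_reply_and_block returned and destroyed it */
    }
    return drain(&q, !safe, armed_interval_ms);
}

int main(void)
{
    int iv;
    printf("naive, call finished: %d use-after-free\n", run_scenario(false, true, &iv));
    printf("safe,  call finished: %d use-after-free, armed=%d\n", run_scenario(true, true, &iv), iv);
    return 0;
}
```

The naive drain reports one freed-object read for the blocking-call case, which is the same ordering the GLib backtrace shows (a timeout handler firing for a pending call that no longer exists); the safe variant never touches the DBusTimeout outside the callback that was given a valid pointer, so the deferred add simply disappears when the deferred remove arrives. Both variants still arm the timer normally when the blocking call has not finished by the time the right thread drains the queue.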