[Spice-devel] [PATCH] fixup! DCC: change how fill_bits() marshalls data by reference

Jonathon Jongsma jjongsma at redhat.com
Fri Dec 16 21:55:02 UTC 2016 

This is a possible fix for Frediano's crash. We discussed this on IRC a
bit and I could not actually reproduce this issue. But I have a possible
theory about why the drawable may be being kept alive longer than
expected. In the past, we unreffed the pipe item directly in
red_channel_client_on_out_msg_done(). Now we rely on the marshaller to
free/unref the data, but this only happens when spice_marshaller_reset()
is called. At the moment, this function is not called until right before
the next message is sent (in red_channel_client_send_item()). To make
sure that the data is cleaned up after being sent, I've added a reset
call to _on_out_msg_done() as well.
---
 server/red-channel-client.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/server/red-channel-client.c b/server/red-channel-client.c
index 23c9ad4..01bfe17 100644
--- a/server/red-channel-client.c
+++ b/server/red-channel-client.c
@@ -547,13 +547,12 @@ static void red_channel_client_restore_main_sender(RedChannelClient *rcc)
     rcc->priv->send_data.header.data = rcc->priv->send_data.main.header_data;
 }
 
+static void red_channel_client_clear_sent_item(RedChannelClient *rcc);
 void red_channel_client_on_out_msg_done(void *opaque)
 {
     RedChannelClient *rcc = RED_CHANNEL_CLIENT(opaque);
     int fd;
 
-    rcc->priv->send_data.size = 0;
-
     if (spice_marshaller_get_fd(rcc->priv->send_data.marshaller, &fd)) {
         if (reds_stream_send_msgfd(rcc->priv->stream, fd) < 0) {
             perror("sendfd");
@@ -578,6 +577,7 @@ void red_channel_client_on_out_msg_done(void *opaque)
         spice_assert(rcc->priv->send_data.header.data != NULL);
         red_channel_client_begin_send_message(rcc);
     } else {
+        red_channel_client_clear_sent_item(rcc);
         if (rcc->priv->latency_monitor.timer
             && !rcc->priv->send_data.blocked
             && g_queue_is_empty(&rcc->priv->pipe)) {
@@ -1575,6 +1575,7 @@ static void red_channel_client_clear_sent_item(RedChannelClient *rcc)
 {
     rcc->priv->send_data.blocked = FALSE;
     rcc->priv->send_data.size = 0;
+    spice_marshaller_reset(rcc->priv->send_data.marshaller);
 }
 
 // TODO: again - what is the context exactly? this happens in channel disconnect. but our
-- 
2.7.4

More information about the Spice-devel mailing list