[PATCH wayland] wayland-client : Fix queue_release not to call proxy_destroy
Daniel Stone
daniel at fooishbar.org
Thu Aug 6 00:56:33 PDT 2015
Hi,
On 31 July 2015 at 10:02, Elvis Lee <kwangwoong.lee at lge.com> wrote:
> proxy_destroy could be called twice by wl_proxy_destroy and wl_event_queue_release.
> Then, wl_map_remove was called twice for the same object id.
>
> Signed-off-by: Elvis Lee <kwangwoong.lee at lge.com>
> ---
> src/wayland-client.c | 10 ++++++----
> 1 file changed, 6 insertions(+), 4 deletions(-)
>
> diff --git a/src/wayland-client.c b/src/wayland-client.c
> index 0f1405c..a593f7f 100644
> --- a/src/wayland-client.c
> +++ b/src/wayland-client.c
> @@ -256,6 +256,7 @@ wl_event_queue_release(struct wl_event_queue *queue)
> {
> struct wl_closure *closure;
> struct wl_proxy *proxy;
> + bool proxy_destroyed;
>
> while (!wl_list_empty(&queue->event_list)) {
> closure = container_of(queue->event_list.next,
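
Review bot: proxy_destroyed is declared at the top of wl_event_queue_release, but it describes the proxy of a single closure and is only assigned and read inside the while loop. Declaring it in the loop body, or testing proxy->flags & WL_PROXY_FLAG_DESTROYED directly where it is needed, would keep a value from one iteration from being visible in the next. The new bool also depends on <stdbool.h> being included in this file, which the visible context does not show.
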
> @@ -265,10 +266,11 @@ wl_event_queue_release(struct wl_event_queue *queue)
> decrease_closure_args_refcount(closure);
>
> proxy = closure->proxy;
> - if (proxy->refcount == 1)
> - proxy_destroy(proxy);
> - else
> - --proxy->refcount;
> + proxy_destroyed = !!(proxy->flags & WL_PROXY_FLAG_DESTROYED);
> +
> + proxy->refcount--;
> + if (proxy_destroyed && !proxy->refcount)
> + free(proxy);
>
> wl_closure_destroy(closure);
> }
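
Review bot: after proxy->refcount-- nothing handles the count reaching zero while WL_PROXY_FLAG_DESTROYED is clear, so in that case the proxy is neither freed nor destroyed and is left with refcount 0. If that state is meant to be impossible because a live proxy always holds its own reference, state it in a comment or assert it before the decrement. The free(proxy) path also repeats by hand what the reply below calls proxy_destroy's bottom half, so a small shared helper for "drop a reference, free at zero" would keep the two paths from drifting apart. The !! is redundant when assigning to a bool.
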

Certainly this doesn't make things worse. From my reading:
  - if wl_proxy_destroy has not already been called, then the refcount
    could not be down to 1, so this change has no effect
  - if wl_proxy_destroy has already been called, we skip the
    object-map manipulation and just do the same as proxy_destroy's bottom
    half

This does leave a potential error case where the queue is released
whilst the object holds a dangling pointer to it, but that's already
true today, so, pushed:
  bbe6795..441f9bb  master -> master

Cheers,
Daniel
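
The double removal described in the commit message, as an added example in C (not code from the patch, the thread or Wayland). It is a simplified model: struct proxy, map_removals, release_old, release_new and removals_after are hypothetical stand-ins, and proxy_destroy is assumed to update the object map before dropping a reference.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#define FLAG_DESTROYED 1u	/* stands in for WL_PROXY_FLAG_DESTROYED */
struct proxy { unsigned id, flags; int refcount; };	/* hypothetical model, not wl_proxy */
int map_removals[8];		/* how often each id left the object map */

/* Assumed shape of proxy_destroy: map update, then the "bottom half". */
void proxy_destroy(struct proxy *p)
{
	map_removals[p->id]++;
	p->flags |= FLAG_DESTROYED;
	if (--p->refcount == 0)
		free(p);
}

/* Pre-patch per-closure logic from wl_event_queue_release. */
void release_old(struct proxy *p)
{
	if (p->refcount == 1)
		proxy_destroy(p);	/* second map removal if already destroyed */
	else
		--p->refcount;
}

/* Post-patch logic: drop the reference, free only if already destroyed. */
void release_new(struct proxy *p)
{
	bool destroyed = p->flags & FLAG_DESTROYED;
	p->refcount--;
	if (destroyed && !p->refcount)
		free(p);
}

/* Destroy a proxy with one queued event (refcount 2), release the queue, count removals. */
int removals_after(void (*release)(struct proxy *))
{
	struct proxy *p = malloc(sizeof *p);
	if (!p) return -1;
	*p = (struct proxy){ .id = 3, .flags = 0, .refcount = 2 };	/* constructed id */
	map_removals[3] = 0;
	proxy_destroy(p);	/* client calls wl_proxy_destroy */
	release(p);		/* queue released with the event still pending */
	return map_removals[3];
}

int main(void)
{
	printf("old=%d new=%d\n", removals_after(release_old), removals_after(release_new));
}
```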