Hi, On 31 July 2015 at 10:02, Elvis Lee <[email protected]> wrote: > proxy_destroy could be called twice by wl_proxy_destroy and > wl_event_queue_release. > Then, wl_map_remove was called twice for same object id. > > Signed-off-by: Elvis Lee <[email protected]> > --- > src/wayland-client.c | 10 ++++++---- > 1 file changed, 6 insertions(+), 4 deletions(-) > > diff --git a/src/wayland-client.c b/src/wayland-client.c > index 0f1405c..a593f7f 100644 > --- a/src/wayland-client.c > +++ b/src/wayland-client.c > @@ -256,6 +256,7 @@ wl_event_queue_release(struct wl_event_queue *queue) > { > struct wl_closure *closure; > struct wl_proxy *proxy; > + bool proxy_destroyed; > > while (!wl_list_empty(&queue->event_list)) { > closure = container_of(queue->event_list.next, > @@ -265,10 +266,11 @@ wl_event_queue_release(struct wl_event_queue *queue) > decrease_closure_args_refcount(closure); > > proxy = closure->proxy; > - if (proxy->refcount == 1) > - proxy_destroy(proxy); > - else > - --proxy->refcount; > + proxy_destroyed = !!(proxy->flags & WL_PROXY_FLAG_DESTROYED); > + > + proxy->refcount--; > + if (proxy_destroyed && !proxy->refcount) > + free(proxy); > > wl_closure_destroy(closure); > }
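Review bot: in the second hunk, the `proxy->refcount--` path handles the not-yet-destroyed case only implicitly: when WL_PROXY_FLAG_DESTROYED is clear the count is decremented and nothing else happens, which is safe only because an undestroyed proxy is assumed to still hold its owner's reference and therefore cannot reach zero here; a one-line comment stating that invariant above `proxy->refcount--` would make the change easier to audit, since the old code's `proxy_destroy(proxy)` fallback for `refcount == 1` is gone. Minor style points: `!!(proxy->flags & WL_PROXY_FLAG_DESTROYED)` is already converted when assigned to a `bool`, so the `!!` is redundant, and the new `bool` local in the first hunk should be checked against the file's includes (`<stdbool.h>`), which this diff does not show.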
Certainly this doesn't make things worse. From my reading:

- if wl_proxy_destroy has not already been called, then the refcount could not be down to 1, so this change has no effect
- if wl_proxy_destroy has already been called, we skip the object-map manipulation and just do the same as proxy_destroy's bottom half

This does leave a potential error case where the queue is released whilst the object holds a dangling pointer to it, but that's already true today, so, pushed:

bbe6795..441f9bb master -> master

Cheers,
Daniel

_______________________________________________
wayland-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/wayland-devel
