dbus: DbusScreen object used after destructed
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Compiz | Fix Released | Undecided | Unassigned | |
Bug Description
For a long time I had the experience that compiz sometimes crashed when enabling / disabling plugins. Looking into a bug with the dbus interface (https:/
This might be related to the following bugs:
https:/
https:/
Steps to reproduce:
1. Open CCSM
2. Enable any plugin that has a dbus interface (e.g. annotate, used in the later example)
3. Enable the D-Bus plugin (if it was disabled)
4. Disable the D-Bus plugin
5. Enable the D-Bus plugin again
6. Send any command via dbus, e.g.
dbus-send --print-reply --type=method_call --dest=
Compiz crashes (tried with a debug build from the latest git source).
I've identified a possible cause: a DbusScreen object is used after its lifetime has ended. I've created a branch which simply includes statements to print the value of 'this' in the constructor and destructor of DbusScreen and in DbusScreen:
https:/
Running with this patch, I get the following output (only the relevant part):
DBusScreen ctor: this: 0x5582df315090, connection: 0x5582df318840, fd: 12, watchFdHandle: 2
DBusScreen dtor: this: 0x5582df315090, connection: 0x5582df318840, watchFdHandle: 2
DBusScreen ctor: this: 0x5582df377de0, connection: 0x5582df318840, fd: 12, watchFdHandle: 3
DbusScreen:
dbus[15474]: arguments to dbus_connection
This is normally a bug in some application using the D-Bus library.
D-Bus not built with -rdynamic so unable to print a backtrace
The first constructor call is at step 3 (enabling D-Bus the first time), the destructor is called at step 4 (disabling D-Bus), and the second constructor call is at step 5 (enabling the second time). Note that the second object has a different memory address.
When in processMessages() (triggered by step 6, i.e. sending a dbus command), the original object is still accessed, which results in a crash. Particularly in this case, the reason is that the 'connection' member (referring to the DBusConnection object used) happens to be NULL.
This is strange given that the constructor seems to set up the callback properly (lines 1780-1783) and the destructor inactivates it (line 1829). With the D-Bus plugin disabled, the crash does not occur, but this is probably due to dbus-send not being able to find the interfaces.
I'm attaching a stacktrace.
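The enable, disable, enable, message sequence from the steps above, replayed against a minimal model as an added example (not Compiz code and not the fix from the merge proposal). WatchTable, Screen and replay are hypothetical names; the model assumes a callback registered in the constructor that captures 'this', and shows how a liveness token lets a callback that outlived its owner be detected instead of dereferencing the destroyed object.

```cpp
#include <cstdio>
#include <functional>
#include <map>
#include <memory>

// Hypothetical stand-in for an event loop's fd-watch table (not Compiz code).
struct WatchTable {
    std::map<int, std::function<bool()>> watches;  // handle -> callback
    int next = 2;  // constructed: handles start at 2 to mirror the log above
    int add(std::function<bool()> cb) { watches[next] = std::move(cb); return next++; }
    void remove(int h) { watches.erase(h); }
    // Runs every callback; returns how many reported that their owner is gone.
    int dispatch() {
        int stale = 0;
        for (auto &w : watches) if (!w.second()) ++stale;
        return stale;
    }
};

// Hypothetical plugin-screen object that registers a callback in its constructor.
struct Screen {
    WatchTable &table;
    std::shared_ptr<int> alive = std::make_shared<int>(0);  // liveness token, dies with *this
    int handle;
    int processed = 0;
    bool unregisterOnDestroy;

    Screen(WatchTable &t, bool unregister) : table(t), unregisterOnDestroy(unregister) {
        std::weak_ptr<int> token = alive;
        // The callback checks the token before it touches 'this'.
        handle = table.add([this, token] {
            if (token.expired()) return false;  // owner destroyed: do not dereference
            ++processed;
            return true;
        });
    }
    ~Screen() { if (unregisterOnDestroy) table.remove(handle); }
};

// Replays steps 3 to 6; returns the number of stale callbacks seen on dispatch.
int replay(bool unregisterOnDestroy) {
    WatchTable table;
    { Screen first(table, unregisterOnDestroy); }  // steps 3 and 4: enable, then disable
    Screen second(table, unregisterOnDestroy);     // step 5: enable again
    int stale = table.dispatch();                  // step 6: a message arrives
    return second.processed == 1 ? stale : -1;     // the live object must have handled it
}

int main() {
    std::printf("dtor unregisters: %d stale; watch left behind: %d stale\n",
                replay(true), replay(false));
}
```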
Related branches
- Dmitry Shachnev: Approve
Diff: 17 lines (+2/-3), 1 file modified: src/screen.cpp (+2/-3)
Changed in compiz:
status: New → Fix Committed
I might have found a solution; I'll create a merge proposal with it.