dbus: DbusScreen object used after destructed

Bug #1879975 reported by Daniel Kondor
Affects: Compiz | Status: Fix Released | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

For a long time I had the experience that compiz sometimes crashed when enabling / disabling plugins. Looking into a bug with the dbus interface (https://bugs.launchpad.net/compiz/+bug/1878545) I found a reproducible way and a possible cause for some of these.

This might be related to the following bugs:
https://bugs.launchpad.net/compiz/+bug/1641944
https://bugs.launchpad.net/compiz/+bug/959395

Steps to reproduce:
1. Open CCSM
2. Enable any plugin that has a dbus interface (e.g. annotate, used in the later example)
3. Enable the D-Bus plugin (if it was disabled)
4. Disable the D-Bus plugin
5. Enable the D-Bus plugin again
6. Send any command via dbus, e.g.
dbus-send --print-reply --type=method_call --dest=org.freedesktop.compiz /org/freedesktop/compiz/annotate/screen0/clear_key org.freedesktop.compiz.activate

Compiz crashes (tried with a debug build from the latest git source).

I've identified a possible cause: a DbusScreen object is used after its lifetime has ended. I've created a branch which simply includes statements to print the value of 'this' in the constructor and destructor of DbusScreen and in DbusScreen::processMessages:
https://code.launchpad.net/~kondor-dani/compiz/+git/compiz/+ref/dbus-bug

Running with this patch, I get the following output (only the relevant part):

DBusScreen ctor: this: 0x5582df315090, connection: 0x5582df318840, fd: 12, watchFdHandle: 2
DBusScreen dtor: this: 0x5582df315090, connection: 0x5582df318840, watchFdHandle: 2
DBusScreen ctor: this: 0x5582df377de0, connection: 0x5582df318840, fd: 12, watchFdHandle: 3

DbusScreen::processMessages():this: 0x5582df315090, connection: (nil)
dbus[15474]: arguments to dbus_connection_read_write_dispatch() were incorrect, assertion "connection != NULL" failed in file ../../../dbus/dbus-connection.c line 3772.
This is normally a bug in some application using the D-Bus library.

  D-Bus not built with -rdynamic so unable to print a backtrace

The first constructor call is at step 3 (enabling D-Bus the first time), the destructor is called at step 4 (disabling D-Bus), and the second constructor call is at step 5 (enabling the second time). Note that the second object has a different memory address.

When in processMessages() (triggered by step 6, i.e. sending a dbus command), the original object is still accessed, which results in a crash. Particularly in this case, the reason is that the 'connection' member (referring to the DBusConnection object used) happens to be NULL.

This is strange given that the constructor seems to set up the callback properly (lines 1780-1783) and the destructor inactivates it (line 1829). With the D-Bus plugin disabled, the crash does not occur, but this is probably due to dbus-send not being able to find the interfaces.

I'm attaching a stacktrace.
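The lifetime hazard the report describes, shown as an added example that is neither compiz code nor the fix that was merged: a watch registry that stores only weak references, so an event routed to a stale handle is dropped instead of calling into a destroyed object. WatchRegistry, Listener, DbusScreenLike and scenario() are invented names, and the missed removal that leaves the old watch behind is simulated, not taken from the compiz source.

```cpp
// Added illustration, not compiz code: a watch registry that holds only weak
// references, so a stale file-descriptor watch can never call back into a
// destroyed listener. All names here are invented.
#include <cstddef>
#include <map>
#include <memory>
#include <string>

struct Listener { virtual ~Listener() = default; virtual bool processMessages() = 0; };

// Maps a watch handle to a weak reference; no raw `this` is ever stored.
class WatchRegistry {
    std::map<int, std::weak_ptr<Listener>> watches_;
    int next_ = 1;
public:
    int add(const std::shared_ptr<Listener>& l) { watches_[next_] = l; return next_++; }
    void remove(int h) { watches_.erase(h); }
    // True only if the listener behind `h` is still alive and handled the event.
    bool dispatch(int h) {
        auto it = watches_.find(h);
        if (it == watches_.end()) return false;
        std::shared_ptr<Listener> live = it->second.lock();
        if (!live) { watches_.erase(it); return false; }  // owner gone: drop the stale watch
        return live->processMessages();
    }
    std::size_t size() const { return watches_.size(); }
};
// Stand-in for DbusScreen: its connection is valid only during its lifetime.
struct DbusScreenLike : Listener {
    std::string connection = "dbus-connection";
    bool processMessages() override { return !connection.empty(); }
};
struct Outcome { bool staleRan; bool freshRan; std::size_t watchesLeft; };

// Replays the report's sequence: enable, disable, enable again, then an event
// arrives on the handle registered first. The missed removal is simulated.
Outcome scenario() {
    WatchRegistry reg;
    auto first = std::make_shared<DbusScreenLike>();
    int h1 = reg.add(first);        // step 3: enabling registers a watch
    first.reset();                  // step 4: disabling destroys the object
    // simulated defect: reg.remove(h1) was never called for the old watch
    auto second = std::make_shared<DbusScreenLike>();
    int h2 = reg.add(second);       // step 5: fresh object, fresh handle
    bool stale = reg.dispatch(h1);  // step 6: event routed to the old handle
    bool fresh = reg.dispatch(h2);
    return {stale, fresh, reg.size()};
}
```

With raw `this` pointers in the registry the same sequence would dereference freed memory; with weak references the stale dispatch returns false and the registry cleans itself up.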


Revision history for this message
Daniel Kondor (kondor-dani) wrote :

I might have found a solution; I'll create a merge proposal with it.

Changed in compiz:
status: New → Fix Committed
Revision history for this message
Dmitry Shachnev (mitya57) wrote :

I have released version 0.9.14.2 today, which includes this fix.

Changed in compiz:
status: Fix Committed → Fix Released