diff options
| author | Christophe Fergeau <cfergeau@redhat.com> | 2014-05-26 12:55:24 +0200 |
|---|---|---|
| committer | Christophe Fergeau <cfergeau@redhat.com> | 2014-05-26 14:53:30 +0200 |
| commit | 8613089e38f3440cbed8f215e6e8b245ef6d4385 (patch) | |
| tree | edb192e1d539a42b93e93520182849bad9061a64 | |
| parent | 5139aa6c10219b9fd386caed9d51de3ba6ef38cc (diff) | |
dconf: Fix GVariant refcounting in watch_func()
IBusConfigDConf::watch_func() is roughly doing:
GVariant *variant = dconf_client_read(...)
if (variant == NULL) {
variant = g_variant_new(...);
}
ibus_config_service_value_changed(..., variant);
g_variant_unref(variant);
The problem with that is that the GVariant returned by
dconf_client_read() is non-floating while the one returned by
g_variant_new() is floating.
Since ibus_config_service_value_changed() will take ownership of
floating references, we should not unref 'variant' if it was created
through g_variant_new(), but we must call it when 'variant' is created
through dconf_client_read() or we will leak memory.
This commit fixes that by making sure we sink the reference we got
through g_variant_new().
This was sometimes causing crashes of ibus-dconf when repeatedly running
tests/ibus-config:
(ibus-dconf:24679): GLib-CRITICAL **: g_variant_unref: assertion
'value->ref_count > 0' failed
==24679== Invalid read of size 4
==24679== at 0x572E140: g_variant_unref (gvariant-core.c:625)
==24679== by 0x572DBB3: g_variant_release_children (gvariant-core.c:257)
==24679== by 0x572E202: g_variant_unref (gvariant-core.c:640)
==24679== by 0x572DBB3: g_variant_release_children (gvariant-core.c:257)
==24679== by 0x572E202: g_variant_unref (gvariant-core.c:640)
==24679== by 0x518CFDE: g_dbus_message_finalize (gdbusmessage.c:534)
==24679== by 0x5459628: g_object_unref (gobject.c:3112)
==24679== by 0x519C911: message_to_write_data_free (gdbusprivate.c:898)
==24679== by 0x519D687: write_message_cb (gdbusprivate.c:1353)
==24679== by 0x510F7F2: g_simple_async_result_complete (gsimpleasyncresult.c:763)
==24679== by 0x519CEF2: write_message_continue_writing (gdbusprivate.c:1077)
==24679== by 0x519D040: write_message_async (gdbusprivate.c:1131)
==24679== Address 0x5d8c9c4 is 36 bytes inside a block of size 40 free'd
==24679== at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==24679== by 0x56EDF6B: g_free (gmem.c:190)
==24679== by 0x5706B53: g_slice_free1 (gslice.c:1112)
==24679== by 0x572E229: g_variant_unref (gvariant-core.c:643)
==24679== by 0x40240F: _watch_func (config.c:232)
==24679== by 0x3DEA605D8B: ffi_call_unix64 (in /usr/lib64/libffi.so.6.0.1)
==24679== by 0x3DEA6056BB: ffi_call (in /usr/lib64/libffi.so.6.0.1)
==24679== by 0x544EE88: g_cclosure_marshal_generic_va (gclosure.c:1541)
==24679== by 0x544D396: _g_closure_invoke_va (gclosure.c:831)
==24679== by 0x5468808: g_signal_emit_valist (gsignal.c:3215)
==24679== by 0x54699DF: g_signal_emit (gsignal.c:3363)
==24679== by 0x4C1478D: dconf_client_dispatch_change_signal (dconf-client.c:150)
| -rw-r--r-- | conf/dconf/config.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/conf/dconf/config.c b/conf/dconf/config.c index f0e195b3..500ea1d8 100644 --- a/conf/dconf/config.c +++ b/conf/dconf/config.c @@ -205,6 +205,7 @@ _watch_func (DConfClient *client, if (variant == NULL) { /* Use a empty tuple for a unset value */ variant = g_variant_new_tuple (NULL, 0); + g_variant_ref_sink (variant); } gname = strrchr (gkeys[i], '/'); |