Bug 41339 - Crash when calling method on unassociated proxy then disposing of it
Summary: Crash when calling method on unassociated proxy then disposing of it
Status: RESOLVED DUPLICATE of bug 38408
Alias: None
Product: dbus
Classification: Unclassified
Component: GLib (show other bugs)
Version: unspecified
Hardware: Other All
: medium normal
Assignee: Rob Taylor
QA Contact: John (J5) Palmieri
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-09-29 09:03 UTC by Dan Williams
Modified: 2011-09-29 10:11 UTC (History)
2 users (show)

See Also:
i915 platform:
i915 features:

Attachments

Description Dan Williams 2011-09-29 09:03:13 UTC 
NM currently uses the following code to poke ModemManager to ensure that it's started:

	g_connection = nm_dbus_manager_get_connection (priv->dbus_mgr);
	proxy = dbus_g_proxy_new_for_name (g_connection,
	 				   MM_DBUS_SERVICE,
	                                   MM_DBUS_PATH,
	                                   MM_DBUS_INTERFACE);
	dbus_g_proxy_call_no_reply (proxy, "EnumerateDevices", G_TYPE_INVALID);
	g_object_unref (proxy);

which causes the following crash:

[ 8160.978739] NetworkManager[3678]: #8  0x44b24b1f in __GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
[ 8160.990446] NetworkManager[3678]: #10 0x494b62df in g_assertion_message (domain=0x0, file=0x4973ea16 "dbus-gproxy.c", line=1058, func=0x4973f5a0 "dbus_g_proxy_manager_unregister", message=<optimized out>) at gtestutils.c:1425
[ 8161.042036] NetworkManager[3678]: #12 0x497347a2 in dbus_g_proxy_manager_unregister (manager=0x9969e30, proxy=0x9993b90 [DBusGProxy]) at dbus-gproxy.c:1058
[ 8161.046343] NetworkManager[3678]: #14 0x49588319 in g_object_unref (_object=0x9993b90) at gobject.c:2709
[ 8161.047711] NetworkManager[3678]: #16 0x080c91a9 in modem_manager_disappeared (self=0x998f800 [NMModemManager]) at nm-modem-manager.c:335
[ 8161.053489] NetworkManager[3678]: #22 0x080968a7 in nm_manager_init () at nm-manager.c:3494

due to presumably a race condition inside dbus-glib.  The crash in dbus_g_proxy_manager_unregister() corresponds to the following code:

  else
    {
      link = g_slist_find (manager->unassociated_proxies, proxy);
--->  g_assert (link != NULL);

      manager->unassociated_proxies = g_slist_delete_link (manager->unassociated_proxies, link);
    }

I think we can work around this in NM by not disposing of the proxy immediately, but waiting until the reply comes back...  but this is a crasher bug none-the-less.
Comment 1 Dan Williams 2011-09-29 09:06:13 UTC 
Hmm, I suppose I assumed that dbus-glib would take a reference to the DBusGProxy over any calls, until the call completed.  Is that not the case?  Seems like nothing does, I can't find anything in dbus_g_proxy_call_no_reply() that refs the proxy.
Comment 2 Dan Williams 2011-09-29 09:13:34 UTC 
If it's the case that proxies are not kept alive by internal references over calls, then please close this bug as INVALID.  I've fixed up NetworkManager in any case.
Comment 3 Dan Williams 2011-09-29 09:22:30 UTC 
Relevant NM fix: c9119c759956852a1f35a2fc36fb460d54ab97ad
Comment 4 Simon McVittie 2011-09-29 10:02:34 UTC 
This should have been fixed in 0.96 (Bug #38408), which version were you using?

Do you have a standalone, compilable test case for this? If not, I'll write one based on your code snippet.
Comment 5 Dan Williams 2011-09-29 10:11:31 UTC 
Seems we're shipping F16 with 0.92 for some reason...  so yeah, lets dupe this bug report to the other one and call it fixed.

*** This bug has been marked as a duplicate of bug 38408 ***

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.