diff options
author | David Herrmann <dh.herrmann@gmail.com> | 2014-03-22 18:06:38 +0100 |
---|---|---|
committer | David Herrmann <dh.herrmann@gmail.com> | 2014-03-22 18:06:38 +0100 |
commit | eb33a6f858c2cd39dcf9c2f39514c9f83ed040fe (patch) | |
tree | 6bf4d80d8f66d252574407de3b10af7011f42378 /src/libsystemd/sd-bus | |
parent | sd-rtnl: fix self-reference leaks (diff) | |
download | systemd-eb33a6f858c2cd39dcf9c2f39514c9f83ed040fe.tar.xz systemd-eb33a6f858c2cd39dcf9c2f39514c9f83ed040fe.zip |
sd-bus: add note about sd_bus_unref() recursion
In sd_bus_unref() we check for self-reference loops and destruct our
queues in case we're the only reference holders. However, we do _not_
modify our own ref-count, thus effectively causing the
message-destructions to enter with the same reference count as we did.
The only reason this doesn't cause an endless recursion (or trigger
assert(m->n_ref > 0) in sd_bus_message_unref()) is the fact that we
decrease queue-counters _before_ calling _unref(). That's not obvious at
all, so add a big fat note in bus_reset_queues() to everyone touching that
code.
Diffstat (limited to 'src/libsystemd/sd-bus')
-rw-r--r-- | src/libsystemd/sd-bus/sd-bus.c | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/src/libsystemd/sd-bus/sd-bus.c b/src/libsystemd/sd-bus/sd-bus.c index 15c767723c..984611fd4d 100644 --- a/src/libsystemd/sd-bus/sd-bus.c +++ b/src/libsystemd/sd-bus/sd-bus.c @@ -111,6 +111,12 @@ static void bus_node_destroy(sd_bus *b, struct node *n) { static void bus_reset_queues(sd_bus *b) { assert(b); + /* NOTE: We _must_ decrement b->Xqueue_size before calling + * sd_bus_message_unref() for _each_ message. Otherwise the + * self-reference checks in sd_bus_unref() will fire for each message. + * We would thus recurse into sd_bus_message_unref() and trigger the + * assert(m->n_ref > 0) */ + while (b->rqueue_size > 0) sd_bus_message_unref(b->rqueue[--b->rqueue_size]); @@ -1408,7 +1414,10 @@ _public_ sd_bus *sd_bus_unref(sd_bus *bus) { /* We are the only holders on the messages, and the * messages are the only holders on us, so let's drop * the messages and thus implicitly also kill our own - * last references */ + * last references. + * bus_reset_queues() decrements the queue-size before + * calling into sd_bus_message_unref(). Thus, it + * protects us from recursion. */ if (q) bus_reset_queues(bus); |