[gnome-boxes] Workaround race condition in Util::exec



commit 2cfefa79ee88b60778505f19b8db89295dce6a42
Author: Christophe Fergeau <cfergeau redhat com>
Date:   Tue Aug 14 19:12:19 2012 +0200

    Workaround race condition in Util::exec
    
    The C code generated by vala for Util::exec is racy because it does
    not make a copy of argv for its own use. Since argv is then used
    in a run_in_thread callback, it may have been freed between the time
    Util::exec returned and the time the callback was run in the thread.
    
    18:18 <@juergbi> teuf: arrays are not implicitly copied as arrays are
                     not reference counted and this breaks at least
                     one use case (byte buffer passed to async read())
    18:18 <@juergbi> either the caller has to make sure that the array stays
                     alive until the end of the async function call
    18:19 <@juergbi> or you should be explicit that you want to keep the array
                     stored as part of the async function
    18:19 <@juergbi> you can do that by marking the argv parameter as 'owned'
    18:19 <@juergbi> (or copying it into a local variable)
    
    Using 'owned' does not work as expected (I triggered an argv double-free in the
    generated code), so let's use a local variable for now, this forces a copy of
    the argv array and works as expected.
    
    https://bugzilla.gnome.org/show_bug.cgi?id=679752

 src/util.vala |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)
---
diff --git a/src/util.vala b/src/util.vala
index 441927f..45ba441 100644
--- a/src/util.vala
+++ b/src/util.vala
@@ -198,9 +198,11 @@ namespace Boxes {
                             out string? standard_error = null) throws GLib.Error {
         string std_output = "";
         string std_error = "";
+        // make sure vala makes a copy of argv that will be kept alive until run_in_thread finishes
+        string[] argv_copy = argv;
 
         yield run_in_thread (() => {
-           exec_sync (argv, out std_output, out std_error);
+           exec_sync (argv_copy, out std_output, out std_error);
         }, cancellable);
 
         standard_output = std_output;
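Review bot: the added `string[] argv_copy = argv;` reads like a redundant local, so the comment above it should record why it has to stay. As written, the comment says a copy is made but not that the `owned` alternative was tried and produced a double-free in the generated code, nor does it point to https://bugzilla.gnome.org/show_bug.cgi?id=679752; adding both would keep a later cleanup from folding the variable back into `argv` and reintroducing the use-after-free in the `run_in_thread` callback. The fix also depends on valac emitting a real copy for this assignment, which the commit message calls a workaround "for now", so a short TODO to revisit `owned` would make that intent visible in the source. Minor style point: the `exec_sync` line inside the closure is indented by 11 spaces while the surrounding code uses multiples of 4; since the line is being touched anyway, it could be aligned to 12.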


