NetworkManager segfault (invalid glib callbacks)
I've been experiencing segfaults with NetworkManager and after some
rather pesky debugging sessions it seems that the problem lies within glib.

backtrace from the crash:

#0  0x00000010 in ?? ()
#1  0xb7f6f134 in dbus_timeout_handle (timeout=0x8074610) at
dbus-timeout.c:470
#2  0xb7fdf71d in timeout_handler (data=0x8074610) at dbus-gmain.c:359
#3  0xb7ee66f9 in g_timeout_dispatch (source=0x8074660, callback=0x19,
    user_data=0x8074610) at gmain.c:3306
#4  0xb7ee3f4c in IA__g_main_context_dispatch (context=0x806ef38)
    at gmain.c:1947
#5  0xb7ee5792 in g_main_context_iterate (context=0x806ef38, block=1,
    dispatch=1, self=0x806d608) at gmain.c:2578
#6  0xb7ee5ac8 in IA__g_main_loop_run (loop=0x8071098) at gmain.c:2782
#7  0x0805905e in main (argc=2, argv=0xbffffa04) at NetworkManager.c:774

The problem here is that a 'source' that has been removed is somehow
still dispatched. When it is called here the related structures are
already freed and overwritten by other data. The callback address in the
object (a DBusTimeout structure) happens to get overwritten with 0x10,
which causes the segfault above.

I'm not too familiar with glib but I would think that once you've
removed a source from a context it would never be dispatched again?
The source is added with g_source_attach() and removed with
g_source_remove(). Is this correct usage?

I hope someone can help me with this. glib is a rather big beast and it
will take some time to understand how everything is connected on my own.

The versions involved are:

NetworkManager 0.3.4
dbus 0.23.4
glib 2.6.3

Rgds
Pierre
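The question above is whether a source that has been removed from a context can still be dispatched. As an added illustration (not code from this message, from NetworkManager, dbus or glib), here is a small self-contained model of a main-loop source list that shows the one case where that is easy to get wrong: a callback removes another source that is already queued for the same dispatch pass. The model keeps a reference count on each source and a "destroyed" flag set on removal, and compares a dispatcher that checks the flag right before invoking the callback with one that does not. Every name here (Source, Context, source_attach, source_remove, context_dispatch, run_scenario) is hypothetical and chosen for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy model of a main-loop source list, written for this example only.
 * Invariant under test: once a source is removed it must never be
 * dispatched again, even if it is removed by another callback in the
 * same pass. */

typedef struct Source Source;
typedef void (*SourceFunc)(void *user_data);

struct Source {
    int ref_count;      /* the list holds one ref; an in-flight dispatch holds one more */
    bool destroyed;     /* set on removal, checked right before the callback runs */
    SourceFunc callback;
    void *user_data;
    Source *next;
};

typedef struct {
    Source *head;
} Context;

static void source_unref(Source *s)
{
    if (--s->ref_count == 0)
        free(s);        /* memory is only released once nobody dispatches it */
}

static Source *source_attach(Context *ctx, SourceFunc cb, void *user_data)
{
    Source *s = calloc(1, sizeof *s);
    s->ref_count = 1;
    s->callback = cb;
    s->user_data = user_data;
    s->next = ctx->head;    /* pushed to the front: last attached runs first */
    ctx->head = s;
    return s;
}

/* Unlink and mark destroyed; the struct stays alive while a dispatch holds a ref. */
static void source_remove(Context *ctx, Source *s)
{
    for (Source **pp = &ctx->head; *pp; pp = &(*pp)->next) {
        if (*pp == s) { *pp = s->next; break; }
    }
    s->destroyed = true;
    source_unref(s);
}

/* One dispatch pass over a snapshot of the list. With check_destroyed set,
 * sources removed earlier in the same pass are skipped; without it they are
 * still called, which is the stale dispatch the crash report describes. */
static int context_dispatch(Context *ctx, bool check_destroyed)
{
    Source *ready[16];
    int n = 0;
    for (Source *s = ctx->head; s && n < 16; s = s->next) {
        s->ref_count++;             /* keep each queued source alive during the pass */
        ready[n++] = s;
    }
    int ran = 0;
    for (int i = 0; i < n; i++) {
        Source *s = ready[i];
        if (!(check_destroyed && s->destroyed)) {
            s->callback(s->user_data);
            ran++;
        }
        source_unref(s);
    }
    return ran;
}

/* Scenario: the "remover" callback removes the "victim" source while the
 * victim is still queued behind it in the current pass. */
typedef struct {
    Context *ctx;
    Source *victim;
    int victim_calls;
} Scenario;

static void remover_cb(void *ud)
{
    Scenario *sc = ud;
    source_remove(sc->ctx, sc->victim);
}

static void victim_cb(void *ud)
{
    Scenario *sc = ud;
    sc->victim_calls++;
}

/* Returns how many times the removed source's callback still ran:
 * 1 for the unguarded dispatcher, 0 for the guarded one. */
int run_scenario(bool check_destroyed)
{
    Context ctx = { 0 };
    Scenario sc = { &ctx, NULL, 0 };
    sc.victim = source_attach(&ctx, victim_cb, &sc);      /* attached first, dispatched second */
    Source *remover = source_attach(&ctx, remover_cb, &sc);
    context_dispatch(&ctx, check_destroyed);
    source_remove(&ctx, remover);
    return sc.victim_calls;
}

int main(void)
{
    printf("unguarded dispatch: removed source ran %d time(s)\n", run_scenario(false));
    printf("guarded dispatch:   removed source ran %d time(s)\n", run_scenario(true));
    return 0;
}
```

In the model the snapshot reference keeps the struct valid, so the stale call is observable rather than undefined behaviour; in a real loop where the list held the only reference, removal would free the struct and the later dispatch would read the freed callback pointer, which matches the corrupted address in frame #0 of the backtrace. The two guards together, a reference held for the duration of the pass and a destroyed flag checked immediately before the call, are what keep a removed source from ever being dispatched.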
