UNIX signal mainloop source can use destroyed GMainContext
Submitted by Sebastian Dröge (@sdroege). Link to original bug (#768229)
Description
wake_source() in gmain.c has a long description about how it should be thread-safe but seems to miss one specific problem nonetheless (probably the code changed since then):
- Final g_main_context_unref() on the GSource's context: main_context_list is locked, the context is removed, main_context_list is unlocked, context switch before the line that sets source->context = NULL
- wake_source() is called: main_context_list is locked, the context is taken from the GSource and is still not NULL, context switch
- g_main_context_unref() finishes (it does not lock main_context_list again) and the main context is destroyed
- wake_source() continues and uses a GWakeup and context pointer that are no longer valid
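The interleaving described above, as an added toy model in C written for this page (it is not GLib's code): each half of g_main_context_unref() and of wake_source() is one step, a schedule is a string of steps, and a `destroyed` flag stands in for freed memory so the model can report the dangling use instead of crashing. The `clear_under_lock` variant, which clears source->context while main_context_list is still locked, is one way to close the window and is shown as an assumption, not as the fix the project applied.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy model of the race in the report. Names follow the report
 * (wake_source, g_main_context_unref, main_context_list), but every
 * structure and step is a simplification for this example, not GLib code. */

typedef struct {
    bool destroyed;      /* set by the final unref; any later access is the bug */
    int  wakeup_signals; /* stands in for signalling the context's GWakeup */
} Context;

typedef struct {
    Context *context;    /* source->context in the report */
} Source;

enum { THREAD_NONE = 0, THREAD_UNREF = 1, THREAD_WAKE = 2 };

typedef struct {
    Context  ctx;
    Source   source;
    Context *main_context_list; /* the list, modelled as a single slot */
    int      lock_owner;        /* who currently holds the list lock */
    Context *wake_ctx;          /* wake_source()'s local copy of source->context */
    bool     clear_under_lock;  /* assumed fix: clear source->context while locked */
} Model;

static void model_init(Model *m, bool clear_under_lock)
{
    m->ctx.destroyed = false;
    m->ctx.wakeup_signals = 0;
    m->source.context = &m->ctx;
    m->main_context_list = &m->ctx;
    m->lock_owner = THREAD_NONE;
    m->wake_ctx = NULL;
    m->clear_under_lock = clear_under_lock;
}

/* Take the list lock for `who`. False if the other thread holds it: in a
 * real run that thread would block, so such a schedule is unreachable. */
static bool try_lock(Model *m, int who)
{
    if (m->lock_owner != THREAD_NONE && m->lock_owner != who)
        return false;
    m->lock_owner = who;
    return true;
}

/* g_main_context_unref(), first half: lock, remove from the list, unlock. */
static bool unref_step1(Model *m)
{
    if (!try_lock(m, THREAD_UNREF)) return false;
    m->main_context_list = NULL;
    if (m->clear_under_lock)          /* assumed fix: clear inside the locked region */
        m->source.context = NULL;
    m->lock_owner = THREAD_NONE;
    return true;
}

/* g_main_context_unref(), second half: runs without the list lock,
 * clears source->context (buggy ordering) and destroys the context. */
static bool unref_step2(Model *m)
{
    m->source.context = NULL;
    m->ctx.destroyed = true;
    return true;
}

/* wake_source(), first half: lock the list and read source->context. */
static bool wake_stepA(Model *m)
{
    if (!try_lock(m, THREAD_WAKE)) return false;
    m->wake_ctx = m->source.context;
    return true;
}

/* wake_source(), second half: use the pointer read in step A, then unlock.
 * Sets *used_dead when that pointer refers to a destroyed context. */
static bool wake_stepB(Model *m, bool *used_dead)
{
    if (m->wake_ctx != NULL) {
        if (m->wake_ctx->destroyed) *used_dead = true;
        else                        m->wake_ctx->wakeup_signals++;
    }
    m->lock_owner = THREAD_NONE;
    return true;
}

/* Run a schedule: '1','2' are the unref halves, 'A','B' the wake_source
 * halves. Returns 1 if wake_source() used a destroyed context, 0 if not,
 * -1 if the schedule is unreachable because of lock contention. */
static int run_schedule(const char *schedule, bool clear_under_lock)
{
    Model m;
    bool used_dead = false;
    model_init(&m, clear_under_lock);
    for (const char *p = schedule; *p; p++) {
        bool ok;
        switch (*p) {
        case '1': ok = unref_step1(&m); break;
        case '2': ok = unref_step2(&m); break;
        case 'A': ok = wake_stepA(&m); break;
        case 'B': ok = wake_stepB(&m, &used_dead); break;
        default:  return -1;
        }
        if (!ok) return -1;
    }
    return used_dead ? 1 : 0;
}

int main(void)
{
    /* "1A2B" is the report's interleaving: unref drops the lock after removing
     * the context, wake_source reads the still-set pointer, unref finishes. */
    printf("report's interleaving, buggy: %d\n", run_schedule("1A2B", false));
    printf("report's interleaving, fixed: %d\n", run_schedule("1A2B", true));
    printf("unref completes first:        %d\n", run_schedule("12AB", false));
    return 0;
}
```

Only the "1A2B" schedule reaches the dangling use in the buggy variant; any schedule where wake_source() holds the lock when unref_step1 wants it is reported as unreachable, which mirrors why the list lock alone cannot prevent the race once the pointer is read.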