gthreadedresolver: Fix race between source callbacks and finalize (!3575) · Merge requests · GNOME / GLib

Philip Withnall requested to merge pwithnall/glib:3105-threaded-resolver-refs into main Sep 11, 2023

I had thought that because g_source_destroy() was called for the two sources (cancel and timeout) in the GTask finalize function for a threaded resolver operation, that it would be fine to use a plain pointer in the source callbacks to point to the GTask.

That turns out to not be true: because the source callbacks are executed in the GLib worker thread, and the GTask can be finalized in another thread, it’s possible for a source callback (e.g. cancelled_cb()) to be scheduled in the worker thread, then for the GTask to be finalized, and then the source callback to continue execution and find itself doing a use-after-free.

Fix that by using a weak ref to the GTask in the source callbacks, rather than a plain pointer.

Signed-off-by: Philip Withnall philip@tecnocode.co.uk

Fixes: #3105 (closed)

Closes #3105 (closed)

gthreadedresolver: Fix race between source callbacks and finalize

Merge request reports