New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 917312 link

Starred by 2 users
Status: Assigned
Owner:
yunhanw@chromium.org
User never visited
Cc:
mcchou@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug



Sign in to add a comment

Fix crash when calling disconnect handlers

Project Member Reported by yunhanw@google.com, Dec 21 
When calling disconnect handlers the callback itself may remove items
from the queue causing the following crash:

Invalid read of size 8
  at 0x4D1D3C: queue_foreach (queue.c:219)
  by 0x4D8369: disconnect_cb (att.c:590)
  by 0x4E4FAA: watch_callback (io-glib.c:170)
  by 0x50CD246: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.5200.3)
  by 0x50CD5E7: ??? (in /usr/lib64/libglib-2.0.so.0.5200.3)
  by 0x50CD901: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.5200.3)
  by 0x40CCC0: main (main.c:770)
Address 0x888a888 is 8 bytes inside a block of size 16 free'd
  at 0x4C2FD18: free (vg_replace_malloc.c:530)
  by 0x4D1F9B: queue_remove_if (queue.c:302)
  by 0x4D763B: bt_att_unregister_disconnect (att.c:1206)
  by 0x4DC11E: bt_gatt_client_free (gatt-client.c:1762)
  by 0x4DC270: bt_gatt_client_unref (gatt-client.c:1903)
  by 0x4A316F: gatt_client_cleanup (device.c:573)
  by 0x4A326E: attio_cleanup (device.c:598)
  by 0x4A5EB9: att_disconnected_cb (device.c:4679)
  by 0x4D66D5: disconn_handler (att.c:538)
  by 0x4D1D4F: queue_foreach (queue.c:220)
  by 0x4D8369: disconnect_cb (att.c:590)
  by 0x4E4FAA: watch_callback (io-glib.c:170)

Comment 1 by yunhanw@google.com, Dec 28

Description: Show this description

Comment 2 by benhenry@google.com, Jan 11

Status: Assigned (was: Untriaged)
This issue has an owner, a component and a priority, but is still listed as untriaged or unconfirmed. By definition, this bug is triaged. Changing status to "assigned". Please reach out to me if you disagree with how I've done this.

Sign in to add a comment