Call dbus_g_proxy_disconnect_signal() with an "almost-freed" parameter
Submitted by Alban Crequy
Assigned to Telepathy bugs list
Description
telepathy-glib/proxy-signals.c tp_proxy_signal_connection_disconnect_dbus_glib() line 87:
dbus_g_proxy_disconnect_signal (iface_proxy, sc->member, sc->collect_args, (gpointer) sc);
The variable sc->member is not freed before the call, but it will be freed during the call by this stack:
==9440==    at 0x4024866: free (vg_replace_malloc.c:325)
==9440==    by 0x5C26FE5: g_free (gmem.c:190)
==9440==    by 0x4366828: tp_proxy_signal_connection_unref (proxy-signals.c:174)
==9440==    by 0x5BAD932: g_closure_unref (gclosure.c:254)
==9440==    by 0x5BC3C50: signal_handlers_foreach_matched_R (gsignal.c:637)
==9440==    by 0x5BC3E15: g_signal_handlers_disconnect_matched (gsignal.c:2673)
==9440==    by 0x425926E: dbus_g_proxy_disconnect_signal (dbus-gproxy.c:3033)
This means the implementation of dbus_g_proxy_disconnect_signal() cannot read its parameter "signal_name" after the signal disconnection, although the parameter is supposedly "const".
It is not a problem with the current version of dbus-glib because it does not read the parameter after the disconnection. But it is surprising; I think tp-glib should not give a parameter that it is going to free before the end of the call.
I found this problem while hacking on Bug #23846.
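To make the hazard concrete, here is an added C mock (not telepathy-glib or dbus-glib code): a stand-in disconnect function that runs the closure's destroy notify and then still uses its "const" signal_name, next to the caller pattern from the report and a version that holds a reference across the call. The struct and the names sc_new, sc_unref, mock_disconnect_signal, disconnect_as_reported and disconnect_holding_ref are constructed for this illustration; the freed-range bookkeeping only compares addresses and never dereferences freed memory.

```c
#define _POSIX_C_SOURCE 200809L  /* for strdup() */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the signal-connection struct: it owns its member name. */
typedef struct { char *member; int refcount; } SignalConnection;

/* Address range of the name freed during the current call (compared by value only). */
static uintptr_t freed_lo, freed_hi;

static SignalConnection *sc_new(const char *member)
{
    SignalConnection *sc = malloc(sizeof *sc);
    sc->member = strdup(member);
    sc->refcount = 1;
    return sc;
}
/* Plays the role of tp_proxy_signal_connection_unref(), the closure's destroy notify. */
static void sc_unref(void *data)
{
    SignalConnection *sc = data;
    if (--sc->refcount > 0) return;
    freed_lo = (uintptr_t) sc->member;
    freed_hi = freed_lo + strlen(sc->member) + 1;
    free(sc->member);
    free(sc);
}
/* Mock of dbus_g_proxy_disconnect_signal() that still uses signal_name after the
 * destroy notify (the report says real dbus-glib does not). Returns 1 if it is freed. */
static int mock_disconnect_signal(const char *signal_name, void (*destroy)(void *), void *data)
{
    freed_lo = freed_hi = 0;
    destroy(data);
    uintptr_t p = (uintptr_t) signal_name;
    return (p >= freed_lo && p < freed_hi) ? 1 : 0;
}
/* The pattern from the report: sc->member is passed straight through. */
int disconnect_as_reported(const char *member)
{
    SignalConnection *sc = sc_new(member);
    return mock_disconnect_signal(sc->member, sc_unref, sc);
}
/* Hardened: hold an extra reference across the call so the name outlives it. */
int disconnect_holding_ref(const char *member)
{
    SignalConnection *sc = sc_new(member);
    sc->refcount++;
    int hit = mock_disconnect_signal(sc->member, sc_unref, sc);
    sc_unref(sc);
    return hit;
}
```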