Re: [PATCH] spice_timer_queue: fix access after free

On Thu, 2015-09-03 at 11:22 +0200, Christophe Fergeau wrote:
> On Thu, Sep 03, 2015 at 05:09:31AM -0400, Frediano Ziglio wrote:
> > 
> > > 
> > > Hey,
> > > 
> > > On Thu, Sep 03, 2015 at 09:21:04AM +0100, Frediano Ziglio wrote:
> > > > Do not access the timer after we call the associated function.
> > > > Some of these callbacks can free the timer, leaving the pointer pointing
> > > > to freed data.
> > > 
> > > Some callbacks are calling
> > > spice_timer_remove()/spice_timer_queue_destroy() which then frees
> > > the SpiceTimer instance? Or is something more complicated happening?
> > > 
> > > Christophe
> > > 
> > 
> > Yes, the callback calls spice_timer_remove.
> 
> Can you replace "can free timer" with "can call spice_timer_remove" in
> the log? ACK with that changed.


If timer callbacks are really calling spice_timer_remove(), then we
still have potential problems, since spice_timer_queue_cb() also calls
spice_timer_cancel() after calling the timer->func(). I wonder if it
wouldn't be better to simply change spice_timer_cancel() to return if
the timer is not in the ring rather than asserting...

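The hazard discussed above, as an added illustration that is not part of this thread or of the Spice server's spice_timer_queue code: a toy timer queue with hypothetical names (toy_timer_*, ToyTimerQueue) whose dispatcher unlinks each expired timer before invoking its callback and never dereferences it afterwards, so a callback is free to call the remove function (which frees the timer) or to re-arm it. The cancel routine returns early when the timer is not in the ring, which is the alternative to asserting that the reply suggests. The scenario at the bottom is constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical toy timer queue for this thread, not the Spice implementation. */
typedef struct ToyTimer ToyTimer;
typedef void (*ToyTimerFunc)(ToyTimer *timer, void *opaque);

typedef struct ToyTimerQueue {
    ToyTimer *armed;   /* intrusive list of armed timers (the "ring") */
    unsigned now;      /* virtual clock advanced by the caller */
} ToyTimerQueue;

struct ToyTimer {
    ToyTimer *next;
    ToyTimerQueue *queue;
    bool in_ring;
    unsigned expiry;
    ToyTimerFunc func;
    void *opaque;
};

/* Unlink from the ring. Returning (not asserting) when the timer is not
 * armed is what makes re-arm and self-remove safe from inside a callback. */
static void toy_timer_cancel(ToyTimer *t)
{
    ToyTimer **pp;
    if (!t->in_ring)
        return;
    for (pp = &t->queue->armed; *pp; pp = &(*pp)->next) {
        if (*pp == t) {
            *pp = t->next;
            break;
        }
    }
    t->next = NULL;
    t->in_ring = false;
}

static void toy_timer_start(ToyTimer *t, unsigned delay)
{
    toy_timer_cancel(t);
    t->expiry = t->queue->now + delay;
    t->next = t->queue->armed;
    t->queue->armed = t;
    t->in_ring = true;
}

/* The call the thread worries about: a callback may invoke this on the
 * timer that is currently firing, which frees it. */
static void toy_timer_remove(ToyTimer *t)
{
    toy_timer_cancel(t);
    free(t);
}

static ToyTimer *toy_timer_add(ToyTimerQueue *q, ToyTimerFunc func, void *opaque)
{
    ToyTimer *t = calloc(1, sizeof(*t));
    if (!t)
        return NULL;
    t->queue = q;
    t->func = func;
    t->opaque = opaque;
    return t;
}

/* The buggy ordering described in the thread is
 *     timer->func(...); spice_timer_cancel(timer);
 * which touches the timer after the callback may have freed it. Here each
 * expired timer is unlinked first and not dereferenced after func() returns.
 * Assumption: a callback only removes the timer it was invoked on. */
static int toy_timer_queue_run(ToyTimerQueue *q)
{
    ToyTimer *expired = NULL, **tail = &expired, **pp = &q->armed;
    int fired = 0;

    /* Move expired timers to a private list; timers re-armed during dispatch
     * go back onto q->armed and fire on a later run, so this cannot spin. */
    while (*pp) {
        ToyTimer *t = *pp;
        if (t->expiry <= q->now) {
            *pp = t->next;
            t->next = NULL;
            t->in_ring = false;
            *tail = t;
            tail = &t->next;
        } else {
            pp = &t->next;
        }
    }
    while (expired) {
        ToyTimer *t = expired;
        expired = t->next;
        t->next = NULL;
        t->func(t, t->opaque);   /* t may be freed or re-armed in here */
        fired++;
    }
    return fired;
}

/* Constructed scenario: one callback frees its own timer, the other re-arms. */
static int g_self_removed, g_rearmed;
static void cb_self_remove(ToyTimer *t, void *o) { (void)o; g_self_removed++; toy_timer_remove(t); }
static void cb_rearm(ToyTimer *t, void *o) { (void)o; g_rearmed++; toy_timer_start(t, 10); }

/* Returns 0 on success; reports timers fired in the first run and the number
 * still armed afterwards (only the re-armed one). */
static int toy_scenario(int *fired_first_run, int *armed_after)
{
    ToyTimerQueue q = { NULL, 0 };
    ToyTimer *a = toy_timer_add(&q, cb_self_remove, NULL);
    ToyTimer *b = toy_timer_add(&q, cb_rearm, NULL);
    int n = 0;
    g_self_removed = g_rearmed = 0;
    if (!a || !b)
        return -1;
    toy_timer_start(a, 1);
    toy_timer_start(b, 1);
    q.now = 1;
    *fired_first_run = toy_timer_queue_run(&q);   /* a is freed inside */
    for (ToyTimer *t = q.armed; t; t = t->next)
        n++;
    *armed_after = n;
    toy_timer_remove(b);
    return 0;
}
```

The point of the ordering is that the dispatcher's only remaining reference to a fired timer is the one it hands to the callback; making cancel tolerant of an un-armed timer alone would not help if the timer memory is already gone.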

_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/spice-devel