On Thu, 2015-09-03 at 16:20 +0200, Jonathon Jongsma wrote:
> On Thu, 2015-09-03 at 11:22 +0200, Christophe Fergeau wrote:
> > On Thu, Sep 03, 2015 at 05:09:31AM -0400, Frediano Ziglio wrote:
> > > >
> > > > Hey,
> > > >
> > > > On Thu, Sep 03, 2015 at 09:21:04AM +0100, Frediano Ziglio wrote:
> > > > > Do not access to timer after we call the associated function.
> > > > > Some of these callbacks can free timer making the pointer pointing
> > > > > to freed data.
> > > >
> > > > Some callbacks are calling
> > > > spice_timer_remove()/spice_timer_queue_destroy() which then frees
> > > > the SpiceTimer instance? Or is something more complicated happening?
> > > >
> > > > Christophe
> > > >
> > >
> > > Yes, the callback calls spice_timer_remove.
> >
> > Can you replace "can free timer" with "can call spice_timer_remove" in
> > the log? ACK with that changed.
>
>
> If timer callbacks are really calling spice_timer_remove(), then we
> still have potential problems, since spice_timer_queue_cb() also calls
> spice_timer_cancel() after calling the timer->func(). I wonder if it
> wouldn't be better to simply change spice_timer_cancel() to return if
> the timer is not in the ring rather than asserting...

Sorry, nevermind. For some reason I thought this was another case where
this pattern happened, but this is the exact code that you are
changing....

_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/spice-devel
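
The hazard discussed in this thread, as an added example that is not part of the original messages and not SPICE code: a dispatcher that finishes every access to the timer before invoking a callback that may remove and free that timer. All `demo_*` names and the list layout are hypothetical.

```c
#include <stdlib.h>

/* Hypothetical miniature timer list; all demo_* names are assumptions. */
typedef void (*demo_timer_func)(void *opaque);
typedef struct demo_timer {
    struct demo_timer *next;
    demo_timer_func func;
    void *opaque;
    int active;                      /* 1 while armed */
} demo_timer;
typedef struct { demo_timer *timer; int fired; } demo_ctx;
static demo_timer *timers;           /* list head */

demo_timer *demo_timer_add(demo_timer_func func, void *opaque) {
    demo_timer *t = calloc(1, sizeof(*t));
    if (!t) return NULL;
    t->func = func; t->opaque = opaque; t->active = 1;
    t->next = timers; timers = t;
    return t;
}

void demo_timer_remove(demo_timer *t) {      /* unlink and free a queued timer */
    for (demo_timer **pp = &timers; *pp; pp = &(*pp)->next)
        if (*pp == t) { *pp = t->next; free(t); return; }
}

/* Fire one timer. Everything that touches t happens before the callback;
 * once func() has run, t may already be freed and is not read again. */
void demo_timer_fire(demo_timer *t) {
    demo_timer_func func = t->func;
    void *opaque = t->opaque;
    t->active = 0;                   /* one-shot: disarm first */
    func(opaque);                    /* may call demo_timer_remove(t) */
}

static void self_removing_cb(void *opaque) { /* frees its own timer */
    demo_ctx *ctx = opaque;
    ctx->fired++;
    demo_timer_remove(ctx->timer);
}

int demo_run(void) {                 /* 1: callback ran once, list empty */
    demo_ctx ctx = { NULL, 0 };
    ctx.timer = demo_timer_add(self_removing_cb, &ctx);
    if (!ctx.timer) return -1;
    demo_timer_fire(ctx.timer);
    return ctx.fired == 1 && timers == NULL;
}
int main(void) { return demo_run() == 1 ? 0 : 1; }
```

Moving the `t->active = 0` line below `func(opaque)` recreates the write to freed memory; building with `-fsanitize=address` reports it as a heap-use-after-free.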