Otherwise write_watcher_destroy_notify can be invoked after
GAtMux has been deallocated which results in write after free:
==3952== Invalid write of size 4
==3952== at 0xABF54: write_watcher_destroy_notify (gatmux.c:285)
==3952== by 0x4AF21E7: g_source_callback_unref (gmain.c:1561)
==3952== by 0x4AF2E53: g_source_destroy_internal.constprop.8 (gmain.c:1207)
==3952== by 0x4AF61CF: g_main_dispatch (gmain.c:3177)
==3952== by 0x4AF61CF: g_main_context_dispatch (gmain.c:3769)
==3952== by 0x4AF658F: g_main_loop_run (gmain.c:4034)
==3952== by 0xBDDBB: main (main.c:261)
==3952== Address 0x50c6cb0 is 8 bytes inside a block of size 4,396 free'd
==3952== at 0x4840B28: free (vg_replace_malloc.c:530)
==3952== by 0xACB53: g_at_mux_unref (gatmux.c:642)
==3952== Block was alloc'd at
==3952== at 0x4841BF0: calloc (vg_replace_malloc.c:711)
==3952== by 0xAC9DF: g_at_mux_new (gatmux.c:603)
==3952== by 0xADF2F: g_at_mux_new_gsm0710_basic (gatmux.c:1160)
Leaving them there may result in invalid reads like this:
==2312== Invalid read of size 4
==2312== at 0xAB8C0: dispatch_sources (gatmux.c:134)
==2312== by 0xAC5D3: channel_close (gatmux.c:479)
==2312== by 0x4AE8885: g_io_channel_shutdown (giochannel.c:523)
==2312== by 0x4AE8A1D: g_io_channel_unref (giochannel.c:240)
==2312== by 0xAC423: watch_finalize (gatmux.c:426)
==2312== by 0x4AF2CC9: g_source_unref_internal (gmain.c:2048)
==2312== by 0x4AF44E1: g_source_destroy_internal (gmain.c:1230)
==2312== by 0x4AF44E1: g_source_destroy (gmain.c:1256)
==2312== by 0x4AF5257: g_source_remove (gmain.c:2282)
==2312== by 0xAB5CB: io_shutdown (gatio.c:325)
==2312== by 0xAB667: g_at_io_unref (gatio.c:345)
==2312== by 0xA72C7: at_chat_unref (gatchat.c:972)
==2312== by 0xA829B: g_at_chat_unref (gatchat.c:1446)
==2312== Address 0x51420f0 is 56 bytes inside a block of size 60 free'd
==2312== at 0x4840B28: free (vg_replace_malloc.c:530)
==2312== by 0x4AF2D33: g_source_unref_internal (gmain.c:2075)
==2312== by 0x4AF44E1: g_source_destroy_internal (gmain.c:1230)
==2312== by 0x4AF44E1: g_source_destroy (gmain.c:1256)
==2312== by 0x4AF5257: g_source_remove (gmain.c:2282)
==2312== by 0xAB46B: g_at_io_set_write_handler (gatio.c:283)
==2312== by 0xA713F: at_chat_suspend (gatchat.c:938)
==2312== by 0xA72B7: at_chat_unref (gatchat.c:971)
==2312== by 0xA829B: g_at_chat_unref (gatchat.c:1446)
==2312== Block was alloc'd at
==2312== at 0x4841BF0: calloc (vg_replace_malloc.c:711)
==2312== by 0x4AFB117: g_malloc0 (gmem.c:124)
==2312== by 0x4AF401F: g_source_new (gmain.c:892)
==2312== by 0xAC6A7: channel_create_watch (gatmux.c:506)
==2312== by 0x4AE7C4F: g_io_add_watch_full (giochannel.c:649)
==2312== by 0xAB4EB: g_at_io_set_write_handler (gatio.c:297)
==2312== by 0xA7103: chat_wakeup_writer (gatchat.c:931)
==2312== by 0xA753F: at_chat_send_common (gatchat.c:1045)
==2312== by 0xA850F: g_at_chat_send (gatchat.c:1502)
It's also necessary to add additional references to the sources
for the duration of the dispatch_sources loop because any source
can be removed when any callback is invoked (and not necessarily
the one being dispatched).
This patch was generated by the following semantic patch
(http://coccinelle.lip6.fr/)
// <smpl>
@fix disable is_null,isnt_null1@
expression *E;
@@
- !E
+ E == NULL
// </smpl>
GAtMux can now be made to work with multiple multiplexing protocols.
Currently on the 27.010 (07.10) Advanced and Basic modes are supported.
However, further protocol support can be added by providing the
necessary driver functions for GAtMux