ctf_close_trace was being called twice when calling bt_context_remove_trace thus causing free() to be called on an invalid pointer.
Calling bt_context_remove_trace() would call ctf_close_trace() once via the close_handle callback registered on the ctf format struct and a second call would take place from bt_trace_handle_destroy() which is registered as the value_destroy_func on the trace_handles hash table of the current context. The first explicit call to handle->format->close_trace is unnecessary. The crash is reproducible by invoking the tests-python.py script. Signed-off-by: Jérémie Galarneau <[email protected]> --- lib/context.c | 8 +------- lib/trace-handle.c | 5 ++++- 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/lib/context.c b/lib/context.c index 5516e49..05fb994 100644 --- a/lib/context.c +++ b/lib/context.c @@ -156,7 +156,6 @@ end: int bt_context_remove_trace(struct bt_context *ctx, int handle_id) { struct bt_trace_handle *handle; - int ret; if (!ctx) return -EINVAL; @@ -168,12 +167,7 @@ int bt_context_remove_trace(struct bt_context *ctx, int handle_id) /* Remove from containers */ trace_collection_remove(ctx->tc, handle->td); - /* Close the trace */ - ret = handle->format->close_trace(handle->td); - if (ret) { - fprintf(stderr, "Error in close_trace callback\n"); - return ret; - } + /* Remove and free the handle */ g_hash_table_remove(ctx->trace_handles, (gpointer) (unsigned long) handle_id); diff --git a/lib/trace-handle.c b/lib/trace-handle.c index 0da565b..17a6e0d 100644 --- a/lib/trace-handle.c +++ b/lib/trace-handle.c @@ -49,7 +49,10 @@ struct bt_trace_handle *bt_trace_handle_create(struct bt_context *ctx) void bt_trace_handle_destroy(struct bt_trace_handle *th) { - th->format->close_trace(th->td); + if (th->format->close_trace(th->td)) { + fprintf(stderr, "Error in close_trace callback\n"); + } + g_free(th); } -- 1.8.1.1 _______________________________________________ lttng-dev mailing list [email protected] http://lists.lttng.org/cgi-bin/mailman/listinfo/lttng-dev
