There&#39;s no lock on the list access.<br><br><div class="gmail_quote">On 29 May 2010 07:51,  <span dir="ltr">&lt;<a href="mailto:mjmartin@svn.reactos.org">mjmartin@svn.reactos.org</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Author: mjmartin<br>
Date: Sat May 29 08:51:03 2010<br>
New Revision: 47393<br>
<br>
URL: <a href="http://svn.reactos.org/svn/reactos?rev=47393&amp;view=rev" target="_blank">http://svn.reactos.org/svn/reactos?rev=47393&amp;view=rev</a><br>
Log:<br>
[win32k]<br>
- The timer is created usingUserCreateObject. It may be a good idea to save the handle in the timer object so that it can be deleted later.<br>
- Dereference the object before attempting to delete it.<br>
<br>
Modified:<br>
    trunk/reactos/subsystems/win32/win32k/ntuser/timer.c<br>
<br>
Modified: trunk/reactos/subsystems/win32/win32k/ntuser/timer.c<br>
URL: <a href="http://svn.reactos.org/svn/reactos/trunk/reactos/subsystems/win32/win32k/ntuser/timer.c?rev=47393&amp;r1=47392&amp;r2=47393&amp;view=diff" target="_blank">http://svn.reactos.org/svn/reactos/trunk/reactos/subsystems/win32/win32k/ntuser/timer.c?rev=47393&amp;r1=47392&amp;r2=47393&amp;view=diff</a><br>

==============================================================================<br>
--- trunk/reactos/subsystems/win32/win32k/ntuser/timer.c [iso-8859-1] (original)<br>
+++ trunk/reactos/subsystems/win32/win32k/ntuser/timer.c [iso-8859-1] Sat May 29 08:51:03 2010<br>
@@ -50,13 +50,21 @@<br>
   if (!FirstpTmr)<br>
   {<br>
       FirstpTmr = UserCreateObject(gHandleTable, NULL, &amp;Handle, otTimer, sizeof(TIMER));<br>
-      if (FirstpTmr) InitializeListHead(&amp;FirstpTmr-&gt;ptmrList);<br>
+      if (FirstpTmr)<br>
+      {<br>
+         FirstpTmr-&gt;head.h = Handle;<br>
+         InitializeListHead(&amp;FirstpTmr-&gt;ptmrList);<br>
+      }<br>
       Ret = FirstpTmr;<br>
   }<br>
   else<br>
   {<br>
       Ret = UserCreateObject(gHandleTable, NULL, &amp;Handle, otTimer, sizeof(TIMER));<br>
-      if (Ret) InsertTailList(&amp;FirstpTmr-&gt;ptmrList, &amp;Ret-&gt;ptmrList);<br>
+      if (Ret)<br>
+      {<br>
+         Ret-&gt;head.h = Handle;<br>
+         InsertTailList(&amp;FirstpTmr-&gt;ptmrList, &amp;Ret-&gt;ptmrList);<br>
+      }<br>
   }<br>
   return Ret;<br>
 }<br>
@@ -66,14 +74,17 @@<br>
 FASTCALL<br>
 RemoveTimer(PTIMER pTmr)<br>
 {<br>
+  BOOL Ret = FALSE;<br>
   if (pTmr)<br>
   {<br>
      /* Set the flag, it will be removed when ready */<br>
      RemoveEntryList(&amp;pTmr-&gt;ptmrList);<br>
-     UserDeleteObject( UserHMGetHandle(pTmr), otTimer);<br>
-     return TRUE;<br>
-  }<br>
-  return FALSE;<br>
+     UserDereferenceObject(pTmr);<br>
+     Ret = UserDeleteObject( UserHMGetHandle(pTmr), otTimer);<br>
+  }<br>
+  if (!Ret) DPRINT1(&quot;Warning unable to delete timer\n&quot;);<br>
+<br>
+  return Ret;<br>
 }<br>
<br>
 PTIMER<br>
@@ -528,9 +539,7 @@<br>
    {<br>
       if ((pTmr) &amp;&amp; (pTmr-&gt;pti == pti) &amp;&amp; (pTmr-&gt;pWnd == Window))<br>
       {<br>
-         RemoveEntryList(&amp;pTmr-&gt;ptmrList);<br>
-         UserDeleteObject( UserHMGetHandle(pTmr), otTimer);<br>
-         TimersRemoved = TRUE;<br>
+         TimersRemoved = RemoveTimer(pTmr);<br>
       }<br>
       pLE = pTmr-&gt;ptmrList.Flink;<br>
       pTmr = CONTAINING_RECORD(pLE, TIMER, ptmrList);<br>
@@ -557,9 +566,7 @@<br>
    {<br>
       if ((pTmr) &amp;&amp; (pTmr-&gt;pti == pti))<br>
       {<br>
-         RemoveEntryList(&amp;pTmr-&gt;ptmrList);<br>
-         UserDeleteObject( UserHMGetHandle(pTmr), otTimer);<br>
-         TimersRemoved = TRUE;<br>
+         TimersRemoved = RemoveTimer(pTmr);<br>
       }<br>
       pLE = pTmr-&gt;ptmrList.Flink;<br>
       pTmr = CONTAINING_RECORD(pLE, TIMER, ptmrList);<br>
<br>
<br>
</blockquote></div><br>