On Tue Sep 26 10:21:37 2023 +0000, Zhiyi Zhang wrote:
Because present_clock_timer_callback_Invoke() releases the same object. If Release() is called here and then present_clock_timer_callback_Invoke() also gets called, the timer object will be released twice, while being in `clock->timers` only holds one reference count. It's either this or checking that the timer is still in `clock->timers` when calling present_clock_timer_callback_Invoke().
Ok, it's worse than I thought. I think present_clock_timer_CancelTimer() also has the same race. The idea was that items should be removed when transitioning to the running state, so that potentially on the next transition they are not submitted again. I think we should try to make both cases work. We could, like you said, check that it's in the list; some list entry pointer check might be enough to tell if it is.
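
The list-membership check discussed above, sketched as an added example that is not part of the thread or of Wine's code: whichever path actually unlinks the timer drops the list's single reference, and any later path sees the cleared entry pointer and does nothing. The structures, `list_remove_if_linked()` and `drop_list_reference()` are hypothetical stand-ins, the clock lock is omitted because the demo is single-threaded, and the callback is assumed to hold its own reference.

```c
#include <stddef.h>

/* Hypothetical stand-ins for illustration; not Wine's structures. */
struct list { struct list *next, *prev; };

struct timer
{
    struct list entry;  /* entry.next == NULL means "not in any list" */
    long refcount;
    int destroyed;      /* counts destructor runs; must never exceed 1 */
};

static void list_init(struct list *head) { head->next = head->prev = head; }

static void list_add_tail(struct list *head, struct list *e)
{
    e->prev = head->prev; e->next = head;
    head->prev->next = e; head->prev = e;
}

/* Unlink only if still linked. Returns 1 if this caller did the unlink. */
static int list_remove_if_linked(struct list *e)
{
    if (!e->next) return 0;
    e->prev->next = e->next; e->next->prev = e->prev;
    e->next = e->prev = NULL;
    return 1;
}

static void timer_release(struct timer *t)
{
    if (--t->refcount == 0) t->destroyed++;
}

/* Every path that may remove the timer calls this with the clock lock held
 * (lock omitted here), so the list's reference is dropped exactly once. */
static void drop_list_reference(struct timer *t)
{
    if (list_remove_if_linked(&t->entry)) timer_release(t);
}

static int demo(void)
{
    struct list timers;
    struct timer t = { { NULL, NULL }, 2, 0 }; /* list's ref + callback's own ref (assumed) */
    list_init(&timers);
    list_add_tail(&timers, &t.entry);
    drop_list_reference(&t);  /* removal on state transition or cancel */
    drop_list_reference(&t);  /* late callback: already unlinked, no-op */
    timer_release(&t);        /* callback drops its own reference */
    return t.destroyed == 1 && t.refcount == 0 && timers.next == &timers;
}

int main(void) { return demo() ? 0 : 1; }
```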