Fix: don't deference stale pager pointer in core

Reset pager pointer in platform_thread if pager object is removed.

Fixes #532

base/include/base/pager.h

@@ -43,6 +43,8 @@ namespace Genode {
 			 */
 			unsigned long _badge;
 
+			Thread_capability _thread_cap;
+
 			/**
 			 * User-level signal handler registered for this pager object via
 			 * 'Cpu_session::exception_handler()'.
@@ -97,6 +99,13 @@ namespace Genode {
 				Signal_transmitter transmitter(_exception_sigh);
 				transmitter.submit();
 			}
+
+			/**
+			 * Remember thread cap so that rm_session can tell thread that
+			 * rm_client is gone.
+			 */
+			Thread_capability thread_cap() { return _thread_cap; } const
+			void thread_cap(Thread_capability cap) { _thread_cap = cap; }
 	};
 
 	/**

base/src/core/cpu_session_component.cc

@@ -81,6 +81,8 @@ int Cpu_session_component::set_pager(Thread_capability thread_cap,
 	if (!p) return -2;
 
 	thread->platform_thread()->pager(p);
+	p->thread_cap(thread->cap());
+   
 	return 0;
 }
 

base/src/core/rm_session_component.cc

@@ -756,6 +756,15 @@ Rm_session_component::~Rm_session_component()
 
 	/* remove all clients */
 	while (Rm_client *cl = _client_slab.raw()->first_object()) {
+		Thread_capability thread_cap = cl->thread_cap();                        
+		if (thread_cap.valid()) {                                               
+			/* lookup thread and reset pager pointer */
+			Cpu_thread_component *cpu_thread = dynamic_cast<Cpu_thread_component *>
+			                                   (_thread_ep->obj_by_cap(thread_cap));
+			if (cpu_thread)                                                     
+				cpu_thread->platform_thread()->pager(0);                        
+		}                                                                       
+
 		_lock.unlock();
 		cl->dissolve_from_faulting_rm_session();
 		this->dissolve(cl);