[Webkit-unassigned] [Bug 88800] [GTK] Showing the context menu in the Web Inspector can crash the browser

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jul 4 02:11:55 PDT 2012 

https://bugs.webkit.org/show_bug.cgi?id=88800


Carlos Garcia Campos <cgarcia at igalia.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #149644|review?                     |review-
               Flag|                            |




--- Comment #5 from Carlos Garcia Campos <cgarcia at igalia.com>  2012-07-04 02:11:55 PST ---
(From update of attachment 149644)
View in context: https://bugs.webkit.org/attachment.cgi?id=149644&action=review

Thanks for the patch and sorry for the delay to review it. This is indeed a problem of using GtkMenu directly in ContextMenu.

> Source/WebCore/platform/gtk/ContextMenuGtk.cpp:56
> +    if (parent && parent != GTK_WIDGET(m_platformDescription)) {

Adding a widget twice to the same parent is an error too, so you only need to check whether it has parent.

> Source/WebCore/platform/gtk/ContextMenuGtk.cpp:62
> +    gtk_menu_shell_append(GTK_MENU_SHELL(m_platformDescription), platformItem);
> +    gtk_widget_show(platformItem);

You are leaking the platformItem in case of being reparented. You can fix the leak and simplify the code a bit using GRefPtr, someting like this:

GRefPtr<GtkWidget> platformItem = GTK_WIDGET(item.releasePlatformDescription());
ASSERT(platformItem);

if (GtkWidget* parent = gtk_widget_get_parent(platformItem.get()))
    gtk_container_remove(GTK_CONTAINER(parent), platformItem.get());

gtk_menu_shell_append(GTK_MENU_SHELL(m_platformDescription), platformItem.get());
gtk_widget_show(platformItem.get());

If the menu item has a floating reference (it hasn't been added to a container), the RefPtr consumes the floating reference and the reference counter will be 1. Then it's added to the parent, reference counter is increased, and when the function finishes the RefPtr releases its reference and the GtkMenu holds the only reference.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list