[Webkit-unassigned] [Bug 217482] [GTK] Crash in WebKit::DropTarget::drop

bugzilla-daemon at webkit.org
Thu Oct 8 10:31:25 PDT 2020


https://bugs.webkit.org/show_bug.cgi?id=217482

--- Comment #2 from Michael Catanzaro <mcatanzaro at gnome.org> ---
(In reply to Michael Catanzaro from comment #1)
> OK here's a guess: maybe (1) user starts drag, (2) user leaves window,
> m_leaveTimer starts running, (3) user starts a new drag, m_leaveTimer still
> running, (4) m_leaveTimer fires, unsets m_selectionData etc., (5) user
> releases button, triggering drop, (6) crash.
> 
> It seems a little unlikely, because m_leaveTimer is stopped in
> DropTarget::accept, so the user would have to finish the drop before the
> source application sends its drag data offer. But that's actually possible,
> right?

It's actually called the first time drag-motion is received, so that is a little more plausible. But it still relies on that timer not firing immediately. My expectation is that the timer created with 0_s timeout would run on next iteration of the main loop, so it seems very unlikely... but I haven't looked into how Timer is implemented.

Notably, however, DropTarget::leaveTimerFired is actually prepared for m_selectionData to be nullopt! But DropTarget::drop is not. So if nothing else, that is inconsistent.

-- 
You are receiving this mail because:
You are the assignee for the bug.
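As an added illustration of the sequence guessed above (this is not WebKit's code; Timer, DropTarget, SelectionData and the main loop are hypothetical stand-ins), the following C++ models a 0_s one-shot timer as a task that runs on the next main-loop iteration, replays leave -> (timer or new drag-motion) -> drop, and contrasts a drop that checks m_selectionData with one that does not:

```cpp
#include <deque>
#include <functional>
#include <optional>
#include <string>
#include <utility>

// Constructed stand-in for the payload WebKit keeps in m_selectionData.
struct SelectionData {
    std::string text;
};

// Toy main loop: a 0_s one-shot timer is modelled as a task that runs on
// the next iteration, the assumption made in the comment above.
struct MainLoop {
    std::deque<std::function<void()>> pending;

    void runOnce() {
        std::deque<std::function<void()>> batch;
        batch.swap(pending);
        for (auto& task : batch)
            task();
    }
};

// Hypothetical one-shot timer; stop() before the next iteration cancels it.
class Timer {
public:
    Timer(MainLoop& loop, std::function<void()> fn) : m_loop(loop), m_fn(std::move(fn)) {}

    void startOneShot() {
        m_active = true;
        m_loop.pending.push_back([this] {
            if (!m_active)
                return;
            m_active = false;
            m_fn();
        });
    }
    void stop() { m_active = false; }

private:
    MainLoop& m_loop;
    std::function<void()> m_fn;
    bool m_active = false;
};

// Hypothetical drop target with the two drop variants the comment contrasts.
class DropTarget {
public:
    explicit DropTarget(MainLoop& loop) : m_leaveTimer(loop, [this] { leaveTimerFired(); }) {}

    void dragMotion() { m_leaveTimer.stop(); }      // first drag-motion stops a pending leave
    void accept(SelectionData data) {                // the source's data offer arrives
        m_leaveTimer.stop();
        m_selectionData = std::move(data);
    }
    void leave() { m_leaveTimer.startOneShot(); }    // pointer left the view: 0_s timer queued

    void leaveTimerFired() {                         // tolerates a missing payload
        if (!m_selectionData)
            return;
        m_selectionData = std::nullopt;
    }

    // No nullopt check: value() throws std::bad_optional_access here, where
    // operator-> on a disengaged optional would be undefined behaviour (the crash).
    std::string dropUnchecked() { return m_selectionData.value().text; }

    // Consistent with leaveTimerFired(): a drop with no payload is a no-op.
    std::optional<std::string> dropChecked() {
        if (!m_selectionData)
            return std::nullopt;
        std::string text = std::move(m_selectionData->text);
        m_selectionData = std::nullopt;
        return text;
    }

private:
    std::optional<SelectionData> m_selectionData;
    Timer m_leaveTimer;
};

enum class Scenario { DropBeforeTimer, TimerBeforeDrop, DragMotionBeforeTimer };

struct Outcome {
    bool uncheckedDropThrew;   // dropUnchecked() hit a disengaged optional
    bool checkedDropHadData;   // dropChecked() returned the payload
};

// Replays leave -> (maybe timer, maybe new drag-motion) -> drop for one scenario.
Outcome replay(Scenario scenario) {
    MainLoop loop;
    DropTarget target(loop);
    target.dragMotion();
    target.accept(SelectionData{"dragged text"});    // constructed payload
    target.leave();
    if (scenario == Scenario::DragMotionBeforeTimer)
        target.dragMotion();                         // a new drag cancels the leave
    if (scenario != Scenario::DropBeforeTimer)
        loop.runOnce();                              // next main-loop iteration

    Outcome o{false, false};
    try {
        (void)target.dropUnchecked();
    } catch (const std::bad_optional_access&) {
        o.uncheckedDropThrew = true;
    }
    o.checkedDropHadData = target.dropChecked().has_value();
    return o;
}
```

Only the TimerBeforeDrop replay loses the payload: the drop event has to be processed after the main-loop iteration that runs the leave timer and before any drag-motion that would stop it. In that window the unchecked drop fails while the checked one returns nullopt, which is the inconsistency between leaveTimerFired and drop noted above.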