GNOME Bugzilla – Bug 751401
crash on DnD
Last modified: 2015-07-13 13:00:25 UTC
Created attachment 305945
backtrace

Open a documentation page, such as GtkListBoxRow, and drag the image a bit. devhelp doesn't have this problem.
(In reply to Ben from comment #0)
> devhelp doesn't have this problem

Try running devhelp from `jhbuild shell` and you'll find it too crashes on your test case.
Created attachment 305966
Better backtrace

It affects WebKitGTK+ 2.4.9 as well as my build of WebKit master when running in my jhbuild shell, so it seems like it should not be a regression in WebKit. But WebKit is calling gtk_drag_begin() with a null GdkEvent, which is surely wrong. The bug occurs in Fedora rawhide as well (without jhbuild), but not in Fedora 22.

Note: it took me half an hour and six attempts to get this backtrace :p
In WebKit::DragAndDropHandler::startDrag() we assume that gtk_get_current_event() returns non-null, which was previously a valid assumption, but now it is returning null. I think we should return early there if gtk_get_current_event() returns null, since otherwise the untrusted web process could force the UI process to crash with fake startDrag messages. I will file a WebKit bug for that. That would fix the crash, but I guess drag-and-drop would still be broken. Let's use this bug to figure out why gtk_get_current_event() is returning null.

I bisected it:

3ae953092a4089c6073d1df1546e50daf7099e4c is the first bad commit
commit 3ae953092a4089c6073d1df1546e50daf7099e4c
Author: Matthias Clasen <mclasen@redhat.com>
Date:   Sat May 16 23:55:09 2015 -0400

    Don't force an icon window

    We were inadvertently forcing the use of an icon window in all cases.
    This patch makes it so that we once again use a combined cursor when
    possible.
I submitted a WebKit patch to fix the crash, but drag-and-drop is still broken.
(In reply to Michael Catanzaro from comment #3)
> 3ae953092a4089c6073d1df1546e50daf7099e4c is the first bad commit
> commit 3ae953092a4089c6073d1df1546e50daf7099e4c
> Author: Matthias Clasen <mclasen@redhat.com>
> Date:   Sat May 16 23:55:09 2015 -0400

gtk_get_current_event() returns NULL both with and without this patch; you can only expect it to be non-NULL if called within code triggered by gtk_main_do_event(). And gtk_drag_begin() should cope just fine with NULL events, mostly needed for proper timestamps.

That said, ephy indeed doesn't crash with this patch reverted, looks like a real refcounting issue.
Created attachment 306943 [review]
gtkdnd: Account for setting a same icon helper

Just create the new ref before dropping the "old" one, possibly destroying the object.
Review of attachment 306943 [review]:

Might be a nice place for the new g_set_object().
Created attachment 306955 [review]
gtkdnd: Account for setting a same icon helper

g_set_object() will take care of ref'ing before destroying the previous instance, which might actually be the same pointer.
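The refcounting hazard discussed in the two patches above (attachments 306943 and 306955), as an added example that is not part of the GTK patch or this bug report: a setter that unrefs the old value before ref'ing the new one finalizes the object when both pointers are the same and the field held the last reference, which is the use-after-free behind the crash. The `IconHelper` type, its ref/unref helpers and the two setters are constructed stand-ins for GtkIconHelper and GObject; the corrected setter follows the ordering g_set_object() uses (ref new, store, unref old, and skip the work entirely when the pointers match). To make the bug observable without touching freed memory, the toy unref records a `destroyed` flag instead of freeing.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for a GObject-style refcounted object. On the
 * last unref it marks itself destroyed instead of freeing, so the
 * use-after-free ordering can be observed safely. */
typedef struct {
    int ref_count;
    int destroyed;   /* set when ref_count drops to zero */
} IconHelper;

static IconHelper *icon_helper_new(void)
{
    IconHelper *h = calloc(1, sizeof *h);
    if (h == NULL)
        abort();
    h->ref_count = 1;
    return h;
}

static IconHelper *icon_helper_ref(IconHelper *h)
{
    h->ref_count++;
    return h;
}

static void icon_helper_unref(IconHelper *h)
{
    if (--h->ref_count == 0)
        h->destroyed = 1;   /* a real object would be finalized here */
}

/* Buggy setter: release the old reference first, then take the new one.
 * If old == new and the field held the sole reference, the object is
 * finalized on the unref and then "ref'd" after destruction. */
static void set_icon_helper_buggy(IconHelper **field, IconHelper *value)
{
    if (*field)
        icon_helper_unref(*field);
    *field = value ? icon_helper_ref(value) : NULL;
}

/* Corrected setter in the style of g_set_object(): take the new
 * reference before dropping the old one, and do nothing when the
 * pointers already match. Returns 1 if the field changed. */
static int set_icon_helper_safe(IconHelper **field, IconHelper *value)
{
    IconHelper *old = *field;
    if (old == value)
        return 0;
    if (value)
        icon_helper_ref(value);
    *field = value;
    if (old)
        icon_helper_unref(old);
    return 1;
}

/* Scenario from the bug: a field owns the only reference and the same
 * helper is assigned to it again. Returns 1 if the buggy setter
 * finalized an object that is still in use. */
static int buggy_destroys_live_object(void)
{
    IconHelper *field = icon_helper_new();
    set_icon_helper_buggy(&field, field);
    int destroyed = field->destroyed;
    free(field);
    return destroyed;
}

/* Same scenario through the corrected setter. Returns 1 if the object
 * is still live with its refcount untouched. */
static int safe_keeps_object_alive(void)
{
    IconHelper *field = icon_helper_new();
    set_icon_helper_safe(&field, field);
    int ok = (field->destroyed == 0 && field->ref_count == 1);
    free(field);
    return ok;
}

/* Replacing with a different helper must release the old one exactly
 * once and leave the new one with two owners (caller + field). */
static int safe_replaces_and_releases_old(void)
{
    IconHelper *field = icon_helper_new();
    IconHelper *other = icon_helper_new();
    int changed = set_icon_helper_safe(&field, other);
    int ok = changed && field == other && other->ref_count == 2;
    IconHelper *old = field;
    free(old);
    return ok;
}

int main(void)
{
    printf("buggy setter destroyed live object: %d\n", buggy_destroys_live_object());
    printf("safe setter kept object alive:      %d\n", safe_keeps_object_alive());
    printf("safe setter replaced correctly:     %d\n", safe_replaces_and_releases_old());
    return 0;
}
```

The first function's `old` pointer is the one the buggy setter destroys; in a real GObject it would be chunk-freed memory, and the subsequent ref is the write that crashes in the backtrace.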
Review of attachment 306955 [review]:

yes
Attachment 306955 pushed as dadb275 - gtkdnd: Account for setting a same icon helper
*** Bug 752282 has been marked as a duplicate of this bug. ***