Bug 756042 - GtkAssistant: Segfault after g_object_run_dispose(page)
Status: RESOLVED FIXED
Product: gtk+
Classification: Platform
Component: Widget: Other
Version: 3.18.x
Hardware: Other Linux
Importance: Normal normal
Target Milestone: ---
Assigned To: gtk-bugs
QA Contact: gtk-bugs
Depends on:
Blocks: 755942
Reported: 2015-10-04 12:51 UTC by Kjell Ahlstedt
Modified: 2015-10-05 13:56 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
Test case (4.44 KB, text/plain)
2015-10-04 12:57 UTC, Kjell Ahlstedt

Description Kjell Ahlstedt 2015-10-04 12:51:06 UTC
When the C++ binding of gtk+, gtkmm, deletes the C++ wrapper of a widget, it
calls g_object_run_dispose(object), where 'object' is the wrapped gtk+ widget.
The call to g_object_run_dispose() makes the widget disconnect from its parent
by calling gtk_container_remove().

This usually works fine, and has done so for many years. But now it causes
segfault in assistant_remove_page_cb(), if one of GtkAssistant's pages is
disposed of. That's because of the commit
https://git.gnome.org/browse/gtk+/commit/?id=6cc65260f4ba54ea0ca9f93068050435bd6b9f1a

Previously, the parent of a page was the notebook in the assistant. When a page
widget removed itself from its parent, it was removed from the notebook. Then
assistant_remove_page_cb() was called.

Now the parent of a page is a box, created by gtk_assistant_insert_page().
When a page widget removes itself from its parent, it is removed from the box.
Then assistant_remove_page_cb() is *not* called.
Later, when assistant_remove_page_cb() is called because the box is removed
from the notebook, the box has no children. The program crashes because
children is NULL in the following code, copied from assistant_remove_page_cb().

  if (GTK_IS_BOX (page))
    {
      GList *children;

      children = gtk_container_get_children (GTK_CONTAINER (page));
      page = GTK_WIDGET (children->data);
      g_list_free (children);
    }

It would be easy to test if children is NULL after the call to
gtk_container_get_children(), but I suppose that's not enough.
assistant_remove_page_cb() should be called when a page is removed from its
parent.
Comment 1 Kjell Ahlstedt 2015-10-04 12:57:32 UTC
Created attachment 312626
Test case

Show the assistant by clicking "simple assistant"
While the assistant is shown, click "delete page 1"
Destroy the assistant by clicking "simple assistant" again
Segfault!

It may look like a strange example in C code, but it's approximately what
happens in e.g.
https://git.gnome.org/browse/gtkmm-documentation/tree/examples/book/assistant,
when the application is closed. The assistant's pages are
deleted before the assistant itself is deleted.
Comment 2 Murray Cumming 2015-10-05 13:56:28 UTC
This was apparently the fix:
https://git.gnome.org/browse/gtk+/commit/?id=35b088459e3c6886ae63cd18404c626160092eab
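
The crash described in the report, modelled as an added example in plain C. This is not GTK code and not the fix from the commit linked above; the Widget and Assistant types and all function names are constructed stand-ins. It covers both points the description raises: the guard on an empty box, and telling the assistant when a page leaves its box.

```c
#include <stddef.h>

/* Constructed stand-ins for the GTK types; only what the bug needs. */
typedef struct Assistant Assistant;
typedef struct Widget {
    struct Widget *parent;  /* for a page: the box that wraps it */
    struct Widget *child;   /* for a box: the page it wraps, or NULL */
    Assistant     *owner;   /* for a box: the assistant that created it */
} Widget;
struct Assistant { Widget *pages[4]; size_t n_pages; };

/* Drop the assistant's record of `page`, keeping order; 1 if it was known. */
static int assistant_forget_page(Assistant *a, Widget *page) {
    for (size_t i = 0; i < a->n_pages; i++) {
        if (a->pages[i] == page) {
            for (; i + 1 < a->n_pages; i++) a->pages[i] = a->pages[i + 1];
            a->n_pages--;
            return 1;
        }
    }
    return 0;
}

/* Models gtk_assistant_insert_page(): the page's parent is a box. */
int assistant_insert_page(Assistant *a, Widget *box, Widget *page) {
    if (a->n_pages >= sizeof a->pages / sizeof a->pages[0]) return 0;
    box->parent = NULL;  box->child = page;  box->owner = a;
    page->parent = box;  page->child = NULL; page->owner = NULL;
    a->pages[a->n_pages++] = page;
    return 1;
}

/* Models a page removing itself from its box during dispose. Notifying the
 * owner here is the step the report says no longer happens. */
void page_unparent(Widget *page) {
    Widget *box = page->parent;
    if (box == NULL) return;
    box->child = NULL;
    page->parent = NULL;
    if (box->owner != NULL) assistant_forget_page(box->owner, page);
}

/* Models assistant_remove_page_cb() for a box leaving the notebook.
 * Returns 1 if a page was removed, 0 if the box was already empty. */
int assistant_remove_box(Assistant *a, Widget *box) {
    Widget *page = box->child;
    if (page == NULL) return 0;  /* the quoted code reads children->data here */
    box->child = NULL;
    page->parent = NULL;
    return assistant_forget_page(a, page);
}
```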