Bug 121099

Summary: [WK2][GTK] Frequent crashes when showing context menus in Debug builds
Product: WebKit Reporter: Sergio Villar Senin <svillar>
Component: WebKitGTKAssignee: Sergio Villar Senin <svillar>
Status: RESOLVED FIXED    
Severity: Normal CC: cgarcia, gustavo, mrobinson, svillar, xan.lopez
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch cgarcia: review+

Sergio Villar Senin
Reported 2013-09-10 09:48:12 PDT
It's becoming quite common to get a crash in the UIProcess when showing context menus at least with Debug builds. After debugging it a bit it looks like the problem happens inside WebContextMenuProxyGtk::contextMenuItemVisibilityChanged, here GOwnPtr<GList> items(gtk_container_get_children(GTK_CONTAINER(menu))); Basically the problem is that the menu reference is invalid. That likely means that the menu was freed and then we're trying to use it. Since this is a signal callback the problem is likely that we aren't disconnecting the signals when destroying the context menu. Patch to follow.
Attachments
Patch (3.60 KB, patch)
2013-09-10 09:52 PDT, Sergio Villar Senin 		cgarcia: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Sergio Villar Senin
Comment 1 2013-09-10 09:52:44 PDT
Created attachment 211208 [details] Patch
Carlos Garcia Campos
Comment 2 2013-09-10 09:58:05 PDT
Comment on attachment 211208 [details] Patch I wonder if we could use g_signal_connect_object and we don't need to keep a map of signal handlers.
Sergio Villar Senin
Comment 3 2013-09-10 10:12:19 PDT
(In reply to comment #2) > (From update of attachment 211208 [details]) > I wonder if we could use g_signal_connect_object and we don't need to keep a map of signal handlers. You mean using the GtkMenu as the object? Yeah I guess that could work as well...
Carlos Garcia Campos
Comment 4 2013-09-10 10:39:47 PDT
(In reply to comment #3) > (In reply to comment #2) > > (From update of attachment 211208 [details] [details]) > > I wonder if we could use g_signal_connect_object and we don't need to keep a map of signal handlers. > > You mean using the GtkMenu as the object? Yeah I guess that could work as well... I meant for the GtkAction, but doesn't make sense since it's the menu what is destroyed.
Carlos Garcia Campos
Comment 5 2013-09-10 10:42:21 PDT
Comment on attachment 211208 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=211208&action=review LGTM > Source/WebKit2/UIProcess/gtk/WebContextMenuProxyGtk.cpp:174 > + for (HashMap<unsigned long, GtkAction*>::const_iterator iter = m_signalHandlers.begin(); iter != m_signalHandlers.end(); ++iter) > + g_signal_handler_disconnect(iter->value, iter->key); I'm not C++ expert, but now that we are using C++ 11 features I wonder if we could use auto here.
Martin Robinson
Comment 6 2013-09-10 11:14:33 PDT
(In reply to comment #5) > (From update of attachment 211208 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=211208&action=review > > LGTM > > > Source/WebKit2/UIProcess/gtk/WebContextMenuProxyGtk.cpp:174 > > + for (HashMap<unsigned long, GtkAction*>::const_iterator iter = m_signalHandlers.begin(); iter != m_signalHandlers.end(); ++iter) > > + g_signal_handler_disconnect(iter->value, iter->key); > > I'm not C++ expert, but now that we are using C++ 11 features I wonder if we could use auto here. I think you're right. See Source/JavaScriptCore/runtime/MapData.cpp for instance.
Sergio Villar Senin
Comment 7 2013-09-10 11:34:00 PDT
Committed r155459: <http://trac.webkit.org/changeset/155459>
Note You need to log in before you can comment on or make changes to this bug.