URL:
<https://savannah.gnu.org/bugs/?61727>
Summary: Premature cleanup in NSPopUpButtonCell -dealloc crashes application
Project: GNUstep
Submitted by: yavor
Submitted on: Thu 23 Dec 2021 05:40:10 PM EET
Category: Gui/AppKit
Severity: 3 - Normal
Item Group: Bug
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
_______________________________________________________
Details:
GTAMSAnalyzer crashes with GUI 0.29; backtrace at
https://bugs.debian.org/1001537. Cannot reproduce with earlier GUI versions.
Relevant valgrind output:
==6853== Process terminating with default action of signal 11 (SIGSEGV)
==6853==  Access not within mapped region at address 0xDEADFB0E
==6853==    at 0x569CD55: objc_msg_lookup (sendmsg.c:442)
==6853==    by 0x4AD1DBA: _i_NSApplication__targetForAction_to_from_ (NSApplication.m:2294)
==6853==    by 0x4B93B67: _i_NSMenu___autoenableItem_ (NSMenu.m:1179)
==6853==    by 0x4B98D36: _i_NSMenu__update (NSMenu.m:1255)
==6853==    by 0x4BBE5E0: _i_NSPopUpButtonCell__setMenuItem_ (NSPopUpButtonCell.m:640)
==6853==    by 0x4BBEDEB: _i_NSPopUpButtonCell__synchronizeTitleAndSelectedItem (NSPopUpButtonCell.m:842)
==6853==    by 0x4BBFA1A: _i_NSPopUpButtonCell__dealloc (NSPopUpButtonCell.m:152)
==6853==    by 0x4B2B1C0: _i_NSControl__dealloc (NSControl.m:125)
==6853==    by 0x4C46BDB: _i_NSView__removeSubview_ (NSView.m:965)
==6853==    by 0x4C55B6F: _i_NSView__dealloc (NSView.m:745)
==6853==    by 0x4C46BDB: _i_NSView__removeSubview_ (NSView.m:965)
==6853==    by 0x4C55B6F: _i_NSView__dealloc (NSView.m:745)
If I revert commit b7f5fb2, the problem goes away. I think what is happening
is exactly as described in the code comment which was deleted in that commit:
/*
* We don't use methods here to clean up the selected item, the menu
* item and the menu as these methods internally update the menu,
* which tries to access the target of the menu item (or of this cell).
* When the popup is released this target may already have been freed,
* so the local reference to it is invalid and will result in a
* segmentation fault.
*/
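A small C model of the teardown order described in this report, added here as an illustration and not code from GNUstep: the object types, the tombstone flag that stands in for free(), and run_teardown are all constructed for the example. It contrasts a dealloc that routes through the setter (and so triggers the menu update) with one that releases the ivar directly.

```c
#include <stddef.h>

/* Toy model, constructed for this example, of the ownership graph behind the
 * backtrace: a cell owns its menu item, and the item points at an action
 * target it does not retain (a weak reference, as in AppKit). A released
 * object is marked dead instead of freed, so the dangling access is counted
 * rather than crashing with SIGSEGV. */
typedef struct Obj { int refcount; int live; } Obj;
typedef struct MenuItem { Obj hdr; Obj *target; } MenuItem;
typedef struct Cell { Obj hdr; MenuItem *item; } Cell;

static int dangling_accesses; /* touches of a target that was already freed */

static void obj_release(Obj *o) { if (o && --o->refcount == 0) o->live = 0; }

/* Stand-in for -[NSMenu update] -> -_autoenableItem: -> -targetForAction:,
 * the frames above objc_msg_lookup in the valgrind output. */
static void menu_update(MenuItem *item) {
    if (item->target && !item->target->live) dangling_accesses++;
}

/* Stand-in for -setMenuItem:, whose side effect is a menu update. */
static void cell_set_menu_item(Cell *c, MenuItem *item) {
    if (c->item) menu_update(c->item);
    if (item) item->hdr.refcount++;
    obj_release((Obj *)c->item);
    c->item = item;
}

/* -dealloc after the offending commit: goes through the setter, so the menu
 * update runs during teardown. */
static void cell_dealloc_via_setter(Cell *c) { cell_set_menu_item(c, NULL); }

/* -dealloc as the deleted comment described it: release the ivar directly. */
static void cell_dealloc_direct(Cell *c) { obj_release((Obj *)c->item); c->item = NULL; }

/* Teardown order from the report: the target dies before the cell does.
 * Returns the number of accesses to the dead target (0 means safe). */
int run_teardown(int dealloc_via_setter) {
    Obj target = { 1, 1 };
    MenuItem item = { { 1, 1 }, &target };
    Cell cell = { { 1, 1 }, &item };
    dangling_accesses = 0;
    obj_release(&target);
    if (dealloc_via_setter) cell_dealloc_via_setter(&cell);
    else cell_dealloc_direct(&cell);
    return dangling_accesses;
}
```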
_______________________________________________________