GTK4 / Win32 Drag'n'drop crash
Steps to reproduce
- Open gtk4-demo
- Select the Paint demo
- Drag the GtkColorButton on the right of the header bar
- Resize the Paint demo window
- Drag the GtkColorButton button again
Version information
GTK4/git built on MSYS2
Warnings
No warnings
Stack trace
Thread 12 "GDK Win32 DnD Thread" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 14280.0x2094]
0x00007fffe4740069 in process_dnd_queue (timed=0, end_time=0,
getdata_check=0x0) at ../gtk4/gdk/win32/gdkdrag-win32.c:472
472 ddd->src_context->util_data = updatestate->produced_util_data;
(gdb) bt -full
#0 0x00007fffe4740069 in process_dnd_queue (timed=0, end_time=0,
getdata_check=0x0) at ../gtk4/gdk/win32/gdkdrag-win32.c:472
item = 0x26d4e5a6960
updatestate = 0x26d4e5a6960
ddd = 0x26d5064bce0
__func__ = "process_dnd_queue"
#1 0x00007fffe4741737 in idropsource_querycontinuedrag (This=0x26d5059a8d0,
fEscapePressed=0, grfKeyState=1) at ../gtk4/gdk/win32/gdkdrag-win32.c:1052
ctx = 0x26d5059a8d0
#2 0x00007ff81eb2bece in ole32!OleGetPackageClipboardOwner ()
from C:\WINDOWS\System32\ole32.dll
No symbol table info available.
#3 0x00007ff81eb2c91c in ole32!DoDragDrop ()
from C:\WINDOWS\System32\ole32.dll
No symbol table info available.
#4 0x00007fffe4740811 in do_drag_drop (ddd=0x26d5059a870)
at ../gtk4/gdk/win32/gdkdrag-win32.c:643
hr = 621
#5 0x00007fffe47409b3 in _gdk_win32_dnd_thread_main (data=0x26d4e7bc280)
at ../gtk4/gdk/win32/gdkdrag-win32.c:697
queue = 0x26d4e7bc280
item = 0x26d5059a870
msg = {hwnd = 0x0, message = 49765, wParam = 0, lParam = 0,
time = 347503750, pt = {x = 447, y = 130}}
hr = 0
__func__ = "_gdk_win32_dnd_thread_main"
#6 0x00007fffe74082d1 in ?? () from D:\msys64\mingw64\bin\libglib-2.0-0.dll
No symbol table info available.
#7 0x00007ff80afe4f33 in ?? () from D:\msys64\mingw64\bin\libwinpthread-1.dll
No symbol table info available.
#8 0x00007ff81dbcaf5a in msvcrt!_beginthreadex ()
from C:\WINDOWS\System32\msvcrt.dll
No symbol table info available.
#9 0x00007ff81dbcb02c in msvcrt!_endthreadex ()
from C:\WINDOWS\System32\msvcrt.dll
No symbol table info available.
#10 0x00007ff81e557034 in KERNEL32!BaseThreadInitThunk ()
from C:\WINDOWS\System32\kernel32.dll
No symbol table info available.
#11 0x00007ff81ece2651 in ntdll!RtlUserThreadStart ()
from C:\WINDOWS\SYSTEM32\ntdll.dll
No symbol table info available.
#12 0x0000000000000000 in ?? ()
No symbol table info available.
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb) frame 0
#0 0x00007fffe4740069 in process_dnd_queue (timed=0, end_time=0,
getdata_check=0x0) at ../gtk4/gdk/win32/gdkdrag-win32.c:472
472 ddd->src_context->util_data = updatestate->produced_util_data;
(gdb) p *ddd
$1 = {base = {item_type = 2661523408, opaque_context = 0x2c19fab4240},
src_context = 0xfeeefeeefeeefeee, src_object = 0xfeeefeeefeeefeee,
allowed_drop_effects = 4277075694, received_drop_effect = 4277075694,
received_result = -17891602}
(gdb) p *ddd->src_context
Cannot access memory at address 0xfeeefeeefeeefeee
(gdb)
It's a use-after-free: https://stackoverflow.com/questions/68076771/c-segmentation-fault-and-0xfeeefeeefeeefeee-error-with-pointers
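As an added example (not part of the report and not GTK code), a small Python helper that scans a gdb struct dump such as the `p *ddd` output above for the 0xFEEEFEEE fill pattern the Windows debug heap writes into freed blocks; it assumes the dump is pasted in as a plain string and that fields are printed as `name = value`.

```python
import re

# Constructed copy of the `p *ddd` output quoted in the stack trace above.
GDB_DUMP = """$1 = {base = {item_type = 2661523408, opaque_context = 0x2c19fab4240},
src_context = 0xfeeefeeefeeefeee, src_object = 0xfeeefeeefeeefeee,
allowed_drop_effects = 4277075694, received_drop_effect = 4277075694,
received_result = -17891602}"""

# One 32-bit word of the pattern HeapFree writes over a freed block when the
# process runs under a debugger (the "freed memory" fill).
FREED_WORD = 0xFEEEFEEE

# Scalar fields only: `name = <hex or decimal>`; nested `base = {` has no number.
FIELD_RE = re.compile(r"(\w+)\s*=\s*(-?0x[0-9a-fA-F]+|-?\d+)\b")


def parse_fields(dump):
    """Return (name, value) pairs for every scalar field, nested structs included."""
    return [(name, int(text, 0)) for name, text in FIELD_RE.findall(dump)]


def is_freed_heap_fill(value):
    """True if the value consists solely of repeated 0xFEEEFEEE words.

    gdb prints signed fields in decimal, so -17891602 is 0xFEEEFEEE seen as an
    int32; negative values are reinterpreted as 32- or 64-bit two's complement.
    """
    if value < 0:
        width = 32 if -value <= 1 << 31 else 64
        value += 1 << width
    if value <= 0:
        return False
    while value:
        if (value & 0xFFFFFFFF) != FREED_WORD:
            return False
        value >>= 32
    return True


def flag_freed_fields(dump):
    """Names of the fields whose value is the freed-heap fill pattern."""
    return [name for name, value in parse_fields(dump) if is_freed_heap_fill(value)]


if __name__ == "__main__":
    fields = parse_fields(GDB_DUMP)
    flagged = flag_freed_fields(GDB_DUMP)
    print(f"{len(flagged)} of {len(fields)} fields carry the freed-block fill:")
    for name in flagged:
        print("  ", name)
```

Every field except the first two (the first 16 bytes of the block) carries the fill, which is what a freed block looks like once the heap has reused its head for free-list links, so the evidence points at `ddd` itself having been freed, not only `src_context`.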
Other information
Besides the crash, there are visual artifacts. It seems like the DnD indicators are not destroyed when the DnD ends. The visual artifacts can also be seen on Linux; created #4179 for that.