Crash in error-recovery code of GtkMenu

Submitted by Maxim Reznik

Link to original bug (#775753)

Description

Created attachment 341539 stack trace

Our application dumped core with the attached stack trace.

At frame #26 (closed), GTK+ is popping a menu up under the mouse pointer. The function gtk_menu_popup_for_device tries to grab the mouse pointer but, since the menu window is not realized or mapped yet, it creates a "transfer window" and grabs the mouse pointer on that instead.

If the grab on the "transfer_window" fails, then GTK_MENU_SHELL (xgrab_shell)->priv->have_xgrab remains FALSE, and we enter the "if" statement and call menu_grab_transfer_window_destroy (menu). Inside menu_grab_transfer_window_destroy at frame #25 (closed) we find that the menu has a transfer_window, so we do:

widget_window = gtk_widget_get_window (GTK_WIDGET (menu)); g_object_set_data (G_OBJECT (widget_window), I_("gdk-attached-grab-window"), window);

But widget_window is NULL because menu is not realized yet. So g_object_set_data crashes.

The bug is not systematic. Possible, the trigger for the bug is a "pointer grab failed" error reply from the X server. So it's hard to reproduce.

Here is part of stack trace and proposed patch.

Attachment 341539, "stack trace":
stack_trace.txt

Version: 3.22.x