Crash in error-recovery code of GtkMenu
Submitted by Maxim Reznik
Link to original bug (#775753)
Description
Created attachment 341539 stack trace
Our application dumped core with the attached stack trace.
At frame #26 (closed), GTK+ is popping a menu up under the mouse pointer. The function gtk_menu_popup_for_device tries to grab the mouse pointer but, since the menu window is not realized or mapped yet, it creates a "transfer window" and grabs the mouse pointer on that instead.
If the grab on the "transfer_window" fails, then GTK_MENU_SHELL (xgrab_shell)->priv->have_xgrab remains FALSE, and we enter the "if" statement and call menu_grab_transfer_window_destroy (menu). Inside menu_grab_transfer_window_destroy at frame #25 (closed) we find that the menu has a transfer_window, so we do:
widget_window = gtk_widget_get_window (GTK_WIDGET (menu)); g_object_set_data (G_OBJECT (widget_window), I_("gdk-attached-grab-window"), window);
But widget_window is NULL because menu is not realized yet. So g_object_set_data crashes.
The bug is not systematic. Possible, the trigger for the bug is a "pointer grab failed" error reply from the X server. So it's hard to reproduce.
Here is part of stack trace and proposed patch.
Attachment 341539, "stack trace":
stack_trace.txt
Version: 3.22.x