| | [ Return to Bugs & Features | Roadmap 1.3 | SVN ⇄ GIT ]
STR #3503
| Application: | FLTK Library |
|---|
| Status: | 1 - Closed w/Resolution |
|---|
| Priority: | 4 - High, e.g. key functionality not working |
|---|
| Scope: | 3 - Applies to all machines and operating systems |
|---|
| Subsystem: | Core Library |
|---|
| Summary: | Crash in case Fl_Choice is released while pulldown is on screen |
|---|
| Version: | 1.3.4 |
|---|
| Created By: | meixner |
|---|
| Assigned To: | AlbrechtS |
|---|
| Fix Version: | 1.3.5 |
|---|
| Fix Commit: | 7ce74b42a06a5c26e818d6e0d87f743d6fc59243 |
|---|
| Update Notification: | |
|---|
Trouble Report Files:
Trouble Report Comments:
| |
| #1 | meixner
03:03 Dec 07, 2018 |
| If an Fl_Choice is released while the pulldown menu is shown on screen, a crash will result.
The reason is that inside Fl_Menu_Item::pulldown() Fl::wait() is invoked and the assumption is made, that when Fl::wait() returns the Fl_Choice object and objects depending on it are still valid. This assumption is wrong, if a timeout was set up, that deletes the Fl_Choice() widget. In this case data is referenced, that is no longer valid and the program crashes. | |
| |
| #2 | AlbrechtS
05:42 Dec 07, 2018 |
| Fixed in Git repository.
Thank you very much for the report and the analysis which is correct.
The fix is now in our Git repository in branch-1.3 and will be in the next release (1.3.5).
I'm going to fix this is 1.4.0 (master branch) as well... | |
| |
| #3 | AlbrechtS
05:57 Dec 07, 2018 |
| Please see file fl_choice-crash.cxx for a working demo program. Test instructions are included.
Fixed in branch 'master' (FLTK 1.4.0) as well:
commit d87ac9b59783dec5628e7ae242b390cf5097b77a | |
| |
| #4 | AlbrechtS
06:21 Dec 07, 2018 |
| Bad news: the fix seems to have an issue under Windows.
If the menu is open while the timer expires the Fl_Choice widget gets removed and the (empty) window is redrawn. However, the program seems to hang somehow and the window can't be closed (Windows says "the program does not react" or "no feedback from the program" - sorry, I don't have an English Windows system).
Investigating ... | |
| |
| #5 | AlbrechtS
09:05 Dec 07, 2018 |
| Fixed in Git repository.
Good news: another similar modification directly in Fl_Choice::handle() fixed it all - hopefully ;-)
Fix in 1.3: commit dabc725486a9465d0f5648aeaad12c2d569b5350
Fix in 1.4: commit 7c1ccfa03875e47e178f0852e8e9ae05bcc554a2
@OP: Please test and confirm that this fixes your issue as well.
@all: Test results on macOS (generally and with the posted test program) would be appreciated much (both in branch-1.3 and master).
TIA. | |
| |
| #6 | meixner
02:43 Dec 11, 2018 |
| Thanks for the fast response. However, I have already replaced it by a custom widget, since I did not expect to see a solution that fast and since I am tied to version 1.3.3 on the system I am developing for. | |
| |
| #7 | AlbrechtS
03:07 Dec 11, 2018 |
| Update: unfortunately the fix turned out to be incomplete. It is correct for the menu of Fl_Choice and other widgets, but pulldown() can also be called w/o a widget context (argument 'pulldown' == 0). See discussion here:
https://github.com/fltk/fltk/commit/d87ac9b59783dec5628e7ae242b390cf5097b77a#comments
The latest fix for 1.4 is now in
commit 9ea0d4ccbce4b0efd7db5368a4382bb992c64e13
I'm still investigating and follow-up with a fix for branch-1.3 (1.3.5). | |
| |
| #8 | AlbrechtS
03:08 Dec 11, 2018 |
| @OP (meixner): thanks for the feedback. | |
| |
| #9 | AlbrechtS
06:57 Jan 01, 2019 |
| Fixed in Git repository.
Fixed in 1.3.5 as well in commit 9ea0d4ccbce4b0efd7db5368a4382bb992c64e13.
See https://github.com/fltk/fltk/commit/9ea0d4ccbce4b0efd7db5368a4382bb992c64e13
This fix in both 1.3.5 and 1.4.0 can now be considered final. Closing this STR. | |
| |
| #10 | manolo
01:51 Feb 05, 2019 |
| I believe one more thing merits being taken care of to
complete this STR.
Run the attached file #1 fl_choice-crash.cxx as a test.
If you move the pointer to an item of the menu and then wait
for the timeout to delete the menu, function Fl_Menu_Item::pulldown()
runs and returns a value of type Fl_Menu_Item* which in fact points
to a memory zone that has just been deleted by the delete menu
operation.
If Fl_Menu_Item::pulldown() is called by public function
Fl_Menu_Item::popup(), then the return value of this public
function is a bad pointer.
My suggestion is to replace, 6 lines before the end of
Fl_Menu_Item::pulldown(), this
const Fl_Menu_Item* m = pp.current_item;
by that
const Fl_Menu_Item* m =
pbutton && wp.deleted() ? NULL : pp.current_item;
All of that applies identically to branches 1.3 and 1.4. | |
| |
| #11 | AlbrechtS
08:26 Feb 05, 2019 |
| Thanks for this comment, Manolo. I reopened the STR to be sure we fix this before we release 1.3.5.
Since I'm pretty busy with other things it'll take a while until I can check this further. | |
| |
| #12 | manolo
09:50 Feb 05, 2019 |
| The additional fixed mentionned at comment #10 above is now
committed to both branches:
in master branch: 751506a3fb05072c0e53c64b9bc304c34bdfdf73
in branch-1.3: 7ce74b42a06a5c26e818d6e0d87f743d6fc59243
This STR will be re-closed. | |
| |
| #13 | manolo
09:51 Feb 05, 2019 |
| Fixed in Git repository. | |
[ Return to Bugs & Features ]
|
| |
