
Fix T75521: Use after free error when using activate_init
Status: Needs Review (Public)

Authored by Jacques Lucke (JacquesLucke) on Wed, May 13, 3:48 PM.

Details

Summary

This took me way longer to track down than I'd like to admit. ^^

In the end I found that the text box adds a handler to window->modalhandlers
that should not be there. This one is not removed later on and causes the crash
later.

The reason this extra handler is added is that but->block->handle is
not yet initialized in wm_block_dialog_create. It will only be
initialized a little bit later in ui_popup_block_refresh.

Since wm_block_dialog_create already activates the button, the check
for popups in button_activate_state fails. Adding this extra check
solves the issue in the provided test file. However, this only works
if UI_BUT_ACTIVATE_ON_INIT is set only for buttons in popups. I'm
not sure if that is the case.

A better fix would be to move the call to UI_block_active_only_flagged_buttons
out of wm_block_dialog_create and only call it after the block has been
initialized completely. Alternatively, one could also move the handle into
wm_block_dialog_create. I'm not sure about the implications of those changes.
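The initialization-order problem described above, as an added model in C that is not Blender's code: the struct names, the handler list and the functions are simplified, hypothetical stand-ins for the ones named in the summary. Activating the flagged button while `block->handle` is still NULL makes the popup check fail, so a handler is registered that nothing removes; after the popup is torn down that handler still points at dead memory.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified, hypothetical model of the structures named in the summary. */
typedef struct uiBlock { void *handle; } uiBlock;
typedef struct uiBut { uiBlock *block; bool activate_on_init; } uiBut;

/* Stand-in for window->modalhandlers: owners that must be removed before
 * the objects they point to are freed. */
static void *modalhandlers[8];
static int num_handlers;

static void add_modal_handler(void *owner) { modalhandlers[num_handlers++] = owner; }
static void remove_modal_handler(void *owner)
{
    for (int i = 0; i < num_handlers; i++) {
        if (modalhandlers[i] == owner) { modalhandlers[i] = modalhandlers[--num_handlers]; return; }
    }
}

/* Models the popup check in button_activate_state(): a button inside a popup
 * must not register its own handler, the popup's handler already serves it.
 * With block->handle still NULL the check fails and a stray handler is added. */
static void button_activate_state(uiBut *but)
{
    if (but->block->handle == NULL) add_modal_handler(but);
}

/* Models UI_block_active_only_flagged_buttons() for a single button. */
static void activate_only_flagged(uiBut *but)
{
    if (but->activate_on_init) button_activate_state(but);
}

/* Runs one popup lifetime and returns how many handlers are left after the
 * popup, its block and its button are torn down. 0 is correct; anything else
 * is a handler pointing at freed memory (the use-after-free in T75521). */
int run_popup_lifetime(bool activate_before_handle_init)
{
    int popup_handle;                  /* stands in for the popup block handle */
    uiBlock block = { NULL };
    uiBut but = { &block, true };
    num_handlers = 0;

    if (activate_before_handle_init) activate_only_flagged(&but); /* buggy order */
    block.handle = &popup_handle;      /* initialized "a little later" */
    add_modal_handler(&popup_handle);  /* the popup's legitimate handler */
    if (!activate_before_handle_init) activate_only_flagged(&but); /* fixed order */

    remove_modal_handler(&popup_handle); /* popup closes; block and button die here */
    return num_handlers;                 /* stray button handler survives in buggy order */
}
```

Running under AddressSanitizer, the real crash shows up the moment the leftover handler is dispatched; in this model the non-zero return is the equivalent signal.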

Diff Detail

Repository
rB Blender
Branch
activate-init-crash (branched from master)
Build Status
Buildable 8031
Build 8031: arc lint + arc unit

Event Timeline

Jacques Lucke (JacquesLucke) requested review of this revision. Wed, May 13, 3:48 PM
Inline comment on source/blender/editors/interface/interface.c, line 906:

I'm also not sure about the implications of this. Below we unset the flag anyway if done==true.