From 77cbc951cb6daa7c42e95b2cf46b228cd3cfed8b Mon Sep 17 00:00:00 2001 From: Pekka Paalanen Date: Tue, 15 Nov 2011 13:34:55 +0200 Subject: [PATCH] window: clean up redraw and focuses on destroy Currently, the way to destroy a window in a response to an event (e.g. button click), is to put a task into the deferred list with display_defer(). The task will then call window_destroy() from outside event handling code. As events are handled, it is possible that the deferred list contains also the redraw task for this window. As the execution order of these tasks is unknown (redrawing a freed window is a bug) and redrawing something that goes away immediately is not useful, the redraw task must be removed on window_destroy(). 'struct input' contains pointers to windows currently in focus for that input device. These pointers must also be cleared on window_destroy(). This fixes a use-after-free bug for the unlock dialog in desktop-shell (future commit). As an irrelevant minor cleanup, window::grab_device member is not used anywhere, and is removed. Signed-off-by: Pekka Paalanen --- clients/window.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/clients/window.c b/clients/window.c index d75a0ac8..16322ff6 100644 --- a/clients/window.c +++ b/clients/window.c @@ -112,7 +112,6 @@ struct window { int type; int decoration; int transparent; - struct input *grab_device; struct input *keyboard_device; uint32_t name; enum window_buffer_type buffer_type; @@ -987,6 +986,19 @@ window_draw_decorations(struct window *window) void window_destroy(struct window *window) { + struct display *display = window->display; + struct input *input; + + if (window->redraw_scheduled) + wl_list_remove(&window->redraw_task.link); + + wl_list_for_each(input, &display->input_list, link) { + if (input->pointer_focus == window) + input->pointer_focus = NULL; + if (input->keyboard_focus == window) + input->keyboard_focus = NULL; + } + wl_surface_destroy(window->surface); wl_list_remove(&window->link); free(window);