From f7e60c8fc9dc2ed2d99cb6edba9a55dd7556d27e Mon Sep 17 00:00:00 2001 From: Steven Michaud Date: Wed, 30 Nov 2011 10:33:00 -0600 Subject: [PATCH] Bug 704866 - Crashes @ -[NativeMenuItemTarget menuItemHit:]. r=bgirard --- widget/src/cocoa/nsMenuBarX.mm | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/widget/src/cocoa/nsMenuBarX.mm b/widget/src/cocoa/nsMenuBarX.mm index 4107824db9d2..e1d657c755c3 100644 --- a/widget/src/cocoa/nsMenuBarX.mm +++ b/widget/src/cocoa/nsMenuBarX.mm @@ -839,6 +839,23 @@ static BOOL gMenuItemsExecuteCommands = YES; { NS_OBJC_BEGIN_TRY_ABORT_BLOCK; + // menuGroupOwner below is an nsMenuBarX object, which we sometimes access + // after it's been deleted, causing crashes (see bug 704866 and bug 670914). + // To fix this "correctly", in nsMenuBarX::~nsMenuBarX() we'd need to + // iterate through every NSMenuItem in nsMenuBarX::mNativeMenu and its + // submenus, which might be quite time consuming. (For every NSMenuItem + // that has a "representedObject" that's a MenuItemInfo object, we'd need + // need to null out its "menuGroupOwner" if it's the same as the nsMenuBarX + // object being destroyed.) But if the nsMenuBarX object being destroyed + // corresponds to the currently focused window, it's likely that the + // nsMenuBarX destructor will null out sLastGeckoMenuBarPainted. So we can + // probably eliminate most of these crashes if we use this variable being + // null as an indicator that we're likely to crash below when we dereference + // menuGroupOwner. + if (!nsMenuBarX::sLastGeckoMenuBarPainted) { + return; + } + if (!gMenuItemsExecuteCommands) { return; }