Run SWT.SetData callbacks inside Display.asyncExec() #678

zkxvh · zkxvh · commit 04987c0c1e1e · 2025-01-21T12:27:57.000+05:00
Move execution of SWT.SetData callbacks from cellDataProc(...) to Display.asyncExec(...) to avoid app crashes and/or other native code problems. Why: 1. cellDataProc() is a so called "cell data function" (a GTK3 term), GTK3 expects no tree structure modifications inside such functions. Failing to do so may lead to app crash and/or other native code problems. 2. SWT.SetData callbacks are written by users, and can contain any code, including code for tree modifications. Fixes #678
diff --git a/bundles/org.eclipse.swt/Eclipse SWT/gtk/org/eclipse/swt/widgets/Table.java b/bundles/org.eclipse.swt/Eclipse SWT/gtk/org/eclipse/swt/widgets/Table.java
@@ -15,6 +15,8 @@
 package org.eclipse.swt.widgets;
 
 
+import java.util.*;
+
 import org.eclipse.swt.*;
 import org.eclipse.swt.events.*;
 import org.eclipse.swt.graphics.*;
@@ -98,6 +100,7 @@ public class Table extends Composite {
 	int headerHeight;
 	boolean boundsChangedSinceLastDraw, headerVisible, wasScrolled;
 	boolean rowActivated;
+	AsyncSetDataTask asyncSetDataTask = new AsyncSetDataTask();
 
 	private long headerCSSProvider;
 
@@ -220,15 +223,15 @@ long cellDataProc (long tree_column, long cell, long tree_model, long iter, long
 		}
 	}
 	if (modelIndex == -1) return 0;
-	boolean setData = false;
+	boolean updated = false;
+	long [] ptr = new long [1];
 	if ((style & SWT.VIRTUAL) != 0) {
-		if (!item.cached) {
-			lastIndexOf = index[0];
-			setData = checkData (item);
+		if (item.cached) {
+			updated = item.updated;
+			item.updated = false;
+		} else {
+			asyncSetDataTask.enqueueItem (item);
 		}
-	}
-	long [] ptr = new long [1];
-	if (setData) {
 		ptr [0] = 0;
 		if (isPixbuf) {
 			GTK.gtk_tree_model_get (tree_model, iter, modelIndex + CELL_PIXBUF, ptr, -1);
@@ -266,7 +269,7 @@ long cellDataProc (long tree_column, long cell, long tree_model, long iter, long
 			}
 		}
 	}
-	if (setData) {
+	if (updated) {
 		ignoreCell = cell;
 		setScrollWidth (tree_column, item);
 		ignoreCell = 0;
@@ -4249,4 +4252,68 @@ public void dispose() {
 		headerCSSProvider = 0;
 	}
 }
+
+/**
+ * A task to set data for {@link TableItem items} via {@link SWT#SetData} user
+ * callbacks asynchronously.
+ * <p>
+ * {@link SWT#SetData} callbacks should not be run inside
+ * {@link Table#cellDataProc(long, long, long, long, long)} because it's a cell
+ * data function (in GTK terms) and no tree structure modifications are allowed
+ * in such functions.<br>
+ * Violation of the above may cause application crashes and other native-code
+ * problems in gtk.<br>
+ * Since {@link SWT#SetData} callbacks are written by users, we run them inside
+ * {@link Display#asyncExec(Runnable)} to avoid the native-code problems.
+ */
+class AsyncSetDataTask implements Runnable {
+	boolean scheduled;
+	LinkedHashSet<TableItem> itemsQueue = new LinkedHashSet<> ();
+
+	void enqueueItem (TableItem item) {
+		itemsQueue.add (item);
+		ensureExecutionScheduled ();
+	}
+
+	void ensureExecutionScheduled () {
+		if (!scheduled && !isDisposed ()) {
+			display.asyncExec (this);
+			scheduled = true;
+		}
+	}
+
+	@Override
+	public void run () {
+		scheduled = false;
+		if (itemsQueue.isEmpty () || isDisposed ()) {
+			return;
+		}
+		boolean updated = false;
+		LinkedHashSet<TableItem> items = itemsQueue;
+		itemsQueue = new LinkedHashSet<> ();
+		try {
+			for (Iterator<TableItem> it = items.iterator (); it.hasNext ();) {
+				TableItem item = it.next ();
+				it.remove ();
+				if (!item.cached && !item.isDisposed ()) {
+					if (checkData (item)) {
+						updated = item.updated = true;
+					}
+				}
+			}
+		} catch (Throwable t) {
+			if (!items.isEmpty ()) {
+				itemsQueue.addAll (items);
+				if (updated) {
+					display.asyncExec ( () -> redraw ());
+				}
+				ensureExecutionScheduled ();
+			}
+			throw t;
+		}
+		if (updated) {
+			redraw ();
+		}
+	}
+}
 }
diff --git a/bundles/org.eclipse.swt/Eclipse SWT/gtk/org/eclipse/swt/widgets/TableItem.java b/bundles/org.eclipse.swt/Eclipse SWT/gtk/org/eclipse/swt/widgets/TableItem.java
@@ -44,7 +44,7 @@ public class TableItem extends Item {
 	Font font;
 	Font[] cellFont;
 	String [] strings;
-	boolean cached, grayed, settingData;
+	boolean cached, grayed, updated, settingData;
 
 /**
  * Constructs a new instance of this class given its parent
diff --git a/bundles/org.eclipse.swt/Eclipse SWT/gtk/org/eclipse/swt/widgets/Tree.java b/bundles/org.eclipse.swt/Eclipse SWT/gtk/org/eclipse/swt/widgets/Tree.java
@@ -110,6 +110,7 @@ public class Tree extends Composite {
 	Color headerBackground, headerForeground;
 	boolean boundsChangedSinceLastDraw, wasScrolled;
 	boolean rowActivated;
+	AsyncSetDataTask asyncSetDataTask = new AsyncSetDataTask();
 
 	private long headerCSSProvider;
 
@@ -296,20 +297,15 @@ long cellDataProc (long tree_column, long cell, long tree_model, long iter, long
 		}
 	}
 	if (modelIndex == -1) return 0;
-	boolean setData = false;
 	boolean updated = false;
+	long [] ptr = new long [1];
 	if ((style & SWT.VIRTUAL) != 0) {
-		if (!item.cached) {
-			//lastIndexOf = index [0];
-			setData = checkData (item);
-		}
-		if (item.updated) {
-			updated = true;
+		if (item.cached) {
+			updated = item.updated;
 			item.updated = false;
+		} else {
+			asyncSetDataTask.enqueueItem (item);
 		}
-	}
-	long [] ptr = new long [1];
-	if (setData) {
 		if (isPixbuf) {
 			ptr [0] = 0;
 			GTK.gtk_tree_model_get (tree_model, iter, modelIndex + CELL_PIXBUF, ptr, -1);
@@ -348,7 +344,7 @@ long cellDataProc (long tree_column, long cell, long tree_model, long iter, long
 			}
 		}
 	}
-	if (setData || updated) {
+	if (updated) {
 		ignoreCell = cell;
 		setScrollWidth (tree_column, item);
 		ignoreCell = 0;
@@ -4333,4 +4329,68 @@ public void dispose() {
 		headerCSSProvider = 0;
 	}
 }
+
+/**
+ * A task to set data for {@link TreeItem items} via {@link SWT#SetData} user
+ * callbacks asynchronously.
+ * <p>
+ * {@link SWT#SetData} callbacks should not be run inside
+ * {@link Tree#cellDataProc(long, long, long, long, long)} because it's a cell
+ * data function (in GTK terms) and no tree structure modifications are allowed
+ * in such functions.<br>
+ * Violation of the above may cause application crashes and other native-code
+ * problems in gtk.<br>
+ * Since {@link SWT#SetData} callbacks are written by users, we run them inside
+ * {@link Display#asyncExec(Runnable)} to avoid the native-code problems.
+ */
+class AsyncSetDataTask implements Runnable {
+	boolean scheduled;
+	LinkedHashSet<TreeItem> itemsQueue = new LinkedHashSet<> ();
+
+	void enqueueItem (TreeItem item) {
+		itemsQueue.add (item);
+		ensureExecutionScheduled ();
+	}
+
+	void ensureExecutionScheduled () {
+		if (!scheduled && !isDisposed ()) {
+			display.asyncExec (this);
+			scheduled = true;
+		}
+	}
+
+	@Override
+	public void run () {
+		scheduled = false;
+		if (itemsQueue.isEmpty () || isDisposed ()) {
+			return;
+		}
+		boolean updated = false;
+		LinkedHashSet<TreeItem> items = itemsQueue;
+		itemsQueue = new LinkedHashSet<> ();
+		try {
+			for (Iterator<TreeItem> it = items.iterator (); it.hasNext ();) {
+				TreeItem item = it.next ();
+				it.remove ();
+				if (!item.cached && !item.isDisposed ()) {
+					if (checkData (item)) {
+						updated = item.updated = true;
+					}
+				}
+			}
+		} catch (Throwable t) {
+			if (!items.isEmpty ()) {
+				itemsQueue.addAll (items);
+				if (updated) {
+					display.asyncExec ( () -> redraw ());
+				}
+				ensureExecutionScheduled ();
+			}
+			throw t;
+		}
+		if (updated) {
+			redraw ();
+		}
+	}
+}
 }
diff --git a/tests/org.eclipse.swt.tests.gtk/ManualTests/org/eclipse/swt/tests/gtk/snippets/Issue678_JvmCrashOnTreeItemSetImage.java b/tests/org.eclipse.swt.tests.gtk/ManualTests/org/eclipse/swt/tests/gtk/snippets/Issue678_JvmCrashOnTreeItemSetImage.java
@@ -0,0 +1,106 @@
+package org.eclipse.swt.tests.gtk.snippets;
+
+import org.eclipse.swt.SWT;
+import org.eclipse.swt.graphics.Image;
+import org.eclipse.swt.layout.FillLayout;
+import org.eclipse.swt.widgets.Display;
+import org.eclipse.swt.widgets.Shell;
+import org.eclipse.swt.widgets.Tree;
+import org.eclipse.swt.widgets.TreeItem;
+
+/**
+ * Title: app crash
+ * <p>
+ *
+ * How to run: run this class as java application.
+ * <p>
+ *
+ * Bug description: when {@link TreeItem#setImage(Image)} is called within an
+ * {@link SWT#SetData} event handler for a {@link SWT#VIRTUAL} tree, then a JVM
+ * crash can happen because of use-after-free gtk3 renderer in
+ * {@code Tree.cellDataProc()}.
+ *
+ * <pre>
+ * Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
+ * C  [libgobject-2.0.so.0+0x3b251]  g_type_check_instance_is_fundamentally_a+0x11
+ * C  [libswt-pi3-gtk-4958r2.so+0x4b609]  Java_org_eclipse_swt_internal_gtk_OS_g_1object_1set__J_3BJJ+0x4a
+ *
+ * Java frames: (J=compiled Java code, j=interpreted, Vv=VM code)
+ * J 11988  org.eclipse.swt.internal.gtk.OS.g_object_set(J[BJJ)V (0 bytes)
+ * J 10921 c1 org.eclipse.swt.widgets.Tree.cellDataProc(JJJJJ)J (486 bytes)
+ * J 10920 c1 org.eclipse.swt.widgets.Display.cellDataProc(JJJJJ)J (29 bytes)
+ * v  ~StubRoutines::call_stub
+ * J 11619  org.eclipse.swt.internal.gtk3.GTK3.gtk_main_iteration_do(Z)Z (0 bytes)
+ * J 11623 c1 org.eclipse.swt.widgets.Display.readAndDispatch()Z (88 bytes)
+ * </pre>
+ *
+ * Please note that the crash isn't guaranteed to happen.<br>
+ * Why: the causes of the bug is use-after-free in native code. <br>
+ * The app crash happens when in-between "free" and "use" the released memory is
+ * allocated and modified by some other native code.<br>
+ * For example some if some pointer accessed during "use" is changed to contain
+ * address to inaccessible memory, then the app will crash with SIGSEGV.<br>
+ * The problem is that the native code in-between "free" and "use" (i.e. jvm and
+ * 3d-party libraries) is too complex to predict.
+ *
+ * Expected results: image is shown in the tree, no crashes, no errors.
+ * <p>
+ *
+ * GTK Version(s): 3.24.37
+ */
+public class Issue678_JvmCrashOnTreeItemSetImage {
+
+	private static final int NUM_ITERATIONS = 100;
+
+	public static void main (String[] args) {
+		Display display = new Display ();
+		Shell shell = new Shell (display);
+		shell.setSize (400, 300);
+		shell.setLayout (new FillLayout ());
+		shell.open ();
+		Image image = new Image (display, 20, 20);
+
+		for (int i = 0; i < NUM_ITERATIONS; i++) {
+			Tree tree = new Tree (shell, SWT.VIRTUAL);
+			tree.addListener (SWT.SetData, e -> {
+				TreeItem item = (TreeItem) e.item;
+				item.setText (0, "A");
+
+				// for some reason sleeping increases probability of crash
+				try {
+					Thread.sleep (50);
+				} catch (InterruptedException ex) {
+					throw new RuntimeException (ex);
+				}
+
+				item.setImage (image); // <-- this is the critical line!
+			});
+			tree.setItemCount (1);
+			shell.layout ();
+
+			waitUntilIdle ();
+
+			tree.dispose ();
+		}
+
+		display.dispose ();
+	}
+
+	private static void waitUntilIdle () {
+		long lastActive = System.currentTimeMillis ();
+		while (true) {
+			if (Thread.interrupted ()) {
+				throw new AssertionError ();
+			}
+			if (Display.getCurrent ().readAndDispatch ()) {
+				lastActive = System.currentTimeMillis ();
+			} else {
+				if (lastActive + 10 < System.currentTimeMillis ()) {
+					return;
+				}
+				Thread.yield ();
+			}
+		}
+	}
+
+}
