Details
P1: Critical Description
QCocoaMenu::m_attachedItem can become invalid as soon as we delete this attached item in ~QCocoaMenuItem (and we never reset it).
It can happen the next time we populate the menu and call menu delelgate's method:
- (BOOL)menu:(NSMenu *)menu updateItem:(NSMenuItem *)item atIndex:(NSInteger)index shouldCancel:(BOOL)shouldCancel
we also call itemSubmenu->setAttachedItem(item), this results in
m_attachedItem.submenu = nil;
where m_attachedItem is a dangling pointer.
This was found while testing one of our examples (browser app) and owncloud client application (essentially it's using QSystemTrayIcon + QMenu) - in both cases 'the pattern' seems to be the similar:
- browser updates its list of recently viewed pages - thus clearing/re-populating the menu again and again
- the application re-populates the menu when sync status is changing.
I'm attaching the reproducer, which is essentially an excerpt/snippet for this scenario, a bit contrived maybe but making the problem obvious (well, you have to click on this orange systray icon and open context menu, probably, several times).