author Alban Browaeys <prahal@yahoo.com> 2013-04-29 21:27:23 +0200
committer Alejandro Piñeiro <apinheiro@igalia.com> 2013-05-06 13:47:25 +0200
commit 1838235ac65ddf47dcd434ef8cbb6cc11ce96699 (patch)
tree 65984725ca6029cb0a13e0547de4a0331e846198
parent 98c1ff473a2eea42a4c87519cffd23614f88b6ee (diff)
download atk-1838235ac65ddf47dcd434ef8cbb6cc11ce96699.tar.gz
Nullify the gobject cache accessible when the accessible is finalized.
When the gobject is disposed the weak reference finalizes the accessible. But the gobject could still be referenced, thus not finalized. As the gobject still holds the accessible in its qdata, the next call to atk_gobject_accessible_for_object returns the old accessible's freed memory. If the caller attempts to do anything with this memory as if it were an atkobject it segfaults.

This happens here: gnome-shell segfaults when the password prompt it generates is triggered more than once. As the clutter stage still holds a reference to the StIMText, which was disposed when the password widget was destroyed with the end of the first password widget, when the second password prompt attempts to notify key focus to the old widget, it gets its accessible (now freed memory) via the StIMText qdata cache, and passes this to atk_object_notify_state_change. gobject still holds a pointer to it via qdata.

https://bugzilla.gnome.org/show_bug.cgi?id=699262
-rw-r--r-- atk/atkgobjectaccessible.c 6
1 files changed, 6 insertions, 0 deletions
diff --git a/atk/atkgobjectaccessible.c b/atk/atkgobjectaccessible.c
index ba87480..eb0bf09 100644
--- a/atk/atkgobjectaccessible.c
+++ b/atk/atkgobjectaccessible.c
@@ -140,8 +140,14 @@ atk_real_gobject_accessible_initialize (AtkObject *atk_obj,
static void
atk_gobject_accessible_dispose (gpointer data)
{
+ GObject *object;
+
g_return_if_fail (ATK_IS_GOBJECT_ACCESSIBLE (data));
+ object = atk_gobject_accessible_get_object (data);
+ if (object)
+ g_object_set_qdata (object, quark_accessible_object, NULL);
+
g_object_set_qdata (G_OBJECT (data), quark_object, NULL);
atk_object_notify_state_change (ATK_OBJECT (data), ATK_STATE_DEFUNCT,
TRUE);
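Review bot: the new `g_object_set_qdata (object, quark_accessible_object, NULL)` in atk_gobject_accessible_dispose clears the object's cache slot without checking that the slot still points at `data`. If a different accessible has been stored under quark_accessible_object for the same object by the time this runs, the call drops that one as well. Comparing first, for example `if (object && g_object_get_qdata (object, quark_accessible_object) == data)`, keeps the clear scoped to the accessible being torn down. A short comment above the new block stating that the object can outlive its accessible and must not keep a stale cached pointer would also help, since that reasoning currently lives only in the commit message.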