Closed Bug 288006 Opened 19 years ago Closed 19 years ago

Drag image across browser windows --> crash [@ msvcrt.dll + 0x378c0 (0x77c378c0) 517abc0f]

Categories

(Core :: DOM: Copy & Paste and Drag & Drop, defect)

x86
Windows XP
defect
Not set
critical

VERIFIED FIXED

People

(Reporter: bobchao, Assigned: jst)

Details

(5 keywords, Whiteboard: aviary-only)

Attachments

(3 files, 1 obsolete file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-TW; rv:1.7.6) Gecko/20050318 Firefox/1.0.2 (ax)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-TW; rv:1.7.6) Gecko/20050318 Firefox/1.0.2 (ax)

Always reproducible in:
* [release] Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6)
Gecko/20050317 Firefox/1.0.2
* [release] Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-TW; rv:1.7.6)
Gecko/20050318 Firefox/1.0.2 (ax)
* [nightly] Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-TW; rv:1.7.6)
Gecko/20050327 Firefox/1.0.2

see reproducing steps.

Reproducible: Always

Steps to Reproduce:
1. press ctrl-N to open another browser window.
2. open an image (say, http://www.mozilla.org/images/t_firefox.gif) in first
browser window.
3. drag the image into the new browser window

Actual Results:  
Firefox crashed

Expected Results:  
open the image without crash

Talkback: TB4650038Q

note: Is the bug related to bug 44254, bug 287962 or bug 281431?

WFM on trunk here

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050327
Firefox/1.0+

I can reproduce this crash with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
rv:1.7.6) Gecko/20050328 Firefox/1.0.2

Talkback ID: TB4656657W
Incident ID: 4656657
Stack Signature	msvcrt.dll + 0x378c0 (0x77c378c0) 517abc0f
Product ID	Firefox10
Build ID	2005032722
Trigger Time	2005-03-28 05:27:58.0
Platform	Win32
Operating System	Windows NT 5.1 build 2600
Module	msvcrt.dll + (000378c0)
URL visited	
User Comments	
Since Last Crash	24 sec
Total Uptime	24 sec
Trigger Reason	Access violation
Source File, Line No.	N/A
Stack Trace 	
msvcrt.dll + 0x378c0 (0x77c378c0)
XPTC_InvokeByIndex 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp,
line 102]
XPCWrappedNative::CallMethod 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp,
line 2034]
XPC_WN_CallMethod 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp,
line 1287]
js_Invoke 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c,
line 949]
js_Interpret 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c,
line 2993]
js_Invoke 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c,
line 966]
js_InternalInvoke 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c,
line 1043]
JS_CallFunctionValue 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsapi.c,
line 3698]
nsJSContext::CallEventHandler 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp,
line 1297]
nsJSEventListener::HandleEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/dom/src/events/nsJSEventListener.cpp,
line 184]
nsEventListenerManager::HandleEventSubType 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/events/src/nsEventListenerManager.cpp,
line 1436]
nsEventListenerManager::HandleEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/events/src/nsEventListenerManager.cpp,
line 1516]
nsXULElement::HandleDOMEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2841]
nsXULElement::HandleDOMEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2860]
nsXULElement::HandleDOMEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2860]
nsXULElement::HandleDOMEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2860]
nsXULElement::HandleDOMEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2860]
nsXULElement::HandleChromeEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/xul/content/src/nsXULElement.cpp,
line 3988]
GlobalWindowImpl::HandleDOMEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp,
line 954]
nsDocument::HandleDOMEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/base/src/nsDocument.cpp,
line 3753]
nsGenericElement::HandleDOMEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/base/src/nsGenericElement.cpp,
line 1999]
PresShell::HandleEventInternal 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/layout/html/base/src/nsPresShell.cpp,
line 6059]
PresShell::HandleEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/layout/html/base/src/nsPresShell.cpp,
line 5921]
nsViewManager::HandleEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/view/src/nsViewManager.cpp,
line 2326]
nsViewManager::DispatchEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/view/src/nsViewManager.cpp,
line 2066]
HandleEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/view/src/nsView.cpp,
line 77]
nsWindow::DispatchEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 1067]
nsNativeDragTarget::ProcessDrag 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/widget/src/windows/nsNativeDragTarget.cpp,
line 234]
nsNativeDragTarget::Drop 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/widget/src/windows/nsNativeDragTarget.cpp,
line 350]
ole32.dll + 0x118e86 (0x775e8e86)
ole32.dll + 0x1190c8 (0x775e90c8)
ole32.dll + 0xefc98 (0x775bfc98)
ole32.dll + 0xefb20 (0x775bfb20)
nsDragService::StartInvokingDragSession 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/widget/src/windows/nsDragService.cpp,
line 168]
nsDragService::InvokeDragSession 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/widget/src/windows/nsDragService.cpp,
line 133]
nsContentAreaDragDrop::DragGesture 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/base/src/nsContentAreaDragDrop.cpp,
line 703]
DispatchToInterface 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/events/src/nsEventListenerManager.cpp,
line 127]
nsEventListenerManager::HandleEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/events/src/nsEventListenerManager.cpp,
line 1524]
nsXULElement::HandleDOMEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2841]
nsXULElement::HandleChromeEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/xul/content/src/nsXULElement.cpp,
line 3988]
GlobalWindowImpl::HandleDOMEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp,
line 954]
nsDocument::HandleDOMEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/base/src/nsDocument.cpp,
line 3753]
nsGenericElement::HandleDOMEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/base/src/nsGenericElement.cpp,
line 1999]
nsGenericElement::HandleDOMEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/base/src/nsGenericElement.cpp,
line 1993]
nsGenericElement::HandleDOMEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/base/src/nsGenericElement.cpp,
line 1993]
nsHTMLImageElement::HandleDOMEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/html/content/src/nsHTMLImageElement.cpp,
line 579]
nsEventStateManager::GenerateDragGesture 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/events/src/nsEventStateManager.cpp,
line 1484]
nsEventStateManager::PreHandleEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/events/src/nsEventStateManager.cpp,
line 443]
PresShell::HandleEventInternal 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/layout/html/base/src/nsPresShell.cpp,
line 6056]
PresShell::HandleEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/layout/html/base/src/nsPresShell.cpp,
line 5921]
nsViewManager::HandleEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/view/src/nsViewManager.cpp,
line 2326]
nsViewManager::DispatchEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/view/src/nsViewManager.cpp,
line 2066]
HandleEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/view/src/nsView.cpp,
line 77]
nsWindow::DispatchEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 1067]
nsWindow::DispatchMouseEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 5261]
ChildWindow::DispatchMouseEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 5511]
nsWindow::WindowProc 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 1349]
USER32.dll + 0x8709 (0x77d38709)
USER32.dll + 0x87eb (0x77d387eb)
USER32.dll + 0x89a5 (0x77d389a5)
USER32.dll + 0x89e8 (0x77d389e8)
nsAppShell::Run 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/widget/src/windows/nsAppShell.cpp,
line 159]
nsAppShellService::Run 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/xpfe/appshell/src/nsAppShellService.cpp,
line 495]
Severity: normal → critical
Keywords: crash
Summary: Drag image across browser windows --> crash → Drag image across browser windows --> crash [@ msvcrt.dll + 0x378c0 (0x77c378c0) 517abc0f]
Attached patch Fix.
The problem here is that the new dragDropSecurityCheck() method assumes (and
correctly so IMO) that the source document has a non-null documentURI property.
And it would, if ImageDocuments would tell xpconnect that they implement
nsIDOM3Document. This patch fixes that, and also makes checkLoadURIStr() not
crash if ever given a null source URI string.
Assignee: nobody → jst
Status: UNCONFIRMED → ASSIGNED
Attachment #178880 - Flags: superreview?(bzbarsky)
Attachment #178880 - Flags: review?(bzbarsky)
Flags: blocking1.7.7?
Flags: blocking-aviary1.0.3?
Comment on attachment 178880
Fix.

Add a null-check for aTargetURIStr too, ok?  And land the security manager part
on trunk?
Attachment #178880 - Flags: superreview?(bzbarsky)
Attachment #178880 - Flags: superreview+
Attachment #178880 - Flags: review?(bzbarsky)
Attachment #178880 - Flags: review+
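
The failure mode described in the patch comment and the review above, as an added sketch that is not Mozilla's code: a URI check taking raw C strings faults inside the C runtime when the source URI is null, while the hardened form rejects a null source or target and fails closed. The function names, result codes and the toy policy are assumptions for illustration.

```cpp
#include <cstring>

// Hypothetical result codes standing in for nsresult values.
enum Result { ALLOW = 0, DENY_BAD_URI = 1, DENY_POLICY = 2 };

// Toy policy (an assumption, not Mozilla's rules): web content may not
// load privileged chrome: or file: targets.
static bool IsPrivileged(const char* uri) {
    return std::strncmp(uri, "chrome:", 7) == 0 ||
           std::strncmp(uri, "file:", 5) == 0;
}

// Shape of the defect: both raw pointers go straight into C string
// routines, so a null source (a document whose documentURI is not
// reachable) causes an access violation inside the CRT.
Result CheckLoadURIStrUnchecked(const char* source, const char* target) {
    if (std::strncmp(source, "http", 4) == 0 && IsPrivileged(target))
        return DENY_POLICY;
    return ALLOW;
}

// Hardened form: validate both arguments before any string routine sees
// them, and refuse the load instead of guessing at a default.
Result CheckLoadURIStrChecked(const char* source, const char* target) {
    if (!source || !target)
        return DENY_BAD_URI;
    return CheckLoadURIStrUnchecked(source, target);
}

// Caller-side view of a drop handler (hypothetical): documentURI may be
// null when the source document does not expose that property.
Result DropCheck(const char* documentURI, const char* droppedURL) {
    return CheckLoadURIStrChecked(documentURI, droppedURL);
}
```

With the checked form a drop from such a document is refused rather than crashing the process.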
Comment on attachment 178880
Fix.

I wonder if a DOM_CLASSINFO_GENERIC_DOCUMENT_MAP_ENTRIES macro would make
sense.
Blocks: 287897
Attached patch Same thing for the 1.0.1 branch (obsolete)
Turns out that this is aviary only, at least the crash part is. On the trunk,
the caps code is passed a string reference, so no need for null checks there,
and I already landed peterv's proposed cleanup (added a macro) on the trunk
too. This should go in for 1.0.3 whenever that goes out...
Comment on attachment 178961
Same thing for the 1.0.1 branch

Pushing this onto our radar for possible inclusion.
Attachment #178961 - Flags: superreview?(dveditz)
Attachment #178961 - Flags: review?(bzbarsky)
Attachment #178961 - Flags: approval1.7.7?
Attachment #178961 - Flags: approval-aviary1.0.3?
Attachment #178961 - Flags: review?(bzbarsky) → review+
This is the same as the above patch, but w/o the nsDOMClassInfo changes just to
keep the regression risk at 0.
Attachment #179603 - Flags: superreview+
Attachment #179603 - Flags: review+
Attachment #179603 - Flags: approval-aviary1.0.3?
Comment on attachment 178961
Same thing for the 1.0.1 branch

We don't want to rush the iface changes, just stop the crash. (these will come
back as a new patch, minus the null check in attachment 179603)
Attachment #178961 - Attachment is obsolete: true
Attachment #178961 - Flags: superreview?(dveditz)
Attachment #178961 - Flags: superreview+
Attachment #178961 - Flags: approval1.7.7?
Attachment #178961 - Flags: approval1.7.7-
Attachment #178961 - Flags: approval-aviary1.0.3?
Attachment #178961 - Flags: approval-aviary1.0.3-
Attachment #179605 - Flags: superreview+
Attachment #179605 - Flags: review+
Attachment #179605 - Flags: approval1.7.8?
Attachment #179605 - Flags: approval-aviary1.0.4?
Comment on attachment 179603
Caps only change for last-minute inclusion for 1.0.3

a=dveditz for 1.7.7 and aviary1.0.3 branches to stop the crash. Drop remains
broken after this patch, but doesn't crash.
Attachment #179603 - Flags: approval1.7.7+
Attachment #179603 - Flags: approval-aviary1.0.3?
Attachment #179603 - Flags: approval-aviary1.0.3+
The crash fix is blocking 1.7.7 and aviary 1.0.3; nominating 1.0.4 and 1.7.8
for the nsDOMClassInfo fix to make dropping images work again.
Flags: blocking1.7.8?
Flags: blocking1.7.7?
Flags: blocking1.7.7+
Flags: blocking-aviary1.0.4?
Flags: blocking-aviary1.0.3?
Flags: blocking-aviary1.0.3+
I just landed attachment 179603 on the aviary and 1.7 branches on jst's behalf
per his request.
verified fixed using 2005040417-1.0.3 (linux, mac) and 2005040416-1.0.3
(windows) bits. tested using the case in comment 0, keeping in mind that the
dropped image won't load in the target window (comment 12): no crashes observed.
Whiteboard: aviary-only
Marking bug fixed as this is not a trunk problem.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Flags: blocking1.7.8?
Flags: blocking-aviary1.0.5?
Comment on attachment 179605
nsDOMClassInfo part of the fix to make dragging from image documents work again.

a=dveditz for landing on branches, but not blocking the release if it doesn't
happen.

If checked in please add the fixed-aviary1.0.5 and fixed1.7.9 keywords (without
removing the current 1.0.3/1.7.7 ones) to help triage and tracking queries.
Attachment #179605 - Flags: approval1.7.9+
Attachment #179605 - Flags: approval1.7.8?
Attachment #179605 - Flags: approval-aviary1.0.5?
Attachment #179605 - Flags: approval-aviary1.0.5+
Fixed on the branches.
verified fixed using 200506170x-1.0.5 firefox builds on linux fc3 and mac os x
10.4.1 --this time the dropped image does load in the second browser window. :)
Status: RESOLVED → VERIFIED
Crash Signature: [@ msvcrt.dll + 0x378c0 (0x77c378c0) 517abc0f]