97708 - Copying lots of text with mouse causes huge crash

Status: VERIFIED FIXED

(Core :: DOM: Selection, defect, P2)

Description

[rob]

Copying lots of text from Mozilla to another application causes both Mozilla and
the application to crash.

While using build 2001083008, in an attempt to work around bug 97658, I selected
the entire text of http://www.lojban.org/files/machine-grammars/grammar.300 and
opened a vim window to paste it into. When I middle-clicked, there was a brief
pause, and then Mozilla crashed, and vim became unresponsive as it was waiting
for the paste.

The expected result is that the paste would complete normally.

Comment 1

[Greg Breland]

Works for me with 2001083008.  Of course, not liking VIm, I used pico (the
editor of champions).  It also worked fine with VI.

Marking->WFM

Comment 2

[R.K.Aa.]

reopening and marking dup of bug 86262

Comment 3

[R.K.Aa.]

*** This bug has been marked as a duplicate of 86262 ***

Comment 4

[R.K.Aa.]

marked dup because crash is reported.
I saw no crash when pasting to pico, but the paste was incomplete even if all
text was selected, only a few paragraphs pasted.
Reporter: If you can produce a backtrace of this, it would help.

./mozilla -g -d gdb
run

if stack varies a lot from bug 86262 please reopen or add comment.

Comment 5

[rob]

Running the above debugging command caused Mozilla to not run, and ended with
the message:
ptrace: No such process.

Mozilla seems to care a lot about what's being done with the pasted text. In
nvi, the entire text gets pasted. In emacs, only the first few paragraphs get
pasted. In gedit, Mozilla crashes.

Comment 6

[R.K.Aa.]

tadaa..reopening. I can reproduce the crash with 2001083108 linux like this

go to http://www.lojban.org/files/machine-grammars/grammar.300
after it's loaded, click "Edit" and "select all", then "Copy"
Start gedit (in this case v. 0.9.4)
Middle clicked - nothing happened.
Selected Edit and paste in gedit:
Mozilla crashed.

Verifying for now, will look for dups.

Stack:
#0  0x406a5254 in NSGetModule () from libuconv.so
#1  0x406aba65 in NSGetModule () from libuconv.so
#2  0x406ab500 in NSGetModule () from libuconv.so
#3  0x406ab702 in NSGetModule () from libuconv.so
#4  0x40c8d0e3 in NSGetModule () from libwidget_gtk.so
#5  0x40280ec3 in gtk_marshal_NONE__POINTER_INT_INT (object=0x878eaa8, 
    func=0x40c8cb6c <NSGetModule+161708>, func_data=0x0, args=0xbfffed04) at
gtkmarshal.c:375
#6  0x402b056a in gtk_handlers_run (handlers=0x82ea3f8, signal=0xbfffec94,
object=0x878eaa8, 
    params=0xbfffed04, after=0) at gtksignal.c:1917
#7  0x402af9bb in gtk_signal_real_emit (object=0x878eaa8, signal_id=40,
params=0xbfffed04)
    at gtksignal.c:1477
#8  0x402addbf in gtk_signal_emit_by_name (object=0x878eaa8, name=0x4030a41f
"selection_get")
    at gtksignal.c:618
#9  0x402acd54 in gtk_selection_invoke_handler (widget=0x878eaa8,
data=0xbffff034, time=2795849164)
    at gtkselection.c:1475
#10 0x402ac335 in gtk_selection_request (widget=0x878eaa8, event=0x81831d8) at
gtkselection.c:899
#11 0x40280c21 in gtk_marshal_BOOL__POINTER (object=0x878eaa8, func=0x402ac118
<gtk_selection_request>, 
    func_data=0x0, args=0xbffff124) at gtkmarshal.c:28
#12 0x402af9fb in gtk_signal_real_emit (object=0x878eaa8, signal_id=37,
params=0xbffff124)
    at gtksignal.c:1492
#13 0x402ada30 in gtk_signal_emit (object=0x878eaa8, signal_id=37) at
gtksignal.c:552
#14 0x402e4ee8 in gtk_widget_event (widget=0x878eaa8, event=0x81831d8) at
gtkwidget.c:2864
#15 0x4027fdf8 in gtk_main_do_event (event=0x81831d8) at gtkmain.c:834
#16 0x40c9213f in NSGetModule () from libwidget_gtk.so
#17 0x4033a16b in gdk_event_dispatch (source_data=0x0, current_time=0xbffff550,
user_data=0x0)
    at gdkevents.c:2139
#18 0x4036a055 in g_main_dispatch (dispatch_time=0xbffff550) at gmain.c:656
#19 0x4036a659 in g_main_iterate (block=1, dispatch=1) at gmain.c:877
#20 0x4036a7e8 in g_main_run (loop=0x817dba8) at gmain.c:935
#21 0x4027f65b in gtk_main () at gtkmain.c:524
#22 0x40c8a120 in NSGetModule () from libwidget_gtk.so
#23 0x406c0bea in NSGetModule () from libnsappshell.so
#24 0x0804ffa0 in main1 () at eval.c:41
#25 0x080507f5 in main () at eval.c:41
#26 0x404ab177 in __libc_start_main (main=0x80506c8 <main>, argc=1,
ubp_av=0xbffff7bc, 
    init=0x804b428 <_init>, fini=0x8052518 <_fini>, rtld_fini=0x4000e184
<_dl_fini>, stack_end=0xbffff7b4)
    at ../sysdeps/generic/libc-start.c:129

Comment 7

[mjudge]

i just gotta think this is copy. select all worked.  bumping to apps

Comment 8

[Peter Trudelle]

->bryner, critical/nsbeta1+

Comment 9

[Hixie (not reading bugmail)]

I managed to crash my entire X server doing this. (trying to copy the URI of the
query page for the bugs that appear in the 1.0 uber bug dependency chain)

Comment 10

[R.K.Aa.]

*** Bug 120239 has been marked as a duplicate of this bug. ***

Comment 11

[Jaime Rodriguez, Jr.]

Is this really a nsbeta1+, P2? If yes, then we need to try and targeted to a
mielstone M1.0 or earlier to make the beta.

Comment 12

[Brian Ryner (not reading)]

Attachment: patch

This fixes the problem.  The code wasn't taking into account the fact that the
transferable object stores the length in bytes, not in characters.

Pavlov, since you wrote this originally, can you r=?

Comment 13

[Brian Ryner (not reading)]

er, actually adding pavlov to cc

Pav, since you wrote this code, can you r=?

Comment 14

[Bradley Baetz (:bbaetz)]

Comment on attachment 65713 [details] [diff] [review]
patch

r=bbaetz

Comment 15

[Brian Ryner (not reading)]

going to shoot for 0.9.8 with this

Comment 16

[Johnny Stenback (:jst)]

Comment on attachment 65713 [details] [diff] [review]
patch

sr=jst

Comment 17

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

Comment on attachment 65713 [details] [diff] [review]
patch

a=dbaron for 0.9.8

Comment 18

[Brian Ryner (not reading)]

checked in.

Comment 19

[Terri Preston]

Verified Fixed linux build 2002012909

Comment 20

[Brian Ryner (not reading)]

*** Bug 117492 has been marked as a duplicate of this bug. ***