Crash in [@ ContextMenu_GetCommandStringVerb]
Categories
(Core :: Widget: Win32, defect, P3)
Tracking
()
People
(Reporter: gsvelto, Unassigned)
References
(Depends on 2 open bugs)
Details
(Keywords: crash, Whiteboard: [win:stability][tbird crash])
Crash Data
Crash report: https://crash-stats.mozilla.org/report/index/150049de-858a-4195-b460-c705a0211126
Reason: EXCEPTION_ACCESS_VIOLATION_READ
Top 10 frames of crashing thread:
0 explorerframe.dll long ContextMenu_GetCommandStringVerb
1 explorerframe.dll int64_t CNscTree::_OnContextMenu
2 explorerframe.dll CNscTree::_OnNotify
3 explorerframe.dll virtual int64_t CNscTree::v_WndProc
4 explorerframe.dll static int64_t CImpWndProc::s_WndProc
5 user32.dll int64_t UserCallWinProcCheckWow
6 user32.dll CallWindowProcW
7 comctl32.dll CallNextSubclassProc
8 comctl32.dll DefSubclassProc
9 explorerframe.dll virtual int64_t CNotifySubclassWndProc::_DefWindowProc
This crash seems to be happening on Windows when users try to create or rename a folder in the file picker dialog. Here's a few comments from the crashes:
I was renaming a folder when the crash happened
I opened an email in Gmail the mail item had a link to a website - i selected it the web page had an image on it I right clicked the image, selected "save as" windows explorer opeted I right clicked a folder, create new folder crash
right click on folder file browser dialog and select "Open in new window"
Trying to make a sub-folder.
I tried to create a new folder to download a file from Dropbox and it crashed immediately.
|
||
Updated•4 years ago
|
|
|
||
Updated•4 years ago
|
|
||
Comment 1•3 years ago
|
||
Per :toshi, this seems likely to be due to bugs in third-party DLLs that are being loaded by the file picker. If so, this would be greatly mitigated by bug 1677170.
|
||
Comment 2•3 years ago
|
||
This callstack occurs when a user clicks a context menu in the side bar of the dialog (the treeview showing Quick access, This PC, and etc.). In my environment, the crashing instruction fetches an instance of explorerframe!CContextMenuOnContextMenuArray regardless whether a menu item is hosted by a shell extension or not.
The crash happened because the address that is expected to hold CContextMenuOnContextMenuArray was null. This instance is created in the beginning of explorerframe!CNscTree::_OnContextMenu when a context menu is shown, and freed at the end of explorerframe!CNscTree::_OnContextMenu when the context menu is closed. Having null there means somehow the process fails to allocate memory, or there might be a codepath to reset it after it's set. Anyway, I don't think this is a bug on Firefox side.
|
|
||
Comment 3•3 years ago
|
||
Marking this as blocked by bug 1677170 and adjusting severity to match the severity of bug 1677170.
|
|
||
Updated•3 years ago
|
|
||
Comment 4•3 years ago
|
||
About half the crashes are Thunderbird bp-5ba6e0c8-3e81-4838-afc7-4e3400230112
|
|
||
Comment 5•2 years ago
|
||
bp-8d38cd50-6023-43a1-85ca-f2c7b0230830 "Crashed whilst trying to save an attachment in a new folder in an existing directory. Crash happened on attempt at creating the new folder." According to modules list, user has winzip installed
|
|
||
Comment 6•10 months ago
|
||
All crashes since Fx130 have resulted from save dialogs occurring when trying to print, which are unfortunately still opened in the parent process. Migrating those out is bug 1799458.
Description
•