Closed Bug 233211 Opened 21 years ago Closed 21 years ago

Dragging favicon from Location Bar to Personal Toolbar crashes Mozilla at dropping

Categories

(Core :: XUL, defect)

Product:
Core
Component:
XUL
Platform:
x86
Windows 98
Type:
defect
Priority:
Not set
Severity:
blocker

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: hhschwab, Assigned: jag+mozilla)

References

Details

(Keywords: crash, regression) 

User-Agent:       
Build Identifier: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7a) Gecko/20040205

regression: BuildID 2004020311 ok, BuildID 2004020317 regressed.

I noticed this behaviour in later mozillas, and then went back, to see it
reproducible in BuildID 2004020317, not in the build before.

Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7a) Gecko/20040205
Thought this to be working, when I could drag&drop a favicon, but crashed next
time doing this.
DocWatson came up, telling me OLE32.DLL tried to use a null ptr

Reproducible: Sometimes
Steps to Reproduce:
1.Drag a favicon to from Loaction Bar to Personal Toolbar
2.Drop it => crash,
3. or open folder in Personal Toolbar, try to drop it there => crash

Actual Results:  
BuildID 2003020317 installed from zip: instant crash, reproduced three times.
later BuildIDs, installed from zip: same as before, tried once
BuildID 2003020311, installed from full installer (exe): no crash seen

BuildID 2004020508, installed from exe: first try o.k., second try crashed.
crashed, when I wanted to drag the favicon of this bug into one of my bug
folders in the P.T.
I the filed it with the mouse using Bookmarks->File Bookmark, and this was
working. I filed it in a folder in the folder, because I didn´t want it to be at
the end of the huge list. Thought I could move it from that folder to a place in
the parent folder, but when I tried this, it crashed, at drop, and the bookmark
was lost, Doc Watson came up.
Keywords: regression
both Firebird and Mozilla crashing:
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7a) Gecko/20040205 Firebird/0.7+
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7a) Gecko/20040205

latest Firebird-0.8 seems not to crash.
Flags: blocking1.7a?
Keywords: crash
WFM on Win2k with cvs build from Feb 5th.
This bug also crashes Moz (2004020708 win32 build on win98se) when dragging
favicon to a *subfolder* of the bookmarks folder on the toolbar.  I can
successfully drag into the bookmarks folder without crashing, but if I hover
over a bookmarks subfolder, wait for it to open and then drop the link into
place in a subfolder, Moz crashes on drop, every time.

More info:

MOZILLA caused an invalid page fault in
module <unknown> at 0000:00000013.
Registers:
EAX=000003a0 CS=0167 EIP=00000013 EFLGS=00010a86
EBX=04090c6c SS=016f ESP=0066e88c EBP=0066e8d0
ECX=04096270 DS=016f ESI=0066e8dc FS=565f
EDX=00000000 ES=016f EDI=00000000 GS=0000
Bytes at CS:EIP:
00 54 ff 00 f0 d1 9d 00 f0 53 ff 00 f0 00 00 67 
Stack dump:
65f57ba4 04096270 00000000 00000000 04091af0 00000000 00000001 000001a0 00000001
00000330 00000200 00000000 00000001 00fb8bd6 000002e6 000000f5 
crash on BuildID 2004020713
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7a) Gecko/20040207

I tested multiple builds from mozilla.org tinderbox and nightlies, and all were
crashing, starting with build 2004020317.
The crashes always triggered DocWatson, but I didn´t see a system where the
builds were crashing. Tested on Win98SE and Win98 SP1, very different hardware.
I still can not crash with the steps given using a debug build pulled yesterday
on Win2k.
However, when I drag the icon to the window of a different application (and
_only_ then, but not every application works: a different Mozilla instance (not
window) or the text editor EditPad e.g. make it crash) it crashes and gives me
the following stack. But I'm not sure if it's the same crash...

Before that crash the assertion in nsCOMPtr.h(?!), line 670 is hit: "You can't
dereference a NULL nsCOMPtr with operator ->()".

nsNativeDragTarget::ProcessDrag(IDataObject * 0x00000000, unsigned int
0x00000579, unsigned long 0x00000001, _POINTL {...}, unsigned long * 0x0012d8e4)
line 224 + 18 bytes
nsNativeDragTarget::DragOver(nsNativeDragTarget * const 0x030b40d8, unsigned
long 0x00000001, _POINTL {...}, unsigned long * 0x0012d8e4) line 290
OLE32! 77b03590()
OLE32! 77b03720()
OLE32! 77acae2e()
OLE32! 77aca9db()
nsDragService::StartInvokingDragSession(nsDragService * const 0x029454d0,
IDataObject * 0x03a626f8, unsigned int 0x00000007) line 165 + 25 bytes
nsDragService::InvokeDragSession(nsDragService * const 0x029454d0, nsIDOMNode *
0x031efd2c, nsISupportsArray * 0x03d30dd8, nsIScriptableRegion * 0x00000000,
unsigned int 0x00000007) line 133 + 25 bytes
XPTC_InvokeByIndex(nsISupports * 0x029454d0, unsigned int 0x00000003, unsigned
int 0x00000004, nsXPTCVariant * 0x0012db0c) line 102
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode
CALL_METHOD) line 2022 + 42 bytes
XPC_WN_CallMethod(JSContext * 0x012f09a0, JSObject * 0x03869498, unsigned int
0x00000004, long * 0x0485b814, long * 0x0012dddc) line 1272 + 14 bytes
js_Invoke(JSContext * 0x012f09a0, unsigned int 0x00000004, unsigned int
0x00000000) line 941 + 23 bytes
js_Interpret(JSContext * 0x012f09a0, long * 0x0012e710) line 2962 + 15 bytes
js_Invoke(JSContext * 0x012f09a0, unsigned int 0x00000001, unsigned int
0x00000002) line 958 + 13 bytes
js_InternalInvoke(JSContext * 0x012f09a0, JSObject * 0x036cd0e8, long
0x036cd088, unsigned int 0x00000000, unsigned int 0x00000001, long * 0x0012e958,
long * 0x0012e834) line 1035 + 20 bytes
JS_CallFunctionValue(JSContext * 0x012f09a0, JSObject * 0x036cd0e8, long
0x036cd088, unsigned int 0x00000001, long * 0x0012e958, long * 0x0012e834) line
3579 + 31 bytes
nsJSContext::CallEventHandler(nsJSContext * const 0x02a1abf0, void * 0x036cd0e8,
void * 0x036cd088, unsigned int 0x00000001, void * 0x0012e958, int * 0x0012e95c)
line 1259 + 33 bytes
nsJSEventListener::HandleEvent(nsJSEventListener * const 0x031efde0, nsIDOMEvent
* 0x047c7e98) line 178 + 69 bytes
nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x031efea0,
nsIDOMEvent * 0x047c7e98, nsIDOMEventTarget * 0x04859110, unsigned int
0x00000010, unsigned int 0x00000007) line 1420 + 20 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x031efd88,
nsIPresContext * 0x0292ac60, nsEvent * 0x0012f024, nsIDOMEvent * * 0x0012efd8,
nsIDOMEventTarget * 0x04859110, unsigned int 0x00000007, nsEventStatus *
0x0012f078) line 1513 + 56 bytes
nsXULElement::HandleDOMEvent(nsIPresContext * 0x0292ac60, nsEvent * 0x0012f024,
nsIDOMEvent * * 0x0012efd8, unsigned int 0x00000007, nsEventStatus * 0x0012f078)
line 2915
nsEventStateManager::GenerateDragGesture(nsIPresContext * 0x0292ac60, nsGUIEvent
* 0x0012f774) line 1465
nsEventStateManager::PreHandleEvent(nsEventStateManager * const 0x033ad638,
nsIPresContext * 0x0292ac60, nsEvent * 0x0012f774, nsIFrame * 0x0376c648,
nsEventStatus * 0x0012f570, nsIView * 0x037675d0) line 432
PresShell::HandleEventInternal(nsEvent * 0x0012f774, nsIView * 0x037675d0,
unsigned int 0x00000001, nsEventStatus * 0x0012f570) line 6092 + 49 bytes
PresShell::HandleEvent(PresShell * const 0x030f4dfc, nsIView * 0x037675d0,
nsGUIEvent * 0x0012f774, nsEventStatus * 0x0012f570, int 0x00000001, int &
0x00000001) line 5983 + 25 bytes
nsViewManager::HandleEvent(nsView * 0x037675d0, nsGUIEvent * 0x0012f774, int
0x00000001) line 2271
nsViewManager::DispatchEvent(nsViewManager * const 0x030b3d38, nsGUIEvent *
0x0012f774, nsEventStatus * 0x0012f668) line 2010 + 20 bytes
HandleEvent(nsGUIEvent * 0x0012f774) line 79
nsWindow::DispatchEvent(nsWindow * const 0x0376766c, nsGUIEvent * 0x0012f774,
nsEventStatus & nsEventStatus_eIgnore) line 1048 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f774) line 1069
nsWindow::DispatchMouseEvent(unsigned int 0x0000012c, unsigned int 0x00000001,
nsPoint * 0x00000000) line 5191 + 21 bytes
ChildWindow::DispatchMouseEvent(unsigned int 0x0000012c, unsigned int
0x00000001, nsPoint * 0x00000000) line 5446
nsWindow::ProcessMessage(unsigned int 0x00000200, unsigned int 0x00000001, long
0x000c0005, long * 0x0012fc30) line 3965 + 28 bytes
nsWindow::WindowProc(HWND__ * 0x0002031e, unsigned int 0x00000200, unsigned int
0x00000001, long 0x000c0005) line 1330 + 27 bytes
USER32! 77e2a2b8()
USER32! 77e045b1()
USER32! 77e0a752()
nsAppShellService::Run(nsAppShellService * const 0x012fbb98) line 484
main1(int 0x00000001, char * * 0x00262638, nsISupports * 0x012ce038) line 1291 +
32 bytes
main(int 0x00000001, char * * 0x00262638) line 1678 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e9847c()

still crashing, Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7a) Gecko/20040208

simple steps to repeat:
1. start mozilla
2. type about: into the location bar, or open Help->About Mozilla
3. when the page has loaded, drag the icon to the content area,
 don´t drop, but additionally right-click -> instant crash.
(In reply to comment #8)
> 1. start mozilla
> 2. type about: into the location bar, or open Help->About Mozilla
> 3. when the page has loaded, drag the icon to the content area,
>  don´t drop, but additionally right-click -> instant crash.

Doesn't crash
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7a) Gecko/20040208
(cvs debug build)

Can you try to find somebody to test it on non-Win98? Becase so far it only
crashed there...
to summarize:
It is crashing on Win98, Celeron 333 with 96 MB RAM, 8 MB Sis6326 VGA-card.
It is crashing on Win98SE, Athlon XP1600+ with 512 MB RAM, nForce integrated
grafics.
Last working version:  BuildID 2004020311 
First failing version: BuildID 2004020317

so it must be caused by one of these check-ins:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=SeaMonkeyAll&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=02%2F03%2F2004+11%3A00&maxdate=02%2F03%2F2004+17%3A00&cvsroot=%2Fcvsroot

I don´t want to drop bookmarks somewhere, I want to drag them into folders in
folders at places where I want them, not autmatically added somewhere.
So this type of crash makes Mozilla unusable for me, I´ve got to reinstall
2004020311 after testing the nightly, or switch to linux, someday.

Andreas, is your crash reproducable?
Can you see it if you install a nightly from BuildID 2004020311 ?
http://ftp.mozilla.org/pub/mozilla.org/mozilla/nightly/2004-02-03-11-trunk/
Dragging "Personal Toolbar Folder", "Bookmark Toolbar Folder" item left or right
to desktop causes crash. Dragging through the toolbar is required to reproduce.
I can confirm this bug on WinXP Mozilla-trunk and Firebird-trunk.
(In reply to comment #10)
> to summarize:
> It is crashing on Win98, Celeron 333 with 96 MB RAM, 8 MB Sis6326 VGA-card.
> It is crashing on Win98SE, Athlon XP1600+ with 512 MB RAM, nForce integrated
> grafics.

On Win2k, Athlon 2600+, GeForce4, 512 MB it does *only* (but reliably) crash
when you drag the icon to certain places (e.g. an EditPad window), not to
anywhere in Mozilla.

> Last working version:  BuildID 2004020311 
> First failing version: BuildID 2004020317

I can sort of confirm this: 2004020318 crashes (my way),
mozilla-win32-svg-libart-mathml 2004020309 does not crash.

> Can you see it if you install a nightly from BuildID 2004020311 ?
> http://ftp.mozilla.org/pub/mozilla.org/mozilla/nightly/2004-02-03-11-trunk/

Nope, won't use an installer these days. But see above. I'll try to do one or
more CVS builds from within this timeframe to narrow it down.

dbaron:
I see you already cc'd yourself, so I do not need to do so after finding that
bug 20022 causes this to happen. 
I rebuilt Mozilla several times with/without the fixes in question and found
that backing out the following patch (plus the bustage fix afterwards) makes
this not happen:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=SeaMonkeyAll&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=02%2F03%2F2004+16%3A10&maxdate=02%2F03%2F2004+16%3A12&cvsroot=%2Fcvsroot

When applying/removing that patch, it did not apply cleanly, maybe this could
point to a problem, maybe not.
Confirming crash with Moz 1.7a build 2004020808 (exe-Installer) on Win NT 4.0.

Reproducible: Always
Steps to Reproduce:
1. Drag a favicon or the selected URL from the Location Bar to the Personal Toolbar
2. Drop it => crash
requesting blocker status for 1.7a.
This bug will clearly block testing of Mozilla 1.7a using Win98/WinNT.

This bug makes Mozilla and Firefox Nightlies unusable with Win9x and WinNT,
according to google there are still 27% using Win98 and 3% using WinNT.
Seems to be in a milder form in Win2000, thats another 19%, 
for a total of 49% of google users using the above mentioned OS.
Win98 users have to switch the OS on buying a new computer, but they don´t have
to switch the browser, if it´s Mozilla.
http://www.google.com/press/zeitgeist_nov03.html

Regression timeframe 6 hours was specified in comment 3, 
checkin for bug 20022 was found causing this bug in comment 14.

Though 1.7a is alpha, I don´t want to tell friends, don´t use it, it is crashing
when you bookmark.
Severity: critical → blocker
*** Bug 233677 has been marked as a duplicate of this bug. ***
As I wrote in my bug (didn't find this one here, is Component "XP
Toolkit/Widgets" really the right one?) I see this crash on Win98SE too. But not
if I drag the URL to Mozillas separate Bookmark Window.

In the meantime I reproduced the crash on a different Win98SE and another Win95
machine. While testing it on Win2k it didn't crash (only tried dragging within
the same window). But when dragging the URL to somewhere in the bookmark tree or
a subfolder on the Personal Toolbar (not the PT toplevel) it always created the
bookmark 2 times.
To reproduce on WinXP SP1: Start dragging an item from the personal toolbar,
drag it back and forth on the personal toolbar and finally drag and drop it to
the desktop. Repeat if it didn't crash. 
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7a) Gecko/20040210 Firebird/0.8.0+
Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.7a) Gecko/20040210 Firebird/0.8.0+

This seems to affect dragging in general. Anything seems far easier to reproduce
while pages are loading (or shortly thereafter). Additional ways to trigger this
include:
Customizing the Toolbar
Dragging text from urlbar to search-bar (hard to do)
Dragging tabs with TBE/miniT (but happens more often with miniT).
plussing until we know more.  having a hard time reproducing on several systems.
Flags: blocking1.7a? → blocking1.7a+
I was checking to see if I could make it fail gracefully in the case described
in comment #7, but it seems to be crashing in random places, if
DispatchDragDropEvent(aEventType, pt);
is there in nsNativeDragTarget::ProcessDrag. If that line is commented out, it
doesn't crash (or work, obviously). 
wfm Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7a) Gecko/20040214
BuildID 2004021413

The backout in Bug 20022 Comment 88 seems to have fixed this for me.
WFM now with Moz 1.7a build 2004021508 (exe-Installer) on Win NT 4.0. Steps like
in comment 15. Thanks!
Marking fixed, but leaving dependency so I can track it before relanding bug 20022.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
I relanded bug 20022.  I did fix a number of other bugs that could have fixed
this.  I tried to reproduce the bug and was unable to, but that doesn't mean
it's fixed in the relanding.  Please let me know if you see this again.
You need to log in before you can comment on or make changes to this bug.