Closed
Bug 258121
Opened 20 years ago
Closed 20 years ago
Crash when right-clicking on image replaced with alt text multiple times
Product/Component: Core :: XPConnect (defect)
Status: RESOLVED FIXED
Target Milestone: mozilla1.8alpha4
Reporter: sharparrow1
Assignee: bzbarsky
Keywords: crash, testcase
Attachments: 1 file (patch, 923 bytes; peterv: review+, peterv: superreview+)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a3) Gecko/20040829
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a3) Gecko/20040829

Encountered by accident after coming to a page with broken images; crash on right clicking image multiple times in a row.

Reproducible: Always

Steps to Reproduce:
1. Open URL
2. Right click on alt text for image
3. Click Copy Image Location or Properties
4. Right click on image

Actual Results: Crash.

Expected Results: Show right click menu, no crash.

Talkback ID 735796. May be regression (no crash on old FF build I use).
Comment 1 • 20 years ago (Assignee)
The stack from that talkback ID doesn't seem to have symbols:

xpcom.dll + 0x3da3d (0x610ada3d)
xpcom.dll + 0x3daba (0x610adaba)
xpc3250.dll + 0x1112a (0x60c6112a)
xpc3250.dll + 0x6fdf (0x60c56fdf)
xpc3250.dll + 0x665e (0x60c5665e)
xpc3250.dll + 0x12da0 (0x60c62da0)
xpc3250.dll + 0x1622c (0x60c6622c)
js3250.dll + 0x1c20b (0x60d6c20b)
etc.
Keywords: qawanted
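The unsymbolized Talkback frames in comment 1 can still be sanity-checked before symbols are available. This added example (not part of the original bug report or of Mozilla's tooling) parses the eight frames shown there, derives each module's load base as absolute address minus offset, and collapses the frames into a module-level call chain; the function names are hypothetical.

```python
import re

# Frames copied from comment 1; the report truncates the rest with "etc."
TALKBACK_STACK = """\
xpcom.dll + 0x3da3d (0x610ada3d)
xpcom.dll + 0x3daba (0x610adaba)
xpc3250.dll + 0x1112a (0x60c6112a)
xpc3250.dll + 0x6fdf (0x60c56fdf)
xpc3250.dll + 0x665e (0x60c5665e)
xpc3250.dll + 0x12da0 (0x60c62da0)
xpc3250.dll + 0x1622c (0x60c6622c)
js3250.dll + 0x1c20b (0x60d6c20b)
"""

FRAME_RE = re.compile(
    r"^(?P<module>\S+)\s*\+\s*0x(?P<offset>[0-9a-fA-F]+)"
    r"\s*\(0x(?P<addr>[0-9a-fA-F]+)\)$"
)

def parse_frames(text):
    """Return (module, offset, absolute_address) tuples, innermost frame first."""
    frames = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = FRAME_RE.match(line)
        if m is None:
            raise ValueError(f"not a module+offset frame: {line!r}")
        frames.append((m["module"], int(m["offset"], 16), int(m["addr"], 16)))
    return frames

def module_bases(frames):
    """Map module -> load base; a frame that disagrees signals a corrupt report."""
    bases = {}
    for module, offset, addr in frames:
        base = addr - offset
        if bases.setdefault(module, base) != base:
            raise ValueError(f"{module}: frame 0x{addr:x} implies base 0x{base:x}")
    return bases

def call_chain(frames):
    """Collapse consecutive frames from the same module into one entry."""
    chain = []
    for module, _, _ in frames:
        if not chain or chain[-1] != module:
            chain.append(module)
    return chain

if __name__ == "__main__":
    for module, base in module_bases(parse_frames(TALKBACK_STACK)).items():
        print(f"{module:12s} load base 0x{base:08x}")
```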
Comment 2 • 20 years ago
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8a3) Gecko/20040904 crashed three times, but talkback can't connect to the server, will retry tomorrow.

Settings: Accept all images

1st try: clicked, context menu open, clicked, contextmenu hidden, clicked fast three more times, crash was clicking relatively fast.
2nd try: clicked slowly, about ten times, on the link and at other places, no crash. Double-click on the image, crash.
3rd try: click image, wait, click again, crash.
Comment 3 • 20 years ago (Assignee)
I see this with a current trunk debug build... Crash stack:

#0 0x080804cc in nsQueryInterface::operator()(nsID const&, void**) const (this=0xbfffa06c, aIID=@0x40b213b4, answer=0xbfffa064) at nsCOMPtr.cpp:47
#1 0x08080658 in nsCOMPtr_base::assign_from_qi(nsQueryInterface, nsID const&) (this=0xbfffa150, qi={mRawPtr = 0x880b368}, iid=@0x40b213b4) at nsCOMPtr.cpp:96
#2 0x40b0c395 in nsCOMPtr<nsISupports>::operator=(nsQueryInterface) (this=0xbfffa150, rhs={mRawPtr = 0x880b368}) at nsCOMPtr.h:879
#3 0x40b04c4e in XPCWrappedNative::GetNewOrUsed(XPCCallContext&, nsISupports*, XPCWrappedNativeScope*, XPCNativeInterface*, XPCWrappedNative**) (ccx=@0xbfffa5a0, Object=0x880b368, Scope=0x86ffde8, Interface=0x87dd3b8, resultWrapper=0xbfffa1bc) at /home/bzbarsky/mozilla/xlib/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:229
#4 0x40ae538c in XPCConvert::NativeInterface2JSObject(XPCCallContext&, nsIXPConnectJSObjectHolder**, nsISupports*, nsID const*, JSObject*, unsigned*) (ccx=@0xbfffa5a0, dest=0xbfffa280, src=0x880b368, iid=0xbfffa3c0, scope=0x850eac8, pErr=0xbfffa3bc) at /home/bzbarsky/mozilla/xlib/mozilla/js/src/xpconnect/src/xpcconvert.cpp:1056
#5 0x40ae41bd in XPCConvert::NativeData2JS(XPCCallContext&, long*, void const*, nsXPTType const&, nsID const*, JSObject*, unsigned*) (ccx=@0xbfffa5a0, d=0xbfffa374, s=0xbfffa4a0, type=@0xbfffa356, iid=0xbfffa3c0, scope=0x850eac8, pErr=0xbfffa3bc) at /home/bzbarsky/mozilla/xlib/mozilla/js/src/xpconnect/src/xpcconvert.cpp:462
#6 0x40b0a35c in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) (ccx=@0xbfffa5a0, mode=CALL_GETTER) at /home/bzbarsky/mozilla/xlib/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:2115

(gdb) frame 0
#0 0x080804cc in nsQueryInterface::operator()(nsID const&, void**) const (this=0xbfffa06c, aIID=@0x40b213b4, answer=0xbfffa064) at nsCOMPtr.cpp:47
47 status = mRawPtr->QueryInterface(aIID, answer);
(gdb) p *mRawPtr
$3 = {_vptr.nsISupports = 0x0}

So calling through mRawPtr crashes... looks like it's a bogus pointer or something. dbradley, jst, shaver, any idea what's up here?
Assignee: jdunn → dbradley
Status: UNCONFIRMED → NEW
Component: Layout: Images → XPConnect
Ever confirmed: true
Keywords: qawanted
OS: Windows XP → All
QA Contact: core.layout.images → pschwartau
Hardware: PC → All
Comment 4 • 20 years ago
This was an out parameter that went bad. XPConnect was converting the out parameters after making a call to a native function. Unfortunately nothing in the stack to give any real specifics of the players.
Comment 5 • 20 years ago (Assignee)
Setting more minimal testcase. Old testcase was data:text/html,<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN"><html><title>Testcase</title><table><tr><td><a href="XXX"><img src="fake:" alt="Right Click Here"></a></table>
Comment 6 • 20 years ago (Assignee)
This regressed between 2004-06-05-07 and 2004-06-06-08. Chances are, it's bug 196380. The full list of checkins for that period: http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2004-06-05+07%3A00%3A00&maxdate=2004-06-06+08%3A00%3A00&cvsroot=%2Fcvsroot
Comment 7 • 20 years ago (Assignee)
This fixes it...
Updated • 20 years ago (Assignee)
Assignee: dbradley → bzbarsky
Status: NEW → ASSIGNED
Comment 8 • 20 years ago (Assignee)
The patch fixes bug 247712 too.
Updated • 20 years ago
Attachment #158874 - Flags: superreview+
Attachment #158874 - Flags: review+
Comment 9 • 20 years ago (Assignee)
Fixed on trunk.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.8alpha4
Comment 10 • 20 years ago
Reversing the patch fixes bug #260212