Closed Bug 288006 Opened 20 years ago Closed 20 years ago

Drag image across browser windows --> crash [@ msvcrt.dll + 0x378c0 (0x77c378c0) 517abc0f]

Categories: Core :: DOM: Copy & Paste and Drag & Drop
Type: defect
Platform: x86, Windows XP
Priority: Not set
Severity: critical
Status: VERIFIED FIXED
People: Reporter: bobchao, Assigned: jst
Details: 5 keywords, Whiteboard: aviary-only
Attachments: 3 files, 1 obsolete file
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-TW; rv:1.7.6) Gecko/20050318 Firefox/1.0.2 (ax)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-TW; rv:1.7.6) Gecko/20050318 Firefox/1.0.2 (ax)
Always reproducible in:
* [release] Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2
* [release] Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-TW; rv:1.7.6) Gecko/20050318 Firefox/1.0.2 (ax)
* [nightly] Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-TW; rv:1.7.6) Gecko/20050327 Firefox/1.0.2
see reproducing steps.
Reproducible: Always
Steps to Reproduce:
1. press ctrl-N to open another browser window.
2. open an image (say, http://www.mozilla.org/images/t_firefox.gif) in first browser window.
3. drag the image into the new browser window
Actual Results: Firefox crashed
Expected Results: open the image without crash
Talkback: TB4650038Q
note: Is the bug related to bug 44254, bug 287962 or bug 281431?
WFM on trunk here Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050327 Firefox/1.0+
I can reproduce this crash with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050328 Firefox/1.0.2 Talkback ID: TB4656657W
Incident ID: 4656657
Stack Signature msvcrt.dll + 0x378c0 (0x77c378c0) 517abc0f
Product ID Firefox10
Build ID 2005032722
Trigger Time 2005-03-28 05:27:58.0
Platform Win32
Operating System Windows NT 5.1 build 2600
Module msvcrt.dll + (000378c0)
URL visited
User Comments
Since Last Crash 24 sec
Total Uptime 24 sec
Trigger Reason Access violation
Source File, Line No. N/A
Stack Trace
msvcrt.dll + 0x378c0 (0x77c378c0)
XPTC_InvokeByIndex [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp, line 102]
XPCWrappedNative::CallMethod [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2034]
XPC_WN_CallMethod [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1287]
js_Invoke [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 949]
js_Interpret [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 2993]
js_Invoke [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 966]
js_InternalInvoke [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 1043]
JS_CallFunctionValue [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsapi.c, line 3698]
nsJSContext::CallEventHandler [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1297]
nsJSEventListener::HandleEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/dom/src/events/nsJSEventListener.cpp, line 184]
nsEventListenerManager::HandleEventSubType [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1436]
nsEventListenerManager::HandleEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1516]
nsXULElement::HandleDOMEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2841]
nsXULElement::HandleDOMEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2860]
nsXULElement::HandleDOMEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2860]
nsXULElement::HandleDOMEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2860]
nsXULElement::HandleDOMEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2860]
nsXULElement::HandleChromeEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 3988]
GlobalWindowImpl::HandleDOMEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 954]
nsDocument::HandleDOMEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/base/src/nsDocument.cpp, line 3753]
nsGenericElement::HandleDOMEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 1999]
PresShell::HandleEventInternal [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/layout/html/base/src/nsPresShell.cpp, line 6059]
PresShell::HandleEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/layout/html/base/src/nsPresShell.cpp, line 5921]
nsViewManager::HandleEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/view/src/nsViewManager.cpp, line 2326]
nsViewManager::DispatchEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/view/src/nsViewManager.cpp, line 2066]
HandleEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/view/src/nsView.cpp, line 77]
nsWindow::DispatchEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1067]
nsNativeDragTarget::ProcessDrag [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/widget/src/windows/nsNativeDragTarget.cpp, line 234]
nsNativeDragTarget::Drop [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/widget/src/windows/nsNativeDragTarget.cpp, line 350]
ole32.dll + 0x118e86 (0x775e8e86)
ole32.dll + 0x1190c8 (0x775e90c8)
ole32.dll + 0xefc98 (0x775bfc98)
ole32.dll + 0xefb20 (0x775bfb20)
nsDragService::StartInvokingDragSession [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/widget/src/windows/nsDragService.cpp, line 168]
nsDragService::InvokeDragSession [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/widget/src/windows/nsDragService.cpp, line 133]
nsContentAreaDragDrop::DragGesture [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/base/src/nsContentAreaDragDrop.cpp, line 703]
DispatchToInterface [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 127]
nsEventListenerManager::HandleEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1524]
nsXULElement::HandleDOMEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2841]
nsXULElement::HandleChromeEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 3988]
GlobalWindowImpl::HandleDOMEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 954]
nsDocument::HandleDOMEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/base/src/nsDocument.cpp, line 3753]
nsGenericElement::HandleDOMEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 1999]
nsGenericElement::HandleDOMEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 1993]
nsGenericElement::HandleDOMEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 1993]
nsHTMLImageElement::HandleDOMEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/html/content/src/nsHTMLImageElement.cpp, line 579]
nsEventStateManager::GenerateDragGesture [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/events/src/nsEventStateManager.cpp, line 1484]
nsEventStateManager::PreHandleEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/events/src/nsEventStateManager.cpp, line 443]
PresShell::HandleEventInternal [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/layout/html/base/src/nsPresShell.cpp, line 6056]
PresShell::HandleEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/layout/html/base/src/nsPresShell.cpp, line 5921]
nsViewManager::HandleEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/view/src/nsViewManager.cpp, line 2326]
nsViewManager::DispatchEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/view/src/nsViewManager.cpp, line 2066]
HandleEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/view/src/nsView.cpp, line 77]
nsWindow::DispatchEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1067]
nsWindow::DispatchMouseEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 5261]
ChildWindow::DispatchMouseEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 5511]
nsWindow::WindowProc [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1349]
USER32.dll + 0x8709 (0x77d38709)
USER32.dll + 0x87eb (0x77d387eb)
USER32.dll + 0x89a5 (0x77d389a5)
USER32.dll + 0x89e8 (0x77d389e8)
nsAppShell::Run [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/widget/src/windows/nsAppShell.cpp, line 159]
nsAppShellService::Run [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/xpfe/appshell/src/nsAppShellService.cpp, line 495]
Severity: normal → critical
Keywords: crash
Summary: Drag image across browser windows --> crash → Drag image across browser windows --> crash [@ msvcrt.dll + 0x378c0 (0x77c378c0) 517abc0f]
Attached patch: Fix.
The problem here is that the new dragDropSecurityCheck() method assumes (and correctly so IMO) that the source document has a non-null documentURI property. And it would, if ImageDocuments would tell xpconnect that they implement nsIDOM3Document. This patch fixes that, and also makes checkLoadURIStr() not crash if ever given a null source URI string.
Assignee: nobody → jst
Status: UNCONFIRMED → ASSIGNED
Attachment #178880 - Flags: superreview?(bzbarsky)
Attachment #178880 - Flags: review?(bzbarsky)
Flags: blocking1.7.7?
Flags: blocking-aviary1.0.3?
Comment on attachment 178880
Fix.
Add a null-check for aTargetURIStr too, ok? And land the security manager part on trunk?
Attachment #178880 - Flags: superreview?(bzbarsky)
Attachment #178880 - Flags: superreview+
Attachment #178880 - Flags: review?(bzbarsky)
Attachment #178880 - Flags: review+
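The null handling discussed in the two comments above (a null source URI string in the patch description, a null target URI string in the review), as an added sketch that is not Mozilla's code: `CheckLoadURIStrModel`, `DropAllowed`, the result enum and the scheme policy are hypothetical stand-ins for the caps check. Both pointers are validated before any string routine can dereference them, so a document without a URI has its drop refused instead of crashing the process.

```cpp
// Added illustration; every name here is a hypothetical stand-in,
// not code from the Mozilla tree.
#include <string>

enum CheckResult { kAllow, kDeny, kInvalidArg };

// Return the scheme ("http", "file", ...) of a URI string; empty if none.
static std::string SchemeOf(const std::string& uri) {
    std::string::size_type colon = uri.find(':');
    return colon == std::string::npos ? std::string() : uri.substr(0, colon);
}

// Assumed policy for this sketch: these schemes are treated as privileged.
static bool IsPrivilegedScheme(const std::string& scheme) {
    return scheme == "chrome" || scheme == "file" || scheme == "resource";
}

// Hardened check: reject null pointers first. Without this guard a null
// argument would be handed straight to string construction.
CheckResult CheckLoadURIStrModel(const char* sourceURI, const char* targetURI) {
    if (!sourceURI || !targetURI)
        return kInvalidArg;          // fail closed: no URI, no load
    std::string src = SchemeOf(sourceURI);
    std::string dst = SchemeOf(targetURI);
    if (src.empty() || dst.empty())
        return kDeny;                // not a URI we can reason about
    if (IsPrivilegedScheme(dst) && !IsPrivilegedScheme(src))
        return kDeny;                // unprivileged source, privileged target
    return kAllow;
}

// Caller modelled on the drop path: a source document that does not expose
// a document URI shows up here as a null pointer.
bool DropAllowed(const char* sourceDocURI, const char* droppedURL) {
    return CheckLoadURIStrModel(sourceDocURI, droppedURL) == kAllow;
}
```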
Comment on attachment 178880
Fix.
I wonder if a DOM_CLASSINFO_GENERIC_DOCUMENT_MAP_ENTRIES macro would make sense.
Blocks: 287897
Attached patch: Same thing for the 1.0.1 branch (obsolete)
Turns out that this is aviary only, at least the crash part is. On the trunk, the caps code is passed a string reference, so no need for null checks there, and I already landed peterv's proposed cleanup (added a macro) on the trunk too. This should go in for 1.0.3 whenever that goes out...
Comment on attachment 178961
Same thing for the 1.0.1 branch
Pushing this onto our radar for possible inclusion.
Attachment #178961 - Flags: superreview?(dveditz)
Attachment #178961 - Flags: review?(bzbarsky)
Attachment #178961 - Flags: approval1.7.7?
Attachment #178961 - Flags: approval-aviary1.0.3?
Attachment #178961 - Flags: review?(bzbarsky) → review+
This is the same as the above patch, but w/o the nsDOMClassInfo changes just to keep the regression risk at 0.
Attachment #179603 - Flags: superreview+
Attachment #179603 - Flags: review+
Attachment #179603 - Flags: approval-aviary1.0.3?
Comment on attachment 178961
Same thing for the 1.0.1 branch
We don't want to rush the iface changes, just stop the crash. (these will come back as a new patch, minus the null check in attachment 179603)
Attachment #178961 - Attachment is obsolete: true
Attachment #178961 - Flags: superreview?(dveditz)
Attachment #178961 - Flags: superreview+
Attachment #178961 - Flags: approval1.7.7?
Attachment #178961 - Flags: approval1.7.7-
Attachment #178961 - Flags: approval-aviary1.0.3?
Attachment #178961 - Flags: approval-aviary1.0.3-
Attachment #179605 - Flags: superreview+
Attachment #179605 - Flags: review+
Attachment #179605 - Flags: approval1.7.8?
Attachment #179605 - Flags: approval-aviary1.0.4?
Comment on attachment 179603
Caps only change for last-minute inclusion for 1.0.3
a=dveditz for 1.7.7 and aviary1.0.3 branches to stop the crash. Drop remains broken after this patch, but doesn't crash.
Attachment #179603 - Flags: approval1.7.7+
Attachment #179603 - Flags: approval-aviary1.0.3?
Attachment #179603 - Flags: approval-aviary1.0.3+
The crash fix is blocking 1.7.7 and aviary 1.0.3; nominating 1.0.4 and 1.7.8 for the nsDOMClassInfo fix to make dropping images work again.
Flags: blocking1.7.8?
Flags: blocking1.7.7?
Flags: blocking1.7.7+
Flags: blocking-aviary1.0.4?
Flags: blocking-aviary1.0.3?
Flags: blocking-aviary1.0.3+
I just landed attachment 179603 on the aviary and 1.7 branches on jst's behalf per his request.
verified fixed using 2005040417-1.0.3 (linux, mac) and 2005040416-1.0.3 (windows) bits. tested using the case in comment 0, keeping in mind that the dropped image won't load in the target window (comment 12): no crashes observed.
Whiteboard: aviary-only
Marking bug fixed as this is not a trunk problem.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Flags: blocking1.7.8?
Flags: blocking-aviary1.0.5?
Comment on attachment 179605
nsDOMClassInfo part of the fix to make dragging from image documents work again.
a=dveditz for landing on branches, but not blocking the release if it doesn't happen. If checked in please add the fixed-aviary1.0.5 and fixed1.7.9 keywords (without removing the current 1.0.3/1.7.7 ones) to help triage and tracking queries.
Attachment #179605 - Flags: approval1.7.9+
Attachment #179605 - Flags: approval1.7.8?
Attachment #179605 - Flags: approval-aviary1.0.5?
Attachment #179605 - Flags: approval-aviary1.0.5+
Fixed on the branches.
verified fixed using 200506170x-1.0.5 firefox builds on linux fc3 and mac os x 10.4.1 --this time the dropped image does load in the second browser window. :)
Status: RESOLVED → VERIFIED
Crash Signature: [@ msvcrt.dll + 0x378c0 (0x77c378c0) 517abc0f]