Bug 288006 - Drag image across browser windows --> crash [@ msvcrt.dll + 0x378c0 (0x77c378c0) 517abc0f]
Status: VERIFIED FIXED
Whiteboard: aviary-only
Keywords: crash, fixed-aviary1.0.3, fixed-aviary1.0.5, fixed1.7.7, fixed1.7.9
Product: Core
Classification: Components
Component: Drag and Drop
Version: Trunk
Platform: x86 Windows XP
Importance: -- critical
Target Milestone: ---
Assigned To: Johnny Stenback (:jst, jst@mozilla.com)
Blocks: 287897
Reported: 2005-03-28 04:07 PST by Po-chiang Chao [:bobchao]
Modified: 2006-03-12 18:25 PST
dveditz: blocking1.7.7+
dveditz: blocking‑aviary1.0.3+


Attachments
Fix. (2.32 KB, patch)
2005-03-28 17:51 PST, Johnny Stenback (:jst, jst@mozilla.com)
bzbarsky: review+
bzbarsky: superreview+
Same thing for the 1.0.1 branch (10.08 KB, patch)
2005-03-29 12:46 PST, Johnny Stenback (:jst, jst@mozilla.com)
bzbarsky: review+
dveditz: superreview+
dveditz: approval‑aviary1.0.3-
dveditz: approval1.7.7-
Caps only change for last-minute inclusion for 1.0.3 (1.45 KB, patch)
2005-04-04 11:33 PDT, Johnny Stenback (:jst, jst@mozilla.com)
jst: review+
jst: superreview+
dveditz: approval‑aviary1.0.3+
dveditz: approval1.7.7+
nsDOMClassInfo part of the fix to make dragging from image documents work again. (8.65 KB, patch)
2005-04-04 11:37 PDT, Johnny Stenback (:jst, jst@mozilla.com)
jst: review+
jst: superreview+
dveditz: approval‑aviary1.0.5+
dveditz: approval1.7.9+

Description Po-chiang Chao [:bobchao] 2005-03-28 04:07:31 PST
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-TW; rv:1.7.6) Gecko/20050318 Firefox/1.0.2 (ax)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-TW; rv:1.7.6) Gecko/20050318 Firefox/1.0.2 (ax)

Always reproducible in:
* [release] Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6)
Gecko/20050317 Firefox/1.0.2
* [release] Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-TW; rv:1.7.6)
Gecko/20050318 Firefox/1.0.2 (ax)
* [nightly] Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-TW; rv:1.7.6)
Gecko/20050327 Firefox/1.0.2

see reproducing steps.

Reproducible: Always

Steps to Reproduce:
1. press ctrl-N to open another browser window.
2. open an image (say, http://www.mozilla.org/images/t_firefox.gif) in first
browser window.
3. drag the image into the new browser window

Actual Results:  
Firefox crashed

Expected Results:  
open the image without crash

Talkback: TB4650038Q

note: Is the bug related to bug 44254, bug 287962 or bug 281431?
Comment 1 Pavel Penaz 2005-03-28 05:19:08 PST
WFM on trunk here

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050327
Firefox/1.0+
Comment 2 Pavel Penaz 2005-03-28 05:29:28 PST
I can reproduce this crash with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
rv:1.7.6) Gecko/20050328 Firefox/1.0.2

Talkback ID: TB4656657W
Comment 3 timeless 2005-03-28 07:30:24 PST
Incident ID: 4656657
Stack Signature	msvcrt.dll + 0x378c0 (0x77c378c0) 517abc0f
Product ID	Firefox10
Build ID	2005032722
Trigger Time	2005-03-28 05:27:58.0
Platform	Win32
Operating System	Windows NT 5.1 build 2600
Module	msvcrt.dll + (000378c0)
URL visited	
User Comments	
Since Last Crash	24 sec
Total Uptime	24 sec
Trigger Reason	Access violation
Source File, Line No.	N/A
Stack Trace 	
msvcrt.dll + 0x378c0 (0x77c378c0)
XPTC_InvokeByIndex 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp,
line 102]
XPCWrappedNative::CallMethod 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp,
line 2034]
XPC_WN_CallMethod 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp,
line 1287]
js_Invoke 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c,
line 949]
js_Interpret 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c,
line 2993]
js_Invoke 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c,
line 966]
js_InternalInvoke 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c,
line 1043]
JS_CallFunctionValue 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsapi.c,
line 3698]
nsJSContext::CallEventHandler 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp,
line 1297]
nsJSEventListener::HandleEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/dom/src/events/nsJSEventListener.cpp,
line 184]
nsEventListenerManager::HandleEventSubType 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/events/src/nsEventListenerManager.cpp,
line 1436]
nsEventListenerManager::HandleEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/events/src/nsEventListenerManager.cpp,
line 1516]
nsXULElement::HandleDOMEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2841]
nsXULElement::HandleDOMEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2860]
nsXULElement::HandleDOMEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2860]
nsXULElement::HandleDOMEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2860]
nsXULElement::HandleDOMEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2860]
nsXULElement::HandleChromeEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/xul/content/src/nsXULElement.cpp,
line 3988]
GlobalWindowImpl::HandleDOMEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp,
line 954]
nsDocument::HandleDOMEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/base/src/nsDocument.cpp,
line 3753]
nsGenericElement::HandleDOMEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/base/src/nsGenericElement.cpp,
line 1999]
PresShell::HandleEventInternal 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/layout/html/base/src/nsPresShell.cpp,
line 6059]
PresShell::HandleEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/layout/html/base/src/nsPresShell.cpp,
line 5921]
nsViewManager::HandleEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/view/src/nsViewManager.cpp,
line 2326]
nsViewManager::DispatchEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/view/src/nsViewManager.cpp,
line 2066]
HandleEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/view/src/nsView.cpp,
line 77]
nsWindow::DispatchEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 1067]
nsNativeDragTarget::ProcessDrag 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/widget/src/windows/nsNativeDragTarget.cpp,
line 234]
nsNativeDragTarget::Drop 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/widget/src/windows/nsNativeDragTarget.cpp,
line 350]
ole32.dll + 0x118e86 (0x775e8e86)
ole32.dll + 0x1190c8 (0x775e90c8)
ole32.dll + 0xefc98 (0x775bfc98)
ole32.dll + 0xefb20 (0x775bfb20)
nsDragService::StartInvokingDragSession 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/widget/src/windows/nsDragService.cpp,
line 168]
nsDragService::InvokeDragSession 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/widget/src/windows/nsDragService.cpp,
line 133]
nsContentAreaDragDrop::DragGesture 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/base/src/nsContentAreaDragDrop.cpp,
line 703]
DispatchToInterface 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/events/src/nsEventListenerManager.cpp,
line 127]
nsEventListenerManager::HandleEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/events/src/nsEventListenerManager.cpp,
line 1524]
nsXULElement::HandleDOMEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2841]
nsXULElement::HandleChromeEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/xul/content/src/nsXULElement.cpp,
line 3988]
GlobalWindowImpl::HandleDOMEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp,
line 954]
nsDocument::HandleDOMEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/base/src/nsDocument.cpp,
line 3753]
nsGenericElement::HandleDOMEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/base/src/nsGenericElement.cpp,
line 1999]
nsGenericElement::HandleDOMEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/base/src/nsGenericElement.cpp,
line 1993]
nsGenericElement::HandleDOMEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/base/src/nsGenericElement.cpp,
line 1993]
nsHTMLImageElement::HandleDOMEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/html/content/src/nsHTMLImageElement.cpp,
line 579]
nsEventStateManager::GenerateDragGesture 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/events/src/nsEventStateManager.cpp,
line 1484]
nsEventStateManager::PreHandleEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/events/src/nsEventStateManager.cpp,
line 443]
PresShell::HandleEventInternal 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/layout/html/base/src/nsPresShell.cpp,
line 6056]
PresShell::HandleEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/layout/html/base/src/nsPresShell.cpp,
line 5921]
nsViewManager::HandleEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/view/src/nsViewManager.cpp,
line 2326]
nsViewManager::DispatchEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/view/src/nsViewManager.cpp,
line 2066]
HandleEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/view/src/nsView.cpp,
line 77]
nsWindow::DispatchEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 1067]
nsWindow::DispatchMouseEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 5261]
ChildWindow::DispatchMouseEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 5511]
nsWindow::WindowProc 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 1349]
USER32.dll + 0x8709 (0x77d38709)
USER32.dll + 0x87eb (0x77d387eb)
USER32.dll + 0x89a5 (0x77d389a5)
USER32.dll + 0x89e8 (0x77d389e8)
nsAppShell::Run 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/widget/src/windows/nsAppShell.cpp,
line 159]
nsAppShellService::Run 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/xpfe/appshell/src/nsAppShellService.cpp,
line 495]
Comment 4 Johnny Stenback (:jst, jst@mozilla.com) 2005-03-28 17:51:38 PST
Created attachment 178880
Fix.

The problem here is that the new dragDropSecurityCheck() method assumes (and
correctly so IMO) that the source document has a non-null documentURI property.
And it would, if ImageDocuments would tell xpconnect that they implement
nsIDOM3Document. This patch fixes that, and also makes checkLoadURIStr() not
crash if ever given a null source URI string.
Comment 5 Boris Zbarsky [:bz] 2005-03-28 18:05:43 PST
Comment on attachment 178880
Fix.

Add a null-check for aTargetURIStr too, ok?  And land the security manager part
on trunk?
Comment 6 Peter Van der Beken [:peterv] 2005-03-29 01:31:50 PST
Comment on attachment 178880
Fix.

I wonder if a DOM_CLASSINFO_GENERIC_DOCUMENT_MAP_ENTRIES macro would make
sense.
Comment 7 Johnny Stenback (:jst, jst@mozilla.com) 2005-03-29 12:46:10 PST
Created attachment 178961
Same thing for the 1.0.1 branch

Turns out that this is aviary only, at least the crash part is. On the trunk,
the caps code is passed a string reference, so no need for null checks there,
and I already landed peterv's proposed cleanup (added a macro) on the trunk
too. This should go in for 1.0.3 whenever that goes out...
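
The null-check discussion in comments 4, 5 and 7, as an added example that is not part of the bug thread and is not Mozilla's code: a pointer-taking security check that validates both arguments and fails closed, next to a reference-taking form that needs no pointer checks. All function names, the result enum and the scheme policy are assumptions made for the illustration.

```cpp
#include <string>

// Hypothetical result codes for this example.
enum class LoadCheck { Allowed, Denied, InvalidArg };

// Prefix test (rfind at position 0 only matches at the start).
static bool starts_with(const std::string& s, const char* prefix) {
    return s.rfind(prefix, 0) == 0;
}

// Reference-taking form, like the trunk API described in comment 7:
// a reference cannot be null, so no pointer checks are needed.
LoadCheck check_load_uri(const std::string& source, const std::string& target) {
    if (source.empty() || target.empty()) return LoadCheck::InvalidArg;
    // Constructed policy: web content may not load local or privileged URIs.
    bool source_is_web = starts_with(source, "http:") || starts_with(source, "https:");
    bool target_restricted = starts_with(target, "file:") || starts_with(target, "chrome:");
    if (source_is_web && target_restricted) return LoadCheck::Denied;
    return LoadCheck::Allowed;
}

// Pointer-taking form, like the branch API: both arguments are checked
// before any use (comment 5 asks for the target check as well). Passing a
// null pointer on to string code is undefined behaviour and typically
// faults inside the C runtime.
LoadCheck check_load_uri_str(const char* source, const char* target) {
    if (source == nullptr || target == nullptr) return LoadCheck::InvalidArg;
    return check_load_uri(source, target);
}

// Caller fails closed: only an explicit Allowed permits the drop, so a
// missing source URI refuses the drop instead of crashing.
bool drop_permitted(const char* source_document_uri, const char* dropped_uri) {
    return check_load_uri_str(source_document_uri, dropped_uri) == LoadCheck::Allowed;
}

int main() {
    // Constructed case modelled on comment 0: source document with no URI.
    const char* image = "http://www.mozilla.org/images/t_firefox.gif";
    return drop_permitted(nullptr, image) ? 1 : 0;  // exits 0: drop refused
}
```
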
Comment 8 Chase Phillips 2005-04-04 07:35:24 PDT
Comment on attachment 178961
Same thing for the 1.0.1 branch

Pushing this onto our radar for possible inclusion.
Comment 9 Johnny Stenback (:jst, jst@mozilla.com) 2005-04-04 11:33:07 PDT
Created attachment 179603
Caps only change for last-minute inclusion for 1.0.3

This is the same as the above patch, but w/o the nsDOMClassInfo changes just to
keep the regression risk at 0.
Comment 10 Daniel Veditz [:dveditz] 2005-04-04 11:36:48 PDT
Comment on attachment 178961
Same thing for the 1.0.1 branch

We don't want to rush the iface changes, just stop the crash. (these will come
back as a new patch, minus the null check in attachment 179603)
Comment 11 Johnny Stenback (:jst, jst@mozilla.com) 2005-04-04 11:37:31 PDT
Created attachment 179605
nsDOMClassInfo part of the fix to make dragging from image documents work again.
Comment 12 Daniel Veditz [:dveditz] 2005-04-04 11:38:00 PDT
Comment on attachment 179603
Caps only change for last-minute inclusion for 1.0.3

a=dveditz for 1.7.7 and aviary1.0.3 branches to stop the crash. Drop remains
broken after this patch, but doesn't crash.
Comment 13 Daniel Veditz [:dveditz] 2005-04-04 11:40:25 PDT
The crash fix is blocking 1.7.7 and aviary 1.0.3; nominating 1.0.4 and 1.7.8
for the nsDOMClassInfo fix to make dropping images work again.
Comment 14 Christopher Aillon (sabbatical, not receiving bugmail) 2005-04-04 13:37:08 PDT
I just landed attachment 179603 on the aviary and 1.7 branches on jst's behalf
per his request.
Comment 15 sairuh (rarely reading bugmail) 2005-04-04 19:24:52 PDT
verified fixed using 2005040417-1.0.3 (linux, mac) and 2005040416-1.0.3
(windows) bits. tested using the case in comment 0, keeping in mind that the
dropped image won't load in the target window (comment 12): no crashes observed.
Comment 16 Johnny Stenback (:jst, jst@mozilla.com) 2005-05-03 16:05:31 PDT
Marking bug fixed as this is not a trunk problem.
Comment 17 Daniel Veditz [:dveditz] 2005-06-07 13:40:42 PDT
Comment on attachment 179605
nsDOMClassInfo part of the fix to make dragging from image documents work again.

a=dveditz for landing on branches, but not blocking the release if it doesn't
happen.

If checked in please add the fixed-aviary1.0.5 and fixed1.7.9 keywords (without
removing the current 1.0.3/1.7.7 ones) to help triage and tracking queries.
Comment 18 Johnny Stenback (:jst, jst@mozilla.com) 2005-06-07 14:16:11 PDT
Fixed on the branches.
Comment 19 sairuh (rarely reading bugmail) 2005-06-17 11:03:27 PDT
verified fixed using 200506170x-1.0.5 firefox builds on linux fc3 and mac os x
10.4.1 --this time the dropped image does load in the second browser window. :)