Closed
Bug 396829
Opened 16 years ago
Closed 16 years ago
Crash [@ SampleMouseAndKeyboard] when dragging text whose document goes away
Categories
(Core :: DOM: Copy & Paste and Drag & Drop, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: jruderman, Assigned: jaas)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: [sg:critical?])
Crash Data
Attachments
(2 files, 2 obsolete files)
|
216 bytes,
text/html
|
Details | |
|
7.24 KB,
patch
|
smichaud
:
review+
roc
:
superreview+
roc
:
approval1.9+
|
Details | Diff | Splinter Review |
The testcase is a simple page with an iframe that "refreshes" every 2 seconds. Steps to reproduce: 1. Load the testcase. 2. Select some text in the iframe. 3. Drag the text to outside the iframe, keeping the mouse button held down. 4. Wait for the iframe to refresh. 5. Move the cursor again (?). Result: crash [@ SampleMouseAndKeyboard] [@ objc_msgSend] dereferencing a random address. This only crashes after the bug 395397 landing, because before that landing, timers did not fire during drags. I don't know whether it was possible to make this happen in other ways before the bug 395397 landing (e.g. using a timer in another window?). I don't know whether this is Mac-specific.
|
Reporter | |
Updated•16 years ago
|
Flags: blocking1.9?
Whiteboard: [sg:critical?]
autoreleasing is probably better, it seems weird for an object to call the final release on itself in its own method though apparently it wasn't a problem in this case.
Attachment #281612 -
Attachment is obsolete: true
Attachment #281617 -
Flags: review?(smichaud)
Attachment #281612 -
Flags: review?(smichaud)
This also fixes the bug and adds an additional measure of safety and efficiency. We retain/release much less often during a drag and there is no need to mess with autorelease.
Attachment #281617 -
Attachment is obsolete: true
Attachment #281624 -
Flags: review?(smichaud)
Attachment #281617 -
Flags: review?(smichaud)
|
||
Comment 4•16 years ago
|
||
Comment on attachment 281624 [details] [diff] [review] fix v2.0 Your patch looks fine to me, Josh. But there are a number of places (in nsDragService.mm) where gLastDragView and gLastDragEvent are used without null checking. Because of the way Objective-C works, these could never cause crashes. But you'd (presumably) still get strange results if they were ever null.
Attachment #281624 -
Flags: review?(smichaud) → review+
Comment on attachment 281624 [details] [diff] [review] fix v2.0 We do depend on the mouseDragged being on the stack before every place we use the globals. That is always true and like you said if it wasn't then we wouldn't crash.
Attachment #281624 -
Flags: superreview?(roc)
Attachment #281624 -
Flags: superreview?(roc)
Attachment #281624 -
Flags: superreview+
Attachment #281624 -
Flags: approval1.9+
landed on trunk
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
|
||
Comment 7•16 years ago
|
||
verified fixed using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9b3pre) Gecko/2007123104 Minefield/3.0b3pre and the testcase from this bug - no crash on testcase -> Verified fixed
Status: RESOLVED → VERIFIED
|
|
Reporter | |
Comment 8•15 years ago
|
||
Following the steps in comment 0 does not crash on branch.
Group: security
Flags: wanted1.8.1.x-
|
||
Updated•15 years ago
|
Flags: in-testsuite?
|
||
Updated•12 years ago
|
Crash Signature: [@ SampleMouseAndKeyboard]
You need to log in
before you can comment on or make changes to this bug.
Description
•