Closed Bug 396829 Opened 15 years ago Closed 15 years ago

Crash [@ SampleMouseAndKeyboard] when dragging text whose document goes away

Categories

(Core :: DOM: Copy & Paste and Drag & Drop, defect)

x86
macOS
defect
Not set
critical

Tracking

()

VERIFIED FIXED

People

(Reporter: jruderman, Assigned: jaas)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [sg:critical?])

Crash Data

Attachments

(2 files, 2 obsolete files)

The testcase is a simple page with an iframe that "refreshes" every 2 seconds.

Steps to reproduce:
1. Load the testcase.
2. Select some text in the iframe.
3. Drag the text to outside the iframe, keeping the mouse button held down.
4. Wait for the iframe to refresh.
5. Move the cursor again (?).

Result: crash [@ SampleMouseAndKeyboard] [@ objc_msgSend] dereferencing a random address.

This only crashes after the bug 395397 landing, because before that landing, timers did not fire during drags.  I don't know whether it was possible to make this happen in other ways before the bug 395397 landing (e.g. using a timer in another window?).  I don't know whether this is Mac-specific.
Flags: blocking1.9?
Whiteboard: [sg:critical?]
Attached patch fix v1.0 (obsolete) — Splinter Review
Assignee: nobody → joshmoz
Status: NEW → ASSIGNED
Attachment #281612 - Flags: review?(smichaud)
Flags: blocking1.9? → blocking1.9+
Attached patch fix v1.1 (obsolete) — Splinter Review
autoreleasing is probably better, it seems weird for an object to call the final release on itself in its own method though apparently it wasn't a problem in this case.
Attachment #281612 - Attachment is obsolete: true
Attachment #281617 - Flags: review?(smichaud)
Attachment #281612 - Flags: review?(smichaud)
Attached patch fix v2.0Splinter Review
This also fixes the bug and adds an additional measure of safety and efficiency. We retain/release much less often during a drag and there is no need to mess with autorelease.
Attachment #281617 - Attachment is obsolete: true
Attachment #281624 - Flags: review?(smichaud)
Attachment #281617 - Flags: review?(smichaud)
Comment on attachment 281624 [details] [diff] [review]
fix v2.0

Your patch looks fine to me, Josh.

But there are a number of places (in nsDragService.mm) where
gLastDragView and gLastDragEvent are used without null checking.
Because of the way Objective-C works, these could never cause crashes.
But you'd (presumably) still get strange results if they were ever
null.
Attachment #281624 - Flags: review?(smichaud) → review+
Comment on attachment 281624 [details] [diff] [review]
fix v2.0

We do depend on the mouseDragged being on the stack before every place we use the globals. That is always true and like you said if it wasn't then we wouldn't crash.
Attachment #281624 - Flags: superreview?(roc)
Attachment #281624 - Flags: superreview?(roc)
Attachment #281624 - Flags: superreview+
Attachment #281624 - Flags: approval1.9+
landed on trunk
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
verified fixed using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9b3pre) Gecko/2007123104 Minefield/3.0b3pre and the testcase from this bug - no crash on testcase

-> Verified fixed
Status: RESOLVED → VERIFIED
Following the steps in comment 0 does not crash on branch.
Group: security
Flags: wanted1.8.1.x-
Flags: in-testsuite?
Crash Signature: [@ SampleMouseAndKeyboard]
You need to log in before you can comment on or make changes to this bug.