Issue 16280

Starred by 4 users

Issue metadata

Status: Fixed
Owner:
Closed: Jul 2009
Cc:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug
M-3


Crash - RenderViewHost::DragSourceMovedTo(int,int,int,int)

Project Member Reported by lafo...@chromium.org, Jul 9 2009

Issue description

This crash was detected in 3.0.192.1 and appears to be a regression from 3.0.191.3.
It is currently ranked #9 (based on the relative number of reports in the release).  There have been 4 reports from 4 clients.
Search query: http://crash/search?query=Chrome+3.0.192.1+RenderWidgetHost%3A%3ASend%28IPC%3A%3AMessage+*%29
----------------------------
*       Summary Data       *
----------------------------
Report Link: http://crash/reportdetail?reportid=a009b5d204c725c1
Mini Dump Link: http://crash/file?reportid=a009b5d204c725c1&name=upload_file_minidump

Uptime: 41 sec
User Comments: null
OS: Windows 7 
CPU Architecture: x86
CPU Info: GenuineIntel family 6 model 14 stepping 12
rept: null
ptype: browser
plat: Win32
crash type:(EXCEPTION_ACCESS_VIOLATION@0x0000001b)

----------------------------
*        Crash Trace       *
----------------------------
    [render_widget_host.cc:127] - RenderWidgetHost::Send(IPC::Message *)
    [render_view_host.cc:567] - RenderViewHost::DragSourceMovedTo(int,int,int,int)
    [web_drag_source.cc:68] - WebDragSource::OnDragSourceMove()
    [base_drag_source.cc:28] - BaseDragSource::QueryContinueDrag(int,unsigned long)
    [ole32.dll+0x0010783f] - CDragOperation::UpdateTarget()
    [ole32.dll+0x00107b14] - DoDragDrop
    [tab_contents_view_win.cc:186] - TabContentsViewWin::StartDragging(WebDropData const &)
    [ipc_message_utils.h:1152] - IPC::MessageWithTuple<Tuple1<WebDropData> >::Dispatch<RenderViewHost,void ( RenderViewHost::*)(WebDropData const &)>(IPC::Message const *,RenderViewHost *,void ( RenderViewHost::*)(WebDropData const &))
    [render_view_host.cc:709] - RenderViewHost::OnMessageReceived(IPC::Message const &)
    [browser_render_process_host.cc:772] - BrowserRenderProcessHost::OnMessageReceived(IPC::Message const &)
    [task.h:307] - RunnableMethod<CancelableRequest<CallbackRunner<Tuple5<int,bool,scoped_refptr<RefCountedVector<unsigned char> >,bool,GURL> > >,void ( CancelableRequest<CallbackRunner<Tuple5<int,bool,scoped_refptr<RefCountedVector<unsigned char> >,bool,GURL> > >::*)(Tuple5<int,bool,scoped_refptr<RefCountedVector<unsigned char> >,bool,GURL> const &),Tuple1<Tuple5<int,bool,scoped_refptr<RefCountedVector<unsigned char> >,bool,GURL> > >::Run()
    [message_loop.cc:313] - MessageLoop::RunTask(Task *)
    [message_loop.cc:321] - MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const &)
    [message_loop.cc:427] - MessageLoop::DoWork()
    [message_pump_win.cc:209] - base::MessagePumpForUI::DoRunLoop()
    [message_pump_win.cc:52] - base::MessagePumpWin::RunWithDispatcher(base::MessagePump::Delegate *,base::MessagePumpWin::Dispatcher *)
    [message_loop.cc:193] - MessageLoop::RunInternal()
    [message_loop.cc:181] - MessageLoop::RunHandler()
    [message_loop.cc:589] - MessageLoopForUI::Run(base::MessagePumpWin::Dispatcher *)
    [browser_main.cc:192] - `anonymous namespace'::RunUIMessageLoop(BrowserProcess *)
    [browser_main.cc:792] - BrowserMain(MainFunctionParams const &)
    [chrome_dll_main.cc:513] - ChromeMain
    [google_update_client.cc:96] - google_update::GoogleUpdateClient::Launch(HINSTANCE__ *,sandbox::SandboxInterfaceInfo *,wchar_t *,char const *,int *)
    [chrome_exe_main.cc:94] - wWinMain
    [crt0.c:324] - __tmainCRTStartup
    [kernel32.dll+0x000510db] - BaseThreadInitThunk
    [ntdll.dll+0x00061e9d] -
    [ntdll.dll+0x00061e70] -

----------------------------
*      Loaded Modules      *
----------------------------
    mdnsNSP.dll
    WLIDNSP.DLL
    GoogleDesktopAPI2.dll
    GoogleDesktopCommon.dll
    GoogleDesktopNetwork3.dll
    GoogleDesktopResources_en.dll
    sfShellTools.dll
    chrome.dll
    gears.dll
    icudt38.dll
    chrome.exe
    CRYPTBASE.dll
    EhStorShell.dll
    FWPUCLNT.DLL
    IPHLPAPI.DLL
    KERNELBASE.dll
    PeerDist.dll
    RpcRtRemote.dll
    SensApi.dll
    WSHTCPIP.DLL
    WindowsCodecs.dll
    Wldap32.dll
    advapi32.dll
    apphelp.dll
    authz.dll
    bcrypt.dll
    bcryptprimitives.dll
    cabinet.dll
    cfgmgr32.dll
    clbcatq.dll
    credssp.dll
    crypt32.dll
    cryptnet.dll
    cryptsp.dll
    cscapi.dll
    cscdll.dll
    cscui.dll
    devobj.dll
    devrtl.dll
    dhcpcsvc.dll
    dhcpcsvc6.DLL
    dnsapi.dll
    dwmapi.dll
    gdi32.dll
    gpapi.dll
    iertutil.dll
    imm32.dll
    kernel32.dll
    lpk.dll
    msasn1.dll
    mscms.dll
    msctf.dll
    msvcrt.dll
    mswsock.dll
    ncrypt.dll
    normaliz.dll
    nsi.dll
    ntdll.dll
    ntmarta.dll
    ntshrui.dll
    ole32.dll
    oleacc.dll
    oleaut32.dll
    profapi.dll
    propsys.dll
    psapi.dll
    rasadhlp.dll
    riched20.dll
    rpcrt4.dll
    rsaenh.dll
    schannel.dll
    sechost.dll
    secur32.dll
    setupapi.dll
    shdocvw.dll
    shell32.dll
    shlwapi.dll
    slc.dll
    srvcli.dll
    sspicli.dll
    sxs.dll
    t2embed.dll
    urlmon.dll
    user32.dll
    userenv.dll
    usp10.dll
    uxtheme.dll
    version.dll
    webio.dll
    winhttp.dll
    wininet.dll
    winmm.dll
    winnsi.dll
    wpdshext.dll
    ws2_32.dll
    wship6.dll
    comctl32.dll
    GdiPlus.dll

Labels: -Area-BrowserUI Area-BrowserBackend Mstone-3
Status: Assigned
Summary: Crash - RenderViewHost::DragSourceMovedTo(int,int,int,int)

Comment 3 by darin@chromium.org, Jul 9 2009

Labels: -Area-BrowserBackend Area-BrowserUI
Status: Available
Hmm, it looks like the RenderWidgetHost is a junk address here since the crash is a 
bad address deref @0x0000001b.  That is a bit of a strange address.  The offset of 
the process_ member of RenderWidgetHost is not 0x1b as best as I can tell.  And, 
besides the WebDragSource has a CHECK that the given RenderWidgetHost is not null.

At any rate, I suspect that we probably began tearing down parts of the UI (possibly 
only the tab) while a drag-n-drop operation was in progress.

-> BrowserUI

Comment 4 by tony@chromium.org, Jul 9 2009

Arv's been looking at this recently, although the stack doesn't seem to be related to 
his change.

Comment 5 by arv@chromium.org, Jul 9 2009

FWIW I saw crashes in Safari for Windows as well when I was fixing another DnD bug.

Comment 6 by tony@chromium.org, Jul 10 2009

Status: Started
I'm able to repro.  Darin is right, if the window that we're dragging from is closed 
(e.g., via JS), we crash.  Investigating...

Comment 7 by tony@chromium.org, Jul 10 2009

Issue 12524 has been merged into this issue.
Issue 16366 has been merged into this issue.

Comment 9 by bugdro...@gmail.com, Jul 10 2009

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=20436 

------------------------------------------------------------------------
r20436 | tc@google.com | 2009-07-10 16:10:42 -0700 (Fri, 10 Jul 2009) | 13 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/base/base_drag_source.cc?r1=20436&r2=20435
   M http://src.chromium.org/viewvc/chrome/trunk/src/base/base_drag_source.h?r1=20436&r2=20435
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/tab_contents/tab_contents.cc?r1=20436&r2=20435
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/tab_contents/tab_contents_view.h?r1=20436&r2=20435
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/tab_contents/web_drag_source.cc?r1=20436&r2=20435
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/views/tab_contents/tab_contents_view_win.cc?r1=20436&r2=20435
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/views/tab_contents/tab_contents_view_win.h?r1=20436&r2=20435

Fix a crash that happens if a tab is closed while
we're in the middle of a drag originating from the tab.

The problem is that the tab gets deleted out from under the
drag operation which is happening in a nested message loop.

To work around this, if we're in the middle of a drag and
we get a tab close request, delay the tab close until after
the drag operation is finished.

BUG= 16280 

Review URL: http://codereview.chromium.org/149466
------------------------------------------------------------------------

Comment 10 by tony@chromium.org, Jul 10 2009

Status: Fixed
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=20695 

------------------------------------------------------------------------
r20695 | laforge@chromium.org | 2009-07-14 17:51:20 -0700 (Tue, 14 Jul 2009) | 17 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/193/src/base/base_drag_source.cc?r1=20695&r2=20694
   M http://src.chromium.org/viewvc/chrome/branches/193/src/base/base_drag_source.h?r1=20695&r2=20694
   M http://src.chromium.org/viewvc/chrome/branches/193/src/chrome/browser/tab_contents/tab_contents.cc?r1=20695&r2=20694
   M http://src.chromium.org/viewvc/chrome/branches/193/src/chrome/browser/tab_contents/tab_contents_view.h?r1=20695&r2=20694
   M http://src.chromium.org/viewvc/chrome/branches/193/src/chrome/browser/tab_contents/web_drag_source.cc?r1=20695&r2=20694
   M http://src.chromium.org/viewvc/chrome/branches/193/src/chrome/browser/views/tab_contents/tab_contents_view_win.cc?r1=20695&r2=20694
   M http://src.chromium.org/viewvc/chrome/branches/193/src/chrome/browser/views/tab_contents/tab_contents_view_win.h?r1=20695&r2=20694

Merge 20436 - Fix a crash that happens if a tab is closed while
we're in the middle of a drag originating from the tab.

The problem is that the tab gets deleted out from under the
drag operation which is happening in a nested message loop.

To work around this, if we're in the middle of a drag and
we get a tab close request, delay the tab close until after
the drag operation is finished.

BUG= 16280 

Review URL: http://codereview.chromium.org/149466

TBR=tc@google.com

Review URL: http://codereview.chromium.org/155548
------------------------------------------------------------------------
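Added example, not Chromium's code and not the change in r20436 or r20695: a minimal C++ model of the lifetime bug that Comment 3 suspects, Comment 6 confirms and the two commit messages above describe, with the pre-fix behaviour and the deferred-close fix side by side. The class names only loosely mirror the stack trace; the task queue, the `Live()` registry, `defer_close_during_drag`, `close_after_drag_` and `RunScenario` are invented for this illustration. The registry check stands in for what AddressSanitizer would report, so that the pre-fix path records a dangling access instead of dereferencing freed memory.

```cpp
// Added example: a model of "tab deleted under a nested drag loop" and of
// deferring the close until the drag returns. Names are invented, not Chromium's.
#include <cstdio>
#include <functional>
#include <memory>
#include <queue>
#include <set>

// Single-threaded task queue standing in for the browser UI MessageLoop.
class MessageLoop {
 public:
  void PostTask(std::function<void()> task) { tasks_.push(std::move(task)); }
  // Run at most one pending task; returns false when nothing is queued.
  bool DoWork() {
    if (tasks_.empty()) return false;
    std::function<void()> task = std::move(tasks_.front());
    tasks_.pop();
    task();
    return true;
  }
 private:
  std::queue<std::function<void()>> tasks_;
};

// Host object the drag source keeps a raw back-pointer to. The Live()
// registry lets the example detect a dangling pointer without touching
// freed memory (that would be undefined behaviour rather than a demo).
class RenderViewHost {
 public:
  explicit RenderViewHost(int* delivered) : delivered_(delivered) { Live().insert(this); }
  ~RenderViewHost() { Live().erase(this); }
  static bool IsLive(const RenderViewHost* host) { return Live().count(host) != 0; }
  // The real method does RenderWidgetHost::Send(IPC::Message*) to the renderer.
  void DragSourceMovedTo(int /*client_x*/, int /*client_y*/) { ++*delivered_; }
 private:
  static std::set<const RenderViewHost*>& Live() {
    static std::set<const RenderViewHost*> live;
    return live;
  }
  int* delivered_;
};

// Stands in for WebDragSource plus ole32's DoDragDrop: Run() is a nested
// loop that keeps pumping UI tasks until the drag finishes or is cancelled.
class DragOperation {
 public:
  DragOperation(RenderViewHost* host, MessageLoop* loop) : host_(host), loop_(loop) {}
  void Cancel() { cancelled_ = true; }
  int dangling_accesses() const { return dangling_; }
  void Run(int mouse_moves) {
    for (int i = 0; i < mouse_moves; ++i) {
      loop_->DoWork();        // a script window.close() can run right here
      if (cancelled_) break;  // QueryContinueDrag would return DRAGDROP_S_CANCEL
      OnDragSourceMove(i, 0);
    }
  }
 private:
  void OnDragSourceMove(int x, int y) {
    if (!RenderViewHost::IsLive(host_)) { ++dangling_; return; }  // the crash site
    host_->DragSourceMovedTo(x, y);
  }
  RenderViewHost* host_;
  MessageLoop* loop_;
  bool cancelled_ = false;
  int dangling_ = 0;
};

struct Outcome {
  int moves_delivered;    // DragSourceMovedTo calls that reached a live host
  int dangling_accesses;  // moves that would have dereferenced a freed host
  bool tab_closed;        // whether the close request was honoured in the end
};

// Owner of the tab's host and of the pending-close bookkeeping.
class Browser {
 public:
  explicit Browser(bool defer_close_during_drag) : defer_(defer_close_during_drag) {}
  // Close request arriving as a UI task (e.g. script calling window.close()).
  void CloseTab() {
    if (current_drag_ && defer_) {
      // The fix: never tear the tab down under the nested loop. Cancel the
      // drag and finish the close once the drag loop has returned.
      close_after_drag_ = true;
      current_drag_->Cancel();
      return;
    }
    host_.reset();  // pre-fix behaviour: deleted out from under the drag
  }
  Outcome Drag(int mouse_moves, MessageLoop* loop) {
    DragOperation drag(host_.get(), loop);
    current_drag_ = &drag;
    drag.Run(mouse_moves);  // nested message loop runs here
    current_drag_ = nullptr;
    if (close_after_drag_) { close_after_drag_ = false; CloseTab(); }
    return {delivered_, drag.dangling_accesses(), host_ == nullptr};
  }
 private:
  int delivered_ = 0;
  std::unique_ptr<RenderViewHost> host_{new RenderViewHost(&delivered_)};
  DragOperation* current_drag_ = nullptr;
  bool defer_ = false;
  bool close_after_drag_ = false;
};

// Constructed scenario: a drag that would take five mouse moves; a script
// closes the tab while the nested loop is pumping tasks, after the first move.
Outcome RunScenario(bool defer_close_during_drag) {
  MessageLoop loop;
  Browser browser(defer_close_during_drag);
  loop.PostTask([] {});                               // some unrelated UI task
  loop.PostTask([&browser] { browser.CloseTab(); });  // window.close() from JS
  return browser.Drag(5, &loop);
}

int main() {
  const Outcome before = RunScenario(false), after = RunScenario(true);
  std::printf("pre-fix: delivered=%d dangling=%d closed=%d\n",
              before.moves_delivered, before.dangling_accesses, before.tab_closed);
  std::printf("fixed:   delivered=%d dangling=%d closed=%d\n",
              after.moves_delivered, after.dangling_accesses, after.tab_closed);
  return 0;
}
```

In the pre-fix run every mouse move after the close reaches a freed host (four dangling accesses here); with the deferred close the drag is cancelled on the next `QueryContinueDrag`-style check, the loop unwinds, and only then is the tab deleted, which is the ordering r20436 enforces.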

Comment 12 by tony@chromium.org, Jul 17 2009

Issue 16073 has been merged into this issue.

Comment 13 by bugdroid1@chromium.org, Oct 12 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 14 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Mstone-3 M-3

Comment 15 by bugdroid1@chromium.org, Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
