Starred by 8 users
Status: Verified
Closed: Aug 2010
OS: Windows
Pri: 1
Type: Bug
M-6

Browser crash with file and drag and drop
Reported by venkataramana@chromium.org, Aug 4 2010
Build: 6.0.472.22
OS: XP

-Navigate to http://jli3-corp.ad/alice/drag_out.html
-Select 'Huge file (40M)' on the page and drag and drop the google image on the desktop.
-After file is successfully copied to desktop, repeat step 2 again.
-While download is in progress, please click on drop-down list on the download-shelf.
-Browser crashes. 

The full crash report can be found @ 
http://crash/reportdetail?reportid=d6d96f42d7271394

PS: will figure out, if it is a regression

Stack trace:
############
Thread 0 *CRASHED* ( EXCEPTION_PRIV_INSTRUCTION @ 0x02b2727e )

0x02b2727e	 [chrome.dll	 + 0x00ef727e]	
0x0258dee4	 [chrome.dll	 - view.cc:490]	views::View::ProcessMousePressed(views::MouseEvent const &,views::View::DragInfo *)
0x0259cc4c	 [chrome.dll	 - root_view.cc:341]	views::RootView::OnMousePressed(views::MouseEvent const &)
0x02596036	 [chrome.dll	 - widget_win.cc:1010]	views::WidgetWin::ProcessMousePressed(WTL::CPoint const &,unsigned int,bool,bool)
0x02595ae4	 [chrome.dll	 - widget_win.cc:708]	views::WidgetWin::OnLButtonDown(unsigned int,WTL::CPoint const &)
0x01e5ce59	 [chrome.dll	 - widget_win.h:159]	views::WidgetWin::_ProcessWindowMessage(HWND__ *,unsigned int,unsigned int,long,long &,unsigned long)
0x01e5ca11	 [chrome.dll	 - widget_win.h:112]	views::WidgetWin::ProcessWindowMessage(HWND__ *,unsigned int,unsigned int,long,long &,unsigned long)
0x02596483	 [chrome.dll	 - widget_win.cc:1231]	views::WidgetWin::OnWndProc(unsigned int,unsigned int,long)
0x024a3dcc	 [chrome.dll	 - window_impl.cc:195]	gfx::WindowImpl::WndProc(HWND__ *,unsigned int,unsigned int,long)
0x7e418733	 [user32.dll	 + 0x00008733]	InternalCallWinProc
0x7e418815	 [user32.dll	 + 0x00008815]	UserCallWinProcCheckWow
0x7e4189cc	 [user32.dll	 + 0x000089cc]	DispatchMessageWorker
0x7e418a0f	 [user32.dll	 + 0x00008a0f]	DispatchMessageW
0x0258d693	 [chrome.dll	 - accelerator_handler_win.cc:57]	views::AcceleratorHandler::Dispatch(tagMSG const &)
0x01cfd994	 [chrome.dll	 - message_pump_win.cc:354]	base::MessagePumpForUI::ProcessMessageHelper(tagMSG const &)
0x01cfd7f2	 [chrome.dll	 - message_pump_win.cc:199]	base::MessagePumpForUI::DoRunLoop()
0x01cfd619	 [chrome.dll	 - message_pump_win.cc:52]	base::MessagePumpWin::RunWithDispatcher(base::MessagePump::Delegate *,base::MessagePumpWin::Dispatcher *)
0x01cebda8	 [chrome.dll	 - message_loop.cc:252]	MessageLoop::RunInternal()
0x01cebd38	 [chrome.dll	 - message_loop.cc:229]	MessageLoop::RunHandler()
0x01cec437	 [chrome.dll	 - message_loop.cc:655]	MessageLoopForUI::Run(base::MessagePumpWin::Dispatcher *)
0x01d65e4a	 [chrome.dll	 - browser_main.cc:368]	`anonymous namespace'::RunUIMessageLoop(BrowserProcess *)
0x01d6785c	 [chrome.dll	 - browser_main.cc:1268]	BrowserMain(MainFunctionParams const &)
0x01c33d33	 [chrome.dll	 - chrome_dll_main.cc:889]	ChromeMain
0x004038cd	 [chrome.exe	 - client_util.cc:238]	MainDllLoader::Launch(HINSTANCE__ *,sandbox::SandboxInterfaceInfo *)
0x00403e9f	 [chrome.exe	 - chrome_exe_main.cc:46]	wWinMain
0x00446b3e	 [chrome.exe	 - crt0.c:263]	__tmainCRTStartup
0x7c817076	 [kernel32.dll	 + 0x00017076]	BaseProcessStart
Thread 1

0x7c90e514	 [ntdll.dll	 + 0x0000e514]	KiFastSystemCallRet
0x7c90df49	 [ntdll.dll	 + 0x0000df49]	NtWaitForMultipleObjects
0x7c80958f	 [kernel32.dll	 + 0x0000958f]	CreateFileMappingA
0x77df8630	 [advapi32.dll	 + 0x00028630]	WmipEventPump
0x7c80b728	 [kernel32.dll	 + 0x0000b728]	BaseThreadStart
Thread 2

0x7c90e514	 [ntdll.dll	 + 0x0000e514]	KiFastSystemCallRet
0x7c90d219	 [ntdll.dll	 + 0x0000d219]	ZwDelayExecution
0x7c927f21	 [ntdll.dll	 + 0x00027f21]	RtlpTimerThread
0x7c80b728	 [kernel32.dll	 + 0x0000b728]	BaseThreadStart
Thread 3

0x7c90e514	 [ntdll.dll	 + 0x0000e514]	KiFastSystemCallRet
0x7c90da49	 [ntdll.dll	 + 0x0000da49]	ZwRemoveIoCompletion
0x7c91028c	 [ntdll.dll	 + 0x0001028c]	RtlpWorkerThread
0x7c80b728	 [kernel32.dll	 + 0x0000b728]	BaseThreadStart
Thread 4

0x7c90e514	 [ntdll.dll	 + 0x0000e514]	KiFastSystemCallRet
0x7c90df49	 [ntdll.dll	 + 0x0000df49]	NtWaitForMultipleObjects
0x7c929cb5	 [ntdll.dll	 + 0x00029cb5]	RtlpWaitThread
0x7c80b728	 [kernel32.dll	 + 0x0000b728]	BaseThreadStart
Thread 5

0x7c90e514	 [ntdll.dll	 + 0x0000e514]	KiFastSystemCallRet
0x7c90da49	 [ntdll.dll	 + 0x0000da49]	ZwRemoveIoCompletion
0x7c80a7e5	 [kernel32.dll	 + 0x0000a7e5]	GetQueuedCompletionStatus
0x00410c70	 [chrome.exe	 - broker_services.cc:155]	sandbox::BrokerServicesBase::TargetEventsThread(void *)
0x7c80b728	 [kernel32.dll	 + 0x0000b728]	BaseThreadStart
Thread 6

0x7c90e514	 [ntdll.dll	 + 0x0000e514]	KiFastSystemCallRet
0x7c90df59	 [ntdll.dll	 + 0x0000df59]	ZwWaitForSingleObject
0x7c8025da	 [kernel32.dll	 + 0x000025da]	WaitForSingleObjectEx
0x7c802541	 [kernel32.dll	 + 0x00002541]	WaitForSingleObject
0x01cf99ba	 [chrome.dll	 - waitable_event_win.cc:50]	base::WaitableEvent::Wait()
0x01cfd356	 [chrome.dll	 - message_pump_default.cc:42]	base::MessagePumpDefault::Run(base::MessagePump::Delegate *)
0x01cebdb3	 [chrome.dll	 - message_loop.cc:257]	MessageLoop::RunInternal()
0x01cebd38	 [chrome.dll	 - message_loop.cc:229]	MessageLoop::RunHandler()
0x01cebce6	 [chrome.dll	 - message_loop.cc:207]	MessageLoop::Run()
0x02584168	 [chrome.dll	 - thread.cc:136]	base::Thread::Run(MessageLoop *)
0x0258420e	 [chrome.dll	 - thread.cc:160]	base::Thread::ThreadMain()
0x01cf5c9c	 [chrome.dll	 - platform_thread_win.cc:26]	`anonymous namespace'::ThreadFunc(void *)
0x7c80b728	 [kernel32.dll	 + 0x0000b728]	BaseThreadStart
Thread 7

0x7c90e514	 [ntdll.dll	 + 0x0000e514]	KiFastSystemCallRet
0x7c90df49	 [ntdll.dll	 + 0x0000df49]	NtWaitForMultipleObjects
0x7c80958f	 [kernel32.dll	 + 0x0000958f]	CreateFileMappingA
0x7e4195f8	 [user32.dll	 + 0x000095f8]	RealMsgWaitForMultipleObjectsEx
0x01cfd8f4	 [chrome.dll	 - message_pump_win.cc:256]	base::MessagePumpForUI::WaitForWork()
0x01cfd85a	 [chrome.dll	 - message_pump_win.cc:228]	base::MessagePumpForUI::DoRunLoop()
0x01cfd619	 [chrome.dll	 - message_pump_win.cc:52]	base::MessagePumpWin::RunWithDispatcher(base::MessagePump::Delegate *,base::MessagePumpWin::Dispatcher *)
0x01cfd456	 [chrome.dll	 - message_pump_win.h:79]	base::MessagePumpWin::Run(base::MessagePump::Delegate *)
0x01cebdb3	 [chrome.dll	 - message_loop.cc:257]	MessageLoop::RunInternal()
0x01cebd38	 [chrome.dll	 - message_loop.cc:229]	MessageLoop::RunHandler()
0x01cebce6	 [chrome.dll	 - message_loop.cc:207]	MessageLoop::Run()
0x02584168	 [chrome.dll	 - thread.cc:136]	base::Thread::Run(MessageLoop *)
0x0258420e	 [chrome.dll	 - thread.cc:160]	base::Thread::ThreadMain()
0x01cf5c9c	 [chrome.dll	 - platform_thread_win.cc:26]	`anonymous namespace'::ThreadFunc(void *)
0x7c80b728	 [kernel32.dll	 + 0x0000b728]	BaseThreadStart
 
 Issue 44528  has been merged into this issue.
Comment 3 by kerz@chromium.org, Aug 4 2010
Labels: ReleaseBlock-Beta
adding Jian, since I think this is his code
I was unable to repro.
The download-shelf disappears very quickly and it's hard to click it.
I was able to get it to stay long enough for me to click it, but it would not crash.
Here is the demo for you !!
www.corp.google.com/chromeqa/crashDumps/FileDragOutCrash.avi

To better reproduce the issue, please make your browser busy and also delete the file that was already copied to desktop. Hope this will help you !!
PS: As I mentioned in the original bug report, pls try to click on download shelf from 2nd drag-out onwards. It won't crash for first one !!
I had a hang (which eventually recovered after about a minute) on Windows Vista when I dragged a Picasa (desktop app) photo from an album to the Facebook Upload Photo control (<input type="file">).  I don't know if this is absolutely related but it matches the bug title.
Comment 9 by huanr@chromium.org, Aug 5 2010
Status: Assigned
Status: Started
I can repro a crasher but the stack is a bit different.
I think the trick is that when the file has been downloaded, the download bar disappears. It will crash if you have the download menu on the item in the infobar open when the bar disappears (when the file has been downloaded).
I understand what is causing the crasher.
See http://codereview.chromium.org/3052043/show for details.
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=55430 

------------------------------------------------------------------------
r55430 | jcivelli@chromium.org | 2010-08-09 11:58:18 -0700 (Mon, 09 Aug 2010) | 9 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/views/download_item_view.cc?r1=55430&r2=55429
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/views/download_item_view.h?r1=55430&r2=55429

Fix crasher with download bar.
When dragging out a file, the download bar is shown and disappears automatically once the download is complete.
If the download item menu was opened at that point, we would crash.
This was because showing the menu runs an inner message loop that would process the hide for the download bar, leading to the download item that was on the call-stack to be deleted, causing a crasher once the stack unwound and the deleted object was accessed.

BUG= 51187 
TEST=In GMail, open an email with a large attachment (like 2 MB). Drag the file from GMail to your desktop. Click on the arrow on the item on the download bar to bring up the download menu. Keep the menu open until the download is completed and the bar gets hidden. It should not crash.

Review URL: http://codereview.chromium.org/3052043
------------------------------------------------------------------------

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=55443 

------------------------------------------------------------------------
r55443 | jcivelli@chromium.org | 2010-08-09 12:43:22 -0700 (Mon, 09 Aug 2010) | 11 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/browser/views/download_item_view.cc?r1=55443&r2=55442
   M http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/browser/views/download_item_view.h?r1=55443&r2=55442

Merging r55430 to the M6 branch:

Fix crasher with download bar.
When dragging out a file, the download bar is shown and disappears automatically once the download is complete.
If the download item menu was opened at that point, we would crash.
This was because showing the menu runs an inner message loop that would process the hide for the download bar, leading to the download item that was on the call-stack to be deleted, causing a crasher once the stack unwound and the deleted object was accessed.

BUG= 51187 
TEST=In GMail, open an email with a large attachment (like 2 MB). Drag the file from GMail to your desktop. Click on the arrow on the item on the download bar to bring up the download menu. Keep the menu open until the download is completed and the bar gets hidden. It should not crash.

Review URL: http://codereview.chromium.org/3023052
------------------------------------------------------------------------
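
The re-entrancy described in the two commit messages above, reduced to a stand-alone C++ program: a handler runs a nested loop, a queued task deletes the object whose method is still on the stack, and a liveness flag copied to the stack lets the handler unwind without touching freed memory. This is an example added here, not the code from r55430 or r55443; the names Loop, ItemView, Bar and RunScenario are hypothetical, and the flag is one common guard, not necessarily the fix those revisions applied.

```cpp
// Added illustration: Loop, ItemView, Bar, RunScenario are hypothetical, not Chromium classes.
#include <deque>
#include <functional>
#include <memory>
#include <string>
#include <utility>

// Single-threaded task queue standing in for the UI message loop.
struct Loop {
  std::deque<std::function<void()>> tasks;
  void Post(std::function<void()> t) { tasks.push_back(std::move(t)); }
  // Drains pending tasks. Called from inside a handler, this is a nested loop.
  void RunUntilIdle() {
    while (!tasks.empty()) {
      std::function<void()> t = std::move(tasks.front());
      tasks.pop_front();
      t();
    }
  }
};

class ItemView {
 public:
  explicit ItemView(Loop* loop) : loop_(loop), alive_(new bool(true)) {}
  ~ItemView() { *alive_ = false; }
  // Opening the menu blocks in a nested loop, as a modal popup menu does.
  std::string OnMousePressed() {
    std::shared_ptr<bool> alive = alive_;  // stack copy taken before re-entering
    loop_->RunUntilIdle();                 // may run the task that deletes `this`
    if (!*alive)                           // object destroyed: touch no members
      return "deleted-during-menu";
    pressed_ = false;  // without the check above, this write is a use-after-free
    return "menu-closed";
  }
 private:
  Loop* loop_;
  std::shared_ptr<bool> alive_;
  bool pressed_ = true;
};

struct Bar {  // owns the item, like the download bar owning its item views
  std::unique_ptr<ItemView> item;
  void Hide() { item.reset(); }
};

std::string RunScenario(bool download_completes_while_menu_open) {
  Loop loop;
  Bar bar;
  bar.item.reset(new ItemView(&loop));
  if (download_completes_while_menu_open) loop.Post([&bar] { bar.Hide(); });
  return bar.item->OnMousePressed();
}

int main() { return RunScenario(true) == "deleted-during-menu" ? 0 : 1; }
```

Building the unguarded variant with AddressSanitizer (`-fsanitize=address`) reports the write to `pressed_` as a heap-use-after-free, which is a reliable way to catch this class of bug in tests.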

Status: Fixed
Status: Verified
Build: 6.0.472.33
Labels: -Crash bulkmove Stability-Crash
Project Member Comment 17 by bugdroid1@chromium.org, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member Comment 18 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Area-UI -Feature-Downloads -Mstone-6 M-6 Cr-UI Cr-UI-Browser-Downloads
Project Member Comment 19 by bugdroid1@chromium.org, Mar 13 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue