Opened 8 years ago

Closed 7 years ago

Last modified 7 years ago

#5021 closed defect (fixed)

Dragging images causes Tor Browser to crash on Mac

Reported by: mwolfe Owned by: mikeperry
Priority: High Milestone: TorBrowserBundle 2.2.x-stable
Component: TorBrowserButton Version:
Severity: Keywords: MikePerry201204
Cc: Sebastian, g.koppen@… Actual Points: 4
Parent ID: Points: 4
Reviewer: Sponsor:

Description

If I deliberately or accidentally hold my mouse on an image and move the image, TBB Firefox (and before TBB Firefox, TBB Aurora) always crashes.

This happens on Snow Leopard, OS X 10.6.8 (not a problem on Windows).

The hardware is a MacBook Pro 2.66 GHz Intel Core i7.

I am currently using TBB 2.2.35-5, but this has been the case for all previous TBB.

Child Tickets

Attachments (2)

crash log.doc (119.5 KB) - added by mwolfe 8 years ago.
crash-report.txt (34.8 KB) - added by cypherpunks 8 years ago.
Crash Report - Image Dragging in TOR browser (OSX)

Download all attachments as: .zip

Change History (25)

comment:1 Changed 8 years ago by Sebastian

Component: - Select a componentTor Browser
Owner: set to mikeperry

Can't reproduce on Lion, can someone reproduce this at all and get some crash logs?

Changed 8 years ago by mwolfe

Attachment: crash log.doc added

comment:2 Changed 8 years ago by mikeperry

Component: Tor BrowserTorBrowserButton
Keywords: Firefox for TBB removed
Summary: Moving images on a webpage causes TBB Firefox to crashDragging images causes Tor Browser to crash on Mac
Version: Tor: 0.2.2.35

I can repro on my Mac, but no where else. Also, #4932 is a dup.

comment:3 Changed 8 years ago by mikeperry

mwolfe: is it possible to save that doc as a txt file and re-upload?

comment:4 Changed 8 years ago by mikeperry

Milestone: TorBrowserBundle 2.2.x-stable
Priority: normalmajor

comment:5 Changed 8 years ago by cypherpunks

The bug is not just limited to images. Dragging tabs into 'whitespace' surrounding browser window will result in the same crash behaviour. Expected behaviour is for aforementioned dragging manoeuvre to result in the tab opening in a new window.

Changed 8 years ago by cypherpunks

Attachment: crash-report.txt added

Crash Report - Image Dragging in TOR browser (OSX)

comment:6 Changed 8 years ago by Sebastian

Are there any updates/progress/things we can help with? This is a pretty big issue :/

comment:7 Changed 8 years ago by Sebastian

The discussion on https://bugzilla.mozilla.org/show_bug.cgi?id=673301 appears to be potentially relevant here

comment:8 Changed 8 years ago by mikeperry

FYI, the relevant code is invokeDragSessionWithImage() in external-app-blocker.js.

I do have a Mac. If it crashes on me enough times, I might be motivated to get to this soon... But the stack trace is in the middle of nowhere, so most likely I'll just be banging on the JS code blindly.

It's quite likely there is an underlying Firefox XPCOM bug on Mac triggering our woes here.. Which means I'm going to need to install Xcode+gdb and set up my Mac for Firefox development to fix this one... Not something I'm looking forward to.

comment:9 Changed 8 years ago by mikeperry

Cc: Sebastian added

Sebastian claims that commenting out invokeDragSessionWithImage and also unregistering the component did not help.. I think the next step is to try a Torbutton from before this support was added. 1.4.4.1 should do.

https://archive.torproject.org/tor-package-archive/torbutton/

comment:10 Changed 8 years ago by mikeperry

Sebastian: 1.4.4.1 works without crashing on my Mac. Let me know if it still crashes for you. If it still crashes, #5455 probably *is* a different crash bug...

comment:11 Changed 8 years ago by Sebastian

No, going back to 1.4.4.1 totally fixes the crash for me.

comment:12 in reply to:  11 Changed 8 years ago by mikeperry

Replying to Sebastian:

No, going back to 1.4.4.1 totally fixes the crash for me.

Ok then can you try out dragging tabs, images, and links around between browser windows, onto the desktop, and into other apps while running wireshark and let me know which ones cause proxy bypass? I'm especially interested in 10.7.

comment:13 Changed 8 years ago by Sebastian

I'm no expert in wireshark, but I didn't find any leak for just dragging any of the three inside Firefox. Once I dragged them to either the desktop or some other apps, stuff started leaking for images. Hyperlinks, texts, and tabs seemed to be fine.

comment:14 Changed 8 years ago by mikeperry

Bleh.. What happens if you set about:config pref nglayout.enable_drag_images to false? Any leaks then?

comment:15 Changed 8 years ago by Sebastian

That helped for images... Dragging a link into a browser means leakage tho, as the url is automatically loaded. I hadn't seen that before :/

comment:16 Changed 8 years ago by mikeperry

Ok, I was all set to reproduce this in vanilla Firefox 11 with Torbutton 1.4.5.1 today so I could pawn it off on Mozilla and forget about it for a while, but the damn thing isn't crashing with vanilla FF 11...

However, Torbutton 1.4.5.1 *is* successfully blocking drag and drop still on vanilla FF11, so for whatever reason the dnd blocking code is only causing crashes on our Firefox builds.

Perhaps there is something about our Mac OS build options that breaks these hooks?

comment:17 Changed 8 years ago by Sebastian

I'm using these settings:

# Options for client.mk.
mk_add_options MOZ_OBJDIR=@TOPSRCDIR@/obj-@CONFIG_GUESS@
mk_add_options AUTOCONF=autoconf213
mk_add_options MOZILLA_OFFICIAL=1
mk_add_options BUILD_OFFICIAL=1
mk_add_options MOZ_MAKE_FLAGS="-s --no-print-directory -j8"

# Options for cross-compilation on Snow Leopard.
HOST_CC="gcc -arch i386"
HOST_CXX="g++ -arch i386"
CC="gcc -arch i386"
CXX="g++ -arch i386"
RANLIB=ranlib
AR=ar
AS=$CC
LD=ld
STRIP="strip -x -S"
CROSS_COMPILE=1
ac_add_options --target=i386-apple-darwin$DARWIN_VERSION

# Options for 'configure' (same as command-line options).
ac_add_options --with-macos-sdk=/Developer/SDKs/MacOSX10.6.sdk
ac_add_options --enable-macos-target=10.5
ac_add_options --enable-application=browser
ac_add_options --enable-official-branding
ac_add_options --enable-optimize
ac_add_options --enable-strip
ac_add_options --disable-debug
ac_add_options --disable-tests
ac_add_options --disable-crashreporter

comment:18 Changed 8 years ago by mikeperry

Yeah, there doesn't seem to be anything obvious wrt to drag+drop in that list... Are we able to extract the actual Mac build options out of Mozilla/the Firefox binaries in any way?

One quick test would be to build a Firefox from source with these options without any of my patches and see if it still crashes with Torbutton 1.4.5.1. There's a remote possibility one of my patches broke something tangentially.. Though I don't see any likely suspects.

comment:19 in reply to:  18 Changed 8 years ago by Sebastian

Replying to mikeperry:

Yeah, there doesn't seem to be anything obvious wrt to drag+drop in that list... Are we able to extract the actual Mac build options out of Mozilla/the Firefox binaries in any way?

Not to my knowledge.

One quick test would be to build a Firefox from source with these options without any of my patches and see if it still crashes with Torbutton 1.4.5.1. There's a remote possibility one of my patches broke something tangentially.. Though I don't see any likely suspects.

I built a firefox without any patches, and it crashes just the same. :/

comment:20 Changed 8 years ago by mikeperry

Ok, I performed a slightly different test. Instead of merely testing a Vanilla Firefox + NoScript + HTTPS-Everywhere + Torbutton, I pointed a vanilla Firefox at my TBB profile dir and managed to trigger a crash by dragging an image.

So it is not a build issue, at least.. Sounds like it could be triggered by one of our about:config prefs..

Anyone feel like binary searching through our prefs.js? :)

comment:21 Changed 7 years ago by gk

Cc: g.koppen@… added

comment:22 Changed 7 years ago by Sebastian

Resolution: fixed
Status: newclosed

It does appear that the dragging crash is completely resolved. The other crash we're seeing has nothing to do with dragging. I'm closing this as fixed

comment:23 Changed 7 years ago by mikeperry

Actual Points: 4
Keywords: MikePerry201204 added
Points: 4

FYI, the patch we used came from https://bugzilla.mozilla.org/show_bug.cgi?id=715885#c35. It took some cleanup and had some build issues. The resulting patch is in our patches archive (and is also linked from that bug).

Note: See TracTickets for help on using tickets.