Closed Bug 295670 Opened 19 years ago Closed 19 years ago

Crash in [@ nsDOMEvent::GetTargetFromFrame] when clicking menu items...

Categories

(Core :: DOM: UI Events & Focus Handling, defect, P1)

Product:
Core
Component:
DOM: UI Events & Focus Handling
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.8beta3

People

(Reporter: bsr500, Assigned: bzbarsky)

References

(
URL
)

Details

(Keywords: crash, regression)

Crash Data

Attachments

(3 files)

Testcase
744 bytes, text/html
Details
Testcase2, quirks mode
657 bytes, text/html
Details
This fixes things for me....
2.40 KB, patch
roc
: review+
roc
: superreview+
chofmann
: approval1.8b3+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050526 Firefox/1.0+
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050526 Firefox/1.0+

On http://www.demonhunter.net if you click "media" it will crash browser (3/4 of
the time)

Reproducible: Sometimes

Steps to Reproduce:
1. Goto www.demonhunter.net
2. Click Media in the menu
3. Click it again if nothing happens

Actual Results:  
Crashes browser.

Expected Results:  
Not crash.
They are using cludgy JS code to do the mouse overs. 

Seems to crash in Trunk builds 
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8b2) Gecko/20050514 Firefox/1.0+


But WFM on milestone
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050512 Firefox/1.0.4
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b2) Gecko/20050527
Firefox/1.0+ ID:2005052704

WFM (tried 20 times)
Wait for todays trunk build and try it again , some serious crashing has been fixed
I get the bug Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2)
Gecko/20050526 Firefox/1.0+.Talkback reports TB6170556H and TB6170569Q.
Component: General → JavaScript Engine
Keywords: crash, regression
Product: Firefox → Core
Version: unspecified → Trunk
Component: JavaScript Engine → Event Handling
Confirming.  I see this with build 2005-05-27-06 on Windows XP Seamonkey trunk.

nsDOMEvent::GetTargetFromFrame 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsDOMEvent.cpp,
line 234]
nsDOMEvent::nsDOMEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsDOMEvent.cpp,
line 115]
nsDOMUIEvent::nsDOMUIEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsDOMUIEvent.cpp,
line 59]
nsDOMMouseEvent::nsDOMMouseEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsDOMMouseEvent.cpp,
line 52]
nsXULElement::HandleDOMEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2140]
nsXULElement::HandleDOMEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2173]
nsXULElement::HandleDOMEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2173]
nsXULElement::HandleChromeEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2869]
nsGlobalWindow::HandleDOMEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/dom/src/base/nsGlobalWindow.cpp,
line 903]
nsDocument::HandleDOMEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsDocument.cpp,
line 3958]
nsGenericElement::HandleDOMEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp,
line 2085]
nsGenericElement::HandleDOMEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp,
line 2079]
nsGenericElement::HandleDOMEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp,
line 2079]
nsGenericElement::HandleDOMEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp,
line 2079]
nsGenericElement::HandleDOMEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp,
line 2079]
nsGenericElement::HandleDOMEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp,
line 2079]
nsGenericElement::HandleDOMEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp,
line 2079]
nsGenericElement::HandleDOMEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp,
line 2079]
nsGenericElement::HandleDOMEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp,
line 2079]
nsGenericElement::HandleDOMEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp,
line 2079]
nsGenericElement::HandleDOMEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp,
line 2079]
nsGenericElement::HandleDOMEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp,
line 2079]
nsGenericElement::HandleDOMEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp,
line 2079]
nsGenericElement::HandleDOMEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp,
line 2079]
nsGenericElement::HandleDOMEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp,
line 2079]
nsGenericHTMLElement::HandleDOMEventForAnchors 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp,
line 1475]
nsHTMLLinkElement::HandleDOMEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLLinkElement.cpp,
line 308]
nsGenericElement::HandleDOMEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp,
line 2079]
nsHTMLImageElement::HandleDOMEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLImageElement.cpp,
line 507]
nsEventStateManager::DispatchMouseEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventStateManager.cpp,
line 2518]
nsEventStateManager::NotifyMouseOver 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventStateManager.cpp,
line 2640]
nsEventStateManager::GenerateMouseEnterExit 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventStateManager.cpp,
line 2672]
nsEventStateManager::PreHandleEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventStateManager.cpp,
line 479]
PresShell::HandleEventInternal 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/base/nsPresShell.cpp,
line 6321]
PresShell::HandleEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/base/nsPresShell.cpp,
line 6167]
nsViewManager::HandleEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp,
line 2502]
nsViewManager::DispatchEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp,
line 2224]
nsViewManager::ProcessSynthMouseMoveEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp,
line 4442]
nsSynthMouseMoveEvent::HandleEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp,
line 4386]
SHDOCVW.dll + 0x150c24 (0x778b0c24)
0x006e006f
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Crash when clicking menu items... → Crash in [@ nsDOMEvent::GetTargetFromFrame] when clicking menu items...
Attached file Testcase 
This crashes for me, when clicking a couple of times on the image link.
As a sidenote, strange things happen when hovering over the image. I
continuously get mouseover/mouseout events. I don't think that should happen.
Ok, doesn't crash in 2005-03-28 build, but there the image shrinks to nothing,
which doesn't seem correct to me, either.
It crashes in 2005-03-29 build.
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2005-03-28+06%3A00%3A00&maxdate=2005-03-29+09%3A00%3A00&cvsroot=%2Fcvsroot
It seems to me that bug 286813 is a likely culprit.
Attached file Testcase2, quirks mode 
The bug only happens in strict mode, in quirks mode, everything seems to work
just fine.
> I continuously get mouseover/mouseout events.

That's correct -- you're toggling the image URI between broken image and the cat
picture.  When it's broken, the mouse is not over the image, so mouseout fires
on the image....
I consistently crash with the following stack:

#0  0xb6ba6733 in nsCachedStyleData::GetStyleData (this=0xddddddf9,
aSID=@0xbfffe070)
    at nsRuleNode.h:210
#1  0xb6ba8204 in nsStyleContext::GetStyleData (this=0xdddddddd, 
    aSID=eStyleStruct_UserInterface)
    at ../../../mozilla/layout/style/nsStyleContext.cpp:248
#2  0xb69ea6e2 in nsIFrame::GetStyleData (this=0x89677e0, 
    aSID=eStyleStruct_UserInterface) at nsIFrame.h:607
#3  0xb69fd3aa in nsIFrame::GetStyleUserInterface (this=0x89677e0)
    at nsStyleStructList.h:106
#4  0xb6d0dd8f in nsEventStateManager::SetContentState (this=0x89683a8, 
    aContent=0x88ce5b8, aState=4)
    at ../../../../mozilla/content/events/src/nsEventStateManager.cpp:3721
#5  0xb6d0a526 in nsEventStateManager::NotifyMouseOver (this=0x89683a8, 
    aEvent=0xbfffe820, aContent=0x88ce5b8)
    at ../../../../mozilla/content/events/src/nsEventStateManager.cpp:2637
#6  0xb6d0a709 in nsEventStateManager::GenerateMouseEnterExit (this=0x89683a8, 
    aEvent=0xbfffe820)
    at ../../../../mozilla/content/events/src/nsEventStateManager.cpp:2672
#7  0xb6d04564 in nsEventStateManager::PreHandleEvent (this=0x89683a8, 
    aPresContext=0x8844b70, aEvent=0xbfffe820, aTargetFrame=0x89cde68, 
    aStatus=0xbfffe748, aView=0x8968638)
    at ../../../../mozilla/content/events/src/nsEventStateManager.cpp:478
#8  0xb6a35642 in PresShell::HandleEventInternal (this=0x89a1278,
aEvent=0xbfffe820, 
    aView=0x8968638, aFlags=1, aStatus=0xbfffe748)
    at ../../../mozilla/layout/base/nsPresShell.cpp:6168
#9  0xb6a3502b in PresShell::HandleEvent (this=0x89a1278, aView=0x8968638, 
    aEvent=0xbfffe820, aEventStatus=0xbfffe748, aForceHandle=0,
aHandled=@0xbfffe6d8)
    at ../../../mozilla/layout/base/nsPresShell.cpp:6020
#10 0xb6e46bc1 in nsViewManager::HandleEvent (this=0x8690060, aView=0x896d2e8, 
    aEvent=0xbfffe820, aCaptured=0) at
../../../mozilla/view/src/nsViewManager.cpp:2500
#11 0xb6e460dd in nsViewManager::DispatchEvent (this=0x8690060, aEvent=0xbfffe820, 
    aStatus=0xbfffe81c) at ../../../mozilla/view/src/nsViewManager.cpp:2224
#12 0xb6e4b09b in nsViewManager::ProcessSynthMouseMoveEvent (this=0x8690060, 
    aFromScroll=0) at ../../../mozilla/view/src/nsViewManager.cpp:4440

(gdb) frame 4
#4  0xb6d0dd8f in nsEventStateManager::SetContentState (this=0x89683a8, 
    aContent=0x88ce5b8, aState=4)
    at ../../../../mozilla/content/events/src/nsEventStateManager.cpp:3721
3721        const nsStyleUserInterface* ui =
mCurrentTarget->GetStyleUserInterface();
(gdb) p *mCurrentTarget
$3 = {<nsISupports> = {_vptr.nsISupports = 0x0}, mRect = {x = -572662307, 
    y = -572662307, width = -572662307, height = -572662307}, mContent =
0xdddddddd, 
  mStyleContext = 0xdddddddd, mParent = 0xdddddddd, mNextSibling = 0xdddddddd, 
  mState = 3722304989}

Not sure how we get to have an mCurrentTarget that's dead....

I'm guessing this is a regression from bug 284664.
Flags: blocking1.8b3?
OS: Windows XP → All
Hardware: PC → All
Have to make sure to set the external reference bit so we'll be notified if the
frame dies.
Attachment #185199 - Flags: superreview?(roc)
Attachment #185199 - Flags: review?(roc)
Attachment #185199 - Flags: superreview?(roc)
Attachment #185199 - Flags: superreview+
Attachment #185199 - Flags: review?(roc)
Attachment #185199 - Flags: review+
Comment on attachment 185199 [details] [diff] [review]
This fixes things for me....

Requesting 1.8b3 approval for crash fix
Attachment #185199 - Flags: approval1.8b3?
Comment on attachment 185199 [details] [diff] [review]
This fixes things for me....

a=chofmann
Attachment #185199 - Flags: approval1.8b3? → approval1.8b3+
Assignee: nobody → bzbarsky
Priority: -- → P1
Target Milestone: --- → mozilla1.8beta3
Fixed for 1.8b3
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
Flags: blocking1.8b3?
Crash Signature: [@ nsDOMEvent::GetTargetFromFrame]
Component: Event Handling → User events and focus handling
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: