Closed
Bug 295670
Opened 19 years ago
Closed 19 years ago
Crash in [@ nsDOMEvent::GetTargetFromFrame] when clicking menu items...
Categories
(Core :: DOM: UI Events & Focus Handling, defect, P1)
Core
DOM: UI Events & Focus Handling
Tracking
()
VERIFIED
FIXED
mozilla1.8beta3
People
(Reporter: bsr500, Assigned: bzbarsky)
References
()
Details
(Keywords: crash, regression)
Crash Data
Attachments
(3 files)
744 bytes,
text/html
|
Details | |
657 bytes,
text/html
|
Details | |
2.40 KB,
patch
|
roc
:
review+
roc
:
superreview+
chofmann
:
approval1.8b3+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050526 Firefox/1.0+ Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050526 Firefox/1.0+ On http://www.demonhunter.net if you click "media" it will crash browser (3/4 of the time) Reproducible: Sometimes Steps to Reproduce: 1. Goto www.demonhunter.net 2. Click Media in the menu 3. Click it again if nothing happens Actual Results: Crashes browser. Expected Results: Not crash.
Comment 1•19 years ago
|
||
They are using cludgy JS code to do the mouse overs. Seems to crash in Trunk builds Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8b2) Gecko/20050514 Firefox/1.0+ But WFM on milestone Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050512 Firefox/1.0.4
Comment 2•19 years ago
|
||
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b2) Gecko/20050527 Firefox/1.0+ ID:2005052704 WFM (tried 20 times) Wait for todays trunk build and try it again , some serious crashing has been fixed
Comment 3•19 years ago
|
||
I get the bug Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050526 Firefox/1.0+.Talkback reports TB6170556H and TB6170569Q.
Component: General → JavaScript Engine
Keywords: crash,
regression
Product: Firefox → Core
Version: unspecified → Trunk
Updated•19 years ago
|
Component: JavaScript Engine → Event Handling
Comment 4•19 years ago
|
||
Confirming. I see this with build 2005-05-27-06 on Windows XP Seamonkey trunk. nsDOMEvent::GetTargetFromFrame [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsDOMEvent.cpp, line 234] nsDOMEvent::nsDOMEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsDOMEvent.cpp, line 115] nsDOMUIEvent::nsDOMUIEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsDOMUIEvent.cpp, line 59] nsDOMMouseEvent::nsDOMMouseEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsDOMMouseEvent.cpp, line 52] nsXULElement::HandleDOMEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xul/content/src/nsXULElement.cpp, line 2140] nsXULElement::HandleDOMEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xul/content/src/nsXULElement.cpp, line 2173] nsXULElement::HandleDOMEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xul/content/src/nsXULElement.cpp, line 2173] nsXULElement::HandleChromeEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xul/content/src/nsXULElement.cpp, line 2869] nsGlobalWindow::HandleDOMEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/dom/src/base/nsGlobalWindow.cpp, line 903] nsDocument::HandleDOMEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsDocument.cpp, line 3958] nsGenericElement::HandleDOMEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 2085] nsGenericElement::HandleDOMEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 2079] nsGenericElement::HandleDOMEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 2079] nsGenericElement::HandleDOMEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 2079] nsGenericElement::HandleDOMEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 2079] nsGenericElement::HandleDOMEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 2079] nsGenericElement::HandleDOMEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 2079] nsGenericElement::HandleDOMEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 2079] nsGenericElement::HandleDOMEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 2079] nsGenericElement::HandleDOMEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 2079] nsGenericElement::HandleDOMEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 2079] nsGenericElement::HandleDOMEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 2079] nsGenericElement::HandleDOMEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 2079] nsGenericElement::HandleDOMEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 2079] nsGenericElement::HandleDOMEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 2079] nsGenericHTMLElement::HandleDOMEventForAnchors [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 1475] nsHTMLLinkElement::HandleDOMEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLLinkElement.cpp, line 308] nsGenericElement::HandleDOMEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 2079] nsHTMLImageElement::HandleDOMEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLImageElement.cpp, line 507] nsEventStateManager::DispatchMouseEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventStateManager.cpp, line 2518] nsEventStateManager::NotifyMouseOver [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventStateManager.cpp, line 2640] nsEventStateManager::GenerateMouseEnterExit [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventStateManager.cpp, line 2672] nsEventStateManager::PreHandleEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventStateManager.cpp, line 479] PresShell::HandleEventInternal [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/base/nsPresShell.cpp, line 6321] PresShell::HandleEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/base/nsPresShell.cpp, line 6167] nsViewManager::HandleEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp, line 2502] nsViewManager::DispatchEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp, line 2224] nsViewManager::ProcessSynthMouseMoveEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp, line 4442] nsSynthMouseMoveEvent::HandleEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp, line 4386] SHDOCVW.dll + 0x150c24 (0x778b0c24) 0x006e006f
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Crash when clicking menu items... → Crash in [@ nsDOMEvent::GetTargetFromFrame] when clicking menu items...
Comment 5•19 years ago
|
||
This crashes for me, when clicking a couple of times on the image link. As a sidenote, strange things happen when hovering over the image. I continuously get mouseover/mouseout events. I don't think that should happen.
Comment 6•19 years ago
|
||
Ok, doesn't crash in 2005-03-28 build, but there the image shrinks to nothing, which doesn't seem correct to me, either. It crashes in 2005-03-29 build. http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2005-03-28+06%3A00%3A00&maxdate=2005-03-29+09%3A00%3A00&cvsroot=%2Fcvsroot It seems to me that bug 286813 is a likely culprit.
Comment 7•19 years ago
|
||
The bug only happens in strict mode, in quirks mode, everything seems to work just fine.
Assignee | ||
Comment 8•19 years ago
|
||
> I continuously get mouseover/mouseout events.
That's correct -- you're toggling the image URI between broken image and the cat
picture. When it's broken, the mouse is not over the image, so mouseout fires
on the image....
Assignee | ||
Comment 9•19 years ago
|
||
I consistently crash with the following stack: #0 0xb6ba6733 in nsCachedStyleData::GetStyleData (this=0xddddddf9, aSID=@0xbfffe070) at nsRuleNode.h:210 #1 0xb6ba8204 in nsStyleContext::GetStyleData (this=0xdddddddd, aSID=eStyleStruct_UserInterface) at ../../../mozilla/layout/style/nsStyleContext.cpp:248 #2 0xb69ea6e2 in nsIFrame::GetStyleData (this=0x89677e0, aSID=eStyleStruct_UserInterface) at nsIFrame.h:607 #3 0xb69fd3aa in nsIFrame::GetStyleUserInterface (this=0x89677e0) at nsStyleStructList.h:106 #4 0xb6d0dd8f in nsEventStateManager::SetContentState (this=0x89683a8, aContent=0x88ce5b8, aState=4) at ../../../../mozilla/content/events/src/nsEventStateManager.cpp:3721 #5 0xb6d0a526 in nsEventStateManager::NotifyMouseOver (this=0x89683a8, aEvent=0xbfffe820, aContent=0x88ce5b8) at ../../../../mozilla/content/events/src/nsEventStateManager.cpp:2637 #6 0xb6d0a709 in nsEventStateManager::GenerateMouseEnterExit (this=0x89683a8, aEvent=0xbfffe820) at ../../../../mozilla/content/events/src/nsEventStateManager.cpp:2672 #7 0xb6d04564 in nsEventStateManager::PreHandleEvent (this=0x89683a8, aPresContext=0x8844b70, aEvent=0xbfffe820, aTargetFrame=0x89cde68, aStatus=0xbfffe748, aView=0x8968638) at ../../../../mozilla/content/events/src/nsEventStateManager.cpp:478 #8 0xb6a35642 in PresShell::HandleEventInternal (this=0x89a1278, aEvent=0xbfffe820, aView=0x8968638, aFlags=1, aStatus=0xbfffe748) at ../../../mozilla/layout/base/nsPresShell.cpp:6168 #9 0xb6a3502b in PresShell::HandleEvent (this=0x89a1278, aView=0x8968638, aEvent=0xbfffe820, aEventStatus=0xbfffe748, aForceHandle=0, aHandled=@0xbfffe6d8) at ../../../mozilla/layout/base/nsPresShell.cpp:6020 #10 0xb6e46bc1 in nsViewManager::HandleEvent (this=0x8690060, aView=0x896d2e8, aEvent=0xbfffe820, aCaptured=0) at ../../../mozilla/view/src/nsViewManager.cpp:2500 #11 0xb6e460dd in nsViewManager::DispatchEvent (this=0x8690060, aEvent=0xbfffe820, aStatus=0xbfffe81c) at ../../../mozilla/view/src/nsViewManager.cpp:2224 #12 0xb6e4b09b in nsViewManager::ProcessSynthMouseMoveEvent (this=0x8690060, aFromScroll=0) at ../../../mozilla/view/src/nsViewManager.cpp:4440 (gdb) frame 4 #4 0xb6d0dd8f in nsEventStateManager::SetContentState (this=0x89683a8, aContent=0x88ce5b8, aState=4) at ../../../../mozilla/content/events/src/nsEventStateManager.cpp:3721 3721 const nsStyleUserInterface* ui = mCurrentTarget->GetStyleUserInterface(); (gdb) p *mCurrentTarget $3 = {<nsISupports> = {_vptr.nsISupports = 0x0}, mRect = {x = -572662307, y = -572662307, width = -572662307, height = -572662307}, mContent = 0xdddddddd, mStyleContext = 0xdddddddd, mParent = 0xdddddddd, mNextSibling = 0xdddddddd, mState = 3722304989} Not sure how we get to have an mCurrentTarget that's dead.... I'm guessing this is a regression from bug 284664.
Flags: blocking1.8b3?
OS: Windows XP → All
Hardware: PC → All
Assignee | ||
Comment 10•19 years ago
|
||
Have to make sure to set the external reference bit so we'll be notified if the frame dies.
Attachment #185199 -
Flags: superreview?(roc)
Attachment #185199 -
Flags: review?(roc)
Attachment #185199 -
Flags: superreview?(roc)
Attachment #185199 -
Flags: superreview+
Attachment #185199 -
Flags: review?(roc)
Attachment #185199 -
Flags: review+
Assignee | ||
Comment 11•19 years ago
|
||
Comment on attachment 185199 [details] [diff] [review] This fixes things for me.... Requesting 1.8b3 approval for crash fix
Attachment #185199 -
Flags: approval1.8b3?
Comment 12•19 years ago
|
||
Comment on attachment 185199 [details] [diff] [review] This fixes things for me.... a=chofmann
Attachment #185199 -
Flags: approval1.8b3? → approval1.8b3+
Assignee | ||
Updated•19 years ago
|
Assignee: nobody → bzbarsky
Priority: -- → P1
Target Milestone: --- → mozilla1.8beta3
Assignee | ||
Comment 13•19 years ago
|
||
Fixed for 1.8b3
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Updated•19 years ago
|
Status: RESOLVED → VERIFIED
Updated•19 years ago
|
Flags: blocking1.8b3?
Updated•13 years ago
|
Crash Signature: [@ nsDOMEvent::GetTargetFromFrame]
Updated•5 years ago
|
Component: Event Handling → User events and focus handling
You need to log in
before you can comment on or make changes to this bug.
Description
•