Closed Bug 69589 Opened 24 years ago Closed 23 years ago

M08 & trunk Crash on AIM Express [@ nsEventStateManager::UpdateCursor]

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla0.9

People

(Reporter: peterlubczynski-bugs, Assigned: peterlubczynski-bugs)

References

(
URL
)

Details

(Keywords: crash, topcrash)

Crash Data

Attachments

(2 files)

Screenshot of warning about crash (Thanks AOL!)
18.36 KB, image/jpeg
Details
simple null pointer check
285 bytes, patch
Details | Diff | Splinter Review 
Visit AIM Express with a trunk pull and notice all the assertions, then a crash 
in layout (GKCONTENT). Oddly enough, if you wait long enough during an 
assertion dialog, the Java applet actually loads and looks like it's going to 
work if it wasn't for all the assertions and then the final crash. I think 
busyFlags is pointing off into space. I think this is layout, but throw it back 
to me if it's plugins. 

Here's the stack trace:

nsEventStateManager::UpdateCursor(nsIPresContext * 0x16300840, nsEvent * 
0x0012f80c, nsIFrame * 0x164226fc, nsEventStatus * 0x0012f700) line 1485 + 18 
bytes
nsEventStateManager::PreHandleEvent(nsEventStateManager * const 0x16311e60, 
nsIPresContext * 0x16300840, nsEvent * 0x0012f80c, nsIFrame * 0x164226fc, 
nsEventStatus * 0x0012f700, nsIView * 0x162c0a88) line 316
PresShell::HandleEventInternal(nsEvent * 0x0012f80c, nsIView * 0x162c0a88, 
unsigned int 1, nsEventStatus * 0x0012f700) line 4841 + 43 bytes
PresShell::HandleEvent(PresShell * const 0x162368bc, nsIView * 0x162c0a88, 
nsGUIEvent * 0x0012f80c, nsEventStatus * 0x0012f700, int 0, int & 1) line 4782 + 
25 bytes
nsView::HandleEvent(nsView * const 0x162c0a88, nsGUIEvent * 0x0012f80c, unsigned 
int 8, nsEventStatus * 0x0012f700, int 0, int & 1) line 372
nsView::HandleEvent(nsView * const 0x00ce5a50, nsGUIEvent * 0x0012f80c, unsigned 
int 8, nsEventStatus * 0x0012f700, int 0, int & 1) line 345
nsView::HandleEvent(nsView * const 0x163e0100, nsGUIEvent * 0x0012f80c, unsigned 
int 28, nsEventStatus * 0x0012f700, int 1, int & 1) line 345
nsViewManager2::DispatchEvent(nsViewManager2 * const 0x163eff10, nsGUIEvent * 
0x0012f80c, nsEventStatus * 0x0012f700) line 1424
HandleEvent(nsGUIEvent * 0x0012f80c) line 68
nsWindow::DispatchEvent(nsWindow * const 0x00ce5b0c, nsGUIEvent * 0x0012f80c, 
nsEventStatus & nsEventStatus_eIgnore) line 687 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f80c) line 708
nsWindow::DispatchMouseEvent(unsigned int 300, nsPoint * 0x00000000) line 3949 + 
21 bytes
ChildWindow::DispatchMouseEvent(unsigned int 300, nsPoint * 0x00000000) line 
4159
nsWindow::ProcessMessage(unsigned int 512, unsigned int 0, long 26673731, long * 
0x0012fbc0) line 2943 + 24 bytes
nsWindow::WindowProc(HWND__ * 0x001201ae, unsigned int 512, unsigned int 0, long 
26673731) line 923 + 27 bytes
USER32! 77e148dc()
USER32! 77e14aa7()
USER32! 77e266fd()
nsAppShellService::Run(nsAppShellService * const 0x00b90228) line 408
main1(int 1, char * * 0x004a7b38, nsISupports * 0x00000000) line 978 + 32 bytes
main(int 1, char * * 0x004a7b38) line 1270 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e992a6()
Keywords: crash
This worked for me with just pulled debug build. I was able to sign on and chat.
I just pulled this morning. Strange. 

Shrir, can you try this as well?
I am on NT4.0. Could be that but unlikely.
Possible dupe of 67670? Thoughts?
reassigning to buster's list.
Assignee: karnaze → buster
This is a topcrash for mozilla 0.8 
adding topcrash keyword, M08 and [@ nsEventStateManager::UpdateCursor] for 
tracking

Here's the latest stack trace:

Incident ID 26826238 
nsEventStateManager::UpdateCursor 
[d:\builds\0.8\mozilla\layout\events\src\nsEventStateManager.cpp, line 1427] 
nsEventStateManager::PreHandleEvent 
[d:\builds\0.8\mozilla\layout\events\src\nsEventStateManager.cpp, line 303] 
PresShell::HandleEventInternal 
[d:\builds\0.8\mozilla\layout\html\base\src\nsPresShell.cpp, line 4911] 
PresShell::HandleEvent 
[d:\builds\0.8\mozilla\layout\html\base\src\nsPresShell.cpp, line 4851] 
nsView::HandleEvent [d:\builds\0.8\mozilla\view\src\nsView.cpp, line 372] 
nsView::HandleEvent [d:\builds\0.8\mozilla\view\src\nsView.cpp, line 345] 
nsView::HandleEvent [d:\builds\0.8\mozilla\view\src\nsView.cpp, line 345] 
nsViewManager2::DispatchEvent 
[d:\builds\0.8\mozilla\view\src\nsViewManager2.cpp, line 1424] 
HandleEvent [d:\builds\0.8\mozilla\view\src\nsView.cpp, line 68] 
nsWindow::DispatchEvent [d:\builds\0.8\mozilla\widget\src\windows\nsWindow.cpp, 
line 691] 
USER32.dll + 0x1a43f (0x77e8a43f) 
nsWindow::DispatchMouseEvent 
[d:\builds\0.8\mozilla\widget\src\windows\nsWindow.cpp, line 3951] 
ChildWindow::DispatchMouseEvent 
[d:\builds\0.8\mozilla\widget\src\windows\nsWindow.cpp, line 4159] 
nsWindow::ProcessMessage [d:\builds\0.8\mozilla\widget\src\windows\nsWindow.cpp, 
line 2991] 
nsWindow::WindowProc [d:\builds\0.8\mozilla\widget\src\windows\nsWindow.cpp, 
line 924] 
USER32.dll + 0x1820 (0x77e71820) 
0x00a1026e 

and here are some user comments and URLs to help reproduce:

        URL:(26937830) mycnn.com
        URL:(26950869) www.herrschners.com
        URL:(26661911) www.obersparpfennig.de
        URL:(26686719) http://www.bestbytes.de
        URL:(26986654) www.netfunny.org
        URL:(26623977) www.freewarepub.net
        URL:(26613092) 
http://slashdot.org/article.pl?sid=01/02/13/0720252&mode=thread
        URL:(26826238) http://my.yahoo.com
        URL:(27404004) http://www.zfmicro.com
        Comment: (26937830) save&close layout customization
        Comment: (27293569) going back several pages in history
        Comment: (26661911) denying the loading of images
        Comment: (27212523) Loading the following
page<HTML><HEAD><SCRIPT>var tid;function closeWin () {  tid =
setTimeout('window.close()'
        Comment: (27212523)  (document.body.all[e].onfocus) {
        Comment: (27212523)      }
        Comment: (27212523)  ONFOCUS="window.status = 'enter name'">
        Comment: (26686719) clicked a link button; maybe
unintentionally clicked it twice;(btw.this site attempts to
dynamically set the positon of a div on mouseover events of the
button.)
        Comment: (26986654) clicking on a link
        Comment: (26623977) Set up browser to ask me before accepting
images.  I was accepting/rejecting images when the browser crashed.
        Comment: (26613092) I clicked a link and then quickly pressed
the stop button (did not mean to click the link).
        Comment: (26826238) Selected bookmark from menuDr.
Watson:Exception: access violation (0xc0000005)
        Comment: (27168740) I was looking at www.slashdot.org and
trying to follow a link to one of the old "Ask Slashdot" articles
        Comment: (27320150) clicked the "delete" button in a
Microsoft Exchange outlook-for-theweb mail message
        Comment: (27404004) trying to enlarge an image
Keywords: topcrash
Summary: Crash on AIM Express → M08 Crash on AIM Express [@ nsEventStateManager::UpdateCursor]
buster's gone.  -> saari, cc joki
Assignee: buster → saari
Note: This WFM in Windows builds on 2/23 builds at home. And Andrei says it 
works. I'm willing to mark this WFM if it wasn't for all the Top Crash data. But 
this isn't a plugin issue.
This happens if you move the cursor in a special way. We get a null DocShell in 
the event state manager. I have a patch for this at home I will attach shortly. 

Adding "trunk" in the summary and changing OS to "All". A series of these 
bugs have been showing up in the top 20 bugs of nightly trunk builds on both 
Linux and Windows.
OS: Windows 2000 → All
Summary: M08 Crash on AIM Express [@ nsEventStateManager::UpdateCursor] → M08 & trunk Crash on AIM Express [@ nsEventStateManager::UpdateCursor]
Peter, please attach your patch, this is a top crash now. Thanks!
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla0.9

    
    

    
  
I think this does it for me. Can anyone else who is seeing this try out my 
patch? review? Thanks!
Assignee: saari → peterlubczynski
Status: ASSIGNED → NEW

    
    

    
  
Using nscatfood keyword to track crash car bugs.
Keywords: nsCatFood

    
    

    
  
Woo Hoo! [s]r=attinasi on attachID=27750

Are we having another problem that still should be investigated here? Clearly,
checking for null is good, but I'd worry about a deeper bug we might be masking...

    
    

    
  
r=saari, but could someone comment on the way you have to move the cursor to get
a null docshell? I'm curious...

    
    

    
  
I'm not exactly sure as I can only reproduce it sometimes. I'm more concerned 
about the talkback data.
Status: NEW → ASSIGNED

    
    

    
  
Patch checked in.

===>new revision: 1.243; previous revision: 1.242
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED

    
    

    
  
Marking verified per last comments.
Status: RESOLVED → VERIFIED
Crash Signature: [@ nsEventStateManager::UpdateCursor]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: