Closed Bug 135498 Opened 22 years ago Closed 22 years ago

Navigating exclusively in tabs crashes browser - Trunk M100 [@ nsEventStateManager::GetEventTargetContent]

Categories

(Core :: DOM: Events, defect, P1)

Product:
Core
Component:
DOM: Events
Platform:
x86
Windows 98
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.0.1

People

(Reporter: mozilla, Assigned: joki)

References

Details

(Keywords: crash, topcrash+, Whiteboard: win32 only? [adt2 RTM] (jp) [ETA Needed])

Crash Data

Attachments

(2 files)

Stack, Parameters/Values and code for incident 5983904.
4.54 KB, text/plain
Details
Disassambly and Registers
11.21 KB, text/plain
Details 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:0.9.9+) Gecko/20020404
BuildID:    2002040403

This may be a dupe...I saw several reports that were similar, but none of them
described crashes while opening new tabs.

System:
Win98SE
IE 5.5
Visual Studio 6.0 (Visual C++ and Visual Basic)

When browsing exclusively via right clicking and opening pages in new tabs, the
browser will invariably crash after a (fairly small) number of pages have been
opened in this manner.  The limit is usually four to ten new tabs (closing some,
opening new ones, etc...).

The crash always occurs after the new tab is shown, but before the document
interface is drawn.

The text of the fault dialog is:

  MOZILLA caused an invalid page fault in
  module GKCONTENT.DLL at 017f:602fd28e.
  Registers:
  EAX=00000000 CS=017f EIP=602fd28e EFLGS=00010202
  EBX=00000000 SS=0187 ESP=0064f930 EBP=0064f948
  ECX=6033a330 DS=0187 ESI=02311448 FS=3a5f
  EDX=0064f968 ES=0187 EDI=02032d64 GS=0000
  Bytes at CS:EIP:
  ff 50 54 eb 06 8b 45 10 83 20 00 5f 33 c0 5e 5d 
  Stack dump:
  02032d64 0083c300 0064fb0c 0064f968 0258fea8 0258fe80 0064f974
  60300c97 02311448 0064fb0c 0064f968 00000000 021c62a0 0064fb0c
  00000000 02311448 

I have experienced this problem in release builds of 0.9.7, 0.9.9 and in the
daily build 0.9.9.2002040403

Reproducible: Always
Steps to Reproduce:
1. Visit any page with a lot of links (mozilla.org is useful)
2. Open links via right-clicking and choosing New Tab (I usually press the "T" key)
3. Continue doing this, leaving some tabs open, closing others.  I am usually
focused on the FIRST tab for navigation, though I will often open pages from
subsequent tabs, as well.

Actual Results:  Browser will crash. 

Expected Results:  Browser should not crash.

Information on three crashes in this manner was submitted via Talkback:

TB4827731K
TB4827382Q
TB4825217Q
Keywords: crash, stackwanted
Quiet likely a duplicate of bug 134664. We need the stack from the talkback
reports to compare.
nsEventStateManager::GetEventTargetContent 4c037cf2)
    nsEventStateManager::GetEventTargetContent
<javascript:OpenAuxWindow(0, 4827731, 0)>
[d:\builds\seamonkey\mozilla\content\events\src\nsEventStateManager.cpp,
line 3367]
    nsDOMEvent::GetTarget <javascript:OpenAuxWindow(1, 4827731, 0)>
[d:\builds\seamonkey\mozilla\content\events\src\nsDOMEvent.cpp, line 336]
    nsXULElement::HandleDOMEvent <javascript:OpenAuxWindow(2, 4827731,
0)>
[d:\builds\seamonkey\mozilla\content\xul\content\src\nsXULElement.cpp,
line 3425]
    HandleImagePLEvent <javascript:OpenAuxWindow(3, 4827731, 0)>
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsImageFrame.cpp, line
494]
    HandleImageOnloadPLEvent <javascript:OpenAuxWindow(4, 4827731, 0)>
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsImageBoxFrame.cpp,
line 155]
    PL_HandleEvent <javascript:OpenAuxWindow(5, 4827731, 0)>
[d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, line 597]
    PL_ProcessPendingEvents <javascript:OpenAuxWindow(6, 4827731, 0)>
[d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, line 530]
    _md_EventReceiverProc <javascript:OpenAuxWindow(7, 4827731, 0)>
[d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, line 1078]
    KERNEL32.DLL + 0x24407 (0xbff94407) <javascript:OpenAuxWindow(8,
4827731, 0)>
    0x00648c16 <javascript:OpenAuxWindow(9, 4827731, 0)>
Keywords: stackwanted
Summary: Navigating exclusively in tabs crashes browser → Navigating exclusively in tabs crashes browser [nsEventStateManager::GetEventTargetContent]
Confirming this bug, it's been a topcrasher on the MozillaTrunk for a few days now:

nsEventStateManager::GetEventTargetContent   27
		 78574 	 VERI 	 FIXE 	 hewitt@netscape.com 	 mozilla0.9.1 	 2001-05-10 
BBID range: 5122159 - 5441834
Min/Max Seconds since last crash: 45 - 53833
Min/Max Runtime: 45 - 92947
Crash data range: 2002-04-12 to 2002-04-21
Build ID range: 2002041206 to 2002041914
Keyword List : 
Stack Trace: 

	 nsEventStateManager::GetEventTargetContent
[d:\builds\seamonkey\mozilla\content\events\src\nsEventStateManager.cpp  line 3385]
	 nsDOMEvent::GetTarget
[d:\builds\seamonkey\mozilla\content\events\src\nsDOMEvent.cpp  line 336]
	 nsXULElement::HandleDOMEvent
[d:\builds\seamonkey\mozilla\content\xul\content\src\nsXULElement.cpp  line 3354]
	 HandleImagePLEvent
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsImageBoxFrame.cpp  line 145]
	 HandleImageOnloadPLEvent
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsImageBoxFrame.cpp  line 155]
	 PL_HandleEvent
[d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c  line 597]
	 PL_ProcessPendingEvents
[d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c  line 530]
	 _md_EventReceiverProc
[d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c  line 1078]
	 nsAppShellService::Run
[d:\builds\seamonkey\mozilla\xpfe\appshell\src\nsAppShellService.cpp  line 309]
	 main1
[d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp  line 1430]
	 main
[d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp  line 1765]
	 WinMain
[d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp  line 1783]
	 WinMainCRTStartup()
	 KERNEL32.DLL + 0xd326 (0x77e8d326)
 
 	Source File :
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/content/events/src/nsEventStateManager.cpp
line : 3385
     (5441834)	URL: www.jubii.dk
     (5418363)	Comments: I opened link by new tab.
     (5353446)	URL: www.hotmail.com

Adding crash keywords, qawanted to see if we can get this reproduced and
nominating for nsbeta1.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: nsbeta1, qawanted, topcrash
Summary: Navigating exclusively in tabs crashes browser [nsEventStateManager::GetEventTargetContent] → Navigating exclusively in tabs crashes browser [@ nsEventStateManager::GetEventTargetContent]
Sarah, could you take a look at this crash and see if you can reproduce the
crash. Thanks.
i haven't encountered this crash with recent builds from the branch on linux
rh7.2, where i use tabs all the time.

i often use tabs on win2k and mac 10.1.4 as well, and i haven't encountered a
crash like this either.

at first i thought this would be bug 134664, which was fixed on 10 april.
however, Jay sez that the builds for current reports range from 12 - 19 april
--but from the trunk. could this be trunk only?

i'll grab today's trunk bits, but i'll keep qawanted since i have been spending
more time on the branch recently --until i (or another person) come up with a
good recipe or two.
Whiteboard: trunk only?
so far haven't encountered this crash using 2002.04.24.12-trunk (commercial)
bits on linux rh7.2...

Jay, what platforms is this crash occurring on? win32-only, or others?
Sairuh: Talkback data for this stack signature is only showing crashes on Win32
machines.   But if you have been crashing on Linux it might be worth finding out
what stack signature the Linux crashes are being reported under.

This crash appears to be on the Mozilla1.0 branch as well, since there are a few
crashes with Mozilla1.0 RC1.
Summary: Navigating exclusively in tabs crashes browser [@ nsEventStateManager::GetEventTargetContent] → Navigating exclusively in tabs crashes browser - Trunk M1RC1 [@ nsEventStateManager::GetEventTargetContent]
jay, thanks for the info! will play around more with win2k bits today...
Whiteboard: trunk only? → win32 only?
hrm, so far i haven't been able to get a crash using either 2002.04.25.08-gmake
(trunk) or 2002.04.25.08-1.0.0 (branch) commercial bits on win2k.

out of curiosity, for thos who're encountering this: how soon after you start
mozilla (or netscape) d'you see this? how frequently do you see this? also, are
you using QuickLaunch? (btw, i'm not currently using QuickLaunch.)
nsbeta1+/adt2 per Nav triage team
Keywords: nsbeta1nsbeta1+
Whiteboard: win32 only? → win32 only? [adt2]
Target Milestone: --- → mozilla1.0
Whiteboard: win32 only? [adt2] → win32 only? [adt2] (jp)
Is this still happening?  Talkback server seems to be down right now...
Priority: -- → P1
Peter, Talkback shows this signature is still happening on the Trunk with ten
crashes in these Windows builds:
2002050508
2002050408
2002050108
2002043010
2002042603

Here is a single signature with some of the code information, including values
at the time of the crash.
Comment on attachment 82618 [details]
Stack, Parameters/Values and code for incident 5983904.

>nsEventStateManager::GetEventTargetContent [nsEventStateManager.cpp, line 3385]

>3383   if (mCurrentTarget) {
>3384     mCurrentTarget->GetContentForEvent(mPresContext, aEvent, aContent);
>3385     return NS_OK;    <-- Always returning a positive value
>3386   }

This suggests that perhaps mCurrentTarget is pointing to a destroyed
frame.	Disassembly and registers would be the only way to tell for
sure, though.

If that's the case, it might be easier to reproduce the bug if you apply
the patches in bug 114219 and bug 114221 (in a debug build).
dbaron, registers and disassembly for your viewing pleasure.
Yeah, definitely looks like mCurrentTarget was destroyed -- its vtable pointer
is null (that's what's in EAX).
Why isn't this topcrash+?
Whiteboard: win32 only? [adt2] (jp) → win32 only? [adt1] (jp)
->topcrash+ (possible oneliner fix.)
Blocks: 136392
-> Events, maybe they can make sense of this.
Assignee: jaggernaut → joki
Component: Tabbed Browser → Event Handling
QA Contact: sairuh → rakeshmishra
Sorry, wrong events component.
Component: Event Handling → DOM Events
QA Contact: rakeshmishra → vladimire
Keywords: mozilla1.0
Blocks: 143047
Whiteboard: win32 only? [adt1] (jp) → win32 only? [adt1 RTM] (jp)
making topcrash+ again (the + was somehow removed)
Keywords: topcrashtopcrash+
changing impact to [adt2 rtm] per adt.
Whiteboard: win32 only? [adt1 RTM] (jp) → win32 only? [adt2 RTM] (jp)
Tom - Haven't seen a comment form you in this bug. Any idea on how close we are
to resolving this one? Pls add your ETA to the Status Whiteboard. thanks!
Keywords: mozilla1.0mozilla1.0.1
Whiteboard: win32 only? [adt2 RTM] (jp) → win32 only? [adt2 RTM] (jp) [ETA Needed]
Target Milestone: mozilla1.0 → mozilla1.0.1
Updating summary with M100, this has been a topcrasher for Mozilla 1.0 (although
there are only 38 crashes out of the current datasample of 13000).  Still, it is
a topcrasher at #43 for that release.  

Any progress here?  No one has looked at this bug for a while.
Summary: Navigating exclusively in tabs crashes browser - Trunk M1RC1 [@ nsEventStateManager::GetEventTargetContent] → Navigating exclusively in tabs crashes browser - Trunk M100 [@ nsEventStateManager::GetEventTargetContent]
Current assignee has not accepted, or even commented on this topcrash bug. Can
anyone else take it?
ok
Assignee: joki → saari
I tried to repro this before and didn't have any luck so I kind of back-burner'd
it for a while.  Looking at it again I think I may have a good idea what the
issue is.  The issue is likely with code looking back for old data which isn't
there anymore when using PostDOMEvent.  I'll post a possible patch but without
being able to replicate this I can't test how well it works very easily.
saari, should this one go to joki, since he is looking into it, and has a
possible patch?
yes, back to tom
Assignee: saari → joki
Okay, a fix has been checked into the trunk and branch (for bug 157845).  Since
I can't repro this bug I can't verify that the fix will take care of this also
but the stack traces seem to indicate that both should be fixed.  Rather then
dupe this one I'm just going to mark this one fixed for now and we should watch
the talkback data to see if this one goes away.
Status: NEW → RESOLVED
Closed: 22 years ago
Keywords: mozilla1.0.1fixed1.0.1
Resolution: --- → FIXED
mozilla@meow.org (Anthony Jenkins), or anyone else who reproduced the problem
before, can you please verify with latest build?
verifying due to lack of responce, if this was still present people would speak up..
Status: RESOLVED → VERIFIED
Crash Signature: [@ nsEventStateManager::GetEventTargetContent]
Keywords: qawanted
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: