M130B Trunk crash when executing javascript command onmouseover [@ nsEventStateManager::GenerateMouseEnterExit ] [@ nsEventStateManager::DispatchMouseEvent]

RESOLVED FIXED in mozilla1.3final

Status

Core
Layout: Misc Code
P1
critical
RESOLVED FIXED
15 years ago
15 years ago

People

(Reporter: Johannes Koskinen, Assigned: John Keiser (jkeiser))

Tracking

({crash, testcase, topcrash+})

Trunk
mozilla1.3final
crash, testcase, topcrash+
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: fixed1.3, crash signature, URL)

Attachments

(2 attachments, 1 obsolete attachment)

(Reporter)

Description

15 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.3b) Gecko/20030221
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.3b) Gecko/20030221

In the page http://www.futurecrew.com/skaven/, the image-changing (onmouseover)
code crashes Mozilla. When using IE6.0SP1 the page works fine. I don't know
whether this is a javascript or layout problem.

Reproducible: Always

Steps to Reproduce:
1. Open page http://www.futurecrew.com/skaven/
2. Move mouse cursor on and around the images
3. Mozilla crashes

Actual Results:  
Mozilla crashes instead of changing the picture.

Expected Results:  
Change the picture layout using javascript or don't do anything (if the script
language is not compatible with Mozilla's)

Mozilla version 1.3.20030.22105, 
module gklayout.dll version 1.3.20030.22105, 
Address 0x000c3af5.

Updated

15 years ago
Severity: normal → critical
Keywords: crash

Comment 1

15 years ago
confirming using build 2003022202 on Win2k: TB17404345Q.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: stackwanted
Whiteboard: TB17404345Q

Comment 2

15 years ago
confirming BuildID 2003032108 on Win98: TB17404811W
Reminds me of Bug 186132 Crash mouseovering box with CSS - Trunk [@
nsEventStateManager::DispatchMouseEvent] but that one has been fixed Feb 20th.

Comment 3

15 years ago
confirming build 2003022122, Linux x86 talkback: TB17405741M

Updated

15 years ago
OS: Windows XP → All
Hardware: PC → All

Comment 4

15 years ago
REGRESSION between 2003021908 and 2003022008
faulty, but no crash on build IDs 2003021808 and -1908, crash with -2008 and -2108
Win98SP1, tested with one fresh profile for all tests, and fresh
program directory for each unzipped win32-talkback.zip. Can't give TB-Nbrs,
deleted one directory after sending, and the other one won't send. URL and
Bug-nbr noted in TB.

faulty: Frontpage-generated. Left Images in the topframe are restored on mouseout,
other images in topframe are replaced by ALT-text on first Mouseover, and with
broken-Image-icon afterwards.

Comment 5

15 years ago
Created attachment 115257 [details]
backtrace from a fresh linux build.

Stack indeed looks like the one in bug 186132.
And the crash occurred the third time I moused over an image.

Comment 6

15 years ago
Confirming with a fresh CVS trunk build on WindowsME.
(Assignee)

Comment 7

15 years ago
This is me.  I have a fix.
Assignee: misc → jkeiser
(Assignee)

Comment 8

15 years ago
Created attachment 115261 [details] [diff] [review]
Patch

This fixes the crash.  The problem is, mLastMouseOverFrame was being set to a
frame that went away during the event.  Even though we deal with this case
entirely *within* DispatchMouseEvent, we don't take care of it in the callers.
In this patch I made DispatchMouseEvent clear the frame *for* the callers.  I
have checked all callers and this looks like the right thing to do for them.
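
The stale-pointer pattern described in comment 8, as an added C++ example that is not part of the bug report, the attached patches or Mozilla's code. Frame, FrameArena, EventStateManager and their members are hypothetical stand-ins, and detecting a destroyed frame through an `alive` flag is an assumption of this model.

```cpp
#include <functional>
#include <memory>
#include <vector>

// Hypothetical stand-ins; not Mozilla's real classes. Frames stay in an arena
// and are only flagged dead, so a stale pointer can be inspected safely here.
struct Frame { bool alive = true; };

struct FrameArena {
    std::vector<std::unique_ptr<Frame>> frames;
    Frame* create() {
        frames.push_back(std::unique_ptr<Frame>(new Frame()));
        return frames.back().get();
    }
    void destroy(Frame* f) { f->alive = false; }
};

enum CacheState { CLEARED, LIVE, DEAD };

struct EventStateManager {
    Frame* lastMouseOverFrame = nullptr;      // cached across events
    std::function<void(Frame*)> onMouseOver;  // page script; may destroy frames

    // Before: the caller's pointer is left untouched when the frame dies.
    void dispatchUnpatched(Frame* target) { onMouseOver(target); }

    // After: the pointer is taken by reference and cleared for the caller.
    void dispatchPatched(Frame*& target) {
        onMouseOver(target);
        if (!target->alive) target = nullptr;
    }

    void mouseEnter(Frame* target, bool patched) {
        if (patched) dispatchPatched(target); else dispatchUnpatched(target);
        lastMouseOverFrame = target;          // caller caches what it now holds
    }
};

// Runs one mouse-enter with a constructed handler and reports what got cached.
CacheState cacheState(bool patched, bool handlerDestroysFrame) {
    FrameArena arena;
    EventStateManager esm;
    esm.onMouseOver = [&](Frame* f) {
        if (handlerDestroysFrame) { arena.destroy(f); arena.create(); }
    };
    esm.mouseEnter(arena.create(), patched);
    if (!esm.lastMouseOverFrame) return CLEARED;
    return esm.lastMouseOverFrame->alive ? LIVE : DEAD;
}
```

With the unpatched dispatch, a handler that replaces its own frame leaves the manager caching a dead frame for the next mouse event to dereference; with the by-reference dispatch the cache ends up null instead.
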
(Assignee)

Comment 9

15 years ago
Created attachment 115262 [details] [diff] [review]
Patch v1.1

I like this patch better, it eliminates a variable.

Please note that while this patch fixes the crash, there is an evangelism on
this site--mouseovers will give you wrong images.  They have an element like <a
... lowsrc="blah"> and they are expecting JavaScript element.lowsrc to give
them the value of that attribute.  That's not how it works.  It may be that IE
supports lowsrc and that's why it works there.
Attachment #115261 - Attachment is obsolete: true
(Assignee)

Updated

15 years ago
Attachment #115262 - Flags: superreview?(bryner)
Attachment #115262 - Flags: review?(saari)

Comment 10

15 years ago
stack from Linux debug build (CVS 10h ago):

#0  0xdddddddd in ?? ()
#1  0x40ebf3ca in nsEventStateManager::GenerateMouseEnterExit (
    this=0x42501348, aPresContext=0x41cb72f8, aEvent=0xbfffece0)
    at nsEventStateManager.cpp:2527
#2  0x40eb7f17 in nsEventStateManager::PreHandleEvent (this=0x42501348,
    aPresContext=0x41cb72f8, aEvent=0xbfffece0, aTargetFrame=0x42b6efb0,
    aStatus=0xbfffe9e4, aView=0x42b49bd0) at nsEventStateManager.cpp:373
#3  0x40d88ebb in PresShell::HandleEventInternal (this=0x425f3ea8,
    aEvent=0xbfffece0, aView=0x42b49bd0, aFlags=1, aStatus=0xbfffe9e4)
    at nsPresShell.cpp:6220
#4  0x40d88b5e in PresShell::HandleEvent (this=0x425f3ea8, aView=0x42b49bd0,
    aEvent=0xbfffece0, aEventStatus=0xbfffe9e4, aForceHandle=0,
    aHandled=@0xbfffe9e8) at nsPresShell.cpp:6150
#5  0x41bd43dd in nsViewManager::HandleEvent (this=0x427afa78,
    aView=0x42b55510, aEvent=0xbfffece0, aCaptured=0) at nsViewManager.cpp:2210
#6  0x41bc9c37 in nsView::HandleEvent (this=0x42b55510, aVM=0x427afa78,
    aEvent=0xbfffece0, aCaptured=0) at nsView.cpp:303
#7  0x41bd3b0f in nsViewManager::DispatchEvent (this=0x427afa78,
    aEvent=0xbfffece0, aStatus=0xbfffebcc) at nsViewManager.cpp:1942
#8  0x41bc9628 in HandleEvent (aEvent=0xbfffece0) at nsView.cpp:80
#9  0x4142d51f in nsWidget::DispatchEvent (this=0x42b57ee0, aEvent=0xbfffece0,
    aStatus=@0xbfffec7c) at nsWidget.cpp:1496
[...]
Keywords: stackwanted
Summary: crash when executing javascript command onmouseover → crash when executing javascript command onmouseover [@ nsEventStateManager::GenerateMouseEnterExit ]
Whiteboard: TB17404345Q

Comment 11

15 years ago
Comment on attachment 115262 [details] [diff] [review]
Patch v1.1

spiff, r=saari
Attachment #115262 - Flags: review?(saari) → review+

Comment 12

15 years ago
Adding testcase keyword and making topcrash+.  Adding
nsEventStateManager::DispatchMouseEvent to summary as well.  Here is a recent
Talkback incident for future reference:

Incident ID 17444820
Stack Signature 	nsEventStateManager::DispatchMouseEvent 83cbc9d7
Email Address 	
Product ID 	MozillaTrunk
Build ID 	2003022308
Trigger Time 	2003-02-23 15:34:51
Platform 	Win32
Operating System 	Windows 98 4.10 build 67766222
Module 	GKLAYOUT.DLL
URL visited 	http://www.futurecrew.com/skaven/
User Comments 	bugzilla 194493
Trigger Reason 	Access violation
Source File Name 
c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp
Trigger Line No. 	2447
Stack Trace 	
nsEventStateManager::DispatchMouseEvent
[c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp, line 2447]
nsEventStateManager::GenerateMouseEnterExit
[c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp, line 2530]
nsEventStateManager::PreHandleEvent
[c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp, line 376]
PresShell::HandleEventInternal
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 6223]
PresShell::HandleEvent
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 6179]
nsViewManager::HandleEvent
[c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp, line 2208]
nsView::HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsView.cpp, line 309]
nsViewManager::DispatchEvent
[c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp, line 1944]
HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsView.cpp, line 83]
nsWindow::DispatchEvent
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 1117]
nsWindow::DispatchWindowEvent
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 1134]
nsWindow::DispatchMouseEvent
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 5374]
ChildWindow::DispatchMouseEvent
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 5629]
nsWindow::ProcessMessage
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 4065]
nsWindow::WindowProc
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 1401]
KERNEL32.DLL + 0x363b (0xbff7363b)
KERNEL32.DLL + 0x242e7 (0xbff942e7)
0x00658b66 
Keywords: testcase, topcrash+
Summary: crash when executing javascript command onmouseover [@ nsEventStateManager::GenerateMouseEnterExit ] → crash when executing javascript command onmouseover [@ nsEventStateManager::GenerateMouseEnterExit ] [@ nsEventStateManager::DispatchMouseEvent]

Comment 13

15 years ago
Is this going to make it into Mozilla 1.3?  The priority or target milestone
still need to be set.
Summary: crash when executing javascript command onmouseover [@ nsEventStateManager::GenerateMouseEnterExit ] [@ nsEventStateManager::DispatchMouseEvent] → M130B Trunk crash when executing javascript command onmouseover [@ nsEventStateManager::GenerateMouseEnterExit ] [@ nsEventStateManager::DispatchMouseEvent]
Attachment #115262 - Flags: superreview?(bryner) → superreview+
(Assignee)

Updated

15 years ago
Attachment #115262 - Flags: approval1.3?

Comment 14

15 years ago
Comment on attachment 115262 [details] [diff] [review]
Patch v1.1

a=asa (on behalf of drivers) for checkin to 1.3
Attachment #115262 - Flags: approval1.3? → approval1.3+
(Assignee)

Comment 15

15 years ago
Fix checked in on 1.3.  Leaving open until tree gets green and fix can be
checked in to trunk.
Priority: -- → P1
Target Milestone: --- → mozilla1.3final
(Assignee)

Comment 16

15 years ago
Checked in on trunk (checked in to 1.3 earlier).  Happy day.
Status: NEW → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → FIXED

Updated

15 years ago
Whiteboard: fixed1.3
Crash Signature: [@ nsEventStateManager::GenerateMouseEnterExit ] [@ nsEventStateManager::DispatchMouseEvent]