Build ID: 2002121808 on Win2k. Steps to reproduce 100%: 1. Load URL http://www.t-mobile.com/hotspot/ 2. Mouse over the 'About us' box, grey should change to white, 3. remove mouse from box, 4. Wait, Mozilla crashes. Talkback ID: TB15275544K could be regression from bug 103055, see bug 185850.

Doesn't crash with 120702 trunk on Win2k Stack from 121713 trunk on Win2k dddddddd() nsEventStateManager::DispatchMouseEvent(nsIPresContext * 0x041d0a50, nsGUIEvent * 0x0012f7d8, unsigned int 0x0000014c, nsIContent * 0x0421d378, nsIFrame * 0x04134ea4, nsIContent * 0x0421bb70) line 2416 nsEventStateManager::GenerateMouseEnterExit(nsIPresContext * 0x041d0a50, nsGUIEvent * 0x0012f7d8) line 2518 nsEventStateManager::PreHandleEvent(nsEventStateManager * const 0x02fc3b50, nsIPresContext * 0x041d0a50, nsEvent * 0x0012f7d8, nsIFrame * 0x03b92098, nsEventStatus * 0x0012f5d4, nsIView * 0x03cdb2c8) line 377 PresShell::HandleEventInternal(nsEvent * 0x0012f7d8, nsIView * 0x03cdb2c8, unsigned int 0x00000001, nsEventStatus * 0x0012f5d4) line 6147 + 43 bytes PresShell::HandleEvent(PresShell * const 0x041e6394, nsIView * 0x03cdb2c8, nsGUIEvent * 0x0012f7d8, nsEventStatus * 0x0012f5d4, int 0x00000000, int & 0x00000001) line 6076 + 25 bytes nsViewManager::HandleEvent(nsView * 0x0416aad8, nsGUIEvent * 0x0012f7d8, int 0x00000000) line 2209 nsView::HandleEvent(nsViewManager * 0x041d4c10, nsGUIEvent * 0x0012f7d8, int 0x00000000) line 304 nsViewManager::DispatchEvent(nsViewManager * const 0x041d4c10, nsGUIEvent * 0x0012f7d8, nsEventStatus * 0x0012f6d8) line 1943 + 23 bytes HandleEvent(nsGUIEvent * 0x0012f7d8) line 83 nsWindow::DispatchEvent(nsWindow * const 0x0416ab94, nsGUIEvent * 0x0012f7d8, nsEventStatus & nsEventStatus_eIgnore) line 1116 + 10 bytes nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f7d8) line 1137 nsWindow::DispatchMouseEvent(unsigned int 0x0000012c, unsigned int 0x00000000, nsPoint * 0x00000000) line 5376 + 21 bytes ChildWindow::DispatchMouseEvent(unsigned int 0x0000012c, unsigned int 0x00000000, nsPoint * 0x00000000) line 5633 nsWindow::ProcessMessage(unsigned int 0x00000200, unsigned int 0x00000000, long 0x009b02fe, long * 0x0012fc48) line 4068 + 28 bytes nsWindow::WindowProc(HWND__ * 0x0133021a, unsigned int 0x00000200, unsigned int 0x00000000, long 0x009b02fe) line 1403 + 27 bytes USER32! 77e3a244() USER32! 77e145e5() USER32! 77e1a792() nsAppShellService::Run(nsAppShellService * const 0x00ffd2a0) line 472 main1(int 0x00000001, char * * 0x002c6e50, nsISupports * 0x002c6eb8) line 1543 + 32 bytes main(int 0x00000001, char * * 0x002c6e50) line 1904 + 37 bytes mainCRTStartup() line 338 + 17 bytes KERNEL32! 77ea847c()

Adding topcrash+, testcase and making this a zt4newcrash bug. This crash was introduced on 12/17 MozillaTrunk builds. Looking at the source, it looks like it's due to one of jkeiser's checkins on 12/16 or 12/17 (somewhere around nsEventStateManager.cpp line 2427). Here is the latest from Talkback: nsEventStateManager::DispatchMouseEvent 10 BBID range: 15203590 - 15266035 Min/Max Seconds since last crash: 37 - 45894 Min/Max Runtime: 41 - 45894 Crash data range: 2002-12-17 to 2002-12-18 Build ID range: 2002121704 to 2002121808 Keyword List : Stack Trace: nsEventStateManager::DispatchMouseEvent [c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp line 2427] nsEventStateManager::GenerateMouseEnterExit [c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp line 2529] nsEventStateManager::PreHandleEvent [c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp line 377] PresShell::HandleEventInternal [c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp line 6150] PresShell::HandleEvent [c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp line 6078] nsViewManager::HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp line 2209] nsView::HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsView.cpp line 304] nsViewManager::DispatchEvent [c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp line 1949] HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsView.cpp line 83] nsWindow::DispatchEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp line 1120] nsWindow::DispatchWindowEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp line 1137] nsWindow::DispatchMouseEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp line 5378] ChildWindow::DispatchMouseEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp line 5633] nsWindow::ProcessMessage [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp line 4069] nsWindow::WindowProc [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp line 1404] USER32.dll + 0x2a2b8 (0x77e0a2b8) USER32.dll + 0x45b1 (0x77de45b1) USER32.dll + 0xa752 (0x77dea752) nsAppShellService::Run [c:/builds/seamonkey/mozilla/xpfe/appshell/src/nsAppShellService.cpp line 472] main1 [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp line 1559] main [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp line 1907] WinMain [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp line 1927] WinMainCRTStartup() KERNEL32.dll + 0x2847c (0x77e7847c) Source File : c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp line : 2427 (15214161) Comments: actually it's just triple clicking the top addressee after doing reply-all and hitting delete that seems to cause the crash. (15208849) URL: wfrv_new.webtest.netnet.net

I have determined the problem. The *last* mouseover frame is sometimes null, and we didn't fix that in the last crasher bug. I will put more generic protection in here now, I don't want this happening anymore, or to anyone else. (There are some subtle problems with recursion here anyway.)

*** Bug 186220 has been marked as a duplicate of this bug. ***

Confirming with 2002122001/FreeBSD and 2002121908/MacOS 9.2.2.

http://chrismage.cjb.net 1. put mousecursor on some link on this site 2. when link changes colour, don´t move mouse 3. if you move mouse, instant crash crashes with current phoenix, current mozilla ( WIN98, Win98SE ) no crash with phoenix 0.5-release (20021207), Netscape 7.01C same with t-mobile.com/hotspot/ Talkbacks: TB15349272K TB15349698M TB 15349720G about 5 Talkbacks yesterday on another system with above URL specified.

confirming : PPC Mac OS X Mach-O; rv:1.3b; Gecko/20021219-07

This fixes the crash, hopefully once and for all. Now we don't trust *any* frames after frame refs were cleared (the alternative was to create an array of frames, but I didn't think I wanted ClearFrameRefs (which could be called multiple times per event, I believe) iterating over such an array.

*** Bug 186535 has been marked as a duplicate of this bug. ***

*** Bug 186555 has been marked as a duplicate of this bug. ***

Can someone change the OS to "All" since this is not Windows specific. I just got this crash and stack from a Linux build 20021223, so i guess John's patch hasn't made it into cvs tree ? (gdb) bt #0 0xdddddddd in ?? () #1 0x40da00e5 in nsEventStateManager::GenerateMouseEnterExit (this=0x90f1370, aPresContext=0x8b6cca0, aEvent=0xbffff4d4) at nsEventStateManager.cpp:2526 #2 0x40d98e4e in nsEventStateManager::PreHandleEvent (this=0x90f1370, aPresContext=0x8b6cca0, aEvent=0xbffff4d4, aTargetFrame=0x9395cc4, aStatus=0xbffff21c, aView=0x942c080) at nsEventStateManager.cpp:374 #3 0x41efcf1b in PresShell::HandleEventInternal (this=0x916b218, aEvent=0xbffff4d4, aView=0x942c080, aFlags=1, aStatus=0xbffff21c) at nsPresShell.cpp:6147 #4 0x41efcba4 in PresShell::HandleEvent (this=0x916b218, aView=0x942c080, aEvent=0xbffff4d4, aEventStatus=0xbffff21c, aForceHandle=0, aHandled=@0xbffff220) at nsPresShell.cpp:6076 #5 0x421a4872 in nsViewManager::HandleEvent (this=0x91c1870, aView=0x942bd40, aEvent=0xbffff4d4, aCaptured=0) at nsViewManager.cpp:2207 #6 0x4219759c in nsView::HandleEvent (this=0x942bd40, aVM=0x91c1870, aEvent=0xbffff4d4, aCaptured=0) at nsView.cpp:303 #7 0x421a3f2e in nsViewManager::DispatchEvent (this=0x91c1870, aEvent=0xbffff4d4, aStatus=0xbffff3b8) at nsViewManager.cpp:1943 #8 0x42196f4f in HandleEvent (aEvent=0xbffff4d4) at nsView.cpp:80 #9 0x413e1354 in nsWidget::DispatchEvent (this=0x942bdc8, aEvent=0xbffff4d4, aStatus=@0xbffff468) at nsWidget.cpp:1448 #10 0x413e1030 in nsWidget::DispatchWindowEvent (this=0x942bdc8, event=0xbffff4d4) at nsWidget.cpp:1336 #11 0x413e13ee in nsWidget::DispatchMouseEvent (this=0x942bdc8, aEvent=@0xbffff4d4) at nsWidget.cpp:1475 #12 0x413e19c0 in nsWidget::OnMotionNotifySignal (this=0x942bdc8, aGdkMotionEvent=0x8287ac0) at nsWidget.cpp:1694 #13 0x413e770d in nsWindow::OnMotionNotifySignal (this=0x942bdc8, aGdkMotionEvent=0x8287ac0) at nsWindow.cpp:1637 #14 0x413e7c6f in nsWindow::HandleGDKEvent (this=0x942bdc8, event=0x8287ac0) at nsWindow.cpp:1792 #15 0x413d6eae in dispatch_superwin_event (event=0x8287ac0, window=0x942bdc8) at nsGtkEventHandler.cpp:1001 #16 0x413d6c3c in handle_gdk_event (event=0x8287ac0, data=0x0) at nsGtkEventHandler.cpp:876 #17 0x4051d613 in gdk_event_dispatch () from /usr/local/lib/libgdk-1.2.so.0 #18 0x4054c866 in g_main_dispatch () from /usr/local/lib/libglib-1.2.so.0 #19 0x4054ce93 in g_main_iterate () from /usr/local/lib/libglib-1.2.so.0 #20 0x4054d04c in g_main_run () from /usr/local/lib/libglib-1.2.so.0 #21 0x4046a7fb in gtk_main () from /usr/local/lib/libgtk-1.2.so.0 #22 0x413c9d61 in nsAppShell::Run (this=0x8117848) at nsAppShell.cpp:347 #23 0x413761f2 in nsAppShellService::Run (this=0x8128448) at nsAppShellService.cpp:471 #24 0x0805a72c in main1 (argc=1, argv=0xbffffaa4, nativeApp=0x80a0590) at nsAppRunner.cpp:1543 #25 0x080595cb in main (argc=1, argv=0xbffffaa4) at nsAppRunner.cpp:1904 #26 0x406b256d in __libc_start_main () from /lib/libc.so.6 (gdb) quit

Comment on attachment 109954 [details] [diff] [review] Patch r=saari, we should think about solving the general recursion issues with Before/AfterDispatchEvent later. For now this fixes the crash

Comment on attachment 109954 [details] [diff] [review] Patch sr=dbaron, although I prefer prefix ++/-- to postfix (see bug 78032 comment 1 for why)

(Oh, and is there a bug on making the ESM not hold on to frames? I know roc talks about that...)

roc has talked about us not sending events to frames (which would probably make those frame refs unnecessary), which is in the back of my mind now that he told me about it, but won't happen until after the big HandleDOMEvent move (though it may happen *during*). That one is bug 185758.

The following crash seems to be due to the same bug. Could you confirm? Go to <http://www.vinc17.org/cine_fra.html>. There is a menu (top right) using CSS only. If I move the mouse over this menu upwards and downwards very quickly, after a few seconds, Mozilla crashes. 100% reproductible. Build ID: 2002122200 (Linux/PPC). BTW, I can't reproduce the http://www.t-mobile.com/hotspot/ bug (grey doesn't even change to white).

Fix checked in. No crashy. It behaves a little strangely, though I haven't investigated that yet--the menus get un-highlighted at weird times. Not due to mouseout though, I think, because there are no mouseout handlers, period.

*** Bug 186810 has been marked as a duplicate of this bug. ***

*** Bug 186602 has been marked as a duplicate of this bug. ***

reopening. this crash is still around after the fix went in. it looks like the number of crashes has gone down a bit, but the stack signature and very similar stack trace is still showing up in Talkback data: Count Offset Real Signature [ 21 nsEventStateManager::DispatchMouseEvent 0002c960 - nsEventStateManager::DispatchMouseEvent ] Crash date range: 2002-12-23 to 2002-12-29 Min/Max Seconds since last crash: 17 - 161132 Min/Max Runtime: 1191 - 268443 Keyword List : Count Platform List 21 Windows NT 5.1 build 2600 Count Build Id List 6 2002122308 6 2002122008 2 2002122108 1 2002122708 1 2002122704 1 2002122604 1 2002122408 1 2002122404 1 2002122304 1 2002122208 No of Unique Users 17 Stack trace(Frame) nsEventStateManager::DispatchMouseEvent [c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp line 2438] nsEventStateManager::GenerateMouseEnterExit [c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp line 2575] nsEventStateManager::PreHandleEvent [c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp line 379] PresShell::HandleEventInternal [c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp line 6150] PresShell::HandleEvent [c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp line 6078] nsViewManager::HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp line 2209] nsView::HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsView.cpp line 304] nsViewManager::DispatchEvent [c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp line 1949] HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsView.cpp line 83] nsWindow::DispatchEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp line 1120] nsWindow::DispatchWindowEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp line 1137] nsWindow::DispatchMouseEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp line 5378] ChildWindow::DispatchMouseEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp line 5633] nsWindow::ProcessMessage [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp line 4069] nsWindow::WindowProc [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp line 1404] USER32.dll + 0x27ad7 (0x77d67ad7) USER32.dll + 0x2ccd4 (0x77d6ccd4) USER32.dll + 0x4455 (0x77d44455) USER32.dll + 0x95d5 (0x77d495d5) nsAppShellService::Run [c:/builds/seamonkey/mozilla/xpfe/appshell/src/nsAppShellService.cpp line 472] main1 [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp line 1559] main [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp line 1907] WinMain [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp line 1927] WinMainCRTStartup() kernel32.dll + 0x214c7 (0x77e814c7) (15546728) URL: lansynergy.com (15478048) URL: http://www.l33tpeeps.com/l33t/print.php?sid=1 ==================================================================================================== Count Offset Real Signature [ 18 nsEventStateManager::DispatchMouseEvent 6ddd0a1d - nsEventStateManager::DispatchMouseEvent ] [ 2 nsEventStateManager::DispatchMouseEvent d1f69a85 - nsEventStateManager::DispatchMouseEvent ] Crash date range: 2002-12-21 to 2002-12-29 Min/Max Seconds since last crash: 21 - 32308 Min/Max Runtime: 3134 - 177462 Keyword List : Count Platform List 18 Windows 98 4.10 build 67766446 2 Windows NT 5.0 build 2195 Count Build Id List 7 2002122108 5 2002122208 4 2002122304 2 2002122908 1 2002122704 1 2002122504 No of Unique Users 5 Stack trace(Frame) nsEventStateManager::DispatchMouseEvent [c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp line 2438] nsEventStateManager::GenerateMouseEnterExit [c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp line 2575] nsEventStateManager::PreHandleEvent [c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp line 379] PresShell::HandleEventInternal [c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp line 6152] PresShell::HandleEvent [c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp line 6080] nsViewManager::HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp line 2209] nsView::HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsView.cpp line 304] nsViewManager::DispatchEvent [c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp line 1949] HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsView.cpp line 83] nsWindow::DispatchEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp line 1120] nsWindow::DispatchWindowEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp line 1137] nsWindow::DispatchMouseEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp line 5378] ChildWindow::DispatchMouseEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp line 5633] nsWindow::ProcessMessage [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp line 4069] nsWindow::WindowProc [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp line 1404] KERNEL32.DLL + 0x363b (0xbff7363b) KERNEL32.DLL + 0x245af (0xbff945af) 0x00648b62 ==================================================================================================== Count Offset Real Signature [ 14 nsEventStateManager::DispatchMouseEvent f7f363c4 - nsEventStateManager::DispatchMouseEvent ] Crash date range: 2002-12-20 to 2002-12-27 Min/Max Seconds since last crash: 10 - 95136 Min/Max Runtime: 104 - 266568 Keyword List : Count Platform List 14 Windows NT 5.0 build 2195 Count Build Id List 3 2002122408 3 2002122008 2 2002122308 2 2002122208 2 2002122108 1 2002122608 1 2002122004 No of Unique Users 11 Stack trace(Frame) nsEventStateManager::DispatchMouseEvent [c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp line 2433] nsEventStateManager::GenerateMouseEnterExit [c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp line 2575] nsEventStateManager::PreHandleEvent [c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp line 379] PresShell::HandleEventInternal [c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp line 6150] PresShell::HandleEvent [c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp line 6078] nsViewManager::HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp line 2209] nsView::HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsView.cpp line 304] nsViewManager::DispatchEvent [c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp line 1949] HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsView.cpp line 83] nsWindow::DispatchEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp line 1120] nsWindow::DispatchWindowEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp line 1137] nsWindow::DispatchMouseEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp line 5378] ChildWindow::DispatchMouseEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp line 5633] nsWindow::ProcessMessage [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp line 4069] nsWindow::WindowProc [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp line 1404] USER32.dll + 0x2a244 (0x77e3a244) USER32.dll + 0x45e5 (0x77e145e5) USER32.dll + 0xa792 (0x77e1a792) nsAppShellService::Run [c:/builds/seamonkey/mozilla/xpfe/appshell/src/nsAppShellService.cpp line 472] main1 [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp line 1559] main [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp line 1907] WinMain [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp line 1927] WinMainCRTStartup() KERNEL32.dll + 0x2847c (0x77ea847c) (15543979) URL: http://remix.kwed.org/ (15496195) Comments: application error in mozilla.exe using code below &lt;html&gt; &lt;body&gt; &lt;div id="fscroller" onmouseover="this.innerHTML=''"&gt;&lt;b&gt;mouseoverme&lt;/b&gt;&lt;/div&gt; &lt;/body&gt; &lt;/html&gt; (15495586) Comments: just submitted incident tb15495451q on the same thing. again no url (will post url w/ bugzilla submission) but it crashes on the poppeeper.com forums. move the mouse over the green news text; appears to happen after text disappears. (15495451) Comments: at poppeeper.com forums (sorry don't have the url) (15454396) URL: www.cooksillustrated.com (15454396) Comments: Clicking on a stupid link. BOOM. (15454045) URL: http://www2s.biglobe.ne.jp/~geoph/ (15397914) URL: http://joehewitt.com/ (15397914) Comments: clicked "comments" link http://joehewitt.com/mt/mt-comments.cgi?entry_id=63 (15388575) URL: www.gnutella2.com ==================================================================================================== Count Offset Real Signature [ 7 nsEventStateManager::DispatchMouseEvent 2cdae0fe - nsEventStateManager::DispatchMouseEvent ] [ 6 nsEventStateManager::DispatchMouseEvent eb3023f1 - nsEventStateManager::DispatchMouseEvent ] [ 6 nsEventStateManager::DispatchMouseEvent 869bd774 - nsEventStateManager::DispatchMouseEvent ] [ 5 nsEventStateManager::DispatchMouseEvent bcb9f9b0 - nsEventStateManager::DispatchMouseEvent ] [ 4 nsEventStateManager::DispatchMouseEvent aa7225aa - nsEventStateManager::DispatchMouseEvent ] [ 3 nsEventStateManager::DispatchMouseEvent 1f5e315c - nsEventStateManager::DispatchMouseEvent ] [ 2 nsEventStateManager::DispatchMouseEvent acb1bdc1 - nsEventStateManager::DispatchMouseEvent ] [ 2 nsEventStateManager::DispatchMouseEvent 8e32ddf3 - nsEventStateManager::DispatchMouseEvent ] Crash date range: 2002-12-20 to 2002-12-28 Min/Max Seconds since last crash: 12 - 65072 Min/Max Runtime: 66 - 386336 Keyword List : Count Platform List 17 Windows NT 5.1 build 2600 10 Windows NT 5.0 build 2195 6 Windows 98 4.10 build 67766446 2 Windows 98 4.10 build 67766222 Count Build Id List 7 2002122408 5 2002122208 5 2002122108 4 2002122304 3 2002122204 3 2002122008 2 2002122508 2 2002122308 2 2002122104 1 2002122608 1 2002122004 No of Unique Users 22 Stack trace(Frame) nsEventStateManager::DispatchMouseEvent [c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp line 2427] nsEventStateManager::GenerateMouseEnterExit [c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp line 2529] nsEventStateManager::PreHandleEvent [c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp line 377] PresShell::HandleEventInternal [c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp line 6150] PresShell::HandleEvent [c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp line 6078] nsViewManager::HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp line 2209] nsView::HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsView.cpp line 304] nsViewManager::DispatchEvent [c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp line 1949] HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsView.cpp line 83] nsWindow::DispatchEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp line 1120] nsWindow::DispatchWindowEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp line 1137] nsWindow::DispatchMouseEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp line 5378] ChildWindow::DispatchMouseEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp line 5633] nsWindow::ProcessMessage [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp line 4069] nsWindow::WindowProc [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp line 1404] USER32.dll + 0x2a244 (0x77e0a244) USER32.dll + 0x45e5 (0x77de45e5) USER32.dll + 0xa792 (0x77dea792) nsAppShellService::Run [c:/builds/seamonkey/mozilla/xpfe/appshell/src/nsAppShellService.cpp line 472] main1 [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp line 1559] main [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp line 1907] WinMain [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp line 1927] WinMainCRTStartup() KERNEL32.dll + 0x2847c (0x77e7847c) (15521383) URL: http://www.apple.com/ (15438370) Comments: Clicked back button (15415346) URL: http://www.ctxeurope.com (15415346) Comments: Composing an e-mail (15405487) URL: joehewitt.com (15405487) Comments: opened comments. closed. poof. (15353607) URL: http://bugzilla.mozilla.gr.jp/show_bug.cgi?id=2624 (15323289) URL: http://chrismage.cjb.net (15323289) Comments: Crash on this site when LEAVING a link with the mouse

This crash is still consistently happening on the MozillaTrunk...anyone have time to look into this yet?

No crash but the div stays white when the mouse leave it: shouldn't

I was just able to crash with MozillaTrunk build 2003010808: Incident ID 16142251 Stack Signature nsEventStateManager::DispatchMouseEvent 0002c960 Email Address jpatel@netscape.com Product ID MozillaTrunk Build ID 2003010808 Trigger Time 2003-01-13 16:20:51 Platform Win32 Operating System Windows NT 5.1 build 2600 Module gkcontent.dll URL visited chrismage.cjb.net/bio.php User Comments just clicking through links on this site. reproducing a bug in bugzilla...forgot the number. i'll find it after restarting. Trigger Reason Access violation Source File Name c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp Trigger Line No. 2447 Stack Trace nsEventStateManager::DispatchMouseEvent [c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp, line 2447] nsEventStateManager::GenerateMouseEnterExit [c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp, line 2584] nsEventStateManager::PreHandleEvent [c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp, line 379] PresShell::HandleEventInternal [c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 6155] PresShell::HandleEvent [c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 6083] nsViewManager::HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp, line 2210] nsView::HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsView.cpp, line 304] nsViewManager::DispatchEvent [c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp, line 1950] HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsView.cpp, line 83] nsWindow::DispatchEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 1120] nsWindow::DispatchWindowEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 1137] nsWindow::DispatchMouseEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 5378] ChildWindow::DispatchMouseEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 5633] nsWindow::ProcessMessage [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 4069] nsWindow::WindowProc [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 1404] USER32.dll + 0x27ad7 (0x77d67ad7) USER32.dll + 0x2ccd4 (0x77d6ccd4) USER32.dll + 0x4455 (0x77d44455) USER32.dll + 0x95d5 (0x77d495d5) nsAppShellService::Run [c:/builds/seamonkey/mozilla/xpfe/appshell/src/nsAppShellService.cpp, line 472] main1 [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1559] main [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1907] WinMain [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1927] WinMainCRTStartup() kernel32.dll + 0x214c7 (0x77e814c7)

Comment on attachment 111490 [details] Reduced testcase (from chrisimage.cjb.net) crashing 20030113 ><HTML><HEAD><TITLE>bug 186132</TITLE> > ><STYLE type="text/css"> >BODY { > background: #111; > font-family: Verdana, Arial, Helvetica, sans-serif; > font-size:12px; > color: #DDDDDD; > margin:0px; > padding:0px; >} > >A:link {BACKGROUND: none; COLOR: #66cc99; TEXT-DECORATION: none} >A:active {BACKGROUND: none; COLOR: #66ff99; TEXT-DECORATION: none} >A:visited {BACKGROUND: none; COLOR: #66cc99; TEXT-DECORATION: none} >A:hover {BACKGROUND: none; COLOR: #699; TEXT-DECORATION: none; position: relative; top:1px} > >#Menu { > position:absolute; > top:20px; > right:20px; > width:172px; > padding:10px; > font-size: 11px; > background-color:#222; > border:1px dashed #699; > line-height:1.3em; > voice-family:inherit; > width:150px; > } > ></STYLE></HEAD> ><BODY> > ><DIV id="Menu"> ><A href="test.html">click here</A><BR/> ><A href="test.html">and here, quickly</A><BR/> ></DIV> ></BODY></HTML>

Comment on attachment 111490 [details] Reduced testcase (from chrisimage.cjb.net) crashing 20030113 you'll have to save testcase on harddrive and name it test.html, I thought I could edit this attachment within Bugzilla but I can't, sorry for the spam.

i can reproduce the crash using Olivier's testcase on Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.3b) Gecko/20030105

I don't crash anymore using build 2003012315 neither on testcase or URL. Possibly due to patch for bug 185889. Doesn't show up anymore on Topcrashers' list either since 01/21. Fixed ?

Doesn't show up anymore, yes. Marking fixed.

Verifying on 2003-12-25-08-trunk

ftp://ftp.mozilla.org/pub/data/crash-data/Trunk-topcrashers.html shows 15 crashes since 01-28 in this place. Is that a different problem or should this bug be reopened?

Reopening so this gets looked at again, since the recent crashes do look very similar to the one originally reported. Although the testcase attached doesn't seem to crash anymore, it looks like there are other cases that do. I'll dig through Talkback data and see what I can find. jkeiser: if you think we should log a new bug, let me know.

Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.3b) Gecko/20030204 I tried to repeat the crashes I made in comment 6, without success. Made some interesting observations on t-mobile-URL: If I´m hovering horizontal, I get instanteaneous reaction, colour changes gray to yellow and vice versa. If I´m moving up, that the link "See all T-Mobile International sites" gets underlined, and back down on "About Us", I get no reaction. I´ve got to wait for more than 5 seconds, and then I have to move the mouse to another field, to get a colour reaction. If I make small movements, staying inside the text "About Us", I get no reaction. Reaction starts after at least 5 seconds, and leaving that text-area. Also, on vertical movements the picture is moving, maybe a pixel up or down, giving the impression the laptop is shifted on the table. I had this URL open in a neighboring tab, and switched to it, to see the effects while describing here. Just a moment ago, when I switched to that tab, "AboutUs" was still highlighted, and I had no reaction. I also couldn´t write here, but maybe I didn´t see the cursor. I killed some tabs, and all was well. I started system monitor, loaded t-mobile again and looked at CPU: well below 10% with no action, rising to 50, 75, 95% if I´m hovering horizontally. So much action for changing colour of a small field? System Celeron333, 96MB, Win98. I will try crashing that URL after I´ve sent this text, and report here, only if I succeed making a crash.

Looking at the movement of the picture at the right: mh_home_rgt.jpg When you move the mouse up to link "See all T-Mobile International sites", the table and part of the chair move down, image is distorted. Image is restored, when you move the mouse down till "Starbucks" is reached. It is also restored, when one of the links from "Services" through "About Us" is highlighted, but the last two, "Contact Us" and "About Us", are highlighted only after a long delay, about 5 seconds. Don´t know, where to file this bug, and if it´s relevant, but maybe this is related to the crash. BTW, the site is written in MSHTML 6.00.2715.400

unsetting blocker designation for re-evaluation.

no longer zt4newcrash

tested today with javascript-console and got following warning when hovering at the top right as described in previous comment, going down gave 11 repeats of this warning Warning: reference to undefined property event.target.className Source File: http://www.t-mobile.com/hotspot/masthead/js/BrowserAbsLayers/WindowsNav6.js Line: 138

jkeiser, this is high on the topcrash radar. Can you look into this for 1.3final (real soon now)? Thanks.

Here's the latest from Talkback. Not too many user comments/urls...but better than nothing. nsEventStateManager::DispatchMouseEvent 18 186132 REOP jkeiser@netscape.com mozilla1.3beta 15:04:31 BBID range: 16852676 - 17045807 Min/Max Seconds since last crash: 8 - 120809 Min/Max Runtime: 196 - 126700 Crash data range: 2003-02-02 to 2003-02-08 Build ID range: 2003013108 to 2003020704 Stack Trace: nsEventStateManager::DispatchMouseEvent [c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp line 2439] nsEventStateManager::GenerateMouseEnterExit [c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp line 2571] nsEventStateManager::PreHandleEvent [c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp line 376] PresShell::HandleEventInternal [c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp line 6208] PresShell::HandleEvent [c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp line 6136] nsViewManager::HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp line 2210] nsView::HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsView.cpp line 304] nsViewManager::DispatchEvent [c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp line 1948] HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsView.cpp line 83] nsWindow::DispatchEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp line 1119] nsWindow::DispatchWindowEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp line 1136] nsWindow::DispatchMouseEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp line 5378] ChildWindow::DispatchMouseEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp line 5633] nsWindow::ProcessMessage [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp line 4068] nsWindow::WindowProc [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp line 1403] USER32.dll + 0x27ad7 (0x77d67ad7) USER32.dll + 0x2ccd4 (0x77d6ccd4) USER32.dll + 0x4455 (0x77d44455) USER32.dll + 0x95d5 (0x77d495d5) nsAppShellService::Run [c:/builds/seamonkey/mozilla/xpfe/appshell/src/nsAppShellService.cpp line 480] main1 [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp line 1289] main [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp line 1639] WinMain [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp line 1660] WinMainCRTStartup() kernel32.dll + 0x214c7 (0x77e814c7) Source File : c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp line : 2439 (17027966) URL: http://www.nic.uk/TagHolders/BecomingATagHolder/ (16947649) URL: www.microcenter.com (16947649) Comments: Just hit the back button to visit 1 page back.

I can reproduce crash by going to http://www.nic.uk/TagHolders/BecomingATagHolder/ and double-clicking, sliding mouse, triple-clicking on the left DHTML menu, hard to say how exactly, but it can crashes. This is with build ID 2003021005: TB17071020W.

This bug appears to be fixed with bug 185889. Bug 103055 messed up .target unfortunately :( That is the likely cause of this. I can reproduce in a nightly before patch, but not after.

Hmm, I see a place where we could use a null check nonetheless.

+ mDOMEventLevel++; + BeforeDispatchEvent(); // void BeforeDispatchEvent() { mDOMEventLevel++; } double '++' of mDOMEventLevel here?

Both the crash and the ++ are bad things, still reproducible, and still fixable, and I have a patch, but it crashes elsewhere when I fix it. Investigating.

Changing URL from http://www.t-mobile.com/hotspot/ to http://www.nic.uk/TagHolders/BecomingATagHolder/ because the latter URL has been much more useful in reproducing the crash (there is also an odd recursive problem if you do this, probably not directly related).

The problem is if you click on a link and the shell goes away before you return from the event flow, we will currently crash. And the problem rbs noted is real too, and would cause us to re-resolve *too* much.

I can't reproduce the bug. i tried to drag, doubleclick triple click on this menu and i just arrived to block the tab Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.3b; MultiZilla v1.1.33 (b)) Gecko/20030131

Is this the same bug: (if so its fairly easy to repro) 1. Go to http://uk.gsmbox.com/news/mobile_news/all/95198.gsmbox 2. Type http://www.mozilla.org/ in the address bar and press enter* 3. Before the GSM Box page has gone, mouseover the underlined text "Nokia" on the first line of the introduction (an alert pops up) 4. Wait for mozilla.org to load in the background. 5. Press OK in the alert. * mozilla.org is just an example, any url will do :) crashes in nsEventStateManager::DispatchMouseEvent(nsIPresContext*, nsGUIEvent*, unsigned, nsIContent*, nsIFrame*, nsIContent*)

*** Bug 193613 has been marked as a duplicate of this bug. ***

Comment on attachment 114512 [details] [diff] [review] Patch for presshell going away during event what's the mDOMEventLevel++ removal for?

same question, otherwise looks okay

bryner, saari: that is to fix the problem rbs found in comment 43. It would cause us to re-resolve the frame too often.

so, is this ready to go in for 1.3?

Comment on attachment 114512 [details] [diff] [review] Patch for presshell going away during event r=saari

Comment on attachment 114512 [details] [diff] [review] Patch for presshell going away during event a=asa (on behalf of drivers) for checkin to 1.3

Setting Hardware=All per comment 5.

Fix checked in.

see bug 194493: this still happens.