topcrash [@ nsDisplayText::Paint(nsDisplayListBuilder*, nsIRenderingContext*)]

RESOLVED FIXED in mozilla1.9.3a2

Status

P1
normal
RESOLVED FIXED
9 years ago
7 years ago

People

(Reporter: dbaron, Assigned: jtd)

Tracking

({crash, topcrash})

Trunk
mozilla1.9.3a2
x86
Windows XP

Firefox Tracking Flags

(status2.0 ?)

Comment 1

9 years ago
The crash occurs at http://hg.mozilla.org/mozilla-central/annotate/ed7d1a491a8e/layout/generic/nsTextFrameThebes.cpp#l3895

The crash address is very consistent: 0xfffffffff0de8017

The only consistency between the sites so far is that they have Cyrillic characters.
(In reply to comment #1)
> The crash address is very consistent: 0xfffffffff0de8017

The frame poison pattern is probably 0xf0de8000, so that's memory released to the frame arena.



I suppose this could be a regression from some other change in the regression range:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=bcd9709de08a&tochange=6712bed154ed
plus a baseline of some other bug at lower frequency.
I seem to recall ВКонтакте (VKontakte) having some sort of plugin.  Could it be related to that?

Comment 4

9 years ago
jfkthame says this may be related to bug 533251; we should check the crash stats again when this lands.
Depends on: 533251
(In reply to comment #3)
> I seem to recall ВКонтакте (VKontakte) having some sort of plugin.  Could it be
> related to that?

... we even blocklisted some versions of it (bug 540692).
This went from 22 crashes in Feb. 22 builds and 24 crashes in Feb. 23 builds to none in today's (Feb. 24) builds yet, so it pretty clearly was fixed by bug 533251.

I'm guessing it being a topcrash was a regression from bug 541924.
Assignee: nobody → jdaggett
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Component: Plug-ins → Layout: Text
Priority: -- → P1
QA Contact: plugins → layout.fonts-and-text
Resolution: --- → FIXED
Summary: [OOPP] topcrash [@ nsDisplayText::Paint(nsDisplayListBuilder*, nsIRenderingContext*)] → topcrash [@ nsDisplayText::Paint(nsDisplayListBuilder*, nsIRenderingContext*)]
Target Milestone: --- → mozilla1.9.3a2

Comment 7

8 years ago
This signature is showing up again on 3.6.x, and at an even higher rate on 4.0 betas when you consider the size of the user population. Guessing this is a new and different problem with the same signature. More details over in bug 593511.
status2.0: --- → ?
Crash Signature: [@ nsDisplayText::Paint(nsDisplayListBuilder*, nsIRenderingContext*)]
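
A triage check built on the observation in the comments above that the crash address 0xfffffffff0de8017 sits just past the probable frame poison pattern 0xf0de8000, which points at memory already released to the frame arena. This is an added example, not part of the bug report or Mozilla's code; the 0x1000 window, the 80% threshold, the function names and every sample record except the first address are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumption: poison base taken from the comment ("probably 0xf0de8000").
FRAME_POISON = 0xF0DE8000
WINDOW = 0x1000  # assumed: member offsets stay within one page of the pointer


def poison_offset(addr, poison=FRAME_POISON, window=WINDOW):
    """Return addr's offset from the poison value, or None if unrelated.

    Accepts a 32-bit address or its 64-bit sign-extended form
    (0xfffffffff0de8017), which is how a 32-bit fault address may be reported.
    """
    high, low = addr >> 32, addr & 0xFFFFFFFF
    if high not in (0, 0xFFFFFFFF):
        return None  # genuine 64-bit address, not a widened 32-bit one
    if high == 0xFFFFFFFF and not low & 0x80000000:
        return None  # upper bits set but not a valid sign extension
    off = low - poison
    return off if 0 <= off < window else None


def flag_signatures(reports, threshold=0.8):
    """Map signature -> (poisoned, total) where poisoned/total >= threshold."""
    counts = defaultdict(lambda: [0, 0])
    for signature, addr_text in reports:
        counts[signature][1] += 1
        if poison_offset(int(addr_text, 16)) is not None:
            counts[signature][0] += 1
    return {s: tuple(c) for s, c in counts.items() if c[0] / c[1] >= threshold}


# Constructed sample records (signature, crash address). Only the signature
# and the first address come from the bug report; the rest are made up.
SIG = "nsDisplayText::Paint(nsDisplayListBuilder*, nsIRenderingContext*)"
SAMPLE = [
    (SIG, "0xfffffffff0de8017"),
    (SIG, "0xf0de8017"),
    (SIG, "0xf0de8004"),
    ("other::Signature", "0x0"),             # null dereference, not poison
    ("other::Signature", "0x7ffdf0de8017"),  # real 64-bit address
]

if __name__ == "__main__":
    for sig, (hit, total) in flag_signatures(SAMPLE).items():
        print(f"{sig}: {hit}/{total} crash addresses fall in poisoned frame memory")
```

A signature flagged this way is a candidate use-after-free in layout frame code and is worth prioritising for a security review rather than treating as an ordinary null-pointer crash.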