Closed Bug 316608 Opened 19 years ago Closed 9 years ago

Crash [@ nsIFrame::GetStyleData() line 607] (called by CalculateHypotheticalBox) involving XUL menus

Component: Core :: Layout: Positioned (defect)
Platform: x86, Windows XP
Priority: Not set
Severity: critical
Status: RESOLVED INCOMPLETE
Reporter: bc; Assignee: dbaron
Keywords: crash
Whiteboard: [sg:dos] null dereference

Automated RandomStyles testing on WinXP with today's FF trunk: http://php5.akbkhome.com:81/svn.php seed=140;skip=255;changesPerInterval=144;interval=246;

nsIFrame::GetStyleData(nsStyleStructID eStyleStruct_Visibility) line 607 + 3 bytes
nsIFrame::GetStyleVisibility() line 98 + 17 bytes
nsHTMLReflowState::CalculateHypotheticalBox(nsPresContext * 0x030da0b8, nsIFrame * 0x0446ebd4, nsIFrame * 0x00000000, nsMargin & {...}, const nsHTMLReflowState * 0x0012e4a0, nsHypotheticalBox & {...}) line 893 + 8 bytes
nsHTMLReflowState::InitAbsoluteConstraints(nsPresContext * 0x030da0b8, const nsHTMLReflowState * 0x0012e4a0, int 0x00004b00, int 0x00003237) line 1066
nsHTMLReflowState::InitConstraints(nsPresContext * 0x030da0b8, int 0x00004b00, int 0x00003237, nsMargin * 0x00000000, nsMargin * 0x00000000) line 1965
nsHTMLReflowState::Init(nsPresContext * 0x030da0b8, int 0xffffffff, int 0xffffffff, nsMargin * 0x00000000, nsMargin * 0x00000000) line 343
nsHTMLReflowState::nsHTMLReflowState(nsPresContext * 0x030da0b8, const nsHTMLReflowState & {...}, nsIFrame * 0x04670550, const nsSize & {...}, nsReflowReason eReflowReason_Resize, int 0x00000001) line 217
nsFrame::BoxReflow(nsBoxLayoutState & {...}, nsPresContext * 0x030da0b8, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000, int 0x00000000, int 0x00000000, int 0x00000000, int 0x00000000, int 0x00000001) line 5233
nsFrame::RefreshSizeCache(nsFrame * const 0x04670550, nsBoxLayoutState & {...}) line 4812 + 70 bytes
nsFrame::GetAscent(nsFrame * const 0x04670550, nsBoxLayoutState & {...}, int & 0x00000000) line 5019
nsSprocketLayout::GetAscent(nsSprocketLayout * const 0x029d90c0, nsIFrame * 0x040a79fc, nsBoxLayoutState & {...}, int & 0x000000e1) line 1563
nsBoxFrame::GetAscent(nsBoxFrame * const 0x040a79fc, nsBoxLayoutState & {...}, int & 0x000000e1) line 971 + 38 bytes
nsSprocketLayout::Layout(nsSprocketLayout * const 0x029d90c0, nsIFrame * 0x040a79fc, nsBoxLayoutState & {...}) line 257
nsBoxFrame::DoLayout(nsBoxFrame * const 0x040a79fc, nsBoxLayoutState & {...}) line 1089 + 34 bytes
nsIFrame::Layout(nsBoxLayoutState & {...}) line 802
nsStackLayout::Layout(nsStackLayout * const 0x028d14c0, nsIFrame * 0x040a7680, nsBoxLayoutState & {...}) line 321
nsBoxFrame::DoLayout(nsBoxFrame * const 0x040a7680, nsBoxLayoutState & {...}) line 1089 + 34 bytes
nsIFrame::Layout(nsBoxLayoutState & {...}) line 802
nsBoxFrame::Reflow(nsBoxFrame * const 0x040a7680, nsPresContext * 0x030da0b8, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 840
nsRootBoxFrame::Reflow(nsRootBoxFrame * const 0x040a7680, nsPresContext * 0x030da0b8, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 215
nsContainerFrame::ReflowChild(nsIFrame * 0x040a7680, nsPresContext * 0x030da0b8, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0x00000000, int 0x00000000, unsigned int 0x00000000, unsigned int & 0x00000000) line 891 + 31 bytes
ViewportFrame::Reflow(ViewportFrame * const 0x040a75ec, nsPresContext * 0x030da0b8, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 229 + 43 bytes
IncrementalReflow::Dispatch(nsPresContext * 0x030da0b8, nsHTMLReflowMetrics & {...}, const nsSize & {...}, nsIRenderingContext & {...}) line 857
PresShell::ProcessReflowCommands(int 0x00000001) line 6484
PresShell::WillPaint(PresShell * const 0x030dfd80) line 6143
nsViewManager::DispatchEvent(nsViewManager * const 0x030da5c0, nsGUIEvent * 0x0012f040, nsEventStatus * 0x0012ef24) line 2036
HandleEvent(nsGUIEvent * 0x0012f040) line 176
nsWindow::DispatchEvent(nsWindow * const 0x030da6b4, nsGUIEvent * 0x0012f040, nsEventStatus & nsEventStatus_eIgnore) line 1140 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f040, nsEventStatus & nsEventStatus_eIgnore) line 1166
nsWindow::OnPaint(HDC__ * 0x00000000) line 5717 + 28 bytes
nsWindow::ProcessMessage(unsigned int 0x0000000f, unsigned int 0x00000000, long 0x00000000, long * 0x0012f554) line 4257 + 19 bytes
nsWindow::WindowProc(HWND__ * 0x002e0126, unsigned int 0x0000000f, unsigned int 0x00000000, long 0x00000000) line 1329 + 27 bytes
USER32! 77d48734()
USER32! 77d48816()
USER32! 77d4b4c0()
USER32! 77d4b50c()
NTDLL! 7c90eae3()
nsWindow::DispatchStarvedPaints(HWND__ * 0x002e0126, long 0x00000000) line 4075 + 10 bytes
USER32! 77d4ccd1()
USER32! 77d4da57()
nsWindow::DispatchPendingEvents() line 4116
nsWindow::ProcessMessage(unsigned int 0x00000200, unsigned int 0x00000000, long 0x00c30156, long * 0x0012fb88) line 4488
nsWindow::WindowProc(HWND__ * 0x002b00f2, unsigned int 0x00000200, unsigned int 0x00000000, long 0x00c30156) line 1329 + 27 bytes
USER32! 77d48734()
USER32! 77d48816()
USER32! 77d489cd()
USER32! 77d48a10()
nsAppShell::Run(nsAppShell * const 0x00baa870) line 135
nsAppStartup::Run(nsAppStartup * const 0x00baa7d0) line 161 + 26 bytes
XRE_main(int 0x00000001, char * * 0x003f6ed0, const nsXREAppData * 0x0042101c kAppData) line 2289 + 35 bytes
main(int 0x00000001, char * * 0x003f6ed0) line 61 + 18 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 7c816d4f()
Similar stack: http://www.faser.net/mab/chrome/content/mab.xul seed=140;skip=255;changesPerInterval=144;interval=246
Similar stack: http://www.croczilla.com/svg/samples/xulsvg1/xulsvg1.xul seed=140;skip=255;changesPerInterval=144;interval=246
Probably bug 253479
Depends on: 253479
Whiteboard: [sg:nse] null dereference
Flags: blocking1.8.0.1?
Whiteboard: [sg:nse] null dereference → [sg:dos] null dereference
Component: Layout → Layout: R & A Pos
QA Contact: layout → layout.r-and-a-pos
Assignee: nobody → dbaron
The testcase in comment 0 currently (with the other fixes in my tree) gives me a crash related to XUL menus doing attribute changes during frame construction.
... and I see the same problem for the testcase in comment 1.
...and the testcase in comment 2 now crashes in something that's probably related to XUL menus setting attributes when they shouldn't.
Flags: blocking1.8.0.2?
Flags: blocking1.8.0.1?
Flags: blocking1.8.0.1-
Summary: Crash [@ nsIFrame::GetStyleData() line 607] → Crash [@ nsIFrame::GetStyleData() line 607] involving XUL menus
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1) Gecko/20060205 Firefox/1.6a1

Comment 0, opt: After 20703 or 20847, it crashes [@ nsTreeBodyFrame::InvalidateScrollbars] with PresShell::Thaw on the stack.
Comment 0, debug: Around 3000, it crashes [@ nsCSSFrameConstructor::FindFrameWithContent].
Comment 1, opt: After 6015 or 8751, it stops drawing.
Comment 1, debug: Around 3000, it crashes [@ nsCSSFrameConstructor::FindFrameWithContent].
Comment 2, opt: Passes 25000 without problems.
Comment 2, debug: Passes 25000 without problems.

dbaron, do any of the problems I see correspond to the XUL menu problems you saw? If not, do you still see the XUL menu problems? Do you have a good enough understanding of those problems that you don't need simplified testcases?
Not blocking 1.8.0.2: it's not exploitable and we're having trouble getting resources to get the more important exploitable flaws fixed in this timeframe. If this is blocking further testing we can reconsider.
Flags: blocking1.8.0.2? → blocking1.8.0.2-
Summary: Crash [@ nsIFrame::GetStyleData() line 607] involving XUL menus → Crash [@ nsIFrame::GetStyleData() line 607] (called by CalculateHypotheticalBox) involving XUL menus
Update crash bugs to critical per guidelines.
Severity: major → critical
Crash Signature: [@ nsIFrame::GetStyleData() line 607]
Opening based on comment 8.
Group: core-security
Crash Signature: [@ nsIFrame::GetStyleData() line 607] → [@ nsIFrame::GetStyleData() line 607] [@ nsIFrame::GetStyleData line 607]
Site no longer loads and no testcases attached.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → INCOMPLETE