User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; .NET CLR 1.1.4322; InfoPath.2) Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9a3pre) Gecko/20070321 Minefield/3.0a3pre While performing HTTP fuzzing ran into a crash that occured when the test cases caused the iframes to display odd character codes seeming to shift the character set. The stack traces differed between debug and nightly builds, though the debug builds always landed into Cairo code. Lack of symbols for the nightly builds made it hard to trust the produced stack traces. Reproducible: Always Steps to Reproduce: 1. Grab attachements 2. Install twisted python module (link provided in readme) 3. Run httpfuzzer.py 80 4. Load httpfuzzer.html 5. Attach debugger 6. Click on "start" Takes about 10-15min to run through all test cases on a normal machine.

Can you attach a reduced testcase, or at least the stack traces?

This is the reduced test case. Sorry I forgot to past in the stack trace, must be late :) I usually trigger around 16600 ish. Doesn't take long to get there with a max of 1,000 test cases. This is also a series of tests that cause the problem to occur. The fuzzer should be fairly easy to run, the only dependency is Python and the Twisted python module (link in the readme.txt). ChildEBP RetAddr 0012d258 00e2313a firefox!_moz_cairo_win32_scaled_font_select_font+0x10 [c:\audits\firefox\src021007-nightlysettings\mozilla\gfx\cairo\cairo\src\cairo-win32-font.c @ 1620] 0012d270 00e22542 firefox!UniscribeItem::SelectFont+0x8a [c:\audits\firefox\src021007-nightlysettings\mozilla\gfx\thebes\src\gfxwindowsfonts.cpp @ 1520] 0012d28c 00e21fbc firefox!UniscribeItem::Shape+0x102 [c:\audits\firefox\src021007-nightlysettings\mozilla\gfx\thebes\src\gfxwindowsfonts.cpp @ 1250] 0012d520 00e20f92 firefox!gfxWindowsTextRun::MeasureOrDrawUniscribe+0x24c [c:\audits\firefox\src021007-nightlysettings\mozilla\gfx\thebes\src\gfxwindowsfonts.cpp @ 1778] 0012d54c 00e2082f firefox!gfxWindowsTextRun::Measure+0xa2 [c:\audits\firefox\src021007-nightlysettings\mozilla\gfx\thebes\src\gfxwindowsfonts.cpp @ 704] 0012d55c 00618145 firefox!gfxWrapperTextRun::GetAdvanceWidth+0x2f [c:\audits\firefox\src021007-nightlysettings\mozilla\gfx\thebes\src\gfxwindowsfonts.cpp @ 643] 0012d598 0061d399 firefox!nsThebesFontMetrics::GetWidth+0xc5 [c:\audits\firefox\src021007-nightlysettings\mozilla\gfx\src\thebes\nsthebesfontmetrics.cpp @ 370] 0012d5b8 00e775ad firefox!nsThebesRenderingContext::GetWidthInternal+0x49 [c:\audits\firefox\src021007-nightlysettings\mozilla\gfx\src\thebes\nsthebesrenderingcontext.cpp @ 1224] 0012d5e4 0061aa3c firefox!nsRenderingContextImpl::GetWidth+0x6d [c:\audits\firefox\src021007-nightlysettings\mozilla\gfx\src\shared\nsrenderingcontextimpl.cpp @ 601] 0012d600 0061d47d firefox!nsThebesRenderingContext::GetWidth+0x1c [c:\audits\firefox\src021007-nightlysettings\mozilla\gfx\src\thebes\nsthebesrenderingcontext.h @ 153] 0012d624 00e7780c firefox!nsThebesRenderingContext::GetTextDimensionsInternal+0x6d [c:\audits\firefox\src021007-nightlysettings\mozilla\gfx\src\thebes\nsthebesrenderingcontext.cpp @ 1244] 0012d65c 00990885 firefox!nsRenderingContextImpl::GetTextDimensions+0x3c [c:\audits\firefox\src021007-nightlysettings\mozilla\gfx\src\shared\nsrenderingcontextimpl.cpp @ 647] 0012d980 009927f5 firefox!nsTextFrame::MeasureText+0x8e5 [c:\audits\firefox\src021007-nightlysettings\mozilla\layout\generic\nstextframe.cpp @ 5324] 0012dcd8 00aedb11 firefox!nsTextFrame::Reflow+0x4d5 [c:\audits\firefox\src021007-nightlysettings\mozilla\layout\generic\nstextframe.cpp @ 6102] 0012de68 0099b15b firefox!nsLineLayout::ReflowFrame+0x3b1 [c:\audits\firefox\src021007-nightlysettings\mozilla\layout\generic\nslinelayout.cpp @ 889] 0012decc 0099ad53 firefox!nsBlockFrame::ReflowInlineFrame+0x4b [c:\audits\firefox\src021007-nightlysettings\mozilla\layout\generic\nsblockframe.cpp @ 3396] 0012df48 0099a990 firefox!nsBlockFrame::DoReflowInlineFrames+0x1f3 [c:\audits\firefox\src021007-nightlysettings\mozilla\layout\generic\nsblockframe.cpp @ 3220] 0012e038 00998f21 firefox!nsBlockFrame::ReflowInlineFrames+0xe0 [c:\audits\firefox\src021007-nightlysettings\mozilla\layout\generic\nsblockframe.cpp @ 3068] 0012e134 009982a6 firefox!nsBlockFrame::ReflowLine+0x231 [c:\audits\firefox\src021007-nightlysettings\mozilla\layout\generic\nsblockframe.cpp @ 2161] 0012e238 00996891 firefox!nsBlockFrame::ReflowDirtyLines+0x426 [c:\audits\firefox\src021007-nightlysettings\mozilla\layout\generic\nsblockframe.cpp @ 1772] 0012e4bc 00af2fb0 firefox!nsBlockFrame::Reflow+0x191 [c:\audits\firefox\src021007-nightlysettings\mozilla\layout\generic\nsblockframe.cpp @ 896] 0012e528 0099a223 firefox!nsBlockReflowContext::ReflowBlock+0x380 [c:\audits\firefox\src021007-nightlysettings\mozilla\layout\generic\nsblockreflowcontext.cpp @ 371] 0012e8a0 00998d8c firefox!nsBlockFrame::ReflowBlockFrame+0x5c3 [c:\audits\firefox\src021007-nightlysettings\mozilla\layout\generic\nsblockframe.cpp @ 2862] 0012e99c 009982a6 firefox!nsBlockFrame::ReflowLine+0x9c [c:\audits\firefox\src021007-nightlysettings\mozilla\layout\generic\nsblockframe.cpp @ 2108] 0012eaa0 00996891 firefox!nsBlockFrame::ReflowDirtyLines+0x426 [c:\audits\firefox\src021007-nightlysettings\mozilla\layout\generic\nsblockframe.cpp @ 1772] 0012ed24 008822b8 firefox!nsBlockFrame::Reflow+0x191 [c:\audits\firefox\src021007-nightlysettings\mozilla\layout\generic\nsblockframe.cpp @ 896] 0012ed58 009c3c8b firefox!nsContainerFrame::ReflowChild+0x78 [c:\audits\firefox\src021007-nightlysettings\mozilla\layout\generic\nscontainerframe.cpp @ 953] 0012eeb8 008822b8 firefox!CanvasFrame::Reflow+0xcb [c:\audits\firefox\src021007-nightlysettings\mozilla\layout\generic\nshtmlframe.cpp @ 586] 0012eeec 00a0e35a firefox!nsContainerFrame::ReflowChild+0x78 [c:\audits\firefox\src021007-nightlysettings\mozilla\layout\generic\nscontainerframe.cpp @ 953] 0012f004 00a0e4bb firefox!nsHTMLScrollFrame::ReflowScrolledFrame+0x19a [c:\audits\firefox\src021007-nightlysettings\mozilla\layout\generic\nsgfxscrollframe.cpp @ 457] 0012f0e4 00a0ebac firefox!nsHTMLScrollFrame::ReflowContents+0x4b [c:\audits\firefox\src021007-nightlysettings\mozilla\layout\generic\nsgfxscrollframe.cpp @ 527] 0012f1f0 008822b8 firefox!nsHTMLScrollFrame::Reflow+0x21c [c:\audits\firefox\src021007-nightlysettings\mozilla\layout\generic\nsgfxscrollframe.cpp @ 742] 0012f224 009c457d firefox!nsContainerFrame::ReflowChild+0x78 [c:\audits\firefox\src021007-nightlysettings\mozilla\layout\generic\nscontainerframe.cpp @ 953] 0012f448 006d1b8c firefox!ViewportFrame::Reflow+0x12d [c:\audits\firefox\src021007-nightlysettings\mozilla\layout\generic\nsviewportframe.cpp @ 290] 0012f5a8 006ceb2f firefox!PresShell::ProcessReflowCommands+0x2cc [c:\audits\firefox\src021007-nightlysettings\mozilla\layout\base\nspresshell.cpp @ 6062] 0012f5bc 00a109fc firefox!PresShell::FlushPendingNotifications+0x6f [c:\audits\firefox\src021007-nightlysettings\mozilla\layout\base\nspresshell.cpp @ 4687] 0012f64c 00a11518 firefox!nsGfxScrollFrameInner::FireScrollPortEvent+0x3c [c:\audits\firefox\src021007-nightlysettings\mozilla\layout\generic\nsgfxscrollframe.cpp @ 1537] 0012f658 0032a2ba firefox!nsGfxScrollFrameInner::AsyncScrollPortEvent::Run+0x18 [c:\audits\firefox\src021007-nightlysettings\mozilla\layout\generic\nsgfxscrollframe.cpp @ 1880] 0012f68c 002d34ff xpcom_core!nsThread::ProcessNextEvent+0x12a [c:\audits\firefox\src021007-nightlysettings\mozilla\xpcom\threads\nsthread.cpp @ 483] 0012f6a8 00665505 xpcom_core!NS_ProcessNextEvent_P+0x3f [c:\audits\firefox\src021007-nightlysettings\mozilla\obj-i686-pc-cygwin\xpcom\build\nsthreadutils.cpp @ 225] 0012f6bc 00da08e1 firefox!nsBaseAppShell::Run+0x45 [c:\audits\firefox\src021007-nightlysettings\mozilla\widget\src\xpwidgets\nsbaseappshell.cpp @ 153] 0012f6d0 00404c49 firefox!nsAppStartup::Run+0x41 [c:\audits\firefox\src021007-nightlysettings\mozilla\toolkit\components\startup\src\nsappstartup.cpp @ 171] 0012feec 00401035 firefox!XRE_main+0x2259 [c:\audits\firefox\src021007-nightlysettings\mozilla\toolkit\xre\nsapprunner.cpp @ 2838] 0012ff00 00401059 firefox!main+0x15 [c:\audits\firefox\src021007-nightlysettings\mozilla\browser\app\nsbrowserapp.cpp @ 61] 0012ff10 00ec2a10 firefox!WinMain+0x19 [c:\audits\firefox\src021007-nightlysettings\mozilla\browser\app\nsbrowserapp.cpp @ 70] 0012ffa0 77853833 firefox!__tmainCRTStartup+0x140 [f:\sp\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 589] 0012ffac 77dda9bd kernel32!BaseThreadInitThunk+0xe 0012ffec 00000000 ntdll!_RtlUserThreadStart+0x23

Probably related to bug 374949.

If you are not the right person to assign this to, please help us find someone that is.

Anyone want to further reduce this testcase?

lsg-mtso or Martijn, can you still reproduce this? I can help reduce if needed.

This bug is pretty stale. We could really use some help getting a reproducible testcase. lsg-mtso, you mentioned that you typically crash "around 16600-ish". When you do crash, does reloading the same testcase not reliably reproduce the crash?