Closed Bug 507274 Opened 15 years ago Closed 13 years ago

Breakpoint starting at ntdll!DbgBreakPoint+0x0000000000000000 called from xpcom_core+0x000000000008c28f

Categories

(Core :: General, defect)

1.9.1 Branch
x86
Windows XP
defect
Not set
critical

Tracking

RESOLVED INCOMPLETE
Tracking Status
status1.9.1 --- wanted

People

(Reporter: cbook, Unassigned)

Details

(Keywords: crash, Whiteboard: [sg:needinfo])

steps to reproduce: Load http://milwaukee.brewers.mlb.com/index.jsp?c_id=mil

da0.edc): Break instruction exception - code 80000003 (first chance)
eax=00000001 ebx=7ffd4000 ecx=7c9175d4 edx=7c97e178 esi=0000e718 edi=00c8f6f0
eip=7c90120e esp=00126998 ebp=00126cb4 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!DbgBreakPoint:
7c90120e cc int 3

Event Type: Exception
Exception Faulting Address: 0x7c90120e
First Chance Exception Type: STATUS_BREAKPOINT (0x80000003)
Faulting Instruction:7c90120e int 3

Basic Block:
7c90120e int 3

Exception Hash (Major/Minor): 0x5f7e4e79.0x5f624e1c

Stack Trace:
ntdll!DbgBreakPoint+0x0
xpcom_core+0x8c28f
xpcom_core+0x8bd94
gklayout+0x1249b8
gklayout+0xe4baf
gklayout+0xe4872
gklayout+0xe25e2
gklayout+0xe12b1
gklayout+0xdeb91
gklayout+0x12f5a3
gklayout+0xe3a23
gklayout+0xe23f2
gklayout+0xe12b1
gklayout+0xdeb91
gklayout+0xd6969
gklayout+0x1103ee
gklayout+0x110603
gklayout+0x110ec9
gklayout+0x12c76d
gklayout+0x12be3c
gklayout+0xdf338
gklayout+0x12f5a3
gklayout+0xe3a23
gklayout+0xe23f2
gklayout+0xe12b1
gklayout+0xdeb91
gklayout+0x12f5a3
gklayout+0xe3a23
gklayout+0xe23f2
gklayout+0xe12b1
gklayout+0xdeb91
gklayout+0x12f5a3
gklayout+0xe3a23
gklayout+0xe23f2
gklayout+0xe12b1
gklayout+0xdeb91
gklayout+0x12f5a3
gklayout+0xe3a23
gklayout+0xe23f2
gklayout+0xe12b1
gklayout+0xdeb91
gklayout+0xd6969
gklayout+0x1103ee
gklayout+0x110603
gklayout+0x110ec9
gklayout+0x12f5a3
gklayout+0xe3a23
gklayout+0xe23f2
gklayout+0xe12b1
gklayout+0xdeb91
gklayout+0x12f5a3
gklayout+0xe3a23
gklayout+0xe23f2
gklayout+0xe12b1
gklayout+0xdeb91
gklayout+0xd6969
gklayout+0xf254b
gklayout+0xd6969
gklayout+0x1103ee
gklayout+0x110603
gklayout+0x110ec9
gklayout+0xd6969
gklayout+0xf31ed
gklayout+0x21048
Instruction Address: 0x000000007c90120e

Description: Breakpoint
Short Description: Breakpoint
Exploitability Classification: UNKNOWN
Recommended Bug Title: Breakpoint starting at ntdll!DbgBreakPoint+0x0000000000000000 called from xpcom_core+0x000000000008c28f (Hash=0x5f7e4e79.0x5f624e1c)

While a breakpoint itself is probably not exploitable, it may also be an indication that an attacker is testing a target. In either case breakpoints should not exist in production code.

more information:

ChildEBP RetAddr
001268d4 0030c28f ntdll!DbgBreakPoint
00126bf4 0030bd94 xpcom_core!Break(char * aMsg = 0x00126c14 "###!!! ASSERTION: bad width: 'Not Reached', file c:/work/mozilla/builds/1.9.1/mozilla/layout/generic/nsLineLayout.cpp, line 182")+0x22f [c:\work\mozilla\builds\1.9.1\mozilla\xpcom\base\nsdebugimpl.cpp @ 491]
*** WARNING: Unable to verify checksum for c:\work\mozilla\builds\1.9.1\mozilla\firefox-debug\dist\bin\components\gklayout.dll
0012700c 033049b8 xpcom_core!NS_DebugBreak_P(unsigned int aSeverity = 1, char * aStr = 0x03bf6ae4 "bad width", char * aExpr = 0x03bf6ad8 "Not Reached", char * aFile = 0x03bf6a90 "c:/work/mozilla/builds/1.9.1/mozilla/layout/generic/nsLineLayout.cpp", int aLine = 182)+0x2a4 [c:\work\mozilla\builds\1.9.1\mozilla\xpcom\base\nsdebugimpl.cpp @ 364]
0012703c 032c4baf gklayout!nsLineLayout::BeginLineReflow(int aX = 0, int aY = 0, int aWidth = 606960, int aHeight = 1073741824, int aImpactedByFloats = 0, int aIsTopOfPage = 0)+0x98 [c:\work\mozilla\builds\1.9.1\mozilla\layout\generic\nslinelayout.cpp @ 182]
001270dc 032c4872 gklayout!nsBlockFrame::DoReflowInlineFrames(class nsBlockReflowState * aState = 0x00127750, class nsLineLayout * aLineLayout = 0x00127110, class nsLineList_iterator aLine = class nsLineList_iterator, int * aKeepReflowGoing = 0x00127460, LineReflowStatus * aLineReflowStatus = 0x001271d0, int aAllowPullUp = 1)+0x10f [c:\work\mozilla\builds\1.9.1\mozilla\layout\generic\nsblockframe.cpp @ 3393]
001271d8 032c25e2 gklayout!nsBlockFrame::ReflowInlineFrames(class nsBlockReflowState * aState = 0x00127750, class nsLineList_iterator aLine = class nsLineList_iterator, int * aKeepReflowGoing = 0x00127460)+0xf2 [c:\work\mozilla\builds\1.9.1\mozilla\layout\generic\nsblockframe.cpp @ 3276]
001272d8 032c12b1 gklayout!nsBlockFrame::ReflowLine(class nsBlockReflowState * aState = 0x00127750, class nsLineList_iterator aLine = class nsLineList_iterator, int * aKeepReflowGoing = 0x00127460)+0x2c2 [c:\work\mozilla\builds\1.9.1\mozilla\layout\generic\nsblockframe.cpp @ 2331]
00127490 032beb91 gklayout!nsBlockFrame::ReflowDirtyLines(class nsBlockReflowState * aState = 0x00127750)+0x561 [c:\work\mozilla\builds\1.9.1\mozilla\layout\generic\nsblockframe.cpp @ 1911]
00127860 0330f5a3 gklayout!nsBlockFrame::Reflow(class nsPresContext * aPresContext = 0x064760a0, struct nsHTMLReflowMetrics * aMetrics = 0x00127bc4, struct nsHTMLReflowState * aReflowState = 0x00127ae0, unsigned int * aStatus = 0x00127b88)+0x251 [c:\work\mozilla\builds\1.9.1\mozilla\layout\generic\nsblockframe.cpp @ 955]
0012789c 032c3a23 gklayout!nsBlockReflowContext::ReflowBlock(struct nsRect * aSpace = 0x00127acc, int aApplyTopMargin = 1, struct nsCollapsingMargin * aPrevMargin = 0x00128240, int aClearance = 0, int aIsAdjacentWithTop = 1, class nsLineBox * aLine = 0x07b65710, struct nsHTMLReflowState * aFrameRS = 0x00127ae0, unsigned int * aFrameReflowStatus = 0x00127b88, class nsBlockReflowState * aState = 0x001281b8)+0x1a3 [c:\work\mozilla\builds\1.9.1\mozilla\layout\generic\nsblockreflowcontext.cpp @ 310]
00127c40 032c23f2 gklayout!nsBlockFrame::ReflowBlockFrame(class nsBlockReflowState * aState = 0x001281b8, class nsLineList_iterator aLine = class nsLineList_iterator, int * aKeepReflowGoing = 0x00127ec8)+0x6b3 [c:\work\mozilla\builds\1.9.1\mozilla\layout\generic\nsblockframe.cpp @ 3004]
00127d40 032c12b1 gklayout!nsBlockFrame::ReflowLine(class nsBlockReflowState * aState = 0x001281b8, class nsLineList_iterator aLine = class nsLineList_iterator, int * aKeepReflowGoing = 0x00127ec8)+0xd2 [c:\work\mozilla\builds\1.9.1\mozilla\layout\generic\nsblockframe.cpp @ 2276]
00127ef8 032beb91 gklayout!nsBlockFrame::ReflowDirtyLines(class nsBlockReflowState * aState = 0x001281b8)+0x561 [c:\work\mozilla\builds\1.9.1\mozilla\layout\generic\nsblockframe.cpp @ 1911]
001282c8 032b6969 gklayout!nsBlockFrame::Reflow(class nsPresContext * aPresContext = 0x064760a0, struct nsHTMLReflowMetrics * aMetrics = 0x001284d4, struct nsHTMLReflowState * aReflowState = 0x00128388, unsigned int * aStatus = 0x00128434)+0x251 [c:\work\mozilla\builds\1.9.1\mozilla\layout\generic\nsblockframe.cpp @ 955]
0012830c 032f03ee gklayout!nsContainerFrame::ReflowChild(class nsIFrame * aKidFrame = 0x07b65428, class nsPresContext * aPresContext = 0x064760a0, struct nsHTMLReflowMetrics * aDesiredSize = 0x001284d4, struct nsHTMLReflowState * aReflowState = 0x00128388, int aX = 0, int aY = 0, unsigned int aFlags = 3, unsigned int * aStatus = 0x00128434, class nsOverflowContinuationTracker * aTracker = 0x00000000)+0xe9 [c:\work\mozilla\builds\1.9.1\mozilla\layout\generic\nscontainerframe.cpp @ 821]
00128448 032f0603 gklayout!nsHTMLScrollFrame::ReflowScrolledFrame(struct ScrollReflowState * aState = 0x00128578, int aAssumeHScroll = 0, int aAssumeVScroll = 0, struct nsHTMLReflowMetrics * aMetrics = 0x001284d4, int aFirstPass = 1)+0x32e [c:\work\mozilla\builds\1.9.1\mozilla\layout\generic\nsgfxscrollframe.cpp @ 528]
00128514 032f0ec9 gklayout!nsHTMLScrollFrame::ReflowContents(struct ScrollReflowState * aState = 0x00128578, struct nsHTMLReflowMetrics * aDesiredSize = 0x00128a3c)+0x53 [c:\work\mozilla\builds\1.9.1\mozilla\layout\generic\nsgfxscrollframe.cpp @ 622]
00128638 0330c76d gklayout!nsHTMLScrollFrame::Reflow(class nsPresContext * aPresContext = 0x064760a0, struct nsHTMLReflowMetrics * aDesiredSize = 0x00128a3c, struct nsHTMLReflowState * aReflowState = 0x00128980, unsigned int * aStatus = 0x00128b04)+0x249 [c:\work\mozilla\builds\1.9.1\mozilla\layout\generic\nsgfxscrollframe.cpp @ 823]
00128a98 0330be3c gklayout!nsAbsoluteContainingBlock::ReflowAbsoluteFrame(class nsIFrame * aDelegatingFrame = 0x07b65270, class nsPresContext * aPresContext = 0x064760a0, struct nsHTMLReflowState * aReflowState = 0x001291a0, int aContainingBlockWidth = 59400, int aContainingBlockHeight = 0, int aConstrainHeight = 1, class nsIFrame * aKidFrame = 0x07b65360, unsigned int * aStatus = 0x00128b04, struct nsRect * aChildBounds = 0x00128d64)+0x37d [c:\work\mozilla\builds\1.9.1\mozilla\layout\generic\nsabsolutecontainingblock.cpp @ 436]
00128b2c 032bf338 gklayout!nsAbsoluteContainingBlock::Reflow(class nsContainerFrame * aDelegatingFrame = 0x07b65270, class nsPresContext * aPresContext = 0x064760a0, struct nsHTMLReflowState * aReflowState = 0x001291a0, unsigned int * aReflowStatus = 0x00128e28, int aContainingBlockWidth = 59400, int aContainingBlockHeight = 0, int aConstrainHeight = 1, int aCBWidthChanged = 1, int aCBHeightChanged = 0, struct nsRect * aChildBounds = 0x00128d64)+0xcc [c:\work\mozilla\builds\1.9.1\mozilla\layout\generic\nsabsolutecontainingblock.cpp @ 158]

FAULTING_IP:
ntdll!DbgBreakPoint+0
7c90120e cc int 3

EXCEPTION_RECORD: ffffffff -- (.exr ffffffffffffffff)
ExceptionAddress: 7c90120e (ntdll!DbgBreakPoint)
ExceptionCode: 80000003 (Break instruction exception)
ExceptionFlags: 00000000
NumberParameters: 3
Parameter[0]: 00000000
Parameter[1]: 7c9175d4
Parameter[2]: 7c97e178

FAULTING_THREAD: 0000073c

BUGCHECK_STR: 80000003

DEFAULT_BUCKET_ID: STATUS_BREAKPOINT

PROCESS_NAME: firefox.exe

ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION} Breakpoint A breakpoint has been reached.

LAST_CONTROL_TRANSFER: from 0030c28f to 7c90120e

FOLLOWUP_IP:
xpcom_core!Break+22f [c:\work\mozilla\builds\1.9.1\mozilla\xpcom\base\nsdebugimpl.cpp @ 491]
0030c28f 8da5e8fcffff lea esp,[ebp-318h]

FAULTING_SOURCE_CODE:
487: asm("int $3");
488: #else
489: // don't know how to break on this platform
490: #endif
> 491: }
492:
493: static const nsDebugImpl kImpl;
494:
495: NS_METHOD
496: nsDebugImpl::Create(nsISupports* outer, const nsIID& aIID, void* *aInstancePtr)

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: xpcom_core!Break+22f

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: xpcom_core

IMAGE_NAME: xpcom_core.dll

DEBUG_FLR_IMAGE_TIMESTAMP: 4a6de20b

STACK_COMMAND: ~0s ; kb

FAILURE_BUCKET_ID: 80000003_xpcom_core!Break+22f

BUCKET_ID: 80000003_xpcom_core!Break+22f
Where does it crash when it's not a debug build? Can we capture the web page, or better, a reduced copy?
blocking1.9.1: ? → ---
Whiteboard: [sg:needinfo]
Resolving as incomplete after over two years. Tomcat, please reopen if it is still occurring and you can give us the data that Dan wanted.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → INCOMPLETE
Group: core-security