Closed Bug 531125 Opened 15 years ago Closed 8 years ago

Firefox 3.6 beta frame poisoned crashes [@nsIFrame::GetOffsetTo(nsIFrame const*) ]

Categories

(Core :: Layout, defect)

x86
Windows XP
defect
Not set
normal

Tracking

()

RESOLVED INCOMPLETE
Tracking Status
firefox47 --- wontfix
firefox48 --- wontfix
firefox49 --- wontfix
firefox-esr45 --- wontfix
firefox50 --- wontfix

People

(Reporter: chofmann, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase-wanted)

Crash Data

Attachments

(1 file)

stacks look like
http://crash-stats.mozilla.com/report/index/21f40e00-d30b-4154-8498-96eaa2091125

Frame  Module      Signature                               Source
0      xul.dll     nsIFrame::GetOffsetTo                   layout/generic/nsFrame.cpp:3515
1      xul.dll     nsDisplayListBuilder::ToReferenceFrame  layout/base/nsDisplayList.h:218
2      xul.dll     nsDisplayPlugin::GetBounds              layout/generic/nsObjectFrame.cpp:1160
3      xul.dll     nsDisplayPlugin::Paint                  layout/generic/nsObjectFrame.cpp:1168
4      xul.dll     nsDisplayList::Paint                    layout/base/nsDisplayList.cpp:385
5      xul.dll     nsDisplayClip::Paint                    layout/base/nsDisplayList.cpp:1076
6      xul.dll     nsLayoutUtils::PaintFrame               layout/base/nsLayoutUtils.cpp:1132
7      xul.dll     PresShell::Paint                        layout/base/nsPresShell.cpp:5794
8      xul.dll     nsViewManager::RenderViews              view/src/nsViewManager.cpp:534
9      xul.dll     nsViewManager::Refresh                  view/src/nsViewManager.cpp:493
10     xul.dll     nsViewManager::DispatchEvent            view/src/nsViewManager.cpp:1008
11     xul.dll     HandleEvent                             view/src/nsView.cpp:167
12     xul.dll     nsWindow::DispatchEvent                 widget/src/windows/nsWindow.cpp:2830
13     xul.dll     nsWindow::DispatchWindowEvent           widget/src/windows/nsWindow.cpp:2863
14     xul.dll     nsWindow::OnPaint                       widget/src/windows/nsWindowGfx.cpp:510
15     xul.dll     nsWindow::ProcessMessage                widget/src/windows/nsWindow.cpp:3741
16     xul.dll     nsWindow::WindowProc                    widget/src/windows/nsWindow.cpp:3446
17     user32.dll  InternalCallWinProc
18     user32.dll  UserCallWinProcCheckWow
19     user32.dll  DispatchClientMessage
20     user32.dll  __fnDWORD
21     ntdll.dll   KiUserCallbackDispatcher
22     xul.dll     nsAttributeSH::GetFlags
23     xul.dll     nsWindow::Update                        widget/src/windows/nsWindow.cpp:2119
24     xul.dll     nsViewManager::ForceUpdate              view/src/nsViewManager.cpp:1866
25     xul.dll     nsViewManager::Composite                view/src/nsViewManager.cpp:588
26     xul.dll     nsViewManager::UpdateViewAfterScroll    view/src/nsViewManager.cpp:691

more reports by query to
http://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=exact&query=&date=&range_value=1&range_unit=weeks&do_query=1&signature=nsIFrame::GetOffsetTo%28nsIFrame%20const*%29
then sort on 3.6 and/or crash address

no comments in the frame poisoned crashes, but the 3.5.x crashes seem to have a lot of comments in german and asian languages, and comments in english about trouble with the wall street journal site.
quick glance shows no urls like those mentioned in the comment above.

the frame poisoned 3.6 crash urls are things like

http://www.pokerprolabs.com/puto-lino/pokerstars.aspx
http://www.technospot.net/blogs/download-free-20-plus-windows-vista-themes-and-styles/pt/
http://www.technospot.net/blogs/extract-text-from-pdf-a-tool-which-really-works/pt/

youtube, orkut, picasa, and a variety of adult video and photo sites

nothing reproducible. when we get some 3.6b4 data we can get tomcat's automation to try that list.
This is #16.

62 0xfffffffff0dea803 Windows NT nsIFrame::GetOffsetTo(nsIFrame const*)

from the list generated on 11/22
https://bug526587.bugzilla.mozilla.org/attachment.cgi?id=414317&t=Xdp40j4oJ9
(In reply to comment #1)
> quick glance shows no urls like those mentioned in the comment above.
>
> the frame poisoned 3.6 crash urls are things like
>
> http://www.pokerprolabs.com/puto-lino/pokerstars.aspx
> http://www.technospot.net/blogs/download-free-20-plus-windows-vista-themes-and-styles/pt/
> http://www.technospot.net/blogs/extract-text-from-pdf-a-tool-which-really-works/pt/
>

thanks, will hammer also on these urls, maybe again a crash after a while or so :/

> nothing reproducible. when we get some 3.6b4 data we can get tomcat's
> automation to try that list.

cool ! CrashCats rock :)
ranks at about #286 in 3.5.6 and #268 in early 3.6b5 data
averaging about 150 crashes per day across all releases

checking --- 20091219-crashdata.csv nsIFrame::GetOffsetTo

release  total-crashes  nsIFrame::GetOffsetTo crashes  pct.
all      208220         158                            0.000758813
3.0.15   8049           1                              0.000124239
3.0.16   28224          14                             0.000496032
3.5.5    21966          17                             0.000773923
3.5.6    97104          92                             0.000947438
3.6b5    14558          11                             0.000755598
3.6b4    7097           7                              0.000986332
3.6b3    701            0
3.6b2    752            1                              0.00132979
3.6b1    2016           1                              0.000496032
Flags: wanted1.9.2?
Flags: wanted1.9.2? → wanted1.9.2+
Crash bugs where all we have are stats should not be security-sensitive. If you figure out steps to reproduce, *that* should be security-sensitive.
Group: core-security
Whiteboard: [sg:watch]
Whiteboard: [sg:watch]
The most common URLs reported yesterday for this crash are, with query strings removed:

1011 http://apps.facebook.com/wildones/index.php
 525 http://wild-fb-apache-active-vip.playdom.com/pub/php/playdomapi.js.php
 172 http://apps.facebook.com/wildones/
I pretty reliably crash on the url mentioned in comment 6:
http://crash-stats.mozilla.com/report/index/764cde58-8868-4617-bbb4-3e7052100720

I don't seem to crash in current trunk build.
blocking1.9.2: --- → ?
Hmm, never mind, I posted the wrong stack. And it doesn't seem to crash anymore in my 3.6.8 build.
blocking1.9.2: ? → ---
not showing up in 4.0 betas so something along the way might have fixed this, or the signature could have shifted.
I'm going to mark this works for me since it still does not show on 4.0.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME
It probably just changed names to nsIFrame::GetOffsetToCrossDoc.
ok, that sounds like the #66 ranked crash in RC1

137 crashes per day
nsIFrame::GetOffsetToCrossDoc(nsIFrame const*, int)
In 9+ releases: 4.0 4.0b12 4.0b7 4.0b8 4.0b11 4.0b9 4.0b3 4.0b13pre 4.0b10 ...

bug 621551
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Crash Signature: [@nsIFrame::GetOffsetTo(nsIFrame const*) ]
Crash Signature: [@nsIFrame::GetOffsetTo(nsIFrame const*) ] → [@nsIFrame::GetOffsetTo(nsIFrame const*) ] [@nsIFrame::GetOffsetTo ]
Crash volume for signature 'nsIFrame::GetOffsetTo':
 - nightly (50): 1
 - aurora (49): 3
 - beta (48): 137
 - release (47): 410
 - esr (45): 11

Affected platforms: Windows, Linux
only 78 crashes for 50.1.0 and none I sampled have the same stack as comment 1. I don't think current crashes match the report. And it's relatively low volume
Status: REOPENED → RESOLVED
Closed: 14 years ago → 8 years ago
Resolution: --- → INCOMPLETE