It happens if I load this page: http://demos.hacks.mozilla.org/openweb/VIDEOWAVE/index.svg It was working 10 days ago (Retained Layers bug?)

WFM on 64-bit Linux: Mozilla/5.0 (X11; Linux x86_64; rv:2.0b2pre) Gecko/20100720 Minefield/4.0b2pre But confirmed crash (immediate on loading) in 32-bit Linux: Mozilla/5.0 (X11; Linux i686; rv:2.0b2pre) Gecko/20100720 Minefield/4.0b2pre Crash reports (at [@ nsTArray_base::EnsureNotUsingAutoArrayBuffer ] for me): bp-8cc0fbc1-9b02-4f44-a758-7e73e2100720 bp-2e6e4a8a-5970-4dc8-90b2-dd0892100720

Paul's crash is bp-a3ed88dc-e4cb-410f-99c6-d4b7a2100720 with signature [@ nsTArray_base::SwapArrayElements(nsTArray_base&, unsigned int) ] (which is just up one stack-level from mine).

I can reproduce the crash on both my 32-bit and 64-bit system with this much-reduced testcase, only using foreignObject and html:video. (no SMIL) bp-69cb1032-dbb2-4da8-bbae-078812100720 bp-0cd41e81-bcca-4612-9f47-e40832100720

Might be better as Core-Layout since it's crashing in the new layers code.

Works: Mozilla/5.0 (X11; Linux i686 (x86_64); en-US; rv:2.0b2pre) Gecko/20100715 Minefield/4.0b2pre 20100715030436 5fda39cd703c Broken: Mozilla/5.0 (X11; Linux i686 (x86_64); en-US; rv:2.0b2pre) Gecko/20100716 Minefield/4.0b2pre 20100716025911 96de199027d7 Pushlog for regression range: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=5fda39cd703c&tochange=96de199027d7 That range contains the retained layers landing, so this indeed looks like a regression from that. Marking as blocking that bug.

http://crash-stats.mozilla.com/report/index/69cb1032-dbb2-4da8-bbae-078812100720 0 libxul.so nsTArray_base::EnsureNotUsingAutoArrayBuffer xpcom/glue/nsTArray.h:168 1 libxul.so nsTArray_base::SwapArrayElements nsTArray.cpp:206 2 libxul.so mozilla::FrameLayerBuilder::DrawThebesLayer nsTArray.h:780 3 libxul.so mozilla::layers::BasicThebesLayer::Paint gfx/layers/basic/BasicLayers.cpp:312 4 libxul.so mozilla::layers::BasicLayerManager::PaintLayer gfx/layers/basic/BasicLayers.cpp:936 5 libxul.so mozilla::layers::BasicLayerManager::PaintLayer gfx/layers/basic/BasicLayers.cpp:944 6 libxul.so mozilla::layers::BasicLayerManager::EndTransaction gfx/layers/basic/BasicLayers.cpp:849 7 libxul.so nsDisplayList::PaintForFrame layout/base/nsDisplayList.cpp:405 8 libxul.so nsDisplayList::PaintRoot layout/base/nsDisplayList.cpp:345 9 libxul.so nsLayoutUtils::PaintFrame layout/base/nsLayoutUtils.cpp:1343 10 libxul.so nsSVGForeignObjectFrame::PaintSVG layout/svg/base/src/nsSVGForeignObjectFrame.cpp:263 11 libxul.so nsSVGUtils::PaintFrameWithEffects layout/svg/base/src/nsSVGUtils.cpp:1060 12 libxul.so nsSVGDisplayContainerFrame::PaintSVG layout/svg/base/src/nsSVGContainerFrame.cpp:172 13 libxul.so nsSVGUtils::PaintFrameWithEffects layout/svg/base/src/nsSVGUtils.cpp:1060 14 libxul.so nsSVGOuterSVGFrame::Paint layout/svg/base/src/nsSVGOuterSVGFrame.cpp:570 15 libxul.so nsDisplaySVG::Paint layout/svg/base/src/nsSVGOuterSVGFrame.cpp:465 16 libxul.so mozilla::FrameLayerBuilder::DrawThebesLayer layout/base/FrameLayerBuilder.cpp:1397 17 libxul.so mozilla::layers::BasicThebesLayer::Paint gfx/layers/basic/BasicLayers.cpp:352 18 libxul.so mozilla::layers::BasicLayerManager::PaintLayer gfx/layers/basic/BasicLayers.cpp:936 19 libxul.so mozilla::layers::BasicLayerManager::PaintLayer gfx/layers/basic/BasicLayers.cpp:944 20 libxul.so mozilla::layers::BasicLayerManager::EndTransaction gfx/layers/basic/BasicLayers.cpp:849 21 libxul.so nsDisplayList::PaintForFrame layout/base/nsDisplayList.cpp:405 22 libxul.so nsDisplayList::PaintRoot layout/base/nsDisplayList.cpp:345 23 libxul.so nsLayoutUtils::PaintFrame layout/base/nsLayoutUtils.cpp:1343 24 libxul.so PresShell::Paint layout/base/nsPresShell.cpp:5904 25 libxul.so nsViewManager::RenderViews view/src/nsViewManager.cpp:448 26 libxul.so nsViewManager::Refresh view/src/nsViewManager.cpp:414 27 libxul.so nsViewManager::DispatchEvent view/src/nsViewManager.cpp:843 28 libxul.so HandleEvent view/src/nsView.cpp:160 29 libxul.so nsWindow::DispatchEvent widget/src/gtk2/nsWindow.cpp:571 30 libxul.so nsWindow::OnExposeEvent widget/src/gtk2/nsWindow.cpp:2422 31 libxul.so expose_event_cb widget/src/gtk2/nsWindow.cpp:5634 Probably related to the other @ mozilla::FrameLayerBuilder::DrawThebesLayer crashes.

Actually I think this is its own bug.

Bug 580494 crashes in a similar manner.

The testcase from bug 467423, https://bugzilla.mozilla.org/attachment.cgi?id=350844 , is also crashing with this stacktrace.

This demo is also crashing with this signature:http://people.mozilla.com/~prouget/demos/round/index.xhtml

Not fixed by bug 572520.

The testcases in this bug are fixed by the patch I just attached in bug 580494.

Fixed by 580494