Seen while reviewing crash stats for trunk. Seems to only affect Windows 7 and is probably some sort of driver issue? Started showing up in crash stats using 2010111000 build. Many of the comments mention some kind of interaction with flash. Frame Module Signature [Expand] Source 0 nvwgf2umx.dll nvwgf2umx.dll@0x56f71a 1 nvwgf2umx.dll nvwgf2umx.dll@0x12cfa9 2 nvwgf2umx.dll nvwgf2umx.dll@0x113e10 3 nvwgf2umx.dll nvwgf2umx.dll@0x1493c8 4 nvwgf2umx.dll nvwgf2umx.dll@0x1864ab 5 nvwgf2umx.dll nvwgf2umx.dll@0x1493c8 6 nvwgf2umx.dll nvwgf2umx.dll@0x1641c4

Adding kev. Would be good to have a contact at Nvidia to talk to about this issue since I believe it is one of their drivers that may be involved with the crash.

Does not seem to be Nvidia related. Same issue with ATI card (same result on same site with Nvidia and ATI -> crash) http://crash-stats.mozilla.com/report/index/bp-a8236f4e-cc93-4b59-b40b-06cd82101111

It is a mega top crasher, there are about 500 crashes/buildday/signature. 4.0b8pre/20101110043309 : works 4.0b8pre/20101110140021 : fails As there is no changeset associated to 4.0b8pre/20101110140021, an accurate regression range can not be determined. Here is a larger regression range: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=df1d1ff6b489&tochange=0f17e5f1eb01

> As there is no changeset associated to 4.0b8pre/20101110140021 I was misleaded because now Minefield 64-bit can submit crash reports. Here is the regression range: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=5f427b7d7b60&tochange=85b93f3ea9d1

adding joe from gfx

roc's push is the one that changed graphics stuff the most, though I don't think any of it touched low level code, just setup. Do we have symbols for any of these crashes? The crash in comment #2 has absolutely zero symbols, which is strange.

non-hardware acceleration issue is bug 611970. In CairoImageD3D10::SetData, data.pSysMem is invalid pointer. 0:000> .frame 18 18 00000000`0038ddb0 000007fe`e376a5d5 0:000> x 00000000`0038de50 this = 0x00000000`17028640 00000000`0038de58 aData = 0x00000000`0038e110 00000000`0038ddf0 data = struct D3D10_SUBRESOURCE_DATA 00000000`0038de00 desc = struct CD3D10_TEXTURE2D_DESC 0:000> dt data Local var @ 0x38ddf0 Type D3D10_SUBRESOURCE_DATA +0x000 pSysMem : 0xffffffff`02add7ec +0x008 SysMemPitch : 0xfffff39c +0x00c SysMemSlicePitch : 0 stack is 00000000`0038ddb0 000007fe`e376a5d5 xul!mozilla::layers::CairoImageD3D10::SetData+0x244 00000000`0038de50 000007fe`e376ac86 xul!nsPluginInstanceOwner::SetCurrentImage+0x135 00000000`0038deb0 000007fe`e303ae2a xul!nsPluginInstanceOwner::InvalidateRect+0x62 00000000`0038df30 000007fe`e3036223 xul!nsNPAPIPluginInstance::InvalidateRect+0x9a 00000000`0038df80 000007fe`e3205232 xul!mozilla::plugins::parent::_invalidaterect+0xcf 00000000`0038dff0 000007fe`e3207213 xul!mozilla::plugins::PluginInstanceParent::RecvNPN_InvalidateRect+0x12 00000000`0038e020 000007fe`e3267742 xul!mozilla::plugins::PluginInstanceParent::RecvShow+0x28b 00000000`0038e0b0 000007fe`e324ba14 xul!mozilla::plugins::PPluginInstanceParent::OnMessageReceived+0x25e 00000000`0038e210 000007fe`e323f3ca xul!mozilla::plugins::PPluginModuleParent::OnMessageReceived+0x90 00000000`0038e300 000007fe`e323a852 xul!mozilla::ipc::SyncChannel::OnDispatchMessage+0x142 00000000`0038e3a0 000007fe`e324fa89 xul!mozilla::ipc::RPCChannel::Call+0x992 00000000`0038e790 000007fe`e32123ad xul!mozilla::plugins::PPluginModuleParent::CallPPluginInstanceConstructor+0x2c1 00000000`0038e8f0 000007fe`e303b79b xul!mozilla::plugins::PluginModuleParent::NPP_New+0x271 00000000`0038e9b0 000007fe`e305928c xul!nsNPAPIPluginInstance::InitializePlugin+0x37f 00000000`0038eab0 000007fe`e305d9ab xul!nsPluginHost::TrySetUpPluginInstance+0x5f4 00000000`0038ef50 000007fe`e3058166 xul!nsPluginHost::SetUpPluginInstance+0x37 00000000`0038efd0 000007fe`e305d969 xul!nsPluginHost::DoInstantiateEmbeddedPlugin+0x9d2 00000000`0038f280 000007fe`e376c1e7 xul!nsPluginHost::InstantiateEmbeddedPlugin+0x11 00000000`0038f2c0 000007fe`e3774203 xul!nsObjectFrame::InstantiatePlugin+0x1eb 00000000`0038f330 000007fe`e4637d46 xul!nsObjectFrame::Instantiate+0x283 00000000`0038f3e0 000007fe`e46387b4 xul!nsObjectLoadingContent::Instantiate+0x1ca 00000000`0038f490 000007fe`e4360974 xul!nsAsyncInstantiateEvent::Run+0x13c 00000000`0038f540 000007fe`e33f3bfc xul!nsThread::ProcessNextEvent+0x1cc 00000000`0038f5a0 000007fe`e322da8f xul!NS_ProcessNextEvent_P+0x58 00000000`0038f5e0 000007fe`e438d4a2 xul!mozilla::ipc::MessagePump::Run+0x11f 00000000`0038f650 000007fe`e438e503 xul!MessageLoop::RunHandler+0x3a 00000000`0038f680 000007fe`e423e88f xul!MessageLoop::Run+0x23 00000000`0038f6e0 000007fe`e415eb36 xul!nsBaseAppShell::Run+0x53 00000000`0038f720 000007fe`e2ebfc0e xul!nsAppStartup::Run+0x7e 00000000`0038f760 00000001`3fa71da5 xul!XRE_main+0x2652 00000000`0038fb40 00000001`3fa72030 firefox!NS_internal_main+0x2dd 00000000`0038fba0 00000001`3fa75db2 firefox!wmain+0x160 00000000`0038fc10 00000001`3fa75c0e firefox!__tmainCRTStartup+0x192 00000000`0038fc80 00000000`76cdbe3d firefox!wmainCRTStartup+0xe 00000000`0038fcb0 00000000`77026a51 kernel32!BaseThreadInitThunk+0xd 00000000`0038fce0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

maybe, this is a regression of bug 596451 (async plugin rendering)

This is compiler bug. 0:000> u xul!mozilla::gfx::SharedDIBSurface::InitSurface xul!mozilla::gfx::SharedDIBSurface::InitSurface: 000007fe`e33e7a38 488bc4 mov rax,rsp 000007fe`e33e7a3b 53 push rbx 000007fe`e33e7a3c 4883ec30 sub rsp,30h 000007fe`e33e7a40 488bd9 mov rbx,rcx 000007fe`e33e7a43 418d48ff lea ecx,[r8-1] 000007fe`e33e7a47 448bda mov r11d,edx 000007fe`e33e7a4a 4533d2 xor r10d,r10d 000007fe`e33e7a4d 41f7db neg r11d 000007fe`e33e7a50 895008 mov dword ptr [rax+8],edx 000007fe`e33e7a53 488b5360 mov rdx,qword ptr [rbx+60h] 000007fe`e33e7a57 41c1e302 shl r11d,2 000007fe`e33e7a5b 453aca cmp r9b,r10b 000007fe`e33e7a5e 410f94c2 sete r10b 000007fe`e33e7a62 4489400c mov dword ptr [rax+0Ch],r8d 000007fe`e33e7a66 4c8d4008 lea r8,[rax+8] 000007fe`e33e7a6a 410fafcb imul ecx,r11d <--- 32-bit calculation 000007fe`e33e7a6e 482bd1 sub rdx,rcx <--- 64-bit calculation without sign conversion!!!!! 000007fe`e33e7a71 488bcb mov rcx,rbx 000007fe`e33e7a74 458bcb mov r9d,r11d 000007fe`e33e7a77 448950e8 mov dword ptr [rax-18h],r10d I am working new fix for this.

Ahh, this isn't compiler bug. aHeight is PRUint32, we need to cast to signed.

also, does SysMemPitch supports negative value? SysMemPitch is UINT. 0:000> dt xul!D3D10_SUBRESOURCE_DATA +0x000 pSysMem : Ptr64 Void +0x008 SysMemPitch : Uint4B +0x00c SysMemSlicePitch : Uint4B

Use top-to-bottom DIB This is testing on try server. http://ftp.mozilla.org/pub/mozilla.org/firefox/tryserver-builds/m_kato@ga2.so-net.ne.jp-13d9bf11bdab

Will bug 611595 be fixed by this? Bas, this is likely the cause of most of the D3D crashes we've been seeing.

We need to get this fixed before beta 8 can ship; our crashiness is way up because of it.

this fix is also include bug 611970's fix.

(In reply to comment #14) > Will bug 611595 be fixed by this? Bas, this is likely the cause of most of the > D3D crashes we've been seeing. No. bug 611595 seems to be that mManager->device() is null... I don't know why device() is null.

Makoto: I see one instance of an ATI crash still occurring using the 20101119 build - http://crash-stats.mozilla.com/report/index/36b867c2-86f6-49df-a858-5ed722101119. Should I file a new bug for this occurrence?

> Makoto: I see one instance of an ATI crash still occurring using the 20101119 > build - > http://crash-stats.mozilla.com/report/index/36b867c2-86f6-49df- > a858-5ed722101119. > Should I file a new bug for this occurrence? This one happens in a 32-bit build. So it is not related to the fixing of this bug. You can file a new bug but there have been only two crashes for the last 3 days.