It is a crash signature in 4.0b7. It is #41 top crasher in 4.0b7 for the last week. According to some comments, it happens while copying/pasting. Signature nsTextFrame::GetTrimmedOffsets(nsTextFragment const*, int) UUID ccdfa729-be44-4f9c-807a-a577b2101113 Time 2010-11-13 22:51:51.482068 Uptime 431 Last Crash 105838 seconds (1.2 days) before submission Install Age 139289 seconds (1.6 days) since version was first installed. Product Firefox Version 4.0b7 Build ID 20101104142426 Branch 2.0 OS Windows NT OS Version 5.1.2600 Service Pack 2 CPU x86 CPU Info GenuineIntel family 6 model 15 stepping 6 Crash Reason EXCEPTION_ACCESS_VIOLATION_READ Crash Address 0x0 App Notes AdapterVendorID: 1002, AdapterDeviceID: 714a Frame Module Signature [Expand] Source 0 xul.dll nsTextFrame::GetTrimmedOffsets layout/generic/nsTextFrameThebes.cpp:2222 1 xul.dll nsTextFrame::GetRenderedText layout/generic/nsTextFrameThebes.cpp:6996 2 xul.dll nsTextAccessible::AppendTextTo accessible/src/base/nsTextAccessible.cpp:65 3 xul.dll nsAccEventQueue::CreateTextChangeEventFor accessible/src/base/nsEventShell.cpp:474 4 xul.dll nsAccEventQueue::Push accessible/src/base/nsEventShell.cpp:152 More reports at: http://crash-stats.mozilla.com/report/list?range_value=4&range_unit=weeks&signature=nsTextFrame%3A%3AGetTrimmedOffsets%28nsTextFragment%20const*%2C%20int%29&version=Firefox%3A4.0b7

I don't have any clue why it may crash. Boris, could you look at crash stack, perhaps you would have an idea?

> I don't have any clue why it may crash. Because you're failing one of the precondition assertions at the start of the function?

Bug 615475 has a testcase that crashes with the same signature.

(In reply to comment #2) > > I don't have any clue why it may crash. > > Because you're failing one of the precondition assertions at the start of the > function? Right it seems NS_FRAME_IN_REFLOW is set. Hopefully bug 498015 fixes this; awaiting bz review there ;)

This is #16 on the b8 topcrash list.

Bug 498015 landed, so this might be fixed.

(In reply to comment #6) > Bug 498015 landed, so this might be fixed. Must be fixed by bug 498015. Now we create accessible tree, fire events on content insertion (that's a stack trace of this bug) when layout is done.

reopen since we still may crash on content removed that's processed immediately, stack is too short to say uniquely.

btw, it can be closed once bug 615475 is fixed (crash on content removal).

Note the number of crashes really seem to drop off after the January 10th build, i.e. the last large number of crashes had build id: 20110110191547

Hmmm #14 beta crasher right now. A new comment today on a recent crash-stats entry says: "Saving a document with ctrl-s in google docs".

fixed by bug 630001 part1.