It's #3 top crasher on Mac OX X in 9.0b2, #13 in 10.0a2, and #14 in 11.0a1. It happens only with Mac OS X 10.7. Signature __-[ChildView maybeTrackScrollEventAsSwipe:scrollOverflow:]_block_invoke_1 UUID 947c6e73-0e48-42e3-9391-cfe3a2111121 Date Processed 2011-11-21 17:10:09.155660 Uptime 1453 Last Crash more than 3 months before submission Install Age 3.3 days since version was first installed. Install Time 2011-11-18 18:43:36 Product Firefox Version 9.0 Build ID 20111116091359 Release Channel beta OS Mac OS X OS Version 10.7.2 11C74 Build Architecture amd64 Build Architecture Info family 6 model 23 stepping 10 Crash Reason EXC_BAD_ACCESS / KERN_INVALID_ADDRESS Crash Address 0x0 App Notes Renderers: 0x22600,0x20400GL Context? GL Context+ GL Layers? GL Layers+ EMCheckCompatibility True Frame Module Signature [Expand] Source 0 XUL __-[ChildView maybeTrackScrollEventAsSwipe:scrollOverflow:]_block_invoke_1 widget/src/cocoa/nsChildView.mm:3116 1 AppKit AppKit@0x3f7ef5 2 libsystem_c.dylib libsystem_c.dylib@0xa115c 3 libobjc.A.dylib objc::DenseMap<objc_object*, unsigned long, true, objc::DenseMapInfo<objc_object*>, objc::DenseMapInfo<unsigned long> >::FindAndConstruct 4 libobjc.A.dylib _objc_rootRetain 5 CoreFoundation CoreFoundation@0x31008 6 CoreFoundation CoreFoundation@0x4b44e 7 libsystem_c.dylib libsystem_c.dylib@0x4d46f 8 libsystem_c.dylib libsystem_c.dylib@0x4d6aa 9 AppKit AppKit@0x98b75f 10 Foundation Foundation@0xa58a 11 Foundation Foundation@0xa2c6 12 CoreFoundation CoreFoundation@0x312e4 13 AppKit AppKit@0x6fe37 14 AppKit AppKit@0x6d6af 15 AppKit AppKit@0x6e0f6 16 AppKit AppKit@0x3f5156 17 libobjc.A.dylib objc::DenseMap<objc_object*, unsigned long, true, objc::DenseMapInfo<objc_object*>, objc::DenseMapInfo<unsigned long> >::FindAndConstruct 18 libobjc.A.dylib _objc_rootRetain 19 CoreFoundation CoreFoundation@0x31008 20 AppKit AppKit@0x6dd1b 21 AppKit AppKit@0x9064 More reports at: https://crash-stats.mozilla.com/report/list?signature=__-[ChildView%20maybeTrackScrollEventAsSwipe%3AscrollOverflow%3A]_block_invoke_1

We seem to be dereferencing a null pointer in mGeckoChild. I need to add a null check. I'll post a patch shortly. Thanks for noticing this. It needs to be fixed before it gets into a release.

On the branches that have this bug (9 and up), this is currently the #11 Mac topcrasher.

Here's a fix for these crashes. I've already encountered them (and fixed them) at bug 698761, where my work on Chrome-style swipe animation made them easier to reproduce. See bug 698761 comment #22 and bug 698761 comment #23.

Landed on mozilla-inbound: http://hg.mozilla.org/integration/mozilla-inbound/rev/2edff46b93f6

Comment on attachment 576224 [details] [diff] [review] Fix This is a trivial fix for what could become a topcrasher, if it gets into a release.

Comment on attachment 576224 [details] [diff] [review] Fix Get it landed soon please, thanks!

Comment on attachment 576224 [details] [diff] [review] Fix Landed on mozilla-aurora: http://hg.mozilla.org/releases/mozilla-aurora/rev/c9328943fc9e

Comment on attachment 576224 [details] [diff] [review] Fix Landed on mozilla-beta: http://hg.mozilla.org/releases/mozilla-beta/rev/c5ecaaed936d

This could have caused a perf regression. Please have a look at dev.tree-management: > Talos Regression :( Tp5 MozAfterPaint (Private Bytes) increase 2.73% on Linux Firefox-Non-PGO > Talos Regression :( Tp5 MozAfterPaint (Private Bytes) increase 2.61% on Linux x64 Firefox-Non-PGO

(In reply to comment #10) Nope, it couldn't have: This patch is Mac-only.

This looks good on trunk - I see no crashes after 20111122042008 build.

http://bit.ly/tCoxdN Verified based on crash reports. No crashes occurred since the fix landed on all channels (last crash build 2011112200)