This bug was filed from the Socorro interface and is report bp-c64bccc4-4047-463f-b3c8-d37da2120920 . ============================================================= Seen while looking at 16 beta data. Fairly low volume Windows crash that appears primarily in Firefox 16 betas. https://crash-stats.mozilla.com/report/list?signature=DrawingContext::CreateLinearGradientBrush%28D2D1_LINEAR_GRADIENT_BRUSH_PROPERTIES%20const*,%20D2D1_BRUSH_PROPERTIES%20const*,%20ID2D1GradientStopCollection*,%20ID2D1LinearGradientBrush**%29 Frame Module Signature Source 0 d2d1.dll DrawingContext::CreateLinearGradientBrush 1 d2d1.dll D2DRenderTargetBase<ID2D1BitmapRenderTarget>::CreateLinearGradientBrush 2 gkmedias.dll _cairo_d2d_create_linear_gradient_brush gfx/cairo/cairo/src/cairo-d2d-surface.cpp:1703 3 gkmedias.dll _cairo_d2d_create_brush_for_pattern gfx/cairo/cairo/src/cairo-d2d-surface.cpp:1750 4 gkmedias.dll _cairo_d2d_fill gfx/cairo/cairo/src/cairo-d2d-surface.cpp:3637 5 gkmedias.dll _cairo_surface_fill gfx/cairo/cairo/src/cairo-surface.c:2351 6 d2d1.dll D2DRenderTargetBase<ID2D1DCRenderTarget>::GetPixelSize Some comments: Dragged a blank second window to a second screen and tried to use the link displayed there and the system crashed I was trying to open a photo on facebook from a group and then it crashed. Some URLs: 8 http://www.mcnz.org.nz/ 7 https://nvbugswb.nvidia.com/nvbugs/AdvancedSearch/lstAdvancedSearch.aspx?dvid=1 4 http://dark-music.org/ 3 https://nvbugswb.nvidia.com/nvbugs/AdvancedSearch/lstAdvancedSearch.aspx?dvid=2 3 https://nvbugswb.nvidia.com/nvbugs/Main/frmBugReport.aspx?dvid=1&BugID=1044172 3 https://nvbugswb.nvidia.com/nvbugs/Main/frmBugReport2_7.aspx?dvid=2&BugId=104679 2 https://nvbugswb.nvidia.com/nvbugs/Main/vwBugReport2_7.aspx?dvid=2&BugID=1049132 2 http://www.google.rs/

It started spiking in 17.0a1/20120726 and 16.0a2/20120821. The regression ranges might be: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=ef20925bc2a5&tochange=20db7c6d82cc http://hg.mozilla.org/releases/mozilla-aurora/pushloghtml?fromchange=95a9ef9dfc3d&tochange=d7b344615437 It's likely a regression from bug 768775.

Nothing obvious in the crash reports. STR would be really useful...

A manual check shows it's mostly correlated to Location Bar Enhancer (https://addons.mozilla.org/firefox/addon/ui-enhancer/).

It's #2 top browser crasher in the first hours of 16.0b4. Correlations confirm my manual check: 83% (59/71) vs. 0% (84/55717) UIEnhancer@girishsharma

Build Identifier: http://hg.mozilla.org/releases/mozilla-beta/rev/c3be659f6121 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0 ID:20120919065210 bp-5fb9d795-a5a0-4cdf-9d71-15d352120923 Steps to Reproduce: 1 . Start Firefox 16Beta4 with clean profile 2. Open http://mlb.mlb.com/mlb/scoreboard/index.jsp 3. Mouse over SCHEDULE at the top and wait to expand the menu 4. Move mouse pointer to the left (i.e.Mouse over STANDINGS ) Actual results: Browser crashes

Regression window(mozilla-beta tinderbox build) Good: http://hg.mozilla.org/releases/mozilla-beta/rev/cdd04249a313 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20120911 Firefox/16.0 ID:20120918100658 Crashes: http://hg.mozilla.org/releases/mozilla-beta/rev/fc24961171a3 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20120912 Firefox/16.0 ID:20120918105357 Pushlog: http://hg.mozilla.org/releases/mozilla-beta/pushloghtml?fromchange=cdd04249a313&tochange=fc24961171a3 Triggered by: c24961171a3 Benoit Girard — Backout 461c9816a3be (bug 779399) for bug 787947 graphics corruption regression. r=backout a=akeybl

Hey Benoit - can you look at this given the fact that your backout appears to be the regressing bug? It'd be good to understand why we didn't see this topcrash previously, when bug 779399 originally landed.

Unfortunately I can't reproduce the crash following those instructions, in a debug build I made. Alice, can you reproduce this in a debug build? If so, are you able to attach a Visual C++ debugger and get information out of the crashing process? If so, it would be great if you could get a complete crash stack from the debugger, and if possible the values of parameters and local variables in cairo. In _cairo_d2d_create_linear_gradient_brush, the value of 'num_stops' and the contents of the 'stops' array (obtained by Quick Evaluate "stops,6") and p1 and p2 would be extra valuable.

(In reply to Robert O'Callahan (:roc) (Mozilla Corporation) from comment #8) > Unfortunately I can't reproduce the crash following those instructions, in a > debug build I made. > > Alice, can you reproduce this in a debug build? If so, are you able to > attach a Visual C++ debugger and get information out of the crashing > process? If so, it would be great if you could get a complete crash stack > from the debugger, and if possible the values of parameters and local > variables in cairo. In _cairo_d2d_create_linear_gradient_brush, the value of > 'num_stops' and the contents of the 'stops' array (obtained by Quick > Evaluate "stops,6") and p1 and p2 would be extra valuable. I cannot reproduce in the following debug build yet, because the debug build is too slooooooow in some reason. http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012-09-24-mozilla-beta-debug/firefox-16.0.en-US.debug-win32.installer.exe FYI, It is slightly difficult to reproduce in 16Beta4 than 16Beta3 bp-955d9a41-d2d0-410f-bdf3-207f72120924 After step 4 in comment#5, move around mouse pointer over top menus[SCOREBOAD .....TEAMS]for a while

Great, I can reproduce in an opt build. Thanks a ton.

This affects all branches but is less important where Azure is enabled (i.e. everything except beta)

This patch is really safe. We just back off an optimization slightly.

Comment on attachment 664470 [details] [diff] [review] fix Review of attachment 664470 [details] [diff] [review]: ----------------------------------------------------------------- ::: gfx/cairo/cairo/src/cairo-d2d-surface.cpp @@ +1,4 @@ > /* -*- Mode: c; tab-width: 8; c-basic-offset: 4; indent-tabs-mode: t; -*- */ > /* Cairo - a vector graphics library with display and print output > * > + * Copyright � 2010 Mozilla Foundation Bugzilla seems to think something weird happened to the copyright character.. @@ +1632,5 @@ > num_stops *= (after_repeat + before_repeat); > + if (num_stops == 0) { > + fprintf(stderr, "num_stops == 0: max_dist=%f, min_dist=%f, after_repeat=%d, before_repeat=%d\n", > + max_dist, min_dist, after_repeat, before_repeat); > + } nit: Indent here is off, also, shouldn't this be unreachable now?

I'll take those hunks out.

https://hg.mozilla.org/releases/mozilla-beta/rev/7c0af9b7ed61 https://hg.mozilla.org/releases/mozilla-aurora/rev/1ae0273dc1d2 I'll check in on inbound tonight when it's quieter.

Oh my, Its not my add-ons fault, right ? Can I do something to prevent it?

(In reply to Girish Sharma [:Optimizer] from comment #16) > Oh my, Its not my add-ons fault, right ? > Can I do something to prevent it? It's not your fault. This bug should not end up in any shipping Firefox release; we caught it in time.

https://hg.mozilla.org/mozilla-central/rev/55ccbc8d52e6 https://hg.mozilla.org/mozilla-central/rev/71192a9431a7

https://crash-stats.mozilla.com/report/list?query_search=signature&query_type=contains&reason_type=contains&range_value=4&range_unit=weeks&hang_type=any&process_type=any&signature=DrawingContext%3A%3ACreateLinearGradientBrush%28D2D1_LINEAR_GRADIENT_BRUSH_PROPERTIES%20const%2A%2C%20D2D1_BRUSH_PROPERTIES%20const%2A%2C%20ID2D1GradientStopCollection%2A%2C%20ID2D1LinearGradientBrush%2A%2A%29 This crash only appears once in Socorro in the last 4 weeks, but there it has a different stack trace.

(In reply to Ioana Budnar [QA] from comment #20) > This crash only appears once in Socorro in the last 4 weeks, but there it > has a different stack trace. In builds post-fix.

mass remove verifyme requests greater than 4 months old