Closed Bug 805013 Opened 12 years ago Closed 12 years ago

crash in mozilla::image::Image::SizeOfData

Categories

(Core :: Graphics: ImageLib, defect)
Version: 19 Branch
Hardware: All
OS: Windows 7
Type: defect
Priority: Not set
Severity: critical

Tracking

Status: RESOLVED WORKSFORME
Target Milestone: mozilla19

Tracking Status:
firefox17 --- unaffected
firefox18 --- unaffected
firefox19 + unaffected
firefox20 --- unaffected
firefox-esr10 --- unaffected

People

(Reporter: scoobidiver, Assigned: jdm)

References

Details

(Keywords: crash, regression, sec-critical, Whiteboard: [leave open] fix-range-wanted)

Crash Data

Attachments

(1 file, 1 obsolete file)

It was wrongly classified as bug 801453 but it's apparently not because there are still crashes after the patch of bug 802485 landed. Thus, it was #7 top crasher in yesterday's build. So it first appeared in 19.0a1/20121014 with the following regression range: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=90857937b601&tochange=57304bbf9c0e

Signature: mozilla::image::Image::SizeOfData()
UUID: 2df44912-a546-40cb-ace4-1acc12121024
Date Processed: 2012-10-24 14:25:17
Uptime: 384
Last Crash: 6.6 minutes before submission
Install Age: 28.9 minutes since version was first installed.
Install Time: 2012-10-24 13:56:11
Product: Firefox
Version: 19.0a1
Build ID: 20121024030643
Release Channel: nightly
OS: Windows NT
OS Version: 6.1.7601 Service Pack 1
Build Architecture: x86
Build Architecture Info: GenuineIntel family 6 model 42 stepping 7
Crash Reason: EXCEPTION_ACCESS_VIOLATION_READ
Crash Address: 0x6c
App Notes: AdapterVendorID: 0x10de, AdapterDeviceID: 0x0e3a, AdapterSubsysID: 14a41028, AdapterDriverVersion: 8.17.12.9635 Has dual GPUs. GPU #2: AdapterVendorID2: 0x8086, AdapterDeviceID2: 0x0126, AdapterSubsysID2: 04a41028, AdapterDriverVersion2: 8.15.10.2418 D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+
EMCheckCompatibility: True
Adapter Vendor ID: 0x10de
Adapter Device ID: 0x0e3a
Total Virtual Memory: 4294836224
Available Virtual Memory: 3746594816
System Memory Use Percentage: 39
Available Page File: 13145284608
Available Physical Memory: 5153431552

Frame  Module        Signature                                          Source
0      xul.dll       mozilla::image::Image::SizeOfData                  image/src/Image.cpp:40
1      xul.dll       imgRequest::UpdateCacheEntrySize                   image/src/imgRequest.cpp:360
2      xul.dll       imgStatusTrackerObserver::OnDiscard                image/src/imgStatusTracker.cpp:201
3      xul.dll       mozilla::image::RasterImage::Discard               image/src/RasterImage.cpp:2424
4      xul.dll       mozilla::image::DiscardTracker::DiscardNow         image/src/DiscardTracker.cpp:268
5      xul.dll       nsTimerImpl::Fire                                  xpcom/threads/nsTimerImpl.cpp:472
6      winmm.dll     timeGetTime
7      xul.dll       nsTimerEvent::Run                                  xpcom/threads/nsTimerImpl.cpp:555
8      xul.dll       nsThread::ProcessNextEvent                         xpcom/threads/nsThread.cpp:620
9      xul.dll       mozilla::ipc::MessagePump::Run                     ipc/glue/MessagePump.cpp:82
10     xul.dll       MessageLoop::RunHandler                            ipc/chromium/src/base/message_loop.cc:208
11     xul.dll       MessageLoop::Run                                   ipc/chromium/src/base/message_loop.cc:182
12     xul.dll       nsBaseAppShell::Run                                widget/xpwidgets/nsBaseAppShell.cpp:163
13     xul.dll       nsAppShell::Run                                    widget/windows/nsAppShell.cpp:232
14     xul.dll       nsAppStartup::Run                                  toolkit/components/startup/nsAppStartup.cpp:290
15     xul.dll       XREMain::XRE_mainRun                               toolkit/xre/nsAppRunner.cpp:3799
16     xul.dll       XREMain::XRE_main                                  toolkit/xre/nsAppRunner.cpp:3866
17     xul.dll       XRE_main                                           toolkit/xre/nsAppRunner.cpp:3941
18     firefox.exe   wmain                                              toolkit/xre/nsWindowsWMain.cpp:105
19     firefox.exe   __tmainCRTStartup                                  crtexe.c:552
20     kernel32.dll  BaseThreadInitThunk
21     ntdll.dll     __RtlUserThreadStart
22     ntdll.dll     _RtlUserThreadStart

More reports at: https://crash-stats.mozilla.com/report/list?signature=mozilla%3A%3Aimage%3A%3AImage%3A%3ASizeOfData%28%29
Crash Signature: [@ mozilla::image::Image::SizeOfData()] [@ @0x0 | mozilla::image::Image::SizeOfData()] → [@ mozilla::image::Image::SizeOfData()] [@ @0x0 | mozilla::image::Image::SizeOfData()] [@ imgRequest::UpdateCacheEntrySize()]
One comment says "I was on flickr, I pressed backspace to go to the previous page."

URLs:
4 http://www.facebook.com/
2 https://www.edx.org/courses/MITx/3.091x/2012_Fall/book/0/
2 http://10.0.0.1/phone.html
2 https://www.google.com/search?q=Stiefvater,+Maggie+ballad+cover&oe=utf-8&aq=t&rl
2 about:newtab
2 http://nfs.mobile.bg/pcgi/photos.cgi
1 https://www.google.com/search?q=diablo+3+custom+banner+online&oe=utf-8&aq=t&rls=
1 http://www.flickr.com/photos/rmellway/6232367305/in/photostream/lightbox/
1 http://www.google.com.pa/search?hl=es&cp=16&gs_id=98&xhr=t&q=historia+del+calcul
1 http://omgpost.com/yesterday-you-said-tomorrow-just-do-it.html
1 http://www.google.com.ec/imgres?q=do%C3%B1a+b%C3%A1rbara+r%C3%B3mulo+gallegos&nu
1 http://i.imgur.com/315Mx.jpg
1 http://www.mangahere.com/manga/fujoshi_kanojo/v03/c010/34.html
1 https://groupees.com/uploads/bonus_products/240/cover/D7_cover2_text.jpg
1 http://comicsbook.ru/?p=2
1 http://www.notebooksbilliger.de/lenovo+thinkpad+edge+e530+nzq7cge/incrpc/topprod
1 http://www.oup.cz/slovniky/
1 http://www.shamchat.c.la/
1 http://freehqwallpapers.blogspot.in/2012/05/chota-bheem.html
1 http://www.google.com/imgres?hl=en&client=firefox-nightly&rls=org.mozilla:en-US:
1 http://lindaikeji.blogspot.ca/search?updated-max=2012-10-22T15:22:00%2B01:00&max
1 https://www.youtube.com/watch?v=ccpho8b5Vlw
1 http://www.skelbiu.lt/skelbimai/drabuziai-avalyne/moterims/sukneles/35?&category
1 http://tieba.baidu.com/f?kw=firefox
1 http://slipperyonion.com/content/hardcore-cum-mouth

Correlations from 2012-10-30:
mozilla::image::Image::SizeOfData()|EXCEPTION_ACCESS_VIOLATION_READ (53 crashes)
19% (10/53) vs. 3% (56/1624) {8620c15f-30dc-4dba-a131-7c5d20cf4a29} (Nightly Tester Tools, https://addons.mozilla.org/addon/6543)
19% (10/53) vs. 5% (83/1624) firebug@software.joehewitt.com (Firebug, https://addons.mozilla.org/addon/1843)
17% (9/53) vs. 5% (75/1624) elemhidehelper@adblockplus.org (Adblock Plus: Element Hiding Helper, https://addons.mozilla.org/addon/4364)
13% (7/53) vs. 4% (66/1624) {1018e4d6-728f-4b20-ad56-37578a4de76b} (Flagfox, https://addons.mozilla.org/addon/5791)
9% (5/53) vs. 0% (5/1624) 5055f6331c615@5055f6331c63f.com
9% (5/53) vs. 0% (5/1624) pagehacker@webalx.com
9% (5/53) vs. 0% (5/1624) info@cssUpdater.com
9% (5/53) vs. 0% (6/1624) firefile@strebitzer.at
11% (6/53) vs. 3% (43/1624) {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} (WOT, https://addons.mozilla.org/addon/3456)
11% (6/53) vs. 3% (46/1624) wrc@avast.com
100% (53/53) vs. 94% (1523/1624) {972ce4c6-7e08-4474-a285-3208198ce6fd} (Default, https://addons.mozilla.org/addon/8150)
13% (7/53) vs. 8% (126/1624) {e4a8a97b-f2ed-450b-b12d-ee082ba24781} (Greasemonkey, https://addons.mozilla.org/addon/748)
30% (16/53) vs. 25% (406/1624) {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} (Adblock Plus, https://addons.mozilla.org/addon/1865)
I saw at least two different crashes.

One is a READ access violation at http://hg.mozilla.org/mozilla-central/annotate/0947e291578a/image/src/Image.cpp#l31 --> it appears to be reading mError which probably means the image is a deleted object (that is, a use-after-free).

Another is an EXEC access violation at http://hg.mozilla.org/mozilla-central/annotate/f9acc2e4d4e3/image/src/Image.cpp#l40 --> appears to have called a virtual function pointing off into space, again most likely means the Image is being used after having been freed.

These are exploitable. In that regression range the most relevant/likely fix is jdm's bug 505385, an 18-part patch for "Refactor Imagelib notifications".
Group: core-security
Assignee: nobody → josh
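The failure mode described in the comment above (a timer-driven DiscardTracker walking a list that still holds a pointer to an image that has already been deleted, then reading a field or calling a virtual method through it) is the classic dangling-registration use-after-free. What follows is an added, deliberately simplified model of that pattern written for this page; it is not ImageLib code, and DiscardTracker, TrackedImage, sizeOfData, discardNow and the unregisterOnDestroy flag are hypothetical names standing in for the real classes. It shows why a destructor that forgets to unregister leaves the tracker pointing into freed memory, and what a "remove every image from the tracker on destruction" bandaid buys you. The leaky variant only counts the stale entries rather than dereferencing them, so the program stays well-defined; to watch the real UAF fire, call discardNow() after the deletes and run under AddressSanitizer.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <vector>

class TrackedImage;

// Hypothetical stand-in for a discard tracker: a timer-driven list of images
// whose decoded data may be dropped. The pointers are raw and non-owning,
// which is exactly the situation where a forgotten unregister becomes a UAF.
class DiscardTracker {
public:
    void add(TrackedImage* img) {
        if (!contains(img)) entries_.push_back(img);
    }
    void remove(TrackedImage* img) {
        entries_.erase(std::remove(entries_.begin(), entries_.end(), img), entries_.end());
    }
    bool contains(TrackedImage* img) const {
        return std::find(entries_.begin(), entries_.end(), img) != entries_.end();
    }
    std::size_t size() const { return entries_.size(); }
    // Timer callback: discard every tracked image. If an entry points at a
    // freed object, the virtual call inside is the use-after-free.
    std::size_t discardNow();
private:
    std::vector<TrackedImage*> entries_;
};

// Hypothetical stand-in for an image that registers itself with the tracker.
class TrackedImage {
public:
    TrackedImage(DiscardTracker& tracker, std::size_t bytes, bool unregisterOnDestroy)
        : tracker_(tracker), dataBytes_(bytes), unregisterOnDestroy_(unregisterOnDestroy) {
        tracker_.add(this);
    }
    virtual ~TrackedImage() {
        // The bandaid: an image must leave the tracker before its memory goes
        // away. Without this, the tracker keeps a pointer to freed storage.
        if (unregisterOnDestroy_) tracker_.remove(this);
    }
    // Virtual on purpose: on a freed object the vtable pointer is garbage, so
    // this is the "called a virtual function pointing off into space" crash.
    virtual std::size_t sizeOfData() const { return dataBytes_; }
    void discard() { dataBytes_ = 0; }
private:
    DiscardTracker& tracker_;
    std::size_t dataBytes_;
    bool unregisterOnDestroy_;
};

std::size_t DiscardTracker::discardNow() {
    std::size_t freed = 0;
    for (TrackedImage* img : entries_) {
        freed += img->sizeOfData();
        img->discard();
    }
    entries_.clear();
    return freed;
}

// Creates three images (constructed sample sizes), deletes them, and reports
// how many entries the tracker still holds. With unregisterOnDestroy == false
// every one of those entries is a dangling pointer; the next discardNow()
// would be the UAF. With it true the tracker is empty and the timer is safe.
std::size_t staleEntriesAfterDelete(bool unregisterOnDestroy) {
    DiscardTracker tracker;
    std::vector<TrackedImage*> images;
    for (int i = 0; i < 3; ++i)
        images.push_back(new TrackedImage(tracker, 4096 * (i + 1), unregisterOnDestroy));
    for (TrackedImage* img : images) delete img;
    return tracker.size();  // deliberately no discardNow() here
}

// The benign ordering: the timer fires while the images are still alive.
std::size_t bytesDiscardedWhileAlive() {
    DiscardTracker tracker;
    TrackedImage a(tracker, 1000, true), b(tracker, 2000, true);
    return tracker.discardNow();
}

int main() {
    std::printf("stale entries, no unregister: %zu\n", staleEntriesAfterDelete(false));
    std::printf("stale entries, with unregister: %zu\n", staleEntriesAfterDelete(true));
    std::printf("bytes discarded while alive: %zu\n", bytesDiscardedWhileAlive());
    return 0;
}
```

The point of the two-valued flag is the diagnostic question the bug asks: if crashes stop once the destructor always unregisters, the dangling entry was the whole story; if they continue, something else is freeing or reusing the image while it is still legitimately tracked, which is the "baffling" case later in the thread. A release-build assertion in the destructor that the image is no longer in the tracker is the cheap way to tell the two apart in crash reports.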
We're planning to land this bandaid and see whether crash stats are affected. The results should clarify the nature of the problem, which is a bit mysterious right now.
Whiteboard: [leave open]
Comment on attachment 678902: Diagnostic bandaid to ensure that all RasterImages are removed from the discard tracker.

more patch please
Attachment #678902 - Flags: review?(joe) → review-
Now with 100% more patch.
Attachment #679167 - Flags: review?(joe)
Attachment #678902 - Attachment is obsolete: true
Comment on attachment 679167: Diagnostic bandaid to ensure that all RasterImages are removed from the discard tracker.

Review of attachment 679167:

this has precisely enough patch
Attachment #679167 - Flags: review?(joe) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/a0df3314bee0 for a followup to stop intermittent browser-chrome oranges.
(In reply to Josh Matthews [:jdm] from comment #11)
> https://hg.mozilla.org/integration/mozilla-inbound/rev/a0df3314bee0 for a
> followup to stop intermittent browser-chrome oranges.

https://hg.mozilla.org/mozilla-central/rev/a0df3314bee0
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla19
The tag to leave this bug open is still present.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Ok, the diagnostic patch did not seem to have an effect. That's a shame.
Judging by a bunch of the crash stacks, the fix for bug 803125 might help here. However, ones like https://crash-stats.mozilla.com/report/index/2a782af8-de6e-4c86-ad28-fe5132121112 still have me completely baffled.
Looking at crash stats this signature is limited to 19.0a1 users 100%. Something else must have fixed it. Dunno if 30-ish crashes makes this a topcrash in 19; if so we should figure out the fix range and think about uplift. If it's not a topcrash maybe just forget about it.
Flags: needinfo?(scoobidiver)
Whiteboard: [leave open] → [leave open] fix-range-wanted
mozilla::image::Image::SizeOfData crashes stopped after 19.0a1/20121120. The working range is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=bc69705c162d&tochange=4f19e7fd8bea

imgRequest::UpdateCacheEntrySize crashes almost stopped (one crash in 19.0a1/20121124) after 19.0a1/20121118. The working range is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b959971b8219&tochange=4fddb9923ef0

Those ones are likely fixed by bug 803125.
Status: REOPENED → RESOLVED
Closed: 12 years ago
Flags: needinfo?(scoobidiver)
Keywords: topcrash
Resolution: --- → WORKSFORME
Group: core-security → core-security-release
Group: core-security-release