Created attachment 8519876 [details] windgb data win 7 trunk debug build found via bughunter on http://wallpaperswide.com/tom_clancys_splinter_cell_conviction-wallpapers.html Steps to reproduce: -> Load http://wallpaperswide.com/tom_clancys_splinter_cell_conviction-wallpapers.html in a Windows 7 Trunk Debug Build as example ---> Asssertion failure filing as sec bug just in case. Exploitable failed here: !exploitable 18.104.22.168 Exploitability Classification: UNKNOWN Recommended Bug Title: Possible Stack Corruption starting at xul!AssertReversePostorder+0x000000000000014e (Hash=0x5943b9bc.0x09a6d749) The stack trace contains one or more locations for which no symbol or module could be found. This may be a sign of stack corruption.
Jan, can you look at this? It would be good to get somebody to investigate before the page changes. Also, how bad of an assertion is this?
(In reply to Andrew McCreight [:mccr8] from comment #1) > Jan, can you look at this? It would be good to get somebody to investigate > before the page changes. Also, how bad of an assertion is this? I could reproduce it once with a m-c debug build from last week (Nov 10), but it no longer crashes with the same build, new profile etc. Tomcat had the same issue and suggested it may depend on a particular ad or something. I'll keep trying. CC'ing more people, it'd be great if somebody could repro this reliably...
According to the attachment, it asserts under AssertExtendedGraphCoherency after the MakeLoopsContiguous phase. The previous AssertExtendedGraphCoherency call after DCE apparently didn't assert. Forwarding so sunfish based on that...
I am also unable to repro.
Carsten, okay to close this one?
Looks like the fuzzers just found this too, bug 1118894 :)
I'm going to optimistically dupe this to the newer bug with a testcase. Although "worksforme" or "incomplete" might be equally valid destinations for this bug.