This bug was filed from the Socorro interface and is report bp-f405af85-c167-4170-a497-e35432110725.
=============================================================
This is crashing in http://hg.mozilla.org/mozilla-central/annotate/19348341366b/js/src/jsscript.cpp#l1317 which is a line added for bug 671113.
More similar crashes are at https://crash-stats.mozilla.com/report/list?signature=DestroyScript - Bill, is this your instrumentation showing what's actually going on? Related to bug 670702?
BTW, this bug is for the rise of such cases in 8.0a1 starting with the 20110722 build IDs - there is a residual crash in this function since Firefox 4, which probably is a different thing, I guess.
Yes, all the ones crashing with address 0x0 are intentional crashes. They're places where memory is getting corrupted somehow--usually when we try to free a script twice. I'm trying to get additional data in bug 673625 to track down the cause.