Bug 723445 - Crash in js::StackIter::settleOnNewState @ CrashIfInvalidSlot
Status: RESOLVED FIXED
Keywords: crash
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: All All
Importance: -- critical with 1 vote
Target Milestone: mozilla14
Assigned To: Luke Wagner [:luke]
Mentors:
Depends on: 738279
Blocks:
Reported: 2012-02-02 02:46 PST by Scoobidiver (away)
Modified: 2012-04-14 12:45 PDT
CC: 14 users
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
fix stack iter (1.15 KB, patch)
2012-04-05 17:56 PDT, Luke Wagner [:luke]
bhackett1024: review+

Description Scoobidiver (away) 2012-02-02 02:46:13 PST
It's the #34 top crasher in the first days of 10.0.

Signature 	CrashIfInvalidSlot
UUID	d3d85865-dd7a-4a22-a337-efbb72120202
Date Processed	2012-02-02 00:34:41
Uptime	1663
Last Crash	1.7 hours before submission
Install Age	27.7 minutes since version was first installed.
Install Time	2012-02-01 23:49:25
Product	Firefox
Version	13.0a1
Build ID	20120201031146
Release Channel	nightly
OS	Mac OS X
OS Version	10.7.2 11C74
Build Architecture	amd64
Build Architecture Info	family 6 model 23 stepping 10
Crash Reason	EXC_BAD_ACCESS / KERN_INVALID_ADDRESS
Crash Address	0xbad
App Notes 	AdapterVendorID: 0x10de, AdapterDeviceID: 0x 8a3
GL Context? GL Context+
GL Layers? GL Layers+
EMCheckCompatibility	True

Frame 	Module 	Signature 	Source
0 	XUL 	CrashIfInvalidSlot 	js/src/vm/Stack.cpp:934
1 	XUL 	js::StackIter::settleOnNewState 	js/src/vm/Stack.cpp:1022
2 	XUL 	js::StackIter::operator++ 	js/src/vm/Stack.cpp:1084
3 	XUL 	InitExnPrivate 	js/src/vm/Stack.h:1851
4 	XUL 	js_ErrorToException 	js/src/jsexn.cpp:1171
5 	XUL 	ReportError 	js/src/jscntxt.cpp:363
6 	XUL 	js_ReportErrorNumberVA 	js/src/jscntxt.cpp:719
7 	XUL 	JS_ReportErrorFlagsAndNumber 	js/src/jsapi.cpp:6227
8 	XUL 	js_ReportIsNullOrUndefined 	js/src/jscntxt.cpp:805
9 	XUL 	js::mjit::stubs::GetProp 	js/src/jsobjinlines.h:658
10 		@0x110e7a89c 	
11 	XUL 	js::mjit::EnterMethodJIT 	js/src/methodjit/MethodJIT.cpp:1052
12 	XUL 	js::mjit::JaegerShot 	js/src/methodjit/MethodJIT.cpp:1111
13 	XUL 	js::RunScript 	js/src/jsinterp.cpp:471
14 	XUL 	js::InvokeKernel 	js/src/jsinterp.cpp:537
15 	XUL 	js_fun_apply 	js/src/jsinterp.h:157
16 	XUL 	js::mjit::stubs::UncachedCallHelper 	js/src/jscntxtinlines.h:311
17 	XUL 	js::mjit::stubs::UncachedCall 	js/src/methodjit/InvokeHelpers.cpp:429
....

There's a strong correlation with Firebug:
  CrashIfInvalidSlot|EXCEPTION_ACCESS_VIOLATION_WRITE (39 crashes)
     87% (34/39) vs.   3% (368/13378) firebug@software.joehewitt.com (Firebug, https://addons.mozilla.org/addon/1843)

Here are some useful comments:
"Problem arrived when in firebug looking at added prototype function: String.prototype.namespace = function (separator) { this.split(separator || '.').inject(window, function (parent, child) { return parent[child] = parent[child] || { }; }); };"
"simple jquery post call to server: $.post('http://192.168.23.2/timekeeper/save.php', timesJSON, function(resp) { $('#status').html(resp); }); "
"Debugging the following code with firebug: if ($(id).val().toLower() === 'true') { return $.validator.methods.required.call(this, value, element); }"
"I was debugging JavaScript with Firebug 1.8.4. Using jQuery. Single stepping over this line crashed the browser: $("#" + this._leftValueFieldID).on("click", function (event) { alert("test"); });"

More reports at:
https://crash-stats.mozilla.com/report/list?signature=CrashIfInvalidSlot
Comment 1 Luke Wagner [:luke] 2012-02-02 14:19:20 PST
The comments mention stepping through code.  There are a lot of Google+ URLs in the crashes.  CC'ing Honza to see if he has heard anything.  STR here would probably let us knock out the problem quickly.
Comment 2 Marcia Knous [:marcia - use ni] 2012-02-02 14:35:25 PST
I can run a URL report and ferret out some of the URLs - it might help us get closer to a site where we can repro.
Comment 3 Luke Wagner [:luke] 2012-02-02 14:47:32 PST
I opened maybe 30 today, but many are session-specific so I can't view them.  A list of popular non-private URLs would be great.
Comment 4 Marek 2012-02-03 01:02:23 PST
I also have this crash when firebug is enabled.

https://crash-stats.mozilla.com/report/index/bp-08e980e6-d010-424d-ae7c-8c8b62120202

PluralForm.jsm: Index #2 of 'Firebug's log limit has been reached. 0 entry not shown.;Firebug's log limit has been reached. 0 entries not shown.' for value 0 is invalid -- plural rule #9; called by 
*** nss-shared-helper: Shared database disabled (set NSS_USE_SHARED_DB to enable).
PluralForm.jsm: Index #2 of '0 Total Firebug;0 Total Firebugs' for value 0 is invalid -- plural rule #9; called by 
PluralForm.jsm: Index #2 of '0 Total Firebug;0 Total Firebugs' for value 0 is invalid -- plural rule #9; called by 
PluralForm.jsm: Index #2 of '0 Total Firebug;0 Total Firebugs' for value 0 is invalid -- plural rule #9; called by 
PluralForm.jsm: Index #2 of '0 Total Firebug;0 Total Firebugs' for value 0 is invalid -- plural rule #9; called by 
PluralForm.jsm: Index #2 of '0 Total Firebug;0 Total Firebugs' for value 0 is invalid -- plural rule #9; called by 
PluralForm.jsm: Index #2 of '0 Total Firebug;0 Total Firebugs' for value 0 is invalid -- plural rule #9; called by 
PluralForm.jsm: Index #2 of '0 Total Firebug;0 Total Firebugs' for value 0 is invalid -- plural rule #9; called by 
PluralForm.jsm: Index #2 of '0 Total Firebug;0 Total Firebugs' for value 0 is invalid -- plural rule #9; called by 
Assertion failure: rt->onOwnerThread(), at /home/abuild/rpmbuild/BUILD/mozilla/js/src/jsapi.cpp:6316

After installing, FF10 worked for a few hours, then I deleted a message from Thunderbird(?) and both crashed. Firefox was opened with one blank tab. I couldn't start FF anymore with Firebug enabled. So to test the behaviour, I created a new profile and got the same. A couple of hours, blank tab, no other tabs opened, FF crashed, can't start.
Comment 5 Jan Honza Odvarko [:Honza] PTO 07/23 - 08/08 2012-02-03 02:01:36 PST
(In reply to Marek from comment #4)
> I also have this crash when firebug is enabled.
Related Firebug issue report
http://code.google.com/p/fbug/issues/detail?id=5202

Honza
Comment 6 Jan Honza Odvarko [:Honza] PTO 07/23 - 08/08 2012-02-05 23:44:17 PST
Some new reports that could be related to this crash available here:
http://code.google.com/p/fbug/issues/detail?id=5202#c9

Honza
Comment 7 Jan Honza Odvarko [:Honza] PTO 07/23 - 08/08 2012-02-08 03:47:51 PST
Possible related thread:
https://groups.google.com/d/topic/firebug/CbPVBH31FM4/discussion

Any progress on this issue? I am getting a lot of complaints.


Honza
Comment 8 Luke Wagner [:luke] 2012-02-08 07:53:06 PST
Since this code is a funnel for misbehavior in many parts of the code, it is difficult to find the problem without STR.
Comment 9 Jan Honza Odvarko [:Honza] PTO 07/23 - 08/08 2012-02-09 06:22:53 PST
Could this be related: Bug 725619 ?
(there are also some STR)

Honza
Comment 10 Shrenik 2012-02-13 08:34:44 PST
I don't think this is only related to firebug. Clicking on Firebug's DOM tab is a sure crasher. 

Even with Firebug disabled, e.g. with other addons such as Awesome Screenshot from Diigo: take a screenshot -> click Done -> close tab and the browser crashes.

Simply close the browser and it crashes.
http://crash-stats.mozilla.com/report/index/bp-6ff8f906-cb26-4864-82ed-31db72120213
http://crash-stats.mozilla.com/report/index/bp-5a9ac084-5c83-42e9-9295-923132120213
Comment 11 Luke Wagner [:luke] 2012-02-13 10:41:54 PST
The two linked crashes don't seem to be in settleOnNewState.  A new bug seems appropriate.
Comment 12 Swarnava Sengupta (:Swarnava) 2012-02-16 09:29:55 PST
Firefox 10 crash report: bp-240f874f-f77c-4bee-bfdb-563a22120215
Comment 13 Christian Holler (:decoder) 2012-03-02 10:56:09 PST
See also bug 732496 which might be related and has a shell test.
Comment 14 Luke Wagner [:luke] 2012-03-02 12:21:39 PST
(In reply to Christian Holler (:decoder) from comment #13)
Unfortunately the call stacks in the crash reports don't look like it.
Comment 15 Robert Kaiser 2012-03-08 07:45:57 PST
$ gunzip --stdout /data/security_group/crash_urls/20120307-crashdata.csv.gz | awk -W compat -F\t '$1 ~ /CrashIfInvalidSlot/ {print $2}' | sort | uniq -c | sort -nr
     33 \N
     24 https://plus.google.com/_/apps-static/_/js/nw/nw_i/rt=h/...
      6 http://www.facebook.com/
      6 https://plus.google.com/_/apps-static/_/js/nw/nw_i/rt=h/...
      6 
      5 https://www.google.com/settings/
      5 https://plus.google.com/_/apps-static/_/js/nw/nw_i/rt=h/...
      5 https://plus.google.com/_/apps-static/_/js/nw/nw_i/rt=h/...
      5 https://plus.google.com/_/apps-static/_/js/nw/nw_i/rt=h/...
      4 https://moncompte.bluepaid.com/admin/reversements-rev-calculs.htm
      4 https://mail.google.com/mail/?shva=1
      3 https://mail.google.com/mail/?shva=1#inbox
      3 https://mail.google.com/mail/
      3 https://dev-bpm75.bi-telecom.local:9443/mum/enabler#pid...
      3 http://localhost:63068/dev/epharma/move/Home
      3 file:///C:/USBMS_Sandbox_MD_Defelsko101/Template/DetailTemplate.htm
      2 https://www.facebook.com/login.php?login_attempt=1
      2 https://plus.google.com/u/0/
      2 https://plus.google.com/_/apps-static/_/js/nw/nw_i/rt=h/...
      2 https://mail.google.com/mail/?rld=1&shva=1#inbox
      2 https://centralapp.nursing.uic.edu/CORE/CORE.htm
      2 http://localhost:8080/ACSCWeb11/templates/layout.faces
      2 http://lh.afisha.ru/article/walter-isaacson-on-steve-jobs/
      2 http://intranet.aruba.it/technorail/serverdedicati/InvioEmailOptin.aspx?...
      2 http://apps.facebook.com/170494249733664/
      1 wyciwyg://32/http://localhost:8080/sisp/documento.do?acao=edit&tipo=new
      1 http://zaycev.net/pages/466/46667.shtml?miniplayer=true
      1 http://www.zapjuegos.com/juego/goodgame-mafia.html
      1 http://www.youtube.com/watch?v=chQjBZKWOOo
      1 http://www.techimo.com/forum/graphic-design-digital-photography/12160-can-i-show-directory-list-using-html.html
      1 http://www.tag-local.com/messages_delta.html
      1 http://www.sitetrail.com/what/
      1 http://www.richptc.com/gpt.php?v=verify&buttonClicked=2&id=44030&type=ptc&...
      1 http://www.leedsjewishcommunity.com/communal-diary.html
      1 http://www.hotbollywoodactress.net/cat-tanushree-dutta-78.htm
      1 http://www.google.com/
      1 http://www.fangchan.com/Admin/AddClientIntermediary.aspx
      1 http://www.facebook.com/radiomagicfm?sk=app_4949752878
      1 http://www.facebook.com/profile.php?sk=timeline
      1 http://www.facebook.com/ajax/pagelet/generic.php/ProfileTimelineSectionPagelet?...
      1 http://www.chinatme.com/jiaoge.asp?p_id=223
      1 http://www.baimusic.ru/order/?mktime=1331125840
      1 http://www1.skysports.com/football/news/11863/7577378/Abbiati-I-got-lucky
      1 http://www1.prefpoa.com.br/proweb3/testador.php
      1 http://www.160by2.com/SendSMSAction
      1 http://wdfd00288086a.wdf.sap.corp:50078/sap/bc/gui/sap/its/webgui/!?=&sap-client=000&sap-language=DE
      1 http://wave.webaim.org/toolbar
      1 http://vkontakte.ru/
      1 http://vk.com/feed
      1 http://v5.vvv.it.uu.se/internt/web/sandbox?action=save&lang=sv
      1 http://tw.stock.yahoo.com/
      1 http://twitter.com/#!/stockswager
      1 http://translate.google.co.id/#id|el|...
      1 https://www.google.com/settings/privacy?tab=4
      1 https://www.facebook.com/shirley.gaulton
      1 https://www.facebook.com/ai.php?aed=...
      1 https://vs-wb22/okayama-egis/print/print.asp
      1 http://stress-art-app1:7209/jenkins/
      1 http://starasov.viacode.com/EnterpriseWebUI/Common/Pages/LoginPage.aspx?CheckPopUp=no
      1 https://snafu.cr.usgs.gov/redmine/my/page_layout
      1 https://release-dev.akamai.com/release_cr_json.html?releaseid=18904&v=2&m=a
      1 https://rapnettest.ricoh.com.au/wps/myportal/dealers/bus/picform
      1 https://quenby-win7/EdFiDashboardDevFreeze/LubbockISD/Schools/Evans-Middle-School/Staff/Lataria-Aguiar-3879
      1 https://plusone.google.com/u/0/_/+1/hover?...
      1 https://plusone.google.com/_/+1/hover?...
      1 https://plusone.google.com/_/+1/hover?...
      1 https://plus.google.com/u/0/stream
      1 https://plus.google.com/u/0/photos/...
      1 https://plus.google.com/_/apps-static/_/js/nw/nw_i/rt=h/...
      1 https://plus.google.com/_/apps-static/_/js/nw/nw_i/rt=h/...
      1 https://plus.google.com/_/apps-static/_/js/nw/nw_i/rt=h/...
      1 https://plus.google.com/_/apps-static/_/js/nw/nw_i/rt=h/...
      1 https://plus.google.com/_/apps-static/_/js/nw/nw_i/rt=h/...
      1 https://plus.google.com/_/apps-static/_/js/nw/nw_i/rt=h/...
      1 https://plus.google.com/_/apps-static/_/js/nw/nw_i/rt=h/...
      1 https://plus.google.com/114323796124194866952/posts
      1 https://mail.google.com/mail/u/0/?shva=1#inbox
      1 https://mail.google.com/mail/?shva=1#inbox/p2
      1 http://site.com/admin/addproduct.aspx
      1 https://apps.facebook.com/wordswithfriends/?...
      1 https://apps.facebook.com/onthefarm/?...
      1 https://apps.facebook.com/crimecitygame/streams/click/?...
      1 http://rbm0-migration-pp.ra1.intra.groupama.fr/gtautostart.aspx
      1 http://project.captivatecnologia.info/milestones/show?id=8
      1 http://petroholru/hoteldesc266.html
      1 http://new.fabuwood.com/videoGallery.aspx?
      1 http://mydocs.local/pinboard2/boards/my/42
      1 http://mpham3400/that/
      1 http://mips.elcom.com.au/MemberRenewals/MIPSMemberUpdateDetails.aspx?Mode=1&Record=...
      1 http://melpyou.mentine.net/eventi/
      1 http://maps.google.com/maps/place?q=...
      1 http://maps.google.com/
      1 http://localhost/Web/Approval/AppType/APP000190.aspx
      1 http://localhost.t-mobile.com/Plan/Prepaid/PrePaid.aspx?unavid=plans
      1 http://localhost/sp/htdocs/index.php?page_id=0&_layoutmode=on
      1 http://localhost/Secure/party/companysearch.aspx
      1 http://localhost/RtWebPartResources/TagSearch.aspx?...
      1 http://localhost/projects/arena/root/Dev/crossTermWeb/content/order.htm
      1 http://localhost/perf/dv
      1 http://localhost/Machine_mail/admin/leads/
      1 http://localhost/index.php?action=classregister
      1 http://localhost/dashboardchanges/AllOperations/Home/Home?&rt=...
      1 http://localhost/cwp/index.php/useraccount/company_select
      1 http://localhost/ContractRoom/Objetos/Croomer/Formularios/crfItem.aspx?...
      1 http://localhost:9090/BCS/accountCard_add.html
      1 http://localhost:8407/App/...
      1 http://localhost:8084/
      1 http://localhost:8081/docente/mostra
      1 http://localhost:8080/WVO_LiveSite/WVR/Components/Forms/ContactUs.page
      1 http://localhost:8080/webportal/mall/number
      1 http://localhost:8080/SearchMockup/SearchField.html
      1 http://localhost:8080/news/index2.jsp
      1 http://localhost:8080/massquote/view
      1 http://localhost:8080/html/mainDebug.html?...
      1 http://localhost:8080/hb-aiche/tadmin/
      1 http://localhost:8080/elevatormgr/WebClient/view3.0/index.html#
      1 http://localhost:8080/auth/password.do
      1 http://localhost:8080/apps/services/preview/ConfiguratorOSS/mobilewebapp/1.0/default/index.html
      1 http://localhost:7788/Loan/EditListReadyToCertify?from=Dashboard
      1 http://localhost:65501/DailySheet
      1 http://localhost:64082/FIDA/National/Internal/NFIDACommunication.aspx
      1 http://localhost:61386/Private
      1 http://localhost:55555/_events/cbAnalytics.aspx
      1 http://localhost:51984/Field/InspectionsAndObservations/ProjectActivity?activityId=160
      1 http://localhost:50324/Competition
      1 http://localhost:4952/test/file
      1 http://localhost:49474/DisplayAssetsFlex.aspx?mode=performing
      1 http://localhost:4866/AssignJob/Index/3
      1 http://localhost:44454/d2l/eP/artifacts/wizard/form_response.d2l?formId=2&step=3&orgUnitId=&ou=6606
      1 http://localhost:4067/Informes/Index
      1 http://localhost:3122/NQFDashBoard.aspx
      1 http://localhost:30091/
      1 http://localhost:3000/nectar/eshops/price-checker-results.eshops.htm#!&query=dress
      1 http://localhost:2999/user/enterprise/newenterpriseinfo.aspx
      1 http://localhost:28295/CadastroMotivoCancelamento/Acordo#
      1 http://localhost:26087/sigre/Residuos.aspx
      1 http://localhost:2383/Domain/ManageDomainLibraries
      1 http://localhost:22770/shared/index.aspx
      1 http://localhost:1997/
      1 http://localhost:13103/
      1 http://localhost:1145/PARTC/ElectronicSignature.aspx?setMasterPage=Root
      1 http://local.cafe.naver.com/oskm.cafe?iframe_url=/ArticleRead.nhn%3Farticleid=951
      1 http://f5mail.rediff.com/ajaxprism/container?...
      1 http://en.wikipedia.org/wiki/Wink_Martindale
      1 http://e-mex.net/
      1 http://ctvapppartnera.my.phpcloud.com/ctvapp/
      1 http://clck.yandex.ru/redir/...
      1 http://clck.yandex.ru/redir/...
      1 http://belkin.dev.paymo.biz/projects/index/page/1
      1 http://automatyka-pl.p4/firm-profilepl/trainingpl/indexpl#...
      1 http://apps.facebook.com/l.php?...
      1 http://ad1a.tankionline.com/battle-ru23.html
      1 http://192.168.126.128:8888/inet/pub/ticket#2
      1 http://192.168.1.114/regsiter.aspx
      1 http://172.16.0.190/zam/FileManager.aspx
      1 http://127.0.0.1/cgi/lct.cgi
      1 http://127.0.0.1:81/Contacts/Promote/64
      1 http://127.0.0.1:8080/CherishPortal/orgtype.html
      1 http://10.33.0.23:8080/spoc/template/registration%2CSearchClients.vm/action/registration%2CSearchClientsAction/np/registration%2CSearchClientResults.vm/i/1?formSField=12&formComp=1&formSData=123&cont=Search+Clients
      1 http://10.33.0.23:8080/spoc/template/registration%2CSearchClients.vm
      1 http://10.220.12.110/tapelib/buildup-hd.php
      1 http://10.105.33.25:8082/profile/MyAccount/MyInformation/myInformation.jsp
      1 file:///Users/my118c/Desktop/WebGL/WebGLTest.html
      1 file:///F:/bam/practice/autocomplete/completing.html
      1 file:///E:/CYBERXEED/Cyx/Web/Page/Xkw2110g.html
      1 file:///D:/freelance/test/test.html
      1 file:///D:/carifer/daaus/website/daaus-demo/innerpage.html
      1 file:///D:/11.html
      1 file:///C:/Users/marcelo/Desktop/scriptaculous/dragdrop.htm
      1 file:///C:/temp/jsTableau/tablo.html
      1 file:///C:/E-CSU/WebContent/Treeview_control.html
      1 file:///C:/Documents%20and%20Settings/Yuri/Desktop/Archiviazione%20-%20dhtmlxGrid/index.html
      1 file:///C:/Documents%20and%20Settings/gxsn/%E6%A1%8C%E9%9D%A2/Noname1.html
      1 file:///C:/Documents%20and%20Settings/Administrator/%E6%A1%8C%E9%9D%A2/a.html
      1 about:blank

Pretty clear that most of those things are internal stuff and not too useful for trying to reproduce or so. I replaced parts of the URL with "..." where it felt like there would potentially be session IDs or other possibly privacy-related things.
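The tally above was produced with a one-line awk pipeline and then redacted by hand. Below is an added example (not part of this bug report and not Socorro code) that does the same aggregation in Python and makes the redaction step explicit: rows whose signature column matches are counted per URL, and any URL whose query parameters look like session state is cut back to `?...` the way Robert Kaiser did manually. The two-column layout (signature, url), the `SAMPLE_CSV` rows and the `PRIVATE_KEYS` heuristic are assumptions made for this example.

```python
"""Tally crash-report URLs for one signature, redacting likely session data.

Added example, not part of the bug report or of Socorro. It reproduces the
gunzip | awk | sort | uniq -c | sort -nr pipeline from comment 15 in Python and
adds the redaction step Robert Kaiser did by hand. The two-column layout
(signature, url), the SAMPLE_CSV rows and the PRIVATE_KEYS list are assumptions
made for this example.
"""
from collections import Counter
from urllib.parse import urlsplit, urlunsplit

# Constructed sample rows. "\N" is the CSV null marker for reports that
# carried no URL (33 such reports in the real list above).
SAMPLE_CSV = "\n".join([
    "CrashIfInvalidSlot\thttps://plus.google.com/_/apps-static/_/js/nw/nw_i/rt=h/ver=abc123",
    "CrashIfInvalidSlot\thttps://mail.google.com/mail/?shva=1#inbox",
    "CrashIfInvalidSlot\t\\N",
    "js::gc::MarkChildren\thttp://www.example.com/",
    "CrashIfInvalidSlot\thttp://localhost:8080/app/login?session=deadbeef",
    "CrashIfInvalidSlot\thttps://mail.google.com/mail/?shva=1#inbox",
    "CrashIfInvalidSlot\thttp://localhost:8080/app/login?session=cafebabe",
])

# Query-parameter names (exact or as a suffix) that usually carry per-user
# state; a heuristic chosen for this example, not a Socorro rule.
PRIVATE_KEYS = ("session", "sid", "token", "auth", "key", "id")


def looks_private(param_name):
    name = param_name.lower()
    return any(name == k or name.endswith(k) for k in PRIVATE_KEYS)


def redact(url):
    """Drop the query string and fragment, leaving '?...', when any parameter
    name looks like session state. Other URLs are returned unchanged."""
    if url in ("\\N", ""):
        return url
    parts = urlsplit(url)
    names = [kv.split("=", 1)[0] for kv in parts.query.split("&") if kv]
    if any(looks_private(n) for n in names):
        return urlunsplit((parts.scheme, parts.netloc, parts.path, "", "")) + "?..."
    return url


def urls_for_signature(csv_text, signature):
    """Return [(url, count), ...] sorted by count, descending, for rows whose
    signature column contains `signature` (awk's /regex/ match, not equality)."""
    counts = Counter()
    for line in csv_text.splitlines():
        if "\t" not in line:
            continue
        sig, url = line.split("\t", 1)
        if signature in sig:
            counts[redact(url)] += 1
    return counts.most_common()


def format_report(rows):
    """Mimic `uniq -c` output: right-aligned count, then the URL."""
    return "\n".join(f"{count:7d} {url}" for url, count in rows)


if __name__ == "__main__":
    print(format_report(urls_for_signature(SAMPLE_CSV, "CrashIfInvalidSlot")))
```

Redacting before counting also merges URLs that differ only in their session token (the two `localhost:8080/app/login` rows collapse into one line), which is usually what you want when looking for a site to reproduce on.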
Comment 16 Scoobidiver (away) 2012-03-20 08:02:53 PDT
There's a spike in crashes from March 20 in 14.0a1.
Comment 17 Chris Peterson [:cpeterson] 2012-04-02 23:22:13 PDT
I do not have Firebug installed, but I hit this crash almost every day on my older MacBook Pro (running OSX 10.6), though not on my newer MacBook Pro (running OSX 10.7). I first started seeing this crash on March 28, a few days after upgrading to 14.0a1.
Comment 18 Luke Wagner [:luke] 2012-04-03 09:33:28 PDT
If you can find any STR, that would be greatly appreciated.
Comment 19 Chris Peterson [:cpeterson] 2012-04-03 23:55:28 PDT
I have found STR that can reliably crash Firefox 14.0a1 on my MacBook Pro (running Mac OS X 10.6):

STR:
1. Disable all Add-ons
2. Install EFF's `HTTPS Everywhere` Add-on version 2.0.1
3. Load Google Reader using this URL: https://www.google.com/reader/view/#stream/

The crash goes away if I do any of the following:
* "Disable All" sites in HTTPS Everywhere's preferences
* Disable or uninstall the HTTPS Everywhere Add-on itself
* Load Google Reader using https://www.google.com/reader/view/ (without "#stream") instead of https://www.google.com/reader/view/#stream/
Comment 20 Luke Wagner [:luke] 2012-04-04 09:32:30 PDT
Thanks for narrowing that down!  Unfortunately I wasn't able to reproduce (I tried OS X 10.6 on a nightly and Linux debug custom build).  I used a new profile (with the HTTPS addon installed); can you reproduce with a new profile?  Also, it may just be my reader stream.  If it isn't too much trouble, perhaps you could create a new google reader account (whose name/pass you wouldn't mind sending me) and get it crashing?
Comment 21 Chris Peterson [:cpeterson] 2012-04-05 00:08:47 PDT
I think I have found STR that can reproduce this crash with a new profile. I've tested two different MacBook Pros with new profiles and reproduced this crash 30 times this evening.

1. Create a new profile.
2. Install Ghostery addon. (This is the only addon I have installed, besides the bundled pdf.js addon. My hypothesis about the HTTPS Everywhere addon was a red herring.)
3. Load Google Reader.
4. Change Reader's view button from "# New Items" to "All Items" (so you'll still have headlines to view after step #5).
5. Click "Mark all as read" button a couple times. Nothing bad happens.
6. In a different tab, open about:config.
7. Set javascript.options.methodjit_always=true
8. Go back to Google Reader tab.
9. Click "Mark all as read" button twice. Firefox crashes here 100% for me.

The crash goes away if I set javascript.options.methodjit_always=false (its default value) or if I disable or uninstall the Ghostery addon.
Comment 22 Luke Wagner [:luke] 2012-04-05 09:23:59 PDT
That does reproduce; thanks a lot for your investigation!  The game is afoot.
Comment 23 Luke Wagner [:luke] 2012-04-05 16:33:49 PDT
So the testcase hits the (!inline_) assert (before crashing at CrashIfInvalid in release builds).  The inlined frame is in a compartment different than cx->compartment (there must be a cross-compartment call in the callstack) so I think the bug is simply that StackIter::StackIter() calls ExpandInlineFrames only for cx->compartment and needs to expand *all* compartments' inline frames.

Again, awesome job finding a reproducible testcase!
Comment 24 Luke Wagner [:luke] 2012-04-05 17:56:26 PDT
Created attachment 612764 [details] [diff] [review]
fix stack iter

Simple fix iterates over all compartments.  Following the STR and no more crash.
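To make the mechanism in comments 23 and 24 concrete, here is an added toy model in Python; it is not SpiderMonkey code and `Frame`, `StackIter`, `walk` and the sample stack are this model's own names. The method JIT can fold a callee into its caller's physical frame (an "inline frame"), and a stack walker has to expand those before it can trust per-frame slots. The model's buggy constructor expands inline frames only for `cx->compartment`, so a stack containing a cross-compartment call leaves the other compartment's folded frames unexpanded and the walker trips its stand-in for the `(!inline_)` assert; the fixed constructor expands every compartment's frames. Which compartment throws in the real STR is not known from the bug, so the sample stack's assignment of roles is a constructed assumption.

```python
"""Toy model of the StackIter bug from comments 23 and 24.

Added example, not SpiderMonkey code. Frame, StackIter, walk and the sample
stack are this model's own names, not engine identifiers.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Frame:
    name: str
    compartment: str
    # Callees the JIT folded into this physical frame; non-empty means the
    # frame is still in its "inline" state and its slots cannot be trusted.
    inline_callees: List[str] = field(default_factory=list)


class StackWalkError(AssertionError):
    """Stands in for the (!inline_) assertion / CrashIfInvalidSlot."""


def expand_inline_frames(stack, compartment):
    """Split every inlined frame belonging to `compartment` into real frames."""
    expanded = []
    for f in stack:
        if f.compartment == compartment and f.inline_callees:
            expanded.append(Frame(f.name, f.compartment))
            expanded.extend(Frame(c, f.compartment) for c in f.inline_callees)
        else:
            expanded.append(f)
    return expanded


class StackIter:
    def __init__(self, cx_compartment, stack, expand_all_compartments):
        if expand_all_compartments:
            # What the fix does: expand inline frames of every compartment.
            for comp in sorted({f.compartment for f in stack}):
                stack = expand_inline_frames(stack, comp)
        else:
            # The buggy behaviour: only the current compartment's frames.
            stack = expand_inline_frames(stack, cx_compartment)
        self._frames = list(reversed(stack))  # newest frame first

    def settle_on_new_state(self, frame):
        # A frame that still carries folded callees was never expanded.
        if frame.inline_callees:
            raise StackWalkError(
                f"{frame.name} in compartment {frame.compartment!r} was never expanded")
        return frame.name

    def __iter__(self):
        for f in self._frames:
            yield self.settle_on_new_state(f)


def walk(cx_compartment, stack, expand_all_compartments):
    """Return the frame names seen by a full walk, newest first."""
    return list(StackIter(cx_compartment, stack, expand_all_compartments))


def sample_stack():
    """Constructed stack (assumption): content script outer() had inner()
    inlined into it by the JIT, then called across compartments into add-on
    code that throws, so the walk starts with cx->compartment == 'addon'."""
    return [
        Frame("content:outer", "content", inline_callees=["content:inner"]),
        Frame("addon:onError", "addon"),
    ]


def walk_fails(cx_compartment, stack, expand_all_compartments):
    """True when the walker hits an unexpanded inline frame."""
    try:
        walk(cx_compartment, stack, expand_all_compartments)
    except StackWalkError:
        return True
    return False


if __name__ == "__main__":
    print("buggy walker fails:", walk_fails("addon", sample_stack(), False))
    print("fixed walker sees:", walk("addon", sample_stack(), True))
```

The model also shows why the crash needed a cross-compartment call to surface: with `cx_compartment == "content"` the buggy walker expands the only inlined frame anyway and succeeds, which is consistent with the crash only appearing when an add-on (Firebug, Ghostery) sits on the call stack of JIT-compiled page code.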
Comment 25 Luke Wagner [:luke] 2012-04-05 17:59:15 PDT
cc'ing Jesse for interesting fuzzer material.
Comment 28 Scoobidiver (away) 2012-04-13 03:29:09 PDT
It's not fixed. See bp-0d114d02-950a-4e00-8e25-654b22120412.
Comment 29 Luke Wagner [:luke] 2012-04-13 10:29:58 PDT
To be clear, the signature isn't fixed (it is a funnel for a lot of different bugs), but the particular bug reported in comment 21 and patched in comment 26 has been fixed.
Comment 30 Jesse Ruderman 2012-04-14 12:45:28 PDT
Please file a new bug on the crash signature. Sorry for morphing your bug, but one-fix-per-bug is important.
