https://crash-stats.mozilla.com/report/index/bp-53ad29ed-bdd9-48e9-b7f2-d9d502130505 Happens on current nightly. Steps to reproduce: 1) Go to google.com 2) Open Web Console 3) Type in window.content 4) Click on [object Window] (which should open a dialog with all attributes) 5) CRASH
This crash stack involves DebuggerObject_unsafeDereference, which was added in bug 837723 (Fx23). That's the most recent code that has changed in the stack, so I'd guess that's at fault. This is debugger-only, so maybe not really s-s in that case. Aside from that, there is lots of Xray-y stuff in the stack. Code from bug 836301 (Fx 22) is the most recently changed that I can see.