These are 100% reproducible, in today's m-c nightly, on OS X and Windows, with and without e10s, using the following URL (among others): http://www.bmj.com/theBMJ

Regression range on OS X: firefox-2015-06-11-03-02-08-mozilla-central firefox-2015-06-12-03-02-05-mozilla-central http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=bfd82015df48&tochange=0093691d3715

(Following up comment #1) The regression range is the same on Windows (Windows 7).

To see these crashes with e10s on (in the content process), you may need to switch away from the tab containing http://www.bmj.com/theBMJ and then back again.

[Tracking Requested - why for this release]: These crashes are very easy to reproduce, and will probably quickly become a topcrasher on all platforms.

So in a debug build, after loading this page I get: Assertion failure: type == MIRType_Object, at ../../../mozilla/js/src/jit/IonTypes.h:450 #0 js::jit::ValueTypeFromMIRType (type=js::jit::MIRType_Value) at IonTypes.h:450 #1 0x0000000107ace9c9 in js::jit::CodeGeneratorX64::visitBox (this=0x13ef9a000, box=0x159aaf3b0) at CodeGenerator-x64.cpp:81 #2 0x0000000107b129e6 in js::jit::LBox::accept (this=0x159aaf3b0, visitor=0x13ef9a000) at LIR-x64.h:19 #3 0x00000001077eae49 in js::jit::CodeGenerator::generateBody (this=0x13ef9a000) at CodeGenerator.cpp:4103 #4 0x00000001077fe9d2 in js::jit::CodeGenerator::generate (this=0x13ef9a000) at CodeGenerator.cpp:7779 Looking at the regression range, bug 1166711 seems like a possible cause. In fact, bug 1174547 already covers the assert I'm seeing....

I will investigate this issue once I am done with Bug 1174547.

All the Socorro stacks I've seen for this bug are incomplete. I thought I'd have better luck with a non-opt non-debug self build. But even when running that in gdb, most of my stacks are still incomplete. Still, though, I did manage to get this one.

In bug 1175339 I noted that hg bisect identified: The first bad revision is: changeset: 248305:e51492b08d25 user: Nicolas B. Pierron <nicolas.b.pierron@mozilla.com> date: Thu Jun 11 14:30:29 2015 +0200 summary: Bug 1165348 - Move Scalar Replacement after GVN. r=jandem I am currently doing a debug build and when that completes I will try to verify via backout that that is, in fact, the regressor. If so I will update this bug accordingly.

I am finishing a custom build, I will double check.(In reply to Steven Michaud [:smichaud] from comment #0) > These are 100% reproducible, in today's m-c nightly, on OS X and Windows, > with and without e10s, using the following URL (among others): > > http://www.bmj.com/theBMJ I was unable to reproduce this Crash on a custom build including Bug 1174322, Bug 1174547, and Bug 1175233 patches. I will mark it as a duplicate of Bug 1174547 (which is waiting for review).

Assuming that this is a dup of bug 1174547, we do not need to track this bug. Please re-open if that is not the case.