Closed
Bug 342793
Opened 18 years ago
Closed 18 years ago
crash in trunk browser js1_7/geniter/326466-01.js
Categories
(Core :: JavaScript Engine, defect)
Tracking: VERIFIED DUPLICATE of bug 343455
People
(Reporter: bc, Unassigned)
Details
(Keywords: crash, fixed1.8.1, Whiteboard: [sg:dupe 343455])
Load the URL in a trunk build on winxp. You may need to click in the url bar or reload to see the crash.
JSTRAP_CONTINUE 0x00000001 int
+ pc 0x04b20f6b "нннннннннннннннннннннннннннннннннннннннннннннннннннн" unsigned char *
+ rt 0x00fa90e0 {state=JSRTS_UP gcArenaList=0x00fa90e4 gcRootsHash={...} ...} JSRuntime *
+ script 0x04b20f28 {code=0xdddddddd <Bad Ptr> length=0xdddddddd main=0xdddddddd <Bad Ptr> ...} JSScript *
> js3250.dll!js_Interpret(JSContext * cx=0x03c54230, unsigned char * pc=0x04b20f6b, long * result=0x0012f808) Line 6140 + 0x42 bytes C
js3250.dll!generator_send(JSContext * cx=0x03c54230, JSObject * obj=0x04affa18, unsigned int argc=0x00000000, long * argv=0x010434a8, long * rval=0x0012f8ec) Line 778 + 0x14 bytes C
js3250.dll!generator_close(JSContext * cx=0x03c54230, JSObject * obj=0x04affa18, unsigned int argc=0x00000000, long * argv=0x010434a8, long * rval=0x0012f8ec) Line 828 + 0x17 bytes C
js3250.dll!js_Invoke(JSContext * cx=0x03c54230, unsigned int argc=0x00000000, unsigned int flags=0x00000002) Line 1328 + 0x20 bytes C
js3250.dll!js_InternalInvoke(JSContext * cx=0x03c54230, JSObject * obj=0x04affa18, long fval=0x04affa00, unsigned int flags=0x00000000, unsigned int argc=0x00000000, long * argv=0x00000000, long * rval=0x0012fa40) Line 1422 + 0x14 bytes C
js3250.dll!generator_closehook(JSContext * cx=0x03c54230, JSObject * obj=0x04affa18) Line 632 + 0x1b bytes C
js3250.dll!ExecuteCloseHooks(JSContext * cx=0x03c54230, const JSObjectsToClose * toClose=0x0012fb04) Line 859 + 0x10 bytes C
js3250.dll!js_GC(JSContext * cx=0x03c54230, unsigned int gcflags=0x00000000) Line 2633 + 0xd bytes C
js3250.dll!js_ForceGC(JSContext * cx=0x03c54230, unsigned int gcflags=0x00000000) Line 2098 + 0xd bytes C
js3250.dll!JS_GC(JSContext * cx=0x03c54230) Line 1907 + 0xb bytes C
gklayout.dll!nsJSContext::Notify(nsITimer * timer=0x03e8b670) Line 2996 + 0xd bytes C++
xpcom_core.dll!nsTimerImpl::Fire() Line 404 C++
xpcom_core.dll!nsTimerEvent::Run() Line 486 C++
xpcom_core.dll!nsThread::ProcessNextEvent(int mayWait=0x00000001, int * result=0x0012fc34) Line 483 C++
xpcom_core.dll!NS_ProcessNextEvent_P(nsIThread * thread=0x00b083b8, int mayWait=0x00000001) Line 225 + 0x16 bytes C++
gkwidget.dll!nsBaseAppShell::Run() Line 153 + 0xc bytes C++
tkitcmps.dll!nsAppStartup::Run() Line 171 + 0x1c bytes C++
xul.dll!XRE_main(int argc=0x00000004, char * * argv=0x00b07fe0, const nsXREAppData * aAppData=0x004036b0) Line 2349 + 0x25 bytes C++
firefox.exe!main(int argc=0x00000004, char * * argv=0x00b07fe0) Line 61 + 0x13 bytes C++
firefox.exe!__tmainCRTStartup() Line 586 + 0x19 bytes C
firefox.exe!mainCRTStartup() Line 403 C
kernel32.dll!_BaseProcessStart@4() + 0x23 bytes
Comment 1 • 18 years ago • Reporter
I still get this nasty crash with deleted memory on the trunk during shutdown in the browser test using the v3 js17 rollup patch.
Flags: blocking1.9a1?
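How the "deleted memory" reading of the stack above is reached: in an MSVC debug build the CRT debug heap fills freshly allocated blocks with 0xCD and released blocks with 0xDD, so a JSScript whose code, length and main fields all read 0xdddddddd is a freed object that js_Interpret is still walking. The C program below is an added example, not code from this bug or from SpiderMonkey; it classifies the 32-bit hex values in a debugger watch line by those documented MSVC fill patterns (0xCC, 0xCD, 0xFD, 0xDD, 0xFEEEFEEE). The watch-line format and the sample lines are taken from the report, with the non-ASCII string operand of pc left out; the severity ordering of the enum is the example's own choice.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* MSVC CRT debug-heap fill patterns, ordered so that a higher enum value is
 * the more serious finding when several appear on one line (our ordering). */
typedef enum {
    FILL_NONE = 0,       /* ordinary value, nothing to conclude */
    FILL_UNINIT_STACK,   /* 0xCC: never-written stack memory */
    FILL_UNINIT_HEAP,    /* 0xCD: malloc'd in a debug build, never written */
    FILL_GUARD,          /* 0xFD: no-man's-land guard bytes around a block */
    FILL_FREED_HEAP,     /* 0xDD: block released by debug free (use-after-free) */
    FILL_FREED_OSHEAP    /* 0xFEEEFEEE: block released by HeapFree */
} fill_kind;

fill_kind classify_fill(uint32_t v)
{
    switch (v) {
    case 0xCCCCCCCCu: return FILL_UNINIT_STACK;
    case 0xCDCDCDCDu: return FILL_UNINIT_HEAP;
    case 0xFDFDFDFDu: return FILL_GUARD;
    case 0xDDDDDDDDu: return FILL_FREED_HEAP;
    case 0xFEEEFEEEu: return FILL_FREED_OSHEAP;
    default:          return FILL_NONE;
    }
}

const char *fill_name(fill_kind k)
{
    static const char *names[] = {
        "live value",
        "uninitialised stack (0xCC)",
        "uninitialised heap (0xCD)",
        "heap guard bytes (0xFD)",
        "freed heap block (0xDD)",
        "block freed by HeapFree (0xFEEEFEEE)"
    };
    return names[k];
}

/* Scan one debugger watch line ("name 0x... {field=0x... ...}") for every
 * 0x-prefixed value and return the most serious fill pattern seen. Only
 * values with exactly 8 hex digits are considered, so short flag words such
 * as 0x42 are skipped and do not produce false matches. */
fill_kind scan_watch_line(const char *line)
{
    fill_kind worst = FILL_NONE;
    const char *p = line;
    while ((p = strstr(p, "0x")) != NULL) {
        char *end;
        unsigned long v = strtoul(p, &end, 16);   /* base 16 accepts the 0x prefix */
        if (end - p == 10) {                      /* "0x" plus 8 hex digits */
            fill_kind k = classify_fill((uint32_t)v);
            if (k > worst)
                worst = k;
        }
        p = (end > p) ? end : p + 2;              /* always make progress */
    }
    return worst;
}

/* Watch lines from the crash report above (pc's string operand omitted). */
static const char *WATCH_LINES[] = {
    "pc 0x04b20f6b unsigned char *",
    "rt 0x00fa90e0 {state=JSRTS_UP gcArenaList=0x00fa90e4 gcRootsHash={...} ...} JSRuntime *",
    "script 0x04b20f28 {code=0xdddddddd <Bad Ptr> length=0xdddddddd main=0xdddddddd <Bad Ptr> ...} JSScript *",
};

int main(void)
{
    size_t n = sizeof WATCH_LINES / sizeof WATCH_LINES[0];
    for (size_t i = 0; i < n; i++)
        printf("%s\n  -> %s\n", WATCH_LINES[i], fill_name(scan_watch_line(WATCH_LINES[i])));
    return 0;
}
```

Run against the three watch lines, only the JSScript line classifies as a freed heap block; pc and rt hold live pointers. The same scan applied to the pc line's byte string would need the raw bytes rather than the debugger's character rendering, which is why the string operand is not included here.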
Updated • 18 years ago • Reporter
Group: security
Comment 2 • 18 years ago • Reporter
This occurs on 1.8.1a3/winxp as well now that js17 has landed. Note that deleted memory use is exploitable.
Flags: blocking1.8.1?
Updated • 18 years ago
Flags: blocking1.8.1? → blocking1.8.1+
Comment 3 • 18 years ago
If this is fixed now that the fixes for bug 343455 have landed, please mark dup.
/be
Comment 4 • 18 years ago • Reporter
Pulled cvs and built trunk debug depends and still crash after clicking url bar and reload with same stack as in bug 343295 comment 2.
Comment 5 • 18 years ago
Crashes for me on linux trunk with clearing hooks. Same stack as in the description.
Comment 6 • 18 years ago
*** This bug has been marked as a duplicate of 343455 ***
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE
Comment 7 • 18 years ago • Reporter
Note:
test: js1_7/geniter/326466-01.js: result: CRASHED type: browser description: none : results/2006-07-24-05-43-40-firefox-2.0-dbg-1.8.1b1_2006072312-prune.log CRASHED 5 (2.468000 seconds)
test: js1_7/geniter/326466-01.js: result: CRASHED type: browser description: none : results/2006-07-24-08-35-59-firefox-2.0-dbg-mac-1.8.1b1_2006072312-pineapple.mozilla.org.log CRASHED signal 6 (4.244419 seconds)
Updated • 18 years ago • Reporter
Status: RESOLVED → VERIFIED
Updated • 18 years ago
Flags: blocking1.9a1?
Keywords: fixed1.8.1
Updated • 18 years ago
Whiteboard: [sg:dupe 343455]
Updated • 18 years ago
Group: security