Closed Bug 468511 Opened 16 years ago Closed 16 years ago

Crash [@ nsXULDocument::GetElementById] on reload with binding, observes and svg element

Categories

(Core :: DOM: Core & HTML, defect, P2)

x86
Windows XP
defect

Tracking

RESOLVED DUPLICATE of bug 472212

People

(Reporter: martijn.martijn, Assigned: jst)

Details

(Keywords: crash, regression, testcase, Whiteboard: [sg:dupe 472212])

Attachments

(2 files, 1 obsolete file)

Attached file testcase (deleted) —
See testcase, which crashes current trunk build on reload. It doesn't crash in a 2008-06-22 build, it does crash in a 2008-06-23 build:
http://hg.mozilla.org/mozilla-central/pushloghtml?startdate=2008-06-22+04%3A00%3A00&enddate=2008-06-23+07%3A00%3A00
I think this is a regression from bug 344258.
This might be related to bug 461027, so marking security sensitive.
Breakpad doesn't really seem to give useful stacks:
http://crash-stats.mozilla.com/report/index/bb0f8a7a-191e-4ea5-88a6-966b22081208?p=1
0 ntdll.dll KiFastSystemCallRet
1 ntdll.dll NtReleaseSemaphore
2 kernel32.dll ReleaseSemaphore
3 xul.dll google_breakpad::ExceptionHandler::WriteMinidumpOnHandlerThread toolkit/crashreporter/google-breakpad/src/client/windows/handler/exception_handler.cc:421
4 xul.dll google_breakpad::ExceptionHandler::HandlePureVirtualCall toolkit/crashreporter/google-breakpad/src/client/windows/handler/exception_handler.cc:393
5 mozcrt19.dll _purecall obj-firefox/memory/jemalloc/src/purevirt.c:47
6 xul.dll CallQueryInterface<nsIContent,nsIDOMElement> obj-firefox/dist/include/xpcom/nsISupportsUtils.h:203
7 xul.dll xul.dll@0x87eaa3
Flags: blocking1.9.1?
Attached file stack from debug build (deleted) —
This is a stacktrace that I get from a debug build:
> gklayout.dll!CallQueryInterface<nsIContent,nsIDOMElement>(nsIContent * aSource=0x084a4058, nsIDOMElement * * aDestination=0x0012ead0) Line 203 + 0x12 bytes C++
gklayout.dll!nsXULDocument::GetElementById(const nsAString_internal & aId={...}, nsIDOMElement * * aReturn=0x0012ead0) Line 1627 + 0xd bytes C++
gklayout.dll!nsXULDocument::FindBroadcaster(nsIContent * aElement=0x084a4e08, nsIDOMElement * * aListener=0x0012e990, nsString & aBroadcasterID={...}, nsString & aAttribute={...}, nsIDOMElement * * aBroadcaster=0x0012ead0) Line 4230 + 0x22 bytes C++
gklayout.dll!nsXULDocument::RemoveSubtreeFromDocument(nsIContent * aElement=0x084a4e08) Line 1798 + 0x59 bytes C++
gklayout.dll!nsXULDocument::RemoveSubtreeFromDocument(nsIContent * aElement=0x084a4db8) Line 1769 + 0x20 bytes C++
gklayout.dll!nsXBLBinding::ChangeDocument(nsIDocument * aOldDocument=0x0843b658, nsIDocument * aNewDocument=0x00000000) Line 1154 C++
gklayout.dll!nsBindingManager::ChangeDocumentFor(nsIContent * aContent=0x0845efd8, nsIDocument * aOldDocument=0x0843b658, nsIDocument * aNewDocument=0x00000000) Line 633 C++
gklayout.dll!nsGenericElement::DestroyContent() Line 3474 C++
gklayout.dll!nsXULElement::DestroyContent() Line 1521 C++
etc...
This is probably exploitable, and it's a regression. We should fix this.
Assignee: nobody → jst
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P2
Whiteboard: [sg:critical?]
Attached patch Fix. (obsolete) (deleted) —
This fixes this bug. The problem was that the XUL document was notified about an anonymous tree (containing elements with IDs) by a call to nsIXULDocument::AddSubtreeToDocument(). When the anonymous subtree is removed, the document was never told about the removal, and thus we ended up with dangling pointers in our ID hash. I'm not convinced that this is the right spot to call this, and I don't really understand this code that well, but this fixes the crash.
Attachment #357310 - Flags: superreview?(jonas)
Attachment #357310 - Flags: review?(jonas)
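The defect described in the patch comment is a bookkeeping mismatch: a non-owning ID hash is told when an anonymous subtree is added but not when it is torn down, so its raw pointers outlive the elements they name. The following is an added illustration of that bug class and of the fix shape (notify the table on the same path that frees the subtree); it is not Mozilla code, and the names Element, IdTable, makeAnonymousSubtree and danglingEntriesAfterTeardown are hypothetical stand-ins for the XUL document's ID hash and its AddSubtreeToDocument() notification. It never dereferences a stale pointer; it only counts table entries that still resolve for ids whose elements were destroyed.

```cpp
// Added example (not Mozilla code): a minimal model of non-owning ID-hash
// bookkeeping. All names are hypothetical; sample ids are constructed.
#include <cstddef>
#include <memory>
#include <string>
#include <unordered_map>
#include <vector>

// A tree node with an optional id. Ownership follows the tree: a parent
// owns its children, so dropping the parent's unique_ptr frees the subtree.
struct Element {
    std::string id;
    std::vector<std::unique_ptr<Element>> children;
};

// Non-owning id -> element index, modelled on a document's ID hash.
// Each stored pointer is valid only while its element is alive, so the
// code path that frees a subtree must also call removeSubtree().
class IdTable {
public:
    void addSubtree(const Element* root) {
        if (!root->id.empty()) map_[root->id] = root;
        for (const auto& child : root->children) addSubtree(child.get());
    }
    void removeSubtree(const Element* root) {
        if (!root->id.empty()) map_.erase(root->id);
        for (const auto& child : root->children) removeSubtree(child.get());
    }
    const Element* lookup(const std::string& id) const {
        auto it = map_.find(id);
        return it == map_.end() ? nullptr : it->second;
    }
private:
    std::unordered_map<std::string, const Element*> map_;
};

// Builds the kind of subtree a binding might insert: an anonymous root
// with two children, all carrying ids (constructed sample data).
static std::unique_ptr<Element> makeAnonymousSubtree() {
    auto root = std::make_unique<Element>();
    root->id = "anon-root";
    for (const char* id : {"anon-a", "anon-b"}) {
        auto child = std::make_unique<Element>();
        child->id = id;
        root->children.push_back(std::move(child));
    }
    return root;
}

// Records every id in a subtree before it is freed, so the table can be
// checked afterwards without touching possibly-freed memory.
static void collectIds(const Element* root, std::vector<std::string>& out) {
    if (!root->id.empty()) out.push_back(root->id);
    for (const auto& child : root->children) collectIds(child.get(), out);
}

// Attaches and registers the anonymous subtree, then frees it.
// notifyOnRemove == false reproduces the defect: the table keeps entries
// for elements that no longer exist. Returns how many such entries remain.
int danglingEntriesAfterTeardown(bool notifyOnRemove) {
    Element document;                        // the owning document root
    IdTable ids;
    document.children.push_back(makeAnonymousSubtree());
    Element* anon = document.children.back().get();
    ids.addSubtree(anon);                    // AddSubtreeToDocument() analogue

    std::vector<std::string> freedIds;
    collectIds(anon, freedIds);

    if (notifyOnRemove) ids.removeSubtree(anon);   // the fix: unregister first
    document.children.pop_back();                  // frees the subtree

    int dangling = 0;
    for (const auto& id : freedIds)
        if (ids.lookup(id) != nullptr) ++dangling; // stale entry, never dereferenced
    return dangling;
}

int main() {
    // Buggy path leaves 3 stale entries; fixed path leaves none.
    return (danglingEntriesAfterTeardown(false) == 3 &&
            danglingEntriesAfterTeardown(true) == 0) ? 0 : 1;
}
```

The structural point for a reviewer is the one jst raises himself: the registration and the unregistration must live on paired code paths, otherwise any later lookup by id (here the broadcaster lookup in FindBroadcaster) hands back freed memory.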
(In reply to comment #4)
> Is this a dup of Bug 472212?
I guess it might be, the testcase is now wfm, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090113 Minefield/3.2a1pre
It is indeed.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
Attachment #357310 - Attachment is obsolete: true
Attachment #357310 - Flags: superreview?(jonas)
Attachment #357310 - Flags: review?(jonas)
Whiteboard: [sg:critical?] → [sg:dupe 472212]
Crash Signature: [@ nsXULDocument::GetElementById]
Component: DOM → DOM: Core & HTML