http://crash-stats.mozilla.com/report/index/972ddfbb-dbdd-4695-bb22-977842091205 Frame Module Signature [Expand] Source 0 xul.dll nsStyleContext::Mark layout/style/nsStyleContext.cpp:474 1 xul.dll nsStyleContext::Mark layout/style/nsStyleContext.cpp:492 2 xul.dll nsStyleContext::Mark layout/style/nsStyleContext.cpp:492 3 xul.dll nsStyleContext::Mark layout/style/nsStyleContext.cpp:492 4 xul.dll nsStyleContext::Mark layout/style/nsStyleContext.cpp:492 5 xul.dll nsStyleContext::Mark layout/style/nsStyleContext.cpp:492 6 xul.dll nsStyleContext::Mark layout/style/nsStyleContext.cpp:492 7 xul.dll nsStyleContext::Mark layout/style/nsStyleContext.cpp:492 8 xul.dll nsStyleContext::Mark layout/style/nsStyleContext.cpp:492 9 xul.dll nsStyleContext::Mark layout/style/nsStyleContext.cpp:492 10 xul.dll nsStyleContext::Mark layout/style/nsStyleContext.cpp:492 11 xul.dll nsStyleContext::Mark layout/style/nsStyleContext.cpp:492 12 xul.dll nsStyleContext::Mark layout/style/nsStyleContext.cpp:492 13 xul.dll nsStyleSet::GCRuleTrees layout/style/nsStyleSet.cpp:915 14 xul.dll nsFrameManager::ReResolveStyleContext layout/base/nsFrameManager.cpp:1278 more reports across all releases with a variety of different stacks at http://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=exact&query=&date=&range_value=1&range_unit=weeks&do_query=1&signature=nsStyleContext::Mark%28%29 sort by address to get at the FP address crashes

The security team would be interested if steps-to-reproduce showed up.

This frame-poisoned crash still happens, and is not limited to the old Firefox 3.6 branch.