1. Load the testcase. 2. Quit Firefox (or otherwise close it and then cause a GC). Result: ###!!! ABORT: Removing image that wasn't in the tracker!: 'found', file content/base/src/nsDocument.cpp, line 8007 Bug 589469 might be the same as this bug (see bug 589469 comment 3 option 3), but I can't be sure because that bug doesn't have a testcase.

This should block Gecko 2.0 because it might be responsible for crashes at http://derstandard.at/ (Alexa: #9 in Austria).

Oh and also because it's likely exploitable, since in opt builds, it crashes touching a bogus address.

The appendChild call in this case does an implicit removeChild followed by implicit adoptNode. Then see bug 589469 comment 8.

FWIW, I've got an (un-reduced, save-as-webpage-complete) testcase from a purchase receipt that triggers this same ABORT_IF_FALSE shortly after leaving print preview. Just talked to bholley about it; if it ends up not being fixed by bholley's patch here, I'll file a new bug on that.

Pushed a fix for this testcase to mozilla-central: http://hg.mozilla.org/mozilla-central/rev/cf4d7946e2e0 Resolving fixed.

The testcase I mentioned in comment 4 still triggers this abort -- I filed bug 591560 on that.

older branches appear don't trigger the alert, as expected since the regressing bug 512260 (suspected or proved?) didn't land there.

(In reply to comment #7) > older branches appear don't trigger the alert, as expected since the regressing > bug 512260 (suspected or proved?) didn't land there. The tracker in question did not exist pre bug 512260.

Jesse landed this testcase on m-c. http://hg.mozilla.org/mozilla-central/rev/cef75243703a