Closed Bug 693053 Opened 13 years ago Closed 13 years ago

crash with destroyed nsPluginArray instance when running cross_fuzz

Categories

(Core Graveyard :: Plug-ins, defect)

x86
Windows XP
defect
Not set
critical

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: MatsPalmgren_bugz, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, Whiteboard: [sg:critical?])

Crash Data

Attachments

(3 files)

STEPS TO REPRODUCE
1. download cross-fuzz from: http://lcamtuf.coredump.cx/cross_fuzz/
2. turn off popup blocking, turn off slow script warnings, turn off the pref "Open new windows in a new tab instead"
3. load file:///c:/cross_fuzz/cross_fuzz_randomized_2011010c5_seed.html#-501598811

ACTUAL RESULT
nsPluginArray::AllowPlugins
nsPluginArray::GetLength
nsMimeTypeArray::GetMimeTypes
nsNavigator::JavaEnabled
NS_InvokeByIndex_P
...

ADDITIONAL INFORMATION
Bug occurs in a local mozilla-central (10.0a1) DEBUG build on Windows XP.
https://crash-stats.mozilla.com/ have 5 reported crashes in the past 4 weeks.
Example: bp-01b9cf5d-c450-44db-af7d-2ba172111005 (Fx 4.0.1, 5.0 and 6.0.2)
CC'ing Jesse in case he wants to look into differences between original cross-fuzz and cross-fuzz-like functionality incorporated into his fuzzers that led to this being missed (doesn't seem to be a dupe).
Keywords: testcase-wanted
Bobby, can you look into this? Might be fixable by code inspection, even.
Assignee: nobody → bobbyholley+bmo
(In reply to Johnny Stenback (:jst, jst@mozilla.com) from comment #2)
> Bobby, can you look into this? Might be fixable by code inspection, even.

sure thing.
Added some guesses to my DOM fuzzer in rev 99a9fca5c37f. Let me know if you make a testcase.
I'm able to quickly reproduce bug 671484 with the fuzzer. But after I comment out that assertion and run it for 5 minutes or so, I still don't see this crash. :\

I'm running on macos rather than windows, which may have something to do with it. But I'm also curious as to why the filename seems to be different than the one mats posted in the bug. I've been trying with http://lcamtuf.coredump.cx/cross_fuzz/cross_fuzz_randomized_20110105_seed.html#-501598811

mats, can you confirm that this is reproducible with that url?

Code inspection doesn't seem all that helpful here, unfortunately, since the code seems relatively innocuous. We've got this function:
http://mxr.mozilla.org/mozilla-central/source/dom/base/nsPluginArray.cpp#102
Which calls into:
http://mxr.mozilla.org/mozilla-central/source/docshell/base/nsDocShell.cpp#1923

If we believe the stack, then the only explanation is that mDocShell is garbage, which seems unlikely. The stack appears to be PGO-ed though, so it might be a few methods deeper than it appears.
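The comment above reasons about whether a destroyed owner (the docshell behind mDocShell) could be reached through nsPluginArray. The following is an added illustration, not Mozilla code, of the two lifetime patterns code inspection would distinguish here: a raw back-pointer, which cannot detect that its owner is gone, and a weak reference, which turns the same access into a checked failure. DocShellLike, PluginArrayRaw and PluginArrayWeak are hypothetical stand-ins with no relation to the real classes.

```cpp
// Added illustration (not Mozilla code): a raw back-pointer to an owner that
// can be destroyed independently vs. a weak reference that detects destruction.
#include <memory>

// Hypothetical stand-in for a docshell-like owner object.
struct DocShellLike {
    bool allowPlugins = true;
    bool GetAllowPlugins() const { return allowPlugins; }
};

// Pattern 1: raw back-pointer. Nothing tells the holder that the owner is
// gone, so a call after owner destruction dereferences freed memory unless
// someone explicitly cleared the pointer during teardown.
struct PluginArrayRaw {
    DocShellLike* mDocShell;
    bool AllowPlugins() const { return mDocShell && mDocShell->GetAllowPlugins(); }
};

// Pattern 2: weak reference. lock() yields null once the owner is destroyed,
// so the caller gets a definite "no plugins" answer instead of a crash.
struct PluginArrayWeak {
    std::weak_ptr<DocShellLike> mDocShell;
    bool AllowPlugins() const {
        if (auto shell = mDocShell.lock()) {
            return shell->GetAllowPlugins();
        }
        return false;  // owner already destroyed: fail closed
    }
};

// Drives the weak-reference version through the lifetime edge case:
// true before the owner is destroyed, false after, no dangling access.
bool WeakSurvivesOwnerDestruction() {
    auto shell = std::make_shared<DocShellLike>();
    PluginArrayWeak arr{shell};
    bool before = arr.AllowPlugins();
    shell.reset();                      // owner destroyed while arr still exists
    bool after = arr.AllowPlugins();    // lock() fails, returns false
    return before && !after;
}

// Shows the raw-pointer version's only safe path: the owner must clear the
// back-pointer before it dies. Skip the clear and the null check is useless.
bool RawNeedsExplicitClear() {
    auto shell = new DocShellLike();
    PluginArrayRaw arr{shell};
    bool before = arr.AllowPlugins();
    arr.mDocShell = nullptr;            // correct teardown: clear, then free
    delete shell;
    bool after = arr.AllowPlugins();    // safe only because we cleared it
    return before && !after;
}
```

The point for inspection is that a null check on a raw member proves nothing unless every destruction path of the owner is known to clear it; a weak reference (or an explicit "owner destroyed" notification) makes the invariant local and auditable.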
Hmm, I gave this a try on a windows box too and after setting assertions to warn only and commenting out the modal dialog opening code in nsGlobalWindow::Find(), I've had it running for an hour so far and got no crashes. It's still running, and I can leave it go, but so far nothing...
Ok, my bad, I had *not* set the pref to open new windows as windows instead of tabs, with that changed, I started seeing crashes in SVG code, but not this one yet.
(In reply to Johnny Stenback (:jst, jst@mozilla.com) from comment #7)
> Ok, my bad, I had *not* set the pref to open new windows as windows instead
> of tabs, with that changed, I started seeing crashes in SVG code, but not
> this one yet.

Yeah, that matches my experience. I commented out the NS_ABORT_IF_FALSE. I'm curious if the seed mats provided is still valid...
Ok, even with the right prefs set and asserts disabled and the NS_ABORT_IF_FALSE that bholley pointed out commented out, I still have been unable to reproduce this crash.
Attached file crash stack 2 (deleted) —
Re-running the test with an up-to-date build resulted in a different crash. (with the wallpaper in bug 671484 applied)

This is with the same seed as before:
file://.../cross_fuzz_randomized_20110105_seed.html#-501598811

I'll restart it again and see if I can trigger the original crash...
(In reply to Bobby Holley (:bholley) from comment #5)
> But I'm also curious as to why the filename seems to be different
> than the one mats posted in the bug.

Sorry, the URL in comment 0 has a copy-paste error or something... the URL I use is:
file://path-to-cross_fuzz/cross_fuzz_randomized_20110105_seed.html#-501598811

> I've been trying with
> http://lcamtuf.coredump.cx/cross_fuzz/cross_fuzz_randomized_20110105_seed.
> html#-501598811

I think you get different results if you download it and load it using a file:// URL.
(In reply to Mats Palmgren [:mats] from comment #11)
> I think you get different results if you download it and load it using
> a file:// URL.

Oh, I did (mirrored the whole thing using httrack). I was just pointing to the file to avoid any ambiguity.
I can't reproduce the crash @nsPluginArray::AllowPlugins after running the test for a few days with the -501598811 seed (trunk debug on XP). I got the crashes in comment 10 and comment 13, but only once. (using wallpapers for the SVG abort in bug 671484 and JS abort in bug 693212)
Summary: crash [@ nsPluginArray::AllowPlugins() ] → crash when running cross_fuzz
Seems we have nothing to go on here, w/o a testcase that reproduces this problem I find it hard to believe that we'll make much progress here :( Not tracking for 8 any more.
Relinquishing bug, given comment 15.
Assignee: bobbyholley+bmo → nobody
This is looking like WORKSFORME-ville -- any objections to opening it up? Possible this got fixed along the way since Jesse's fuzzers also include cross-fuzz-like functionality.
Summary: crash when running cross_fuzz → crash with destroyed nsPluginArray instance when running cross_fuzz
WORKSFORME, but leaving this closed in case this is reproducible on older versions that are still shipping.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WORKSFORME
Blocks: crossfuzz
Group: core-security → core-security-release
Group: core-security-release
Product: Core → Core Graveyard