Closed Bug 748701 Opened 13 years ago Closed 13 years ago

crash in nsObjectLoadingContent::IsPluginEnabledForType

Categories

(Core Graveyard :: Plug-ins, defect)

14 Branch
defect
Not set
critical

Tracking

(firefox14+ verified, blocking-fennec1.0 +)

VERIFIED FIXED
mozilla15
Tracking Status
firefox14 + verified
blocking-fennec1.0 --- +

People

(Reporter: scoobidiver, Assigned: jaws)

Details

(Keywords: crash, regression, testcase, Whiteboard: [native-crash][qa+:paul.silaghi])

Attachments

(2 files)

It first appeared in 14.0a1/20120422 and currently affects two users in Nightly. The regression range might be:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=22bfdebf5cae&tochange=990f6542747b

Signature: nsObjectLoadingContent::IsPluginEnabledForType(nsCString const&)
UUID: 3aab2a3a-8eed-4919-842a-311712120424
Date Processed: 2012-04-24 22:14:48
Uptime: 2267
Last Crash: 19.7 hours before submission
Install Age: 7.9 hours since version was first installed.
Install Time: 2012-04-24 14:22:14
Product: Firefox
Version: 14.0a1
Build ID: 20120424030709
Release Channel: nightly
OS: Windows NT
OS Version: 6.1.7601 Service Pack 1
Build Architecture: x86
Build Architecture Info: GenuineIntel family 6 model 42 stepping 7
Crash Reason: EXCEPTION_ACCESS_VIOLATION_READ
Crash Address: 0x0
App Notes: AdapterVendorID: 0x8086, AdapterDeviceID: 0x0116, AdapterSubsysID: 15001558, AdapterDriverVersion: 8.15.10.2653
  Has dual GPUs. GPU #2: AdapterVendorID2: 0x10de, AdapterDeviceID2: 0x0dce, AdapterSubsysID2: 15001558, AdapterDriverVersion2: 8.17.12.9573
  D2D? D2D+
  DWrite? DWrite+
  D3D10 Layers? D3D10 Layers+
EMCheckCompatibility: True
Total Virtual Memory: 4294836224
Available Virtual Memory: 3477127168
System Memory Use Percentage: 30
Available Page File: 13615034368
Available Physical Memory: 5928677376

Frame  Module  Signature  Source
0 xul.dll nsObjectLoadingContent::IsPluginEnabledForType content/base/src/nsObjectLoadingContent.cpp:523
1 xul.dll nsObjectLoadingContent::LoadObject content/base/src/nsObjectLoadingContent.cpp:1448
2 xul.dll nsObjectLoadingContent::LoadObject content/base/src/nsObjectLoadingContent.cpp:1254
3 xul.dll nsHTMLSharedObjectElement::StartObjectLoad content/html/content/src/nsHTMLSharedObjectElement.cpp:486
4 xul.dll nsHTMLSharedObjectElement::StartObjectLoad content/html/content/src/nsHTMLSharedObjectElement.cpp:144
5 xul.dll nsRunnableMethodImpl<void obj-firefox/dist/include/nsThreadUtils.h:345
6 xul.dll nsContentUtils::RemoveScriptBlocker content/base/src/nsContentUtils.cpp:4730
7 xul.dll nsDocument::EndUpdate content/base/src/nsDocument.cpp:4040
8 xul.dll nsHTMLDocument::EndUpdate content/html/document/src/nsHTMLDocument.cpp:2275
9 xul.dll nsHtml5TreeOpExecutor::FlushDocumentWrite parser/html/nsHtml5TreeOpExecutor.cpp:654
10 xul.dll nsHtml5StringParser::Tokenize parser/html/nsHtml5StringParser.cpp:161
11 xul.dll nsContentUtils::ParseFragmentHTML content/base/src/nsContentUtils.cpp:3988
12 xul.dll XPCConvert::NativeData2JS js/xpconnect/src/XPCConvert.cpp:359
13 xul.dll XPCConvert::NativeData2JS js/xpconnect/src/xpcprivate.h:3291
14 xul.dll XPCWrappedNative::CallMethod js/xpconnect/src/XPCWrappedNative.cpp:2408
15 mozjs.dll js::PropertyCache::fill js/src/jspropertycache.cpp:110
16 mozjs.dll js::GetPropertyHelper js/src/jsobj.cpp:5124
17 mozjs.dll js::GetPropertyOperation js/src/jsinterpinlines.h:266
18 mozjs.dll js::Interpret js/src/jsinterp.cpp:2757
19 mozjs.dll js::ContextStack::pushInvokeFrame js/src/vm/Stack.cpp:778
...
More reports at: https://crash-stats.mozilla.com/report/list?signature=nsObjectLoadingContent%3A%3AIsPluginEnabledForType%28nsCString+const%26%29
Crash Signature: [@ nsObjectLoadingContent::IsPluginEnabledForType(nsCString const&)] → [@ nsObjectLoadingContent::IsPluginEnabledForType(nsCString const&)] [@ nsObjectLoadingContent::IsPluginEnabledForType]
OS: Windows 7 → All
Hardware: x86 → All
Whiteboard: [native-crash]
Attached file: testcase (deleted)
Tap on the button to get the crash (it opens a new window, closes it, then changes the embed src of the closed window).
blocking-fennec1.0: --- → ?
Keywords: testcase
Attached patch: Patch for bug (deleted)
Thanks for the test case Martijn. This patch checks for null on the document's window object before dereferencing it for the top window.
Assignee: nobody → jwein
Status: NEW → ASSIGNED
Attachment #619082 - Flags: review?(joshmoz)
blocking-fennec1.0: ? → +
Attachment #619082 - Flags: review?(joshmoz) → review+
Whiteboard: [native-crash] → [native-crash][waiting on bug 750661]
Whiteboard: [native-crash][waiting on bug 750661] → [native-crash]
Comment on attachment 619082: Patch for bug

[Approval Request Comment]
Regression caused by (bug #): bug 711618
User impact if declined: hard to hit but easily reproducible crashes
Testing completed (on m-c, etc.): locally, just landed on mozilla-inbound
Risk to taking this patch (and alternatives if risky): none expected
String changes made by this patch: none
Attachment #619082 - Flags: approval-mozilla-aurora?
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment on attachment 619082: Patch for bug

Review of attachment 619082:
-----------------------------------------------------------------

::: content/base/src/nsObjectLoadingContent.cpp
@@ +528,1 @@
> NS_ENSURE_SUCCESS(rv, rv);

Shouldn't this line (NS_ENSURE_SUCCESS) be removed now?

It shouldn't be removed, it should actually have rv assigned to in the line above. Thanks for catching this.
Comment on attachment 619082: Patch for bug

[Triage Comment]
Less crashes, noble cause.
Attachment #619082 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Fixed the typo found in comment #7 on inbound (already made the change to the Aurora patch): https://hg.mozilla.org/integration/mozilla-inbound/rev/3be54da1aba4
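Added example, not part of the bug thread or the Mozilla patch: a stand-alone C++ model of the two defects discussed above, the missing null check on a closed window's document and the rv that was tested without being assigned. Window, Document, Result, ENSURE_SUCCESS and both TopWindow* functions are hypothetical stand-ins, and it is an assumption that the unassigned call was the top-window lookup.

```cpp
// Added illustration with stand-in types; none of this is Mozilla source.
#include <cstdint>
#include <cstdio>
using Result = uint32_t;                         // plays the role of nsresult
constexpr Result OK = 0, ERR_FAILURE = 1, ERR_NO_WINDOW = 2;
#define ENSURE_SUCCESS(rv, ret) do { if ((rv) != OK) return (ret); } while (0)

struct Window {
    Window* parent = nullptr;
    bool detached = false;                       // constructed failure condition
    Result GetTop(Window** out) {                // walk up to the outermost window
        *out = nullptr;
        if (detached) return ERR_FAILURE;
        Window* w = this;
        while (w->parent) w = w->parent;
        *out = w;
        return OK;
    }
};
struct Document {
    Window* window = nullptr;                    // null once the owning window is closed
    Window* GetWindow() const { return window; }
};

// The unguarded form, doc->GetWindow()->GetTop(top), reads through a null pointer
// for a closed window, matching the read at address 0x0 in the crash report.

// Null check present, but the call's result is dropped and a stale rv is tested.
Result TopWindowStaleRv(const Document* doc, Window** top) {
    Result rv = OK;                              // value left from earlier work
    Window* win = doc->GetWindow();
    if (!win) return ERR_NO_WINDOW;
    win->GetTop(top);                            // failure is silently ignored
    ENSURE_SUCCESS(rv, rv);                      // can never fire
    return OK;
}

// Null check plus rv assigned from the call it is meant to guard.
Result TopWindowChecked(const Document* doc, Window** top) {
    Window* win = doc->GetWindow();
    if (!win) return ERR_NO_WINDOW;
    Result rv = win->GetTop(top);
    ENSURE_SUCCESS(rv, rv);
    return OK;
}

int main() {                                     // constructed case: window already closed
    Document closed; Window* top = nullptr;
    std::printf("closed window -> %u\n", (unsigned)TopWindowChecked(&closed, &top));
}
```

The stale-rv variant reports success while handing back a null top window, which only moves the null dereference to the caller.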
Cannot reproduce the crash loading the test case on Nightly 2012-04-22, Nightly 2012-04-23, Nightly 2012-05-01. Any thoughts?
Did you have Plugins set to "Tap to Play" in your settings?
Sorry, I missed that. Able to see the crash on nightly 2012-04-23 with click_to_play pref set to true. Verified fixed on FF 14b8 on Win 7, Ubuntu 12.04 and Mac OS X 10.6.
Status: RESOLVED → VERIFIED
Whiteboard: [native-crash] → [native-crash][qa+:paul.silaghi]
Product: Core → Core Graveyard