Closed Bug 850741 Opened 12 years ago Closed 12 years ago

crash in js::AutoMaybeTouchDeadZones::AutoMaybeTouchDeadZones

Categories

(Core :: XPConnect, defect)

Version: 22 Branch
Type: defect
Priority: Not set
Severity: critical

Tracking


RESOLVED DUPLICATE of bug 852436
Tracking Status
firefox21 --- unaffected
firefox22 + fixed

People

(Reporter: scoobidiver, Assigned: billm)

References


Details

(Keywords: crash, regression, topcrash)

It first showed up in 22.0a1/20130313. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=7433bc4545c9&tochange=c1a5c44ae3d8

Signature js::AutoMaybeTouchDeadZones::AutoMaybeTouchDeadZones(JSObject*)
UUID 6ee26d13-1a08-4f84-a97b-a31002130313
Date Processed 2013-03-13 16:37:35
Uptime 1390
Last Crash 2.8 hours before submission
Install Age 2.5 hours since version was first installed.
Install Time 2013-03-13 14:06:59
Product Firefox
Version 22.0a1
Build ID 20130313031041
Release Channel nightly
OS Windows NT
OS Version 6.1.7601 Service Pack 1
Build Architecture x86
Build Architecture Info AuthenticAMD family 16 model 6 stepping 3
Crash Reason EXCEPTION_ACCESS_VIOLATION_READ
Crash Address 0x0
App Notes AdapterVendorID: 0x1002, AdapterDeviceID: 0x9553, AdapterSubsysID: 10731462, AdapterDriverVersion: 8.930.0.0 D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+
Processor Notes sp-processor10.phx1.mozilla.com_25440:2008
EMCheckCompatibility True
Adapter Vendor ID 0x1002
Adapter Device ID 0x9553
Total Virtual Memory 4294836224
Available Virtual Memory 3254460416
System Memory Use Percentage 76
Available Page File 660520960
Available Physical Memory 1023672320

Frame Module Signature Source
0 mozjs.dll js::AutoMaybeTouchDeadZones::AutoMaybeTouchDeadZones js/src/jsgc.cpp:4951
1 xul.dll XPCWrappedNative::GetNewOrUsed js/xpconnect/src/XPCWrappedNative.cpp:514
2 xul.dll XPCWrappedNative::GetNewOrUsed js/xpconnect/src/XPCWrappedNative.cpp:534
3 xul.dll XPCConvert::NativeInterface2JSObject js/xpconnect/src/XPCConvert.cpp:925
4 xul.dll XPCConvert::NativeData2JS js/xpconnect/src/XPCConvert.cpp:323
5 xul.dll XPC_WN_GetterSetter js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1465
6 mozjs.dll js::InvokeKernel js/src/jsinterp.cpp:383
7 mozjs.dll js::Invoke js/src/jsinterp.cpp:430
8 mozjs.dll js::BaseProxyHandler::get js/src/jsproxy.cpp:163
9 xul.dll xpc::XrayWrapper<js::CrossCompartmentWrapper,xpc::XPCWrappedNativeXrayTraits>::g js/xpconnect/wrappers/XrayWrapper.cpp:1720
10 mozjs.dll js::Proxy::get js/src/jsproxy.cpp:2476
11 mozjs.dll proxy_GetGeneric js/src/jsproxy.cpp:2806
12 mozjs.dll js::GetPropertyOperation js/src/jsinterpinlines.h:292
13 mozjs.dll js::Interpret js/src/jsinterp.cpp:2211
14 mozjs.dll js::RunScript js/src/jsinterp.cpp:332
15 mozjs.dll js::InvokeKernel js/src/jsinterp.cpp:397
16 mozjs.dll js::Invoke js/src/jsinterp.cpp:430
17 mozjs.dll JS_CallFunctionValue js/src/jsapi.cpp:5714
18 xul.dll nsXPCWrappedJSClass::CallMethod js/xpconnect/src/XPCWrappedJSClass.cpp:1433
19 xul.dll nsXPCWrappedJS::CallMethod js/xpconnect/src/XPCWrappedJS.cpp:578
20 xul.dll PrepareAndDispatch xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:85
21 xul.dll SharedStub xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:112
22 xul.dll nsObserverService::NotifyObservers xpcom/ds/nsObserverService.cpp:161

More reports at: https://crash-stats.mozilla.com/report/list?signature=js%3A%3AAutoMaybeTouchDeadZones%3A%3AAutoMaybeTouchDeadZones%28JSObject*%29
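Crash-stats frame tables are usually pasted into bug comments as one run-together line, which makes it hard to see the things triage cares about: the crashing frame, the first caller outside the JS engine, and re-entered functions. The following parser is an added example written for this page, not code from the bug or from Mozilla's tooling. It assumes the frame-table layout shown above (index, module, signature, path:line) and uses the 23-frame stack from the report as constructed sample input; frame 9's signature is left truncated exactly as the report shows it.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the frame table from the crash report above, in the
# run-together form a crash-stats paste produces. Frame 9 is truncated in the
# report itself ("...::g") and is kept that way here.
SAMPLE_STACK = (
    "Frame Module Signature Source "
    "0 mozjs.dll js::AutoMaybeTouchDeadZones::AutoMaybeTouchDeadZones js/src/jsgc.cpp:4951 "
    "1 xul.dll XPCWrappedNative::GetNewOrUsed js/xpconnect/src/XPCWrappedNative.cpp:514 "
    "2 xul.dll XPCWrappedNative::GetNewOrUsed js/xpconnect/src/XPCWrappedNative.cpp:534 "
    "3 xul.dll XPCConvert::NativeInterface2JSObject js/xpconnect/src/XPCConvert.cpp:925 "
    "4 xul.dll XPCConvert::NativeData2JS js/xpconnect/src/XPCConvert.cpp:323 "
    "5 xul.dll XPC_WN_GetterSetter js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1465 "
    "6 mozjs.dll js::InvokeKernel js/src/jsinterp.cpp:383 "
    "7 mozjs.dll js::Invoke js/src/jsinterp.cpp:430 "
    "8 mozjs.dll js::BaseProxyHandler::get js/src/jsproxy.cpp:163 "
    "9 xul.dll xpc::XrayWrapper<js::CrossCompartmentWrapper,xpc::XPCWrappedNativeXrayTraits>::g "
    "js/xpconnect/wrappers/XrayWrapper.cpp:1720 "
    "10 mozjs.dll js::Proxy::get js/src/jsproxy.cpp:2476 "
    "11 mozjs.dll proxy_GetGeneric js/src/jsproxy.cpp:2806 "
    "12 mozjs.dll js::GetPropertyOperation js/src/jsinterpinlines.h:292 "
    "13 mozjs.dll js::Interpret js/src/jsinterp.cpp:2211 "
    "14 mozjs.dll js::RunScript js/src/jsinterp.cpp:332 "
    "15 mozjs.dll js::InvokeKernel js/src/jsinterp.cpp:397 "
    "16 mozjs.dll js::Invoke js/src/jsinterp.cpp:430 "
    "17 mozjs.dll JS_CallFunctionValue js/src/jsapi.cpp:5714 "
    "18 xul.dll nsXPCWrappedJSClass::CallMethod js/xpconnect/src/XPCWrappedJSClass.cpp:1433 "
    "19 xul.dll nsXPCWrappedJS::CallMethod js/xpconnect/src/XPCWrappedJS.cpp:578 "
    "20 xul.dll PrepareAndDispatch xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:85 "
    "21 xul.dll SharedStub xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:112 "
    "22 xul.dll nsObserverService::NotifyObservers xpcom/ds/nsObserverService.cpp:161"
)

# A source token is a path with an optional ":line" suffix; C++ signatures contain
# "::" or "<", which this character class rejects, so they are never mistaken for one.
SOURCE_RE = re.compile(r"^(?P<file>[\w.\-/\\]+)(?::(?P<line>\d+))?$")


@dataclass
class Frame:
    index: int
    module: str
    signature: str
    source_file: Optional[str] = None
    line: Optional[int] = None


def _as_source(token: str) -> Optional[Tuple[str, Optional[int]]]:
    """Return (path, line) if the token looks like a source location, else None."""
    m = SOURCE_RE.match(token)
    if not m:
        return None
    path = m.group("file")
    if "/" not in path and "\\" not in path and "." not in path:
        return None  # a bare identifier, not a file
    line = m.group("line")
    return path, (int(line) if line is not None else None)


def parse_frames(text: str) -> List[Frame]:
    """Parse a crash-stats frame table, whether line-separated or run together."""
    tokens = text.split()
    header = ["Frame", "Module", "Signature", "Source"]
    for i in range(len(tokens) - len(header) + 1):
        if tokens[i:i + len(header)] == header:
            tokens = tokens[i + len(header):]
            break
    # Frames are numbered consecutively from 0, so the next expected index marks a boundary.
    groups: List[List[str]] = []
    expected = 0
    for tok in tokens:
        if tok == str(expected):
            groups.append([])
            expected += 1
        elif groups:
            groups[-1].append(tok)
    frames: List[Frame] = []
    for idx, g in enumerate(groups):
        if not g:
            continue
        module, rest = g[0], g[1:]
        src = _as_source(rest[-1]) if len(rest) >= 2 else None
        if src is not None:
            frames.append(Frame(idx, module, " ".join(rest[:-1]), src[0], src[1]))
        else:
            frames.append(Frame(idx, module, " ".join(rest)))
    return frames


def first_frame_in_module(frames: List[Frame], module: str) -> Optional[Frame]:
    """First frame belonging to the given module (e.g. the first xul.dll caller)."""
    return next((f for f in frames if f.module == module), None)


def caller_of(frames: List[Frame], signature: str) -> Optional[Frame]:
    """Frame directly above the first frame with this signature, i.e. its caller."""
    for pos, f in enumerate(frames):
        if f.signature == signature and pos + 1 < len(frames):
            return frames[pos + 1]
    return None


def repeated_signatures(frames: List[Frame]) -> List[Tuple[str, int]]:
    """Signatures that occur more than once, in order of first appearance (re-entry hints)."""
    counts: Dict[str, int] = {}
    for f in frames:
        counts[f.signature] = counts.get(f.signature, 0) + 1
    return [(s, n) for s, n in counts.items() if n > 1]


if __name__ == "__main__":
    fr = parse_frames(SAMPLE_STACK)
    print("crashing frame:", fr[0].signature, f"{fr[0].source_file}:{fr[0].line}")
    c = caller_of(fr, fr[0].signature)
    print("called from:", c.signature, f"{c.source_file}:{c.line}")
    print("re-entered:", repeated_signatures(fr))
```

On the sample stack the parser reports the crash in `js::AutoMaybeTouchDeadZones::AutoMaybeTouchDeadZones` called from `XPCWrappedNative::GetNewOrUsed` at XPCWrappedNative.cpp:514, and flags `XPCWrappedNative::GetNewOrUsed` as appearing twice (frames 1 and 2), which is the re-entry through the second call that the later analysis in this bug discusses.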
OS: Windows 7 → All
Blocks: 749655
Crash Signature: [@ js::AutoMaybeTouchDeadZones::AutoMaybeTouchDeadZones(JSObject*)] → [@ js::AutoMaybeTouchDeadZones::AutoMaybeTouchDeadZones(JSObject*)] [@ XPCWrappedNative::GetNewOrUsed(XPCCallContext&, xpcObjectHelper&, XPCWrappedNativeScope*, XPCNativeInterface*, XPCWrappedNative**) ]
It's #2 top browser crasher in today's build.
Keywords: topcrash
Assignee: general → nobody
Component: JavaScript Engine → XPConnect
Bill added AutoMaybeTouchDeadZone, maybe he can make at least an initial analysis here.
Looks like a null deref. The parent argument we're passing in from XPCWrappedNative::GetNewOrUsed appears to be null. That's a little weird. The parent comes directly from a WN scope's global object, which I wouldn't expect to be null. Bobby, can you take a look? It looks like you landed some stuff in the regression range, and you understand this code much better.
He just landed some tests. ;)
So. I would guess that the _initial_ XPCWrappedNativeScope is valid, because it comes from here: http://hg.mozilla.org/mozilla-central/annotate/c1a5c44ae3d8/js/xpconnect/src/XPCConvert.cpp#l818 We pull it off the object's compartment's private _and_ null-check to boot. And XPCWrappedNativeScope is never deleted until the global is finalized, which means that we wouldn't even have the object in the first place. So I would posit that the scope and its global are alive modulo memory corruption or GC hazards. However, in XPCWrappedNative::GetNewOrUsed, we invoke PreCreate, and then appear to run into the |parent != plannedParent| code. This means that the PreCreate hook decided to use a different parent, so we reinvoke XPCWrappedNative::GetNewOrUsed with the scope pulled off that parent object. But this is weird, because we have a presumably non-null object returned from precreate, which has a scope, but whose scope has no global. This would imply that the PreCreate hook here is returning something nasty. Bill, what's the deal with this stuff about PreCreate touching dead compartments? That sounds...suspicious.
Flags: needinfo?(wmccloskey)
Assignee: nobody → wmccloskey
We like to have tracked bugs assigned, although it's unclear whether this will end up falling on Bill or Bobby.
Crash Signature: [@ js::AutoMaybeTouchDeadZones::AutoMaybeTouchDeadZones(JSObject*)] [@ XPCWrappedNative::GetNewOrUsed(XPCCallContext&, xpcObjectHelper&, XPCWrappedNativeScope*, XPCNativeInterface*, XPCWrappedNative**) ] → [@ js::AutoMaybeTouchDeadZones::AutoMaybeTouchDeadZones(JSObject*)] [@ js::AutoMaybeTouchDeadZones::AutoMaybeTouchDeadZones ] [@ XPCWrappedNative::GetNewOrUsed(XPCCallContext&, xpcObjectHelper&, XPCWrappedNativeScope*, XPCNativeInterface*, XPCWrappedNat…
Crashes have stopped since 22.0a1/20130318.
Flags: needinfo?(wmccloskey)
I hit this 100% of the time trying to go into http://glitchnap.com/zumbie/ as a "shooter" on Google Nexus 4 with today's nightly (3-28) -- adding QA to see if they can also repro this.
I'm hoping this is a dupe of bug 852436. That fix should be in tomorrow's nightly. Could you please re-test after that?
Flags: needinfo?(lsblakk)
No longer crashing - resolving.
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: needinfo?(lsblakk)
Resolution: --- → WORKSFORME
Resolution: WORKSFORME → DUPLICATE
I'm assuming QAWANTED can be dropped given comment 11. Please re-add if there's some QA help needed here.
Keywords: qawanted