Closed Bug 852370 Opened 12 years ago Closed 12 years ago

100% reproducible crash nsXPConnect::GetXPConnect after a few seconds

Categories

(Core :: XPConnect, defect)

x86_64
Linux
defect
Not set
blocker

Tracking


RESOLVED INVALID
Tracking Status
firefox20 --- unaffected
firefox21 --- unaffected
firefox22 --- affected
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: MatsPalmgren_bugz, Unassigned)

Details

Local mozilla-inbound debug build (rev 68621375dec1) on Linux64.

STEPS TO REPRODUCE
1. start Firefox with a fresh profile
2. wait a few seconds

ACTUAL RESULTS
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffe4e4c700 (LWP 18284)]
nsXPConnect::GetXPConnect () at js/xpconnect/src/nsXPConnect.cpp:139
139         MOZ_CRASH();
(gdb) bt
#0  nsXPConnect::GetXPConnect () at js/xpconnect/src/nsXPConnect.cpp:139
#1  0x00007ffff2ffc94d in nsXPConnect::GetRuntimeInstance () at js/xpconnect/src/nsXPConnect.cpp:241
#2  0x00007ffff3b40b69 in mozilla::dom::HTMLCollectionBinding::DOMProxyHandler::finalize (this=0x7ffff66cc270, fop=0x7fffe4e4bcc0, proxy=(JSObject *) 0x7fffcefb0300 [object Proxy]) at dom/bindings/HTMLCollectionBinding.cpp:639
#3  0x00007ffff4c3bfbc in proxy_Finalize (fop=0x7fffe4e4bcc0, obj=(js::RawObject) 0x7fffcefb0300 [object Proxy]) at js/src/jsproxy.cpp:3040
#4  0x00007ffff4b08747 in finalize (this=(JSObject *) 0x7fffcefb0300 [object Proxy], fop=0x7fffe4e4bcc0) at js/src/jsobjinlines.h:245
#5  js::gc::Arena::finalize<JSObject> (this=0x7fffcefb0000, fop=0x7fffe4e4bcc0, thingKind=js::gc::FINALIZE_OBJECT4_BACKGROUND, thingSize=64) at js/src/jsgc.cpp:354
#6  0x00007ffff4afc6eb in FinalizeTypedArenas (fop=0x7fffe4e4bcc0, src=0x7fffe4e4bc20, dest=..., thingKind=js::gc::FINALIZE_OBJECT4_BACKGROUND, budget=...) at js/src/jsgc.cpp:418
#7  0x00007ffff4ad5dff in FinalizeArenas (fop=0x7fffe4e4bcc0, src=0x7fffe4e4bc20, dest=..., thingKind=js::gc::FINALIZE_OBJECT4_BACKGROUND, budget=...) at js/src/jsgc.cpp:455
#8  0x00007ffff4ad5a71 in js::gc::ArenaLists::backgroundFinalize (fop=0x7fffe4e4bcc0, listHead=0x7fffcef2c000, onBackgroundThread=true) at js/src/jsgc.cpp:1396
#9  0x00007ffff4adc8b7 in SweepBackgroundThings (rt=0x7fffe51da000, onBackgroundThread=true) at js/src/jsgc.cpp:2208
#10 0x00007ffff4adb614 in js::GCHelperThread::doSweep (this=0x7fffe51daec8) at js/src/jsgc.cpp:2490
#11 0x00007ffff4adb3a3 in js::GCHelperThread::threadLoop (this=0x7fffe51daec8) at js/src/jsgc.cpp:2334
#12 0x00007ffff4adb2e7 in js::GCHelperThread::threadMain (arg=0x7fffe51daec8) at js/src/jsgc.cpp:2313
#13 0x00007ffff7eb9f82 in _pt_root (arg=0x7ffff6c49be0) at nsprpub/pr/src/pthreads/ptthread.c:191
#14 0x00007ffff7bc4e9a in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#15 0x00007ffff6ed8cbd in clone () from /lib/x86_64-linux-gnu/libc.so.6
#16 0x0000000000000000 in ?? ()
(gdb) list
134     {
135         // Do a release-mode assert that we're not doing anything significant in
136         // XPConnect off the main thread. If you're an extension developer hitting
137         // this, you need to change your code. See bug 716167.
138         if (!MOZ_LIKELY(NS_IsMainThread() || NS_IsCycleCollectorThread()))
139             MOZ_CRASH();
140
141         if (!gSelf) {
142             if (gOnceAliveNowDead)
143                 return nullptr;
(gdb)
I'd guess the regression occurred in last 24h or so...
Keywords: crash, regression
Background finalization is triggering a DOM finalizer somehow. I would guess it is a DOM issue? Did somebody change proxy finalization recently? I looked at the function, and it just seemed like a one-liner.
This seems potentially quite bad so I'm going to mark it s-s for now...
Group: core-security
This cset appears to work:
changeset: 125150:09f72f45a0b7
date: Sun Mar 17 12:45:03 2013 -0700
summary: Merge the last PGO-green mozilla-inbound cset to mozilla-central
> thingKind=js::gc::FINALIZE_OBJECT4_BACKGROUND

That should so not happen for DOM proxies...
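The main-thread guard quoted in the gdb listing of comment 0 and the thingKind observation above, modelled as an added C++ example that is not Mozilla code: a DOM-proxy-style finalizer that reaches into a main-thread-only singleton is swept correctly when classified as foreground, and trips the guard when it lands in a background-finalized kind, as in the backtrace. FinalizeKind, GcThing, Sweep and the throw in place of MOZ_CRASH() are hypothetical stand-ins for SpiderMonkey's arena kinds and helper thread.

```cpp
// Added example (not Mozilla code): models the main-thread guard from
// nsXPConnect::GetXPConnect and why a DOM proxy swept on the background
// GC thread trips it. All names are hypothetical.
#include <functional>
#include <stdexcept>
#include <thread>
#include <vector>
// The thread running static initialisation is treated as the main thread.
static const std::thread::id gMainThread = std::this_thread::get_id();
static bool IsMainThread() { return std::this_thread::get_id() == gMainThread; }
// Stand-in for GetXPConnect(): release-mode affinity check. Throws instead
// of MOZ_CRASH() so callers can observe the violation.
struct XPConnect {}; static XPConnect gXPConnect;
XPConnect* GetXPConnect() {
  if (!IsMainThread()) throw std::logic_error("XPConnect used off the main thread");
  return &gXPConnect;
}
// A GC thing records which sweep phase may run its finalizer.
enum class FinalizeKind { Foreground, Background };
struct GcThing { FinalizeKind kind; std::function<void()> finalize; };
// A DOM proxy finalizer reaches into XPConnect, so it must be foreground-only.
GcThing MakeDomProxy(FinalizeKind k) { return { k, [] { (void)GetXPConnect(); } }; }
// Sweep: foreground kinds finalize on the calling (main) thread, background
// kinds on a helper thread like js::GCHelperThread::doSweep. Returns false
// if any finalizer hit the affinity guard.
bool Sweep(std::vector<GcThing>& things) {
  bool ok = true;
  std::vector<GcThing*> background;
  for (auto& t : things) {
    if (t.kind == FinalizeKind::Background) background.push_back(&t);
    else t.finalize();
  }
  std::thread helper([&] {
    for (auto* t : background) {
      try { t->finalize(); } catch (const std::logic_error&) { ok = false; }
    }
  });
  helper.join();
  return ok;
}
// Correct classification: the proxy is swept on the main thread.
bool SweepCorrectlyClassified() {
  std::vector<GcThing> v{ MakeDomProxy(FinalizeKind::Foreground) };
  return Sweep(v);
}
// The bug's shape: a proxy in a *_BACKGROUND arena, as in the backtrace.
bool SweepMisclassified() {
  std::vector<GcThing> v{ MakeDomProxy(FinalizeKind::Background) };
  return Sweep(v);
}
```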
Probably bug 841801. In retrospect, someone else should have reviewed the last patch in that series.
Wait a minute. This looks exactly like some very recent bustage on inbound. https://tbpl.mozilla.org/?tree=Mozilla-Inbound&rev=49ca6a3ef0b6 Mats, can you update to a tree that passes tests and try again? I'm guessing this is nothing.
Flags: needinfo?(matspal)
You're right, rev cbe09ce5f9ed appears to be working. Sorry for the false alarm.
No longer blocks: 841801
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: needinfo?(matspal)
Resolution: --- → INVALID
Better safe than sorry. :)
Group: core-security