STR: 1. Open groups.google.com 2. Crash tested using the Nightly m-c build 6/13/2013 cset: https://hg.mozilla.org/mozilla-central/rev/3d16d59c9317 Crash first noted in hourly build based on: cset: https://hg.mozilla.org/mozilla-central/rev/05d9196b27a1 Also, could be related. Open google.com search for anything Note: The 'search tools' button and the 'more' drop-box does not do anything Also in the Error Console2 when first opening the google.com page this error is shown: Sat Jun 15 2013 09:53:03 Error: SyntaxError: syntax error Source file: https://www.google.com/xjs/_/js/k=xjs.s.en_US.O4F8cgGsAy8.O/m=c,sb,cr,cdos,jp,vm,tbui,mb,wobnm,cfm,abd,bihu,kp,lu,imap,m,tnv,amcl,erh,hv,lc,ob,r,rsn,sf,sfa,shb,tbpr,hsm,j,p,pcc,csi/am=yA/rt=j/d=1/sv=1/rs=AItRSTPY0jHO6XVcz2PUe3NXdFrIdXxEMg Line: 1360, Column: 60 Source code: f)&&/(\\?|&)adurl=/.test(c.href)&&!/(\\?|&)q=/.test(c.href))/(\\?|&)rct=j/.test(c.href)||(e+="&rct=j"),/(\\?|&)q=/.test(

The Syntax error problem is a different regression range, See 883523. Regression window for the crash is as follows Regression window(m-i) Good: http://hg.mozilla.org/integration/mozilla-inbound/rev/52c875b9c520 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130613 Firefox/24.0 ID:20130614015908 Bad: http://hg.mozilla.org/integration/mozilla-inbound/rev/18c1fd169792 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130614 Firefox/24.0 ID:20130614031707 Pushlog: http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=52c875b9c520&tochange=18c1fd169792 Regressed by: 18c1fd169792 Nicholas D. Matsakis — Bug 880208 - Add UnsafeGet and UnsafeGetImmutable intrinsics r=djvj

Unfortunately, m-i tinderbox build a8e3d80187d1 did not fix the crash.... a8e3d80187d1 Gary Kwong — Backout rev 18c1fd169792 for causing issues with the fuzzers. r=luke in-person

The regression range is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b197bed90a98&tochange=3d16d59c9317

In a debug build, on the google groups page, I get the assertion: Assertion failure: hasScript(), at /Users/amccreight/mz/cent/js/src/jsfun.h:237 The stack is: AnalyzeNewScriptProperties(JSContext*, js::types::TypeObject*, JS::Handle<JSFunction*>, NewScriptPropertiesState&) + 3421 CheckNewScriptProperties(JSContext*, JS::Handle<js::types::TypeObject*>, JS::Handle<JSFunction*>) + 236 JSCompartment::getNewType(JSContext*, js::Class*, js::TaggedProto, JSFunction*) + 603 js::CreateThisForFunctionWithProto(JSContext*, JS::Handle<JSObject*>, JSObject*, js::NewObjectKind) + 89

This is definitely due to bug 678037. There is a place where we assume a function doesn't have a lazy script when in fact it might.

Pushing this ahead of review to fix the crashes; this patch is simple. https://hg.mozilla.org/integration/mozilla-inbound/rev/6c897b8852ab

I can confirm that the m-i build with this patch does fix the crash on groups.google.com win7 x64 32bit hourly m-i cset: https://hg.mozilla.org/integration/mozilla-inbound/rev/6c897b8852ab

https://hg.mozilla.org/mozilla-central/rev/6c897b8852ab Should this have a test?

Haven't had a crash on this yet after 6/15

Verified as fixed on FF 24b6 using Windows 7 x64, Mac OS 10.7.5 and Ubuntu 13.04 BuildID: 20130826142034