With the stack trace below, it first showed up in 24.0a1/20130615. The regression range is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b197bed90a98&tochange=3d16d59c9317 Signature js::types::TypeSet::hasType(js::types::Type) More Reports Search UUID 9da3791b-ed06-4052-bee1-235d62130617 Date Processed 2013-06-17 19:57:46 Uptime 15 Last Crash 34 seconds before submission Install Age 15 seconds since version was first installed. Install Time 2013-06-17 19:57:25 Product Firefox Version 24.0a1 Build ID 20130617031112 Release Channel nightly OS Windows NT OS Version 6.1.7601 Service Pack 1 Build Architecture x86 Build Architecture Info GenuineIntel family 6 model 23 stepping 10 Crash Reason EXCEPTION_ACCESS_VIOLATION_READ Crash Address 0x56a1 App Notes AdapterVendorID: 0x10de, AdapterDeviceID: 0x0de0, AdapterSubsysID: 00000000, AdapterDriverVersion: 9.18.13.1407 D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ Processor Notes sp-processor05_phx1_mozilla_com_25008:2012 EMCheckCompatibility True Adapter Vendor ID 0x10de Adapter Device ID 0x0de0 Total Virtual Memory 4294836224 Available Virtual Memory 3673063424 System Memory Use Percentage 36 Available Page File 6777159680 Available Physical Memory 2732924928 Frame Module Signature Source 0 mozjs.dll js::types::TypeSet::hasType js/src/jsinferinlines.h:1318 1 mozjs.dll js::CreateThisForFunctionWithProto js/src/jsobj.cpp:1556 2 mozjs.dll js::ion::CreateThisForFunctionWithProtoWrapper js/src/ion/CodeGenerator.cpp:3106 3 mozjs.dll js::CloneFunctionObject js/src/jsfun.cpp:1550 4 mozjs.dll js::Lambda js/src/vm/Interpreter.cpp:3200 5 @0xffffff82 More reports at: https://crash-stats.mozilla.com/report/list?signature=js%3A%3Atypes%3A%3ATypeSet%3A%3AhasType%28js%3A%3Atypes%3A%3AType%29

It's #4 top browser crasher in today's build.

CCing :naveed to see if he can help find an assignee here and see if anything in the regression range could be an obvious bug ?

Total Count URL 183 https://www.facebook.com/ 74 http://www.facebook.com/ 61 about:blank 28 https://www.facebook.com/?ref=tn_tnmn 23 https://www.facebook.com/login.php?login_attempt=1 15 https://adwords.google.com/o/Targeting/Explorer?__c=1000000000&__u=1000000000&ideaRequestType=KEYWORD_IDEAS 12 http://www.facebook.com/?ref=tn_tnmn 10 http://www.google.co.in/ 8 about:newtab

It accounts for 6% of crashes over the last three builds. Tracy, can you provide URLs only for 24.0a1 because crashes with this signature in previous versions are unrelated?

The URL's provided previously were what crash-stats gave me for 24. Here's an updated list: Total Count URL 239 https://www.facebook.com/ 92 about:blank 72 http://www.facebook.com/ 36 https://adwords.google.com/o/Targeting/Explorer?__c=1000000000&__u=1000000000&ideaRequestType=KEYWORD_IDEAS 35 https://ssl.gstatic.com/orkut/ads/gen/afci007.html#google_ad_width=300&google_ad_height=250&google_image_size=300x250&google_ad_format=300x250_as_new&google_color_border=ffffff&google_color_bg=ffffff&google_color_text=000000&google_color_link=3767be&googl 35 http://www.orkut.com.br/Main#Home 27 https://www.facebook.com/?ref=tn_tnmn 25 https://www.facebook.com/login.php?login_attempt=1 12 https://www.cmb.fr/banque/assurance/credit-mutuel/web/yc_8462/prive 12 http://www.orkut.co.in/Main#Home 12 http://www.facebook.com/?ref=tn_tnmn 11 https://www.google.com/adsense/app#home 9 https://www.google.com/adsense/app

STR Open URL Regression window(m-i) Good: http://hg.mozilla.org/integration/mozilla-inbound/rev/18c1fd169792 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130614 Firefox/24.0 ID:20130614031707 Crash: http://hg.mozilla.org/integration/mozilla-inbound/rev/ce43d28276e4 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130614 Firefox/24.0 ID:20130614045911 Pushlog http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=18c1fd169792&tochange=ce43d28276e4 Regressed by : Bug 678037

I think this will fix these crashes, there is an incorrect use of nonLazyScript() on that stack.

It was #4 top browser crasher in 24.0a1. An uplift to Aurora would be fine before 24.0a2 is released.

For some reasons, there are no crashes with this signature after 24.0a2/201360626 and I can't reproduce it in Aurora with the ref. URL. The working range is: http://hg.mozilla.org/releases/mozilla-aurora/pushloghtml?fromchange=17666746e8cc&tochange=67b0221cbd69 Is it indirectly fixed by bug 886660?

(In reply to Scoobidiver from comment #11) > For some reasons, there are no crashes with this signature after > 24.0a2/201360626 and I can't reproduce it in Aurora with the ref. URL. The > working range is: > http://hg.mozilla.org/releases/mozilla-aurora/ > pushloghtml?fromchange=17666746e8cc&tochange=67b0221cbd69 > Is it indirectly fixed by bug 886660? Fixed window (aurora) Bad: http://hg.mozilla.org/releases/mozilla-aurora/rev/67b0221cbd69 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130626 Firefox/24.0 ID:20130626140739 Good: http://hg.mozilla.org/releases/mozilla-aurora/rev/d5940f917a9a Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130626 Firefox/24.0 ID:20130626180956 Fixed pushlog: http://hg.mozilla.org/releases/mozilla-aurora/pushloghtml?fromchange=67b0221cbd69&tochange=d5940f917a9a I guess; Fixed by: dbba940275aa Kannan Vijayan — Bug 883973 - Disable heavyweight function inlining. r=dvander, a=bajaj

Do you still want to uplift the null check based on comment 12?

(In reply to Scoobidiver from comment #13) > Do you still want to uplift the null check based on comment 12? I think if the signature is no longer crashing then the uplift shouldn't be needed.

Marking as fixed in 24.0 per comment 12.

Mozilla/5.0 (Windows NT 5.1; rv:24.0) Gecko/20100101 Firefox/24.0 Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Firefox/24.0 Unable to crash Firefox 24 beta 8 (buildID: 20130902131354) and latest Nightly (buildID: 20130903030201). Still a few crashes in Socorro in Firefox 24 beta 7, but less and less with each beta. I think there is safe to call this verified fixed. https://crash-stats.mozilla.com/report/list?product=Firefox&range_value=7&range_unit=days&date=2013-09-03&signature=js%3A%3Atypes%3A%3ATypeSet%3A%3AhasType%28js%3A%3Atypes%3A%3AType%29&version=Firefox%3A24.0b7