Most likely introduced through: https://bugzilla.mozilla.org/show_bug.cgi?id=915524 mfbt/PodOperations.h:101 PodCopy(T* dst, const T* src, size_t nelem) { MOZ_ASSERT(dst != src); MOZ_ASSERT_IF(src < dst, PointerRangeSize(src, static_cast<const T*>(dst)) >= nelem); MOZ_ASSERT_IF(dst < src, PointerRangeSize(static_cast<const T*>(dst), src) >= nelem); if (nelem < 128) { /* * Avoid using operator= in this loop, as it may have been * intentionally deleted by the POD type. */ for (const T* srcend = src + nelem; src < srcend; src++, dst++) PodAssign(dst, src); } else { * memcpy(dst, src, nelem * sizeof(T)); } [...] Tested with https://hg.mozilla.org/integration/mozilla-inbound/rev/e56e8fbacb7c

Setting this to sec-critical because we are crashing in memcpy(). - unaware about what kind of data and size we are using.

So, is this caused by bug 915524?

Well, the stack says yes! Maire, who should own this?

(In reply to :Ehsan Akhgari (needinfo? me!) from comment #4) > Well, the stack says yes! > > Maire, who should own this? I'm not sure yet, but I'll find an owner quickly.

Landed just the fix. I'll land the reduced testcase in attachment 810958 [details] [diff] [review] in a few days. https://hg.mozilla.org/integration/mozilla-inbound/rev/d976524b8774

fixed in https://hg.mozilla.org/mozilla-central/rev/d976524b8774

Confirmed crash in FF27 2013-09-25. Verified fixed in FF27 2013-10-07.