As suggested by Peter Cherriman (https://launchpad.net/~pjcherriman) in comment: 

https://launchpad.net/ubuntu/+source/firefox/+bug/77859/comments/3

I've installed the firefox-dbg package (ie, debug symbols), and regenerated the core dump and run gdb over it.  Like him I see:

nsPasswordManager::AttachToInput (this=0x89f6368,  aElement=0x0) at nsPasswordManager.cpp:1962

as the topmost item on the stack prior to the signal handler being invoked, so I too suspect that aElement=0x0 is somehow involved in the segmentation fault.

Full gdb backtrace follows.

Ewen

-=- cut here -=-
ewen@wat:/var/tmp$ ulimit -c unlimited
ewen@wat:/var/tmp$ firefox &
[1] 26943
ewen@wat:/var/tmp$ 
[1]+  Segmentation fault      (core dumped) firefox
ewen@wat:/var/tmp$ ls -l core*
-rw------- 1 ewen ewen 55312384 2007-01-06 12:38 core.26943
ewen@wat:/var/tmp$ gdb /usr/lib/firefox/firefox-bin core.26943
GNU gdb 6.4-debian
Copyright 2005 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...Using host libthread_db library "/
lib/tls/i686/cmov/libthread_db.so.1".

Core was generated by `/usr/lib/firefox/firefox-bin -a firefox'.
Program terminated with signal 11, Segmentation fault.

warning: Can't read pathname for load map: Input/output error.
Reading symbols from /usr/lib/firefox/libmozjs.so...Reading symbols from /usr/li
b/debug/usr/lib/firefox/libmozjs.so...done.
done.
[....]
Loaded symbols for /usr/lib/firefox/components/libnkgnomevfs.so
#0  0xffffe410 in __kernel_vsyscall ()
(gdb) bt
#0  0xffffe410 in __kernel_vsyscall ()
#1  0xb7d8d790 in raise () from /lib/tls/i686/cmov/libpthread.so.0
#2  0x08055e0b in nsProfileLock::FatalSignalHandler (signo=-1210510412)
    at nsProfileLock.cpp:206
#3  <signal handler called>
#4  0xb67e65cc in nsPasswordManager::AttachToInput (this=0x89f6368, 
    aElement=0x0) at nsPasswordManager.cpp:1962
#5  0xb67e7724 in nsPasswordManager::OnStateChange (this=0x89f6368, 
    aWebProgress=0x86a6cec, aRequest=0x86939b4, aStateFlags=131088, aStatus=0)
    at nsPasswordManager.cpp:948
#6  0xb5dd3e62 in nsDocLoader::FireOnStateChange (this=0x8205c88, 
    aProgress=0x86a6cec, aRequest=0x86939b4, aStateFlags=131088, aStatus=0)
    at nsDocLoader.cpp:1210
#7  0xb5dd3ea0 in nsDocLoader::FireOnStateChange (this=0x835a5b8, 
    aProgress=0x86a6cec, aRequest=0x86939b4, aStateFlags=131088, aStatus=0)
    at nsDocLoader.cpp:1217
#8  0xb5dd3ea0 in nsDocLoader::FireOnStateChange (this=0x86a6cd8, 
    aProgress=0x86a6cec, aRequest=0x86939b4, aStateFlags=131088, aStatus=0)
    at nsDocLoader.cpp:1217
#9  0xb5dd423b in nsDocLoader::doStopDocumentLoad (this=0x86a6cd8, 
    request=0x86939b4, aStatus=0) at nsDocLoader.cpp:833
#10 0xb5dd4313 in nsDocLoader::DocLoaderIsEmpty (this=0x86a6cd8)
    at nsDocLoader.cpp:739
#11 0xb5dd45df in nsDocLoader::OnStopRequest (this=0x86a6cd8, 
    aRequest=0x890d118, aCtxt=0x0, aStatus=0) at nsDocLoader.cpp:662
#12 0xb723ae35 in nsLoadGroup::RemoveRequest (this=0x86a6740, 
    request=0x890d118, ctxt=0x0, aStatus=0) at nsLoadGroup.cpp:732
#13 0xb56c0c6e in nsDocument::UnblockOnload (this=0x88ff600)
    at nsDocument.cpp:5015
#14 0xb56e256a in DestroyImagePLEvent (aEvent=0x8a09438)
    at nsImageLoadingContent.cpp:668
#15 0xb7e40351 in PL_DestroyEvent (self=0x8a09438) at plevent.c:727
#16 0xb7e403bd in PL_HandleEvent (self=0x8a09438) at plevent.c:699
#17 0xb7e40b2e in PL_ProcessPendingEvents (self=0x80d3758) at plevent.c:623
#18 0xb7e41ed0 in nsEventQueueImpl::ProcessPendingEvents (this=0x80d3710)
    at nsEventQueue.cpp:417
#19 0xb68a3449 in event_processor_callback (source=0x8312d28, 
    condition=G_IO_IN, data=0x0) at nsAppShell.cpp:67
#20 0xb77bc52c in g_vasprintf () from /usr/lib/libglib-2.0.so.0
#21 0xb77958d6 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#22 0xb7798996 in g_main_context_check () from /usr/lib/libglib-2.0.so.0
#23 0xb7798cb8 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#24 0xb7bc7765 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#25 0xb68a38da in nsAppShell::Run (this=0x814e778) at nsAppShell.cpp:139
#26 0xb67c33d2 in nsAppStartup::Run (this=0x814e738) at nsAppStartup.cpp:150
#27 0x0804f321 in XRE_main (argc=3, argv=0xbf82acf4, aAppData=0x80595e0)
    at nsAppRunner.cpp:2380
#28 0x0804abe4 in main (argc=0, argv=0x0) at nsBrowserApp.cpp:61
#29 0xb752bea2 in __libc_start_main () from /lib/tls/i686/cmov/libc.so.6
#30 0x0804ab31 in _start () at ../sysdeps/i386/elf/start.S:119
(gdb) 
-=- cut here -=-