Closed Bug 1344429 Opened 8 years ago Closed 8 years ago

use-after-poison in [@ GetRowSpanForNewCell]

Categories

(Core :: Layout: Tables, defect)

defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 1344628
Tracking Status
firefox54 --- affected

People

(Reporter: tsmith, Assigned: neerja)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-framepoisoning, testcase)

Attachments

(2 files)

Attached file log.txt
Found in mozilla-inbound: 20170303-c1bec4529e08

May not be s-s but marking as such to be safe.

==5533==ERROR: AddressSanitizer: use-after-poison on address 0x625000c4a440 at pc 0x7ff034daeb2b bp 0x7ffd54582390 sp 0x7ffd54582388
READ of size 8 at 0x625000c4a440 thread T0
    #0 0x7ff034daeb2a in GetRowSpanForNewCell /home/worker/workspace/build/src/layout/tables/nsCellMap.cpp:1973:21
    #1 0x7ff034daeb2a in nsCellMap::AppendCell(nsTableCellMap&, nsTableCellFrame*, int, bool, int, mozilla::TableArea&, int*) /home/worker/workspace/build/src/layout/tables/nsCellMap.cpp:1420
    #2 0x7ff034db0f78 in nsCellMap::RebuildConsideringRows(nsTableCellMap&, int, nsTArray<nsTableRowFrame*>*, int) /home/worker/workspace/build/src/layout/tables/nsCellMap.cpp:2172:9
    #3 0x7ff034db09d5 in nsTableCellMap::RebuildConsideringRows(nsCellMap*, int, nsTArray<nsTableRowFrame*>*, int, mozilla::TableArea&) /home/worker/workspace/build/src/layout/tables/nsCellMap.cpp:681:7
    #4 0x7ff034dac8c9 in nsTableCellMap::InsertRows(nsTableRowGroupFrame*, nsTArray<nsTableRowFrame*>&, int, bool, mozilla::TableArea&) /home/worker/workspace/build/src/layout/tables/nsCellMap.cpp:480:7
    #5 0x7ff034dd6a29 in nsTableFrame::InsertRows(nsTableRowGroupFrame*, nsTArray<nsTableRowFrame*>&, int, bool) /home/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:922:5
    #6 0x7ff034e41ff5 in nsTableRowGroupFrame::InsertFrames(mozilla::layout::FrameChildListID, nsIFrame*, nsFrameList&) /home/worker/workspace/build/src/layout/tables/nsTableRowGroupFrame.cpp:1594:5
    #7 0x7ff034909e2d in InsertFrames /home/worker/workspace/build/src/layout/base/nsFrameManager.cpp:493:5
    #8 0x7ff034909e2d in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsIContent*, nsILayoutHistoryState*, bool) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:8267
    #9 0x7ff0348ff4f6 in ContentInserted /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7679:10
    #10 0x7ff0348ff4f6 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, bool, nsCSSFrameConstructor::RemoveFlags, nsIContent**) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:9773
Attached file test_case.html
Flags: in-testsuite?
Seems like it requires ASAN to reproduce...
Possibly related to bug 1344808, also rowspan-related.
See Also: → 1344808
er, [row|col]-span-related.
Assignee: nobody → npancholi
Severity: normal → critical
Keywords: crash
I believe this is a regression from bug 1285874 -- at least, I can reproduce an "AddressSanitizer: use-after-poison" in an ASAN build from that bug's commit:
https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=85613fa0c5fe&filter-searchStr=asan%20Bo

...but not from the previous commit:
https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=ae20c5a91d7b&filter-searchStr=asan%20Bo

(For the record: to download these linux ASAN builds from those ^^ treeherder pages, click the green "Bo", and then the "Job Details" tab at the bottom, and then "target.tar.bz2". This will get slightly more straightforward once bug 1286018 is addressed -- then Job Details will be the default view, I think.)

Also, this testcase crashes for me in a (recent) normal Nightly build on Linux (with a fresh profile), so despite comment 2, I don't think it actually requires ASAN to reproduce. [I suspect that in Comment 2, dbaron may have been testing using a build that didn't have bug 1285874's patches yet.]
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Group: layout-core-security