Closed Bug 1418503 Opened 8 years ago Closed 7 years ago

AddressSanitizer: heap-buffer-overflow [@ Equals | nsInlineFrame::UpdateStyleOfOwnedAnonBoxesForIBSplit] with READ of size 8

Categories

(Core :: Layout, defect)

Type: defect
Priority: Not set
Severity: critical

Tracking


RESOLVED DUPLICATE of bug 1419762
Tracking Status
firefox-esr52 --- unaffected
firefox57 --- unaffected
firefox58 - affected
firefox59 - affected

People

(Reporter: truber, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, crash, testcase)

Attachments

(2 files)

Attached file testcase.html
The attached testcase crashes in m-c rev 20171117-36cad9c45551.

==30243==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000770068 at pc 0x7f52ac4a6717 bp 0x7ffcfb529190 sp 0x7ffcfb529188
READ of size 8 at 0x603000770068 thread T0 (file:// Content)
    #0 0x7f52ac4a6716 in Equals /builds/worker/workspace/build/src/layout/base/FrameProperties.h:399:16
    #1 0x7f52ac4a6716 in IndexOf<const mozilla::FramePropertyDescriptorUntyped *, mozilla::FrameProperties::PropertyComparator> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1190
    #2 0x7f52ac4a6716 in GetInternal /builds/worker/workspace/build/src/layout/base/FrameProperties.h:413
    #3 0x7f52ac4a6716 in Get<nsContainerFrame> /builds/worker/workspace/build/src/layout/base/FrameProperties.h:235
    #4 0x7f52ac4a6716 in GetProperty<nsContainerFrame> /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:3574
    #5 0x7f52ac4a6716 in nsInlineFrame::UpdateStyleOfOwnedAnonBoxesForIBSplit(mozilla::ServoRestyleState&) /builds/worker/workspace/build/src/layout/generic/nsInlineFrame.cpp:988
    #6 0x7f52ac3b21e0 in nsIFrame::DoUpdateStyleOfOwnedAnonBoxes(mozilla::ServoRestyleState&) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:11107:42
    #7 0x7f52ac0d53b2 in UpdateStyleOfOwnedAnonBoxes /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:3387:7
    #8 0x7f52ac0d53b2 in mozilla::ServoRestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ServoStyleContext*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:910
    #9 0x7f52ac0d5a1d in mozilla::ServoRestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ServoStyleContext*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:953:32
    #10 0x7f52ac0d8b7f in mozilla::ServoRestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:1142:28
    #11 0x7f52ac09571e in ProcessPendingRestyles /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:1235:3
    #12 0x7f52ac09571e in ProcessPendingRestyles /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RestyleManagerInlines.h:44
    #13 0x7f52ac09571e in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4220
Flags: in-testsuite?
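The ASan report is the only crash artifact this bug carries, and the bug title is the usual condensed form of it. As an added example (not part of this bug, and not Mozilla's own crash-triage tooling), the Python below parses a report in that format, records the access kind and size, counts the frames that share the faulting pc (the inlined helpers), and derives a title-style signature. The second signature frame is chosen by this example's own heuristic, the first frame that lives in a .cpp rather than in an inlined header, which is an assumption and not the rule the reporter's tooling used. The sample log is constructed from the frames quoted above.

```python
"""Hypothetical ASan report triage helper (added example, not Mozilla tooling)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the first frames of the report quoted in this bug, one per line.
SAMPLE_ASAN_LOG = """\
==30243==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000770068 at pc 0x7f52ac4a6717 bp 0x7ffcfb529190 sp 0x7ffcfb529188
READ of size 8 at 0x603000770068 thread T0 (file:// Content)
    #0 0x7f52ac4a6716 in Equals /builds/worker/workspace/build/src/layout/base/FrameProperties.h:399:16
    #1 0x7f52ac4a6716 in IndexOf<const mozilla::FramePropertyDescriptorUntyped *, mozilla::FrameProperties::PropertyComparator> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1190
    #2 0x7f52ac4a6716 in GetInternal /builds/worker/workspace/build/src/layout/base/FrameProperties.h:413
    #3 0x7f52ac4a6716 in Get<nsContainerFrame> /builds/worker/workspace/build/src/layout/base/FrameProperties.h:235
    #4 0x7f52ac4a6716 in GetProperty<nsContainerFrame> /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:3574
    #5 0x7f52ac4a6716 in nsInlineFrame::UpdateStyleOfOwnedAnonBoxesForIBSplit(mozilla::ServoRestyleState&) /builds/worker/workspace/build/src/layout/generic/nsInlineFrame.cpp:988
    #6 0x7f52ac3b21e0 in nsIFrame::DoUpdateStyleOfOwnedAnonBoxes(mozilla::ServoRestyleState&) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:11107:42
"""

HEADER_RE = re.compile(
    r"==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address 0x(?P<addr>[0-9a-f]+) at pc 0x(?P<pc>[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<access>READ|WRITE) of size (?P<size>\d+) at 0x[0-9a-f]+ thread (?P<thread>T\d+)")
# Function names may contain spaces (template args); the location is the last whitespace-free token.
FRAME_RE = re.compile(r"^\s*#(?P<idx>\d+)\s+0x(?P<pc>[0-9a-f]+)\s+in\s+(?P<func>.+?)\s+(?P<loc>\S+)$")


@dataclass
class Frame:
    index: int
    pc: int
    func: str            # symbol as printed, including template/parameter lists
    file: str            # source path without the :line:col suffix
    line: Optional[int]


@dataclass
class AsanReport:
    kind: str
    address: int
    access: Optional[str] = None
    size: Optional[int] = None
    thread: Optional[str] = None
    frames: List[Frame] = field(default_factory=list)


def bare_name(func: str) -> str:
    """Drop parameter list and template args: 'Get<nsContainerFrame>' -> 'Get'."""
    cut = len(func)
    for ch in "(<":
        pos = func.find(ch)
        if pos != -1:
            cut = min(cut, pos)
    return func[:cut]


def parse_asan_report(text: str) -> AsanReport:
    """Parse the ERROR banner, the access line and the primary stack of an ASan report."""
    report = None
    for raw in text.splitlines():
        m = HEADER_RE.search(raw)
        if m and report is None:
            report = AsanReport(kind=m["kind"], address=int(m["addr"], 16))
            continue
        if report is None:
            continue  # ignore anything printed before the ERROR banner
        m = ACCESS_RE.match(raw)
        if m:
            report.access, report.size, report.thread = m["access"], int(m["size"]), m["thread"]
            continue
        m = FRAME_RE.match(raw)
        if m:
            path, _, rest = m["loc"].partition(":")
            line = int(rest.split(":")[0]) if rest[:1].isdigit() else None
            report.frames.append(Frame(int(m["idx"]), int(m["pc"], 16), m["func"], path, line))
        elif report.frames:
            break  # first non-frame line after the stack ends the primary trace
    if report is None:
        raise ValueError("no AddressSanitizer ERROR banner found")
    return report


def inlined_frame_count(report: AsanReport) -> int:
    """Frames that share the top frame's pc were inlined into the same instruction."""
    n = 0
    for f in report.frames:
        if f.pc != report.frames[0].pc:
            break
        n += 1
    return n


def signature(report: AsanReport) -> str:
    """Top frame plus the first frame in a .cpp file (this example's own heuristic)."""
    if not report.frames:
        return "[@ ??]"
    parts = [bare_name(report.frames[0].func)]
    for f in report.frames[1:]:
        if f.file.endswith(".cpp"):
            parts.append(bare_name(f.func))
            break
    return "[@ " + " | ".join(parts) + "]"


if __name__ == "__main__":
    rep = parse_asan_report(SAMPLE_ASAN_LOG)
    print(rep.kind, rep.access, "of size", rep.size, "in thread", rep.thread)
    print(signature(rep), "with", inlined_frame_count(rep), "frames inlined at the faulting pc")
```

Frames #0 through #5 carry the same pc, so the access, the comparator and the property lookup are one inlined instruction sequence inside UpdateStyleOfOwnedAnonBoxesForIBSplit; that is why the header-file frames are skipped when naming the second component of the signature.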
Attached file asan_log.txt
Full asan log.
Also hits this assertion in debug:

Assertion failure: nextInline (There is always a trailing inline in an IB split), at /builds/worker/workspace/build/src/layout/generic/nsInlineFrame.cpp:989
#0: nsInlineFrame::UpdateStyleOfOwnedAnonBoxesForIBSplit, at layout/generic/nsInlineFrame.cpp:945
#1: nsIFrame::DoUpdateStyleOfOwnedAnonBoxes, at layout/generic/nsFrame.cpp:11108
#2: mozilla::ServoRestyleManager::ProcessPostTraversal, at layout/generic/nsIFrame.h:3387
#3: mozilla::ServoRestyleManager::ProcessPostTraversal, at layout/base/ServoRestyleManager.cpp:953
#4: mozilla::ServoRestyleManager::DoProcessPendingRestyles, at layout/base/ServoRestyleManager.cpp:1142
#5: mozilla::PresShell::DoFlushPendingNotifications, at layout/base/PresShell.cpp:4220
INFO: Last good revision: 78be743420f1baa228dee39b59aeb4dc36505d5c
INFO: First bad revision: 2ff9e05a7dfe7298e718a734ed3472cf0b611c86
INFO: Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=78be743420f1baa228dee39b59aeb4dc36505d5c&tochange=2ff9e05a7dfe7298e718a734ed3472cf0b611c86
Blocks: 1415152
Has Regression Range: --- → yes
I suspect this is effectively the same as bug 1419762, which is long-standing and awaiting review. The AdjustAppendForAfter thing was just wallpapering what I think is the root cause of this. Leaving ni? because I can't check it right now, will do tomorrow.
Flags: needinfo?(emilio)
Meh, I'm weak and just checked. This is indeed fixed by the patch over bug 1419762. Let's see if someone comes around and reviews it :)
Depends on: 1419762
Flags: needinfo?(emilio)
Track 58-/59- for now, feel free to nominate again if it's sec-high/critical.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Group: layout-core-security