This signature shows up in the performance profile for Gmail in bug 1371668 comment 0, with 11ms self-time, which seems a bit much just for some assertions: http://searchfox.org/mozilla-central/rev/17ebac68112bd635b458e831670c1e506ebc17ad/layout/painting/FrameLayerBuilder.cpp#308 I'm guessing it's the hashtable lookup for "sAliveDisplayItemDatas->Contains" that is costly. We might want to consider putting these assertions in an #ifdef so that they are only enabled in beta/nightly, not release builds? It seems we have a large collection of crashes already. (bug 1344579, bug 1337802, bug 1141089, bug 1134771, bug 1265776) Or are these assertions a wallpaper to avoid continuing and doing potentially exploitable things?

Morris, looks like you added these runtime assertions in https://hg.mozilla.org/mozilla-central/rev/1fda2d8db390699bdaae1a4ff36cf823a24e204f#l3.12 Can you comment on this? (or mattwoodrow, as reviewer of that changeset?) Per comment 0, they're taking up 11ms of time while loading Gmail (in one performance profile) -- do we need to be running them?

(In reply to Mats Palmgren (vacation - back in August) from comment #0) > Or are these assertions a wallpaper to avoid continuing and doing > potentially exploitable things? This one. They look up the pointer in a hashtable of 'alive' objects and return nullptr if not found, so it prevents UAF. This is pretty sad, but we've had multiple people investigate and we still can't find STR or the actual underlying issue.