This bug was filed from the Socorro interface and is report bp-fc1ef905-eef6-4f38-8272-0fd130170719. ============================================================= Called from mozilla::ScriptPreloader::CachedScript::Code<mozilla::loader::OutputBuffer>() Clear UAF, fairly frequent given it's appearing in 55bN and 56 https://crash-stats.mozilla.com/signature/?product=Firefox&version=56.0a1&version=55.0b&version=55.0b10&version=55.0b9&version=55.0b8&address=~e5e5&signature=memcpy%20%7C%20mozilla%3A%3Aloader%3A%3AOutputBuffer%3A%3AcodeString&date=%3E%3D2017-07-12T13%3A40%3A00.000Z&date=%3C2017-07-19T13%3A40%3A00.000Z&_columns=date&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=reason&_columns=address&_columns=install_time&_sort=-date&page=1

NI naveed for triage

This is probably a regression from Kris's preloader work.

The only way I can think of that this might happen is if we invalidate the startup cache (probably because of an extension installation) in the middle of a cache write operation, and free cached scripts before they're encoded. There's supposed to be locking to prevent that, but there are separate monitors for the cache write operation and ordinary cache manipulation, and the write thread only holds one of them.

Kris, will 1382329 help here?

Last crashes on crash-stats are from 55.0b12, which strongly supports this having been fixed by bug 1382329 (shipped in b13).