This bug was filed from the Socorro interface and is report bp-1ca1703e-dc74-48b1-b74e-106520170913. ============================================================= Low-volume crash in v57 that seems to be Stylo related. The first reported crash is from build 20170902100317: bp-674b7068-3b4c-4411-9d21-25c420170902 which has MOZ_CRASH Reason: MOZ_RELEASE_ASSERT(diff == regind * size) Another one bp-8ba4b078-b331-4eed-9428-d2d670170905 has: MOZ_CRASH Reason: MOZ_RELEASE_ASSERT((run->regs_mask[elm] & (1U << bit)) == 0) And this (bp-1ca1703e-dc74-48b1-b74e-106520170913) crashes at: https://hg.mozilla.org/mozilla-central/annotate/f9a5e9ed6210/memory/mozjemalloc/mozjemalloc.cpp#l3712 MOZ_DIAGNOSTIC_ASSERT(run->magic == ARENA_RUN_MAGIC); so I'm assuming it crashed on that assertion, although it didn't show up in the crash data for some reason. It looks like geckoservo::glue::Servo_StyleSet_Drop is trying to free an invalid pointer, or some other form of memory corruption. Stack: arena_dalloc_small Allocator<MozJemallocBase>::free(void*) HeapFree core::ptr::drop_in_place<smallvec::SmallVec<[style::stylist::Rule; 1]>> core::ptr::drop_in_place<style::stylist::CascadeData> geckoservo::glue::Servo_StyleSet_Drop mozilla::UniquePtr<RawServoStyleSet, mozilla::DefaultDelete<RawServoStyleSet> >::reset(RawServoStyleSet*) mozilla::StyleSetHandle::Ptr::Shutdown() mozilla::PresShell::Destroy() nsDocumentViewer::DestroyPresShell() nsDocumentViewer::Destroy() nsDocShell::Destroy() nsWebBrowser::SetDocShell(nsIDocShell*) nsWebBrowser::InternalDestroy() nsWebBrowser::Destroy() mozilla::dom::TabChild::DestroyWindow() ...

6 crashes from 4 installations in the last week, not sure this is worth tracking.

Bobby, since this looks stylo related, you might want to have someone take a look?

This looks to me like bug 1385925.

Mark as stylo related.

Resolving as a duplicate of drop_in_place bug 1385925 unless someone thinks this is different bug.

Been tracked in bug 1406996.