I ran into this while porting the patch for bug 1670358.

In the patch on that bug, the code added to handle conditional reallocations is mixing up types and performing double-casting.
Since the original bug is s-s I'm marking this the same; I don't know if this is a severe issue since the involved types are all just pointers, but I'd still want to draw attention to it because it's obviously wrong.

At https://hg.mozilla.org/mozilla-central/file/7e223284a9225c66b590aaad671c7448d1ff0b57/xpcom/ds/nsTArray-inl.h#l262 ptr is defined as void*, but https://hg.mozilla.org/mozilla-central/file/7e223284a9225c66b590aaad671c7448d1ff0b57/xpcom/ds/nsTArray-inl.h#l266 assigns a Header* type result to it (to use in RelocateNonOverlappingRegionWithHeader) with a cast. So there's a type mismatch there.

Further, after going through that conditional block, it's cast to Header* yet again at https://hg.mozilla.org/mozilla-central/file/7e223284a9225c66b590aaad671c7448d1ff0b57/xpcom/ds/nsTArray-inl.h#l283.
The Reallocation code block doesn't do this, and for that the type handling and casting is correct.

I think this has been a small oversight when copying the code from the grow function to the shrink function.

This gives the pointer to the new header the type |Header*| and renames the
pointer and size to newHeader and newSize for clarity.

This is not security-sensitive.

https://hg.mozilla.org/mozilla-central/rev/70858e3aab9c

Is there a user-facing issue here which would require backporting this fix to affected branches or can this fix ride the trains?

(In reply to Ryan VanderMeulen [:RyanVM] from comment #5)

Is there a user-facing issue here which would require backporting this fix to affected branches or can this fix ride the trains?

No user facing issue here, this can ride the trains.