Landing bug 1317223 exposed a heap-use-after-free asan error inside libpref. That bug is a JS-only patch so shouldn't be able to cause such an error, so my assumption is that the patch is triggering an existing edge-case.

The crash happens when calling nsIPrefBranch::resetBranch(). It reports the use after free at https://dxr.mozilla.org/mozilla-central/rev/d29f84406483c721a13cf9a52936ecced0c5c98a/modules/libpref/prefapi.cpp#1009 while the free is at https://dxr.mozilla.org/mozilla-central/rev/d29f84406483c721a13cf9a52936ecced0c5c98a/modules/libpref/nsPrefBranch.cpp#847.

Bug 1317223 is landing with xpcshell tests disabled in asan builds, so to reproduce this, you will need to remove the "skip-if = asan" in services/sync/tests/unit/xpcshell.ini and push to try. Note that using artifact builds on try apparently *does not* trigger the crash, but a full build does.

Attached is one such asan report.