Created attachment 625619 [details] ASan log ASan reported heap-use-after-free, log is attached. Unfortunately no test-case at the moment. Version where bug was found: http://hg.mozilla.org/mozilla-central/rev/95437bcc43dc
Don't know how far we'll get without a testcase, but maybe bholley can spot something from the trace.
Maybe this is bug 751454? Fix just landed.
Created attachment 627566 [details] ASan log (cff5b4470690) I still see this bug on http://hg.mozilla.org/mozilla-central/rev/cff5b4470690
The bug is still on cf4face65451, but I am working on test-case - will provide it in a day or two.
Created attachment 632383 [details] test-case triggering the crash (*.zip) It is not that reliable - sometimes one have to wait for ~15 seconds until it crashes.
Confirmed this using today's daily m-c asan build ( https://firstname.lastname@example.org/try-linux64/ ).
This looks like another variant of bug 752340. With the assertion from that bug, this test case hits it immediately. With the assertion and the fix in place, it doesn't seem to crash, even after a minute or so.