The attached testcase causes a Null-deref crash in mozilla-central rev d4b3146a5567 with layout.css.grid-template-subgrid-value.enabled ==7630==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f3e7dcfc17e bp 0x7ffc85423b10 sp 0x7ffc85423af0 T0) #0 0x7f3e7dcfc17d in InvalidArrayIndex_CRASH(unsigned long, unsigned long) /home/worker/workspace/build/src/xpcom/glue/nsTArray.cpp:35:3 #1 0x7f3e84be0402 in ElementAt /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1172:7 #2 0x7f3e84be0402 in operator[] /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1201 #3 0x7f3e84be0402 in MinSizingFor /home/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:1266 #4 0x7f3e84be0402 in nsGridContainerFrame::Tracks::Initialize(nsGridContainerFrame::TrackSizingFunctions const&, nsStyleCoord const&, unsigned int, int) /home/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:3678 #5 0x7f3e84bdf665 in nsGridContainerFrame::GridReflowInput::CalculateTrackSizes(nsGridContainerFrame::Grid const&, mozilla::LogicalSize&, SizingConstraint) /home/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:2574:3 #6 0x7f3e84c0997e in nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, unsigned int&) /home/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:6133:5 #7 0x7f3e84acb30d in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, unsigned int&, mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:306:3 #8 0x7f3e84abfdbc in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3429:7 #9 0x7f3e84ab3876 in ReflowLine /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2798:5

->Layout