nsCSSFrameConstructor::ContentAppended null-checks its arg aContainer before using it in most cases, e.g.: > #ifdef MOZ_XUL > if (aContainer) { > int32_t namespaceID; > nsIAtom* tag = > mDocument->BindingManager()->ResolveTag(aContainer, &namespaceID); https://dxr.mozilla.org/mozilla-central/rev/45692c884fdd5136a64fb2f8a61a0c8183b69331/layout/base/nsCSSFrameConstructor.cpp#7484-7488 But there's one recently-added check where it does not null-check: > bool isNewlyAddedContentForServo = aContainer->IsStyledByServo() && > !aForReconstruction; https://dxr.mozilla.org/mozilla-central/rev/45692c884fdd5136a64fb2f8a61a0c8183b69331/layout/base/nsCSSFrameConstructor.cpp#7503-7504 We should probably add a null-check there for consistency. (Or, alternately, we should remove all the old null-checks and add an assertion that the arg must be non-null. From a quick skim of the callsites, it seems like all of the callers already ensure/assume the arg is non-null.)