==51835==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x7f0cfffac978 bp 0x7ffe21758010 sp 0x7ffe21758010 T0)
==51835==The signal is caused by a READ memory access.
==51835==Hint: address points to the zero page.
    #0 0x7f0cfffac977 in get /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286:27
    #1 0x7f0cfffac977 in operator-> /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:316:12
    #2 0x7f0cfffac977 in nsINode::NodeType() const src/dom/base/nsINode.h:701:38
    #3 0x7f0d05f7c434 in IsComment src/dom/base/nsINode.h:585:35
    #4 0x7f0d05f7c434 in nsCSSFrameConstructor::IsValidSibling(nsIFrame*, nsIContent*, mozilla::Maybe<mozilla::StyleDisplay>&) src/layout/base/nsCSSFrameConstructor.cpp:5947:21
    #5 0x7f0d05f7cd77 in nsCSSFrameConstructor::AdjustSiblingFrame(nsIFrame*, nsIContent*, mozilla::Maybe<mozilla::StyleDisplay>&, nsCSSFrameConstructor::SiblingDirection) src/layout/base/nsCSSFrameConstructor.cpp:6113:8
    #6 0x7f0d060277c7 in operator() src/layout/base/nsCSSFrameConstructor.cpp:6019:12
    #7 0x7f0d060277c7 in nsIFrame* nsCSSFrameConstructor::FindSiblingInternal<(nsCSSFrameConstructor::SiblingDirection)1>(mozilla::dom::FlattenedChildIterator&, nsIContent*, mozilla::Maybe<mozilla::StyleDisplay>&) src/layout/base/nsCSSFrameConstructor.cpp:6064:31
    #8 0x7f0d05f7cfa3 in nsIFrame* nsCSSFrameConstructor::FindSibling<(nsCSSFrameConstructor::SiblingDirection)1>(mozilla::dom::FlattenedChildIterator const&, mozilla::Maybe<mozilla::StyleDisplay>&) src/layout/base/nsCSSFrameConstructor.cpp:6138:23
    #9 0x7f0d05f7d7cd in FindPreviousSibling src/layout/base/nsCSSFrameConstructor.cpp:6123:10
    #10 0x7f0d05f7d7cd in nsCSSFrameConstructor::GetInsertionPrevSibling(nsCSSFrameConstructor::InsertionPoint*, nsIContent*, bool*, bool*, nsIContent*, nsIContent*) src/layout/base/nsCSSFrameConstructor.cpp:6215:27
    #11 0x7f0d05f7e9b7 in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsCSSFrameConstructor::InsertionKind) src/layout/base/nsCSSFrameConstructor.cpp:6974:27
    #12 0x7f0d05f16d87 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) src/layout/base/RestyleManager.cpp:1482:25
    #13 0x7f0d05f2137c in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) src/layout/base/RestyleManager.cpp:3035:9
    #14 0x7f0d05ee1f51 in ProcessPendingRestyles src/layout/base/RestyleManager.cpp:3114:3
    #15 0x7f0d05ee1f51 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4202:39
    #16 0x7f0d0137d55d in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1443:5
    #17 0x7f0d0137d55d in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) src/dom/base/Document.cpp:10046:16
    #18 0x7f0d014e8d00 in mozilla::dom::Selection::ScrollIntoView(short, mozilla::ScrollAxis, mozilla::ScrollAxis, int) src/dom/base/Selection.cpp:2949:31
    #19 0x7f0d014f0e3b in mozilla::dom::Selection::ScrollSelectionIntoViewEvent::Run() src/dom/base/Selection.cpp:2882:14
    #20 0x7f0d05e6da2f in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:1941:13
    #21 0x7f0d05e7bff6 in TickDriver src/layout/base/nsRefreshDriver.cpp:373:13
    #22 0x7f0d05e7bff6 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:350:7
    #23 0x7f0d05e7bbf5 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:367:5
    #24 0x7f0d05e8b072 in RunRefreshDrivers src/layout/base/nsRefreshDriver.cpp:819:5
    #25 0x7f0d05e8b072 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:737:16
    #26 0x7f0d05e8a64f in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() src/layout/base/nsRefreshDriver.cpp:639:7
    #27 0x7f0d05e78fe2 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() src/layout/base/nsRefreshDriver.cpp:538:20
    #28 0x7f0cfd37ef95 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1234:14
    #29 0x7f0cfd389e8c in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:504:10
    #30 0x7f0cfe7149bf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:87:21
    #31 0x7f0cfe5f1867 in RunInternal src/ipc/chromium/src/base/message_loop.cc:316:10
    #32 0x7f0cfe5f1867 in RunHandler src/ipc/chromium/src/base/message_loop.cc:309:3
    #33 0x7f0cfe5f1867 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:291:3
    #34 0x7f0d059c65e8 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
    #35 0x7f0d09598cd6 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:913:20
    #36 0x7f0cfe5f1867 in RunInternal src/ipc/chromium/src/base/message_loop.cc:316:10
    #37 0x7f0cfe5f1867 in RunHandler src/ipc/chromium/src/base/message_loop.cc:309:3
    #38 0x7f0cfe5f1867 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:291:3
    #39 0x7f0d095982bf in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:744:34
    #40 0x556dee014bb3 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #41 0x556dee014bb3 in main src/browser/app/nsBrowserApp.cpp:303:18

A Pernosco session is available here: https://pernos.co/debug/9Whw_lLbh69SL9P_YtnqsQ/index.html

mozregression pointed me here: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=db78be8dbc1c81844eb7d35c1a3073078eb5d923&tochange=35aa0dde259f5f51c0aaf86935a54b8087c2e8c6

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20211002095048-1a7d94a7a1e6) but not with tip (mozilla-central 20220930214439-2d182255c548.)

The bug appears to have been fixed in the following build range:

Start: 4d1e93c629daa361f9acd60c1f4e2c594f3bd312 (20220922062700)
End: 4bfcb4ab080ffa3b69f831c840d1212e94fc7199 (20220922063009)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=4d1e93c629daa361f9acd60c1f4e2c594f3bd312&tochange=4bfcb4ab080ffa3b69f831c840d1212e94fc7199

tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Updated test case.

An updated Pernosco session is available here: https://pernos.co/debug/mL_S1w27VeRacyvOPyP9qQ/index.html

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20221011160345-75c1403f58f7.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 9b9f8bfe2625e0a57e733d03312f5cfee6527f57 (20211013034420)
End: 9b9f8bfe2625e0a57e733d03312f5cfee6527f57 (20211013034420)
BuildFlags: BuildFlags(asan=True, tsan=False, debug=False, fuzzing=False, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Testcase crashes using the initial build (mozilla-central 20211127092810-c4b3480996ec) but not with tip (mozilla-central 20221125214546-8b092cca2cab.)

Unable to bisect testcase (End build crashes!):

Start: c4b3480996ec9bdbea7040e5cb9e05215d9acb16 (20211127092810)
End: 8b092cca2cab001ed8d13fc83d17bdba39cffe0d (20221125214546)
BuildFlags: BuildFlags(asan=True, tsan=False, debug=False, fuzzing=False, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.