The following testcase crashes on mozilla-central revision 20210103-89fef9703703 (debug build, run with --fuzzing-safe --ion-offthread-compile=off):

async function * f45() {}
f45().next().catch(error => {}).then();
const mainGlobal = this;
function Memory({global}) {}
Memory.prototype = {
  attach() {},
};
function startServerAndGetSelectedTabMemory() {
  let memory = new Memory({ global: mainGlobal });
  return Promise.resolve({ memory, client: 'fake client' });
}
(async function body() {
  let { memory, client } = await startServerAndGetSelectedTabMemory();
  await memory.attach();
  let alloc1, alloc2, alloc3;
    (function inner()  {
      alloc1.line = Error().lineNumber;
  }());
})().catch(e49 => {});
var g7 = newGlobal({newCompartment: true});
g7.parent = this;
g7.eval(`
  Debugger(parent).onEnterFrame = function(frame) {
    let v = frame.environment.getVariable('var0');
  };
`);

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555556d6f5ab in js::DebugEnvironmentProxy::initSnapshot(js::ArrayObject&) ()
#1  0x0000555556d727f5 in js::DebugEnvironments::takeFrameSnapshot(JSContext*, JS::Handle<js::DebugEnvironmentProxy*>, js::AbstractFramePtr) ()
#2  0x0000555556d73d9b in void js::DebugEnvironments::onPopGeneric<js::LexicalEnvironmentObject, js::LexicalScope>(JSContext*, js::EnvironmentIter const&) ()
#3  0x0000555556ba4dc3 in PopEnvironment(JSContext*, js::EnvironmentIter&) ()
#4  0x0000555556ba4a7b in js::UnwindEnvironment(JSContext*, js::EnvironmentIter&, unsigned char*) ()
#5  0x0000555556bbc692 in SettleOnTryNote(JSContext*, js::TryNote const*, js::EnvironmentIter&, js::InterpreterRegs&) ()
#6  0x0000555556b9efb8 in Interpret(JSContext*, js::RunState&) ()
#7  0x0000555556b8c118 in js::RunScript(JSContext*, js::RunState&) ()
#8  0x0000555556b9feb9 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#9  0x0000555556ba12a4 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) ()
#10 0x0000555556ba14e0 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) ()
#11 0x0000555556f6fdd0 in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) ()
#12 0x0000555556d0e6e8 in AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) ()
#13 0x0000555556de6033 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) ()
#14 0x0000555556ba0662 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
#15 0x0000555556b9ff1a in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#16 0x0000555556ba12a4 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) ()
#17 0x0000555556ba14e0 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) ()
#18 0x00005555571a65db in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) ()
#19 0x0000555556e75757 in js::InternalJobQueue::runJobs(JSContext*) ()
#20 0x0000555556e75343 in js::RunJobs(JSContext*) ()
#21 0x0000555556a26698 in RunShellJobs(JSContext*) ()
#22 0x0000555556a0f013 in Shell(JSContext*, js::cli::OptionParser*, char**) ()
#23 0x0000555556a081c9 in main ()
rax	0x555555875d77	93824995515767
rbx	0x166ce957a240	24657027113536
rcx	0x555557fed188	93825036898696
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffb5d0	140737488336336
rsp	0x7fffffffb5b0	140737488336304
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f998c0	140737353717952
r10	0x58	88
r11	0x7ffff6dac7a0	140737334921120
r12	0x555557f65cd8	93825036344536
r13	0x7ffff60fa3b8	140737321608120
r14	0x93c88501968	10155589638504
r15	0x7fffffffb640	140737488336448
rip	0x555556d6f5ab <js::DebugEnvironmentProxy::initSnapshot(js::ArrayObject&)+267>
=> 0x555556d6f5ab <_ZN2js21DebugEnvironmentProxy12initSnapshotERNS_11ArrayObjectE+267>:	movl   $0x982,0x0
   0x555556d6f5b6 <_ZN2js21DebugEnvironmentProxy12initSnapshotERNS_11ArrayObjectE+278>:	callq  0x555556a97b9a <abort>

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210103213448-89fef9703703.
The bug appears to have been introduced in the following build range:

Start: 0d70229022a8d4a730d0ea16d3ebebcd937b35e3 (20201015193216)
End: a502debc3c9778319f0f15d37e5b1fadd2b757ad (20201015193414)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=0d70229022a8d4a730d0ea16d3ebebcd937b35e3&tochange=a502debc3c9778319f0f15d37e5b1fadd2b757ad

Jason, could you look into this assertion could be possibly related to the bug fix you pushed back in Oct.

Reduced testcase

let g = newGlobal({newCompartment: true});
let d = new Debugger(g);

g.evaluate(`
  async function foo() {
    await Promise.resolve();
    await {};

    // Force CallObject
    let x;
    let y = () => x;
  }
  foo()
`)

d.onEnterFrame = function(frame) {
  frame.environment.getVariable('missing');
}

The assert fails looking for a CallObject, when it is perfectly reasonable for there to be a LexicalEnvironmentObject on the chain first. I'll update this.

When leaving a frame, we may need to snapshot frame values that debugger is
observing. At this time, the environment chain may still have the body
LexicalEnvironmentObject before the CallObject. This was tripping an assert
in initSnapshot that ensured if a snapshot already existed that the frame
was for a generator/async that may have already paused.

https://hg.mozilla.org/mozilla-central/rev/55d055106082

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210122043737-a6b9acc070e9.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.