Found while fuzzing m-c 20210526-4973f32229d6 (--enable-address-sanitizer --enable-fuzzing)

#0 0x7f87aa17d855 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:256:3
#1 0x7f87aa17d855 in InvalidArrayIndex_CRASH(unsigned long, unsigned long) /gecko/xpcom/ds/nsTArray.cpp:28:3
#2 0x7f87b5808815 in mozilla::a11y::LocalAccessible** nsTArray_Impl<mozilla::a11y::LocalAccessible*, nsTArrayInfallibleAllocator>::InsertElementAtInternal<nsTArrayInfallibleAllocator, mozilla::a11y::LocalAccessible*&>(unsigned long, mozilla::a11y::LocalAccessible*&) /builds/worker/workspace/obj-build/dist/include/nsTArray.h:2596:5
#3 0x7f87b57e681e in InsertElementAt<mozilla::a11y::LocalAccessible *&> /builds/worker/workspace/obj-build/dist/include/nsTArray.h:2873:24
#4 0x7f87b57e681e in mozilla::a11y::LocalAccessible::InsertChildAt(unsigned int, mozilla::a11y::LocalAccessible*) /gecko/accessible/generic/LocalAccessible.cpp:2267:15
#5 0x7f87b57d6993 in mozilla::a11y::DocAccessible::DoARIAOwnsRelocation(mozilla::a11y::LocalAccessible*) /gecko/accessible/generic/DocAccessible.cpp:2372:19
#6 0x7f87b5772f09 in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) /gecko/accessible/base/NotificationController.cpp:828:18
#7 0x7f87b234c8f9 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /gecko/layout/base/nsRefreshDriver.cpp:2195:12
#8 0x7f87b2359327 in TickDriver /gecko/layout/base/nsRefreshDriver.cpp:346:13
#9 0x7f87b2359327 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /gecko/layout/base/nsRefreshDriver.cpp:324:7
#10 0x7f87b235908d in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /gecko/layout/base/nsRefreshDriver.cpp:340:5
#11 0x7f87b2358e15 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /gecko/layout/base/nsRefreshDriver.cpp:773:5
#12 0x7f87b235841f in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /gecko/layout/base/nsRefreshDriver.cpp:702:16
#13 0x7f87b23579d9 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /gecko/layout/base/nsRefreshDriver.cpp:615:7
#14 0x7f87b2357151 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /gecko/layout/base/nsRefreshDriver.cpp:536:9
#15 0x7f87b15b21e7 in mozilla::dom::VsyncChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /gecko/dom/ipc/VsyncChild.cpp:68:15
#16 0x7f87ac05396c in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:178:54
#17 0x7f87abc89cee in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6061:32
#18 0x7f87ab6cbf0a in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /gecko/ipc/glue/MessageChannel.cpp:2155:25
#19 0x7f87ab6c8638 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /gecko/ipc/glue/MessageChannel.cpp:2079:9
#20 0x7f87ab6c9f95 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /gecko/ipc/glue/MessageChannel.cpp:1924:3
#21 0x7f87ab6caafb in mozilla::ipc::MessageChannel::MessageTask::Run() /gecko/ipc/glue/MessageChannel.cpp:1955:13
#22 0x7f87aa52ffd2 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:482:16
#23 0x7f87aa4fc9f0 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:766:26
#24 0x7f87aa4fa4f7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:621:15
#25 0x7f87aa4fa94d in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:405:36
#26 0x7f87aa53a011 in operator() /gecko/xpcom/threads/TaskController.cpp:138:37
#27 0x7f87aa53a011 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /gecko/xpcom/threads/nsThreadUtils.h:534:5
#28 0x7f87aa517348 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1159:16
#29 0x7f87aa5220fc in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:548:10
#30 0x7f87ab6d368f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:85:21
#31 0x7f87ab5db741 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:335:10
#32 0x7f87ab5db741 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:328:3
#33 0x7f87ab5db741 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:310:3
#34 0x7f87b1e66f47 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
#35 0x7f87b60af60f in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:911:20
#36 0x7f87ab5db741 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:335:10
#37 0x7f87ab5db741 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:328:3
#38 0x7f87ab5db741 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:310:3
#39 0x7f87b60aefe8 in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:743:34
#40 0x55cb4ed4074d in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#41 0x55cb4ed40b7d in main /gecko/browser/app/nsBrowserApp.cpp:313:18
#42 0x7f87cbd730b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#43 0x55cb4ec91a49 in _start (/home/worker/builds/m-c-20210527092758-fuzzing-asan-opt/firefox+0x5ba49)

A Pernosco session is available here: https://pernos.co/debug/2bqn8YhxYxeb7fNGFGmYug/index.html

Bugmon Analysis:
Unable to reproduce bug using the following builds:

mozilla-central 20210527212801-5d03a9d6cb8a
mozilla-central 20210526160253-4973f32229d6
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Since the crash volume is low (less than 5 per week), the severity is downgraded to S3. Feel free to change it back if you think the bug is still critical.

For more information, please visit auto_nag documentation.

Bugmon was unable reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.