Found while fuzzing m-c 20220527-cf40e7b79bb1 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Hit MOZ_CRASH(bug: reference to existing task must be allocated by now) at gfx/wr/webrender/src/render_task_graph.rs:516

#0 0x7fd5514b5b20 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
#1 0x7fd5514b5b20 in RustMozCrash /gecko/mozglue/static/rust/wrappers.cpp:18:3
#2 0x7fd5514b5146 in mozglue_static::panic_hook::h3395d9151612f644 /gecko/mozglue/static/rust/lib.rs:91:9
#3 0x7fd5514b4675 in core::ops::function::Fn::call::h123068b42f5e1fd5 /builds/worker/fetches/rust/library/core/src/ops/function.rs:70:5
#4 0x7fd5544b50ff in std::panicking::rust_panic_with_hook::hd4b01d10d132fdc5 (/home/worker/builds/m-c-20220526213638-fuzzing-asan-opt/libxul.so+0x1f9c50ff) (BuildId: b05f0f4c3fbfd054bfe22ca68f86c5d708a380b0)
#5 0x7fd54fdf7f27 in std::panicking::begin_panic::_$u7b$$u7b$closure$u7d$$u7d$::h1ea5b98200a98b5c /builds/worker/fetches/rust/library/std/src/panicking.rs:617:9
#6 0x7fd54fd2e2c9 in std::sys_common::backtrace::__rust_end_short_backtrace::h0a6fddfca1d3bd0d /builds/worker/fetches/rust/library/std/src/sys_common/backtrace.rs:138:18
#7 0x7fd53d10dd7b in std::panicking::begin_panic::h52232d6b91ec9c9b /builds/worker/fetches/rust/library/std/src/panicking.rs:616:12
#8 0x7fd54fc74c1f in webrender::render_task_graph::RenderTaskGraphBuilder::end_frame::h5ded59d1f0feec88 /gecko/gfx/wr/webrender/src/render_task_graph.rs:516:33
#9 0x7fd54f9b9bc6 in webrender::frame_builder::FrameBuilder::build::hcfa5b96003584445 /gecko/gfx/wr/webrender/src/frame_builder.rs:553:28
#10 0x7fd54fbd97d5 in webrender::render_backend::Document::build_frame::h87fa01162ec1d431 /gecko/gfx/wr/webrender/src/render_backend.rs:498:25
#11 0x7fd54fc2228c in webrender::render_backend::RenderBackend::update_document::h13d5187f36caf6aa /gecko/gfx/wr/webrender/src/render_backend.rs:1389:41
#12 0x7fd54fbfe31b in webrender::render_backend::RenderBackend::prepare_transactions::hd2ded8a4ff5d6f6d /gecko/gfx/wr/webrender/src/render_backend.rs:1239:28
#13 0x7fd54fbfe31b in webrender::render_backend::RenderBackend::process_api_msg::hf61670111c454cad /gecko/gfx/wr/webrender/src/render_backend.rs:1092:17
#14 0x7fd54fd22ca6 in webrender::render_backend::RenderBackend::run::haa9cb2ae0d343428 /gecko/gfx/wr/webrender/src/render_backend.rs:756:21
#15 0x7fd54fd22ca6 in webrender::renderer::Renderer::new::_$u7b$$u7b$closure$u7d$$u7d$::hcb3a8fa390b06a66 /gecko/gfx/wr/webrender/src/renderer/mod.rs:1337:13
#16 0x7fd54fd22ca6 in std::sys_common::backtrace::__rust_begin_short_backtrace::h4dafbc770ad6aa55 /builds/worker/fetches/rust/library/std/src/sys_common/backtrace.rs:122:18
#17 0x7fd54f2ad286 in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h88f8fbd430383405 /builds/worker/fetches/rust/library/std/src/thread/mod.rs:498:17
#18 0x7fd54f2ad286 in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::hb8804b28ad56541d /builds/worker/fetches/rust/library/core/src/panic/unwind_safe.rs:271:9
#19 0x7fd54f2ad286 in std::panicking::try::do_call::h7bbe05adcef33c3b /builds/worker/fetches/rust/library/std/src/panicking.rs:492:40
#20 0x7fd54f2ad286 in std::panicking::try::hf260e8cba8145cc4 /builds/worker/fetches/rust/library/std/src/panicking.rs:456:19
#21 0x7fd54f2ad286 in std::panic::catch_unwind::hc4ce5b75f477e245 /builds/worker/fetches/rust/library/std/src/panic.rs:137:14
#22 0x7fd54f2ad286 in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::h24128684628c9b03 /builds/worker/fetches/rust/library/std/src/thread/mod.rs:497:30
#23 0x7fd54f2ad286 in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h78bcaa85df280e3c /builds/worker/fetches/rust/library/core/src/ops/function.rs:227:5
#24 0x7fd5544ad2d2 in std::sys::unix::thread::Thread::new::thread_start::h84de7bc63cfc8d04 std.19cbab4a-cgu.15
#25 0x7fd5643a3608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
#26 0x7fd563f6a132 in __clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

A Pernosco session is available here: https://pernos.co/debug/YrSPRUMIpnzd8e_YqqkW5g/index.html

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220527213513-21fcc945a41d.
The bug appears to have been introduced in the following build range:

Start: 1e98fd258975d2e4bc9b7d9ed20d4d0a91f7cf9f (20220518031437)
End: 79f4180c783b1e72fccb1e49fb8db086ea12ecca (20220518033138)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=1e98fd258975d2e4bc9b7d9ed20d4d0a91f7cf9f&tochange=79f4180c783b1e72fccb1e49fb8db086ea12ecca

79f4180c783b1e72fccb1e49fb8db086ea12ecca	Glenn Watson — Bug 1749625 - Fix up and re-enable backdrop-filter r=gfx-reviewers,lsalzman
622b05c843380695ad46c372020a5666baf5c54e	Glenn Watson — Bug 1769855 - Fix backdrop-filter with stacking context isolation r=gfx-reviewers,lsalzman

https://hg.mozilla.org/mozilla-central/rev/d56eed692ac0

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220530093943-ef6f66b77f1e.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.