Found while fuzzing m-c 20220606-533ad0ead234 (--enable-debug --enable-fuzzing) with GNOME_ACCESSIBILITY=1

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ GNOME_ACCESSIBILITY=1 python -m grizzly.replay ./firefox/firefox testcase.html --xvfb

Assertion failure: IsContent(), at src/dom/base/nsINode.h:550

#0 0x7fef217ffc8a in nsINode::AsContent() src/dom/base/nsINode.h:550:5
#1 0x7fef26797113 in nsAccessibilityService::CreateAccessibleByFrameType(nsIFrame*, nsIContent*, mozilla::a11y::LocalAccessible*) src/accessible/base/nsAccessibilityService.cpp:1474:61
#2 0x7fef2678f079 in nsAccessibilityService::CreateAccessible(nsINode*, mozilla::a11y::LocalAccessible*, bool*) src/accessible/base/nsAccessibilityService.cpp:1077:18
#3 0x7fef267bf4eb in mozilla::a11y::DocAccessible::DoARIAOwnsRelocation(mozilla::a11y::LocalAccessible*) src/accessible/generic/DocAccessible.cpp:2174:34
#4 0x7fef26776a58 in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) src/accessible/base/NotificationController.cpp:856:18
#5 0x7fef24fc6ac2 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) src/layout/base/nsRefreshDriver.cpp:2497:12
#6 0x7fef24fd0030 in TickDriver src/layout/base/nsRefreshDriver.cpp:375:13
#7 0x7fef24fd0030 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:353:7
#8 0x7fef24fcff33 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:369:5
#9 0x7fef24fcfc00 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:896:5
#10 0x7fef24fcf26a in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:810:5
#11 0x7fef24fcec55 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) src/layout/base/nsRefreshDriver.cpp:731:5
#12 0x7fef24fce88a in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() src/layout/base/nsRefreshDriver.cpp:594:14
#13 0x7fef24fce49c in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) src/layout/base/nsRefreshDriver.cpp:551:9
#14 0x7fef244d0ccb in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) src/dom/ipc/VsyncMainChild.cpp:68:15
#15 0x7fef24752d36 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:78
#16 0x7fef20baac44 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6085:32
#17 0x7fef20b3eb61 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src/ipc/glue/MessageChannel.cpp:1781:25
#18 0x7fef20b3b6b5 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) src/ipc/glue/MessageChannel.cpp:1706:9
#19 0x7fef20b3c256 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1506:3
#20 0x7fef20b3d5e1 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1604:14
#21 0x7fef1ff854ee in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:475:16
#22 0x7fef1ff5fec3 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:788:26
#23 0x7fef1ff5ea73 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:620:15
#24 0x7fef1ff5ece3 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:398:36
#25 0x7fef1ff88ce9 in operator() src/xpcom/threads/TaskController.cpp:127:37
#26 0x7fef1ff88ce9 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#27 0x7fef1ff7474f in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1180:16
#28 0x7fef1ff7ad4d in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:465:10
#29 0x7fef20b44594 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:107:5
#30 0x7fef20a6b7c7 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:380:10
#31 0x7fef20a6b6d2 in RunHandler src/ipc/chromium/src/base/message_loop.cc:373:3
#32 0x7fef20a6b6d2 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:355:3
#33 0x7fef24cad828 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#34 0x7fef26e0a85b in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:875:20
#35 0x7fef20b454da in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:235:9
#36 0x7fef20a6b7c7 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:380:10
#37 0x7fef20a6b6d2 in RunHandler src/ipc/chromium/src/base/message_loop.cc:373:3
#38 0x7fef20a6b6d2 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:355:3
#39 0x7fef26e09e7c in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:734:34
#40 0x563e37bd7f70 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#41 0x563e37bd7f70 in main src/browser/app/nsBrowserApp.cpp:338:18
#42 0x7fef3d3d6c86 in __libc_start_main /build/glibc-uZu3wS/glibc-2.27/csu/../csu/libc-start.c:310
#43 0x563e37badd1c in _start (/home/twsmith/workspace/browsers/m-c-20220606154314-fuzzing-debug/firefox-bin+0x15d1c) (BuildId: fe708d466304009720bc447c53d0ca9dc1cb6c51)

A Pernosco session is available here: https://pernos.co/debug/BCjZpgpgYnLo8_18yaM8wg/index.html

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220607214725-e4c90fa447f5.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 578715b6d3fcb21c0b61996347260ef9b119d0d2 (20210609093513)
End: 533ad0ead2345d753cfee67be9d044c10ecce710 (20220606154314)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Bugmon was unable reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.

Testcase crashes using the initial build (mozilla-central 20220611095155-18e3543d1c31) but not with tip (mozilla-central 20230609214634-501ade4b55d9.)

The bug appears to have been fixed in the following build range:

Start: c7b58ffeb92bc7c684aebb8f162b5816c8bc013b (20230608091506)
End: a86d5a3f177d480362c07a9ed34166ae41840ab6 (20230608105722)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=c7b58ffeb92bc7c684aebb8f162b5816c8bc013b&tochange=a86d5a3f177d480362c07a9ed34166ae41840ab6

tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Fixed by bug 1832261.