Found while fuzzing m-c 20221115-1adc82d1eb96 (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

==30307==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x7fc958b2dbbf bp 0x7ffd4e5a2bb0 sp 0x7ffd4e5a2b90 T0)
==30307==The signal is caused by a READ memory access.
==30307==Hint: address points to the zero page.
    #0 0x7fc958b2dbbf in get /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286:27
    #1 0x7fc958b2dbbf in operator-> /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:316:12
    #2 0x7fc958b2dbbf in IsInNamespace /builds/worker/workspace/obj-build/dist/include/nsINode.h:774:12
    #3 0x7fc958b2dbbf in IsHTMLElement /builds/worker/workspace/obj-build/dist/include/nsIContent.h:177:12
    #4 0x7fc958b2dbbf in bool nsIContent::IsAnyOfHTMLElements<nsStaticAtom*, nsStaticAtom*>(nsStaticAtom*, nsStaticAtom*) const /builds/worker/workspace/obj-build/dist/include/nsIContent.h:186:12
    #5 0x7fc9631375ad in IsAbbreviation /builds/worker/workspace/obj-build/dist/include/mozilla/a11y/LocalAccessible.h:452:22
    #6 0x7fc9631375ad in mozilla::a11y::TableAccessible::IsProbablyLayoutTable() /gecko/accessible/generic/TableAccessible.cpp:139:46
    #7 0x7fc9631023de in mozilla::a11y::LocalAccessible::BundleFieldsForCache(unsigned long, mozilla::a11y::CacheUpdateType) /gecko/accessible/generic/LocalAccessible.cpp:3568:18
    #8 0x7fc9630fdc4d in mozilla::a11y::DocAccessible::ProcessQueuedCacheUpdates() /gecko/accessible/generic/DocAccessible.cpp:1463:16
    #9 0x7fc963073cae in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) /gecko/accessible/base/NotificationController.cpp:890:16
    #10 0x7fc95f3ff815 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /gecko/layout/base/nsRefreshDriver.cpp:2525:12
    #11 0x7fc95f40dd76 in TickDriver /gecko/layout/base/nsRefreshDriver.cpp:375:13
    #12 0x7fc95f40dd76 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /gecko/layout/base/nsRefreshDriver.cpp:353:7
    #13 0x7fc95f40dade in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /gecko/layout/base/nsRefreshDriver.cpp:369:5
    #14 0x7fc95f40d865 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /gecko/layout/base/nsRefreshDriver.cpp:913:5
    #15 0x7fc95f40caff in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /gecko/layout/base/nsRefreshDriver.cpp:827:5
    #16 0x7fc95f40bd41 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) /gecko/layout/base/nsRefreshDriver.cpp:748:5
    #17 0x7fc95f40b55b in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /gecko/layout/base/nsRefreshDriver.cpp:594:14
    #18 0x7fc95f40b0f8 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /gecko/layout/base/nsRefreshDriver.cpp:551:9
    #19 0x7fc95e0651bc in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /gecko/dom/ipc/VsyncMainChild.cpp:68:15
    #20 0x7fc95e4afc8f in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:78
    #21 0x7fc957de14d6 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6306:32
    #22 0x7fc957d4a0c9 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /gecko/ipc/glue/MessageChannel.cpp:1756:25
    #23 0x7fc957d471bf in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /gecko/ipc/glue/MessageChannel.cpp:1681:9
    #24 0x7fc957d47dee in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /gecko/ipc/glue/MessageChannel.cpp:1481:3
    #25 0x7fc957d4901e in mozilla::ipc::MessageChannel::MessageTask::Run() /gecko/ipc/glue/MessageChannel.cpp:1579:14
    #26 0x7fc9565ca919 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:538:16
    #27 0x7fc9565c19d7 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:851:26
    #28 0x7fc9565bec58 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:683:15
    #29 0x7fc9565bf380 in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:461:36
    #30 0x7fc9565d0a21 in operator() /gecko/xpcom/threads/TaskController.cpp:187:37
    #31 0x7fc9565d0a21 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
    #32 0x7fc9565f3c50 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1204:16
    #33 0x7fc9565fe3e4 in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:465:10
    #34 0x7fc957d518be in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:85:21
    #35 0x7fc957bd5ea7 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #36 0x7fc957bd5ea7 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #37 0x7fc957bd5ea7 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #38 0x7fc95ee26119 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:150:27
    #39 0x7fc963d7ccc8 in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:884:20
    #40 0x7fc957bd5ea7 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #41 0x7fc957bd5ea7 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #42 0x7fc957bd5ea7 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #43 0x7fc963d7bc95 in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:743:34
    #44 0x55c1b87042d4 in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #45 0x55c1b8704797 in main /gecko/browser/app/nsBrowserApp.cpp:359:18
    #46 0x7fc97882b082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #47 0x55c1b8642d58 in _start (/home/worker/builds/m-c-20221115164451-fuzzing-asan-opt/firefox+0x111d58) (BuildId: b52a592a4bc8d4b251f72487dbb848881c3a8560)

A prefs.js file for bugmon

When we push a cache update for tables, we call IsProbablyLayoutTable.
That in turn checks whether the first grandchild LocalAccessible of each row is an abbreviation.
If there is a malformed table containing an iframe as a child of a row, this grandchild will be an embedded DocAccessible.
Since a DocAccessible has a null mContent prior to DoInitialUpdate, calling IsAbbreviation on this would previously crash because it didn't null check mContent.
The fix is simply to null check mContent.

Verified bug as reproducible on mozilla-central 20221118154632-3b5a8f67189b.
The bug appears to have been introduced in the following build range:

Start: 2d625e5d6ff86fda6d83464bb315478f94afc577 (20221114233128)
End: 1adc82d1eb960a8a6aac68b9abceaac3fd491abb (20221115021943)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=2d625e5d6ff86fda6d83464bb315478f94afc577&tochange=1adc82d1eb960a8a6aac68b9abceaac3fd491abb

https://hg.mozilla.org/mozilla-central/rev/f7413f4018ed

Testcase crashes using the initial build (mozilla-central 20221115051541-1adc82d1eb96) but not with tip (mozilla-central 20221119085828-f7eac47f5daa.)

The bug appears to have been fixed in the following build range:

Start: 01175db411656d9df143a23d3a7001ae0244f2cb (20221118212701)
End: 66771e1d95c104ad6b8cddbe8edcf6b2a055a93c (20221118233908)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=01175db411656d9df143a23d3a7001ae0244f2cb&tochange=66771e1d95c104ad6b8cddbe8edcf6b2a055a93c

Jamie, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Yes, the patch here fixed this.