Closed Bug 1832436 Opened 1 year ago Closed 1 year ago

Assertion failure: aCount <= Length(), at /builds/worker/workspace/obj-build/dist/include/nsTArray.h:1857

Categories

(Core :: Disability Access APIs, defect)

Tracking

VERIFIED FIXED
115 Branch
Tracking Status
firefox-esr102 --- unaffected
firefox113 --- unaffected
firefox114 --- unaffected
firefox115 --- fixed

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug, Regression)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Attached file testcase.html (deleted)

Found while fuzzing m-c 20230509-169e7173a60f (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: aCount <= Length(), at /builds/worker/workspace/obj-build/dist/include/nsTArray.h:1857

#0 0x7fb489f66720 in RemoveLastElements /builds/worker/workspace/obj-build/dist/include/nsTArray.h:1857:5
#1 0x7fb489f66720 in mozilla::a11y::HyperTextAccessible::RemoveChild(mozilla::a11y::LocalAccessible*) /builds/worker/checkouts/gecko/accessible/generic/HyperTextAccessible.cpp:2105:14
#2 0x7fb489f5dff5 in mozilla::a11y::DocAccessible::MoveChild(mozilla::a11y::LocalAccessible*, mozilla::a11y::LocalAccessible*, int) /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:2524:14
#3 0x7fb489f5f2bb in mozilla::a11y::DocAccessible::PutChildrenBack(nsTArray<RefPtr<mozilla::a11y::LocalAccessible>>*, unsigned int) /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:2436:31
#4 0x7fb489f5e561 in mozilla::a11y::DocAccessible::UncacheChildrenInSubtree(mozilla::a11y::LocalAccessible*) /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:2608:5
#5 0x7fb489f5e5e5 in mozilla::a11y::DocAccessible::UncacheChildrenInSubtree(mozilla::a11y::LocalAccessible*) /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:2626:7
#6 0x7fb489f567dd in mozilla::a11y::DocAccessible::ContentRemoved(mozilla::a11y::LocalAccessible*) /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:2190:3
#7 0x7fb489f528f2 in mozilla::a11y::DocAccessible::ContentRemoved(nsIContent*) /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:2200:5
#8 0x7fb489f52967 in mozilla::a11y::DocAccessible::ContentRemoved(nsIContent*) /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:2206:5
#9 0x7fb489f52967 in mozilla::a11y::DocAccessible::ContentRemoved(nsIContent*) /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:2206:5
#10 0x7fb489f2e838 in nsAccessibilityService::ContentRemoved(mozilla::PresShell*, nsIContent*) /builds/worker/checkouts/gecko/accessible/base/nsAccessibilityService.cpp:677:15
#11 0x7fb48879dde2 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:7494:21
#12 0x7fb48873bcc9 in mozilla::PresShell::ContentRemoved(nsIContent*, nsIContent*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4586:22
#13 0x7fb484ccc942 in operator() /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:174:19
#14 0x7fb484ccc942 in Notify<(NotifyPresShell)1, (lambda at /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:174:19)> /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:87:7
#15 0x7fb484ccc942 in mozilla::dom::MutationObservers::NotifyContentRemoved(nsINode*, nsIContent*, nsIContent*) /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:173:3
#16 0x7fb484b93c2b in mozilla::dom::Document::DisconnectNodeTree() /builds/worker/checkouts/gecko/dom/base/Document.cpp:2905:7
#17 0x7fb484bc9a33 in mozilla::dom::Document::Open(mozilla::dom::Optional<nsTSubstring<char16_t>> const&, mozilla::dom::Optional<nsTSubstring<char16_t>> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:9733:5
#18 0x7fb484bcb2b0 in mozilla::dom::Document::WriteCommon(nsTSubstring<char16_t> const&, bool, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:9967:5
#19 0x7fb485f9df27 in mozilla::dom::Document_Binding::write(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/DocumentBinding.cpp:3824:24
#20 0x7fb486333568 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3335:13
#21 0x7fb48a83bb75 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:486:13
#22 0x7fb48a83b503 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:580:12
#23 0x7fb48a84cb8b in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:652:10
#24 0x7fb48a84cb8b in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3395:16
#25 0x7fb48a83a97d in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:458:13
#26 0x7fb48a83b37f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:612:13
#27 0x7fb48a83c8fd in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:679:8
#28 0x7fb48a918182 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
#29 0x7fb485bbfa98 in mozilla::dom::IdleRequestCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::IdleDeadline&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/WindowBinding.cpp:828:8
#30 0x7fb484af1954 in mozilla::dom::IdleRequestCallback::Call(mozilla::dom::IdleDeadline&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WindowBinding.h:733:12
#31 0x7fb484ca11a6 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WindowBinding.h:746:12
#32 0x7fb484ca11a6 in mozilla::dom::IdleRequest::IdleRun(nsPIDOMWindowInner*, double, bool) /builds/worker/checkouts/gecko/dom/base/IdleRequest.cpp:58:13
#33 0x7fb4849d9621 in nsGlobalWindowInner::RunIdleRequest(mozilla::dom::IdleRequest*, double, bool) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:728:12
#34 0x7fb4849d8477 in nsGlobalWindowInner::ExecuteIdleRequest(mozilla::TimeStamp) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:756:3
#35 0x7fb4849d8190 in IdleRequestExecutor::Run() /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:597:13
#36 0x7fb4830bbda7 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:555:16
#37 0x7fb4830b6faa in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:879:26
#38 0x7fb4830b5bdd in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:744:15
#39 0x7fb4830b5e05 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:491:36
#40 0x7fb4830bf356 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:218:37
#41 0x7fb4830bf356 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#42 0x7fb4830d56fa in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1239:16
#43 0x7fb4830dbd1d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:479:10
#44 0x7fb483d1e215 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#45 0x7fb483c3fdd1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#46 0x7fb483c3fdd1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#47 0x7fb488382e08 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#48 0x7fb48a6133db in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:738:20
#49 0x7fb483d1f0c6 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#50 0x7fb483c3fdd1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#51 0x7fb483c3fdd1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#52 0x7fb48a612ca2 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:673:34
#53 0x55eab8e817a6 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#54 0x55eab8e817a6 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#55 0x7fb498429d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#56 0x7fb498429e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#57 0x55eab8e58a28 in _start (/home/user/workspace/browsers/m-c-20230510213701-fuzzing-debug/firefox-bin+0x58a28) (BuildId: 62943f22fb28e316d9baf2fbed5d93553833dc4a)
Flags: in-testsuite?
Attached file prefs.js (deleted)

prefs.js file for bugmon

Opt builds report a different failure:

Hit MOZ_CRASH(ElementAt(aIndex = 18446744073709551615, aLength = 0)) at /builds/worker/checkouts/gecko/mfbt/Assertions.cpp:51

#0 0x5583ea91ef2f in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
#1 0x5583ea91ef2f in mozilla::detail::InvalidArrayIndex_CRASH(unsigned long, unsigned long) /builds/worker/checkouts/gecko/mfbt/Assertions.cpp:50:3
#2 0x7efbe95a1151 in TruncateLength /builds/worker/workspace/obj-build/dist/include/nsTArray.h:2249:7
#3 0x7efbe95a1151 in RemoveLastElements /builds/worker/workspace/obj-build/dist/include/nsTArray.h:1858:5
#4 0x7efbe95a1151 in mozilla::a11y::HyperTextAccessible::RemoveChild(mozilla::a11y::LocalAccessible*) /builds/worker/checkouts/gecko/accessible/generic/HyperTextAccessible.cpp:2105:14
#5 0x7efbe958d71b in mozilla::a11y::DocAccessible::MoveChild(mozilla::a11y::LocalAccessible*, mozilla::a11y::LocalAccessible*, int) /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:2524:14
#6 0x7efbe958f201 in mozilla::a11y::DocAccessible::PutChildrenBack(nsTArray<RefPtr<mozilla::a11y::LocalAccessible>>*, unsigned int) /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:2436:31
#7 0x7efbe958dd7b in mozilla::a11y::DocAccessible::UncacheChildrenInSubtree(mozilla::a11y::LocalAccessible*) /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:2608:5
#8 0x7efbe958de87 in mozilla::a11y::DocAccessible::UncacheChildrenInSubtree(mozilla::a11y::LocalAccessible*) /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:2626:7
#9 0x7efbe957717e in mozilla::a11y::DocAccessible::ContentRemoved(mozilla::a11y::LocalAccessible*) /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:2190:3
#10 0x7efbe956bedc in mozilla::a11y::DocAccessible::ContentRemoved(nsIContent*) /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:2200:5
#11 0x7efbe956bfb7 in mozilla::a11y::DocAccessible::ContentRemoved(nsIContent*) /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:2206:5
#12 0x7efbe956bfb7 in mozilla::a11y::DocAccessible::ContentRemoved(nsIContent*) /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:2206:5
#13 0x7efbe506f39b in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:7494:21
#14 0x7efbe4f98354 in mozilla::PresShell::ContentRemoved(nsIContent*, nsIContent*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4586:22
#15 0x7efbdd1ea05a in operator() /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:174:19
#16 0x7efbdd1ea05a in Notify<(NotifyPresShell)1, (lambda at /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:174:19)> /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:87:7
#17 0x7efbdd1ea05a in mozilla::dom::MutationObservers::NotifyContentRemoved(nsINode*, nsIContent*, nsIContent*) /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:173:3
#18 0x7efbdcfa0d7f in mozilla::dom::Document::DisconnectNodeTree() /builds/worker/checkouts/gecko/dom/base/Document.cpp:2905:7
#19 0x7efbdd00af9d in mozilla::dom::Document::Open(mozilla::dom::Optional<nsTSubstring<char16_t>> const&, mozilla::dom::Optional<nsTSubstring<char16_t>> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:9733:5
#20 0x7efbdd00d723 in mozilla::dom::Document::WriteCommon(nsTSubstring<char16_t> const&, bool, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:9967:5
#21 0x7efbdd00cb96 in mozilla::dom::Document::WriteCommon(mozilla::dom::Sequence<nsTString<char16_t>> const&, bool, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:9871:5
#22 0x7efbdf57c4ef in mozilla::dom::Document_Binding::write(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/DocumentBinding.cpp:3824:24
#23 0x7efbdfccfea7 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3335:13
#24 0x7efbea9f3503 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:486:13
#25 0x7efbea9f3503 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:580:12
#26 0x7efbeaa18696 in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:647:10
#27 0x7efbeaa18696 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:652:10
#28 0x7efbeaa18696 in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3395:16
#29 0x7efbea9f22a8 in MaybeEnterInterpreterTrampoline /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:400:10
#30 0x7efbea9f22a8 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:458:13
#31 0x7efbea9f36bc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:612:13
#32 0x7efbea9f5636 in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:647:10
#33 0x7efbea9f5636 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:679:8
#34 0x7efbeab61f5b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
#35 0x7efbded79eb5 in mozilla::dom::IdleRequestCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::IdleDeadline&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/WindowBinding.cpp:828:8
#36 0x7efbdd19b8ac in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WindowBinding.h:733:12
#37 0x7efbdd19b8ac in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WindowBinding.h:746:12
#38 0x7efbdd19b8ac in mozilla::dom::IdleRequest::IdleRun(nsPIDOMWindowInner*, double, bool) /builds/worker/checkouts/gecko/dom/base/IdleRequest.cpp:58:13
#39 0x7efbdcc3fc65 in nsGlobalWindowInner::RunIdleRequest(mozilla::dom::IdleRequest*, double, bool) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:728:12
#40 0x7efbdcc3dc43 in nsGlobalWindowInner::ExecuteIdleRequest(mozilla::TimeStamp) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:756:3
#41 0x7efbdcc3d5b3 in IdleRequestExecutor::Run() /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:597:13
#42 0x7efbd924c15a in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:555:16
#43 0x7efbd923ceaa in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:879:26
#44 0x7efbd923a18d in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:744:15
#45 0x7efbd923a68f in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:491:36
#46 0x7efbd9251881 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:218:37
#47 0x7efbd9251881 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#48 0x7efbd927d4fb in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1239:16
#49 0x7efbd928af94 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:479:10
#50 0x7efbdae824ce in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#51 0x7efbdacac7ca in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:369:10
#52 0x7efbdacac7ca in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#53 0x7efbdacac7ca in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#54 0x7efbe45d8309 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#55 0x7efbea5997b8 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:738:20
#56 0x7efbdacac7ca in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:369:10
#57 0x7efbdacac7ca in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#58 0x7efbdacac7ca in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#59 0x7efbea598e7e in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:673:34
#60 0x5583ea77b73e in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#61 0x5583ea77b73e in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#62 0x7efbffc29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#63 0x7efbffc29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#64 0x5583ea6a4d58 in _start (/home/user/workspace/browsers/m-c-20230510213701-fuzzing-asan-opt/firefox+0x107d58) (BuildId: 1a6107a3fe794b68d29433eba1f4d947c1c8bb25)

Nathan, I'm not 100% certain, but this looks like it could be a regression introduced by bug 1455416. Could you please take a look?

Flags: needinfo?(nlapre)

Verified bug as reproducible on mozilla-central 20230511040639-da13ef752e22.
The bug appears to have been introduced in the following build range:

Start: a7a328c86d5bab5e73de7abf526304c96addccc3 (20230508201033)
End: cc7b419c4bbea93ee3364cf6749a0d6dcbb0a991 (20230508213519)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=a7a328c86d5bab5e73de7abf526304c96addccc3&tochange=cc7b419c4bbea93ee3364cf6749a0d6dcbb0a991

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]

This happens when a parent has already disappeared, similar to 1832447. The parent disappears in BeforeRemoval (called within MoveChild), then RemoveChild fails because of it. It looks like the target node is going away in both situations, so I'm not sure why IsInDocument isn't catching this in PutChildrenBack. In this case we're doing document.write(''), and in 1832447 we're doing document.documentElement.parentNode.replaceChild(document.createElement('x'), ...). Both cases appear to hint at "the contents of this document, including the new target container, are going away," but I'm not sure how to check for this effectively.

Flags: needinfo?(nlapre)
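To make the two failure reports above concrete: the debug build trips the nsTArray assertion aCount <= Length(), and the opt build reports ElementAt(aIndex = 18446744073709551615, aLength = 0), i.e. a new length of SIZE_MAX computed from an empty array. The following is a hypothetical model written for this page, not Gecko code; the Node type, the function names and the scenario are assumptions that mirror the description in the comment above (parent torn down before RemoveChild runs). It shows the unsigned wrap that produces the opt-build value, the checked removal that refuses it, and a RemoveChild that treats a child already gone from its parent as a no-op instead of truncating an empty array.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical model (not Gecko code): a parent accessible holding an array
// of children. In the bug, the parent's children were already uncached when
// RemoveChild ran, so the array was empty.
struct Node {
    std::vector<Node*> children;
};

// The arithmetic behind "ElementAt(aIndex = 18446744073709551615,
// aLength = 0)": new length = Length() - aCount in unsigned types, so
// removing 1 element from an empty array wraps to SIZE_MAX. nsTArray's
// release-mode bounds check turns that into MOZ_CRASH rather than an
// out-of-bounds write; this helper only shows the wrapped value.
size_t wrappedNewLength(size_t length, size_t count) {
    return length - count;  // wraps when count > length
}

// Checked removal in the spirit of the debug assertion aCount <= Length():
// refuse instead of truncating to a wrapped length.
bool removeLastElementsChecked(std::vector<Node*>& arr, size_t count) {
    if (count > arr.size()) {
        return false;  // would underflow; caller must handle "parent already gone"
    }
    arr.resize(arr.size() - count);
    return true;
}

// RemoveChild as a caller would want it: confirm the child is actually in
// the parent's array before touching it. A child whose parent was torn down
// earlier (BeforeRemoval in the comment above) is reported, not truncated.
bool removeChild(Node& parent, Node* child) {
    for (size_t i = 0; i < parent.children.size(); ++i) {
        if (parent.children[i] == child) {
            parent.children.erase(parent.children.begin() + i);
            return true;
        }
    }
    return false;
}

// Scenario from the bug: the array is already empty and one element is to be
// dropped. Returns true when the checked path refuses the removal.
bool emptyParentIsRejected() {
    std::vector<Node*> children;  // already uncached, length 0
    return !removeLastElementsChecked(children, 1);
}

// Two children; remove one, then ask for it again. Returns true when the
// first removal succeeds, one child remains, and the stale second request is
// refused without modifying the array.
bool staleChildIsNoOp() {
    Node a, b, parent;
    parent.children = {&a, &b};
    bool first = removeChild(parent, &b);
    bool second = removeChild(parent, &b);
    return first && !second && parent.children.size() == 1;
}
```

The opt-build crash is the bounds check doing its job: without it, truncating to a wrapped length would be a memory-safety bug rather than a clean MOZ_CRASH. The check in removeChild is the kind of "is the target still attached" test the comment above says is hard to place in PutChildrenBack.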

Setting Bug 1455416 as the regressor re: comment 3 and also in the range in comment 4.
Please correct if needed.

This fuzzing bug is pending triage; please mention if there is an end-user impact.

Regressed by: 1455416

(In reply to Donal Meehan [:dmeehan] from comment #6)

This fuzzing bug is pending triage; please mention if there is an end-user impact.

Gotcha - an end user could experience this crash if they (or a website author) call document.write('') on pages with a particular aria-owns structure. That said, use of write is strongly discouraged (the spec recommends against using it). I would be surprised if users see this, but it's certainly possible.

Distilled test case:

<script>
document.addEventListener("DOMContentLoaded", () => {
  document.write('')
})
</script>
<div id='a' aria-owns='b'></div>
<div id='b'></div>

still investigating...

Set release status flags based on info from the regressing bug 1455416

Setting 115 to Fixed as the regressor Bug 1455416 was backed out of central

Fixed by backout.

Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED

Verified bug as fixed on rev mozilla-central 20230519041011-d97636946466.

Status: RESOLVED → VERIFIED
Target Milestone: --- → 115 Branch