Found while fuzzing m-c 20230509-44770d5c9e91 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

I'm not sure if this is a dupe of bug 1798740 or not.

Assertion failure: !aStartBoundary.IsSet(), at /builds/worker/checkouts/gecko/dom/base/nsRange.cpp:960

#0 0x7f221b712114 in void nsRange::DoSetRange<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>, nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>>(mozilla::RangeBoundaryBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, mozilla::RangeBoundaryBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, nsINode*, bool) /builds/worker/checkouts/gecko/dom/base/nsRange.cpp:960:3
#1 0x7f221b697c67 in mozilla::dom::MutationObservers::NotifyParentChainChanged(nsIContent*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/MutationObservers.h:116:15
#2 0x7f221b817d0d in mozilla::dom::Element::BindToTree(mozilla::dom::BindContext&, nsINode&) /builds/worker/checkouts/gecko/dom/base/Element.cpp:1901:3
#3 0x7f221b72ba03 in nsStyledElement::BindToTree(mozilla::dom::BindContext&, nsINode&) /builds/worker/checkouts/gecko/dom/base/nsStyledElement.cpp:210:38
#4 0x7f221d849246 in nsGenericHTMLElement::BindToTree(mozilla::dom::BindContext&, nsINode&) /builds/worker/checkouts/gecko/dom/html/nsGenericHTMLElement.cpp:449:43
#5 0x7f221d84f204 in nsGenericHTMLFormElement::BindToTree(mozilla::dom::BindContext&, nsINode&) /builds/worker/checkouts/gecko/dom/html/nsGenericHTMLElement.cpp:1786:39
#6 0x7f221d7651bf in mozilla::dom::HTMLElement::BindToTree(mozilla::dom::BindContext&, nsINode&) /builds/worker/checkouts/gecko/dom/html/HTMLElement.cpp:63:43
#7 0x7f221ba4bd11 in nsINode::InsertChildBefore(nsIContent*, nsIContent*, bool, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1611:15
#8 0x7f221ba53b13 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:2850:5
#9 0x7f221c004bbb in InsertBefore /builds/worker/checkouts/gecko/dom/base/nsINode.h:2109:12
#10 0x7f221c004bbb in AppendChild /builds/worker/checkouts/gecko/dom/base/nsINode.h:2116:12
#11 0x7f221c004bbb in mozilla::dom::Node_Binding::appendChild(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/NodeBinding.cpp:997:60
#12 0x7f221cf33568 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3335:13
#13 0x558de203059  (<unknown module>)

Verified bug as reproducible on mozilla-central 20230511213213-375c5940c253.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 150d9a179926637ee79ab07da46965fbd5e817eb (20220513093538)
End: 44770d5c9e91a75746e5d62aa1a933859292b77e (20230509215006)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Testcase crashes using the initial build (mozilla-central 20240223034030-d78078443b2c) but not with tip (mozilla-central 20250221165821-2cf34b3c9e61.)

Unable to bisect testcase (Unable to launch the end build!):

Start: d78078443b2cba8fa85b6344c5aa1bad98d97d74 (20240223034030)
End: 2cf34b3c9e6115e24043da1a5e48d3e272d37d4d (20250221165821)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False, searchfox=False, afl=False)

Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.