Found while fuzzing m-c 20240727-a6ca5a18b4a0 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid> --repeat 10

Assertion failure: aListID == FrameChildListID::Principal (unexpected child list), at /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:1302

#0 0x7a6ec1601137 in nsFlexContainerFrame::RemoveFrame(mozilla::FrameDestroyContext&, mozilla::FrameChildListID, nsIFrame*) /builds/worker/checkouts/gecko/layout/generic/nsFlexContainerFrame.cpp:1302:3
#1 0x7a6ec14f5874 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:7545:5
#2 0x7a6ec14f0d0b in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:8467:7
#3 0x7a6ec14b1610 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:1680:25
#4 0x7a6ec14b84c4 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3284:7
#5 0x7a6ec148b6e5 in mozilla::RestyleManager::ProcessPendingRestyles() /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3370:3
#6 0x7a6ec148aa22 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4373:37
#7 0x7a6ec1450aee in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1455:5
#8 0x7a6ec1450aee in nsRefreshDriver::FlushLayoutOnPendingDocsAndFixUpFocus() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2211:31
#9 0x7a6ec144f9de in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2679:3
#10 0x7a6ec1458611 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:368:13
#11 0x7a6ec1458611 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:346:7
#12 0x7a6ec1458510 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:362:5
#13 0x7a6ec14583ad in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:952:5
#14 0x7a6ec145769c in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:862:5
#15 0x7a6ec1456a29 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:593:14
#16 0x7a6ec08d1b3b in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
#17 0x7a6ec0b4d787 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:222:78
#18 0x7a6ec0a823a0 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8172:32
#19 0x7a6ebc9267cf in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1820:25
#20 0x7a6ebc923522 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1739:9
#21 0x7a6ebc9241a2 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1530:3
#22 0x7a6ebc9252ef in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1630:14
#23 0x7a6ebbdae8a7 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:618:16
#24 0x7a6ebbda4316 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:945:26
#25 0x7a6ebbda2d27 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:768:15
#26 0x7a6ebbda31a5 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:554:36
#27 0x7a6ebbdb2216 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:268:37
#28 0x7a6ebbdb2216 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#29 0x7a6ebbdc5bfd in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1204:16
#30 0x7a6ebbdcc8ff in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#31 0x7a6ebc92c355 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#32 0x7a6ebc882f71 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#33 0x7a6ebc882f71 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#34 0x7a6ec10cbce8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#35 0x7a6ec1184964 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:469:33
#36 0x7a6ec201c64b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:714:20
#37 0x7a6ebc92d1a6 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#38 0x7a6ebc882f71 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#39 0x7a6ebc882f71 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#40 0x7a6ec201bedb in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:649:34
#41 0x582373b6917f in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#42 0x582373b6917f in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:378:18
#43 0x7a6ecf429d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#44 0x7a6ecf429e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#45 0x582373b3ebb8 in _start (/home/user/workspace/browsers/m-c-20240730164742-fuzzing-debug/firefox-bin+0x58bb8) (BuildId: 696736f42c0ef67fd9e1335017affdd98fdc3008)

Verified bug as reproducible on mozilla-central 20240730164742-c756f74154bf.
The bug appears to have been introduced in the following build range:

Start: 369d5331352d27705546143e21e194b8cd88b5be (20240604094831)
End: 179b4068029ab78efe95cf160bf4d13026349a4d (20240604104127)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=369d5331352d27705546143e21e194b8cd88b5be&tochange=179b4068029ab78efe95cf160bf4d13026349a4d

Not sure if this is regressed by Bug 1850834 (which touched nsCSSFrameConstructor).

When loading the testcase in debug build, I see the following soft assertion before the fatal one in flex container.

###!!! ASSERTION: Must remove first continuation.: '!aOldFrame->GetPrevContinuation() || aOldFrame->IsTextFrame()'

https://searchfox.org/mozilla-central/rev/1b65dee82116a31ab16cf653b9780be959946dc6/layout/base/nsFrameManager.cpp#108-112

Emilio, could you take a look?

Set release status flags based on info from the regressing bug 1850834

Set release status flags based on info from the regressing bug 1850834