Found while fuzzing m-c 20211110-fed25fa6c3da (--enable-debug --enable-fuzzing)

Assertion failure: line (aStartLine out of range), at /builds/worker/checkouts/gecko/layout/generic/nsLineBox.cpp:579

#0 0x7f06c5d83c02 in nsLineIterator::FindLineContaining(nsIFrame*, int) /builds/worker/checkouts/gecko/layout/generic/nsLineBox.cpp:579:3
#1 0x7f06c5cbeac6 in nsIFrame::GetFrameFromDirection(nsDirection, bool, bool, bool, bool) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:9168:28
#2 0x7f06c5cbe79a in nsFrameSelection::GetPrevNextBidiLevels(nsIContent*, unsigned int, mozilla::CaretAssociationHint, bool) /builds/worker/checkouts/gecko/layout/generic/nsFrameSelection.cpp:963:13
#3 0x7f06c5cbe6ad in nsFrameSelection::GetPrevNextBidiLevels(nsIContent*, unsigned int, bool) const /builds/worker/checkouts/gecko/layout/generic/nsFrameSelection.cpp:922:10
#4 0x7f06c5bcd55f in nsCaret::GetCaretFrameForNodeOffset(nsFrameSelection*, nsIContent*, int, mozilla::CaretAssociationHint, mozilla::intl::Bidi::EmbeddingLevel, nsIFrame**, int*) /builds/worker/checkouts/gecko/layout/base/nsCaret.cpp:725:28
#5 0x7f06c5bcd308 in nsCaret::GetFrameAndOffset(mozilla::dom::Selection const*, nsINode*, int, int*, nsIFrame**) /builds/worker/checkouts/gecko/layout/base/nsCaret.cpp:395:10
#6 0x7f06c5bccbe3 in nsCaret::SchedulePaint(mozilla::dom::Selection*) /builds/worker/checkouts/gecko/layout/base/nsCaret.cpp:426:21
#7 0x7f06c465d814 in mozilla::TextInputSelectionController::SetCaretReadOnly(bool) /builds/worker/checkouts/gecko/dom/html/TextControlState.cpp:551:12
#8 0x7f06c590f975 in mozilla::EditorBase::InitInternal(mozilla::dom::Document&, mozilla::dom::Element*, nsISelectionController&, unsigned int) /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:307:56
#9 0x7f06c5a2f207 in mozilla::TextEditor::Init(mozilla::dom::Document&, mozilla::dom::Element&, nsISelectionController&, unsigned int, mozilla::UniquePtr<mozilla::PasswordMaskData, mozilla::DefaultDelete<mozilla::PasswordMaskData> >&&) /builds/worker/checkouts/gecko/editor/libeditor/TextEditor.cpp:121:17
#10 0x7f06c4647376 in mozilla::TextControlState::PrepareEditor(nsTSubstring<char16_t> const*) /builds/worker/checkouts/gecko/dom/html/TextControlState.cpp:1821:24
#11 0x7f06c466a26b in mozilla::PrepareEditorEvent::Run() /builds/worker/checkouts/gecko/dom/html/TextControlState.cpp:1583:13
#12 0x7f06c2a853e7 in nsContentUtils::RemoveScriptBlocker() /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:5671:17
#13 0x7f06c5b60cfb in ~nsAutoScriptBlocker /builds/worker/checkouts/gecko/dom/base/nsContentUtils.h:3463:28
#14 0x7f06c5b60cfb in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4224:5
#15 0x7f06c5b27780 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2366:22
#16 0x7f06c5b2ff00 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:353:13
#17 0x7f06c5b2ff00 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:331:7
#18 0x7f06c5b2fe03 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:347:5
#19 0x7f06c5b2fcd0 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:782:5
#20 0x7f06c5b2f36a in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:705:16
#21 0x7f06c5b2ec73 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:622:7
#22 0x7f06c5b2e709 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:543:9
#23 0x7f06c52e6509 in mozilla::dom::VsyncChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncChild.cpp:68:15
#24 0x7f06c1f47e09 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:200:54
#25 0x7f06c1d01e4c in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6082:32
#26 0x7f06c1986e0f in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2043:25
#27 0x7f06c1983701 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1968:9
#28 0x7f06c1984b85 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1827:3
#29 0x7f06c19857bd in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1855:14
#30 0x7f06c0f0ae5e in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:468:16
#31 0x7f06c0ee4776 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:771:26
#32 0x7f06c0ee3438 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:607:15
#33 0x7f06c0ee36b3 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:391:36
#34 0x7f06c0f0e456 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:124:37
#35 0x7f06c0f0e456 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#36 0x7f06c0ef9163 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1175:16
#37 0x7f06c0f0034a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:467:10
#38 0x7f06c198cc26 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#39 0x7f06c18ac277 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
#40 0x7f06c18ac182 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
#41 0x7f06c18ac182 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
#42 0x7f06c5828488 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#43 0x7f06c77e2e43 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:917:20
#44 0x7f06c198db1a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#45 0x7f06c18ac277 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
#46 0x7f06c18ac182 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
#47 0x7f06c18ac182 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
#48 0x7f06c77e247b in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:749:34
#49 0x55d27043dd79 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#50 0x55d27043dd79 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:327:18
#51 0x7f06d6dcb0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#52 0x55d27041950c in _start (/home/worker/builds/m-c-20211110214946-fuzzing-debug/firefox-bin+0x1550c)

A Pernosco session is available here: https://pernos.co/debug/N9En6OIcUQf-N4UPyN5Ukw/index.html

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20211118212756-b193f2e7a6a5.
Failed to bisect testcase (Unable to launch the start build!):

Start: 5b8265dc60c869d1196c475ade06e254d53ce7f4 (20201120094511)
End: fed25fa6c3dae05d0e628fb1493cab5045475409 (20211110214946)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)

Bugmon was unable reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.