Assertion failure: mText.isSome(), at /builds/worker/checkouts/gecko/widget/ContentCache.cpp:724
Categories
(Core :: DOM: UI Events & Focus Handling, defect, P2)
Tracking
 | Tracking | Status
---|---|---
firefox-esr91 | --- | unaffected
firefox97 | --- | unaffected
firefox98 | --- | unaffected
firefox99 | --- | verified
People
(Reporter: tsmith, Assigned: masayuki)
References
(Blocks 1 open bug, Regression)
Details
(5 keywords, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])
Crash Data
Attachments
(2 files)
Found while fuzzing m-c 20220208-bad861b89142 (--enable-address-sanitizer --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: mText.isSome(), at /builds/worker/checkouts/gecko/widget/ContentCache.cpp:724
#0 0x7fc6d46e7b44 in mozilla::ContentCacheInParent::HandleQueryContentEvent(mozilla::WidgetQueryContentEvent&, nsIWidget*) const /gecko/widget/ContentCache.cpp:724:7
#1 0x7fc6d3ecfb90 in mozilla::dom::BrowserParent::HandleQueryContentEvent(mozilla::WidgetQueryContentEvent&) /gecko/dom/ipc/BrowserParent.cpp:3043:7
#2 0x7fc6d235d4eb in mozilla::EventStateManager::HandleQueryContentEvent(mozilla::WidgetQueryContentEvent*) /gecko/dom/events/EventStateManager.cpp:1026:32
#3 0x7fc6d235bc3b in mozilla::EventStateManager::PreHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*, nsIContent*) /gecko/dom/events/EventStateManager.cpp:614:5
#4 0x7fc6d4d6808d in mozilla::PresShell::EventHandler::DispatchEvent(mozilla::EventStateManager*, mozilla::WidgetEvent*, bool, nsEventStatus*, nsIContent*) /gecko/layout/base/PresShell.cpp:8246:39
#5 0x7fc6d4d62011 in mozilla::PresShell::EventHandler::HandleEventWithCurrentEventInfo(mozilla::WidgetEvent*, nsEventStatus*, bool, nsIContent*) /gecko/layout/base/PresShell.cpp:8215:17
#6 0x7fc6d4d627bb in mozilla::PresShell::EventHandler::HandleEventAtFocusedContent(mozilla::WidgetGUIEvent*, nsEventStatus*) /gecko/layout/base/PresShell.cpp:7944:7
#7 0x7fc6d4d5fc56 in mozilla::PresShell::EventHandler::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /gecko/layout/base/PresShell.cpp:6961:12
#8 0x7fc6d4d5e809 in mozilla::PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /gecko/layout/base/PresShell.cpp:6879:23
#9 0x7fc6d46ae27d in nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) /gecko/view/nsViewManager.cpp:685:18
#10 0x7fc6d46adeb5 in nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) /gecko/view/nsView.cpp:1129:9
#11 0x7fc6d48139ea in nsWindow::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&) /gecko/widget/gtk/nsWindow.cpp:511:25
#12 0x7fc6d48a1988 in mozilla::widget::IMContextWrapper::EnsureToCacheContentSelection(nsTSubstring<char16_t>*) /gecko/widget/gtk/IMContextWrapper.cpp:3237:23
#13 0x7fc6d48997f9 in mozilla::widget::IMContextWrapper::OnFocusChangeInGecko(bool) /gecko/widget/gtk/IMContextWrapper.cpp:1123:17
#14 0x7fc6d48994a8 in mozilla::widget::IMContextWrapper::NotifyIME(mozilla::widget::TextEventDispatcher*, mozilla::widget::IMENotification const&) /gecko/widget/gtk/IMContextWrapper.cpp:563:7
#15 0x7fc6d475f527 in mozilla::widget::TextEventDispatcher::NotifyIME(mozilla::widget::IMENotification const&) /gecko/widget/TextEventDispatcher.cpp:475:40
#16 0x7fc6d46cf82f in nsBaseWidget::NotifyIME(mozilla::widget::IMENotification const&) /gecko/widget/nsBaseWidget.cpp:1691:43
#17 0x7fc6d2424954 in mozilla::IMEStateManager::NotifyIME(mozilla::widget::IMENotification const&, nsIWidget*, mozilla::dom::BrowserParent*) /gecko/dom/events/IMEStateManager.cpp:1832:22
#18 0x7fc6d3ec8990 in mozilla::dom::BrowserParent::RecvNotifyIMEFocus(mozilla::ContentCache const&, mozilla::widget::IMENotification const&, std::function<void (mozilla::widget::IMENotificationRequests const&)>&&) /gecko/dom/ipc/BrowserParent.cpp:2346:3
#19 0x7fc6ce661e55 in mozilla::dom::PBrowserParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBrowserParent.cpp:3183:57
#20 0x7fc6cdc77a75 in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentParent.cpp:6463:32
#21 0x7fc6cd8d42d9 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /gecko/ipc/glue/MessageChannel.cpp:1658:25
#22 0x7fc6cd8d1ed9 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /gecko/ipc/glue/MessageChannel.cpp:1583:9
#23 0x7fc6cd8d3417 in mozilla::ipc::MessageChannel::MessageTask::Run() /gecko/ipc/glue/MessageChannel.cpp:1480:14
#24 0x7fc6cc3d2952 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:467:16
#25 0x7fc6cc39802d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:770:26
#26 0x7fc6cc395588 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:606:15
#27 0x7fc6cc395c99 in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:390:36
#28 0x7fc6cc3dacd1 in operator() /gecko/xpcom/threads/TaskController.cpp:124:37
#29 0x7fc6cc3dacd1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /gecko/xpcom/threads/nsThreadUtils.h:531:5
#30 0x7fc6cc3b8547 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1195:16
#31 0x7fc6cc3c372c in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:467:10
#32 0x7fc6cd8db54f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:85:21
#33 0x7fc6cd7610a1 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:331:10
#34 0x7fc6cd7610a1 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:324:3
#35 0x7fc6cd7610a1 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:306:3
#36 0x7fc6d47a8757 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
#37 0x7fc6d92a41d7 in nsAppStartup::Run() /gecko/toolkit/components/startup/nsAppStartup.cpp:295:30
#38 0x7fc6d94cdaf4 in XREMain::XRE_mainRun() /gecko/toolkit/xre/nsAppRunner.cpp:5719:22
#39 0x7fc6d94cfc29 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5904:8
#40 0x7fc6d94d0963 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5963:21
#41 0x558483ba9071 in do_main /gecko/browser/app/nsBrowserApp.cpp:225:22
#42 0x558483ba9071 in main /gecko/browser/app/nsBrowserApp.cpp:395:16
#43 0x7fc6f0d180b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#44 0x558483af7749 in _start (/home/worker/builds/m-c-20220208215108-fuzzing-asan-opt/firefox+0x5d749)
Comment 1•3 years ago
This testcase sometimes crashes my whole browser (maybe try to open the testcase in multiple tabs?)
https://crash-stats.mozilla.org/report/index/0e65ffb8-f77b-4f3f-b073-93e4d0220212#tab-bugzilla
Reporter
Comment 2•3 years ago
A Pernosco session is available here: https://pernos.co/debug/qk0Zdm_Vvp1bEzUgi_SgTA/index.html
Assignee
Comment 3•3 years ago
I'll take a look next week because this is a regression from bug 1746104.
Assignee
Updated•3 years ago
Comment 4•3 years ago
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220211164352-46048399bf0f.
The bug appears to have been introduced in the following build range:
Start: 8e9c1ffdeed84e460a9ba7f9e83ca24319a15c87 (20220207222603)
End: 858cdf7acc36f5c2fcf348188fdcb3461ba1672f (20220208033131)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=8e9c1ffdeed84e460a9ba7f9e83ca24319a15c87&tochange=858cdf7acc36f5c2fcf348188fdcb3461ba1672f
Assignee
Comment 5•3 years ago
Oh, this is a really interesting case. The testcase sets focus to the <textarea> and hides it from its parent in the focus event listener. Then, IMEContentObserver has a pending focus notification, but it has already blurred by the time it sends the notification. Then, CacheText fails because the root element has already been changed. However, CacheSelection succeeds because there is no root check in IMEContentObserver::HandleQueryContentEvent if there is a selection cache.
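The pattern comment 5 describes, written out as an added example (this is not the testcase.html attached to the bug, whose exact contents are not on this page): a <textarea> is focused, and its own focus listener detaches it from its parent before the system-group listener that feeds IMEContentObserver gets to run. Assumptions beyond the comment: "hides it from its parent" is taken to mean removeChild(), and the one-character value "a" mirrors the string seen in the comment 6 log. The `buildRepro` helper and its `observed` record are illustrative names, not Gecko APIs.

```javascript
// Added example reconstructing the scenario from comment 5; not the bug's
// attached testcase. Assumption: the element is "hidden" by detaching it
// with removeChild(); the value "a" follows the comment 6 log.
function buildRepro(doc, container) {
  const textarea = doc.createElement("textarea");
  textarea.value = "a";
  const observed = { parentDuringFocus: "unknown", parentAfterFocus: "unknown" };

  textarea.addEventListener("focus", () => {
    // Runs synchronously inside focus(), before the system-group focus
    // listener that lets IMEContentObserver queue NOTIFY_IME_OF_FOCUS.
    // Detaching here is what leaves the observer with a pending focus
    // notification for an element that has already blurred.
    if (textarea.parentNode) {
      textarea.parentNode.removeChild(textarea);
    }
    observed.parentDuringFocus = textarea.parentNode;
  });

  container.appendChild(textarea);
  textarea.focus();
  observed.parentAfterFocus = textarea.parentNode;
  return observed;
}

// In a browser, run once the document is ready; a crashtest-style page would
// do the same from an inline <script>. Under Node there is no document, so
// this block is inert there and buildRepro() can be driven with a stand-in.
if (typeof document !== "undefined") {
  const run = () => buildRepro(document, document.body);
  if (document.readyState === "loading") {
    document.addEventListener("DOMContentLoaded", run);
  } else {
    run();
  }
}
```

Loading this in an affected build is what drives the CacheText/CacheSelection mismatch in the comment 6 log: by the time the child sends NOTIFY_IME_OF_FOCUS, the element the notification was queued for is no longer under the root the observer was created for.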
Assignee
Comment 6•3 years ago
[Child 24764: Main Thread]: D/IMEContentObserver 0x22ddedab800 MaybeNotifyIMEOfFocusSet()
[Child 24764: Main Thread]: D/IMEContentObserver 0x22ddedab800 PostFocusSetNotification()
[Child 24764: Main Thread]: I/IMEContentObserver 0x22ddedab800 FlushMergeableNotifications(), creating IMENotificationSender...
[Child 24764: Main Thread]: D/IMEContentObserver 0x22ddedab800 FlushMergeableNotifications(), finished
[Child 24764: Main Thread]: D/IMEContentObserver 0x22ddedab800 TryToFlushPendingNotifications(), performing queued IMENotificationSender forcibly
[Child 24764: Main Thread]: D/IMEContentObserver 0x22ddedab800 UpdateSelectionCache(), mSelectionData={ mOffset=0, mString="a" (Length()=1), GetWritingMode()=h-ltr, mReversed=false, mCausedByComposition=false, mCausedBySelectionEvent=false, mOccurredDuringComposition=false }
[Child 24764: Main Thread]: I/IMEContentObserver 0x22de1c40740 IMENotificationSender::SendFocusSet(), sending NOTIFY_IME_OF_FOCUS...
[Child 24764: Main Thread]: I/ContentCacheWidgets 0x22dded2a630 CacheAll(aWidget=0x22dded2a400, aNotification=NOTIFY_IME_OF_FOCUS)
[Child 24764: Main Thread]: I/ContentCacheWidgets 0x22dded2a630 CacheText(aWidget=0x22dded2a400, aNotification=NOTIFY_IME_OF_FOCUS)
[Child 24764: Main Thread]: I/IMEContentObserver 0x22ddedab800 HandleQueryContentEvent(aEvent={ mMessage=eQueryTextContent })
[Child 24764: Main Thread]: D/IMEContentObserver 0x22ddedab800 SuppressNotifyingIME(), mSuppressNotifications=1
[Child 24764, Main Thread] WARNING: NS_ENSURE_TRUE(mPresShell) failed: file m:/src/layout/generic/nsFrameSelection.cpp:1600
[Child 24764, Main Thread] WARNING: 'aEvent->mReply->mContentsRoot != mRootContent', file m:/src/dom/events/IMEContentObserver.cpp:664
[Child 24764, Main Thread] WARNING: 'queryTextContentEvent.Failed()', file m:/src/widget/ContentCache.cpp:214
[Child 24764: Main Thread]: E/ContentCacheWidgets 0x22dded2a630 CacheText(), FAILED, couldn't retrieve whole text
[Child 24764: Main Thread]: I/ContentCacheWidgets 0x22dded2a630 CacheSelection(aWidget=0x22dded2a400, aNotification=NOTIFY_IME_OF_FOCUS)
[Child 24764: Main Thread]: D/IMEContentObserver 0x22ddedab800 HandleQueryContentEvent(aEvent={ mMessage=eQuerySelectedText, mReply={ mOffsetAndData={ mOffset=0, mData="'a' (0x0061)" (Length()=1), Length()=1, EndOffset()=1 }, , mReversed=false, mWritingMode=h-ltr, mContentsRoot=0x0000022DE1A03B80, mFocusedWidget=0x0000000000000000 } })
[Child 24764: Main Thread]: I/ContentCacheWidgets 0x22dded2a630 CacheCaret(aWidget=0x22dded2a400, aNotification=NOTIFY_IME_OF_FOCUS)
[Child 24764: Main Thread]: E/ContentCacheWidgets 0x22dded2a630 CacheCaret(), FAILED, couldn't retrieve the caret rect at offset=0
[Child 24764: Main Thread]: I/ContentCacheWidgets 0x22dded2a630 CacheTextRects(aWidget=0x22dded2a400, aNotification=NOTIFY_IME_OF_FOCUS), mCaret=<Nothing>
[Child 24764: Main Thread]: E/ContentCacheWidgets 0x22dded2a630 CacheTextRects(), FAILED, couldn't retrieve text rect array around the selection anchor (0)
[Child 24764: Main Thread]: E/ContentCacheWidgets 0x22dded2a630 CacheTextRects(), FAILED, couldn't retrieve text rect array around the selection focus (1)
[Child 24764: Main Thread]: E/ContentCacheWidgets 0x22dded2a630 CacheTextRects(), FAILED, couldn't retrieve text rect of whole selected text
[Child 24764: Main Thread]: I/ContentCacheWidgets 0x22dded2a630 CacheTextRects(), Succeeded, mText=<Nothing>, mTextRectArray=<Nothing>, mSelection={ mAnchor=0, mFocus=1, mWritingMode=h-ltr, Reversed()=false, StartOffset()=0, EndOffset()=1, IsCollapsed()=false, Length()=1 }, mFirstCharRect=(x=0, y=0, w=0, h=0), mLastCommitStringTextRectArray=<Nothing>
[Child 24764: Main Thread]: I/ContentCacheWidgets 0x22dded2a630 CacheEditorRect(aWidget=0x22dded2a400, aNotification=NOTIFY_IME_OF_FOCUS)
[Child 24764: Main Thread]: E/ContentCacheWidgets 0x22dded2a630 CacheEditorRect(), FAILED, couldn't retrieve the editor rect
[Child 24764: Main Thread]: W/IMEContentObserver 0x22ddedab800 OnIMEReceivedFocus(), but the state is not "initializing", so does nothing
[Child 24764: Main Thread]: D/IMEContentObserver 0x22de1c40740 IMENotificationSender::SendFocusSet(), sent NOTIFY_IME_OF_FOCUS
[Parent 59640: Main Thread]: I/ContentCacheWidgets 0x1b4570b4018 AssignContent(aNotification=NOTIFY_IME_OF_FOCUS), Succeeded, mText=<Nothing>, mSelection={ mAnchor=0, mFocus=1, mWritingMode=h-ltr, Reversed()=false, StartOffset()=0, EndOffset()=1, IsCollapsed()=false, Length()=1 }, mFirstCharRect=(x=0, y=0, w=0, h=0), mCaret=<Nothing>, mTextRectArray=<Nothing>, mWidgetHasComposition=false, mPendingCompositionCount=0, mCompositionStart=<Nothing>, mPendingCommitLength=0, mEditorRect=(x=0, y=0, w=0, h=0), mLastCommitStringTextRectArray=<Nothing>
[Parent 59640: Main Thread]: I/ContentCacheWidgets 0x1b4570b4018 HandleQueryContentEvent(aEvent={ mMessage=eQueryEditorRect }, aWidget=0x1b446af1200)
[Parent 59640: Main Thread]: I/ContentCacheWidgets 0x1b4570b4018 HandleQueryContentEvent(), Succeeded, aEvent={ mMessage=eQueryEditorRect, mReply={ , mContentsRoot=0x0000000000000000, mFocusedWidget=0x000001B446AF1200 } }
[Parent 59640: Main Thread]: I/ContentCacheWidgets 0x1b4570b4018 HandleQueryContentEvent(aEvent={ mMessage=eQuerySelectedText }, aWidget=0x1b446af1200)
Assertion failure: mText.isSome(), at m:/src/widget/ContentCache.cpp:724
Updated•3 years ago
Comment 7•3 years ago
Set release status flags based on info from the regressing bug 1746104
Updated•3 years ago
Assignee
Comment 8•3 years ago
Fixing this bug requires a behavior change, but it causes new oranges...
Assignee
Comment 9•3 years ago
When the focus event listener of editors, which is in the system group, runs, a preceding focus event listener may have already blurred the focused element, but that may not have been applied to the DOM tree yet. In this case, checking whether the editor still has focus or has already blurred without flushing the pending things does not make sense. Therefore, this patch makes the Focus do it first.

Note that this patch adds 3 crash tests, but only the <textarea> case crashes without this patch. The others are only for detecting new regressions.
Comment 10•3 years ago
Comment 12•3 years ago
bugherder
Comment 14•3 years ago
Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220221094019-da294804f261.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.