Found while fuzzing m-c 20220514-28b2e8958185 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: indentedParentElement == content, at /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:4845

#0 0x7f632924af14 in mozilla::HTMLEditor::HandleOutdentAtSelectionInternal() src/editor/libeditor/HTMLEditSubActionHandler.cpp:4845:9
#1 0x7f63292488ce in mozilla::HTMLEditor::HandleOutdentAtSelection() src/editor/libeditor/HTMLEditSubActionHandler.cpp:4726:7
#2 0x7f63292485ec in mozilla::HTMLEditor::OutdentAsSubAction() src/editor/libeditor/HTMLEditSubActionHandler.cpp:4691:13
#3 0x7f6329269157 in mozilla::HTMLEditor::OutdentAsAction(nsIPrincipal*) src/editor/libeditor/HTMLEditor.cpp:2657:29
#4 0x7f6329284a7c in mozilla::OutdentCommand::DoCommand(mozilla::Command, mozilla::EditorBase&, nsIPrincipal*) const src/editor/libeditor/HTMLEditorCommands.cpp:451:44
#5 0x7f6325d58313 in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) src/dom/base/Document.cpp:5538:37
#6 0x7f63270042e3 in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/DocumentBinding.cpp:4052:36
#7 0x7f632737a90c in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3271:13
#8 0x7f632c7f48c0 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) src/js/src/vm/Interpreter.cpp:420:13
#9 0x7f632c7f40ca in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:507:12
#10 0x7f632c7eb4a6 in CallFromStack src/js/src/vm/Interpreter.cpp:578:10
#11 0x7f632c7eb4a6 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3314:16
#12 0x7f632c7e2732 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:389:13
#13 0x7f632c7f3fc6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:539:13
#14 0x7f632c7f55f8 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:605:8
#15 0x7f632b4bb5b1 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/vm/CallAndConstruct.cpp:117:10
#16 0x7f6326d8afa3 in mozilla::dom::IdleRequestCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::IdleDeadline&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/WindowBinding.cpp:836:8
#17 0x7f6325cc99a9 in mozilla::dom::IdleRequestCallback::Call(mozilla::dom::IdleDeadline&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WindowBinding.h:692:12
#18 0x7f6325e3e2c6 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WindowBinding.h:705:12
#19 0x7f6325e3e2c6 in mozilla::dom::IdleRequest::IdleRun(nsPIDOMWindowInner*, double, bool) src/dom/base/IdleRequest.cpp:61:13
#20 0x7f6325bb1436 in nsGlobalWindowInner::RunIdleRequest(mozilla::dom::IdleRequest*, double, bool) src/dom/base/nsGlobalWindowInner.cpp:740:12
#21 0x7f6325bb01fd in nsGlobalWindowInner::ExecuteIdleRequest(mozilla::TimeStamp) src/dom/base/nsGlobalWindowInner.cpp:768:3
#22 0x7f6325baff03 in IdleRequestExecutor::Run() src/dom/base/nsGlobalWindowInner.cpp:609:13
#23 0x7f6324407ebe in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:475:16
#24 0x7f63243e2873 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:788:26
#25 0x7f63243e1549 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:662:15
#26 0x7f63243e1693 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:398:36
#27 0x7f632440b646 in operator() src/xpcom/threads/TaskController.cpp:124:37
#28 0x7f632440b646 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#29 0x7f63243f711f in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1180:16
#30 0x7f63243fd71d in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:465:10
#31 0x7f6324fbd846 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:85:21
#32 0x7f6324ee6357 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:380:10
#33 0x7f6324ee6262 in RunHandler src/ipc/chromium/src/base/message_loop.cc:373:3
#34 0x7f6324ee6262 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:355:3
#35 0x7f63290f7ec8 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#36 0x7f632b235deb in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:874:20
#37 0x7f6324fbe73a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:235:9
#38 0x7f6324ee6357 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:380:10
#39 0x7f6324ee6262 in RunHandler src/ipc/chromium/src/base/message_loop.cc:373:3
#40 0x7f6324ee6262 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:355:3
#41 0x7f632b23540c in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:733:34
#42 0x55741054ae90 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#43 0x55741054ae90 in main src/browser/app/nsBrowserApp.cpp:329:18
#44 0x7f633b21e082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#45 0x557410520c3c in _start (/home/worker/builds/m-c-20220514040948-fuzzing-debug/firefox-bin+0x15c3c) (BuildId: ad557be96302524c286aa009cc9e8878a68e1c0e)

A Pernosco session is available here: https://pernos.co/debug/4ZVvrULWpSRiPtBZWtYIWA/index.html

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220530140717-87e39a7da999.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 391dbe0ceb290de3c1a6989aab62e602e55f176c (20210601032903)
End: 28b2e89581853eb7ff35fdd1ebeafefbc077293f (20220514040948)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)

Really tricky case, but outdent command must not be used so widely since it's available only with execCommand. Therefore, we don't need to fix this so soon. Once we fix bug 1710784, this must be fixed too.

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20220514040948-28b2e8958185) but not with tip (mozilla-central 20220805213002-85dd3c18eb48.)

The bug appears to have been fixed in the following build range:

Start: 2bc22187f1852ef424986aa13ae03442b3a9693f (20220803224529)
End: f78e1da7320b194ef414a850d0313ff8ad20b67d (20220804005553)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=2bc22187f1852ef424986aa13ae03442b3a9693f&tochange=f78e1da7320b194ef414a850d0313ff8ad20b67d

tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

The behavior is changed by bug 1774704 only from point of view of DOM mutation event listeners because it made HTMLEditor stop updating Selection immediately after each DOM tree mutation. I'll add the testcase into the tree.

Since the status is marked as unaffected for nightly and as wontfix for release, is it unaffected or wontfix for beta?
For more information, please visit auto_nag documentation.

Oops, sorry, it's fixed in Nightly, not unaffected.

The assertion hit has been fixed by bug 1774704, so we should add the reported
testcase into the tree.

https://hg.mozilla.org/mozilla-central/rev/bc7e5aa02d6e