Found while fuzzing m-c 20221004-8454bb0c09fe (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: aRangesToDelete.IsFirstRangeEditable(aEditingHost), at /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:3189

#0 0x7fed7446e514 in mozilla::HTMLEditor::AutoDeleteRangesHandler::HandleDeleteNonCollapsedRanges(mozilla::HTMLEditor&, short, short, mozilla::AutoRangeArray&, mozilla::HTMLEditor::AutoDeleteRangesHandler::SelectionWasCollapsed, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:3189:5
#1 0x7fed74468e38 in mozilla::HTMLEditor::AutoDeleteRangesHandler::Run(mozilla::HTMLEditor&, short, short, mozilla::AutoRangeArray&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:1688:47
#2 0x7fed74467f62 in mozilla::HTMLEditor::HandleDeleteSelection(short, short) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:1159:61
#3 0x7fed74399344 in mozilla::EditorBase::DeleteSelectionAsSubAction(short, short) /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:4215:9
#4 0x7fed74436579 in mozilla::HTMLEditor::InsertElementAtSelectionAsAction(mozilla::dom::Element*, bool, nsIPrincipal*) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:1975:21
#5 0x7fed74451a3e in mozilla::InsertTagCommand::DoCommandParam(mozilla::Command, nsTSubstring<char16_t> const&, mozilla::EditorBase&, nsIPrincipal*) const /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorCommands.cpp:1254:13
#6 0x7fed70cc84a7 in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:5452:27
#7 0x7fed7208c963 in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/DocumentBinding.cpp:4149:36
#8 0x7fed724327ec in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3287:13
#9 0x7fed77b1317c in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13
#10 0x7fed77b12aa1 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:547:12
#11 0x7fed77b09d08 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:619:10
#12 0x7fed77b09d08 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3375:16
#13 0x7fed77b00dad in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:431:13
#14 0x7fed77b1299d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:579:13
#15 0x7fed77b13edc in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:646:8
#16 0x7fed7676f15c in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
#17 0x7fed72131443 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:65:37
#18 0x7fed72a0b749 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:82:12
#19 0x7fed72a0a923 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:201:12
#20 0x7fed729eb7fe in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1316:22
#21 0x7fed729ec467 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1506:17
#22 0x7fed729e13a4 in HandleEvent /builds/worker/checkouts/gecko/dom/events/EventListenerManager.h:395:5
#23 0x7fed729e13a4 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:348:17
#24 0x7fed729e08f2 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:550:16
#25 0x7fed729e3191 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1119:11
#26 0x7fed73e62438 in mozilla::(anonymous namespace)::AsyncTimeEventRunner::Run() /builds/worker/checkouts/gecko/dom/smil/SMILTimedElement.cpp:98:12
#27 0x7fed6f26bc02 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:140:20
#28 0x7fed6f29db1e in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:538:16
#29 0x7fed6f276039 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:851:26
#30 0x7fed6f274bc3 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:683:15
#31 0x7fed6f274e33 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:461:36
#32 0x7fed6f2a13c6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:187:37
#33 0x7fed6f2a13c6 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#34 0x7fed6f28ac8f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1205:16
#35 0x7fed6f29129d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10
#36 0x7fed6fe79926 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#37 0x7fed6fd9ecf7 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#38 0x7fed6fd9ec02 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#39 0x7fed6fd9ec02 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#40 0x7fed742a05e8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:150:27
#41 0x7fed764aa17b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:880:20
#42 0x7fed6fe7a81a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#43 0x7fed6fd9ecf7 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#44 0x7fed6fd9ec02 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#45 0x7fed6fd9ec02 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#46 0x7fed764a9693 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:739:34
#47 0x5581e3f33b39 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#48 0x5581e3f33b39 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:359:18
#49 0x7fed85eb4082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#50 0x5581e3f098dc in _start (/home/worker/builds/m-c-20221004094418-fuzzing-debug/firefox-bin+0x168dc) (BuildId: 9804140749317669ab375d3127cd4fc41aa5c178)

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20221006041355-b240ded22d26.
The bug appears to have been introduced in the following build range:

Start: 47b031489c06cd0c1f48652c4d6d262d400218eb (20220601040930)
End: 8b7e176bb5e0e5abd88dfe5ba66083050468900b (20220601055440)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=47b031489c06cd0c1f48652c4d6d262d400218eb&tochange=8b7e176bb5e0e5abd88dfe5ba66083050468900b

There are two editor changes in this regression window.

Must be a regression of bug 1771809, however, the assertion does not detect serious issue for usual web apps.

Set release status flags based on info from the regressing bug 1771809

Set release status flags based on info from the regressing bug 1771809

triaged p3/s3

Testcase crashes using the initial build (mozilla-central 20221004094418-8454bb0c09fe) but not with tip (mozilla-central 20221125214546-8b092cca2cab.)

The bug appears to have been fixed in the following build range:

Start: 3b291aad5f7c1bd100fdc4463e7dc4eb6336218e (20221125052500)
End: 9f4fd5a62c727c6622576b94cdd7b2d5190ebd7a (20221125062626)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=3b291aad5f7c1bd100fdc4463e7dc4eb6336218e&tochange=9f4fd5a62c727c6622576b94cdd7b2d5190ebd7a

tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Odd, patches for bug 1801028 didn't touch around selection handling nor deletion, and the testcase only use insertHTML command. Therefore I don't understand how it fixed the assertion failure. However, the reported testcase should be landed into the tree, anyway.

I can still reproduce the issue locally and fuzzers are still reporting, bugmon is likely wrong.

(In reply to Tyson Smith [:tsmith] from comment #9)

I can still reproduce the issue locally and fuzzers are still reporting, bugmon is likely wrong.

Odd, I also don't reproduce this bug in my local debug build.

Wait, the testcase uses only execCommand("insertHTML") which the entry point of is HTMLEditor::InsertHTMLAsAction. However, the stack in comment 0 runs HTMLEditor::InsertElementAtSelectionAsAction. Therefore, the stack should never happen in the testcase.

tsmith: Could you check whether the testcase matches with the report?

Oops, please check my previous comment.

Updated test case. Reproducible with m-c 20221207-8e09abeeb445.

(In reply to Masayuki Nakano [:masayuki] (he/him)(JST, +0900) from comment #11)

tsmith: Could you check whether the testcase matches with the report?

That could have been my fault. Sometimes we can make crash buckets a bit too forgiving and I may have grabbed a test case from one report and a stack from another.

Here is the stack from the updated test case.

Assertion failure: aRangesToDelete.IsFirstRangeEditable(aEditingHost), at /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:3190 (497df92f:1dbdd79a)

#0 0x7fd5d2dcb00e in mozilla::HTMLEditor::AutoDeleteRangesHandler::HandleDeleteNonCollapsedRanges(mozilla::HTMLEditor&, short, short, mozilla::AutoRangeArray&, mozilla::HTMLEditor::AutoDeleteRangesHandler::SelectionWasCollapsed, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:3190:5
#1 0x7fd5d2dc5b9d in mozilla::HTMLEditor::AutoDeleteRangesHandler::Run(mozilla::HTMLEditor&, short, short, mozilla::AutoRangeArray&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:1689:47
#2 0x7fd5d2dc4cc2 in mozilla::HTMLEditor::HandleDeleteSelection(short, short) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:1160:61
#3 0x7fd5d2cf3a94 in mozilla::EditorBase::DeleteSelectionAsSubAction(short, short) /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:4227:9
#4 0x7fd5d2cee641 in mozilla::EditorBase::DeleteSelectionAsAction(short, short, nsIPrincipal*) /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:4190:8
#5 0x7fd5d2d0c5fb in mozilla::DeleteCommand::DoCommand(mozilla::Command, mozilla::EditorBase&, nsIPrincipal*) const /builds/worker/checkouts/gecko/editor/libeditor/EditorCommands.cpp:619:29
#6 0x7fd5cf60d656 in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:5450:37
#7 0x7fd5d09c479f in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/DocumentBinding.cpp:4149:36
#8 0x7fd5d0d57c82 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3287:13
#9 0x7fd5d50683ec in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13
#10 0x7fd5d5067d0f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:547:12
#11 0x7fd5d5059722 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:619:10
#12 0x7fd5d5059722 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3379:16
#13 0x7fd5d504d88e in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:431:13
#14 0x7fd5d5067c0b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:579:13
#15 0x7fd5d506914c in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:646:8
#16 0x7fd5d512283c in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
#17 0x7fd5d0a57893 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:62:8
#18 0x7fd5d131bb46 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
#19 0x7fd5d131b86c in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1311:43
#20 0x7fd5d131c519 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1507:17
#21 0x7fd5d13114c6 in HandleEvent /builds/worker/checkouts/gecko/dom/events/EventListenerManager.h:395:5
#22 0x7fd5d13114c6 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:347:17
#23 0x7fd5d13109fb in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:549:16
#24 0x7fd5d13131bb in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1118:11
#25 0x7fd5d1315c96 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp
#26 0x7fd5cf89e00b in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1373:17
#27 0x7fd5cf3e98f6 in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4536:28
#28 0x7fd5cf3e96f5 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4506:10
#29 0x7fd5cf620343 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7869:3
#30 0x7fd5cf6d1988 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
#31 0x7fd5cf6d1988 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1168:12
#32 0x7fd5cf6d1988 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1215:13
#33 0x7fd5cdbad6d2 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:140:20
#34 0x7fd5cdbb7955 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:538:16
#35 0x7fd5cdbb2f3c in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:851:26
#36 0x7fd5cdbb1b0a in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:683:15
#37 0x7fd5cdbb1e65 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:461:36
#38 0x7fd5cdbbb256 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:187:37
#39 0x7fd5cdbbb256 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
#40 0x7fd5cdbd0be8 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1204:16
#41 0x7fd5cdbd735d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:474:10
#42 0x7fd5ce7c7c13 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#43 0x7fd5ce6ecba8 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#44 0x7fd5ce6ecab1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#45 0x7fd5ce6ecab1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#46 0x7fd5d2bf71c8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:150:27
#47 0x7fd5d4e240fb in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:884:20
#48 0x7fd5ce7c8ad9 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#49 0x7fd5ce6ecba8 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#50 0x7fd5ce6ecab1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#51 0x7fd5ce6ecab1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#52 0x7fd5d4e2368c in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:743:34
#53 0x55a3007f5ca0 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#54 0x55a3007f5ca0 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:359:18
#55 0x7fd5e1333d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#56 0x7fd5e1333e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#57 0x55a3007cc308 in _start (/home/user/workspace/browsers/m-c-20221207165436-fuzzing-debug/firefox-bin+0x5b308) (BuildId: 31ccb93dee8e541e1ea154db589a683108f90298)

It returns the non-editable <body> causes the deletion handlers fail to
adjust range in the editing host and that caused hitting the assertion.

This patch also includes the wrong testcase with which the bug was reported.

Backed out for causing wpt failures in /editing/other/editing-div-outside-body.html?designMode

Backout link: https://hg.mozilla.org/integration/autoland/rev/5426c23701548d070fa34e0606b1ee6f97bfb2ca

Push with failures

Failure log

Oh, I don't know why I didn't realize the failure before requesting the review, but it's obviously detecting an existing bug which is, the some event handlers do not use computed editing host first.

Ah, the test runs only with opt builds...

Sigh, we cannot fix this crash without changing a lot. Once I change the editing host computation of the failure cases, some other tests become failing. We need to fix bug 1634351 before fixing this bug.