Found while fuzzing m-c 20221119-f7eac47f5daa (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: SelectionRef().GetAnchorFocusRange() && SelectionRef().GetAnchorFocusRange()->Collapsed() (Selection not collapsed after delete), at /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:5657

#0 0x7f33ef712f41 in mozilla::HTMLEditor::DeleteSelectionAndPrepareToCreateNode() /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:5655:5
#1 0x7f33ef711e41 in mozilla::HTMLEditor::InsertElementAtSelectionAsAction(mozilla::dom::Element*, bool, nsIPrincipal*) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:1987:19
#2 0x7f33ef72d59d in mozilla::InsertTagCommand::DoCommandParam(mozilla::Command, nsTSubstring<char16_t> const&, mozilla::EditorBase&, nsIPrincipal*) const /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorCommands.cpp:1254:13
#3 0x7f33ebf35ebe in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:5513:27
#4 0x7f33ed2f7c2f in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/DocumentBinding.cpp:4149:36
#5 0x7f33ed68c1f2 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3308:13
#6 0x129887af761a  (<unknown module>)

Verified bug as reproducible on mozilla-central 20230117161302-455aa95a34de.
The bug appears to have been introduced in the following build range:

Start: 5bd477e565175cf9e1fe55931462e2393df9c61f (20221028085519)
End: 7aeab5d3340f4eaaf78f925e51a9d51ec79f2c0b (20221028111145)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=5bd477e565175cf9e1fe55931462e2393df9c61f&tochange=7aeab5d3340f4eaaf78f925e51a9d51ec79f2c0b

The testcase is regressed by bug 1797026, but it means that we already had same assertion failure if creating the situation with Selection API. So actually this is not a new regression.

Set release status flags based on info from the regressing bug 1797026

Hmm, I don't reproduce this bug in local build, but the assertion stays there. Additionally, the test uses setTimeout infinitely. Therefore, cannot land the test into WPT without reproducing it... For verifying the state with bugmon, I mark this as WFM for now. If bugmon cannot verify the fix, let's reopen this.

bugmon won't confirm bugs closed as WFM. I can reproduce the issue locally with m-c 20230130-1d72cd67dda1.

(In reply to Tyson Smith [:tsmith] from comment #5)

bugmon won't confirm bugs closed as WFM. I can reproduce the issue locally with m-c 20230130-1d72cd67dda1.

Thank you. Can you rewrite it without setTimeout? I mean that if we know the last innerHTML and caret position immediately before the last document.execCommand call, it can be rewritten without setTimeout in theory.

How is this test case? The stack looks a bit different not sure if it's the same root cause.

Unable to reproduce bug 1810902 using build mozilla-central 20221119085828-f7eac47f5daa. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

(In reply to Tyson Smith [:tsmith] (PTO until Feb 15) from comment #7)

Created attachment 9315429 [details]
testcase_2.html

How is this test case? The stack looks a bit different not sure if it's the same root cause.

Thank you! It's reproducible!

0:11.41 pid:54924 Assertion failure: SelectionRef().GetAnchorFocusRange() && SelectionRef().GetAnchorFocusRange()->Collapsed() (Selection not collapsed after delete), at M:/src/editor/libeditor/HTMLEditor.cpp:5772
 0:11.96 pid:54924 #01: mozilla::HTMLEditor::DeleteSelectionAndPrepareToCreateNode (M:\src\editor\libeditor\HTMLEditor.cpp:5770)
 0:11.96 pid:54924 #02: mozilla::HTMLEditor::HTMLWithContextInserter::Run (M:\src\editor\libeditor\HTMLEditorDataTransfer.cpp:669)
 0:11.96 pid:54924 #03: mozilla::HTMLEditor::InsertHTMLWithContextAsSubAction (M:\src\editor\libeditor\HTMLEditorDataTransfer.cpp:584)
 0:11.96 pid:54924 #04: mozilla::HTMLEditor::InsertHTMLAsAction (M:\src\editor\libeditor\HTMLEditorDataTransfer.cpp:278)
 0:11.96 pid:54924 #05: mozilla::InsertHTMLCommand::DoCommandParam (M:\src\editor\libeditor\HTMLEditorCommands.cpp:1141)
 0:11.96 pid:54924 #06: mozilla::dom::Document::AutoEditorCommandTarget::DoCommandParam<nsTAutoStringN<char16_t,64> > (M:\src\dom\base\Document.cpp:5330)
 0:11.96 pid:54924 #07: mozilla::dom::Document::ExecCommand (M:\src\dom\base\Document.cpp:5510)
 0:11.97 pid:54924 #08: mozilla::dom::Document_Binding::execCommand (M:\fx64-dbg\dom\bindings\DocumentBinding.cpp:4150)
 0:11.97 pid:54924 #09: mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy,mozilla::dom::binding_detail::ThrowExceptions> (M:\src\dom\bindings\BindingUtils.cpp:3310)
 0:11.97 pid:54924 #10: CallJSNative (M:\src\js\src\vm\Interpreter.cpp:459)

AutoDeleteRangesHandler::Run shrink the range not to delete list item if
the list is not empty. However, due to the bug of
HTMLEditUtils::GetRangeSelectingAllContentInAllListItems, it may get empty
range (in the testcase, first the only <li> element is the list has empty
text node as first child, and the range is collapsed into it). Therefore,
AutoDeleteRangesHandler::Run gives up to delete the list items, but does not
update the Selection. Therefore, from the caller point of view, Selection
is unexpectedly not collapsed even after deleting Selection.

Therefore, this patch also makes AutoDeleteRangeHandler::Run collapse
Selection if it gives up to delete something.

Depends on D169043

Unable to reproduce bug 1810902 using build mozilla-central 20221119085828-f7eac47f5daa. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

https://hg.mozilla.org/mozilla-central/rev/ad27deafba46

The patch landed in nightly and beta is affected.
:masayuki, is this bug important enough to require an uplift?

• If yes, please nominate the patch for beta approval.
• If no, please set status-firefox111 to wontfix.

For more information, please visit auto_nag documentation.

This patch depends on some other list element handling. Therefore, it's risky to uplift only this.