Found while fuzzing m-c 20230117-455aa95a34de (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: aPoint.GetContainer()->IsInclusiveFlatTreeDescendantOf(&aEditingHost), at /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditUtils.cpp:2052

#0 0x7fb68a71c8b1 in mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> mozilla::HTMLEditUtils::GetBetterCaretPositionToInsertText<mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>>, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>>>(mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditUtils.cpp:2051:3
#1 0x7fb68a71b7fb in mozilla::HTMLEditor::AutoInlineStyleSetter::GetEmptyTextNodeToApplyNewStyle(mozilla::HTMLEditor&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLStyleEditor.cpp:554:7
#2 0x7fb68a696d7c in nsresult mozilla::HTMLEditor::SetInlinePropertiesAroundRanges<32ul>(mozilla::AutoRangeArray&, AutoTArray<mozilla::EditorInlineStyleAndValue, 32ul> const&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLStyleEditor.cpp:359:13
#3 0x7fb68a65f13b in mozilla::HTMLEditor::CreateStyleForInsertText(mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:6222:7
#4 0x7fb68a65c77b in mozilla::HTMLEditor::HandleInsertText(mozilla::EditSubAction, nsTSubstring<char16_t> const&, mozilla::EditorBase::SelectionHandling) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:1097:7
#5 0x7fb68a61b189 in mozilla::EditorBase::InsertTextAsSubAction(nsTSubstring<char16_t> const&, mozilla::EditorBase::SelectionHandling) /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:6033:7
#6 0x7fb68a62e6b7 in mozilla::EditorBase::InsertTextAsAction(nsTSubstring<char16_t> const&, nsIPrincipal*) /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:5996:8
#7 0x7fb68a63321c in mozilla::InsertPlaintextCommand::DoCommandParam(mozilla::Command, nsTSubstring<char16_t> const&, mozilla::EditorBase&, nsIPrincipal*) const /builds/worker/checkouts/gecko/editor/libeditor/EditorCommands.cpp:852:19
#8 0x7fb686e415ce in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:5512:27
#9 0x7fb688206eaf in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/DocumentBinding.cpp:4149:36
#10 0x7fb68859c632 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3308:13
#11 0x7fb68c99bad6 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13
#12 0x7fb68c99b3ff in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:547:12
#13 0x7fb68c98d03f in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:619:10
#14 0x7fb68c98d03f in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3362:16
#15 0x7fb68c9806fe in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:431:13
#16 0x7fb68c99b2fb in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:579:13
#17 0x7fb68c99c82c in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:646:8
#18 0x7fb68ca58c8c in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
#19 0x7fb68826e2f1 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:65:37
#20 0x7fb688bb4129 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget>>(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:82:12
#21 0x7fb688bb3316 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:199:12
#22 0x7fb688b93c9d in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1314:22
#23 0x7fb688b94909 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1504:17
#24 0x7fb688b89776 in HandleEvent /builds/worker/checkouts/gecko/dom/events/EventListenerManager.h:395:5
#25 0x7fb688b89776 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:347:17
#26 0x7fb688b88cab in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:549:16
#27 0x7fb688b8b465 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1122:11
#28 0x7fb68a92c6b4 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1079:7
#29 0x7fb68bf6cde0 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6447:20
#30 0x7fb68bf6c38b in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5840:7
#31 0x7fb68bf6dc86 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
#32 0x7fb68630f938 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1380:3
#33 0x7fb68630ef22 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:978:14
#34 0x7fb68630d1b5 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:797:9
#35 0x7fb68630e3b5 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:680:5
#36 0x7fb68bf9fcbe in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13866:23
#37 0x7fb6855f6c0f in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:628:22
#38 0x7fb6855f8133 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:532:10
#39 0x7fb686e6d8d9 in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:11550:18
#40 0x7fb686e399fb in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11488:9
#41 0x7fb686e54718 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:8015:3
#42 0x7fb686f04448 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
#43 0x7fb686f04448 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1168:12
#44 0x7fb686f04448 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1215:13
#45 0x7fb6853e40b2 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:114:20
#46 0x7fb6853ee345 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:539:16
#47 0x7fb6853e991c in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:852:26
#48 0x7fb6853e84ea in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:684:15
#49 0x7fb6853e8845 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:462:36
#50 0x7fb6853f1c46 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:188:37
#51 0x7fb6853f1c46 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
#52 0x7fb685407495 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1197:16
#53 0x7fb68540d7bd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
#54 0x7fb686006443 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#55 0x7fb685f282c8 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#56 0x7fb685f281d1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#57 0x7fb685f281d1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#58 0x7fb68a5166a8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#59 0x7fb68c755ebb in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:742:20
#60 0x7fb686007309 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#61 0x7fb685f282c8 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#62 0x7fb685f281d1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#63 0x7fb685f281d1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#64 0x7fb68c755a18 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:675:34
#65 0x557034d72ce0 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#66 0x557034d72ce0 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:359:18
#67 0x7fb698b01d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#68 0x7fb698b01e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#69 0x557034d49348 in _start (/home/user/workspace/browsers/m-c-20230120093625-fuzzing-debug/firefox-bin+0x5b348) (BuildId: 54764ebb3a582dc5a0a88264b61e7e23ebc2da2c)

Verified bug as reproducible on mozilla-central 20230120212103-f2fbf518572b.
The bug appears to have been introduced in the following build range:

Start: 14b861cccbebd6e09c03b919554ec6cbb46a0609 (20230116222837)
End: 649e128771267789cb8ff55d9f42c459fd0f2cd2 (20230117000234)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=14b861cccbebd6e09c03b919554ec6cbb46a0609&tochange=649e128771267789cb8ff55d9f42c459fd0f2cd2

Must be caused by bug 1807829 because it switched the path handling applying pending styles to new text. On the other hand, this does not affect to users with usual web apps.

Set release status flags based on info from the regressing bug 1807829

I don't understand what's happening in the case... The testcase creates like this.

<marquee><ins contenteditable slot="foo">...</ins></marquee>

And according to marquee.js, <marquee> creates a shadow DOM. And when I see the <ins> in the debugger, <ins>::mParentNode is the <marquee>, but GetFlattenedTreeParentNode(<ins>) returns nullptr, perhaps due the slot attribute.

smaug: Is it intentional behavior that GetFlattenedTreeParentNode for the <ins> returns nullptr even though GetParentNode returns the <marquee>?

Yes, <ins> isn't in the flattened tree. It is only in the trees of trees. I assume there is a slot somewhere and <ins> doesn't get slotted to it.

Thank you. I'll try to understand this more...

Bugmon was unable reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.