Found while fuzzing m-c 20230325-93996ea3c7de (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: mOffset.isSome(), at /builds/worker/workspace/obj-build/dist/include/mozilla/EditorDOMPoint.h:552

#0 0x7fe4ff5ea63b in mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>>::Offset() const /builds/worker/workspace/obj-build/dist/include/mozilla/EditorDOMPoint.h:552:5
#1 0x7fe4ffa1d67b in mozilla::SplitNodeTransaction::SplitNodeTransaction<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>>(mozilla::HTMLEditor&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&) /builds/worker/checkouts/gecko/editor/libeditor/SplitNodeTransaction.cpp:49:41
#2 0x7fe4ffa1d4d2 in already_AddRefed<mozilla::SplitNodeTransaction> mozilla::SplitNodeTransaction::Create<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>>(mozilla::HTMLEditor&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&) /builds/worker/checkouts/gecko/editor/libeditor/SplitNodeTransaction.cpp:39:11
#3 0x7fe4ff72e8bd in mozilla::HTMLEditor::SplitNodeWithTransaction(mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:4914:7
#4 0x7fe4ff6f7be9 in mozilla::HTMLEditor::SplitNodeDeepWithTransaction(nsIContent&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, mozilla::HTMLEditor::SplitAtEdges) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:4999:11
#5 0x7fe4ff80f09b in mozilla::Result<mozilla::CreateNodeResultBase<nsIContent>, nsresult> mozilla::HTMLEditor::InsertNodeIntoProperAncestorWithTransaction<nsIContent>(nsIContent&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, mozilla::HTMLEditor::SplitAtEdges) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:2288:9
#6 0x7fe4ff80abef in mozilla::HTMLEditor::HTMLWithContextInserter::InsertContents(mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, nsTArray<mozilla::OwningNonNull<nsIContent>>&, nsINode const*) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDataTransfer.cpp:1181:20
#7 0x7fe4ff802a87 in mozilla::HTMLEditor::HTMLWithContextInserter::Run(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::EditorBase::SafeToInsertData, mozilla::HTMLEditor::InlineStylesAtInsertionPoint) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDataTransfer.cpp:824:56
#8 0x7fe4ff7fdac0 in mozilla::HTMLEditor::InsertHTMLWithContextAsSubAction(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::EditorBase::SafeToInsertData, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, mozilla::EditorBase::DeleteSelectedContent, mozilla::HTMLEditor::InlineStylesAtInsertionPoint) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDataTransfer.cpp:581:71
#9 0x7fe4ff7f62f7 in mozilla::HTMLEditor::InsertHTMLAsAction(nsTSubstring<char16_t> const&, nsIPrincipal*) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDataTransfer.cpp:278:8
#10 0x7fe4f7d86128 in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:5540:27
#11 0x7fe4fa330c00 in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/DocumentBinding.cpp:4126:36
#12 0x7fe4faa828d7 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3335:13
#13 0x7fe505785f83 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:486:13
#14 0x7fe505785f83 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:580:12
#15 0x7fe5057ab116 in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:647:10
#16 0x7fe5057ab116 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:652:10
#17 0x7fe5057ab116 in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3395:16
#18 0x7fe505784d28 in MaybeEnterInterpreterTrampoline /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:400:10
#19 0x7fe505784d28 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:458:13
#20 0x7fe50578613c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:612:13
#21 0x7fe5057880b6 in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:647:10
#22 0x7fe5057880b6 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:679:8
#23 0x7fe5058f49eb in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
#24 0x7fe4fa41def0 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:65:37
#25 0x7fe4fb8db2f6 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget>>(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:82:12
#26 0x7fe4fb8d91e9 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:199:12
#27 0x7fe4fb88776c in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1333:22
#28 0x7fe4fb8891c4 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1502:17
#29 0x7fe4fb870ce6 in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:405:5
#30 0x7fe4fb870ce6 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:347:17
#31 0x7fe4fb86eed6 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:549:16
#32 0x7fe4fb874919 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1137:11
#33 0x7fe4ffe2e931 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1082:7
#34 0x7fe504035b3e in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6393:20
#35 0x7fe50403470c in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5786:7
#36 0x7fe5040372f6 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
#37 0x7fe4f6271bc8 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1380:3
#38 0x7fe4f627040d in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:978:14
#39 0x7fe4f626bbfe in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:797:9
#40 0x7fe4f626ebf3 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:680:5
#41 0x7fe504089e9a in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13847:23
#42 0x7fe4f443c013 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:631:22
#43 0x7fe4f443f344 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:535:10
#44 0x7fe4f7d73a1f in DoUnblockOnload /builds/worker/checkouts/gecko/dom/base/Document.cpp:11669:18
#45 0x7fe4f7d73a1f in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11607:9
#46 0x7fe4f7dabb19 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:8138:3
#47 0x7fe4f7ed8f2b in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1164:18
#48 0x7fe4f7ed8f2b in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7/../../../../include/c++/7/bits/invoke.h:60:14
#49 0x7fe4f7ed8f2b in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7/../../../../include/c++/7/bits/invoke.h:95:14
#50 0x7fe4f7ed8f2b in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7/../../../../include/c++/7/tuple:1662:14
#51 0x7fe4f7ed8f2b in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7/../../../../include/c++/7/tuple:1671:14
#52 0x7fe4f7ed8f2b in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
#53 0x7fe4f7ed8f2b in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1213:13
#54 0x7fe4f3fec8f0 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:114:20
#55 0x7fe4f400759a in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:555:16
#56 0x7fe4f3ff82ea in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:879:26
#57 0x7fe4f3ff51e7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:702:15
#58 0x7fe4f3ff5acf in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:491:36
#59 0x7fe4f400ccc1 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:218:37
#60 0x7fe4f400ccc1 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#61 0x7fe4f403893b in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1239:16
#62 0x7fe4f40463d4 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:479:10
#63 0x7fe4f5c384ee in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#64 0x7fe4f5a629ca in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:369:10
#65 0x7fe4f5a629ca in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#66 0x7fe4f5a629ca in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#67 0x7fe4ff36f4e9 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#68 0x7fe50532c488 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:738:20
#69 0x7fe4f5a629ca in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:369:10
#70 0x7fe4f5a629ca in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#71 0x7fe4f5a629ca in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#72 0x7fe50532bb4e in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:673:34
#73 0x55791ea5c0ee in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#74 0x55791ea5c0ee in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#75 0x7fe51aa29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#76 0x7fe51aa29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#77 0x55791e985708 in _start (/home/user/workspace/browsers/m-c-20230503140026-fuzzing-asan-opt/firefox+0x106708) (BuildId: 73cd868486ab74ef9e8d3fa7b33367320a0a1c7f)

Verified bug as reproducible on mozilla-central 20230504215417-f4a38c1b661a.
The bug appears to have been introduced in the following build range:

Start: 12a40a80a9757d658928c97c0c3af6c15302fca2 (20230322000349)
End: be84a6280becce858982e8a84d2311ebbc1e68dc (20230322020849)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=12a40a80a9757d658928c97c0c3af6c15302fca2&tochange=be84a6280becce858982e8a84d2311ebbc1e68dc

based on the regression range, could this be caused by bug 1810663?

This just detects a bug of an EditorDOMPoint user.
https://searchfox.org/mozilla-central/rev/4e6970cd336f1b642c0be6c9b697b4db5f7b6aeb/editor/libeditor/EditorDOMPoint.h#552-553

In the beta/release channels, the offset value is fallen back to 0u. Therefore, this should not be a security bug.
(I'll post a patch soon, anyway.)

(In reply to Masayuki Nakano [:masayuki] (he/him)(JST, +0900) from comment #3)

In the beta/release channels, the offset value is fallen back to 0u. Therefore, this should not be a security bug.

Ah yes, thanks for pointing that out.

Thank you!

Based on comment #1, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.

:masayuki, if possible, could you fill the Regressed by field and investigate this regression?

For more information, please visit BugBot documentation.

Some handlers, e.g., HTMLWithContextInserter may want to skip post processing
after inserting new node instead of immediately stop handling the action.
Currently, HTMLWithContextInserter correctly ignores the cases only when
NS_ERROR_EDITOR_UNEXPECTED_DOM_TREE is required. Therefore, making
InsertNodeWithTransaction return the error makes HTMLWithContextInserter
work correctly in tricky cases.

Set release status flags based on info from the regressing bug 1820116

It does not affect in the release channel. And the path is currently available in early beta builds and earlier. Therefore, we don't need to uplift the patch to the beta channel.

https://hg.mozilla.org/mozilla-central/rev/5b695322c383

Verified bug as fixed on rev mozilla-central 20230511040639-da13ef752e22.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.