Found while fuzzing m-c 20221004-8454bb0c09fe (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: !mCaretPoint.IsSet() || mHandledCaretPoint, at /builds/worker/workspace/obj-build/dist/include/mozilla/HTMLEditHelpers.h:826

#0 0x7ff7c4e51424 in mozilla::SplitRangeOffFromNodeResult::~SplitRangeOffFromNodeResult() /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditHelpers.h:826:5
#1 0x7ff7c4e4e200 in mozilla::HTMLEditor::HandleOutdentAtSelection(mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:5290:1
#2 0x7ff7c4e4d9d3 in mozilla::HTMLEditor::OutdentAsSubAction(mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:5149:7
#3 0x7ff7c4e748c5 in mozilla::HTMLEditor::OutdentAsAction(nsIPrincipal*) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:2877:47
#4 0x7ff7c4e9168c in mozilla::OutdentCommand::DoCommand(mozilla::Command, mozilla::EditorBase&, nsIPrincipal*) const /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorCommands.cpp:444:44
#5 0x7ff7c170b358 in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:5429:37
#6 0x7ff7c2acf963 in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/DocumentBinding.cpp:4149:36
#7 0x7ff7c2e757ec in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3287:13
#8 0x7ff7c855617c in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13
#9 0x7ff7c8555aa1 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:547:12
#10 0x7ff7c854cd08 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:619:10
#11 0x7ff7c854cd08 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3375:16
#12 0x7ff7c8543dad in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:431:13
#13 0x7ff7c855599d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:579:13
#14 0x7ff7c8556edc in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:646:8
#15 0x7ff7c71b215c in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
#16 0x7ff7c2b74443 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:65:37
#17 0x7ff7c344e749 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:82:12
#18 0x7ff7c344d923 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:201:12
#19 0x7ff7c342e7fe in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1316:22
#20 0x7ff7c342f467 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1506:17
#21 0x7ff7c34243a4 in HandleEvent /builds/worker/checkouts/gecko/dom/events/EventListenerManager.h:395:5
#22 0x7ff7c34243a4 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:348:17
#23 0x7ff7c34238f2 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:550:16
#24 0x7ff7c3426191 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1119:11
#25 0x7ff7c3428c06 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp
#26 0x7ff7c14ddaf9 in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, mozilla::WidgetEvent&, mozilla::EventMessage, mozilla::CanBubble, mozilla::Cancelable, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4532:17
#27 0x7ff7c33e50cf in nsresult nsContentUtils::DispatchTrustedEvent<mozilla::WidgetEvent>(mozilla::dom::Document*, nsISupports*, mozilla::EventMessage, mozilla::CanBubble, mozilla::Cancelable, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/workspace/obj-build/dist/include/nsContentUtils.h:1525:12
#28 0x7ff7c33e4dbd in mozilla::AsyncEventDispatcher::Run() /builds/worker/checkouts/gecko/dom/events/AsyncEventDispatcher.cpp:52:12
#29 0x7ff7bfcaec02 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:140:20
#30 0x7ff7bfce0b1e in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:538:16
#31 0x7ff7bfcb9039 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:851:26
#32 0x7ff7bfcb7bc3 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:683:15
#33 0x7ff7bfcb7e33 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:461:36
#34 0x7ff7bfce43c6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:187:37
#35 0x7ff7bfce43c6 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#36 0x7ff7bfccdc8f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1205:16
#37 0x7ff7bfcd429d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10
#38 0x7ff7c08bc926 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#39 0x7ff7c07e1cf7 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#40 0x7ff7c07e1c02 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#41 0x7ff7c07e1c02 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#42 0x7ff7c4ce35e8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:150:27
#43 0x7ff7c6eed17b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:880:20
#44 0x7ff7c08bd81a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#45 0x7ff7c07e1cf7 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#46 0x7ff7c07e1c02 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#47 0x7ff7c07e1c02 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#48 0x7ff7c6eec693 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:739:34
#49 0x5651fce41b39 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#50 0x5651fce41b39 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:359:18
#51 0x7ff7d780a082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#52 0x5651fce178dc in _start (/home/worker/builds/m-c-20221004094418-fuzzing-debug/firefox-bin+0x168dc) (BuildId: 9804140749317669ab375d3127cd4fc41aa5c178)

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20221005215113-517d690052a2.
The bug appears to have been introduced in the following build range:

Start: 53d6e1b0d2c3c86f55666a2a5ac8be1587ae750d (20221003012405)
End: f36d9e78e41726fe8cd299e04b7fad07d208ec79 (20221003110443)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=53d6e1b0d2c3c86f55666a2a5ac8be1587ae750d&tochange=f36d9e78e41726fe8cd299e04b7fad07d208ec79

Set release status flags based on info from the regressing bug 1792639

:masayuki, since you are the author of the regressor, bug 1792639, could you take a look? Also, could you set the severity field?

For more information, please visit auto_nag documentation.

This is caused by the odd behavior of insertHorizontalRule handling with form elements. Therefore, fixing it in bug 1793873 will fix this bug too. However, HTMLEditor::HandleOutdentAtSelectionInternal shouldn't return caret point suggestion because it restores original selection range at returning and its only caller HTMLEditor::HandleOutdentAtSelection ignores the suggestion. Therefore, the testcase does not work after fixing bug 1793873, it detected a potential bug.

The patch will be under review tomorrow.

It restores Selection with AutoSelectionRestorer instance created first.
Therefore it does not want the callers (currently, only
HTMLEditor::HandleOutdentAtSelection only) change Selection after doing it
without special reasons. Therefore, it shouldn't return last caret point
suggestion which is not a good point to put caret actually. Then, callers
do not need to handle it as they've never done.

Depends on D159230

The assertion detected only a logical bug of the code, I mean, the fix does not affect to actual behavior in opt build. Therefore, we don't need to uplift this.

https://hg.mozilla.org/mozilla-central/rev/826073b561e0

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20221018094831-826073b561e0.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.