Found while fuzzing m-c 20230306-a324d94d25a4 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: pointToInsert.IsSet(), at /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:2199

#0 0x7f9f103d0c57 in mozilla::Result<mozilla::CreateNodeResultBase<nsIContent>, nsresult> mozilla::HTMLEditor::InsertNodeIntoProperAncestorWithTransaction<nsIContent>(nsIContent&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, mozilla::HTMLEditor::SplitAtEdges) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:2199:5
#1 0x7f9f103cefad in mozilla::HTMLEditor::HTMLWithContextInserter::InsertContents(mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, nsTArray<mozilla::OwningNonNull<nsIContent>>&, nsINode const*) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDataTransfer.cpp:1138:23
#2 0x7f9f103cd538 in mozilla::HTMLEditor::HTMLWithContextInserter::Run(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::EditorBase::SafeToInsertData, mozilla::HTMLEditor::InlineStylesAtInsertionPoint) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDataTransfer.cpp:824:56
#3 0x7f9f103cb69c in mozilla::HTMLEditor::InsertHTMLWithContextAsSubAction(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::EditorBase::SafeToInsertData, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, mozilla::EditorBase::DeleteSelectedContent, mozilla::HTMLEditor::InlineStylesAtInsertionPoint) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDataTransfer.cpp:581:71
#4 0x7f9f103c8753 in mozilla::HTMLEditor::InsertHTMLAsAction(nsTSubstring<char16_t> const&, nsIPrincipal*) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDataTransfer.cpp:278:8
#5 0x7f9f103c88e5 in mozilla::InsertHTMLCommand::DoCommandParam(mozilla::Command, nsTSubstring<char16_t> const&, mozilla::EditorBase&, nsIPrincipal*) const /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorCommands.cpp:1142:34
#6 0x7f9f0c9ef229 in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:5482:27
#7 0x7f9f0ddca4df in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/DocumentBinding.cpp:4125:36
#8 0x7f9f0e15c5e2 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3318:13
#9 0x7f9f126e2c56 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13
#10 0x7f9f126e257f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:553:12
#11 0x7f9f126d41df in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:625:10
#12 0x7f9f126d41df in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3368:16
#13 0x7f9f126c789e in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:431:13
#14 0x7f9f126e247b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:585:13
#15 0x7f9f126e39ac in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:652:8
#16 0x7f9f127a3c3c in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
#17 0x7f9f0de31851 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:65:37
#18 0x7f9f0e792e59 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget>>(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:82:12
#19 0x7f9f0e792046 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:199:12
#20 0x7f9f0e77276d in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1314:22
#21 0x7f9f0e7733d9 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1504:17
#22 0x7f9f0e768216 in HandleEvent /builds/worker/checkouts/gecko/dom/events/EventListenerManager.h:395:5
#23 0x7f9f0e768216 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:347:17
#24 0x7f9f0e76774b in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:549:16
#25 0x7f9f0e769f05 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1122:11
#26 0x7f9f0e76cae6 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp
#27 0x7f9f0c7a92e3 in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, mozilla::WidgetEvent&, mozilla::EventMessage, mozilla::CanBubble, mozilla::Cancelable, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4664:17
#28 0x7f9f0e728289 in nsresult nsContentUtils::DispatchTrustedEvent<mozilla::WidgetEvent>(mozilla::dom::Document*, nsISupports*, mozilla::EventMessage, mozilla::CanBubble, mozilla::Cancelable, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/workspace/obj-build/dist/include/nsContentUtils.h:1536:12
#29 0x7f9f0e727f6d in mozilla::AsyncEventDispatcher::Run() /builds/worker/checkouts/gecko/dom/events/AsyncEventDispatcher.cpp:52:12
#30 0x7f9f0aec6712 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:114:20
#31 0x7f9f0aed0e45 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:541:16
#32 0x7f9f0aecbf98 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:855:26
#33 0x7f9f0aecab6a in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:686:15
#34 0x7f9f0aecaec5 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:464:36
#35 0x7f9f0aed4846 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:188:37
#36 0x7f9f0aed4846 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:547:5
#37 0x7f9f0aeeaa27 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1239:16
#38 0x7f9f0aef0edd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
#39 0x7f9f0bb43963 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#40 0x7f9f0ba65328 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#41 0x7f9f0ba65231 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#42 0x7f9f0ba65231 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#43 0x7f9f102103e8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#44 0x7f9f12497eab in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:738:20
#45 0x7f9f0bb44829 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#46 0x7f9f0ba65328 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#47 0x7f9f0ba65231 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#48 0x7f9f0ba65231 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#49 0x7f9f12497a08 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:671:34
#50 0x55d6ecc31df0 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#51 0x55d6ecc31df0 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:353:18
#52 0x7f9f1f613d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#53 0x7f9f1f613e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#54 0x55d6ecc08458 in _start (/home/user/workspace/browsers/m-c-20230307160733-fuzzing-debug/firefox-bin+0x5b458) (BuildId: f80f3932367abf2a03fbf513284232a9231bf07f)

Verified bug as reproducible on mozilla-central 20230307211537-1d0e58f96dc8.
The bug appears to have been introduced in the following build range:

Start: ad5e9f350f67805fbd3e31643f1988255d4e8286 (20220310081127)
End: b7b1979c79854c39911bc54a69aeeb60bf9ea7aa (20220310103016)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=ad5e9f350f67805fbd3e31643f1988255d4e8286&tochange=b7b1979c79854c39911bc54a69aeeb60bf9ea7aa

Regressed by bug 1757911?

Set release status flags based on info from the regressing bug 1757911

Well, in the case, we should just abort handling it.

The patch will make a low level method of HTMLEditor return error. Therefore, we should fix this in next cycle. If this causes a crash in release builds, I can just put a check for the branches though.

If one of them are removed from the DOM tree, it's hard to keep handling it
since we have both split direction paths. Therefore, let's just return error
but not throw new exception in the case.

https://hg.mozilla.org/mozilla-central/rev/6df208248f1f

Verified bug as fixed on rev mozilla-central 20230314010803-7ea8042eaf1d.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.