Found while fuzzing m-c 20241204-9a8cc59e9dab (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: pointToPutCaret.IsSet(), at /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:4905

#0 0x7fffed6c095c in mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::HandleDeleteNonCollapsedRange(mozilla::HTMLEditor&, short, short, nsRange&, mozilla::HTMLEditor::AutoDeleteRangesHandler::SelectionWasCollapsed, mozilla::dom::Element const&)::$_1::operator()() const /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:4905:7
#1 0x7fffed6ad96e in mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::HandleDeleteNonCollapsedRange(mozilla::HTMLEditor&, short, short, nsRange&, mozilla::HTMLEditor::AutoDeleteRangesHandler::SelectionWasCollapsed, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:4852:7
#2 0x7fffed6b62ed in mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::Run(mozilla::HTMLEditor&, short, short, nsRange&, mozilla::HTMLEditor::AutoDeleteRangesHandler::SelectionWasCollapsed, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:759:15
#3 0x7fffed6a4bbb in mozilla::HTMLEditor::AutoDeleteRangesHandler::HandleDeleteNonCollapsedRanges(mozilla::HTMLEditor&, short, short, mozilla::AutoRangeArray&, mozilla::HTMLEditor::AutoDeleteRangesHandler::SelectionWasCollapsed, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:3828:16
#4 0x7fffed69ee9f in mozilla::HTMLEditor::AutoDeleteRangesHandler::Run(mozilla::HTMLEditor&, short, short, mozilla::AutoRangeArray&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:1839:47
#5 0x7fffed69dd0a in mozilla::HTMLEditor::HandleDeleteSelection(short, short) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:1299:61
#6 0x7fffed5ce0ec in mozilla::EditorBase::DeleteSelectionAsSubAction(short, short) /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:4565:9
#7 0x7fffed66ebc5 in mozilla::HTMLEditor::DeleteSelectionAndPrepareToCreateNode() /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:6023:9
#8 0x7fffed66df72 in mozilla::HTMLEditor::InsertElementAtSelectionAsAction(mozilla::dom::Element*, mozilla::EnumSet<mozilla::HTMLEditor::InsertElementOption, unsigned int>, nsIPrincipal*) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:2207:19
#9 0x7fffed6874ac in mozilla::InsertTagCommand::DoCommand(mozilla::Command, mozilla::EditorBase&, nsIPrincipal*) const /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorCommands.cpp:1248:13
#10 0x7fffe9a4a46c in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, mozilla::dom::TrustedHTMLOrString const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:5627:37
#11 0x7fffeab44179 in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./DocumentBinding.cpp:4169:36
#12 0x7fffeae0a48d in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3290:13
#13 0x7fffee60c29a in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:532:13
#14 0x7fffee60ba73 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:628:12
#15 0x7fffef17eede in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:1701:10
#16 0x3769e4362e0e  ([anon:js-executable-memory]+0xbe0e)

Ah, if the point becomes non-editable, HTMLEditUtils::GetDeepestEditableStartPointOf returns unset point. This does not cause a crash and happens only with the legacy mutation event listener, so, this is not so urgent.

Verified bug as reproducible on mozilla-central 20241205213207-9dfed8478876.
The bug appears to have been introduced in the following build range:

Start: 7b85c82d731ddab976c6abe7e54685cacaebba41 (20240426225436)
End: 45defed78aafc90410c68310027bf771bcfc5968 (20240427034615)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=7b85c82d731ddab976c6abe7e54685cacaebba41&tochange=45defed78aafc90410c68310027bf771bcfc5968

Set release status flags based on info from the regressing bug 1877513

Testcase crashes using the initial build (mozilla-central 20241204215713-9a8cc59e9dab) but not with tip (mozilla-central 20250412090848-ab9a67e8cbbd.)

The bug appears to have been fixed in the following build range:

Start: 9d547b90a4073f5906b1220472f69fbc2fdff928 (20250305042859)
End: b00d78bcd328cf80893a4725b8664db65d8fdf10 (20250304235021)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=9d547b90a4073f5906b1220472f69fbc2fdff928&tochange=b00d78bcd328cf80893a4725b8664db65d8fdf10

tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.